Posted Sep 14, 2012 22:40 UTC (Fri) by paradigm (guest, #86730)
Parent article: Bedrock Linux
Hello, I am the founder/lead dev of Bedrock Linux. I was initially extremely anxious when I learned that LWN had an article on my project, as I have a tremendous amount of respect for the wonderful folks at LWN, and couldn't bear to hear a negative response from them. Suffice it to say my worry was for naught. The article is, like usual, spot on.
Well, barring one extremely minor issue with the article: I am utilizing Linux capabilities in place of full setuid binaries for the one Bedrock-specific area it is needed. I typically see Linux capabilities contrasted against setuid, and thus unless I am mistaken it would be technically incorrect to describe a Linux capability'd executable as setuid. For what it is worth, the only capability needed (both in the current and upcoming release) is CAP_SYS_CHROOT.
I experimented with utilizing namespaces to handle the unusual filesystem layout requirements but ran into some difficulties. I might revisit the possibility in the future, if not for filesystem then for process isolation, such that I could have multiple init programs each think they are PID 1. This could be a reasonable start for automating boot items, and as the article pointed out automating boot scripts from clients is one area that needs a lot of work.
I'm not sure I follow why the discussed FAQ entry is an amusing read. If I've done something silly, I'm ready to admit fault and try to remedy it, if it could be stated more directly. The main issue is limited developer time - I haven't yet had time to write an installer, and I am not confident I will be able to stay on top of pushing out updates for upstream security issues (most notably the kernel). I'm hoping to eventually find a way to use a client's kernel for Bedrock, and just let the client update the kernel as it normally would.
I'd also like to note that, despite being in alpha, Bedrock Linux is quite functional. I have been using it as my primary system on all of my machines (barring the VPS that hosts the website) for quite a while before it ever went public. However, it is certainly very do-it-yourself right now, subject to big changes at this point, and has a few more known issues than I feel comfortable with in a stable release.
Thank you Mr. Corbet for the well-written article.