Jarkko Sakkinen
Posts
4888Following
324Followers
489OpenPGP: 3AB05486C7752FE1
Jarkko Sakkinen
repeated
repeated
@Conan_Kudo I pinged from David whether he still has a Git branch for this work. No answer yet.
Just would want to try rebase/compile on top of 6.15-rcX, no bandwidth atm :-) BTW, I have channel with David at OFTC called "#linux-security", if you want to hang out there.
It's a total idle channel, for occasional keyring sync ups and stuff like that so except long response times :-) Still, could be forum to sync up with this and random kernel stuff.
Just would want to try rebase/compile on top of 6.15-rcX, no bandwidth atm :-) BTW, I have channel with David at OFTC called "#linux-security", if you want to hang out there.
It's a total idle channel, for occasional keyring sync ups and stuff like that so except long response times :-) Still, could be forum to sync up with this and random kernel stuff.
1
0
0
@vbabka duh :-/
and i'd presume you've tried the off-on-dance:
systemctl --user disable --now gpg-agent-extra.socket
systemctl --user enable --now gpg-agent-extra.socket
(--now's are important here obviously for stop/start)
and i'd presume you've tried the off-on-dance:
systemctl --user disable --now gpg-agent-extra.socket
systemctl --user enable --now gpg-agent-extra.socket
(--now's are important here obviously for stop/start)
0
0
0
Jarkko Sakkinen
jarkko
@Conan_Kudo yeah, it would have immediate use.
when i read the cover letter, i think the idea is great but the cover letter should talk about user needs (such as nesting related and stuff like that).
when i read the cover letter, i think the idea is great but the cover letter should talk about user needs (such as nesting related and stuff like that).
1
0
0
The patch set was rejected on basis of having already namespaces etc. but obviously the need was still there. Otherwise, Arjan van Der Ven and his team would not have put to get clear containers (which came later known as kata containers).
Quite often at least I end up using VM, not for full system emulation but because Podman or similar is not too great "in the edges".
Quite often at least I end up using VM, not for full system emulation but because Podman or similar is not too great "in the edges".
1
0
0
Jarkko Sakkinen
jarkko
After fighting with container nesting, I think that this concept would still make sense:
https://lwn.net/Articles/723477/
It's not discussed in the cover letter but obviously this would be much better tool for "full user space nesting" than namespace based containers.
I.e., kind of between Podman and Kata Containers as an infrastructure.
https://lwn.net/Articles/723477/
It's not discussed in the cover letter but obviously this would be much better tool for "full user space nesting" than namespace based containers.
I.e., kind of between Podman and Kata Containers as an infrastructure.
1
0
0
@vbabka Off-topic (a bit): in some cases I need to explicitly delete .gnupg/private-keys-v1.d when I switch Yubikey. Otherwise pinentry keeps asking for the old one.
Right and one more thing: https://codeberg.org/jarkko/skeleton/src/branch/main/.gnupg
Maybe it is better to check and compare (e.g., I have separate config for scdaemon).
Right and one more thing: https://codeberg.org/jarkko/skeleton/src/branch/main/.gnupg
Maybe it is better to check and compare (e.g., I have separate config for scdaemon).
1
0
1
Jarkko Sakkinen
jarkko
@vbabka hmm...
Check first taht you have both of these installed:
1. pcscd (system service check also systemctl)
2. scdaemon (user service)
I've never dared to change my bootstrap script. It's shitty and does stuff that is not probably necessary but seems to always do the trick:
GPG_AGENT_SOCKETS=(gpg-agent-ssh.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent-ssh.socket
gpg-agent.socket)
systemctl --user disable --now "${GPG_AGENT_SOCKETS[@]}"
gpgconf --kill gpg-agent
sudo systemctl disable --now pcscd.socket
systemctl --user enable --now gpg-agent.socket gpg-agent-ssh.socket
sudo systemctl enable --now pcscd.socket
Check first taht you have both of these installed:
1. pcscd (system service check also systemctl)
2. scdaemon (user service)
I've never dared to change my bootstrap script. It's shitty and does stuff that is not probably necessary but seems to always do the trick:
GPG_AGENT_SOCKETS=(gpg-agent-ssh.socket
gpg-agent-browser.socket
gpg-agent-extra.socket
gpg-agent-ssh.socket
gpg-agent.socket)
systemctl --user disable --now "${GPG_AGENT_SOCKETS[@]}"
gpgconf --kill gpg-agent
sudo systemctl disable --now pcscd.socket
systemctl --user enable --now gpg-agent.socket gpg-agent-ssh.socket
sudo systemctl enable --now pcscd.socket
1
0
1
Jarkko Sakkinen
jarkko
Edited 6 months ago
my #build #container framework:
sudo unshare \
--fork \
--mount \
--uts \
sh -c "
mkdir -p $ROOTFS/proc
mkdir -p $ROOTFS/sys
mkdir -p $ROOTFS/dev
mount -t sysfs /sys $ROOTFS/sys
mount -t proc /proc $ROOTFS/proc
mount --rbind /dev $ROOTFS/dev
hostname $MACHINE
su $USER
export PUAVO_CACHE_PROXY=$PUAVO_CACHE_PROXY
sudo unshare --root $ROOTFS $CMDLINE
"
Jarkko Sakkinen
jarkko
Edited 6 months ago
I wonder if I could apply for Nobel for this one:
https://bsky.app/profile/jarkk0.bsky.social/post/3lmkaiqxdb22o
https://bsky.app/profile/jarkk0.bsky.social/post/3lmkaiqxdb22o
0
0
1
Jarkko Sakkinen
jarkko
Time for yet another LSM upstream meeting :-) My favorite meeting of the month.
0
0
1
Jarkko Sakkinen
jarkko
I think the bright side in the current times is that the relationship towards both Sweden and Estonia has been tightened up, and I can feel that there is more mutual respect towards each other :-)
🇪🇪 🇸🇪 🇫🇮
🇪🇪 🇸🇪 🇫🇮
0
0
2