Linux kernel hacker and maintainer etc.

OpenPGP: 3AB05486C7752FE1

Jarkko Sakkinen

Edited 3 months ago

@lkundrak @vegard And if I ever need to get away from Debootstrap I can probably just:

mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/full c 1 7
mknod /dev/random c 1 8
mknod /dev/urandom c 1 9
mknod /dev/tty c 5 0

@lkundrak @vegard getting rid of /dev was at least dead easy:

+# Debootstrap populates `/dev/{null,zero,full,random,urandom,tty}`, meaning that
+# mounting devtmpfs to `/dev` is not required.
 sudo unshare \
   --mount \
   --uts \
   --root "$ROOTFS" \
   sh -c "
-    mkdir -p /proc
-    mkdir -p /sys
-    mkdir -p /dev
-    mount -t sysfs /sys /sys
     mount -t proc /proc /proc
-    mount -t devtmpfs /dev /dev
     mount -t devpts /dev /dev/pts
     hostname $MACHINE
# ...
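Review bot: removing `mkdir -p /proc` and `mkdir -p /dev` while keeping `mount -t proc /proc /proc` and `mount -t devpts /dev /dev/pts` makes the script depend on `$ROOTFS` already containing `/proc` and `/dev/pts`; the new comment only justifies dropping the devtmpfs mount, not the directory creation. Suggest keeping `mkdir -p /proc /dev/pts` (it is idempotent and costs nothing) so a rootfs produced by something other than debootstrap still works, and extending the comment to say that `sysfs` is intentionally gone as well, since `mount -t sysfs /sys /sys` is removed without explanation.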

I think I can iterate from this :-) E.g., proc-mount can probably (I'd guess) be made unprivileged with "--fork --pid", i.e., creating a PID namespace.

@lkundrak @vegard As open-coded apparently "--map-user=0 --map-group=0". Great now I know at least what it does.

Probably "--map-auto" makes sense too for using uid/gid maps.

The goal here is to just substitute "systemd-nspawn" in a build with something that uses as little features as possible so that the build nests nicely with Github/Gitlab CI or anything. And do a home-baked container wrapper in order not to add dependencies ...

I need to check how systemd-nspawn and podman handle /dev etc. mappings from the implementation 🙂

Jarkko Sakkinen

Edited 3 months ago

@vegard,

Here’s an example:

sudo unshare \
  --mount \
  --uts \
  --root "$ROOTFS" \
  sh -c "
    mkdir -p /proc
    mkdir -p /sys
    mkdir -p /dev
    mount -t sysfs /sys /sys
    mount -t proc /proc /proc
    mount -t devtmpfs /dev /dev
    mount -t devpts /dev /dev/pts
    hostname $MACHINE
    su -c '$CMDLINE' $USER
  "

If I took sudo away, the mounts would fail on permission error, even with --map-root-user.

It's even the expected outcome, because if such a tweak worked, it would be a privilege escalation, i.e., a security vulnerability.

Still wondering what is the magic dust Podman uses here :-)

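The rootless variant of the script above, as an added example that is not code from this thread: it answers the "--fork --pid" guess and the question of what Podman does about /dev without root. Everything in it is my assumption about the reader's machine: util-linux unshare and mount are installed, unprivileged user namespaces are enabled, and the caller may map itself to uid 0 inside one. The names `userns_mounts_available`, `rootless_sandbox` and `SANDBOX_SETUP` are mine. Inside a user namespace its owner may mount tmpfs, a `newinstance` devpts and proc (the latter only with a PID namespace of its own), but devtmpfs and mknod of device nodes stay refused, which is why the six nodes are bind-mounted from the host's /dev onto an empty tmpfs. That bind-mount trick, not a capability tweak, is the rootless-container "magic dust"; it exposes no host node the caller could not already open.

```shell
#!/bin/sh
# Added example (not from the thread): the unshare(1) sandbox without sudo.
# Assumptions: util-linux unshare/mount, unprivileged user namespaces enabled.
#
# Exit codes of rootless_sandbox:
#   0 = ran "$@" inside the sandbox
#   2 = this environment refuses user-namespace mounts (seccomp, sysctl,
#       missing unshare)
#   3 = proc could not be mounted; the kernel refuses a new proc when the
#       host /proc carries over-mounts that hide parts of it
#   1 = anything else (a real bug)

# Probe: can an unprivileged user create a user+mount namespace here and
# mount a tmpfs in it?
userns_mounts_available() {
    command -v unshare >/dev/null 2>&1 || return 1
    unshare --user --map-root-user --mount sh -c \
        't=$(mktemp -d) && mount -t tmpfs tmpfs "$t"' >/dev/null 2>&1
}

# Executed as "root" of the new namespaces; "$@" is the user's command.
SANDBOX_SETUP='
set -e
# Any refused mount other than proc is reported as exit 2.
m() { mount "$@" || { echo "mount $* refused" >&2; exit 2; }; }

# 1. Build the new /dev on a staging tmpfs while the host /dev is still
#    visible, then move the finished tree over /dev. devtmpfs and mknod are
#    not allowed in a user namespace; bind mounts of existing nodes are.
stage=$(mktemp -d)
m -t tmpfs -o mode=755 tmpfs "$stage"
for n in null zero full random urandom tty; do
    [ -e "/dev/$n" ] || continue          # skip nodes the host lacks
    touch "$stage/$n"                     # bind target must exist
    m --bind "/dev/$n" "$stage/$n"        # bind the host node, no mknod
done
mkdir "$stage/pts"
m -t devpts -o newinstance,ptmxmode=0666 devpts "$stage/pts"
m --move "$stage" /dev
rmdir "$stage"

# 2. A fresh proc for our own PID namespace (this shell is PID 1 in it).
mount -t proc proc /proc 2>/dev/null || {
    echo "proc mount refused: host /proc is not fully visible here" >&2
    exit 3
}

exec "$@"
'

# Run "$@" as uid 0 of a new user namespace with private mount, PID and
# UTS namespaces. --fork is required so the child, not unshare itself,
# becomes PID 1 of the new PID namespace.
rootless_sandbox() {
    userns_mounts_available || return 2
    unshare --user --map-root-user --mount --pid --fork --uts \
        sh -c "$SANDBOX_SETUP" sandbox "$@"
}

# Stand-alone demo: PID 1, the bind-mounted nodes and the private proc.
rootless_sandbox sh -c 'echo "pid=$$"; ls -l /dev; ls /proc | head -5' \
    || echo "sandbox unavailable here (exit $?)"
```

Compared with the sudo version, `--root "$ROOTFS"` is the only piece that still needs real root (chroot into a debootstrap tree whose files are owned by host uids); with `--map-auto` and a rootfs unpacked under a subordinate uid range that part becomes unprivileged as well.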

Check out our own Ryan Goodfellow’s fantastic InfoQ talk on how we're innovating rack-scale computing with P4! From programmable fabrics to debugging tools, Ry shares how to turn theory into production-ready systems. https://www.infoq.com/presentations/tofino-2/

@bartk there's really not a whole lot of options.

Web page might need some refresh :-)

https://himmelblau-idm.org/

Jarkko Sakkinen

Is #Himmelblau a #SUSE project? Just seems like something I might have some professional use for.

#Azure #Intune

@vegard Right, "--map-root-user" was the thing I was probably looking for, thanks.

Jarkko Sakkinen

How does something like Podman handle bind mounts without requiring root?

#podman

Jarkko Sakkinen

my favorite scripting language is actually bash, and it is my second favorite programming language after C :-)

curl bans “AI” security reports as Zuckberg claims we’ll all have more “AI” friends than real ones

Daniel Stenberg, creator and maintainer of curl, has had enough of the neverending torrent of "AI"-generated security reports the curl project has to deal with.

That's it. I've had it. I'm putting my foot down on this craziness.

https://www.osnews.com/story/142300/curl-bans-ai-security-reports-as-zuckberg-claims-well-all-have-more-ai-friends-than-real-ones/


(Almost) the last embarrassing GNOME website revamped! Big shoutout to @felipeborges

https://planet.gnome.org/


Looking for a new laptop that runs Linux out of the box? Get a ThinkPad!

Lenovo has been offering ThinkPads with Fedora and @ubuntu preinstalled for a few years now. The more people who shop for these devices, the more attention they can give to this business!

Here's an article of someone discovering Lenovo's Linux program: https://news.itsfoss.com/lenovo-cuts-windows-tax/

@ljs I've used BuildRoot for 16 years, to which Bootlin is an active contributor.

Jarkko Sakkinen

Edited 3 months ago
When I was a kid, we did not spend time as a family watching Ron Jeremy films 🤷 Not really part of my growth story ...

My "growth story" was more like watching pieces from my friends' big brothers' German VHS movie collections :---) They were actually quite scary stuff tbh.

In my opinion the title screen for the Mac release of Wizardry was very, very good.


Jarkko Sakkinen

the only thing related to world news i've knowingly spotted during the last three weeks is this Easter pic with the creepiest bunny ever :-)

Christian Brauner 🦊🐺

Edited 3 months ago

I've done a series that adds support for AF_UNIX sockets in coredumps. Userspace provides an AF_UNIX socket path via core_pattern and the kernel connects to it, shuts down the read side and writes the coredump to the socket.

This means no more super privileged usermode helper upcalls and makes for a very nice API experience. I captured coredumps simply via socat:

https://lore.kernel.org/20250430-work-coredump-socket-v1-0-2faf027dbb47@kernel.org

The receiver can use SO_PEERPIDFD to get a stable handle on the crashed process.

@lkundrak tbh, not for some time 😅

Jarkko Sakkinen

If I was a dictator of this world, I would forbid cameras in phones :-) They net so much more harm than they do good.