Software Engineer at Opinsys Oy
Entrepreneur at Siltakatu Solutions Oy

OpenPGP: 3AB05486C7752FE1
@vegard @lkundrak Yeah, not eagerly exploring the topic :-) Now I know enough to wrap a shitty build container with bash and unshare, which will cover at least the next 5+ years ;-)
@vegard @lkundrak TBH, I'm quite a newbie with namespaces. I've just stuck to VMs before because they are so much easier. Now I actually needed a container for the first time ever (to substitute systemd-nspawn in a build).
@vegard @lkundrak OK, yet another option I was not aware of, thanks :-)

Jarkko Sakkinen

Edited 24 days ago

@lkundrak @vegard And if I ever need to get away from Debootstrap I can probably just:

mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/full c 1 7
mknod /dev/random c 1 8
mknod /dev/urandom c 1 9
mknod /dev/tty c 5 0

@lkundrak @vegard getting rid of /dev was at least dead easy:

+# Debootstrap populates `/dev/{null,zero,full,random,urandom,tty}`, meaning that
+# mounting devtmpfs to `/dev` is not required.
 sudo unshare \
   --mount \
   --uts \
   --root "$ROOTFS" \
   sh -c "
-    mkdir -p /proc
-    mkdir -p /sys
-    mkdir -p /dev
-    mount -t sysfs /sys /sys
     mount -t proc /proc /proc
-    mount -t devtmpfs /dev /dev
     mount -t devpts /dev /dev/pts
     hostname $MACHINE
# ...
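Review bot: with the three `mkdir -p` lines removed, the remaining `mount -t proc /proc /proc` and `mount -t devpts /dev /dev/pts` now depend on `/proc` and `/dev/pts` already existing in `$ROOTFS`, but the new comment only documents the device nodes that debootstrap creates, not those directories; either keep `mkdir -p /dev/pts` (it is idempotent and costs nothing) or extend the comment to say the tree must ship both directories. Minor: `/dev` as the source argument of the devpts mount is only a label; `devpts` there reads less like a bind mount.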

I think I can iterate from this :-) E.g., the proc mount can probably (I'd guess) be made unprivileged with "--fork --pid", i.e., by creating a PID namespace.

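A rootless version of the wrapper from this thread, as an added example that is not the author's code: it follows the hypothesis in the post (a PID namespace via --fork --pid makes the proc mount work unprivileged) and replaces devtmpfs with bind mounts of the host device nodes. It assumes ROOTFS is a debootstrap tree owned by the invoking user, and MACHINE and CMDLINE as in the original script.

```shell
#!/bin/sh
# Added example, not the author's code: the thread's unshare wrapper rewritten to
# run without sudo. Assumed inputs: ROOTFS (a debootstrap tree owned by the
# invoking user), MACHINE (hostname inside) and CMDLINE (command to run).
set -eu

# The user namespace is created first and owns all the others, so the caller is
# uid 0 inside it. --pid --fork is what makes `mount -t proc` legal: proc may
# only be mounted with CAP_SYS_ADMIN over the user namespace that owns the PID
# namespace, and the host PID namespace belongs to the initial user namespace.
# Only uid 0 is mapped here, so the original `su $USER` step would need
# --map-auto (plus /etc/subuid entries) instead of --map-root-user.
unshare_flags() {
    printf '%s' "--user --map-root-user --mount --pid --fork --uts"
}

# Script run as uid 0 of the new namespaces, before the chroot. devtmpfs and
# mknod are both refused inside a user namespace, so the device nodes are
# bind-mounted from the host; sysfs is left out (it would also need --net).
inner_script() {
    rootfs=$1 machine=$2 cmdline=$3
    cat <<EOF
set -e
mkdir -p "$rootfs/proc" "$rootfs/dev/pts"
mount -t proc proc "$rootfs/proc"
mount -t devpts -o newinstance,ptmxmode=0666 devpts "$rootfs/dev/pts"
for dev in null zero full random urandom tty; do
    [ -e "$rootfs/dev/\$dev" ] || touch "$rootfs/dev/\$dev"
    mount --bind "/dev/\$dev" "$rootfs/dev/\$dev"
done
hostname "$machine"
exec chroot "$rootfs" sh -c '$cmdline'
EOF
}

run_container() {
    # shellcheck disable=SC2046  # the flag string is meant to be word-split
    exec unshare $(unshare_flags) \
        sh -c "$(inner_script "$ROOTFS" "${MACHINE:-build}" "${CMDLINE:-/bin/sh}")"
}

# Usage: ROOTFS=/srv/rootfs MACHINE=build CMDLINE='make -j4' ./rootless-build.sh
if [ -n "${ROOTFS:-}" ]; then
    run_container
fi
```

The mounts exist only in the new mount namespace, so nothing is left behind on the host when the command exits.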
@lkundrak @vegard As open-coded, apparently "--map-user=0 --map-group=0". Great, now I know at least what it does.

Probably "--map-auto" makes sense too for using uid/gid maps.

The goal here is to just substitute "systemd-nspawn" in a build with something that uses as little features as possible so that the build nests nicely with Github/Gitlab CI or anything. And do a home-baked container wrapper in order not to add dependencies ...

I need to check how systemd-nspawn and podman handle /dev etc. mappings from the implementation 🙂

Jarkko Sakkinen

Edited 24 days ago

@vegard,

Here’s an example:

sudo unshare \
  --mount \
  --uts \
  --root "$ROOTFS" \
  sh -c "
    mkdir -p /proc
    mkdir -p /sys
    mkdir -p /dev
    mount -t sysfs /sys /sys
    mount -t proc /proc /proc
    mount -t devtmpfs /dev /dev
    mount -t devpts /dev /dev/pts
    hostname $MACHINE
    su -c '$CMDLINE' $USER
  "

If I took sudo away, the mounts would fail with a permission error, even with --map-root-user.

It's even the expected outcome, because if such a tweak worked, it would be a privilege escalation, i.e., a security vulnerability.

Still wondering what is the magic dust Podman uses here :-)


Check out our own Ryan Goodfellow’s fantastic InfoQ talk on how we're innovating rack-scale computing with P4! From programmable fabrics to debugging tools, Ry shares how to turn theory into production-ready systems. https://www.infoq.com/presentations/tofino-2/

@bartk there's really not a whole lot of options.

Web page might need some refresh :-)

https://himmelblau-idm.org/

Jarkko Sakkinen

Is #Himmelblau a #SUSE project? It just seems like something I might have some professional use for.

#Azure #Intune
@vegard Right, "--map-root-user" was the thing I was probably looking for, thanks.

Jarkko Sakkinen

How does something like Podman handle bind mounts without requiring root?

#podman

Jarkko Sakkinen

My favorite scripting language is actually bash, and it's my second favorite programming language after C :-)

curl bans “AI” security reports as Zuckberg claims we’ll all have more “AI” friends than real ones

Daniel Stenberg, creator and maintainer of curl, has had enough of the neverending torrent of "AI"-generated security reports the curl project has to deal with.

That's it. I've had it. I'm putting my foot down on this craziness.

https://www.osnews.com/story/142300/curl-bans-ai-security-reports-as-zuckberg-claims-well-all-have-more-ai-friends-than-real-ones/


(Almost) the last embarrassing GNOME website revamped! Big shoutout to @felipeborges

https://planet.gnome.org/


Fedora Project (F42 is OUT)

Looking for a new laptop that runs Linux out of the box? Get a ThinkPad!

Lenovo has been offering ThinkPads with Fedora and @ubuntu preinstalled for a few years now. The more people who shop for these devices, the more attention they can give to this business!

Here's an article of someone discovering Lenovo's Linux program: https://news.itsfoss.com/lenovo-cuts-windows-tax/


Think before you buy a big Mac!!

@ljs I've used BuildRoot for 16 years, to which Bootlin is an active contributor.

Jarkko Sakkinen

Edited 27 days ago
When I was a kid, we did not spend time as a family watching Ron Jeremy films 🤷 Not really part of my growth story ...

My "growth story" was more like watching pieces from my friends' big brothers' German VHS movie collection :---) They were actually quite scary stuff tbh.

In my opinion the title screen for the Mac release of Wizardry was very, very good.
