Originally posted by skeevy420
View Post
Announcement
Collapse
No announcement yet.
Lennart Talks Up The Power Of systemd-sysext For Testing /usr Changes
Collapse
X
-
Originally posted by guglovich View PostWhen will systemd swallow up the Linux kernel?
- Likes 1
Comment
-
Originally posted by jacob View Post
Some systemd developers decided to merge *their own* projects into the systemd suite, that's different.
Of course, kudos to those who actually do, like the guys from eudev or the folks who decide to actually maintain systemd-free distros. Everyone else protests too much.
Comment
-
Originally posted by sinepgib View Post
And even then, if that's so problematic, fork the original project. Oh right, people like to complain but they don't like to put the effort :^)
Of course, kudos to those who actually do, like the guys from eudev or the folks who decide to actually maintain systemd-free distros. Everyone else protests too much.
- Likes 1
Comment
-
Originally posted by jacob View Post
Of course. It's the same people who whine that systemd is "closed" and "proprietary". It's LGPL but the problem is that those people know shell, reading and understanding C is beyond their capabilities.
- Likes 2
Comment
-
Originally posted by sinepgib View Post
I may be biased because I know (enough?) C, but I don't think it's beyond any programmer's capabilities... Provided they have the will to learn. If they don't want to then cry me a river, take your freebie and don't complain.
Comment
-
Originally posted by jacob View Post
I would concede that reading C code full of low-level concepts, syscalls and APIs that only exist on Linux (memfd, cgroups etc) is not the easiest thing to get into for somebody who was never exposed to it before. Especially since it's true that systemd does lots of things differently from the UNIX-like systems (usually for a good reason though). But as you say, take your freebie and don't complain, or use Devuan or BSD or whatever.
Comment
-
It's a bit funny to see people minimizing the work or value of this by referencing out-of-tree drivers like aufs and scripts (which clearly aren't additional dependencies, but distro-included tools are) or old "distros" that haven't been updated in almost a decade. Yes, you can already do filesystem overlays. Yes, people have built a lot of custom tooling around overlayFS. And yes, even the things referenced weren't the first of their kind. Niche solutions that aren't maintained are great for historical purposes, but pulling them out when a new solution comes is just weird hipster elitism.
Beyond that, this particular tool and its value for certain workflows was detailed. Lennart's use of it to test development versions of systemd on his host system is nice. Testing core system applications without risking making your system inoperable is useful. The explanation of future plans with using this to run containers from the host's /usr with systemd-nspawn makes sense. Not all containers should be remote-built docker images. Auto-discovery of images is good for centralized feature management. And signature verification is important - especially since, as a point of system extensibility, it's a new potential attack vector. There's a lot of potential for its use in purpose-built distros - as well as for helping advanced users get things done on extremely locked-down systems.
As usual, systemd isn't about adding ground-breaking functionality. It brings niche features into core, maintained system functionality and integrates them with other services in a distro-independent fashion using standardized paths and behavior. And honestly, if it were brand new functionality it'd be even more hate than situations like this where it's integrating more niche functionality.
Although, if you've got some Lennart hate to spare, please direct it at him for refusing to scrap his shitty spec-ignoring stateful tracking of DNS servers in systemd-resolved. Fucker still won't backpedal on that nonsense.
- Likes 3
Comment
-
It might be quite useful to extend the idea and allow unprivileged users to get their own extended /usr, effectively adding per-user package management. But I suppose it's a can of worms to deal with setuid/setgid binaries and just about anything that crosses privilege boundaries (e.g. even 'sudo' might be tricked in more ways).
Comment
-
Originally posted by edgmnt View PostIt might be quite useful to extend the idea and allow unprivileged users to get their own extended /usr, effectively adding per-user package management. But I suppose it's a can of worms to deal with setuid/setgid binaries and just about anything that crosses privilege boundaries (e.g. even 'sudo' might be tricked in more ways).
Unprivileged users cannot modify /user.
If they can, then the system can be easily compromised.
And yes, setuid is a problem for container.
Some escalations indeed from container roots from setuid binaries.
Comment
Comment