Announcement

Collapse
No announcement yet.

Systemd 215 Works On Factory Reset, DHCPv4 Server Support

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Luke
    replied
    How about using this to sandbox browsers?

    Originally posted by DrYak View Post
    It also makes possible, when combined with LXC and all the facilities that systemd has for lxc, to create very light-weight and quickly initiated containers.
    Think about a way to quickly jail anything you want inside a separate chroot. (like jails, etc.)

    Excpet that, thanks to systemd, you get that chroot completely filled up and indistinguishable from the inside from any actual machine.

    You don't trust skype ? These kind of facilities in systemd will create quickly a stateless linux container in which to run your skype. you only keep your skype installation and skype configuration, everything is ephermal single-use throw away environment.
    This sort of sandboxing could be used to defeat browser-borne attacks that read hardware information such as any port of the FBI's CIPAV spyware programs to Linux. Also would
    confine privilige escalation attacks to write to the system unless the attacker is good enough to first recognize that they are "in jail," then manage to break out of the chroot.

    Yet another use is attack-proofing public computers, so a simple reboot kills any problems from a previous user. One community college whose Internet access I used to poach somehow managed to do this in Windows as though they were running from live disks, I was very impressed with that. Was good for privacy too: just mash the button if you needed to remove your work and all software you had added, due to this they were able to allow a lot of user software to be installed if it did not require driver installation privilige levels.
    Last edited by Luke; 10 July 2014, 11:59 PM.

    Leave a comment:


  • interested
    replied
    Originally posted by haplo602 View Post
    Since when would embedded systems where space is usualy a premium item use a bloated thing like systemd is quickly heading to ?
    First, systemd isn't bloated by any reasonable definition of bloat. It is impressively small, even with all features turned on. It also replaces a lot of other programs like Cron, syslog etc. making to total system size very comparable depending on which features are needed.

    systemd is also very modular, so you can remove most features with compile options, making the effective size of systemd very small.

    Basically, if the embedded system has too little permanent storage for systemd, Linux itself is only a marginally fit.

    Secondly, embedded are much more than routers with only 4mb flash storage. There are probably millions of SmartTV's sold every month, and most of them runs Linux. Systemd is a prefect fit for such systems and probably much better that any internally maintained toolboxes that the SmartTV developers use.

    systemd can also offer much better stability and robustness to embedded systems. It has a total supervising chain; a hardware watchdog supervises systemd itself, while systemd supervises all processes; if a process hang, it can be restarted automatically without user intervention. I think the many router owners who are used to restart their hanging routers once in awhile would appreciate such supervision.

    Also, systemd is also easily capable of only running services when needed, so it only launches e.g. sshd or the http Web GUI when the user actually needs it, reducing overall drain on system resources.

    All in all, systemd easily out-competes any other init systemd for embedded devices, and it enables advanced COTS features that are supported upstream, which reduce developer cost (time to market, maintenance) compared to in-house developed toolboxes.

    Originally posted by haplo602 View Post
    It is either a generaly used and usefull feature, ot it should have a dedicated implementation. I still fail to see the benefit of integrating this feature into systemd. Any kind of reproducible system has 2 requirements:

    1. Non-volatile and non-modifiable storage for base system (i.e. read-only /usr)
    2. Appendable configartion area (you simply cut the addon modifications during a reset)

    Systemd does not serve either ....
    I must say I not sure exactly what you are talking about here. What feature do you think is being integrated into systemd? Is it Factory Resets or Reproducible Systems? Have you actually read Poettering's blog explaining this? It seems not by the look of it.

    I will provide the link again for your perusal:
    "Factory Reset, Stateless Systems, Reproducible Systems & Verifiable Systems"
    http://0pointer.de/blog/projects/

    Leave a comment:


  • Luke_Wolf
    replied
    Originally posted by doom_Oo7 View Post
    They should just rename it to systemd-init so that everybody would understand.
    +1 on suggesting you go tell them that as it would solve any legitimate misunderstandings.

    Leave a comment:


  • haplo602
    replied
    Originally posted by interested View Post
    The problem with using a snapshot to restore a system to a pristine state is, that you thereby also looses all security updates and all packages added or removed since.( you also need extra disk space, a problem on embedded devices). A Factory Reset may keep all the binaries in /usr (and can verify them cryptographically to be in a pristine state), so the system remains secure at all times.

    Factory Resets (FR) as feature in it self isn't so important for individual people running a traditional desktop system, though a handy feature nonetheless. But the changes needed to get a stateless system are beneficial to all. It will make Linux a more robust system, especially when it comes to system upgrades and installations.

    There are +100.000.000 devices running Linux (not counting Android and pc's), from routers, NAS', SmartTVs, Navigation and entertainment systems etc. Such systems can really benefit from a standard, easy way to do a Factory Reset.

    Factory Resets, Reproducible Systems, Stateless Systems, Verifiable Systems, are now potentially possible because of Systemd. There are however still a long way to go to actually implement these features in distros, but when that work is done, Linux will be even better that it is now.

    Poettering has a good overview here:
    http://0pointer.de/blog/projects/
    Since when would embedded systems where space is usualy a premium item use a bloated thing like systemd is quickly heading to ?

    It is either a generaly used and usefull feature, ot it should have a dedicated implementation. I still fail to see the benefit of integrating this feature into systemd. Any kind of reproducible system has 2 requirements:

    1. Non-volatile and non-modifiable storage for base system (i.e. read-only /usr)
    2. Appendable configartion area (you simply cut the addon modifications during a reset)

    Systemd does not serve either ....

    Leave a comment:


  • DrYak
    replied
    Originally posted by rob11311 View Post
    Stateless, lets you auto generate and deploy new services in a VM for example, based off a standard virtual disks. Things like user info, are stored on a server in network.
    It also makes possible, when combined with LXC and all the facilities that systemd has for lxc, to create very light-weight and quickly initiated containers.
    Think about a way to quickly jail anything you want inside a separate chroot. (like jails, etc.)

    Excpet that, thanks to systemd, you get that chroot completely filled up and indistinguishable from the inside from any actual machine.

    You don't trust skype ? These kind of facilities in systemd will create quickly a stateless linux container in which to run your skype. you only keep your skype installation and skype configuration, everything is ephermal single-use throw away environment.

    Leave a comment:


  • chinoto
    replied
    Originally posted by doom_Oo7 View Post
    They should just rename it to systemd-init so that everybody would understand.
    Wonderful idea, why don't you go ahead and contact whoever is in charge of that? It's a great way to contribute, even if it isn't code or a bug report (I guess you could say it is in a way).

    Leave a comment:


  • doom_Oo7
    replied
    Originally posted by Teho View Post
    systemd is an ubrella project that includes among other things a init system by the same name. It's nowadays relatively small part of the entire project and calling systemd, the project, an init system is misleading at best. It's a set of building blocks to build an operating system from or a core os.
    They should just rename it to systemd-init so that everybody would understand.

    Leave a comment:


  • Teho
    replied
    Originally posted by Pajn View Post
    So SystemD isn't an init system?
    systemd is an ubrella project that includes among other things a init system by the same name. It's nowadays relatively small part of the entire project and calling systemd, the project, an init system is misleading at best. It's a set of building blocks to build an operating system from or a core os.

    Leave a comment:


  • Pajn
    replied
    Originally posted by Teho View Post
    The DHCP server isn't part of the init system. It's part of systemd-networkd.
    So SystemD isn't an init system?

    Leave a comment:


  • Teho
    replied
    Originally posted by Pajn View Post
    Why should I have a DHCP server in a INIT SYSTEM?
    The DHCP server isn't part of the init system. It's part of systemd-networkd.

    Leave a comment:

Working...
X