How To Use Systemd For Application Sandboxing & How To Easily Crash Systemd

  • #31
    Originally posted by caligula:
    The most popular hacker friendly IoT devices are Arduino and ESP8266 chips which won't even run Linux. Commercial vendors might even use lower spec machines with RTOS or bare metal OS. It doesn't really make any sense to use Linux since these devices are expected to harvest energy from solar, wind, temp changes, pressure, radio waves etc. Idle power of 5-10 mW might be too high. Now that chip production is close to atomic level, I have my doubts that Linux will ever get there. Perhaps, if we are lucky. So the majority of embedded / IoT devices definitely won't ever ship with enough storage for Linux and systemd. Why would anyone want a 'smart button' (like the Amazon one) with a full blown OS?
    Which is sort of frightening given the security implications. Embedded devices running Linux are already terrible at this.



    • #32
      Originally posted by caligula:
      I had the impression that systemd is supposed to be used everywhere. From Raspberry Pi style hardware to computer centers. They don't clearly state that they don't want to support low end hardware.
      They don't clearly state that they want to rule the world either, this is a delusion of anti-systemd nutters. They want to support the most they can realistically support without dropping features they care about.

      The only fact you can infer is that they like glibc and glibc/gnu extensions which make systemd compatible with minimal/standard compliant C libraries like musl. So apparently they use features that glibc has and musl does not.
      fixed.

      About the hardware.. there are plenty of router boxes which come with 4-16 MB of flash and even support 802.11ac. They will be here for a long while.
      Most ac routers have 128 or more MB, btw. You are probably talking of crappy ac access points without a gigabit switch nor usb2/3 (the ones that aren't worth switching to custom firmwares anyway, and imho not even worth buying at all).
      For example my netgear 6300v2 (wifi ac router) has like 128MB of flash and rolled off the assembly line like 4 years ago.
      Let's ignore for a moment that it has a Broadcom SoC so its wifi ac isn't working in openwrt so I have to keep it with shitty dd-wrt that is still much better than very very very shitty stock firmware.

      Now, systemd expects glibc and refuses to work with other libc implementations so the router would probably need at least 128 MB, maybe 1-8 GB of flash to work with systemd mainly due to the larger footprint of glibc (compared to 8-16 which is sufficient now). Or maybe they should ship glibc for systemd and the smaller libc for everything else?
      Stop drug abuse, OpenWRT can be compiled with glibc too (Musl is default but toolchain can be switched to glibc by changing a setting, they also support uClibc, btw) and yes even with a basic systemd it will fit in a 128MB flash with AMPLE space to spare.
      OpenWRT/LEDE as other embedded systems use special compiler flags that sacrifice potential higher performance (useless in embedded devices where the processors are meh) to get a smaller binary, plus they put the / on a squashfs or in a ubifs which are compressed (squashfs better than ubifs) so you can fit a whole default userspace + webinterface in less than 4 MiB with musl.
      With glibc it uses more space but more than 30 MiB hell no.

      OpenWRT is actually moving to musl and waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah waah and the other for all other software.
      Can you please stop hallucinating on things you don't know?
      Since 2012 OpenWRT/LEDE have a simpler but systemd-like PID1 daemon that supervises the show called Procd https://www.lede-project.org/docs/procd.html
      here the initial commit https://dev.openwrt.org/changeset/34865
      and here its "unit files" that are special scripts https://wiki.openwrt.org/inbox/procd-init-scripts

      Yes, because they aren't whiners and trolls that claim Red Hat wants to rule the world, they actually make stuff to run their own distro that suits their own needs, and they didn't do it out of spite but out of technical reasons (small footprint and compatibility with musl, mostly), as they don't really need most of the advanced features of systemd in a router anyway.

      Btw, OpenWRT is basically reduced to the role of "LEDE third party package repos" after the fork as most devs have moved to LEDE and they receive pull requests daily by people adding support or fixing bugs.

      Finally, even if OpenWRT adopts systemd, the user won't gain any significant improvements. Maybe if he/she plans to run containers and hotplug stuff, but otherwise it's all just bloat with no improved functionality.
      Which is why they don't have any plans to adopt it, duh.

      The most popular hacker friendly IoT devices are Arduino and ESP8266 chips which won't even run Linux. Commercial vendors might even use lower spec machines with RTOS or bare metal OS. It doesn't really make any sense to use Linux since these devices are expected to harvest energy from solar, wind, temp changes, pressure, radio waves etc. Idle power of 5-10 mW might be too high. Now that chip production is close to atomic level, I have my doubts that Linux will ever get there. Perhaps, if we are lucky. So the majority of embedded / IoT devices definitely won't ever ship with enough storage for Linux and systemd. Why would anyone want a 'smart button' (like the Amazon one) with a full blown OS?
      And this is a problem because?
      Let's look at this closely: microcontrollers run a SINGLE program on the BARE METAL.
      An init system (any init system) is a program that manages daemons (programs in a multi-program environment) and/or access to hardware/filesystem.
      Now can you take a deep breath and please explain in detail with fullHD images why the fuck they even need an init system when there is only a SINGLE program with full hardware access in that thing?



      • #33
        Originally posted by GreekGeek:
        Hi yall,

        @ pal666, starshipeleven & rtfazeberdee, please see ad hominem fallacy....

        FYI: Ad hominem (Latin for "to the man" or "to the person"), short for argumentum ad hominem, is a logical fallacy in which an argument is rebutted by attacking the character, motive, or other attribute of the person making the argument, or persons associated with the argument, rather than attacking the substance of the argument itself. ( https://en.wikipedia.org/wiki/Ad_hominem )

        GreekGeek :-)
        And I attacked the person by saying the content posted is bullshit, and explaining why is wrong point by point?

        How about you read Straw Man and stfu? https://en.wikipedia.org/wiki/Straw_man

        A straw man is a common form of argument and is an informal fallacy based on giving the impression of refuting an opponent's argument, while actually refuting an argument that was not advanced by that opponent.



        • #34
          Originally posted by GreekGeek:
          Hi yall,

          @ pal666, starshipeleven & rtfazeberdee, please see ad hominem fallacy....

          FYI: Ad hominem (Latin for "to the man" or "to the person"), short for argumentum ad hominem, is a logical fallacy in which an argument is rebutted by attacking the character, motive, or other attribute of the person making the argument, or persons associated with the argument, rather than attacking the substance of the argument itself. ( https://en.wikipedia.org/wiki/Ad_hominem )

          GreekGeek :-)
          And I attacked the person by saying the content posted is bullshit, explaining why is wrong point by point?

          How about you read Straw Man and stfu? https://en.wikipedia.org/wiki/Straw_man

          A straw man is a common form of argument and is an informal fallacy based on giving the impression of refuting an opponent's argument, while actually refuting an argument that was not advanced by that opponent.



          • #35
            Originally posted by nils_:
            Which is sort of frightening given the security implications. Embedded devices running Linux are already terrible at this.
            embedded devices in general are total shit at security, it's not like those running some fork of BSD or windows embedded are better.



            • #36
              unapproved posts for everyone above! (god I hate vBulletin)



              • #37
                Originally posted by caligula:
                I had the impression that systemd is supposed to be used everywhere. From Raspberry Pi style hardware to computer centers. They don't clearly state that they don't want to support low end hardware. The only fact you can infer is that they like glibc and glibc/gnu extensions which make systemd compatible with minimal/standard compliant C libraries like musl. So apparently instead they hate POSIX and low end hardware.
                glibc is of course fully ISO and Posix compliant. But you got to understand that no libc implementation is useful without extensions beyond that. Musl is no exception to that, and it e.g. carries several BSD extensions that never got formalized but still are in use.
                Does that mean Musl and BSD hates Posix?

                In any case, ISO/Posix standards are usually made by adopting existing non-standard extensions when they have proven themselves useful in the real world, so the glibc extensions systemd uses may very well be integrated in the next ISO/Posix libc standard.


                Originally posted by caligula:
                About the hardware.. there are plenty of router boxes which come with 4-16 MB of flash and even support 802.11ac. They will be here for a long while.
                Sure, old stuff may hang around for a long while, but very few vendors still make such small systems anymore. So it is easy to predict that systemd will become standard for practically all new embedded software that actually needs userspace apps. The reason is simply time-to-market, in which systemd excels. It comes with an optional load of useful embedded functionality unified with a single config system in a package that can be smaller than competing solutions like Busybox.


                Originally posted by caligula:
                Now, systemd expects glibc and refuses to work with other libc implementations
                No, it just expects that other glibc implementations have the same glibc extensions that they use. uClibc-ng is working on that so it will probably replace Musl everywhere in the embedded world, since the Musl lead developer is a foaming-at-the-mouth systemd-hater and probably will refuse patches that support systemd, even if they become Posix standard.

                You can still use any libc implementation that you want with systemd, it is just that Upstream won't accept patches that turn off the security features it uses from glibc, and that are lacking in Musl.



                Originally posted by caligula:
                Finally, even if OpenWRT adopts systemd, the user won't gain any significant improvements. Maybe if he/she plans to run containers and hotplug stuff, but otherwise it's all just bloat with no improved functionality.
                The security features of systemd alone are reason why systemd is a better choice; not a single existing alternative has a similar framework using seccomp, Ambient Capabilities, cgroups, Namespaces etc. It will provide much needed hardening of Internet facing services. systemd is also an excellent choice for making further sandboxing and containerization of user-space programs.

                Socket activation also means that services that aren't needed aren't running either, freeing both memory and CPU time. E.g. a https-server may be needed for 10 minutes while the user configures the device, and then perhaps not used for years afterwards. Why should it be running in all that time?

                systemd's new "Portable Services" also have interesting applications for the embedded world since they are fully self-contained services. They can enable the user to make the system download and install a particular service like a web-management tool, or a log analyzer, or an "iPhone-to-device" service, and then purge them after use with no traces left.
                It is of course extremely useful for embedded devices since it will allow them to update their user-facing services without re-flashing the entire system.


                Originally posted by caligula:
                So the majority of embedded / IoT devices definitely won't ever ship with enough storage for Linux and systemd.
                Those devices that are too small for Linux with systemd are too small for Linux using Busybox too. Very simple devices don't need user-space at all. People have started making the entire system one big monolithic binary that runs as pid 1 with statically linked libs, and actually built into the kernel itself in initramfs: no user space, no init. See the Soletta Project for examples.


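                As an added illustration of the seccomp, capability, namespace and socket-activation features discussed in #37 (this is example configuration written for this thread, not anything from systemd, OpenWRT or a poster): a weak unit for a hypothetical device management UI beside the same service hardened and socket-activated. The binary name `admin-httpd`, the unit names and the state directory are assumptions.

```ini
# --- Before (typical embedded unit): runs as root, no confinement, resident
# --- for the lifetime of the device even if the UI is used once.
# [Service]
# ExecStart=/usr/bin/admin-httpd --port 443

# --- After, file 1: /etc/systemd/system/embedded-admin.socket
# systemd owns the listening socket; the service is started on the first
# connection and can exit when idle, so it is not running for years of non-use.
[Unit]
Description=Socket for the device's HTTPS management UI

[Socket]
ListenStream=443
Accept=no

[Install]
WantedBy=sockets.target

# --- After, file 2: /etc/systemd/system/embedded-admin.service
[Unit]
Description=HTTPS management UI (socket-activated)
Requires=embedded-admin.socket

[Service]
ExecStart=/usr/bin/admin-httpd --systemd-socket
# Throwaway unprivileged uid allocated at start; no static account on the device.
DynamicUser=yes
NoNewPrivileges=yes
# Capabilities: the bound port-443 socket is handed in by systemd, so the
# service never needs CAP_NET_BIND_SERVICE; the bounding set is emptied.
CapabilityBoundingSet=
AmbientCapabilities=
# Mount namespace: read-only OS tree, private /tmp, no real /dev, no /home;
# the only writable location is a state directory owned by the dynamic user.
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectControlGroups=yes
StateDirectory=admin-httpd
# Seccomp: allow the generic service syscall set, deny privileged and
# resource-control groups, refuse non-native ABIs (e.g. 32-bit on a 64-bit SoC).
SystemCallFilter=@system-service
SystemCallFilter=~@privileged @resources
SystemCallArchitectures=native
# Further containment: no raw/packet sockets, no new namespaces, no W+X memory.
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=yes
MemoryDenyWriteExecute=yes
LockPersonality=yes
```

`systemd-analyze security embedded-admin.service` scores a unit's exposure and lists which of these settings are absent, which is the check to run before and after hardening; a `SystemCallFilter` that is too tight shows up as the service dying with SIGSYS in the journal.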

                • #38
                  Originally posted by starshipeleven:
                  Most ac routers have 128 or more MB RAM, btw.
                  Fixed that for you.

                  You are probably talking of crappy ac access points without a gigabit switch nor usb2/3 (the ones that aren't worth switching to custom firmwares anyway, and imho not even worth buying at all).
                  For example my netgear 6300v2 (wifi ac router) has like 128MB of flash and rolled off the assembly line like 4 years ago.
                  Let's ignore for a moment that it has a Broadcom SoC so its wifi ac isn't working in openwrt so I have to keep it with shitty dd-wrt that is still much better than very very very shitty stock firmware.

                  Stop drug abuse, OpenWRT can be compiled with glibc too and yes even with a basic systemd it will fit in a 128MB flash with AMPLE space to spare.
                  [..]
                  With glibc it uses more space but more than 30 Mib hell no.
                  [..]
                  Can you please stop hallucinating on things you don't know?
                  I'm still pretty sure you're the one who is hallucinating here. Please take a look at OpenWRT wiki to see what's the status of 802.11ac and other routers. You're so totally clueless I'm not even sure where to start. Most/all MIPS/ARM boards ship with 4x gigabit LAN switch and USB2. They've had both for ages. USB3 is very rare. Routers have had gigabit switches for almost 10 years now. Even mid-price devices. However, they often only have 4-16 MB of NOR Flash. Want some examples? Take a look at TP-Link devices. They're very popular. The wiki is full of similar devices. Only the few most expensive high end routers (price > $250) have usb3 and dual core and 64+ MB of flash, but aren't even supported by OpenWRT. A majority of routers don't have. You clearly have no idea here.



                  • #39
                    Originally posted by starshipeleven:
                    Most ac routers have 128 or more MB, btw. You are probably talking of crappy ac access points without a gigabit switch nor usb2/3 (the ones that aren't worth switching to custom firmwares anyway, and imho not even worth buying at all).
                    If you don't want to visit the OpenWRT wiki, here's a list I collected that shows the specs for each device supported by the latest OpenWRT along with averages and maximums for Flash and RAM. https://postimg.org/image/pgg1ac6mx/



                    • #40
                      Originally posted by caligula:
                      I'm still pretty sure you're the one who is hallucinating here.
                      All other points you raised apart from this are considered conceded then?

                      Please take a look at OpenWRT wiki to see what's the status of 802.11ac and other routers.
                      Here, table of hardware for you, filtering routers with 128MB https://wiki.openwrt.org/toh/views/t...+MB*%7E%5D=128
                      There is a buttload with 128MiB, like 70 units if I filter out the NAS and other stuff.
                      Sure most aren't supported yet or fully (usually there is no ac), but that's normal for ac routers. Only atheros ones have decent support.

                      Most/all MIPS/ARM boards ship with 4x gigabit LAN switch and USB2. They've had both for ages.
                      USB isn't that common in midrange routers. Sadly the ToH has inconsistent data for USB (some are listed as "", some are listed as "-", some as "1x2.0", some as "yes") so it's not easy to post a link with that.
                      Routers have had gigabit switches for almost 10 years now. Even mid-price devices.
                      Was talking of access point devices. Access point devices aren't routers and usually don't need a gbit switch (or even gbit eth at all for that matter) because they are access point devices.
                      this for devices with a single gbit port

                      this for devices with a single 100eth port

                      total around 200 devices.
                      However, they often only have 4-16 MB of NOR Flash. Want some examples? Take a look at TP-Link devices. They're very popular. The wiki is full of similar devices.
                      Yeah, even their top ones have shit storage. So what?
                      https://wiki.openwrt.org/toh/views/t...dataflt%5BBran d%2A~%5D=tp-link

                      Only the few most expensive high end routers (price > $250) have usb3 and dual core and 64+ MB of flash, but aren't even supported by OpenWRT. A majority of routers don't have. You clearly have no idea here.
                      Yeah, right, if you look at the first ToH link you'll see many that aren't > $250 but still have ample storage from Asus, Buffalo, Linksys, and others.

                      We weren't talking about full hardware support from LEDE but just about availability of new hardware with decent storage, so I'm not going to give a shit if many are partially supported or WIP or whatever.

                      here's a list I collected that shows the specs for each device supported by the latest OpenWRT along with averages and maximums for Flash and RAM. https://postimg.org/image/pgg1ac6mx/
                      plz learn to use the ToH n00b.
