Can mkosi replace Kickstart / Calamares?
Hi,

I am maintaining a systemd, Debian-based Linux distribution (Kicksecure) and am considering moving to mkosi as the "base image creation tool". It seems mkosi is a fine OS image builder. With systemd-repart, you even solved the resizing of partitions at the first boot, which is magic.

Suppose a Linux distribution is providing an OS image that can be written to USB. Maybe soon, even to a CD/DVD. [1]

Suppose that OS image is supposed to be able to act as an installer, so the user can use it to install it on an internal hard drive. Is something like Kickstart or Calamares still required?

It seems (at least Calamares, whose code I am reading) is kind of "yet another OS image builder". It doesn't build an image but instead writes to a hard drive. However, I find it problematic that a lot of code (creating partition tables, creating file systems, making bootable) is duplicated. [2]

Do you have any suggestions? Did you envision replacing installers, or do you already have tools for that?

Cheers,
Patrick

[1] https://github.com/systemd/systemd/issues/28798

[2] But what about installer questions, customization such as time zone, keyboard layout? I think the crucial question for an installer is the target drive, and that's it. Perhaps partitioning and file system choices, but that is more for geeks. How about time zone, keyboard layout? Valid points. But I think those would be better handled through a first-boot GUI wizard.
[systemd-devel] systemd unit file to remount /home /tmp /dev/shm /run with nosuid, nodev
Hello,

A script to remount /home /tmp /dev/shm /run (configurable) with nosuid,nodev (+noexec configurable) has been created by me. The purpose of remounting is increasing the security of the system. The script shall run as early as reasonably possible during boot.

The systemd unit file [1] and script [2] are attached below in a simplified version, with links to the actual versions. [3] [4]

This is planned to be enabled by default in a Debian derivative Linux distribution.

The issue with the systemd unit file is that it runs the script while other scripts are run, and it seems like "mount -o nosuid,nodev --bind /tmp /tmp" is non-atomic. By that I mean, other scripts (run by other systemd unit files) that require /tmp are experiencing a split second or so where /tmp is non-writeable and therefore fail. Various race conditions are possible and one was already experienced.

How to solve that?

Not using '/etc/fstab.d' because the fstab '.d' folder does not exist yet. [5]

Not using '/etc/fstab' because that is non-ideal for a derivative Debian Linux distribution. [6]

a) The remount-secure.service unit file should run alone. Non-parallel. Until remount-secure.service is done, no other systemd unit files should be run. Is that possible with systemd?

b) The remount-secure.service should add a reverse dependency to most other systemd unit files which is saying "After=remount-secure.service". Is that possible?

c) Could the systemd unit file express "do this right after systemd is done with the usual file system mounting" but still? Which service or target would that be? 'Before=local-fs.target' and 'After=systemd-remount-fs.service'?

d) Or remount-secure.service should not exist and instead be a drop-in configuration file snippet '/lib/systemd/system/systemd-remount-fs.service.d/30_remount-secure.conf' using 'ExecStartPost=/usr/lib/security-misc/remount-secure'?

e) Any other solution?
Kind regards,
Patrick

[1]
[Unit]
Description=remount /home /tmp /dev/shm /run with nosuid,nodev (default) and noexec (opt-in)
Documentation=https://github.com/Whonix/security-misc
DefaultDependencies=no
Before=sysinit.target
Requires=local-fs.target
After=local-fs.target
After=qubes-sysinit.service

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/security-misc/remount-secure

[Install]
WantedBy=sysinit.target

[2]
mount -o remount,nosuid,nodev /home
mount -o remount,nosuid,nodev /run
mount -o remount,nosuid,nodev /dev/shm
mount -o nosuid,nodev --bind /tmp /tmp

[3] https://github.com/Whonix/security-misc/blob/master/lib/systemd/system/remount-secure.service

[4] https://github.com/Whonix/security-misc/blob/master/usr/lib/security-misc/remount-secure

[5] https://github.com/systemd/systemd/issues/12506

[6] Confusing question for users who upgrade or make changes to the file. (dpkg interactive conflict resolution dialog)

___ systemd-devel mailing list systemd-devel@lists.freedesktop.org https://lists.freedesktop.org/mailman/listinfo/systemd-devel
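A check for the result of the remount, as an added example that is not part of the security-misc project: it parses text in /proc/self/mountinfo format (field 5 is the mount point, field 6 the per-mount options) and reports which of the targeted mount points lack nosuid or nodev. The function names and the sample mountinfo text are constructed for this example.

```sh
#!/bin/sh
# Added example, not from security-misc: audit whether the mount points that
# remount-secure targets really carry the expected options, by reading text in
# /proc/self/mountinfo format (field 5 = mount point, field 6 = mount options).

# check_mount_opts MOUNTINFO MOUNTPOINT OPT[,OPT...]
# Returns 0 if every listed option is set on MOUNTPOINT, 1 otherwise.
# The last entry for a mount point wins: "mount --bind /tmp /tmp" stacks a
# second entry on top of the original, and only the top one is effective.
check_mount_opts() {
    mountinfo=$1; mp=$2; required=$3
    opts=$(printf '%s\n' "$mountinfo" |
           awk -v mp="$mp" '$5 == mp { o = $6 } END { print o }')
    [ -n "$opts" ] || { echo "$mp: not mounted"; return 1; }
    rc=0
    for want in $(printf '%s' "$required" | tr ',' ' '); do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "$mp: missing $want"; rc=1 ;;
        esac
    done
    return $rc
}

# audit_mounts MOUNTINFO OPT[,OPT...] MOUNTPOINT...
# Returns 1 if any of the mount points fails the check, 0 if all pass.
audit_mounts() {
    mi=$1; req=$2; shift 2
    status=0
    for target in "$@"; do
        check_mount_opts "$mi" "$target" "$req" || status=1
    done
    return $status
}

# Constructed sample (not a real system): /tmp has been bind-mounted over
# itself with nosuid,nodev, /dev/shm is fine, /run lacks nodev, /home both.
SAMPLE_MOUNTINFO='25 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
36 25 0:31 / /tmp rw,relatime shared:5 - tmpfs tmpfs rw
40 36 0:31 / /tmp rw,nosuid,nodev,relatime shared:5 - tmpfs tmpfs rw
37 25 0:23 / /dev/shm rw,nosuid,nodev shared:6 - tmpfs tmpfs rw
38 25 0:24 / /run rw,nosuid,relatime shared:7 - tmpfs tmpfs rw,mode=755
39 25 8:2 / /home rw,relatime shared:8 - ext4 /dev/sda2 rw'

# On a live system:
#   audit_mounts "$(cat /proc/self/mountinfo)" nosuid,nodev /home /tmp /dev/shm /run
```

Run against the live mountinfo from a unit ordered after remount-secure.service, a non-zero exit tells you the remount did not take effect on one of the listed paths.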
[systemd-devel] How to have systemd --user instance share the same environment variables as the X server?
Being on Debian stretch (Qubes). The display manager there does not yet get started by systemd --user.

I find it useful to convert /etc/xdg/autostart/app.desktop files to systemd --user unit files. Therefore the environment variables have to be sorted out.

On any Linux we would have to set at least DISPLAY as well as XAUTHORITY. On Qubes however, we need a few more environment variables. We need also QT_X11_NO_MITSHM=1 and may need a few other ones.

Now, before I go through them manually and then have this break in future when more/different environment variables are needed... Is there a way to have the systemd --user session share the same variables as the X server?

Writing a parser for /etc/X11/Xsession.d/ seems wrong. Am I missing some tool to do that?

Would I add something like this?

ExecStartPre=dbus-update-activation-environment --systemd --all

Best regards,
Patrick
[systemd-devel] Can a systemd --user instance rely on After= of systemd --system instance?
Hi,

I read that a systemd --user instance cannot use Requires=. But what about After=? Can a systemd --user instance use After=some-system.service?

Cheers,
Patrick
[systemd-devel] redirect multiple local ports to corresponding remote IPs / ports?
The systemd directive ListenStream and systemd-socket-proxyd are really useful.

Let's say I want to redirect...

ListenStream=80
ListenStream=81
etc.

ExecStart=/usr/lib/systemd/systemd-socket-proxyd

Is there during ExecStart some way to get the ListenStream port? I.e.

ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.152.152.10:${PORT}

I mean, if

- ListenStream=80 -> ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.152.152.10:80
- ListenStream=81 -> ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.152.152.10:81

etc.

Or can there be a wrapper that has access to the ListenStream port number?

If you are wondering what I am trying to do... I am trying to port anon-ws-disable-stacked-tor from loads of mostly idle socat listeners to systemd socket activation. Ideally, rather elegantly without one systemd unit file per port redirection. [1] [2] [3] [4]

Best regards,
Patrick

[1] https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/etc/anon-ws-disable-stacked-tor.d/30_anon-dist.conf

[2] https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/lib/systemd/system/anon-ws-disable-stacked-tor.service

[3] https://github.com/Whonix/anon-ws-disable-stacked-tor/blob/master/usr/lib/anon-ws-disable-stacked-tor/socat-unix-sockets

[4] https://github.com/Whonix/anon-ws-disable-stacked-tor
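One way to avoid a hand-written unit per port, as an added example that is not part of anon-ws-disable-stacked-tor: a templated socket/service pair in which the instance name %i serves as both the local listen port and the remote port. The unit name proxy-to-gateway@ is an assumption; the target address 10.152.152.10 is the one used in the post.

```ini
# /etc/systemd/system/proxy-to-gateway@.socket  (hypothetical unit name)
[Unit]
Description=Socket-activated proxy for local port %i

[Socket]
# %i is the instance name, so proxy-to-gateway@80.socket listens on port 80
ListenStream=%i

[Install]
WantedBy=sockets.target

# /etc/systemd/system/proxy-to-gateway@.service  (same instance name)
[Unit]
Description=Forward local port %i to 10.152.152.10:%i
Requires=proxy-to-gateway@%i.socket
After=proxy-to-gateway@%i.socket

[Service]
# systemd passes the listening socket to the proxy; the instance name
# supplies the matching remote port, so no per-port unit file is needed.
ExecStart=/usr/lib/systemd/systemd-socket-proxyd 10.152.152.10:%i
```

One instance per port is then enabled with, for example, systemctl enable --now proxy-to-gateway@80.socket proxy-to-gateway@81.socket; the service is only started when a client connects.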
Re: [systemd-devel] How to securely load a firewall before networking gets up?
Thank you! I forwarded your review in form of bug reports to the affected projects. [1] [2]

Lennart Poettering:
> On Thu, 28.07.16 17:29, Patrick Schleizer (patrick-mailingli...@whonix.org) wrote:
>
>> TLDR:
>>
>> How to securely load a firewall before networking gets up?
>>
>> Can you provide a secure, recommended or even canonical example of such
>> a firewall.service?
>
> See https://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

With all due respect, I do not think this is a case of read the manual here. I did read that also before posting this question. I am sure also rustybird, the author of the second systemd unit file I posted in this subject, also read that before. As rustybird (who also once submitted a systemd patch wrt network-pre.target) pointed out, the author of netfilter-persistent also got it wrong. [1]

Having explained this, I would like to reiterate my request... Can you provide a secure, recommended or even canonical example of such a firewall.service?

Cheers,
Patrick

[1] https://github.com/rustybird/corridor/issues/29

[2] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=832911

[3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640
[systemd-devel] How to securely load a firewall before networking gets up?
TLDR:

How to securely load a firewall before networking gets up?

Can you provide a secure, recommended or even canonical example of such a firewall.service?

Long:

Various people have come up with different implementations, and the systemd.special documentation makes me wonder if my own interpretation would be ideal. Why not WantedBy=network-pre.target?

# firewalld.service (from Debian package)
[Unit]
Description=firewalld - dynamic firewall daemon
Before=network.target
Before=libvirtd.service
Before=NetworkManager.service
Conflicts=iptables.service ip6tables.service ebtables.service

[Service]
ExecStart=/usr/sbin/firewalld --nofork --nopid
ExecReload=/bin/kill -HUP $MAINPID
# supress to log debug and error output also to /var/log/messages
StandardOutput=null
StandardError=null
Type=dbus
BusName=org.fedoraproject.FirewallD1

[Install]
WantedBy=basic.target
Alias=dbus-org.fedoraproject.FirewallD1.service

# corridor-init-forwarding.service.in (by corridor package)
[Unit]
Description=corridor's forwarding
After=iptables.service systemd-sysctl.service
Before=network-pre.target
Wants=network-pre.target

[Service]
ExecStart=SBIN/corridor-init-forwarding
ExecStop=SBIN/corridor-stop-forwarding
Type=oneshot
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
RequiredBy=systemd-networkd.service
[systemd-devel] understanding systemd ordering vs dependencies
Hi!

I am trying to understand systemd ordering vs dependencies.

When I am already using Wants=, why should I also add After=?

When I am already using After=, why should I also add Wants=?

Is systemd ordering with Before= and After= more about speed concerns? Such as, for example, to express "I want the webserver running before the backup service", so I added After=apache2.service for my custom backup systemd service.

Is systemd ordering with Before= and After= not "as strictly" adhered to compared to Wants= and WantedBy=?

Before, I thought After= is effectively as good as Wants=, but this is apparently wrong?

Cheers,
Patrick
[systemd-devel] how to use per-user systemd --user services / how to replace /etc/xdg/autostart/app.desktop?
Hi!

I would like to replace some /etc/xdg/autostart/app.desktop files with systemd --user services. I believe these are better because then systemd keywords such as 'After=' etc. can be used.

Is this a use case systemd can be used for? Once the user logs in, the systemd --user service should start. Similar to how the /etc/xdg/autostart mechanism works.

Using Debian jessie (stable) with systemd package version 215-17+deb8u4.

How to do that? Is there any difference for a login console and an X session?

Nowhere on search engines did I find how to do that with Debian. I also asked the Debian systemd package maintainers a while ago [with instructions on what I did], but did not get an answer. [1]

Cheers,
Patrick

[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=820111
[systemd-devel] systemctl list failed daemons in computer-parsable format?
Hi,

Does systemctl or some other tool have a method to produce a computer-parsable format for failed systemd daemons?

Cheers,
Patrick