<    March 2017    >
Su Mo Tu We Th Fr Sa  
          1  2  3  4  
 5  6  7  8  9 10 11  
12 13 14 15 16 17 18  
19 20 21 22 23 24 25  
26 27 28 29 30 31
00:19 laj joined
00:34 hairyhenderson joined
00:49 czart joined
01:12 minimalism joined
01:14 blueness joined
01:15 mikeee_ joined
01:21 blueness joined
01:25 tty` joined
01:46 minimalism joined
01:57 leitao joined
02:47 s33se joined
03:55 Emperor_Earth joined
03:57 czart_ joined
04:55 <pickfire> Weird, how come /usr/sbin/sendmail is symbolic link to /bin/busybox and /bin/busybox is a dynamic binary, I thought /sbin stuffs are static?
04:57 <pickfire> Oh, I think it's my mistake.
04:58 <pickfire> It's system binary instead of static binary
06:03 fabled joined
06:16 <TemptorSent> 'evening fabled.
06:16 <TemptorSent> lddtree is giving me fits again and I don't know why.
06:17 <TemptorSent> Any recent changes that would have impacted it?
06:17 <fabled> hi
06:17 <fabled> not that i know of
06:18 <TemptorSent> Hmm, well it had been working happily with mkinitfs, and now, not so much -- I'm trying to see if I'm triggering something or what.
06:19 <TemptorSent> Hmm, looks like there's a bump to both scanelf and pax-utils available..
06:23 <TemptorSent> I *think* I may have found it, mkinitfs is passing it a null value for the target elf.
06:24 <TemptorSent> Which probably means something in the input directory structure is fubar.
06:30 vakartel joined
06:33 <TemptorSent> Same error on the command line.
06:46 cyteen joined
06:49 <kaniini> https://github.com/alpinelinux/aports/pull/1019
06:49 <kaniini> one has to ponder the implications of this
06:50 <kaniini> audit is something that is only really effective if it is part of the base system (so that things can build-dep on it and make use of it)
07:06 <TemptorSent> *facepalm* I don't think we really want to use the features directory of the basedir by default in mkinitfs, especially if it doesn't exist!
07:37 <TemptorSent> features_files is returning nothing...
07:46 <TemptorSent> Damn, that's two complete days wasted trying to figure this out so far and nothing jumping out at me still.
08:02 ncopa joined
08:02 ncopa joined
08:08 <TemptorSent> I just want it to work now, I'll rewrite that part later!
08:10 <kaniini> ncopa: as a docker person, do you know why docker wants us to ship support for auditd?
08:10 <* kaniini> is mostly concerned about it being (a) done right, and (b) not rotting
08:16 <ncopa> hi
08:16 <ncopa> kaniini: where they want us to ship auditd?
08:18 <_ikke_> ncopa: https://github.com/alpinelinux/aports/pull/1019
08:18 <ncopa> ah
08:18 <ncopa> audit
08:18 <ncopa> for selinux
08:18 <ncopa> docker uses alpine userspace
08:18 <ncopa> with their own kernel
08:19 <ncopa> and they are looking into selinux
08:20 <kaniini> so they will support this work in upstream alpine?
08:20 <ncopa> yes
08:20 <ncopa> well, they want the tools in upstream
08:21 <ncopa> it will not work with the alpine kernel
08:21 <kaniini> auditd on its own should function with the alpine kernels
08:21 <ncopa> ok thats good
08:21 <ncopa> i can do maintenance on that
08:21 <kaniini> it wont do much of anything useful since it would need selinux or some other containment system
08:21 <ncopa> i need to go now, will be afk for half day at least
08:22 <kaniini> but it would log the events no problem
08:22 <kaniini> okay
08:22 <kaniini> well #1019 needs an initscript anyway
08:22 <algitbot> Bug #1019: [v2.2] Vulnerability (hash tables) in apr &lt; 1.4.6 may allow remote denial of service - Alpine Linux - Alpine Linux Development: http://bugs.alpinelinux.org/issues/1019
08:22 <ncopa> we can push the binary to testing and add initscript later
08:22 <ncopa> see u later
08:23 <kaniini> kk
08:28 tty` joined
08:29 <kaniini> ncopa: pushed
08:29 <kaniini> i think it should go to main/, but indeed, selinux is probably not something we are likely to support in alpine proper
08:29 <kaniini> apparmor makes more sense for us on linux-vanilla
08:30 <kaniini> (and possibly on grsec too)
08:36 t0mmy joined
08:37 <* kaniini> zzz
08:40 volleyper joined
08:43 volleyper joined
08:47 volleyper joined
09:00 t0mmy joined
09:03 al3hex_ joined
09:13 s33se joined
09:16 al3hex joined
09:17 <TemptorSent> What would cause apk to throw a bad file descriptor on fetch?
09:18 <TemptorSent> Ahh, never mind -- non-existent output directory.
09:32 grrrkit joined
09:37 fekepp joined
09:52 volleyper joined
10:36 vakartel joined
10:48 nlf joined
10:51 NightKhaos joined
11:56 leitao joined
12:08 <TemptorSent> ls
12:08 ferseiti joined
12:09 <^7heo> pwd
12:10 <skarnet> kill -9 -1
12:12 <^7heo> v_v
12:12 <^7heo> savage.
12:12 <TemptorSent> *lol* Sorry, flipping terms trying to track down the last bugglets.
12:16 fekepp joined
12:17 farosas joined
12:29 pavlix joined
12:38 leo-unglaub joined
13:27 <jirutka> https://github.com/ers35/luastatic this allows to compile Lua program, including native extensions, into single binary, both dynamically linked with libc or completely statically linked against musl; hello world compiled against lua5.3 and dynamically linked against libc has just 220 kiB (compare it with Go… ;) ) :)
13:27 <jirutka> Lua is so awesome!
13:27 <^7heo> yeah Lua is pretty cool.
13:28 <^7heo> You know what sucks tho?
13:28 <^7heo> My connection. v-v
13:28 <^7heo> v_v*
13:28 <jirutka> heh
13:28 <jirutka> I’m on academic network now, 1 Gbps :P
13:28 <^7heo> (I typed all of this in one go without any printing back to my screen, sorry for the botched smiley)
13:28 <^7heo> I'm on consumer-DSL network, 1kbs.
13:29 <^7heo> kbps even.
13:29 <jirutka> almost direct connection into NIX.CZ (main peering point in CZ)
13:29 <^7heo> nice.
13:29 leo-unglaub joined
13:29 <jirutka> but it has also downside, the network is monitoring, for example you can’t download any torrents
13:30 <jirutka> otherwise you’ll be banned pretty soon
13:30 <jirutka> but never mind, I don’t download movies at work
13:30 <^7heo> you mean "monitored"
13:30 <jirutka> s/monitoring/monitored/
13:30 <^7heo> yeah
13:31 <^7heo> in .de you just don't download torrents.
13:31 <^7heo> it's just a bad idea
13:45 <jirutka> hm, abuild -K does not work in HEAD
13:50 volleyper joined
13:51 <^7heo> try abuild -D HEAD
13:51 <* ^7heo> hides
13:53 <jirutka> what?
13:54 <^7heo> it was a stupid joke, nevermind.
14:01 ferseiti joined
14:10 ncopa joined
14:10 ncopa joined
14:56 minimalism joined
15:09 leo-unglaub joined
15:34 minimalism joined
15:36 <tmh1999> ^7heo : lol
15:41 fcolista joined
15:45 leo-unglaub joined
16:37 stateless joined
17:24 vakartel joined
17:54 <kaniini> ^7heo: thats why you live in some place like norway where you can basically do whatever you want
17:54 <kaniini> :p
17:57 <skarnet> like shiver in the winter?
17:57 <kaniini> you can even own a giant pickup truck with a rebel flag on it in norway and not get looked at like a weirdo
17:57 <kaniini> that's more free than america
17:58 <skarnet> don't get me wrong, scandinavia is great
17:58 <skarnet> but what do you do in the winter when it's dark at 3pm and freezing?
17:58 <^7heo> kaniini: :D
17:59 <^7heo> skarnet: you drink.
17:59 <^7heo> skarnet: all you find.
17:59 <^7heo> skarnet: and eat lots of shit
17:59 <kaniini> skarnet: you go to barbados for the entire winter
17:59 <kaniini> c/o norway government
17:59 <kaniini> michael moore told me this so it must be true
17:59 <^7heo> yeah a LOT of people here go to the south for the whole winter.
18:00 <^7heo> it's barely okay to stay here inside.
18:00 <kaniini> oh wait, you guys probably dont know who michael moore is
18:00 <skarnet> ...
18:00 <skarnet> it's Europe here
18:00 <kaniini> he is a political commentator who makes movies
18:00 <kaniini> where he basically BSes half of it
18:00 <skarnet> we actually know who American people are
18:00 <skarnet> you're thinking the other way around: Americans don't know shit outside of their own country
18:01 <kaniini> that largely is true
18:01 <kaniini> also norway prisons look pretty posh
18:01 <kaniini> even the high security one looks way nicer than any i've seen on TV in america
18:01 <skarnet> I don't intend on visiting one
18:02 <kaniini> yeah, the whole you cant leave aspect does seem problematic
18:04 BitL0G1c joined
18:08 <kaniini> skarnet, ^7heo so what is your opinion on europe's main cultural export to america: DJ Bobo?
18:08 <kaniini> ok ok, of the 1990s anyway
18:10 <skarnet> if he really is the main cultural export, then we're in trouble
18:10 <clandmeter> /o/
18:10 <clandmeter> \o\
18:11 <skarnet> anyway he's Swiss, that's not Europe
18:11 <jirutka> kaniini: when you merge some pull request, you can modify the patches, like fixing whitespaces or squashing, github-pr-closer is able to detect even modified PRs
18:13 <kaniini> jirutka: that was more a test of how committed docker is to seeing this go in
18:13 <kaniini> jirutka: as in, "hey there's an initscript that is needed, but while youre at it, please fix the indentation" :p
18:13 <jirutka> aha
18:14 <ncopa> and there i added init.d script
18:15 <kaniini> :P
18:15 <kaniini> audit was already on my todo list anyway, because i want to integrate apparmor
18:15 <ncopa> i just copied the gentoo init.d script
18:15 <kaniini> should be fine
18:15 <jirutka> btw I’d like to add check for whitespaces into tests run on Travis, b/c I’m quite bored of telling that people over and over again… programmers should be intelligent people and still they can’t handle such stupid thing like tabs and spaces :(
18:15 <ncopa> maybe i could ask vakartel to clean it up
18:16 <ncopa> jirutka: good idea
18:16 <jirutka> ncopa: why apparmor?
18:16 <ncopa> and we could make some basic whitespace tests in abuild sanitycheck too
18:16 <kaniini> isn't vakartel
18:16 <ncopa> apparmor?
18:16 <kaniini> the guy who made that sshd init script you hate
18:16 <kaniini> lol
18:16 <ncopa> yeah
18:16 <ncopa> it is
18:16 <ncopa> well
18:17 <ncopa> i think much of his stuff is good
18:17 <jirutka> well…
18:17 <ncopa> probably most of it
18:17 <jirutka> I’m not so sure
18:17 <ncopa> the problem is big risky changes
18:17 <kaniini> that initscript seems bad reading through the PR
18:17 <ncopa> and break stuff without good reason
18:17 <ncopa> and break stuff way too often
18:17 <jirutka> he doesn’t know consequences of some of his actions
18:17 <kaniini> i would be irritated if i restarted sshd and got kicked out of my box
18:18 <kaniini> and that type of irritation would be something that would probably cause many people to reconsider using alpine
18:18 <jirutka> exactly
18:18 <kaniini> "they cant even make their SSH init work right"
18:18 <ncopa> ssh is special in that regard
18:18 <ncopa> needs to take extra care there
18:19 <ncopa> i didnt look too close to the package split parts
18:19 <ncopa> i think the 3 commits i did from his work should be more readable
18:19 <jirutka> and that’s why ncopa reviewed it thoroughly, isn’t it? sshd must work well
18:19 <kaniini> jirutka: as for why apparmor -- it provides similar hardening as grsecurity RBAC, and could be used on both grsec and vanilla kernels for that purpose
18:19 <ncopa> jirutka, kaniini: it would be great if you could review the 3 rebase commits
18:20 <ncopa> i dont want push without atleast one more (skilled) reviews it
18:20 <jirutka> kaniini: why not just use SELinux then?
18:20 <ncopa> i think apparmor is simpler
18:20 <kaniini> jirutka: apparmor is a lot easier to use and fits alpine philosophy way better than selinux :p
18:20 <ncopa> selinux is complicated
18:21 <jirutka> isn’t AppArmor Canonical project?
18:21 <kaniini> no
18:22 <kaniini> it comes from immunix (which was a debian distribution which had similar goals to alpine)
18:22 <kaniini> the apparmor team is mostly at suse now as i understand it
18:22 <jirutka> aha
18:22 <ncopa> i thought i filed a bug for apparmor and musl
18:23 <ncopa> it fails on scandirat
18:24 <kaniini> selinux makes more sense for docker than apparmor though
18:24 <kaniini> because you can label the containers
18:24 <kaniini> for further confinement
18:25 <ncopa> the launchpad.net bugtracker is worse than our redmine...
18:26 <ncopa> i cannot find the bug i filed
18:26 <jirutka> launchpad.net is horrible
18:26 <ncopa> https://bugs.launchpad.net/apparmor/+bug/1671857
18:26 <jirutka> not just as bug tracker
18:26 <ncopa> it feels sluggish too
18:26 <kaniini> yes pretty much everything about launchpad is crap
18:26 <jirutka> kaniini: ^ +1
18:27 <ncopa> apparmor$ tpaste < APKBUILD
18:27 <ncopa> http://tpaste.us/7BgB
18:27 <ncopa> apparmor$ tpaste < musl-fixes.patch
18:27 <ncopa> http://tpaste.us/1vJ0
18:27 <ncopa> in case someone want to continue on it
18:28 <kaniini> i will just pay dalias to implement scandirat() as i did rtld_lazy ;)
18:28 <ncopa> you paid him for that
18:28 <kaniini> yes
18:28 <ncopa> thats awesome
18:29 <ncopa> thank you for doing so
18:29 <jirutka> kaniini: btw how it goes with vanilla kernel? I’d like to have linux-virtvanilla
18:29 <kaniini> jirutka: i am hoping to get a virt profile for vanilla into 3.6 :)
18:29 <kaniini> but
18:30 <kaniini> the way we do kernels is really, i don't know
18:30 <kaniini> we need to clean it up somehow
18:30 <jirutka> agree
18:30 <jirutka> the current state is total mess :/
18:30 <ncopa> talked with fabled about kernel config the other day
18:30 <ncopa> managing kernel configs is not that easy
18:30 <ncopa> and yes its a mess
18:30 <kaniini> debian uses one source package for all of it
18:31 <jirutka> maybe this could help https://github.com/crossdistro/kernel-tools (by pavlix)
18:31 <kaniini> which may be how we ultimately have to do it
18:31 <kaniini> i dont know
18:31 <jirutka> but I haven’t looked into it yet
18:31 <ncopa> i think gentoo also has a source package
18:31 <ncopa> at least the used to
18:31 <jirutka> uff, linux-vanilla 8.5 MiB… I’d probably just build my own kernel
18:32 <kaniini> grsec is same size no?
18:32 <ncopa> :-o
18:32 <ncopa> 8.5MB!
18:32 <ncopa> thats huge
18:32 <jirutka> kaniini: no, b/c I use virtgrsec
18:32 <jirutka> and I’m not even talking about dozens of useless modules…
18:32 leo-unglaub joined
18:32 <kaniini> how large is virtgrsec?
18:32 <jirutka> 3.8 MiB
18:33 <kaniini> i am pretty sure we can shrink vanilla down like that
18:35 <ncopa> btw, i wonder if someone has experience with dnssec-root
18:35 <ncopa> the root-anchors.xml thingy
18:35 <jirutka> kernel-3.7.5-hardened-quest-v1 … 3.7 MiB – that’s my custom kernel I used in VMs, no modules
18:36 <ncopa> http://tpaste.us/pQrW
18:36 <ncopa> icann publised new .xml
18:36 <ncopa> the cmp root-anchors.txt check we have in the APKBUILD fails now
18:37 <kaniini> my ultimate goal is to replace linux-grsec with linux-hardened that is just upstream PaX + AppArmor, while linux-vanilla is without PaX
18:37 <kaniini> this solves 'the grsec problem'
18:37 <ncopa> can you get the PaX patches separately?
18:37 <kaniini> yes, he is releasing separately again
18:37 <ncopa> aha
18:38 <ncopa> i saw the vmware mini distro uses it
18:38 <jirutka> * Starting networking ...
18:38 <jirutka> * br0 ...
18:38 <jirutka> ip: RTNETLINK answers: File exists [ !! ]
18:38 <jirutka> * ERROR: net.br0 failed to start
18:38 <ncopa> photon or what they call it
18:38 <jirutka> what the heck is wrong with that :/
18:38 <jirutka> it creates bridge, I can see it in brctl show, but still it exists with this
18:39 <ncopa> jirutka: try --debug
18:39 <kaniini> file exists usually means there is a duplicate route or ip
18:39 <jirutka> that’s not the case
18:40 <jirutka> aah, I’m stupid
18:42 <jirutka> obviously, I should not set gateway when creating a standalone bridge…
18:43 <ncopa> kaniini: where are the pax patches released?
18:43 <kaniini> ncopa: https://www.grsecurity.net/~paxguy1/pax-linux-4.9.13-test6.patch
18:44 <ncopa> right
18:45 <ncopa> they just dont publish the stable pax patch
18:45 <ncopa> seems like there are fragments of it here: https://github.com/vmware/photon/tree/master/SPECS/linux
18:46 <kaniini> from what i have been told, it is basically the same as what we publish now
18:47 <ncopa> they take the free patch and rebase?
18:47 <kaniini> yes
18:47 <ncopa> ok
18:49 <ncopa> what i'd like is feature to disable pax protections per container
18:51 <kaniini> yes, that would be nice for docker hosts and lxc/lxd hosts
18:51 <kaniini> looks like adding scandirat(3) to musl is pretty easy
18:51 <ncopa> ah nice
18:52 <ncopa> i was thinking adding #ifndef HAVE_SCANDIRAT
18:52 <ncopa> and inthere have a copy of musl scandir with the "at" fd
18:53 <kaniini> that is another way we could go
18:53 <ncopa> dalias said it might make sense to add scandirat to musl
18:54 <skarnet> what exactly requires scandirat?
18:54 <ncopa> apparmor
18:54 <skarnet> sounds like a good reason not to use it
18:56 fekepp joined
19:24 <kaniini> skarnet: while i do not personally like scandir()/scandirat(), apparmor + pax is a viable replacement to what we currently ship as grsec
19:32 leo-unglaub joined
19:49 <jirutka> ncopa: please look into #alpine-commits, linux-grsec failed on armhf
19:50 <kaniini> looks like config needs updating
19:55 StarWarsFan|afk joined
19:57 grrrkit joined
20:03 blueness joined
20:07 <TemptorSent> Speaking of kernel configs, I think the ability to roll vm-host-specific kernels would yield the smallest containers reasonably possible, especially if the modules could be avoided entirely for base configs. Specifically I'm working on a virtio-only target with no other drivers that aren't necessary.
20:15 blueness joined
20:42 <pavlix> ncopa: Gentoo has a source-only package but I have a full Gentoo package building a binary kernel and initramfs.
20:42 <pavlix> ncopa: Plus I was somewhat involved in Fedora DNSSEC initiatives.
21:13 <jirutka> kaniini: ^
21:13 czart joined
21:16 <jirutka> TemptorSent: you mean VMs, not containers…? b/c you don’t need (and actually can’t have) own kernel inside a container
21:18 blueness joined
21:21 <TemptorSent> jirutka: Sorry, you're correct -- a VM PROVIDING containers to be correct.
21:22 <TemptorSent> jirutka: LXC on KVM being the concept.
21:23 t0mmy joined
21:23 <TemptorSent> jirutka: So a single VM may contain several interrelated contanerized apps, but be isolated from any other VM
21:25 <jirutka> TemptorSent: yeah, I have this setup on vpsFree :P
21:25 <jirutka> TemptorSent: LXC containers inside QEMU/KVM machine that runs inside OpenVZ container
21:25 <jirutka> because, you know, we must to go deeper :P
21:29 <TemptorSent> jirutka: For me, the interesting thing is the ability to migrate VMs while keeping the actual containerization environment as light as possible.
21:30 <TemptorSent> jirutka: Plus the ability to have control over the kernel, which is sometimes necessary.
21:38 <mitchty> so i preordered one of these https://www.solid-run.com/marvell-armada-family/armada-8040-community-board/ hoping it should be fairly easy to get alpine linux running on it
21:41 blueness joined
21:43 <mitchty> or does the aarch64 stuff already support the uefi arm boot stuff already and I just never noticed?
21:46 <TemptorSent> mitchty: I'm not sure on the arm uefi stuff, it should be straightforward to add if the standard config doesn't work.
21:47 <mitchty> TemptorSent: cool, it looks like the new arm server type boards have a pretty standard setup though, so supporting this should mean the others work from what i've read
21:49 <mitchty> but 16GiB of ram ecc even on an arm 64 board would be ideal
21:51 <TemptorSent> mitchty: Let me know when you've got HW to test on.
22:08 <TemptorSent> jirutka: Please take a look at the latest rev on my PR - it integrates the update-kernel functionality and will make it easy to trim the modloop.
22:09 <jirutka> what PR?
22:18 <TemptorSent> https://github.com/TemptorSent/aports/tree/mkimage-refactor-scripts/scripts/mkimage
22:22 <TemptorSent> jirutka: The one based on that ^^^
22:42 LouisA joined
23:22 LouisA joined
23:25 blueness joined
23:57 <kaniini> pavlix: what are your thoughts on cleaning up kernel APKBUILDs at alpine?