00:11 mdillon joined
00:12 blueness joined
00:15 kvda joined
00:19 Nobabs27 joined
00:36 emacsoma` joined
00:44 blueness joined
00:48 <emacsoma`> does anyone know anything about what will happen with the grsec kernel in alpine?
00:49 <dalias> i don't know specifics
00:49 <dalias> but the plan for a long time has been trying to get useful stuff merged upstream and getting away from grsec, i think
00:50 <dalias> disclosure: i'm not a fan of grsec
00:55 aw1 joined
00:56 BitL0G1c joined
00:59 <nwmcsween> should never have been imo
00:59 <dalias> ?
01:00 <emacsoma`> dalias: that does sound like a good plan
01:00 <emacsoma`> I'm slightly dubious of Spengler given that he doesn't seem to eat his own dogfood...
01:02 <nwmcsween> alpine w/ grsec
01:03 <nwmcsween> I thought he used gentoo hardened?
01:05 <duncaen> https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project
01:05 <nwmcsween> I told spender that his stuff would just get reimplemented unless he tried to upstream it
01:06 <nwmcsween> tbh I think he didn't want to upstream it
01:06 <emacsoma`> from https://slo-tech.com/clanki/10001en
01:07 s33se_ joined
01:07 <dalias> my personal view is that grsec was a mistake of early alpine, much like uclibc was
01:07 <emacsoma`> Spengler: I use Windows 7 actually -- the Cheddar Bay video was on the RC I think. I use it because the only fiddling around I want to do with Linux is testing and improving grsecurity. I used to use Linux as my primary desktop back in high school and in college, but nowadays I just want to get stuff done -- so Linux stays in VMs. Linux was much simpler back then too, in both the kernel and userland. You had known conf
01:07 <emacsoma`> edited them some 'intelligent' process wouldn't go and change it behind your back, you wouldn't have to modify SELinux policy because you wanted to host something from a location different from the system default. There was more of a feeling of freedom on it then -- something I think it's losing the more it becomes commercialized. Also: games; I play them. New ones. And if Pidgin notifies me that a new release is avail
01:07 <emacsoma`> download a Pidgin executable; I'm not forced to update 100+ packages at the same time, always risking that something will go wrong.
01:07 kl3 joined
01:07 <dalias> :-p
01:08 <dalias> grsec does provide some useful additional hardening here and there
01:08 <emacsoma`> I mean, if you work on Linux security, maybe you know too much to feel comfortable on Linux, but then to use Windows.....
01:08 <duncaen> but from reading the tweets and the blog working with them seems hard
01:08 <nwmcsween> that's an understatement
01:09 <dalias> but it's also a big nuisance. breaks lots of stuff, and the quality of the code is questionable
01:09 kulinacs joined
01:10 <nwmcsween> it would be nice if Linux had something like pledge
01:10 <dalias> it does, seccomp
01:11 <duncaen> no :S
01:11 <nwmcsween> not the same though
01:11 <dalias> it kinda is
01:11 <nwmcsween> pledge is function
01:11 <duncaen> you can't use seccomp for stuff that execs other binaries
01:11 <dalias> a library providing pledge could do exactly the same as bsd pledge using seccomp as the mechanism
01:11 <duncaen> with pledge you restrict each binary
01:11 <duncaen> i have a library
01:11 <duncaen> https://github.com/Duncaen/playground
01:13 minimalism joined
01:14 <psychi[m]> Yeah, i am also concerned about Grsec. and what will Alpine do...
01:14 <nwmcsween> they will have to use vanilla
01:14 <dalias> the practical impact on security is very minimal just switching to linux-vanilla
01:15 <dalias> or someone can sponsor alpine a subscription to grsec
01:15 <duncaen> could they provide the source in this case?
01:15 <dalias> and then we can watch the fireworks and grab some popcorn when grsec tries to retaliate and ban alpine for sharing the source...
01:15 <duncaen> :D
01:15 <emacsoma`> dalias: :)
01:16 <dalias> almost makes me want to shell out the $$ to do it
01:16 <nwmcsween> meh pledge looks worse than I thought, I assumed it was per func e.g. pledge("printf foo")
01:16 <duncaen> no this is good
01:17 <duncaen> it's a shitshow to restrict each syscall
01:17 <duncaen> your library adds a new one? have fun rebuilding
01:17 <nwmcsween> restricting funcs isn't the same as syscalls
01:17 <duncaen> pledge restricts groups of syscalls
01:17 <nwmcsween> which sort of sucks imo
01:18 <nwmcsween> why does impl foo use the same syscalls as impl bar?
01:18 <duncaen> no, libressl uses getrandom(2), everything that uses seccomp needs to be patched
01:19 <duncaen> different libcs use different syscalls too
01:19 <dalias> the idea is that pledge is supposed to be easy to use and not overly restrictive
01:19 <dalias> so that it's practical to use
01:19 <dalias> whereas seccomp requires knowing library implementation details
01:19 <dalias> details that might change with versions
01:20 <dalias> a good easy-to-use seccomp library would always whitelist all the relatively-harmless syscalls
01:20 <duncaen> https://github.com/kristapsdz/acme-client-portable/blob/master/Linux-seccomp.md
01:20 <dalias> to have less chance of breaking things
01:21 <duncaen> that's what my lib does, first a whitelist, then blacklisting
01:21 <duncaen> and then there are some filters for arguments too
01:21 <nwmcsween> yeah I'm not advocating seccomp, i'm advocating per function restriction
01:21 <duncaen> but that's what seccomp does?
01:22 <nwmcsween> no it does syscalls
01:22 <duncaen> oO
01:22 <duncaen> how would per function even work
01:23 <dalias> well it would need to be per-functionality-group or something
01:24 <nwmcsween> there would have to be a mapping of some sort or a tool to figure stuff out at compile time(?)
01:24 <duncaen> but how to restrict this, you can just go around it at runtime
01:32 helloj joined
01:38 blueness joined
01:39 LouisA joined
01:51 dirac1 joined
01:56 grayhemp joined
01:58 blueness joined
01:59 grayhemp_ joined
02:06 emacsoma` joined
02:09 <minimalism> Does this grsecurity news affect Alpine at all?
02:12 BitL0G1c joined
02:19 <dirac1> What news?
02:20 kl3_ joined
02:22 grayhemp joined
02:23 <duncaen> it has to
02:24 <duncaen> if someone would sponsor it then it would probably not be possible to provide the source
02:24 fnlkj joined
02:32 czart_ joined
02:36 <minimalism> dirac1: https://grsecurity.net/passing_the_baton.php
02:40 <emacsoma`> minimalism: we had a bit of discussion here earlier on that topic
02:41 <dirac1> minimalism, thanks, oh wow.
02:41 <dirac1> So... no more "security" in alpine
02:42 <dirac1> For some time at least, it will take some time for the community to organize and start maintaining and patching grsec.
02:43 <dirac1> (expecting that the community will drive and maintain the grsec source)
02:45 <dirac1> Is my opinion btw.
02:46 <duncaen> i hope not
02:46 <duncaen> kernsec should just upstream useful features
02:47 <emacsoma`> how do I get mkinit to build zfs modules to allow alpine to boot from zfs / ?
02:47 <dirac1> One interesting thing about the news is... the part when they say... there's no widely developed alternative to kernel security like grsec.
02:48 <duncaen> why? because they cant upstream it?
02:49 <duncaen> everyone else wants to get their stuff upstreamed, why maintain patches for years
03:02 ryonaloli joined
03:03 ryonaloli joined
03:04 ryonaloli joined
03:04 grayhemp joined
03:06 ryonaloli joined
03:21 ifbizo joined
03:36 atomi joined
03:42 grayhemp joined
03:43 <ifbizo> hi! i'm trying to install and enable serial console with alpine 3.5.2 x86_64 using freebsd 11.0's bhyve and getting strange behavior. serial output gets stuck at "starting ntpd" and i can ping the host. i try to reboot and use installer to enable sshd but then it oddly gets stuck at "loading hardware drivers". any ideas?
03:48 cyborg-one joined
03:54 dirac1 joined
03:54 Emperor_Earth joined
03:54 Emperor_Earth_ joined
04:01 mmlb joined
04:01 dirac1 joined
04:03 aw1 joined
04:07 tmh1999 joined
04:34 k0nsl joined
04:34 k0nsl joined
04:40 mdillon joined
04:59 fabled joined
05:04 grayhemp joined
05:30 felixjet joined
05:50 <psychi[m]> So the story is about....( curious
06:03 kaniini joined
06:25 gogoprog joined
06:27 <kaniini> guys, security is dead at alpine linux because grsec is dead, everyone can go home now
06:27 <kaniini> haha i am just kidding
06:28 <kaniini> there's a lot more to what we do security wise than just grsec
06:29 helloj left
06:30 <scv> like not including the kitchen sink
06:32 <kaniini> that is indeed a good starting point
06:34 feuerteufel|afk left
06:51 ams__ joined
06:59 greguu joined
07:06 bob_ joined
07:08 bob_ joined
07:15 t0mmy joined
07:16 codingfabian joined
07:16 <codingfabian> Hello, is the projected Alpine 3.6 release in less than a week realistic? We want to upgrade docker in 3.5, but I would rather wait a bit than to use edge now.
07:21 <xentec> codingfabian, afaik it's scheduled for end of May
07:23 greguu joined
07:24 Zucca joined
07:36 minimalism joined
07:38 <codingfabian> xentec thanks, I was checking https://bugs.alpinelinux.org/versions/115 - good to know it is at least a month away
08:02 royger joined
08:11 feuerteufel joined
08:13 <feuerteufel> I have a question about "apk":
08:13 <feuerteufel> apk upgrade -v
08:14 <feuerteufel> 1 errors; 146 packages, 1867 dirs, 17768 files, 727 MiB
08:14 <feuerteufel> How do I find out where the error comes from?
08:19 kvda joined
08:20 Kachel joined
08:22 <Kachel> I can't extract the alpine tar.gz file into an SD card for a raspberry pi
08:22 <Kachel> Running as root doesn't work either
08:23 mouthbreather joined
08:26 andor2007 joined
08:28 codingfabian joined
08:29 <codingfabian> I am back with a new question regarding docker 1.17 :) I fail to install it on an alpine 3.5. I did add a tagged repo (@edge http://dl-cdn.alpinelinux.org/alpine/edge/main) and then used apk add docker@edge - but it still installs 1.12. any pointers?
08:29 cyborg-one joined
08:30 <IcePic> Kachel: perhaps you can expand a bit on "I cant extract", its hard to know if your SD card is write protected, or if tar is acting up or if you mean "the resulting files will not boot ok when I test it later on".
08:31 <Kachel> I used tar -pvxzf alpine-rpi-3.5.2-armhf.tar.gz -C alpine-install/
08:32 <Kachel> And no it isn't write protected because some files were able to be on the SD card
08:32 <Kachel> But some apk files not
08:33 <IcePic> I didn't specifically mean that SD being RO was a very plausible reason, just that "I did something and it didn't work" is a bit vague and covers huge possibilities.
08:33 <IcePic> computers tend to be able to NotWork(tm) in millions of weird ways.
08:35 <Kachel> Now it works after mounting and unmounting...
08:35 <Kachel> no errors at least
08:36 <Kachel> But is the full rpi install of alpine really intended to be on only one partition?
08:38 fekepp joined
08:40 felixjet joined
08:47 grayhemp joined
09:08 k0nsl joined
09:08 k0nsl joined
09:20 consus joined
09:38 <clandmeter> it runs from memory
09:43 grayhemp joined
09:54 k0nsl joined
09:54 k0nsl joined
10:16 grayhemp joined
10:18 kahiru joined
11:05 gromero joined
11:05 <armin> BitL0G1c: btw i completely don't understand this guide here: https://github.com/OpenRC/openrc/blob/1edb5f6fd9c4827e5d4ed5c854bc322ba8a7df73/supervise-daemon-guide.md
11:06 <armin> BitL0G1c: i do understand the supervise-daemon, nevertheless, but the way that guide is written is not clarifying anything to me...
11:12 gromero joined
11:44 iorux joined
11:52 <IcePic> armin: yeah, I think you are right in that
11:58 iorux joined
12:03 <armin> so i wrote a custom init-script and enabled that service. however, when rebooting my machine, all i see on the tty is the output from my program, but i don't see any login prompt. anyone a clue what i got wrong here?
12:24 <armin> ok, now i'm screwed it seems: even after removing the symlink for my program from a live environment, my boot hangs, but now stops after "Starting busybox crond ..."
12:24 rollniak joined
12:24 <armin> ah now it goes on.
12:24 <armin> weird.
12:29 GerWoManChester joined
12:30 <BitL0G1c> armin - could be missing entropy if you are running openssh server - installing / enabling haveged & enabling urandom service fixes entropy - for supervise-daemon examples it may be clearer to search git for 'supervise-daemon' in the log messages to see the changes I made to enable it
12:34 gromero joined
12:35 <armin> BitL0G1c: it's not too terrible, takes about 30sec to start. i also was able to solve the init script issue by adding command_background="yes" to that init script
12:36 gromero joined
13:02 haarts joined
13:03 rollniak joined
13:09 bOSKE joined
13:12 kvda joined
13:14 dasher^0_o joined
13:21 iorux joined
13:28 <mmlb> hmm regarding 3.6, who can I ping to add Bug #7037 and subsequent mkinitfs PR #12 to the release?
13:28 <algitbot> Bug #7037: /init does not correctly handle serial port config from command line - Alpine Linux - Alpine Linux Development: http://bugs.alpinelinux.org/issues/7037
13:28 <algitbot> Bug #12: crond doesnt seem to succesfully execute run-parts - Alpine Linux - Alpine Linux Development: http://bugs.alpinelinux.org/issues/12
13:28 <mmlb> 1/2 algitbot
13:29 <mmlb> maybe even #6713 since it looks like an alpine issue from patching busybox and makes `set -e` do the wrong thing in one (maybe more) case
13:29 <algitbot> Bug #6713: ash doesn't errexit correctly - Alpine Linux - Alpine Linux Development: http://bugs.alpinelinux.org/issues/6713
13:36 <IcePic> armin: 30 sec delays sound a bit like "tries to backwards resolve an ip and fails on first resolver"
13:36 <IcePic> especially if you dont see load during those 30 secs
13:39 MH0815 joined
13:41 grayhemp joined
13:42 <armin> IcePic, BitL0G1c: thanks a lot for those pointers!
13:42 lesion joined
13:43 <BitL0G1c> armin - np - boot up should be about 4-5 seconds
14:01 <armin> BitL0G1c, IcePic: not sure what that is still - looks like this when this happens for about 40-50 sec: http://base.m2m.pm/shot.png
14:10 felixjet joined
14:11 felixjet joined
14:17 rejadatodo joined
14:30 dirac1 joined
14:32 <BitL0G1c> armin - disable chronyd (it didn't use to background itself) - sntpc is nice & light - just configure /etc/conf.d/sntpc
14:35 orbiter joined
14:37 grayhemp joined
14:43 nepochal joined
14:44 iorux joined
14:50 Marc1n joined
14:50 <Marc1n> hello all
14:51 StarWarsFan|afk joined
14:51 kahiru joined
15:02 tkharju joined
15:03 dirac1 joined
15:08 StarWarsFan|afk joined
15:23 omegamike joined
15:26 grayhemp joined
15:39 grayhemp joined
15:57 magellanic joined
16:02 davidmichaelkarr joined
16:05 copumpkin joined
16:27 fabled joined
16:28 dlaube joined
16:55 pickfire joined
17:00 pickfire joined
17:11 pickfire joined
17:16 pickfire joined
17:18 sergey_ joined
17:28 __number5__ joined
17:28 gopar joined
17:32 magellanic left
17:43 terran joined
17:45 <Shiz> successfully replaced Debian on scaleway's new aarch64 servers with Alpine :D
17:45 <Shiz> remotely
17:46 <arch3y> nice was just reading the article about it on hackernews
17:48 emacsoma` joined
17:52 <TemptorSent> Do you know if that was from within the deb host or if there was OOB management available as a safety net?
17:55 rollniak joined
17:56 <Shiz> TemptorSent: within the deb host
17:56 <Shiz> there's no rescue mode
17:56 <Shiz> :)
17:56 <Shiz> this is how I did it: https://txt.shiz.me/NTM4Yzg1MT
18:02 BitL0G1c joined
18:03 dwreck joined
18:05 <TemptorSent> Shiz: Nice.
18:06 f1rebird left
18:06 jyoungs joined
18:08 <Shiz> https://txt.shiz.me/ZGE2YzZlNW slightly updated to get a working inittab
18:08 jeffyoungs joined
18:08 <TemptorSent> Shiz: I see the find -xdev bug didn't bite you in that case, luckily!
18:08 <Shiz> hmm?
18:09 <TemptorSent> Find -xdev doesn't actually check the mount point.
18:09 dwreck joined
18:10 <dwreck> hey. I have an init script I wrote (badly obviously) that is hanging startup. is there a keystroke that will kill it? ctrl-c doesn't work.
18:11 <TemptorSent> dwreck: reboot and add 'single' to the kernel command line. You could also try a magick SysRQ
18:13 <dwreck> /etc/init.d doesn't get created during single user (tried it), tried mount -a to mount any tmpfs junk. are those scripts stored somewhere else before that runlevel fires off?
18:15 <jeffyoungs> Hey guys- I've been stuck for a while now trying to get apk working from behind a proxy (basically this issue: https://github.com/gliderlabs/docker-alpine/issues/191 but the fix there isn't working). I know my http_proxy, https_proxy and http_proxy_auth are setup correctly because GNU wget works, but busybox wget fails at the 407 Authentication Required (whereas gnu wget gets that message, but continues).
18:15 <jeffyoungs> Is there any way to get apk to just use /usr/bin/wget ? the docs say explicitly that it uses busybox
18:27 <feuerteufel> Hello everybody - I am still trying to find out where "apk" is logging the errors. I can't find a logfile. Any hints?
18:28 <Shiz> apk doesn't log to any logfile that i know of
18:28 <Shiz> it's all stdout/stderr
18:29 <feuerteufel> I get the following:
18:29 <feuerteufel> apk upgrade -v
18:29 <feuerteufel> 1 errors; 146 packages, 1867 dirs, 17768 files, 727 MiB
18:30 <feuerteufel> I am trying to find out where the error comes from
18:31 <Shiz> have you tried # apk fix ?
18:32 <feuerteufel> Just for one package, but i'll do
18:32 <jeffyoungs> Also try -vv
18:33 ahrs joined
18:35 LouisA joined
18:35 john51 joined
18:36 <TemptorSent> feuerteufel do you by chance have the -docs package installed and both libedit and readline installed as deps for other packages?
18:37 leprechau joined
18:38 <feuerteufel> Here is the output: https://pastebin.com/VRhNKzcV
18:38 pickfire_ joined
18:38 bfritz_ joined
18:38 Marc1n_ joined
18:41 irclogger_com joined
18:44 <feuerteufel> Shiz: I think i have to uninstall the whole "php" stuff because:
18:44 <feuerteufel> World updated, but the following packages are not removed due to:
18:44 <feuerteufel> php-cli: php-pdo php-pdo_mysql php-mysql
18:45 <Shiz> hmm.
18:45 <feuerteufel> Is there a trick?
18:57 arch3y joined
18:59 <dwreck> how can I get /etc/init.d/ populated in single user mode?
18:59 <Shiz> it should already be populated?
18:59 <Shiz> it's part of the busybox-initscripts
18:59 <Shiz> package
18:59 <Shiz> among others
19:01 <feuerteufel> Shiz: I think I found the problem: It looks like there is a conflict between the alpine and the eis-ng packages
19:01 <Shiz> eis-ng?
19:01 <dwreck> it is not
19:03 <feuerteufel> So what do I have to do, if not?
19:03 <Shiz> i don't know what eis-ng is
19:03 <Shiz> dwreck: what does /etc/apk/world contain, and does apk info -L busybox-initscripts contain anything?
19:04 <dwreck> that first path is non-existent in single user mode, the second command fails to read database state
19:05 <Shiz> uuhm
19:06 <Shiz> i think you may be caught in something that is not your install then
19:06 <feuerteufel> Shiz: It's a distro based on Alpine
19:06 <dwreck> init scripts run fine on full boot, it's just hanging on a crappy one I wrote
19:06 <Shiz> dwreck: sure your rootfs is actually your partition?
19:07 help-im-stuck joined
19:07 <feuerteufel> Shiz: I think I have to talk to those folks ... thanks
19:07 <dwreck> hmmm
19:07 <dwreck> I am not sure at all. this is a pretty vanilla install in a vm though
19:08 <help-im-stuck> so.. are there any howto or guide out there on how to user alpine linux as a xen host for virt-manager?
19:08 <Shiz> dwreck: check the output of # mount
19:09 <dwreck> yeah it says /
19:09 <Shiz> mounted from?
19:09 <Shiz> mine says /dev/vda3 on / type ext4 (rw,relatime,data=ordered) for instance :P
19:10 <dwreck> yeah but I'm in single user
19:10 <dwreck> I wonder if I can just get into another runlevel to do this
19:11 <Shiz> what does /proc/mounts say
19:11 <Shiz> for /
19:12 <Shiz> dwreck: ah: single user mode gives you a shell in the initramfs
19:12 <Shiz> meaning your root part isn't mounted yet
19:12 <dwreck> ahhh
19:12 <dwreck> oh!
19:12 <dwreck> duh
19:12 <dwreck> I need to just mount it somewhere
19:12 <Shiz> yup
19:12 <Shiz> that's why i inquired about your mounts
19:12 <dwreck> I should know better
19:12 <dwreck> thanks
19:14 arch3y joined
19:18 <Shiz> feuerteufel: why do you have php and phhp5 installed at the same time?
19:20 grayhemp joined
19:20 <feuerteufel> That's what I try to find out ;)
19:22 <feuerteufel> It looks like there is a renamed package ...
19:40 MH0815 joined
19:41 blueness joined
19:44 lesion joined
19:45 <feuerteufel> Shiz: OK, I got told what to do ...
19:47 <feuerteufel> In /etc/apk/world I had to change php-mysql and php-pdo-mysql to php5-mysql and php5-pdo-mysql
19:47 gopar joined
19:47 <feuerteufel> Then a "apk fix"
19:47 <feuerteufel> The error is gone!!
19:48 <feuerteufel> Shiz: Thanks again!!
19:49 <Shiz> np
19:49 jeffyoungs joined
19:50 <TemptorSent> feuerteufel You may have been caught by an apk bug that kaniini is working on where apk fails to resolve some updates properly - #7250.
19:50 <algitbot> Bug #7250: apk upgrade --available produces incomplete upgrade transactions if a package is replaced with another package - Alpine Package Keeper - Alpine Linux Development: http://bugs.alpinelinux.org/issues/7250
19:52 <TemptorSent> kaniini: BTW, I finally managed to force APK to install a kernel by purging every reference to grsec and manually doing apk add linux-hardened.
19:52 <kaniini> odd. the virtual should have handled the transition
19:53 <TemptorSent> kaniini: Ahh, the 'S' word, the foulest word in computing ;)
19:54 <mepholic> shit
19:56 arch3y joined
19:57 <feuerteufel> Hopefully I haven't upset anyone, if so I'm sorry!!
19:57 <TemptorSent> Cool, something worked right and libressl updated cleanly at least :)
19:58 <feuerteufel> algitbot: TemptorSent: Thanks!
19:58 <Shiz> don't worry about it
19:59 <TemptorSent> feuerteufel: It's a bigger problem than your issue, breaking kernel upgrades in fun ways :)
19:59 nmeum joined
19:59 <TemptorSent> feuerteufel: No problem.
20:01 <kaniini> the kernel upgrade problem is mostly worked around for now :P
20:02 <TemptorSent> Yep, after I unbroke my fubared apk database it all seems happy :) Thanks kaniini!
20:02 <emacsoma`> TemptorSent: is linux-hardened an alpine package?
20:02 <kaniini> emacsoma`: yes. it replaces linux-grsec
20:02 <emacsoma`> kaniini: is that new, or something which has been around?
20:02 <Shiz> it's new
20:02 <emacsoma`> ah
20:03 <Shiz> because grsecurity insists on not using the grsec name for products that aren't stable latest grsecurity
20:03 rollniak joined
20:03 <Shiz> and since we don't pay for grsec kernels, we can't use that name
20:03 <kaniini> emacsoma`: the rename is new, but has been pending for some time
20:03 <TemptorSent> There was a brief snafu with a dep resolution that I happened to update during, but with mismatched repos, so I totally hosed my system.
20:03 <Shiz> so we replaced it with -hardened in the interest of providing a potentially more general package too
20:04 <kaniini> Shiz: and also to dispel the whole "100% of alpine security is because of grsec" belief
20:04 <emacsoma`> Shiz: so it might change from being grsec-centric?
20:04 <kaniini> which really is pretty much not true at all
20:04 <kaniini> emacsoma`: there is no grsec anymore
20:04 <kaniini> emacsoma`: the grsec guy is peddling compiler plugins now
20:04 <kaniini> emacsoma`: see also: https://grsecurity.net/passing_the_baton_faq.php
20:05 <Shiz> emacsoma`: right.
20:05 sparklyballs joined
20:05 <Shiz> in fact, it has to, since grsecurity is not going to be releasing any more public patches now
20:05 <Shiz> how alpine is going to handle this is still under discussion :p
20:05 <emacsoma`> kaniini: right, I know about that, but I mean does this suggest a change towards hardening based on other resources?
20:05 <emacsoma`> Shiz: ok
20:05 <TemptorSent> grsec has a few useful features, but generally doesn't do much for intrinsic security without a lot of hoop-jumping, and even then it's far from perfect.
20:06 <Shiz> eh, grsec does a fair bit for intrinsic security
20:06 <TemptorSent> PaX seems to be the best of it.
20:06 <kaniini> emacsoma`: alpine's security story is not just grsec
20:06 <Shiz> ^ is definitely true
20:06 <kaniini> emacsoma`: there are differences in userspace and many other initiatives
20:06 <emacsoma`> ok
20:07 <kaniini> emacsoma`: for example new policy requiring all packages to pass conformance testing has caused us to discover a CVE in libressl 2 days ago
20:07 <Shiz> kaniini: speaking of, global switch to tcb-shadow when
20:07 <kaniini> Shiz: hoping for 3.7, we need to make busybox aware of it
20:07 <TemptorSent> Shiz: Yeah, if you configure everything properly, it has some big wins, but it's easier to get a higher level of security with proper configuration of the system and packages.
20:08 <kaniini> Shiz: i am also looking at clang as default system compiler so we can build packages with the new CFI stuff
20:08 <Shiz> TemptorSent: disagree
20:08 <Shiz> kaniini: we need to patch clang a bunch more to be as viable as gcc right now, probably
20:08 <kaniini> Shiz: yes
20:08 <Shiz> but that's definitely something i'm interested in
20:09 <kaniini> Shiz: i think what TemptorSent is saying is that you can have all the kernel security in the world and it means basically fuck all if you don't have app security
20:09 <Shiz> sure, but it's parallel levels of security
20:09 <kaniini> right
20:09 <Shiz> so "higher level" doesn't really apply imo
20:09 <Shiz> but yeah
20:09 <TemptorSent> Shiz: Okay, what does it gain us by default without any configuration? You can still make a hole big enough to drive a truck through by misconfiguring the system.
20:09 <Shiz> with that rephrasing I agree
20:10 <kaniini> these days, where everyone is using docker or some other VPS/jail type thing, app security is more important than grsec
20:10 <TemptorSent> That's the issue -- it only picks up where proper application configuration leaves off, and too many apps are FUBAR.
20:10 <kaniini> because most installs aren't multiuser
20:10 <Shiz> kaniini: even then, I argue they're parallel
20:10 <Shiz> because good kernel sec implies better container isolation
20:11 <kaniini> sure, but point is
20:11 <Shiz> can you count the vulns in linux user namespaces
20:11 <Shiz> :P
20:11 <darkfader> kaniini: nack, kernel sec is more important ...
20:11 <kaniini> grsec is mostly related to things like shell boxes
20:11 <darkfader> we got 1000s of nicely contained applications
20:11 <kaniini> darkfader: sure, kernel sec is important for containers
20:11 <darkfader> but the one safely available vector is the kernel
20:11 <kaniini> darkfader: but if you are running under say, xen or kvm, doesnt matter so much
20:12 <TemptorSent> Yes, grsec can provide some safety against certain classes of exploits in otherwise properly configured systems, but it can't help with bad configurations much.
20:12 t0mmy joined
20:12 <kaniini> grsec won't protect you from a wordpress 0day though
20:12 <Shiz> or a libressl one
20:12 <kaniini> :)
20:12 <TemptorSent> Exactly.
20:13 <kaniini> emacsoma`: so what i am trying to say is, we've been trying to pivot away from grsec being the story in our docs and so on for about 2 years now
20:13 <TemptorSent> I'd suggest that time is better spent working on the kernel features that provide the most generally useful security enhancements and minimize the overall complexity of maintaining them.
20:13 <kaniini> it was, possibly, 'good marketing' at the time to highlight the collaboration
20:14 <kaniini> but it downplayed a lot of other things that go into alpine for security
20:14 <Shiz> TemptorSent: people have been planning that since the grsec announcement actually
20:14 <Shiz> (and got banned from #grsecurity for it)
20:14 <emacsoma`> kaniini: that makes sense, and seems like a good idea. I've had reservations about spender.
20:14 <TemptorSent> *lol* Yeah - it's the right approach.
20:15 <TemptorSent> And doing things the right way has a tendency of pissing off people who want it their way regardless.
20:15 <kaniini> emacsoma`: we have been kind of in a bad place for a while in terms of communicating our plans because spender also makes us nervous. but now he can't really do anything to us he hasn't already done
20:15 <emacsoma`> kaniini: i see
20:16 <kaniini> but overall, we are not that concerned about it
20:16 <Shiz> we should probably discuss our overall plans what to do with grsec after 3.6 gets out
20:16 <kaniini> if the community steps up and produces grsec derived patches, we'll carry them
20:16 <Shiz> and make a formal decision
20:16 <kaniini> if not, we built some prototype LSMs a few years ago as a backup plan to emulate things like W^X
20:17 <kaniini> well, not emulate, but implement
20:17 <kaniini> we have quite a few options available to us
20:17 <kaniini> arguably we have more options available to us now than we did previously, as we were kind of painted into a grsec corner
20:19 <kaniini> calling the hardened package what it is gives us quite a bit of flexibility in that regard too
20:19 <TemptorSent> What's the thought on SELinux support? Too much of a mess?
20:19 <kaniini> docker want it
20:19 <kaniini> you can probably get it from them in their linuxkit stuff
20:19 <kaniini> which is some sort of thing that cobbles together an alpine-esque distro
20:19 <kaniini> from alpine pieces
20:19 <kaniini> with some broken kernel
20:19 <kaniini> and blah blah
20:19 <Shiz> im not a huge fan of selinux, but if people want it it can probably be done
20:19 <Shiz> i think gentoo has a decent collection of policies
20:20 <Shiz> we could nab
20:20 <Shiz> if it's the case
20:20 <TemptorSent> It might be worth considering going into hardened as an option...
20:20 <kaniini> i think apparmor is a better win than selinux personally
20:20 <kaniini> it's more in line with what we would want
20:20 <kaniini> selinux is about declarative policies, we just want to define what sane behaviour for an app is
20:20 <TemptorSent> Agreed on apparmor, but SELinux has some functionality that is critical to certain classes of users.
20:21 <kaniini> i'm not against carrying selinux personally
20:21 <kaniini> i just don't think it's the appropriate 'default' for alpine
20:21 <TemptorSent> I think it would give Alpine a lot more potential users.
20:21 <TemptorSent> Fully agreed.
20:21 <Shiz> kaniini: -selinux subpackages here we go :P
20:21 <Shiz> with the appropriate metapkg
20:21 <kaniini> Shiz: yes, exactly. and then install_if rules to determine if they should be installed :)
20:21 <Shiz> :)
20:21 <TemptorSent> Although basic support for selinux can be enabled in most things without requiring it be in the kernel.
20:22 <TemptorSent> (FS attributes being the big one)
20:22 <kaniini> TemptorSent: it's fine to have it in the kernel as an LSM
20:22 <kaniini> just not as default (for us)
20:22 <Shiz> it can even be in the kernel but not active by default
20:22 <Shiz> surely it has a sysctl toggle
20:22 <kaniini> Yama + AppArmor is more familiar to what people get out of grsec kernels right now
20:23 <kaniini> ideally, i would like personally -hardened to just be vanilla except with more aggressive security selections and built with Clang+CFI
20:24 <Shiz> personally disagree :p
20:24 <kaniini> which despite spender's hype, is actually pretty close to what we're doing with grsec
20:24 <kaniini> Shiz: by more aggressive security selections i mean some sort of PaX clone, etc
20:24 <Shiz> right
20:25 <Shiz> i understood selections as CONFIG_*
20:25 <Shiz> lol
20:25 <kaniini> although PaX has a lot of stuff that is not really relevant
20:25 <kaniini> anymore
20:25 arch3y joined
20:25 <kaniini> IMO the most relevant part of PaX is the GCC plugins work
20:25 <kaniini> so i am hopeful KSPP team can extract it
20:26 <Shiz> ehh
20:26 <Shiz> im more interested in the memory protection features
20:26 <Shiz> lol
20:26 gopar joined
20:28 <kaniini> Shiz: most of the modern memory protection features are done by the GCC plugins
20:29 <Shiz> PAGEEXEC and MPROTECT?
20:41 grayhemp joined
20:47 Lord joined
20:49 arch3y joined
20:50 <help-im-stuck> How do I use Alpine linux as host for xen and manage it with virt-manager?
20:56 dirac1 joined
20:56 jeffyoungs joined
21:00 arch3y joined
21:01 dirac1 joined
21:03 <BitL0G1c> help-im-stuck - lookup "virsh" & libvirt - then you can manage vm's without a desktop - if you really want a desktop perhaps consider kvm https://it-offshore.co.uk/linux/alpine-linux/30-alpine-linux-spice-kvm-desktop
21:08 kahiru_ joined
21:09 <help-im-stuck> BitL0G1c, my cpu does not have support for kvm if i should believe virt-manager
21:14 <BitL0G1c> help-im-stuck - the same cpu extensions are needed for xen too - check manually with https://www.cyberciti.biz/faq/linux-xen-vmware-kvm-intel-vt-amd-v-support/
21:15 jeffyoungs joined
21:15 <qman> help-im-stuck: your CPU may have the extensions but have support disabled in BIOS
21:16 <help-im-stuck> there must be something wrong with virt-managers cpu reporting at the time i tried it
21:16 <help-im-stuck> I've enabled svn in bios
21:17 <help-im-stuck> so i guess it supports kvm..
21:17 <help-im-stuck> it has to do :)
21:17 <help-im-stuck> svm*
21:18 Diftraku joined
21:19 <BitL0G1c> help-im-stuck - virsh + pac manager works well for kvm
21:20 tmh1999 joined
21:23 <help-im-stuck> on alpine?
21:24 <help-im-stuck> I still don't understand apk fully.. and the keymap i select via setup-keymap does not stick..
21:24 <help-im-stuck> after reboot
21:27 arch3y joined
21:27 gopar joined
21:32 <help-im-stuck> if i manage to solve that.. alpine is my choice
21:32 <Shiz> hmm
21:32 <Shiz> are you in a sys install?
21:33 <help-im-stuck> yes
21:33 <help-im-stuck> installed the xen version
21:33 <help-im-stuck> changed to the edge repos
21:33 <help-im-stuck> updated the system
21:36 <help-im-stuck> and i'm looking for a firewall too, as simple as possible
21:37 <darkfader> firewall: "awall"
21:37 <help-im-stuck> but i need to create bridges because i'm going to virtualize pfsense
21:40 saarg joined
21:41 <BitL0G1c> openvswitch works ok as a bridge - I use it with lxc - if you use libvirt it will create a nat bridge virbr0
21:42 <help-im-stuck> yes, i know :)
21:42 <help-im-stuck> can pacmanager handle xen then?
21:43 <BitL0G1c> I use it with local & remote kvm without issues
21:43 <BitL0G1c> no pac manager in alpine unfortunately - author will not provide vt libraries for musl
21:44 minimalism joined
21:45 <help-im-stuck> ok, but alpine got the latest libvirtd in its edge repos.. so why not use virt-manager?
21:46 <BitL0G1c> in alpine virt manager is probably your best bet
21:46 <BitL0G1c> i just prefer virsh in arch - less dependencies - less to go wrong
21:46 <help-im-stuck> what would a setup look like? are there any howtos on how to get everything working? I had some problems with I/O stuff last time i tried
21:47 <help-im-stuck> word
21:48 <help-im-stuck> do you have the time to be some kind of moral support?
21:49 tmh1999 joined
21:53 arch3y joined
21:59 jeffyoungs joined
22:03 dfgd joined
22:05 tdtrask joined
22:10 <help-im-stuck-ag> BitL0G1c :)
22:11 <help-im-stuck-ag> when setup-alpine are about to partition the disk it says failed to add partition invalid argument
22:12 tmh1999 joined
22:14 <help-im-stuck-ag> fixed it
22:15 urzds joined
22:16 <BitL0G1c> help-im-stuck-ag - rebooting the vm normally does - these scripts may be useful for installing https://it-offshore.co.uk/linux/alpine-linux/25-alpine-linux-luks-encrypted-installations
22:16 Adran joined
22:16 Adran joined
22:16 James_T joined
22:17 kunev joined
22:17 arch3y joined
22:18 Xe` joined
22:19 jaustinpage joined
22:20 BlackIkeEagle joined
22:21 yo61 joined
22:21 jcloud joined
22:21 Lloyd joined
22:21 krainboltgreene joined
22:24 ng_ joined
22:26 <help-im-stuck-ag> BitL0G1c, nice, but the biggest problem i've got now is that my settings aren't saved. Like which network card to use or the keymap
22:28 <BitL0G1c> you are doing a sys install ? (setup-disk -m sys /mnt)
22:30 arch3y joined
22:31 LouisA joined
22:33 <help-im-stuck-ag> i did it with the setup-alpine script
22:33 <help-im-stuck-ag> and i set lbu to /var and now i'm updating the system from edge repos
22:34 Wayward_One joined
22:35 <Shiz> well
22:35 <Shiz> setup-keymap writes to /etc
22:35 <Shiz> so if your lbu doesn't save that :P
22:35 <help-im-stuck-ag> I'm new to alpine :)
22:36 <help-im-stuck-ag> Seems like an interesting project.. that's why i'm spending time with it
22:36 <Shiz> any reason for your lbu config to not save /etc? it does that by default even iirc
22:36 <Shiz> does lbu status -a include anything from /etc?
22:36 <help-im-stuck-ag> yes, alot
22:36 <help-im-stuck-ag> allot
22:37 <Shiz> okay, so you do save etc
22:37 <help-im-stuck-ag> even from var/www/localhost
22:37 <Shiz> help-im-stuck-ag: what does rc-status | grep keymaps say?
22:37 <Shiz> if nothing, you need to # rc-update add keymaps boot
22:37 <Shiz> and that's the fix
22:37 <Shiz> :P
22:38 <help-im-stuck-ag> Shiz, it's empty
22:38 <Shiz> there you go
22:38 <Shiz> just add the keymaps service to boot
22:39 <Shiz> the service that actually sets up your keymaps ;)
22:39 blackwind_123 joined
22:39 <help-im-stuck-ag> keymaps already installed in runlevel 'boot' i says
22:40 <Shiz> hmm
22:40 <Shiz> oh right, it's a one-shot, so doesn't show in rc-status
22:40 <Shiz> help-im-stuck-ag: does tail -n1 /etc/conf.d/keymaps list your desired keymap?
22:41 <Shiz> moreover, does the file it references exist?
22:42 <help-im-stuck-ag> yes, after I run setup-keymap it's there
22:43 <Shiz> was it there before you did?
22:44 <help-im-stuck-ag> did not check.. i'll reboot again.. but rc-status says that xenqemu crashed.. but that's a problem for later
22:46 <help-im-stuck-ag> and the keymap there.. but my keyboard is still set to en/us
22:46 <Shiz> hmm...
22:46 <help-im-stuck-ag> the keymap is there*
22:46 <Shiz> in /etc/conf.d/keymaps?
22:46 <Shiz> does the boot log say anything about setting keymap?
22:47 <help-im-stuck-ag> no, but rc-update says that the keymap is loaded on boot
22:48 <Shiz> what about this
22:48 <Shiz> lbu status -a | grep etc/runlevels
22:48 cyborg-one joined
22:48 emacsoma` joined
22:48 <help-im-stuck-ag> nothing
22:49 <Shiz> when is your apkovl applied?
22:50 arch3y_ joined
22:50 <help-im-stuck-ag> apkolv?
22:50 <help-im-stuck-ag> ovl
22:50 <Shiz> the thing that lbu generates when you do # lbu commit
22:51 <Shiz> or # lbu package
22:52 <help-im-stuck-ag> lbu commit gives me the help page
22:52 <Shiz> uuh
22:52 <help-im-stuck-ag> the keymap file is in /etc/keymap but it does not seem to be loaded
22:53 <Shiz> do you have a sys install or a ram install
22:53 <help-im-stuck-ag> ooh.. lbu commit said failed to mount /media/var
22:53 gromero joined
22:53 <help-im-stuck-ag> it's a sys install
22:54 <Shiz> then you don't need lbu at all
22:54 <Shiz> lol
22:54 <Shiz> lbu is if you're running a ram install
22:55 <help-im-stuck-ag> so i'll setup-lbu to none then=?
22:55 tugrik joined
22:55 <Shiz> sure
22:56 <help-im-stuck-ag> but the thing with my keymap is weird.. the file exists in /etc/keymap and rc-thingy says that the keymap is loaded at boot..
22:56 <Shiz> try this
22:56 <Shiz> zcat /etc/keymap/<your-desired-keymap>.bmap.gz | loadkmap
22:57 <Shiz> does that fix the keymap at least?
22:59 <help-im-stuck-ag> without doing the setup-keymap before?
23:00 <help-im-stuck-ag> yes, it fixes the keymap
23:00 <help-im-stuck-ag> so should i do an ugly 'hack' and put that line in some rc.local file?
23:01 arch3y_ joined
23:02 <Shiz> nah, i think i have an idea what's going on
23:03 <Shiz> help-im-stuck-ag: can you paste the output of:
23:03 <Shiz> grep rc_sys= /etc/rc.conf
23:04 <help-im-stuck-ag> it's commented and empty
23:04 <help-im-stuck-ag> #rc_sys=""
23:04 <Shiz> right
23:05 <Shiz> try to uncomment it
23:05 <Shiz> and then reboot
23:06 <help-im-stuck-ag> sure thing
23:08 <help-im-stuck-ag> lol, on tty1 the keymap is really fkd up.. if i change to another tty and login.. it's the right keymap :)
23:09 <Shiz> right, as i thought
23:09 arch3y_ joined
23:09 <Shiz> fun exercise: try commenting rc_sys= again and tell me what rc --version gives you
23:09 <Shiz> specifically what comes after OpenRC
23:11 Dirac1 joined
23:11 <Shiz> (then comment it again)
23:11 <help-im-stuck-ag> OpenRC [XEN0] 0.24.1...
23:11 <Shiz> :)
23:11 <Shiz> so what happens is
23:11 <Shiz> it detects you're a xen dom0 and disables the keymaps initscripts
23:12 <Shiz> because the keymaps initscript says: keyword -openvz -prefix -uml -vserver -xenu -lxc
23:12 <Shiz> which somehow also disables dom0
23:14 <help-im-stuck-ag> okey
23:14 <Shiz> so you can do two things
23:14 <Shiz> uncomment rc_sys to set it to "" as I told you
23:14 <Shiz> or modify the keymaps initscripts to remove that line
23:14 <Shiz> i think it's a bug, as that shouldn't match xen0 but it does
23:15 <Shiz> help-im-stuck-ag: oh, maybe even easier, although i'm not sure if it works:
23:15 <Shiz> try commenting out rc_sys= in /etc/rc.conf as before
23:15 <Shiz> but adding rc_sys="" to /etc/conf.d/keymaps
23:16 <Shiz> that'll only set rc_sys to "" for the keymaps service
23:16 <Shiz> not sure if it works, but worth a shot
23:17 <help-im-stuck-ag> under the rc_sys there is a rc_tty_number=12 and it describes that it is used in consolefont, keymaps, numlock service scripts.. does it have anything to do with the keymap?
23:17 <Shiz> not that i know of
23:18 <Shiz> it just tells you the number of ttys it will spawn
23:18 <Shiz> by default
23:18 <help-im-stuck-ag> so I comment the rc_sys and add rc_sys="" in keymaps.. where the right keymap is present
23:19 arch3y_ joined
23:19 <Shiz> correct, in /etc/conf.d/keymaps
23:19 <Shiz> with the caveat that i'm not sure if it will work
23:19 <Shiz> :P
23:19 <help-im-stuck-ag> oh.. there is a file in /etc/conf.d that has the name keymaps.apk.new :o
23:20 <help-im-stuck-ag> both files are set to keymap "us"
23:21 <Shiz> yeah you can disregard .apk.new files
23:21 <Shiz> even delete them
23:21 <Shiz> the important part is the KEYMAP= at the bottom of /etc/conf.d/keymaps
23:21 <Shiz> that one is correct, right?
23:22 <help-im-stuck-ag> no, both are wrong
23:22 <help-im-stuck-ag> but if i change it.. and reboot.
23:22 <Shiz> huh...
23:23 <help-im-stuck-ag> but at the end of the keymap file there is a path to the right keymap
23:23 <help-im-stuck-ag> the .gz file
23:23 <Shiz> yeah
23:23 <Shiz> that's why i said 'at the bottom'
23:23 <Shiz> ;)
23:25 <help-im-stuck-ag> missed that
23:26 <help-im-stuck-ag> so i should put rc_sys="" after the keymap link?
23:29 <help-im-stuck-ag> or am i too tired for this right now?
23:29 visceral joined
23:32 Tazy joined
23:35 <Shiz> help-im-stuck-ag: after KEYMAP=, yes
23:39 dwreck left
23:40 arch3y_ joined
23:42 blueness joined
23:43 <help-im-stuck-ag> Shiz, it's already there.. above the keymap line
23:43 <Shiz> rc_sys?
23:44 <Shiz> in /etc/conf.d/keymaps?
23:45 <help-im-stuck-ag> yes, maybe i put it there.. but still the same result
23:45 <help-im-stuck-ag> should it be the eof?
23:45 <Shiz> i think you put it there :P
23:45 <Shiz> nah, it's fine if it doesn't work
23:45 <Shiz> i thought it may work, but i guess it doesn't
23:46 <Shiz> feel free to remove it and do either of the previous two things i said
23:46 <Shiz> (put rc_sys="" in /etc/rc.conf or remove the relevant keywords line from /etc/init.d/keymaps)
23:55 <help-im-stuck-ag> how long has alpine linux been around?
23:58 arch3y_ joined
23:59 <Shiz> help-im-stuck-ag: at least 10 years
23:59 <Shiz> http://git.net/ml/linux.leaf.devel/2005-08/msg00039.html says 12