localhost, and tell the browser to connect to it. Bonus points for listening on a randomly allocated free port, so that one does not need some amount of luck to get the program started. However, using a local port still means that any user on the local machine can connect to it, which is generally a security issue. A possible solution would be to use AF_UNIX Unix Domain Sockets, which are supported by various web servers, but as far as I understand not currently by browsers. I checked Firefox and Chrome, and they currently seem to fail to even acknowledge the use case. I'm reasonably sure I'm not the first person doing this, and yes, it's intended as an understatement.

So, dear Lazyweb, is there a way to securely use a browser as a UI for a user's program, without exposing access to the backend to other users in the system?

Access token in the URL

Emanuele Di Giacomo suggests adding an access token to the URL that gets passed to the browser. This would work to protect access on localhost: even if the application cannot use HTTPS, other users cannot see packets that go through the local interface, so both the access token and the session cookie that one could send afterwards would be protected.

Network namespaces

I thought about isolating server and browser in a private network namespace with something like unshare(1), but it seems to require root. Johannes Schauer Marin Rodrigues wrote to correct that:

It's possible to unshare the network namespace by first unsharing the user namespace and thus becoming root, which is possible without being root since #898446 got fixed. For example you can run this as the normal user:

lxc-usernsexec -- lxc-unshare -s NETWORK -- ip addr

If you don't want to depend on lxc, you can write a wrapper in Perl or Python. I have a Perl implementation of that in mmdebstrap.

Firewalling

Martin Schuster wrote to suggest another option:

I had the same issue. My approach was "weird", but worked: Block /outgoing/ connections to the port, unless the uid is correct. That might be counter-intuitive, but of course all connections /to/ localhost will be done /from/ localhost also. Something like:

iptables -A OUTPUT -p tcp -d localhost --dport 8123 -m owner --uid-owner joe -j ACCEPT
iptables -A OUTPUT -p tcp -d localhost --dport 8123 -j REJECT
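The token-in-the-URL scheme from the "Access token in the URL" suggestion, as an added example that is not part of the original post or its replies: a minimal Python backend that binds to 127.0.0.1 on a kernel-chosen free port, refuses requests that carry neither the per-process token nor the session cookie it issues, and compares secrets in constant time. The function names (authorized, start_server, fetch), the cookie name "session" and the query parameter name "token" are this example's own choices, not anything from the post.

```python
# Added example (not from the original post): a local backend following the
# "access token in the URL" suggestion. It binds to the loopback interface on a
# kernel-chosen free port, serves a request only when the URL carries a
# per-process random token, then issues an HttpOnly session cookie so later
# navigations do not need the token. All names here are this example's own.
import hmac
import http.cookies
import http.server
import secrets
import threading
import urllib.error
import urllib.parse
import urllib.request

TOKEN = secrets.token_urlsafe(32)            # 256-bit secret, new on every run
SESSION_COOKIE = secrets.token_urlsafe(32)   # handed out once the token is seen


def authorized(path, cookie_header):
    """True when the request carries the URL token or a valid session cookie.

    Both comparisons use hmac.compare_digest so that another local user who can
    reach the port cannot learn the secret one matching character at a time.
    """
    query = urllib.parse.urlparse(path).query
    token = urllib.parse.parse_qs(query).get("token", [""])[0]
    if hmac.compare_digest(token.encode(), TOKEN.encode()):
        return True
    try:
        cookies = http.cookies.SimpleCookie(cookie_header or "")
    except http.cookies.CookieError:
        return False  # malformed Cookie header counts as no cookie
    morsel = cookies.get("session")
    return morsel is not None and hmac.compare_digest(
        morsel.value.encode(), SESSION_COOKIE.encode()
    )


class Handler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        if not authorized(self.path, self.headers.get("Cookie")):
            self.send_error(403, "missing or wrong access token")
            return
        body = b"hello from the local backend\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        # HttpOnly keeps page scripts away from the cookie; SameSite=Strict
        # stops other origins open in the same browser from riding the session.
        self.send_header(
            "Set-Cookie",
            f"session={SESSION_COOKIE}; HttpOnly; SameSite=Strict; Path=/",
        )
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the example quiet


def start_server():
    """Bind 127.0.0.1:0 (a free port picked by the kernel); return (server, url).

    The returned URL already carries the token and is what gets handed to the
    browser. The port number itself is not a secret, only the token is.
    """
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    port = server.server_address[1]
    return server, f"http://127.0.0.1:{port}/?token={TOKEN}"


def fetch(url, cookie=None):
    """GET url with an optional Cookie header; return (status, body).

    A ProxyHandler with no proxies keeps the loopback request local even when
    http_proxy is set in the environment.
    """
    headers = {"Cookie": cookie} if cookie else {}
    request = urllib.request.Request(url, headers=headers)
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(request, timeout=5) as response:
            return response.status, response.read()
    except urllib.error.HTTPError as err:
        return err.code, b""


if __name__ == "__main__":
    import webbrowser
    server, url = start_server()
    print("backend listening, opening", url)
    webbrowser.open(url)
    try:
        threading.Event().wait()  # serve until interrupted
    except KeyboardInterrupt:
        server.shutdown()
```

Run as a script it prints the URL it opens in the browser; any other local user who connects to the port gets a 403 until they guess 256 bits. This protects the HTTP endpoint only: it does not hide the open port from other users, which is what the network namespace and firewalling suggestions above address.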
kubeadm deployer with these packages is not that hard, and is similar to the upstream kubeadm documentation.

apt install vagrant vagrant-libvirt
vagrant init debian/testing64

Bump the RAM and CPU of the VM, Kubernetes needs at least 2 gigs and 2 cores.

awk -i inplace '1;/^Vagrant.configure\("2"\) do \|config\|/{print "  config.vm.provider :libvirt do |vm| vm.memory=2048 end"}' Vagrantfile
awk -i inplace '1;/^Vagrant.configure\("2"\) do \|config\|/{print "  config.vm.provider :libvirt do |vm| vm.cpus=2 end"}' Vagrantfile

Start the VM, login, update the package index.

sudo apt update

Install a container engine, here we use docker.io, we could also use containerd (both are packaged in Debian) or cri-o.

sudo apt install --yes --no-install-recommends docker.io curl

Install kubernetes binaries. This will install kubelet, the system service which will manage the containers, and kubectl, the user/admin tool to manage the cluster.

sudo apt install --yes kubernetes-{node,client} containernetworking-plugins

Although it is not technically mandatory, we will use kubeadm, the most popular installer to create a Kubernetes cluster. Kubeadm is not packaged in Debian, we have to download an upstream binary.

sudo tar --directory=/usr/local/sbin --strip-components 3 -xaf kubernetes-server-linux-amd64.tar.gz kubernetes/server/bin/kubeadm
sudo chmod +x /usr/local/sbin/kubeadm
sudo kubeadm version
kubeadm version: &version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5", GitCommit:"6b1d87acf3c8253c123756b9e61dac642678305f", GitTreeState:"clean", BuildDate:"2021-03-18T01:08:27Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}

and a default config file for the kubelet service:

curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubelet/lib/systemd/system/kubelet.service" | sudo tee /etc/systemd/system/kubelet.service
sudo systemctl enable kubelet
sudo mkdir -p /etc/systemd/system/kubelet.service.d
curl -sSL "https://raw.githubusercontent.com/kubernetes/release/${RELEASE_VERSION}/cmd/kubepkg/templates/latest/deb/kubeadm/10-kubeadm.conf" | sudo tee /etc/systemd/system/kubelet.service.d/10-kubeadm.conf

finally we need to help kubelet find the components needed for container networking

echo 'KUBELET_EXTRA_ARGS="--cni-bin-dir=/usr/lib/cni"' | sudo tee /etc/default/kubelet

kubeadm: this will download container images for the Kubernetes control plane (= the brain of the cluster), and start the containers via the kubelet service. Yes, a good part of Kubernetes itself runs in containers.

sudo kubeadm init --pod-network-cidr=10.244.0.0/16
Your Kubernetes control-plane has initialized successfully!
To start using your cluster, you need to run the following as a regular user:
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config

Follow the instructions from the kubeadm output, and verify you have a single node cluster, with the status NotReady:

kubectl get nodes
NAME STATUS ROLES AGE VERSION
testing NotReady control-plane,master 9m9s v1.20.5

At that point you should also have a bunch of containers running on the node:

sudo docker ps --format '{{.Names}}'

The kubelet service also needs an external network plugin to get the cluster in Ready state.

sudo systemctl status kubelet
Mar 28 09:28:43 testing kubelet: E0328 09:28:43.958059 9405 kubelet.go:2188] Container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

Let's add that network plugin. Download the flannel network plugin definition, and schedule flannel to run on all nodes of your cluster:

kubectl apply --filename=kube-flannel.yml

After a dozen seconds your node should be in ready status.

kubectl get nodes
NAME STATUS ROLES AGE VERSION
testing Ready control-plane,master 16m v1.20.5

Let's allow node testing to run user applications:

kubectl describe node testing | grep ^Taints
kubectl taint node testing node-role.kubernetes.io/master-

Deploy a nginx container:

kubectl run my-nginx-pod --image=docker.io/library/nginx --port=80 --labels="app=http-content"

Create a Kubernetes service to access this pod externally:

- port: 80
kubectl create --filename service.yaml

Access the service via IP address:

Thank you for using nginx.

kubernetes-node documentation. Blog posts deprecate and disappear, wiki and project docs live longer.
Start the VM, install dependencies

apt install vagrant vagrant-libvirt
vagrant init debian/testing64
sudo apt update
sudo apt install --yes curl gnupg jq

Install cri-o the container engine

export OS=Debian_Testing VERSION=1.20
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/ /" > /etc/apt/sources.list.d/libcontainers.list
echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/$VERSION/$OS/ /" > /etc/apt/sources.list.d/cri-o:$VERSION.list
curl -L https://download.opensuse.org/repositories/devel:kubic:libcontainers:stable:cri-o:$VERSION/$OS/Release.key | apt-key add -
curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/$OS/Release.key | apt-key add -
apt install cri-o cri-o-runc containernetworking-plugins conntrack

Verify it is running properly

systemctl restart cri-o
systemctl status cri-o
Started Container Runtime Interface for OCI (CRI-O).

Say hello to cri-o via its unix domain socket

curl --silent --unix-socket /var/run/crio/crio.sock http://localhost/info | jq

Install crictl, a Kubernetes debugging tool for containers

wget --directory-prefix=/tmp https://github.com/kubernetes-sigs/cri-tools/releases/download/v1.20.0/crictl-v1.20.0-linux-amd64.tar.gz
tar -xaf /tmp/crictl-v1.20.0-linux-amd64.tar.gz -C /usr/local/sbin/
chmod +x /usr/local/sbin/crictl

From there on you can create a container following the examples in https://github.com/kubernetes-sigs/cri-tools/blob/master/docs/crictl.md
wget https://cdn.netbsd.org/pub/NetBSD/NetBSD-9.1/i386/installation/cdrom/boot-com.iso

start the install
$ virt-install \
--connect qemu:///session \
--name netbsd \
--ram 64 \
--vcpus 2 \
--disk path=$HOME/netbsd.qcow2,size=4,bus=scsi,format=qcow2 \
--controller type=scsi,model=virtio-scsi \
--virt-type kvm \
--os-variant netbsd8.0 \
--graphics none \
--arch i686 \

This will start a VM in usermode networking, so no need to be root, but the VM won't be reachable from the outside world, except if you add qemu usermode port forwarding.
/etc/cups/printers.conf and change the ErrorPolicy for each printer from

cvlc v4l2:///dev/video0 and there you go.
awk to print the nth column of a file:

$ awk '{print $1}' /etc/hosts

will print all IP addresses from /etc/hosts. But you can also do filtering before printing the chosen column:

$ awk '$5 >= 2 {print $2}' /path/to/file

will print the second column of all lines where the 5th column is greater than 2. That would have been hard with grep. Now I can use that to find out all deployments on my openshift cluster where the number of current replicas is greater than 2.

I know that openshift/kubernetes both have a powerful query selector syntax, but for the moment

$ oc get deployments --all-namespaces | awk '$5 >= 2 {print $2}'
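An added example, not from the original post, showing the same awk filter with the two refinements a practitioner wants before trusting its output: the header line is skipped, and the comparison is forced numeric. Without them the header passes the filter, because awk compares a non-numeric field as a string and "AVAILABLE" sorts after "2". The sample table is constructed here in the column layout of oc get deployments --all-namespaces (NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE); the real command is not run, and the function names are this example's own.

```shell
# Added example (not from the original post). SAMPLE is constructed output in
# the column layout of `oc get deployments --all-namespaces`; column 5 is
# AVAILABLE. No cluster is contacted.
SAMPLE='NAMESPACE   NAME        READY   UP-TO-DATE   AVAILABLE   AGE
default     frontend    3/3     3            3           10d
default     worker      1/1     1            1           10d
monitoring  prometheus  2/2     2            2           30d'

# The filter exactly as written in the post. On the header line $5 is the
# string "AVAILABLE"; awk then compares as strings, "AVAILABLE" >= "2" is
# true, so "NAME" leaks into the output.
naive_filter() {
    awk '$5 >= 2 { print $2 }'
}

# Skip the header (NR > 1) and add 0 to force a numeric comparison. Printing
# namespace/name keeps same-named deployments in different namespaces apart.
busy_deployments() {
    awk 'NR > 1 && $5 + 0 >= 2 { print $1 "/" $2 }'
}

# On a live cluster the usage would be:
#   oc get deployments --all-namespaces | busy_deployments
printf '%s\n' "$SAMPLE" | naive_filter
printf '%s\n' "$SAMPLE" | busy_deployments
```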
Welcome to the May 2020 report from the Reproducible Builds project. One of the original promises of open source software is that distributed peer review and transparency of process results in enhanced end-user security. Nonetheless, whilst anyone may inspect the source code of free and open source software for malicious flaws, almost all software today is distributed as pre-compiled binaries. This allows nefarious third-parties to compromise systems by injecting malicious code into seemingly secure software during the various compilation and distribution processes. In these reports we outline the most important things that we and the rest of the community have been up to over the past month.
Recent years saw a number of supply chain attacks that leverage the increasing use of open source during software development, which is facilitated by dependency managers that automatically resolve, download and install hundreds of open source packages throughout the software life cycle.

In related news, the LineageOS Android distribution announced that a hacker had access to the infrastructure of their servers after exploiting an unpatched vulnerability. Marcin Jachymiak of the Sia decentralised cloud storage platform posted on their blog that their siad utilities can now be built reproducibly:

This means that anyone can recreate the same binaries produced from our official release process. Now anyone can verify that the release binaries were created using the source code we say they were created from. No single person or computer needs to be trusted when producing the binaries now, which greatly reduces the attack surface for Sia users.

Synchronicity is a distributed build system for Rust build artifacts which have been published to crates.io. The goal of Synchronicity is to provide a distributed binary transparency system which is independent of any central operator. The Comparison of Linux distributions article on Wikipedia now features a Reproducible Builds column indicating whether distributions approach and progress towards achieving reproducible builds.
binutils package ships its own, unreproducible, log files in its binary packages. It was followed-up by replies from Chris Lamb and Matthias Klose.
.apk packages. Allan McRae of the ArchLinux project posted their third Reproducible builds progress report to the
arch-dev-public mailing list which includes the following call for help:
We also need help to investigate and fix the packages that fail to reproduce that we have not investigated as of yet.

In openSUSE, Bernhard M. Wiedemann published his monthly Reproducible Builds status update.
146 to Debian, PyPI, etc.
file now supports recognising JSON data. (#106)
.buildinfo handling to show all details (including the GnuPG header and footer components) even when referenced files are not present. (#122)
BuildinfoFile comparator (etc.) regardless of whether the associated files (such as the
.deb) are present. [ ]
.changes, etc. [ ]
differences typo in the
id="foo" anchor reference twice in the HTML output, otherwise identically-named parts will not be able to be linked to via a
#. [ ]
--json presenter; it will usually be too complicated to be readable by the human anyway. [ ]
Command [ ] failed with exit code messages to remove duplicate
exited with exit but also to note that
diffoscope is interpreting this as an error. [ ]
Command [ ] exited with 1 messages. (#126)
debian Python module. [ ]
stderr from if both commands emit the same output. [ ]
apksigner test failures due to lack of
binfmt_misc, eg. on Salsa CI and elsewhere. [ ]
.travis.yml as we use Salsa instead. [ ]
.dockerignore file to whitelist files we actually need in our container. (#105)
ENV when setting up the
DEBIAN_FRONTEND environment variable at runtime. (#103)
build-essential during build so we can install the recommended packages from Git. [ ]
shell=False keyword argument to
subprocess.Popen so that the potentially-unsafe
shell=True is more obvious. [ ]
MissingFile's special handling of
deb822 to prevent leaking through abstract layers. [ ][ ]
except block when cleaning up temporary files with respect to the
flake8 quality assurance tool. [ ]
dsc_in_same_dir to clarify the use of this variable. [ ]
debian_fallback class [ ] and add descriptions for the file types. [ ]
Openssl command class to
OpenSSLPKCS7 to accommodate other command names with this prefix. [ ]
--debugger command-line argument to
--pdb. [ ]
stat(2) birth times (ie.
st_birthtime) in the same way we do with the
Change: times to fix a nondeterministic build failure in GNU Guix. (#74)
has_same_content method was called regardless of the underlying type of file. [ ]
debian/py3dist-overrides to ensure the
rpm-python module is used in package dependencies (#89) and moved to using the new
execute_before_* Debhelper rules [ ].
relative_url where possible [ ][ ] and move a number of configuration variables to
_config.yml [ ][ ].
golang-packaging (toolchain issue, affecting times in
jboss-logging-tools (toolchain issue, affecting date for
find output to avoid inheriting filesystem order)
moonjit (generate reproducible output by default if
vala (report ASLR nondeterminism)
1.8.1-1 to Debian unstable and Bernhard M. Wiedemann fixed an off-by-one error when parsing PNG image modification times. (#16)

In disorderfs, our FUSE-based filesystem that deliberately introduces non-determinism into directory system calls in order to flush out reproducibility issues, Chris Lamb replaced the term dirents in place of directory entries in human-readable output/log messages [ ] and used the astyle source code formatter with the default settings to the main
disorderfs.cpp source file [ ]. Holger Levsen bumped the
debhelper-compat level to 13 in disorderfs [ ] and reprotest [ ], and for the GNU Guix distribution Vagrant Cascadian updated the versions of disorderfs to version 0.5.10 [ ] and diffoscope to version 145 [ ].
libtool. [ ]
_docs subdirectory to find the
_docs/index.md file after an internal move. (#27)
ltmain.sh etc. in preformatted quotes. [ ]
SOURCE_DATE_EPOCH Python examples onto more lines to prevent visual overflow on the page. [ ]
tests.reproducible-builds.org that, amongst many other tasks, tracks the status of our reproducibility efforts as well as identifies any regressions that have been introduced. Holger Levsen made the following changes:
let VARIABLE=0 exits with an error. [ ]
.buildinfo files with the same name. [ ]
/usr merge variation on Debian unstable. [ ]
molly-guard. [ ]
debrebuild script. [ ][ ][ ][ ]
.buildinfo files. [ ][ ]
alpine_schroot.sh script now that a patch for
abuild had been released upstream. [ ]
bcm47xx. [ ]
jenkins to run the
blacklist command [ ] and the usual build node maintenance was performed by Holger Levsen [ ][ ][ ], Mattia Rizzolo [ ][ ] and Vagrant Cascadian [ ][ ][ ].

To make the results accessible, storable and create tools around them, they should all follow the same schema, a reproducible builds verification format. The format tries to be as generic as possible to cover all open source projects offering precompiled source code. It stores the rebuilder results of what is reproducible and what not.

Hans-Christoph Steiner of the Guardian Project also continued his previous discussion regarding making our website translatable. Lastly, Leo Wandersleb posted a detailed request for feedback on a question of supply chain security and other issues of software review; Leo is the founder of the Wallet Scrutiny project which aims to prove the security of Android Bitcoin Wallets:

Do you own your Bitcoins or do you trust that your app allows you to use your coins while they are actually controlled by them? Do you have a backup? Do they have a copy they didn't tell you about? Did anybody check the wallet for deliberate backdoors or vulnerabilities? Could anybody check the wallet for those?

Elsewhere, Leo had posted instructions on his attempts to reproduce the binaries for the BlueWallet Bitcoin wallet for iOS and Android platforms.

This month's report was written by Bernhard M. Wiedemann, Chris Lamb, Holger Levsen, Jelle van der Waa and Vagrant Cascadian. It was subsequently reviewed by a bunch of Reproducible Builds folks on IRC and the mailing list.
@samyak-jn, myself), and
@The_LoudSpeaker, Raman Sarda).
kotlin package residing in m36's repository had a couple of issues that needed to be fixed to meet Debian standards, but Kotlin was building fine locally with the mentioned dependencies. :D
patches as all the changes were made directly to the source, and henceforth fixed
control files to meet Debian Standards. Debian is very particular about its license policies. The copyright was a pending task that was completed for good. The newer package exists at Samyak's repo.
@_hc) for the help with that. The wiki page for Kotlin exists here.
#debian-mobile channel on OFTC.
145. This version includes the following changes:

[ Chris Lamb ]
* Improvements:
  - Add support for Apple Xcode mobile provisioning .mobileprovision files. (Closes: reproducible-builds/diffoscope#113)
  - Add support for printing the signatures via apksigner(1). (Closes: reproducible-builds/diffoscope#121)
  - Use SHA256 over MD5 when generating page names for the HTML directory presenter, validate checksums for files referenced in .changes files using SHA256 too, and move to using SHA256 in "Too much input for diff" output too. (Closes: reproducible-builds/diffoscope#124)
  - Don't leak the full path of the temporary directory in "Command [..] exited with 1". (Closes: reproducible-builds/diffoscope#126)
  - Identify "iOS App Zip archive data" files as .zip files. (Closes: reproducible-builds/diffoscope#116)
* Bug fixes:
  - Correct "differences" typo in the ApkFile handler. (Closes: reproducible-builds/diffoscope#127)
* Reporting/output improvements:
  - Never emit the same id="foo" HTML anchor reference twice, otherwise identically-named parts will not be able to be linked to via "#foo". (Closes: reproducible-builds/diffoscope#120)
  - Never emit HTML with empty "id" anchor elements as it is not possible to link to "#" (vs "#foo"). We use "#top" as a fallback value so it will work for the top-level parent container.
  - Clarify the message when we cannot find the "debian" Python module.
  - Clarify "Command [..] failed with exit code" to remove duplicate "exited with exit" but also to note that diffoscope is interpreting this as an error.
  - Add descriptions for the 'fallback' Debian module file types.
  - Rename the --debugger command-line argument to --pdb.
* Testsuite improvements:
  - Prevent CI (and runtime) apksigner test failures due to lack of binfmt_misc on Salsa CI and elsewhere.
* Codebase improvements:
  - Initially add a pair of comments to tidy up a slightly abstraction level violating code in diffoscope.comparators.missing_file and the .dsc/.buildinfo file handling, but replace this later by inlining MissingFile's special handling of deb822 to prevent leaking through abstraction layers in the first place.
  - Use a BuildinfoFile (etc.) regardless of whether the associated files such as the orig.tar.gz and the .deb are present, but don't treat them as actual containers. (Re: reproducible-builds/diffoscope#122)
  - Rename the "Openssl" command class to "OpenSSLPKCS7" to accommodate other commands with this prefix.
  - Wrap a docstring across multiple lines, drop an inline pprint import and comment the HTMLPrintContext class, etc.

[ Emanuel Bronshtein ]
* Avoid build-cache in building the released Docker image. (Closes: reproducible-builds/diffoscope#123)

[ Holger Levsen ]
* Wrap long lines in older changelog entries.
setxkbmap -layout us -variant altgr-intl

and become a happier programmer.

After restarting the X server, you can check that the settings have been applied with

setxkbmap -print -verbose 10

If using Gnome, you can also set the keyboard layout and variant by changing the schema org.gnome.desktop-inputsources, which will override the desktop-agnostic settings of /etc/default/keyboard.

dconf write /org/gnome/desktop/input-sources/sources "[('xkb', 'us+altgr-intl')]"

or navigate with the gui tool dconf-settings to org.gnome.desktop-inputsources and set the value there.