Posts by pid_eins@mastodon.social
(DIR) Post #AxoxjIpROCxTBUDhtg by pid_eins@mastodon.social
2025-09-02T05:58:42Z
0 likes, 0 repeats
@Logical_Error @LaF0rge Let me stress this again. The stuff @LaF0rge is complaining about has *not* taken place at all in v258, unlike what he claims – we made zero changes in v258 regarding /run/lock/ management since basically 2016!
(DIR) Post #AxoxjJVyq2zBJQ7gCe by pid_eins@mastodon.social
2025-09-02T06:06:38Z
1 likes, 0 repeats
@Logical_Error @LaF0rge And to add more to this noise about nothing:

It's not just that Debian and Fedora disagree about ownership/access mode of the dir. It's also, they disagree where to place those frickin' LCK..* files in the first place!

Because on Fedora the dir for that is actually /{var|run}/lock/lockdev/.

Hence, fuck this "decades-old standard". It's not even "a standard" at all.
(DIR) Post #Ay4o84marICbqgQBPs by pid_eins@mastodon.social
2025-09-10T08:43:11Z
0 likes, 0 repeats
5️⃣2️⃣ Here's the 52nd post highlighting key new features of the upcoming v258 release of systemd. #systemd258

PrivateUsers= is one of the many sandboxing knobs in service unit files. It configures a minimal user namespace for the service code to run in. So far you could set it to "self", which would set up the user namespace mapping for the service to map the root user and the service's user to itself, and leave everything else unmapped.
(DIR) Post #Ay4o85zONC2BafPv0K by pid_eins@mastodon.social
2025-09-10T08:46:45Z
0 likes, 0 repeats
Setting the knob to "self" hence would somewhat disconnect the service from the host user table: all inodes, processes, and other objects it sees will be owned by itself, by root or by the "nobody" user (which is where unmapped users are mapped to). In v257 the setting learnt a new value "identity". If used the first 64K users plus the service's own user (if outside the 64K range) would be mapped, nothing else. Or in other words, the service would be limited to the 16bit UID range.
(DIR) Post #Ay4o86prE80ADNxomW by pid_eins@mastodon.social
2025-09-10T08:50:14Z
0 likes, 0 repeats
With v258 a third value has been added: "full". If used the user namespace's UID mapping would map all 2^32 UIDs to themselves.

You might wonder: what's the point of a user namespace if it has a full mapping of the host UID range without altering anything? Here's the thing: user namespaces are not just about mappings, they also make various operations inaccessible to processes contained in them, and they can "own" other namespace types.
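As an added example (not code from the post and not systemd's own code), here is a small Python tool that parses a uid_map in the three-column format the kernel exposes in /proc/<pid>/uid_map and classifies it against the three PrivateUsers= layouts described above. It assumes the mapping lines systemd writes are the identity lines the posts imply (UID 0 plus the service's UID for "self", the first 64K plus the service's UID for "identity", the whole 32-bit range for "full"); the function names and the sample maps are constructed for the example. translate() models what an unmapped host UID looks like from inside: the kernel's overflow UID (65534, "nobody" on most distributions).

```python
from __future__ import annotations

from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

OVERFLOW_UID = 65534  # /proc/sys/kernel/overflowuid default: what unmapped IDs show up as
UID_RANGE = 1 << 32   # size of the 32-bit uid_t space


@dataclass(frozen=True)
class MapEntry:
    inside: int   # first UID as seen inside the namespace
    outside: int  # first UID in the parent (here: host) namespace
    count: int    # length of the contiguous range


def parse_uid_map(text: str) -> list[MapEntry]:
    """Parse the three-column format of /proc/<pid>/uid_map (gid_map is identical)."""
    entries: list[MapEntry] = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {raw!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0 or min(inside, outside) < 0 or max(inside, outside) + count > UID_RANGE:
            raise ValueError(f"uid_map range out of bounds: {raw!r}")
        entries.append(MapEntry(inside, outside, count))
    return entries


def translate(entries: Iterable[MapEntry], host_uid: int) -> int:
    """Host UID as the sandboxed process sees it: the mapped value, else the overflow ID."""
    for e in entries:
        if e.outside <= host_uid < e.outside + e.count:
            return e.inside + (host_uid - e.outside)
    return OVERFLOW_UID


def _union(ranges: Iterable[tuple[int, int]]) -> list[tuple[int, int]]:
    """Normalise half-open ranges: sort, then merge overlapping or adjacent ones."""
    out: list[tuple[int, int]] = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1]:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def classify(entries: list[MapEntry], service_uid: int) -> str:
    """Name the PrivateUsers= layout a map corresponds to (assumed layouts, see lead-in)."""
    if not entries:
        return "unmapped"          # no mapping at all: every UID shows up as "nobody"
    if any(e.inside != e.outside for e in entries):
        return "other"             # shifted map, e.g. a container; PrivateUsers= never shifts
    have = _union((e.inside, e.inside + e.count) for e in entries)
    if len(have) == 1 and have[0][0] == 0 and have[0][1] >= UID_RANGE - 1:
        return "full"              # one identity range over (essentially) the whole uid_t space
    own = (service_uid, service_uid + 1)
    if have == _union([(0, 1 << 16), own]):
        return "identity"          # 16-bit range, plus the service UID if it lies outside it
    if have == _union([(0, 1), own]):
        return "self"              # root and the service UID only
    return "other"


def classify_self(service_uid: int) -> str:
    """Classify the user namespace this process runs in (Linux only)."""
    return classify(parse_uid_map(Path("/proc/self/uid_map").read_text()), service_uid)


# Constructed sample maps (not captured from a real system), as a service running as
# UID 1000 would see them under each mode.
SAMPLE_SELF = "         0          0          1\n      1000       1000          1\n"
SAMPLE_IDENTITY = "         0          0      65536\n"
SAMPLE_FULL = "         0          0 4294967295\n"
SAMPLE_SHIFTED = "         0     100000      65536\n"   # typical container map, not PrivateUsers=

if __name__ == "__main__":
    for label, text in [("self", SAMPLE_SELF), ("identity", SAMPLE_IDENTITY),
                        ("full", SAMPLE_FULL), ("container", SAMPLE_SHIFTED)]:
        entries = parse_uid_map(text)
        print(f"{label:9} -> {classify(entries, 1000):9} host UID 0 / 1000 / 70000 seen as "
              f"{translate(entries, 0)} / {translate(entries, 1000)} / {translate(entries, 70000)}")
```

Run it inside a service with `PrivateUsers=` set (or call `classify_self(os.getuid())` from the service itself) to confirm which layout the unit actually got; the "other" and "unmapped" results are the ones worth alerting on, since neither is something PrivateUsers= produces.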
(DIR) Post #B0NV0WKbzsFyDQTUnI by pid_eins@mastodon.social
2025-11-18T09:55:14Z
0 likes, 1 repeats
It's that time again! The systemd v259 release is coming closer. Let's restart the "what's new" series of posts for this iteration! Hence:

1️⃣ Here's the 1st post highlighting key new features of the upcoming v259 release of systemd. #systemd259

For many usecases it's quite useful if local services can register additional hostnames for local resolution. For example, container and VM managers might want to register the IPs of locally running containers or VMs via a hostname, so that you can…
(DIR) Post #B0NV0c22noy9tZpkga by pid_eins@mastodon.social
2025-11-18T09:57:56Z
0 likes, 0 repeats
…access them by name rather than by address.

With v259 we are making this easy: there's now a "hook" interface in systemd-resolved: any privileged local daemon may bind an AF_UNIX socket in /run/systemd/resolve.hook/, and implement a simple Varlink IPC interface on it. If they do so, systemd-resolved will query it for every single local name resolution request, and they can answer positively, negatively, or let the resolution request be processed by the usual DNS based logic.
(DIR) Post #B0NV0i6AFPpWi5o7wO by pid_eins@mastodon.social
2025-11-18T10:00:03Z
0 likes, 0 repeats
If multiple hook services are in place, they are always queried in parallel, to reduce latencies (but if multiple return positively the service with the alphabetically first socket path wins).

In systemd there are now two services which bind sockets there by default:

First of all systemd-machined makes all local containers/VMs that registered their IP addresses with it resolvable.

Secondly, systemd-networkd makes all hosts resolvable for which its internal DHCP server handed out leases.
(DIR) Post #B0NV0oIRChDFvtb0u8 by pid_eins@mastodon.social
2025-11-18T10:02:16Z
0 likes, 0 repeats
You might wonder: how does this relate to nss-mymachines? That NSS plugin did something very similar to the systemd-machined logic implemented now, however, it has one problem: it operates strictly and exclusively on the NSS level, but many programs nowadays bypass that and talk DNS directly with the configured servers. Since systemd-resolved registers itself as local DNS server in /etc/resolv.conf it means the new hook logic works for all types of lookups, regardless if they come via NSS, …
(DIR) Post #B0NV0uCdFC8MFcvSgi by pid_eins@mastodon.social
2025-11-18T10:04:53Z
0 likes, 0 repeats
…, D-Bus, Varlink or the local DNS stub. I think in the longer run we should deprecate nss-mymachines.

You might also wonder: sending every single lookup to all hooks might be quite expensive! As it turns out, the Varlink protocol spoken on the hook services is a bit smarter: it allows the hook service to install a filter on the requests it wants: restrict the hook to certain domains, or limits on the number of labels in the lookup.

Note that this API is public, i.e. any service can register…
(DIR) Post #B0NV0zyJnKFW8yH7D6 by pid_eins@mastodon.social
2025-11-18T10:05:17Z
0 likes, 0 repeats
…names this way, not just systemd-machined and systemd-networkd.

And that's it for the first episode.
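As an added illustration (not code from the posts and not systemd's own code), here is a Python model of the dispatch rules the thread above describes: every eligible hook is queried concurrently, among several positive answers the alphabetically first socket path wins, a negative answer turns into a definite miss, and otherwise the lookup falls through to the usual DNS logic; the per-hook filter (domain suffix, label count) decides which hooks are contacted at all. The actual Varlink interface and method names are not shown on the page, so a plain coroutine stands in for the IPC call. The shape of the filter, the rule that a positive answer beats a negative one, the choice to ignore a hook that raises, and the two sample hooks with their tables and socket names are all assumptions made for the example.

```python
from __future__ import annotations

import asyncio
from dataclasses import dataclass, field
from enum import Enum
from typing import Awaitable, Callable

HOOK_DIR = "/run/systemd/resolve.hook/"   # directory named in the post


class Verdict(Enum):
    POSITIVE = "positive"   # the hook owns the name and supplies addresses
    NEGATIVE = "negative"   # the hook asserts the name does not exist
    PASS = "pass"           # no opinion: fall through to the normal DNS path


@dataclass(frozen=True)
class Answer:
    verdict: Verdict
    addresses: tuple[str, ...] = ()


@dataclass(frozen=True)
class HookFilter:
    """Filter a hook installs so resolved skips it for names it cannot answer (shape assumed)."""
    domains: tuple[str, ...] = ()   # only names equal to or below one of these; empty = any
    max_labels: int | None = None   # only names with at most this many labels

    def wants(self, name: str) -> bool:
        labels = [l for l in name.lower().rstrip(".").split(".") if l]
        if self.max_labels is not None and len(labels) > self.max_labels:
            return False
        if not self.domains:
            return True
        n = ".".join(labels)
        return any(n == d or n.endswith("." + d)
                   for d in (x.lower().strip(".") for x in self.domains))


@dataclass
class Hook:
    socket_path: str                                 # where the daemon bound its AF_UNIX socket
    handler: Callable[[str], Awaitable[Answer]]      # stands in for the Varlink method call
    filt: HookFilter = field(default_factory=HookFilter)


async def dispatch(name: str, hooks: list[Hook]) -> tuple[str, str | None, tuple[str, ...]]:
    """Ask every eligible hook concurrently; return (source, winning socket path, addresses)."""
    eligible = [h for h in hooks if h.filt.wants(name)]
    results = await asyncio.gather(*(h.handler(name) for h in eligible), return_exceptions=True)
    positive: list[tuple[Hook, Answer]] = []
    negative: list[tuple[Hook, Answer]] = []
    for hook, res in zip(eligible, results):
        if isinstance(res, BaseException):
            continue                     # a crashed hook must not block resolution (assumption)
        if res.verdict is Verdict.POSITIVE:
            positive.append((hook, res))
        elif res.verdict is Verdict.NEGATIVE:
            negative.append((hook, res))
    if positive:                          # several positives: alphabetically first path wins (post)
        hook, res = min(positive, key=lambda hr: hr[0].socket_path)
        return ("hook", hook.socket_path, res.addresses)
    if negative:                          # positive beats negative: assumption, the post is silent
        hook, _ = min(negative, key=lambda hr: hr[0].socket_path)
        return ("nxdomain", hook.socket_path, ())
    return ("dns", None, ())              # nobody claimed it: regular DNS logic takes over


def resolve(name: str, hooks: list[Hook]) -> tuple[str, str | None, tuple[str, ...]]:
    return asyncio.run(dispatch(name, hooks))


# Constructed stand-ins for the two built-in hooks (tables and socket names are made up).
CONTAINERS = {"web1": ("10.0.0.5",), "db1": ("10.0.0.6",)}
LEASES = {"web1": ("192.168.1.20",), "printer.lan": ("192.168.1.30",)}
queried = {"containers": 0, "dhcp": 0}   # counts round trips, to show the filters saving them


async def containers_hook(name: str) -> Answer:
    queried["containers"] += 1
    key = name.lower().rstrip(".")
    return Answer(Verdict.POSITIVE, CONTAINERS[key]) if key in CONTAINERS else Answer(Verdict.PASS)


async def dhcp_hook(name: str) -> Answer:
    queried["dhcp"] += 1
    key = name.lower().rstrip(".")
    if key in LEASES:
        return Answer(Verdict.POSITIVE, LEASES[key])
    if key.endswith(".lan"):
        return Answer(Verdict.NEGATIVE)   # treated as authoritative for .lan: unknown host is a miss
    return Answer(Verdict.PASS)


SAMPLE_HOOKS = [
    Hook(HOOK_DIR + "zz-dhcp", dhcp_hook, HookFilter(max_labels=2)),
    Hook(HOOK_DIR + "aa-containers", containers_hook, HookFilter(max_labels=1)),
]

if __name__ == "__main__":
    for q in ("web1", "printer.lan", "ghost.lan", "www.example.com"):
        print(q, "->", resolve(q, SAMPLE_HOOKS))
    print("round trips:", queried)
```

The security-relevant property to notice is the tiebreak: with two hooks both claiming "web1", the one whose socket sorts first alphabetically wins, so any privileged daemon that can bind a socket in that directory can shadow another hook's answers by picking a suitable socket name. The filter is what keeps the cost down: a three-label lookup such as www.example.com never leaves resolved at all.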
(DIR) Post #B0fAIW4KfVgrBWwDyq by pid_eins@mastodon.social
2025-11-25T15:30:55Z
0 likes, 1 repeats
6️⃣ Here's the 6th post highlighting key new features of the upcoming v259 release of systemd. #systemd259 #systemd

Here's a short one: systemd v259 will compile fine with musl libc, out of the box.

Sounds great? Well, it's not as great as it might sound to some. musl has quite some limitations compared to glibc: the primary one is that there's no Name Service Switch (NSS) support. That's the subsystem that allows systemd to make domain names, user names, groups names resolvable via…
(DIR) Post #B0fAIbCJbG2x5jiAcK by pid_eins@mastodon.social
2025-11-25T15:36:53Z
0 likes, 0 repeats
…gethostbyname(), getaddrinfo(), getpwnam(), getgrnam() and similar calls.

And that in turn is used to make a good chunk of systemd's infrastructure work, for example DynamicUser=1, systemd-resolved, systemd-homed, systemd-userdbd, systemd-nsresourced, nss-myhostname, and so on. Hence, if you don't have NSS then all that is gone or half-broken.

And there are other limitations: systemd will react to memory pressure by releasing memory that libc has acquired from the kernel…
(DIR) Post #B0fAIgNqJpErAw8wmO by pid_eins@mastodon.social
2025-11-25T15:40:53Z
0 likes, 0 repeats
…but is no longer using back to the kernel. It's an essential feature that makes things work on low-memory systems. But musl has no concept for this, hence the memory pressure operation is a NOP there...

And then of course, musl upstream is what one might describe as hostile towards systemd, and that alone is a good reason to not recommend its use for me.
(DIR) Post #B0fAIlSzQ7KIwLaczo by pid_eins@mastodon.social
2025-11-25T15:42:24Z
0 likes, 0 repeats
Hence, make of this what you want. But my recommendation continues to be: just use glibc, the pain and limitations musl brings are really not worth it. glibc has NSS, glibc has malloc_trim(), doesn't need tons of polyfills, and most of all glibc upstream folks are good to work with.
(DIR) Post #B0vwH9SBAeIJ5Grl3I by pid_eins@mastodon.social
2025-12-05T09:02:20Z
1 likes, 0 repeats
1️⃣2️⃣ Here's the 12th post highlighting key new features of the upcoming v259 release of systemd. #systemd259 #systemd

systemd-vmspawn is a small wrapper around qemu that provides various integration points with systemd infrastructure, such as ready notification, credential passing, machined integration and so on.

With v259 it gained one additional little feature for integrating VMs better in the host:
(DIR) Post #B1dF8YEgBLK8jVCD7g by pid_eins@mastodon.social
2025-12-26T06:13:52Z
0 likes, 1 repeats
2️⃣1️⃣ Here's the 21st post highlighting key new features of the recently released v259 release of systemd. #systemd259 #systemd

In episode 16 we already talked about systemd-firstboot, systemd's little configuration console tool that can run on first boot and ask the user for a few simple basic questions regarding keymap or locale or such.

With v259 it received a small facelift of a kind. First of all, we'll now turn off concurrent log output from the kernel and from PID 1…
(DIR) Post #B1dF8e2qaFQMkXhqVs by pid_eins@mastodon.social
2025-12-26T06:16:43Z
0 likes, 0 repeats
…while the tool is in the foreground, so that its terminal output is not interrupted by log output. This is implemented via a tiny Varlink service "systemd-mute-console", that is carefully written to ensure that after systemd-firstboot exits the output is turned back on to its original settings.

Moreover, systemd-firstboot will now output a footer and header while doing its thing, in order to communicate better that this is separate from the usual boot-time output. The footer/header is colored…
(DIR) Post #B1dF8jP0fH7hMj77Fg by pid_eins@mastodon.social
2025-12-26T06:18:24Z
0 likes, 0 repeats
…based on /etc/os-release settings, and stays on screen as long as the tool runs.

The homectl firstboot verb got the same facelift.

Both together now give a much more pleasant first boot experience if you boot up a ParticleOS install for the first time.
(DIR) Post #B1v1XoL1Y8FZOraoqm by pid_eins@mastodon.social
2024-08-28T13:45:33Z
0 likes, 0 repeats
@shironeko I am talking about this drivel:

https://www.fsf.org/news/treacherous.html
https://www.fsf.org/news/lifes-better-together-when-you-avoid-windows-11
https://www.gnu.org/philosophy/you-the-problem-tpm2-solves.html
https://www.fsf.org/windows/

Some of this is just plain dumb and uninformed.