"""
In this article, we will review how Docker container achieves its security and isolation utilizing native container features of Linux such as namespaces, cgroups, capabilities, etc.
"""
A bit of revision thanks to this well-referenced article.
Also read "Docker: Differences between Container and Full VM" http://xmlandmore.blogspot.fr/2015/11/docker-difference-between-container-and.html
PS: don't be put off by the blog's title :)
"""
The program keeps records of whether network interfaces are up or down. Under exceptional circumstances these records can become inconsistent with the real states of the interfaces. For example, an interface that was brought up using ifup and later deconfigured using ifconfig will still be recorded as up. To fix this you can use the --force option to force ifup or ifdown to run configuration or deconfiguration commands despite what it considers the current state of the interface to be.
"""
A large piece of documentation for iproute2.
The 2009 announcement on the debian-devel mailing list deprecating net-tools (ifconfig, route, netstat, arp...) in favour of iproute2 (ip, ss, nstat, tc...): https://lists.debian.org/debian-devel/2009/03/msg00780.html
The files shipped by iproute2:
https://packages.debian.org/jessie/amd64/iproute2/filelist
Sarah Sharp is leaving the community in charge of Linux kernel development. She explains the reasons for her departure. Excerpt:
"""
I need communication that is technically brutal but personally respectful. I need people to correct my behavior when I’m doing something wrong (either technically or socially) without tearing me down as a person. We are human. We make mistakes, and we correct them. We get frustrated with someone, we over-react, and then we apologize and try to work together towards a solution.
"""
Human after all.
"""
Congratulations!
If you are reading this message, it means that your e-mail service provider is
able to receive e-mail from IPv6-only server. Your e-mail is therefore fully
ready for the new internet protocol!
--
DoesNotWork.eu
"""
Thanks to the autoresponder test@doesnotwork.eu (IPv6 only), I was able to verify that my server can send and receive mail over IPv6.
"""
Sep 14 15:47:24 dedibox postfix/smtpd[6960]: connect from www.doesnotwork.eu[2001:1528:132:70::d0e5]
Sep 14 15:47:24 dedibox postfix/smtpd[6960]: Anonymous TLS connection established from www.doesnotwork.eu[2001:1528:132:70::d0e5]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Sep 14 15:47:24 dedibox postfix/smtpd[6960]: 8B605FFB57: client=www.doesnotwork.eu[2001:1528:132:70::d0e5]
Sep 14 15:47:24 dedibox opendkim[809]: 8B605FFB57: s=doesnotwork2015 d=doesnotwork.eu SSL
Sep 14 15:47:24 dedibox postfix/qmgr[26726]: 8B605FFB57: from=test@doesnotwork.eu, size=1793, nrcpt=1 (queue active)
Sep 14 15:47:24 dedibox postfix/smtpd[6960]: disconnect from www.doesnotwork.eu[2001:1528:132:70::d0e5]
Sep 14 15:47:24 dedibox postfix/pipe[6963]: 8B605FFB57: to=********@fralef.me, orig_to=egoijegoijzg@fralef.me, relay=dovecot, delay=0.12, delays=0.07/0/0/0.05, dsn=2.0.0, status=sent (delivered via dovecot service)
"""
"""
Apart from the inevitable problems associated with being a jack-of-all-trades (and) master-of-none, the result will be the death of innovation for all functions absorbed into systemd as it is impossible to replace any one of them without replacing systemd entirely... which makes the job of developing improvements just too big a job.
"Right now, we have several alternatives to choose between for cron, ntp, logging, etc – each of them with different advantages and disadvantages. With systemd, it becomes a one-size-fits-all-or-else situation. If what it does doesn't suit you then tough luck, because you can't replace it without breaking your system.
"The second major problem with systemd is that it is becoming (or has become) mandatory - unnecessary dependencies on logind or systemd itself make it nearly impossible to avoid having systemd installed."
It remains to be seen which other functions systemd will seek to take over. As one wag put it, it might come to the point where one has just systemd and the kernel making up a Linux distribution.
"""
Also read the very good Ars Technica piece: http://arstechnica.co.uk/business/2015/08/how-linux-was-born-as-told-by-linus-torvalds-himself/
"""
A series of posts about the linux kernel and its insides.
The goal is simple - to share my modest knowledge about the internals of the linux kernel and help people who are interested in linux kernel internals, and other low-level subject matter.
"""
By default, laptop-mode is rather aggressive and suspends USB devices after 2 seconds of inactivity. That becomes a problem when you want to use a USB mouse ;)
For my part, I trigger the suspend after 60 seconds by editing /etc/laptop-mode/conf.d/runtime-pm.conf like this:
"""
# Auto-Suspend timeout in seconds
# Number of seconds after which the USB devices should suspend
#AUTOSUSPEND_TIMEOUT=2
AUTOSUSPEND_TIMEOUT=60
"""
then restart laptop-mode:
"""
$ sudo systemctl restart laptop-mode.service
"""
"""
Close windows, open doors.
"""
https://www.fsf.org/windows/pledge
"""
32-bit binaries are now available! Now users on i386 systems can try out the 1.x betas as well. Please reply to this thread with any technical problems that you encounter on that architecture.
"""
Thanks kiki
"""
uif - Tool for generating optimized firewall rules
The uif project has been developed for a diskless router system and provides
a mechanism to create and simplify packet filter rules. It forces you to
provide names for every value you use in order to make firewalls less
confusing.
"""
Clear syntax.
Based on iptables.
Available in Debian.
Example config:
"""
masq+ o=extern s=intranet
nat+ s=intranet p=http D=relayintern P=squid
in+ s=trusted p=ssh,ping,traceroute,http
out- s=intranet p=smb f=reject
fw- d=microsoft f=reject,log(ms-alert)
slin+ s=testnet
slout- d=testnet
fw> o=extern
fw+ p=myhttp f=account(HTTP)
"""
WTF !
If the dd command has already been started, run
"""
kill -USR1 $(pgrep ^dd)
"""
EDIT: or better, as a reader suggests (thanks Damien)
"""
pkill -USR1 ^dd
"""
This will print information like the following in the terminal where dd is running
"""
321121+0 records in
321120+0 records out
164413440 bytes transferred in 112.708791 secs (1458745 bytes/sec)
"""
If you are about to use dd, use pv.
"""
apt-get install pv
dd if=/dev/sda | pv | dd of=/dev/sdc
"""
which gives
"""
6,84GO 0:09:09 [ 38,5MB/s] [ <=> ]
"""
Really cool.
You can go further, with a progress bar as described here: http://www.cyberciti.biz/faq/linux-unix-dd-command-show-progress-while-coping/
Linux Storage Stack Diagram v4.0 (for Linux kernel 4.0)
Source: https://www.thomas-krenn.com/en/wiki/Linux_I/O_Stack_Diagram (with the diagrams for earlier Linux kernel versions)
Shellcodes that let any "script kiddie" escalate privileges as soon as they have access to a shell (example https://demo.cozycloud.cc/#apps/term/).
"""
We don't merge kernel code just because user space was written by a retarded monkey on crack.
‒ Linus Torvalds
"""
in reply to Andy Lutomirski (https://lkml.org/lkml/2015/6/23/22), who explains in particular that:
"""
The current state of uncertainty is problematic, I think. The kdbus
team is spending a lot of time making things compatible with kdbus,
and the latest systemd release makes kdbus userspace support
mandatory. The kernel people who would review it (myself included)
probably don't want to review new versions at a line-by-line level,
because we (myself included) either don't know whether there's any
point or don't think that it should be merged even if the
implementation were flawless.
"""
The latest versions of systemd depend on kdbus, so they are putting pressure on Linus to accept kdbus into Linux.
Popcorn time. Stay tuned.
EDIT: as a reminder, dbus, just like systemd, is Lennart's work.
"""
One of the "features" of systemd is that it allows you to boot a system without needing a shell at all. This seems like such a senseless manoeuvre that I can't help but think of it as a knee-jerk reaction to the perception of Too Much Shell in sysv init scripts.
In exactly which universe is it reasonable to assume that you have a running D-Bus service (or kdbus) and a filesystem containing unit files, all the binaries they refer to, all the libraries they link against, and all the configuration files any of them reference, but that you lack that most ubiquitous of UNIX binaries, /bin/sh?
The use case often cited for this is managing services inside a container. I don't see why the init on my desktop needs to be complicated and restricted for the sake of a feature used by a minority of people with specialised use cases. By all means, write a tool for bootstrapping containers that doesn't rely on a shell, but don't shoehorn that into a one-size-fits-all init.
"""