Hi all,
I'm packing for travel today, so unfortunately I'm not fully read up on the
thread. However, I wanted to leave a comment about this so that the
conversation is informed by it
There are ongoing conversations between the GDM devs, KDE/SDDM/PlasmaDM
devs, and systemd upstream about "upstream
Hello,
Most projects handle this using a CLI argument, like --foreground or
--no-daemonize or something like that. Then in the systemd unit file, you'd
pass that CLI argument on the ExecStart line.
Best,
Adrian
On Mon, Jun 30, 2025, 06:26 Stef Bon wrote:
> Hi,
>
> it's important for a program
Hello,
Isn't there UID mapping support for this purpose? For that specific NFS
mount, you could map whatever UID it is to UID 0
Best,
Adrian
On Thu, Mar 27, 2025, 15:03 James Muir (jamesmui)
wrote:
> > > Is there a conf option or an environment variable I can use to disable
> the unsafe path t
Hello,
On Mon, Mar 10, 2025, 12:06 Mikko Rapeli wrote:
> Hi,
>
> On Mon, Mar 10, 2025 at 11:16:25AM -0400, Adrian Vovk wrote:
> > Hello,
> >
> > Just to see if I understand your concern correctly, I'll try boiling it
> > down to its simplest, by cutting o
Hello,
Just to see if I understand your concern correctly, I'll try boiling it
down to its simplest, by cutting out the need for two partitions. Here's
the scenario:
- An attacker replaces the real rootfs with a malicious one that just drops
to a shell. The attacker keeps a copy of the original r
Hello all,
This is spawned from another recent thread on this list, with the subject
"Is tpm2-measure-pcr really an additional security?", started by Yann
Diorcet. There's some confusion of what scenario exactly is being discussed
in that thread, and in an attempt to clarify I think I came up with
Hello,
UEFI doesn't support RAID for the ESP, and neither does systemd. So it's
not unexpected that systemd is unable to find your ESP: your ESP isn't a
valid ESP.
You may be able to work around your issue by setting an env var:
SYSTEMD_RELAX_ESP_CHECKS=1
See also:
https://github.com/systemd/sys
Hi,
Very cool to hear! Could you open an issue about that last point? It's
probably an oversight when making sd-varlink a public API.
Thanks,
Adrian
On Fri, Dec 6, 2024, 09:03 Thorsten Kukuk wrote:
> Hi,
>
> in the last days I rewrote openSUSEs rebootmgr to only use sd-varlink,
> sd-json and s
Hi Thorsten,
If I understand correctly, you're looking for a way to distribute sysexts
such that they can be enabled/disabled, and they're updated in lock step
with each other and the base OS. Is that correct?
If so, you're looking for Optional Features [1], which will release with 257
Best,
Adr
Responses inline
On Sat, Oct 19, 2024, 21:52 Thayne Harbaugh wrote:
> Response in line:
>
> On Sat, 2024-10-19 at 20:36 -0400, Adrian Vovk wrote:
> > Hello,
> > I might have spotted something
>
> Thank you for reviewing my long email.
>
> > You tell repa
Hello,
I might have spotted something
You tell repart to encrypt with a keyfile, but it seems like you don't pass
in which keyfile to use. By default, repart will encrypt with a null key in
that case. IIRC, you have to pass in the keyfile (or maybe socket) to use
in your drop-in.
Apologies if I'
I don't have the initial email for some reason (got caught in spam filter?
Idk) so I don't have the full context.
On Mon, Aug 19, 2024, 03:55 Andrei Borzenkov wrote:
> On Mon, Aug 19, 2024 at 10:11 AM Barry wrote:
> >
> >
> >
> > On 19 Aug 2024, at 06:55, Windl, Ulrich wrote:
> >
> >
> > Despit
I think it makes most sense for a distro to pick one thing and stick to it.
Otherwise there's no good way to compare packages (i.e. imagine a custom
build of libfoo relying on osVersion but the distro build relying on
osVersionCodename - you can't programmatically tell if both packages are
compatib
systemd has been recommending against an arrangement like that for a long
time now. These partitions are often fragile (read from bootloader code, or
worse firmware! VFAT has no data integrity), and they really have no reason
to be mounted unless they're about to be accessed. Stacking the mount
poi
On 2/21/24 15:09, Stef Bon wrote:
Hi,
I know that I can use a session file, and I know I can use a pamfile
(I've written one myself) but what I want to know is how can I use
systemd for that? Systemd handles the system, sessions and containers,
so is it for example possible to set some paramet
On 2/21/24 12:57, Stef Bon wrote:
Hi,
maybe this is a question simple to answer.
I want the user sessions to start in a {mount,user} namespace. How can
I do this? I know there is the command systemd-nspawn. But to use this
I have to adjust the first command to start a session. Or is it
possible
You shouldn't be using a linux-generic partition for updates. You need (at
least) two of the same kind of partition to switch between whenever there's
an update
On Mon, Jan 8, 2024, 06:46 Renjaya Raga Zenta wrote:
> Hi,
>
> I've been experimenting with systemd-sysupdate, trying to understand how
Hello!
I'm working on passing sd_notify events from systemd-{pull,import} through
sysupdate.
All services that consume sd_notify events (systemd itself, importd,
machined, homed, etc) act as daemons and own a directory in /run. Thus,
they can open a notification socket at, say, /run/SERVICENAME/n
(whoops, accidentally sent this only to Felix. Resending to the mailing list
too)
I wouldn't bind anything to PCR4, because it'll wipe out your decryption
key on any update of any component in the boot chain. In other words: PCR4
is not rollback prevention, it's also roll forward prevention as well
Hello
I've got a problem in my systemd --user instance that I can't quite
grok nor can I explain it very well. Essentially I have no idea what
could possibly be going on. Hoping someone here can help.
Basically, the OS boots and I can log in. Once I do, I experience the
following symptoms:
- Not
tion fails (PCR[7] has
changed!). We try the new decryption and it passes
- We delete the old TPM keyslot
Any thoughts and ideas about any of this?
Thanks,
Adrian Vovk
For reference, here are some of my previous possible solutions to this
problem, and why I decided they won't work:
1.
Whoops, forgot to reply-all and replied directly to Lennart. Forwarding to
the ML
-- Forwarded message -
From: Adrian Vovk
Date: Thu, Mar 2, 2023 at 16:59
Subject: Re: [systemd-devel] Immutable Images: Single Data Partition
To: Lennart Poettering
> /home/ with dm-integrity
> I figure this would be a 20 line patch. Would be happy to review a
patch for that.
Got it. That sounds reasonable to me. I'll get you a patch
> wouldn't it make more sense, to allow declaration of a "ReleaseNotes=" link
> inside a sysupdate .conf file, that can optionally take an URL parameter
b vs lib64" confusion)
Best,
Adrian
On Sat, Feb 25, 2023, 10:01 Neal Gompa wrote:
> On Sat, Feb 25, 2023 at 9:45 AM Lennart Poettering
> wrote:
> >
> > On Di, 21.02.23 16:00, Adrian Vovk (adrianv...@gmail.com) wrote:
> >
> > > Hello all,
> > >
> > >
them to
be encrypted. Maybe there could be a generator that mounts everything
in /state/encrypted and in /state to the appropriate destination based
on escaped filenames relative to / (e.g. /state/home -> /home,
/state/encrypted/my-fancy-dir -> /my/fancy/dir,
/state/encrypted/fancy\x2ddir ->
haps down the road
systemd-sysext can intelligently create sysupdate files based on a
template shipped in the sysext, or sysupdate itself can look for
updatable sysexts, but that's a different discussion for a different
place I think. As far as I can tell this issue of updating sysexts is
already on your radar.
Thoughts?
Thank you,
Adrian Vovk
PLE"\0" "usr/lib64\0" to
"usr/lib/"LIB_ARCH_TUPLE"\0" "usr/lib64\0" "usr/lib\0", and ditto for
all the other architectures. That way no matter what, /lib64 always
exists when necessary.
Thank you,
Adrian Vovk
Hi Chengyi,
> In fact, gdm user doesn't need these services
I'm almost certain that this is incorrect. There's a good chance if you
remove the systemd --user instance from GDM, you will end up with a
broken/unbootable system.
Basically, instead of being its own service manager, new versions
es to the block device. Thus
a write to the home dir is 4 writes to the block device. Am I
mistaken?
Regards,
Adrian
On Thu, Dec 2, 2021 at 6:45 PM Wol wrote:
>
> On 02/12/2021 21:24, Adrian Vovk wrote:
> > Hello Wol,
> >
> > Please, read the blog post I'm responding
Hello Wol,
Please, read the blog post I'm responding to for context to what I'm
saying:
https://0pointer.net/blog/authenticated-boot-and-disk-encryption-on-linux.html
> dm-integrity is NOT ABOUT authentication
dm-integrity provides authentication when configured to use
sha256-hmac. I am not conf
Some more thoughts about the usefulness of dm-integrity:
1. There's some past work[1] on authenticated Btrfs, where the whole
filesystem is authenticated w/ a keyed hash algorithm. It's basically
dm-integrity built directly into the filesystem, with none of the
performance and complexity penal
> Why can't you just enable journalling in systemd-homed, so we have
LUKS+dm-integrity-journalling?
That's why there's two layers of dm-integrity stacked on top of each
other (one protecting the filesystem, one baked into the systemd-homed
LUKS image)
> If the user needs to separate / and /ho
icious modifications. I might
be wrong, though: is there anything protecting the bitmap from arbitrary
modifications?
What are your thoughts on these points? What mode did you plan to have
systemd-homed use?
Regards,
Adrian Vovk