Kubermatic on Hetzner
Hello and welcome to another article about Kubernetes. In this article we will go through the Kubermatic installation on Hetzner Cloud. But first of all let us go through a few questions: What is Kubermatic and why do I need it? Kubermatic abstracts different Kubernetes clusters and providers for you. It does not matter if you want a cluster on Amazon, Google, Hetzner, vSphere or on-premise. With Kubermatic you can easily bootstrap new clusters in your favorite location with your favorite cloud provider or on-premise.
https://shibumi.dev/posts/kubermatic-on-hetzner/
Hello and welcome to another article about Kubernetes. In this article we will go through the Kubermatic installation on Hetzner Cloud. But first of all let us go through a few questions: What is Kubermatic and why do I need it? Kubermatic abstracts different Kubernetes clusters and providers for you. It does not matter if you want a cluster on Amazon, Google, Hetzner, vSphere or on-premise. With Kubermatic you can easily bootstrap new clusters in your favorite location with your favorite cloud provider or on-premise.
https://shibumi.dev/posts/kubermatic-on-hetzner/
shibumi.dev
Kubermatic on Hetzner
Installing Kubermatic on Hetzner
Hardening Executables
Quite a while ago, Arch Linux has turned on many binary security features via compilation flags (2016)1 or turned off options that are known to help exploit software (debugging symbols, RPATH). Now we have 2021 and Arch Linux made good experience with the additional security options. We made good experience on Arch Linux with the following flags so far: FULL RELRO (Full Relocation Read-Only)2 STACK CANARY3 NX-Bit4 PIE (Position Independent Executable/Code)5 Setting no RPATH6 Setting no Symbols FORTIFY7 Some of these flags are known to have effects on performance.
https://shibumi.dev/posts/hardening-executables/
Quite a while ago, Arch Linux has turned on many binary security features via compilation flags (2016)1 or turned off options that are known to help exploit software (debugging symbols, RPATH). Now we have 2021 and Arch Linux made good experience with the additional security options. We made good experience on Arch Linux with the following flags so far: FULL RELRO (Full Relocation Read-Only)2 STACK CANARY3 NX-Bit4 PIE (Position Independent Executable/Code)5 Setting no RPATH6 Setting no Symbols FORTIFY7 Some of these flags are known to have effects on performance.
https://shibumi.dev/posts/hardening-executables/
shibumi.dev
Hardening Executables
Quite a while ago, Arch Linux has turned on many binary security features via compilation flags (2016)1 or turned off options that are known to help exploit software (debugging symbols, RPATH). Now we have 2021 and Arch Linux made good experience with the…
mkinitcpio v31 and UEFI stubs
A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub. The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53 This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot. The Boot Process For the past decade most computers have two ways to boot.
https://linderud.dev/blog/mkinitcpio-v31-and-uefi-stubs/
A few months ago I wrote up some code for mkinitcpio which teaches it how to create UEFI executables utilizing the systemd stub. The change can be found here: https://github.com/archlinux/mkinitcpio/pull/53 This is a short introduction to why the feature is great, how it makes it easier to boot your system, and how it can be used to better secure your system with something like secure boot. The Boot Process For the past decade most computers have two ways to boot.
https://linderud.dev/blog/mkinitcpio-v31-and-uefi-stubs/
GitHub
[mkinitcpio] Create UEFI executables by Foxboron · Pull Request #53 · archlinux/mkinitcpio
Missing stuff for this pull-request.
Do we want a new section in the manpages?
Is the flags okay enough?
Testing
Implement UEFI executable generation in mkinitcpio by utilizing UEFI
stubs pro...
Do we want a new section in the manpages?
Is the flags okay enough?
Testing
Implement UEFI executable generation in mkinitcpio by utilizing UEFI
stubs pro...
Monthly Report (August 2021)
This is the monthly report of what I’ve been up to in August 2021. 🙌 Reproducible Builds There are many different reasons to be interested in Reproducible Builds. When I originally got involved in the project I wasn’t a maintainer in any Linux distribution yet, instead I was wondering if there’s a way to distribute pre-compiled artifacts as an independent open source dev without carrying all the responsibility alone. A few years later I’ve now published a manual called i-probably-didnt-backdoor-this. It contains a hello world program and instructions on how to reproduce the various pre-compiled artifacts, explains all build …
https://vulns.xyz/2021/08/monthly-report/
This is the monthly report of what I’ve been up to in August 2021. 🙌 Reproducible Builds There are many different reasons to be interested in Reproducible Builds. When I originally got involved in the project I wasn’t a maintainer in any Linux distribution yet, instead I was wondering if there’s a way to distribute pre-compiled artifacts as an independent open source dev without carrying all the responsibility alone. A few years later I’ve now published a manual called i-probably-didnt-backdoor-this. It contains a hello world program and instructions on how to reproduce the various pre-compiled artifacts, explains all build …
https://vulns.xyz/2021/08/monthly-report/
GitHub
GitHub - kpcyrd/i-probably-didnt-backdoor-this: A practical experiment on supply-chain security using reproducible builds
A practical experiment on supply-chain security using reproducible builds - kpcyrd/i-probably-didnt-backdoor-this
Xandikos CardDAV/CalDAV server
In looking to moving my phone to LineageOS, I've started thinking about moving my mail, contacts and calendar data to my own server. After researching solutions for a while, I decided to try out xandikos. A simple Python carddav/caldav server intended for a single user with a basic feature …
https://vdwaa.nl/xandikos-server-setup.html
In looking to moving my phone to LineageOS, I've started thinking about moving my mail, contacts and calendar data to my own server. After researching solutions for a while, I decided to try out xandikos. A simple Python carddav/caldav server intended for a single user with a basic feature …
https://vdwaa.nl/xandikos-server-setup.html
Cloud Native and Arch Linux
In this article I want to give a short overview over the current state of Arch Linux with respect to cloud native technologies. I would like to show why I think Arch Linux is perfect as a daily driver in the cloud native ecosystem and how the current state of cloud native software in Arch Linux looks like. Reason Nr 1: Security At Arch Linux we take security very seriously. Our newly selected project lead has a strong security background (founding member of the Arch Linux security team) and member in a CTF group.
https://shibumi.dev/posts/cncf-and-archlinux/
In this article I want to give a short overview over the current state of Arch Linux with respect to cloud native technologies. I would like to show why I think Arch Linux is perfect as a daily driver in the cloud native ecosystem and how the current state of cloud native software in Arch Linux looks like. Reason Nr 1: Security At Arch Linux we take security very seriously. Our newly selected project lead has a strong security background (founding member of the Arch Linux security team) and member in a CTF group.
https://shibumi.dev/posts/cncf-and-archlinux/
shibumi.dev
Cloud Native and Arch Linux
In this article I want to give a short overview over the current state of Arch Linux with respect to cloud native technologies. I would like to show why I think Arch Linux is perfect as a daily driver in the cloud native ecosystem and how the current state…
Monthly Report (September 2021)
This is the monthly report of what I’ve been up to in September 2021. 🙌 Reproducible Builds There have been 3 releases of rebuilderd this month, 0.14.0, and two minor bugfix releases, 0.14.1 and 0.14.2. The 0.14.0 release introduced experimental support to rebuild Tails images in #66. Tails is a portable operating system that’s known for it’s strong focus on privacy and security, and commonly used by activists, journalists and various human-rights NGOs. It already had reproducible images for a long time (since around 2017), but you had to reproduce the images manually. Starting with this release …
https://vulns.xyz/2021/09/monthly-report/
This is the monthly report of what I’ve been up to in September 2021. 🙌 Reproducible Builds There have been 3 releases of rebuilderd this month, 0.14.0, and two minor bugfix releases, 0.14.1 and 0.14.2. The 0.14.0 release introduced experimental support to rebuild Tails images in #66. Tails is a portable operating system that’s known for it’s strong focus on privacy and security, and commonly used by activists, journalists and various human-rights NGOs. It already had reproducible images for a long time (since around 2017), but you had to reproduce the images manually. Starting with this release …
https://vulns.xyz/2021/09/monthly-report/
GitHub
Release v0.14.0 · kpcyrd/rebuilderd
Add in-toto attestation to rebuilderd by @joyliu-q during Google Summer of Code
Add experimental tails support
Add subcommand to download attestation with rebuildctl
Dynamically link zstd
Arch Linu...
Add experimental tails support
Add subcommand to download attestation with rebuildctl
Dynamically link zstd
Arch Linu...
Release: rebuilderd v0.15.0
rebuilderd 0.15.0 very recently released, this is a short intro into what it is, how it works and how to build our own integrations! (https://vulns.xyz/img/Vx35qrG.png)rebuilderd monitors an index of artifacts and parses it into a datastructure that looks like this. In the most basic case, based on the
https://vulns.xyz/2021/10/rebuilderd-v0.15.0/
rebuilderd 0.15.0 very recently released, this is a short intro into what it is, how it works and how to build our own integrations! (https://vulns.xyz/img/Vx35qrG.png)rebuilderd monitors an index of artifacts and parses it into a datastructure that looks like this. In the most basic case, based on the
distro field it’s going to pick the right build script and attempt to generate an artifact identical to the file linked to in url. (https://vulns.xyz/img/V6r1iXsRTpLp.png)We’re starting with a script that generates a json. In our case we’ll simply hard-code all values for demonstration purpose. Most of these values can be arbitrary …https://vulns.xyz/2021/10/rebuilderd-v0.15.0/
GitHub
Release v0.15.0 · kpcyrd/rebuilderd
distro field is now an opaque string instead of an enum
url has been renamed to artifact_url in a few places
It's now possible to pass --input-url to support eg. external buildinfo files
/data ...
url has been renamed to artifact_url in a few places
It's now possible to pass --input-url to support eg. external buildinfo files
/data ...
Keyless signatures for blobs with cosign
While reading the cosign-installer I have stumbled upon these lines in the documentation: - name:SigntheimageswithGitHubOIDC**notproductionready**run:cosignsign-oidc-issuerhttps://token.actions.githubusercontent.com${TAGS}env:TAGS:${{steps.docker_meta.outputs.tags}}COSIGN_EXPERIMENTAL:1The shown lines are a step of a Github Action and are still experimental, but very interesting. It allows to sign a docker image via making use of the OpenID Connect standard. OpenID Connect can be summarized as follows: If you login into Github, Github will create a number of tokens. These tokens are then associated with your Github Action and with these tokens you can sign any artifact.
https://shibumi.dev/posts/first-look-into-cosign/
While reading the cosign-installer I have stumbled upon these lines in the documentation: - name:SigntheimageswithGitHubOIDC**notproductionready**run:cosignsign-oidc-issuerhttps://token.actions.githubusercontent.com${TAGS}env:TAGS:${{steps.docker_meta.outputs.tags}}COSIGN_EXPERIMENTAL:1The shown lines are a step of a Github Action and are still experimental, but very interesting. It allows to sign a docker image via making use of the OpenID Connect standard. OpenID Connect can be summarized as follows: If you login into Github, Github will create a number of tokens. These tokens are then associated with your Github Action and with these tokens you can sign any artifact.
https://shibumi.dev/posts/first-look-into-cosign/
shibumi.dev
Keyless signatures for blobs with cosign
First look into cosign and rekor for signing and verifying binaries
What are ephemeral certificates?
This article is a short followup to my last article about cosign. I received many questions for my last article. The most common one was: “But wait! If the certificates are only valid for 30 minutes, how are my users supposed to validate my artifacts?” This is very common misconception and to be honest: I ran into the same trap at first. The terms “ephemeral” or “short-lived” do not refer to the signature validation.
https://shibumi.dev/posts/what-are-ephemeral-certificates/
This article is a short followup to my last article about cosign. I received many questions for my last article. The most common one was: “But wait! If the certificates are only valid for 30 minutes, how are my users supposed to validate my artifacts?” This is very common misconception and to be honest: I ran into the same trap at first. The terms “ephemeral” or “short-lived” do not refer to the signature validation.
https://shibumi.dev/posts/what-are-ephemeral-certificates/
Keyless signatures with Github Actions
As Arch Linux package maintainer I heavily rely on a secure upstream and a secure source code distribution process. I have spent days or maybe even weeks discussing with maintainers why I rely on a secure upstream and how important signatures on tags, commits or source tarballs are. Many maintainers have started signing their source tarballs after such a discussion, others mentioned problems with their PGP keys and a minority saw signing their source tarballs as waste of time.
https://shibumi.dev/posts/keyless-signatures-with-github-actions/
As Arch Linux package maintainer I heavily rely on a secure upstream and a secure source code distribution process. I have spent days or maybe even weeks discussing with maintainers why I rely on a secure upstream and how important signatures on tags, commits or source tarballs are. Many maintainers have started signing their source tarballs after such a discussion, others mentioned problems with their PGP keys and a minority saw signing their source tarballs as waste of time.
https://shibumi.dev/posts/keyless-signatures-with-github-actions/
shibumi.dev
Keyless signatures with Github Actions
Keyless signatures with Github Actions and GoReleaser
Hetzner Pulumi Intro
The full configuration for this article can be visited here: https://github.com/shibumi/infra/tree/pulumi-migration This weekend I had finally some time to have a longer glimpse on Hetzner and Pulumi. Pulumi sparked my interest for a pretty long time now after reading Engin’s blog post about pulumi and Microsoft Azure. I tried Pulumi earlier, but I gave up pretty fast, because it had no Netlify support. The missing Netlify support did not change, but I did not want to invest time in my Terraform configuration, hence I decided to have a look on Pulumi instead.
https://shibumi.dev/posts/hetzner-pulumi-intro/
The full configuration for this article can be visited here: https://github.com/shibumi/infra/tree/pulumi-migration This weekend I had finally some time to have a longer glimpse on Hetzner and Pulumi. Pulumi sparked my interest for a pretty long time now after reading Engin’s blog post about pulumi and Microsoft Azure. I tried Pulumi earlier, but I gave up pretty fast, because it had no Netlify support. The missing Netlify support did not change, but I did not want to invest time in my Terraform configuration, hence I decided to have a look on Pulumi instead.
https://shibumi.dev/posts/hetzner-pulumi-intro/
GitHub
GitHub - shibumi/infra at pulumi-migration
My personal infrastructure managed by terraform. Contribute to shibumi/infra development by creating an account on GitHub.
libxml2>=2.9.12-6 update may require manual intervention
The libxml2 package prior to version 2.9.12-6 was missing the compiled python modules. This has been fixed in 2.9.12-6, so the upgrade may need to overwrite any untracked pyc files created. If you get errors like these
when updating, use
to perform the upgrade.
https://archlinux.org/news/libxml22912-6-update-may-require-manual-intervention/
#news
The libxml2 package prior to version 2.9.12-6 was missing the compiled python modules. This has been fixed in 2.9.12-6, so the upgrade may need to overwrite any untracked pyc files created. If you get errors like these
libxml2: /usr/lib/python3.10/site-packages/__pycache__/drv_libxml2.cpython-310.opt-1.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/drv_libxml2.cpython-310.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/libxml2.cpython-310.opt-1.pyc exists in filesystem
libxml2: /usr/lib/python3.10/site-packages/__pycache__/libxml2.cpython-310.pyc exists in filesystem
when updating, use
pacman -Syu --overwrite /usr/lib/python3.10/site-packages/__pycache__/\*
to perform the upgrade.
https://archlinux.org/news/libxml22912-6-update-may-require-manual-intervention/
#news
Reproducible Builds: Debian and the case of the missing version string
If you’ve been following my twitter recently you probably noticed there’s now a rebuilderd based Debian rebuilder run by the Purdue Trustworthy Software Ecosystems Lab. The rebuilder backend - the code that’s actually re-creating the build environment and running the build - is debrebuild.py, written by Frédéric Pierret from the QubesOS project. The setup as a whole automatically monitors packages in Debian unstable, then downloads the source code, build-dependencies and attempts to compile a bit-for-bit identical binary package. If this succeeds, the package is marked as “reproducible”. (https://vulns.xyz/img/6gswC1Pux2Dr.png)The
https://vulns.xyz/2022/01/debian-missing-version-string/
If you’ve been following my twitter recently you probably noticed there’s now a rebuilderd based Debian rebuilder run by the Purdue Trustworthy Software Ecosystems Lab. The rebuilder backend - the code that’s actually re-creating the build environment and running the build - is debrebuild.py, written by Frédéric Pierret from the QubesOS project. The setup as a whole automatically monitors packages in Debian unstable, then downloads the source code, build-dependencies and attempts to compile a bit-for-bit identical binary package. If this succeeds, the package is marked as “reproducible”. (https://vulns.xyz/img/6gswC1Pux2Dr.png)The
62.89% reproducible number is currently significantly lower than the 94.6% …https://vulns.xyz/2022/01/debian-missing-version-string/
Twitter
kpcyrd@chaos.social 🏴 (@kpcyrd) / Twitter
Software Supply-Chain Security Specialist 🦝 Arch Linux Package Maintainer 📦 Underground for years like a subway driver 🚇 Literal Anarchist 🏴
❤1
linux-firmware 20220119.0c6a7b3-2 requires kernel >=5.3 and package splitting
The linux-firmware package 20220119.0c6a7b3-2 implements kernel firmware compression. Linux kernel from 5.3 on support loading from xz compressed firmware.
CONFIG_FW_LOADER_COMPRESS kernel option must be enabled. All official Arch Linux kernel support this for a long time. [1\]
The linux-firmware package has been split into smaller packages to further reduce required disk space. Some big firmware files of rarely used hardware have been split into separate packages.
This affects firmware for Mellanox Spectrum switches, Marvell devices, Qualcomm SoCs, Cavium LiquidIO server adapters, QLogic devices, Broadcom NetXtreme II 10Gb ethernet adapters.
Make sure to install additional firmware packages if needed. [2\]
[1\] FS#72899
[2\] FS#72559 + svn commit
https://archlinux.org/news/linux-firmware-202201190c6a7b3-2-requires-kernel-53-and-package-splitting/
#news
The linux-firmware package 20220119.0c6a7b3-2 implements kernel firmware compression. Linux kernel from 5.3 on support loading from xz compressed firmware.
CONFIG_FW_LOADER_COMPRESS kernel option must be enabled. All official Arch Linux kernel support this for a long time. [1\]
The linux-firmware package has been split into smaller packages to further reduce required disk space. Some big firmware files of rarely used hardware have been split into separate packages.
This affects firmware for Mellanox Spectrum switches, Marvell devices, Qualcomm SoCs, Cavium LiquidIO server adapters, QLogic devices, Broadcom NetXtreme II 10Gb ethernet adapters.
Make sure to install additional firmware packages if needed. [2\]
[1\] FS#72899
[2\] FS#72559 + svn commit
https://archlinux.org/news/linux-firmware-202201190c6a7b3-2-requires-kernel-53-and-package-splitting/
#news
bugs.archlinux.org
FS#72899 : [linux-firmware] compress firmware files
Flyspray, a Bug Tracking System written in PHP.
👍2
Arch, a recap
One of the things, that has kept me (increasingly) busy over the past few years is my involvement with the Linux distribution Arch Linux. While I have been using Linux for probably about 14 years it is frankly hard to pinpoint when exactly I went down the rabbit hole that this operating system/ ecosystem/ community is (relevant XKCD). However, I can elaborate on my motivation and where that got me. Read more… (6 min remaining to read)
https://sleepmap.de/2022/arch-a-recap/
#planetarch
One of the things, that has kept me (increasingly) busy over the past few years is my involvement with the Linux distribution Arch Linux. While I have been using Linux for probably about 14 years it is frankly hard to pinpoint when exactly I went down the rabbit hole that this operating system/ ecosystem/ community is (relevant XKCD). However, I can elaborate on my motivation and where that got me. Read more… (6 min remaining to read)
https://sleepmap.de/2022/arch-a-recap/
#planetarch
👍3🔥2
Debug packages and debuginfod
We are very happy to announce that debug packages are now available in Arch Linux.
Debug symbols and source listing are provided through our debuginfod instance which can be utilized by debuggers such as gdb and delve.
https://debuginfod.archlinux.org/
A couple of sponsored mirrors are providing the debug repositories while we figure out and communicate the new mirror requirements.
https://america.mirror.pkgbuild.com
https://asia.mirror.pkgbuild.com
https://europe.mirror.pkgbuild.com
Not all packages provide debug packages as enabling it for all packages is an ongoing effort.
For more information, please visit the Debuginfod wiki article, and also our newly renovated Debugging/Getting traces article.
https://archlinux.org/news/debug-packages-and-debuginfod/
#news
We are very happy to announce that debug packages are now available in Arch Linux.
Debug symbols and source listing are provided through our debuginfod instance which can be utilized by debuggers such as gdb and delve.
https://debuginfod.archlinux.org/
A couple of sponsored mirrors are providing the debug repositories while we figure out and communicate the new mirror requirements.
https://america.mirror.pkgbuild.com
https://asia.mirror.pkgbuild.com
https://europe.mirror.pkgbuild.com
Not all packages provide debug packages as enabling it for all packages is an ongoing effort.
For more information, please visit the Debuginfod wiki article, and also our newly renovated Debugging/Getting traces article.
https://archlinux.org/news/debug-packages-and-debuginfod/
#news
👍6
Arch Linux Leader Election Results
This month we held our leader election, and our current leader Levente Polyák ran unopposed. As per our election rules he is re-elected for a new term.
Congratulations to Levente Polyak on a new term!
https://archlinux.org/news/arch-linux-leader-election-results/
#news
This month we held our leader election, and our current leader Levente Polyák ran unopposed. As per our election rules he is re-elected for a new term.
Congratulations to Levente Polyak on a new term!
https://archlinux.org/news/arch-linux-leader-election-results/
#news
👍2🎉1
Keycloak 17.0.1-2 update requires manual reconfiguration
The
The configuration needs to be adjusted from the old
Prior to the upgrade, stop the keycloak service, upgrade the package and migrate the configuration before starting:
See Keycloak migration docs and Keycloak Quarkus server docs
https://archlinux.org/news/keycloak-1701-2-update-requires-manual-reconfiguration/
#news
The
keycloak package prior to version 17.0.1-2 was running with WildFly server. Since upstream officially moved to Quarkus distribution, Arch Linux follows this approach. This means some manual intervention is required for the upgrade.The configuration needs to be adjusted from the old
.xml format to the new /etc/keycloak/keycloak.conf.Prior to the upgrade, stop the keycloak service, upgrade the package and migrate the configuration before starting:
systemctl stop keycloak.service
pacman -Syu keycloak
# migrate configuration /etc/keycloak/keycloak.conf
systemctl start keycloak.service
See Keycloak migration docs and Keycloak Quarkus server docs
https://archlinux.org/news/keycloak-1701-2-update-requires-manual-reconfiguration/
#news
👍3
Streaming the Steam Deck to OBS
Valve was kind enough to send Steam Deck devkits to Arch Linux maintainers and developers which gave us an opportunity to mess around with the device. Personally I find it a bit fun to mess around with video streaming, thus one of the first things I wanted to try figure out was how I could stream the gamemode on the Steam Deck. Installing the OBS flatpak and adding it to the menu doesn’t actually work so we sadly have to be a bit more clever.
https://linderud.dev/blog/streaming-the-steam-deck-to-obs/
#planetarch
Valve was kind enough to send Steam Deck devkits to Arch Linux maintainers and developers which gave us an opportunity to mess around with the device. Personally I find it a bit fun to mess around with video streaming, thus one of the first things I wanted to try figure out was how I could stream the gamemode on the Steam Deck. Installing the OBS flatpak and adding it to the menu doesn’t actually work so we sadly have to be a bit more clever.
https://linderud.dev/blog/streaming-the-steam-deck-to-obs/
#planetarch
👏2
Go 1.18 debug/buildinfo features
Hello and welcome to another blog article. Today, I would like to discuss one feature of Go 1.18, that I am interested in. No, this will not be another article about generics. The feature I would like to write about is something that might be under the radar for most people, but it still might be useful. If you ever wrote a CLI app in Go you are very familiar with injecting information during the build process into global variables.
https://shibumi.dev/posts/go-18-feature/
#planetarch
Hello and welcome to another blog article. Today, I would like to discuss one feature of Go 1.18, that I am interested in. No, this will not be another article about generics. The feature I would like to write about is something that might be under the radar for most people, but it still might be useful. If you ever wrote a CLI app in Go you are very familiar with injecting information during the build process into global variables.
https://shibumi.dev/posts/go-18-feature/
#planetarch