Hi, this is my crazy Linux OS project. I wasn’t really prepared for this to be shared today, so documentation is a bit lacking. I’m happy to answer any questions.
If you want to try it out, just extract the tarball and run ./run (graphics mode) or ./run -s (serial mode). More information can be found in README.md alongside the image (including how to rebuild from source), which is also available in the home directories inside the image.
Has any thought been placed on the security downsides of using static linking? Since Linux doesn’t support static PIE binaries, ASLR is made ineffectual with statically-compiled applications.
musl and gcc fully support static PIE. If you have a toolchain that supports it, you just need to put -fPIE in your CFLAGS and -static-pie in your LDFLAGS.
This used to be the default actually, but I just changed it in case someone might try to build with a toolchain from musl.cc, which does not build libc.a with -fPIE so it can’t be linked into a static PIE.
Looks neat. As I understand it, your model is closer to a firmware image than a traditional Linux distro (i.e. you build a set of components you want and install them as an atomic set). I can see that being really useful for cloud / server deployments.
Are you using anything like crunchgen to get some of the benefits of dynamic linking in your programs, or do they all carry copies of the same libraries? I’d love to see a system that generated a single binary for all of the programs in the image, did dead-code elimination and link-time optimisation across the entire thing.
(Totally unrelated, but I’m oddly pleased by all of the things using NetSurf suddenly. I remember using it on RiscOS back when AltaVista was an exciting new competitor to Yahoo! and Lycos)
Thanks! Yeah, that seems like a fair comparison. The idea for that stemmed from dissatisfaction with how typical Linux distributions split up source packages into several binary packages (if they even do that at all). With this approach, you select the contents based on whatever criteria you want. Anything that doesn’t get selected doesn’t even get built. Due to the use of static linking, you don’t really have to worry about runtime dependencies. This gives you a lot of control depending on your use case. For example, on my VPS, I use something like
fs = {
-- I need development files from these libraries to rebuild the kernel
{'linux-headers', 'musl', 'ncurses', 'elftoolchain', 'libressl', 'zlib'},
-- I want the st terminfo file, but I don't need st itself
{'st', include={'^share/terminfo/'}},
{
sets.core, sets.extra,
'acme-client', 'dnssec-rr', 'make', 'nginx', 'nsd', 'pounce',
exclude={'^include/', 'lib/.*%.a$'},
},
}
On my desktop, I use fs = {exclude={}}, which builds every package, excluding nothing.
I’m not using anything like crunchgen, so everything carries a copy of everything it links to. However, due to the use of lightweight packages, most binaries are really small anyway. Only a few packages such as mpv or mupdf which link in a lot of libraries have huge binaries (and by huge I still mean < 10M).
Yes, I’m a big fan of NetSurf. It’s quite a capable browser considering their resources. Unfortunately, more and more sites require the monstrosity that is the modern web browser, so I installed firefox via pkgsrc for those.
How do you install your custom image on your VPS? I ask because most VPS providers give you a selection of OS images (built with varying levels of care) that you have to start with.
I started with a Debian image and used that to install oasis on a separate partition. Then I used a rescue image to move/expand oasis to fill the whole drive. I don’t remember the exact procedure I used, it was a few years ago.
On top of supporting providers, there’s tricks to get OS’s onto VMs of unsupporting providers. I’ll be even more impressed when I see someone get something running with an unsupported ISA. I already have an idea about how that might happen.
Not the main topic but I just discovered libtls-bearssl and it looks super cool! It’s not easy to distribute the original libtls since it doesn’t really work with OpenSSL, and using the raw OpenSSL API is pure madness.
Thanks! I’m very happy with how libtls-bearssl turned out.
It didn’t really occur to me at the time that it might be easier to distribute (my goal was just to port various libtls applications to BearSSL), but someone else recently mentioned this to me as well. It makes sense, and could be a good way to expand adoption of the libtls API where it otherwise wouldn’t be available.
Hi, this is my crazy Linux OS project. I wasn’t really prepared for this to be shared today, so documentation is a bit lacking. I’m happy to answer any questions.
I just updated the screenshot on the wiki, now featuring the oasis netsurf frontend. I also added a script to build QEMU images using builds.sr.ht. The latest one is available here: https://patchouli.sr.ht/builds.sr.ht/artifacts/~mcf/226248/1b6626238a895943/oasis-qemu.tar.xz
If you want to try it out, just extract the tarball and run
./run(graphics mode) or./run -s(serial mode). More information can be found in README.md alongside the image (including how to rebuild from source), which is also available in the home directories inside the image.Has any thought been placed on the security downsides of using static linking? Since Linux doesn’t support static PIE binaries, ASLR is made ineffectual with statically-compiled applications.
musl and gcc fully support static PIE. If you have a toolchain that supports it, you just need to put
-fPIEin your CFLAGS and-static-piein your LDFLAGS.This used to be the default actually, but I just changed it in case someone might try to build with a toolchain from musl.cc, which does not build libc.a with
-fPIEso it can’t be linked into a static PIE.Awesome! I didn’t know musl supported static PIE. I haven’t really paid much attention to musl (and if I’m being honest, Linux in general.)
I’m really a big fan of what you have done, everything fits together in such a tidy way, thanks so much!
I thought it was neat to see both your projects on the same day because they solve some similar problems in different ways. Both are really neat.
This one isn’t my project, but I agree it solves similar problems in a more idealistic way.
That was ambiguous. I meant both your as in you and the other person.
Looks neat. As I understand it, your model is closer to a firmware image than a traditional Linux distro (i.e. you build a set of components you want and install them as an atomic set). I can see that being really useful for cloud / server deployments.
Are you using anything like crunchgen to get some of the benefits of dynamic linking in your programs, or do they all carry copies of the same libraries? I’d love to see a system that generated a single binary for all of the programs in the image, did dead-code elimination and link-time optimisation across the entire thing.
(Totally unrelated, but I’m oddly pleased by all of the things using NetSurf suddenly. I remember using it on RiscOS back when AltaVista was an exciting new competitor to Yahoo! and Lycos)
Thanks! Yeah, that seems like a fair comparison. The idea for that stemmed from dissatisfaction with how typical Linux distributions split up source packages into several binary packages (if they even do that at all). With this approach, you select the contents based on whatever criteria you want. Anything that doesn’t get selected doesn’t even get built. Due to the use of static linking, you don’t really have to worry about runtime dependencies. This gives you a lot of control depending on your use case. For example, on my VPS, I use something like
On my desktop, I use
fs = {exclude={}}, which builds every package, excluding nothing.I’m not using anything like crunchgen, so everything carries a copy of everything it links to. However, due to the use of lightweight packages, most binaries are really small anyway. Only a few packages such as mpv or mupdf which link in a lot of libraries have huge binaries (and by huge I still mean < 10M).
Yes, I’m a big fan of NetSurf. It’s quite a capable browser considering their resources. Unfortunately, more and more sites require the monstrosity that is the modern web browser, so I installed firefox via pkgsrc for those.
How do you install your custom image on your VPS? I ask because most VPS providers give you a selection of OS images (built with varying levels of care) that you have to start with.
I started with a Debian image and used that to install oasis on a separate partition. Then I used a rescue image to move/expand oasis to fill the whole drive. I don’t remember the exact procedure I used, it was a few years ago.
Several providers allow you to upload an ISO, Vultr for example, AWS also allows it I think
On top of supporting providers, there’s tricks to get OS’s onto VMs of unsupporting providers. I’ll be even more impressed when I see someone get something running with an unsupported ISA. I already have an idea about how that might happen.
Velox seems to be a window manager, not a display server, unless there’s something I missed?Forgive me, I misread the description.
Not the main topic but I just discovered libtls-bearssl and it looks super cool! It’s not easy to distribute the original libtls since it doesn’t really work with OpenSSL, and using the raw OpenSSL API is pure madness.
Thanks! I’m very happy with how libtls-bearssl turned out.
It didn’t really occur to me at the time that it might be easier to distribute (my goal was just to port various libtls applications to BearSSL), but someone else recently mentioned this to me as well. It makes sense, and could be a good way to expand adoption of the libtls API where it otherwise wouldn’t be available.
I would consider this if there’s a Nix binary cache for musl-compiled packages… Does such a thing exist?
The official nixpkgs has pkgsCross.musl64 I think, not sure if everything is cached though.