1. 1

    Likely worth mentioning that https://github.com/smallstep/ exists and would be worth a peeker.

    1. 13

      Client certificates are an important piece of the way the Google corporate network is setup. Each client machine has a cert that it presents to a proxy that checks it and allows access to the rest of the network from anywhere in the world.

      https://cloud.google.com/beyondcorp/ and https://research.google/pubs/pub45728/ if you like whitepapers.

      1. 3

        Google, and many other corporate networks.. Using client certs for authentication has been around for quite some time.

        1. 1

          Good news! All it takes now is taking it from end-to-end managed environments like corporations or universities in a way that everybody can use.

          1. 1

            DoD CAC is a good example as well.

          1. 5

            Slightly off topic (especially since this spin doesn’t seem to actually have a 32 release yet), but is anyone here running Fedora Silverblue? I’m considering moving over to that, but I’ve been burned before. I’m curious for anyone that is running it, how much of an impedance do you feel it is to your everyday development?

            The last “interesting” OS I tried was NixOS, and I eventually came to the conclusion that it was getting in my way more than it was really helping me. Mostly this came down to installing dev tools. I found I wasn’t working on things that were interesting to be because it was too much of a pain to get tools installed. (Rust (latest versions), Adruino (I think having it at all?), and LuaSocket (was getting built wrong, I gave up trying to find where it wanted the -D LUA_COMPAT_APIINTCASTS compile option after 3 hours) are what come to mind.)

            If there is anyone running silverblue here, do you ever have similar kinds of issues?

            1. 3

              but is anyone here running Fedora Silverblue

              I only tried Silverblue on a spare hard disk that I have lying around. I think it is really a bit step forward and like what they are doing. I am reading the Silverblue forums semi-regularly and it seems that Fedora Toolbox (which is used to create VMs for doing development in) breaks every now and then. It seems that Silverblue is still a second-class citizen to regular Fedora. On the other hand, given the nature of Silverblue these problems are easily solved by booting into an older snapshot when such a glitch occurs for the short timeframe it takes them to fix it. Unfortunately, I do not have more data points than that. Besides that it is not possible to run Nix on the root filesystem by default, because / is immutable.

              I would monitor the Silverblue forums for a while, because it gives a good idea of what kind of problems to expect.

              Rust (latest versions)

              I know that this post not about Nix. But with the Mozilla Nix overlay, you can get the latest stable/beta/nightly: mozilla.latest.rustChannels.{stable,beta,nightly}. You can also use the overlay to get any arbitrary stable or nightly version. See the following:

              https://discourse.nixos.org/t/pin-rust-version/5812/2 https://discourse.nixos.org/t/pin-rust-version/5812/3

              I use NixOS on various machines, but I would really recommend newcomers to use Nix for a while on a familiar distribution. NixOS is so much more fun if you have climbed part of the Nix learning curve (know the Nix language, know your way around nixpkgs). That way you can always revert back to what you know if trying to do it the Nix way takes too much time.

              Sorry for the digression ;).

              1. 3

                I have been running Silverblue on my desktop and my laptop since late January. I enjoy it.

                I resisted the docker fad for a long time for many reasons, but mainly because I thought the implementation of docker was unfortunate, and the ways people used it was cumbersome and error-prone. Podman solves the former, and Toolbox solves the latter.

                There are a few rough edges. Toolbox switching isn’t as nice as it could be (there could be Terminal integrations that would make this nicer), toolbox shits a lot of things in your environment (at least one of these conflicts with Ruby on Rails, so I have to unset VERSION to be able to run migrations), and a few other tiny things.

                The documentation is still sparse.

                Overall, I’m very happy with it and will continue to use it. This is the first time I’ve used anything other than Debian since before the bo release.

                1. 3

                  but is anyone here running Fedora Silverblue?

                  I’d jumped around a couple distros for various reasons (temporal recounting over the last ten years):

                  • Fedora: wanted to follow along with RH (my early days of Linux)
                  • Arch: wanted to be able to consume as “pure” a systemd stack as I could to get a good feel for things
                  • Debian: wanted to converge my workstations (testing) and servers (stable+backports)
                  • Fedora: wanted to really start adopting podman+toolbox

                  I jumped back into Fedora, via silverblue, with F31 and I’ve been using F31 and F32 interchangeably as necessary (when a package in F32 wasn’t working well I could always just use my pinned F31 instance).

                  With Arch and Debian I was effectively rolling my workstation, which is a comfort as if you’re using newer hardware you want new kernels and often you want to get your hands on something without having to consider packaging yourself. Silverblue basically marries up the principles of a released system with the principles of rolling in a way that I find to be completely and utterly acceptable for my use cases. I am able to effectively “ride” the releases of Fedora without having to do a precarious upgrade or reinstall.

                  I’ll say, I am likely layering many more packages in than what you’d see people typically recommend.

                  [agd@enoch ~]$ rpm-ostree status
                  State: idle
                  AutomaticUpdates: disabled
                  Deployments:
                  ● ostree://fedora:fedora/32/x86_64/silverblue
                                     Version: 32.20200428.0 (2020-04-28T01:00:38Z)
                                  BaseCommit: 3304e379ff5090a15816af207dbcc82f0db0cd4883216ede8f4957a499e30df8
                                GPGSignature: Valid signature by 97A1AE57C3A2372CCA3A4ABA6C13026D12C944D0
                             LayeredPackages: baobab beets beets-plugins boxes cheese chromium darktable eog evince evolution ffmpeg file-roller firewall-config gimp git-lfs gmpc gnome-boxes gnome-builder gnome-calculator gnome-firmware gnome-screenshot
                                              gnome-shell-extension-gpaste gnome-shell-extension-pomodoro gnome-sound-recorder gnome-tweaks htop hugo ipmitool keepassxc libreoffice make mpd mpdscribble nautilus-image-converter numix-icon-theme-circle
                                              numix-icon-theme-square oathtool opensc openssl p7zip p7zip-gui p7zip-plugins pass peek rawtherapee seahorse seahorse-nautilus simple-scan sshuttle system-config-printer vim vlc youtube-dl
                               LocalPackages: sublime-text-3210-1.x86_64 code-1.43.2-1585036535.el7.x86_64 rpmfusion-free-release-32-0.3.noarch rpmfusion-nonfree-release-32-0.4.noarch sublime-merge-1119-1.x86_64
                  

                  I’m of the mindset that I choose to run a distribution because I trust the packaging guidelines and the packagers of the software. This means that I’m quite preferential to using the fedora packages. I’ve been using flatpak where necessary but I am only consuming packages that are either:

                  • packaged by upstream in a way that I think is better than the equivalent package in Fedora
                  • doesn’t exist in fedora in a reasonable way (e.g. mumble)

                  I am only a little bit struggling in the sense that Fedora IoT is the “headless” version of Silverblue (if you want to think that way) and it’s difficult to get kernel modules (e.g. ZFS) into. I’d love to be able to install Fedora on my servers and have ZFS available, but be able to “ride the releases” by pulling composes rather than reinstalling.

                  The last “interesting” OS I tried was NixOS, and I eventually came to the conclusion that it was getting in my way more than it was really helping me.

                  I dipped my toes into Nix right before going to silverblue and had the same sentiment.

                1. 2

                  silverblue has been a really interesting ride for someone looking for a home between conventional linux installs and nix. The benefits of the mature Fedora+rpmfusion repositories with ostree have made me feel like I’ve finally found a combination of stable/rolling that matches up to the lifestyle I want to have with my tooling.

                  1. 1

                    Tell us more… are you using Silverblue in combination with nix?

                    1. 1

                      No, I was examining nix, the issue for me was the “trust” in the packaging (nix packages are largely what I’d say are “hobbyist” right now, there is not as much rigor in the packaging pipeline as say {debian, fedora}, specifically a lot of them are lagging behind upstream). So silverblue is a weird mix of being able to “compose” your system, but utilize existing packaging ecosystems (fedora).

                      1. 1

                        I wondered about that too, but I think they are referring to shared capabilities (immutable /, atomic updates/rollbacks). As far as I know, it’s not yet possible to create top-level directories on Silverblue such as Nix needs (unless you use a wrapper that uses user namespaces).

                        That said, it’s of course possible to create a container with Fedora Toolbox and run Nix in that.

                        I am a Nix(OS) user. But I also find Silverblue very interesting. For people who do not want to go over the steep learning curve of Nix, it offers some of the same benefits, while the whole Fedora experience is very smooth.

                    1. 1

                      Hijacking… anyone know of a multifuction device that can do feed scanning as well?

                      1. 3

                        Reminding me it’s free isn’t really a way to be endearing during a decomposition of an incident like this. Having run synapse from early on until recently I can attest that the “bad” practices, albeit being addressed over time, show up in more than just devops for the project.

                        It is altruistic, it is a project with good goals. However it’s viewed by many as being a panacea where people are not registering issues and pr(s) against the project. It needs a lot of love still before folks will be running homeservers for the families and friends that don’t become maintenance nightmares.

                        1. 13

                          hi storrgie - fwiw, from my perspective, our failure to handle your GH issues is certainly one of the biggest screwups over the last few years on synapse. your main one (https://github.com/matrix-org/synapse/issues/2419) has been been brought up time and time again; if you recall, I fixed it myself in https://github.com/matrix-org/synapse/pull/2421, only for it to get derailed by overzealous review). I then eventually fixed it again in https://github.com/matrix-org/synapse/pull/5083 a few weeks ago… which has this time been finished off properly and was merged 6 hours ago. For what it’s worth, I can’t think of any other bug in Synapse (or Matrix) which has had such a bumpy ride, but it’s finally been put to bed. It is excruciatingly embarrassing that it took so long, and doubly so that it sounds like it came too late for your use case.

                          In terms of adminability of Synapse - the thing is still not at 1.0, thanks to being t-boned by things like the security incident in the original post here. Yes, there are still some major admin challenges (lack of richness to the admin API; lack of admin GUI; memory usage and room fragmentation being the main ones), but we are still plugging away to fix them. Then, I’m hoping better servers will emerge.

                          In terms of reminding people that the matrix.org server is a best-effort free service: the intention was more to justify why we invested our ops time in building out the paid services (to try to keep the project funded) rather than trying to be endearing or to say ‘you get what you pay for’. sorry if it jarred.

                          Hopefully Matrix will eventually be something you’ll consider running again once we finally escape beta for Synapse.

                          1. 3

                            I can attest that the “bad” practices, (…) show up in more than just devops for the project.

                            This piqued my interest. Could you expand on what other areas of the project have “bad” practices?

                            1. 0

                              Until synapse is replaced with something written in a sane language that isn’t single threaded / has the dreaded GIL, it will not go anywhere.

                              Also their database schema sucks too.

                            1. 5

                              My last attempt at Matrix a year or two ago end up with me giving up try to host a simple homeserver with a few bridge to IRC and Slack. The conclusion was that a 5$ VPS wasn’t enough to share short text message with the internet. Was there good progress on this side? In any case the new client release look pretty good!

                              1. 3

                                I did the same thing, but with far more system resources and felt it was too much of a nightmare to keep running. A couple things that really made me sad was:

                                • inclusion of they own init/process management which was deprecated early on but still sometimes used
                                • publicRooms endpoint is rough because the primary client (riot) makes operators feel like they need to list rooms in the homserver directory for their users on that homeserver to discover…. well those rooms are discoverable via publicRooms enpoint… take a peek here for discussion
                                • there was an issue that we patched related to enumerating devices where the query could run forever, this literally could kill the homeserver when someone tried to enumerate/verify someone elses devices.

                                We ran a patched version of synapse for a while where we neutered the endpoints that scared us and limited some of the queries. Ultimately it just became a frustration to deal with so we’ve opted to move to XMPP. The clients are far worse on the XMPP side of things, but the governance has been around longer so the community is far more “healthy”.

                                I’m now waiting for a few things before thinking of coming back:

                                • specification to be workflowed past an initial release (the XMPP community certainly knows how to workflow their spec, but the matrix community has been almost entirely a mess on that front)
                                • implementation of a homeserver by someone who is not a part of the primary matrix team
                                  • it would demonstrate that the specification is digestible
                                  • there are things like identity services and STUN that should be rolled into the homeserver (not be separate code-bases requiring separate sysadmin maintenance)
                                  • synapse was a nightmare mess, the project hailing “success” as a transition from python2 to python3 is laughable… you don’t get to claim you’re doing amazing things when you’ve deliberately taken on tech debt*

                                *I think Gitlab is doing something similar lately: claiming they are brave to have started with ruby and survived (which I think that they have not survived, they are in the process of attempting to survive… which is ongoing)

                                1. 1

                                  I just downgraded my homeserver from a 2GB VPS to a 1GB one and it still works fine :)

                                  The big issue with synapse was this, occasionally I had to ssh into the server and run a postgres query to clean up. Haven’t had to do that in a few months.

                                1. 8

                                  I don’t necessarily disagree with your reasoning, but really almost all of the reasons apply specifically to Huawei phones. The experience varies a lot from vendor to vendor, which you could argue is part of the problem with the Android ecosystem–though I would argue the lack of independent vendors is a problem with the Apple ecosystem at the same time.

                                  Personally, I’m a fan of Sony Xperia compact phones. It’s a very vanilla Android experience with solid QA over the Google Pixel phones (updates come a few months later, but way less buggy–worth it for me).

                                  If you’re really committed to untethering from tech giants’ hold, then something like LineageOS is the way to go but it’s certainly more involved and you certainly sacrifice a lot for the privilege–as expected.

                                  1. 1

                                    Just as a data point for the Sony side of things. When we first rolled out our matrix home-server we were being pretty aggressive with the reverse proxy that was handling TLS and it turned out that of 30-50 devices that needed to hit the home-server only two Sony phones were unable to (due to the version of whatever android library provides tls internally not being updated). After many many months this was addressed, but it was surprising how far behind they were (I think we had to do tls 1.1 for these devices).

                                    edit: https://github.com/vector-im/riot-android/issues/963

                                  1. 7

                                    Is the opportunity for IBM to go deep on RISC and starting to disrupt Intel in the server space?

                                    1. 8

                                      They’ve been deep on RISC via POWER. Didnt work out disrupting Intel either on low or high ends. They’re trying again with OpenPOWER. Raptor already deployed workstations and servers for it. We’ll see what happens.

                                    1. 2

                                      This didn’t heat up my hands enough…

                                      1. 3

                                        This looks interesting. Of course it’s a shame it’s based on Intel, but:

                                        • PCI-e
                                        • SATA
                                        • 2 x gigabit ethernet
                                        • x86
                                        • VT-x + VT-d
                                        • 32 GB ram
                                        • 4 okay-ish cores

                                        At first glance this looks like the first SBC that actually will be usable for stuff like routers, virtualization host/hypervisor (in a cluster for example) or a simple linux desktop stuck to the back of a monitor. Price will be important though, since you also need to get memory while a lot of other SBC’s have memory on the PCB.

                                        1. 8

                                          The fact that its based on Intel is, imho, a good thing .. I’ve got a drawer full of SBC’s that started out with lots of promise - ultimate power, great battery life, etc - but are sitting there unused because the vendors failed to keep the kernel promises.

                                          That’ll be less likely to happen with an Intel-based SBC, imho.

                                          1. 4

                                            Most ARM SoCs are decently supported by mainline operating systems. Which boards do you have and what would you like to use them for?

                                            1. 2

                                              Which ARM SoCs do you have that are supported on mainline? I’ve had nothing but all kinds of issues with ARM. I tried using an overpriced SolidRun as a router and ran into nothing but issues and terrible support.

                                              I wrote another post on seeing these issues in Android devices. ARM is not a platform. It’s just random shit soldered to random pins. At least Microsoft phones had ARM + UEFI. I mean we have device tress, but they’re usually broken to hell too and most phone vendors don’t use them.

                                              Is the particular device in this post a 3rd party x86 clone? Is it free of Management Engine or other 3rd party controllers? I realize all x86 stuff has non-free binary blobs everywhere, where as you can get a lot of totally free ARM chips/boards, but long term support is often an issue. With x86+UEFI or even classic BIOS, you can run mainline Linux on them for years to come. There are even forks of Linux for older unsupported 386 chips if you really want to buy a ton of old 386 stock and use them in embedded applications. ARM is a clusterfuck by comparison.

                                              1. 3

                                                Rockchip RK3399/RK3328, Allwinner H3/H5/A64, Nvidia Tegra X1, the Broadcom junk that’s in the RPi…

                                                I run FreeBSD (actually I worked on RK3399 support), so there’s no non-mainline :) but for Linux, Rockchip is actually mainlining their official drivers, and for Allwinner it’s the community.

                                                Of course the cheap embedded boards aren’t as good as the high end server stuff (ThunderX/2/Centriq/eMAG/…), but there is a lot of support.

                                                1. 2

                                                  OLIMEX has some interesting hardware and according to SUNXI Buying guide “Currently, Olimex is the only company creating Allwinner based OSHW, and Olimex actively contributes to the sunxi project.”.

                                                  For some cheaper but less open options(I use an orange pi zero as a home media server/nas/cups/whatever) armbian provides quite decent support.

                                                2. 2

                                                  I bought the original PINE64 and found the is support to be pretty terrible, even today it feels like it’s all been hacked together by guests in China rather than the manufacturer doing much about it.

                                                  1. 1

                                                    It’s very well supported in FreeBSD.

                                                    For Linux, just don’t go to the vendor, ever. Check Arch Linux ARM and Armbian. (Apparently Ethernet support was merged into mainline as late as 4.15, but it’s there now)

                                                3. 4

                                                  I think the parent was implying AMD would have less microcode updates and more trustworthiness due to better QA than Intel. Likely inspired by Meltdown/Spectre vulnerabilities. Also, AMD has been in the low-power, SoC game for some time. I don’t know if you’ll get lots of problems out of them that you wouldn’t out of Intel. It would surprise me a bit. I remember Soekris was using AMD Geodes.

                                                  Oh shit:

                                                  “Due to declining sales, limited resources available to design new products, and increased competition from Asia, Soekris Engineering, Inc. has suspended operations in the USA as of today.”

                                                  Glanced at their page to see product updates. Got sadder news than I was looking for.

                                                  1. 5

                                                    I don’t know much about the Soekris boards, but pcengines.ch sells surprisingly affordable AMD Jaguar-based boards for embedded and network applications. I’m using one for my OPNSense firewall and have been perfectly happy with it.

                                                    1. 1

                                                      Thanks for the tip!

                                                      1. 3

                                                        From corebooting my ALIX2C3 I recalll the geode microcode has another issue in that it’s reliant on legacy tooling to build so you are encouraged to just use the blob (tooling is either DOS based or related to visual studio, can’t recall).

                                                  2. 2

                                                    If I remember properly HardKernel had everything for their C2 platform mainlined so you could use modern kernels without having to use a vendor specific one.

                                                  3. 2

                                                    it’s a shame it’s based on Intel […] Price will be important though

                                                    I too immediately thought “why not Ryzen?” but, price is actually the reason they went with Intel, according to the blog post that’s linked here. Excerpt:

                                                    2017 December, We considered AMD Ryzen 5 2500U 3.5Ghz mobile processor. The performance was very impressive, but the price of the CPU was also very impressive. Fortunately, Intel also announced the Gemini Lake processors. It was slower than Ryzen but much faster than Intel Apollo Lake, and the price was reasonable.

                                                    Looks like the board will be considerably cheaper due to the Intel chip.

                                                  1. 5

                                                    For one I welcome a cost effective x86 platform with dual NICs. Hoping that lots of people get these and run pf/open{sense} and vyos on them.

                                                    1. 1

                                                      The APU2/3?