Date: Mon, 9 Jul 2018 17:23:37 +0300
From: gremlin@...mlin.ru
To: owl-users@...ts.openwall.com
Subject: Re: Owl update

On 2018-07-07 13:57:30 +0200, Solar Designer wrote:

 >> Well, maybe I'm crazy, but isn't there any chance to fork
 >> OpenVZ to get simfs back? I strongly believe there are
 >> thousands (if not millions) of people who would appreciate
 >> this. I think this can even attract more developers to Owl.
 > Yes. Actually, simfs without quotas just works (albeit again
 > we'd need to untie everything from prl* userspace components).

IIUC, that applies to the 3.10 (vz7) kernel. In the 4.15 (will-be-vz8)
kernel I was unable to find any mention of it.

 > Re-adding first-level quotas for containers (as ext4 "project
 > quotas") looks realistic. Re-adding second-level quotas (for
 > users inside containers) looks too complicated, so no more
 > shared hosting inside containers.

I can't say for sure for all administrators, but the most common
OpenVZ applications never use the second-level quotas.

Also, shared hosting is moving to VPSes, and the main (or at
least the most annoying) limitation is the IPv4 address shortage.
That means cheap VPSes share one common IPv4 address, with
well-known ports being proxied - for example, with nginx for HTTP
and HTTPS.

 >> 1) fork of RHEL has no sense at all, this monster must be buried,
 >> not forked (and it applies to CentOS, too);
 > OK, that's your opinion. To me, it's unclear where to draw the
 > line. Why bury RHEL, etc. and not bury Linux (kernel), which is
 > also a monster in many ways. When we chose to go with Linux for
 > Owl, we accepted some monstrosity [...] for a variety of reasons,
 > including meeting demand for Linux.

I also don't like the modern RHEL, but I realize it's the de facto
standard for industrial GNU/Linux systems. Obviously enough, the
main reason is "others are even worse" (or just exotic), so when
professional administrators talk about "Linux servers" they (with a
probability over 90%) mean ughm... well, CentOS :-)

 > Maybe the same applies to a RHEL fork (or rather, a fork of RHEL
 > core only),

Yes, that could be even wiser, as we'd retain good compatibility
while still going our own way - for example, there's a strong demand
for "CentOS without systemd and other crap".

 > which could enable us to reuse the security enhancements we've
 > developed and make them reasonably available to more people.

It seems you didn't notice, but we have some usability enhancements
as well: a minimalistic system allows an easy (re)?build of any package
to suit the administrators' needs. Especially when the system has
VPS support out-of-the-box: then a clean rebuild looks as simple as
"vzctl create && vzctl start && rsync && vzctl exec rpmbuild &&
rsync && vzctl stop && vzctl destroy" :-)

 > I also find RHEL clones (CentOS, Scientific Linux) useful for
 > projects such as our HPC Village.

I've created several hosting services for different providers, and
the most popular system (as requested by their customers) is CentOS,
which was requested in 2/3 of cases. The second (by popularity) system
was Ubuntu, with a share of 1/5 or slightly less. The third was...
Windows (available only on the more expensive VDSes), with 1/8; other
systems had less than 1% in total.

 >> 2) fork of Alpine makes more sense, but for me (personally)
 >> it will be useless; if I choose Owl for my servers, it is NOT
 >> for the absence of suid binaries nor for the use of tcb, but only
 >> for its minimalism and strong unix tradition compliance
 > It sounds like there are already distros suitable for you -
 > as you say, Alpine and Slackware. Lucky you.

Unlike croco, I can't simply take some other distribution :-/

 >> 3) discontinuation of the project would not make me glad, but,
 >> honestly speaking, if you prefer to turn it into a fork of some
 >> bloatware out there, this makes not much of a difference for me;
 >> so, I would vote for revitalization of the project as it is the
 >> only option that keeps Owl useful for me.
 > Why focus on keeping Owl useful for you when you readily have
 > other distros you could happily use instead?

That's why we should make Owl useful for me :-)

And other administrators, of course. Well, I'm a bit of a non-typical
administrator, but I deal with other administrators, whether they
are my colleagues, customers, partners or even competitors - and,
therefore, have some idea of what they really need.

 >> Well, I'm still sure you continue to ignore the thing which I
 >> personally consider to be the main feature of Owl: its minimalism
 >> (and conservatism as a kind of consequence). For me, it is more
 >> important that Owl uses LILO

2 croco: it's really time to move to syslinux (start with extlinux).

 >> and sysVinit than that it is a bit harder to break in if
 >> compared with other distros.

I'd agree: SysVinit is much more fool-proof.

 > Continuing with Owl for its minimalism when there's already
 > comparably (or more) minimalist Alpine may be unreasonable.
 > Would we be doing it out of habit, NIH, PR?

Besides its minimalism, Owl can (and, after some effort is applied,
does) provide a full-featured system.

Alpine... well, show me how it would perform PostgreSQL replication
over RDMA through Infiniband :-)

 >> Actually, the whole Linux world seems for me to be going wrong
 >> way now, I even started to think about switching to FreeBSD;
 > Same here.

Here I'd heavily disagree: FreeBSD is not just useless for
production use, but simply dead.

 > If we can't easily have secure containers on a minimalistic
 > Linux distro anymore/yet (ironically, in part due to effort
 > of upstreaming containers, which has resulted in lots of
 > things but not what we had with OpenVZ), we can as well switch
 > to FreeBSD jails and bhyve.

Who would use it? Or, more exactly, who would pay for such service?
Users want Linux-based systems...

 >> as of today, Owl is the only Linux distro I know which is not
 >> on that way to hell, and that's why I do use it.
 > Is Alpine "on that way to hell"?

That blind alley is unlikely a hell... :-)


-- 
Alexey V. Vissarionov aka Gremlin from Kremlin
GPG: 8832FE9FA791F7968AC96E4E909DAC45EF3B1FA8