qyliss changed the topic of #spectrum to: A compartmentalized operating system | https://spectrum-os.org/ | Logs: https://logs.spectrum-os.org/spectrum/
cole-h has quit [Ping timeout: 265 seconds]
airgap has quit [Quit: %]
PeterEaston is now known as TheJollyRoger
<JJJollyjim1> :o
<JJJollyjim1> is the connection between machines just PCIe or do they encapsulate it over a network or something?
v0idifyy has joined #spectrum
v0idify has quit [Ping timeout: 240 seconds]
<pie_> idk there was some mention of infiniband on that wikipage, i think, or im mixing stuff up
cole-h has joined #spectrum
<pie_> "Why does Qubes use Xen instead of KVM or some other hypervisor?
<pie_> In short: we believe the Xen architecture allows for the creation of more secure systems (i.e. with a much smaller TCB, which translates to a smaller attack surface). We discuss this in much greater depth in our Architecture Specification document."
<pie_> hm
<qyliss> puck: implementing what exactly?
<qyliss> ncm[m]: thank you :)
<puck> qyliss: passthrough a GPU to a VM, then have that VM export multiple virtual GPUs
<qyliss> oh wow
<qyliss> puck: there's been some conversation on virtio-devel or qemu-devel or both that would be relevant to you if you decided to do that
<qyliss> one of the big problems is that sharing memory is hard if it doesn't come from the host
<puck> there's some stuff that is kinda the inverse of what i'm looking for, e.g. vhost-net, i might give this a try
<qyliss> vhost-user-gpu would definitely be feasible, but I think you'd have a hard time moving that into a VM
<qyliss> don't let me dissuade you from trying though!
<puck> ah, vhost-user-gpu isn't what i'm looking for, the issue is that virtio-gpu is paravirtualized, and i do need a full GPU passthrough
<qyliss> to the VM that does the exporting?
<puck> what i want is effectively, i guess it'd be .. vhost-pci?
<qyliss> are you looking for virtio-vhost-user perhaps?
<puck> i wish all this was better documented :(
<puck> the vhost stuff seems to mostly exist because of DPDK/networking reasons
<qyliss> I know quite a lot about the state of play in this area fwiw
<qyliss> vhost-pci never really went anywhere. Its successor is virtio-vhost-user.
<qyliss> which seems to be going somewhere very slowly
<qyliss> puck: do you mean vhost-user?
<qyliss> vhost is kernelspace virtio
<puck> ah. so what i effectively want is; i have a VM that has a virtual PCI device, and i want to have it show up to another VM as a PCI device
<qyliss> does the code for emulating that virtual device run in the first VM?
<puck> yeah
<qyliss> then you want virtio-vhost-user
<puck> virtio-vhost-user and all of this, afaict, only allows you to export virtio style things
<qyliss> it's designed for e.g. running SPDK in a VM and attaching the virtual device to other VMs
<qyliss> correct
<qyliss> I don't think a more generic mechanism is really on the cards in the ecosystem at the moment
<qyliss> but you'd be exporting a virtual GPU anyway, right? Why wouldn't that be virtio-gpu?
<puck> the primary issue is that that loses the special features that a GPU may have, which i do need
<puck> and it wouldn't work with other uses of the mdev infrastructure (which i'm not sure exist)
<qyliss> what is mdev here?
<qyliss> I assume you don't mean the busybox thing
<puck> vfio mediated devices
andi- has quit [Ping timeout: 246 seconds]
<qyliss> yeah I guess you'd need to do some virtio-gpu extensions or something for special features
<puck> yeah, the only in-tree uses of mdev are i915 and .. a s390 cryptocoprocessor
<lejonet> puck: if I've understood you correctly, basically you want to have the ability to passthrough the real GPU, and not have it masked behind like the QXL driver, because you want to be able to utilize specific parts of the hardware, for example CUDA or other hardware-acceleration parts of the real GPU?
<puck> lejonet: yeah
<lejonet> puck: That would be amazing to be able to do, but yeah, its a tricky thing to do
<puck> i think i have a decent enough sense of how to do this, thankfully
<lejonet> puck: if you manage to do it, do share it, I'd certainly be interested in it
<qyliss> how would you handle shared memory?
<Lestat[m]> mind if i ask
<Lestat[m]> What kind of hardening are yall planning to do for the base os
<qyliss> the main thing is I'd like to have as little as possible in there
<puck> qyliss: probably actually modifying the vfio driver itself or making s
<qyliss> a custom kernel with lots of stuff completely disabled (all of networking, for example)
<puck> qyliss: some assumptions* e.g. certain mmaps will come from the passed-through PCI device, so i can assume that the guest kernel won't mind that
andi- has joined #spectrum
<Lestat[m]> Dunno if it helps but yall can take a look at the patches ive done for my custom kernel
<qyliss> oh damn that link doesn't work any more
<puck> 404, but found a patch containing it
<Lestat[m]> <qyliss "the main thing is I'd like to ha"> Then u should also use something like musl and openrc or runit instead of the systemd and glibc
<puck> qyliss: interesting, i might be able to use this
<Lestat[m]> Cuz both systemd and glibc are much more bloaty
<Lestat[m]> dracut would also be quite minimalistic
<qyliss> Lestat[m]: I would like to use s6-rc if possible
<qyliss> and I would expect to use musl for the base system, yeah
<qyliss> puck: do you have a link or message-id for vfio-over-socket?
<qyliss> puck: fwiw as of jul last year:
<puck> that's the ..newest version, i think?
<Lestat[m]> Anyways yall can take a look at the patches i linked for some security implementations. We are currently working on kanging all of the pax patches from the last grsecurity leak
<qyliss> > It doesn't have a virtio-vhost-user equivalent yet, but the same approach could be applied to VFIO-over-socket too.
<Lestat[m]> I dont think thats a full init system?
<qyliss> Lestat[m]: it can be
<Lestat[m]> <qyliss "Lestat: it can be"> Interesting
<qyliss> alpine is considering a switch
<qyliss> puck: ahhh so it got renamed
<qyliss> wow no replies
<qyliss> sad
<puck> my design plan is probably to allow a guest to export an mdev to the host kernel, and then just mount it as usual
<qyliss> puck: later version of that series is here btw: https://lore.kernel.org/qemu-devel/20201130161229.23164-1-thanos.makatos@nutanix.com/
<puck> aha
<qyliss> (I just searched on p-i for f:thanos.makatos@nutanix.com to see what had happened since)
<qyliss> puck: the reason for the @localhost message-ids btw is that python3 -c 'import socket; print(socket.gethostbyaddr(socket.gethostname()))' doesn't include the hostname on NixOS for some reason
<leah2> no fqdn for localhost in /etc/hosts?
<qyliss> leah2: the FQDN is set as 127.0.0.2
<puck> hrm
<qyliss> there's justification for that that I don't really understand here: https://github.com/NixOS/nixpkgs/pull/76542
<puck> i think ::1 has both localhost and the hostname
<puck> my output is ('localhost', [], ['::1'])
<qyliss> yeah mine too
<Lestat[m]> So are yall gonna add kernel hardening or just a rly rly slim kernel?
<puck> so i assume it's just "localhost is above the other hostname"
<qyliss> it should have the hostname or fqdn or something in the second element
<Lestat[m]> Cuz if its just a slim kernel yall could start with tinyconfig and add whatever u need
<qyliss> puck: socket.getfqdn() in python tries to take the first element of that array in the middle (the "aliases" array), but we don't have anything in it
<puck> qyliss: hrm, interesting. `getent hosts 127.0.0.1` returns only the first entry
<qyliss> leah2: assuming you have a Void system? What does the above Python command print for you?
<puck> qyliss: if i modify the hosts file and add a second name to the list, it works .. fine
<qyliss> I think I'm just going to open a Nixpkgs issue for this because I don't really know what the right thing to do here is
<puck> qyliss: so, i think in the /etc/hosts file, the first entry is what gets returned
<leah2> ('rhea.home.vuxu.org', ['localhost.localdomain', 'localhost', 'ip6-localhost', 'rhea'], ['::1'])
<puck> if i have `::1 localhost marisa` it shows up as ('localhost', ['marisa'], ['::1']) properly
<qyliss> leah2: yeah that looks better
<leah2> 127.0.0.1 rhea.home.vuxu.org localhost.localdomain localhost4.localdomain localhost rhea
<leah2> ::1 rhea.home.vuxu.org localhost.localdomain localhost ip6-localhost rhea
<qyliss> I have three separate lines for 127.0.0.1
cole-h has quit [Ping timeout: 268 seconds]
<puck> yeah, that's what breaks it i think
<leah2> that doesnt work yeah, it only takes the first
<qyliss> okay, that doesn't seem too bad to fix
<leah2> hm ok
<leah2> i didnt notice any issues
<leah2> i think hostname -f takes the first one with .
<qyliss> "Debian does the same"
<qyliss> I think I'll get a Debian VM going and see how that works
<leah2> % hostname -f
<leah2> localhost
<leah2> lol
<qyliss> ahh that's not right then
<qyliss> we've put a lot of effort into getting it to not do that
<leah2> (doesnt have any fqdn in /etc/hosts tho)
<leah2> anyway, this runs postfix with a hardcoded domain
<qyliss> In my Debian VM the IPv4 lines are just:
<qyliss> 127.0.0.1 localhost
<qyliss> 127.0.1.1 debian
<qyliss> And yet hostname and hostname -f both report debian
<leah2> 2 kaja ~% hostname
<leah2> kaja
<leah2> 2 kaja ~% hostname -f
<leah2> localhost
<leah2> oO
<qyliss> yikes
<leah2> 127.0.0.1 localhost kaja
<leah2> ::1 localhost ip6-localhost ip6-loopback kaja
<qyliss> looks like we're not the only ones getting this wrong
<leah2> but this is a very old debian install, perhaps it works differently on new ones
<qyliss> I tested sid
<puck> hrm, my hostname now shows `marisa`, and `-f` returns localhost (with `::1 localhost marisa`)
<qyliss> Debian seems to be using a different hostname implementation
<qyliss> I wonder if that's anything to do with it
<qyliss> I'm using net-tools 2.10-alpha
<qyliss> Debian is using "hostname 3.23"
<qyliss> Lestat[m]: it's really too early to say too much about the host system when we're still exploring what can and can't be moved into guests
<Lestat[m]> For guest os i would recommend artix or void
<Lestat[m]> Artix is gonna have glibc if yall want it
<qyliss> I'm not convinced running a full generic Linux distribution in a single-application VM is the right thing to do but am open to discovering I'm wrong
<qyliss> wtf dpkg -S can't find where /usr/bin/hostname comes from
<qyliss> maybe this is because I'm running sid or something
<leah2> it may be an alternative
<qyliss> oh that makes sense
<qyliss> hmm doesn't look like it
<leah2> is it /bin/hostname then?
<qyliss> $ which hostname
<qyliss> /usr/bin/hostname
<leah2> well yes
<leah2> due to usrmerge
<qyliss> $ realpath $(which hostname)
<qyliss> /usr/bin/hostname
<leah2> hostname: /bin/hostname
<leah2> but in the package it's in /bin
<qyliss> ahh
<qyliss> we don't even have a package for that implementation
<leah2> the one in coreutils sucks and lacks -f
<leah2> the one in inetutils is ok
<leah2> but debian historically has their own iirc
<qyliss> we're using net-tools
<qyliss> puck: does the inetutils hostname do anything different for you?
<puck> qyliss: interestingly, no
<qyliss> hmm
<qyliss> wonder if the debian one would
<qyliss> seems like our reference distro for this should probably not be the one with a custom hostname implementation, anyway
<Lestat[m]> well i mean dunno about a full distro but an application vm having its own kernel is better
<Lestat[m]> thats what gVisor does
<qyliss> it's not really a VM if it doesn't have its own kernel
<Lestat[m]> Yeah haha
<Lestat[m]> whats the topic about debian?
<qyliss> oh just a slight problem with the server running the spectrum mailing lists
<qyliss> we've tracked it down to a NixOS bug and are looking at what other distros do to figure out how to fix it
<Lestat[m]> Ayt
<multi> re. debian things above; new debian installs are usrmerged by default, but the package builds still are not
<multi> if you're on a usrmerged system then dpkg won't be aware of it, everything will just indirect through the top-level symlinks
<Lestat[m]> Fuck debian :P
* multi shrugs
<multi> 's what i use, and it gets the job done
<leah2> imo debian does this properly here
<leah2> if it wants to support non-usrmerge
<multi> ^
<multi> there are a *lot* of *very* old debian installs still around
<Lestat[m]> honestly the 2 things i use for servers are proxmox and alpine
stigo has joined #spectrum
<Lestat[m]> Btw if yall need any help im here. I may not be ALWAYS available as i have tons of things to do for my projects but still
<qyliss> Lestat[m]: well, what are your skills?
<Lestat[m]> Generally i just write kernel patches
<Lestat[m]> but i dunno just ask me if u need help
<Lestat[m]> If i cant do it ill let u know
cole-h has joined #spectrum
<Lestat[m]> I work as a sysadmin but i contribute to projects (usually by testing :p) as my "part-time job"
<Lestat[m]> I also have my own projects (currently just a custom hardened kernel for void linux but im working on porting some whonix packages to void linux). The website for them is anon-lestat.github.io
<Lestat[m]> Im not the sharpest tool in the shed but ill help if i can
<Lestat[m]> Anyways if u dont mind. Ill go back to wiping half my homelab
MichaelRaskin has quit [Ping timeout: 240 seconds]
<qyliss> puck: inetutils hostname -f does the right thing for me, with the following hosts:
<qyliss> 127.0.0.1 localhost
<qyliss> 127.0.0.2 atuin.qyliss.net atuin
<qyliss> ::1 localhost atuin.qyliss.net atuin
<qyliss> puck: what did your hosts file look like when you tried inetutils?
MichaelRaskin has joined #spectrum
<puck> qyliss: `::1 localhost marisa`, `127.0.0.2 marisa`
<qyliss> ah, so you don't have networking.domain?
<puck> i think i patched that out lmao