Scott Moser smoser

@smoser
smoser / README.md
Last active October 11, 2024 21:01
python editing melange yaml

editing melange yaml with python

Sometimes it's helpful to edit lots of melange files quickly.

This is something that I used to do that.

notes

  • uses ruamel.yaml, which is pretty good. I have seen one case where it messed up the roundtrip (py3-botocore.yaml)
  • running 'yam' afterwards fixed up more of the small differences with indentation.

chainctl token helper

This little helper just wraps calls to chainctl auth and reads token ttls.

On my workstation, I call it from ~/.profile like this:

is_interactive() {
    [ -t 0 ] && [ -t 1 ]
}
@smoser
smoser / README.md
Last active November 12, 2024 17:44
wolfi get file list and apk info

Random wolfi and tools.

  • get-archive-info - get a tar tvf output and the .APKINFO for every file in the archive.

  • build-stage - throw a bunch of files and see which build. They do not depend on each other (each only builds with the wolfi repo)

    I used this to help create batches of things when changing lots of files.

  • test-installable - it's like the c-i test that checks that all packages

@smoser
smoser / README.md
Created June 28, 2024 21:40
find shell deps in a file or filesystem tree

find shell deps

The idea here is just to "parse" files to

  1. see if they are shell
  2. find the external commands/utilities that they use

A more advanced version of this would help identify dependencies.

There are bugs in the fs traversal and I'm not finding everything :-(.

example

@smoser
smoser / README.md
Last active November 7, 2024 19:17
get-sbom and sbom-to-manifest get-pkglist

get-sbom and sbom-to-manifest

Just a friendly wrapper for getting the sbom for an image.

$ ./get-sbom cgr.dev/chainguard/busybox:latest | ./sbom-to-manifest
alpine-baselayout-data	3.6.5-r0
alpine-keys	2.4-r1
alpine-release	3.20.0-r0
busybox	1.36.1-r29
ca-certificates-bundle	20240226-r0
@smoser
smoser / README.md
Created May 20, 2024 21:09
boot a tarball or oci image ref

boot a tarball or oci image ref

Get yourself a kernel

# kernel from vmlinuz on ubuntu
kdist=/boot/vmlinuz-$(uname -r)
# https://bugs.launchpad.net/ubuntu/+source/linux/+bug/759725
sudo cat "$kdist" > kernel

Now convert an oci or local tarball to kernel flavor cpio. This script adds a very basic 'init'.

@smoser
smoser / README.md
Created May 16, 2024 13:46
hello world simple melange yaml

This is a simple melange package file. It builds really quickly.

Build it in wolfi-dev/os with:

make hello-busybox

Build it directly with melange as:

melange build ./hello-busybox.yaml \

@smoser
smoser / README.md
Last active February 14, 2024 15:36
catch-fail - trap failure and sleep so as to enter a melange build for debug

catch-fail - trap and sleep to enter a melange build for debug

Usage: catch-fail op

   catch-fail is used to help debug a melange build.  In a 'run' section
   you can add at the top:

      eval $(/home/build/catch-fail eval-trap 1h)
@smoser
smoser / README.md
Last active January 12, 2024 20:07
stubby talk at All Systems Go conference September 2023.

All Systems Go 2023: Kernel command line and UKI; systemd-stub and the ‘stubby’ alternative

This talk was given 2023-09-14 in Berlin at the All Systems Go 2023 conference. It is available online from the All Systems Go conference here.

Abstract

Modification of the kernel command line has historically been one of the easiest ways to customize system behavior. Bootloaders allow for persistent changes via config-files and on-the-fly changes interactively during system boot.

System behavior changes made via the kernel command line are not limited to the kernel itself. Userspace applications from installers to init systems and beyond also take input from /proc/cmdline.

It is clear that some kernel command line options are desirable (console=ttyS0 verbose) and possibly even necessary. Others, such as the cromulent 'init=/bin/sh', can allow circumvention of benefits that Secureboot and TPM provide.

@smoser
smoser / README.md
Last active January 12, 2024 14:31
yubikey / gpg

Yubikey and GPG setup

A change in process at work meant that internal IT would be managing my work-provided laptop. While I do not expect management to leak any personal sensitive data that was on the machine, it does represent an increase in the potential for such a thing to happen.

I bought a Yubikey (5c). The goal was to store "personal" GPG and SSH credentials on the yubikey so that they would not be available to a compromised system, or inadvertently get backed up.

The setup seems to work pretty well. Here is what I did.