Jonathan Lebon
> I think this should actually mostly land on the bootc side; making partitions unprivileged is easy. So moving to [bootc-dev/bootc#859](https://github.com/bootc-dev/bootc/issues/859)

Can we reopen this? Since for the short to...
Nice, thanks @mvo5! I'd suggest taking https://github.com/coreos/coreos-assembler/blob/main/src/supermin-init-prelude.sh as a base. A few tiny tweaks went into it after @cgwalters's fork that I think are relevant here (notably https://github.com/coreos/coreos-assembler/commit/e6aa66a55b770ae20b2dc555c48bde40b24530a5).
I know bootc wants to leave the door open for non-ostree backends, but given that kargs are intimately linked to the thing that updates the bootloader, isn't the right place...
Another user of `AuthorizedKeysCommand` is https://github.com/coreos/ssh-key-dir, which is used by FCOS. And so naturally, we hit this issue too in FCOS rawhide: https://github.com/coreos/fedora-coreos-tracker/issues/1775. And yes, agree that sshd ideally would...
> Which makes me wonder, given this is from the same general direction, has there been any work done, thoughts spent on figuring out how to marry that sssd...
> (And in fact, [coreos/ssh-key-dir](https://github.com/coreos/ssh-key-dir?rgh-link-date=2024-09-13T17%3A00%3A13Z) itself is just working around sshd not supporting an `authorized_keys.d/` directory.)

Following up on this, looks like this is happening: https://github.com/coreos/ssh-key-dir/issues/188. This would essentially mean...
Just to xref, turns out we were implicitly relying on that seccomp hole. See also https://github.com/coreos/fedora-coreos-pipeline/pull/1047.
Though relatedly, are there plans to allow user namespacing by default in the future?
We already fall back if we fail to fetch the superblock, right? So this seems to be specifically about falling back if we fail to fetch one of the delta parts?...
Thanks for the context. Wrapping the whole function still feels a bit strong-handed though. This is something `ostree fsck` could help recover from too, right? (It marks commits as partial...