Bedrock Linux: Strangest Linux Distro Ever?

What is Bedrock Linux?

From their website:

Bedrock Linux is a meta Linux distribution which allows users to utilize features from other, typically mutually exclusive distributions. Essentially, users can mix-and-match components as desired. For example, one could have:

  • The bulk of the system from an old/stable distribution such as CentOS or Debian.
  • Access to cutting-edge packages from Arch Linux.
  • Access to Arch’s AUR.
  • The ability to automate compiling packages with Gentoo’s portage
  • Library compatibility with Ubuntu, such as for desktop-oriented proprietary software.
  • Library compatibility with CentOS, such as for workstation/server oriented proprietary software.

All at the same time, all working together like one, largely cohesive operating system.

So, what is this thing? Bedrock Linux is a package manager compatibility overlay. Ever wanted to use CentOS or Arch packages on your Debian system? Bedrock Linux will let you do that.

Strata

A stratos in Bedrock Linux is a package management overlay. For example, if you want to add a CentOS Strata, you run:

$ sudo brl fetch centos

The BRL app will then download yum and it’s required apps and libraries into the overlay. Once it’s done you can then yum install whatever you want.

Have multiple versions of the same package? Use:

$ strat [stratus name] [packagename]

For example with the Nano editor:

tux@debian:~$ strat arch nano -V
GNU nano, version 4.2
(C) 1999-2011, 2013-2019 Free Software Foundation, Inc.
(C) 2014-2019 the contributors to nano
Email: nano@nano-editor.org Web: https://nano-editor.org/
Compiled options: --enable-utf8
tux@debian:~$ strat debian nano -V
GNU nano, version 2.7.4
(C) 1999..2016 Free Software Foundation, Inc.
(C) 2014..2016 the contributors to nano
Email: nano@nano-editor.org Web: https://nano-editor.org/
Compiled options: --disable-libmagic --disable-wrapping-as-root --enable-utf8
tux@debian:~$ strat centos nano -V
GNU nano version 2.3.1 (compiled 04:47:52, Jun 10 2014)
(C) 1999, 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007,
2008, 2009 Free Software Foundation, Inc.
Email: nano@nano-editor.org Web: http://www.nano-editor.org/
Compiled options: --enable-color --enable-extra --enable-multibuffer --enable-nanorc --enable-utf8

There are problems

It’s not as easy as it sounds. In order to install Bedrock Linux, you must have a compatible base OS. Here is the list that’s currently on the website:

Distro Hijack-able Fetch-able Maintainer
Alpine Linux Yes Yes paradigm
Arch Linux Yes Yes paradigm
CentOS Known issues Yes paradigm
Clear Linux Mixed reports Experimental support N/A
CRUX Known issues No N/A
Debian Yes Yes paradigm
Devuan Needs investigation Yes paradigm
Elementary OS Yes, but limited testing No N/A
Exherbo Yes In development Wulf C. Krueger
Fedora Yes Yes paradigm
Gentoo Linux Yes Yes paradigm
GoboLinux Known issues No N/A
GuixSD Needs investigation No N/A
Manjaro Yes, but pamac/octopi broken No N/A
Mint Needs investigation No N/A
MX Linux Known issues No N/A
NixOS Known issues No N/A
OpenSUSE Yes Experimental support N/A
OpenWRT Needs investigation Experimental support N/A
Raspbian Yes Yes paradigm
Slackware Linux Known issues Experimental support N/A
Solus Yes Experimental support N/A
Ubuntu Yes Yes paradigm
Void Linux Yes Yes paradigm

Hijack-able distros are suitable base installations. Fetch-able distros can be used as overlays.

However this isn’t entirely true or at least not up to date. My first attempt was with OpenSUSE Tumbleweed. After installing, it failed to boot. My second attempt was with Fedora 30. Same resume. It worked on the third try with vanilla Debian. Finally, while Fedora is listed as fetch-able, I couldn’t install it because the brl application couldn’t find a suitable mirror.

Should I give it a try?

Yes! It’s a very interesting project, but don’t do it on any machine where you need your data to be protected. A spare VM is the ideal platform until it becomes more stable.

Advertisement

In Defense of Tumblweed: Why @BryanLunduke is wrong

What is OpenSUSE Tumbleweed?

OpenSUSE Tumbleweed is a cutting-edge Linux distribution from the OpenSUSE team. It uses the latest versions of software applications and the Linux kernel for those who want to see what will be coming up in other Linux distributions in 6-months to a year or more from the time that they appear in Tumbleweed. This means that there are bugs; lots of them. Things break, This is the price that you pay for having the very cutting edge or software technology.

What did Bryan Lunduke actually say?

Let’s break down his complaints. There are only two.

  • SUSE Studio
  • YaST (ugly, cumbersome, hard to use, stupid, bloated)

The first complaint is an application stack that doesn’t actually have anything directly to do with Tumbleweed. I never used it. It was going by the wayside when I started using OpenSUSE as my daily OS of choice. The source code is still out there and maybe it should be forked and brought back to life. I don’t know. I can’t argue with this point because it is a red herring and has nothing to do the OpenSUSE Tumbleweed distribution.

The second list of complaints is pretty vague, but his complaint is basically that YaST has issues that are causing it to bring does the entire distribution as a whole.

What is YaST?

YaST (Yet Another Setup Tool) is a set of system management tools that are grouped together in a single management application called YaST though they can be installed and run separately as needed.

The modules allow the user to easily control most administrative functions that might be needed. Not all of the modules are the same though. Some such as the printer and scanner modules suck. Other modules like the Software Management module are great. I consider this to be on par with Debian’s Synaptic package management tool which is freaking amazing. If unevenness in the quality of the modules is the reason why he dislikes it so much, then it’s not a completely wrong reason but it’s not a really good one either.

I say that it’s a given that some of the modules are out of date or need a fresh new rewrite, but that’s not specifically what he is saying. He keeps his complaints vague and oddly personal. I’m not privy to much of the inner-workings of the OpenSUSE distribution but I’ve seen from social media that there is some bad blood there between him and folks in OpenSUSE and I really hope this isn’t just a rant against them instead of really against the distribution.

With that aside, let’s talk about the real issue with YaST and any GUI based configuration tool. It is yet another level of abstraction away from actually working with the operating system. For example, YaST has an module called HTTP Server. If you run it, it will set up Apache and any modules like PHP for you and will give you some basic options for tuning it without actually needing to work with the command line or configuration files directly. If someone told me that they had been a system administrator for 5 years but they had only ever used YaST, I wouldn’t hire them because many times things break and they can’t be fixed with YaST. Tools like YaST should mainly be a time saver not a replacement for good configuration and I think that’s what it is currently.

Even with my own genuine complaints above, they don’t really co-inside with Bryan Lunduke’s complains (it’s ugly, cumbersome, hard to use, stupid, and bloated) because I can’t see all of that. It’s no more ugly than any other tool (besides real nerds care about function over form). Granted, some of the modules are cumbersome and hard to use, but not all of them. It’s “stupid, stupid and it’s stupid” what the heck is that supposed to mean? Use your words Lunduke! Don’t just emote. “It’s bloated.” There are currently 183 total YaST modules. Many will never be used by an end user because they are only used during installation. However if you were to install them all, it would take up 176MiB which would average out to .96MiB per module. There are some required Ruby libraries that I’m not taking into account here, but this really isn’t what I would call bloat. You can even uninstall the modules that you don’t want without causing a huge fuss.

Let’s Wrap Up

Bryan Lunduke is wrong when he says that OpenSUSE Tumbleweed is one of the worst distros out right now. He is wrong when he says that YaST is dragging down the entire distro. YaST has problems, but they aren’t what he says they are.

LattePanda Gigglescore

A Gigglescore is a ratio score of price to performance for single-board-computers like the LattePanda or Raspberry Pi. A lower Gigglescore means a better value for the money. A higher one is worse. You can see more here: https://gigglescore.com/

My LattePanda:

sudo ./benchmark.sh 149
Repository 'openSUSE-Leap-15.0-Non-Oss' is up to date.
Repository 'openSUSE-Leap-15.0-Oss' is up to date.
Repository 'openSUSE-Leap-15.0-Update' is up to date.
Repository 'openSUSE-Leap-15.0-Update-Non-Oss' is up to date.
All repositories have been refreshed.
Category5.TV SBC Benchmark v1.1
Powered by sysbench 1.0.11
Number of threads for this SBC: 4
Performing CPU Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
576.760 events per second. Price: Ģ930.02 per unit.
Performing RAM Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
3,625,781.466 events per second. Price: Ģ0.15 per unit.
Performing Mutex Benchmark… WARNING: the --test option is deprecated. You can pass a script name or path on the command line without any options.
6.873 events per second. Price: Ģ7.80 per unit.

Total Giggle cost of this board: Ģ1,397.58

Giggles (Ģ) are a cost comparison that takes cost and performance into account. While the figure itself is not a direct translation of a dollar value, it works the same way: A board with a lower Giggle value costs less for the performance.
If a board has a high Giggle value, it means for its performance, it is expensive. Giggles help you determine if a board is better bang-for-the-buck, even if it has a different real-world dollar value. Total Giggle cost does not include I/O since that can be impacted by which SD card you choose. Lower Ģ is better.

Being that the suggested retail price is currently $149, we get a Gigglescore of 1,397.58. This is right between the Raspberry Pi 3 B+ and the ODROID XU4 in terms of value for the dollar.

Does it Leak? — Tumbleweed Edition

The following is a spreadsheet that I put together this weekend testing Linux applications and how well the work on Tor.

The first column is the name of the application and the second is the Linux distribution. In this case, I am using the latest build of OpenSUSE Tumbleweed with the latest patches applied.

The Torsocks column is whether or not the application is compatible with torsocks which is a wrapper around an application that send it’s networking requests to Tor instead of the standard internet.

The Proxy column is whether or not the application supports a SOCKS5 proxy with a DNS Proxy, specifically the one used by the Tor application.

The DNS Leak column is a test that I ran with Wireshark to see if any of the applications were misbehaving with DNS. i.e. Did they try to use DNS even though I set a proxy not to use it and/or did they go around the torsocks application and use DNS directly?

In the No DNS Test, I commented out the nameserver entry in /etc/resolv.conf so that the VM that I was using as a whole would not have access to DNS. Would the application be able to use DNS via Tor alone?

Finally, I tested to see if the application could reach a .onion site. I don’t have a OpenSUSE Repo in an .onion site or a steaming service like youtube to try so I didn’t test those.

ApplicationLinuxTorsocksProxyDNS LeakNo DNS Test.onion
FirefoxTumbleweedNoYesNoPassYes
ZypperTumbleweedYesNoNoPassn/a
LinksTumbleweedNoYesNoPassYes
LynxTumbleweedYesNoNoPassYes
w3mTumbleweedYesNoNoPassYes
curlTumbleweedYesYesNoPassYes
ChromiumTumbleweedNoYesNoPassYes
BraveTumbleweedNoYesNoPassYes
OtterTumbleweedNoYesNoPassYes
Youtube-dlTumbleweedYesNoNoPassn/a

My findings were that none of the applications that I tested had DNS Leaks though there could be other issues that I did not test for. If your concern is strictly about privacy and not being tracked, the official Tor Browser is the way to go. However I am keenly interested in other applications for Tor so this is my first step in finding what could be possible.

Anonymity is Important

Let’s begin with something useful.

In order to use Tor, you ideally need a browser that can access it. The Tor Browser on desktop platforms, formerly known as the Tor Browser Bundle, and the Orfox Browser with the Orbot app on Android are the suggested browsers. Why? Tor takes anonymity seriously.

The four log entries below are from 4 browsers that are using Tor.

Brave:
127.0.0.1 - - [10/Nov/2018:12:56:19 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "http://irvdwucxcq6kb2nm.onion/" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36"
Firefox:
127.0.0.1 - - [10/Nov/2018:13:00:58 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0"
Tor Browser
127.0.0.1 - - [10/Nov/2018:12:57:27 +0000] "GET /favicon.ico HTTP/1.1" 404 152 "-" "Mozilla/5.0 (Windows NT 6.1; rv:60.0) Gecko/20100101 Firefox/60.0"
Orfox
127.0.0.1 - - [10/Nov/2018:13:04:53 +0000] "GET / HTTP/1.1" 200 396 "-" "Mozilla/5.0 (Android; Mobile; rv:52.0) Gecko/20100101 Firefox/52.0"

The first log entry is from the Brave browser (https://www.brave.com) which has Tor built in into their Private Window mode. This is a really neat concept, but you gain a lot of information about the person using this browser and that makes them stand out. You can see which website that I am trying to access. You can see that I am running 64-bit Linux. You can also see that I am running a browser based on Chrome. None of these things tell you exactly who I am but they fingerprint me as someone who stands out. The goal of anonymity is it blend in with the rest of the internet.

The second entry is normal unmodified Firefox running on Tor. This is a little better. It almost completely matches the entry for Tor Browser, except that it gives away my operating system and it is a not running the same version as the Tor Browser.

I didn’t change to a Windows PC to test the Tor Browser, all versions will always report the same information. It will always report that it is being used in Window since it is the most widely used operating system. It’s important to keep it up to date not only to apply bugfixes but to keep in line with all of the rest of the Tor Browser users.

The final entry is for Orfox. Yes, you can see that I am running it on Android as it is based on the Firefox app for Android. This is a bit of a negative. Preferably you would want it to appear to be the same as the normal Tor browser but there is probably a trade off. All copies of Orfox, no matter the device or version of Android, should look the same. However in order to get mobile versions of websites suitable for a mobile device, the browser needs to identify itself as a mobile browser. We’ll discuss more about fingerprinting in a later chapter.

We Do It For the Children

I’m staying in a hotel chain in London only to find a firewall that throttles interesting stuff like BBC iPlayer and YouTube. I tried going to my VPN provider. That the website is blocked to protect children and vulnerable people. What?! Meanwhile I have no trouble connecting to #4chan because they only care so much about children.

Untitled

Of course Tor is blocked also, well for other people, I got it to work anyway and now I’m writing this using it out of spite.

If I give them the benefit of the doubt, I would say that they want to keep bandwidth usage down and the best way to do that is to throttle big streaming websites and they want to close loopholes by blocking ways around that.

However the explanation kills me: to help keep children and vulnerable people safe. So this provider says that they want to help make the internet a better place by taking away the anonymity of trolls and online creeps? That makes no sense. Why even provide have internet access at all? I think the real case is above, they need to cut bandwidth costs and that’s fine but leave the nonsensical rhetoric out of it.

My Day with Fedora

I used Fedora 28 today for work instead of my usual OpenSUSE Leap 15 installation. Here’s how it went.

My setup:

  • Intel© Core™ i7-4500U CPU @ 1.80GHz × 2
  • 16GB Ram
  • 250G SSD

Here’s the software that I needed for work today:

  • Synergy
  • LibreOffice > 6.0
  • Chromium Browser
  • Spotify
  • NFS
  • virt-manager
  • Graphical multi-tab text editor
  • Tilix
  • Pidgin
  • Hexchat
  • KeepassXC

I use Synergy as a virtual KVM between my home server machine that handles my storage, email, etc. and this brings us our first real problems. The “software” application in Gnome doesn’t list Synergy even when I search for it and I was wondering if I would have to go download the RPM it’s creator (I have a valid license so that’s not really a problem). I ran ‘dnf search synergy’ and there it was. If your software installation tool only covers “best of” software but not everything then it’s usefulness is only marginal at best.

I installed Synergy and when I ran it I received an error that I shouldn’t close it because there is no systray available. This is a pet peeve that I have with a lot of distros who use Gnome 3. Either the systray isn’t enabled or isn’t available at all. The fact is that a lot of applications still use it. Of the ones that I use, Synergy, Pidgin, KeepassXC, and Hexchat all fall into those categories. I like having a clean work environment and being able to minimize apps to the systray helps with that. And so I said goodbye to the pure Fedora experience and installed Cinnamon (It also wasn’t available from the GUI software application) and the rest of the apps from the CLI.

Everything else went as expected. I didn’t have any more hiccups as long as I used the dnf command to install the apps. I mounted the directories from my home server to my workstation with NFS so I didn’t have to worry about data loss. I did notice lag from the time that some apps were launched until they were ready that I didn’t notice with OpenSUSE, but I didn’t do a real measurement so that was entirely subjective.

There really wasn’t anything keeping me from doing my work that couldn’t be worked around in a matter of minutes.

Suggestions for Fedora:

  • Bring back the systray into Gnome 3
  • Remember yumex? It was an awkward but very powerful graphical tool for Yum. Bring it back at make it your primary software installation tool.

I need a new open source project

A few years ago I wrote this rousing email about the Linux Documentation Project and I made waves in a mailing list that lay mostly dormant for years. After the list was rejuvenated, I set out to learn git, then then to find pieces of Linux documentation all around the web and add it. The idea was, find a central place (i.e. TLDP) to store all of the documentation from here and there and then replicate that central store all over the globe for redundancy so it is never lost. I had big goals and then nothing really came of it.

sigh

Why did nothing happen? 99% was me and my own laziness/busyness/etc. The other 1% was that there isn’t a community there. The mailing lists are dead. The wiki is never updated. New documents are rarely added and old ones are never retired (not deleted, just retired). I felt almost alone in this huge wasteland of a site with so much potential.

I need a new open source project

I want to find a project that I can help with, can make a difference in, and that has a community that is actively working in it.

I have a few projects in mind. I’ll post more when I make a decision.

Adventures with Kubeadm on OpenSUSE Kubic

This video is a little kludgy.  It was literally my first time putting together the cluster and if you notice at the end, it doesn’t actually work. None of the worker nodes are actually usable. Hopefully that will be fixed soon.

linux-3q2c:~ # kubectl get nodes
NAME         STATUS     ROLES     AGE       VERSION
linux-3q2c   NotReady   master    3m        v1.11.1
linux-fykp   NotReady   <none>    1m        v1.11.1
linux-gbv8   NotReady   <none>    51s       v1.11.1    

In the meantime, thanks to this post, I’ve reinstalled with cri-o and now have a fully functional cluster.

jsevans@jserver:~> kubectl get nodes
NAME STATUS ROLES AGE VERSION
linux-3q2c Ready master 2h v1.11.1
linux-fykp Ready <none> 1h v1.11.1
linux-gbv8 Ready <none> 1h v1.11.1

What have I been doing with my new cluster?

I installed the Kubernetes dashboard, Helm, and WordPress with Helm. I’ve also had to really dig into what it means to use RBAC.  In CaaS Platform 1-3, a lot of your RBAC stuff was already done for you. Now I’ve had to specifically set RBAC to get the Dashboard credentials working as well as to get Tiller working. It’s a learning experience and it’s good to get these fundamentals down pat.

Screenshot from 2018-08-21 20-56-47

Screenshot from 2018-08-21 20-58-13

LattePanda

I picked up a new toy this week to replace my aging and rarely-used Raspberry Pi 3 (original). It came with Windows 10 already on it and I immediate went to the forums for a howto on installing Linux. There is a guide on how to install Ubuntu 16.04 but it seems to require a lot of extra steps (special kernel, etc).  I figured it couldn’t hurt to try it with OpenSUSE. At worst it would fail and I would be left with Ubuntu.

To my surprise, it worked and it was easier than the steps that were provided. The thing with the LattePanda is that it is UEFI-only.  There is no legacy boot mode so if your distro doesn’t have a UEFI-enabled installer, then you are out of luck.

Edit: It’s not just UEFI only, it’s Trusted UEFI only.  That means that if your distro doesn’t have a trusted EFI key, then the bios won’t even recognize it. Canonical/Ubuntu, Redhat/CentOS/Fedora, and SUSE/OpenSUSE have trusted EFI keys and work. Mostly, I think because they have corporate sponsorship and they have a vested interest in working with hardware vendors.

Here’s the basic steps:

  1. Flash the “Ubuntu” bios (this will allow you to boot the Linux USB key)
  2. Burn the OpenSUSE iso to a USB 3.0 Key
  3. When trying to boot with the key, it froze when the installer brought up the GUI.
    Workaround: Reboot and add “textmode=1” to the boot loader for the installer.

Screenshot at 2018-08-18 15-23-30

  1. Install using ncurses installer. It’s a little clunky but all of the options are there.

ss3
5. Reboot after the installer finishes. Everything is as it should be. No more freezes, no special kernel, everything works great.

One last thing. The LattePanda has both HDMI and composite. Linux assumes composite out is Display 1 and HDMI is Display 2.  If you are running headless, then this is fine. If not, you will need to with your desktop environment to disable Display 1. I tend to use the i3 desktop for work and this was easy for me to workaround. It can be a hassle for others. I think this will be the case no matter which distro you use.