<hannes>
I announced on mirageos-devel mailing list that we'll have a catchup in ~10 minutes! :)
<mato>
i'll ping people on slack
<mato>
hannes: i also bumped myself onto the agenda with a quick report on "solo5 security hardening", as i need to flee at about 17.30
<hannes>
mato: sounds good to me
<dinosaure>
hi all
* h01ger
waves and lurks
* ehmry
auch
<hannes>
good evening, welcome to the MirageOS catchup November 2018. we (used to) have these catchups every 2 weeks. The agenda is at https://github.com/mirage/mirage-www/wiki/Call-Agenda - feel free to add/edit items.
<hannes>
the first item is "solo5 security hardening in progress (@mato)"
<mato>
right, so this is just a quick overview from me of what's happening:
<mato>
i'm working on various aspects of adding "standard" security hardening to Solo5, mainly (but not only) concerning the C code/low-level runtime
<mato>
since we are making security claims about this, we should be backing those with features, obviously as appropriate for our use cases
<mato>
right now I have work in progress for enabling SSP ("stack smashing protection") (#293), which depends on the also-work-in-progress to unmap the "zero page" (#296)
<mato>
i'm not going to bore people with the details, so all i'll say right now is that this is progressing and will probably land at some point next week. i may or may not cut a point release with this, as the next step (Static PIE and ASLR) is somewhat more involved.
<hannes>
yes, I highly appreciate your work on that! :)
<mato>
i'll also note that those of you waiting for seccomp to appear in solo5, this actually depends on Static PIE which will make it much easier
<dinosaure>
good progress!
<mato>
since that gives us more flexibility in address space layout
<hannes>
next item is "report from our Marrakesh retreat (@hannesm, others)"
<hannes>
it's already been nearly 2 months, lots of projects happened there, so far I don't think we have any blog posts about that. Would be great if some attendees could write some paragraphs! :)
<mato>
i think it'd be worth bugging people on the marrakesh list about this, e.g. please write at least a couple of paragraphs, with a deadline, then collating the reports into a blog post
<mato>
i believe this is how we did it previously?
<hannes>
I saw https://github.com/g2p/wodan working with solo5-hvt, being able to read and write to and from a block device :D
<hannes>
mato: good idea!
<hannes>
spoiler the next retreat will be march 6th - 13th 2019, same place. I'll update the retreat website soon
<dinosaure>
got it!
<hannes>
next item: "git 2.0 released" -- i put this on the agenda, but i think dinosaure knows more about that :)
<hannes>
there are some breakages, but we'll from now on be able to deal better with deprecation, since the mirage tool generates upper bounds for used packages
<hannes>
this means a unikernel configured by mirage.X will depend on the upper bounds of X (e.g. Y.5) - if we want to change Y's API, we can release Y.6 and mirage.(X+1) can use the new Y
<hannes>
but configured unikernels, or those with mirage.X, will still require Y.5.
<hannes>
another user-visible change are boot parameters, they are now unified across backends. the opam package parse-argv is used everywhere
<mato>
and thanks to ehmry, we now have experimental support for Genode as a target (via Solo5)
<ehmry>
as for Genode, I have unfortunately not made enough time to figure out/document easy deployment, but the quarterly release is tomorrow and the release notes have a section on Mirage
<hannes>
the interface of it is to receive a string (i.e. String.concat " " Sys.argv), so whitespaces need to be escaped
<hannes>
ehmry: cool
<mato>
regarding parse-argv, there is still a PR open with some discussion on what the exact semantics "should" be
<hannes>
another feature useful for development is that our config.ml may now contain pinned packages... if you specify package ~pin:"git+https://somewhere" "foo", this will generate a pin-depends in the opam file of foo to the specified string.
<hannes>
this means that e.g. canopy with irmin dev can now be defined in config.ml, no need to transport the irmin.dev stuff around elsewhere.
<hannes>
that's MirageOS 3.3.1 (.0 had some smaller issues which I fixed afterwards)
<hannes>
oh, and there's now again a mirage configure --no-depext command line flag. this generates a Makefile where make depend won't call out to opam depext (which is slow, and not necessary on development machines where you already have the required system packages)
<hannes>
any questions?
<hannes>
some discussions about features etc. for Mirage 4.0 have been done since Marrakesh, I hope we'll have a feature plan for public review in December
<hannes>
if there are no questions, I'll open this meeting with any other business. if someone has something to announce or any question, please do
<hannes>
I wanted to implement routing in our IPv4 stack, and to get multiple interfaces I intended to first use VLAN (802.1q) tagging of a single ethernet interface. While going through the layers, I started to revise the mirage-net interface to cope with this: https://github.com/mirage/mirage-net/pull/13
<hannes>
it is mainly to push allocation to the lowest layer, which knows best about memory alignment and MTU. feedback welcome.
<lobo>
nice :)
<hannes>
(there's certainly more revisions needed for mirage-net to include our recently released metrics library for statistics https://github.com/mirage/metrics)
<hannes>
in other news, for the CCC congress (35c3, https://events.ccc.de), I proposed a MirageOS assembly (to get a table to hang out), will elaborate in a mail to mirageos-devel :)
<hannes>
please, raise your voice or this meeting will be finished ;)
<djwillia>
thanks for running the meeting hannes!
<hannes>
next one will likely be in 2 weeks time on dec 12th
<ehmry>
are on to post-meeting banter?
<ehmry>
are we*
<djs55>
regarding metrics, I made an issue to request / discuss how we could integrate it with prometheus: https://github.com/mirage/metrics/issues/29 since that's very popular in clouds these days
<ehmry>
with this genode deployment I tried to replicate the git polling as is done on Xen, but after porting libgit2 I realized that the library uses mmap for almost all of its file I/O, just for performance, so that's a no-go, I could make something work with SFTP or maybe http, but git would have been nice
<ehmry>
I just code, I don't deploy, so I'm not sure what the best thing to do is
<ehmry>
in the meanwhile I did test using FAT images from the file-system with a block translator, and that works ok
<hannes>
ehmry: you can use ocaml-git instead of libgit2 ;)
<ehmry>
yes, I would like to try out this git
<ehmry>
is there any example of using ocaml-git as a server I can push and pull from?
<hannes>
I don't think the server logic is in place there, dinosaure knows more. I use the git implementation only as a client.
<ehmry>
ok, well it's a good excuse to learn ocaml then
<ehmry>
ah, yes, genode has an experimental 9P server now, so this is one way to write back to the file-system