Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Why not just put all of portage on read-only NBD volumes?
View unanswered posts
View posts from last 24 hours

Goto page Previous  1, 2, 3  Next  
Reply to topic    Gentoo Forums Forum Index Gentoo Chat
View previous topic :: View next topic  
Author Message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Tue Jan 14, 2025 4:45 pm    Post subject: Reply with quote

pingtoo wrote:
However I don't see the benefit of doing this.

Why do we use rsync? To download only a few bytes instead of a great many. Mounting distfiles as a remote volume and allowing a local rsync process to access it--as opposed to an rsync server which for a Gentoo repository has to be a load--could conceivably save bandwidth.

Enough bandwidth to justify a big change? I don't have these answers.

I came in the door with a desire to more securely apply system updates though. If this becomes a thing, I'll get to scratch that itch. And I'm glad about that.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1467
Location: Richmond Hill, Canada

PostPosted: Tue Jan 14, 2025 5:06 pm    Post subject: Reply with quote

nokilli wrote:
pingtoo wrote:
However I don't see the benefit of doing this.

Why do we use rsync? To download only a few bytes instead of a great many. Mounting distfiles as a remote volume and allowing a local rsync process to access it--as opposed to an rsync server which for a Gentoo repository has to be a load--could conceivably save bandwidth.

Enough bandwidth to justify a big change? I don't have these answers.

I came in the door with a desire to more securely apply system updates though. If this becomes a thing, I'll get to scratch that itch. And I'm glad about that.


I don't know Gentoo Foundation/Gentoo Maintenance Management running cost. It is not my concern in this conversation. I am just interesting in term of new idea and trying to understand it.

so I assume by "desire to more securely apply system updates" you are thinking two risk factors, in transit and at rest.

Are you thinking wget/curl transport may be riskier than NBD? Or you are concern the source "distfiles" at Gentoo (or mirror) may be tempered?

Another question, Rre we settle yet for doing NBD have more benefit than current rsync/wget/curl method?

I am not trying to debate with you, I am trying to understand you point. Because I got a sense that from you initial port, you believe there is/are benefit from using NBD as transport. however through out the conversation I have not yet learn the benefit.

I do use NBD in my daily usage but for different reason. My main nodes are ARM based machine and are SBC boards so limited local storage. And I like to work in docker. So I use NBD to supply storage for docker. my NBD source still SBC boards just that I installed NVME on it so I run them as NAS. And I recently start using my MBP-M2 with attached USB disks, so I plan to also run VM on the MBP with NBD to share its storage.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Tue Jan 14, 2025 5:10 pm    Post subject: Reply with quote

Isn't there an opportunity here?

Gentoo Hardened built a name for itself by dedicating itself to security at the process level.

Why not a new face, dedicating itself to protecting user privacy?

The first step? Can't have system update processes that have simultaneous access to user data and encrypted connections over the Internet.

Solution? Use Gentoo >INSERT NAME HERE<, dedicated to protecting your privacy by ensuring that the update process can never expose your data to the Internet!

How to do that? All data downloaded over the Internet to update your system comes from a read-only volume and features as your client: the Linux Kernel!

Another thing Gentoo can do that maybe the other distros can't? Not sure how this could ever work with apt or dnf.

rpm-ostree doesn't even support using a proxy. Gentoo was doing it in the '90s.

Why focus on privacy? Because I can read the news.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1467
Location: Richmond Hill, Canada

PostPosted: Tue Jan 14, 2025 5:17 pm    Post subject: Reply with quote

nokilli wrote:
Isn't there an opportunity here?

Gentoo Hardened built a name for itself by dedicating itself to security at the process level.

Why not a new face, dedicating itself to protecting user privacy?

The first step? Can't have system update processes that have simultaneous access to user data and encrypted connections over the Internet.

Solution? Use Gentoo >INSERT NAME HERE<, dedicated to protecting your privacy by ensuring that the update process can never expose your data to the Internet!

How to do that? All data downloaded over the Internet to update your system comes from a read-only volume and features as your client: the Linux Kernel!

Another thing Gentoo can do that maybe the other distros can't? Not sure how this could ever work with apt or dnf.

rpm-ostree doesn't even support using a proxy. Gentoo was doing it in the '90s.

Why focus on privacy? Because I can read the news.


This conversation become very strange now. I don't see how a transport mechanism somehow leak privacy information, Do you mind to elaborate more?
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Tue Jan 14, 2025 6:00 pm    Post subject: Reply with quote

pingtoo wrote:
Are you thinking wget/curl transport may be riskier than NBD? Or you are concern the source "distfiles" at Gentoo (or mirror) may be tempered?

Yes, any kind of transport is riskier than NBD I feel, for this concern. NBD uses the Linux kernel as it's client. It's communicating with the server that is exposing a read-only volume. The opportunity for mischief here appears to be next to nil.

As opposed to letting an installer have simulaneous access to my home directory and an encrypted Internet connection, which is why I fled my last distro.

Recognize that it is not a question of trusting Gentoo developers as much as it is trusting that the process is foolproof and beyond exploitation by bad actors.
pingtoo wrote:
Another question, Rre we settle yet for doing NBD have more benefit than current rsync/wget/curl method?

Do you mean is it more efficient? I'd expect that it would be less efficient in the single file case, but because it enables rsync in an unusual way, much more efficent in the many file case.
pingtoo wrote:
I do use NBD in my daily usage but for different reason. My main nodes are ARM based machine and are SBC boards so limited local storage. And I like to work in docker. So I use NBD to supply storage for docker. my NBD source still SBC boards just that I installed NVME on it so I run them as NAS. And I recently start using my MBP-M2 with attached USB disks, so I plan to also run VM on the MBP with NBD to share its storage.

In the home network environment, NBDs are marvelous, especially because you can so easily combine them with the other dm devices. I am stubbornly resisting moving over to file systems like btrfs, xfs, zfs, which otherwise have some wonderful capabilities, but which I feel don't work as well with the block device model.

It's a good place to point out again that what I'm describing is a read-only network block device, and which appears to present a much simpler use case than writable devices.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1467
Location: Richmond Hill, Canada

PostPosted: Tue Jan 14, 2025 6:23 pm    Post subject: Reply with quote

nokilli wrote:
pingtoo wrote:
Are you thinking wget/curl transport may be riskier than NBD? Or you are concern the source "distfiles" at Gentoo (or mirror) may be tempered?

Yes, any kind of transport is riskier than NBD I feel, for this concern. NBD uses the Linux kernel as it's client. It's communicating with the server that is exposing a read-only volume. The opportunity for mischief here appears to be next to nil.

As opposed to letting an installer have simulaneous access to my home directory and an encrypted Internet connection, which is why I fled my last distro.

Recognize that it is not a question of trusting Gentoo developers as much as it is trusting that the process is foolproof and beyond exploitation by bad actors.
pingtoo wrote:
Another question, Rre we settle yet for doing NBD have more benefit than current rsync/wget/curl method?

Do you mean is it more efficient? I'd expect that it would be less efficient in the single file case, but because it enables rsync in an unusual way, much more efficent in the many file case.
pingtoo wrote:
I do use NBD in my daily usage but for different reason. My main nodes are ARM based machine and are SBC boards so limited local storage. And I like to work in docker. So I use NBD to supply storage for docker. my NBD source still SBC boards just that I installed NVME on it so I run them as NAS. And I recently start using my MBP-M2 with attached USB disks, so I plan to also run VM on the MBP with NBD to share its storage.

In the home network environment, NBDs are marvelous, especially because you can so easily combine them with the other dm devices. I am stubbornly resisting moving over to file systems like btrfs, xfs, zfs, which otherwise have some wonderful capabilities, but which I feel don't work as well with the block device model.

It's a good place to point out again that what I'm describing is a read-only network block device, and which appears to present a much simpler use case than writable devices.


Thank you for the explaination.

Understand your privacy concern now.

Please allow me to point out as current Gentoo Portage implementation this is unavoidable because running emerge require root. so the concern of preventing unwanted access to private data installed on Gentoo node while installation going is not possible if emerge is the tool of choose. Allowing unknown account to execute emerge with root privilege is a system administration issue. Using NBD transport or letting emerge call wget/curl will not make any different.

I am try to get a sense from you about the using NBD transport for benefit beside of privacy. My point been using NBD have no performance benefit nor cost benefit so I don't recommend enable NBD for distfiles.

BTW, using wget/curl is one way transport therefor it is also read-only.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 1:48 am    Post subject: Reply with quote

What trade-offs are you willing to make to secure your system?

Everybody's different. Different skill sets, different tolerances.

Honestly, what I want is to only actively administer one machine. And I've decided that's going to be the Gentoo on my home server.

I want the system on my workstation to be exactly the opposite. I'm happy to pull in packages as they're needed but if I can also just freeze the installation and never think about it again and just stay in sway/foot/emacs and sideload flatpaks to take the load for whatever other apps I want to install, that would be amazing.

What protects the workstation if I'm not religiously updating it? It can only connect to the home server over a wifi network dedicated to that purpose on a machine where net.ipv4.ip_forward=0. And then the firewall can further slam the door shut.

So I can access nfs and the new thing is running Podman containers for your network-facing stuff and accessing the admin interfaces via web and this lets me do that too.

If there's a risk that I can easily mitigate using my skill set, then I'm going to want to do that. My skill set isn't amazing. And a problem with Gentoo is that, this quickly becomes obvious.

With this one simple trick, I can update my system and be sure no private data is being exposed in the process. I can already do this on Gentoo right now. Having a nbd-based distfile sitting underneath my local distfiles directory would simply streamline the process.

And then I have another machine I can use to do normal Internet stuff and that I really don't care about, or think about.

I am at peak Gentoo right now. The server was a painless install. I went OpenRC because the other pain point was configuring hostapd to let me have the private network on Ubuntu and it appears to be a use case that the NetworkManager guys aren't supporting. The workstation was a painless install, and I went systemd with that because of the integration opportunities that seem to be developing between sway and flatpak.

I changed a USE flag in my make.conf and did the emerge -uDNa @world and got a list of ten packages and it was a five-minute build. I remember when doing would result in hundreds of packages and the build took the day. I don't know whether it's because machines are faster today or the switch to a pure wayland install but it just feels like a different distro. I got what I wanted on the first try.

What really set me off on this is Fedora. I was using their Sway Atomic Spin on the workstation immediately prior to this new Gentoo install. They use rpm-ostree. This is around eight years old I believe. Not only does rpm-ostree not support proxied access to their servers, but it appears that when the community cobbled together a workaround, Fedora then broke it with a new update. I saw that and it was like, check please.

Ubuntu just casually gives us snapd, which takes simultaneous root access/encrypted network access to all new heights with it's attitude of "we'll read-and-write to your home directory anytime we like and no, you don't even need to know about it." Well, wow.

That said, apt like emerge has been supporting proxied access for awhile too.

Open source is a community of good people who can easily be infiltrated by bad people. A Linux user can't be too careful these days.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20583

PostPosted: Wed Jan 15, 2025 3:17 am    Post subject: Reply with quote

nokilli wrote:
What trade-offs are you willing to make to secure your system?
If I were a mirror administrator I'd sacrifice untested solutions in favor of those with known risks that have been exposed to scrutiny over a long period of time.

If I were concerned about Gentoo stealing my private data, I'd stop using it.
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 3:58 am    Post subject: Reply with quote

pjp wrote:
nokilli wrote:
What trade-offs are you willing to make to secure your system?
If I were a mirror administrator I'd sacrifice untested solutions in favor of those with known risks that have been exposed to scrutiny over a long period of time.

If I were concerned about Gentoo stealing my private data, I'd stop using it.


Are you the one paying for the mirror?

My concern is with a process, not Gentoo specifically. If I were concerned about Gentoo stealing my private data, I wouldn't have installed it on both workstation and server.

I have a process which lets me mitigate that threat that is both simple and effective, and Gentoo lets me achieve that, and to my knowledge, in a way that it alone is capable of. I don't think the rsync over nbd approach makes as much sense as for a binary distribution, but I could be wrong.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20583

PostPosted: Wed Jan 15, 2025 4:48 am    Post subject: Reply with quote

nokilli wrote:
Are you the one paying for the mirror?
That's an unclear question. If I'm signing the checks for the hardware, utilities, physical space, and labor, then I can assure you I'm not going to care about technical solution A vs B. What I'm going to care about are costs and risks. If I care enough about the mirror to donate any of that, "paying for the mirror" is unlikely to be a cost with which I am concerned. And I will be interested in who made a poor decision to use a solution that unnecessarily caused a security problem. Those are not inexpensive. Other US organizations don't "pay" for bandwidth (.gov, .edu, ?). If you meant something else, please clarify.

nokilli wrote:
My concern is with a process, not Gentoo specifically. If I were concerned about Gentoo stealing my private data, I wouldn't have installed it on both workstation and server.
I did see that you mentioned "package manager" generically, but then it seemed like you were focusing on Gentoo.

The process is interesting. Potentially even the general idea as a solution. I'd be curious to see test results from real world usage. I've considered trying nbd locally. But other comments in this thread make it sound less promising than it initially seemed. I also prefer less complexity, especially with PC-grade hardware.

nokilli wrote:
I have a process which lets me mitigate that threat that is both simple and effective, and Gentoo lets me achieve that, and to my knowledge, in a way that it alone is capable of. I don't think the rsync over nbd approach makes as much sense as for a binary distribution, but I could be wrong.
Maybe I'm misunderstanding. I thought you wanted Gentoo (and/or it's mirror partners) to provide these nbd devices. Otherwise I'm not sure why you couldn't use an nbd device with any other OS / distro if they offered it.

I guess I don't understand how having "private" access to distfiles differs from private access binaries provided by a distro.
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 5:32 am    Post subject: Reply with quote

There are two use cases and I am absolutely guilty of confusing the two, so let me try again.

Securely updating my system by using a read-only nbd server is something that can work on any distro, assuming they set it up that way.

Saving bandwidth by using a read-only nbd server is entirely different. We can do it because we have source tarballs and they are very efficiently updated from one version to the next by rsync over nbd.

So the way I see it, Gentoo is eligible for a win-win using nbd as an installation medium whereas the other distros only get a win.

I think you guys are misreading the general fatigue the computer-using community is feeling over the constant stream of exploits, esp. the ones they paid for with their own tax dollars. Because you have the skills, you don't perceive the threat in the same way? You can flip this bit or tweek a conf file and know you're secure. The rest of us maybe aren't so lucky.

Securing something by hitting it with a rock will appeal to many people.

pjp wrote:
I'd be curious to see test results from real world usage.

As one of the few users who has openly admitted to syncing the distfile directory to my local drive in the past (this was many years ago) I am willing to step up and attempt redemption. Can you help me get in touch with one of the providers you are using? AWS would let you do large transfers for free if it was within house; does your provider offer the same policy?

I'm working on a quality nbd server now in asyncio. The plan would be to copy as many (and older too) stage3 files as possible, then maintain a current copy of the distfiles directory with the caveat mentioned before that all tarballs be accompanied by their expanded equivalents, so people could explore the different emerge -u intensities. This could be run as a service that is exposed only to the developers, along with the patch to ebuild fetch replacing wget(?) with rsync. For your consideration.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 5:55 am    Post subject: Reply with quote

I'm calling it glut-master and it accepts a glut parameter which I can preview to elicit feedback.

Code:
gentoo $ glut-master --host monolith.gentoo.org --port 2001 --path /omg/its/so/big --glut "((1000,100),(4000,50),(7000,20))"


So you pass a tuple of tuples with two values each, a block count and a task count. We then create queues for each tuple. Whenever we're going to service a block request from the kernel, we get the number of blocks served so far to that client, then scan through the tuples and select the first value that is greater to that number, and put the request in the associated queue. The second number provides the number of clients we process for that queue in that iteration. There is an implicit final tuple of (Math.MAXINT, 1), which then processes the dd'rs one at a time per iteration.

So, in the example given, we are processing 171 tasks per iteration, giving high priority to people who are using the service responsibly (requested <1000 blocks thus far).

I feel this is better than using the heap as I intimated before. Maybe get to target a micro instance.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 11:44 am    Post subject: Reply with quote

When we're the block device, we can do things.

Like store metadata per block. When was the block written. When was the block last accessed.

How many times has the block been accessed.

We can create a file on the device we're hosting, and store the metadata there.

So look at what we can do:

If we see that a client is requesting a recent, frequently accessed block, we can expedite that request through our queuing system. This should be regarded as clearly legitimate use.

If we see that a client is requesting blocks that are not frequently accessed, or recently written, we might still expedite if the blocks' dates are closely related, as this too suggests legitimate use.

If we see that a client is requesting a never written block, we can put that request in the bulk queue.

It's kind of like we're simulating a cache, or maybe call it a smart cache.

Neddy got me thinking about CDROM filesystems. I bet they implemented some sort of file layout where gaps were deliberately introduced between the files in order to complicate bulk copy operations, right? The point being, we want to quickly detect dd use, and if the files are too closely packed, that might become difficult.

We can create a virtual block device that is so impossibly huge that the odds of randomly requesting a valid block are astronomical.

We are the block device and our client is the Linux kernel.

We are the block device and our client is the Linux kernel.

We are the block device and our client is the Linux kernel.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 11:50 am    Post subject: Reply with quote

Block knocking!

Want a way to grant preferred access to donors maybe or developers? Block knock!

Request a highly specific series of files created expressly for the purpose of authenticating with the block device.

Did I mention that we are the block device?

And the rumor has it, our client is the Linux kernel!
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10722
Location: Somewhere over Atlanta, Georgia

PostPosted: Wed Jan 15, 2025 1:28 pm    Post subject: Reply with quote

But these things ("...Like store metadata per block. When was the block written. When was the block last accessed. ...") appear to me to be equally possible (and mostly already implemented) with a mounted filesystem, albeit on the file level, but that's what you really care about, isn't it? I don't see what an MBD brings uniquely to the table. Plus when using an MBD all of the filesystem structure must be processed on the client, which means that more data will have to be delivered to the client as opposed to a mounted filesystem rather than less.

Regarding security, if the repository is secured (which it already is for some definition of that term: digital signatures against a Gentoo-managed key), then the distfiles are implicitly secured because the repository contains secure hashes of every source file.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54785
Location: 56N 3W

PostPosted: Wed Jan 15, 2025 1:57 pm    Post subject: Reply with quote

nokilli,

The only secure system is air gapped.
Anything else only increases the difficulty of an attack, not renders it impossible.

After you carry (sneakernet) data across the air gap, the data, or better yet, the device, must be destroyed to avoid data leakage.
You can have entire air gapped networks if needed too.

What price and inconvenience security?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 2:38 pm    Post subject: Reply with quote

John R. Graham wrote:
But these things ("...Like store metadata per block. When was the block written. When was the block last accessed. ...") appear to me to be equally possible (and mostly already implemented) with a mounted filesystem, albeit on the file level, but that's what you really care about, isn't it? I don't see what an MBD brings uniquely to the table. Plus when using an MBD all of the filesystem structure must be processed on the client, which means that more data will have to be delivered to the client as opposed to a mounted filesystem rather than less.

Regarding security, if the repository is secured (which it already is for some definition of that term: digital signatures against a Gentoo-managed key), then the distfiles are implicitly secured because the repository contains secure hashes of every source file.

- John


If I want to update foobar-1.2.3 to foobar-1.2.4, I need to download the whole foobar-1.2.4.tar.bz2. Even if the difference is only one file, I gotta do it. Even if the package is huge and the file I need to update is tiny.

You've got a distfiles directory that's on all of the mirrors you can access via http that holds all of the tarballs and crates. I suppose that if for every distfile, there was also a link to a directory tree representing the associated tarballs contents, you could let users pick out which files they need to download to update their package. But that's really hard, right? And HTTP has GET, POST, PUT, DELETE, it has some good stuff, but it doesn't have SYNC. And how could it, since it needs to accept as input the entire other tree in order to know what's different, and how on Earth could you do that? A big json file?

The beauty of the NBD is that we can use the rsync utility with most any file system we mount atop of it, and using the rsync that sits in the user's /usr/bin. It takes care of inputting the other tree, it does all of the work. We can have distfiles sit on an NBD volume and make sure that every tarball is also accompanied by its source tree, and so when the user does the rsync from the NBD volume to his local package tree he is only downloading that one tiny file.

Show me another way of doing that! Only one file changes, and then the user only downloads that one file. Show me that protocol.

That protocol is rsync. But how to make it work over the Internet? rsync works over ssh. But then everybody is logging in via ssh. You could do that. It would solve the abuse problem for sure. You already have infrastructure I suppose to handle that in a way with the website. But you're not, and that's good, because we all know that it's at least ridiculous, if not a nightmare.

And so if you're not going to do that, the only other way I can see of supporting rsync over the Internet is by running it against an NBD volume. No accounts. No authentication. Anybody can download any block without permission. We do the work to make it work even though it's public-facing (every other NBD implementation I can find isn't.)

With rsync over ssh, you're definitely turning on the fan on the server. With rsync over nbd it doesn't even really know what's going on, since the user's computer is doing all of the processing. The server only needs bandwidth, and because we're letting the user just download the one tiny little file (best case situation, your results may vary), it doesn't need a lot.

--

Look at all of the inversions. My head is still spinning. The Linux kernel is the client. We are the block device. If you're experiencing motion sickness, I can hook you up with a guy who sell anti-emetics.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 4:09 pm    Post subject: Reply with quote

NeddySeagoon wrote:
nokilli,

The only secure system is air gapped.
Anything else only increases the difficulty of an attack, not renders it impossible.

After you carry (sneakernet) data across the air gap, the data, or better yet, the device, must be destroyed to avoid data leakage.
You can have entire air gapped networks if needed too.

What price and inconvenience security?

You can mount a nbd volume as rw from one machine, then write to it, then umount. And remount ro from another machine. No different than the sneakernet device, except for the fact that destroying the nbd volume is cheap.

See how the network block device is already saving you some serious cash?

BTW, that was real read-only. Why? Because we are the block device. We can assert with 100% confidence that no writes will ever be performed against our read device. You weren't able to do that with your USB stick so that's why you had to destroy it.

---

What do you see as the attack against a system that is listening on no ports and has only the one TCP connection that is made to a read-only nbd server and that is using the Linux kernel as its client? How do good bytes get out? How do bad bytes get in?
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1467
Location: Richmond Hill, Canada

PostPosted: Wed Jan 15, 2025 4:29 pm    Post subject: Reply with quote

If you unaware of man in the middle, your threat model is incomplete. If your nbd client is kernel you just invite attack directly into your kernel space.
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Wed Jan 15, 2025 4:51 pm    Post subject: Reply with quote

pingtoo wrote:
If you unaware of man in the middle, your threat model is incomplete.

I had earlier recommended hosting /var/db/repos/gentoo this way too. Everybody hated that and I see now that they're right because it was dumb.

The portage tree standing to the side of all of this is what makes my threat model complete.

Because at the end of the day, whatever it is we end up presenting to portage as a tarball has to verify as being from upstream.

So what is the threat posed by MiTM to a package management system? That packages are corrupted in transit but installed regardless.

Is that going to be possible if the user possesses a correct and complete portage tree?

pingtoo wrote:
If your nbd client is kernel you just invite attack directly into your kernel space.

We are the block device. The kernel is our client.

Are we going to attack the user's kernel?

Our kernel has nothing to do with any of this lol (you know what I mean.)
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
pingtoo
Veteran
Veteran


Joined: 10 Sep 2021
Posts: 1467
Location: Richmond Hill, Canada

PostPosted: Wed Jan 15, 2025 5:49 pm    Post subject: Reply with quote

nokilli wrote:
pingtoo wrote:
If you unaware of man in the middle, your threat model is incomplete.

I had earlier recommended hosting /var/db/repos/gentoo this way too. Everybody hated that and I see now that they're right because it was dumb.

The portage tree standing to the side of all of this is what makes my threat model complete.

Because at the end of the day, whatever it is we end up presenting to portage as a tarball has to verify as being from upstream.

So what is the threat posed by MiTM to a package management system? That packages are corrupted in transit but installed regardless.

Is that going to be possible if the user possesses a correct and complete portage tree?

pingtoo wrote:
If your nbd client is kernel you just invite attack directly into your kernel space.

We are the block device. The kernel is our client.

Are we going to attack the user's kernel?

Our kernel has nothing to do with any of this lol (you know what I mean.)


If unaware of there is man in the middle and use kernel as nbd client than any security done at operating system are lost.

the middle have opportunity to control anything kernel can do (read/write file content, execute new process without visibility).

I am under impression your main concern are about privacy. Do you worry the middle man can do/see any thing you stored on your computer?

Why you state "kernel has nothing to do with any of this"? isn't that you said "The Linux kernel is the client, We are the block device"?

Who are we in "Are we going to attack the user's kernel"?

Are you aware when running nbd-client the program just initiate kernel to contact remote nbd server? the nbd-client program does not perform any I/O for the connected NBD device.
Back to top
View user's profile Send private message
NeddySeagoon
Administrator
Administrator


Joined: 05 Jul 2003
Posts: 54785
Location: 56N 3W

PostPosted: Wed Jan 15, 2025 6:43 pm    Post subject: Reply with quote

nokilli,

You assume logically correct, bug free software. The real world isn't like that.

CAR (Tony) Hoare wrote:
There are two ways of constructing a software design: One way is to make it so simple that there are obviously no deficiencies, and the other way is to make it so complicated that there are no obvious deficiencies. The first method is far more difficult.

_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20583

PostPosted: Wed Jan 15, 2025 6:56 pm    Post subject: Reply with quote

nokilli wrote:
I think you guys are misreading the general fatigue the computer-using community is feeling over the constant stream of exploits, esp. the ones they paid for with their own tax dollars. Because you have the skills, you don't perceive the threat in the same way? You can flip this bit or tweek a conf file and know you're secure. The rest of us maybe aren't so lucky.

Securing something by hitting it with a rock will appeal to many people.
The only bits I flip are comparable to your analogy of hitting things with a rock. I don't do anything meaningful online. I don't use apps on my phone. I block javascriopt by default. How many of the fatigued users you describe are willing to do that?

Of the threats to be concerned with, I just don't see Linux package managers as being a concern. If you were somehow obligated to use RedHat or Canonical, or some obscure distro, I'd understand more.

nokilli wrote:
Can you help me get in touch with one of the providers you are using? AWS would let you do large transfers for free if it was within house; does your provider offer the same policy?
I don't use any providers. Do any charge for uploads? I thought they charged for CPU and data egress.

You could start on your own LAN, depending on hardware. Minimal VMs that mount the nbd device and try to access the data. Delete the files after they've been copied / cached and continue. How does the server handle the load? How is performance for the client? Add a 2nd VM, etc. up to however many you can. If you can do that and demonstrate usability, maybe someone with more hardware would extend the test.

nokilli wrote:
I'm working on a quality nbd server now in asyncio.
I have no idea what that is, but good luck!
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
pjp
Administrator
Administrator


Joined: 16 Apr 2002
Posts: 20583

PostPosted: Wed Jan 15, 2025 7:21 pm    Post subject: Reply with quote

nokilli wrote:
There is an implicit final tuple of (Math.MAXINT, 1),
Presuming search results are correct, that's a go-ism.

nokilli wrote:
We can create a virtual block device that is so impossibly huge that the odds of randomly requesting a valid block are astronomical.

We are the block device and our client is the Linux kernel.

We are the block device and our client is the Linux kernel.

We are the block device and our client is the Linux kernel.
You seem to be excited about the project. That's great. But I don't see how you're solving your original problem. Because now I have some go middlewware in the mix.

Nevertheless, I'd still be curious to see performance results on your LAN compared to similar results with rsync or git.
_________________
Quis separabit? Quo animo?
Back to top
View user's profile Send private message
nokilli
Apprentice
Apprentice


Joined: 25 Feb 2004
Posts: 237

PostPosted: Thu Jan 16, 2025 2:58 am    Post subject: Reply with quote

pjp wrote:
But I don't see how you're solving your original problem.


My original problem is even easier now that the patch ebuild fetch eliminates the need for caching.

I mount the Gentoo NBD block device on my home server. I then simply turn around and serve that very same block device to the workstation.

It's as if the emerge takes place locally on my workstation. That means my workstation is hosting its own local copy of distfiles, yes, but I call that a feature and not a bug. I do have the read-only nfs distfiles I am currently using that's hosted on the home server, but I don't want to make it rw because I'm hitting everything with rocks.

If ebuild fetch could consult a list of directories when attempting to satisfy the tarball dependency, this could help enormously. My emerge could then opportunistically first try the local distfile cache, and then the read-only nfs distfile share on my home server, before reaching out to the Gentoo NBD server.

Also, wow, what about people who don't have home servers? You're doing Gentoo on the one laptop. I've been there. Exciting times.

Well, the laptop is connecting to the Internet, true, but in about as constrained a fashion as is imaginable. The NBD protocol is binary, it's fixed-lengths throughout, you can't overflow a buffer and grab yourself a console (can you?) because malformed requests are simply ignored.

Does anyone know whether it would be possible to instruct the kernel to ignore ALL networking EXCEPT for its own NBD client streams? It would be like a firewall sitting above the firewall.

So imagine the luxury of this. You're in the cafe and you want to install/update some packages. So you reboot into this other kernel I just described that can ONLY connect over NBD. You mount the Gentoo NBD drive on your system. It's gigs and gigs and gigs and you can do emerges to your heart's content (of course while respecting Gentoo's bandwidth concerns.) Got everything the way you like it? Reboot back into the regular kernel and go back to using your laptop.

You're suffering the reboot for the security achieved by managing your system in such a wonderful environment.

Honestly, there's tear in my eyes.
_________________
We are the block device. The kernel is our client.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Gentoo Chat All times are GMT
Goto page Previous  1, 2, 3  Next
Page 2 of 3

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum