sig-security
mkosi
| | sig-security | mkosi |
|---|---|---|
| Mentions | 21 | 16 |
| Stars | 1,944 | 1,042 |
| Growth | 2.1% | 3.7% |
| Activity | 9.7 | 9.9 |
| Latest Commit | 2 days ago | 2 days ago |
| Primary Language | HTML | Python |
| License | GNU General Public License v3.0 or later | GNU Lesser General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
sig-security
- Introduction to the Kubernetes ecosystem
It is also interesting to meet the community: the TAGs (Tech Advisor Group), which provide strategic guidance and advice on technical issues, as well as the SIGs (Special Interest Group), which focus on areas of interest or specific expertise within the Kubernetes community to drive development and innovation. The TAGs are specialized by area, for example security or environmental sustainability.
- Practicing Threat Modeling to Assess and Fortify Open Source Security [pdf]
- Cloud Native Applications - Part 2: Security
Cloud Native Security Whitepaper
- Does Kubernetes support SELinux?
As Daniel Walsh himself wrote in a blog post, CRI-O integrates very well with SELinux and prevents dangerous actions like a container loading an old, unmaintained and therefore potentially vulnerable kernel module and breaking out of the isolation. Additionally, the Kubernetes API itself contains resources to specifically configure SELinux labels for containers. Doesn't sound like something they would do for a tool that "doesn't work with Kubernetes", according to some. Also, the CNCF security whitepaper mentions SELinux as a tool that can be used to provide isolation and limit privileges, which is as much as we could expect from a high-level, architecturally-minded document.
- Cloud Native Security Whitepaper v2
- Cloud Native Security Whitepaper [pdf]
- Catalog of Supply Chain Compromises
- tag-security/supply-chain-security/compromises at main · cncf/tag-security
- supply-chain-security - Catalog of Supply Chain Compromises
mkosi
- Build Initramfs Rootless
- Building minimal GNU/Linux operating system images using Systemd Mkosi
I work with a free and open-source software community called Fedora Project. I had the opportunity to moderate the talk of one of the maintainers of the Systemd suite during the annual contributor conference, Flock To Fedora 2023, where he talked about a tool named Mkosi.
- Mkosi: Build Bespoke OS Images
- Seamlessly run other Linux distributions inside your terminal
For testing I prefer systemd-nspawn containers with mkosi. A neat tool for running your other fav. distro in a terminal. Works like a charm and integrates nicely in your system, e.g. logs and systemd services or CI testing.
- https://github.com/systemd/mkosi
- man:systemd-nspawn(1)
- man:machinectl(1)
- Bootable Live USB (Debian)
you're gonna have to build this on an x86 PC.
sudo dnf install arch-install-scripts bubblewrap gdisk qemu-user-static rsync systemd-container
python3 -m pip install --user git+https://github.com/systemd/mkosi.git
git clone https://github.com/leifliddy/asahi-fedora-usb.git
cd asahi-fedora-usb
- LAPAS: The story of how I made a distribution for LanPartyServers
There's also mkosi: https://github.com/systemd/mkosi. This one outputs an iso or similar image file and supports many base distributions.
- systemd /boot/loader/entries/[entry].conf title default
[1] https://github.com/systemd/mkosi/issues/376
- Crafting container images without Dockerfiles
Systemd's mkosi is worth checking out too: https://github.com/systemd/mkosi I don't think it generates docker/OCI images directly, but it definitely can generate a tarball of the final image contents and then crane or a similar tool could package it up into an appropriate image. For just docker usage it's probably overkill; the main advantage would be it can build other image types like adding a kernel and init to be a fully bootable ISO or VM image.
- Rocket.Chat🚀+ Constellation💫 = most secure chat server ever (?!)
Constellation ensures that all K8s nodes run on AMD-based Confidential VMs (CVMs). CVMs are strongly isolated from the host and remain encrypted in memory at runtime. Constellation also ensures that all nodes run the same minimal mkosi-based node image.
- AtomsDevs/Atoms - Easily manage Linux Chroot(s) and Containers
At first glance I thought your project is a frontend for mkosi but then I saw that you support non-systemd targets too. Mentioning it here because it may be relevant to other users/developers.
What are some alternatives?
cool-system - The Cloud Optimized Operational Lab (COOL) system
ostree - Operating system and container binary deployment and upgrades
slsa - Supply-chain Levels for Software Artifacts
efiboots - Manage EFI boot loader entries with this simple GUI
spack - A flexible package manager that supports multiple versions, configurations, platforms, and compilers.
btdu - sampling disk usage profiler for btrfs
badPods - A collection of manifests that will create pods with elevated privileges.
dnfdragora - dnfdragora is a dnf frontend based on libyui abstraction
cyclonedx-gomod - Creates CycloneDX Software Bill of Materials (SBOM) from Go modules
nvidia-auto-installer-for-fedora-linux - A CLI tool which lets you install proprietary NVIDIA drivers and much more easily on Fedora Linux (32 or above and Rawhide)
sample-tf-opa-policies
arch-btrfs - My Linux PC Config