@JWBananas

JWBananas@startrek.website · 9 months ago

They do. By default the system partition is straight up mounted read-only.

JWBananas@startrek.website · 9 months ago

Is that… ICQ? Why?

JWBananas@startrek.website · 10 months ago

systemctl disable systemd-critic.service

JWBananas@startrek.website · 10 months ago

Systemd-init, the core part of systemd, offersa wide range of features surpassing other init systems. More features lead to more bugs and security vulnerabilities.

This is a bad take. Many of systemd’s features improve security significantly. And having all that code in one cohesive place can’t possibly be inherently less secure than the cornucopia of init scripts we used to use.

JWBananas@startrek.website · 11 months ago

They do. Even back in their pre-UEFI days, it was possible to flash BIOS from a properly-formatted USB drive by holding down a magic key combination at power on. But it was not exactly publicized as a supported method.

JWBananas@startrek.website · 11 months ago

deleted by creator

JWBananas@startrek.website · 1 year ago

It can be a big issue. The newest release offers some improvements.

https://devblogs.microsoft.com/commandline/windows-subsystem-for-linux-september-2023-update/

JWBananas@startrek.website · 1 year ago

Oh and the aqueducts!

The ones we’re investing tons of money to replace to remove the lead?

JWBananas@startrek.website · 1 year ago

You basically just made the case for exactly why.

Programs should be using the system resolver, not parsing that file.

The system resolver should have predictable behavior. But if other programs are doing their own DNS resolution (or otherwise predicating their functionality) based directly on the contents of resolv.conf then their behavior will not always be consistent with the system resolver (or with how the sysadmin intended things to function).

And that can break things in subtle, unpredictable ways, which is always a headache.

Thus, on some modern systems, resolv.conf simply declares the local systemd-resolved instance (i.e. 127.0.0.1) and nothing else.

A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace. Want to ensure DNS lookups for specific apps occur only through your VPN-specific DNS servers but all other apps only use the normal system resolvers (i.e. no leaking from either side of the divide)? Want to also ensure DNS lookups for those specific apps fail when the VPN is down (again, as opposed to leaking)? systemd-resolved has your back.

And before anyone asks, yes, I am aware there are other, more crude and convoluted ways to do that with e.g. iptables (just like you can use crude, inconsistent init.d spaghetti scripts to manage services). It’s just one single real-world example.

A single global resolv.conf file also will not let you configure different behavior based on interface or on network namespace.

The point is to configure everything using consistent, predictable configuration files and syntax, and to ensure consistent, predictable behavior.

But if you ultimately still want resolv.conf.d back, then your distro of choice undoubtedly provides a way to do so.

JWBananas@startrek.website · 1 year ago

Cloud-init is fairly well documented:

https://cloudinit.readthedocs.io/en/latest/reference/network-config-format-v2.html#nameservers-mapping

But if you do not need it (and if you’re configuring DNS by hand, it doesn’t sound like you do), you can disable it entirely:

https://cloudinit.readthedocs.io/en/latest/howto/disable_cloud_init.html

resolv.conf itself should be managed by systemd-resolved on any modern Ubuntu Server release. And that service will use the DNS settings provided by netplan.

With cloud-init disabled, you should have the freedom to create/edit configuration files in /etc/netplan and apply changes with netplan apply.