DevSensationhttps://avisiedo.github.io/blog/2026-03-16T21:04:00+01:00Disabling application in macOS2026-03-16T21:04:00+01:002026-03-16T21:04:00+01:00Alejandro Visiedotag:avisiedo.github.io,2026-03-16:/blog/disabling-application-in-macos.html<p>Disabling applications to reduce surface attacks.</p><h1>Disabling application in macOS</h1>
<p>In macOS systems I would like to totally disable some
applications which have been in focus because of
security flaws, such as FaceTime, Messages and Phone.
Personally I do not use any of them, and that makes me
think, why not reduce the attack surface by preventing them from
being executed?</p>
<h2>Searching information about .mobileconfig</h2>
<p>It has been very tough to find information about
.mobileconfig examples to disable those applications.
Indeed I am surprised that AI could help me more than
trying to find specific information, because it used to
be the scenario where AI starts to hallucinate.</p>
<h2>What I found</h2>
<p>I found an example in an AI prompt which was showing
the example below (it was extending even for Chess.app;
which indeed is not used normally).</p>
<div class="highlight"><pre><span></span><code><span class="cp"><?xml version="1.0" encoding="UTF-8"?></span>
<span class="cp"><!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"&gt;</span>
<span class="cp"><plist version="1.0"></span>
<span class="nt"><dict></span>
<span class="w"> </span><span class="nt"><key></span>PayloadIdentifier<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>com.company.mcx.blockapps<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadRemovalDisallowed<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><true/></span>
<span class="w"> </span><span class="nt"><key></span>PayloadScope<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>System<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadType<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>Configuration<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadUUID<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>9c24d6b3-6233-4a08-a48d-9068f4f76cf0<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadOrganization<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>Company<span class="w"> </span>Name<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadVersion<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><integer></span>1<span class="nt"></integer></span>
<span class="w"> </span><span class="nt"><key></span>PayloadDisplayName<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>Application<span class="w"> </span>Restrictions<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadContent<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><array></span>
<span class="w"> </span><span class="nt"><dict></span>
<span class="w"> </span><span class="nt"><key></span>PayloadType<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>com.apple.applicationaccess.new<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadVersion<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><integer></span>1<span class="nt"></integer></span>
<span class="w"> </span><span class="nt"><key></span>PayloadIdentifier<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>MCXToProfile.9c24d6b3-6233-4a08-a48d-9068f4f76cf0.alacarte.customsettings.2476221c-1870-4f3e-8c52-52386029c4cf<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadEnabled<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><true/></span>
<span class="w"> </span><span class="nt"><key></span>PayloadUUID<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>2476221c-1870-4f3e-8c52-52386029c4cf<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>PayloadDisplayName<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><string></span>Block<span class="w"> </span>Specified<span class="w"> </span>Applications<span class="w"> </span>From<span class="w"> </span>Launching<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><key></span>familyControlsEnabled<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><true/></span>
<span class="w"> </span><span class="nt"><key></span>pathBlackList<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><array></span>
<span class="w"> </span><span class="nt"><string></span>/Applications/FaceTime.app/<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><string></span>/Applications/Phone.app/<span class="nt"></string></span>
<span class="w"> </span><span class="nt"><string></span>/Applications/Messages.app/<span class="nt"></string></span>
<span class="w"> </span><span class="nt"></array></span>
<span class="w"> </span><span class="nt"><key></span>pathWhiteList<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><array></span>
<span class="w"> </span><span class="nt"><string></span>/<span class="nt"></string></span>
<span class="w"> </span><span class="nt"></array></span>
<span class="w"> </span><span class="nt"><key></span>whiteList<span class="nt"></key></span>
<span class="w"> </span><span class="nt"><array></span>
<span class="w"> </span><span class="nt"></array></span>
<span class="w"> </span><span class="nt"></dict></span>
<span class="w"> </span><span class="nt"></array></span>
<span class="nt"></dict></span>
<span class="nt"></plist></span>
</code></pre></div>
<p>I tried a few examples before validating this one, and the result
seems to be good. The important part is <code>pathBlackList</code> and
<code>pathWhiteList</code>. On the first we specify the path to the applications
we want to avoid executing; the second is a whitelist for
well-known applications. I am against the second, because it
is too broad, and I prefer the system, so in my personal
<code>.mobileconfig</code> I have removed the <code>pathWhiteList</code> section.</p>
<blockquote>
<p>BE AWARE that sometimes after applying the .mobileconfig and
accepting the file had to be installed, I did not get the
message forbidding the launch of the applications.
<strong>After a reboot, the profile works as expected</strong>.</p>
</blockquote>
<h2>Wrap up!</h2>
<p>We have seen an example of disabling macOS applications to reduce
the attack surface on them, by using deny lists and allow lists.</p>
<p>Hope this helps!
Cheers!</p>Customizing shell on macOS2026-03-06T08:17:00+01:002026-03-06T08:17:00+01:00Alejandro Visiedotag:avisiedo.github.io,2026-03-06:/blog/customizing-shell-on-macos.html<p>A macOS shell customization for developers</p><h1>Customizing shell on macOS</h1>
<p>I use to develop on Linux systems, but I do from a VM, and I was wondering how
to customize in similar way for zsh in macOS. If you want to set up a shell
environment similar to Linux using powerline, this article is for you.</p>
<p>The contents are the below:</p>
<ul>
<li>Installing "0xProto nerd fonts mono".</li>
<li>Custom prompt by using starship.</li>
</ul>
<blockquote>
<p><strong>Pre-requisites</strong>: brew is installed in your system</p>
</blockquote>
<h2>Installing "0xProto nerd fonts mono"</h2>
<p>This font or another font for developing is necessary to print out properly the
prompt. Below are the steps to install the font in the system.</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Download font</span>
curl<span class="w"> </span>-L<span class="w"> </span>-O<span class="w"> </span><span class="s2">"https://github.com/ryanoasis/nerd-fonts/releases/download/v3.4.0/0xProto.zip"</span>
<span class="c1"># unpack the fonts at 0xProto/ directory</span>
unzip<span class="w"> </span>0xProto.zip<span class="w"> </span>-d<span class="w"> </span>0xProto
<span class="c1"># Install the fonts in the system</span>
cp<span class="w"> </span>-vf<span class="w"> </span>0xProto/*.ttf<span class="w"> </span>~/Library/Fonts
<span class="c1"># Reboot if you don't see the new fonts</span>
</code></pre></div>
<p>Additionally I added the font to my VSCode IDE, so the embedded terminal
experience is the same as my system terminal.</p>
<ol>
<li>Open the VSCode settings.</li>
<li>Select User tab.</li>
<li>Search for 'Text Editor > Font : Font Family'</li>
<li>Add at the beginning: "0xProto Nerd Font Mono"</li>
</ol>
<h2>Custom prompt by using starship</h2>
<ul>
<li>
<p>Install starship by: <code>brew install starship</code></p>
</li>
<li>
<p>Configure your starship by:
<code>starship preset gruvbox-rainbow -o ~/.config/starship.toml</code></p>
</li>
<li>
<p>Now we want to make effective the prompt configuration so we add the below
to our .zshrc file or similar. In my case I have <code>.profile.d/starship.zsh</code>
that is included from the <code>.zshrc</code> file:</p>
</li>
</ul>
<p><code>sh
if command -v starship &>/dev/null; then
if tty -s &>/dev/null; then
source <(starship init zsh)
fi
fi</code></p>
<ul>
<li>Finally, close your terminal, and re-open again, and you will see your prompt
shell customized.</li>
</ul>
<h2>Wrap up!</h2>
<p>To have a prompt that display useful information for the developer is important
to avoid human mistakes, and already is cool to have a prompt shell that display
such information.</p>
<p>Hope this help!</p>
<p>See you on the next article!</p>Run windows powershell scripts2026-02-13T10:00:00+01:002026-02-13T10:00:00+01:00Alejandro Visiedotag:avisiedo.github.io,2026-02-13:/blog/run-windows-powershell-scripts.html<p>Hot to get your $PROFILE signed and running</p><h1>Run windows powershell scripts</h1>
<p>I have not used windows from a while, and several things that I use to do in
Linux systems, are different in Windows. One of this things are customize my
Windows terminal session by using an init script ($PROFILE) so I can define
useful aliases (or functions in this case). But when I tried to use $PROFILE
I realized that to allow it I had to degrade the <code>ExecutionPolicy</code> to be
extremaly permissive, and setting the <code>Scope</code> to the <code>Process</code>, everytime I
open a terminal, is tedious. So I have tried to sign my script so the
<code>ExecutionPolicy</code> can be set to <code>AllSigned</code> and do not loose too much on the
security levels. The steps could breakdown as below:</p>
<ul>
<li>Define the initial content for the <code>$PROFILE</code> file.</li>
<li>Create a self-signed certificate.</li>
<li>Sign the <code>$PROFILE</code> file.</li>
<li>Verify we can run <code>$PROFILE</code> with no issues, and the function <code>dotfiles</code> is
available.</li>
</ul>
<h2>Define the initial content</h2>
<p>The initial $PROFILE content is only the below content (once it works we can
add whatever we could need).</p>
<div class="highlight"><pre><span></span><code><span class="k">function</span> <span class="n">dotfiles</span> <span class="p">{</span>
<span class="n">git</span> <span class="p">-</span><span class="n">-git-dir</span><span class="p">=</span><span class="s2">"$HOME/.dotfiles/"</span> <span class="p">-</span><span class="n">-work-tree</span><span class="p">=</span><span class="s2">"$HOME"</span> <span class="nv">@args</span>
<span class="p">}</span>
</code></pre></div>
<h2>Create a self-signed certificate</h2>
<p>We have to create a self-signed certificate, store it in our local
certificate storage (no system, so no privileges are needed).</p>
<div class="highlight"><pre><span></span><code><span class="nv">$certName</span> <span class="p">=</span> <span class="s2">"Alejandro Visiedo"</span>
<span class="nv">$dnsName</span> <span class="p">=</span> <span class="s2">"PowerShellLocal"</span>
<span class="nv">$cert</span> <span class="p">=</span> <span class="nb">New-SelfSignedCertificate</span> <span class="n">-Type</span> <span class="n">CodeSigningCert</span> <span class="p">`</span>
<span class="n">-Subject</span> <span class="s2">"CN=$certName"</span> <span class="p">`</span>
<span class="n">-DnsName</span> <span class="nv">$dnsName</span> <span class="p">`</span>
<span class="n">-CertStoreLocation</span> <span class="s2">"Cert:\CurrentUser\My"</span> <span class="p">`</span>
<span class="n">-NotAfter</span> <span class="p">(</span><span class="nb">Get-Date</span><span class="p">).</span><span class="n">AddYears</span><span class="p">(</span><span class="n">5</span><span class="p">)</span> <span class="p">`</span>
<span class="n">-KeyExportPolicy</span> <span class="n">NonExportable</span>
</code></pre></div>
<ul>
<li><code>-Type CodeSigningCert</code>: We indicate we want a certificate to sign code as
we want to sign our scripts.</li>
<li><code>-Subject "CN=$certName"</code>: We inform the value for the Subject of the
certificate. As it is a self-signed, this value will be used to for the
<code>-Issuer</code>.</li>
<li><code>-DnsName $dnsName</code>: This value is not importante, just using a common
value that is broadly used. It is important on the scope of TLS
certificates.</li>
<li><code>-CertStoreLocation "Cert:\CurrentUser\My"</code>: Indicate the store where the
certificates and key pair will be stored. As we are using the user store,
we don't need elevate privileges.</li>
<li><code>-NotAfter (Get-Date).AddYears(5)</code>: The certificate will outdate in five
years.</li>
<li><code>-KeyExportPolicy NonExportable</code>: This argument indicate that the key stored
are not exportable.</li>
</ul>
<blockquote>
<p>We can check the certificate by running <code>certmgr.msc</code></p>
</blockquote>
<p>And now configure the trust on the new certificate by:</p>
<div class="highlight"><pre><span></span><code><span class="nv">$stores</span> <span class="p">=</span> <span class="s2">"Root"</span><span class="p">,</span> <span class="s2">"TrustedPublisher"</span>
<span class="k">foreach</span> <span class="p">(</span><span class="nv">$storeName</span> <span class="k">in</span> <span class="nv">$stores</span><span class="p">)</span> <span class="p">{</span>
<span class="nv">$store</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">Security</span><span class="p">.</span><span class="n">Cryptography</span><span class="p">.</span><span class="n">X509Certificates</span><span class="p">.</span><span class="n">X509Store</span><span class="p">(</span><span class="nv">$storeName</span><span class="p">,</span> <span class="s2">"CurrentUser"</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Open</span><span class="p">(</span><span class="s2">"ReadWrite"</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Add</span><span class="p">(</span><span class="nv">$cert</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="nb">Write-Host</span> <span class="s2">"Added to: $storeName"</span>
<span class="p">}</span>
</code></pre></div>
<h2>Sign the <code>$PROFILE</code> file</h2>
<div class="highlight"><pre><span></span><code><span class="k">if</span> <span class="p">(!(</span><span class="nb">Test-Path</span> <span class="nv">$PROFILE</span><span class="p">))</span> <span class="p">{</span>
<span class="nb">New-Item</span> <span class="n">-Path</span> <span class="nv">$PROFILE</span> <span class="n">-Type</span> <span class="n">File</span> <span class="n">-Force</span>
<span class="nb">Add-Content</span> <span class="nv">$PROFILE</span> <span class="s2">"# File $PROFILE signed"</span>
<span class="p">}</span>
<span class="nv">$status</span> <span class="p">=</span> <span class="nb">Set-AuthenticodeSignature</span> <span class="n">-FilePath</span> <span class="nv">$PROFILE</span> <span class="n">-Certificate</span> <span class="nv">$cert</span>
<span class="nv">$status</span><span class="p">.</span><span class="n">Status</span>
</code></pre></div>
<h2>Verify</h2>
<div class="highlight"><pre><span></span><code><span class="nb">Get-AuthenticodeSignature</span> <span class="nv">$PROFILE</span> <span class="p">|</span> <span class="nb">Select-Object</span> <span class="n">Path</span><span class="p">,</span> <span class="n">Status</span><span class="p">,</span> <span class="n">Hash</span>
</code></pre></div>
<h2>Final script</h2>
<p>Before to enable $PROFILE you have to run:</p>
<div class="highlight"><pre><span></span><code><span class="nb">Set-ExecutionPolicy</span> <span class="n">-Scope</span> <span class="n">CurrentUser</span> <span class="n">-ExecutionPolicy</span> <span class="n">AllSigned</span>
</code></pre></div>
<p>As we can see, we shrink the scope to the current user only, and the execution
policy will be applied to all signed scripts.</p>
<p>Any script from other user that we don't trust or not signed scripts
will be rejected its execution.</p>
<p>Finally all the above together could be joined in the script below:</p>
<div class="highlight"><pre><span></span><code><span class="c"># 1. Configure names</span>
<span class="nv">$certName</span> <span class="p">=</span> <span class="s2">"Alejandro Visiedo"</span>
<span class="nv">$dnsName</span> <span class="p">=</span> <span class="s2">"PowerShellLocal"</span>
<span class="nb">Write-Host</span> <span class="s2">"--- Generating Certificate ---"</span> <span class="n">-ForegroundColor</span> <span class="n">Yellow</span>
<span class="nv">$cert</span> <span class="p">=</span> <span class="nb">New-SelfSignedCertificate</span> <span class="n">-Type</span> <span class="n">CodeSigningCert</span> <span class="p">`</span>
<span class="n">-Subject</span> <span class="s2">"CN=$certName"</span> <span class="p">`</span>
<span class="n">-DnsName</span> <span class="nv">$dnsName</span> <span class="p">`</span>
<span class="n">-CertStoreLocation</span> <span class="s2">"Cert:\CurrentUser\My"</span> <span class="p">`</span>
<span class="n">-NotAfter</span> <span class="p">(</span><span class="nb">Get-Date</span><span class="p">).</span><span class="n">AddYears</span><span class="p">(</span><span class="n">5</span><span class="p">)</span> <span class="p">`</span>
<span class="n">-KeyExportPolicy</span> <span class="n">NonExportable</span>
<span class="nb">Write-Host</span> <span class="s2">"Certificate create with Thumbprint: </span><span class="p">$(</span><span class="nv">$cert</span><span class="p">.</span><span class="n">Thumbprint</span><span class="p">)</span><span class="s2">"</span>
<span class="c"># 2. Trust on the certificate (Move to root and trusted editors)</span>
<span class="nb">Write-Host</span> <span class="s2">"--- Configuring trust ---"</span> <span class="n">-ForegroundColor</span> <span class="n">Yellow</span>
<span class="nv">$stores</span> <span class="p">=</span> <span class="s2">"Root"</span><span class="p">,</span> <span class="s2">"TrustedPublisher"</span>
<span class="k">foreach</span> <span class="p">(</span><span class="nv">$storeName</span> <span class="k">in</span> <span class="nv">$stores</span><span class="p">)</span> <span class="p">{</span>
<span class="nv">$store</span> <span class="p">=</span> <span class="nb">New-Object</span> <span class="n">System</span><span class="p">.</span><span class="n">Security</span><span class="p">.</span><span class="n">Cryptography</span><span class="p">.</span><span class="n">X509Certificates</span><span class="p">.</span><span class="n">X509Store</span><span class="p">(</span><span class="nv">$storeName</span><span class="p">,</span> <span class="s2">"CurrentUser"</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Open</span><span class="p">(</span><span class="s2">"ReadWrite"</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Add</span><span class="p">(</span><span class="nv">$cert</span><span class="p">)</span>
<span class="nv">$store</span><span class="p">.</span><span class="n">Close</span><span class="p">()</span>
<span class="nb">Write-Host</span> <span class="s2">"Added to: $storeName"</span>
<span class="p">}</span>
<span class="c"># 3. Sign $PROFILE</span>
<span class="nb">Write-Host</span> <span class="s2">"--- Signing $PROFILE ---"</span> <span class="n">-ForegroundColor</span> <span class="n">Yellow</span>
<span class="k">if</span> <span class="p">(!(</span><span class="nb">Test-Path</span> <span class="nv">$PROFILE</span><span class="p">))</span> <span class="p">{</span>
<span class="nb">New-Item</span> <span class="n">-Path</span> <span class="nv">$PROFILE</span> <span class="n">-Type</span> <span class="n">File</span> <span class="n">-Force</span>
<span class="nb">Add-Content</span> <span class="nv">$PROFILE</span> <span class="s2">"# File $PROFILE signed"</span>
<span class="p">}</span>
<span class="nv">$status</span> <span class="p">=</span> <span class="nb">Set-AuthenticodeSignature</span> <span class="n">-FilePath</span> <span class="nv">$PROFILE</span> <span class="n">-Certificate</span> <span class="nv">$cert</span>
<span class="nv">$status</span><span class="p">.</span><span class="n">Status</span>
<span class="nb">Write-Host</span> <span class="s2">"--- Verification ---"</span> <span class="n">-ForegroundColor</span> <span class="n">Yellow</span>
<span class="nb">Get-AuthenticodeSignature</span> <span class="nv">$PROFILE</span> <span class="p">|</span> <span class="nb">Select-Object</span> <span class="n">Path</span><span class="p">,</span> <span class="n">Status</span><span class="p">,</span> <span class="n">Hash</span>
</code></pre></div>
<h2>Signing another script</h2>
<div class="highlight"><pre><span></span><code><span class="c"># the long hash is the fingerprint for the certificate</span>
<span class="nv">$cert</span> <span class="p">=</span> <span class="nb">Get-Item</span> <span class="n">-Path</span> <span class="s2">"Cert:\CurrentUser\My\ea9a1d609c091bb023c1ccd54261e4982d747047"</span>
<span class="nv">$status</span> <span class="p">=</span> <span class="nb">Set-AuthenticodeSignature</span> <span class="n">-FilePath</span> <span class="s2">"myscript.ps1"</span> <span class="n">-Certificate</span> <span class="nv">$cert</span>
<span class="nv">$status</span><span class="p">.</span><span class="n">Status</span>
</code></pre></div>
<h2>Wrap up!</h2>
<p>We have seen how to prepare our environment to run powershell scripts without
relaxing the execution policy, and how to add a customization for our
environment by defining the <code>dotfiles</code> function. Now we can extend this for
additional helper scripts we could want to create in our environment.</p>
<p>What's the next? IMHO use a hardware key increase the security, so instead of
having a certificate in the system certificate storage, I'd rather to have
the private key stored in a cryptographic device (one ring to govern all the
realms).</p>
<p>Another question is, how to rotate the certificate? What happen after 5 years?</p>
<p>But that will be another story.</p>
<p>See you on the next article!</p>Disable wsdd service2025-11-23T13:11:00+01:002025-11-23T13:11:00+01:00Alejandro Visiedotag:avisiedo.github.io,2025-11-23:/blog/disable-wsdd-service.html<p>Disable Web Search Discovery host Daemon.</p><h1>Disable wsdd service</h1>
<p>The Web Search Discovery host Daemon allow to discover hosts in a windows
network. It uses ports 3702/udp and 5357/tcp. But this service reveals
information that we could want to void, because it makes easier the discovery
and recognition in a network.</p>
<p>This service is not managed by systemd, but exists a way to disable it, by
using <code>gsettings</code> command.</p>
<p>So to disable the service run:</p>
<div class="highlight"><pre><span></span><code>gsettings<span class="w"> </span><span class="nb">set</span><span class="w"> </span>org.gnome.system.wsdd<span class="w"> </span>display-mode<span class="w"> </span><span class="s1">'disabled'</span>
</code></pre></div>
<p>You could need to reboot, but after that, you should not see the service
listening on port 3702/udp and 5357/tcp.</p>
<p>See you on the next post!</p>
<h2>References</h2>
<p>https://github.com/christgau/wsdd
https://gitlab.gnome.org/GNOME/gvfs/-/issues/753</p>Passwordless environment2025-10-31T01:00:00+01:002026-03-13T20:00:00+01:00Alejandro Visiedotag:avisiedo.github.io,2025-10-31:/blog/passwordless.html<p>Quick steps to get passwordless working in Silverblue</p><h1>Passwordless environment</h1>
<p>The below are the steps I have followed to get passwordless on
a Silverblue 43 distro with yubico. It is based in the steps found at the
references.</p>
<blockquote>
<p>I recommend to try in a VM before use in your primary system,
and then extend to it.</p>
</blockquote>
<h2>Requirements</h2>
<ul>
<li>Install the required packages: <code>rpm-ostree install pam-u2f pamu2fcfg</code></li>
<li>Reboot to get the packages available: <code>systemctl reboot</code></li>
<li>Create directory where store the configuration for your account:
<code>mkdir ~/.config/Yubico</code></li>
<li>Add the configuration line by: <code>pamu2fcfg --username=$USER >> ~/.config/Yubico/u2f_keys</code></li>
<li>Shrink permissions: <code>chmod 0400 ~/.config/Yubico/u2f_keys</code></li>
<li>Copy u2f_keys to a the global location below by:
<code>cat ~/.config/Yubico/u2f_keys | run0 tee -a /etc/u2f_mappings</code></li>
</ul>
<h2>Set up passwordless</h2>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>run0<span class="w"> </span>authselect<span class="w"> </span>enable-feature<span class="w"> </span>with-pam-u2f
</code></pre></div>
<h2>Set up 2FA</h2>
<div class="highlight"><pre><span></span><code>$<span class="w"> </span>run0<span class="w"> </span>authselect<span class="w"> </span>enable-feature<span class="w"> </span>with-pam-u2f-2fa
</code></pre></div>
<hr>
<p>Notes about <code>pamu2fcfg</code>:</p>
<ul>
<li>For the yubikey I am using, I required to use the <code>--username=$USER</code> argument
or I got <code>error: fido_dev_make_cred (63) FIDO_ERR_UV_INVALID</code></li>
</ul>
<h2>Setup Git signing</h2>
<p>Generate the key pair as below:</p>
<div class="highlight"><pre><span></span><code>ssh-keygen<span class="w"> </span>-t<span class="w"> </span>ed25519-sk<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-O<span class="w"> </span>resident<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-O<span class="w"> </span><span class="nv">application</span><span class="o">=</span>ssh:<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-O<span class="w"> </span>verify-required<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>-f<span class="w"> </span>~/.ssh/id_ed25519_sk_rk
</code></pre></div>
<ul>
<li><code>-O resident</code> indicate to generate a resident key.</li>
<li><code>-O application=ssh:</code> set the application namespace associated to the
handler key. By default it is <code>ssh:</code>, and we need to prefix it always with
<code>ssh:</code> if we want to generate a different key for different purposes.</li>
<li><code>-O verify-required</code> indicates to verify (by PIN or biometrics) the user
when the key is going to be used.</li>
</ul>
<p>OR (if you are moving your keys to another machine)</p>
<div class="highlight"><pre><span></span><code><span class="c1"># The below will extract the resident key to use the private key stored</span>
<span class="c1"># inside the crypto device (the private key never is disclosed from the</span>
<span class="c1"># device). The below will extract all the resident keys (if you had</span>
<span class="c1"># one tagged `ssh:` and another `ssh:fedora`, both redident keys would</span>
<span class="c1"># be extracted.</span>
<span class="nb">cd</span><span class="w"> </span>~/.ssh
ssh-keygen<span class="w"> </span>-K
</code></pre></div>
<blockquote>
<p>NOTE: In macOS requires to install ssh from homebrew, because the openssh
installed by the system does not have support for <strong>secret keys</strong> (physical
security key) nor <strong>resident key</strong> (stored in the device internal memory).</p>
<p>I moved the identities from one system to another without compromise them.</p>
</blockquote>
<p>Configure Git for SSH Signing:</p>
<div class="highlight"><pre><span></span><code>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>gpg.format<span class="w"> </span>ssh
git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>user.signingkey<span class="w"> </span><span class="s2">"~/.ssh/id_ed25519_sk_rk.pub"</span>
git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>commit.gpgSign<span class="w"> </span><span class="nb">true</span>
git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>tag.forceSignAnnotated<span class="w"> </span><span class="nb">true</span>
</code></pre></div>
<p>Configure SSH (the key to identify does not match the defaults that try SSH, so
we need to let it know to SSH by adding the content below to <code>.ssh/config</code>:</p>
<div class="highlight"><pre><span></span><code>IdentityFile ~/.ssh/id_ed25519_sk_rk
</code></pre></div>
<blockquote>
<p>This was detected in macOS system when verifying the connection by
<code>ssh -T git@github.com</code></p>
</blockquote>
<p>Create and configure the allowed signers file.</p>
<div class="highlight"><pre><span></span><code>touch<span class="w"> </span>~/.ssh/allowed_signers
<span class="nv">EMAIL</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>user.email<span class="k">)</span><span class="s2">"</span>
<span class="nv">PUB_KEY</span><span class="o">=</span><span class="s2">"</span><span class="k">$(</span>cat<span class="w"> </span>~/.ssh/id_ed25519_sk_rk.pub<span class="w"> </span><span class="p">|</span><span class="w"> </span>awk<span class="w"> </span><span class="s1">'{ print $2 }'</span><span class="k">)</span><span class="s2">"</span>
<span class="nb">printf</span><span class="w"> </span><span class="s1">'%s namespaces="git" ssh-ed25519 %s Git signing key %s\n'</span><span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">EMAIL</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">PUB_KEY</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">EMAIL</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>>><span class="w"> </span>~/.ssh/allowed_signers
<span class="nb">unset</span><span class="w"> </span>PUB_KEY<span class="w"> </span>EMAIL
</code></pre></div>
<p>Tell git where to find the allowed signers:</p>
<div class="highlight"><pre><span></span><code>git<span class="w"> </span>config<span class="w"> </span>--global<span class="w"> </span>gpg.ssh.allowedSignersFile<span class="w"> </span><span class="s2">"~/.ssh/allowed_signers"</span>
</code></pre></div>
<hr>
<blockquote>
<p>Don't forget to add your public key to yout github, gitlab or another
SCM where you push your commits.</p>
</blockquote>
<h2>Unlock LUKS using FIDO2</h2>
<p>I tried in a VM several configurations, and the one that fit well
in terms of security and usability was the below one:</p>
<div class="highlight"><pre><span></span><code>run0<span class="w"> </span>systemd-cryptenroll<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--fido2-device<span class="o">=</span>auto<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--fido2-with-client-pin<span class="o">=</span>no<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--fido2-with-user-presence<span class="o">=</span>yes<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--fido2-with-user-verification<span class="o">=</span>yes<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>/dev/sdXY
</code></pre></div>
<p>Edit <code>/etc/crypttab</code> and add to your LUKS device entry: <code>- fido2-device=auto</code></p>
<p>Verify enrollment by: <code>run0; cryptsetup luksDump /dev/sdXY</code></p>
<p>Reboot your system: <code>systemctl reboot</code> and now you should be prompted for
touching your FIDO 2 device.</p>
<p>If you want to only unlock the disk by using your FIDO2 device you can remove
the password slot with the following command:</p>
<blockquote>
<p>WARNING: Before run this command, check you can boot and unlock LUKS by
using your FIDO2 device.</p>
</blockquote>
<div class="highlight"><pre><span></span><code>run0<span class="w"> </span>systemd-cryptenroll<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>--wipe-slot<span class="o">=</span>password<span class="w"> </span><span class="se">\</span>
<span class="w"> </span>/dev/sdXY
</code></pre></div>
<blockquote>
<p>Update <code>/dev/sdXY by your LUKS partition;</code>lsblk` should help you.</p>
</blockquote>
<p>Reboot your system: <code>systemctl reboot</code> and now you should be
able to unlock your LUKS partition using your FIDO2 device and
touching it.</p>
<h2>Lock screen on extracting token</h2>
<ul>
<li>Create the file <code>/usr/local/bin/lockcomputer.sh</code>:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="c1"># Create /usr/local/bin/lockcomputer.sh</span>
cat<span class="w"> </span><span class="s"><<EOF | run0 tee /usr/local/bin/lockcomputer.sh</span>
<span class="s">#!/bin/sh</span>
<span class="s"># Inspired by: https://gist.github.com/jhass/070207e9d22b314d9992</span>
<span class="s"># INFO This script lock the screen and disconnect network when it is invoked</span>
<span class="s">lockscreen() {</span>
<span class="s"> busctl call org.freedesktop.login1 /org/freedesktop/login1 org.freedesktop.login1.Manager LockSessions</span>
<span class="s">}</span>
<span class="s">disconnect-network() {</span>
<span class="s"> devices=$(nmcli --fields DEVICE,TYPE,STATE device status | grep ethernet | grep connected | awk '{ print $1 }')</span>
<span class="s"> for device in $devices; do</span>
<span class="s"> nmcli device down "$device"</span>
<span class="s"> done</span>
<span class="s">}</span>
<span class="s">main() {</span>
<span class="s"> echo "lockcomputer.sh: $*" >> /tmp/lockcomputer.log</span>
<span class="s"> disconnect-network</span>
<span class="s"> lockscreen</span>
<span class="s">}</span>
<span class="s">main "$@"</span>
<span class="s">EOF</span>
<span class="c1"># Change permissions</span>
run0<span class="w"> </span>chmod<span class="w"> </span>u+x<span class="w"> </span>/usr/local/bin/lockcomputer.sh
</code></pre></div>
<ul>
<li>Create udev rule file to lock the computer on removing the key event.
This rule is generic, and it likely works for any fido device.</li>
</ul>
<div class="highlight"><pre><span></span><code>cat<span class="w"> </span><span class="s"><<EOF | run0 tee /etc/udev/rules.d/20-yubico.rules</span>
<span class="s">ACTION=="remove", ENV{ID_FIDO_TOKEN}=="1", RUN+="/usr/local/bin/lockcomputer.sh"</span>
<span class="s">EOF</span>
</code></pre></div>
<ul>
<li>Reload udev rules by: <code>run0 udevadm control -R</code></li>
</ul>
<h2>Wrap up</h2>
<p>So far we set up our login, gdm, git commits and tags, LUKS and lockcomputer
on key extraction by using our passwordkey token. This is a step forward to
keep your environment safer.</p>
<p>Stay tuned and see you on the next post!</p>
<p><strong>UPDATE</strong>: Added <code>Unlock LUKS using FIDO2</code> section.</p>
<p><strong>UPDATE</strong>: Fix the <code>lockcomputer.sh</code> script and udev rules</p>
<h2>References</h2>
<ul>
<li><a href="https://fedoramagazine.org/how-to-use-a-yubikey-with-fedora-linux/">How to use yubikey with fedora linux</a></li>
<li><a href="https://developers.yubico.com/pam-u2f/">pam-u2f</a></li>
<li><a href="https://docs.fedoraproject.org/en-US/quick-docs/using-yubikeys/">Using Yubikeys</a></li>
<li><a href="https://dev.to/bashbunni/set-up-yubikey-for-passwordless-sudo-authentication-4h5o">Set up Yubikey for Passwordless Sudo Authentication</a></li>
<li><a href="https://www.reddit.com/r/Fedora/comments/akck9m/authenticating_with_gdm_and_sudo_with_a_u2f/">Authenticating with GDM and sudo with a U2F security key</a></li>
</ul>Grow logical volume2025-10-22T17:52:00+02:002025-10-22T17:52:00+02:00Alejandro Visiedotag:avisiedo.github.io,2025-10-22:/blog/grow-logical-volume.html<p>Quick steps that I followed to extend the logical volume to the whole disk in a fedora system.</p><h1>Grow logical volume</h1>
<p>Sometimes I had been the scenario where I needed to extend the
logical volume of my system such as:</p>
<ul>
<li>A VM which required more space and after increase the available disk
I had to extend the logical volume.</li>
<li>A raspy using not the usual distros.</li>
</ul>
<p>The same steps worked for me in a fedora system. I won't extend
and I will go straight to the point.</p>
<p>In this steps I am using <code>/dev/sda3</code> update it for your scenario:</p>
<ul>
<li>Increase the physical partition: <code>fdisk /dev/sda3</code></li>
<li>Increase the physical volume: <code>pvresize /dev/sda3</code></li>
<li>Increase logical volume: <code>/dev/mapper/systemVG-LVRoot -L+100%FREE</code></li>
<li>Grow filesystem: <code>xfs_growfs /dev/mapper/systemVG-LVRoot</code></li>
</ul>
<blockquote>
<p>Hope this helps you in similar scenario, take the above steps at your
own risk and create a backup before run them if you are not sure
what your are running. Be warned that something wrong could
state in a broken system.</p>
</blockquote>
<p>See you on the next post!</p>Running LLM locally2025-08-20T14:22:00+02:002025-08-20T14:22:00+02:00Alejandro Visiedotag:avisiedo.github.io,2025-08-20:/blog/running-llm-locally.html<p>Getting started to run a LLM model locally, and using Hardware acceleration with Asahi Linux.</p><h1>Running LLM locally</h1>
<p>IA is an amazing new field, but we have to take it carefully. And one of the
things rolling my mind is about keep prompts privates, so I was wondering to run
it locally, so it can help me even with no Internet connection.</p>
<p>In my opinion, IA works as an assistant, not as a new developer that make the
work for us, but helps a lot to get things, even new ideas that we didn't
consider; also it can provide wrong responses, so we need to review carefully
the responses.</p>
<h2>Trying ollama</h2>
<p>I move from one system to another, I like to test things, and at the moment of
trying this I was using an Asahi Linux with Arch Linux.</p>
<ul>
<li>I installed ollama by: <code>run0 pacman -Sy extra/ollama</code>.</li>
<li>Start the systemd service by: <code>run0 systemctl start ollama.service</code></li>
</ul>
<p>And I searched for some model at: https://ollama.com/models</p>
<p>And I pulled a model from it: <code>ollama pull deepseek-coder</code></p>
<p>I started the LLM by: <code>ollama run deepseek-coder:33b</code></p>
<blockquote>
<p>This github thread was helpful to avoid to download twice the model
because at the beginning I started it only for my user by <code>ollama serve &</code></p>
</blockquote>
<p>Positive things:</p>
<ul>
<li>I install the LLM by using the package manager.</li>
<li>I can start to use quickly just starting the service, pulling a model, and
starting to use that model.</li>
</ul>
<p>Negative things:</p>
<ul>
<li>After checking some models, the ones that works better (it is not a statement
that accomplish, as it depends the data used for the training) are the one
which size is bigger, so it takes time to download them, and you require
a lot of memory to run them.</li>
<li>For Asahi Linux, it was not accelerating the process by using the GPU, so
I could see how my workstation was about to take off.</li>
</ul>
<h2>Trying ramalama</h2>
<p>After try ollama, I was worried about get it working with GPU acceleration, and
googling a little I found ramalama, which provide that GPU acceleration, and
pack the model ready to use for it in a container. The idea is great, and we can
use the same models we found at ollama web page.</p>
<ul>
<li>Create a directory: <code>mkdir ramalama; cd ramalama</code></li>
<li>Create a virtual environment: <code>python3 -m venv .venv && source .venv/bin/activate</code></li>
<li>Install ramalama by: <code>pip install ramalama</code></li>
<li>Download a model by: <code>ramalama pull deepseek-coder:33b</code></li>
<li>Run the model by: <code>ramalama run deepseek-coder:33b</code></li>
</ul>
<p>Positive things:</p>
<ul>
<li>All the workload is moved to the GPU.</li>
<li>It is easy to install and use models.</li>
</ul>
<p>Negative things:</p>
<ul>
<li>I dislike to install it by using pip; I rather to install it from official
distro packages, but I didn't find it at Arch Linux for Asahi Linux.</li>
</ul>
<h2>Wrap up</h2>
<p>My first contact for running local LLM has not been bad, and I think is a
powerful tool for the day to day; both tools helps on quickly start using a
LLM model. If you are using an Asahi Linux, then your bet for ramalama will be
the right option, in terms of performance. I would like to have more hardware to
test more different scenarios.</p>
<p>I like the idea that ramalama has containers per gpu/llm-model so you get
something ready to use and optimized quickly. I like it is running isolated,
even without network access, so all the information is processed locally (when
running by <code>ramalama</code>.</p>
<p>So, if you have the resources, now you have the way to use your local assistant
to help you into your day to day.</p>
<h2>References</h2>
<ul>
<li>https://ollama.com/models</li>
<li>https://github.com/ollama/ollama</li>
<li>https://github.com/containers/ramalama</li>
</ul>Using SSH through proxy2025-06-11T10:39:00+02:002025-06-11T10:39:00+02:00Alejandro Visiedotag:avisiedo.github.io,2025-06-11:/blog/using-ssh-through-proxy.html<p>Quick configuration when you only can do outgoing connections by
using a proxy.</p><h1>Using SSH through proxy</h1>
<p>If the system that you are using use a local proxy for the outgoing connections,
your SSH connections will be rejected without any additional configuration.</p>
<p>In my case I would like to use github and gitlab upstreams through the SSH
connection, so I can push my changes.</p>
<p>It could be more solutions, but the one indicated here require <code>nc</code> tool
installed in your system, and some changes to <code>~/.ssh/config</code> file.</p>
<ul>
<li>Install <code>nc</code> in fedora by: <code>run0 dnf install -y nc</code></li>
<li>Open <code>~/.ssh/config</code> and add the configuration below:</li>
</ul>
<div class="highlight"><pre><span></span><code><span class="nx">Host</span><span class="w"> </span><span class="nx">github</span><span class="p">.</span><span class="nx">com</span>
<span class="w"> </span><span class="nx">ProxyCommand</span><span class="w"> </span><span class="nx">nc</span><span class="w"> </span><span class="o">--</span><span class="nx">proxy</span><span class="o">-</span><span class="k">type</span><span class="w"> </span><span class="nx">http</span><span class="w"> </span><span class="o">--</span><span class="nx">proxy</span><span class="w"> </span><span class="p"><</span><span class="nx">proxy</span><span class="o">-</span><span class="nx">host</span><span class="o">-</span><span class="k">or</span><span class="o">-</span><span class="nx">ip</span><span class="p">>:<</span><span class="nx">proxy</span><span class="o">-</span><span class="nx">port</span><span class="p">></span><span class="w"> </span><span class="o">%</span><span class="nx">h</span><span class="w"> </span><span class="o">%</span><span class="nx">p</span>
<span class="nx">Host</span><span class="w"> </span><span class="nx">gitlab</span><span class="p">.</span><span class="nx">com</span>
<span class="w"> </span><span class="nx">ProxyCommand</span><span class="w"> </span><span class="nx">nc</span><span class="w"> </span><span class="o">--</span><span class="nx">proxy</span><span class="o">-</span><span class="k">type</span><span class="w"> </span><span class="nx">http</span><span class="w"> </span><span class="o">--</span><span class="nx">proxy</span><span class="w"> </span><span class="p"><</span><span class="nx">proxy</span><span class="o">-</span><span class="nx">host</span><span class="o">-</span><span class="k">or</span><span class="o">-</span><span class="nx">ip</span><span class="p">>:<</span><span class="nx">proxy</span><span class="o">-</span><span class="nx">port</span><span class="p">></span><span class="w"> </span><span class="o">%</span><span class="nx">h</span><span class="w"> </span><span class="o">%</span><span class="nx">p</span>
</code></pre></div>
<blockquote>
<p>NOTE Change <code><proxy-host-or-ip></code> by the address of your proxy, and
<code><proxy-port></code> by the port where your proxy is listening.</p>
<p>If the number of hosts is small, I recommend to keep the list specific
so you can block any outgoing connection to other hosts you don't know
that your system is connecting to.</p>
</blockquote>
<h2>Wrap up!</h2>
<p>We have have seen how we can use <code>nc</code> to use proxy connections to our git
repositories when we have network restrictions.</p>
<p>Happy coding! :)</p>proxy on rpm-ostree2025-06-04T15:43:00+02:002025-06-04T15:43:00+02:00Alejandro Visiedotag:avisiedo.github.io,2025-06-04:/blog/proxy-on-rpm-ostree.html<p>Make rpm-ostree works with our proxy could be not trivial.
This article describe how I did (or what I missed).</p><h1>proxy on rpm-ostree</h1>
<p>Hi there! if you are here, probably are facing similar situation
than me today! I installed Fedora Silverblue in a fresh VM, and
I use a proxy to reach out Internet, so how to make the things
work in Silverblue? I am going to enumerate the failed intents,
before the final solution.</p>
<h2>Failed intents</h2>
<p>The first thing I thought was, well just setup the http in the
system and that will make everything. Yeah! I did it, and I rebooted
even several times, but no connection was happening through the
proxy. It makes things like <code>curl</code> works from my terminal, but
for any reason, not for <code>rpm-ostree</code>.</p>
<p>Secondly, I thought "well, maybe I have to indicate that information
into the repo files". So I edited every <code>.repo</code> file at
<code>/etc/yum.repos.d/*.repo</code> and I realoaded rpm-ostree by</p>
<p><code>run0 systemctl daemon-reload; run0 systemctl restart rpm-ostreed.service</code></p>
<p>Even I tried to reboot, but still rpm-ostree was failing and the
request didn't go through my proxy.</p>
<p>Later, I tried googling about it, and I found the below reference
which was really helpful:</p>
<p>https://github.com/coreos/rpm-ostree/issues/762#issuecomment-434256478</p>
<p>I did the change by: <code>run0 systemctl edit --full rpm-ostreed.service</code>,
and adding the change below:</p>
<div class="highlight"><pre><span></span><code><span class="k">[Service]</span>
<span class="n">Environment</span><span class="o">=</span><span class="s2">"http_proxy=http://<ip-for-my-proxy>:<port>"</span>
</code></pre></div>
<p>I run <code>run0 systemctl daemon-reload; run0 systemctl restart rpm-ostreed.service</code>,
but surprise, still not working! And I rebooted and nothing changed.</p>
<h2>Final change</h2>
<p>Finally, I realized that I could require another environment variable, and that
was the key in case for it, so I added <code>HTTPS_PROXY</code> and I run
<code>run0 systemctl daemon-reload; run0 systemctl restart rpm-ostreed.service</code> and
finally, it started to work.</p>
<h2>Wrap up!</h2>
<p>If you are using a proxy in your system, and you want to use Silverblue
or other rpm-ostree based distribution, you will need to add manually the
<code>http_proxy</code> and <code>HTTPS_PROXY</code> to the rpm-ostreed.service configuration.</p>
<div class="highlight"><pre><span></span><code>run0<span class="w"> </span>systemctl<span class="w"> </span>edit<span class="w"> </span>--full<span class="w"> </span>rpm-ostreed.service
</code></pre></div>
<p>Add the environment variables:</p>
<div class="highlight"><pre><span></span><code><span class="k">[Service]</span>
<span class="n">Environment</span><span class="o">=</span><span class="s2">"http_proxy=http://<ip-for-my-proxy>:<port>"</span>
<span class="n">Environment</span><span class="o">=</span><span class="s2">"HTTPS_PROXY=http://<ip-for-my-proxy>:<port>"</span>
</code></pre></div>
<p>Reload the configuration and restart the service by:</p>
<div class="highlight"><pre><span></span><code>run0<span class="w"> </span>systemctl<span class="w"> </span>daemon-reload
run0<span class="w"> </span>systemctl<span class="w"> </span>restart<span class="w"> </span>rpm-ostreed.service
</code></pre></div>
<p>And finally upgrade your system:</p>
<div class="highlight"><pre><span></span><code>run0<span class="w"> </span>rpm-ostree<span class="w"> </span>upgrade
</code></pre></div>Welcome2025-03-28T12:24:00+01:002025-03-28T12:24:00+01:00Alejandro Visiedotag:avisiedo.github.io,2025-03-28:/blog/welcome.html<p>Welcome to the site article</p><h1>Welcome</h1>
<p>DevSensation is a space where I will publish all my nerd stuff.</p>
<p>Starting by creating a static site by using python3-pelican, and
the sky is the limit.</p>Configuring OCP for user namespaces2022-01-31T10:45:58+01:002022-01-31T10:45:58+01:00Alejandro Visiedotag:avisiedo.github.io,2022-01-31:/blog/configuring-ocp-for-user-namespace.html<p>Preparing an OpenShift cluster for using namespaces</p><p>Preparing an OpenShift cluster for using user namespaces involves
several steps and hands-over. To simplify the process we are using
some configurations at <a href="https://github.com/freeipa/freeipa-kustomize">freeipa-kustomize</a>
that make easier that task.</p>
<p><strong>Pre-requisites</strong>:</p>
<ul>
<li>A 4.9 or 4.10 OpenShift cluster.</li>
<li>You are logged in the cluster and you have cluster-admin privileges.</li>
</ul>
<blockquote>
<p><strong>Out of scope</strong>: Build the runc and cri-o rpm packages.</p>
</blockquote>
<h2>Setting the configuration node</h2>
<ul>
<li>Clone freeipa-kustomize repository:</li>
</ul>
<p><code>sh
git clone https://github.com/freeipa/freeipa-kustomize.git</code></p>
<ul>
<li>Retrieve the machine config pools by:</li>
</ul>
<p><code>sh
oc get mcp</code></p>
<ul>
<li>Set the POOL environment variables with the names of the machine config pool
that are going to be configured:</li>
</ul>
<p><code>sh
export POOL="worker"</code></p>
<p>if you want to specify more than one:</p>
<p><code>sh
export POOL="worker master"</code></p>
<ul>
<li>Install some custom RPMs by:</li>
</ul>
<p><code>sh
export RPM_PACKAGES="https://ftweedal.fedorapeople.org/runc-1.0.3-992.rhaos4.10.el8.x86_64.rpm https://ftweedal.fedorapeople.org/cri-o-1.23.0-990.rhaos4.10.git8c7713a.el8.x86_64.rpm"</code></p>
<blockquote>
<p>The RPMs above are experimental and will become obsolete. This show
how you can customize the ocp node environment easily by using this
configuration. Keep in mind that if they become a lower version than
the version that ships in the cluster release, the RPM package
will not be installed. Credits and thanks to
<a href="https://frasertweedale.github.io/blog-redhat/">Fraser Tweedale</a>.</p>
</blockquote>
<ul>
<li>Now we just run:</li>
</ul>
<p><code>sh
make -C config/static/nodes/userns configure
kustomize build config/static/nodes/userns | oc create -f -</code></p>
<ul>
<li>Finally await the node state is updated by:</li>
</ul>
<p><code>sh
oc wait mcp/worker --for condition=updated --timeout=-1s</code></p>
<blockquote>
<p>It will take a few minutes (5-10minutes) as the configuration is applied node by node,
evacuate the node, restart the node, and make it available. This
process is repeated for all impacted nodes. Eventually all the nodes will get a
Ready state and they could be used.</p>
</blockquote>
<h2>How is it structured?</h2>
<p>The main overlay at <code>config/static/nodes/userns</code> is a composition of smaller
ones, that are divided on:</p>
<ul>
<li><code>config/static/nodes/cgroup-v2</code>: Configure cgroup-v2 into the node, enabling
to mount cgroup v2 filessytem into the node.</li>
<li><code>config/static/nodes/userns-subid</code>: Configure the necessary subid for the
user namespaces. Different files can be found at
<code>config/static/nodes/userns-subid/files</code> to spicify the subuid and subgid
information.</li>
<li><code>99-crio-userns.conf</code>: Enable the <code>io.kubernetes.cri-o.userns-mode</code> annotation
into the PodSpec.</li>
<li><code>subuid</code> and <code>subgid</code>: Configure the subordinate ids to be used by the user namespace.</li>
<li><code>config/static/nodes/rpm-overrides</code>: This configuration handle the RPM
package installation. This is made by creating a systemd unit, and executing
the command that install the RPM package. It is generated a resource for each
RPM and POOL. The package installation is checked before launch the RPM
command, so that future reboots does not try to install the RPM package
again. Here this is used for custom runc and cri-o rpm packages, but this
configuration could work for any RPM that we want to quickly test into our
OCP <strong>development</strong> cluster.</li>
</ul>
<h2>Checking that the configuration was applied</h2>
<p>Here you will find several commands that are executed from the node. If you
are using CodeReadyContainers you can directly use a ssh command such as:</p>
<div class="highlight"><pre><span></span><code>ssh<span class="w"> </span>-i<span class="w"> </span>~/.crc/machines/crc/id_ecdsa<span class="w"> </span>core@192.168.130.11
</code></pre></div>
<blockquote>
<p>This could be helpful when the KAS communication is not available.</p>
</blockquote>
<p>Or you can just open a terminal into the node and run the command there by:</p>
<div class="highlight"><pre><span></span><code><span class="c1"># Retrieve node list by:</span>
oc<span class="w"> </span>get<span class="w"> </span>nodes
<span class="c1"># Open the terminal by:</span>
oc<span class="w"> </span>debug<span class="w"> </span>node/NODE
chroot<span class="w"> </span>/host
<span class="c1"># Now run your commands here</span>
</code></pre></div>
<ul>
<li>For the RPM packages check from the node:</li>
</ul>
<p><code>sh
runc --version</code></p>
<p><code>raw
runc version 1.0.3
spec: 1.0.2-dev
go: go1.17.2
libseccomp: 2.5.1</code></p>
<p><code>sh
# If you are using code ready containers, you can directly do the below
ssh -i ~/.crc/machines/crc/id_ecdsa core@192.168.130.11 journalctl -u install-runc.service
# Or using the oc adm command
oc adm node-logs -u install-runc.service NODE</code></p>
<p><code>raw
-- Logs begin at Sat 2021-12-11 13:38:56 UTC, end at Wed 2022-01-26 07:12:23 UTC. --
Jan 26 06:50:13 crc-hsl9k-master-0 bash[1658]: package runc-1.0.3-992.rhaos4.10.el8.x86_64 is not installed
Jan 26 06:50:13 crc-hsl9k-master-0 systemd[1]: Started Install custom runc.
Jan 26 06:50:14 crc-hsl9k-master-0 bash[1658]: Downloading 'https://ftweedal.fedorapeople.org/runc-1.0.3-992.rhaos4.10.el8.x86_64.rpm'... done!
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Checking out tree 26d80bc...done
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: No enabled rpm-md repositories.
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Importing rpm-md...done
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Resolving dependencies...done
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Applying 1 override and 5 overlays
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Processing packages...done
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Running pre scripts...done
Jan 26 06:50:16 crc-hsl9k-master-0 bash[1658]: Running post scripts...done
Jan 26 06:50:17 crc-hsl9k-master-0 bash[1658]: Running posttrans scripts...done
Jan 26 06:50:17 crc-hsl9k-master-0 bash[1658]: Writing rpmdb...done
Jan 26 06:50:18 crc-hsl9k-master-0 bash[1658]: Writing OSTree commit...done
Jan 26 06:50:19 crc-hsl9k-master-0 bash[1658]: Staging deployment...done
Jan 26 06:50:20 crc-hsl9k-master-0 systemd[1]: Stopping Install custom runc...
Jan 26 06:50:20 crc-hsl9k-master-0 systemd[1]: install-runc.service: Succeeded.
Jan 26 06:50:20 crc-hsl9k-master-0 systemd[1]: Stopped Install custom runc.
Jan 26 06:50:20 crc-hsl9k-master-0 systemd[1]: install-runc.service: Consumed 94ms CPU time
-- Reboot --
Jan 26 06:51:10 crc-hsl9k-master-0 bash[1656]: runc-1.0.3-992.rhaos4.10.el8.x86_64
Jan 26 06:51:09 crc-hsl9k-master-0 systemd[1]: Started Install custom runc.
Jan 26 06:51:09 crc-hsl9k-master-0 systemd[1]: install-runc.service: Succeeded.
Jan 26 06:51:09 crc-hsl9k-master-0 systemd[1]: install-runc.service: Consumed 11ms CPU time</code></p>
<ul>
<li>For the cgroup2, run the below from the node:</li>
</ul>
<p><code>sh
mount | grep cgroup2</code></p>
<p><code>raw
cgroup2 on /sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel)
cgroup on /var/lib/containers/storage/overlay/1ec73edf3e99a0772aaab2ba0f27110bb879a9fe86f607acc9de822489a4a9e1/merged/sys/fs/cgroup type cgroup2 (rw,nosuid,nodev,noexec,relatime,seclabel)</code></p>
<ul>
<li>For the kernelarguments, run the below from the node:</li>
</ul>
<p><code>sh
# check kernel args in the node boot
cat /proc/cmdline</code></p>
<p><code>raw
BOOT_IMAGE=(hd0,gpt3)/ostree/rhcos-36fd944867b0e491991a65f6f3b7209c937fe3bd7cdbd855c7c5d5a7070ce570/vmlinuz-4.18.0-305.28.1.el8_4.x86_64 random.trust_cpu=on console=tty0 console=ttyS0,115200n8 ignition.platform.id=qemu ostree=/ostree/boot.1/rhcos/36fd944867b0e491991a65f6f3b7209c937fe3bd7cdbd855c7c5d5a7070ce570/0 root=UUID=91ba4914-fd2b-4a7c-b498-28585a80a40e rw rootflags=prjquota systemd.unified_cgroup_hierarchy=1 cgroup_no_v1=all psi=1</code></p>
<ul>
<li>For the subid configuration we run the below from the node:</li>
</ul>
<p><code>sh
cat /etc/subuid
cat /etc/subgid</code></p>
<p><code>raw
core:100000:65536
containers:200000:268435456</code></p>
<p><code>raw
core:100000:65536
containers:200000:268435456</code></p>
<p>And we can observe that entries for container user and group exists too:</p>
<p><code>sh
getent passwd containers
getent group containers</code></p>
<p><code>raw
containers:x:1001:995:User for housing the sub ID range for containers:/var/home/containers:/sbin/nologin</code></p>
<p><code>raw
containers:x:995:</code></p>
<ul>
<li>For the cri-o configuration we run the below from the node:</li>
</ul>
<p><code>sh
cat /etc/crio/crio.conf.d/99-crio-userns.conf</code></p>
<p><code>raw
# https://github.com/cri-o/cri-o/blob/main/docs/crio.conf.5.md#crioruntimeruntimes-table
[crio.runtime.runtimes.runc]
allowed_annotations=["io.kubernetes.cri-o.userns-mode"]</code></p>
<p>Now we can use the annotation below to enable user namespaces for a particular Pod:</p>
<p><code>yaml
apiVersion: v1
kind: Pod
metadata:
name: test-userns
annotations:
io.kubernetes.cri-o.userns-mode: "auto:size=65536"
spec:
serviceAccountName: test-userns
containers:
- name: userns-test
image: quay.io/fedora/fedora:35
command: ["sleep", "3600"]</code></p>
<p>Let's try quickly with the below:</p>
<p><code>sh
# Create a namespace
oc new-project test-userns
# Create the 'test-userns' service account to be used
oc create sa test-userns
# Add edit role to the sa
oc adm policy add-role-to-user edit -z test-userns
# Add anyuid security context constraint to the sa
oc adm policy add-scc-to-user anyuid -z test-userns
# We create the service
oc create -f pod.yaml --as system:serviceaccount:$( oc project -q ):test-userns</code></p>
<p>When the pod is ready, we check the user namespace by:</p>
<p><code>sh
oc exec pod/test-userns -- cat /proc/1/uid_map</code></p>
<p><code>raw
0 200000 65536</code></p>
<p>This means that the [0..65535] uids inside the container are mapped to
[200000..265535] into the parent container.</p>
<p>When the user namespace is not used, the content of this file will be:</p>
<p><code>raw
0 0 4294967295</code></p>
<h2>Wrap-up</h2>
<p>With this configuration we can quickly set up our OCP cluster to quickly
experiment with and investigate user namespace.</p>
<h2>Knowledgements</h2>
<ul>
<li>Thanks to <a href="https://frasertweedale.github.io/blog-redhat">Fraser Tweedale</a>
for his sessions to understand better the user namespaces.</li>
</ul>
<h2>References</h2>
<ul>
<li><a href="https://frasertweedale.github.io/blog-redhat/posts/2021-07-22-openshift-systemd-workload-demo.html">Fraser's blog - Demo: namespaced systemd workloads on OpenShift</a>.</li>
<li><a href="https://static.sched.com/hosted_files/devconfcz2022/d5/%5BDevConf.CZ%2022%5D%20SCCs%20Presentation.pdf">Introduction to Security Context Constraints</a>.</li>
</ul>Stopping systemd workloads in OpenShift2021-11-29T17:00:00+01:002026-02-13T10:00:00+01:00Alejandro Visiedotag:avisiedo.github.io,2021-11-29:/blog/stopping-systemd-workloads-in-openshift.html<p>How to integrate systemd workloads in OpenShift</p><p>Are you using systemd workloads? Then this article could be of interest.
In this article we are going to see how workloads based on systemd
can be stopped gracefully on OpenShift.</p>
<p>We are going to do hands-on activities, using a simple systemd workload
which runs an nginx service. We will see the differences between using the
workload in Podman and using the workload in OpenShift. Finally we will see
how to overcome the limitation in OpenShift by using container lifecycle hooks.</p>
<p><strong>Prerequisites</strong></p>
<ul>
<li><a href="https://podman.io/">Podman</a> is installed in your environment.</li>
<li><a href="https://docs.openshift.com/container-platform/4.9/cli_reference/openshift_cli/getting-started-cli.html#installing-openshift-cli">OpenShift client</a> is installed into your environment.</li>
<li>You have access to an OpenShift cluster.</li>
</ul>
<blockquote>
<p>You can install a single node OpenShift using
<a href="https://github.com/karmab/kcli">kcli</a> or
<a href="https://github.com/code-ready/crc">Code Ready Containers</a>.</p>
</blockquote>
<p><strong>Updates</strong>:</p>
<ul>
<li>This is happening in OpenShift but it will be fixed in 4.10 (verified on
OpenShift 4.10.0-ci-20220107).</li>
<li>Here is the change at cri-o that fix this situation:
https://github.com/cri-o/cri-o/pull/5366</li>
</ul>
<h2>Defining the workload</h2>
<p>We are going to use the following simple <code>Dockerfile.stopsignal-systemd</code> Dockerfile to build our workload.</p>
<div class="highlight"><pre><span></span><code><span class="k">FROM</span><span class="w"> </span><span class="s">quay.io/fedora/fedora:35</span>
<span class="k">RUN</span><span class="w"> </span>dnf<span class="w"> </span>-y<span class="w"> </span>install<span class="w"> </span>procps<span class="w"> </span>nginx<span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="o">&&</span><span class="w"> </span>dnf<span class="w"> </span>clean<span class="w"> </span>all<span class="w"> </span><span class="se">\</span>
<span class="w"> </span><span class="o">&&</span><span class="w"> </span>systemctl<span class="w"> </span><span class="nb">enable</span><span class="w"> </span>nginx
<span class="k">EXPOSE</span><span class="w"> </span><span class="s">80</span>
<span class="c"># https://docs.docker.com/engine/reference/builder/#stopsignal</span>
<span class="c"># https://www.freedesktop.org/software/systemd/man/systemd.html#SIGRTMIN+3</span>
<span class="k">STOPSIGNAL</span><span class="w"> </span><span class="s">SIGRTMIN+3</span>
<span class="k">ENTRYPOINT</span><span class="w"> </span><span class="p">[</span><span class="s2">"/sbin/init"</span><span class="p">]</span>
</code></pre></div>
<blockquote>
<p>The <code>STOPSIGNAL</code> instruction is not needed by podman as it detects that
the signal to be sent by <code>podman stop</code> should be <code>SIGRTMIN+3</code>,
because the container process is systemd.</p>
</blockquote>
<p>Now we build:</p>
<div class="highlight"><pre><span></span><code><span class="nb">export</span><span class="w"> </span><span class="nv">IMG</span><span class="o">=</span><span class="s2">"quay.io/avisied0/demos:stopsignal-systemd"</span>
podman<span class="w"> </span>build<span class="w"> </span>-t<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">IMG</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>-f<span class="w"> </span>Dockerfile.stopsignal-systemd<span class="w"> </span>.
</code></pre></div>
<h2>Runnning container with podman</h2>
<p>Firstly, let's see what happens with the workload when running with podman or
docker:</p>
<div class="highlight"><pre><span></span><code><span class="nv">CONTAINER_ID</span><span class="o">=</span><span class="k">$(</span><span class="w"> </span>podman<span class="w"> </span>run<span class="w"> </span>-it<span class="w"> </span>-d<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">IMG</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="k">)</span>
podman<span class="w"> </span>logs<span class="w"> </span>--follow<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">CONTAINER_ID</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span><span class="p">&</span>
podman<span class="w"> </span>stop<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">CONTAINER_ID</span><span class="si">}</span><span class="s2">"</span>
</code></pre></div>
<p>And we get a result like the below:</p>
<div class="highlight"><pre><span></span><code>[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Removed<span class="w"> </span>slice<span class="w"> </span>Slice<span class="w"> </span>/system/getty.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Removed<span class="w"> </span>slice<span class="w"> </span>Slice<span class="w"> </span>/system/modprobe.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>target<span class="w"> </span>Graphical<span class="w"> </span>Interface.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>target<span class="w"> </span>Multi-User<span class="w"> </span>System.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>target<span class="w"> </span>Login<span class="w"> </span>Prompts.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>target<span class="w"> </span>Timer<span class="w"> </span>Units.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>dnf<span class="w"> </span>makecache<span class="w"> </span>--timer.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>Daily<span class="w"> </span>rotation<span class="w"> </span>of<span class="w"> </span>log<span class="w"> </span>files.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>Daily<span class="w"> </span>Cleanup<span class="w"> </span>of<span class="w"> </span>Temporary<span class="w"> </span>Directories.
.
.
.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Stopped<span class="w"> </span>target<span class="w"> </span>Swaps.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Reached<span class="w"> </span>target<span class="w"> </span>System<span class="w"> </span>Shutdown.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Reached<span class="w"> </span>target<span class="w"> </span>Unmount<span class="w"> </span>All<span class="w"> </span>Filesystems.
[<span class="w"> </span>OK<span class="w"> </span>]<span class="w"> </span>Reached<span class="w"> </span>target<span class="w"> </span>Late<span class="w"> </span>Shutdown<span class="w"> </span>Services.
<span class="w"> </span>Starting<span class="w"> </span>System<span class="w"> </span>Halt...
Sending<span class="w"> </span>SIGTERM<span class="w"> </span>to<span class="w"> </span>remaining<span class="w"> </span>processes...
Sending<span class="w"> </span>SIGKILL<span class="w"> </span>to<span class="w"> </span>remaining<span class="w"> </span>processes...
All<span class="w"> </span>filesystems,<span class="w"> </span>swaps,<span class="w"> </span>loop<span class="w"> </span>devices,<span class="w"> </span>MD<span class="w"> </span>devices<span class="w"> </span>and<span class="w"> </span>DM<span class="w"> </span>devices<span class="w"> </span>detached.
Halting<span class="w"> </span>system.
Exiting<span class="w"> </span>container.
[1]+<span class="w"> </span>Done<span class="w"> </span>podman<span class="w"> </span>logs<span class="w"> </span>--follow<span class="w"> </span>"<span class="cp">${</span><span class="n">CONTAINER_ID</span><span class="cp">}</span>"
</code></pre></div>
<h2>What about OpenShift?</h2>
<p>Let's try now our workload on OpenShift; you will need an OpenShift cluster
or a single node OpenShift (you can get one by using
<a href="https://github.com/karmab/kcli">kcli</a> or
<a href="https://github.com/code-ready/crc">Code Ready Containers</a>).</p>
<ul>
<li>Push the image to your image registry:</li>
</ul>
<p><code>sh
# Previously IMG was defined as below:
# export IMG="quay.io/avisied0/demos:stopsignal-systemd"
podman push "${IMG}"</code></p>
<blockquote>
<p>Ensure the repository is public so that the cluster can pull
the image.</p>
</blockquote>
<ul>
<li>Access your cluster as a cluster admin and create a new project:</li>
</ul>
<p><code>sh
oc login -u kubeadmin https://api.crc.testing:6443
oc new-project stopsignal</code></p>
<ul>
<li>Create a serviceaccount with the necessary permissions for creating and
running the workload; this is, edit role and anyuid
SecurityContextConstraint:</li>
</ul>
<p><code>sh
oc create serviceaccount runasanyuid
oc adm policy add-scc-to-user anyuid -z runasanyuid --as system:admin
oc adm policy add-role-to-user edit -z runasanyuid --as system:admin</code></p>
<ul>
<li>Create the Pod from the following <code>pod-stopsignal-systemd.yaml</code> file:</li>
</ul>
<p><code>yaml
apiVersion: v1
kind: Pod
metadata:
name: stopsignal-systemd
labels:
app: nginx
spec:
serviceAccountName: runasanyuid
automountServiceAccountToken: false
containers:
- name: nginx
image: quay.io/avisied0/demos:stopsignal-systemd
imagePullPolicy: Always
command: ["/sbin/init"]
tty: true
privileged: false</code></p>
<ul>
<li>Create the workload using the new serviceaccount:</li>
</ul>
<p><code>sh
oc create -f pod-stopsignal-systemd.yaml --as system:serviceaccount:stopsignal:runasanyuid
oc get all</code></p>
<ul>
<li>Print out and follow the logs in the background.</li>
</ul>
<p><code>sh
oc logs pod/stopsignal-systemd -f --as system:serviceaccount:stopsignal:runasanyuid &</code></p>
<ul>
<li>Try to stop the workload.</li>
</ul>
<p><code>sh
oc delete -f pod-stopsignal-systemd.yaml --as system:serviceaccount:stopsignal:runasanyuid</code></p>
<p>We get something like the below in the log output, but systemd and
the pod are still running:</p>
<div class="highlight"><pre><span></span><code>pod "systemd-nginx" deleted
systemd-nginx login: systemd v249.7-2.fc35 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN +IPTC +KMOD +LIBCRYPTSETUP +LIBFDISK +PCRE2 +PWQUALITY +P11KIT +QRENCODE +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +XKBCOMMON +UTMP +SYSVINIT default-hierarchy=unified)
Detected virtualization podman.
Detected architecture x86-64.
</code></pre></div>
<p>We can see that systemd does not begin the stop sequence as was the
case with podman. This is because OpenShift did not translate the
<code>STOPSIGNAL</code> instruction specified in the Dockerfile (this will be fixed
at OpenShift 4.10). To work around this situation we will
use <a href="https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/">container lifecycle hooks</a>,
to explicitly send <code>SIGRTMIN+3</code> to PID 1 (systemd).</p>
<h2>Trying more isolated</h2>
<p>Let's see if this happens only for <code>SIGRTMIN+3</code> or for any signal
specified via the <code>STOPSIGNAL</code> instruction. To investigate that, we
will use the following <code>Dockerfile.stopsignal-demo</code> Dockerfile:</p>
<div class="highlight"><pre><span></span><code><span class="k">FROM</span><span class="w"> </span><span class="s">quay.io/fedora/fedora:35</span>
<span class="k">COPY</span><span class="w"> </span>demo-signal.sh<span class="w"> </span>/demo-signal.sh
<span class="k">RUN</span><span class="w"> </span>chmod<span class="w"> </span>a+x<span class="w"> </span>/demo-signal.sh
<span class="k">STOPSIGNAL</span><span class="w"> </span><span class="s">SIGINT</span>
<span class="k">CMD</span><span class="w"> </span><span class="p">[</span><span class="s2">"/demo-signal.sh"</span><span class="p">]</span>
</code></pre></div>
<p>The <code>demo-signal.sh</code> should have execute permission. The content is:</p>
<div class="highlight"><pre><span></span><code><span class="ch">#!/bin/bash</span>
<span class="k">function</span><span class="w"> </span>trap_signal<span class="w"> </span><span class="o">{</span>
<span class="w"> </span><span class="nb">local</span><span class="w"> </span><span class="nv">signal</span><span class="o">=</span><span class="s2">"</span><span class="nv">$1</span><span class="s2">"</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-e<span class="w"> </span><span class="s2">"\nExiting by </span><span class="si">${</span><span class="nv">signal</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>><span class="p">&</span><span class="m">2</span>
<span class="w"> </span><span class="nb">exit</span><span class="w"> </span><span class="m">0</span>
<span class="o">}</span>
<span class="k">for</span><span class="w"> </span>signal<span class="w"> </span><span class="k">in</span><span class="w"> </span>SIGINT<span class="w"> </span>SIGTERM<span class="w"> </span>SIGUSR1<span class="w"> </span><span class="s2">"SIGRTMIN+3"</span>
<span class="k">do</span>
<span class="w"> </span><span class="nb">trap</span><span class="w"> </span><span class="s2">"trap_signal '</span><span class="si">${</span><span class="nv">signal</span><span class="si">}</span><span class="s2">'"</span><span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">signal</span><span class="si">}</span><span class="s2">"</span>
<span class="k">done</span>
<span class="k">while</span><span class="w"> </span>true<span class="p">;</span><span class="w"> </span><span class="k">do</span>
<span class="w"> </span><span class="nb">echo</span><span class="w"> </span>-n<span class="w"> </span><span class="s2">"."</span>
<span class="w"> </span>sleep<span class="w"> </span><span class="m">1</span>
<span class="k">done</span>
</code></pre></div>
<blockquote>
<p>Update: Script updated based on PR at:
https://github.com/avisiedo/freeipa-kustomize/blob/idmocp-331-stopping-with-kind-and-podman/incubator/013-signalstop/demo-signal.sh</p>
</blockquote>
<p>Finally we define a workload with the following <code>pod-stopsignal-demo.yaml</code>:</p>
<div class="highlight"><pre><span></span><code><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">v1</span>
<span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Pod</span>
<span class="nt">metadata</span><span class="p">:</span>
<span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">stopsignal-demo</span>
<span class="w"> </span><span class="nt">labels</span><span class="p">:</span>
<span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">stopsignals</span>
<span class="nt">spec</span><span class="p">:</span>
<span class="w"> </span><span class="nt">automountServiceAccountToken</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
<span class="w"> </span><span class="nt">containers</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">main</span>
<span class="w"> </span><span class="nt">image</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">quay.io/avisied0/demos:stopsignal-demo</span>
<span class="w"> </span><span class="nt">imagePullPolicy</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">Always</span>
<span class="w"> </span><span class="nt">command</span><span class="p">:</span>
<span class="w"> </span><span class="p p-Indicator">-</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">/demo-signal.sh</span>
<span class="w"> </span><span class="nt">tty</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
<span class="w"> </span><span class="nt">privileged</span><span class="p">:</span><span class="w"> </span><span class="l l-Scalar l-Scalar-Plain">false</span>
</code></pre></div>
<p>Build the image and push:</p>
<div class="highlight"><pre><span></span><code><span class="nb">export</span><span class="w"> </span><span class="nv">IMG</span><span class="o">=</span><span class="s2">"quay.io/avisied0/demos:stopsignal-demo"</span>
podman<span class="w"> </span>build<span class="w"> </span>-t<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">IMG</span><span class="si">}</span><span class="s2">"</span><span class="w"> </span>-f<span class="w"> </span>Dockerfile.stopsignal-demo<span class="w"> </span>.
podman<span class="w"> </span>push<span class="w"> </span><span class="s2">"</span><span class="si">${</span><span class="nv">IMG</span><span class="si">}</span><span class="s2">"</span>
</code></pre></div>
<p>And we try the scenario by:</p>
<div class="highlight"><pre><span></span><code>oc<span class="w"> </span>create<span class="w"> </span>-f<span class="w"> </span>pod-stopsignal-demo.yaml<span class="w"> </span>--as<span class="w"> </span>system:serviceaccount:stopsignal:runasanyuid
oc<span class="w"> </span>logs<span class="w"> </span>pod/stopsignal-demo<span class="w"> </span>-f<span class="w"> </span>--as<span class="w"> </span>system:serviceaccount:stopsignal:runasanyuid<span class="w"> </span><span class="p">&</span>
oc<span class="w"> </span>delete<span class="w"> </span>-f<span class="w"> </span>pod-stopsignal-demo.yaml<span class="w"> </span>--as<span class="w"> </span>system:serviceaccount:stopsignal:runasanyuid
</code></pre></div>
<p>Getting the output below:</p>
<div class="highlight"><pre><span></span><code><span class="n">pod</span><span class="w"> </span><span class="s2">"stopsignal-demo"</span><span class="w"> </span><span class="n">deleted</span>
<span class="o">............</span>
<span class="n">Exiting</span><span class="w"> </span><span class="n">by</span><span class="w"> </span><span class="n">SIGINT</span>
</code></pre></div>
<p>When the <code>SIGINT</code> is specified into the STOPSIGNAL instruction in the Dockerfile
OpenShift is sending SIGINT signal to the pod when we delete the resource.</p>
<blockquote>
<p>When the <code>STOPSIGNAL 37</code> (<code>RTMIN+3</code>) is specified as a numeric value, OpenShift
is sending SIGTERM instead of the expected <code>SIGRTMIN+3</code> indicated into the
Dockerfile file.</p>
</blockquote>
<p><strong>Update</strong>:</p>
<blockquote>
<p>Another test was made in OpenShift 4.10 ci build on Wed Jan 5, 2022 and it worked
as expected, by sending the <code>SIGRTMIN+3</code> to the container workload. So this will
be fixed in future releases.</p>
</blockquote>
<h2>Solution: container lifecycle hooks</h2>
<ul>
<li>Create <code>pod-stopsignal-lifecycle.yaml</code> with the content below:</li>
</ul>
<p><code>yaml
apiVersion: v1
kind: Pod
metadata:
name: stopsignal-lifecycle
labels:
app: nginx
spec:
serviceAccount: runasanyuid
containers:
- name: nginx
image: quay.io/avisied0/demos:stopping-systemd
imagePullPolicy: Always
command: ["/sbin/init"]
tty: true
privileged: false
lifecycle: # (1)
preStop: # (2)
exec: # (3)
command: ["kill", "-RTMIN+3", "1"] # (4)</code></p>
<ul>
<li>(1) The lifecycle hooks for that container.</li>
<li>(2) A <code>preStop</code> hook is called before stopping the container.</li>
<li>(3) It will be an <code>exec</code> command.</li>
<li>
<p>(4) The command to be executed; the executable must exist in the container.</p>
</li>
<li>
<p>And we try again by:</p>
</li>
</ul>
<p><code>sh
oc create -f pod-stopsignal-lifecycle.yaml --as=system:serviceaccount:stopsignal:runasanyuid
oc logs pod/stopsignal-lifecycle -f --as=system:serviceaccount:stopsignal:runasanyuid &
oc delete -f pod-stopsignal-lifecycle.yaml --as=system:serviceaccount:stopsignal:runasanyuid</code></p>
<p>And the log output immediately shows the below:</p>
<div class="highlight"><pre><span></span><code><span class="n">pod</span><span class="w"> </span><span class="ss">"systemd-nginx"</span><span class="w"> </span><span class="n">deleted</span>
<span class="n">systemd</span><span class="o">-</span><span class="n">nginx</span><span class="w"> </span><span class="nl">login</span><span class="p">:</span><span class="w"> </span><span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Removed</span><span class="w"> </span><span class="n">slice</span><span class="w"> </span><span class="n">Slice</span><span class="w"> </span><span class="o">/</span><span class="k">system</span><span class="o">/</span><span class="n">getty</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Removed</span><span class="w"> </span><span class="n">slice</span><span class="w"> </span><span class="n">Slice</span><span class="w"> </span><span class="o">/</span><span class="k">system</span><span class="o">/</span><span class="n">modprobe</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Graphical</span><span class="w"> </span><span class="n">Interface</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Multi</span><span class="o">-</span><span class="k">User</span><span class="w"> </span><span class="k">System</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Login</span><span class="w"> </span><span class="n">Prompts</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Timer</span><span class="w"> </span><span class="n">Units</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">dnf</span><span class="w"> </span><span class="n">makecache</span><span class="w"> </span><span class="o">--</span><span class="n">timer</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Daily</span><span class="w"> </span><span class="n">rotation</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="nf">log</span><span class="w"> </span><span class="n">files</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Daily</span><span class="w"> </span><span class="n">Cleanup</span><span class="w"> </span><span class="k">of</span><span class="w"> </span><span class="k">Temporary</span><span class="w"> </span><span class="n">Directories</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Closed</span><span class="w"> </span><span class="n">Process</span><span class="w"> </span><span class="n">Core</span><span class="w"> </span><span class="k">Dump</span><span class="w"> </span><span class="n">Socket</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">Getty</span><span class="p">...</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">nginx</span><span class="w"> </span><span class="n">HTTP</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="nf">reverse</span><span class="w"> </span><span class="n">proxy</span><span class="w"> </span><span class="n">server</span><span class="p">...</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="k">User</span><span class="w"> </span><span class="n">Login</span><span class="w"> </span><span class="n">Management</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">Getty</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Permit</span><span class="w"> </span><span class="k">User</span><span class="w"> </span><span class="n">Sessions</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="k">User</span><span class="w"> </span><span class="n">Login</span><span class="w"> </span><span class="n">Management</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Permit</span><span class="w"> </span><span class="k">User</span><span class="w"> </span><span class="n">Sessions</span><span class="p">.</span>
<span class="n">systemd</span><span class="w"> </span><span class="n">v249</span><span class="mf">.7</span><span class="o">-</span><span class="mf">2.</span><span class="n">fc35</span><span class="w"> </span><span class="n">running</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="k">system</span><span class="w"> </span><span class="n">mode</span><span class="w"> </span><span class="p">(</span><span class="o">+</span><span class="n">PAM</span><span class="w"> </span><span class="o">+</span><span class="n">AUDIT</span><span class="w"> </span><span class="o">+</span><span class="n">SELINUX</span><span class="w"> </span><span class="o">-</span><span class="n">APPARMOR</span><span class="w"> </span><span class="o">+</span><span class="n">IMA</span><span class="w"> </span><span class="o">+</span><span class="n">SMACK</span><span class="w"> </span><span class="o">+</span><span class="n">SECCOMP</span><span class="w"> </span><span class="o">+</span><span class="n">GCRYPT</span><span class="w"> </span><span class="o">+</span><span class="n">GNUTLS</span><span class="w"> </span><span class="o">+</span><span class="n">OPENSSL</span><span class="w"> </span><span class="o">+</span><span class="n">ACL</span><span class="w"> </span><span class="o">+</span><span class="n">BLKID</span><span class="w"> </span><span class="o">+</span><span class="n">CURL</span><span class="w"> </span><span class="o">+</span><span class="n">ELFUTILS</span><span class="w"> </span><span class="o">+</span><span class="n">FIDO2</span><span class="w"> </span><span class="o">+</span><span class="n">IDN2</span><span class="w"> </span><span class="o">-</span><span class="n">IDN</span><span class="w"> </span><span class="o">+</span><span class="n">IPTC</span><span class="w"> </span><span class="o">+</span><span class="n">KMOD</span><span class="w"> </span><span class="o">+</span><span class="n">LIBCRYPTSETUP</span><span class="w"> </span><span class="o">+</span><span class="n">LIBFDISK</span><span class="w"> </span><span class="o">+</span><span class="n">PCRE2</span><span class="w"> </span><span class="o">+</span><span class="n">PWQUALITY</span><span class="w"> </span><span class="o">+</span><span class="n">P11KIT</span><span class="w"> </span><span class="o">+</span><span class="n">QRENCODE</span><span class="w"> </span><span class="o">+</span><span class="n">BZIP2</span><span class="w"> </span><span class="o">+</span><span class="n">LZ4</span><span class="w"> </span><span class="o">+</span><span class="n">XZ</span><span class="w"> </span><span class="o">+</span><span class="n">ZLIB</span><span class="w"> </span><span class="o">+</span><span class="n">ZSTD</span><span class="w"> </span><span class="o">+</span><span class="n">XKBCOMMON</span><span class="w"> </span><span class="o">+</span><span class="n">UTMP</span><span class="w"> </span><span class="o">+</span><span class="n">SYSVINIT</span><span class="w"> </span><span class="k">default</span><span class="o">-</span><span class="n">hierarchy</span><span class="o">=</span><span class="n">unified</span><span class="p">)</span>
<span class="n">Detected</span><span class="w"> </span><span class="n">virtualization</span><span class="w"> </span><span class="n">podman</span><span class="p">.</span>
<span class="n">Detected</span><span class="w"> </span><span class="n">architecture</span><span class="w"> </span><span class="n">x86</span><span class="o">-</span><span class="mf">64.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">The</span><span class="w"> </span><span class="n">nginx</span><span class="w"> </span><span class="n">HTTP</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="nf">reverse</span><span class="w"> </span><span class="n">proxy</span><span class="w"> </span><span class="n">server</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">Online</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">Host</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">Lookups</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Remote</span><span class="w"> </span><span class="k">File</span><span class="w"> </span><span class="n">Systems</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Home</span><span class="w"> </span><span class="n">Area</span><span class="w"> </span><span class="n">Activation</span><span class="p">...</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">Resolution</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Network</span><span class="w"> </span><span class="n">Name</span><span class="w"> </span><span class="n">Resolution</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Home</span><span class="w"> </span><span class="n">Area</span><span class="w"> </span><span class="n">Activation</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Home</span><span class="w"> </span><span class="n">Area</span><span class="w"> </span><span class="n">Manager</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Home</span><span class="w"> </span><span class="n">Area</span><span class="w"> </span><span class="n">Manager</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Basic</span><span class="w"> </span><span class="k">System</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">Path</span><span class="w"> </span><span class="n">Units</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Dispatch</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="err">…</span><span class="n">ts</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">Console</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="n">Watch</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Forward</span><span class="w"> </span><span class="n">Password</span><span class="w"> </span><span class="n">R</span><span class="err">…</span><span class="n">uests</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">Wall</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="n">Watch</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Slice</span><span class="w"> </span><span class="n">Units</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Removed</span><span class="w"> </span><span class="n">slice</span><span class="w"> </span><span class="k">User</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="k">Session</span><span class="w"> </span><span class="n">Slice</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Socket</span><span class="w"> </span><span class="n">Units</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">D</span><span class="o">-</span><span class="n">Bus</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Message</span><span class="w"> </span><span class="n">Bus</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">D</span><span class="o">-</span><span class="n">Bus</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Message</span><span class="w"> </span><span class="n">Bus</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Closed</span><span class="w"> </span><span class="n">D</span><span class="o">-</span><span class="n">Bus</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Message</span><span class="w"> </span><span class="n">Bus</span><span class="w"> </span><span class="n">Socket</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Initialization</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">Local</span><span class="w"> </span><span class="n">Verity</span><span class="w"> </span><span class="n">Protected</span><span class="w"> </span><span class="n">Volumes</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="k">Update</span><span class="w"> </span><span class="k">is</span><span class="w"> </span><span class="n">Completed</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Rebuild</span><span class="w"> </span><span class="k">Dynamic</span><span class="w"> </span><span class="n">Linker</span><span class="w"> </span><span class="n">Cache</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Rebuild</span><span class="w"> </span><span class="n">Journal</span><span class="w"> </span><span class="k">Catalog</span><span class="p">.</span>
<span class="w"> </span><span class="n">Stopping</span><span class="w"> </span><span class="n">Record</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Boot</span><span class="o">/</span><span class="k">Shutdown</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">UTMP</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">Record</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Boot</span><span class="o">/</span><span class="k">Shutdown</span><span class="w"> </span><span class="ow">in</span><span class="w"> </span><span class="n">UTMP</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="k">Create</span><span class="w"> </span><span class="n">Volatile</span><span class="w"> </span><span class="n">Files</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">Directories</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">Local</span><span class="w"> </span><span class="k">File</span><span class="w"> </span><span class="n">Systems</span><span class="p">.</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hostname</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hosts</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">resolv</span><span class="p">.</span><span class="n">conf</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">lock</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">secrets</span><span class="o">/</span><span class="n">kubernetes</span><span class="p">.</span><span class="n">io</span><span class="o">/</span><span class="n">serviceaccount</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="k">Temporary</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="p">...</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="nf">var</span><span class="o">/</span><span class="nf">log</span><span class="o">/</span><span class="n">journal</span><span class="p">...</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="k">Create</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Users</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hosts</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">lock</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">sec</span><span class="err">…</span><span class="o">/</span><span class="n">kubernetes</span><span class="p">.</span><span class="n">io</span><span class="o">/</span><span class="n">serviceaccount</span><span class="p">.</span>
<span class="w"> </span><span class="n">Unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">secrets</span><span class="p">...</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">resolv</span><span class="p">.</span><span class="n">conf</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="k">Temporary</span><span class="w"> </span><span class="n">Directory</span><span class="w"> </span><span class="o">/</span><span class="n">tmp</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="nf">var</span><span class="o">/</span><span class="nf">log</span><span class="o">/</span><span class="n">journal</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">hostname</span><span class="p">.</span>
<span class="o">[</span><span class="n">FAILED</span><span class="o">]</span><span class="w"> </span><span class="n">Failed</span><span class="w"> </span><span class="n">unmounting</span><span class="w"> </span><span class="o">/</span><span class="n">run</span><span class="o">/</span><span class="n">secrets</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Stopped</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Swaps</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Reached</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="k">Shutdown</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Reached</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Unmount</span><span class="w"> </span><span class="ow">All</span><span class="w"> </span><span class="n">Filesystems</span><span class="p">.</span>
<span class="o">[</span><span class="n"> OK </span><span class="o">]</span><span class="w"> </span><span class="n">Reached</span><span class="w"> </span><span class="n">target</span><span class="w"> </span><span class="n">Late</span><span class="w"> </span><span class="k">Shutdown</span><span class="w"> </span><span class="n">Services</span><span class="p">.</span>
<span class="w"> </span><span class="n">Starting</span><span class="w"> </span><span class="k">System</span><span class="w"> </span><span class="n">Halt</span><span class="p">...</span>
<span class="n">Sending</span><span class="w"> </span><span class="n">SIGTERM</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">remaining</span><span class="w"> </span><span class="n">processes</span><span class="p">...</span>
<span class="n">Sending</span><span class="w"> </span><span class="n">SIGKILL</span><span class="w"> </span><span class="k">to</span><span class="w"> </span><span class="n">remaining</span><span class="w"> </span><span class="n">processes</span><span class="p">...</span>
<span class="ow">All</span><span class="w"> </span><span class="n">filesystems</span><span class="p">,</span><span class="w"> </span><span class="n">swaps</span><span class="p">,</span><span class="w"> </span><span class="n">loop</span><span class="w"> </span><span class="n">devices</span><span class="p">,</span><span class="w"> </span><span class="n">MD</span><span class="w"> </span><span class="n">devices</span><span class="w"> </span><span class="ow">and</span><span class="w"> </span><span class="n">DM</span><span class="w"> </span><span class="n">devices</span><span class="w"> </span><span class="n">detached</span><span class="p">.</span>
<span class="n">Halting</span><span class="w"> </span><span class="k">system</span><span class="p">.</span>
<span class="n">Exiting</span><span class="w"> </span><span class="n">container</span><span class="p">.</span>
</code></pre></div>
<h2>Wrap up</h2>
<p>In this article we have seen that:</p>
<ul>
<li>systemd workloads need <code>SIGRTMIN+3</code> for stopping the workload gracefully.</li>
<li>OpenShift does not send the signal specified in the container
image (via the <code>STOPSIGNAL</code> instruction). It does starting in OpenShift 4.10.</li>
<li>We can use a container lifecycle hook to
interact with the workload when stopping the container until the fix is
available. For this scenario, we can use the <code>kill</code> binary (which must exist in the
container) to send <code>SIGRTMIN+3</code> to PID 1 (systemd).</li>
</ul>
<p><strong>Updates</strong>:</p>
<ul>
<li>The reason the STOPSINAL instruction is not interpreted in OpenShift is
because the signal name RTMIN+3 is not properly parsed. Actually there
are a fix for this situation (<a href="https://github.com/cri-o/cri-o/pull/5366">this PR</a>),
that has been seen that will be included in OpenShift 4.10. Until this
version is released, the solution above could make the works.</li>
</ul>
<h2>References</h2>
<ul>
<li><a href="https://developers.redhat.com/blog/2019/04/24/how-to-run-systemd-in-a-container?source=sso#other_cool_features_about_podman_and_systemd">How to run systemd in a container</a>.</li>
<li><a href="https://www.freedesktop.org/software/systemd/man/systemd.html#SIGRTMIN+3">Systemd SIGRTMIN+3</a>.</li>
<li><a href="https://docs.docker.com/engine/reference/builder/#stopsignal">Dockerfile - STOPSIGNAL</a>.</li>
<li><a href="https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/">Container Lifecycle Hooks</a>.</li>
<li><a href="https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/">Attach Handlers to Container Lifecycle Events</a>.</li>
<li><strong>UPDATE</strong>: <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2000877">BZ 2000877</a>.</li>
</ul>