From 23ac9f57b9b4c761cb8edc5bfa0c0de77ec89326 Mon Sep 17 00:00:00 2001 From: Silvio Rhatto Date: Sat, 30 Sep 2017 14:06:22 -0300 Subject: Change extension to .md --- suckless/cli.md | 16 ++++++++ suckless/cli.mdwn | 16 -------- suckless/messaging.md | 103 ++++++++++++++++++++++++++++++++++++++++++++++++ suckless/messaging.mdwn | 103 ------------------------------------------------ suckless/sites.md | 90 ++++++++++++++++++++++++++++++++++++++++++ suckless/sites.mdwn | 90 ------------------------------------------ suckless/virtual.md | 101 +++++++++++++++++++++++++++++++++++++++++++++++ suckless/virtual.mdwn | 101 ----------------------------------------------- 8 files changed, 310 insertions(+), 310 deletions(-) create mode 100644 suckless/cli.md delete mode 100644 suckless/cli.mdwn create mode 100644 suckless/messaging.md delete mode 100644 suckless/messaging.mdwn create mode 100644 suckless/sites.md delete mode 100644 suckless/sites.mdwn create mode 100644 suckless/virtual.md delete mode 100644 suckless/virtual.mdwn (limited to 'suckless') diff --git a/suckless/cli.md b/suckless/cli.md new file mode 100644 index 0000000..8dd9c01 --- /dev/null +++ b/suckless/cli.md @@ -0,0 +1,16 @@ +[[!meta title="The New Command Line Manifesto"]] + +Idea: let all new commands to support also machine-readable +formats as inputs and outputs. + +This, along with UNIX pipes and daemon interfacing, brings CLI +to a new era of services that are: + +* Still based on small programs that do one thing but one thing right. +* But also are capable of interacting with each other in an uniform way. + +So let them support parameters like `--json` and `--yaml` for it's I/O. + +In other words, with parsers and serializers it's possible to keep an +ecosystem of UNIX microservices interacting with each other using a +consistent API. diff --git a/suckless/cli.mdwn b/suckless/cli.mdwn deleted file mode 100644 index 8dd9c01..0000000 --- a/suckless/cli.mdwn +++ /dev/null 
@@ -1,16 +0,0 @@ -[[!meta title="The New Command Line Manifesto"]] - -Idea: let all new commands to support also machine-readable -formats as inputs and outputs. - -This, along with UNIX pipes and daemon interfacing, brings CLI -to a new era of services that are: - -* Still based on small programs that do one thing but one thing right. -* But also are capable of interacting with each other in an uniform way. - -So let them support parameters like `--json` and `--yaml` for it's I/O. - -In other words, with parsers and serializers it's possible to keep an -ecosystem of UNIX microservices interacting with each other using a -consistent API. diff --git a/suckless/messaging.md b/suckless/messaging.md new file mode 100644 index 0000000..81c80a6 --- /dev/null +++ b/suckless/messaging.md 
@@ -0,0 +1,103 @@ +[[!meta title="Mensageria Suckless"]] + +Quem não comunica se trumbica. Mas quem comunica também. Porque tá cheio de +sistema por aí que te afaga e te apedreja ao mesmo tempo. Oferece serviço de +vigilância gratuita que possui funcionalidade de comunicação. + +Aqui queremos a boa e velha mensageria suckless, que também é uma merda, mas é +uma merda menor do que o enlatado baseado em soluções proprietárias oferecido +pelas startups turbocapitalistas. + +Isto aqui é um esboço! Patches são bem vindos :) + +Requisitos +---------- + +* Seja independente de plataforma e independente de um computador móvel como + smartphones. + +* Sessão persistente: podem te enviar mensagem mesmo que você não esteja online. + Melhor ainda, que você conste como online mesmo que não esteja acessando a + mensageria. + +* Um mínimo de privacidade: conexão cifrada com o servidor, criptografia + ponta-a-ponta com negação plausível pra falar com os/as amiguinhos, sem logs. + +Ingredientes +------------ + +1. Conta shell num servidor com bom uptime e acesso SSH. + +2. Mutiplexador de terminal. + + É uma espécie de "gerenciador de janelas" para + a linha de comando que permite manter programas + rodando em background mesmo quando o terminal + é fechado. + + Ele permite que malandros deixem a mensageria + IRC rodando no servidor mesmo que não estejam + conectados via SSH. + + Exemplos: tmux e screen + +3. Cliente de IRC + + Exemplos: irssi e weechat + +Howto +----- + +Logando e instalando: + + ssh servidor-remoto + sudo apt install tmux irssi irssi-plugin-otr + +Criando uma sessão para o IRC: + + tmux + +Abrindo o cliente e se conectando no rolê: + + irssi + +Para sair da sessão sem encerrar a mensageria, digite Ctrl B D +(control sequence do tmux mais o comando "detach"). Depois é +só encerrar a shell do servidor remoto. 
+ +Para se reconectar, basta + + ssh servidor-remoto tmux attach + +Básico do IRC +------------- + + /network add -nick -realname freenode + /server add -auto -ssl_verify -ssl_capath /etc/ssl/certs -network freenode chat.freenode.net 7000 + /save + /connect freenode + /join #canal + +Bônus +----- + +* Tor. +* Bitlbee. + +Privacidade +----------- + +Note que uma sessão persistente implica no cliente rodando num +servidor. Isso pode degradar sua privacidade, uma vez que o servidor +pode ser comprometido de várias formas. É importante ter consciência +disso. + +Da mesma forma que seu celular pode ser invadido, roubado e ter dados extraídos, +um servidor também é um ponto vulnerável na sua comunicação, especialmente +se for nele que as chaves criptográficas estiverem armazenadas. + +Assim, a sessão persistente de mensageria oferece um nível de segurança apenas +intermediário, servindo para a comunicação do dia-a-dia que não for sensível. + +Para comunicação sensível, o melhor é rodar o cliente de mensageria diretamente +a partir do seu [Console Físico Confiável](https://opsec.fluxo.info/specs/tpc). diff --git a/suckless/messaging.mdwn b/suckless/messaging.mdwn deleted file mode 100644 index 81c80a6..0000000 --- a/suckless/messaging.mdwn +++ /dev/null 
@@ -1,103 +0,0 @@ -[[!meta title="Mensageria Suckless"]] - -Quem não comunica se trumbica. Mas quem comunica também. Porque tá cheio de -sistema por aí que te afaga e te apedreja ao mesmo tempo. Oferece serviço de -vigilância gratuita que possui funcionalidade de comunicação. - -Aqui queremos a boa e velha mensageria suckless, que também é uma merda, mas é -uma merda menor do que o enlatado baseado em soluções proprietárias oferecido -pelas startups turbocapitalistas. - -Isto aqui é um esboço! Patches são bem vindos :) - -Requisitos ----------- - -* Seja independente de plataforma e independente de um computador móvel como - smartphones. - -* Sessão persistente: podem te enviar mensagem mesmo que você não esteja online. - Melhor ainda, que você conste como online mesmo que não esteja acessando a - mensageria. - -* Um mínimo de privacidade: conexão cifrada com o servidor, criptografia - ponta-a-ponta com negação plausível pra falar com os/as amiguinhos, sem logs. - -Ingredientes ------------- - -1. Conta shell num servidor com bom uptime e acesso SSH. - -2. Mutiplexador de terminal. - - É uma espécie de "gerenciador de janelas" para - a linha de comando que permite manter programas - rodando em background mesmo quando o terminal - é fechado. - - Ele permite que malandros deixem a mensageria - IRC rodando no servidor mesmo que não estejam - conectados via SSH. - - Exemplos: tmux e screen - -3. Cliente de IRC - - Exemplos: irssi e weechat - -Howto ------ - -Logando e instalando: - - ssh servidor-remoto - sudo apt install tmux irssi irssi-plugin-otr - -Criando uma sessão para o IRC: - - tmux - -Abrindo o cliente e se conectando no rolê: - - irssi - -Para sair da sessão sem encerrar a mensageria, digite Ctrl B D -(control sequence do tmux mais o comando "detach"). Depois é -só encerrar a shell do servidor remoto. 
- -Para se reconectar, basta - - ssh servidor-remoto tmux attach - -Básico do IRC -------------- - - /network add -nick -realname freenode - /server add -auto -ssl_verify -ssl_capath /etc/ssl/certs -network freenode chat.freenode.net 7000 - /save - /connect freenode - /join #canal - -Bônus ------ - -* Tor. -* Bitlbee. - -Privacidade ------------ - -Note que uma sessão persistente implica no cliente rodando num -servidor. Isso pode degradar sua privacidade, uma vez que o servidor -pode ser comprometido de várias formas. É importante ter consciência -disso. - -Da mesma forma que seu celular pode ser invadido, roubado e ter dados extraídos, -um servidor também é um ponto vulnerável na sua comunicação, especialmente -se for nele que as chaves criptográficas estiverem armazenadas. - -Assim, a sessão persistente de mensageria oferece um nível de segurança apenas -intermediário, servindo para a comunicação do dia-a-dia que não for sensível. - -Para comunicação sensível, o melhor é rodar o cliente de mensageria diretamente -a partir do seu [Console Físico Confiável](https://opsec.fluxo.info/specs/tpc). diff --git a/suckless/sites.md b/suckless/sites.md new file mode 100644 index 0000000..a1f47c5 --- /dev/null +++ b/suckless/sites.md 
@@ -0,0 +1,90 @@ +[[!meta title="We are the static site generation!"]] + +# Current practice + +Currently [ikiwiki](http://ikiwiki.info) is adopted by the following reasons: + +1. There is a [Debian package](https://packages.debian.org/stable/ikiwiki). +2. It's flexible enough to support both local or remote side static compilation: + * Local compilation by calling the `ikiwiki` command directly. + * Remotelly by using a [git hook](http://ikiwiki.info/rcs/git/). + +When it's said **both** it means that you don't need to choose either of the two options: you can choose or both simultaneously. + +## Static site example + +Here comes the mandadoty "Hello world" example from the statically generated site realm: + + mkdir blog && cd blog + echo "Hello world..." > index.mdwn + ikiwiki --rebuild --exclude www . www + +That's it! You have a generated site sitting at your `www` subfolder which can be copied remotelly using `rsync`. + +## Version control + +It's a good pratice to keep your work under version control: + + git init + echo "/.ikiwiki" > .gitignore + echo "/recentchanges" >> .gitignore + echo "/www" >> .gitignore + git add . + git commit -m "Initial import" + +## Add a bit of sofistication + +* Use [this Makefile](/Makefile) as an starting point to refresh and publish your wiki by simply running `make web`. +* Use a [complete ikiwiki template](https://git.fluxo.info/?p=templates.git;a=tree;f=ikiwiki;h=HEAD) and change to your needs. +* If you're a automation junkie, try the [puppet-ikiwiki](https://git.fluxo.info/puppet-ikiwiki.git) module. + +## Theming + +Currently using [Ikiwiki](http://ikiwiki.info) with [Bootstrap](http://twitter.github.io/bootstrap/): + +* [Templates](https://github.com/tgpfeiffer/ikiwiki-bootstrap-template). +* [Bootswatch](http://bootswatch.com) themes. 
+ +## Deployment + +You can create passwordless SSH keys and use [rrsync](http://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/) ([2](http://wiki.hands.com/howto/passphraseless-ssh/)) to restrict access. Then add an entry into your `~/.ssh/config`: + + Host blog.example.org blog + HostName blog.example.org + User blog + IdentityFile ~/.ssh/blog@blog.example.org + +Now simply run `make web_deploy` with the above mentioned `Makefile` do sync your static site! + +## Ikiwiki references + +* [Ikiwiki](http://ikiwiki.info). +* [Improving Ikiwiki style with Bootstrap](https://ceops.eu/posts/Improving%20Ikiwiki%20style%20with%20Bootstrap/). +* [How to have a nice design for ikiwiki](http://www2.tblein.eu/posts/How_to_have_a_nice_design_for_ikiwiki/). +* [gsliepen/ikistrap: Bootstrap 4 theme for ikiwiki](https://github.com/gsliepen/ikistrap/). + +# Alternatives + +* [The updated big list of static website generators for your site, blog or wiki](https://iwantmyname.com/blog/2014/05/the-updated-big-list-of-static-website-generators-for-your-site-blog-or-wiki). +* [Top Open-Source Static Site Generators - StaticGen](https://www.staticgen.com/). +* [Static Site Generators](https://staticsitegenerators.net/). +* [Static Site Generators at GitHub](https://github.com/skx/static-site-generators). +* [Replacing Jekyll with Pandoc and a Makefile](https://tylercipriani.com/2014/05/13/replace-jekyll-with-pandoc-makefile.html). +* [Brane Dump: Static Comments in Jekyll](http://www.hezmatt.org/~mpalmer/blog/2011/07/19/static-comments-in-jekyll.html). +* [Hyde](https://github.com/lakshmivyas/hyde/) ([package](https://packages.debian.org/stable/hyde)). +* [Gollum](https://github.com/gollum/gollum). +* [Hugo](https://gohugo.io/). +* [Amber](https://github.com/leapcode/amber). +* [Grav](http://getgrav.org/). +* [Hakyll](http://jaspervdj.be/hakyll/) ([package](https://packages.debian.org/sid/libghc-hakyll-dev)). 
+* [Jekyll](http://jekyllrb.com/) ([package](https://packages.debian.org/stable/jekyll)). +* [Static site generators for building web sites](https://lwn.net/Articles/541299/). +* [Pelican Static Site Generator, Powered by Python](http://blog.getpelican.com/) ([package](https://packages.debian.org/sid/python-pelican)). +* [Middleman: Hand-crafted frontend development](https://middlemanapp.com/). +* [Juvia: a commenting server similar to Disqus and IntenseDebate](https://github.com/phusion/juvia). +* [gitit](https://github.com/jgm/gitit/tree/master/). +* [Sphinx](http://sphinx-doc.org/) ([package](https://packages.debian.org/stable/python-sphinx)). +* [Utterson: a minimal static blog generator written using old-school unix tools (make, ksh, m4, awk, procmail and a pinch of elisp)](https://github.com/stef/utterson). +* [werc - A sane web anti-framework](http://werc.cat-v.org/). +* [cfenollosa/bashblog: A single Bash script to create blogs. Download, run, write, done!](https://github.com/cfenollosa/bashblog). +* [blogofile](https://packages.debian.org/stable/blogofile) diff --git a/suckless/sites.mdwn b/suckless/sites.mdwn deleted file mode 100644 index a1f47c5..0000000 --- a/suckless/sites.mdwn +++ /dev/null 
@@ -1,90 +0,0 @@ -[[!meta title="We are the static site generation!"]] - -# Current practice - -Currently [ikiwiki](http://ikiwiki.info) is adopted by the following reasons: - -1. There is a [Debian package](https://packages.debian.org/stable/ikiwiki). -2. It's flexible enough to support both local or remote side static compilation: - * Local compilation by calling the `ikiwiki` command directly. - * Remotelly by using a [git hook](http://ikiwiki.info/rcs/git/). - -When it's said **both** it means that you don't need to choose either of the two options: you can choose or both simultaneously. - -## Static site example - -Here comes the mandadoty "Hello world" example from the statically generated site realm: - - mkdir blog && cd blog - echo "Hello world..." > index.mdwn - ikiwiki --rebuild --exclude www . www - -That's it! You have a generated site sitting at your `www` subfolder which can be copied remotelly using `rsync`. - -## Version control - -It's a good pratice to keep your work under version control: - - git init - echo "/.ikiwiki" > .gitignore - echo "/recentchanges" >> .gitignore - echo "/www" >> .gitignore - git add . - git commit -m "Initial import" - -## Add a bit of sofistication - -* Use [this Makefile](/Makefile) as an starting point to refresh and publish your wiki by simply running `make web`. -* Use a [complete ikiwiki template](https://git.fluxo.info/?p=templates.git;a=tree;f=ikiwiki;h=HEAD) and change to your needs. -* If you're a automation junkie, try the [puppet-ikiwiki](https://git.fluxo.info/puppet-ikiwiki.git) module. - -## Theming - -Currently using [Ikiwiki](http://ikiwiki.info) with [Bootstrap](http://twitter.github.io/bootstrap/): - -* [Templates](https://github.com/tgpfeiffer/ikiwiki-bootstrap-template). -* [Bootswatch](http://bootswatch.com) themes. 
- -## Deployment - -You can create passwordless SSH keys and use [rrsync](http://www.guyrutenberg.com/2014/01/14/restricting-ssh-access-to-rsync/) ([2](http://wiki.hands.com/howto/passphraseless-ssh/)) to restrict access. Then add an entry into your `~/.ssh/config`: - - Host blog.example.org blog - HostName blog.example.org - User blog - IdentityFile ~/.ssh/blog@blog.example.org - -Now simply run `make web_deploy` with the above mentioned `Makefile` do sync your static site! - -## Ikiwiki references - -* [Ikiwiki](http://ikiwiki.info). -* [Improving Ikiwiki style with Bootstrap](https://ceops.eu/posts/Improving%20Ikiwiki%20style%20with%20Bootstrap/). -* [How to have a nice design for ikiwiki](http://www2.tblein.eu/posts/How_to_have_a_nice_design_for_ikiwiki/). -* [gsliepen/ikistrap: Bootstrap 4 theme for ikiwiki](https://github.com/gsliepen/ikistrap/). - -# Alternatives - -* [The updated big list of static website generators for your site, blog or wiki](https://iwantmyname.com/blog/2014/05/the-updated-big-list-of-static-website-generators-for-your-site-blog-or-wiki). -* [Top Open-Source Static Site Generators - StaticGen](https://www.staticgen.com/). -* [Static Site Generators](https://staticsitegenerators.net/). -* [Static Site Generators at GitHub](https://github.com/skx/static-site-generators). -* [Replacing Jekyll with Pandoc and a Makefile](https://tylercipriani.com/2014/05/13/replace-jekyll-with-pandoc-makefile.html). -* [Brane Dump: Static Comments in Jekyll](http://www.hezmatt.org/~mpalmer/blog/2011/07/19/static-comments-in-jekyll.html). -* [Hyde](https://github.com/lakshmivyas/hyde/) ([package](https://packages.debian.org/stable/hyde)). -* [Gollum](https://github.com/gollum/gollum). -* [Hugo](https://gohugo.io/). -* [Amber](https://github.com/leapcode/amber). -* [Grav](http://getgrav.org/). -* [Hakyll](http://jaspervdj.be/hakyll/) ([package](https://packages.debian.org/sid/libghc-hakyll-dev)). 
-* [Jekyll](http://jekyllrb.com/) ([package](https://packages.debian.org/stable/jekyll)). -* [Static site generators for building web sites](https://lwn.net/Articles/541299/). -* [Pelican Static Site Generator, Powered by Python](http://blog.getpelican.com/) ([package](https://packages.debian.org/sid/python-pelican)). -* [Middleman: Hand-crafted frontend development](https://middlemanapp.com/). -* [Juvia: a commenting server similar to Disqus and IntenseDebate](https://github.com/phusion/juvia). -* [gitit](https://github.com/jgm/gitit/tree/master/). -* [Sphinx](http://sphinx-doc.org/) ([package](https://packages.debian.org/stable/python-sphinx)). -* [Utterson: a minimal static blog generator written using old-school unix tools (make, ksh, m4, awk, procmail and a pinch of elisp)](https://github.com/stef/utterson). -* [werc - A sane web anti-framework](http://werc.cat-v.org/). -* [cfenollosa/bashblog: A single Bash script to create blogs. Download, run, write, done!](https://github.com/cfenollosa/bashblog). -* [blogofile](https://packages.debian.org/stable/blogofile) diff --git a/suckless/virtual.md b/suckless/virtual.md new file mode 100644 index 0000000..51c01c1 --- /dev/null +++ b/suckless/virtual.md 
@@ -0,0 +1,101 @@ +[[!meta title="Virtualized GUI environments"]] + +Can't or don't want to use [Qubes OS](https://www.qubes-os.org/)? Here comes a straightforward sollution +that, while not offering the same level of security, is practical enough to be implemented in the confort +of your current FOSS OS! + +A picture +--------- + +Could you spot the difference between the Tor Browser running in the host for the one inside the virtual machine? That's what we want to achieve! + +![Screenshot](screenshot.png) + +First things first +------------------ + +What you can do: + +1. Create a virtual machine image of the operating system of your choice like [this example](https://padrao.fluxo.info/boxes/). +2. Setup basic X11 environment with automatic login and startup programs. +3. Configure your hypervisor to hide icons and additional decorations around the virtual machine. +4. Setup key bindings on your window manager to start/resume and stop/suspend the virtual machine. + +Debian desktop +-------------- + +When using a debian virtual machine as a virtual desktop, consider the following: + + apt-get install lightdm ratpoison + +Make sure to configure `/etc/lightdm/lightdm.conf` with something like + + autologin-user=vagrant + autologin-user-timeout=0 + +If using VirtualBox, you might also want to try [virtualbox-guest-x11](https://packages.debian.org/stable/virtualbox-guest-x11). + +Features +-------- + +* Good security through isolation. +* Improved start/stop of your application by using virtual machine suspend/resume. +* Minor performance penalties while running the virtual machine. + +Limitations +----------- + +* Memory and disk consumption. +* Clipboard might still be available to the virtual environment, see [this discussion](http://theinvisiblethings.blogspot.com.br/2011/04/linux-security-circus-on-gui-isolation.html). + +Future +------ + +* This should be better documented! +* Automated expendable snapshots for one-time-use virtual machines. 
+* Automated recipes (puppet/ansible). +* Vagrant integration for fast provisioning of golden images. +* Alternatives to the VirtualBox hypervisor. + +References +---------- + +Applications: + +* [kvmx script](https://kvmx.fluxo.info). +* [vbox script](https://git.fluxo.info/vbox). +* [plymouth - Debian Wiki](https://wiki.debian.org/plymouth). +* [SPICE Project](http://www.spice-space.org/). + +Other implementations: + +* [Marco Carnut: Ambiente "Auto-Limpante" via Virtualização Ultra-Leve Descartável - Tempest Blog](http://blog.tempest.com.br/marco-carnut/ambiente-auto-limpante-via-virtualizacao-ultra-leve-descartavel.html). +* [Subgraph OS and Mail](https://subgraph.com/sgos/index.en.html). + +Tips: + +* If using Firefox, try to disable hardware graphics acceleration as it might impact performance and produce graphics artifacts. This behavior was seem on VMs running with qemu-kvm with SPICE. + +Spice and KVM: + +* http://www.linux-kvm.org/page/SPICE +* https://www.spice-space.org/spice-user-manual.html +* https://kuther.net/content/convert-virtualbox-kvmqemu +* http://www.ubuntugeek.com/how-change-display-resolution-settings-using-xrandr.html +* https://bugzilla.redhat.com/show_bug.cgi?id=1020393 +* https://people.freedesktop.org/~teuf/spice-doc/html/ch03.html +* http://askubuntu.com/questions/107228/how-to-resize-virtual-machine-disk#481887 +* http://wiki.qemu.org/Documentation/9psetup +* https://ask.fedoraproject.org/en/question/8080/shared-folder-with-qemu-kvm/ + +Mounting guest images: + +* [Mounting raw and qcow2 VM disk images](https://alexeytorkhov.blogspot.com.br/2009/09/mounting-raw-and-qcow2-vm-disk-images.html) using `losetup` or `qemu-nbd`. +* [guestmount](http://libguestfs.org/guestmount.1.html) from [libguestfs, a library for accessing and modifying VM disk images](http://libguestfs.org/). + +Image optimization: + +* [Tip: Making a disk image sparse | Richard WM Jones](https://rwmj.wordpress.com/2010/10/19/tip-making-a-disk-image-sparse/). 
+* [How to convert a non-sparse image to a sparse image – Patrick's Blog(2)](https://blog.laimbock.com/2013/10/31/how-to-convert-a-non-sparse-image-to-sparse/). + + ionice -c 3 nice -n 19 virt-sparsify --tmp /tmp --convert qcow2 --compress box.img box.new && mv box.new box.img diff --git a/suckless/virtual.mdwn b/suckless/virtual.mdwn deleted file mode 100644 index 51c01c1..0000000 --- a/suckless/virtual.mdwn +++ /dev/null 
@@ -1,101 +0,0 @@ -[[!meta title="Virtualized GUI environments"]] - -Can't or don't want to use [Qubes OS](https://www.qubes-os.org/)? Here comes a straightforward sollution -that, while not offering the same level of security, is practical enough to be implemented in the confort -of your current FOSS OS! - -A picture ---------- - -Could you spot the difference between the Tor Browser running in the host for the one inside the virtual machine? That's what we want to achieve! - -![Screenshot](screenshot.png) - -First things first ------------------- - -What you can do: - -1. Create a virtual machine image of the operating system of your choice like [this example](https://padrao.fluxo.info/boxes/). -2. Setup basic X11 environment with automatic login and startup programs. -3. Configure your hypervisor to hide icons and additional decorations around the virtual machine. -4. Setup key bindings on your window manager to start/resume and stop/suspend the virtual machine. - -Debian desktop --------------- - -When using a debian virtual machine as a virtual desktop, consider the following: - - apt-get install lightdm ratpoison - -Make sure to configure `/etc/lightdm/lightdm.conf` with something like - - autologin-user=vagrant - autologin-user-timeout=0 - -If using VirtualBox, you might also want to try [virtualbox-guest-x11](https://packages.debian.org/stable/virtualbox-guest-x11). - -Features --------- - -* Good security through isolation. -* Improved start/stop of your application by using virtual machine suspend/resume. -* Minor performance penalties while running the virtual machine. - -Limitations ------------ - -* Memory and disk consumption. -* Clipboard might still be available to the virtual environment, see [this discussion](http://theinvisiblethings.blogspot.com.br/2011/04/linux-security-circus-on-gui-isolation.html). - -Future ------- - -* This should be better documented! -* Automated expendable snapshots for one-time-use virtual machines. 
-* Automated recipes (puppet/ansible). -* Vagrant integration for fast provisioning of golden images. -* Alternatives to the VirtualBox hypervisor. - -References ----------- - -Applications: - -* [kvmx script](https://kvmx.fluxo.info). -* [vbox script](https://git.fluxo.info/vbox). -* [plymouth - Debian Wiki](https://wiki.debian.org/plymouth). -* [SPICE Project](http://www.spice-space.org/). - -Other implementations: - -* [Marco Carnut: Ambiente "Auto-Limpante" via Virtualização Ultra-Leve Descartável - Tempest Blog](http://blog.tempest.com.br/marco-carnut/ambiente-auto-limpante-via-virtualizacao-ultra-leve-descartavel.html). -* [Subgraph OS and Mail](https://subgraph.com/sgos/index.en.html). - -Tips: - -* If using Firefox, try to disable hardware graphics acceleration as it might impact performance and produce graphics artifacts. This behavior was seem on VMs running with qemu-kvm with SPICE. - -Spice and KVM: - -* http://www.linux-kvm.org/page/SPICE -* https://www.spice-space.org/spice-user-manual.html -* https://kuther.net/content/convert-virtualbox-kvmqemu -* http://www.ubuntugeek.com/how-change-display-resolution-settings-using-xrandr.html -* https://bugzilla.redhat.com/show_bug.cgi?id=1020393 -* https://people.freedesktop.org/~teuf/spice-doc/html/ch03.html -* http://askubuntu.com/questions/107228/how-to-resize-virtual-machine-disk#481887 -* http://wiki.qemu.org/Documentation/9psetup -* https://ask.fedoraproject.org/en/question/8080/shared-folder-with-qemu-kvm/ - -Mounting guest images: - -* [Mounting raw and qcow2 VM disk images](https://alexeytorkhov.blogspot.com.br/2009/09/mounting-raw-and-qcow2-vm-disk-images.html) using `losetup` or `qemu-nbd`. -* [guestmount](http://libguestfs.org/guestmount.1.html) from [libguestfs, a library for accessing and modifying VM disk images](http://libguestfs.org/). - -Image optimization: - -* [Tip: Making a disk image sparse | Richard WM Jones](https://rwmj.wordpress.com/2010/10/19/tip-making-a-disk-image-sparse/). 
-* [How to convert a non-sparse image to a sparse image – Patrick's Blog(2)](https://blog.laimbock.com/2013/10/31/how-to-convert-a-non-sparse-image-to-sparse/). - - ionice -c 3 nice -n 19 virt-sparsify --tmp /tmp --convert qcow2 --compress box.img box.new && mv box.new box.img -- cgit v1.2.3
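Review bot: Every `.mdwn`/`.md` pair in the file list carries the same blob id on its `index` lines (`8dd9c01` for cli, `81c80a6` for messaging, `a1f47c5` for sites, `51c01c1` for virtual) and the diffstat is 310 insertions against 310 deletions, so this is a pure rename presented as four deletions plus four creations. Generating the patch with rename detection (`git format-patch -M`) would reduce it to rename headers and make it obvious at a glance that no content changed.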
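Review bot: In `suckless/messaging.md`, the reconnect command under "Howto", `ssh servidor-remoto tmux attach`, runs a remote command without requesting a terminal, so tmux has no tty to attach to; it should read `ssh -t servidor-remoto tmux attach`. In the same file, under "Básico do IRC", `/network add -nick -realname freenode` has no values after `-nick` and `-realname`, so the placeholders appear to have been lost. Also, `irssi-plugin-otr` is installed and the "Requisitos" list asks for end-to-end encryption, yet no step loads or uses OTR; a short step for that would close the gap between the requirement and the howto.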
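Review bot: In `suckless/sites.md`, the "Deployment" section says rrsync is used "to restrict access" for a passwordless key, but the only configuration shown is the client-side `~/.ssh/config` entry. The restriction itself lives in the server's `authorized_keys` (a forced `command=` entry running rrsync against the target directory), and a reader who follows only what is shown ends up with an unrestricted passphraseless key for the `blog` user; please add the server-side line next to the `Host blog.example.org blog` block. Separately, the "Static site example" still writes `index.mdwn` while this commit moves the repository to `.md`, which is worth either aligning or explaining.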
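Review bot: In `suckless/virtual.md`, under "Debian desktop", the `autologin-user=vagrant` and `autologin-user-timeout=0` lines are shown without the section they belong to; in `/etc/lightdm/lightdm.conf` they need to sit under the seat section (`[Seat:*]`, or `[SeatDefaults]` on older lightdm), so the snippet should include that header. At the end of the file, the `virt-sparsify ... box.img box.new && mv box.new box.img` one-liner replaces the original image, and since the "Features" list builds the workflow on suspend/resume, the text should state that the guest must be fully shut down, not just suspended, before its image is sparsified and swapped.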