Peerbox-raspi-v0.25-RC1 discussion thread

[center][size=14pt]Peerbox-raspi-v0.25-RC1[/size][/center]

Downloads:

GZIP (795M): http://peerbox.me/download/Peerbox-raspi-v0.25-RC1.img.gz
[size=8pt]sha256 sum: 644224d8ce4031ea5c4aefcc42c554d4bd05aa9bde24e76befa8ecd0e6470df4[/size]

XZ (529MB): http://peerbox.me/download/Peerbox-raspi-v0.25-RC1.img.xz
[size=8pt]sha256 sum: 5150cd88a17af529940b3f15a1d5472c957bc06961decc54100a8423802e92b3[/size]

First of all, sorry for keeping this release private for so long. I had quite a bumpy road to this release: issues with kernel configuration, toolchain and Berkeley DB incompatibility with btrfs, which made me lose hours and hours of development time.
At first I planned this release as a simple update on v0.24 with resize2fs and Yubikey functionality, but I have realized that I need to step up the game to ensure ease of development in the future. So I have forked the ArchLinuxArm repository; Peerbox has its own now: http://peerbox.me/repo/testing/armv6h/
This sounds far simpler than it is. It involved weeks of testing and polishing. It is not complete yet, but I am getting there.

By having a dedicated repository I enable far easier control over all packages for Peerbox. Now I control the version of every single package and can freeze the entire repository if I feel it is stable enough. This will avoid breakages which tend to happen with rolling-release distributions like ArchLinux. I have moved to a Manjaro Linux type of repository, where they freeze the upstream ArchLinux repository and then build a release upon it. The downside is that I have to follow upstream of every package and make sure I don’t miss security updates and bug fixes.
I will also GPG sign every single package in this repository in the future, which is a level up in security. Also, all packages will be compiled with a hardened toolchain, and I will harden as many packages as I can with -fPIE and -fstack-protector-strong compile flags. This is also a drastic security improvement.

v0.25 will be a series of -RC releases until I implement all desired features. Then I will release a stable 0.26 release.
Think of this branch as a testing/development branch not intended to be used by everyone, just for people who are willing to use the latest code and help me with testing. Probably this release contains a lot of bugs and needs a lot of polishing.
It should be stable enough for running a node however; also it is a lot more secure than the v0.24 branch.

Changelog:

  • Updated kernel to latest point release and latest grsecurity patch;

  • Updated kernel config, some more hardening;

  • kernel compiled with hardened toolchain;

  • Ssh daemon now does not run all the time, only when you “call” it by trying to log in. I’ve used systemd socket activation for this feature.
    (http://www.freedesktop.org/software/systemd/man/systemd.socket.html) ;

  • ppcoind is now hardened with -fPIE (position independent executable) and patched to support latest openssl (https://github.com/Peerunity/Peerunity/commit/0cf0117abdb01ec71dfc0b52bcce8f897eaa517b) ;

  • fixed some issues with peerbox-info and implemented new features, see dedicated thread for more info ;

  • removed some unused packages which were installed by default ;

  • maybe something else I can’t remember right now.

Peerbox project news:

Design of the new Peerbox site has been finished; implementation is still under way as I want it to contain a blog system. This blog implementation, which I consider important, is the reason why the website is delayed. This and the low Peercoin price have also caused going over budget for the website, which in turn caused depleting the Peerbox fund on peer4commit.

I ask kindly to help me to finish this, I might require some extra funds to make it perfect.
Also, I am thinking of acquiring Raspberry Pi 2 and start developing for that platform too. However I do not have funds to buy it right now, as my funds have been invested in my other project which should go public soon.

Thanks to:

All donators to this project

Irritant for donating two Raspberry Pi’s which have made Peerbox development and testing far easier.

Willy for hosting Peerbox repository and website

All people in the community for support

edit:

Re-uploaded images, now properly cleaned.

Good work. Time to donate here: http://peer4commit.com/projects/92

need to spread the word on the Peerbox project, it should be mentioned in such articles as these but it is not yet



http://magnatecha.com/things-i-do-with-my-raspberry-pi/

Fuzzybear

[quote=“FuzzyBear, post:3, topic:3334”]need to spread the word on the Peerbox project, it should be mentioned in such articles as these but it is not yet



http://magnatecha.com/things-i-do-with-my-raspberry-pi/

Fuzzybear[/quote]
Has it been announced here? http://www.raspberrypi.org/forums/viewforum.php?f=15&sid=7c3fa5af24b86a8012a1974d5935ec92 I only see one mention by you and it is pointing to dead url

@FuzzyBear

Yes it should be, but I still refrain from reaching the wider public as the product is quite incomplete. There should definitely be a marketing campaign when some more features are implemented, like Yubikey and G-auth with full disk encryption and other cool stuff like that.

About that article, yes that was my mini marketing attempt. I wrote a tutorial and then linked it on the Raspberry Pi forum. It brought quite some views to the website. I need to do this more often.

I’m still facing the same issue:

ssh sunny@peerbox
ssh: connect to host peerbox port 22: Connection refused

My subnet at home is 192.168.66.0/24, which isn’t compatible with the default iptables settings that are established by peerbox after its first boot.

My bad, I forgot to clean installation before uploading it (again).
Just mount SD card and remove /etc/pcf/firewall/.lock on ROOT partition.

I will upload new image soon.

[quote=“peerchemist, post:7, topic:3334”]My bad, I forgot to clean installation before uploading it (again).
Just mount SD card and remove /etc/pcf/firewall/.lock on ROOT partition.

I will upload new image soon.[/quote]

Thanks peerchemist, will test it again from scratch with the new uploaded image. :slight_smile:

try now

It’s working! Thank you peerchemist, you rock. :slight_smile:

is there a way to use raspberry as media station/player and ppc minting
at the same time? i don’t have one but i am thinking buy it

[quote=“seki, post:11, topic:3334”]is there a way to use raspberry as media station/player and ppc minting
at the same time? i don’t have one but i am thinking buy it[/quote]

I wouldn’t recommend it. By design, Peerbox’s aim is to deliver a very secure, hardened and firewalled environment that is also washed from unnecessary and potentially unsafe binaries/libs/modules. So, you won’t be able to install anything on it easily (so no media station/player).

You can still try to make your Peerbox run in a VM directly on your RPi2. And use your RPI2 for other purposes too.

@ seki

Yes it is possible and you will not lose any security by doing so.
It is just possible that you will lack some packages needed to set up a media station. Also, the Raspberry Pi is too slow to handle both at the same time. Peerbox is 5-10% slower than classic Raspberry Pi distributions due to hardening, and ppcoind will spike CPU usage every block and cause all else to stutter/pause or even crash.
It should be possible with Raspberry Pi 2 - I would even be willing to deliver the needed packages for a media player in Peerbox to avoid people choosing security over functionality, as they can have both with Peerbox and raspi2.

@ Thireus

It is true that Peerbox is stripped, but stuff can be installed to it. It is quite easy to install stuff, especially on the v0.24 branch which still uses the upstream repository, which features over 10k packages.

[quote]You can still try to make your Peerbox run in a VM directly on your RPi2. And use your RPI2 for other purposes too.[/quote]

This would be the easiest solution, if the VM is not an LXC container but a real virtual machine (KVM for example). LXC are lightweight containers and come without performance penalty. This should be ideal for the weak Raspberry Pi and will probably be recommended on Raspberry Pi when this idea hits mainstream.
A lot of Peerbox security comes from the Grsecurity hardened kernel, and LXC containers use the host OS kernel (not hardened).
So the real solution would be to use KVM for this stuff. However KVM is a lot heavier and requires a lot more dependencies, so this may not be useful on Raspberry.

Another one is to make hardened kernel for Raspbian distribution with nice and easy PPA repository for it and issue Peerbox as LXC container. This should enable easy usage of upstream Raspbian/Ubuntu/Whatever for various purposes and still have Peerbox on the same machine.

thanks both!
then i will buy the Pi2 and try it.
but perhaps it is better to use win10 when available,
then perhaps peerbox software becomes obsolete for Pi2
or rewritten to work with win10? :wink:

[quote=“seki, post:14, topic:3334”]then perhaps peerbox software becomes obsolete for Pi2
or rewritten to work with win10? ;)[/quote]

;D Who’s still using Windows for “security”? (Edit: did I even say still?)

Don’t worry seki, Windows will never be used for Peerbox’s base OS :wink:

Never ever

[quote=“seki, post:14, topic:3334”]thanks both!
then i will buy the Pi2 and try it.
but perhaps it is better to use win10 when available,
then perhaps peerbox software becomes obsolete for Pi2
or rewritten to work with win10? ;)[/quote]

there isnt a peerbox version for the new model 2 rpi yet, or im missing something

[quote=“irritant, post:17, topic:3334”][quote=“seki, post:14, topic:3334”]thanks both!
then i will buy the Pi2 and try it.
but perhaps it is better to use win10 when available,
then perhaps peerbox software becomes obsolete for Pi2
or rewritten to work with win10? ;)[/quote]

there isnt a peerbox version for the new model 2 rpi yet, or im missing something[/quote]

There isn’t a custom/optimized armv7 Peerbox for this new model yet. But the current Peerbox should be running fine on the RPI2, just that you’ll run armv6 instructions instead of armv7, which is not a problem at all.

Advantages: more memory, more CPU cores.

[quote=“Thireus, post:18, topic:3334”][quote=“irritant, post:17, topic:3334”][quote=“seki, post:14, topic:3334”]thanks both!
then i will buy the Pi2 and try it.
but perhaps it is better to use win10 when available,
then perhaps peerbox software becomes obsolete for Pi2
or rewritten to work with win10? ;)[/quote]

there isnt a peerbox version for the new model 2 rpi yet, or im missing something[/quote]

There isn’t a custom/optimized armv7 Peerbox for this new model yet. But the current Peerbox should be running fine on the RPI2, just that you’ll run armv6 instructions instead of armv7, which is not a problem at all.

Advantages: more memory, more CPU cores.[/quote]

did you try? i did, and it wouldnt boot

It needs an armv7 kernel. I did not get a chance to compile that.

But as far as I know you only need an armv7 kernel and the latest firmware and you can use it on Raspi v2.