this post was submitted on 07 Dec 2023
46 points (89.7% liked)
This Arch story reminds me a lot of a r/talesfromtechsupport story that went remarkably similar but had a less happy ending for the Linux enthusiast, where he basically disabled the TPM and couldn't access the company network because the network seemed to only allow trusted machines.
Can't find it right now but maybe I can do some digging once I'm on a computer.
Funny you should mention the company network.
To tell the next part of my story, when I did all of what I described, I first backed up the KDE neon install onto a tiny little partition. So I still had it to go back to if I needed to.
And after I'd been using Arch for a good while, the VPN folks decided to retire OpenVPN and switch to something called "GlobalProtect".
They run BMC, a remote machine management program, on all freshly-imaged machines. That lets them (un)install shit without the user's knowledge and stuff. Windows users had lots of horror stories about "the great Java uninstall of 2018" where the PC Support folks just randomly decided one day to uninstall OpenJDK from every Windows user's machine. While we were trying to write/maintain Java software written in-house. (This happened multiple times within a few years.)
One of the biggest benefits to running Linux (even if it was KDE Neon) was that the PC Support folks were scared of Linux and stayed very hands-off. They never (un)installed stuff remotely for KDE Neon users.
...until they switched to GlobalProtect. They wouldn't give out the .deb for GlobalProtect to let folks install it themselves. They'd only install it for you via BMC.
But since I was running Arch and had never installed BMC, (actually I have another story about BMC on Arch, but I'll save it for when I have more time), my machine was passed over when they installed GlobalProtect on all the KDE Neon machines.
So I rebooted into KDE Neon, asked pretty please that they install GlobalProtect, and have been using KDE Neon ever since.
Now, I've done nothing to disable the TPM or anything on Arch. I don't think even if GlobalProtect uses the TPM that there's any reason it couldn't do so while on Arch. But I tried just copying the install from KDE Neon to Arch file-for-file and running it. It didn't work. I had to strace it to get more info and... don't remember what the error was about now. Some inter-process communication thing I had never heard of before wasn't able to talk to the daemon process.
I keep telling myself I'm going to get GlobalProtect running on Arch again so I don't have to keep using KDE Neon, but it's been a while since I've worked on that any.
Also, one of my coworkers had been working for years by connecting to the company VPN from a personal machine. And I told him he needed to figure out his VPN situation months before they actually turned off OpenVPN. But he didn't heed my warnings and when they shut off OpenVPN, he was screwed. He took the Mac they'd sent him when he was first hired off of mothballs and tried to get it running. They ended up just telling him they needed to send him a new machine. So he basically couldn't work for almost two weeks while he waited for the new KDE Neon machine he ordered to get set up/imaged/etc and then shipped halfway across the country. He uses KDE Neon on a company laptop now.
There are some great stories about how we've messed with PC Support at this company. Lol.
Edit: Ok. I'll tell the BMC-on-Arch story now.
Same company. Back before they were issuing secureboot'd machines, and before they offered the option of a Linux machine (or without special manager approval, a Mac, actually), I installed Arch on my host on a forgiveness-rather-than-permission basis.
When they started supporting Linux, they got BMC set up for Linux. (It had worked on Windows prior, of course.) And then they started sending me nagging emails about installing BMC. They knew my boss would back me up if they pressed me to switch back to Windows, so they didn't push for that. But they wanted me to install BMC just to get the feature that it periodically phoned home to let PC Support know it was still in use and all that. (I think it also offered features like if I ever reported it stolen, they set it up so it would wipe its own hard drive next time it phoned home. To protect any trade secrets.)
I kind of ignored them for a while. Eventually they visited my desk in person. (This was before I was working remotely.) I was like "yeah, ok, tell me what to do" (I figured it was a good compromise that would let me keep Arch) and they were like "we'll send you the installer."
Now, the Linux distro they supported at the time wasn't KDE Neon. It was Ubuntu. And I was on Arch. And I asked "the installer was probably packaged for Ubuntu, right? BMC is supposed to run as a daemon and Arch doesn't even use the same init system. I'd be surprised if it worked." And one of the PC support guys looked me right in the eye and passed his hand over his head in a "you're talking over my head" gesture. And then walks away.
I received the installer. Tried to run it. It immediately choked for exactly the reason I suspected. Basically it looked at my system, didn't find the init system it expected, and aborted before extracting the files to be installed.
So, was I going to give up and switch to Ubuntu? No! I wasn't daunted.
So I broke out strace and gdb and managed to trick the installer into extracting the files. (Basically when it checked for the init system, I altered a variable from false to true to make it not abort before extracting.)
And then I just had to stick it at the right place on the filesystem. I never made a service file for it. I just manually ran it every now and then. And killed it a little while later. No one nagged me again.
Now, I wasn't the only one who ran Arch. I had a coworker there who also ran Arch and somehow he was never nagged to install BMC. Not sure why. But when I left the company, I left all my work with this other coworker in case he ever needed it.
And then I returned to this company. It was after that that I did the Archbunkenstein thing because they'd started using machines that enforced secureboot. The coworker who was still running Arch when I returned had lost my BMC installer reverse engineering work. And still had never been nagged by PC Support. I expected to be nagged again, but I ran Archbunkenstein for a good year or so without anyone nagging me. When I switched back to KDE Neon for the VPN, it had BMC installed, so I've been using BMC ever since.
You may wish to investigate Bedrock Linux, it allows you to Frankenstein 2 (or more) distros together. I'm sure there's a way you could have your KDE neon kernel plus BMC while having everything else Arch.
https://bedrocklinux.org/