liz/hacdc-wiki
liz/hacdc-wiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
c110577820
hacdc-wiki/Byzantium_Live_Distro.md
Elizabeth Cray c110577820 exported markdown
2024-06-12 21:48:44 -04:00

304 lines
13 KiB
Markdown
Executable File
Raw Blame History

## Description
We are building a portable live Linux distribution based on [Porteus
Linux](http://porteus.org/). Porteus itself is a fork of Slax that has
been brought up to date with Slackware 13.37 and uses a 2.6.38.8 kernel.
Porteus can use binary packages from Slackware 13.37 after conversion to
Porteus' native format.
## Code Repositories
[Github page](https://github.com/Byzantium/Byzantium)
[Subversion repo for Porteus
packages](http://svn.virtadpt.net/byzantium/)
## Goals
- Make it possible for people in emergency situations to communicate and
collaborate.
- Make it possible for people in areas where the communications
infrastructure is compromised to communicate and collaborate.
- Provide services to support communication and collaboration.
- Will be secure out of the box.
- Best practices for isolating running services will be followed.
- Best practices for configuration web applications will be followed.
- Least privilege will be followed wherever possible.
- Will be extensively documented.
- A Creative Commons-licensed book will be made available with the
Byzantium distribution as well as separately
- Will explain the finer points of setting up a mesh, as well as
accompanying projects (such as dialup gateways and long-haul
transports).
- Will be translated into as many languages as possible.
- Widely compatible.
- Users need to be able to boot their desktop/laptop/netbook from
Byzantium media and set up a node.
- As little fiddling with network drivers as possible.
- Rapidly deployable.
- Users need to be able to configure their Byzantium node rapidly and
with little assistance.
- Emergency situations.
- Control panel aims to be as self-documenting as possible.
- Aims to protect confidentiality of traffic.
- Opportunistic IPsec?
- All services default to SSLv3/TLSv1.
- Aims to protect integrity of traffic.
- SSLv3/TLSv1.
- Meshes should grow without the direction of a central authority.
- Anyone can set up a mesh node.
- Anyone can set up services on the mesh.
- Services packaged by default can be managed (activated and
deactivated) from the control panel
- Services packaged by default will come preconfigured with secure
defaults and a mobile-friendly theme where appropriate.
- This is a calculated risk. The threat models of Tor and I2P take
this into account as well.
- Byzantium nodes need to be rapidly clonable.
- One copy of the live distribution needs to become many on demand.
- Nodes need to be clonable without taking the node down.
- Persistent storage has to be an option.
- Built into [Porteus](http://porteus.org).
- save.dat file
- removable media
- media Porteus is installed to
- Dependencies will be automatically managed by the control panel.
## Features
- Can support multiple mesh routing protocols.
- Modular configuration back end.
- Multiple pre-packaged, pre-configured web applications for
communication and collaboration.
- All services can be independently activated and deactivated.
- Aims for security by default.
- Services are not active unless explicitly triggered.
- Services are configured using best practices for security.
- Services support strong cryptography by default.
- Supports gatewaying from the mesh to the Net over a live connection.
- Supports persistent (encrypted) storage on demand (not default).
- Note: When creating a save.dat file under Porteus, if the drive it's
on is formatted FAT-32 or less, the file MUST be \<1024MB, else, the
/linuxrc script that forms the core of the distro will pretend that
it can't locate the file, regardless of where you put it. This drove
me bonkers for two months!
- If possible we should try to make save.dat a second partition on
the thumbdrive (ala casper-rw for ubuntu liveUSBs) there are some
big benefits to this:
- it makes it harder for windows users to see that there is a
second partition in case big brother decides to inspect the
contents of all thumbdrives.
- it means we won't have to worry about file size limits.
### ToDo
- ~~[Node Control Panel](Byzantium_Live_Distro_CP "wikilink")~~ - DONE!
- ~~[Captive Portal](Byzantium_Live_Distro_Captive_Portal "wikilink")~~
-DONE!
- [Provided Services
Announcement](Byzantium_Live_Distro_Service_Announce "wikilink")
- [Wiki](Byzantium_Live_Distro_Wiki "wikilink") - suspended notion
- ~~[Microblog](Byzantium_Live_Distro_Microblog "wikilink")~~ - DONE!
- [File dump/Twitpic
work-alike](Byzantium_Live_Distro_FileDump "wikilink")
- [Voice chat/telephony server](Byzantium_Live_Distro_Tel "wikilink")
- ~~[Clientless web chat](Byzantium_Live_Distro_Chat "wikilink")~~ -
DONE!
- ~~[Blog](Byzantium_Live_Distro_Microblog "wikilink")~~ - see Microblog
- ~~[EtherPad-like thing](Byzantium_Live_Distro_EPad "wikilink")~~ -
DONE!
- [Streaming media
server](Byzantium_Live_Distro_StreamingMediaSrv "wikilink")
- [HTTP caching proxy](Byzantium_Live_Distro_WebProxy "wikilink")
- [Tor](https://www.torproject.org/)
- [IPset](IPset "wikilink")
Pick a web server to host applications:
- Converted the Apache, apr\*, and PHP packages of Slackware v13.37 into
Porteus modules. They Just Worked(tm).
~~We need to figure out how to properly install the control panel app on
a new system. The process should be as pythonic as possible.~~
We need to figure out how to bundle the already configured and populated
MySQL databases for the web apps!
- Packaging them into a module and activating it didn't work.
- ~~Write a script that detects the presence or absence of
/var/lib/db/\*/ and restores them from .sql dumps at boot-time.~~
[The Doctor's to-do list](The_Doctor's_to-do_list "wikilink")
## Packages built for Byzantium
- babeld - For great mesh routing.
- batman-adv - Kernel module which implements mesh routing at OSI
layer 2. We may not use it but it's there if we need it.
- batctl - Utility for configurating and manipulating batman-adv.
- Dependency of batman-adv.
- olsrd - from olsr.org
- ahcpd - For configuring mesh nodes that don't want to use the random
RFC-1918 IP address generator.
- CherryPy - Python module that implements a fast multi-threaded HTTP
(web application) server.
- Without this, there is no control panel.
- pySetupTools - Required for installing some Python modules.
- Mako - Python HTML templating system.
- Dependency of the control panel.
- MarkupSafe - Python library that implements a Unicode string that is
aware of HTML escaping rules and does automatic string escaping.
- Dependency of Mako.
- Git - Converted Slackware v13.37 package.
- Necessary for checking code out and into Github.
- Curl - Converted Slackware v13.37 package.
- Dependency of git.
- Note: To make git work without "error setting certificate verify
locations" errors, you need to run the following command as the root
user: git config --system http.sslcainfo
/usr/share/curl/ca-bundle.crt
- rrdtool - Used by traffic_stats.sh to monitor network traffic and
build graphs.
- sqlitebrowser - Used to develop SQLite database schemas and debug
database access code. Will not be in OS release.
- ~~nginx - Lightweight, fast HTTP(S) server. Much more lightweight than
Apache, at any rate. Custom build for Byzantium.~~
- Enough!
- gd - Dependency of PHP.
- Used for server side image manipulation.
- libmcrypt - Dependency of PHP.
- icu4c - International Components for Unicode. i18n dependency of PHP.
- openldap-client - Dependency of PHP to make it compile. Not pleased by
having to package it, but it won't build without it.
- Can we get away with not having it because I didn't have to compile
it for Apache? Let's try it!
- php - Converted Slackware v13.37 package.
- httpd - Apache v2.2.17. Converted Slackware v13.37 package.
- ..and then stuff started working!
- apr-util - Converted Slackware v13.37 package.
- Utility used for compiling Apache modules.
- apr - Converted Slackware v13.37 package.
- Package used for compiling Apache modules.
- t1lib - Converted Slackware v13.37 package. Used for font
manipulation.
- pcre - Converted Slackware v13.37 package.
- Perl Compatible Regular Expression library.
- Unicode aware for i18n support. status.net requires this for basic
functionality, whcih means that we get i18n for free.
- ~~Firefox v6.0.2~~
- Do not use! i_can_haz_firefox.sh builds a package with bad symlinks.
Haven't bothered to fix it so far.
- node - An event-driven I/O server-side JavaScript environment based on
V8. (from website and wikipedia).
- Required by Etherpad-lite.
- dnsmasq - All-in-one DHCP and caching DNS server.
- Much easier to work with in circumstances like this than ISC BIND or
even djbdns.
- ipcalc - Command-line IP networking calculator. Will be needed by the
control panel shortly.
- Removed the CGI-BIN script from the package when it was built.
- ngircd - Lightweight IRC server.
- Back-end for web chat application.
- Somehow we need to figure out a way to make them automagically hook
together into an IRC network. But that can wait.
- zope.interface - Required by Twisted.
- Twisted - Required by qwebirc.
- Satisfies the clientless web chat requirement.
## Links
Place links relevant to any part of the process of making the live
distro here.
[Porteus Official Website](http://porteus.org/)
[Processes for building Porteus
packages.](Processes_for_building_Porteus_packages. "wikilink")
[Process for manually installing
Byzantium.](Process_for_manually_installing_Byzantium. "wikilink")
[Byzantium 101](Byzantium_101 "wikilink") - How to get yourself set up.
[Hardware compatibility list](Hardware_compatibility_list "wikilink")
[User Feedback on Byzantium
0.1a](User_Feedback_on_Byzantium_0.1a "wikilink")
[Handy generic git notes](Git_Notes "wikilink")
## Timeline
- .....uhh....
- 20 October 2011 - Live demo, presentation, and networking at
[ContactCon](http://contactcon.com/).
- 12 May 2012 @ 1400 EST5EDT: Project Byzantium presentation at
[CarolinaCon](http://carolinacon.org/).
- 13-15 July 2012 @ TBA: Project Byzantium presentation at [HOPE Number
Nine](http://www.hopenumbernine.net/).
## Stuff
~~Need to edit /etc/hosts, add 'byzantium' to 127.0.0.1 so that the web
server will start up.~~
[Mobile devices and IPv6.](Mobile_devices_and_IPv6. "wikilink")
~~[DNSmasq](http://thekelleys.org.uk/dnsmasq/doc.html)~~
- ~~One nice thing about DNSmasq is the -H option, for additional
/etc/hosts-like files. We could use those to cache the IP addresses of
other Byzantium nodes, and then query them for the services they
run.~~
- Hostnames are IPv6 addresses of nodes.
- ifconfig wlan0 \| grep inet6 \| awk '{print \$3}' \| sed 's/:/-/g'
\| sed 's/\\64\$//' \| sed 's/\$/.byzantium.mesh/' ==
fe80--21c-bfff-fe35-84c2.byzantium.mesh
- ~~Put IP addresses and hostnames in /etc/hosts.mesh.~~
- This could also be used for status.net federation and IRC network
construction.
- ~~Move the **server=/byzantium.mesh/...** line into the generated
DNSmasq include file?~~
- ~~Make the '...' the mesh interface's IP address?~~
<!-- -->
- ~~Consulted with an expert about IP addressing. At first scratch, it
might be a good idea to stick wtih pseudo-randomly chosen 10/8's.
Configure the mesh interface for the .1 and give the clients .2-.254.
I'll re-work the control panel to do that.~~
Need to account for [APIPA](http://www.webopedia.com/TERM/A/APIPA.html)
addressing in the initial set of routes.
- ~~Added for the purpose of making networkconfiguration.py [detect
whether or not the proposed IP address for the mesh interface is in
use](http://www.cyberciti.biz/faq/linux-duplicate-address-detection-with-arping/).~~
- Byzantium does this now. It works like a champ.
List of public DNSes that we may wish to fall back upon in the event a
node is made into a gateway:
- [Google Public DNS](https://code.google.com/speed/public-dns/)
- [Public DNS servers](http://www.tech-faq.com/public-dns-servers.html)
- [OpenDNS](https://www.opendns.com/)
[Packaging NPM.](Packaging_NPM. "wikilink")
[Finding neighboring mesh
nodes](Finding_neighboring_mesh_nodes "wikilink")
[Fully distributed services](Fully_distributed_services "wikilink")
## Stuff to consider for later
- Consider adding [Iodine](http://code.kryo.se/iodine/) to Byzantium to
help tunnel gatewayed traffic onto the Net.
- Gateway nodes in hostile areas could use Iodine to tunnel traffic
out.
- Gateway nodes in non-hostile areas could accept Iodine connections
to help less fortunate nodes evade censorship.
- Consider adding (http\|proxy)tunnel with simplified usage of some kind
to allow encapsulating arbitrary data streams in http streams.
- Firewall evasion aids that will work well even in established internet
censorship systems?
Reference in New Issue View Git Blame Copy Permalink