Recipes catalog and calculator in Rails 8 by gfilippetti

My wife needs a website to catalog and sell the products of her upcoming bakery, and I need to learn and practice modern Rails. So I'm using this Hack Week to build a modern store using the latest Ruby on Rails best practices, ideally up to the deployment.

TO DO

• Index page
• Product page
• Admin area -- Supplies calculator based on orders -- Orders notification
• Authentication
• Payment
• Deployment

Day 1

As my Rails knowledge was pretty outdated and I had 0 experience with Turbo (wich I want to use in the app), I started following a turbo-rails course. I completed 5 of 11 chapters.

Day 2

Continued the course until chapter 8 and added live updates & an empty state to the app. I should finish the course on day 3 and start my own project with the knowledge from it.

Hackweek 24

For this Hackweek I'll continue this project, focusing on a Catalog/Calculator for my wife's recipes so she can use for her Café.

Day 1

---

Fix RSpec tests in order to replace the ruby-ldap rubygem in OBS by enavarro_suse

Description

"LDAP mode is not official supported by OBS!". See: config/options.yml.example#L100-L102

However, there is an RSpec file which tests LDAP mode in OBS. These tests use the ruby-ldap rubygem, mocking the results returned by a LDAP server.

The ruby-ldap rubygem seems no longer maintaned, and also prevents from updating to a more recent Ruby version. A good alternative is to replace it with the net-ldap rubygem.

Before replacing the ruby-ldap rubygem, we should modify the tests so the don't mock the responses of a LDAP server. Instead, we should modify the tests and run them against a real LDAP server.

Goals

Goals of this project:

• Modify the RSpec tests and run them against a real LDAP server
• Replace the net-ldap rubygem with the ruby-ldap rubygem

Achieving the above mentioned goals will:

• Permit upgrading OBS from Ruby 3.1 to Ruby 3.2
• Make a step towards officially supporting LDAP in OBS.

Resources

• Replace ruby-ldap rubygem with net-ldap

---

Cluster API Provider for Harvester by rcase

Project Description

The Cluster API "infrastructure provider" for Harvester, also named CAPHV, makes it possible to use Harvester with Cluster API. This enables people and organisations to create Kubernetes clusters running on VMs created by Harvester using a declarative spec.

The project has been bootstrapped in HackWeek 23, and its code is available here.

Work done in HackWeek 2023

• Have a early working version of the provider available on Rancher Sandbox : *DONE *
• Demonstrated the created cluster can be imported using Rancher Turtles: DONE
• Stretch goal - demonstrate using the new provider with CAPRKE2: DONE and the templates are available on the repo

Goals for HackWeek 2024

• Add support for ClusterClass
• Add e2e testing
• Add more Unit Tests
• Improve Status Conditions to reflect current state of Infrastructure
• Improve CI (some bugs for release creation)
• Testing with newer Harvester version (v1.3.X and v1.4.X)
• Due to the length and complexity of the templates, maybe package some of them as Helm Charts.
• Other improvement suggestions are welcome!

DONE in HackWeek 24:

• Add more Unit Tests
• Improve Status Conditions for some phases
• Add cloud provider config generation
• Testing with Harvester v1.3.2
• Template improvements
• Issues creation

Thanks to @isim and Dominic Giebert for their contributions!

Resources

Looking for help from anyone interested in Cluster API (CAPI) or who wants to learn more about Harvester.

This will be an infrastructure provider for Cluster API. Some background reading for the CAPI aspect:

• Cluster infrastructure provider contract
• Machine infrastructure provider contract
• Provider implementers guide

---

ClusterOps - Easily install and manage your personal kubernetes cluster by andreabenini

Description

ClusterOps is a Kubernetes installer and operator designed to streamline the initial configuration and ongoing maintenance of kubernetes clusters. The focus of this project is primarily on personal or local installations. However, the goal is to expand its use to encompass all installations of Kubernetes for local development purposes.
It simplifies cluster management by automating tasks and providing just one user-friendly YAML-based configuration config.yml.

Overview

• Simplified Configuration: Define your desired cluster state in a simple YAML file, and ClusterOps will handle the rest.
• Automated Setup: Automates initial cluster configuration, including network settings, storage provisioning, special requirements (for example GPUs) and essential components installation.
• Ongoing Maintenance: Performs routine maintenance tasks such as upgrades, security updates, and resource monitoring.
• Extensibility: Easily extend functionality with custom plugins and configurations.
• Self-Healing: Detects and recovers from common cluster issues, ensuring stability, idempotence and reliability. Same operation can be performed multiple times without changing the result.
• Discreet: It works only on what it knows, if you are manually configuring parts of your kubernetes and this configuration does not interfere with it you can happily continue to work on several parts and use this tool only for what is needed.

Features

• distribution and engine independence. Install your favorite kubernetes engine with your package manager, execute one script and you'll have a complete working environment at your disposal.
  
• Basic config approach. One single config.yml file with configuration requirements (add/remove features): human readable, plain and simple. All fancy configs managed automatically (ingress, balancers, services, proxy, ...).
• Local Builtin ContainerHub. The default installation provides a fully configured ContainerHub available locally along with the kubernetes installation. This configuration allows the user to build, upload and deploy custom container images as they were provided from external sources. Internet public sources are still available but local development can be kept in this localhost server. Builtin ClusterOps operator will be fetched from this ContainerHub registry too.
• Kubernetes official dashboard installed as a plugin, others planned too (k9s for example).
• Kubevirt plugin installed and properly configured. Unleash the power of classic virtualization (KVM+QEMU) on top of Kubernetes and manage your entire system from there, libvirtd and virsh libs are required.
• One operator to rule them all. The installation script configures your machine automatically during installation and adds one kubernetes operator to manage your local cluster. From there the operator takes care of the cluster on your behalf.
• Clean installation and removal. Just test it, when you are done just use the same program to uninstall everything without leaving configs (or pods) behind.

Planned features (Wishlist / TODOs)

• Containerized Data Importer (CDI). Persistent storage management add-on for Kubernetes to provide a declarative way of building and importing Virtual Machine Disks on PVCs for

---

Hack on rich terminal user interfaces by amanzini

Description

TUIs (Textual User Interface) are a big classic of our daily workflow. Many linux users 'live' in the terminal and modern implementations have a lot to offer : unicode fonts, 24 bit colors etc.

Goals

• Explore the current available solution on modern languages and implement a PoC , for example a small maze generator, porting of a classic game or just display the HackWeek cute logo.
• Practice some Go / Rust coding and programming patterns
• Fiddle around, hack, learn, have fun
• keep a development diary, practice on project documentation

Follow this link for source code repository

• includes development diary

Some ideas for inspiration:

• https://github.com/coding-horror/basic-computer-games
• https://git.imzadi.de/acn/vt100-games
• https://github.com/skx/lighthouse-of-doom
• https://github.com/rothgar/awesome-tuis
• https://www.zq1.de/~bernhard/images/share/geeko/logo.txt

Related projects:

• https://hackweek.opensuse.org/24/projects/suse-rancher-supportconfig from @eminguez

Resources

• Python:

  • https://github.com/Textualize/rich

• Go:

  • https://charm.sh/
  • https://github.com/JoelOtter/termloop
  • https://github.com/gdamore/tcell
  • https://earthly.dev/blog/tui-app-with-go/
  • https://www.inngest.com/blog/interactive-clis-with-bubbletea
  • https://m.youtube.com/watch?v=uJ2egAkSkjg

• Rust:

  • https://ratatui.rs/
  • https://github.com/lemunozm/ruscii
  • https://gitlab.com/thustle/thardians-rs
  • https://www.youtube.com/live/qaaHhfPGde0

• Misc:

  • Book about programming mazes

---

ddflare: (Dynamic)DNS management via Cloudflare API in Kubernetes by fgiudici

Description

ddflare is a project started a couple of weeks ago to provide DDNS management using v4 Cloudflare APIs: Cloudflare offers management via APIs and access tokens, so it is possible to register a domain and implement a DynDNS client without any other external service but their API.

Since ddflare allows to set any IP to any domain name, one could manage multiple A and ALIAS domain records. Wouldn't be cool to allow full DNS control from the project and integrate it with your Kubernetes cluster?

Goals

Main goals are:

1. add containerized image for ddflare
2. extend ddflare to be able to add and remove DNS records (and not just update existing ones)
3. add documentation, covering also a sample pod deployment for Kubernetes
4. write a ddflare Kubernetes operator to enable domain management via Kubernetes resources (using kubebuilder)

Available tasks and improvements tracked on ddflare github.

Resources

• https://github.com/fgiudici/ddflare
• https://developers.cloudflare.com/api/
• https://book.kubebuilder.io

---

Cluster API Add-on Provider for Kubewarden by csalas

Description

Can we integrate Kubewarden with Cluster API provisioning?

Cluster API is a Kubernetes project focused on providing declarative APIs and tooling to simplify provisioning, upgrading, and operating multiple Kubernetes clusters. TLDR; CAPI let's you define Kubernetes clusters in plain YAML, and CAPI providers (infrastructure, control plane/bootstrap, etc.) manage provisioning and configuration for you.

What if we could create an add-on provider that automatically installs Kubewarden and deploys Policy Servers to CAPI clusters?

Goals

• As a user I'd like to set a cluster (or list of clusters) and have the provider install Kubewarden for me.
• As a user I'd like to set what policies must be enforced for a cluster (or list of clusters).

Resources

• Cluster API: https://cluster-api.sigs.k8s.io/
• Kubewarden: https://docs.kubewarden.io/

---

Kanidm: A safe and modern IDM system by firstyear

Kanidm is an IDM system written in Rust for modern systems authentication. The github repo has a detailed "getting started" on the readme.

Kanidm Github

In addition Kanidm has spawn a number of adjacent projects in the Rust ecosystem such as LDAP, Kerberos, Webauthn, and cryptography libraries.

In this hack week, we'll be working on Quokca, a certificate authority that supports PKCS11/TPM storage of keys, issuance of PIV certificates, and ACME without the feature gatekeeping implemented by other CA's like smallstep.

For anyone who wants to participate in Kanidm, we have documentation and developer guides which can help.

I'm happy to help and share more, so please get in touch!

---

Migrate from Docker to Podman by tjyrinki_suse

Description

I'd like to continue my former work on containerization of several domains on a single server by changing from Docker containers to Podman containers. That will need an OS upgrade as well as Podman is not available in that old server version.

Goals

• Update OS.
• Migrate from Docker to Podman.
• Keep everything functional, including the existing "meanwhile done" additional Docker container that is actually being used already.
• Keep everything at least as secure as currently. One of the reasons of having the containers is to isolate risks related to services open to public Internet.
• Try to enable the Podman use in production.
• At minimum, learn about all of these topics.
• Optionally, improve Ansible side of things as well...

Resources

A search engine is one's friend. Migrating from Docker to Podman, and from docker-compose to podman-compose.

---

Bot to identify reserved data leak in local files or when publishing on remote repository by mdati

Description

Scope here is to prevent reserved data or generally "unwanted", to be pushed and saved on a public repository, i.e. on Github, causing disclosure or leaking of reserved informations.

The above definition of reserved or "unwanted" may vary, depending on the context: sometime secret keys or password are stored in data or configuration files or hardcoded in source code and depending on the scope of the archive or the level of security, it can be either wanted, permitted or not at all.

As main target here, secrets will be registration keys or passwords, to be detected and managed locally or in a C.I. pipeline.

Goals

• Detection:

  • Local detection: detect secret words present in local files;
  • Remote detection: detect secrets in files, in pipelines, going to be transferred on a remote repository, i.e. via git push;

• Reporting:

  • report the result of detection on stderr and/or log files, noticed excluding the secret values.

• Acton:

  • Manage the detection, by either deleting or masking the impacted code or deleting/moving the file itself or simply notify it.

Resources

• Project repository, published on Github (link): m-dati/hkwk24;
• Reference folder: hkwk24/chksecret;
• First pull request (link): PR#1;
• Second PR, for improvements: PR#2;
• README.md and TESTS.md documentation files available in the repo root;
• Test subproject repository, for testing CI on push [TBD].

Notes

We use here some examples of secret words, that still can be improved.
The various patterns to match desired reserved words are written in a separated module, to be on demand updated or customized.

[Legend: TBD = to be done]

---

Contributing to Linux Kernel security by pperego

Description

A couple of weeks ago, I found this blog post by Gustavo Silva, a Linux Kernel contributor.

I always strived to start again into hacking the Linux Kernel, so I asked Coverity scan dashboard access and I want to contribute to Linux Kernel by fixing some minor issues.

I want also to create a Linux Kernel fuzzing lab using qemu and syzkaller

Goals

1. Fix at least 2 security bugs
2. Create the fuzzing lab and having it running

The story so far

• Day 1: setting up a virtual machine for kernel development using Tumbleweed. Reading a lot of documentation, taking confidence with Coverity dashboard and with procedures to submit a kernel patch
• Day 2: I read really a lot of documentation and I triaged some findings on Coverity SAST dashboard. I have to confirm that SAST tool are great false positives generator, even for low hanging fruits.
• Day 3: Working on trivial changes after I read this blog post: https://www.toblux.com/posts/2024/02/linux-kernel-patches.html. I have to take confidence with the patch preparation and submit process yet.
  • First trivial patch sent: using strtruefalse() macro instead of hard-coded strings in a staging driver for a lcd display
  • Fix for a dereference before null check issue discovered by Coverity (CID 1601566) https://scan7.scan.coverity.com/#/project-view/52110/11354?selectedIssue=1601566
• Day 4: Triaging more issues found by Coverity.
  • The patch for CID 1601566 was refused. The check against the NULL pointer was pointless so I prepared a version 2 of the patch removing the check.
  • Fixed another dereference before NULL check in iwlmvmparsewowlaninfo_notif() routine (CID 1601547). This one was already submitted by another kernel hacker :(
• Day 5: Wrapping up. I had to do some minor rework on patch for CID 1601566. I found a stalker bothering me in private emails and people I interacted with me, advised he is a well known bothering person. Markus Elfring for the record.

• Wrapping up: being back doing kernel hacking is amazing and I don't want to stop it. My battery pack is completely drained but changing the scope gave me a great twist and I really want to feel this energy not doing a single task for months.

  I failed in setting up a fuzzing lab but I was too optimistic for the patch submission process.

The patches

1

---

VulnHeap by r1chard-lyu

Description

The VulnHeap project is dedicated to the in-depth analysis and exploitation of vulnerabilities within heap memory management. It focuses on understanding the intricate workflow of heap allocation, chunk structures, and bin management, which are essential to identifying and mitigating security risks.

Goals

• Familiarize with heap
  • Heap workflow
  • Chunk and bin structure
  • Vulnerabilities
• Vulnerability
  • Use after free (UAF)
  • Heap overflow
  • Double free
• Use Docker to create a vulnerable environment and apply techniques to exploit it

Resources

• https://heap-exploitation.dhavalkapil.com/divingintoglibc_heap
• https://raw.githubusercontent.com/cloudburst/libheap/master/heap.png
• https://github.com/shellphish/how2heap?tab=readme-ov-file

---

YQPkg - Bringing the Single Package Selection Back to Life by shundhammer

tl;dr

Rip out the high-level YQPackageSelector widget from YaST and make it a standalone Qt program without any YaST dependencies.

See section "Result" at the bottom for the current status after the hack week.

Current Status

See the development status issue at the GitHub repo.

tl;dr: It's usable now with all the key features.

It does real package installation / removal / update with reasonable user feedback.

The Past and the Present

We used to have and still have a powerful software selection with the YaST sw_single module (and the YaST patterns counterpart): You can select software down to the package level, you can easily select one of many available package versions, you can select entire patterns - or just view them and pick individual packages from patterns.

You can search packages based on name, description, "requires" or "provides" level, and many more things.

The Future

YaST is on its way out, to be replaced by the new Agama installer and Cockpit for system administration. Those tools can do many things, but fine-grained package selection is not among them. And there are also no other Open Source tools available for that purpose that even come close to the YaST package selection.

Many aspects of YaST have become obsolete over the years; many subsystems now come with a good default configuration, or they can configure themselves automatically. Just think about sound or X11 configuration; when did you last need to touch them?

For others, the desktops bring their own tools (e.g. printers), or there are FOSS configuration tools (NetworkManager, BlueMan). Most YaST modules are no longer needed, and for many others there is a replacement in tools like Cockpit.

But no longer having a powerful fine-grained package selection like in YaST sw_single will hurt. Big time. At least until there is an adequate replacement, many users will want to keep it.

The Idea

YaST sw_single always revolved around a powerful high-level widget on the abstract UI level. Libyui has low-level widgets like YPushButton, YCheckBox, YInputField, more advanced ones like YTable, YTree; and some few very high-level ones like YPackageSelector and YPatternSelector that do the whole package selection thing alone, working just on the libzypp level and changing the status of packages or patterns there.

For the YaST Qt UI, the YQPackageSelector / YQPatternSelector widgets work purely on the Qt and libzypp level; no other YaST infrastructure involved, in particular no Ruby (or formerly YCP) interpreter, no libyui-level widgets, no bindings between Qt / C++ and Ruby / YaST-core, nothing. So it's not too hard to rip all that part out of YaST and create a standalone program from it.

For the NCurses UI, the NCPackageSelector / NCPatternSelector create a lot of libyui widgets (inheriting YWidget / NCWidget) and use a lot of libyui calls to glue them together; and all that of course still needs a lot of YaST / libyui / libyui-ncurses infrastructure. So NCurses is out of scope here.

Preparatory Work: Initializing the Package Subsystem

To see if this is feasible at all, the existing UI examples needed some fixing to check what is needed on that level. That was the make-or-break decision: Would it be realistically possible to set the needed environment in libzypp up (without being stranded in the middle of that task alone at the end of the hack week)?

Yes, it is: That part is already working:

https://github.com/yast/yast-ycp-ui-bindings/pull/71

---

Create an Android app for Syncthing as part of the Syncthing Tray project by mkittler

Description

There's already an app but code/features already in Syncthing Tray could be reused to create a nicer app with additional features like managing ignore patterns more easily. The additional UI code for the app could then in turn be re-used by other parts of Syncthing Tray, e.g. to implement further steps in the wizard as requested by some users. This way one "UI wrapper codebase" could serve GNU/Linux, Windows and Android (and in theory MacOS) at the same time which is kind of neat.

Goals

• DONE: Learn more about development for Android and development of UIs with Qt Quick
• DONE: Create an experimental app reusing as much existing Syncthing Tray code as possible
• DONE: Build Syncthing as a library also for Android and use it in the app (already done but needs further testing and integration with the rest of the app configuration)
• DONE: Update the Syncthing Tray website, documentation
• Extend the app so it has at least a start page and an import that can cope with an export of the other app
• Update forum thread
• Upload an experimental build on GitHub
• Extend the Syncthing API to download single files on demand (instead of having to sync the whole directory or use ignore patterns)

Resources

• Android SDK/NDK and emulator
• Qt Quick

---