__ __ __
\ \_________\ \____________\ \___
\ _ \ _\ _ \ _\ __ \ __\ /
\___/\__/\__/ \_\ \___/\__/\_\_\
Bedrock Linux
Introductory Material
Current Release (0.7 Poki)
Miscellaneous
Community
Bedrock Linux is a meta Linux distribution which mixes-and-matches components from other distributions and integrates them into one largely cohesive system.
Traditional Linux distributions distribute software which includes the Linux kernel. This is done with the aim of providing users a Linux based operating system.
Meta Linux distributions share the eventual goal of a Linux based operating system, but do so in a means other than distributing the end-goal software itself.
Other meta Linux distributions include:
Bedrock provides a means to compose a target of the user's desired system from a potentially eclectic mix of parts of other distros.
No. Rather, Bedrock's install process replaces another distro install
then adds the previous install as a new Bedrock stratum. It does this
sufficiently quickly and smoothly that it is easy to misinterpret the process.
The significance here is that Bedrock becomes integral to the system after
the install while the hijacked stratum's files may be trivially swapped
out and removed.
When one installs a traditional distro, the preceding install is wiped. It is
best to model installing Bedrock as similar, even if the process to get
there is unusual. Along these lines, consider the hijacked stratum
simply a default collection of software, where any and all may be replaced.
Bedrock's goal is to provide users access to features of other distros. For example, Bedrock makes other distro init systems and fonts available. Bedrock itself is unopinionated about the choices; it doesn't care which init system or font the user wants.
To Bedrock, the install process is another feature that Bedrock should make available from other distros. It achieves this by having users first install a distro that has the install process he or she prefers, then providing a low-friction method of converting that install into a Bedrock install.
This process is referred to as hijacking to emphasize the forceful way
Bedrock takes control from the previous install.
Whichever offers the install process you like the most.
Once you've had Bedrock hijack the install, you're no longer running that distro - you're running Bedrock. You can then can swap out everything specific to the hijacked distro with parts from other distros. Once you've configured the system to your liking, the result is functionally the same irrelevant of which install process you happened to use to get there.
The exact details may change drastically from release-to-release. A detailed white paper is planned once things stabilize around a 1.0 release.
Bedrock has different strategies for different subsystems. Its most widely used strategy is to:
strata. Think
of these as chroots with selective holes punched in them.stratum
boundaries via a FUSE filesystem called crossfs that alters files
on-the-fly to make them portable across stratum boundaries.crossfs. This way, they usually cannot conflict with each other.crossfs. For example, cross
binary locations are added to the $PATH so that bash can find them.Please note that this is not the only strategy Bedrock leverages, and that different subsystems may require radically different strategies to provide cross-distro features. See the planned white paper once it releases for a comprehensive and detailed explanation.
If you have experience with a number of Linux distributions and find whenever you're on one distro you miss a feature provided by another, Bedrock may provide a suitable means of getting the best of multiple worlds.
strata. It may result in
noticeable disk overhead compared to traditional distros./etc access. Workflows which access /etc
excessively (e.g., hundreds of times a second) may exhibit noticeable
slowdown. Don't run a performance sensitive database out of /etc.A Bedrock Linux system is composed of software from other distributions. If you limit yourself to packages from secure, well-proven, hardened distros, security could be comparable to those distros themselves. If you use less secure packages from less secure distros, Bedrock Linux's security will suffer accordingly.
In addition to code from other distros, Bedrock's own code introduces a couple theoretical potential weak points:
strat command is cap_sys_chroot=ep. This means it can call
chroot() irrelevant of the user that runs it. It takes great care to
ensure it is only used per root-set configuration.etcfs and
crossfs. Both of these take efforts to reduce their own permissions to
those of the caller before taking actions.Additionally, Bedrock provides a brl fetch command which bootstraps
minimal sets of files from other distros. To get around a catch-22 of needing
a distro's packages to bootstrap the distro, an early part of this bootstrap
process may occur without cryptographic signature checking.
Moreover, Bedrock's efforts to make things work cross-distro breaks expectations from many Linux hardening techniques. It is possible to create Mandatory Access Control policies for Bedrock, but policies written for other distros will not work as-is on Bedrock.
Since Bedrock's first public release in 2012 there have been:
/run).Generally, once a Bedrock install is running well, it keeps running well.
However, Bedrock does have a number of known compatibility issues, and likely some unknown ones as well. It is wise to install Bedrock in a VM or spare machine and exercise your expected workflow to shake these out before installing it on a production machine.
While Bedrock just works for many workflows, others require further development effort. How things align for your particular workflow is difficult to predict without exercising it and finding out.
Typically issues become evident in relatively early use. Consider trying Bedrock in a VM or on a spare machine and exercise your expected workflow as a test. If that goes smoothly, Bedrock may indeed be suitable for you. Otherwise, consider revisiting it down the line.
Bedrock Linux does not do very much by itself; rather, it is the foundation upon which parts of other Linux distributions are placed. Initial ideas for a name were intent on reflecting this fact. Other proposed names included "Foundation Linux", "Frame Linux" and "Scaffolding Linux". The choice was made without consideration of the television show The Flintstones or videogame Minecraft.
All of the Bedrock Linux releases are named after characters from the Nickelodeon television programs Avatar: The Last Air Bender and The Legend of Korra.
The techniques Bedrock Linux utilizes are fairly specific to Linux. While it may be possible to create a similar meta-distro for other kernels, they would require substantial new R&D and are not being pursued by anyone on the Bedrock Linux team.
While Android does use the Linux kernel, its userland is sufficiently distant that it, too, would require substantial R&D and is not currently being pursued.
See the distro compatibility page.
Bedrock development officially started on the 9th of June, 2009.
The first internal release occurred 2011.
The first public release occurred the third of August, 2012.
In 2008, paradigm experimented with creating a Linux sandbox technology. Particular focus was given to fluidly transitioning resources between security contexts to minimize friction without opening exploitable security holes.
In 2009, it became evident that Tomoyo Linux would be mainlined into the Linux kernel. Tomoyo was found to be a greatly preferable to paradigm's experimental sandbox system, and so the sandbox effort was abandoned.
Also around this time, paradigm became frustrated with the amount of packages he had to compile and maintain himself, as no distro provided everything desired.
Serendipitously, the technologies developed to fluidly transition between security contexts were found to be perfect for fluidly transitioning between Linux distro contexts. Further experimentation here lead to paradigm founding Bedrock Linux.