
Developer Builds CIS-Hardened CentOS 9 Golden Images with Packer and QEMU on WSL2


A software developer has published a method for building production-grade CentOS 9 Stream golden images entirely on a Windows laptop using WSL2 with nested KVM, eliminating the need for a cloud builder or dedicated Linux machine. The pipeline uses Packer and QEMU to produce a QCOW2 image that is CIS Level 1 hardened via the ansible-lockdown role and pre-loaded with PingAccess 8.3.5 on a JRE 17 runtime. The build process is split into two sequential Packer stages — one for base OS hardening and one for application layering — each driven by a single shell script with targeted build options. A signed Software Bill of Materials (SBOM) and VEX attestations are generated so that Trivy vulnerability scans can distinguish actually exploitable issues from theoretical ones. The guide also documents WSL2-specific pitfalls, such as a CIS sudoers rule that deadlocks Ansible pipelining and a noexec-mounted /tmp partition that breaks PingAccess installation assumptions.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.


