Linux

A set of patches implementing async I/O IOCB_NOWAIT support for the loop block device is heading to the Linux 6.19 kernel with some performance improvements that will make loop block device users "wow".

Jens Axboe last week queued up the patches into the Linux block subsystem's "for-next" Git branch ahead of the Linux 6.19 merge window in early December

A short review of the recent MX Linux 25. Solid review and it's good to see a great distro like MX get some coverage.

Wayland Protocols 1.46 released this evening with new experimental protocols for text improvements as well as refinements to the color management protocol for HDR.

Wayland Protocols 1.46 brigns a new appendix and clarifications for the color-management-v1 protocol. A missing protocol error for color-representation-v1 is also added.

iDescriptor is a brand-new app that introduces a new way for Linux users to manage iPhones without relying on macOS or iTunes, something that the Linux ecosystem has always lacked.

The project consolidates several capabilities that previously required separate command-line tools or weren’t available at all, turning them into a graphical, cross-platform application that is available for Linux as an AppImage.

Written in C++, iDescriptor is built on top of the libimobiledevice stack and extends it with features that are typically difficult to access from Linux systems. Users can browse their device’s filesystem, import photos and videos, and install applications directly from the App Store using their Apple ID.

Ethan Sholly, the driving force behind selfh.st, one of the most recognized communities uniting self-hosting enthusiasts, has published the latest results of his annual survey on the community’s preferences, collecting 4,081 responses from self-hosting practitioners worldwide.

No surprise there: Linux is overwhelmingly dominant, chosen by more than four out of five self-hosters (81%). In other words, for self-hosters operating at bare-metal, virtualised, or container-based infrastructure, Linux remains the backbone.

In fact, this result aligns closely with broader trends: according to Wikipedia, Linux holds a 63% share of global server infrastructure. Aside from the hobby aspect, most respondents said privacy was their main reason for self-hosting, which, as you know, remains one of Linux’s strongest selling points. Now, back to the numbers.

The mailing list link

AWS engineers have been working on Linux kernel improvements to KVM's VMX code for enhancing the unamanged guest memory when dealing with nested virtual machines. The improved code addresses some correctness issues as well as delivering wild performance improvements within a synthetic benchmark.

On Friday Amazon/AWS engineer Fred Griffoul sent out the latest patches to the KVM nVMX code for improving the performance of unmanaged guest memory.

Linux 6.18-rc7 just arrived in the Git tree as the newest weekly test build leading up to Linux 6.18 stable hopefully debuting next Sunday, 30 November.

Linux 6.18-rc7 has continued landing many bug/regression fixes for this last kernel release of 2025. With this also being the last major Linux kernel version of 2025, Linux 6.18 is also anticipated to become the annual Long Term Support (LTS) kernel version.

More features continue piling on for the KDE Plasma 6.6 desktop, including an important performance fix this week for those running displays with a higher than 60Hz refresh rate.

KDE Plasma development highlights for the week have now been published by KDE developer Nate Graham.

Bottles, an open-source software tool built on top of Wine that helps users run Windows applications and games on Linux systems by providing a user-friendly GUI, has just released its latest version, 60.0.

The update introduces a native Wayland option directly in the bottle settings, giving users a more predictable experience on modern Linux desktops that have already shifted away from X11.

The 267th installment of the 9to5Linux Weekly Roundup is here for the week ending on November 23rd, 2025, keeping you updated with the most important things happening in the Linux world.

cross-posted from: https://leminal.space/post/28955576

I learned how to do this recently, and I wanted to share. Once you know what to do VPN confinement is easy to set up on NixOS.

The scenario: you want selected processes to run through a VPN, but you want everything else to not run through the VPN. On Linux you can do this with a network namespace. That's a kernel feature that defines a network stack that is isolated from your default network stack. Processes can be configured to run in a new namespace, and when they do they cannot access the usual not-VPN-protected network interfaces. Network namespaces work along with other types of namespaces, like process namespaces, to allow Docker containers to function almost as though they are separate machines from the host system. Actually Docker containers are regular processes that are carefully isolated using namespaces, cgroups, and private filesystems. Because of that isolation Docker containers are a popular choice for VPN confinement. But since all you really need is network isolation you can skip the middleman, and use network namespaces directly.

There is a third-party NixOS module that automates this, VPN-Confinement. Here's an example that runs a Borg backup job through a VPN connection. (This example also uses the third-party sops-nix module to encrypt VPN credentials.)

{ config, ... }:

let
  vpnNamespace = "wg";
in
{
  # Define the network namespace for VPN confinement. Creates a VPN network
  # interface in the namespace; creates a bridge; sets up routing; creates
  # firewall rules to prevent DNS leaking. The VPN-Confinement module requires
  # using Wireguard as the VPN protocol.
  vpnNamespaces.${vpnNamespace} = {
    enable = true;
    wireguardConfigFile = config.sops.secrets.wireguard_config.path;
  };

  # Set up whatever service should run via VPN
  services.borgbackup.jobs.homelab = {
    paths = "/home/jesse";
    encryption.mode = "none";
    environment.BORG_RSH = "ssh -i /home/jesse/.ssh/id_ed25519";
    repo = "ssh://offsite.sitr.us/backups/homelab";
    compression = "auto,zstd";
    startAt = "daily";
  };

  # Modify the systemd unit for your service to run its processes in the VPN
  # namespace.
  #
  # - sets Service.NetworkNamespacePath in the systemd unit
  # - sets Service.InaccessiblePaths = [ "/run/nscd" "/run/resolvconf" ] to prevent DNS leaking
  # - adds a dependency to the unit that brings up the VPN network namespace
  #
  # I found the name of the systemd service that services.borgbackups.jobs
  # creates by looking at the Borg module source. You can find the source for
  # NixOS modules by searching for config options on https://search.nixos.org/options
  systemd.services.borgbackup-job-homelab = {
    vpnConfinement = {
      enable = true;
      inherit vpnNamespace;
      # `inherit vpnNamespace;` has the same effect as `vpnNamespace = vpnNamespace;`
      # I used a variable to be certain that the value here matches the name
      # I used to set up the namespace on line 11.
    };
  };

  # Load your wireguard config file however you want. Your VPN provider probably
  # supports wireguard, and will likely generate a config file for you.
  sops.secrets.wireguard_config = {
    sopsFile = ./secrets.yaml;
    owner = "root";
    group = "root";
  };
}

This setup assumes using the Wireguard VPN protocol, and assumes that programs you want to be VPNed are run by systemd. VPN providers mostly support Wireguard, including Tailscale. But my understanding is that Tailscale's mesh routing requires additional setup beyond creating a Wireguard interface. So you'd likely want a different setup for confinement with Tailscale. You can run the Tailscale client in a network namespace (there is a start on such a setup here); or you might use Tailscale's subnet router feature to blend VPN and local network traffic instead of selective confinement.

Normally when you turn on a VPN your VPN client software creates a network interface that transparently sends traffic through an encrypted tunnel, and configures a default route to send network traffic through that interface. So traffic from all programs is routed through the tunnel. VPN-Confinement creates that network interface in the isolated namespace, and sets that default route in the namespace, so that only programs running in the namespace are affected. There is much more detail in this blog post. The VPN-Confinement module differs from the setup in that post in a couple of ways: it has some extra setup to block DNS requests that aren't properly tunneled; it creates a network bridge instead of a simple virtual ethernet cable for port forwarding; and it provides more options for firewall and routing configuration.

VPN-Confinement has an option to forward ports from the default network stack into the VPN namespace. This is useful if you want all outbound traffic to go through the VPN, but you want to accept inbound traffic from programs on the host, or from other machines on your local network, or anywhere else. This is handy if, for example, you're running a program on a headless server that provides a web UI for remote administration. Here's an expanded VPN namespace example:

vpnNamespaces.${vpnNamespace} = {
  enable = true;
  wireguardConfigFile = config.sops.secrets.wireguard_config.path;

  # Forward traffic to specified ports from the default network namespace to
  # the VPN namespace.
  portMappings = [{ from = 8080; to = 8080; }];
  accessibleFrom = [
    # Accept traffic from machines on the local network, and route through the
    # mapped ports.
    "192.168.1.0/24"
  ];
};

Requests to mapped ports from the host machine need to be addressed to the network bridge that VPN-Confinement sets up. You can configure its addresses using the bridgeAddress and bridgeAddressIPv6 options. By default the addresses are 192.168.15.5 and fd93:9701:1d00::1. If you're configuring addresses elsewhere in your NixOS config you can use an expression like this:

url = "http://${config.vpnNamespaces.${vpnNamespace}.bridgeAddress}:8080/";

If you look at the source for VPN-Confinement you'll see that namespace configuration and routing require a lot of stateful ip commands. I think it would be nice if there were an alternative, declarative interface to iproute2. But VPN-Confinement is able to encapsulate the stateful stuff in systemd ExecStart and ExecStopPost scripts.

I ran into an issue where mDNS stopped working while the VPN network namespace was active. I fixed that problem by configuring Avahi to ignore VPN-Confinement's network bridge:

services.avahi.denyInterfaces = [ "${vpnNamespace}-br" ];

Edit 2025-11-23: I deleted a comment that implied that if the VPN namespace string doesn't match in the two places where it is used traffic won't be tunneled. I tested again, and if the names don't match the service that is supposed to be protected won't start. You'll see an error like, Failed to restart test-unit.service: Unit wrong-name.service not found.. If you bypass VPN-Confinement by hand, and set Service.NetworkNamespacePath to a path that doesn't exist the unit will fail with an error like, test-unit.service: Failed to open network namespace path /run/netns/wrong-name: No such file or directory.

Heyho, recently asked for the silliest reasons, but as someone who has suggested linux to many people, I often encounter people having valid reasons for staying with Windows or switching back.

The most boring but valid one is "I have to use Windows for work. It is a requirement (of some software I have to use)". But there are also other answers that fit. My sister for example tried Linux, but while installing software constantly encountered issues that I helped her solve and eventually switched back because she felt like she had less control than over windows. While I am aware that this is fundamentally wrong, it is valid that some amateur users do not want to invest enough time to get over the initial hurdles of relearning how to install software.

What are the best reasons people have given you for not wanting to try Linux?

OQB @VoxAliorum@lemmy.ml

FreeBSD 15.0 is working toward its stable release in early December. As part of reaching that major release, FreeBSD 15.0-RC3 released today as what may be the final release candidate before FreeBSD 15.0-RELEASE.

There was expected to be a FreeBSD 15.0-RC4 milestone but due to release delays due to extra snapshots earlier in the cycle, FreeBSD 15.0-RC3 is currently set to be the last release candidate. If all goes well with that testing, FreeBSD 15.0-RELEASE could be announced on 2 December.

Just last week GNOME's Nautilus file manager "GNOME Files" made headlines for finally supporting Ctrl+INsert and Shift+Insert while this week there is more activity worth pointing out. Nautilus in GNOME 50 will be loading thumbnail images much faster than in prior versions.

With new thumbnail code merged this week for GNOME Files / Nautilus, the file manager is now making use of improvements in GTK4 and now allowing thumbnails to be loaded asynchronously.

I want to sort of recreate macOS 15's dynamic wallpaper, and downloaded this set of 8 wallpapers which are most / all the colors it cycles through. On Hyprland, I want to cycle through them throughout the day, but also slowly transition from one wallpaper to another for an hour or longer, crossfading / blending them.

I did some searching, and neither timewall or adi1090x/dynamic-wallpaper can do it. I looked at making my own script to blend images once every 60 secs, but I'm not sure how to quickly crossfade images. This command takes ~15 secs, I feel this should possible much faster with or without imagemagick: magick composite -blend 50 wallpaper1.png wallpaper2.png output.png.

Back in mid-2024, the Bavarian Linux PC vendor TUXEDO Computers teased plans for developing a Snapdragon X Elite Linux laptop. Initially they hoped to have it out by Christmas 2024. That didn't happen and now approaching Christmas 2025 they confirmed they have stopped their plans for shipping a Snapdragon X1 Elite laptop for Linux customers.

Earlier in 2025 they confirmed various obstacles they had been hitting with the Linux support around the Snapdragon X Elite effort. They did get to posting Linux kernel patches for the Device Tree on their planned laptop. As recently as in early November they posted the latest Linux DT patches for their ARM laptop with the effort appearing to still be ongoing -- even with Snapdragon X2 Elite laptops for Windows on ARM now coming about.

NVIDIA today issued the 580.94.11 driver release as their newest Vulkan beta driver for Linux customers. Most notable with this beta driver update is adding VK_EXT_hdr_metadata support.

The NVIDIA Windows driver has supported the VK_EXT_hdr_metadata extension (all the way back to 2018) and the open-source Mesa Linux drivers also supported this HDR metadata extension while only now is being enabled by the NVIDIA Linux driver. VK_EXT_hdr_metadata is used for dealing with SMPTE 2086 metadata and CATA 861.3 metadata for Vulkan swapchains.

Windows is getting worse, while gaming on Linux is getting better. I’m gonna move my desktop to CachyOS. Wish me luck.

Just learned of timers the other day, but I'm a cron guy, anybody out there using timers? Anything I'm missing out on?

The best one I've ever heard is they like the Microsoft wallpapers. Yes i told them you can use them on linux too. But they argued with me that they wouldn't be compatible.

OQB @lordnikon@lemmy.world