Weekend Reading: Containers

The software enabling this technology comes in many forms, with Docker as the most popular. The recent rise in popularity of container technology within the data center is a direct result of its portability and ability to isolate working environments, thus limiting its impact and overall footprint to the underlying computing system. To understand the technology completely, you first need to understand the many pieces that make it all possible. Join us this weekend as we learn about Containers.

Before we get started, many ask what the difference is between a container and a virtual machine. Editor Petros Koutoupis explains: both have a specific purpose and place with very little overlap, and one doesn't obsolete the other. A container is meant to be a lightweight environment that you spin up to host one to a few isolated applications at bare-metal performance. You should opt for virtual machines when you want to host an entire operating system or ecosystem, or maybe to run applications incompatible with the underlying environment.

Everything You Need to Know about Linux Containers, Part I: Linux Control Groups and Process Isolation

Truth be told, certain software applications in the wild may need to be controlled or limited—at least for the sake of stability and, to some degree, security. Far too often, a bug or just bad code can disrupt an entire machine and potentially cripple an entire ecosystem. Fortunately, a way exists to keep those same applications in check. Control groups (cgroups) is a kernel feature that limits, accounts for and isolates the CPU, memory, disk I/O and network usage of one or more processes.

Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Tor Browser for Android (Alpha) Now Available, Feral Interactive Announces Total War: THREE KINGDOMS Coming to Linux Spring 2019, Ubuntu 18.10 Cosmic Cuttlefish Final Beta Released, Four New openSUSE Tumbleweed Snapshots and More

News briefs for September 28, 2018.

The Tor Browser for Android (alpha) is now available. This mobile browser has the "highest privacy protections ever available and is on par with Tor Browser for desktop". You can download the alpha release from Google Play, or you can get the apk directly from here. You also will need Orbot, which is a proxy application to connect the Tor Browser for Android with the Tor network. (When the stable version is released early next year, you won't need to do this.)

In other Tor news, Tor is looking for a software developer for its anti-censorship team. If you're interested, see the Tor Project page for details and how to apply.

Feral Interactive announced that Total War: THREE KINGDOMS is coming to Linux and macOS in spring of 2019, shortly after the Windows release, which is scheduled for March 7, 2019. The game is the first of the Total War series to be set in ancient China. You can view the trailer here.

Ubuntu 18.10 (Cosmic Cuttlefish) final beta has been released. This release includes images not only for Ubuntu Desktop, Server and Cloud, but also for Kubuntu, Lubuntu, Ubuntu Budgie, UbuntuKylin, Ubuntu MATE, Ubuntu Studio and Xubuntu. To upgrade to Ubuntu 18.10 beta from Ubuntu 18.04, go here. See the release notes for more information.

This week brought four new openSUSE Tumbleweed snapshots that update packages like vim, Xen, Git and ImageMagick.

Sailfish 3 is coming soon. According to the Official Jolla Blog, it will be rolled out next month, with early access releases by the end of October. It will include many new features such as VPN improvements and MDM (Mobile Device Management) functionalities.

Understanding Bash: Elements of Programming

Ever wondered why programming in Bash is so difficult? Bash employs the same constructs as traditional programming languages; however, under the hood, the logic is rather different.

The Bourne-Again SHell (Bash) was developed by the Free Software Foundation (FSF) under the GNU Project, which gives it a somewhat special reputation within the Open Source community. Today, Bash is the default user shell on most Linux installations. Although Bash is just one of several well known UNIX shells, its wide distribution with Linux makes it an important tool to know.

The main purpose of a UNIX shell is to allow users to interact effectively with the system through the command line. A common shell action is to invoke an executable, which in turn causes the kernel to create a new running process. Shells have mechanisms to send the output of one program as input into another and facilities to interact with the filesystem. For example, a user can traverse the filesystem or direct the output of a program to a file.

Although Bash is primarily a command interpreter, it's also a programming language. Bash supports variables, functions and has control flow constructs, such as conditional statements and loops. However, all of this comes with some unusual quirks. This is because Bash attempts to fulfill two roles at the same time: to be a command interpreter and a programming language—and there is tension between the two.

All UNIX shells, including Bash, are primarily command interpreters. This trait has a deep history, stretching all the way to the very first shell and the first UNIX system. Over time, UNIX shells acquired programming capabilities through evolution, and this has led to some unusual solutions for the programming environment. As many people come to Bash already having some background in traditional programming languages, the unusual perspective that Bash takes with programming constructs is a source of much confusion, as evidenced by many questions posted on Bash forums.

In this article, I discuss how programming constructs in Bash differ from traditional programming languages. For a true understanding of Bash, it's useful to understand how UNIX shells evolved, so I first review the relevant history, and then introduce several Bash features. The majority of this article shows how the unusual aspects of Bash programming originate from the need to blend the command interpreter function seamlessly with the capabilities of a programming language.

System76 Launching a New Open-Source Computer, Krita 4.1.3 Released, the Hyperledger Project Gains 14 New Members, Distro Maintainers Need to Merge Kernel Security Fixes Faster and Java 11 Now Available

News briefs for September 27, 2018.

System76 is launching a new open-source computer, which will be available for pre-order next month. Before announcing the finalized hardware, the company will be releasing a four-part animation each week with "design updates hidden within a game portion of the story". That story will contain "different worlds, each representing an antithesis to open source ideals. These themes are utilized to draw attention to the importance of open source in the evolution of technology". If you're interested, you can sign up here to follow the saga and receive updates leading up to the pre-order.

Krita 4.1.3 was released today. The team reports there are about 100 fixes, so update soon. This version features a new welcome screen, and several improvements, including working with selections and exporting EPUBs, and much more. Also, here's a reminder that Krita's Squash the Bugs fundraiser is still live.

Fourteen new members have joined The Linux Foundation's Hyperledger open-source blockchain project. According to the press release, new members include "BetaBlocks, Blockchain Educators, Cardstack, Constellation Labs, Elemential Labs, FedEx, Honeywell International Inc., KoreConX, Northstar Venture Technologies, Peer Ledger, Syncsort and Wanchain".

Google Project Zero researcher Jann Horn claims that distro maintainers need to merge kernel security fixes quicker. ZDNET quotes Horn regarding Debian and Ubuntu: "Debian stable ships a kernel based on 4.9, but as of 2018-09-26, this kernel was last updated 2018-08-21. Similarly, Ubuntu 16.04 ships a kernel that was last updated 2018-08-27. Android only ships security updates once a month."

Java 11 is now available. There are several changes and updates with this release, so see the release notes for all the changes. You can download it from here.

Take Your Git In-House

If you're wary of the Microsoft takeover of GitHub, or if you've been looking for a way to wean yourself off free public repositories, or if you want to ramp up your DevOps efforts, now's a good time to look at installing and running GitLab yourself. It's not as difficult as you might think, and the free, open-source GitLab CE version provides a lot of flexibility to start from scratch, migrate or graduate to more full-fledged versions.

In today's software business, getting solid code out the door fast is a must, and practices to make that easier are part of any organization's DevOps toolset. Git has risen to the top of the heap of version control tools, because it's simple, fast and makes collaboration easy.

For developers, tools like Git ensure that their code isn't just backed up and made available to others, but nearly guarantees that it can be incorporated into a wide variety of third-party development tools—from Jenkins to Visual Studio—that make continuous integration and continuous delivery (CI/CD) possible. Orchestration, automation and deployment tools easily integrate with Git as well, which means code developed on any laptop or workstation anywhere can be merged, branched and integrated into deployed software. That's why version control repositories are the future of software development and DevOps, no matter how big or small you are, and no matter whether you're building monolithic apps or containerized ones.

Getting Started with Git

Git works by taking snapshots of code on every commit, so every version of contributed code is always available. That means it's easy to roll back changes or look over different contributors' work.

If you're working in an environment that uses Git, you can do your work even when you're offline. Everything is saved in a project structure on your workstation, just as it is in the remote Git repository, and when you're next online, your commits and pushes update the master (or other) code branch quickly and easily.

Most Git users (even newbies) use the Git command-line tools to clone, commit and push changes, because it's easy, and for nearly 28 million developers, GitHub has become the de facto remote Git-based repository for their work. In fact, GitHub has moved beyond being just a code repository to become a multifaceted code community featuring 85 million projects. That's a lot of code.

GitLab is gaining popularity as a remote code repository too, but it's smaller and bills itself as more DevOps-focused, with CI/CD tools included for free. Both repositories offer free hosted accounts that allow users to create a namespace, and start contributing and collaborating right away. The graphical browser interfaces offered by the GitHub- and GitLab-hosted services make it easy to manage projects and project code, and also to add SSH keys, so you easily can connect from your remote terminal on Linux, Windows or Mac.

Cisco Confirms 88 Products Vulnerable to FragmentStack Bug, KDE neon Rebased on Ubuntu 18.04 LTS, GNOME 3.30.1 Released, Rust Announces Version 1.29.1 and Mozilla Launches Firefox Monitor

News briefs for September 26, 2018.

Cisco confirms that 88 of its products that rely on the Linux kernel are vulnerable to the FragmentStack bug. According to ZDNet, "the bug can saturate a CPU's capacity when under a low-speed attack using fragmented IPv4 and IPv6 packets, which could cause a denial-of-service condition on the affected device." Affected products include "Nexus switches, Cisco IOS XE software, and equipment from its lines of Unified Computing and Unified Communications brands, several TelePresence products, and a handful of wireless access points."

The KDE neon team announces the rebase of its packages onto Ubuntu 18.04 LTS "Bionic Beaver" and encourages users to upgrade now. You also can download a clean installation from here.

GNOME 3.30.1 has been released. This release contains only bugfixes. If you want to compile it, you can use the BuildStream project snapshot. See the list of updated modules and changes here.

The Rust Team yesterday announced Rust 1.29.1. This new version fixes a security vulnerability in the standard library "where if a large number was passed to str::repeat, it could cause a buffer overflow after an integer overflow. If you do not call the str::repeat function, you are not affected." See the release notes on GitHub for all the details.

Mozilla yesterday launched Firefox Monitor, a free service that alerts you if you've been part of a data breach. Enter your email at Firefox Monitor for a basic scan.

Support for a GNSS and GPS Subsystem

Recently, there was a disagreement over whether a subsystem really addressed its core purpose or not. That's an unusual debate to have. Generally developers know if they're writing support for one feature or another.

In this particular case, Johan Hovold posted patches to add a GNSS subsystem (Global Navigation Satellite System), used by GPS devices. His idea was that commercial GPS devices might use any input/output ports and protocols—serial, USB and whatnot—forcing user code to perform difficult probes in order to determine which hardware it was dealing with. Johan's code would unify the user interface under a /dev/gnss0 file that would hide the various hardware differences.

But, Pavel Machek didn't like this at all. He said that there wasn't any actual GNSS-specific code in Johan's GNSS subsystem. There were a number of GPS devices that wouldn't work with Johan's code. And, Pavel felt that at best Johan's patch was a general power management system for serial devices. He felt it should not use names (like "GNSS") that then would be unavailable for a "real" GNSS subsystem that might be written in the future.

However, in kernel development, "good enough" tends to trump "good but not implemented". Johan acknowledged that his code didn't support all GPS devices, but he said that many were proprietary devices using proprietary interfaces, and those companies could submit their own patches. Also, Johan had included two GPS drivers in his patch, indicating that even though his subsystem might not contain GNSS-specific code, it was still useful for its intended purpose—regularizing the GPS device interface.

The debate went back and forth for a while. Pavel seemed to have the ultimate truth on his side: Johan's code was at best misnamed, and at worst incomplete and badly structured. Johan, however, had real-world usefulness on his side: something like his patch had been requested by other developers for a long time, and it solved actual problems confronted by people today.

Finally Greg Kroah-Hartman put a stop to all debate—at least for the moment—by simply accepting the patch and feeding it up to Linus Torvalds for inclusion in the main kernel source tree. He essentially said that there was no competing patch being offered by anyone, so Johan's patch would do until anything better came along.

Pavel didn't want to give up so quickly, and he tried at least to negotiate a name change away from "GNSS", so that a "real" GNSS subsystem might still come along without a conflict. But with his new-found official support, Johan said, "This is the real gnss subsystem. Get over it."

WLinux Distro for Windows Subsystem for Linux Now Available, openSUSE Call for Hosts, New Firefox Bug, Firefox Collecting Telemetry Data and Creative Commons Releases Significant CC Search Update

News briefs for September 25, 2018.

Whitewater Foundry recently launched WLinux, a Linux distribution optimized for use on the Windows Subsystem for Linux (WSL). Because the distro is created specifically for WSL, it has "sane defaults" and also allows for "faster patching of security and compatibility issues". You can download it from the Microsoft Store, and it's currently on sale for $9.99.

openSUSE announced that it's accepting proposals to host the openSUSE 2020 conference. The "Call for Hosts" is open until April 15, 2019. See the Conference How to Check List and the Conference How to bid wiki pages if you're interested.

Security researcher Sabri Haddouche has discovered a new Firefox bug that causes your browser and sometimes your PC (on Linux, Mac and Windows) to crash. In an interview with ZDNet, Haddouche explained, "What happens is that the script generates a file (a blob) that contains an extremely long filename and prompts the user to download it every one millisecond". See also the bug report for more information.

In other Firefox news, the browser evidently is collecting telemetry data via hidden add-ons, ITWire reports. The ITWire post also quotes Mozilla's Marshall Erwin, director of Trust and Security: "...we will measure Telemetry Coverage, which is the percentage of all Firefox users who report telemetry. The Telemetry Coverage measurement will sample a portion of all Firefox clients and report whether telemetry is enabled. This measurement will not include a client identifier and will not be associated with our standard telemetry."

Creative Commons released a significant update to its beta of the CC Search project yesterday. This iteration "integrates access to more than 10 million images across 13 content providers". It also features AI image tags generated from Clarifai, the "best in class image classification software that provides tagging support and visual recognition". In addition, CC Search has a new design making it easy for users to "search by category, see popular images, and search more accurately across a wide range of content". And finally, users can share content and create public lists of images without needing an account.

Bytes, Characters and Python 2

Moving from Python 2 to 3? Here's what you need to know about strings and their role in your upgrade.

An old joke asks "What do you call someone who speaks three languages? Trilingual. Two languages? Bilingual. One language? American."

Now that I've successfully enraged all of my American readers, I can get to the point, which is that because so many computer technologies were developed in English-speaking countries—and particularly in the United States—the needs of other languages often were left out of early computer technologies. The standard established in the 1960s for translating numbers into characters (and back), known as ASCII (the American Standard Code for Information Interchange), took into account all of the letters, numbers and symbols needed to work with English. And that's all that it could handle, given that it was a seven-byte (that is, 128-character) encoding.

If you're willing to ignore accented letters, ASCII can sort of, kind of, work with other languages, as well—but the moment you want to work with another character set, such as Chinese or Hebrew, you're out of luck. Variations on ASCII, such as ISO-8859-x (with a number of values for "x"), solved the problem to a limited degree, but there were numerous issues with that system.

Unicode gives each character, in every language around the globe, a unique number. This allows you to represent (just about) every character in every language. The problem is how you can represent those numbers using bytes. After all, at the end of the day, bytes are still how data is stored to and read from filesystems, how data is represented in memory and how data is transmitted over a network. In many languages and operating systems, the encoding used is UTF-8. This ingenious system uses different numbers of bytes for different characters. Characters that appear in ASCII continue to use a single byte. Some other character sets (for example, Arabic, Greek, Hebrew and Russian) use two bytes per character. And yet others (such as Chinese and emojis) use three bytes per character.

In a modern programming language, you shouldn't have to worry about this stuff too much. If you get input from the filesystem, the user or the network, it should just come as characters. How many bytes each character needs is an implementation detail that you can (or should be able to) ignore.

Why do I mention this? Because a growing number of my clients have begun to upgrade from Python 2 to Python 3. Yes, Python 3 has been around for a decade already, but a combination of some massive improvements in the most recent versions and the realization that only 18 months remain before Python 2 is deprecated is leading many companies to realize, "Gee, maybe we finally should upgrade."

The major sticking point for many of them? The bytes vs. characters issue.
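As an added illustration (not code from the original column), the following Python 3 snippet measures the UTF-8 cost of the character sets mentioned above and shows the two ways code that confuses bytes with characters breaks: decoding bytes that are not valid UTF-8, and cutting a UTF-8 byte string in the middle of a character. It goes one step beyond the text by including a four-byte character (an emoji) next to the one-, two- and three-byte cases; the sample strings are constructed for the example.

```python
# Added example, not code from the original column: UTF-8 byte costs and the
# failure modes that appear when bytes and characters are confused.

# Constructed sample strings, one per character set discussed in the text.
SAMPLES = {
    "ascii":   "Linux",              # 1 byte per character
    "greek":   "Λινουξ",             # 2 bytes per character
    "hebrew":  "לינוקס",             # 2 bytes per character
    "chinese": "操作系统",            # 3 bytes per character
    "emoji":   "\U0001F427",         # penguin; 4 bytes, outside the BMP
}


def utf8_cost(text):
    """Return (number_of_characters, number_of_utf8_bytes) for a str."""
    encoded = text.encode("utf-8")
    return len(text), len(encoded)


def character_widths():
    """Map each sample name to its number of UTF-8 bytes per character."""
    widths = {}
    for name, text in SAMPLES.items():
        chars, nbytes = utf8_cost(text)
        widths[name] = nbytes // chars
    return widths


def safe_decode(data, encoding="utf-8"):
    """Decode bytes to str.  Returns (text, None) on success, or
    (None, message) naming the offending bytes instead of raising."""
    try:
        return data.decode(encoding), None
    except UnicodeDecodeError as exc:
        bad = data[exc.start:exc.end]
        return None, "not valid %s at byte offset %d: %r" % (encoding, exc.start, bad)


def truncate_utf8(text, max_bytes):
    """Shorten text so its UTF-8 form fits in max_bytes without splitting a
    multi-byte character (a naive byte slice leaves a partial sequence)."""
    clipped = text.encode("utf-8")[:max_bytes]
    # errors="ignore" drops the incomplete trailing sequence, if any.
    return clipped.decode("utf-8", errors="ignore")


if __name__ == "__main__":
    for name, width in character_widths().items():
        print("%-8s %d byte(s) per character" % (name, width))

    # Cutting the Chinese sample after 5 bytes splits its second character.
    broken = SAMPLES["chinese"].encode("utf-8")[:5]
    print(safe_decode(broken))                    # decoding fails at offset 3
    print(truncate_utf8(SAMPLES["chinese"], 5))   # keeps only the first character

    # Latin-1 bytes are not UTF-8: the same bytes fail or succeed depending
    # on which encoding the program assumes.
    print(safe_decode(b"caf\xe9"))
    print(safe_decode(b"caf\xe9", "latin-1"))
```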

YubiKey 5 Series Launched, Google Chrome’s Recent Questionable Privacy Practice, PlayOnLinux Alpha Version 5 Released, Android Turns Ten, and Fedora 29 Atomic and Cloud Test Day

News briefs September 24, 2018.

Yubico announced the launch of the YubiKey 5 series this morning, which are the first multi-protocol security keys to support FIDO2/WebAuthn and allow you to replace "weak password-based authentication with strong hardware-based authentication". You can purchase them here for $45.

Google Chrome recently has begun automatically signing your browser in to your Google account for you every time you log in to a Google property, such as Gmail, without asking and without notification. See Matthew Green's blog post for more information on the huge privacy implications of this new practice.

PlayOnLinux released the alpha version of PlayOnLinux and PlayOnMac 5 ("Phoenicis") over the weekend. The interface has been completely redesigned and is now decentralized, so if the website has issues, the program will still work. In addition, the script is now available on GitHub. This alpha version supports 135 games and apps. See the full list here.

Android celebrated its 10th birthday this weekend. See TechRadar, Engadget and TechCrunch for different takes on Android's history.

Fedora 29 Atomic and Fedora 29 Cloud development is wrapping up, and they now provide the latest versions of packages in Fedora 29, including all new features and bug fixes. Fedora Atomic Working Group and Cloud SIG are organizing a Test Day, Monday, October 1st. See the wiki page if you're interested in participating.

ModSecurity and nginx

nginx is the web server that's replacing Apache in more and more of the world's websites. Until now, nginx has not been able to benefit from the security ModSecurity provides. Here's how to install ModSecurity and get it working with nginx.

Earlier this year the popular open-source web application firewall, ModSecurity, released version 3 of its software. Version 3 is a significant departure from the earlier versions, because it's now modularized. Before version 3, ModSecurity worked only with the Apache web server as a dependent module, so there was no way for other HTTP applications to utilize ModSecurity. Now the core functionality of ModSecurity, the HTTP filtering engine, exists as a standalone library, libModSecurity, and it can be integrated into any other application via a "connector". A connector is a small piece of code that allows any application to access libModSecurity.

A Web Application Firewall (WAF) is a type of firewall for HTTP requests. A standard firewall inspects data packets as they arrive and leave a network interface and compares the properties of the packets against a list of rules. The rules dictate whether the firewall will allow the packet to pass or get blocked.

ModSecurity performs the same task as a standard firewall, but instead of looking at data packets, it inspects HTTP traffic as it arrives at the server. When an HTTP request arrives at the server, it's first routed through ModSecurity before it's routed on to the destination application, such as Apache2 or nginx. ModSecurity compares the inbound HTTP request against a list of rules. These rules define the form of a malicious or harmful request, so if the incoming request matches a rule, ModSecurity blocks the request from reaching the destination application where it may cause harm.

The following example demonstrates how ModSecurity protects a WordPress site. This HTTP request is a non-malicious request for the index.php file, as it appears in Apache2's log files:

GET /index.php HTTP/1.1

This request does not match any rules, so ModSecurity allows it onto the web server.

WordPress keeps much of its secret information, such as the database password, in a file called wp-config.php, which is located in the same directory as the index.php file. A careless system administrator may leave this important file unprotected, which means a web server like Apache or nginx will happily serve it, because web servers serve any file that is not protected by specific configuration. This means that the following malicious request:

GET /wp-config.php HTTP/1.1

will be served by Apache to whoever requests it.
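To make the matching step concrete, here is an added Python model of the filtering described above (illustrative code, not from the article or from ModSecurity itself): it normalizes the request path the way a WAF engine does before matching, then applies a deny rule for wp-config.php to a few constructed request lines, including the two shown above. The rule id and the ModSecurity rule quoted in the comment are assumptions for illustration.

```python
# Added example, not ModSecurity's or the article's code: a small model of the
# request filtering a WAF performs in front of the web server.  Each rule is a
# pattern over the normalized request path; the first matching rule denies the
# request, otherwise it is passed on to nginx or Apache.
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Rules: (id, message, compiled pattern applied to the normalized path).
# The id is hypothetical.  In ModSecurity's own syntax the same check would
# look roughly like (assumption, not taken from the article):
#   SecRule REQUEST_FILENAME "@rx /wp-config\.php(\.|$)" \
#       "id:100001,phase:1,t:urlDecodeUni,t:normalisePath,t:lowercase,deny,status:403,log"
RULES = [
    (100001, "WordPress configuration file (or a backup of it) requested",
     re.compile(r"/wp-config\.php(\.|$)")),
]

# Constructed sample request lines, as they would appear in an access log.
REQUEST_LINES = [
    "GET /index.php HTTP/1.1",
    "GET /wp-config.php HTTP/1.1",
    "GET /blog/%77p-config.php?x=1 HTTP/1.1",
    "GET /blog/../wp-config.php HTTP/1.1",
    "GET /WP-CONFIG.PHP.bak HTTP/1.1",
    "POST /wp-login.php HTTP/1.1",
    "GET HTTP/1.1",
]


def normalize_path(target):
    """Apply the transformations a WAF performs before matching, so that
    encoded or oddly written paths hit the same rules as plain ones: drop
    the query string, percent-decode, collapse '.' and '..' segments, and
    lowercase."""
    path = urlsplit(target).path
    path = unquote(path)
    path = posixpath.normpath(path)  # '/blog/../wp-config.php' -> '/wp-config.php'
    if not path.startswith("/"):
        path = "/" + path
    return path.lower()


def inspect(request_line):
    """Return (decision, rule_id, normalized_path); decision is 'allow' or
    'deny'.  Only origin-form targets ('/path') are accepted; a malformed
    request line is denied outright with rule id 0."""
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[1].startswith("/"):
        return ("deny", 0, None)
    _method, target, _version = parts
    path = normalize_path(target)
    for rule_id, _message, pattern in RULES:
        if pattern.search(path):
            return ("deny", rule_id, path)
    return ("allow", None, path)


def filter_log(lines):
    """Run every request line through the rules and return a list of
    (request_line, decision, rule_id) tuples, like a WAF audit log."""
    return [(line,) + inspect(line)[:2] for line in lines]


if __name__ == "__main__":
    for line, decision, rule_id in filter_log(REQUEST_LINES):
        if decision == "deny":
            print("%-42s -> 403 (rule %s)" % (line, rule_id))
        else:
            print("%-42s -> passed to the web server" % line)
```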

Weekend Reading: Scary Tales from the Server Room

It's always better to learn from someone else's mistakes than from your own. This weekend we feature Kyle Rankin and Bill Childers as they tell stories from their years as systems administrators. It's a win-win: you get to learn from their experiences, and they get to make snide comments to each other. 

It's Always DNS's Fault!

by Kyle Rankin and Bill Childers

I was suffering, badly. We had just finished an all-night switch migration on our production Storage Area Network while I was hacking up a lung fighting walking pneumonia. Even though I did my part of the all-nighter from home, I was exhausted. So when my pager went off at 9am that morning, allowing me a mere four hours of sleep, I was treading dangerously close to zombie territory...

Zoning Out

by Kyle Rankin and Bill Childers

Sometimes events and equipment conspire against you and your team to cause a problem. Occasionally, however, it's lack of understanding or foresight that can turn around and bite you. Unfortunately, this is a tale of where we failed to spot all the possible things that might go wrong.

Panic on the Streets of London

by Kyle Rankin and Bill Childers

I was now at the next phase of troubleshooting: prayer. Somewhere around this time, I had my big breakthrough...

Unboxing Day

by Kyle Rankin and Bill Childers

As much as I love working with Linux and configuring software, one major part of being a sysadmin that always has appealed to me is working with actual hardware. There's something about working with tangible, physical servers that gives my job an extra dimension and grounds it from what might otherwise be a completely abstract job even further disconnected from reality. On top of all that, when you get a large shipment of servers, and you view the servers at your company as your servers, there is a similar anticipation and excitement when you open a server box as when you open Christmas presents at home. This story so happens to start during the Christmas season...

Purism Launches the Librem Key, Mir 1.0 Released, Solus 3 ISO Refresh Now Available, New Malware as a Service Botnet Discovered and Sparky 5.5 Is Out

News briefs September 21, 2018.

Purism yesterday launched Librem Key, the "first and only OpenPGP smart card providing a Heads-firmware-integrated tamper-evident boot process". The Librem Key is the size of an average thumb drive, lets you keep your secret encryption keys in your pocket, and alerts you if anyone tampers with your kernel or BIOS while you're away from your laptop. The key works with all laptops but has extended features with Purism's Librem laptop line. You can order one from here for $59. See also Kyle Rankin's post for more details on the Librem Key.

The Mir team announces the milestone release of the Mir 1.0 display server today. This release is "targeted at IoT device makers and enthusiasts looking to build the next-generation of graphical solutions". Mir's goal is to "unify the graphical environment across all devices, including desktop, TV, and mobile devices and continues to be developed with new features and modern standards". See the Mir website for more information.

Solus 3 ISO Refresh was released yesterday. This refresh of the operating system designed for home computing "enables support for a variety of new hardware released since Solus 3, introduces an updated set of default applications and theming, as well as enables users to immediately take advantage of new Solus infrastructure". You can download Solus Budgie, Solus GNOME or Solus MATE from here.

A new botnet in the "Malware as a Service" arena has been discovered that touts "Android-based payloads to potential cybercriminals". The botnet was developed by a Russian-speaking group called "The Lucy Game", which already has provided demos for potential subscribers. See ZDNet for more details.

New install ISO images of Sparky 5.5 "Nibiru", which is based on Debian testing "Buster", are now available for download. Changes include Linux kernel 4.18.6, Calamares installer updated to v. 3.2.1, GCC 8 is now the default and much more. You can download new ISO images from here.

FOSS Project Spotlight: Nitrux, a Linux Distribution with a Focus on AppImages and Atomic Upgrades

Nitrux Distribution

Nitrux is a Linux distribution with a focus on portable application formats like AppImages. Nitrux uses KDE Plasma 5 and KDE Applications, and it also uses our in-house software suite, Nomad Desktop.

What Can You Use Nitrux For?

Well, just about anything! You can surf the internet, word-process, send email, create spreadsheets, listen to music, watch movies, chat, play games, code, do photo editing, create content—whatever you want!

Nitrux's main feature is the Nomad Desktop, which aims to extend Plasma to suit new users without compromising its power and flexibility for experts. Nomad's features:

  • The System Tray replaces the traditional Plasma version.
  • An expanded notification center allows users to manage notifications in a friendlier manner.
  • Easier access to managing networks: quick access to different network settings without having to search for them.
  • Improved media controls: a less confusing way to adjust the application's volume and integrated media controls.
  • Calendar and weather: displays the traditional Plasma calendar but also adds the ability to see appointments and the ability to configure location settings to display the weather.
  • Custom Plasma 5 artwork: including Look and Feel, Plasma theme, Kvantum theme, icon theme, cursor themes, SDDM themes, Konsole theme and Aurorae window decoration.

Nitrux is a complete operating system that ships the essential apps and services for daily use: office applications, PDF reader, image editor, music and video players and so on. We also include non-KDE or Qt applications like Chromium and LibreOffice that together create a friendly user experience.

Available Out of the Box

Nitrux includes a selection of applications carefully chosen to perform the best when using your computer:

  • Dolphin: file manager.
  • Kate: advanced text editor.
  • Ark: archiving tool.
  • Konsole: terminal emulator.
  • Chromium: web browser.
  • Babe: music player.
  • VLC: multimedia player.
  • LibreOffice: open-source office suite.
  • Showimage: image viewer.

Explore a Universe of Apps in Nitrux

The NX Software Center is a free application that provides Linux users with a modern and easy way to manage the software installed on their open-source operating systems. Its features allow you to search, install and manage AppImages. AppImages are faster to install, easier to create and safer to run. AppImages aim to work on any distribution or device, from IoT devices to servers, desktops and mobile devices.

Figure 1. The Nomad Software Center

Canonical Announces Extended Security Maintenance for Ubuntu 14.04 LTS, Mozilla to Discuss the Future of Advertising at ICDPPC, Newegg Attacked, MetaCase Launches MetaEdit+ 5.5 and MariaDB Acquires Clustrix

News briefs for September 20, 2018.

Canonical yesterday announced the Extended Security Maintenance for Ubuntu 14.04 LTS "Trusty Tahr", which means critical and important security patches will be available beyond the Ubuntu 14.04 end-of-life date (April 2019).

Mozilla will hold a high-level panel discussion on "the future of advertising in an open and sustainable internet ecosystem" at the 40th annual International Conference of Data Protection and Privacy Commissioners in Brussels, Belgium, October 22–26, 2018. The discussion is titled "Online advertising is broken: Can ethics fix it?", and it's scheduled for October 23, 2018.

Attackers stole credit-card information from Newegg by injecting 15 lines of skimming code into the online payments page, which remained undetected from August 14 to September 18, 2018, TechCrunch reports. Yonathan Klijnsma, threat researcher at RiskIQ, told TechCrunch that "These attacks are not confined to certain geolocations or specific industries—any organization that processes payments online is a target." If you entered your credit-card data during that period, contact your bank immediately.

MetaCase this morning announced the launch of MetaEdit+ 5.5 for Linux, which brings collaborative models to Git and other version control systems. It's "aimed at expert developers looking to gain productivity and quality by generating tight code directly from domain-specific models". You can download a free trial from here.

MariaDB has acquired Clustrix, the "pioneer in distributed database technology". According to the press release, this acquisition gives "MariaDB's open source database the scalability and high-availability that rivals or exceeds Oracle and Amazon while foregoing the need for expensive computing platforms or high licensing fees."

Investigating Some Unexpected Bash coproc Behavior

Recently while refreshing my memory on the use of Bash's coproc feature, I came across a reference to a pitfall that described what I thought was some quite unexpected behavior. This post describes my quick investigation of the pitfall and suggests a workaround (although I don't really recommend using it).

Ampere eMAG for Hyperscale Cloud Computing Now Available, LLVM 7.0.0 Released, ApsaraDB RDS for MariaDB TX Announced, New Xbash Malware Discovered and Kong 1.0 Launched

News briefs for September 19, 2018.

Ampere, in partnership with Lenovo, announced availability of the Ampere eMAG for hyperscale cloud computing. The first-generation Armv8-A 64-bit processors provide "high-performance compute, high memory capacity, and rich I/O to address cloud workloads including big data, web tier and in-memory databases". Pricing is 32 cores at up to 3.3GHz Turbo for $850 or 16 cores at up to 3.3GHz Turbo for $550.

LLVM 7.0.0 is out. This release is the result of six months of work by the community and includes "function multiversioning in Clang with the 'target' attribute for ELF-based x86/x86_64 targets, improved PCH support in clang-cl, preliminary DWARF v5 support, basic support for OpenMP 4.5 offloading to NVPTX, OpenCL C++ support, MSan, X-Ray and libFuzzer support for FreeBSD, early UBSan, X-Ray and libFuzzer support for OpenBSD, UBSan checks for implicit conversions, many long-tail compatibility issues fixed in lld which is now production ready for ELF, COFF and MinGW, new tools llvm-exegesis, llvm-mca and diagtool." See the release notes for details, and go here to download.

Alibaba Cloud and MariaDB announce ApsaraDB RDS for MariaDB TX, which is "the first public cloud to incorporate the enterprise version of MariaDB and provide customer support directly from the two companies. ApsaraDB RDS for MariaDB TX provides Alibaba Cloud customers the latest database innovations and most secure enterprise solution for mission-critical transactional workloads." See the press release for more information.

Unit 42 researchers have discovered a new malware family called Xbash, which they have connected to the Iron Group, that targets Linux and Microsoft Windows servers. Besides ransomware and coin-mining capabilities, "Xbash also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya). It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations' network (again, much like WannaCry or Petya/NotPetya)." See the Palo Alto Networks post for more details on the attack and how to protect your servers.

Kong Inc. yesterday announced the launch of Kong 1.0, the "only open-source API purpose built for microservices, cloud native and serverless architectures". According to the press release, Kong 1.0 is feature-complete: "it combines sub-millisecond low latency, linear scalability and unparalleled flexibility with a robust feature set, support for service mesh patterns, Kubernetes Ingress controller and backward compatibility between versions." See also the Kong GitHub page.

Moving Compiler Dependency Checks to Kconfig

The Linux kernel config system, Kconfig, uses a macro language very similar to the make build tool's macro language. There are a few differences, however. And of course, make is designed as a general-purpose build tool, while Kconfig is Linux-kernel-specific. But why would the kernel developers create a whole new macro language so closely resembling that of an existing general-purpose tool?

One reason became clear recently when Linus Torvalds asked developers to add an entirely new system of dependency checks to the Kconfig language, specifically testing the capabilities of the GCC compiler.

It's actually an important issue. The Linux kernel wants to support as many versions of GCC as possible—so long as doing so would not require too much insanity in the kernel code itself—but different versions of GCC support different features. The GCC developers always are tweaking and adjusting, and GCC releases also sometimes have bugs that need to be worked around. Some Linux kernel features can only be built using one version of the compiler or another. And, some features build better or faster if they can take advantage of various GCC features that exist only in certain versions.

Up until this year, the kernel build system has had to check all those compiler features by hand, using many hacky methods. The art of probing a tool to find out if it supports a given feature dates back decades and is filled with insanity. Imagine giving a command that you know will fail, but giving it anyway because the specific manner of failure will tell you what you need to know for a future command to work. Now imagine hundreds of hacks like that in the Linux kernel build system.

Part of the problem with having those hacky checks in the build system is that you find out about them only during the build—not during configuration. But since some kernel features require certain GCC versions, the proper place to learn about the GCC version is at config time. If the user's compiler doesn't support a given feature, there's no reason to show that feature in the config system. It should just silently not exist.

Linus requested that developers migrate those checks into the Kconfig system and regularize them into the macro language itself. This way, kernel features with particular GCC dependencies could identify those dependencies and then show up or not show up at config time, according to whether those dependencies had been met.

That's the reason simply using make wouldn't work. The config language had to represent the results of all those ugly hacks in a friendly way that developers could make use of.
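The following is an added illustration of what such a config-time compiler check looks like in the Kconfig macro language; it is not code from the article or from the kernel tree. The `$(success,...)` and `cc-option` macros are the real Kconfig mechanism (the kernel defines `cc-option` in scripts/Kconfig.include, with details that vary between versions), while the `EXAMPLE_*` symbol names are illustrative.

```kconfig
# Added example, not from the article or the kernel sources.
#
# $(success,cmd) runs cmd in a shell and expands to "y" if it exits 0,
# otherwise "n". cc-option probes one compiler flag by compiling an empty
# translation unit with -Werror, so an unknown flag fails the probe instead
# of merely printing a warning. $(CC) is handed in from the make invocation.
cc-option = $(success,$(CC) -Werror $(1) -c -x c /dev/null -o /dev/null)

# Record the compiler capability as a symbol evaluated at config time
# (illustrative name; the kernel uses CC_HAS_* symbols for this purpose).
config EXAMPLE_CC_HAS_STACKPROTECTOR_STRONG
	def_bool $(cc-option,-fstack-protector-strong)

# The user-visible feature depends on the probe result. If the installed
# compiler lacks the flag, this option never appears in menuconfig, instead
# of the build failing later with an "unrecognized command line option" error.
config EXAMPLE_STACKPROTECTOR_STRONG
	bool "Strong stack protector (illustrative option)"
	depends on EXAMPLE_CC_HAS_STACKPROTECTOR_STRONG
	default y
	help
	  Pass -fstack-protector-strong to the compiler so that functions with
	  local arrays or address-taken locals get a stack canary, catching
	  many stack buffer overflows at run time. Shown only when the
	  configured compiler supports the flag.
```

Running `make menuconfig` with a compiler that fails the probe simply omits the option, which is exactly the "silently not exist" behaviour the article describes.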