
How to limit container privilege with socket activation

Using socket activation with the --network=none option limits an intruder’s ability to use a compromised container as a starting point for attacks on other devices.

Read More at Enable Sysadmin

How to manage pods in Podman with the REST API

Learn how to configure, inspect, and start pods in Podman with the REST API.

Read More at Enable Sysadmin

People of Open Source: Neville Spiteri, Wevr

This post originally appeared on the Academy Software Foundation’s (ASWF) blog. The ASWF works to increase the quality and quantity of contributions to the content creation industry’s open source software base. 

Tell us a bit about yourself – how did you get your start in visual effects and/or animation? What was your major in college?

I started experimenting with the BASIC programming language when I was 12 years old on a ZX81 Sinclair home computer, playing a game called “Lunar Lander” which ran on 1K of RAM, and took about 5 minutes to load from cassette tape.

I have a Bachelor’s degree in Cognitive Science and Computer Science.

My first job out of college was a Graphics Engineer at Wavefront Technologies, working on the precursor to Maya 1.0 3D animation system, still used today. Then I took a Digital Artist role at Digital Domain.

What is your current role?

Co-Founder / CEO at Wevr. I’m currently focused on Wevr Virtual Studio – a cloud platform we’re developing for interactive creators and teams to more easily build their projects on game engines.

What was the first film or show you ever worked on? What was your role?

First film credit: True Lies, Digital Artist.

What has been your favorite film or show to work on and why?

TheBlu 1.0 digital ocean platform. Why? We recently celebrated TheBlu’s 10-year anniversary. The TheBlu franchise is still alive today. At the core of TheBlu was/is a creator platform enabling 3D interactive artists/developers around the world to co-create the 3D species and habitats in TheBlu. The app itself was a mostly decentralized peer-to-peer simulation that ran on distributed computers with fish swimming across the Internet. The core tenets of TheBlu 1.0 are still core to me and Wevr today, as we participate more and more in the evolving Metaverse.

How did you first learn about open source software?

Linux and Python were my best friends in 2000.

What do you like about open source software? What do you dislike?

Likes: Transparent, voluntary collaboration.

Dislikes: Nothing.

What is your vision for the Open Source community and the Academy Software Foundation?

Drive international awareness of the Foundation and OSS projects.

Where do you hope to see the Foundation in 5 years?

A global leader in best practices for real-time engine-based production through international training and education.

What do you like to do in your free time?

Read books, listen to podcasts, watch documentaries, meditation, swimming, and efoiling!

Follow Neville on Twitter and connect on LinkedIn.  

The post People of Open Source: Neville Spiteri, Wevr appeared first on Linux Foundation.

Happy Sysadmin Appreciation Day: 2022’s top articles for sysadmins

Thank you to all of the system administrators who keep our systems up and running, patched, and deployed every day of the year. Check out our most popular articles for sysadmins.

Read More at Enable Sysadmin

What is the OpenGEH (Green Energy Hub) Project

The OpenGEH Project is one of the many projects at LF Energy, and we want to share it here on the LF blog. This post originally appeared on the LF Energy site.

OpenGEH (GEH stands for Green Energy Hub) enables fast, flexible settlement and hourly measurements of production and consumption of electricity. OpenGEH seeks to help utilities to onboard increased levels of renewables by reducing the administrative barriers of market-based coordination. By utilizing a modern DataHub, built on a modular and microservices architecture, OpenGEH is able to store billions of data points covering the entire workflow triggered by the production and consumption of electricity.

The ambition of OpenGEH is to use digitalization as a way to accelerate a market-driven transition towards a sustainable and efficient energy system. The platform provides a modern foundation for both new market participants and facilitates new business models through digital partnerships. The goal is to create access to relevant data and insights from the energy market and thereby accelerate the Energy Transition.

Energinet (the Danish TSO), which initially built the platform in partnership with Microsoft, was seeking a critical leverage point to accelerate the Danish national commitment to 100% renewable energy in its electricity system by 2030. For most utilities, bringing renewables onboard creates a technical challenge that also carries choreography and administrative hurdles. Data becomes the mechanism that enables market coordination, leading to increased decarbonization. The software was contributed to the LF Energy Foundation by Energinet.

Energinet sees open source and shared development as an opportunity to reduce the cost of software while simultaneously increasing the quality and pace of development. It is an approach that they see gaining prominence in TSO cooperation. Energinet is not an IT company: it does not sell systems or services, and it does not operate other TSOs. Open source, coupled with an intellectual property license that encourages collaboration, will ensure that OpenGEH continues to improve by encouraging a community of developers to add new features and functionality.

The Architectural Principles behind OpenGEH

By implementing Domain Driven Design, OpenGEH divides the overall problem into smaller independent domains. This gives developers the option of using only the domains necessary for the functionality they need. Each domain triggers events when its data changes, and the other domains listen for these events so that they always hold the most up-to-date version of the data.

The architecture supports open collaboration on smaller parts of OpenGEH. Contributors can add new domains to extend OpenGEH’s functionality when needed to accelerate the green transition.

The Green Energy Hub Domains

The Green Energy Hub system consists of two different types of domains:

A domain that is responsible for handling a subset of business processes.
A domain that is responsible for handling an internal part of the system (like log accumulation, secret sharing, or similar).

Below is a list of these domains, and the business flows they are responsible for.

Business Process Domains

Metering Point

Create metering point
Submission of master data – grid company
Close down metering point
Connection of metering point with status new
Change of settlement method
Disconnection and reconnecting of metering point
Meter management
Update production obligation
Request for service from grid company

Aggregations

Submission of calculated energy time series
Request for historical data
Request for calculated energy time series
Aggregation of wholesale services
Request for aggregated tariffs
Request for settlement basis

Time Series

Submission of metered data for metering point
Send missing data log
Request for metered data for a metering point

Charges

Request for aggregated subscriptions or fees
Update subscription price list
Update fee price list
Update tariff price list
Request price list
Settlement master data for a metering point – subscription, fee and tariff links
Request for settlement master data for metering point

Market Roles

Change of supplier
End of supply
Managing an incorrect change of supplier
Move-in
Move-out
Incorrect move
Submission of customer master data by balance supplier
Initiate cancel change of supplier by customer
Change of supplier at short notice
Mandatory change of supplier for metering point
Submission of contact address from grid company
Change of BRP for energy supplier

Data Requests

Master data request

System Domains

Shared Resources

Secrets handling
DataBricks workspace

Validation Reports

Log accumulation for all domains

Post Office

Messaging service for outbound messages

API Gateway

Authentication and routing

5 things sysadmins should know about software development

Advances in edge computing, machine learning, and intelligent applications make sysadmins more important than ever in the software development process.

Read More at Enable Sysadmin

CRob on Software Security Education and SIRTs

In the Open Source Software Security Mobilization Plan released this past May, the very first stream – of the 10 recommended – is to “Deliver baseline secure software development education and certification to all.”

As the plan states, it is rare to find a software developer who receives formal training in writing software securely. The plan advocates that a modest amount of training – from 10 to ideally 40-50 hours – could make a significant difference in developer contributions to more secure software from the beginning of the software development life cycle. The Linux Foundation now offers a free course, Developing Secure Software, which is 15 hours of training across 3 modules (security principles, implementation considerations & software verification).

The plan proposes, “bringing together a small team to iterate and improve such training materials so they can be considered industry standard, and then driving demand for those courses and certifications through partnerships with educational institutions of all kinds, coding academies and accelerators, and major employers to both train their own employees and require certification for job applicants.”

Stream 5 of the plan is to “Establish the OpenSSF Open Source Security Incident Response Team, security experts who can step in to assist open source projects during critical times when responding to a vulnerability.” This is a small team of professional software developers, vetted for security and trained on the specifics of the languages and frameworks used by that OSS project. 30-40 experts would be available to go out in teams of 2-3 for any given crisis.

Christopher “CRob” Robinson is instrumental to the concepts behind, and the implementation of, both of these recommendations. He is the Director of Security Communications at Intel Product Assurance and also serves on the OpenSSF Technical Advisory Committee. At Open Source Summit North America, he sat down with TechStrong TV host Alan Shimel to talk about the origin of his nickname and, more importantly, software security education and the Open Source Product Security Incident Response Team (PSIRT) – streams 1 and 5 in the Plan. Here are some key takeaways:

I’ve been with the OpenSSF for over two years, almost from the beginning. And currently I am the working group lead for the Developer Best Practices Working Group and the Vulnerability Disclosures Working Group. I sit on the Technical Advisory Committee. We help kind of shape, steer the strategy for the Foundation. I’m on the Public Policy and Government Affairs Committee. And I’m just now the owner of two brand new SIGs, special interest groups, underneath the working group. So I’m in charge of the Education SIG and the Open Source Cert SIG. We’re going to create a PSIRT for open source.
The idea is to try to find a collection of experts from around the industry that understand how to do incident response and also understand how to get things fixed within open source communities. . . I think, ultimately, it’s going to be kind of a mentorship program for upstream communities to teach them how to do incident response. We know and help them work with security researchers and reporters and also help make sure that they’ve got tools and processes in place so they can be successful.
A lot of the conference this week is talking about how we need to get more training and certification and education into the hands of developers. We’ve created another kind of Tiger team, and we’re gonna be focusing on this. And my friend, Dr. David Wheeler, he had a big announcement where we have an existing body of material, the secure coding fundamentals class, and he was able to transform that into SCORM. So now anybody who has a SCORM learning management system has the ability to leverage this free developer secure software training on their internal learning management systems.
We have a lot of different learners. We have brand new students, we have people in the middle of their careers, people are making career changes. We have to kind of serve all these different constituents.

Of course, he had a lot more to say. You can watch the full interview, including how CRob got his nickname, and read the transcript below.

Linux tool alternatives: 6 replacements for traditional favorites

Consider swapping Linux tools for these alternatives that provide more features and functionality.

Read More at Enable Sysadmin

Error injection using dm-dust

Clear and robust I/O related errors is v

Click to Read More at Oracle Linux Kernel Development

OSS Security Highlights from the 2022 Open Source Summit North America

By Ashwin Ramaswami

Last month, we concluded the Linux Foundation’s 2022 Open Source Summit North America (OSS NA), where developers, technologists, and community leaders from industry, academia, and government converged in Austin, Texas, from June 21-24 to talk about all things open source. Participants and speakers highlighted open source innovation and efforts to ensure a sustainable open source ecosystem.

What did the summit tell us about the state of OSS security? Several parts of the conference addressed different aspects of this issue – OpenSSF Day, Critical Software Summit, SupplyChainSecurityCon, and the Global Security Vulnerability Summit. Overall, the summit demonstrated an increased emphasis on open source security as a community effort with various stakeholders. More ambitious and innovative approaches to handling the open source security problem – including collaboration, tools, and training – were also introduced. Finally, the summit highlighted the importance for open source users to give back to the community and contribute upstream to the projects they depend on.

Let’s explore these ideas in more detail!


Open source security as a community effort

Open source security is not just an isolated effort by users or maintainers of open source software. As OSS NA showed, the stakes of open source security have turned it into a community effort, where a wide variety of diverse stakeholders have an interest and are beginning to get involved.

As Todd Moore (IBM) mentioned in his keynote, incidents such as log4shell have made open source security a bigger priority for governments – and it is important for existing open source stakeholders, both users and maintainers, to work as a community to take a cohesive message back to the government to articulate our community’s needs and how we are responding to this challenge.

Speakers at a panel discussion with the Atlantic Council’s Cyber Statecraft Initiative and the Open Source Security Foundation (OpenSSF) discussed the summit held by OpenSSF in Washington, DC on May 12 and 13, where representatives from industry and government met to develop the Open Source Software Security Mobilization Plan, a $150 million plan for better securing the open source ecosystem.

A panel discussion explored how major businesses are working together to improve the security of the open source supply chain, particularly through the governance structure of the OpenSSF.

New approaches to address open source security

OSS NA featured several initiatives to address fundamental open source security issues, many of which were particularly ambitious and innovative.

The OpenSSF’s Alpha-Omega Project was announced to address software vulnerabilities for OSS projects that are most critical (alpha) and at the long tail (omega).

Eric Brewer (Google) gave a keynote discussing the fundamental problem of ensuring accountability in the open source software supply chain. One way of solving this is through curation: creating a repository of vetted and secure packages.

Standards continue to be important, as always: Art Manion (CERT/CC) discussed the history and future of the CVE Program, while Jennings Aske (New York-Presbyterian Hospital) and Melba Lopez (IBM) discussed the importance of a Software Bill of Materials (SBOM).

The importance of security tooling was emphasized, with discussions on tools such as sigstore, automation of security checks through Infrastructure as Code tools, and CI/CD pipelines.

David Wheeler (Linux Foundation) discussed how education in secure software development is critical to ensuring open source software security. Courses like the OpenSSF’s Secure Software Development Fundamentals Courses are available to help developers learn this topic.

Giving back to the community

Participants at the summit recognized that open source security is ultimately a matter of community, governance, and sustainability. Projects that don’t have the right resources or governance structure may not be able to ensure their projects are secure or accept the right funding to do so.

Steve Hendrick (Linux Foundation) and Matt Jarvis (Snyk) discussed the release of the 2022 State of Open Source Security report from Snyk and the Linux Foundation. The report noted that open source software is often a one-way street where users see significant benefits with minimal cost or investment. It is recommended that organizations need to close the loop and give back to OSS projects they use for larger open source projects to meet user expectations.

Aeva Black (Microsoft) discussed approaches to community risk management through drafting and enforcing a code of conduct, and how ignoring community health can lead to sometimes catastrophic technical outcomes for OSS Projects.

Sean Goggins (CHAOSS) discussed the relationship between community health and vulnerability mitigation in open source projects by using metrics models from the CHAOSS projects.

Margaret Tucker and Justin Colannino (GitHub) discussed the role that package registries have in open source security, beginning to formulate some principles that would balance these registries’ responsibility for safety and reliability with the freedom and creativity of package maintainers.

Naveen Srinivasan (Endor Labs) and Laurent Simon (Google) explored the OpenSSF Scorecard to more easily analyze the security of open source projects and proactively improve their security.

Amir Montazery (OSTIF) discussed the Open Source Technology Improvement Fund’s efforts to help OSS maintainers to work with security experts to improve their projects’ security posture.

Conclusion

In sum, the talks and conversations at OSS Summit NA help paint a picture of how key stakeholders in the open source software ecosystem – OSS communities, industry, academia, and government – are thinking about conceptualizing big-picture issues and directing efforts around OSS security.

But these initiatives and talks still have a lot of room for input! Whether individually or through your institution, consider adding your voice to this discussion as we continue to support the open source software community. Join an OpenSSF working group, another initiative, or contribute upstream to open source projects that you depend on.

The post OSS Security Highlights from the 2022 Open Source Summit North America appeared first on Linux Foundation.