Building a healthy relationship between security and sysadmins

Learn how to bridge the gap between operations/development and security.
Read More at Enable Sysadmin

How to report security vulnerabilities to the Linux Foundation

We at The Linux Foundation (LF) work to develop secure software in our foundations and projects, and we also work to secure the infrastructure we use. But we’re all human, and mistakes can happen.

So if you discover a security vulnerability in something we do, please tell us!

If you find a security vulnerability in the software developed by one of our foundations or projects, please report the vulnerability directly to that foundation or project. For example, Linux kernel security vulnerabilities should be reported to <security@kernel.org> as described in security bugs. If the foundation/project doesn’t state how to report vulnerabilities, please ask them to do so. In many cases, one way to report vulnerabilities is to send an email to <security@DOMAIN>.

If you find a security vulnerability in the Linux Foundation’s infrastructure as a whole, please report it to <security@linuxfoundation.org>, as noted on our contact page.

For example, security researcher Hanno Böck recently alerted us that some of the retired linuxfoundation.org service subdomains were left delegated to some cloud services, making them potentially vulnerable to a subdomain takeover. Once we were alerted to that, the LF IT Ops Team quickly worked to eliminate the problem and will also be working on a way to monitor and alert about such problems in the future. We thank Hanno for alerting us!

We’re also working to make open source software (OSS) more secure in general. The Open Source Security Foundation (OpenSSF) is a broad initiative to secure the OSS that we all depend on. Please check out the OpenSSF if you’re interested in learning more.

David A. Wheeler

Director, Open Source Supply Chain Security, The Linux Foundation

The post How to report security vulnerabilities to the Linux Foundation appeared first on The Linux Foundation.

How to create a Linux RPM package

You’ve written a great script that you want to distribute, so why not package it as an RPM?
Read More at Enable Sysadmin

How to handle a Linux kernel panic

Here is a collection of resources to help you deal with kernel panic events.
Peter Gervase
Wed, 11/11/2020 at 4:26am

A kernel panic often lives up to its name, causing panic for the admin. But the good news is that all is not lost; there are steps you can take.

So, first off, what is a kernel panic? As defined in the Computer Security Resource Center (CSRC) Glossary, a kernel panic is “a system error that cannot be recovered from, and requires the system to be restarted.” As we all know, a forced restart is never good.

Topics:  
Linux  
Linux Administration  
Read More at Enable Sysadmin

Looking forward to Linux network configuration in the initial ramdisk (initrd)

One of the tasks that the initrd might be responsible for is network configuration.
Read More at Enable Sysadmin

Linux patch management: How to back out a failed patch

A good patch management plan always includes a good patch backout plan.
Sreejith Anujan
Tue, 11/10/2020 at 5:57pm

Keeping servers up to date is one of a system administrator’s primary responsibilities. However, updates do not always work the way you expect, so it’s equally important that you know how to a) revert a patch to get the server back to the previous state and b) apply patches in subsets to get more flexibility.

Topics:  
Linux  
Linux Administration  
Backups  
Patch management  
Read More at Enable Sysadmin

CNCF Releases Free Training Course Covering Basics of Service Mesh with Linkerd

Introduction to Service Mesh with Linkerd is the newest training course from CNCF and The Linux Foundation. This course, offered on the non-profit edX learning platform, can be audited by anyone at no cost. The course is designed for site reliability engineers, DevOps professionals, cluster administrators, and developers who want to learn more about service mesh and Linkerd, the open source service mesh hosted by CNCF and focused on simplicity, speed, and low resource usage.

Read more: Linux Foundation Training

Renewing my thrill at work with Ansible

Ansible empowered me to utilize my own technical strengths and passion to improve processes and enjoy my time.
Joseph Tejal
Mon, 11/9/2020 at 9:08pm

Sitting at my work-from-home desk, sipping black coffee, and watching the cool demos at AnsibleFest 2020 on demand—it all flashed back to me: The challenges of a few years ago when I was a Linux systems admin at another company. Back then, you strove to reduce the number of incidents, stabilize customer systems, put standard maintenance procedures in place, script the mundane tasks, document everything well, and finally, ensure others could do your job, etc.

Topics:  
Linux  
Automation  
Ansible  
Read More at Enable Sysadmin

DevOps Replaces Developers As Most Sought After Skill Set

The 2020 Open Source Jobs Report just came out, so we took the opportunity to speak with Clyde Seepersad, Senior Vice President and General Manager of Training and Certification at the Linux Foundation, about the significance of the report and the insights it provides on the current open source landscape. He touched on the effects of COVID-19 on hiring trends, the open source skills that are in high demand, and how the Foundation is helping organizations meet this demand through high-quality intensive training. Bottom line, he says: “We still don’t have enough open source talent. The urgency of finding new ways to bring talent into the market continues to be something that should be front and center for all of us.”

Swapnil Bhartiya: What is the importance of this report? Not only for the open source ecosystem, but companies outside of the open source ecosystem, because today almost everybody’s leveraging open source in one capacity or another.

Clyde Seepersad: One of the things that we didn’t realize several years ago is that there is a lot of data around general employment reports and a few around IT and technology in general, but there was really this gap when it comes to what’s happening on open source talent, and we kept hearing anecdotally that people can’t hire or can’t find enough talent.

And so what we wanted to do was put a really clear spotlight on what’s going on specifically when it comes to the talent pool around open source, to be able to share with the market a sort of non-anecdotal state of the world, but also to be able to inform our own strategy and our own mission, which is to try to ensure not just that there is fantastic code coming out of open source projects, but also that there is enough talent to implement and use it as tool.

Swapnil Bhartiya: What are some of the key highlights of this report?

Clyde Seepersad: A couple of things. One is the rise of DevOps skills. I think everybody knows cloud is hot. It’s been that way for a while, but the companion piece to that around DevOps and the importance of understanding CI/CD pipelines and also the cultural difference of working in that sort of continuous delivery. The rise of that, I think, is something that maybe most people are not quite as aware of.

The second thing I would highlight is that there were a lot of questions about what’s happening to tech hiring in response to the COVID pandemic. We have some answers for that, that says that although hiring slowed down, it did not slow down nearly as much as people might have worried at the outset. In fact, it’s now accelerating.

The top-level thing, which is continuing to be the case, is we still don’t have enough open-source talent. The urgency of finding new ways to bring talent into the market continues to be something that should be front and center for all of us.

Swapnil Bhartiya: So if we look at this report, what are the skills that are kind of not only most in demand, but also hardest to find? That is like a chicken-and-egg solution, right?

Clyde Seepersad: Yeah. Obviously, it’s the cloud skills, right? A lot of the smaller companies, more conservative companies, they kind of make us push them to be much more active on the cloud. What that’s done is raise the stakes in terms of people who are familiar with cloud-native development, cloud-native architecture, Kubernetes orchestration, and then what does CI/CD pipelines look like in a cloud world because obviously, there’s some changes there when you’re running that sort of infrastructure. So those interwoven skillsets, right?

Of course, sitting underneath all of that is what operating system does the cloud run on? I think we all know now that the vast, fast 98% of instances are running on Linux. So you have this tiered approach where understanding from basic Linux competence is a baseline and then you’re building on top of that, looking for cloud-native development, cloud-native orchestration, and then what the CI/CD pipelines look like to bring that to life.

Swapnil Bhartiya: So when we look at this shortage of talent and, at the same time, the demand for talent, in addition to just coming out with this report, do you have any kind of advice or suggestion to the hiring managers? What can they do to attract top developers or talent to their organizations because there is heavy demand and everybody wants them?

Clyde Seepersad: Right. Well, some of the things actually have happened in response to the pandemic, right? One of the trends we saw last year was people wanting the flexibility to be able to work from home. Of course, now we all work from home so that helps. But what came out in the report that was really interesting is that more and more talent managers are realizing that you don’t just have to go externally for talent, that you can, in fact, upskill people who are currently in your organization.

The data suggests that a lot more people are waking up and realizing that trolling LinkedIn for your next hire is a zero-sum game because other people are doing the same. They’re starting to invest more in training, especially online training. They’re starting to invest more in certifications for their employees. And just in general, they’re starting to be much more proactive in looking at investing into their talent pool and finding ways to provide new opportunities for development. Of course, that also comes with new job opportunities for the existing employee base.

Swapnil Bhartiya: I just want to talk a little bit more about COVID-19. A couple of things are happening with COVID-19: a lot of companies that are scaling down. They’re cutting budgets and everything. At the same time, since people are able to work remotely, you don’t have to relocate yourself or you don’t have to find talent in the same area. You have access to almost everybody wherever they are. So how has COVID-19 affected the hiring process itself in terms of while they do have to scale down to some extent, the beauty is, I should not say that, the world that we are living in is all powered by cloud and technology. All the purchases that I was making even in my Indian grocery, they now have a website. I can just go and place an order. It was not the case earlier. So, cloud actually enabled companies to stay in business. That also means that you do need developers and all those talents to keep those businesses running. At the same time, you have the advantage of not having to relocate. So talk a bit about it.

Clyde Seepersad: Yeah, that’s true. I don’t think that’s tied together, right? So as people have been forced to use the cloud more, I had the same experience you did. My local Chinese restaurant suddenly developed a website and they have an ordering business that they did not previously have. Every business is now an e-commerce business is true, right? So there’s this broader footprint.

On the flip side of it, you also have people who are now having to work from home, where they maybe didn’t use to, either for practical or maybe cultural reasons within the company. That also then intersects with the sort of cultural change and the cultural norms of CI/CD and DevOps, right? This idea that you have to be in person together versus this idea that you have a well-documented pipeline and everybody can contribute to that pipeline and do their commits and do their code, that whole tooling ecosystem of cloud native and DevOps has actually made it easier—and I would argue, possible—to do what’s happened and what we’ve seen over the past several months, which is people being productive, working from home, working with people they haven’t worked with before, onboarding new team members, and being able to get them provisioned with the right access and upskilled on the right systems. It’s all really come together. In my view, we have been lucky that we’ve got the technology infrastructure that we have today because I don’t know that we would have been able to stay as productive and focused in a sudden shift to remote work if we were trying to do this even five years ago.

Swapnil Bhartiya: I’m a good example of that because I have been working from home ever since I moved out of India. What I realized was that I work when I feel that I’m most productive instead of hey, I have to clock in at 9:00 AM and I have to clock out at 5:00 PM. I have to sit there and do something. It doesn’t matter how I feel. And then sometimes, there are personal issues. Somebody is sick in the family and your mind is there, but you have to come to the office. I think remote working offers the best balance between work and life. Of course, it is actually more challenging because you may end up working all the time, but still, it offers a better balance. Earlier you were talking about how you don’t have to go out to hire people; you can also internally train people. So when we look at organizations and they look at all these new cloud-native technologies and they want to retain or prepare their own workforce, what resources are available there, especially from the Linux Foundation so that they can better equip their own workforce when there is already a shortage of a lot of talent?

Clyde Seepersad: Yeah, it’s a good question, Swapnil. From a practical perspective, the portfolio that we have provided, which is very heavily focused on self-paced e-learning that you take online, but at the same time, very skills-based, very lab-intensive online training, because ultimately, what do you care about as a colleague or as a hiring manager? It’s not whether they check the box and they have a certificate saying they completed a course. What you care about is the skills, right? Did they actually develop those skills? So, we’ve got a pretty big portfolio of very hands-on, self-paced e-learning programs to help people develop the skills. And then we’ve continued to build our portfolio of performance-based certification exams. So this is not your grandad’s pick an answer out of a lineup, right? These are live systems with variable questions, and you have to demonstrate your skills under the pressure of time, under the pressure of being proctored by an independent person. I think it’s that one-two punch of really focusing on skills.

I joke with people all the time. We get feedback sometimes that our courses don’t have enough video. And I say, “Well, true, because we’re not trying to entertain you. We’re trying to develop skills, and the way you develop skills is not by staring at a screen and listening to a video. The way you develop skills is by doing a lab.” So we’ve got a very lab-centric mindset in terms of the training side of it, and that carries on into the certification side of it, where it’s all about performance. Show that you can do the work, take the time to develop the skills, because that’s what your colleagues are going to be looking for. That’s what your employers are going to be looking for. That’s what’s going to benefit you personally, as an individual — to be able to have that broader skill set and to be able to do that in a remote way and not have to rely on a senior trainer coming on site and working with you. I think that’s going to be the new normal.

Swapnil Bhartiya: The advantage of this crisis is that people are realizing that they don’t have to move. Actually, they can move to the ideal pace they wanted to live. It could be a big ranch, it could be a beach, and they can work for companies who are operating in Silicon Valley, which also means you can also cross national boundaries. The whole idea of hope is open source is the best and the brightest people from around the globe. So how do you enable these people? People come from different cultural backgrounds, different education backgrounds, and different languages. Do you also help them irrespective of where they’re coming from, whether it’s internationalizing or supporting different languages so people can get training?

Clyde Seepersad: Yeah. Our LS training, we do that. Obviously, the online format helps because it’s truly available 24/7 globally, nights and weekends. So that really has expanded the footprint of what we’re able to do and who we are able to reach. We’ve also done some translations, particularly for the certification exams to make those available in languages that we know folks may not otherwise be comfortable with, for Japan and China, for instance.

What we’re trying to do is mirror what we’re seeing in the workforce. The shift towards more remote work has actually opened up the pipeline. When you think about hiring and talent management, if you think about somebody who is in the US or in Western Europe, your pool is not as limited. You really can reach out to this global pool of talent in non-traditional markets. We’ve seen sectors get hot. Obviously, India has a lot of workshops today. There’s a ton of stuff happening in Eastern Europe now, but it really is global, right? We’ve got folks on our team in South America being super productive in this new remote way of working. I think that’s becoming more and more typical. Because of the rise of cloud native, because of the rise of Cloud Native, because of the rise of this sort of collaborative DevOps mindset, we are able to collaborate across regions, across countries, across time zones, much more effectively than they ever have before.

Swapnil Bhartiya: Awesome. Clyde, thank you so much for talking to me today about not only this report, but also how to help hiring managers not only get more talent, but also not retrain their own employees. I look forward to talking to you again. Thank you.

Clyde Seepersad: Hey, it’s always a pleasure to be with you, Swap. Thank you.