The Linux community is dealing with another security flaw, with the latest bug impacting the runC container runtime that underpins Docker, cri-o, containerd, and Kubernetes.
The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host runC binary and gain root-level code execution on the host. This effectively lets the infected container take control of the host that runs it and lets an attacker execute any command there.
“It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand,” explained Aleksa Sarai, a senior software engineer at SUSE and a maintainer for runC, in an email posted on Openwall. Sarai added that the flaw is blocked by the proper implementation of user namespaces “where the host root is not mapped into the container’s user namespace.”
A patch for the flaw has been developed and is being sent out to the runC community. A number of vendor and cloud providers have already taken steps to implement the patch.
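The mitigation Sarai mentions can be checked from the host: a container whose user namespace does not include host uid 0 is not exposed to this overwrite. The following is an added example, not code from the article or from the runC project, that parses the contents of a process's /proc/<pid>/uid_map and reports whether host root is mapped in; the sample maps are constructed.

```python
# Added example: assess a container's uid_map for a mapping of host uid 0.
# Each uid_map line is "<inside_start> <outside_start> <length>".
from pathlib import Path

def parse_uid_map(text):
    """Parse uid_map lines into (inside_start, outside_start, length) tuples."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        inside, outside, length = (int(f) for f in fields)
        entries.append((inside, outside, length))
    return entries

def host_root_mapped(text):
    """True if any range of the map covers outside (host) uid 0."""
    return any(outside <= 0 < outside + length
               for _inside, outside, length in parse_uid_map(text))

def assess(text):
    """'exposed' when host root is reachable from inside the namespace,
    'mitigated' when it is not, 'unknown' when the map is empty."""
    if not parse_uid_map(text):
        return "unknown"
    return "exposed" if host_root_mapped(text) else "mitigated"

def assess_pid(pid="self"):
    """Assess a live process; 'unknown' if its uid_map cannot be read."""
    try:
        return assess(Path(f"/proc/{pid}/uid_map").read_text())
    except OSError:
        return "unknown"

# Constructed samples: the identity map seen when user namespaces are not
# used, a remapped namespace (container uid 0 is host uid 100000), and a
# map that places host uid 0 at a non-zero inside uid, which still counts.
IDENTITY_MAP = "         0          0 4294967295\n"
REMAPPED_MAP = "         0     100000      65536\n"
ODD_MAP = "      1000          0          1\n         0     100000      65536\n"

if __name__ == "__main__":
    for name, sample in [("identity", IDENTITY_MAP),
                         ("remapped", REMAPPED_MAP), ("odd", ODD_MAP)]:
        print(f"{name:9} -> {assess(sample)}")
    print(f"this pid  -> {assess_pid()}")
```

Read the file from the host (for example /proc/<container init pid>/uid_map), because the outside column is interpreted relative to the namespace of the process reading it.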
If you are familiar with instrumenting applications, you may have heard of OpenMetrics, OpenTracing, and OpenCensus. These projects aim to create standards for application performance monitoring and collecting metric data. Although the projects do overlap in terms of their goals, they each take a different approach to observability and instrumentation. In this post, we’ll provide an introduction to all three projects, along with some key differentiators of each, and how they best support application monitoring.
Key project differences
OpenMetrics aims to create a standard format for exposing metric data, while OpenTracing and OpenCensus focus on creating a standard for distributed tracing. Because the OpenCensus and OpenTracing projects share similar goals, there is a lot of overlap with their tracing APIs. They both employ a standard for tracking requests across process boundaries so you can visualize all the operations (e.g., database calls, caching) that go into fulfilling individual requests. This enables you to monitor application performance with one of the several backends (e.g., Datadog, Zipkin) that OpenTracing or OpenCensus supports.
OpenCensus is a part of the Google Open Source community, and OpenTracing and OpenMetrics are Cloud Native Computing Foundation (CNCF) projects. The OpenCensus and OpenTracing projects use similar mechanisms, though they refer to them in different terms:
Eric Biggers and Paul Crowley were unhappy with the disk encryption options available for Android on low-end phones and watches. For them, it was an ethical issue. Eric said:
We believe encryption is for everyone, not just those who can afford it. And while it’s unknown how long CPUs without AES support will be around, there will likely always be a “low end”; and in any case, it’s immensely valuable to provide a software-optimized cipher that doesn’t depend on hardware support. Lack of hardware support should not be an excuse for no encryption.
Unfortunately, they were not able to find any existing encryption algorithm that was both fast and secure and that would work with existing Linux kernel infrastructure. They therefore designed the Adiantum encryption mode, which they described in a light, easy-to-read, and completely non-mathematical way.
As I work, throughout the day, music is always playing in the background. Most often, that music is in the form of vinyl spinning on a turntable. But when I’m not in purist mode, I’ll opt to listen to audio by way of a streaming app. Naturally, I’m on the Linux platform, so the only tools I have at my disposal are those that play well on my operating system of choice. Fortunately, plenty of options exist for those who want to stream audio to their Linux desktops.
In fact, Linux offers a number of solid offerings for music streaming, and I’ll highlight five of my favorite tools for this task. A word of warning, not all of these players are open source. But if you’re okay running a proprietary app on your open source desktop, you have some really powerful options. Let’s take a look at what’s available.
Spotify for Linux isn’t some dumbed-down, half-baked app that crashes every other time you open it or lacks the full range of features found in the macOS and Windows equivalents. In fact, the Linux version of Spotify is exactly the same as you’ll find on other platforms. With the Spotify streaming client you can listen to music and podcasts, create playlists, discover new artists, and so much more. And the Spotify interface (Figure 1) is quite easy to navigate and use.
Figure 1: The Spotify interface makes it easy to find new music and old favorites.
You can install Spotify either using snap (with the command sudo snap install spotify), or from the official repository, with the following commands:
echo deb http://repository.spotify.com stable non-free | sudo tee /etc/apt/sources.list.d/spotify.list
sudo apt-get update
sudo apt-get install spotify-client
Once installed, you’ll want to log into your Spotify account, so you can start streaming all of the great music to help motivate you to get your work done. If you have Spotify installed on other devices (and logged into the same account), you can dictate to which device the music should stream (by clicking the Devices Available icon near the bottom right corner of the Spotify window).
Clementine is one of the best music players available on the Linux platform. Clementine not only allows users to play locally stored music, but also to connect to numerous streaming audio services, such as:
Amazon Cloud Drive
Box
Dropbox
Icecast
Jamendo
Magnatune
RockRadio.com
Radiotunes.com
SomaFM
SoundCloud
Spotify
Subsonic
Vk.com
Or internet radio streams
There are two caveats to using Clementine. The first is you must be using the most recent version (as the build available in some repositories is out of date and won’t install the necessary streaming plugins). Second, even with the most recent build, some streaming services won’t function as expected. For example, with Spotify, you’ll only have available to you the Top Tracks (and not your playlist … or the ability to search for songs).
With Clementine Internet radio streaming, you’ll find musicians and bands you’ve never heard of (Figure 2), and plenty of them to tune into.
Figure 2: Clementine Internet radio is a great way to find new music.
Odio is a cross-platform, proprietary app (available for Linux, MacOS, and Windows) that allows you to stream internet music stations of all genres. Radio stations are curated from www.radio-browser.info and the app itself does an incredible job of presenting the streams for you (Figure 3).
Figure 3: The Odio interface is one of the best you’ll find.
Odio makes it very easy to find unique Internet radio stations and even add those you find and enjoy to your library. Currently, the only way to install Odio on Linux is via Snap. If your distribution supports snap packages, install this streaming app with the command:
sudo snap install odio
Once installed, you can open the app and start using it. There is no need to log into (or create) an account. Odio is very limited in its settings. In fact, it only offers the choice between a dark or light theme in the settings window. However, as limited as it might be, Odio is one of your best bets for playing Internet radio on Linux.
Streamtuner2 is an outstanding Internet radio station GUI tool. With it you can stream music from the likes of:
Internet radio stations
Jamendo
MyOggRadio
Shoutcast.com
SurfMusic
TuneIn
Xiph.org
YouTube
Streamtuner2 offers a nice (if slightly outdated) interface that makes it quite easy to find and stream your favorite music. The one caveat with Streamtuner2 is that it’s really just a GUI for finding the streams you want to hear. When you find a station, double-click on it to open the app associated with the stream. That means you must have the necessary apps installed in order for the streams to play. If you don’t have the proper apps, you can’t play the streams. Because of this, you’ll spend a good amount of time figuring out which apps to install for certain streams (Figure 4).
Figure 4: Configuring Streamtuner2 isn’t for the faint of heart.
VLC has been, for a very long time, dubbed the best media playback tool for Linux. That’s with good reason, as it can play just about anything you throw at it. Included in that list is streaming radio stations. Although you won’t find VLC connecting to the likes of Spotify, you can head over to Internet-Radio, click on a playlist and have VLC open it without a problem. And considering how many internet radio stations are available at the moment, you won’t have any problem finding music to suit your tastes. VLC also includes tools like visualizers, equalizers (Figure 5), and more.
Figure 5: The VLC visualizer and equalizer features in action.
The only caveat to VLC is that you do have to have a URL for the Internet radio station you wish to hear, as the tool itself doesn’t curate. But with those links in hand, you won’t find a better media player than VLC.
Always More Where That Came From
If one of these five tools doesn’t fit your needs, I suggest you open your distribution’s app store and search for one that will. There are plenty of tools to make streaming music, podcasts, and more not only possible on Linux, but easy.
If you want features, bells and whistles, and configurability in spades, your best choice of desktop is probably KDE’s Plasma desktop. Navigating and discovering all that’s on offer can be a challenge, though.
While many user interface designers advocate simplicity and simplified decision-making for users (which often results in no decision-making at all), the KDE community [1] has stubbornly gone the other way, jam-packing all manner of features and doodads into its Plasma [2] desktop (see the “KDE Is Not a Desktop” box).
KDE Is Not a Desktop
This has been the subject of much controversy and confusion, but, no, KDE is not the name of a desktop environment anymore and hasn’t been for some time now.
The desktop is called Plasma. KDE, on the other hand, is the name given to the community of developers, artists, translators, and so on that create the software. The reason for this shift is that the KDE community builds many things, like Krita, Kdenlive, digiKam, GCompris, and so on, not just Plasma. Many of these applications are not even tied to Linux, much less to the Plasma desktop, and can be run on many other graphical environments, including Mac OS X, Windows, Android, and others.
Also, much like KFC does not stand for Kentucky Fried Chicken anymore, neither does KDE stand for Kool Desktop Environment. KDE is not an acronym for anything. It is just … KDE.
To illustrate Plasma’s flexibility, I’ll show you some tricks you can use to emulate other desktops, starting with global menus. Both Unity and Mac OS use a global menu: It is the menu that appears in a bar at the top of the screen and shows a selected application’s options, instead of having them in a bar along the top of the application.
As the number of open-source projects booms, so does the need for resiliency and interoperability testing.
The Open Platform for NFV (OPNFV) community spent about four years of collective brainpower developing testing tools that can come in handy for open-source projects.
Here’s a brief overview of the three areas in the OPNFV testing ecosystem. Functional testing, called Functest, is “a fairly evolved and fairly flexible framework” that offers pre-integrated upstream test tools including RefStack, Tempest, OPNFV-specific VNF tests, and application-level Kubernetes tests.
Fuzzing is an automated method for detecting bugs in software that works by feeding unexpected inputs to a target program. It is effective at finding memory corruption bugs, which often have serious security implications. Manually finding these issues is both difficult and time consuming, and bugs often slip through despite rigorous code review practices. For software projects written in an unsafe language such as C or C++, fuzzing is a crucial part of ensuring their security and stability.
In order for fuzzing to be truly effective, it must be continuous, done at scale, and integrated into the development process of a software project. To provide these features for Chrome, we wrote ClusterFuzz, a fuzzing infrastructure running on over 25,000 cores. Two years ago, we began offering ClusterFuzz as a free service to open source projects through OSS-Fuzz.
Today, we’re announcing that ClusterFuzz is now open source and available for anyone to use.
The goal of the Zowe project is to create a framework that enables developers to bring their latest tools to work on the mainframe. IBM, Broadcom, and Rocket Software worked together and open sourced their own technologies to achieve this. According to the project website, Zowe provides various components, including an app framework and a command-line interface, which lets users interact with the mainframe remotely and use integrated development environments, shell commands, Bash scripts, and other tools. It also provides utilities and services to help developers quickly learn how to support and build z/OS applications.
“What Zowe allows both end users and developers to do is enable a newer generation of users and developers to have access to all the critical data within all these financial, retail, and insurance systems living on the mainframe,” she said.
The fact is that almost all of the critical mainframe applications were written decades ago. Some of these companies are more than 100 years old, and they are using mainframe systems for their mission-critical workloads. So, what Zowe is trying to achieve is to open source some of these technologies to help companies bring their existing workloads into the modern day. This will also allow them to attract a new generation of users and developers.
In this article we’ll look at 15 Docker CLI commands you should know. If you haven’t yet, check out the rest of this series on Docker concepts, the ecosystem, Dockerfiles, and keeping your images slim. In Part 6 we’ll explore data with Docker. I’ve got a series on Kubernetes in the works too, so follow me to make sure you don’t miss the fun!
There are about a billion Docker commands (give or take a billion). The Docker docs are extensive, but overwhelming when you’re just getting started. In this article I’ll highlight the key commands for running vanilla Docker.
Overview
Recall that a Docker image is made of a Dockerfile + any necessary dependencies. Also recall that a Docker container is a Docker image brought to life. To work with Docker commands, you first need to know whether you’re dealing with an image or a container.
A Docker image either exists or it doesn’t.
A Docker container either exists or it doesn’t.
A Docker container that exists is either running or it isn’t.
The state of open source over the course of the past few decades has certainly changed. IBM last year purchased Red Hat, for example. But the original open source spirit of sharing remains intact — though the extent to which that is the case remains a subject of debate.
What open source really means today and how it has evolved were major themes of a podcast Alex Williams, founder and editor-in-chief of The New Stack, recently hosted at KubeCon + CloudNativeCon in Seattle. Among the open source thought leaders on hand to offer their observations were:
The differences between open source culture, and its underground-like feel over 20 years ago, and today’s explosion in commercial software enterprises based on open source code are stark, indeed.