End-user computing (EUC) is changing quickly, and dramatically. In my work, I hear just how vital it is that organizations deliver better security, manageability and user experience every day. This is creating increasing pressure on the status quo of operating systems for end-user devices: Windows. And Windows simply can’t keep up with the requirements.
What you may not know is that this pressure is also giving rapid rise to the broad use of Linux on endpoint devices. In fact, according to a new IDC InfoBrief, Linux is the only endpoint operating system (OS) growing at a global level. (Full disclosure: IGEL sponsored the report.) While Windows market share remains flat, at 39% in 2015 and 2017, Linux has grown from 30% in 2015 to 35% in 2017, worldwide. And the trend is accelerating.
So, what is it about Linux that makes it so attractive for endpoint devices? Consider these factors:
Serverless architecture is not needed to use Function as a Service (FaaS). In fact, 54 percent of FaaS users without production deployments say their organization does not utilize a serverless architecture, according to a survey conducted in August 2018. In comparison, 96 percent of organizations with FaaS broadly deployed say they use a serverless architecture. Our upcoming Guide to Serverless Technologies covers serverless architecture, technology and computing, and will include the complete study results.
The survey defined FaaS as typically providing event-driven computing where developers run and manage application code with functions that are triggered by events or HTTP requests. Serverless architecture broadly describes an application design that incorporates third-party Backend as a Service (BaaS) services, and/or that includes custom code run in managed environments on a FaaS platform. In many ways, serverless architecture looks similar to other application designs focused on events and microservices.
If you’re the type of person who uses the word “vuln” as a shorthand for code vulnerabilities, you should check out the presentation from the recent Linux Security Summit called “Security in Zephyr and Fuchsia.” In the talk, two researchers from the National Security Agency discuss their contributions to the nascent security stacks of two open source OS projects: Zephyr and Fuchsia.
Microsoft’s Ryan Fairfax explained how to fit an entire Linux stack into 4 MiB of RAM in this presentation. Yet, the hard part, according to Fairfax, was not so much the kernel modification, as it was the development of the rest of the stack. This includes the custom Linux Security Module, which coordinates with the Cortex-M4’s proprietary Pluton security code using a mailbox-based protocol.
In this article, Swapnil Bhartiya interviewed Linux kernel maintainer Greg Kroah-Hartman about how the kernel community is hardening Linux against vulnerabilities. You can see excerpts from their talk in the accompanying video.
The next Linux Security Summit Europe, coming up October 25 – 26 in Edinburgh, offers more essential security information, with refereed presentations, discussion sessions, subsystem updates, and more. There’s still time to register and attend! Check out the full scheduleand stay tuned for more coverage.
“It is very surprising to people just how much open source software is used in modern software development,” observed Jeff Luszcz, Vice President of Product, Management at US software specialist Flexera, during a recent Automotive World webinar. According to Flexera research, more than 50% of all code written today is open source. “If we look at any software product ten to 20 years ago, OSS was just filling in the gaps, but my experience is that 100% of IT organisations are using OSS today.”
Digital trends
Software content has become a differentiator for automakers, who had once relied on factors such as drivability or exterior design to sell their cars. Today, software-based features are often the focal point for advertising campaigns.
This software is derived from a multitude of different sources, and rarely originates from a single developer. Many vehicles today leverage Linux, an open source operating system. “Every device in a modern vehicle contains anywhere between 80 to 100 million lines of code. Some vendors have ten or more Linux computers running at the same time, and while these computers may have very similar software stacks, they will likely have been put together by different development teams, and have different reasons for existing,” added Luszcz.
Open source networking has become the ‘new norm,’ and many at the recent Open Networking Summit Europe said they’re seeing it play out in the industry.
If you weren’t in Amsterdam for Open Networking Summit Europe 2018, you missed an extremely exciting conferenceThis Linux Foundation event drew more than 700 networking, development and operations leaders and enterprise users from open source service providers, cloud companies, and more.
Chief among the conference themes was the idea that open source networking is the “new norm,” with lots of vendors attesting to how this theme is playing out in the IT industry. Dan Kohn who leads the Linux Foundation’s Cloud Native Computing Foundation cites cost savings, improved resilience and higher development velocity for both bug fixes and the rolling out of new features for this change. Arpit Joshipura, General Manager of Networking at The Linux Foundation used the term “open-sourcification” in his keynote.
If you’re a Linux systems administrator, one of the first tools you will turn to for troubleshooting are log files. These files hold crucial information that can go a long way to help you solve problems affecting your desktops and servers. For many sysadmins (especially those of an old-school sort), nothing beats the command line for checking log files. But for those who’d rather have a more efficient (and possibly modern) approach to troubleshooting, there are plenty of options.
In this article, I’ll highlight a few such tools available for the Linux platform. I won’t be getting into logging tools that might be specific to a certain service (such as Kubernetes or Apache), and instead will focus on tools that work to mine the depths of all that magical information written into /var/log.
Speaking of which…
What is /var/log?
If you’re new to Linux, you might not know what the/var/logdirectory contains. However, the name is very telling. Within this directory is housed all of the log files from the system and any major service (such as Apache, MySQL, MariaDB, etc.) installed on the operating system. Open a terminal window and issue the command cd /var/log. Follow that with the command ls and you’ll see all of the various systems that have log files you can view (Figure 1).
Figure 1: Our ls command reveals the logs available in /var/log/.
Say, for instance, you want to view the syslog log file. Issue the command less syslog and you can scroll through all of the gory details of that particular log. But what if the standard terminal isn’t for you? What options do you have? Plenty. Let’s take a look at few such options.
Logs
If you use the GNOME desktop (or other, as Logs can be installed on more than just GNOME), you have at your fingertips a log viewer that mainly just adds the slightest bit of GUI goodness over the log files to create something as simple as it is effective. Once installed (from the standard repositories), open Logs from the desktop menu, and you’ll be treated to an interface (Figure 2) that allows you to select from various types of logs (Important, All, System, Security, and Hardware), as well as select a boot period (from the top center drop-down), and even search through all of the available logs.
Figure 2: The GNOME Logs tool is one of the easiest GUI log viewers you’ll find for Linux.
Logs is a great tool, especially if you’re not looking for too many bells and whistles getting in the way of you viewing crucial log entries, so you can troubleshoot your systems.
KSystemLog
KSystemLog is to KDE what Logs is to GNOME, but with a few more features to add into the mix. Although both make it incredibly simple to view your system log files, only KSystemLog includes colorized log lines, tabbed viewing, copy log lines to the desktop clipboard, built-in capability for sending log messages directly to the system, read detailed information for each log line, and more. KSystemLog views all the same logs found in GNOME Logs, only with a different layout.
From the main window (Figure 3), you can view any of the different log (from System Log, Authentication Log, X.org Log, Journald Log), search the logs, filter by Date, Host, Process, Message, and select log priorities.
Figure 3: The KSystemLog main window.
If you click on the Window menu, you can open a new tab, where you can select a different log/filter combination to view. From that same menu, you can even duplicate the current tab. If you want to manually add a log to a file, do the following:
Open KSystemLog.
Click File > Add Log Entry.
Create your log entry (Figure 4).
Click OK
Figure 4: Creating a manual log entry with KSystemLog.
KSystemLog makes viewing logs in KDE an incredibly easy task.
Logwatch
Logwatch isn’t a fancy GUI tool. Instead, logwatch allows you to set up a logging system that will email you important alerts. You can have those alerts emailed via an SMTP server or you can simply view them on the local machine. Logwatch can be found in the standard repositories for almost every distribution, so installation can be done with a single command, like so:
sudo apt-get install logwatch
Or:
sudo dnf install logwatch
During the installation, you will be required to select the delivery method for alerts (Figure 5). If you opt to go the local mail delivery only, you’ll need to install the mailutils app (so you can view mail locally, via the mail command).
All Logwatch configurations are handled in a single file. To edit that file, issue the command sudo nano /usr/share/logwatch/default.conf/logwatch.conf. You’ll want to edit the MailTo = option. If you’re viewing this locally, set that to the Linux username you want the logs sent to (such as MailTo = jack). If you are sending these logs to an external email address, you’ll also need to change the MailFrom = option to a legitimate email address. From within that same configuration file, you can also set the detail level and the range of logs to send. Save and close that file. Once configured, you can send your first mail with a command like:
logwatch --detail Med --mailto ADDRESS --service all --range todayWhere ADDRESS is either the local user or an email address.
For more information on using Logwatch, issue the command man logwatch. Read through the manual page to see the different options that can be used with the tool.
Rsyslog
Rsyslog is a convenient way to send remote client logs to a centralized server. Say you have one Linux server you want to use to collect the logs from other Linux servers in your data center. With Rsyslog, this is easily done. Rsyslog has to be installed on all clients and the centralized server (by issuing a command like sudo apt-get install rsyslog). Once installed, create the /etc/rsyslog.d/server.conf file on the centralized server, with the contents:
# Provide UDP syslog reception$ModLoad imudp$UDPServerRun 514# Provide TCP syslog reception$ModLoad imtcp$InputTCPServerRun 514# Use custom filenaming scheme$template FILENAME,"/var/log/remote/%HOSTNAME%.log"*.* ?FILENAME$PreserveFQDN on
Save and close that file. Now, on every client machine, create the file /etc/rsyslog.d/client.confwith the contents:
Where SERVER_IP is the IP address of your centralized server. Save and close that file. Restart rsyslog on all machines with the command:
sudo systemctl restart rsyslog
You can now view the centralized log files with the command (run on the centralized server):
tail -f /var/log/remote/*.log
The tail command allows you to view those files as they are written to, in real time. You should see log entries appear that include the client hostname (Figure 6).
Figure 6: Rsyslog showing entries for a connected client.
Rsyslog is a great tool for creating a single point of entry for viewing the logs of all of your Linux servers.
More where that came from
This article only scratched the surface of the logging tools to be found on the Linux platform. And each of the above tools is capable of more than what is outlined here. However, this overview should give you a place to start your long day’s journey into the Linux log file.
Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.
As the Chief Technologist at Red Hat for the western region, Christian Van Tuin has been architecting solutions for strategic customers and partners for over a decade. He’s lived through the rise of DevOps and containers. And in his role, he’s found that security is the highest adoption barrier for enterprises interested in harnessing the power of containers.
After all, “Now we’re seeing an increasing level of threats for geopolitical reasons, and we’re seeing the dissolving security perimeter,” says Van Tuin. “Everything doesn’t sit behind the firewall in your data center anymore, and there’s a shift to software-based storage, networking and compute. The traditional network base, the fences, are no longer good enough.”
But as he will share duringhis talk at OpenFinTech Forumin New York City, Oct. 10-11, there are security best practices in the areas of DevOps, containers, and Kubernetes that companies can adopt so that everyone can sleep better at night.
“We’re seeing this evolution to DevSecOps,” he says. “It’s all about reducing security and business risk, lowering costs, speeding up delivery and reaction time, falling in line with DevOps. And we’re doing this with automation process optimization and continuous security improvement.”
This is particularly relevant for FinTech companies. “With the move from physical to digital banking, DevSecOps ensures security is integrated into the process from the start of development rather than appended on in production,” says Van Tuin. “At the same time, it still allows for rapid and frequent releases without security becoming a bottleneck or burden on development.” For instance, OpenSCAP can be used to scan container images for compliance with PCI DSS (Payment Card Industry Security Standard) and customer security policies for banking.
Van Tuin’s best practices are wide-ranging: addressing security risks such as container images, builds, registry, hosts, and network; automating and integrating security vulnerability management and compliance checking in a DevOps CI/CD pipeline; and deployment strategies for container security updates. And he’s hopeful that there will be more improvements to security around Kubernetes with the growth of Istio service mesh and CoreOS operators.
“One of the keys to DevSecOps is to ensure that you can enable your developers to rapidly innovate and experiment,” says Van Tuin. And the first thing that needs to happen? “Embrace security into the culture of the company.”
To hear all about Chris’s strategies for continuous security with DevOps, containers, and Kubernetes, plus talks from other open source leaders, come to OpenFinTech Forum in New York City October 10-11. You can still register here!
Everything old is new again. In the 1960s, IBM’s OS/650 mainframe operating system had two modes, MFT and MVT, in which process got its own address space and couldn’t interface with others processes running parallel with it. This was the ancestor to both virtual machines (VM) and containers. Fast forward to now, and IBM Secure Service Container for IBM Cloud Private enables you to run an operating system and applications in containers with their own address space and walls to keep them from interacting with other programs.
Of course, you can do a wee bit more with Secure Service Containers (SSC) on IBM LinuxONE and Z mainframes than you could on a 360 mainframe with a maximum of 1MB of memory. IBM Cloud Private is a Platform as a Service (PaaS) environment for developing and managing containerized applications. It’s built on top of the Kubernetes container orchestrator Kubernetes.
The physical ports on your computer allow communicate with peripheral devices such as your keyboard and mouse and to connect with internet devices via Ethernet cables.
Within computer networking, ports serve a similar purpose. When a computer system seeks to connect to another computer, the port serves as a communication endpoint. It is also possible for different services running on the same computer to expose various ports and communicate with one another using these ports. In simple terms, if a software application or service needs to communicate with others, it will expose a port. Ports are identified with positive 16-bit unsigned integers, ranging from 0 to 65535. Other services use this port number to communicate with the service or app. Port numbers are divided into three ranges: well-known ports, registered ports, and dynamic or private ports.
Well-known ports (also known as system ports) are numbered from 0 through 1023. For example, to connect to the host example.com via SSH, I would use this command:
It’s odd that printk() would pose so many problems for kernel development, given that it’s essentially just a replacement for printf() that doesn’t require linking the standard C library into the kernel.
And yet, it’s famously a mess, full of edge cases, corner cases, deadlocks, race conditions and a variety of other tough-to-solve problems. The reason for this is, unlike printf(), the printk() system call has to produce reasonable behavior even when the entire system is in the midst of crashing. That’s really the whole point—printk() needs to report errors and warnings that can be used to debug whatever strange and unexpected catastrophe has just hit a running system.
Trying to fix all the deadlocks and other problems at the same time would be too large a task for anyone, especially since each one is a special case defined by the particular context in which the printk() call appeared. But, sometimes a bunch of instances in a particular region of code can be addressed all together.
