Twitter
Home Blog Page 461

How to Align Your Team Around Microservices

By
OpenSource.com
-

Microservices have been a focus across the open source world for several years now. Although open source technologies such as Docker, Kubernetes, Prometheus, and Swarm make it easier than ever for organizations to adopt microservice architectures, getting your team on the same page about microservices remains a difficult challenge.

For a profession that stresses the importance of naming things well, we’ve done ourselves a disservice with microservices. The problem is that that there is nothing inherently “micro” about microservices. Some can be small, but size is relative and there’s no standard measurement unit across organizations. A “small” service at one company might be 1 million lines of code, but far fewer at another organization.

Some argue that microservices aren’t a new thing at all, 

Read more at OpenSource.com

DevOps for NFV: OPNFV Infrastructure and Continuous Integration

By
Amar Kapadia
-

In this article series, we have been discussing the Understanding OPNFV book. Previously, we provided an introduction to network functions virtualization (NFV), discussed the role of OPNFV in network transformation, and looked at how OPNFV integrates and enhances upstream projects. We continue our series with in-depth insight into the OPNFV DevOps toolchain, hardware labs, continuous integration (CI) pipeline, and deployment tools (installers) from chapters 6 and 7 of the book.                    

As mentioned previously, OPNFV integrates a number of upstream projects along with code contributions from the OPNFV community. To integrate and test these projects and contributions in an automated manner, the OPNFV project uses a variety of DevOps tools, hardware labs and a sophisticated CI pipeline. In fact, there is no better way for a telecom operator to absorb the principles of DevOps than by joining OPNFV.

Chapter 6 starts by discussing each of the various software and cloud-based tools used by OPNFV for DevOps:

  • Collaboration: JIRA/Confluence

  • Source code management and code review: Git, Gerrit, and GitHub

  • CI/software automation: Jenkins

  • Artifact repository: Google cloud storage and Docker hub

Let’s take a closer look at Gerrit, for example.

Code Reviews – Gerrit

Committing to master requires an approval process, and this process is managed through a tool called Gerrit. Gerrit is an open source web-based code review tool developed by Google. All changes pushed by contributors using a git push or git review command are reviewed in Gerrit by a set of reviewers, who view and inspect the patch. Reviewers also get to see the results of a continuous integration (CI) build and automated verify test run. Reviewers provide scores of +2, +1, -1 or -2. A +2 is a definite accept, while a -2 is a definite reject. A +1 or -1 may result in the change being accepted, rejected or sent back for changes.

OPNFV Gerrit

The chapter then describes the hardware labs used for automated integration and testing jobs. OPNFV has defined a standardized set of hardware, called a Pharos lab, consisting of 6 nodes and associated switches to automatically deploy OPNFV software by using the CI pipeline. The Pharos lab concept has been very successful with 16 labs distributed all around the world working seamlessly.

Centre of Excellence in Next Generation Networks Pharos Lab

Chapter 6 continues by describing the CI pipeline in detail, where changes in upstream projects or community code contributions trigger integration jobs and specific time-durations (such as daily, weekly) trigger testing jobs. The CI pipeline diagram from the book is shown below:

OPNFV CI Pipeline

Chapter 7 start by exploring the concept of OPNFV scenarios. Since OPNFV allows for multiple choices for different software layers, numerous permutations are possible. In addition to the different upstream projects described in the previous blog, OPNFV also allows for diversity in installers. The list of scenarios represents a subset of all possible permutations; effectively each scenario is a tested reference architecture. Examples of scenarios are:

  • OpenStack + ODL + L3 FD.io + High Availability (HA) using the Apex installer, or

  • OpenStack + OpenContrail + HA using the JOID installer

The OPNFV Danube release had 55 scenarios. However, if we ignore non-HA scenarios and the specific installer used, we are down to 21 distinct usable scenarios.

The chapter continues by providing an overview of the 4 major installers used in the Danube release: Apex, Compass, Fuel and JOID, and ends with a discussion of additional deployment related projects such as Daisy (a new installer), IPv6, Parser, ARMBand (to run OPNFV on ARM), and FastDataStacks (FD.io with OPNFV).

Want to learn more? You can check out the previous blog post that discussed the broader NFV transformation complexities and how OPNFV solves an important piece of the puzzle, download the Understanding OPNFV ebook in PDF (in English or Chinese), or order a printed version on Amazon.

Samsung’s Phone-As-Desktop Concept Now Runs Linux

By
Engadget
-

Samsung’s DeX is a clever way to turn your phone into a desktop computer. However, there’s one overriding problem: you probably don’t have a good reason to use it instead of a PC. And Samsung is trying to fix that. It’s unveiling Linux on Galaxy, an app-based offering that (surprise) lets you run Linux distributions on your phone. Ostensibly, it’s aimed at developers who want to bring their work environment with them wherever they go. You could dock at a remote office knowing that your setup will be the same as usual.

Read more at Engadget

3 Simple, Excellent Linux Network Monitors

By
Carla Schroder
-

You can learn an amazing amount of information about your network connections with these three glorious Linux networking commands. iftop tracks network connections by process number, Nethogs quickly reveals what is hogging your bandwidth, and vnstat runs as a nice lightweight daemon to record your usage over time.

iftop

The excellent iftop listens to the network interface that you specify, and displays connections in a top-style interface.

This is a great little tool for quickly identifying hogs, measuring speed, and also to maintain a running total of your network traffic. It is rather surprising to see how much bandwidth we use, especially for us old people who remember the days of telephone land lines, modems, screaming kilobits of speed, and real live bauds. We abandoned bauds a long time ago in favor of bit rates. Baud measures signal changes, which sometimes were the same as bit rates, but mostly not.

If you have just one network interface, run iftop with no options. iftop requires root permissions:

$ sudo iftop

When you have more than one, specify the interface you want to monitor:

$ sudo iftop -i wlan0

Just like top, you can change the display options while it is running.

  • h toggles the help screen.
  • n toggles name resolution.
  • s toggles source host display, and d toggles the destination hosts.
  • s toggles port numbers.
  • N toggles port resolution; to see all port numbers toggle resolution off.
  • t toggles the text interface. The default display requires ncurses. I think the text display is more readable and better-organized (Figure 1).
  • p pauses the display.
  • q quits the program.

Figure 1: The text display is readable and organized.

When you toggle the display options, iftop continues to measure all traffic. You can also select a single host to monitor. You need the host’s IP address and netmask. I was curious how much of a load Pandora put on my sad little meager bandwidth cap, so first I used dig to find their IP address:

$ dig A pandora.com
[...]
;; ANSWER SECTION:
pandora.com.            267     IN      A       208.85.40.20
pandora.com.            267     IN      A       208.85.40.50

What’s the netmask? ipcalc tells us:

$ ipcalc -b 208.85.40.20
Address:   208.85.40.20   
Netmask:   255.255.255.0 = 24
Wildcard:  0.0.0.255  
=>
Network:   208.85.40.0/24

Now feed the address and netmask to iftop:

$ sudo iftop -F 208.85.40.20/24 -i wlan0

Is that not seriously groovy? I was surprised to learn that Pandora is easy on my precious bits, using around 500Kb per hour. And, like most streaming services, Pandora’s traffic comes in spurts and relies on caching to smooth out the lumps and bumps.

You can do the same with IPv6 addresses, using the -G option. Consult the fine man page to learn the rest of iftop’s features, including customizing your default options with a personal configuration file, and applying custom filters (see PCAP-FILTER for a filter reference).

Nethogs

When you want to quickly learn who is sucking up your bandwidth, Nethogs is fast and easy. Run it as root and specify the interface to listen on. It displays the hoggy application and the process number, so that you may kill it if you so desire:

$ sudo nethogs wlan0

NetHogs version 0.8.1

PID USER   PROGRAM              DEV    SENT   RECEIVED       
7690 carla /usr/lib/firefox     wlan0 12.494 556.580 KB/sec
5648 carla .../chromium-browser wlan0  0.052   0.038 KB/sec
TOTAL                                 12.546 556.618 KB/sec

Nethogs has few options: cycling between kb/s, kb, b, and mb, sorting by received or sent packets, and adjusting the delay between refreshes. See man nethogs, or run nethogs -h.

vnstat

vnstat is the easiest network data collector to use. It is lightweight and does not need root permissions. It runs as a daemon and records your network statistics over time. The vnstat command displays the accumulated data:

$ vnstat -i wlan0
Database updated: Tue Oct 17 08:36:38 2017

   wlan0 since 10/17/2017

          rx:  45.27 MiB      tx:  3.77 MiB      total:  49.04 MiB

   monthly
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
       Oct '17     45.27 MiB |    3.77 MiB |   49.04 MiB |    0.28 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated        85 MiB |       5 MiB |      90 MiB |

   daily
                     rx      |     tx      |    total    |   avg. rate
     ------------------------+-------------+-------------+---------------
         today     45.27 MiB |    3.77 MiB |   49.04 MiB |   12.96 kbit/s
     ------------------------+-------------+-------------+---------------
     estimated       125 MiB |       8 MiB |     133 MiB |

By default it displays all network interfaces. Use the -i option to select a single interface. Merge the data of multiple interfaces this way:

$ vnstat -i wlan0+eth0+eth1

You can filter the display in several ways:

  • -h displays statistics by hours.
  • -d displays statistics by days.
  • -w and -m displays statistics by weeks and months.
  • Watch live updates with the -l option.

This command deletes the database for wlan1 and stops watching it:

$ vnstat -i wlan1 --delete

This command creates an alias for a network interface. This example uses one of the weird interface names from Ubuntu 16.04:

$ vnstat -u -i enp0s25 --nick eth0

By default vnstat monitors eth0. You can change this in /etc/vnstat.conf, or create your own personal configuration file in your home directory. See man vnstat for a complete reference.

You can also install vnstati to create simple, colored graphs (Figure 2):

$ vnstati -s -i wlx7cdd90a0a1c2 -o vnstat.png

Figure 2: You can create simple colored graphs with vnstati.

See man vnstati for complete options.

Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.

IoT Cybersecurity: What’s Plan B?

By
Schneier on Security
-

In August, four US Senators introduced a bill designed to improve Internet of Things (IoT) security. The IoT Cybersecurity Improvement Act of 2017 is a modest piece of legislation. It doesn’t regulate the IoT market. It doesn’t single out any industries for particular attention, or force any companies to do anything. It doesn’t even modify the liability laws for embedded software. Companies can continue to sell IoT devices with whatever lousy security they want.

What the bill does do is leverage the government’s buying power to nudge the market: any IoT product that the government buys must meet minimum security standards. It requires vendors to ensure that devices can not only be patched, but are patched in an authenticated and timely manner; don’t have unchangeable default passwords; and are free from known vulnerabilities. It’s about as low a security bar as you can set,…

Read more at Scheier on Security

ACME​ ​Support​ ​in​ ​Apache​ ​HTTP​ ​Server​ ​Project

By
The Linux Foundation
-

We’re excited that support for getting and managing TLS certificates via the ACME protocol is coming to the Apache HTTP Server Project (httpd). ACME is the protocol used by Let’s Encrypt, and hopefully other Certificate Authorities in the future. We anticipate this feature will significantly aid the adoption of HTTPS for new and existing websites.

We created Let’s Encrypt in order to make getting and managing TLS certificates as simple as possible. For Let’s Encrypt subscribers, this usually means obtaining an ACME client and executing some simple commands. Ultimately though, we’d like for most Let’s Encrypt subscribers to have ACME clients built in to their server software so that obtaining an additional piece of software is not necessary. The less work people have to do to deploy HTTPS the better!

Read more at The LInux Foundation

How Containers and Microservices Change Security

By
InfoWorld
-

Cloud-native applications and infrastructure require a radically different approach to security. Keep these best practices in mind.

Today organizations large and small are exploring the adoption of cloud-native software technologies. “Cloud-native” refers to an approach that packages software within standardized units called containers, arranges those units into microservices that interface with each other to form applications, and ensures that running applications are fully automated for greater speed, agility, and scalability.

Because this approach fundamentally changes how software is built, deployed, and run, it also fundamentally changes how software needs to be protected. Cloud-native applications and infrastructure create several new challenges for security professionals, who will need to establish new security programs that support their organization’s use of cloud-native technologies.

Read more at InfoWorld

Why Use Docker with R? A DevOps Perspective

By
R-Bloggers
-

There have been several blog posts going around about why one would use Docker with R.
In this post I’ll try to add a DevOps point of view and explain how containerizing
R is used in the context of the OpenCPU system for building and deploying R servers.

1: Easy Development

The flagship of the OpenCPU system is the OpenCPU server:
a mature and powerful Linux stack for embedding R in systems and applications.

Read more at R-bloggers

 

A Chat with Chef about the DevOps Movement and Habitat Builder

By
Node.js
-

Last week at our annual user conference, Node.js Interactive, we announced several new members to the Node.js Foundation. One of the members that joined is Chef. Chef works with more than a thousand companies around the world to deliver their vision of digital transformation.

We sat down with the team at Chef to talk about how Node.js fits within the DevOps movement, why they joined the Node.js Foundation, and also about a new offering from the group called Habitat Builder.

Read more at Node.js

 

Tips to Secure Your Network in the Wake of KRACK

By
Konstantin Ryabitsev
-

The KRACK attacks vulnerability is now more than 48 hours old and has been discussed in detail on a number of technology-related sites, so I won’t repeat the technical details of the attack here. To summarize:

  • A flaw in the WPA2 wireless handshake protocol allows attackers to sniff or manipulate the traffic between your device and the wi-fi access point.

  • It is particularly bad for Linux and Android devices, due either to ambiguous wording in the WPA2 standard or to misunderstanding during its implementation. Effectively, until the underlying OS is patched, the vulnerability allows attackers to force all wireless traffic to happen without any encryption at all.

  • This vulnerability can be patched on the client, so the sky hasn’t fallen and the WPA2 wireless encryption standard is not obsoleted in the same sense that the WEP standard is (do NOT “fix” this problem by switching to WEP).

  • Most popular Linux distributions are already shipping updates that fix this vulnerability on the client, so apply your updates dutifully.

  • Android will be shipping fixes for this vulnerability Very Soon. If your device is receiving Android security patches, you will receive a fix before long. If your device is no longer receiving such updates, then this particular vulnerability is merely another reason why you should stop using old, unsupported Android devices.

That said, from my perspective, Wi-Fi is merely another link in the chain of untrusted infrastructure and we should altogether avoid treating it as a trusted communication channel.

Wi-Fi as untrusted infrastructure

If you’re reading this article from your laptop or your mobile device, then your chain of communication probably looks something like this:

Blank Network Diagram - Basics.png

The KRACK attack targets the link between your device and the Wi-Fi access point, which is probably a router either in your home, your office, your neighborhood library, or your favorite cafe.

Blank Network Diagram - Where Kracks happen (1).png

In reality, this diagram should look something like this:

Blank Network Diagram - Everywhere (1).png

Wi-Fi is merely the first link in a long chain of communication happening over channels that we should not trust. If I were to guess, the Wi-Fi router you’re using has probably not received a security update since the day it got put together. Worse, it probably came with default or easily guessable administrative credentials that were never changed. Unless you set up and configured that router yourself and you can remember the last time you updated its firmware, you should assume that it is now controlled by someone else and cannot be trusted.

Past the Wi-Fi router, we enter the zone of generally distrusting the infrastructure at large — depending on your general paranoia levels. Here we have upstream ISPs and providers, many of whom have been caught monitoring, altering, analyzing, and selling our personal traffic in an attempt to make additional money off our browsing habits. Often their own security patching schedules leave a lot to be desired and end up exposing our traffic to malicious eyes.

On the Internet at large, we have to worry about powerful state-level actors with ability to manipulate core networking protocols in order to carry out mass surveillance programs or perform state-level traffic filtering.

HTTPS Protocol

Thankfully, we have a solution to the problem of secure communication over untrusted medium, and we use it every day — the HTTPS protocol encrypts our Internet traffic point-to-point and ensures that we can trust that the sites we communicate with are who they say they are.

The Linux Foundation initiatives like Let’s Encrypt make it easy for site owners worldwide to offer end-to-end encryption that helps ensure that any compromised equipment between our personal devices and the websites we are trying to access does not matter.

Blank Network Diagram - HTTPS (1).png

Well… almost does not matter.

DNS remains a problem

Even if we dutifully use HTTPS to create a trusted communication channel, there is still a chance that an attacker with access to our Wi-Fi router or someone who can alter our Wi-Fi traffic — as is the case with KRACK — can trick us into communicating with the wrong website. They can do so by taking advantage of the fact that we still greatly rely on DNS — an unencrypted, easily spoofed protocol from the 1980s.

Blank Network Diagram - LOL DNS.png

DNS is a system that translates human-friendly domain names like “linux.com” into IP addresses that computers can use to communicate with each other. To translate a domain name into an IP address, the computer would query the resolver software — usually running on the Wi-Fi router or on the system itself. The resolver would then query a distributed network of “root” nameservers to figure out which system on the Internet has what is called “authoritative” information about what IP address corresponds to the “linux.com” domain name.

The trouble is, all this communication happens over unauthenticated, easily spoofable, cleartext protocols, and responses can be easily altered by attackers to make the query return incorrect data. If someone manages to spoof a DNS query and return the wrong IP address, they can manipulate where our system ends up sending the HTTP request.

Fortunately, HTTPS has a lot of built-in protection to make sure that it is not easy for someone to pretend to be another site. The TLS certificate on the malicious server must match the DNS name you are requesting — and be issued by a reputable Certificate Authority recognized by your browser. If that is not the case, the browser will show a big warning that the host you are trying to communicate with is not who they say they are. If you see such warning, please be extremely cautious before choosing to override it, as you could be giving away your secrets to people who will use them against you.

If the attackers have full control of the router, they can prevent your connection from using HTTPS in the first place, by intercepting the response from the server that instructs your browser to set up a secure connection (this is called “the SSL strip attack”). To help protect you from this attack, sites may add a special response header telling your browser to always use HTTPS when communicating with them in the future, but this only works after your first visit. For some very popular sites, browsers now include a hardcoded list of domains that should always be accessed over HTTPS even on the first visit.

The solution to DNS spoofing exists and is called DNSSEC, but it has seen very slow adoption due to important hurdles — real and perceived. Until DNSSEC is used universally, we must assume that DNS information we receive cannot be fully trusted.

Use VPN to solve the last-mile security problem

So, if you cannot trust Wi-Fi — and/or the wireless router in the basement that is probably older than most of your pets — what can be done to ensure the integrity of the “last-mile” communication, the one that happens between your device and the Internet at large?

One acceptable solution is to use a reputable VPN provider that will establish a secure communication link between your system and their infrastructure. The hope here is that they pay closer attention to security than your router vendor and your immediate Internet provider, so they are in a better position to assure that your traffic is protected from being sniffed or spoofed by malicious parties. Using VPN on all your workstations and mobile devices ensures that vulnerabilities like KRACK attacks or insecure routers do not affect the integrity of your communication with the outside world.

Blank Network Diagram - VPN.png

The important caveat here is that when choosing a VPN provider you must be reasonably assured of their trustworthiness; otherwise, you’re simply trading one set of malicious actors for another. Stay far away from anything offering “free VPN,” as they are probably making money by spying on you and selling your traffic to marketing firms. This site is a good resource that would allow you to compare various VPN providers to see how they stack against each other.

Not all of your devices need to have VPN installed on them, but the ones that you use daily to access sites with your private personal information — and especially anything with access to your money and your identity (government, banking sites, social networking, etc.) must be secured. VPN is not a panacea against all network-level vulnerabilities, but it will definitely help protect you when you’re stuck using unsecured Wi-Fi at the airport, or the next time a KRACK-like vulnerability is discovered.

Learn more in “A SysAdmin’s Essential Guide to Linux Workstation Security” from The Linux Foundation. Download the free ebook and checklist now!

1...460461462...10,742Page 461 of 10,742