Everyone is talking about unikernels today and the magical things they can do.
Unikernels are ultra light-weight secure applications cross-compiled to virtual machines. That is – they don’t run linux, but they can run *on* linux. They are coupled with drivers to talk to the disk and network and that’s about it along with your app code.
They’re similar to RTOS’s like the one on the Mars Rover but they run ordinary web application software designed for intel x86 in the datacenter – it doesn’t need to run on a different planet.
But Why?
Because of security and because of performance.
Unikernels are single process systems by design, so they completely thwart shell code exploits and most remote code execution problems by design. They can also be faster than native software simply because they have less context switching. When you couple this with PCI passthrough we’re talking about performance better than what you could get on ‘bare metal’.
There are tons of articles and presentations out there on what unikernels are but very little on how you can run them today on your very own laptop – no cloud required. So if you want to run unikernels but you don’t know how, this article is for you. This article assumes you are running Linux (or at least some bastardized form of BSD :).
Quick Start:
Just to get a hello world example running download the local unikernel runner virgo and grab an account to get a pre-built unikernel.
Fork/Compile/Run a unikernel on deferpanic and then run it locally.
Install:
To get going you just need to install the virgo unikernel runner:
go get github.com/deferpanic/dpcli/dpcli
go install github.com/deferpanic/dpcli/dpcli
go install
echo "mytoken" > ~/.dprc
Pull a Unikernel Project:
Pull will yank down unikernel projects from the only unikernel hub out there in use. This allows you to run existing unikernels with ease and not have to compile your own if you don’t want to. It also allows you to share unikernels you have built yourself and works with any unikernel implementation.
virgo pull html
Run a Unikernel Project:
This is the part you were looking for – run a unikernel on your own laptop. It’s literally this easy.
virgo run html
Kill a local Unikernel Project:
Want to stop running that unikernel? Kill it with one command.
virgo kill html
Fetch the log for the Unikernel Project:
Trying to figure out what is wrong with your unikernel? Grab the logs from this handy command.
virgo log html
List all Unikernels that are Installed:
You can easily build up a library of unikernels that you are working with locally. Grep for your favorites here.
virgo images
List the Running Unikernels:
Not sure what is running locally? Grab the process list of unikernels that are currently running.
virgo ps
Remove a local Unikernel Project:
Ready to delete that hello world project and move onto something better? Go ahead and reclaim that disk space with a simple ‘rm’ command.
What with all the furor around containers and orchestrators, it can be easy to lose sight of some of their highly useful features. The portability and extensible nature of containers is a modern convenience to be cherished, but from my professional perspective it’s sometimes all too easy to get carried away and pay less attention to security.
There’s a lesser-known feature in the venerable Docker that I like using from a security perspective, which I’ll take a quick look at now.
Ye olde feature I have in mind has been around for a whopping 20 months at the time of writing. Believe me when I say that’s a millennium when it comes to containers, which have evolved their feature-sets at hyperspeed. From Docker version 1.10, it’s been possible to run your containers with a temporary storage, or temporary volume mount to be more precise. From the release notes of Docker v1.10, we can see the feature announcement as follows:
“Temporary filesystems: It’s now really easy to create temporary filesystems by passing the --tmpfs flag to docker run. This is particularly useful for running a container with a read-only root filesystem when the piece of software inside the container expects to be able to write to certain locations on disk.”
In Figure 1, we can see the key difference between temporary and standard volumes. If you’re interested in some of the discussions around the naming of the temporary filesystem feature, then there’s some chatter available on one of Moby’s GitHub repositories.
Figure 1: Temporary filesystems are written to RAM (or to your swap file if RAM is filling up) and not to the host or the container’s own filesystem layer at Docker.com: Docker tmpfs. (Image: Docker)
For the aforementioned versioning reason, I will caveat the following with a note that, even though the feature below might not work exactly as you expect it to, the concepts should help you to flex your lateral-thinking muscles nonetheless. In other words, check your Docker runtime version and its accompanying docs in case there’s a syntax change or the feature has been deprecated or enhanced in some way. We will see in a moment that there’s more than one way to mount a temporary volume, for example.
Let’s have a look at putting this feature to good use. Consider a scenario where you had a container ticking over nicely in read-only mode. You chose to do this because you were aware that, for security reasons, it helped prevent any successful attack that compromised your container from persisting after it had been stopped and then restarted. In other words, your container was quite happy to save any relevant session data internally but not commit any actual changes to its original files, because it used the --read-only option when it was started up.
That configuration is ideal for many purposes, but what if you need to save data of some sort that your container has captured? For simplicity, let’s imagine that your container was running a website and you captured visitor data through a form on the site. You know the sort I mean I’m sure: a few input HTML boxes, a pull-down menu, and a radio button here or there, all presented nicely with a sprinkling of CSS.
To store your captured data, you have a handful of options. We will leave databases, emails, and message brokers aside and aim more along the lines of writing our captured data to disk.
In standard Docker terms, there’s an obvious way of achieving this namely by creating a standard volume and mounting it to a directory on your host machine. For example, /home/chrisbinnie/storage on my host might be /storage inside my container.
However what if you were running a whole heap of similar containers and you didn’t want the data to get mixed up in the directory on the host? Or, you didn’t need the data to be available for long or even that you were worried that it could contain unwelcome, dangerous code because the big, bad Internet had submitted the data.
Thankfully, Docker thought about our quandary in advance and provides exactly what you need in the form of ephemeral, or short-lived, volumes. Incidentally, I’ve also heard this option called volatile volumes in the past. The best bit from a security standpoint is that when your container stops, your ephemeral volume just automatically disappears into the ether along with your (un)saved data.
Let’s have a look at the command syntax required to get this working (my current runtime version is 17.06.2-ce for reference).
$ docker run -d --read-only -it --mount type=tmpfs,destination=/var/tmp nginx
In Figure 2, we can receive some welcome news having run a $ docker inspect d7c0c command (I have abbreviated the container’s hash, replace it with your container ID).
Figure 2: A temporary read/write volume pointing at our container’s innards.
Another way of running this command is the more concise --tmpfs option as shown below. This doesn’t allow additional options in quite the same way, however.
$ docker run -d --read-only -it --tmpfs /var/tmp nginx
We can also chuck in — sorry, I mean “enhance” — our useful feature with a few other sophisticated options by following the --mount option in the man pages as so:
If you’re struggling to find the right detail within man pages, then simply use this command and search for “tmpfs” in lowercase:
$ man docker run
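As an added check (example code, not from the article), the script below turns the --read-only plus tmpfs setup into something you can audit: it parses docker inspect output and flags any container whose writable paths would survive a restart. The sample inspect documents are constructed, build_run_args is an illustrative helper, and the tmpfs-size/tmpfs-mode option names are assumed to match your runtime’s --mount syntax.

```python
"""Audit a container for the read-only root + tmpfs pattern.

Added example, not code from the original article. It reads the JSON that
`docker inspect <container>` prints and reports whether the root filesystem
is read-only, which tmpfs mounts exist, and whether any writable mount would
outlive a restart. `build_run_args` and the sample documents are illustrative.
"""
import json
import subprocess
import sys

def build_run_args(image, dest, size_bytes=64 * 1024 * 1024, mode="1770"):
    """Argument list for a read-only container with a capped, private tmpfs.
    tmpfs-size and tmpfs-mode are the documented --mount options; the size
    cap stops a chatty form from filling the host's RAM."""
    mount = f"type=tmpfs,destination={dest},tmpfs-size={size_bytes},tmpfs-mode={mode}"
    return ["docker", "run", "-d", "--read-only", "--mount", mount, image]

def audit_inspect(doc):
    """Summarise one `docker inspect` object. --mount type=tmpfs lands in
    HostConfig.Mounts (key "Target"), --tmpfs in HostConfig.Tmpfs, and both
    are listed under the top-level "Mounts", so all three places are read."""
    host = doc.get("HostConfig") or {}
    tmpfs = set(host.get("Tmpfs") or {})
    for m in host.get("Mounts") or []:
        if m.get("Type") == "tmpfs":
            tmpfs.add(m.get("Target"))
    persistent = []
    for m in doc.get("Mounts") or []:
        if m.get("Type") == "tmpfs":
            tmpfs.add(m.get("Destination"))
        elif m.get("RW", True):
            persistent.append(m.get("Destination"))
    return {
        "readonly_rootfs": bool(host.get("ReadonlyRootfs", False)),
        "tmpfs": sorted(t for t in tmpfs if t),
        "writable_persistent": sorted(p for p in persistent if p),
    }

def ephemeral_only(summary):
    """True when nothing the container writes survives a stop/start: root is
    read-only and every writable path is a tmpfs."""
    return summary["readonly_rootfs"] and not summary["writable_persistent"]

# Constructed, abbreviated stand-in for `docker inspect` output: the first
# container was started like the article's --mount command, the second with
# a writable bind mount of a host directory and without --read-only.
SAMPLE_INSPECT = json.loads("""[
 {"Id": "d7c0c-constructed",
  "HostConfig": {"ReadonlyRootfs": true,
                 "Mounts": [{"Type": "tmpfs", "Target": "/var/tmp",
                             "TmpfsOptions": {"SizeBytes": 67108864, "Mode": 1016}}]},
  "Mounts": [{"Type": "tmpfs", "Source": "", "Destination": "/var/tmp", "RW": true}]},
 {"Id": "aaaaaaaaaaaa-constructed",
  "HostConfig": {"ReadonlyRootfs": false},
  "Mounts": [{"Type": "bind", "Source": "/home/chrisbinnie/storage",
              "Destination": "/storage", "RW": true}]}
]""")

if __name__ == "__main__":
    # With a container id on the command line, audit the live container;
    # without one, audit the constructed sample so the script runs offline.
    if len(sys.argv) > 1:
        out = subprocess.run(["docker", "inspect", sys.argv[1]],
                             check=True, capture_output=True, text=True).stdout
        docs = json.loads(out)
    else:
        docs = SAMPLE_INSPECT
    for d in docs:
        s = audit_inspect(d)
        verdict = "ephemeral only" if ephemeral_only(s) else "DATA PERSISTS"
        print(d.get("Id", "?")[:12], verdict, s)
```

Run it with no arguments to see the two constructed cases side by side, or pass a container ID to audit a live container.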
As we’ve seen, there’s a host of features which help pump Docker’s pistons and many are easy to forget or can be simply missed due to the vast number available. I hope you can put temporary volumes to good use in one form or another in the future. You can store a variety of different types of data to disk and even tiny files such as one-off, time-limited passwords which might be required to allow a container to instantiate an external service.
Chris Binnie’s latest book, Linux Server Security: Hack and Defend, shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against these attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevSecOps and Linux security via his website (http://www.devsecops.cc).
Comcast’s involvement in open source was a gradual process that evolved over time. The company eventually created two open source program offices, one for the NBC business and another for the cable side of the business, which is the subject of this profile.
Comcast began contributing to open source around 2006 when Jon Moore, Chief Software Architect, made a patch contribution to Apache HTTP. He showed the management team that it was more cost effective to have the patch incorporated into the main project than it was to maintain it separately.
Working with an interdisciplinary team, Moore worked to set up an open source advisory council, which consisted of legal and technical subject matter experts. They reviewed contributions and created internal guidelines focused on good open source practices and community building. In 2013, when they started tracking these contributions, they had 13. This year, they plan to do almost 10x that.
“When companies establish open source practices they send a big message saying that we’re serious about open source and that we want to invest in it,” said Nithya Ruff, Senior Director of the Open Source Practice at Comcast (@nithyaruff).
“If you’re not being actively inclusive then you’re being exclusive,” said Swarna Podila at the Diversity Empowerment Summit, a day of talks on increasing diversity, inclusion, and empowerment in the open source community. The event took place at Open Source Summit in Los Angeles and was produced by Angela Brown, VP of Events at The Linux Foundation, who helped me summarize the day’s highlights in this 5-minute video.
As a serial entrepreneur, I already care a great deal about building diverse and inclusive environments. However, the Diversity Empowerment Summit made me realize I honestly didn’t know the half of it. Here are the resources mentioned in the video:
Amy Chen created Ladies Storm Hackathons, a Facebook group dedicated to closing the gender gap in hackathons.
Tameika Reed created Women in Linux, a community supporting women in Linux-centric tech careers.
Emma Irwin and Larissa Shapiro spoke about the research they did at Mozilla and what they found to promote diversity and inclusion in Open Source.
Rupa Dachere created Codechix, dedicated to the education, advocacy, and mentoring of women engineers in industry and academia.
Nicole Huesman & Daniel Izquierdo led us through OpenStack’s Gender Diversity Report, which examines gender diversity and retention within the OpenStack community.
Marina Zhurakhinskaya from Red Hat taught us about Outreachy, which provides 3-month internships for people from groups traditionally underrepresented in tech.
It was an empowering day which left me with a bunch of new tools to help me play a part in creating a more diverse and inclusive tech community.
Concepts such as decentralizing strategy, delegating direction, and fierce transparency in communication are part of the backbone of successful open source projects. In my presentation at Open Source Summit EU in Prague, I will explore how these concepts are not only applicable to volunteer-run organizations but can also help growing corporations avoid some of the coordination overhead that often comes with growing teams and organizations.
We’ll look at some of the key aspects of how project members collaborate at The Apache Software Foundation (ASF). After that, we’ll take a closer look at German FinTech company Europace AG, which decided to move toward self-organization two years ago. We’ll highlight parallels between Europace AG’s organizing approaches and those of open source projects.
Let’s start with some of the core values of ASF projects.
Community over Code
One main principle is the concept of “community over code” — which means that without a diverse and healthy team of contributors to a project, there is no project. It puts the team front and center, as highlighted in the Apache project maturity model.
In January of 2015, the Open vSwitch (OVS) team announced they planned to start a new project within OVS called OVN (Open Virtual Network). The timing could not have been better for me as I was looking around for a new project. I dove in with a goal of figuring out whether OVN could be a promising next generation of Open vSwitch integration for OpenStack and have been contributing to it ever since.
OVN has now had multiple releases. As a community we have also built integration with OpenStack, Docker, and Kubernetes.
OVN is a system to support virtual network abstraction. OVN complements the existing capabilities of OVS to add native support for virtual network abstractions, such as virtual L2 and L3 overlays and security groups. A recent video explains more about the inner workings of OVN.
The Linux Foundation’s Hyperledger project, which is focused on open source blockchain technology, divides its work into five sub projects. Hyperledger Executive Director Brian Behlendorf said Hyperledger’s technical steering committee must approve each new sub project, and it’s looking for projects that “represent different thinking.”
The first five projects are: Fabric, Sawtooth, Indy, Burrow, and Iroha.
“Every one of these projects started life outside of Hyperledger, first, by a team that had certain use cases in mind,” said Behlendorf. Each project must bring something unique to the open source group, and its technology must be applicable to other companies.
Fabric
Fabric is Hyperledger’s most active project to date. The Fabric 1.0 release was issued in July. IBM initiated the Fabric project. It’s intended as a foundation for developing blockchain distributed ledger applications with a modular architecture. It allows components, such as consensus and membership services, to be plug-and-play.
Linux server administrators will want to patch their systems as soon as possible.
Sometimes old fixed bugs come back to bite us. That’s the case with CVE-2017-1000253, a Local Privilege Escalation Linux kernel bug. … The problem is that the bug lived on in long-term support (LTS) versions of Linux, which are often used in server Linux distributions.
If you’re running an up-to-date Linux desktop, you have nothing to worry about. These use modern kernels rather than LTS kernels.
Your work as an open leader will be more transparent when you apply this decision-making technique.
One of the most powerful ways to make your work as a leader more transparent is to take an existing process, open it up for feedback from your team, and then change the process to account for this feedback. The following exercise makes transparency more tangible, and it helps develop the “muscle memory” needed for continually evaluating and adjusting your work with transparency in mind.
I would argue that you can undertake this activity with any process—even processes that might seem “off limits,” like the promotion or salary adjustment processes.
Opening up processes and making them more transparent builds your credibility and enhances trust with team members.
If there is one flavor of Linux best suited to help users transition from their current platform to Linux, I would have to go with ZorinOS. This conclusion might surprise a good number of the Linux faithful. Why? Unlike most of the distributions claiming to be fit for “universal use,” ZorinOS doesn’t opt for the standard fare. Instead, ZorinOS offers its own desktop (aptly called Zorin Desktop). And this pretty remarkable interface makes ZorinOS a great choice for new users, old users, and everyone in between.
Why? Because the Zorin Desktop can be easily reconfigured to look and feel like the desktop you are leaving behind. Is your platform of choice Windows 7 or XP? Zorin OS has you covered. If your preferred desktop is macOS, Unity, or GNOME 2, Zorin Ultimate can take care of you. If your interface of choice has been GNOME 3, Zorin Desktop can do that as well. Zorin Desktop is a veritable chameleon when it comes to change. With the Zorin Desktop, you can easily switch between a Windows 7/XP, macOS, Unity, or GNOME 2/3 interface — without having to install a single third-party piece of software.
It’s that Windows 7-like appearance that should attract new users. ZorinOS does a better job of mimicking Windows 7 than any other Linux desktop. So if you miss Windows 7, ZorinOS might be your next platform.
Let’s look at what Zorin OS offers that might make you want to flip the switch and finally either migrate to Linux or switch distributions.
The versions
It’s important to note that Zorin OS 12 is a complete rebuild from previous versions. Because of this, there may be bugs. Upon installation of Zorin OS Core, I’ve yet to experience a bug, but as with any major release, they will occur.
Zorin OS comes in three different flavors: Ultimate, Core, and Lite. Which version you select will depend on your hardware, how much software you want preinstalled, which desktop you want, and whether or not you require support.
The Lite Version
The Lite version is free and is streamlined to work on older, less-powered hardware. Zorin claims their Lite version will run on hardware up to 14 years old. This version includes a lite version of the Zorin Desktop, LibreOffice, PlayOnLinux (via Wine), and the standard collection of Linux tools (e.g., terminal window, settings, multimedia viewer, etc.). With the Lite version, the developers moved away from the previous LXDE base and opted for a base of Xfce. This change allows the Zorin Lite desktop to better resemble the more powerful/flexible desktops of Core and Ultimate. One thing missing from the Lite version, however, is the ability to easily switch between desktop layouts. So, if you’re looking for the ability to switch desktops, Lite might not be what you want.
Step up to the Core version, and you get the real ZorinOS experience. Out of the box, Zorin Desktop (based on GNOME) is set up to resemble Windows 7 (Figure 1).
Figure 1: The default ZorinOS desktop.
Want to switch to a different type of Windows look (one that more closely resembles Windows XP) or even a standard GNOME desktop? Click on the Z menu (in the left corner of the desktop) and then click Settings. From within the Settings window, click Zorin Appearance. In the resulting window (Figure 2), you can configure your desktop to perfectly suit your needs.
Figure 2: The Zorin Desktop Appearance tool in action.
Along with the ability to theme the desktop, the Core version offers a more suitable platform for getting your work done. You will still find LibreOffice (as in the Lite version), as well as the standard tools that come along with the GNOME desktop, the GIMP image editor, Pitivi video editor, Samba (with included file manager integration), Geary email client, Empathy messaging app, Chromium web browser, and more.
Speaking of web browser, Zorin includes a tool that every Linux distribution should have: the Zorin Web Browser Manager. With this app, users can easily install Firefox, Midori, or Epiphany. At one point, this tool also included Chrome, but it seems that is no more. You can click on the Z menu, go to Internet, and then click Zorin Web Browser Manager to easily install your browser of choice (Figure 3).
Figure 3: If you don’t like the default web browser, you can quickly install something different.
As I mentioned earlier, ZorinOS 12 (the latest release being 12.2) is a complete rewrite from previous versions. ZorinOS 11 also offered users the ability to switch to other styles of desktops, but it depended upon Avant Window Navigator (AWN) to do so. AWN is a dock-like bar that can be configured, in both form and function, to behave exactly as you like it. With ZorinOS 12, AWN is no more. From what I’ve seen so far, that choice has paid off in spades.
Although the ZorinOS 12.2 dock isn’t nearly as configurable as it was in the 11th iteration, it’s much more stable. I remember, in previous iterations of the Zorin Desktop, when you switched from one style to another, the desktop could come to a crashing halt in doing so. Now, the switch is smooth as butter, and it’s dependable. This is all thanks to the GNOME base (which is one of the most stable desktops on the market). Speaking of GNOME… regardless of which style of desktop you choose, you have access to the GNOME Activities Overview. This is a great addition for those who multitask and use virtual desktops. How you get to the Activities Overview will depend upon which style of desktop you are using. If you’re working on either the Windows 7 or XP styles, click on the Z button and then click Activities Overview to open the tool (Figure 4). If you’re using the straight-up GNOME interface, just click the Activities button at the top left corner of the desktop.
Figure 4: The GNOME Activities overview as seen from the Windows 7 style Zorin Desktop.
The PlayOnLinux inclusion should not be overlooked. Considering that ZorinOS is aimed primarily at users hoping to migrate from Windows, having the ability to easily install Windows applications is a serious bonus. Open up the tool, click Install a Program, select a category, find the software you want to install (Figure 5), and click Install. It’s that easy. Do note that many of the software titles found in PlayOnLinux require installation media (be it physical media or a downloaded file).
Figure 5: PlayOnLinux offers the ability to install plenty of games and other types of Windows-specific software.
The inclusion of PlayOnLinux also makes Zorin OS a much more flexible platform. Developers, designers, artists — users of nearly every ilk — will have more tools at their disposal.
The Core version can be downloaded for a donation of 5, 10, or 25 Euros, or a custom donation, from the ZorinOS Download page.
The Ultimate Version
If you’re looking for a version of Zorin OS that packs everything (even the kitchen sink), Zorin OS Ultimate is what you want. This version includes everything from Zorin OS Core and adds the following:
MIXXX DJ Software
Blender 3D Suite
LMMS Music producer
KDEnlive Video Editor
MyPaint
Ardour Audio Workstation
Audacity Sound Editor
Inkscape Vector Editor
Builder IDE
Over 20 games
Added MacOS, GNOME 3, and Unity desktop layouts
Video wallpapers
Zorin Support (directly from the team of Zorin developers)
Understand that many of the above included software titles can be installed on the Core version (for free). The only thing you won’t find are the optional desktops, the video wallpaper, and the support — for those you must pay up for the Ultimate edition. All of the above can be had for a mere 19 Euros. For business users, that added support option will be key. From a user perspective, having the MacOS, Unity, and GNOME 2.x interfaces could be a real deal maker.
Windows, macOS, and GNOME users unite
No matter your desktop of choice, chances are you will feel right at home on the Zorin Desktop. With the latest release, ZorinOS has done a remarkable job of taking something that was already impressive and made it more stable, more usable, and more accessible than ever. If you’re a Windows 7 user, dreading having to migrate to Windows 10, you no longer have to sweat that change. Adopt ZorinOS 12 and keep working as you’ve done for years.
Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.