Any OpenStack installation that hosts services and VMs for several customers poses a challenge for the security-conscious admin. Hardening the overall system can turn the porous walls into a fortress – but you’ll need more than a little mortar.
One of the biggest concerns about virtualization is that an attacker could succeed in breaking out of the virtual machine (VM) and thus gain access to the resources of the physical host. The security of virtual systems thus hinges on the ability to isolate resources of the various VMs on the same server.
A simple thought experiment shows how important it is that the boundaries of VM and host are not blurred. Assume you have a server that hosts multiple VMs that all belong to the same customer. In this scenario, a problem occurs if a user manages to break out from a VM and gain direct access to the server: In the worst case, the attacker now has full access to the VMs on the host and can access sensitive data at will, or even set up booby traps to fish for even more information.
To gain unauthorized access, attackers need to negotiate multiple obstacles: First, they must gain access to the VM itself. If all VMs belong to the same customer and the same admins regularly maintain them, this risk is minimized, but it cannot be ruled out. In the second step, an attacker needs to negotiate the barrier between the VM and the host. Technologies such as SELinux can help to minimize the risks of an attacker crossing the VM barrier.
In this article, we’ll talk a bit about Docker Volumes and networking. To create a volume, we use the docker volume create command. And, to list the volumes, we use the docker volume list command.
To mount the volume inside a container, we need to use the -v option with the docker container run command. For example, we can mount the myvol volume inside the container at the /data location. After moving into the /data folder, we create two files there.
Next, we come out of the container and create a new container from the busybox image, but mounting the same myvol volume. The files that we created in the earlier container are available under /data. This way, we can share the content between the containers using the volumes. You can watch both of the videos below for details.
To review Docker networking, we first create a container from the nginx image. With the docker container inspect command, we can get the container’s IP address, but that IP address would be given by the docker0 bridge, which would not be accessible from the external world.
To access the container from the external world, we need to do port mapping between the host port and the container port. So, with the -p option added to the docker container run command, we can map the host port with the container port. For example, we can map Port 8080 of the host system with Port 80 of the container.
Once the port is mapped, we can reach the container from outside by connecting to the Docker host on Port 8080; the host accepts the connection and forwards it to Port 80 inside the container.
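The two things the walkthrough above sets up, a named volume shared between containers and a host port published with `-p`, are exactly what an admin later wants to audit, because a published port is reachable from outside the host and a shared volume lets every container that mounts it read what the others wrote. The following script is an added example, not code from the tutorial or from Docker: it parses the JSON that `docker container inspect` prints (a list with one object per container) and reports bridge IPs, published ports and shared volumes. The inspect document below is constructed to mirror the tutorial's scenario (two busybox containers mounting `myvol` at `/data`, an nginx container started with `-p 8080:80`) plus one extra container with a loopback-only mapping and a writable bind mount; container names, IPs and paths are made up.

```python
"""Audit `docker container inspect` output for published ports and shared volumes."""
import json
import sys

# Constructed sample: the key layout follows real inspect output, the values do not
# come from any real system.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/busy1",
     "Mounts": [{"Type": "volume", "Name": "myvol", "Destination": "/data", "RW": True}],
     "NetworkSettings": {"Ports": {},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.2"}}}},
    {"Name": "/busy2",
     "Mounts": [{"Type": "volume", "Name": "myvol", "Destination": "/data", "RW": True}],
     "NetworkSettings": {"Ports": {},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.3"}}}},
    {"Name": "/web",
     "Mounts": [],
     "NetworkSettings": {"Ports": {"80/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.4"}}}},
    {"Name": "/admin",
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}],
     "NetworkSettings": {"Ports": {"9000/tcp": [{"HostIp": "127.0.0.1", "HostPort": "9000"}],
                                   "22/tcp": None},
                         "Networks": {"bridge": {"IPAddress": "172.17.0.5"}}}},
])


def bridge_ip(container):
    """Address on the default docker0 bridge; only reachable from the host itself."""
    nets = container.get("NetworkSettings", {}).get("Networks", {})
    return nets.get("bridge", {}).get("IPAddress")


def published_ports(container):
    """(container_port, host_ip, host_port) for every -p mapping.

    A port the image merely EXPOSEs but nobody published shows up with a null
    binding list, so it is skipped here.
    """
    result = []
    ports = container.get("NetworkSettings", {}).get("Ports") or {}
    for cport, bindings in sorted(ports.items()):
        for binding in bindings or []:
            result.append((cport, binding["HostIp"], binding["HostPort"]))
    return result


def shared_volumes(containers):
    """Map each named volume to the (sorted) list of containers mounting it."""
    users = {}
    for c in containers:
        for mount in c.get("Mounts", []):
            if mount.get("Type") == "volume":
                users.setdefault(mount["Name"], []).append(c["Name"])
    return {name: sorted(names) for name, names in users.items()}


def audit(inspect_json):
    """Return human-readable findings for a list of inspected containers."""
    containers = json.loads(inspect_json)
    findings = []
    for c in containers:
        for cport, host_ip, host_port in published_ports(c):
            # -p HOST:CONTAINER without an address binds to every host interface.
            if host_ip in ("0.0.0.0", "::"):
                findings.append(
                    f"{c['Name']}: {cport} published on all interfaces ({host_ip}:{host_port}); "
                    f"use -p 127.0.0.1:{host_port}:{cport.split('/')[0]} if only local access is needed")
        for mount in c.get("Mounts", []):
            # A writable bind mount hands the container a piece of the host filesystem.
            if mount.get("Type") == "bind" and mount.get("RW"):
                findings.append(
                    f"{c['Name']}: host path {mount['Source']} bind-mounted writable at {mount['Destination']}")
    for vol, names in shared_volumes(containers).items():
        if len(names) > 1:
            findings.append(
                f"volume {vol} is shared by {', '.join(names)}; data written by one is visible to the others")
    return findings


if __name__ == "__main__":
    # Usage: docker container inspect web busy1 busy2 | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for finding in audit(text):
        print(finding)
```

Piping the output of `docker container inspect` for all running containers through the script gives a quick picture of what the `-p` and `-v` options in the tutorial actually opened up on a host.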
This online course is presented almost entirely on video, and the material is prepared and presented by Neependra Khare (@neependra), Founder and Principal Consultant at CloudYuga, Docker Captain, and author of the Docker Cookbook.
This week in open source and Linux news, GitHub takes their Friday enthusiasm beyond casual Friday in creating a weekly “Open Source Day”, a new Linux Foundation Project was announced, and much more! Read on, stay open-source-informed.
1) GitHub encourages companies to devote time every Friday for their employees to work on open source projects.
Over the years, Arch Linux has had the misfortune of being maligned as one of the more challenging modern Linux distributions. That’s a shame, because Arch Linux is one of the most solid distributions you’ll find. Nonetheless, new users finding their way over to the official Arch Linux installation guide may choose to return to the likes of Ubuntu or Linux Mint. Now, however, there are other options, due to the release of some very user-friendly takes on the Arch Linux distribution, including Antergos.
According to the official website, the purpose of Antergos is:
…to provide a modern, elegant, and powerful operating system based on one of the best Linux distributions available, Arch Linux. Users need not be linux experts nor developers in order to use Antergos. From long-time linux users to linux users of only a few months, Antergos is for everyone.
After giving Antergos a thorough kick of the tires, I have to say, the developers have done a remarkable job in making Arch Linux accessible to the masses. There’s not one thing in the way of preventing the average user from getting the most out of this distribution. In fact, there are a couple of tricks up the old Antergos sleeve that other distros might want to note.
Let me explain.
Installation
The bulk of the installation is really nothing new. It’s incredibly simple (as we have come to know and love with most Linux distributions), and it’s about as streamlined as an operating system installation can get. During the installation, however, the user is given a couple of very interesting choices (one of which takes me back about 15 years). The first choice (the one that hearkens back to the earlier days of Linux), gives the user a choice of which desktop environment they’d like to use. The choices are (Figure 1) Base (console only), Cinnamon, GNOME, KDE, MATE, Openbox, and Xfce).
Figure 1: Choosing your Antergos desktop is as simple as a single click.
This is an absolutely fantastic addition to an already solid installation. Instead of requiring the user to download a specific ISO image for their desktop of choice, let them download a single ISO and choose their interface during installation. This means users could download that one installation image and install a variety of desktops on different machines. Back in the day, every Linux installation offered multiple choices for desktop environment. I get it, though; most distributions look to save space on downloads, so they opt for different ISO images for each desktop. Antergos proves this can be done while keeping the downloadable image below the 2GB range. The latest release of Antergos is 1.9GB. Compare that to the daily build of Ubuntu 17.10 and you’ll see only a 0.4GB difference in size (Ubuntu 17.10 coming in at 1.5GB). That extra 0.4GB is worth having the added selection.
The next step in the installation that gives the user a unique choice relates to web browsers and a few extras you won’t find in other installations. That’s right, Antergos has made the choice of web browser a step in the installation process (Figure 2).
Figure 2: Selecting your browser during installation.
The selection is limited to only Chromium and Firefox, but you can also enable Flash plugins, Bluetooth, the Arch User Repository, and the LTS kernel. For those who do not know, the LTS kernel is a Long Term Support kernel that keeps receiving bug fixes and security patches even after “standard” support for that version has stopped. With this, you could continue using that particular kernel (all the while receiving minor upgrades and bug fixes), even after the distribution has migrated to the next version of the kernel.
As for the Arch User Repository (AUR), know that it is a repository of packages created solely by users and any use of those packages is at your own risk. For a complete listing of packages that can be found in the AUR, check out this page.
The remainder of the installation is very straightforward. All told, the process takes about 20 minutes (depending upon your hardware).
Usage
Upon reboot, you can log into your Antergos desktop and enjoy. I opted to go with the GNOME desktop (it ships with 3.24.2) and was pleasantly surprised to find the Dash to Dock extension already installed (Figure 3).
Figure 3: The GNOME desktop in all its glory.
The first thing I did (as you should do) was run the update manager. Click on the Show Applications button (the square of dots in the dock) and then type update in the search field. Select Software Update and apply any available updates.
Once I had the system updated, I was greeted by something I’d never before experienced: the Antergos System Message. This message (Figure 4) warned me that an alert containing important system information could be viewed. I clicked on the link to find out there was a critical bug that had been patched. From the alert:
Systems installed by Cnchi prior to v0.14.287 have weaker password hashes than they should. This is only significant if an attacker has a way of obtaining the password hashes. Nevertheless, the security of users’ systems is a serious matter and we feel it’s important that we give our users the information they need to decide what (if any) mitigation actions to take.
Figure 4: Heed the Antergos system alert.
This is important. Not just the bug itself (because it is), but that Antergos is taking the time to alert users as to what is going on under the hood and why these bug fixes are important. I applaud the developers for this added effort—it is welcome and, I believe, necessary.
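The Cnchi alert leaves the decision about mitigation to the user, and that decision is easy to make once you know which crypt(3) scheme each account's hash actually uses. The script below is an added example, not code from the Antergos project or from the alert: it classifies the password field of each line in an /etc/shadow-style file by its hash prefix and reports only the accounts that deserve attention (an obsolete scheme, a sha-crypt hash with a low rounds count, traditional DES crypt, or no password at all). The alert does not say which scheme Cnchi used, so the script makes no assumption about that; the shadow lines are constructed, and the hash strings are placeholders with the correct prefixes rather than real hashes.

```python
"""Report /etc/shadow accounts whose password hash scheme needs attention."""
import sys

# crypt(3) prefix -> (scheme name, still considered strong today)
SCHEMES = {
    "$y$": ("yescrypt", True),
    "$7$": ("scrypt", True),
    "$2b$": ("bcrypt", True),
    "$2y$": ("bcrypt", True),
    "$2a$": ("bcrypt", True),
    "$6$": ("sha512crypt", True),
    "$5$": ("sha256crypt", True),
    "$1$": ("md5crypt", False),
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000  # glibc default; the minimum accepted is 1000

# Constructed sample: placeholder salts and hashes, not taken from any real system.
SAMPLE_SHADOW = """\
root:$6$Qx3vK1bZ$placeholderhash:17600:0:99999:7:::
alice:$y$j9T$placeholdersalt$placeholderhash:17600:0:99999:7:::
bob:$1$ab12cd34$placeholderhash:17600:0:99999:7:::
carol:$6$rounds=1000$saltsalt$placeholderhash:17600:0:99999:7:::
dave:ab9Zk2Lm4pQr1:17600:0:99999:7:::
daemon:*:17600:0:99999:7:::
guest::17600:0:99999:7:::
erin:!$6$lockedsalt$placeholderhash:17600:0:99999:7:::
"""


def _rounds(field):
    """Rounds parameter of a sha-crypt hash, or the glibc default if absent."""
    parts = field.split("$")  # e.g. ['', '6', 'rounds=1000', 'salt', 'hash']
    if len(parts) > 2 and parts[2].startswith("rounds="):
        return int(parts[2][len("rounds="):])
    return SHA_CRYPT_DEFAULT_ROUNDS


def classify(field):
    """Return (scheme, reason) where reason is None if nothing needs attention."""
    if field == "":
        return ("none", "empty password field: login succeeds with no password")
    if field.startswith(("!", "*")):
        return ("locked", None)  # account cannot log in with a password
    for prefix, (scheme, strong) in SCHEMES.items():
        if field.startswith(prefix):
            reason = None if strong else f"{scheme} is obsolete"
            if scheme in ("sha512crypt", "sha256crypt"):
                rounds = _rounds(field)
                if rounds < SHA_CRYPT_DEFAULT_ROUNDS:
                    reason = f"{scheme} with rounds={rounds} (glibc default is {SHA_CRYPT_DEFAULT_ROUNDS})"
            return (scheme, reason)
    if len(field) == 13 and "$" not in field:
        return ("descrypt", "traditional DES crypt: 56-bit key and 8-character password limit")
    return ("unknown", "unrecognised hash format")


def audit_shadow(text):
    """(user, scheme, reason) for every account whose hash needs attention."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        user, field = fields[0], fields[1]
        scheme, reason = classify(field)
        if reason:
            findings.append((user, scheme, reason))
    return findings


if __name__ == "__main__":
    # Usage: sudo python3 shadow_audit.py /etc/shadow  (no argument runs the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, scheme, reason in audit_shadow(text):
        print(f"{user}: {scheme}: {reason}")
```

Accounts the script lists are the ones worth resetting (`passwd <user>` rehashes with the scheme configured in /etc/login.defs or PAM); a clean run means the alert needs no action on that machine beyond applying the update.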
The only warning I will give you is that Antergos does not ship with an office suite pre-installed. That isn’t a problem, as you can simply open up the Add/Remove Software tool, search for LibreOffice, and install with a couple of quick clicks. Currently, the version of LibreOffice available in the repository is 5.3.4-1. This is actually a newer version than you’ll find in, say, Ubuntu 17.10 (which ships with 5.3.3.2).
Cast off those assumptions
Beyond that, you won’t find much in the way of gotchas with Antergos (beyond the lack of an office suite). In fact, using this particular take on Arch Linux does an astounding job of doing away with all the assumptions one might have of Arch Linux and delivers a platform that is rock solid and ready for anyone to use.
If you’re looking for your next Linux distribution, you’d be remiss in not giving Antergos a shot. Download an ISO, burn it to a DVD or USB, select your desktop, and enjoy your seriously impressive desktop.
Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.
Note that registration for DES is included in Open Source Summit registration fees at no additional cost. Anyone in open source who wants to learn more about furthering diversity and inclusion in the community, as well as the broader technology industry, is encouraged to attend.
Onsite resources to increase accessibility to the event include:
Quiet room where conversation and interaction are not allowed
Communication stickers to indicate an attendee’s requested level of interaction
Non-binary restrooms
Strictly enforced Code of Conduct
The full lineup of all Open Source Summit North America sessions, including those at the DES, features more than 200 sessions covering everything from Cloud and Containers, to Security and Networking, to Linux and Kernel Development. Register now & Save $150!
The operations (Ops) required to keep an organization’s increasingly important technical infrastructure up and running is a key part of any company. The roles and duties performed by those working in the Ops space vary widely by company, industry, geography, and infrastructure type. This report looks into what operations professionals do, how much they are compensated, how they are seen within their companies, and how they rate different aspects of their jobs.
Based on the responses, we found that Ops encompasses a wide range of tasks and we saw evidence of shifting roles for Ops professionals. Infrastructure is moving to the cloud, and physical work (like laying cables and racking servers) is on the wane, giving way to tasks that require new types of skills; for example, automation, configuration, virtualization, and containerization. Our survey results provide helpful insights into the skills, tools, experience, and responsibilities that most affect Ops salaries.
Some key points include the following:
The median salary of all respondents is $100,000.
Ops professionals at larger companies earn more money.
Despite working long hours, more than half of respondents said they were happy with their work–life balance.
Read more at O’Reilly. [Registration is required to read the entire article.]
We might start to think about agile approaches as a project change. However, if you want to “scale” agile, the entire culture changes. Here is a list of the series and how everything changes the organization’s culture:
The Container Host *is* the Container Engine, and Container Image Compatibility Matters
Have you ever wondered how containers are so portable? How it’s possible to run Ubuntu containers on CentOS, or Fedora containers on CoreOS? How is it that all of this just magically works? As long as I run the docker daemon on all of my hosts, everything will just work, right? The answer is… no. I am here to break it to you: it’s not magic. I have said it before, and I will say it again, containers are just fancy Linux processes. There is not even a container object in the Linux kernel, and there never has been. So, what does all of this mean?
Staying competitive in the managed services business today means keeping on top of the latest DevOps trends and developments. Here’s a look at how the DevOps world is evolving now.
It’s 2017, and Docker containers and continuous delivery are old news. More innovative developments are now shaping the world of DevOps.
They include:
Serverless computing. Serverless computing is not new. Serverless platforms have been around since the mid-2000s. But modern serverless services, such as AWS Lambda and OpenWhisk, have made serverless computing more accessible and cost-efficient. Organizations seeking leaner, meaner solutions for deploying applications will increasingly look toward serverless computing.
Developers with Canonical pushed out a handful of patches for the Linux-based operating system Ubuntu this week, including one that resolves a bug that could have let an attacker cause a denial of service or execute arbitrary code with a TCP payload.
Chris Coulson, a software and electronics engineer with the company, discovered the vulnerability, an out-of-bounds write (CVE-2017-9445) in Ubuntu’s systemd-resolved system service. The service, part of the systemd init system used in Linux distributions, is a network name resolution manager that provides name resolution to local apps.
Coulson warned earlier this week the bug could affect any Linux distribution running an unpatched version of systemd.