
OpenWhisk System Overview

OpenWhisk is an event-driven compute platform (also referred to as serverless computing or Function as a Service, FaaS) that runs code in response to events or direct invocations. The following figure shows the high-level OpenWhisk architecture.

Examples of events include changes to database records, IoT sensor readings that exceed a certain temperature, new code commits to a GitHub repository, or simple HTTP requests from web or mobile apps. Events from external and internal event sources are channeled through a trigger, and rules allow actions to react to these events.

Read more at GitHub

Secure your Samba Authentications Automatically via OpenVPN

Samba 4 has become the tool of choice to provide Linux-based identity management to diverse clients.

However, a growing number of organizations offer work-from-home options and manage distributed operations, such as construction companies with a computer at every construction site or a medical service provider with one-person doctors' offices.

If these companies want to enjoy the advantages of single sign-on and policies that Samba provides, a VPN solution, which starts before the login, needs to be added to the domain. This how-to will describe how to add OpenVPN to an existing Samba 4 installation to automatically secure client authentications over an untrusted network.

Prerequisite

Most Linux distributions come with the needed software preinstalled. For this tutorial, we assume that you already have Samba 4 and a certificate authority installed on your server. If you are looking for a distribution with Samba 4 and a certificate authority integrated, you can quickly spin up a Univention Corporate Server (UCS), which also makes user management easy. On Debian or Ubuntu, you can use the easy-rsa tools to create the certificate authority manually.

The article https://www.linux.com/learn/intro-to-linux/2017/3/build-real-vpn-openvpn provides an introduction to setting up OpenVPN's PKI.

Further, the OpenVPN documentation, on Debian at /usr/share/doc/openvpn/examples/easy-rsa/2.0/, provides many useful tools for setting up a certificate authority for OpenVPN.

The server or virtual machine needs a fixed IP address, or must use a service such as DynDNS, so that it can be reached from the Internet without additional steps on the part of the end user.

Installing OpenVPN

OpenVPN is an open source virtual network daemon whose client allows a computer to access a remote server securely. Most distributions include OpenVPN in their repositories, so it can be installed using the package management system. On Debian-based systems such as Debian, Ubuntu, or UCS:

$ sudo apt-get install openvpn

Configuring OpenVPN Server

When OpenVPN starts, it scans the directory /etc/openvpn for files ending in “.conf” and starts a separate server process for each of them. Thus the following configuration, saved as “/etc/openvpn/clientconnect.conf”, will be started automatically when OpenVPN is restarted.

Please note that lines starting with “#” are comments and that you will need to change values depending on your environment.

## The following entries should point to your certificate information.
## Encryption parameters
dh /etc/openvpn/dh2048.pem
## Certificate Authority Certificate
ca /etc/univention/ssl/ucsCA/CAcert.pem
## Server Certificate
cert /etc/univention/ssl/master/cert.pem
## Private key for the Server Certificate
key /etc/univention/ssl/master/private.key
## Certificate Revocation List
crl-verify /etc/openvpn/crl.pem

## Encryption cipher to use for the VPN
cipher AES-256-CBC

## Compression algorithm to use
comp-lzo

## Persistent endpoint addresses
## Always give the same IP to a device
ifconfig-pool-persist ipp.txt

## Push route for the server network
push "route 10.210.0.0 255.255.0.0"
push "redirect-gateway def1"

## Set the current server as the DNS server for domain server
## Change the IP to the internal IP of the server
push "dhcp-option DNS 10.210.140.219"
## Push the server's domain as DNS domain
push "dhcp-option DOMAIN outsidevpn.univention.com"

## Additional server configuration
keepalive 10 120
persist-key
persist-tun

## Configure the logfile and the verbosity
verb 1
mute 5
status /var/log/openvpn-status.log

## The port on which the VPN Server should listen on
port 1194

## The network to use for communication within the VPN
server 172.24.1.0 255.255.255.0

## Additional network settings
management /var/run/management-udp unix
dev tun
topology subnet
proto udp

In most cases the Diffie-Hellman parameters file has to be created first. The matching command is:

For UCS:

$ sudo openssl dhparam -out "/etc/openvpn/dh2048.pem" 2048

For Debian/Ubuntu:

$ sudo ./easyrsa gen-dh

On UCS, the certificate revocation list has to be downloaded and converted from DER to PEM format for the crl-verify directive above:

sudo -- sh -c "/usr/bin/wget -qO /etc/openvpn/ca.crl http://$(/usr/sbin/ucr get ldap/master)/ucsCA.crl && /usr/bin/openssl crl -inform der -outform pem -in /etc/openvpn/ca.crl -out /etc/openvpn/crl.pem"

Since certificates may be revoked when they are compromised, it is advisable to set up a cron job that periodically downloads and converts the list again.
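The one-liner above works, but run unattended from cron it has a failure mode worth handling: if the download fails or returns something that is not a CRL, the openssl conversion step leaves you without a usable crl.pem, and OpenVPN then rejects every client. The following script is an added example (not part of the original article, nor UCS or OpenVPN code) that fetches the DER CRL, checks that it parses, optionally verifies its signature against the CA certificate (the download is over plain http), converts it to PEM and only then replaces the live file atomically. The script name refresh-crl.sh, the function names and the acceptance of a local path as source (so the functions can be exercised offline) are assumptions of this example; the UCS paths in the usage line are the ones used in the article.

```shell
#!/bin/sh
# refresh-crl.sh (constructed example): fetch the CA's DER-encoded CRL, validate
# it, convert it to PEM for OpenVPN's crl-verify directive and replace the live
# file atomically. On any failure the previous crl.pem is left untouched.
#
# Usage from cron, with the UCS paths used in the article:
#   sh refresh-crl.sh "http://$(ucr get ldap/master)/ucsCA.crl" \
#       /etc/openvpn/crl.pem /etc/univention/ssl/ucsCA/CAcert.pem

# fetch_der_crl SOURCE DEST: SOURCE is normally an http(s) URL. A local path is
# also accepted so the function can be tested offline (assumption of this example).
fetch_der_crl() {
    case "$1" in
        http://*|https://*) wget -qO "$2" "$1" ;;
        *) cp "$1" "$2" ;;
    esac
}

# fail MESSAGE: report, clean up the scratch files and signal failure.
fail() {
    echo "refresh_crl: $1; keeping existing $dest" >&2
    rm -rf "$workdir" "$pem"
    return 1
}

# refresh_crl SOURCE DEST_PEM [CA_CERT]
# Returns 0 and replaces DEST_PEM on success; returns 1 and leaves DEST_PEM
# untouched otherwise. With CA_CERT the CRL signature is checked as well.
refresh_crl() {
    src="$1"; dest="$2"; ca="${3:-}"
    workdir=$(mktemp -d) || return 1
    der="$workdir/ca.crl"
    pem="$dest.tmp.$$"   # same directory as DEST so the final mv is atomic

    fetch_der_crl "$src" "$der" 2>/dev/null && [ -s "$der" ] \
        || { fail "download of $src failed"; return 1; }

    # The file must parse as a DER CRL before anything is touched; an empty or
    # truncated crl.pem would make the server reject every client.
    openssl crl -inform der -in "$der" -noout 2>/dev/null \
        || { fail "downloaded file is not a DER-encoded CRL"; return 1; }

    # Optional signature check. 'openssl crl -CAfile' reports "verify OK" on
    # stderr but does not change its exit status, so the message is grepped.
    if [ -n "$ca" ]; then
        openssl crl -inform der -in "$der" -noout -CAfile "$ca" 2>&1 | grep -qx 'verify OK' \
            || { fail "CRL signature does not verify against $ca"; return 1; }
    fi

    openssl crl -inform der -in "$der" -outform pem -out "$pem" 2>/dev/null && [ -s "$pem" ] \
        || { fail "conversion to PEM failed"; return 1; }

    # World-readable is fine (a CRL is public); the server process may not be root.
    chmod 644 "$pem" && mv -f "$pem" "$dest" \
        || { fail "could not install $dest"; return 1; }
    rm -rf "$workdir"
    return 0
}

# Run only when invoked as a script, not when sourced for testing.
if [ "${0##*/}" = "refresh-crl.sh" ]; then
    refresh_crl "$@"
fi
```

OpenVPN 2.4 and later re-read the file named by crl-verify when it changes, so the cron job does not need to restart the server; on older versions, follow a successful refresh with a reload. A refresh interval shorter than the CA's CRL validity period keeps a revoked client certificate from being accepted longer than necessary.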

Firewall

You might also need to open the port in the firewall. Please note that the article assumes the port in the configuration above remains unchanged; if you changed it, adapt the following commands as well.

On UCS, that can be achieved using the configuration registry:

$ sudo ucr set security/packetfilter/udp/1194/all=ACCEPT
$ sudo service univention-firewall restart

On Debian and Ubuntu you can manually add the port to your iptables configuration:

$ sudo iptables -A INPUT -p "udp" --dport 1194 -j ACCEPT

Creating the Client Configuration

The client configuration consists of two parts: the client certificates and the configuration file.

The client certificates are easy to set up.

On Debian/Ubuntu servers the following command creates the certificates for a single client:

$ sudo /usr/share/doc/openvpn/examples/easy-rsa/2.0/pkitool clientname

On the UCS master, the following commands create the certificates for all current and future clients. They are saved under “/etc/univention/ssl/”:

$ sudo ucr set ssl/host/objectclass='univentionDomainController,univentionMemberServer,univentionClient,univentionMobileClient,univentionCorporateClient,univentionWindows'
$ sudo univention-directory-listener-ctrl resync gencertificate

The client configuration file itself is the same for every system. Adapt the following settings according to your needs and save it as clientconfig.ovpn:

## client protocol and devices
client
dev tun
proto udp

## Server address and port
## Change to match your external address
remote 52.211.178.248 1194

## Hostname of the server
verify-x509-name master name-prefix

## Client configuration
resolv-retry infinite
nobind
persist-key
persist-tun

## Certificate names and locations
ca CAcert.pem
cert cert.pem
key private.key

## Encryption configuration
cipher AES-256-CBC
comp-lzo

## Logging verbosity
verb 3

Copy this configuration file, the root CA certificate (on UCS /etc/univention/ssl/ucsCA/CAcert.pem), and the client certificate and key to C:\Program Files\OpenVPN\config\clientconfig on the client.
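Most problems with this setup come from the two configuration files drifting apart: a changed port, protocol or cipher on one side only, or compression enabled on only one side. The script below is an added example (not from the original article) that cross-checks a server configuration against the client file it is meant for and also confirms that the security-relevant directives both files rely on (crl-verify and dh on the server, ca/cert/key and verify-x509-name on the client) are present. The script name check-ovpn-pair.sh and the helper names are assumptions of this example; the directives checked are the ones used in the two configurations above.

```shell
#!/bin/sh
# check-ovpn-pair.sh (constructed example): cross-check an OpenVPN server
# configuration against the client configuration it is meant to be used with.
# Prints one line per finding and returns the number of findings, so a return
# value of 0 means the pair is consistent.

# directive FILE NAME [FIELD]: print field FIELD (default 2) of the first
# non-comment line whose first word is NAME; prints nothing if NAME is absent.
directive() {
    awk -v name="$2" -v field="${3:-2}" \
        '/^[ \t]*[#;]/ { next } $1 == name { print $field; exit }' "$1"
}

# has_directive FILE NAME: succeed if NAME appears as a directive in FILE.
has_directive() {
    awk -v name="$2" \
        '/^[ \t]*[#;]/ { next } $1 == name { found = 1 } END { exit !found }' "$1"
}

# note MESSAGE: record one finding.
note() {
    echo "  - $1"
    findings=$((findings + 1))
}

# check_ovpn_pair SERVER_CONF CLIENT_CONF
check_ovpn_pair() {
    server="$1"; client="$2"; findings=0
    echo "checking $server against $client"

    # Port: the server's 'port N' must match the client's 'remote HOST N'
    # (OpenVPN defaults to 1194 on both sides when the port is omitted).
    sport=$(directive "$server" port); cport=$(directive "$client" remote 3)
    [ "${sport:-1194}" = "${cport:-1194}" ] \
        || note "port mismatch: server listens on ${sport:-1194}, client connects to ${cport:-1194}"

    # Protocol: both sides must agree on udp or tcp.
    sproto=$(directive "$server" proto); cproto=$(directive "$client" proto)
    [ "${sproto:-udp}" = "${cproto:-udp}" ] \
        || note "proto mismatch: server ${sproto:-udp}, client ${cproto:-udp}"

    # Cipher: with a mismatch the TLS handshake succeeds but data packets
    # fail to decrypt, which is confusing to diagnose from the client side.
    scipher=$(directive "$server" cipher); ccipher=$(directive "$client" cipher)
    [ "$scipher" = "$ccipher" ] \
        || note "cipher mismatch: server '${scipher:-(default)}', client '${ccipher:-(default)}'"

    # Compression must be enabled on both sides or on neither.
    if has_directive "$server" comp-lzo; then sc=yes; else sc=no; fi
    if has_directive "$client" comp-lzo; then cc=yes; else cc=no; fi
    [ "$sc" = "$cc" ] || note "comp-lzo set on server=$sc, client=$cc"

    # Material each side must reference: without crl-verify the server never
    # learns about revoked clients; without verify-x509-name the client would
    # accept any certificate issued by the CA as the server.
    for d in dh ca cert key crl-verify; do
        has_directive "$server" "$d" || note "server lacks '$d'"
    done
    for d in ca cert key verify-x509-name; do
        has_directive "$client" "$d" || note "client lacks '$d'"
    done

    echo "$findings finding(s)"
    return "$findings"
}
```

Run it as `sh check-ovpn-pair.sh` after sourcing, or call `check_ovpn_pair /etc/openvpn/clientconnect.conf clientconfig.ovpn` before handing the client file out; a non-zero return value tells a deployment script to stop.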

Autostart the VPN Client

To start OpenVPN automatically on the client, open the Control Panel, select “small icons”, go to Administrative Tools and then Services.

There, choose the OpenVPN service, right-click it, open Properties, and change the startup type to Automatic. At the next reboot, the OpenVPN configuration from above will start automatically.

Domain Join

Because NetBIOS is not transferred over the tunnel without additional manual changes, the domain join has to be completed using the full domain name.

After a reboot, you should be able to log in to the client as a domain user.

Security Consideration

While the setup provides the most convenient way of connecting a computer to an offsite Samba-based domain controller, it also presents a risk.

A stolen PC will always have access to the domain, allowing a thief to try numerous user name and password combinations. Strong password policies can help to minimize the risk, as can organizational policies for handling stolen computers. Extending the setup with smart card encrypted certificates, however, would be the most secure option.

Conclusion

Automating the VPN connection in conjunction with Samba-based DCs provides convenient, yet secure access to central authentication and policy services. This technique allows offsite users and computers to authenticate with centralized credentials and to load domain-wide settings, which in turn helps to enforce compliance policies. At the same time, it improves the user experience by reducing the number of credentials and steps needed to start productive work. In conjunction with UCS, the combination of OpenVPN and Samba additionally provides an easy-to-manage Linux-based identity management solution.

3 Developers Explain Why They Attend ApacheCon

ApacheCon North America is right around the corner. Everyone is looking forward to this year’s event May 16-18 in Miami. There’s plenty new to see, hear, and do this year but that’s not the only attraction for developers.

The annual conference of The Apache Software Foundation is where users and contributors meet face-to-face to collaborate on the next generation of cloud, Internet, and Big Data tech. The Apache community is huge and has upwards of 4500 committers. There is ample opportunity to meet MVPs and project heroes plus swap war stories with fellow developers in the trenches.

However, the benefits of attending aren’t left behind at the conference. Here are three developers explaining why they attend ApacheCon and how they continue to benefit long after they’ve returned home.

To connect and network with the big players

“Whether you are looking for support for Hadoop, consultants for the HTTP Server, someone to help you hack on a plugin for Tomcat, have an exciting business proposal to share with others, or just someone to help you debug why CloudStack doesn’t do this or that, you can be pretty sure someone will know about it and be able to help you. It really is the who’s who of Apache software.” — Daniel Gruno, Chief Innovations Officer at Quenda.

Continue the conversation in the flesh

“One of the big reasons I attend is to meet with people I work with remotely year after year. The Apache Software Foundation is a huge network of people, the majority of whom work on Apache projects for love, not money, and from the bottom of their gardens, on trains, or elsewhere. To meet these people in the flesh provides a human aspect that discussions over email lack and helps foster relations for work in the future.” — Tom Barber, NASA JPL, Apache OODT Chair.

And strengthen bonds for real-world payoffs

“By meeting other people in my communities, we’ve been able to strengthen community bonds and work through interpersonal problems that were much more complicated via email. Putting faces to names and email addresses makes future online interaction seems more personal. I learned about features and projects that I hadn’t had time to learn on my own time, in high-bandwidth technical sessions. We also worked on closing bugs in focused hackathon sessions where we could discuss changes quickly and without the time-lag of email.” — Rich Bowen, VP Conferences at The Apache Software Foundation.

Which lead to work opportunities in the future

“ApacheCon got me where I am, professionally — I owe a lot of my life to Apache! It enabled me to meet my personal heroes in the software world and get exposed to the greater Apache community. It also taught me a great deal about how the greater Apache community is held together and how each piece in the machinery works. It created business opportunities and helped launch a ton of ideas I had rummaging around in my head, turning them into either helpful services or in some cases, new Apache projects with all the help and support that comes with being involved in Apache. At ApacheCon, you really get an excellent opportunity to scratch that itch you’ve been having for a while, and get professional and insightful people to help you out — for free!” — Daniel Gruno, Chief Innovations Officer at Quenda.

Plus, it’s just fun to go

“I first attended in 2012, and I’ve been to every ApacheCon since, it’s just that good — and addictive,” said Gruno.

“I’ve been attending ApacheCon since the event in Orlando in 2000, and have only missed one since then. ApacheCon is the highlight of my year, and I hope to be attending it for many years to come,” added Bowen.

And the more the merrier.

“It’s a fantastic event run by dedicated and enthusiastic staff at great locations, if you want to learn about the Apache Software Foundation and a lot of the projects it stewards there is no better place. This year I’m not speaking, instead I’m bringing people along because I think it’s important for them to understand how the ASF works and learn and this is the event to do it at,” said Barber.

Learn first-hand from the largest collection of global Apache communities at ApacheCon 2017, May 16-18 in Miami, Florida. ApacheCon features 120+ sessions including five sub-conferences: Apache: IoT, Apache Traffic Server Control Summit, CloudStack Collaboration Conference, FlexJS Summit and TomcatCon. Secure your spot now! Linux.com readers get $30 off their pass to ApacheCon. Select “attendee” and enter code LINUXRD5. Register now.

What Is Docker and Why Is It So Darn Popular?

If you’re in data center or cloud IT circles, you’ve been hearing about containers in general and Docker in particular non-stop for a few years now. With the release of Docker 1.0 in June 2014, the buzz became a roar.

Three years later, Docker is bigger than ever. Forrester analyst Dave Bartoletti thinks only 10 percent of enterprises currently use containers in production now, but up to a third are testing them. 451 Research agrees. By 451’s count, container technologies, most of it Docker, generated $762 million in revenue in 2016. In 2020, 451 forecasts revenue will reach $2.7 billion, for a 40 percent compound annual growth rate (CAGR).

So why does everyone love containers and Docker? James Bottomley, formerly Parallels' CTO of server virtualization and a leading Linux kernel developer, explained that VM hypervisors, such as Hyper-V, KVM, and Xen, are all “based on emulating virtual hardware. That means they’re fat in terms of system requirements.”

Read more at ZDNet

10 More Quick Tips to Make Linux Networking Easier

If you either work on a Linux desktop, or administer a Linux server, there might be times when frustration sets in over networking issues. Although Linux has made significant advances over the years, there are still instances where the standard troubleshooting or optimizations won’t work. To that end, you need to have some tricks and tips up your sleeve to make your life easier.

As an update to my original 10 quick tips to make Linux networking easier, I happen to have a few different tricks that I wanted to share with you. Hopefully one or more of these will assist you in configuring, optimizing, or troubleshooting your Linux network woes.

Read more at TechRepublic

Open Source Helping Solve Humanity’s Greatest Challenges

While the original idea behind open-source software was to make licenses easier to share, it quickly developed into a new way of teaching individuals and organizations how to collaborate, forming common communities. Today, most innovation that occurs is happening via open-source communities.

“Now, [open source] is permeating almost every human endeavor to solve new challenges,” said Tim Yeaton, executive vice president of corporate marketing at Red Hat Inc.

In almost every field — including healthcare, education and agriculture — open source has moved from a basic collaboration mechanism to build better software to the front of innovation for technology, Yeaton stated.

Read more at SiliconAngle

So You Want to Onboard a DevOps/WebOps Engineer/Consultant

At the moment everyone seems to be so concerned with recruiting DevOps Engineers but I feel the process of on-boarding them is still very hit and miss especially in busy organisations.

Making it easy to get work done from day one

Reduce the time spent learning the peculiarities of certain environments rather than improving or iterating on them.

Here are some easy tips on how to make your environment easy to onboard:

Read more at GitHub

The IDAR Graph: An Improvement Over UML

UML (Unified Modeling Language) [6] is the de facto standard for representing object-oriented designs. It does a fine job of recording designs, but it has a severe problem: its diagrams don’t convey what humans need to know, making them hard to understand. This is why most software developers use UML only when forced to [1].

For example, the UML diagrams in figures 1 and 2 portray the embedded software in a fax machine. While these diagrams are attractive, they don’t even tell you which objects control which others. Which object is the topmost controller over this fax machine? You don’t know. Which object(s) control the Modem object? You don’t know.

Read more at ACM Queue

Why the Next 10 Days Are Critical to the Internet’s Future

FCC Chairman Ajit Pai has announced his intention to gut net neutrality. His goal is clear: to overturn the 2015 order and create an Internet that’s more centralized. The FCC will vote to move his proposal forward on May 18 — just 10 days from today.

Net neutrality is about more than packets and data — it’s about upholding free speech, competition, innovation and user choice. To be clear:

Net neutrality is fundamental to free speech. Without net neutrality, big companies could censor your voice and make it harder to speak up online. Net neutrality has been called the “First Amendment of the Internet.”

Net neutrality is fundamental to competition. Without net neutrality, big Internet service providers can choose which services and content load quickly, and which move at a glacial pace. That means the big guys can afford to buy their way in, while the little guys are muscled out.

Read more at Mozilla

This Week in Open Source News: EdgeX Foundry Garners Attention, OSS Security Holes Abound & More

This week in open source and Linux news, EdgeX Foundry is picking up attention among “cloud players,” a recently published study finds many security issues in OSS, and more! Keep reading, stay in the know.

1) Cloud players are getting serious about Edge Computing and efforts like EdgeX Foundry are a “step in the right direction.”

Linux Foundation Announces EdgeX Foundry To Drive Standardization of Edge Computing – Forbes

2) New study finds high number of ubiquitous open source security issues.

Open Source Security Audit ‘Should Be a Wake-Up Call’ – ADT Magazine

3) New research comparing acceptance rates of contributions from men and women in an OSS community finds women’s contributions accepted more often than men’s — except when gender is identifiable.

Study Finds Gender Bias in Open-Source Programming – Phys.org

4) The latest version of Linux has been released under the moniker “Fearless Coyote.”

New Features and Fixes in Linux 4.11 – SDTimes

5) New white paper by The Linux Foundation seeks to examine how [standards and open source] can live in harmony.

Linux Foundation Zeros in on Harmonizing Open Source, Standards – FierceWireless