Since Docker democratized software containers four years ago, a whole ecosystem grew around containerization and in this compressed time period it has gone through two distinct phases of growth. In each of these two phases, the model for producing container systems evolved to adapt to the size and needs of the user community as well as the project and the growing contributor ecosystem.
The Moby Project is a new open-source project to advance the software containerization movement and help the ecosystem take containers mainstream. It provides a library of components, a framework for assembling them into custom container-based systems and a place for all container enthusiasts to experiment and exchange ideas.
Let’s review how we got where we are today. In 2013-2014 pioneers started to use containers and collaborate in a monolithic open source codebase, Docker and few other projects, to help tools mature.
Whether you’re taking up programming for the first time, or learning your 50th language, you might ask, “What’s the best way to learn to program?” I surveyed dozens of people who taught themselves to program in Rust as part of my OSCON talk in 2016, and asked the expert autodidacts what advice they would give to others for picking up a new language. I found that despite their diverse backgrounds, all of my interviewees shared five common approaches to building new programming skills.
1. Learn by doing.
Predicting what will happen when your code runs is, perhaps, the essence of programming. The best way to find out what will happen when a piece of code gets modified is to run it before and after that change, and compare the results.
I’ve been working with Docker on a semi-regular basis for a couple months now. I am the technical lead for a product that not only has the usual dev and test, but multiple user-facing deployments. These deployments may have 5 or 50 users (or more), and may be accessed over the internet by external users, or available only on a company intranet with no outside connectivity. Docker seemed to be a good way to streamline the deployments – anywhere Docker can be installed, our software stack can be installed as well.
Twenty-eight years ago, British computer scientist Tim Berners-Lee proposed a system to link text documents across a computer network. It changed the way the world communicates and does business. From its humble beginnings, the Internet has become a complex, dynamic, and heterogeneous environment.
Today, the Internet revolution’s main instrument, the Web browser, exposes users to unbounded malicious content and has become unmanageable.
How did browsers become such a liability? Because they’re based on an ancient set of communication rules, protocols that assume connections are secure and content is safe. The openness and utility of the protocols led to enormous innovation. But today, with all its sophistication, the Web is still based on protocols that weren’t designed for security or enterprise-class management.
nano is a Command Line Interface text editor for GNU/Linux designed to emulate Pico text editor. It is the standard de facto text editor of Linux for system maintainers, comes pre-installed on Ubuntu and its derivative including Linux Mint. It’s fairly advanced for newbies but not too hard to get accustomed to. Well, there is a saying that everything has a learning curve.
MesosCon is an annual conference held in three locations around the globe and organized by the Apache Mesos community in partnership with The Linux Foundation. The events bring together users and developers of the open source orchestration framework to share and learn about the project and its growing ecosystem.
The MesosCon program committee is now seeking proposals for MesosCon North America and MesosCon Europe from speakers with fresh ideas, enlightening case studies, best practices, or deep technical knowledge.
All MesosCon events this year will be held directly following Open Source Summit in China, North America, and Europe. Event dates and locations are as follows:
MesosCon EuropeOctober 26 – 27, 2017 in Prague, Czech Republic
Last year, experts from Uber, Twitter, PayPal, and Hubspot, among many others shared how they use Apache Mesos at MesosCon North America.
Best practices, lessons learned, and case studies are again among the topics the program committee is seeking for 2017. Some sample proposal topics include:
Best practices and lessons on deploying and running Mesos at scale
Deep dives and tutorials into Mesos
Interesting extensions to Mesos (e.g., new communication models, support for new containerizers, new resource types and allocation models, etc.)
Improvements/additions to the Mesos ecosystem (packaging systems, monitoring, log aggregation, load balancing, service discovery)
New frameworks
Microservices design
Continuous Delivery / DevOps (automating into production)
Apache, Apache Mesos, and Mesos are either registered trademarks or trademarks of the Apache Software Foundation (ASF) in the United States and/or other countries. MesosCon is run in partnership with the ASF.
The Linux Foundation’s open source Zephyr Project received considerable attention at this February’s Embedded Linux Conference (ELC). Although there are still no shipping products running this lightweight real-time operating system (RTOS) for microcontrollers, Fabien Parent and Neil Armstrong of the French embedded firm BayLibre shared their experiences in developing a wearable device that may end up being the first Zephyr-based consumer electronics product.
BayLibre’s device has an ARM Cortex-A SoC connected via an SPI bus to a Cortex-M4 STM32L4xx. This is linked via I2C to other, more lightweight Cortex-M cores. Parent and Armstrong could say no more about the design, but they explained why they chose Zephyr and discussed the project’s pros and cons.
Parent and Armstrong needed a free, permissively licensed RTOS for a small-footprint wearable device, and they required drivers for UART, I2C master, and SPI slave. They also needed features like a scheduler, timers, tasks, threads, and locks. The list was quickly narrowed down to the Apache 2.0 licensed Zephyr, the 3-clause BSD licensed NuttX, or rolling an OS of their own. After having already committed to Zephyr, Apache myNewt launched, and they realized this might have worked, as well.
Parent and Armstrong first considered the DIY approach. “Developing our own OS had the advantage of being fun,” said Armstrong. “It could be tailored to our needs and our development process, and we would better understand the entire code base. The drawback is that it takes time, and there is no community to help. It would be hard to maintain, and there would be little time to mature and fix the bugs.”
With BayLibre’s customer deadline essentially negating the homegrown option, the developers looked into NuttX, which had the advantage of being around longer than Zephyr. Although Parent and Armstrong were embedded Linux developers and fairly new to RTOSes, Parent had become familiar with NuttX from working for two years at Google’s recently abandoned Project Ara. NuttX is best known for running on Pixhawk drone controllers.
“NuttX had the advantage of being familiar, and it already supported our STM32L4xx SoC,” said Parent. “But the build system is completely unreliable. At Project Ara, whenever we changed the configuration, we could not be sure it would work. Also, there’s no real NuttX community — it’s basically one guy who wrote almost everything, and there is basically no peer review.” Finally, despite NuttX’s BSD license, “inside its repository there is a lot of code with licenses such as GPL, so there’s a chance you might accidentally include some, which is scary,” added Parent.
Zephyr pros and cons
Zephyr had only been announced a few weeks before they began the project, yet it already had several appealing features. “It’s much like Linux in the coding style, build system, and the concept of maintainers,” said Armstrong. “Zephyr also has great documentation, and they are quickly growing a strong community. Zephyr supports low memory usage, and it’s highly configurable and modular. It offers modern cooperative and preemptive threading, and will eventually add security pre-certification.”
At the time, Zephyr’s biggest drawback was its immaturity, and the fact that it did not support the STM32L4xx SoC, only an older STM32F1xx model. The latter turned out to be a much easier challenge than they had imagined. The SoCs turned out to be very similar, so updating the port took only a day and a half, with testing finished within a week. “Most of the time was spent on I2C and SPI, and debugging a stupid register issue,” said Armstrong.
The challenges came with the upstreaming process itself, and the fact that Zephyr was changing so quickly. “We made the bad choice of waiting a month before upstreaming the code,” said Parent. “When we did the first rebase, nothing worked, and we had to rewrite the power management code three times. As soon as you have clean code, try to upstream it. Otherwise, you will spend hours rebasing everything.”
The upstream patch review process, which is now undergoing revision, was also more cumbersome compared to Linux. “Zephyr uses Gerrit for patch review, and JIRA for the feature requests, and there’s also a mailing list,” said Parent. “Sometimes you don’t know where to look for answers.”
Gerrit makes it easy to not forget patches, but “it’s really slow, and is very complicated,” said Parent. “One of the biggest issues is that you have to individually select the reviewers instead of broadcasting. There is no concept of patch series, so you have to add topics to your patch series, which makes sending patches more complicated. Its archive search is really bad, and it’s really hard to get a full view of a patch.”
JIRA also posed some challenges. “JIRA is manager friendly and makes it easy to do graphs, but it’s not developer friendly, and there’s no good information on how to use it,” said Parent. “It’s yet another communication medium that is overlapping with mailing lists and Gerrit.”
A HAL of a surprise
Parent and Armstrong uploaded the ST port patches to Gerrit and waited for reviews. There was no response, but they kept pinging the maintainer on IRC. They waited almost a month for a review response, and when it came it was rather vague.
They also received a discouraging note from a Zephyr developer from a large corporation. “He said please stop your work because we want to push our own HAL to Zephyr based on the STM32 Cube SDK,” related Armstrong. “He said that after he did his proposal we could redo our patch.”
They were surprised about the acceptance of HAL(Hardware Abstraction Layer) technology. “Our patch was fully rewritten in native code with no external links to anything,” said Armstrong. “We were used to the Linux kernel, where you can only have native, maintainable code. And the maintainers never told us from the start about HALs.”
“There was a discussion on the Zephyr mailing list as to whether we should use HALs before moving to native code,” added Parent. “Input was requested from the maintainers, but there was no reply. Right now, most of the Zephyr maintainers are from SoC companies. The result is that vendor HALs are slowly replacing native drivers, or at least for ST. Personally, I would love to not have HALs.”
Parent noted that the Linux kernel project prefers that their top-level maintainers do not work for SoC companies. He asked Linux DRM maintainer Dave Airlie about the situation, and Airlie was quoted as saying: “The reason the top-level maintainer (me) doesn’t work for Intel or AMD or any vendors it that I can say NO when your maintainers can’t or won’t say it.”
Parent also suggested that the Zephyr Project is not as transparent as some other open source projects. The technical leadership is determined by voting members of the Zephyr Technical Steering Committee (TSC). The TSC is open to community members to participate, but you must be invited to attend the meetings.
“Most meeting minutes require permission to access, and it can take up to two weeks,” he said. “Decisions are spread across JIRA, Gerrit, and the mailing lists, and blog posts are controlled through a separate committee, which makes it kind of hard to post a blog.”
There are also challenges in working with a new project driven by “top-down development,” said Parent. The priorities appear to be planned features like a Unified Kernel, a new IP stack, and Thread protocol support, he added. “They need to clarify their priorities and let us know if planned features have priority vs. community contributions.”
In conclusion, Armstrong summed up their first Zephyr experience. “We don’t like the HALs, and the review tools made us really sad,” he said. “The code is still really young and the APIs change fast, so you need to test your code for every release to see if it’s still working.”
Yet, Armstrong also emphasized Zephyr’s advantages, not least of which is the fact that it’s one of the few open source RTOSes optimized for wearables. “Zephyr is a good design for low memory or low performance on small CPUs,” said Armstrong. “It’s really similar to Linux, and the APIs are simple and well documented. There’s a real and active community, and the flaws are getting fixed very quickly.”
Armstrong also noted a possible improvement on the reviews front: “There was a rumor this morning that Zephyr is moving from Gerrit to GitHub,” he said. “It’s not perfect. but it’s better than Gerrit for sure.”
Other Zephyr sessions from ELC 2017 now available on YouTube include:
Intel’s Anas Nashif summarizes Zephyr’s progress, as well as plans for next year.
Linaro’s Andy Gross talks about plans to integrate device tree in Zephyr.
Intel’s Marcel Holtmann discusses using Zephyr on the BBC micro:bit board.
Intel’s Sakari Poussa explains how to jumpstart Zephyr development by using JavaScript Runtime for Zephyr, including a “shell” developer mode and Web USB.
ARM’s Vincenzo Frascino, who works on the Linaro LITE group, describes how Zephyr runs on the ARM Beetle test-chip implementation of the IoT subsystem for Cortex-M processors.
Intel’s Johan Hedberg discusses Zephyr’s Bluetooth support, including its IPv6/6LoWPAN stack for implementing IPv6 over BLE and the emerging Bluetooth Mesh.
You can watch the full “War Story” video on Zephyr development below:
Connect with the Linux community at Open Source Summit North America on September 11-13. Linux.com readers can register now with the discount code, LINUXRD5, for 5% off the all-access attendee registration price. Register now to save over $300!
We all know and love netstat (network statistics), because it is a wonderful tool for viewing detailed network connection information. An interesting alternative is ss, socket statistics. ss is part of the iproute2 suite of network tools.
ss displays statistics about your network sockets, which includes TCP, UDP, RAW, and UNIX domain sockets. Let us briefly review what these are.
Transmission Control Protocol (TCP) is a fundamental networking protocol. It is part of the Internet protocol suite and operates in the transport layer. All networking transmissions are broken up into packets. TCP guarantees that all packets arrive, in order, and without errors. This requires a lot of back-and-forth communication, as this joke illustrates:
“Hi, I’d like to hear a TCP joke.”
“Hello, would you like to hear a TCP joke?”
“Yes, I’d like to hear a TCP joke.”
“OK, I’ll tell you a TCP joke.”
“Ok, I will hear a TCP joke.”
“Are you ready to hear a TCP joke?”
“Yes, I am ready to hear a TCP joke.”
“Ok, I am about to send the TCP joke. It will last 10 seconds, it has two characters, it does not have a setting, it ends with a punchline.”
“Ok, I am ready to get your TCP joke that will last 10 seconds, has two characters, does not have an explicit setting, and ends with a punchline.”
“I’m sorry, your connection has timed out. Hello, would you like to hear a TCP joke?”
User Datagram Protocol (UDP is simpler and has less overhead. It is a connection-less protocol with no error checking or correction mechanisms, and does not guarantee delivery. There are UDP jokes, too:
I would tell you a UDP joke but you might not get it.
A UDP packet walks into a bar.
A UDP packet walks into a bar.
RAW sockets are naked. TCP and UDP encapsulate their payloads, and the kernel manages all the packets. RAW sockets transport packets without encapsulating them in any particular protocol, so we can write applications that manage network packets. Some applications that take advantage of RAW sockets are tcpdump and nmap.
UNIX sockets, also called inter-process communication (IPC) sockets, are internal sockets that processes use to communicate with each other on your Linux computer.
Dumping Sockets
Now we get to the fun part, dumping sockets! This is not quite as much fun as dumping a load from a backhoe, but it has its charms. These commands print the current state of TCP, UDP, RAW, and UNIX sockets respectively:
$ ss -ta
$ ss -ua
$ ss -wa
$ ss -xa
See how your UNIX sockets are verbose and numerous. If your Linux distribution uses systemd you’ll see it all over the place. This little incantation counts all the systemd lines:
$ ss -xa | grep systemd | wc -l
53
ss -a dumps everything. Let’s take a look at what the columns mean.
Netid displays the socket type and transport protocol.
State is the socket state, which are the standard TCP states. You’ll see ESTAB and LISTEN the most.
Recv-Q and Send-Q display the amount of data queued for receiving and sending, in bytes.
Local Address:Port is the open socket on your computer, and Peer is the address of the remote connection, if there is one.
Cool Examples
It’s always good to check for open ports. This shows all listening sockets:
$ ss -l
Seeing all the UNIX sockets isn’t necessary when you’re concerned about anything that might be open to the outside world, so this displays only listening TCP, UDP, and RAW sockets:
UNCONN, unconnected, is the same as LISTEN. This example shows that pings are not blocked, bootpc is listening for DHCP assignments, MySQL is listening for local connections only, and SSH and HTTP are open to all requests, including external. *:* means all IPv4 addresses, and :::* means all IPv6 addresses.
You can see which processes are using sockets, which can be quite enlightening. This example shows the activity generated by a bit of Web surfing:
Want to see the domain names? Add -r, for “resolve”:
$ ss -tpr
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB 0 0 studio:48720 ec2-50-18-192-250.
us-west-1.compute.amazonaws.com:https users:(("firefox",pid=3663,fd=71))
ESTAB 0 0 studio:57706 www.pandora.com:https
users:(("firefox",pid=3663,fd=69))
ESTAB 0 0 studio:49992 edge-star-mini-shv-01-
sea1.facebook.com:https users:(("chromium-browse",pid=2933,fd=77))
Use the -D [filename] to dump your results into a text file, or use tee so you can see the output in your terminal and also store it in a file:
$ ss -tpr | tee ssoutput.txt
The more you know about TCP/IP, the more tools like ss will work effectively for you. The fine man ss contains a lot of useful examples, and if you install the iproute2-doc package you’ll find more help.
Learn more about Linux through the free “Introduction to Linux” course from The Linux Foundation and edX.
It is tempting to believe that the security problem can be solved with yet more technical wizardry and a call for heightened vigilance. And it is certainly true that many firms still fail to take security seriously enough. That requires a kind of cultivated paranoia which does not come naturally to non-tech firms. Companies of all stripes should embrace initiatives like “bug bounty” programmes, whereby firms reward ethical hackers for discovering flaws so that they can be fixed before they are taken advantage of.
But there is no way to make computers completely safe. Software is hugely complex. Across its products, Google must manage around 2bn lines of source code—errors are inevitable. The average program has 14 separate vulnerabilities, each of them a potential point of illicit entry. Such weaknesses are compounded by the history of the internet, in which security was an afterthought (see article).
OpenWhisk can merge the power of Watson with the simple beauty of serverless computing. As we delve into Watson services, we’ll cover the building blocks here.
This three-part series will help you understand the in-depth features of Serverless Computing via OpenWhisk. OpenWhisk offers an easy way to chain services where an output of the first action acts as an input to the second action and so on in a sequence.
OpenWhisk achieves the chaining of services via sequences on Bluemix. By the end of Part 3, You will be chaining Watson services and exposing the sequence as a REST API via OpenWhisk API Gateway.
This post describes the resource requirements for performing this lab. The two sub-sections are:
