
This Week in Open Source News: Facebook Creates Networking Tech, Linux Foundation Board Expands, & More

This week in Linux and open source news, Facebook announces new networking hardware technology, The Linux Foundation’s board expands with three new additions, and more! Get up to speed on the latest headlines with this weekly digest:

Facebook wants to change the data center hardware market and is one step closer after releasing its new Voyager device. Learn more in Jonathan Vanian’s latest Fortune article.
1) Facebook announces creation of a new type of hardware to be used to send data “quickly across long distances and multiple data centers.”

Facebook Just Created Some Fancy New Networking Technology – Fortune

2) The Linux Foundation welcomes Erica Brescia (Bitnami), Jeff Garzik (Bloq), and Nithya A. Ruff (Western Digital) to its board of directors.

The Linux Foundation Adds Three New Members to Board of Directors – EconoTimes

3) Amazon Web Services “is becoming more open to private and hybrid cloud scenarios.”

AWS Reveals On-Premises Linux Test Environment – Computer Business Review

4) Ubuntu Core 16 for IoT features Linux self-patching.

Ubuntu Core Snaps Door Shut on Linux’s New Dirty COWs – The Register

5) New Linux Foundation course on edX focuses on “three basic principles of DevOps.”

Linux Foundation Launches Online DevOps Course in Move to Increase Experience – RCR Wireless News

How to Wrestle Control of Sudo With Sudoers

Linux depends upon administrative user permission. Without the elevated permission of root, many commands could not be run. For distributions, such as Red Hat, gaining root permissions means changing to the root user with the command su. Other distributions, such as Ubuntu Linux, opt for a different route. That route is sudo. By taking advantage of the sudo system, an administrator gains far more control over who can do what on a system. An added benefit of using the sudo command is that all sudo incidents are logged (Red Hat-based systems log to /var/log/secure whereas Debian-based systems log to /var/log/auth.log).

Say, for example, you want to give certain users permission to use a certain command, without having to enter their sudo password. With sudo you can do that. You can also join users into groups, to make controlling who can do what much easier.

Now that I have your interest piqued, how do you manage/configure sudo on your Linux machine? The answer is simple…sudoers. In the file /etc/sudoers, you’ll find everything you need to wrestle control over sudo.

A word of caution

Taking on the /etc/sudoers file must be done with care. You should never open that file with a standard text editor (such as nano or vi). Instead, use the built-in visudo tool. This tool will parse the file to see if there are any problems. Once you’ve made changes to the file, you can even run the command sudo visudo -c to run a second automatic parse of the file. Should visudo find issues, fix them immediately before closing your terminal; otherwise, you can wind up locked out of all commands that require sudo (trust me, I did this once…it’s no fun).

It is also important to understand:

  • The sudo binary is setuid root, which means that when any user runs a command through sudo, they are instantly granted root permissions. Because of this, you must take extra precaution when working with the /etc/sudoers file; otherwise, you could find your system at serious risk.

  • The sudo command reads the sudoers file in top-to-bottom order. In other words, when entries conflict, the last matching line in /etc/sudoers overrides the earlier ones. Because of this, you should always enter your new lines at the bottom of each /etc/sudoers section.

  • The sudo command includes a number of defaults that can be set within /etc/sudoers. To find a listing of these defaults, issue the command sudo -L.

Now that you clearly understand the importance of editing /etc/sudoers with visudo, let’s take a look and see what you can do.

The file

There are a few sections of the sudoers file you need to know about:

  • Defaults: These are the default variables for sudo (remember, sudo -L is your friend)

  • Alias: You can create aliases for host, user, and commands

  • User privilege: This is where you specify user privilege

  • Groups: This is where you define groups

You may be surprised to find out the default sudoers file is only 31 lines long (at least in Ubuntu 16.10). It’s not overly complicated, nor is it much of a challenge to understand. However, understanding the breakdown of user privilege lines is very important. The structure of these lines is:

user host=(accounts) commands

The breakdown of this line is:

  • user: The account for which the privilege will be associated

  • host: The system from which the account is able to run these sudo commands (sudoers can be shared across systems)

  • accounts: The other accounts on the machine for which the user running sudo can act

  • commands: The commands the user can run as sudo

If you issue the command sudo visudo, the default /etc/sudoers file will open. In that file, there will only be one line under user privilege. That line is:

root    ALL=(ALL:ALL) ALL

According to our breakdown, that line means the root user, from all hosts, acting as any account, can run all commands.

Aliases

Before we get into adding user permission entries to sudoers, it is important to understand how aliases work. Sudoers aliases come in the form of:

  • User_Alias — specifies a group of users by username

  • Runas_Alias — specifies a group of users by UID

  • Host_Alias — specifies a list of hostnames

  • Cmnd_Alias — specifies a list of commands and directories

A typical alias looks like:

User_Alias USERS = bethany, jamal, morgan, josh

The above alias would include bethany, jamal, morgan, and josh with the alias named USERS. You can also include groups with aliases, such as:

User_Alias ADMINS = %admin

The percent sign indicates to sudo that admin is a system group. To include netgroups, you would prefix the group name with the + symbol. You can also exclude users from an alias by prefixing their name with the ! symbol. Say, for instance, you want to create an alias for restricted users, based on previous aliases. Say users bethany, jamal, morgan, josh, and jonathan are all members of the ADMINS alias, and you want to create an alias for WEBMASTER that does not include the user jonathan. Instead of entering every user to be included, you could add the ADMINS alias and then exclude jonathan like so:

User_Alias WEBMASTER = ADMINS, !jonathan

That’s how aliases work.

Adding entries

Remember, to edit the /etc/sudoers file, we do so with the command sudo visudo.

Our example will be to enable certain users to shut down the system without having to enter a password. To do this, we will first create a User_Alias for ADMINS. Under the User alias section, add the line:

User_Alias ADMINS = usernames

Where usernames is the list of names to be included with the alias.

Next we create a Cmnd_Alias for the shutdown commands. Under the Cmnd alias section, enter this line:

Cmnd_Alias SHUTDOWN = /sbin/poweroff, /sbin/halt, /sbin/reboot

Finally, under the User privilege section (below the default entry of ALL=(ALL:ALL) ALL), enter the following:

ADMINS ALL=(ALL) NOPASSWD: SHUTDOWN

Save the file and then (for added assurance that everything is okay), issue the command sudo visudo -c. You should see the same output as shown in Figure 1.

Figure 1: Everything is okay and ready to test.

To test the new sudoers entry, you’ll need to log out and log back in. Once you’ve done that, open up a terminal window and issue the command shutdown -h now as one of the users listed in the user alias ADMINS. Your system should shut down without prompting for a password.
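The alias exclusion, the last-match-wins ordering, and the NOPASSWD entry from this walkthrough can be checked offline with a small model of sudoers matching. This is an added example, not part of the original article or of sudo itself; it handles only the syntax used in this article, and the user names, the %admin rule, and the GROUPS membership are assumptions.

```python
import re

# Constructed sample policy assembled from the article's example lines.
# The user names, the %admin rule and GROUPS are assumptions for illustration.
SUDOERS = """\
User_Alias ADMINS = bethany, jamal, morgan, josh, jonathan
User_Alias WEBMASTER = ADMINS, !jonathan
Cmnd_Alias SHUTDOWN = /sbin/poweroff, /sbin/halt, /sbin/reboot
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
ADMINS  ALL=(ALL) NOPASSWD: SHUTDOWN
"""
GROUPS = {"admin": {"bethany", "jamal"}}  # assumed system group membership
ALIAS_RE = re.compile(r"(?:User|Runas|Host|Cmnd)_Alias\s+(\w+)\s*=\s*(.+)")
RULE_RE = re.compile(r"(\S+)\s+(\S+?)\s*=\s*(?:\([^)]*\))?\s*(.+)")


def parse(text):
    """Return (aliases, rules); each rule is (who, nopasswd, [commands])."""
    aliases, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")):
            continue
        m = ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [s.strip() for s in m.group(2).split(",")]
            continue
        m = RULE_RE.match(line)
        if m:
            who, _host, cmds = m.groups()
            nopasswd = cmds.startswith("NOPASSWD:")  # only a leading tag is modelled
            cmds = cmds.replace("NOPASSWD:", "", 1)
            rules.append((who, nopasswd, [c.strip() for c in cmds.split(",")]))
    return aliases, rules


def matches(name, items, aliases, groups=None):
    """True/False when the list decides for `name`, None when nothing matches.
    Items are read left to right, the last match wins, and '!' inverts it."""
    result = None
    for item in items:
        negate = item.startswith("!")
        item = item[1:] if negate else item
        if item in aliases:
            hit = matches(name, aliases[item], aliases, groups)
        elif item.startswith("%"):
            hit = True if name in (groups or {}).get(item[1:], ()) else None
        else:
            hit = True if item in ("ALL", name) else None
        if hit is not None:
            result = hit != negate
    return result


def check(user, command, text=SUDOERS, groups=GROUPS):
    """'nopasswd', 'password' or 'denied' for `user` running `command`
    (a full path; arguments are ignored, as for a bare path in sudoers)."""
    aliases, rules = parse(text)
    verdict = "denied"
    for who, nopasswd, cmds in rules:  # top to bottom: later matches override
        if matches(user, [who], aliases, groups) is not True:
            continue
        allowed = matches(command, cmds, aliases)
        if allowed is True:
            verdict = "nopasswd" if nopasswd else "password"
        elif allowed is False:
            verdict = "denied"
    return verdict
```

With this policy, check("bethany", "/sbin/halt") returns "nopasswd" only because the ADMINS line sits below the %admin line; moving %admin to the bottom turns the same query into "password". check("josh", "/sbin/shutdown") returns "denied", since /sbin/shutdown is not listed in the SHUTDOWN alias as written.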

An eye on security

Obviously, with regard to security, this isn’t the greatest example. However, it does perfectly illustrate how powerful sudoers can be. You will certainly want to tailor your sudoers file to meet your admin needs on every level. Most likely, you won’t create an entry that would allow just any user to shut down the system without entering a password. However, with a keen eye toward security, you can make sudoers work well for you.


Women-Focused Networking Events Can Make a Big Difference, Says Twitter’s Vinu Charanya

During LinuxCon North America in Toronto, The Linux Foundation organized a women’s networking lunch that included more than 100 women from different walks of life. What’s most exciting about this event was that instead of having one speaker, or a panel of speakers delivering speeches, each attendee was allowed to introduce herself, which turned all those 100 attendees into speakers and audiences.

Vinu Charanya, Software Engineer at Twitter
Vinu Charanya, a software engineer working for the Cloud Infrastructure Management team at Twitter, was one of the attendees. Outside her day job, Charanya is also a core team member for a non-profit organization called Women Who Code.

Charanya holds a Masters degree in Computer Science from SUNY at Buffalo and a Bachelors in Computer Science & Engineering from Anna University, India. Charanya started off as a Research Assistant at SUNY at Buffalo, working on the Android platform where they built PhoneLab — a large scale smartphone testbed. They deployed about 1000 smartphones across the campus and built an experimentation framework for academicians to create and run experiments on this testbed.

Charanya moved to San Francisco in 2013 and began working on web application development on Ruby on Rails at a startup. At that company, they built a product to help small-medium businesses have a stronger presence on social media. That’s when she joined Women Who Code — a nonprofit organization focused on helping women excel in their careers in the tech industry. Currently, she is a core team member at Women Who Code, where she commits code to open source projects and advises on product direction. She also recently gave a talk at #WWConnect 2016 on the pros and cons of working in a startup versus a large company.

Tweeting at Twitter

Charanya is also involved with building the internal cloud platform at Twitter. The stack consists of distributed back-end services written in Scala and Python and user interfaces powered by ReactJS. They recently launched a product called Chargeback — a system that provides visibility and accountability for infrastructure utilization and compute cost. This product enabled Twitter to reduce inefficiencies around resource utilization and improve overall efficiency of Twitter’s infrastructure. Charanya gave a tech talk at ContainerCon/LinuxCon 2016 on this very topic.

Personally, Charanya enjoys building apps on iOS and has participated along with several other women and won several hackathons. One such hackathon is #ChimeHack, which focuses on connecting the tech community to issue experts and non profits to create mobile app solutions to support girls and women. They won for building a trick or treat app, which UNICEF later used, she said.

Challenges for women in the tech world

A huge gender gap exists in the tech world; however, companies and organizations are now consciously trying to address the issue. Charanya said that in her experience working in this industry, there are two key problems. One is unconscious bias. There is an inherent bias to associate women with jobs other than engineering. Thus, when it comes to hiring a woman or promoting a woman, there is more scrutiny than when hiring or promoting a man. Unfortunately, these biases also influence daily interactions between co-workers, which may lead to a toxic workplace. The second issue is lack of support for work/life balance.

“Many times, women decide to quit their jobs in technology sector to pursue better work/life balance (for example, when you become a parent). Sadly, not all organizations have favorable policies,” she said.

Woman to woman networking

Tech conferences are a great place for people to meet new people and friends. However, it can be hard to find and connect with other women.

“Technology events are very important irrespective of gender. It is not just about the talk. It is about the connections you make, the exposure you get, and being out there to inspire and motivate yourself and others,” Charanya said.

Additionally, a lot of conferences are at the initial phase of increasing the diversity of their participants. Woman-focused networking events make a lot of difference for the participants. Google IO has been doing Women TechMaker dinners for all the women participants for the past few years, and the connections made through such events go way past the conference itself.


Build Strong Real-Time Streaming Apps with Apache Calcite

The Apache Calcite data management framework contains many pieces of a typical database management system but omits others, such as storage of data and algorithms to process data. In his talk at the upcoming Apache: Big Data conference in Seville, Spain, Atri Sharma, a Software Engineer for Azure Data Lake at Microsoft, will talk about developing applications using Apache Calcite’s advanced query planning capabilities. We spoke with Sharma to learn more about Calcite and how existing applications can take advantage of its functionality.

Atri Sharma, Software Engineer, Azure Data Lake, Microsoft

Linux.com: Can you provide some background on Apache Calcite? What does it do?

Atri Sharma: Calcite is a framework that is the basis of many database kernels. Calcite empowers you to build your custom database functionality and use the required resources from Calcite. For example, Hive uses Calcite for cost-based query optimization, Drill and Kylin use Calcite for SQL parsing and optimization, and Apex uses Calcite for streaming SQL.

Linux.com: What are some features that make Apache Calcite different from other frameworks?

Atri: Calcite is unique in the sense that it allows you to build your own data platform. Calcite does not manage your data directly but rather allows you to use Calcite’s libraries to define your own components. For example, instead of providing a generic query optimizer, it allows defining custom query optimizers using the Planners available in Calcite.

Linux.com: Apache Calcite itself does not store or process data. How does that affect application development?

Atri: Calcite is a dependency in the kernel of your database. It is targeted for data management platforms that wish to extend their functionalities without writing a lot of functionality from scratch.

Linux.com: Who should be using it? Can you give some examples?

Atri: Any data management platform looking to extend their functionalities should use Calcite. We are the foundation of your next high-performance database!

Specifically, I think the biggest examples would be Hive using Calcite for query optimization and Flink for parsing and streaming SQL processing. Hive and Flink are full-fledged data management engines, and they use Calcite for highly specialized purposes. This is a good case study for applications of Calcite to further strengthen the core of a data management platform.

Linux.com: What are some new features that you’re looking forward to?

Atri: Streaming SQL enhancements are something I am very excited about. These features are exciting because they will enable users of Calcite to develop real-time streaming applications much faster, and the strength and capabilities of these applications will be manifold. Streaming applications are the new de facto, and the strength to have query optimization in streaming SQL will be very useful for a large crowd. Also, there is discussion ongoing about temporal tables, so watch out for more!

Hear from leading open source technologists from Cloudera, Hortonworks, Uber, Red Hat, and more at Apache: Big Data and ApacheCon Europe on November 14-18 in Seville, Spain.

 

Linux Developers Under Denial-of-Service Attack

If you can’t reach your favorite Linux developer by IM or email today, it’s because they’re under a Denial of Service (DoS) attack. The top programmers are all at the Linux Plumbers conference, which is being hammered by an internet attacker.

According to James Bottomley, an IBM Research distinguished engineer and a member of the Linux Plumbers Conference committee, “Since yesterday we are being attacked from the outside. The attack follows us as we switch external IP and the team has identified at least one inside node which looks suspicious.”

Read more at ZDNet

Canonical Focuses On IoT Security With Ubuntu Core 16

It has become apparent that Internet of Things devices need a major security upgrade. Most of these changes need to be made at the software level, including the operating systems being used. Canonical announced Ubuntu Core 16, which focuses on providing additional security for IoT devices. Additionally, the new version will improve the validation of snap apps.

One of the most significant changes to be found in Ubuntu Core 16 is how failed software updates will be handled. In most cases, the OS would continually try to update to the latest version if the process failed for some unknown reason. 

Read more at The Merkle

Keys to NFVI Components Selection

In this series on network functions virtualization (NFV), we’ve been spending time talking about some of the pitfalls and challenges involved in adopting NFVI components – and how to plan for deployment. This week we’re going to spend some time breaking down what to look for in moving to NFV hardware components.

The information I have gathered is based on feedback from various service providers and product experts on how to get NFVI ready for prime time. They have identified many of the key areas to look for in NFV hardware components. …Setting up a carrier cloud platform requires careful selection and guidelines for each component. 

Read more at SDxCentral

Secured DevOps for Microservices

Containers and microservices have revolutionized application development and infrastructure management. They have also introduced new security challenges without solving the old ones. What are some of the new security challenges, and what can you do about them?

New technologies, new challenges

Microservices are changing everything. Immutable infrastructure, share-nothing architecture, and containerized applications (microservices) are the focus of most of the enterprise roadmaps today. Microservices provide a way of exposing a business functionality in a small, autonomous, and self-sustainable capacity, performing a unit task within a given scope of business context. 

Read more at OpenSource.com

Nonprofits Can Live Patch Kernels for Free, Even Fix the Dirty Cow Issue

In light of the recent Dirty Cow exploit, said by experts to be the “Most serious” Linux privilege-escalation bug ever, CloudLinux has decided to push forward their prior plans to offer KernelCare for free for nonprofit organizations so that they can protect themselves from critical vulnerabilities including the Dirty Cow CVE-2016-5195.

KernelCare provides Linux kernel security updates without the need to reboot servers. Once KernelCare is installed – without a reboot – it will bring kernels up-to-date with all security patches instantly. KernelCare supports most popular Linux distributions and installs in just minutes with a single line of code.

Since most nonprofit organizations have limited IT resources and are unable to consistently update kernels, KernelCare can help tremendously by bringing kernels up to date with all security patches and keeping them secure going forward.

KernelCare delivers a super-fast release of security patches for new vulnerabilities, like the recent Dirty COW privilege escalation. It helps keep Linux secure and stable but now also free for nonprofit organizations. Regular KernelCare pricing is under $3 per server per month, but if you are a nonprofit organization and would like to use out-of-the-box KernelCare, you can request a complimentary unlimited license by writing to nonprofit [ at ] kernelcare.com.

KernelCare supports:

  • Red Hat RHEL 5.x, 6.x and 7.x
  • CentOS 5.x, 6.x and 7.x
  • Ubuntu 14.04 LTS and 16.04 LTS
  • Xen4CentOS 6 and Xen4CentOS 7
  • Virtuozzo/OpenVZ 2.6.32
  • Debian 6 and 7
  • And more.
 

Collabora’s Devs Add Acoustic Echo Cancellation, Enhanced AC-3 to GStreamer 1.10

(As originally published on Softpedia, November 3, 2016)

Today, November 3, 2016, Collabora informs us about the contributions done by its multimedia team on the release of the powerful, free, open-source and cross-platform GStreamer 1.10 multimedia framework.

We reported the other day the release of GStreamer 1.10, which appears to be a major update that has been in development for the past seven months. During all this time, various developers have made smaller or bigger contributions, but it looks like Collabora’s devs have contributed a great deal of work to make GStreamer a lot better.

“Our contributions had two main targets: improve GStreamer’s overall reliability and improve support for hardware accelerated plugins. We’ve also contributed a number of improvements that we’ve done in relation to the work we do with our clients,” said Olivier Crête, Multimedia Domain Lead at Collabora, in a blog announcement.

Here are Collabora’s major contributions to GStreamer 1.10

Among the major contributions added by Collabora’s devs to GStreamer 1.10, we can mention the implementation of a GstTracer plugin for tracing memory leaks in GStreamer plugins and apps, which actually helped them address many leaks, support for ALSA devices with multiple audio channels, mostly present in industrial environments, and memory leak fixes in the new decodebin3/playbin3 code.

There’s also Acoustic Echo Cancellation (AEC) support, which might come in handy if you have a microphone capable of capturing the output of the speaker when doing phone calls, support for multiple threads in the libvpx decoder (for VP8 and VP9 streams) on multi-core systems, various improvements to the V4L2 (Video4Linux) elements, as well as support for the video meta, which allows for zero-copy operations.

Furthermore, Collabora’s developers enabled the GObject property notification for name changes of GstObject, cleaned up the rfbsrc element, added Wayland support for the new wl_viewporter extensions to allow for video cropping and scaling, improved both the AAC parser and Ogg Vorbis elements, fixed bugs in the fdkaac elements and gst-rtsp-server, and added Enhanced AC-3 support to the MPEG Transport Stream demultiplexer.

And it looks like their work won’t stop here, as Olivier Crête notes on a second blog post that “We’re already working on new improvements for the next major GStreamer version, in particular, Nicolas is working hard to have perfectly controlled latency in waylandsink to have guaranteed A/V sync under 15ms and automatic negotiation of dmabuf between the Wayland, vaapi and OpenGL plugins.”

All the above have been contributed by a total of seven Collabora developers, namely Guillaume Desmottes, Nicolas Dufresne, Vincent Penquerc’h, Xavier Claessens, Wonchul Lee, Thibault Saunier, and Olivier Crête. For more details about these new GStreamer improvements, also check out the links above. In the meantime, you can download GStreamer 1.10 right now via the Softpedia website.