Twitter
Home Blog Page 683

Understanding and Securing Linux Namespaces

By
Pam Baker
-

Richard Guy Briggs, a kernel security engineer and Senior Software Engineer at Red Hat, talked about the current state of Kernel Audit and Linux Namespaces at the Linux Security Summit. He also shared problems plaguing containers and what might be done to address them soon.

His insights are borne of deep experience. Briggs was an early adopter of Linux back in 1992, and has written UNIX and Linux device drivers for telecom, video and network applications and embedded devices.

Audit, which he describes as “Syslog on steroids,” exists as the means to securely document exactly what occurred where, when and by whom in case the need to pinpoint a problem in a court of law arises. It works well with SELinux and with other security modules in the kernel, and it only reports behavior; thus, it doesn’t interfere with anything running on the system. You can, however, panic the kernel and stop the run, that is, shut down the machine, if a situation exists that Audit is unable to document or report. Otherwise, configurable kernel filters render select activities of interest or more detail on something questionable while ignoring other behavior reports without interference with other activities.

To understand the current state of Kernel Audit, it’s important to understand its relationship with namespaces, which are kernel-enforced user space views. Currently, there are seven namespaces: peer namespaces which include the Mount namespace; the UTS namespace (hostname and domain information); the IPC namespace (no one really knows what this one does); NET namespaces which are peer systems, peer namespaces so the system comes up in the initial NET namespace and all of the physical devices appear in that namespace; and, three hierarchy namespaces – PID, User, and Cgroups –  so that the permissions are inherited from one to another.

The User namespaces are the most contentious, because there are a number of traps inherent to their use making securing them vexing. “As a result, there are number of distributions that have not enabled user namespaces by default yet, because there’s still some work to be done to iron out where these are going,” Briggs said.

There Can Be Only One

As to containers, there is no hard definition as to what they are and certainly the kernel has no concept of containers. As far as the kernel is concerned, it’s a concept that’s completely in user space at the moment.

There is interest in the community to move beyond the general consensus in defining containers as a combination of kernel namespaces, secure computing, seccomp, and cgroups, to a clearer definition of what a container is allowed to do in order to create a better auditing trail.

The biggest problem with containers is that a set of namespaces doesn’t work. “At this point, there can only be one audit daemon, and it has to live in the initial user and PID namespace and that’s locked down by kernel rules that basically say it detects what namespaces you’re in,” he explained.

There have been security weaknesses in the Mount namespace since its inception, but that was not overly concerning as they were not actually abusable. Until, that is, other namespaces and more ways to use them were added.  

Work is ongoing in addressing the security issues in User namespaces and newly exposed issues in Mount.

“In terms of audit, the audit daemon, it seems to make the most sense to tie the audit daemon in to the user namespace,” Briggs said.

“In terms of the network namespaces, the initial network namespace was the one that was originally listening and there were a number of proposals on how to try and deal with it. In the end, the least complex solution won out for the moment for the short term.”

Watch the complete presentation below:

linux-com_ctas_security_090716_452x150.jpg?itok=XsvIOO55

Sign up to access more than 40 recorded sessions from LinuxCon + ContainerCon, including keynotes from Joe Beda, Jim Whitehurst, Cory Doctorow, and more.

Solving Enterprise Monitoring Issues with Prometheus

By
Cloud Native Computing Foundation
-

Chicago-based ShuttleCloud helps developers import user contacts and email data into their applications through standard API requests. As the venture-backed startup began to acquire more customers, they needed a way to scale system monitoring to meet the terms of their service-level agreements (SLAs). They turned to Prometheus, the open source systems monitoring and alerting toolkit originally built at SoundCloud, which is now a project at the Cloud-Native Computing Foundation. 

In advance of Prometheus Day, to be held Nov. 8-9 in Seattle, we talked to Ignacio Carretero, a ShuttleCloud software engineer, about why they chose Prometheus as their monitoring tool and what advice they would give to other small businesses seeking a similar solution.

Ignacio P. Carretero, ShuttleCloud

Linux.com: Why did your enterprise start using a monitoring solution like Prometheus?

Ignacio Carretero: It started when our number of projects increased and new clients SLAs became more demanding. We had some systems in place to monitor the operation metrics (the status of our instances), business metrics (how we were performing) and if our external front ends were up and running. However, we did not have a centralized monitoring system or a standard alerting system. In addition, some business metrics had to be manually reviewed. All of the aforementioned have been solved with a monitoring solution like Prometheus.

Some of the reasons we chose Prometheus over other monitoring systems are its flexibility with the metric system (it doesn’t have to be fixed from the beginning), the independency from other external services (such as message buses or databases) and the simplicity of its installation and execution as it is a Go file.

Linux.com: What are the most important things for small businesses to know when bringing on an in-house monitoring stack?

Ignacio: The most important thing we would mention is that having a Prometheus-based in-house monitoring solution does not have to be expensive. It is possible to start monitoring a complete infrastructure with only one instance and not a lot of development/setup time. Apart from that, it is good to know that monitoring is not a goal but a journey, and we must confess that this has been a pleasant one. Throughout this journey you’ll fine tune alerts and progress through the stages of getting your infrastructure monitored. In the precise case of Prometheus, we are also very satisfied with the available exporters. They mostly can be integrated without investing a lot of time which is always important for small businesses.

Linux.com: What is the journey like to equip your infrastructure with monitoring technology? Is the process different for small businesses?

Ignacio: The main difference is that we do not have a specialized team that can take care of that process so the whole team has to be involved. Every single developer in our engineering team collaborates with what is being monitored by Prometheus and what remains monitored by the legacy systems. We all solve the alerts triggered so we can participate on the tuning of thresholds and adding missing alerts and removing unnecessary ones.

Linux.com: What lessons did you learn while deploying a monitoring technology?

Ignacio: At the beginning we were very constrained with the time we could dedicate to the implementation so we decided to start small. Therefore, we recycled some of the systems that we had already in place. To do so, we took some decisions that were against the design patterns of Prometheus. It might not be the ideal design but at least we had a starting point. From the starting point, we iterated and improved our system as we started to understand some of the things we were doing wrong and what things could be improved. If we had waited until we designed a perfect system, more than likely we would still have our old service in place.

Linux.com: What are the major benefits your environment has seen from using Prometheus?

Ignacio: The most important thing for us, the developers, is that we now totally trust our monitoring system. Before we were constantly checking if everything was alright and if there was any issue. We currently know that if any of the thresholds is reached, someone will be paged or an email will be sent depending on the urgency of the issue.

Another major benefit is that the system is fairly easy to maintain. We still do improvements and fine tuning but the overall maintenance overhead has been kept to a minimum, even if we continue growing.

Finally, we would like to point out that PromQL is really useful and logical (the Prometheus query language). The learning curve is definitely worth the effort. PromQL is also used for chart creation in Grafana, which is very easy to integrate with Prometheus.

For Linux.com readers only: get 20% off your CloudNativeCon + KubeCon & PrometheusDay passes with code CNKC16LNXCM. Register now.

WTF Is a Container?

By
TechCrunch
-

You can’t go to a developer conference today and not hear about software containers: Docker, Kubernetes, Mesos and a bunch of other names with a nautical ring to them. Microsoft, Google, Amazon and everybody else seems to have jumped on this bandwagon in the last year or so, but why is everybody so excited about this stuff?

To understand why containers are such a big deal, let’s think about physical containers for a moment. The modern shipping industry only works as well as it does because we have standardized on a small set of shipping container sizes. Before the advent of this standard, shipping anything in bulk was a complicated, laborious process. Imagine what a hassle it would be to move some open pallet with smartphones off a ship and onto a truck, for example. Instead of ships that specialize in bringing smartphones from Asia, we can just put them all into containers and know that those will fit on every container ship.

Read more at TechCrunch

Industrial Internet of Things Set to Rocket Towards 100bn Devices

By
The Australian
-

The explosive growth of the Internet of Things (IoT) is most often discussed in terms of consumer devices and products. But if you take a second to consider the scale of the industrial products sector and its potential for device connectivity throughout the supply chain, then you can start to see why exactly it is set to dwarf the size of consumer IoT by several magnitudes.

While a few billion consumer devices (think wearables, home automation devices and cars), will become IoT connected during the next five years, the equivalent global growth curve for the industrial IoT (IIoT) is set to rocket towards 100 billion devices as the technology becomes pervasive in industrial sectors worldwide.

Read more at The Australian

OpenStack & Private Cloud, at Scale, Are Cheaper Than Public Cloud

By
SDx Central
-

Beyond a certain scale, commercial private clouds and OpenStack distributions are cheaper than public clouds, according to the latest Cloud Price Index from 451 Research. However, private cloud still might be more difficult to plan for.

Commercial private cloud offerings from vendors such as VMware and Microsoft offer a lower total cost of ownership (TCO) when labor efficiency is lower than 400 virtual machines managed per engineer, according to the report, which was published today.

Read more at SDx Central.

InfraKit Hello World

By
More Than Seven
-

Docker just shipped InfraKit a few days ago at LinuxCon and, while at the Docker Distributed Systems Summit, I wanted to see if I could get a hello world example up and running. The documentation is lacking at the moment, epecially around how to tie the different components like instances and flavors together.

The following example isn’t going to do anything particularly useful, but it’s hopefully simple enough to help anyone else trying to get started. I’m assuming you’ve checked out and built the binaries as described in theREADME.

Read more at More Than Seven

Software-Defined Networking Puts Network Managers in the Driver’s Seat

By
Biz Tech
-

SDNs can help organizations keep up with evolving network demands in an app-centric IT environment and give network managers much more flexibility.

The strategy behind the network architecture inside many of today’s data centers was developed during the x86 era of server-desktop computing. Much has changed since then, and organizations must now give serious thought to a fresh approach to networking — software defined networking (SDN) — that more accurately reflects today’s computing reality.

Read more at BizTech

How to Secure Network Services Using TCP Wrappers in Linux

By
Tecmint
-

In this article we will explain what TCP wrappers are and how to configure them to restrict access to network services running on a Linux server. Before we start, however, we must clarify that the use of TCP wrappers does not eliminate the need for a properly configured firewall.

In this regard, you can think of this tool as a host-based access control list, and not as the ultimate security measure for your system. By using a firewall and TCP wrappers, instead of favoring one over the other, you will make sure that your server is not left with a single point of failure.

[[ This is a content summary only. Visit my website for full links, other content, and more! ]]

 

Read more at Tecmint

How Building Strong Open Source Teams Is Like Raising Chickens

By
Carla Schroder
-

Dr. Margaret Heffernan, in her LinuxCon North America keynote, tells an open source story that isn’t about software. It’s a story about chickens.

If your organization is struggling to build teams that work well together, and it feels more like The Hunger Games than a smoothly functioning team, let the tale of the two chicken flocks show you the open source way. Dr. Heffernan tells how a reseacher used two flocks of laying hens to study how to breed more productive egg-layers. One was an average, nothing special flock, just ordinary hens. The other flock was composed of super-chickens, hens who were highly productive egg layers. The researcher bred only the most productive of the super-chickens, and did no selective breeding in the first flock.

After six generations, Dr. Hefferman tells us what happened: “At the end of his experiment, what did he find? Well, he went back to the average flock, and what he discovered is they were more productive than they’d ever been. They were all really healthy, plump, fully feathered, and cranking out more eggs than ever. The super flock was a completely different story. Because the super flock, all but three were dead. They’d killed each other trying to be the super-est of the super flock.”

“When Muir revealed his research to many of his researchers, their eyes lit up and some of them said, “We know those super chickens. We work along side quite a lot of them.” As I’ve gone around the work talking about this, I always see this little flicker of recognition in people’s eyes, and they’ll say to me, “That’s my company. That’s my department. That’s the team I used to work in.”” Their working life resembled The Hunger Games more than a creative enterprise, with the expectation that “If you get everybody to compete fiercely somehow the best will stagger to the top, bloody with feathers hanging out”.

Dr. Heffernan then describes a research project designed to answer the question “Why is it that some teams are so much better than others?” The answer is not IQ, nor individual brilliance, but several distinct characteristics including empathy, helpfulness, trust, and diversity. Another key trait is curiosity, which leads to people discovering solutions to problems in fields that are outside of their areas of expertise. Which, of course, requires other people to listen to them and take them seriously.

Listen to Dr. Heffernan’s keynote (below) to learn more about what fuels effective teamwork.

Sign up to access more than 40 recorded sessions from LinuxCon + ContainerCon, including keynotes from Joe Beda, Jim Whitehurst, Cory Doctorow, and more.

Keynote: Beyond Measure: The True Power and Skill of Collaboration by Dr. Margaret Heffernan

By
The Linux Foundation
-

If your organization is struggling to build teams that work well together, and it feels more like The Hunger Games than a smoothly functioning team, let the tale of the two chicken flocks from Dr. Margaret Heffernan show you the open source way. 

1...682683684...10,743Page 683 of 10,743