So you have an application that is composed around containers. You have lightweight base images, a centralized container registry, and integration with the deployment and continuous integration (CI) pipeline — everything needed to get containers working at full scale on your hardware. For running a multitier application, you spent time on using a service discovery mechanism for your application containers. You have a logging mechanism that pulls the information out of each container and ships it to a server to be indexed. Using a monitoring tool that is well suited for this era when machines are disposable, you see an aggregate of your monitoring data, giving you a view of the data grouped around container roles. Everything falls nicely into place.
Yasin Sekabira is a graduate of the computer science program at Makerere University in Kampala, Uganda, where he taught himself Linux through the free Intro to Linux course on edX and other online resources. He was one of 14 aspiring IT professionals to receive a 2016 Linux Foundation Training (LiFT) scholarship, announced last month.
He is in the process of bootstrapping a startup and a technology hub to introduce technology to local children who do not have access to computer science education.
Yasin Sekabira is a 2016 LiFT scholarship winner in the Linux newbies category.
Linux.com: Can you tell me more about Kampala?
Yasin Sekabira: Kampala is Uganda’s national and commercial capital city, and it’s a hotbed for young tech entrepreneurs and independent business people. I was born and grew up in KATWE, one of Kampala’s finest suburbs and a center of many DIY technicians, craftsmen and artisans.
Linux.com: What kind of technology training is available?
Yasin: Kampala is surrounded by an increasing number of higher institutions of education offering technology-based degree courses, and short professional courses. Plus, there are also tech business incubators that have done a great job, helping university students to really work on interesting projects. Through these hubs, most students have turned their ideas into tech startups to fully funded tech businesses.
I’m currently working hard on my hub Katwe COLAB. In KATWE, many young men resort to minor theft and it grows from there. Many kids drop out from school mainly due to fees and bad urban tribes. And I just wish the Hub can change that through technology innovation.
Linux.com: What kind of business is your new startup?
Yasin: We are iterating in search of that Facebook Million Dollar idea. But our business is focused at the moment on designing and developing Mobile/Web Apps and providing IT Consultancy to our clients.
Linux.com: How did you start it?
Yasin: It all started back in the hood, in Katwe, where I grew up. Many young men there are independent business owners, and I really grew up with these big dreams to follow their lead. Then we were lucky: our big brother bought us an IBM Pentium 3 desktop PC. I loved it. It changed our thinking. I played a lot of games and really learned how to use a computer. Then my other brother had just finished form six (high school); in his vacation he joined a small institution to learn computer networks, and luckily he taught me IP addressing. I was just 14 years old.
Then my brother figured out how to make money with computers and he started a Computer Repair Workshop. It was fun, it paid us, and we established ourselves. This helped me to start, in 2011 during my first year at college, an internet café and it helped shape my little admin skills. I didn’t focus on it very much. College was fun and I fell in love with programming and Linux. The splash screen during booting blew my mind, and I jumped on the OpenSuse wagon.
And then in 2012 me and my buddy won the Orange innovation awards from the French telecom, Orange, which sold their Ugandan stake to Africell in 2014. Orange Uganda organized innovation awards every year for the most impressive ideas in mobile app development. These awards allowed young developers in Uganda to suggest an innovative application that could be used in agriculture, health, or education. The award came with a stipend and an internship at the telecom giant. Plus, lessons on how to do a legal entrepreneurial business and ace your startup.
We started a business, but doing a startup is not romantic. It takes commitment. Long hours of work, money problems, all of these things force you to get employed and maybe do a startup part-time. Especially in UG where tech is still in its infancy. Many people are changing slowly, and change takes some time. You have to be patient and stay focused.
Linux.com: How do you plan to use your LiFT Scholarship?
Yasin: Being a LiFT Scholarship 2016 recipient on paper is like a dream come true. It’s an opportunity to work even harder, train harder, and stay competitive in what you really do best.
Today open source and Linux are absolutely up there in the top; it’s an opportunity to sharpen my open source skills from newbie to Ninja Pro. With The Linux Foundation and Linus Torvalds, you just feel like you’re learning and mastering kung fu from Bruce Lee.
The LiFT Scholarship will help me to prepare for my LFCE (Linux Foundation Certified Engineer), and hopefully pass it and add it to my belt. The LFCE badge really shows the world that you can play like Messi or score like T. Henry of Arsenal.
Linux.com: How will it help you advance your start-up?
Yasin: I think I always wanted to work on an open source project, and down in my mind I always felt like I don’t have the skills. With the LiFT Scholarship, it has motivated me ever since I received the mail that I was a winner of the LiFT Scholarship 2016. Since then, I have been reading a lot and I think I’m leveling up. I just feel the energy, and hopefully I can tinker with any open source project at my start-up.
Secondly, I think the LiFT Scholarship will help me to pimp my Katwe CoLAB that I’m currently working on and hopefully inspire the next generation in KATWE to think differently.
Security of the boot chain is a vital component of any other security solution, said Matthew Garrett of CoreOS in his presentation at Linux Security Summit. If someone is able to tamper with your boot chain then any other security functionality can be subverted. And, if someone can interfere with your kernel, any amount of self-protection the kernel might have doesn’t really matter.
“The boot loader is in a kind of intermediate position,” Garrett said. It can modify the kernel before it passes control to it, and then there’s no way the kernel can verify itself once it’s running. In the Linux ecosystem, he continued, the primary protection in the desktop and server space is UEFI secure boot, which is a firmware feature whereby the firmware verifies a signature on the bootloader before it executes it. The bootloader in turn verifies a signature on the next step of the boot process, and so on.
Garrett admitted that it’s difficult to protect against hardware attacks in any straightforward way. If someone has a hardware keylogger, for example, secure boot will not help you there. But, he said, “there are other things we can protect against, and measured boot is a component of such protection.”
“Measured boot is based around trusted computing,” Garrett explained. One of the hardware components of trusted computing is the trusted platform module (TPM).
Something Magical
At boot time, Garrett said, we measure things, and we store those measurements in platform configuration registers (PCRs). The idea is to store something that represents the next part of the boot process. So, the firmware measures the boot sector, the boot sector measures the boot loader, and the boot loader measures the kernel. PCRs, however, are not directly writable; you have to ask the TPM to store some data in there and then “something magical happens.”
If you could set PCR values directly, you could potentially change values at any point and defeat the object entirely. To prevent this, the existing value of the PCR is taken along with the new value, and they are concatenated, producing a 40-byte value. Then, the hash of that value is taken and that is the value that is stored. Like magic.
Alongside the PCRs there’s an associated log, and each measurement event also results in a new log entry describing the value. However, the log is stored in RAM, not in the TPM, and is easily overwritten — more on this later.
To have measured boot, Garrett continued, you need to be able to measure each component, which means you need firmware that can do this and you need support in the later part of the bootchain. However, no standard Linux bootloader does this out of the box, he said.
So, Garrett decided to write his own support code, which is partly based on trusted GRUB and partly written from scratch. And, now he has a bootloader that supports measuring the kernel, but things are not so simple. Other things can occur to alter the security of the system, Garrett said. The configuration that’s passed to the kernel, for example, is very relevant. The command line is relevant. And, measuring what happens during the GRUB phase is pretty important.
Known Policy
Let’s go back to the logfile mentioned earlier — it’s just stored in RAM so it can be overwritten, but Garrett described improvements that involve matching a known policy against log entries. Where does this policy come from? CoreOS builds it automatically. As of three months ago, Garrett said, every release they build ships with a file describing the known good hashes for every component of the operating system and a policy that describes a valid GRUB configuration. Nonetheless, he said, this approach is not complete. You still need to validate firmware — which is not provided by CoreOS — and he doesn’t know any firmware vendors doing that.
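The extend operation from the “Something Magical” section and the log-versus-policy check just described, worked through as an added Python example (this is not Garrett’s bootloader code and not CoreOS’s policy file format). The 40-byte value in the talk is two SHA-1 digests: the current 20-byte PCR and the 20-byte hash of the component being measured. Replaying a log with the same operation and comparing the result to the PCR is how a rewritten log is caught, and comparing each entry to a known-good hash list is the policy check. The log entries, component bytes, and the dict used as a policy are all constructed for the example.

```python
import hashlib

PCR_SIZE = 20  # SHA-1 digest length; a TPM 1.2 PCR holds one SHA-1 digest

# Constructed sample event log, one entry per measured component:
# (pcr_index, description, measured_bytes). Real firmware logs record the digest
# plus structured event data; this is a simplification for the example.
SAMPLE_LOG = [
    (4, "boot sector", b"example MBR contents"),
    (4, "boot loader", b"example GRUB image"),
    (4, "kernel", b"example vmlinuz"),
    (4, "kernel command line", b"console=ttyS0 root=/dev/sda2 ro"),
]

def pcr_extend(current, measurement):
    """PCR' = SHA1(PCR || SHA1(measurement)).
    Two 20-byte digests concatenated give the 40-byte value the talk describes;
    only the hash of that value is stored, never the value itself."""
    if len(current) != PCR_SIZE:
        raise ValueError("PCR value must be 20 bytes")
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(current + digest).digest()

def replay_log(log, pcr_index):
    """Recompute a PCR from its log entries, starting from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for idx, _desc, data in log:
        if idx == pcr_index:
            pcr = pcr_extend(pcr, data)
    return pcr

def log_matches_pcr(log, pcr_index, reported_pcr):
    """The log lives in RAM and can be rewritten; the PCR cannot. A log that no
    longer replays to the PCR value has been altered or is incomplete."""
    return replay_log(log, pcr_index) == reported_pcr

def build_policy(log):
    """Known-good hash list of the kind a release build can generate automatically:
    component description -> hex SHA-1 of its expected contents."""
    return {desc: hashlib.sha1(data).hexdigest() for _idx, desc, data in log}

def check_policy(log, known_good):
    """Compare every log entry against the policy; returns (description, status) pairs."""
    findings = []
    for _idx, desc, data in log:
        h = hashlib.sha1(data).hexdigest()
        if desc not in known_good:
            findings.append((desc, "unknown component"))
        elif known_good[desc] != h:
            findings.append((desc, "hash mismatch"))
        else:
            findings.append((desc, "ok"))
    return findings

if __name__ == "__main__":
    pcr4 = replay_log(SAMPLE_LOG, 4)
    print("PCR4 replayed from log:", pcr4.hex())
    print(check_policy(SAMPLE_LOG, build_policy(SAMPLE_LOG)))
```

Two properties matter for a defender reading this: the order of extends is part of the result, so swapping two components changes the PCR even when the same hashes are present, and a log that replays correctly but contains a component absent from the policy is still a finding, which is what a release-generated policy adds on top of the TPM’s own guarantee.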
Garrett said you could also ask the TPM to encrypt data and only decrypt it if the PCR values match the imposed policy. He described an example using a one-time password (OTP) generator. You run this, it prints a QR code, and you scan the QR code with your phone. When the system boots, it shows you a 6-digit number, and you make sure that the 6-digit number on your phone is the same as the one on your computer. If the TPM decrypted this number, you know your system has not been tampered with.
An unsolved problem, Garrett said, is that when you upgrade the firmware, the PCR values will change and the disk will refuse to decrypt your OTP key. And then your system won’t boot. A solution is needed that seals the information when you perform system updates, and this problem needs to be solved to make measured boot truly usable, he said.
An audience member asked whether there were plans to upstream Garrett’s trusted GRUB 2 code. The short answer is yes. Garrett said, “After a certain amount of discussion with Richard Stallman, I finally managed to convince him that we could use TPMs for purposes of good rather than being intrinsically evil.”
However, Garrett said, GRUB 2 has new maintainers, with whom he will need to work out some copyright issues. Part of the new code is based on old GRUB, and Garrett can’t assign copyright for code he didn’t write. Ideally, these issues will be addressed, and the code will be upstreamed.
You won’t want to miss the stellar lineup of keynotes, 185+ sessions and plenty of extracurricular events for networking at LinuxCon + ContainerCon Europe in Berlin. Secure your spot before it’s too late! Register now.
When it comes to OpenStack cloud computing distributions, now offered by a variety of vendors, we are at a tipping point. As businesses and organizations demand flexible solutions for deploying cloud solutions based on OpenStack, competition is fierce. With so many vendors competing in this arena, market consolidation was bound to arrive, and it is here. What will the key differentiator be going forward? That would be support.
Just last month, Red Hat announced its latest platform: OpenStack Platform 9. One day later, VMware introduced VMware Integrated OpenStack 3. Both distributions are based on the OpenStack Mitaka release. From Mirantis to Canonical, Hewlett-Packard and others, there are now several OpenStack distribution providers competing with each other, and updates arrive at a rapid-fire pace.
At the same time, there is pronounced market consolidation, which is helping to highlight the importance of hardened, top-notch support. As The Next Platform recently noted: “For commercial-grade OpenStack, the options are pretty much Red Hat, Canonical, Mirantis, Cisco Systems, IBM, Hewlett-Packard Enterprise, and Rackspace Hosting at this point…Mirantis is the last of the free-standing OpenStack distros, unless you count Canonical, which has done well with OpenStack, but Rackspace has the technical chops to compete with its hosted variant and maniacal support.”
A look at the history of seminal technology platforms shows that the winners in this competition will be the players that provide the best support. For example, in the enterprise Linux space, Red Hat has carved out an enormously advantageous position for itself by providing time-tested, solid support. The majority of Red Hat’s existing enterprise customers regularly renew their support subscriptions each year. That creates a constant positive flywheel effect for the company, which now books more than $2 billion in revenues each year — remarkable for a company focused solely on open source.
At this point, most of the key vendors competing in the OpenStack space base their distributions on the same frequently updated open source OpenStack core releases. At their cores, the distributions are not enormously different from each other, but support options and the quality of support vary widely.
Some of the smarter players in the OpenStack arena are banking on this. The folks at Red Hat, of course, know that hardened support for their OpenStack distribution is as important as it is on the Linux side of the company’s business. Rackspace refers early and often, in every forum it can, to its “fanatical support.”
Likewise, Mirantis is circling its wagons around flexible OpenStack support options. The company has announced a joint collaboration with SUSE to offer Mirantis OpenStack customers support for enterprise Linux. Both companies will collaborate technically to establish SUSE Linux Enterprise Server as a development platform for use with Mirantis OpenStack. Most notable of all, though, is a unique twist on this support strategy. Specifically, Mirantis and SUSE will collaborate to support Red Hat Enterprise Linux and CentOS, making Mirantis a one-stop shop for OpenStack support on several leading enterprise Linux distributions.
Consider that for a moment. Mirantis competes directly with Red Hat, but its new partnership will extend an olive branch toward supporting its competitor’s platform.
“Many of our larger customers run two or three different Linux flavors. Now OpenStack users can get support for their major Linux distributions in one place from Mirantis,” said Mirantis co-founder and CMO, Boris Renski. “Thousands of enterprises worldwide across major industries count on SUSE because they offer enterprise-grade, high reliability, bet-your-business service level agreements. Partnering with SUSE gives Mirantis customers access to this support as they build their private cloud.”
A couple of years ago, Renski authored an interesting post on how important broad, flexible support — and lack of vendor lock-in — would eventually become in the OpenStack space. “In this new era it is important to provide compatibility and support for your operating system, running on a variety of virtualization technologies, and across different private and public clouds,” he wrote. It’s even more important now.
Support is a giant cost center for companies that provide it, but those that do it well succeed. In the case of many open source projects, lack of quality support and incomplete documentation are often cited by administrators and decision makers when asked why they don’t favor this or that solution. In the OpenStack race, support is now the critical differentiator.
Want to learn the basics of OpenStack? Take the new, free online course from The Linux Foundation and EdX. Register Now!
Managing log files is becoming increasingly harder with growing amounts of data and differing file formats. Giovanni Bechis, in his upcoming talk at LinuxCon Europe, describes a solution using the ELK stack (Elasticsearch, Logstash, Kibana), which he says lets you easily collect, parse, and manage log files from different sources.
We talked with Bechis, a Software Engineer at SNB S.r.l., to learn more about how ELK can be used to aggregate any kind of data in a productive way.
Giovanni Bechis, Software Engineer at SNB S.r.l.
Linux.com: Can you briefly explain what ELK is?
Giovanni Bechis: ELK stands for Elastic Stack, and it is composed of Elasticsearch, a search engine; Logstash, a log collector; and Kibana, a powerful web interface. The Elastic Stack makes searching and analyzing data easier than ever before by delivering actionable insights in real time from almost any type of structured and unstructured data source.
Linux.com: How does ELK make log management easier?
Giovanni: Log management is easier than before because unstructured log files are now saved in a non-relational database and can be analyzed through a web interface. Through Kibana, you can then create graphs and summarize important information without writing complex programs.
It is easier to manage and merge, for example, log files coming from different email software (e.g., Postfix and OpenSMTPD) and you can look at log files in real time even if they are coming from different hosts. There are also no problems due to the management of very big text files.
Linux.com: Who should be using ELK and why?
Giovanni: Every system administrator that manages more than one server should switch to ELK; managing log files in a multi-server environment could be very complicated, and analyzing data to provide fancy graphs could create a lot of headaches without a good framework to work with.
In an ELK world, all log files have a similar structure (JSON); this way it’s easier to create programs to query log files.
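The two points above, merging Postfix and OpenSMTPD logs from different hosts and giving every entry the same JSON structure, as an added Python example (this is illustrative code, not Logstash’s grok pipeline and not anything from Bechis or SNB). The three syslog lines are constructed; the field names `mta` and `client_ip` are my choice, while `@timestamp` and the `_grokparsefailure` tag follow Logstash’s own conventions.

```python
import json
import re
from datetime import datetime

# Constructed sample lines (not real captures): a Postfix smtpd line from host mx1,
# an OpenSMTPD line from host mx2, and one line that is not syslog at all.
SAMPLE_LINES = [
    "Sep 21 10:15:02 mx1 postfix/smtpd[1234]: connect from unknown[192.0.2.10]",
    "Sep 21 10:15:03 mx2 smtpd[2222]: 1a2b3c4d smtp connected address=198.51.100.5 host=client.example",
    "this line is not syslog at all",
]

# Traditional BSD syslog layout: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<program>[^\[:\s]+)(?:\[(?P<pid>\d+)\])?: (?P<message>.*)$"
)
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_line(line, year=2016):
    """Turn one syslog line into a flat document with a common field set."""
    m = SYSLOG_RE.match(line)
    if not m:
        # Logstash tags a line its pattern cannot parse rather than dropping it,
        # so unparsed input still shows up in searches
        return {"message": line, "tags": ["_grokparsefailure"]}
    # Syslog timestamps carry no year, so the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    program = m["program"]
    if program.startswith("postfix/"):
        mta = "postfix"
    elif program == "smtpd":
        mta = "opensmtpd"
    else:
        mta = "unknown"
    doc = {
        "@timestamp": ts.isoformat(),
        "host": m["host"],
        "program": program,
        "pid": int(m["pid"]) if m["pid"] else None,
        "mta": mta,
        "message": m["message"],
    }
    # Both MTAs log the peer address in different words; one field name lets a single
    # Kibana query cover both
    ip = IPV4_RE.search(m["message"])
    if ip:
        doc["client_ip"] = ip.group(1)
    return doc

def to_ndjson(lines, year=2016):
    """One JSON document per line, the shape Logstash hands to Elasticsearch."""
    return "\n".join(json.dumps(parse_line(line, year)) for line in lines)

if __name__ == "__main__":
    print(to_ndjson(SAMPLE_LINES))
```

The design point is the normalised `client_ip` and `mta` fields: once both mail servers’ lines land in one field set, “connections from this address across all hosts in the last hour” is one query regardless of which MTA wrote the line.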
Linux.com: What are some examples of data other than log files that ELK could be used for?
Giovanni: For some customers, we use ELK to analyze data coming from their management software to be able to detect possible problems in their warehouses. Salesforce and Microsoft use ELK to analyze events generated from their CRM.
Elasticsearch is used without the other parts of the stack as a very powerful search engine by many web sites, from Facebook to MSN, to the New York Times.
Linux.com: Are there other features you’d like to implement? If so, what?
Giovanni: I am working on software to easily create alarms or execute actions if a log entry matches an expression. It will be an open source alternative to “watcher” — an Elasticsearch BV commercial product. We are using it at work to detect anomalies on our email servers and XSS attacks on our hosting platform.
Software-defined storage (SDS) is one of those terms that has been readily hijacked by vendors over the past few years. The term developed from the adoption of software-defined networking (SDN), used to define the separation of control and data traffic in the networking world, which provides the abstraction needed to deliver more efficient network management and to virtualise network functionality.
…Part of the problem with finding an adequate definition is that data storage has two components: both a persistent side for storing and recalling data, and a transmission side to cover how data passes from host to external storage. SDN by contrast only has to worry about the data transit definitions, so has fewer concerns around performance and throughput as far as an individual host is concerned. To add to the confusion, storage is moving back into the server with hyper-converged solutions, making it more difficult to come up with a consistent definition.
The story starts with Stephen M. Cabrinety, the Stanford University Libraries, and NIST’s National Software Reference Library (NSRL). Cabrinety collected more than 50,000 pieces of commercial software and nearly 300 functioning microcomputer systems—some dating back to the mid-1980s. Stanford University Libraries acquired Cabrinety’s collection in 2009, fourteen years after Cabrinety died from Hodgkin’s lymphoma. The acquisition and preservation of the collection had been a dream of his.
One has to wonder why the NIST and NSRL became involved. Truth be told, it’s their job. The agency has been tasked with collecting, archiving, and making verifiable forensic information on individual pieces of software available to public and private organizations. In fact, NSRL is likely the largest publicly-held repository of digital software in the world. The NIST press release Digital Forensics Rescues Retro Video Games and Software explains why the collection is important:…
The Industrial Internet Consortium (IIC), which was founded by AT&T, Cisco, GE, IBM, and Intel, released a common framework for security that it hopes will help industrial Internet of Things (IoT) deployments better address security problems. Security is critical to industrial IoT because attacks could have dire consequences, such as impacting human lives or the environment, said Hamed Soroush, senior research security engineer with Real-Time Innovations and the co-chair of the IIC security working group.
The IIC doesn’t create standards but instead is a consensus-building group that will provide recommendations for organizations building industrial IoT systems. The group’s security framework assesses various types of threats and helps companies protect themselves by providing best practices and strategies to thwart these attacks…
The USB storage driver automatically detects USB flash or hard drives. You can quickly disable USB storage devices under any Linux distribution. The modprobe program is used for automatic kernel module loading, and it can be configured not to load the USB storage driver on demand. This prevents modprobe from loading the usb-storage module, but it does not prevent root (or another privileged program) from loading the module manually with insmod or modprobe. USB sticks containing malware may be used to steal your personal data; it is not uncommon for USB sticks to be used to carry and transmit destructive malware and viruses to Linux-based computers.
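One way to apply that modprobe configuration and then audit a system for it, as an added Python example (not code from the original how-to): it writes a drop-in under a modprobe.d directory with both an `install usb-storage /bin/false` line (modprobe runs that command instead of loading the module) and a `blacklist usb-storage` line (stops alias-based autoloading), then scans the directory and reports whether the module is blocked. The file name `usb-storage.conf` is my choice, and `demo()` runs everything in temporary directories so the example never touches `/etc`.

```python
import os
import tempfile

MODULE = "usb-storage"
CONF_NAME = "usb-storage.conf"  # our choice of name; modprobe reads every *.conf in the directory

# Drop-in content. 'install' makes modprobe run the given command instead of loading
# the module; 'blacklist' stops alias-based autoloading. Neither stops root from
# loading the module by hand with insmod or modprobe, which is the limitation the text notes.
BLOCK_CONF = (
    "# Disable automatic loading of the USB mass-storage driver\n"
    f"install {MODULE} /bin/false\n"
    f"blacklist {MODULE}\n"
)

def write_block_conf(modprobe_dir):
    """Write the drop-in file into modprobe_dir and return its path."""
    path = os.path.join(modprobe_dir, CONF_NAME)
    with open(path, "w") as f:
        f.write(BLOCK_CONF)
    return path

def _module_names(mod):
    # modprobe treats '-' and '_' as equivalent in module names
    return {mod, mod.replace("-", "_"), mod.replace("_", "-")}

def audit_modprobe_dir(modprobe_dir, mod=MODULE):
    """Scan *.conf files and report whether 'mod' is blocked by install and/or blacklist lines."""
    result = {"install_blocked": False, "blacklisted": False, "sources": []}
    names = _module_names(mod)
    for fn in sorted(os.listdir(modprobe_dir)):
        if not fn.endswith(".conf"):
            continue  # modprobe ignores files without the .conf suffix
        with open(os.path.join(modprobe_dir, fn)) as f:
            for raw in f:
                line = raw.strip()
                if not line or line.startswith("#"):
                    continue
                parts = line.split()
                # the conventional blocking commands; any command that does not load
                # the module would work, but these are the ones worth recognising
                if parts[0] == "install" and len(parts) >= 3 and parts[1] in names \
                        and parts[2] in ("/bin/false", "/bin/true"):
                    result["install_blocked"] = True
                    result["sources"].append(fn)
                elif parts[0] == "blacklist" and len(parts) == 2 and parts[1] in names:
                    result["blacklisted"] = True
                    result["sources"].append(fn)
    return result

def is_loaded(mod=MODULE):
    """True if the module is in the running kernel right now (reads /sys/module on Linux).
    The config only affects future loads; an already-loaded driver stays loaded."""
    return os.path.isdir(os.path.join("/sys/module", mod.replace("-", "_")))

def demo():
    """Exercise the functions in temporary directories instead of /etc/modprobe.d."""
    blocked_dir = tempfile.mkdtemp()
    write_block_conf(blocked_dir)
    untouched_dir = tempfile.mkdtemp()
    # a file without the .conf suffix is ignored by modprobe, and so by the audit
    with open(os.path.join(untouched_dir, "usb-storage.disabled"), "w") as f:
        f.write(f"blacklist {MODULE}\n")
    return audit_modprobe_dir(blocked_dir), audit_modprobe_dir(untouched_dir)

if __name__ == "__main__":
    blocked, untouched = demo()
    print("configured dir:", blocked)
    print("untouched dir:", untouched)
    print("usb-storage loaded on this machine:", is_loaded())
```

On a real system the calls are `write_block_conf("/etc/modprobe.d")` as root followed by `audit_modprobe_dir("/etc/modprobe.d")`; `is_loaded()` is the check that tells you whether the driver was already present before the config took effect, since the config does not unload anything.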
OpenDaylight’s fifth release of its SDN platform puts a focus on the cloud, NFV, performance and tools.
The OpenDaylight Project’s effort to create a common platform for network virtualization continues to mature with the unveiling of the group’s fifth release, dubbed “Boron.”
The industry consortium announced the Boron release Sept. 21, a week before the OpenDaylight Summit kicks off in Seattle Sept. 27. Project officials said the new release brings with it improvements around the cloud and network-functions virtualization (NFV), and is the result of contributions by consortium members in a range of areas, including performance and tools.