Feed aggregator

Managing Docker Instances with Puppet

Linux Journal - Thu, 07/20/2017 - 08:40

In a previous article, "Provisioning Docker with Puppet", in the December 2016 issue, I covered one of the ways you can install the Docker service onto a new system with Puppet. By contrast, this article focuses on how to manage Docker images and containers with Puppet.

Categories: Linux News

Getting Sticky with It

Linux Journal - Wed, 07/19/2017 - 08:33

Although they might not be so good for credit cards or floppy disks, magnets are one of those things that always have fascinated me. For the past few years, I've wanted to get a set of the round Zen Magnets to play with—they're sort of like an extra science-y version of LEGOs. Unfortunately, before I was able to purchase any, the US government banned their sale!

Categories: Linux News

Scissors, Paper or Rock?

Linux Journal - Tue, 07/18/2017 - 06:05

In this article, I'm going to tackle a children's game that's extraordinarily complicated, with many variations, and the programming task is going to be quite tricky. Just kidding! Rock Paper Scissors (or RPS, as it's known) is pretty darn easy to simulate because there aren't really many variants or possible outcomes.

Categories: Linux News

Celtra's AdCreator Platform

Linux Journal - Mon, 07/17/2017 - 06:53

Mobile advertising campaigns today are often hampered by broken, non-viewable ads with a poor UX experience. An important open-source initiative aimed at solving this problem and making the web better for all is the AMP Project, which enables the creation of websites and ads that are consistently fast, beautiful and high-performing across devices and distribution platforms.

Categories: Linux News

All Your Accounts Are Belong to Us

Linux Journal - Thu, 07/13/2017 - 08:47

Last weekend my work phone suddenly stopped working. Not the phone itself, but rather all service stopped. I first noticed (of course) due to an inability to load any web pages. Then I tried calling someone and realized my phone was disconnected. In fact, when someone tried to call me, it said the line was no longer in service.

Categories: Linux News

Applied Expert Systems, Inc.'s CleverView for TCP/IP on Linux

Linux Journal - Wed, 07/12/2017 - 10:13

The contemporary data center is typified by an ever-increasing amount of traffic occurring between servers, observes Applied Expert Systems, Inc. (AES), sagely. Fulfilling the logical need to facilitate improved server-to-server communications, AES created CleverView for TCP/IP on Linux, now at v2.7. CleverView provides IT staff access to current and

Categories: Linux News

Sysadmin 101: Alerting

Linux Journal - Tue, 07/11/2017 - 05:59

This is the first in a series of articles on system administrator fundamentals. These days, DevOps has made even the job title "system administrator" seem a bit archaic, much like the "systems analyst" title it replaced.

Categories: Linux News

Android Candy: Exploding Kittens!

Linux Journal - Mon, 07/10/2017 - 07:18

I don't very often play games. I know that seems odd, because I do often write about gaming. Honestly though, I very rarely actually take the time to play video games. Recently, however, there has been an exception to that rule.

Categories: Linux News

Mistral Solutions' 820 Nano SOM

Linux Journal - Fri, 07/07/2017 - 09:56

One of the smallest System on a Module (SOM) solutions currently available in the market—measuring a mere 51mm x 26mm—is Mistral Solutions' 820 Nano SOM. The company predicts that its new 820 Nano SOM solution is "destined to be a preferred SoM in the industry".

Categories: Linux News

Linux for Everyone—All 7.5 Billion of Us

Linux Journal - Thu, 07/06/2017 - 05:58

Linux has long since proven it's possible for one operating system to work for everyone—also that there's an approach to development that opens and frees code so everyone can use it, improve it and assure its freedoms spread to everyone doing the same.

Categories: Linux News

Analyzing Videos for Fun and Profit

Linux Journal - Wed, 07/05/2017 - 05:46

People's phones and all of the various sensors that may be built in to them are a source of scientific data logging that almost everyone carries around. Although the selection of sensors varies from phone to phone, they almost all have a camera. In this article, I take a look at a piece of software called Tracker that can be used to analyze videos you take of experiments.

Categories: Linux News

My free software activities, June 2017

Anarcat - Mon, 07/03/2017 - 11:37

Debian Long Term Support (LTS)

This is my monthly Debian LTS report. This time I worked on Mercurial, sudo and Puppet.

Mercurial remote code execution

I issued DLA-1005-1 to resolve problems with the hg serve --stdio command that could be abused by "remote authenticated users to launch the Python debugger, and consequently execute arbitrary code, by using --debugger as a repository name" (CVE-2017-9462).

Backporting the patch was already a little tricky because, as is often the case in our line of work, the code had changed significantly in newer versions. In particular, the commandline dispatcher had been refactored which made the patch non-trivial to port. On the other hand, mercurial has an extensive test suite which allowed me to make those patches in all confidence. I also backported a part of the test suite to detect certain failures better and to fix the output so that it matches the backported code. The test suite is slow, however, which meant slow progress when working on this package.

I also noticed a strange issue with the test suite: all hardlink operations would fail. Somehow it seems that my new sbuild setup doesn't support doing hardlinks. I ended up building a tarball schroot to build those types of packages, as it seems the issue is related to the use of overlayfs in sbuild. The odd part is my tests of overlayfs, following those instructions, show that it does support hardlinks, so there may be something fishy here that I misunderstand.

This, however, allowed me to get a little more familiar with sbuild and the schroots. I also took this opportunity to optimize the builds by installing an apt-cacher-ng proxy to speed up builds, which will also be useful for regular system updates.

Puppet remote code execution

I have issued DLA-1012-1 to resolve a remote code execution attack against puppetmaster servers, from authenticated clients. To quote the advisory: "Versions of Puppet prior to 4.10.1 will deserialize data off the wire (from the agent to the server, in this case) with an attacker-specified format. This could be used to force YAML deserialization in an unsafe manner, which would lead to remote code execution."

The fix was non-trivial. Normally, this would have involved fixing the YAML parsing, but this was considered problematic because the Ruby libraries themselves were vulnerable and it wasn't clear we could fix the problem completely by fixing YAML parsing. The update I proposed took the bold step of switching all clients to PSON and simply denying YAML parsing from the server. This means all clients need to be updated before the server can be updated, but thankfully, updated clients will run against an older server as well. Thanks to LeLutin at Koumbit for helping in testing patches to solve this issue.

Sudo privilege escalation

I have issued DLA-1011-1 to resolve an incomplete fix for a privilege escalation issue (CVE-2017-1000368 from CVE-2017-1000367). The backport was not quite trivial as the code had changed quite a lot since wheezy as well. Whereas mercurial's code was more complex, it's nice to see that sudo's code was actually simpler and more straightforward in newer versions, which is reassuring. I uploaded the packages for testing and uploaded them a year later.

I also took extra time to share the patch in the Debian bugtracker, so that people working on the issue in stable may benefit from the backported patch, if needed. One issue that came up during that work is that sudo doesn't have a test suite at all, so it is quite difficult to test changes and make sure they do not break anything.

Should we upload on Fridays?

I brought up a discussion on the mailing list regarding uploads on Fridays. With the sudo and puppet uploads pending, it felt really ... daring to upload both packages, on a Friday. Years of sysadmin work hardwired me to be careful on Fridays; as the saying goes: "don't deploy on a Friday if you don't want to work on the weekend!"

Feedback was great, but I was surprised to find that most people are not worried about those issues. I have tried to counter some of the arguments that were brought up: I wonder if there could be a disconnection here between the package maintainer / programmer work and the sysadmin work that is at the receiving end of that work. Having myself to deal with broken updates in the past, I'm surprised this has never come up in the discussions yet, or that the response is so underwhelming.

So far, I'll try to balance the need for prompt security updates and the need for stable infrastructure. One does not, after all, go without the other...

Triage

I also did small fry triage:

Hopefully some of those will come to fruition shortly.

Other work

My other work this month was a little all over the place.

Stressant

Uploaded a new release (0.4.1) of stressant to split up the documentation from the main package, as the main package was taking up too much space according to grml developers.

The release also introduces a limited anonymity option, by blocking serial numbers display in the smartctl output.

Debiman

Also did some small followup on the debiman project to fix the FAQ links.

Local server maintenance

I upgraded my main server to Debian stretch. This generally went well, although the upgrade itself took way more time than I would have liked (4 hours!). This is partly because I have a lot of cruft installed on the server, but also because of what I consider to be issues in the automation of major Debian upgrades. For example, I was prompted for changes in configuration files at seemingly random moments during the upgrade, and got different debconf prompts to answer. This should really be batched together, and unfortunately I had forgotten to use the home-made script I established when I was working at Koumbit which shortens the upgrade a bit.

I wish we would improve on our major upgrade mechanism. I documented possible solutions for this in the AutomatedUpgrade wiki page, but I'm not sure I see exactly where to go from here.

I had a few regressions after the upgrade:

  • the infrared remote control stopped working: still need to investigate
  • my home-grown full-disk encryption remote unlocking script broke, but upstream has a nice workaround, see Debian bug #866786
  • gdm3 breaks bluetooth support (Debian bug #805414 - to be fair, this is not a regression in stretch, it's just that I switched my workstation from lightdm to gdm3 after learning that the latter can do rootless X11!)

Docker and Subsonic

I did my first (and late?) foray into Docker and containers. My rationale was that I wanted to try out Subsonic, an impressive audio server which some friends have shown me. Since Subsonic is proprietary, I didn't want it to contaminate the rest of my server and it seemed like a great occasion to try out containers to keep things tidy. Containers may also allow me to transparently switch to the FLOSS fork LibreSonic once the trial period is over.

I have learned a lot and may write more about the details of that experience soon, for now you can look at the contributions I made to the unofficial Subsonic docker image, but also the LibreSonic one.

Since Subsonic also promotes album covers as first-class citizens, I used beets to download a lot of album covers, which was really nice. I look forward to using beets more, but first I'll need to implement two plugins.

Wallabako

I did a small release of wallabako to fix the build with the latest changes in the underlying wallabago library, which led me to ask upstream to make versioned releases.

I also looked into creating a separate documentation site but it looks like mkdocs doesn't like me very much: the table of contents is really ugly...

Small fry

That's about it! And that was supposed to be a slow month...

Categories: External Blogs

eCosCentric Limited's eCosPro

Linux Journal - Mon, 07/03/2017 - 08:25

In contrast to general-purpose operating systems for the Raspberry Pi, the new eCosPro from eCosCentric Limited is a lightweight, multithreaded, industrial-strength RTOS delivering reduced latency with bounded response times. eCosPro's resource requirements are a fraction of those demanded by a general-purpose OS and maximize the RAM resources available to applications.

Categories: Linux News

FreeDOS Is 23 Years Old, and Counting

Linux Journal - Fri, 06/30/2017 - 15:49

The FreeDOS Project has just reached its 23rd birthday! This is a major milestone for any free software or open-source software project.

Categories: Linux News

J. and K. Fidler's Cut the Cord, Ditch the Dish, and Take Back Control of Your TV (Iron Violin Press)

Linux Journal - Fri, 06/30/2017 - 11:05

Prospective TV cable-cutters, even those with technical abilities, often are flummoxed in the face of choosing between all of the content options and new technologies available. Reliable sources of complete and neutral information in this space are hard to find, and the fun evaporates rapidly when you're faced with hours of stumbling through forums and strings of searches.

Categories: Linux News

Testing Models

Linux Journal - Thu, 06/29/2017 - 06:20

In my last few articles, I've been dipping into the waters of "machine learning"—a powerful idea that has been moving steadily into the mainstream of computing, and that has the potential to change lives in numerous ways.

Categories: Linux News

AWS Quickstart for Kubernetes

Linux Journal - Wed, 06/28/2017 - 11:27

Kubernetes is an open-source cluster manager that makes it easy to run Docker and other containers in production environments of all types (on-premises or in the public cloud). What is now an open community project came from development and operations patterns pioneered at Google to manage complex systems at internet scale.

Categories: Linux News

Steve Suehring's CompTIA Linux+ and LPIC Practice Tests (Sybex)

Linux Journal - Wed, 06/28/2017 - 10:48

Possessing Linux skills is valuable in today's IT job market where demand for talent outstrips supply. Getting certified proves you have the chops to do the job, and two well worn paths to Linux certification are the Computing Technology Industry Association's CompTIA Linux+ and the Linux Professional Institute Certification (LPIC).

Categories: Linux News

Ubuntu Kylin, a Linux Distribution with a Microsoft Windows Experience

Linux Journal - Tue, 06/27/2017 - 09:48

Ubuntu Kylin is an open-source Linux distribution based on Ubuntu since 2013, mainly developed by a Chinese team alongside dozens of Linux developers all over the world. It contains the basic features you would expect from Ubuntu, plus features a desktop environment and applications.

Categories: Linux News

SUSE CaaS Platform

Linux Journal - Mon, 06/26/2017 - 06:33

There are a lot of decisions to be made before enterprises are ready for production and deployment of container apps, asserts SUSE.

Categories: Linux News