Linux Journal

Kernel 5.2-rc1 Is Out, Xfce 4.14 Pre-Release Now Available, Microsoft Open-Sources Its SPTAG Algorithm, South Korean Government Switching to Linux and Arduino Launches Four New Nano Boards

11 hours 10 minutes ago

News briefs for May 20, 2019.

Linux kernel 5.2-rc1 is out. Linus Torvalds writes: "Things look fairly normal. Just about two thirds of the patch is drivers (all over), with the bulk of the rest being arch updates, tooling, documentation and vfs/filesystem updates, of which there were more than usual (the unicode tables for ext4 case insensitivity do end up being a big part of the "bulk" side). But there's core networking, kernel and vm changes too - it's just that the other areas tend to simply be much bulkier."

The first pre-release of Xfce 4.14 is now available. Simon Steinbeiß's blog post covers only the changes in the latest development release, as Xfce 4.12 was released four years ago. Highlights include a fix for FailSafeSession, improvements to vertical blanking support, a new colord front end and much more.

Microsoft recently released its SPTAG algorithm as MIT-licensed open source on GitHub. Ars Technica reports that this algorithm is part of what gives Bing its smarts, noting that "Developers can use this algorithm to search their own sets of vectors and do so quickly: a single machine can handle 250 million vectors and answer 1,000 queries per second." This release is part of the company's effort to "Democratize AI".

The South Korean government plans to switch to Linux as the end of Windows 7 support nears. According to ZDNet, "the nation's Interior Ministry last week announced plans for a potentially major Linux deployment as part of a plan to cut tech costs and reduce its reliance on a single operating system. It's not known what mix of Windows 7 and Windows 10 the Korean government currently uses, however the plan to adopt Linux more widely comes as organizations around the world prepare for the end of Windows 7 support on January 14, 2020."

The Arduino team announced the launch of four new Nano boards: Arduino Nano Every, "perfect for everyday projects"; Arduino Nano 33 IoT, "small, secure, and Internet-connected"; Arduino Nano 33 BLE, "small, low-power, and Bluetooth-connected"; and Arduino Nano BLE Sense, "small, low-power, and Bluetooth-connected with a wide range of on-board sensors". The boards start at just $9.90 for the Nano Every. Arduino co-founder Massimo Banzi commented that the new Nanos "are for those millions of makers who love using the Arduino IDE for its simplicity and open source aspect, but just want a great value, small and powerful board they can trust for their compact projects".

Jill Franklin

Data in a Flash, Part II: Using NVMe Drives and Creating an NVMe over Fabrics Network

14 hours 8 minutes ago
by Petros Koutoupis

By design, NVMe drives are intended to provide local access to the machines they are plugged in to; however, the NVMe over Fabric specification seeks to address this very limitation by enabling remote network access to that same device.

This article puts into practice what you learned in Part I and shows how to use NVMe drives in a Linux environment. But, before continuing, you first need to make sure that your physical (or virtual) machine is up to date. Once you verify that to be the case, make sure you're able to see all connected NVMe devices:

$ cat /proc/partitions |grep -e nvme -e major
major minor  #blocks  name
 259        0 3907018584 nvme2n1
 259        1 3907018584 nvme3n1
 259        2 3907018584 nvme0n1
 259        3 3907018584 nvme1n1

Those devices also will appear in sysfs:

$ ls /sys/block/|grep nvme
nvme0n1
nvme1n1
nvme2n1
nvme3n1

If you don't see any connected NVMe devices, make sure the kernel module is loaded:

petros@ubu-nvme1:~$ lsmod|grep nvme
nvme                   32768  0
nvme_core              61440  1 nvme

Next, install the drive management utility called nvme-cli. This utility is defined and maintained by the very same NVM Express committee that defined the NVMe specification. The nvme-cli source code is hosted on GitHub. Fortunately, some operating systems offer this package in their internal repositories. Installing it on the latest Ubuntu looks something like this:

petros@ubu-nvme1:~$ sudo add-apt-repository universe
petros@ubu-nvme1:~$ sudo apt update && sudo apt install nvme-cli

Using this utility, you're able to list more details of all connected NVMe drives (note: the tabular output below has been reformatted and truncated to better fit here):

$ sudo nvme list
Node          SN             Model                                    Namespace  Usage               Format        FW Rev
--------------------------------------------------------------
/dev/nvme0n1  PHLF814001...  Dell Express Flash NVMe P4500 4.0TB SFF  1          4.00 TB / 4.00 TB   512 B + 0 B   QDV1DP12
/dev/nvme1n1  PHLF814300...  Dell Express Flash NVMe P4500 4.0TB SFF  1          4.00 TB / 4.00 TB   512 B + 0 B   QDV1DP12
/dev/nvme2n1  PHLF814504...  Dell Express Flash NVMe P4500 4.0TB SFF  1          4.00 TB / 4.00 TB   512 B + 0 B   QDV1DP12
/dev/nvme3n1  PHLF814502...  Dell Express Flash NVMe P4500 4.0TB SFF  1          4.00 TB / 4.00 TB   512 B + 0 B   QDV1DP12

Note: if you don't have a physical NVMe drive connected to your machine but still want to follow along (in limited form), you can install and simulate an NVMe controller plus drive(s) in the latest VirtualBox virtualization application.
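The checks above (driver loaded, namespaces visible, model and size per drive) can also be answered from sysfs alone on a box where nvme-cli is not installed. The script below is an added example, not part of the article; it assumes the kernel's nvme sysfs attributes (model, serial, firmware_rev under /sys/class/nvme/<controller>), the non-multipath layout where each namespace directory sits under its controller, and a sysfs root passed as a parameter so it can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example (not from the article): an "nvme list"-style inventory built only
# from sysfs. Assumptions: /sys/module/nvme exists when the driver is loaded,
# /sys/class/nvme/<ctrl>/{model,serial,firmware_rev} describe each controller,
# /sys/class/nvme/<ctrl>/<ctrl>n<N> is a namespace (non-multipath layout), and
# /sys/block/<ns>/size holds the namespace size in 512-byte sectors.
set -eu

# Print "module loaded" or "module missing" for the nvme driver under sysfs root $1.
nvme_module_state() {
    if [ -d "$1/module/nvme" ]; then
        echo "module loaded"
    else
        echo "module missing"
    fi
}

# Print one line per namespace under sysfs root $1:
#   /dev/<ns> <serial> <model> <firmware> <size> GiB
# Prints nothing when no controller is present (for example, before the driver loads).
nvme_inventory() {
    root=$1
    for ctrl in "$root"/class/nvme/nvme*; do
        [ -d "$ctrl" ] || continue            # glob matched nothing: no controllers
        model=$(sed 's/[[:space:]]*$//' "$ctrl/model")        # strip padding
        serial=$(sed 's/[[:space:]]*$//' "$ctrl/serial")
        fw=$(sed 's/[[:space:]]*$//' "$ctrl/firmware_rev")
        for ns in "$ctrl"/nvme*n*; do
            [ -d "$ns" ] || continue          # controller without namespaces
            name=${ns##*/}
            sectors=$(cat "$root/block/$name/size")
            gib=$((sectors * 512 / 1024 / 1024 / 1024))
            printf '/dev/%s %s %s %s %s GiB\n' "$name" "$serial" "$model" "$fw" "$gib"
        done
    done
}

# Run against the live system; on a host without NVMe this prints "module missing"
# and an empty inventory.
nvme_module_state /sys
nvme_inventory /sys
```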


Hewlett Packard Enterprise to Buy Cray, ManagedKube Launches k8sBot, Purism's Librem One Suite Surpasses Crowdfunding Goal, Cloudflare Announces Support of BinaryAST and the Zombieload Intel Processor Vulnerability

3 days 11 hours ago

News briefs for Friday, May 17, 2019.

Hewlett Packard Enterprise to buy supercomputer-maker Cray. Bloomberg reports that the deal is "valued at about $1.4 billion as the firm works to become more competitive in high-end computing", and "Cray investors will get $35 a share in cash".

ManagedKube launches k8sBot, "an app that provides a point-and-click user interface for Kubernetes in Slack", available on the Google Cloud Platform (GCP) Marketplace. From the press release: "Companies can now ensure that all their team members have access to Kubernetes information. ManagedKube's k8sBot provides an easy-to-use interface in Slack so users can retrieve pod status, get pod logs, and get real-time troubleshooting recommendations with just one click. DevOps teams can get more done with k8sBot by easily sharing Kubernetes information in Slack, where team discussions are already happening, and automating DevOps support by democratizing access to Kubernetes information." You can install ManagedKube's k8sBot from here.

Purism's Librem One Suite surpasses its crowdfunding goal after two weeks, demonstrating the "demand for ethical alternatives to Big Tech as data privacy snafus continue to plague users on a weekly basis". The Librem One Suite includes "end-to-end encrypted chat, end-to-end encrypted mail, and end-to-end encrypted VPN, as well as an open public social network. More services, such as end-to-end encrypted cloud storage, payments, and phone service, will be built in the future and added to the bundle. All current and future services in Librem One have no ads, do not track users, do not look at, sell, or share anything people create or send, and are available on popular platforms like Android and iOS." See Founder and CEO Todd Weaver's blog post "5000 Happy Librem One Users!" for more details.

Cloudflare this morning announces its support of BinaryAST. From the press release: "BinaryAST is a new over-the-wire format for JavaScript proposed and actively developed by Mozilla that aims to speed up parsing while keeping the semantics of the original JavaScript intact." See also the Cloudflare blog post "Faster script loading with BinaryAST" and VentureBeat's "Cloudflare-supported BinaryAST promises dramatically faster JavaScript apps" for more information.

Researchers have discovered another Intel processor vulnerability called Zombieload. According to ZDNet, "The researchers have shown a Zombieload exploit that can look over your virtual shoulder to see the websites you're visiting in real-time. Their example showed someone spying on another someone using the privacy-protecting Tor Browser running inside a virtual machine (VM)." But there's some good news: "To defend yourself, your processor must be updated, your operating system must be patched, and for the most protection, Hyper-Threading disabled. When Meltdown and Spectre showed up, the Linux developers were left in the dark and scrambled to patch Linux. This time, they've been kept in the loop."

Jill Franklin

FOSS Project Spotlight: Bareos, a Cross-Network, Open-Source Backup Solution

3 days 13 hours ago
by Heike Jurzik a…

Bareos (Backup Archiving Recovery Open Sourced) is a cross-network, open-source backup solution that preserves, archives and recovers data from all major operating systems. The Bareos project started 2010 as a Bacula fork and is now being developed under the AGPLv3 license.

The client/server-based backup solution is actually a set of computer programs (Figure 1) that communicate over the network: the Bareos Director (BD), one or more Storage Dæmons (SD) and the File Dæmons (FD). Due to this modular design, Bareos is scalable—from single computer systems (where all components run on one machine) to large infrastructures with hundreds of computers (even in different geographies).

Figure 1. A Typical Bareos Setup: Director (with Database), File Dæmon(s), Storage Dæmon(s) and Backup Media

The director is the central control unit for all other dæmons. It manages the database (catalog), the connected clients, the file sets (they define which data Bareos should back up), the configuration of optional plugins, before and after jobs (programs to be executed before or after a backup job), the storage and media pool, schedules and the backup jobs. Bareos Director runs as a dæmon.

The catalog maintains a record of all backup jobs, saved files and volumes used. Current Bareos versions support PostgreSQL, MySQL and SQLite, with PostgreSQL being the preferred database back end.

The File Dæmon (FD) must be installed on every client machine. It is responsible for the backup as well as the restore process. The FD receives the director's instructions, executes them and transmits the data to the Bareos Storage Dæmon. Bareos offers pre-packed file dæmons for many popular operating systems, such as Linux, FreeBSD, AIX, HP-UX, Solaris, Windows and macOS. Like the director, the FD runs as a dæmon in the background.

The Storage Dæmon (SD) receives data from one or more File Dæmons (at the director's request). It stores the data (together with the file attributes) on the configured backup medium. Bareos supports various types of backup media, as shown in Figure 1, including disks, tape drives and even cloud storage solutions. During the restore process, the SD is responsible for sending the correct data back to the FD(s). The Storage Dæmon runs as a dæmon on the machine handling the backup device(s).

Backup Jobs

A backup job defines what to back up (FileSet directive for the client), when to back up (schedule) and where to back up (for example, on a disk, tape, etc.). Bareos is quite flexible, and you can mix different directives. So you can have different job definitions (resources), backing up different machines, but using the same schedule, the same FileSet and even the same backup medium.

Heike Jurzik and Maik Aussendorf

IPFire 2.23 - Core Update 131 Has a New Intrusion Prevention System, The Linux Foundation Launches the Urban Computing Foundation, the Atomic Pi Hits Retail, IBM to Expand Its "New Collar" Program to France, and New Capabilities and Services for IBM Z

4 days 11 hours ago

News briefs for May 16, 2019.

IPFire 2.23 - Core Update 131 has been released. This release brings a new Intrusion Prevention System that makes your networks "more secure by deeply inspecting packets and trying to identify threats". See the IPFire blog for more details and instructions on how to migrate to the new IPS.

The Linux Foundation announces the formation of the Urban Computing Foundation "to accelerate open source software that improves mobility, safety, road infrastructure, traffic congestion and energy consumption in connected cities. Initial contributors include developers from Uber, Facebook, Google, HERE Technologies, IBM, Interline Technologies, Senseable City Labs, StreetCred Labs and University of California San Diego (UCSD)." The Foundation's first project is kepler.gl, "an open-source geospatial analysis tool created by Uber for building large-scale data sets".

The Atomic Pi has recently hit retail channels after its successful Kickstarter campaign (although it's currently sold out). Phoronix reports that the $35 Atomic Pi "offers an Intel Atom x5-Z8350 quad-core, 2GB DDR3L-1600 memory, 16GB eMMC, SD slot, USB 3.0/2.0 ports, 802.11ac WiFI, Bluetooth 4.0, and Gigabit Ethernet". The article also notes that "It's quite a board for the price and to compete with the likes of the Raspberry Pi." Go to Digital Loggers for more information.

IBM announces it will expand its "New Collar" program into France, "as part of a commitment to help prepare the French workforce for the business and social transformation being driven by hybrid cloud, digital and AI technologies." IBM plans to launch P-TECH schools in France to "provide technical and professional educational opportunities to young people, primarily from disadvantaged backgrounds". It also is launching "SkillsBuild, a new digital platform, which provides job seekers—including those returning to work after leave, the long-term unemployed, migrants, veterans and those changing professions—with the digital content, personalized coaching and experiential learning they need to gain technical and professional skills required to re-enter the workforce." Read the press release for more details.

In other IBM news, IBM this week announced new services and capabilities for IBM Z. One new feature is Tailored Fit Pricing, in which "pricing adjusts with usage, removing the need for complex and restrictive capping, and includes aggressive pricing for growth". The other new feature is IBM z/OS Container Extensions: "With z/OS Container Extensions, customers will be able to access the most recent development tools and processes available in Linux on the Z ecosystem, giving developers the flexibility to build new, cloud-native containerized apps and deploy them on z/OS without requiring Linux or a Linux partition."

Jill Franklin

Signing Git Commits

4 days 13 hours ago
by Kyle Rankin

Protect your code commits from malicious changes by GPG-signing them.

Often when people talk about GPG, they focus on encryption—GPG's ability to protect a file or message so that only someone who has the appropriate private key can read it. Yet, one of the most important functions GPG offers is signing. Where encryption protects a file or message so that only the intended recipient can decrypt and read it, GPG signing proves that the message was sent by the sender (whoever has control over the private key used to sign) and has not been altered in any way from what the sender wrote.

Without GPG signing, you could receive encrypted email that only you could open, but you wouldn't be able to prove that it was from the sender. But, GPG signing has applications far beyond email. If you use a modern Linux distribution, it uses GPG signatures on all of its packages, so you can be sure that any software you install from the distribution hasn't been altered to add malicious code after it was packaged. Some distributions even GPG-sign their ISO install files as a stronger form of MD5sum or SHA256sum to verify not only that the large ISO downloaded correctly (MD5 or SHA256 can do that), but also that the particular ISO you are downloading from some random mirror is the same ISO that the distribution created. A mirror could change the file and generate new MD5sums, and you may not notice, but it couldn't generate valid GPG signatures, as that would require access to the distribution's signing key.

Why Sign Git Commits

As useful as signing packages and ISOs is, an even more important use of GPG signing is in signing Git commits. When you sign a Git commit, you can prove that the code you submitted came from you and wasn't altered while you were transferring it. You also can prove that you submitted the code and not someone else.

Being able to prove who wrote a snippet of code isn't so you know who to blame for bugs so the person can't squirm out of it. Signing Git commits is important because in this age of malicious code and back doors, it helps protect you from an attacker who might otherwise inject malicious code into your codebase. It also helps discourage untrustworthy developers from adding their own back doors to the code, because once it's discovered, the bad code will be traced to them.

How to Sign Git Commits

The simplest way to sign Git commits is by adding the -S option to the git commit command. First, figure out your GPG key ID with:

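To see what the -S option in the article above buys you, here is an added example (not from the article): it signs one commit with a throwaway GPG key, then rewrites that commit without a signature and shows how git's verification distinguishes the two. It assumes git and GnuPG 2.x are installed; the key identity "Demo Signer <demo-signer@example.invalid>" is constructed, and everything runs in temporary directories so the real keyring is untouched.

```shell
#!/bin/sh
# Added example (not from the article): sign a commit with a throwaway GPG key,
# then show what git reports for a signed commit versus one rewritten without a
# signature. Assumes git and gpg (GnuPG 2.x) are installed; the signer identity
# below is constructed for the demo.
set -eu

# Generate a passphrase-less RSA signing key inside the GNUPGHOME exported by
# the caller and print its key ID (field 5 of the "sec" record in colon output).
setup_signing_key() {
    gpg --batch --quiet --gen-key >/dev/null 2>&1 <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Key-Usage: sign
Name-Real: Demo Signer
Name-Email: demo-signer@example.invalid
Expire-Date: 0
%commit
EOF
    gpg --batch --list-secret-keys --with-colons | awk -F: '$1 == "sec" { print $5; exit }'
}

# Create a repository configured to sign with key ID $1 and print its path.
init_repo() {
    repo=$(mktemp -d)
    git -c init.defaultBranch=main init -q "$repo"
    git -C "$repo" config user.name "Demo Signer"
    git -C "$repo" config user.email "demo-signer@example.invalid"
    git -C "$repo" config user.signingkey "$1"
    git -C "$repo" config gpg.program gpg
    printf 'hello\n' > "$repo/README"
    git -C "$repo" add README
    echo "$repo"
}

# The -S option from the article: sign the commit with the configured key.
commit_signed() {
    git -C "$1" commit -q -S -m "signed change"
}

# Rewrite HEAD without a signature. Anyone altering history without the private
# key is in this position: they can change the commit but not re-sign it.
rewrite_unsigned() {
    git -C "$1" commit -q --amend --no-gpg-sign -m "rewritten without a signature"
}

# Signature status of HEAD as git's %G? placeholder reports it:
# G = good signature, B = bad, U = good but key trust unknown, E = key missing, N = none.
sig_status() {
    git -C "$1" log -1 --format='%G?'
}

# Exit status of git verify-commit as 0/1: 0 only for a good signature from a known key.
verify_head() {
    if git -C "$1" verify-commit HEAD >/dev/null 2>&1; then echo 0; else echo 1; fi
}

# Run the sequence and print: "<status after -S> <verify> <status after rewrite> <verify>".
run_demo() {
    GNUPGHOME=$(mktemp -d)
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    key=$(setup_signing_key)
    repo=$(init_repo "$key")
    commit_signed "$repo"
    before="$(sig_status "$repo") $(verify_head "$repo")"
    rewrite_unsigned "$repo"
    after="$(sig_status "$repo") $(verify_head "$repo")"
    gpgconf --kill gpg-agent 2>/dev/null || true   # tidy up the agent for the temp home
    echo "$before $after"
}

DEMO_RESULT=$(run_demo)
echo "$DEMO_RESULT"   # expected: G 0 N 1
```

In a review workflow the same check is `git log --show-signature` or `git verify-commit` on the commits you are about to merge; a status other than G (or U for a key you have not yet trusted) means the commit is not what the signer published.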

Nextcloud Partners with Nitrokey, Unauthorized Version of Arch Linux Available from the Microsoft Store, VirtualBox 6.0.8 Released, Help Test Plasma Theme Switching and Intel Announces Major Clear Linux Update

5 days 11 hours ago

News briefs for May 15, 2019.

Nextcloud this morning announced a new partnership with Nitrokey, maker of highly secure, open-source encryption USB keys. From the press release: "The Nitrokey Pro 2 and Nitrokey Storage 2 devices have been verified to work easily with Nextcloud's one-time passwords for secure two-factor authentication (2FA). This protects users' accounts in the event of compromised passwords. Furthermore the USB keys feature a password manager, a cryptographic key store for email encryption and SSH administration. In addition the Nitrokey Storage 2 contains an encryption mass storage drive with the option of hidden volumes." In addition, Nextcloud and Nitrokey will explore further collaboration "especially in the area of end-to-end encryption and secure storage of cryptographic keys". See the Nextcloud blog for more details.

An unauthorized version of Arch Linux for WSL is now available from the Microsoft Store. Bleeping Computer reports that "an Arch Linux team member has also pointed out that the distribution on the Microsoft Store added an unknown repository to the pacman.conf file, so if you install packages through it, it is not known if they have been tampered with."

VirtualBox 6.0.8 has been released. According to Softpedia News, this is a maintenance and stability release, but it does fix some important problems, such as saved state resume failures and mouse click pass-through issues. For Linux platforms, this release also adds "support for shared folders on systems powered by Linux kernel 3.16.35 LTS, support for correctly handling the read-only flag of shared folders, and support for successfully building the VirtualBox kernel module in both non-default and debug build setups." See the full changelog for more information.

KDE needs your help with testing Plasma Theme switching: "Please get one of the Live images with latest code from the Plasma developers hands (or if you build manually yourself from master branches, last night's code should be fine) and give the switching of Plasma Themes a good test, so we can be sure things will work as expected on arrival of Plasma 5.16: KDE neon Unstable Edition and openSUSE Krypton. If you find glitches, please report them here in the comments, or better on the #plasma IRC channel."

Intel announces a major update to Clear Linux and a new developer edition. ZDNet reports that "In the new developer edition, besides giving developers a Linux designed to make the most of Intel hardware, its basic programmer bundles are curated to provide all the relevant developer tools with one installation command." With this update, Clear Linux also includes "Intel hardware optimized programmer software stacks for Deep Learning and Data Analytics".

Jill Franklin

Puppet Redefines Infrastructure Automation

5 days 13 hours ago
by Petros Koutoupis

Puppet has long been regarded as nothing more than an open-source software configuration management tool. The company has become a standard for automating the delivery and operation of the software that powers everything around us. Well, this is about to change. Puppet has evolved and has positioned itself to tackle enterprise-grade problems. All of this, and more, was announced on May 2, 2019.

So what makes this announcement so exciting? I sat down with Matt Waxman, Puppet's Head of Products to learn more.

Petros Koutoupis: Please introduce yourself to our readers.

Matt Waxman: I have been the Head of Products at Puppet since 2017. I have been in the Product space for at least 20 years, largely focused on infrastructure. Before coming to Puppet, I was in data storage backup, replication and disaster recovery. I am the guy who deals with roadmaps and user experience across our product portfolio.

Petros: What can you tell us about this announcement?

Matt Waxman: Automation of more than just the state of your virtual machines, containers and so on is extremely important. How do you enable more teams? It is all about service, safety and quality of delivery. This is what we are doing with Puppet to serve those exact needs. And with our latest release 2019.1, we simplify the experience in automation to meet those demands.

We enhanced our agentless and agent-based capabilities, such as supporting the automation of network devices (for example, Cisco and Palo Alto) and giving users the ability to automate anything and anywhere quickly, efficiently, safely and at scale. But some of our most notable changes are centered around our agentless task runner, Bolt. We introduced it about a year and a half ago. Bolt is an automation tool built to automate anything in your infrastructure without the hassle. It was very well received by the Open Source community. What is new here though is we have found that more and more customers and users are starting to automate from a development perspective. Developers have a constant need to stand up an infrastructure quickly for both testing and support. Not only did we make Bolt more user-friendly for the broader community, but we also added YAML support.

Petros: Why is this announcement so exciting?

Matt Waxman: The demand for infrastructure-focused automation is growing, and many companies are unable to scale to meet that demand. With release 2019.1, we made a lot of investment in not only addressing this challenge but also in simplifying the experience.


Update WhatsApp Now, Adobe Warning Creative Cloud Users with Older Apps, Kernels Older than 5.0.8 Are Vulnerable to Remote Code Execution, Schools in Kerala Choose Linux and MakeOpenStuff Is Launching the HestiaPi Touch Smart Thermostat

6 days 11 hours ago

News briefs for May 14, 2019.

A vulnerability in WhatsApp allows spyware to be installed from a single unanswered phone call. The Verge reports that the "spyware, developed by Israel's secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp. Once installed, the spyware can turn on a phone's camera and mic, scan emails and messages, and collect the user's location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole."

Adobe warns Creative Cloud users with older apps. According to Engadget, "The software company has sent out emails to customers warning them of being "at risk of potential claims of infringement by third parties" if they continue using outdated versions of CC apps, including Photoshop and Lightroom. These emails even list the old applications installed on the subscribers' systems, and in some cases, they mention what the newest available versions are." Users are being told they are no longer licensed to use the apps and that they need to update to the latest authorized version.

Linux systems running distros with kernels older than 5.0.8 are vulnerable to remote code execution. From Bleeping Computer: "Potential attackers could exploit the security flaw found in Linux kernel's rds_tcp_kill_sock TCP/IP implementation in net/rds/tcp.c to trigger denial-of-service (DoS) states and to execute code remotely on vulnerable Linux machines. The attacks can be launched with the help of specially crafted TCP packets sent to vulnerable Linux boxes which can trigger use-after-free errors and enable the attackers to execute arbitrary code on the target system." The vulnerability is being tracked as CVE-2019-11815.

Schools in the Indian state of Kerala have chosen Linux as their OS, which will save them roughly $428 million. According to It's FOSS, Kerala is "the first 100% literate Indian state". IT classes have been mandatory since 2003, and the schools started adopting free and open-source software a few years later, with the plan of getting rid of proprietary software in the schools. "As a result, the state claimed to save around $50 million per year in licensing costs in 2015. Further expanding their open source mission, Kerala is going to put Linux with open source educational software on over 200,000 school computers."

MakeOpenStuff is launching a Crowd Supply campaign for HestiaPi Touch, "an open source, smart thermostat for controlling HVAC and water systems". Linux Gizmos writes that the thermostat "runs a Linux-based openHAB stack on an RPI Zero W along with relays, a 3.5-inch display, and temperature, humidity, and pressure sensors". The HestiaPi Touch will cost $95 (without a case) or $145 (with case), and it's expected to ship in October or November. Linux Gizmos notes that "The hackable device competes directly with the $249 Google Nest Learning Thermostat. Unlike the Nest devices, it does not require a cloud connection thereby ensuring privacy and offering full control to the user."

Jill Franklin

CGroup Interactions

6 days 13 hours ago
by Zack Brown

CGroups are under constant development, partly because they form the core of many commercial services these days. An amazing thing about this is that they remain an unfinished project. Isolating and apportioning system elements is an ongoing effort, with many pieces still to do. And because of security concerns, it may never be possible to present a virtual system as a fully independent system. There may always be compromises that have to be made.

Recently, Andrey Ryabinin tried to fix what he felt was a problem with how CGroups dealt with low-memory situations. In the current kernel, low-memory situations would cause Linux to recuperate memory from all CGroups equally. But instead of being fair, this would penalize any CGroup that used memory efficiently and reward those CGroups that allocated more memory than they needed.

Andrey's solution to this was to have Linux recuperate unused memory from CGroups that had it, before recuperating any from those that were in heavy use. This would seem to be even less fair than the original behavior, because only certain CGroups would be targeted and not others.

Andrey's idea garnered support from folks like Rik van Riel. But not everyone was so enthralled. Roman Gushchin, for example, pointed out that the distinction between active and unused memory was not as clear as Andrey made it out to be. The two of them debated this issue quite a bit, because the whole issue of fair treatment hangs in the balance. If Andrey's whole point is to prevent CGroups from "gaming the system" to ensure more memory for themselves, then the proper approach to low-memory conditions depends on being able to identify clearly which CGroups should be targeted for reclamation and which should be left alone.

At the same time, the situation could be seen as a security concern, with an absolute need to protect independent CGroups from each other. If so, something like Andrey's patch would be necessary, and many more security-minded developers would start to take an interest in getting the precise details exactly right.

Note: if you're mentioned above and want to post a response above the comment section, send a message with your response text to ljeditor@linuxjournal.com.
