Aug 18 2010

Red Hat Pursuing Certification For RHEL 6, Hypervisor

Red Hat is pursuing a certification for its Linux OS and virtualization, paving the way for government agencies to use the technology to create secure, virtualized IT environments and private clouds.

The Linux vendor has entered into an agreement with atsec information security to evaluate Red Hat Enterprise Linux 6 under Common Criteria at Evaluation Assurance Level 4 (EAL4), according to a Red Hat blog post.

Common Criteria (ISO/IEC 15408) is an international standard for evaluating the security of IT products. In the US, evaluations are overseen by the National Information Assurance Partnership (NIAP), and government customers use the resulting certifications when making purchasing decisions.

The evaluation also will cover the KVM hypervisor on both Red Hat Enterprise Linux 5 and Red Hat Enterprise Linux 6. A hypervisor lets several operating systems run as virtual machines on one physical server, reducing the number of machines, and the power, a data center requires.

KVM (Kernel-based Virtual Machine) is the virtualization infrastructure built into the Linux kernel. Red Hat’s virtualization leverages RHEL’s Security-Enhanced Linux (SELinux), a mandatory access control system originally developed by the National Security Agency and now maintained together with the Linux community.

SELinux in particular confines each virtual machine’s process to its own security label, so an intruder who breaks out of one guest is still held to that guest’s label and cannot reach the disk images or processes of the others. Isolating each virtualized resource individually is one of the guidelines the National Institute of Standards and Technology recently offered for addressing common concerns about implementing virtualization.

By including hypervisor technology in its certification, Red Hat will enable government customers to host multiple tenants on a single machine, allowing for a private cloud-computing infrastructure, according to the vendor.

The federal government increasingly is using virtualization to create more efficient and cost-effective data centers as part of a government-wide consolidation effort.

Security has often been an area of concern for people using virtualization technology, but that perception is beginning to change as the technology matures and spreads, and as hypervisor developers take security into account.

Red Hat already has achieved Common Criteria certification 13 different times on four different Linux platforms.

Source


Aug 16 2010

Novell Sends SUSE Linux To Amazon Cloud

Novell disclosed details of a deal with Amazon Web Services (AWS) to provide hourly pricing and support services for SUSE Linux Enterprise Server (SLES) 10 and 11 on Amazon Elastic Compute Cloud (Amazon EC2). The announcement was made last week at LinuxCon in Boston.

Under the contract, both end customers and independent software vendors will pay only for the hours of SLES they use. In addition, Novell is providing a maintenance contract on AWS to allow customers to keep SLES current with bug fixes, patches, and features.

Amazon EC2 customers can buy maintenance subscriptions for enterprise Linux directly on Amazon’s site without signing a separate license agreement, according to Novell.

“Amazon Web Services provides enterprise customers with secure, reliable, and utility-priced computing infrastructure as an on-demand service,” said Terry Wise, director of business development at AWS, in a statement. “We are pleased to see Novell providing an easy way for customers to leverage the enterprise class SUSE Linux distribution on the Amazon EC2 platform. This offering provides enterprise customers and ISVs with a commercially maintained and supported Linux distribution that is easy-to-use and purchase.”

Novell solution providers participating in the developer’s SUSE Cloud Program can resell Novell technical support or offer customers their own support services, backed by Novell’s offerings. Under the SUSE Cloud Program, Novell provides partners with certified Linux applications, a versatile Linux platform, and SUSE Studio, a solution for building cloud-based workloads, said Markus Rex, senior VP and general manager of open platform solutions at the company.

AWS, which expects to hit the $20-billion mark, joins service providers such as Fujitsu, IBM, Tencent, and Vodacom Business in the SUSE Cloud Program. The program includes more than 5,000 ISV applications, according to Novell.

“We are pleased that industry leaders like Amazon Web Services are able to leverage the SUSE Cloud Program to provide even more choices to their customers,” Rex said in a statement.

Source


Aug 16 2010

Debian 6.0 on Track for December Release

After several delays and many months behind schedule, Debian 6.0 appears to be one step closer to release. As of August 6, the testing branch is frozen except for fixes and translation updates. This puts the final release on track to arrive, possibly, by the end of the year.

Neil McGovern, Debian Release Team manager, wrote in from DebConf10 in New York to announce this milestone for Debian 6.0. The freeze had been delayed until the Python 2.6 migration and the glibc update were complete. Now, as a general rule, only critical bug fixes, documentation changes, and translation updates will be accepted into the testing branch. This gives developers the opportunity to polish 6.0 for final release. The last two major versions saw a four-month stabilization period before final release, which suggests 6.0 will arrive sometime in December.

It was over a year ago that Debian developers announced a fixed release schedule much like those of other popular Linux distributions, but scheduling freeze dates every two years rather than release dates. 6.0 was scheduled to be frozen in December 2009 with final release estimated for spring of this year. The freeze was delayed at that time by a large number of release-critical bugs, and while the number has decreased, it is still quite high at 554 affecting Squeeze. That number could very well delay the release until early spring 2011.

The upcoming release will bring some exciting changes. A dependency-based boot sequence (insserv, with init scripts started in parallel) will bring faster system starts. GNOME 2.30, KDE 4.4.5, Linux 2.6.32, X.org 7.5, GCC 4.4, and OpenOffice 3.2.1 are on the menu as well.

Live Squeeze Alpha2 was released July 22.

Source


Aug 16 2010

Spacewalk 1.1 has been released

Hello everyone,

Spacewalk 1.1 has been released!

Server:

* http://spacewalk.redhat.com/yum/1.1/RHEL/5/
* http://spacewalk.redhat.com/yum/1.1/Fedora/12/
* http://spacewalk.redhat.com/yum/1.1/Fedora/13/

Client:

* http://spacewalk.redhat.com/yum/1.1-client/RHEL/5/
* http://spacewalk.redhat.com/yum/1.1-client/Fedora/12/
* http://spacewalk.redhat.com/yum/1.1-client/Fedora/13/

For new installations, consult:

* https://fedorahosted.org/spacewalk/wiki/HowToInstall

For upgrades, consult:

* https://fedorahosted.org/spacewalk/wiki/HowToUpgrade

Features and enhancements:

* First Spacewalk release built in a publicly available build system
- http://koji.spacewalkproject.org/koji

* Spacewalk 1.1 runs on Fedora 13

* Introduction of spacecmd, a command line interface to Spacewalk
- https://fedorahosted.org/spacewalk/wiki/spacecmd

* Support for synchronization of comps files
- https://fedorahosted.org/spacewalk/wiki/Features/CompsSyncing

* support for staging content
- ability to have all updates pulled off Spacewalk onto registered systems prior to the start of a maintenance window

* support for eliminating orphaned (duplicate) profiles
- https://fedorahosted.org/spacewalk/wiki/DuplicateProfiles

* new API calls:
- channel.software.getChannelLastBuildById
- configchannel.listSubscribedSystems
- kickstart.profile.downloadRenderedKickstart
- org.setSoftwareFlexEntitlements
- schedule.rescheduleActions
- system.convertToFlexEntitlement
- system.deletePackageProfile
- system.deleteSystem
- system.listDuplicatesByHostname
- system.listDuplicatesByIp
- system.listDuplicatesByMac
- system.listEligibleFlexGuests
- system.listFlexGuests
- system.listLatestAvailablePackage
- system.listPackageProfiles
- systemgroup.scheduleApplyErrataToActive

* localization updates

Known issues:

* Wrong tomcat6 directory permissions on Fedora 13
- https://bugzilla.redhat.com/show_bug.cgi?id=574593
- https://bugzilla.redhat.com/show_bug.cgi?id=586364
- https://bugzilla.redhat.com/show_bug.cgi?id=605335
- workaround:
chmod g+w /var/log/tomcat6 /etc/tomcat6/Catalina/localhost \
/var/cache/tomcat6 /var/cache/tomcat6/temp /var/cache/tomcat6/work

* cobbler-related SELinux denials on Fedora 12 and Fedora 13:
- https://bugzilla.redhat.com/show_bug.cgi?id=620503
- https://bugzilla.redhat.com/show_bug.cgi?id=621095
- solution: install updated selinux-policy-targeted as noted in
the above bugs

* Deprecation warning during osa-dispatcher start on Fedora 12
and Fedora 13:
- https://bugzilla.redhat.com/show_bug.cgi?id=621204
- https://bugzilla.redhat.com/show_bug.cgi?id=621206

* Documentation search does not work, other searches are unaffected

Contributors:

Thank you goes out to the following people who contributed to
Spacewalk 1.1 release:

* Aron Parsons
* Colin Coe
* James Hogarth
* Joshua Roys
* Lukáš Ďurfina
* Maxim Burgerhout
* Paul Morgan
* Satoru SATOH

Regards
Milan Zázrivec

Source


Aug 6 2010

This is why people think Linux/OSS people are elitists…

So normally Linux User Groups (LUGs) are a safe haven for Q&A. Not tonight. Tonight a CentOS developer named Russ Herrold needed a soapbox. He took what is an often-asked question of any distribution, “Why don’t the packages remain more up-to-date?”, and used it not only to be a complete asshole about the matter, but even to link the mailing list to a CentOS newsletter with his featurette/biography.

For what it’s worth, the question had been answered a few times before this e-mail was even sent, in much nicer and more helpful ways. To be fair, Larry got a bit over-excited in the first place, but having a CentOS developer reply like this is strikingly unnecessary.

Please Linux developers and OSS contributors around the world, don’t be this guy.

Date: Fri, 6 Aug 2010 18:56:18 -0400 (EDT)
From: R P Herrold
To: Larry Siden
cc: LUGWASH
Subject: [WLUG] out-of-date packages on Redhat/Centos

On Thu, 5 Aug 2010, Larry Siden wrote:

> I’ve been using Linux at home for about 7 or 8 years now, first with Gentoo
> (for masochists, I assure you!), and then Ubuntu (so I could have a life
> again). Now I’m beginning to work on several apps on hosted sites that uses
> RH/Centos (I’m not sure which, I just know that I have to install everything
> with yum). When I got my own VPS, I had a choice between Centos and Ubuntu
> 8.10 (again, out-of-date!) and I chose Centos so that I could get to know it
> better.
>
> Whats been “grinding my gears” is that almost everything I use in my day to
> day work is out-of-date.
… snip rant …
> Is there a reason everything has to be so f@#$king out of date on Centos
> installs? Are there more current repositories that I can point yum to, at
> least on the systems I have root access to, without breaking anything?

Well, several reasons actually. Take a deep breath or six if
it ‘grinds your gears’ and consider WHY RHEL/CentOS exist

CentOS is a distribution intended for people who consider a
computer a tool for getting a function done, rather than a toy
to be played with. It does not hurt the CentOS folks’ feelings
a bit that you want more — but you are not gonna’ get it from
CentOS — perhaps from the adjunct archives mentioned. It is
just not our mission nor goal to cater to such.

RHEL, and CentOS are for people who just want a system to run
[and run and run and run, for a seven year span without
physically touching the unit if need be], to be securable, to
have regular updates, and don’t feel the need to chase the
latest fad.

As a production colo, or VPS unit is going to (properly
adminned) NOT have a GUI interface, I don’t even notice the
window manager ‘art’ or colors it might use when started in X
– it is never going to be in R/L 5 anyway. I don’t care it
lacks an audio player by default that handles patent
encumbered MP3 support as the fans in the DC drown out good
listening anyway. I don’t give a hoot that wireless
support is a PITA, as it is going to be running all packets
over wired ethernet anyway. I LIKE IT that volatile devices
such as USB thumb drives require me to mount them (as I am
going to remove the automounter, anyway) to prevent casual
exposure of data.

We have full doco at: http://www.centos.org/docs/, a ton of
original content at http://wiki.centos.org/, forums, mailing
lists, IRC support channels, and more.

Not for everyone, just for folks who don’t want to spend time
tending computers, and would rather get work done.

see:

http://wiki.centos.org/Newsletter/0904

bullet 5

– Russ herrold
herrold@centos.org


Jul 19 2010

Puppet Labs Releases Puppet 2.6

Puppet Labs today unveiled Puppet 2.6, the newest and most comprehensive release of the popular open source configuration management software.

PORTLAND, OR – OSCON – July 19, 2010 – Puppet Labs, the leader in data center automation, today released Puppet 2.6, a major upgrade with a focus on improvements for enterprise environments. Puppet 2.6 includes new functionality and features that make managing servers even easier. To download Puppet 2.6, visit www.puppetlabs.com/.

“The 2.6 release places an even stronger emphasis on the enterprise while also opening up new opportunities for people with varied skill sets to use Puppet,” said Luke Kanies, CEO of Puppet Labs. “Since our last release was 0.25.5, we say that it’s ‘eleventy times better.’ The changes are truly significant because Puppet is now even more capable of making traditionally painful, manual process easier for systems administrators. We’ve also dramatically improved the ability to integrate Puppet with existing systems, making it a platform for automating your infrastructure.”

New features include:

* REST API, making it easier to integrate Puppet with other systems.
* Preliminary Windows support for heterogeneous computing environments.
* Language enhancements and an internal DSL, so administrators who know and want to use pure Ruby for infrastructure development can easily do so.
* Event model, which lays the foundation for powerful reporting and monitoring. It provides structure to data generated by the system and facilitates reporting and analysis, simplifying the identification of infrastructure problems.

Easy to deploy and maintain, Puppet simplifies many standard tasks for systems administrators, while ensuring consistent environments for application engineers. Puppet is cloud-ready, but can also be used with current infrastructure: internal or external clouds, virtual environments, or physical infrastructure. Puppet is supported on a variety of operating systems: Red Hat, CentOS, Fedora, Debian, Ubuntu, SuSE, Solaris, HP-UX, AIX, BSD, Windows, and OS X.

Other additions with Puppet 2.6 include significant work in the core of Puppet to make it easier to work with configuration data, including enhancing how Puppet reports on what it does, adding more audit capabilities and helping export information about the infrastructure environment. The command line interface has also been completely redesigned to allow using a single executable to interact with all of Puppet’s functionality.

Today Puppet Labs also announced a $5 million Series B round of funding from Kleiner Perkins Caufield & Byers, True Ventures, Radar Partners, and Emerson St. Partners. With this new funding, Puppet Labs plans to accelerate the expansion of its engineering team.

For more information about Puppet, visit www.puppetlabs.com. For more information about the 2.6 release visit www.puppetlabs.com/2dot6.

Source


Jul 19 2010

Opening the Rackspace Cloud

Imagine a world where code used by the biggest clouds is freely available to any developer, anywhere. A world where that code was a standard used to build private clouds as well as a variety of new service offers. In this world, workloads could be moved around these clouds easily – you could fire your cloud provider for bad service or lack of features, but not have to rewrite the software to do it. Imagine an open source cloud operating system that lifts IT to the next level of innovation, just as Linux drove the web to new heights.

Today, we at Rackspace launched an ambitious project called OpenStack that aims to make this new world a reality.

I want to lay out the thinking that got us here and why we think this moment will change computing forever.

“The cloud” at its most fundamental level is all about a massive supply increase in computing power. The PC era was all about putting a computer on every desk. The cloud era goes a step further, putting the power of supercomputing at the literal fingertips of every individual at anytime. Whether it’s enabling a youth soccer coach to schedule practice across the online calendars of 18 families, or helping a scientist fold proteins to design new cancer drugs, or encouraging a frontline employee to instantly and cheaply test a new marketing campaign, the exponential growth in computing power and applications is changing every corner of our economy and society. And, this era is truly just beginning. We have seen only a tiny fraction of the potential gains that arise from cheap, ubiquitous computing power.

As this landscape has evolved, some have dismissed cloud computing as just a return to the mainframe era. This view is fundamentally wrong. Mainframes were available to only the smartest employees at the richest companies. The cloud is accessible to all, and usable by anyone, at low cost. Its ubiquity is the source of its power.

However, there is one area where mainframe concepts are intruding into the cloud: the vertically integrated technology stack. As hardware and software merge into services, the danger of locked-down proprietary software stacks is emerging in the cloud space. The cloud world changes everything, and that is not good for many entrenched interests of the old guard. Core technologies from operating systems to hypervisors to databases are being used to tie cloud customers into an integrated view of the world.

If the web has taught us anything, it is that open systems, portability, and choice drive innovation. The open Linux system brought us a mountain of software and tools to help accomplish almost any task. And, each component, whether a database or a widget could be moved in and out freely based on the job getting done.

We at Rackspace have long talked about an “open” cloud. And as a service provider built on our Fanatical Support difference, we have never had an interest in creating technical walls around our service. But, given that no standards tools have emerged to build massively scalable clouds, we too have had to build custom software that creates some level of wall around our cloud offerings. For months we have debated how to drive greater standards and increase the velocity of cloud technologies in general. We finally converged on the obvious answer: open source our cloud technology.

Today, we announced a new open source project that includes those core technologies: OpenStack. And, we are not alone. As we looked at all the projects that already existed to drive standards we saw that other efforts were underway that complemented what we have done. We saw a ton of promise in the Nebula computing project built by NASA and are making it a core part of the project. Taking the contributions of Rackspace and NASA as a starting point, OpenStack forms a powerful foundation of technologies including, a scalable compute provisioning engine – OpenStack Compute – and a fully distributed storage engine – OpenStack Object Storage.

The community, which we plan to actively support and drive, is live today at openstack.org with code available for download.

Last week we assembled a strong group of cloud community leaders and developers to meet and review the architecture, engage on technology direction and contribute code. The effort attracted more than 100 participants from 25 companies including hosting companies, telecom providers, hardware manufacturers, cloud ecosystem companies and beyond. This enthusiasm and collaboration around OpenStack has laid the foundation for a vibrant and innovative approach to building the core software to power the future cloud world.

What do we expect OpenStack to mean for the cloud community? Some pretty major things. One, anyone will be able to run this cloud and do it anywhere. Enterprises and governments will be able to build private clouds. Service providers will have the same technology used by Rackspace and NASA to build new offers. Choice and portability are inevitable in this world. Two, the whole tech ecosystem can build around this foundation. With wide adoption, there will be a market for new services all around this core engine. From storage systems to monitoring tools to management systems, there is no end to what can be attached to the core project. Three, the cloud will advance faster than ever. Between just NASA and Rackspace, an army of developers are committed to the continued advancement of OpenStack. With our emerging supporters in the project, we expect to dramatically expand that army. Finally, a core set of standards will be freely available and totally open. New technologies can be attached. Better solutions will be driven into the product. And, the use of this powerful technology will not tie you to the use of any other technologies.

For our customers, we think there are many benefits that flow from these community gains. Not only will this help our offers develop faster and more transparently, but our customers can run private editions of our core systems in house or in our managed hosting operation.

We could not be more excited about the launch of this project and the enthusiasm around it. As a company that has invested a great deal in the development of cloud technologies, we did not take the decision to open source lightly. We think this decision will serve our interests and those of our customers. While we at Rackspace hire top developers and engineers to make sure our technology is second to none, seeking a technology advantage has never been our approach. We have our own vision about how to deploy this technology and serve customers – by giving them seamless access to scalable computing with the trusting partnership that comes through Fanatical Support. But, there will be many approaches and winning formulas. We think by welcoming those approaches and driving standards and more rapid innovation we will all win.

We hope you join us in this cause. We know there are many parties who might want to join us in the effort, please reach out to us.

We look forward to updating you as we make progress.

Source


Jul 17 2010

openSUSE 11.3 has been released

The openSUSE Project is pleased to announce the release of the latest
incarnation of openSUSE, with support for 32-bit and 64-bit systems. openSUSE
11.3 [1] is packed with new features and updates including SpiderOak to sync
your files across the Internet for free, Rosegarden for free editing of your
audio files, improved indexing with Tracker, and updates to Mozilla Firefox,
and Thunderbird.

Among these many new features, openSUSE also provides support for netbooks and
the Btrfs file system support. Users can expect to see improved hardware
support with the 2.6.34 Linux kernel and updated graphics drivers. And support
for the next generation of interactive computing for touchscreens like the HP
TouchSmart.

openSUSE continues its tradition of delivering the popular KDE, GNOME and Xfce
desktop environments, and now also provides the lightweight LXDE desktop
environment. With GNOME, you can use the latest 2.30.1 version or take your
installation for a drive with a preview of the upcoming GNOME 3.0. Or choose
KDE SC 4.4.4 for the latest updates. They all feature the polish and
integration that the openSUSE distro has been known for.

For a full view check the complete collection of screenshots [2] or install it
right away [3]. As we expect very large demand for the ISOs we suggest you
check out BitTorrent as download method ;-)

For servers and development platforms, administrators can take full advantage
of the new MariaDB and MySQL Cluster services as well as Conntrack to filter
network packets for iptables. Developers will appreciate the plethora of tools
available at their fingertips with GCC, GDB and Mono and IDEs such as
Netbeans, Qt-Creator and many others. This is all on top of the countless
libraries available through the openSUSE Build Service [4] (OBS).

Visit our Product Highlights [5] page for a detailed list of new features.

The next release will be openSUSE 11.4 in March, 2011.

Thank you, and have a lot of fun!

[1] http://wiki.opensuse.org/Portal:11.3
[2] http://wiki.opensuse.org/Screenshots
[3] http://software.opensuse.org/113/en
[4] https://build.opensuse.org/
[5] http://wiki.opensuse.org/Product_highlights

Source


Jul 17 2010

Use Your Own Kernel with Amazon EC2

You can now use the Linux kernel of your choice when you boot up an Amazon EC2 instance.

We have created a set of AKIs (Amazon Kernel Images) which contain the PV-Grub loader. This loader simply chain-boots the kernel provided in the associated AMI (Amazon Machine Image). Net-net, your instance ends up running the kernel in the AMI instead of the kernel specified in the boot process.

You need to install an “EC2 compatible” kernel and create an initrd (initial RAM disk) as part of your AMI. You also need to create a menu (/boot/grub/menu.lst) for the Grub boot loader. Once you’ve done this you can create the AMI and then launch instances by using one of the PV-Grub “kernels” as described above. You may find this document to be helpful if you want to learn more about the Linux boot process.

To be compatible with EC2, a Linux kernel must support Xen’s pv_ops (paravirtual ops) infrastructure with XSAVE disabled, or the Xen 3.0.2 interface. The following kernels have been tested and/or have vendor support:

* Fedora 8-12 Xen kernels
* SLES/openSUSE 10x, 11.0, and 11.1 Xen kernels
* SLES/openSUSE 11.x EC2 Variant
* Ubuntu EC2 Variant
* RHEL 5.x
* CentOS 5.x

Other kernels may not start reliably within EC2. We’re working with the providers of popular AMIs to make sure that they will start to use PV-Grub in the near future.
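The three preparation steps above (EC2-compatible kernel, initrd, /boot/grub/menu.lst) come together in the following added example, which is not code from the AWS post. It writes the menu.lst that a PV-Grub AKI chain-boots from and then checks that every kernel and initrd the menu names actually exists in the image tree, since PV-Grub has no fallback and a typo leaves the instance unbootable. Assumptions not stated in the post: the image is a single filesystem without a partition table (grub root "(hd0)"), the guest sees its root as /dev/sda1, and the paravirtual console is hvc0; the kernel and initrd file names in the demo are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the AWS post: build the /boot/grub/menu.lst that a
# PV-Grub AKI reads, then sanity-check it against the image tree before bundling.
#
# Assumptions (not in the post): single-filesystem image, so grub root is "(hd0)";
# guest root device /dev/sda1; Xen paravirtual console hvc0.

# Print a menu.lst for one kernel/initrd pair (paths as seen from the image root).
# $1 = kernel path, $2 = initrd path, $3 = root device (default /dev/sda1).
pvgrub_menu() {
    kernel="$1"
    initrd="$2"
    rootdev="${3:-/dev/sda1}"
    cat <<EOF
default 0
timeout 0

title EC2 user-provided kernel
    root (hd0)
    kernel $kernel root=$rootdev ro console=hvc0
    initrd $initrd
EOF
}

# Check that every kernel and initrd named in a menu.lst exists below the image
# root. $1 = image root directory, $2 = menu.lst path.
# Returns 1 and lists what is missing; returns 0 when the menu is consistent.
check_menu() {
    image_root="$1"
    menu="$2"
    status=0
    for path in $(awk '$1 == "kernel" || $1 == "initrd" { print $2 }' "$menu"); do
        if [ ! -f "$image_root$path" ]; then
            echo "missing: $image_root$path" >&2
            status=1
        fi
    done
    return $status
}

# Stand-alone demonstration on a constructed image tree: empty placeholder
# files stand in for a real kernel and initrd.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/boot/grub"
    : > "$root/boot/vmlinuz-ec2"        # constructed placeholder
    : > "$root/boot/initrd-ec2.img"     # constructed placeholder
    pvgrub_menu /boot/vmlinuz-ec2 /boot/initrd-ec2.img > "$root/boot/grub/menu.lst"
    cat "$root/boot/grub/menu.lst"
    check_menu "$root" "$root/boot/grub/menu.lst" && echo "menu.lst OK"
    rm -rf "$root"
}

demo
```

Run pvgrub_menu against a mounted image root and pass the same root to check_menu before bundling; if the image has a partition table, the AWS document describes a separate "hd00" family of PV-Grub AKIs, and the grub root line must match the AKI chosen.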

You can read more about this in our “Enabling User Provided Kernels in Amazon EC2” document.

– Jeff;

Source


Jun 14 2010

Can using sudo provide Defense in Depth benefits?

With a typical configuration the use of sudo provides no real protection against an attacker who already controls the user’s unprivileged session. The user either enters their own password or the root password to gain full root access; in either case the attacker can exploit the session and capture the password. A session exploit is easily arranged by defining a shell function or alias that makes “sudo” run something else (for example a wrapper that records the password and sends it out over the network with netcat before invoking the real sudo).

One way of making this sort of attack more difficult is to make root own the user home directory, files such as ~/.login that are used by the user shell, the ~/.ssh directory and the ~/.ssh/authorized_keys file. This way a hostile party can’t change the configuration, so a successful attack has to involve a long running process that uses ptrace to intercept the shell and divert an attempt to run sudo.

If the non-root user is prevented from using ptrace then things start to become a little more difficult for the attacker. In some quick tests I was able to capture about half the data through messing with /proc/X/fd/0 and /proc/X/fd/1 for a target process, but it seems that it would be difficult to get an entire password that way. To disable ptrace you could compile a kernel without ptrace support, use an SELinux policy that denies ptrace access for the sessions in question, or make the user’s shell setgid (the kernel does not let a user ptrace a process that gained privileges on exec).

If the root account and the account used for su or sudo use different authentication methods, where the options include ssh authorized keys, password, and security token (maybe both password and token for the root account) then it does seem that it would provide some Defense in Depth benefits.

sudo can also be configured to permit only certain commands. That is a real security benefit, but it does not allow full sysadmin work; it merely delegates some operations to people who do not have full sysadmin rights. Since someone has to be able to fix any problem that might occur on the machine, someone must be able to run any command as root. So while sudo is great for granting limited administrative access to junior staff, it is not going to stop an attack aimed at a member of the sysadmin team.
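The two attacks and the mitigation discussed above (a shell function or alias standing in for sudo, and root-owned start-up files and ~/.ssh that the user cannot modify) can be checked from the user’s own session. The following is an added example and not code from the original post: cmd_is_real asks the shell how a command name resolves and fails if the answer is an alias or a function, and check_startup_files reports any start-up file that is not owned by the expected user or is group/world writable. It assumes that "ls -ld" prints the mode string in the first column and the owner in the third, as GNU and BSD ls do; the file list is the one the post names plus the common bash equivalents.

```shell
#!/bin/sh
# Added example, not from the original post: two checks to run in your own
# session before typing a password into sudo.
#   cmd_is_real        - does the command still resolve to an executable file,
#                        or to a shell alias/function planted by an attacker?
#   check_startup_files - are the home directory, shell start-up files and
#                        ~/.ssh owned by the expected user (root, in the post's
#                        hardening) and not writable by group or others?
# Assumption: "ls -ld" prints mode in column 1 and owner in column 3.

# $1 = command name (default "sudo"). Returns 0 if it resolves to a file,
# 1 if the shell reports an alias or a function, or nothing at all.
cmd_is_real() {
    name="${1:-sudo}"
    resolved=$(type "$name" 2>/dev/null | head -n 1)
    case "$resolved" in
        "")                 echo "$name: not found" >&2; return 1 ;;
        *alias*|*function*) echo "$name is hijacked: $resolved" >&2; return 1 ;;
        *)                  return 0 ;;
    esac
}

# $1 = home directory, $2 = expected owner (user name as ls prints it).
# Returns 0 if every existing start-up file is owned by $2 and writable only
# by its owner; prints each offender and returns 1 otherwise.
check_startup_files() {
    home="$1"
    owner="$2"
    rc=0
    for f in "$home" "$home/.profile" "$home/.bashrc" "$home/.bash_profile" \
             "$home/.login" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$f" ] || continue
        set -- $(ls -ld "$f")            # $1 = mode string, $3 = owner
        if [ "$3" != "$owner" ]; then
            echo "$f: owned by $3, expected $owner" >&2
            rc=1
        fi
        case "$1" in                     # char 6 = group write, char 9 = other write
            ?????w*|????????w*) echo "$f: group/world writable ($1)" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Stand-alone run against the current session and home directory. Pass "root"
# instead of $(id -un) on a system hardened the way the post describes.
cmd_is_real sudo && echo "sudo resolves to a file"
check_startup_files "$HOME" "$(id -un)" && echo "start-up files look clean"
```

Both checks are only as trustworthy as the shell running them: a compromised shell binary, or a PATH entry the attacker controls ahead of /usr/bin, passes cmd_is_real, which is why the post’s real answer is to make the session files root-owned and to use a different authentication factor for root.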

Source