Share on Twitter.
Get the most dependable SMTP service for your business. You wished you got it sooner!
July 24, 2013
With all the recent revelations that the NSA is spying on just about everything we can think of, maybe it's time for the Linux
community to make a very serious and detailed analyzis at the NSA-developed Security Enhanced Linux, in an effort to help improve
and expand its security.
Security Enhanced Linux (SEL) was originally developed and integrated by the U.S. National Security Agency and it comprises a kernel patch to add extra security
features, and other patches to specific applications to help determine the security domain in which to run various Linux processes.
But now there's a new debate about SE Linux.
The original code is still under the GPLv2, the same licence as the kernel. Numerous individuals and companies have made contributions
to the project. The initiative is still ongoing and documented to a certain degree.
But recently, Cyanogenmod, one of the more popular forks of the Android mobile operating systems, announced it would be incorporating
SE Linux as part of its security features for mobile devices. That got the attention of some observers in the Linux community.
Asked whether a code audit was needed now, Russell Coker, a Melbourne-based open source developer for the Debian GNU/Linux project, and
who is also listed as a contributor to SE Linux, says-- "The SE Linux source is free for anyone to review. It's probably better reviewed
than most kernel code because someone who finds a bug or a security issue would get more fame for doing so than for finding bugs in
most kernel code."
Coker's view on the topic is shared by many in the Linux community. After all, and for the past few years, he has ported and packaged SE Linux
for Debian and he added-- "It doesn't seem plausible that there would be anything inappropriate in security patches publicly submitted
by the NSA."
"Given that anyone and anywhere in the world can submit a patch, I don't think that we need to worry about patches coming from .gov
email addresses," he added.
Brian May, another Debian developer who is based in Melbourne, is credited with backporting Russell's work to Woody, a Debian
release made in July 2002.
May, an open-source consultant, says that he was no longer the maintainer for SE Linux for the stable release of Debian, but that
he still has an interest in overseeing the project, and in making sure that the project is ongoing.
"But unfortunately, that's not the case," he said, when the question of him being the maintainer arose. "I looked into SE Linux
some years ago, but ran out of time to really get into it. But I am a Debian developer, however."
But May was still confident about the integrity of the code, nevertheless. "SE Linux is entirely open source software, that has
been reviewed by many, many people," he added. "It has been merged into the mainline Linux kernel since version 2.6.0-test 3, released
on August 8, 2003. That's ten years ago."
"And overall, Linux always has a reputation of being very conservative for allowing new features, especially when it concerns
security, and this means that everything would have been reviewed even more times by more people while pushing to have it accepted
in the kernel release. If there were any concerns it would have been rejected," May was quick to point out.
"I am sure there would be a number of people very keen on finding backdoors in SE Linux for the sole purpose of discrediting
NSA. But so far, I haven't seen any reports of anyone finding anything-- ever. I can only conclude that this is because there are
no hidden backdoors," May added.
"But on the other hand, PRISM, if the allegations are found to be true in the next few months, was completely designed around
complete secrecy on the part of the NSA. But SE Linux has been a very open and transparent project for many years, so the parallel
we are seeing today in comparing PRISM and SE Linux is unfounded and unfair in my view," May said.
In other Linux news
Linus Torvalds says he has released the first candidate for the new Linux 3.11 kernel late yesterday.
It's initially a new version that didn't come without some choice words from the Linux creator. In a direct response to a GIT
request on the x86 update for the new 3.11 kernel, Torvalds wrote: "What the f***, guys? This piece-of-s*** commit is marked for
stable release, but you clearly never even test-compiled it, did you?"
Overall, the Linux 3.11 rc1 release milestone comes two weeks after the Linux 3.10 release.
"This merge window was smaller in terms of the number of commits than the 3.10 merge window, but we actually have more new lines," Torvalds wrote in his Linux 3.11
"And most of that seems to be in staging. A full thirty-two percent of all changes by line-count is staging, and merging
in Lustre is the bulk of that," he added.
Lustre is a high performance computing (HPC) filesytem initiative that has a number of different masters in recent years.
It was first backed by Cluster File Systems which was acquired by Sun Microsystems in 2007.
Sun then became part of Oracle in 2010. Oracle never really pushed Lustre forward, instead others in the open source community,
including Whamcloud, stepped up to the plate.
And then Whamcloud itself was acquired a year ago by Intel in July of 2012, so there's been quite a bit of moving around in
In February of this year, Xyratex Ltd acquired the name 'Lustre' and its associated intellectual property assets from Oracle.
Lustre isn't the only filesystem in Linux 3.11. Both Ext4 and XFS receive notable improvements in the first release of 3.11.
Linux kernel developer Ted Ts'o noted in an lkml message that there are lots of bug fixes, cleanups and optimizations for the ext4
file system in Lustre.
In other Linux news
SUSE Linux said earlier this morning that it has upgraded its Enterprise Server 11 variant of Linux with its Service Pack 3, adding
more features to the suite, and better security.
Among them, the SP3 update also brings support for new and emerging hardware to the operating system, and that should make some
system admins happy.
The news were largely expected in the Linux community.
SUSE is the open source operating system arm of the Attachmate conglomerate owned by the private equity trio of Francisco
Partners, Golden Gate Capital, and Thomas Bravo. SUSE already moved to the Linux 3.0 kernel with SLES 11 SP2 in February of
Matthias Eckermann, senior product manager for SUSE Linux Enterprise says that the company has rolled up all the recent patches
and security updates to the Linux kernel and back-ported them to the 3.0 kernel already certified in SLES 11 SP2.
That specific kernel design had support for up to 4,096 virtual processors, and now with the SP3 update, the operating system can
address up to 16 TB of physical memory on a single kernel.
"As far as I know it, no one has ever tested a server that large," says Eckermann. "It will get interesting when you go beyond
64 TB for a data warehouse because you cannot always partition a database. So it's good to have a very large memory segment in my opinion."
The Itanium and PowerPC/Power kernels can scale up to 1 PB of main memory, theoretically, while IBM's System z mainframes top
out at 4 TB and 64-bit x86 processors peak at 64 TB.
The tested and certified limit on an Itanium machine is 8 TB, on a mainframe is 256 GB, and on x86 machines it's now 16 TB. With
the SP3 update, the PowerPC/Power kernel has been tested up to 16 TB as well,as you can see in the release notes.
The SP3 update supports IBM's latest eight-core Power7+ processors, which rolled out last fall in some machines and this
spring in others, and according to Eckermann has been updated so that the kernel can boot on IBM's future Power8 chips, which
are expected sometime next year.
Future UV shared memory systems from Silicon Graphics are also enabled with SP3, and although the release notes are not specific,
that has to mean a variant of the UV 2 system using Intel's "Ivy Bridge" Xeon E5 chips expected in the third quarter, probably around
September if the rumors are right.
The kernel supports other Ivy Bridge machines including future "Ivy Bridge-EX" Xeon E7 processors. Intel's current "Haswell"
Core chips for PCs and Xeon E3 chips for servers and workstations are also enabled with SP3, as is the Opteron 4300 and 6300 processors
On the server virtualization front, the latest KVM 1.4 and Xen 4.2 hypervisors have been pulled into SLES 11 SP3, and the virtual
CPU and virtual memory limits of their virtual machines have been consequently expanded from the SP2 release.
KVM now supports up to 160 virtual CPUs and 2 TB of virtual memory per guest partition, with up to eight virtual network interfaces.
There is no limit on the number of guests, but the total virtual CPUs across guest partitions cannot exceed a number that is equal
to eight times the number of cores in the physical machine.
On a two-socket Xeon E5 server with 32 threads, that is 256 virtual CPUs max. The Xen hypervisor, still in use by plenty of SUSE
Linux developers, can span 255 processors or threads, whichever is the larger number in the system and span 2 TB of physical memory.
A virtual machine running atop Xen can access 32 virtual CPUs and 512GB of virtual memory. Both the KVM and Xen hypervisors
have been tweaked to support a whole slew of new instructions in the Haswell family of chips, such as fused multiply add, 256-bit
integer vectors, and MOVBE support, which will apparently help the performance of both hypervisors.
Microsoft and SUSE Linux have worked to bring the memory-ballooning support for virtualized memory to SLES 11 SP3 when it runs
atop Microsoft's Hyper-V hypervisor.
Hyper-V also now supports host-initiated guest backups using the Windows VSS framework, and the Hyper-V Vmbus protocol that is
a virtual link between the hypervisor and guest has been brought up to the Windows Server 2012/Windows 8 level.
This is a more efficient implementation of that interconnect protocol, SUSE Linux says. Linux containers, the virtual private
server alternative to hypervisor virtualization, has been updated with the latest patches, as well.
LXC, like Solaris containers on Sparc and x86, Parallels on x86 iron, and workload partitions on AIX, have a shared kernel and
file system underneath a list of operating system runtime sandboxes that are logically separated from each other.
With SP3, SUSE Linux is adding the Oracle Cluster File System 2 (OCFS 2) file system to the stack of supported file systems,
which includes ext3, ReiserFS 3.6, XFS, and Btrfs.
Eckermann says that customers are using XFS and ReiserFS in production address more than 8 TB in one file system. XFS, which
has been in SLES for nearly eleven years now, is the preferred file system for those with heavy loads and parallel read and write
operations, such as serving up Samba or NFS.
The ext4 file system is fully supported in SP3, but only as a read-only file system, and the company would much prefer that you
Btrfs, which first appeared in production-grade with SLES 11 SP2 a little more than a year ago has been patched with the latest
"Many people are still looking at it, but not many people are placing it into production, at least not for now, anyway. But
this is typical of new kernels," says Eckermann.
And there are no major technology previews in SLES 11 SP3, but there are a few smaller ones. The KVM hypervisor is being shown
in the early stages running on IBM mainframes.
Nested virtualization support, which was already available for AMD's Opteron processors, is now in preview for Intel Xeon
chips that sport the VT virtualization extensions.
SUSE Linux is also rolling out the libguestfs tool, which is used to access and modify virtual machine disk images. Hot-add
memory for Xeon, Itanium, and Power machines is still in tech preview, too.
All in all, there are 70 driver updates with SP3 in addition to the tweaking of the kernel to support the new processors and
related chipsets, says Eckermann. These includes a slew of 8 Gb/sec and 16 Gb/sec Fibre Channel storage adapters, 10 Gb/sec and
40 Gb/sec Ethernet adapters, and the Open Fabrics Enterprise Distribution (OFED) 1.5.4 open source driver set for InfiniBand and
Ethernet adapters to bring Remote Direct Memory Access (RDMA) support to those adapters.
RDMA reduces latency by allowing network cards to access the main memory of other servers on the network without going through
the network stack in the operating system.
In other Linux OS news
Fedora 19, codenamed Schrodinger's Cat, follows the much-delayed Fedora 18 and the good news is things looks to be back on
track for the Fedora team.
Not only is the release just a week away but it also sees Fedora returning to its core focus-- building useful software for
developers and the Linux community.
The Ubuntu Linux distribution is busy tricking out its new touch-based interfaces and getting ready for the first Ubuntu-based
phones and tablets to arrive. However, the project still hasn't had any precious time to offer the still-dominant desktop and laptop
users of late, particularly Linux developers.
But not so with Fedora-- it never is, really. Yes, the GNOME project is pursuing its own tablet and mobile dreams - though thus far no
one seems interested, well at least for now, but underneath the GNOME trappings, Fedora does have a couple of great new pieces of
software designed to make developers' lives easier.
But perhaps the most intriguing of these is the new "Developer's Assistant", which aims to make setting up your development
environment a bit simpler.
The concept behind Developer's Assistant is to make it easy for new Linux developers, as well as seasoned developers new to Fedora, to get
up and running with all the dev tools they need quickly.
You'll need to install Developer's Assistant yourself from the Fedora repos and unfortunately there's not much in the way of
documentation at the moment.
We would suggest reading through the devassistant main page to get an idea of how it works. Once you've got your head wrapped
around the syntax, you can create entire working environments with a single line in the shell.
There are setups available for pretty much every language and most major projects within languages – for example, Django for
Python devs and Rails for Ruby developers.
There are even some setups for Vim, Eclipse and Git. To use the latter, you'll need to have a GitHub account, but provided you've
got your GitHub login info handy, Developer's Assistant makes sharing your code on the web dead simple.
Using the Developer's Assistant is just a matter of invoking the devassistant tool. For example, devassistant python django -n
~/newproject will give you a fully loaded, working Django project with what devassistant's developers call "sane defaults".
But of course, those defaults may not exactly match the way you're used to working, however. Developer's Assistant can't be
all things to all developers, so it tends to stick close to the best practices for each project and language.
To stick with the Django example, what you get from Developer's Assistant is very close to how the Django documentation suggests
setting up your projects.
Chances are that seasoned developers have workflows and environments that are idiosyncratic enough that a tool like devassistant
won't produce ideal results, but for new developers looking to set up a workable environment quickly, devassistant is a nice tool.
The other big developer news in Fedora 19 is OpenShift Origin, a new set of tools to build your own Platform-as-a-Service like
Red Hat's OpenShift.
OpenShift is a hosted service designed to allow developers to quickly build and run cloud-based applications without worrying
about server management or virtualisation details. Think of OpenShift as RedHat's answer to Microsoft's Azure or a more closely
managed version of Amazon's web services.
Get the most reliable SMTP service for your business. You wished you got it sooner!
Share on Twitter.
All logos, trade marks or service marks on this website are the property of their respective
companies or owners.
Linux News Today.org is read by over 450,000 people involved in the field of Linux application development,
professional Web hosting services, Linux
security, Linux Web development, etc.
Inquire about our reasonable advertising rates
on our news website. One of our advertising representatives will be in touch with you. Simply email us to learn
about our ad rates and how we can help drive relevant traffic to your website. Advertising space is limited.