Language Selection

English French German Italian Portuguese Spanish

Compartmentalized computing with CLIP OS

Filed under
OS
Gentoo

The design of CLIP OS 5 includes three elements: a bootloader, a core system, and the cages. The system uses secure boot with signed binaries. Only the x86 architecture was supported in the previous versions, and there are no other architectures in the plan for now. The core system is based on Hardened Gentoo. Finally, the cages provide user sessions, with applications and documents.

Processes running in separate cages cannot communicate directly. Instead, they must pass messages using special services on the core system; these services are unprivileged and confined on the cage system, but privileged on the core. These communication paths are shown in this architecture diagram from the documentation. Cages are also isolated from the core system itself — all interactions (system calls, for example) are checked and go through mediation services. The isolation between applications will be using containers, and the team plans to use the Flatpak format. The details of the CLIP OS 5 implementation are not available yet, as this feature is planned for the stable release.

A specific Linux security module (LSM) inspired from Linux-VServer will be used to add additional isolation between the cages, and between the cages and the core system. Linux-VServer is a virtual private server implementation designed for web hosting. It implements partitioning of a computer system in terms of CPU time, memory, the filesystem, and network addressing into security contexts. Starting and stopping a new virtual server corresponds to setting up and tearing down a security context.

Read more

More in Tux Machines

New Raspberry Pi A+ board shrinks RPi 3B+ features to HAT dimensions

A HAT-sized, $25, Raspberry Pi 3 Model A+ will soon arrive with the same 1.4GHz quad-A53 SoC, dual-band WiFi, and 40-pin GPIO of the RPi 3B+, but with only 512MB RAM, one USB, and no LAN. As promised, Raspberry Pi Trading has revived its old mini-size, four-year old Raspberry Pi Model A+ SBC with a new Raspberry Pi 3 Model A+ model. Measuring the same 65 x 56mm as the earlier $20 RPi A+, the SBC will go on sale in early December for $25. Read more

Android Leftovers

Canonical Extends Ubuntu 18.04 LTS Linux Support to 10 Years

BERLIN — In a keynote at the OpenStack Summit here, Mark Shuttleworth, founder and CEO of Canonical Inc and Ubuntu, detailed the progress made by his Linux distribution in the cloud and announced new extended support. The Ubuntu 18.04 LTS (Long Term Support) debuted back on April 26, providing new server and cloud capabilities. An LTS release comes with five year of support, but during his keynote Shuttleworth announced that 18.04 would have support that is available for up to 10 years. "I'm delighted to announce that Ubuntu 18.04 will be supported for a full 10 years," Shuttleworth said. "In part because of the very long time horizons in some of industries like financial services and telecommunications but also from IOT where manufacturing lines for example are being deployed that will be in production for at least a decade ." Read more

Benchmarking Packet.com's Bare Metal Intel Xeon / AMD EPYC Cloud

With the tests earlier this week of the 16-way AMD EPYC cloud comparison the real standout of those tests across Amazon EC2, Packet, and SkySilk was Packet's bare metal cloud. For just $1.00 USD per hour it's possible to have bare metal access to an AMD EPYC 7401P 24-core / 48-thread server that offers incredible value compared to the other public cloud options for on-demand pricing. That led me to running some more benchmarks of Packet.com's other bare metal cloud options to see how the Intel Xeon and AMD EPYC options compare. Packet's on-demand server options for their "bare metal cloud" offerings range from an Intel Atom C2550 quad-core server with 8GB of RAM at just 7 cents per hour up to a dual Xeon Gold 6120 server with 28 cores at two dollars per hour with 384GB of RAM and 3.2TB of NVMe storage. There are also higher-end instances including NVIDIA GPUs but those are on a dynamic spot pricing basis. Read more