Language Selection

English French German Italian Portuguese Spanish

Servers, SUSE, Red Hat and Fedora

Filed under
GNU
Linux
Red Hat
Server
SUSE
  • My Favorite Infrastructure

    PCI policy pays a lot of attention to systems that manage sensitive cardholder data. These systems are labeled as "in scope", which means they must comply with PCI-DSS standards. This scope extends to systems that interact with these sensitive systems, and there is a strong emphasis on compartmentation—separating and isolating the systems that are in scope from the rest of the systems, so you can put tight controls on their network access, including which administrators can access them and how.

    Our architecture started with a strict separation between development and production environments. In a traditional data center, you might accomplish this by using separate physical network and server equipment (or using abstractions to virtualize the separation). In the case of cloud providers, one of the easiest, safest and most portable ways to do it is by using completely separate accounts for each environment. In this way, there's no risk that a misconfiguration would expose production to development, and it has a side benefit of making it easy to calculate how much each environment is costing you per month.

    When it came to the actual server architecture, we divided servers into individual roles and gave them generic role-based names. We then took advantage of the Virtual Private Cloud feature in Amazon Web Services to isolate each of these roles into its own subnet, so we could isolate each type of server from others and tightly control access between them.

    By default, Virtual Private Cloud servers are either in the DMZ and have public IP addresses, or they have only internal addresses. We opted to put as few servers as possible in the DMZ, so most servers in the environment only had a private IP address. We intentionally did not set up a gateway server that routed all of these servers' traffic to the internet—their isolation from the internet was a feature!

    Of course, some internal servers did need some internet access. For those servers, it was only to talk to a small number of external web services. We set up a series of HTTP proxies in the DMZ that handled different use cases and had strict whitelists in place. That way we could restrict internet access from outside the host itself to just the sites it needed, while also not having to worry about collecting lists of IP blocks for a particular service (particularly challenging these days since everyone uses cloud servers).

    [...]

    Although I covered a lot of ground in this infrastructure write-up, I still covered only a lot of the higher-level details. For instance, deploying a fault-tolerant, scalable Postgres database could be an article all by itself. I also didn't talk much about the extensive documentation I wrote that, much like my articles in Linux Journal, walks the reader through how to use all of these tools we built.

    As I mentioned at the beginning of this article, this is only an example of an infrastructure design that I found worked well for me with my constraints. Your constraints might be different and might lead to a different design. The goal here is to provide you with one successful approach, so you might be inspired to adapt it to your own needs.

  • A Blunt Reminder About Security for Embedded Computing

    The ICS Advisory (ICSA-19-211-01) released on July 30th by the Cybersecurity and Infrastructure Security Agency (CISA) is chilling to read. According to the documentation, VxWorks is “exploitable remotely” and requires “low skill level to exploit.” Elaborating further, CISA risk assessment concludes, “Successful exploitation of these vulnerabilities could allow remote code execution.”
    The potential consequences of this security breech are astounding to measure, particularly when I look back on my own personal experiences in this space, and now as an Account Executive for Embedded Systems here at SUSE.

    [...]

    At the time, VxWorks was the standard go-to OS in the majority of the embedded production platforms I worked with. It was an ideal way to replace the legacy stove-piped platforms with an Open Architecture (OA) COTS solution. In light of the recent CISA warning, however, it is concerning to know that many of those affected systems processed highly-classified intelligence data at home and abroad.

  • Red Hat Recognized as a Leader by Independent Research Firm in Infrastructure Automation Platforms Evaluation [Ed: Forrester is not “Independent Research Firm”; It’s taking bribes to lie.]
  • Why Red Hat can take over the cloud sooner than you think
  • Red Hat Enterprise Linux 7.7: Final Full Support Update
  • Transport Layer Security version 1.3 in Red Hat Enterprise Linux 8

    TLS 1.3 is the sixth iteration of the Secure Sockets Layer (SSL) protocol. Originally designed by Netscape in the mid-1990’s to serve the purposes of online shopping, it quickly became the primary security protocol of the Internet. Now not limited just to web browsing, among other things, it secures email transfers, database accesses or business to business communication.

    Because it had its roots in the early days of public cryptography, when public knowledge about securely designing cryptographic protocols was limited, the first two iterations: SSLv2 and SSLv3 are now quite thoroughly broken. The next two iterations, TLS 1.0 and TLS 1.1 depend on the security of Message Digest 5 (MD5) and Secure Hash Algorithm 1 (SHA1).

  • Cute Qt applications in Fedora Workstation

    Fedora Workstation is all about Gnome and it has been since the beginning, but that doesn’t mean we don’t care about Qt applications, the opposite is true. Many users use Qt applications, even on Gnome, mainly because many KDE/Qt applications don’t have adequate replacement written in Gtk or they are just used to them and don’t really have reason to switch to another one.

    For Qt integration, there is some sort of Gnome support in Qt itself, which includes a platform theme reading Gnome configuration, like fonts and icons. This platform theme also provides native file dialogs, but don’t expect native look of Qt applications. There used to be a gtk2 style, which used gtk calls directly to render natively looking Qt widgets, but it was moved from qtbase to qt5-styleplugins, because it cannot be used today in combination with gtk3.

    For reasons mentioned above, we have been working on a Qt style to make Qt applications look natively in Gnome. This style is named adwaita-qt and from the name you can guess that it makes Qt applications look like Gtk applications with Adwaita style. Adwaita-qt is actually not a new project, it’s been there for years and it was developed by Martin Bříza. Unfortunately, Martin left Red Hat long time ago and since then a new version of Gnome’s Adwaita was released, completely changing colors and made the Adwaita theme look more modern. Being the one who takes care of these things nowadays, I started slowly updating adwaita-qt to make it look like the current Gnome Adwaita theme and voilà, a new version was released after 3 months of intermittent work.

  • Fedora Community Blog: Friday with Infra

    Friday with Infra is a new event done by CPE (Community Platform Engineering) Team, that will help potential contributors to start working on some of the applications we maintain. During this event members of the CPE team will help you to start working on those applications and help you with any issue you may encounter. At the end of this event you should be able to maintain the application by yourself.

More in Tux Machines

Wine 5.0's first release candidate

  • Wine Announcement
    The Wine development release 5.0-rc1 is now available.
    
    This is the first release candidate for the upcoming Wine 5.0. It
    marks the beginning of the yearly code freeze period. Please give this
    release a good testing to help us make 5.0 as good as possible.
    
    What's new in this release (see below for details):
      - Gecko update, with support for running from a global location.
      - Unicode data updated to Unicode version 12.1.
      - Initial version of the MSADO (ActiveX Data Objects) library.
      - Update installation support in the WUSA (Windows Update Standalone) tool.
      - More progress on the kernel32/kernelbase restructuring.
      - Support for signing with ECDSA keys.
      - Various bug fixes.
    
    The source is available from the following locations:
    
      https://dl.winehq.org/wine/source/5.0/wine-5.0-rc1.tar.xz
      http://mirrors.ibiblio.org/wine/source/5.0/wine-5.0-rc1.tar.xz
    
    Binary packages for various distributions will be available from:
    
      https://www.winehq.org/download
    
    You will find documentation on https://www.winehq.org/documentation
    
    You can also get the current source directly from the git
    repository. Check https://www.winehq.org/git for details.
    
    Wine is available thanks to the work of many people. See the file
    AUTHORS in the distribution for the complete list.
    
    
  • Wine 5.0-RC1 Released With Unicode 12.1 Support, Initial ActiveX Data Objects Library

    Making it into Wine 5.0-rc1 is an updated Mozilla Gecko revision, Unicode 12.1 support, an initial MSADO ActiveX Data Objects library implementation, updating the installation support within the WUSA (Windows Update Standalone_ utility, continued Kernel32/Kernelbase restructuring, support for signing with ECDSA keys, and the usual variety of bug fixes.

Pi for Everyone and Everything

Pi foundation released their first system-on-a-chip (SOC) in 2012, they had no idea how overwhelming the response would be. The credit-card-sized computer once meant to be an easy entry point for British students to get into programming and computer science has burgeoned into a whole community of add-on boards (“hats”), screens and extras that people all around the world are using for all kinds of things. Raspberry Pi computers have ARM processors on them and most Linux distributions that support those processors will run on them. There are also Windows 10 IOT (Internet of Things) embedded platforms that will run on them as well. The most popular operating system for it by far is Raspbian, which is a derivative of Debian Linux. The Raspberry Pi foundation also has an OS image called NOOBS, which will allow you to install a number of different options on it as well. Getting started is as easy as buying a Pi, a case and its accompanying necessities, which you might already own, namely a microSD card, a 5V-2A wall-wart-type supply with a micro USB connection, an HDMI cable and a USB keyboard and mouse. Several starter kits are available that include cases, power supplies and NOOBS already installed on a microSD card. If you already have access to a microSD card, it is simple enough to go to www.raspberrypi.org and download any of the OS images that they have there. There are also details on how to get the image onto the card. Read more

Fedora Deciding Whether CD/DVD Installation Issues Should Still Hold Up Releases

Fedora will continue producing ISO images of their distribution that can be installed to a DVD (or CD in the case of some lightweight spins) or more commonly these days copied to USB flash drives, but they are debating whether any CD/DVD optical media issues should still be considered blocker bugs in 2020 and beyond. Fedora optical media and any issues pertaining to that would be considered non-blocking for Fedora releases. This reflects the fact a majority of Linux users these days are copying their Linux distributions to USB flash drives and installing from there rather than still burning CDs/DVDs. Particularly with many computers these days lacking CD/DVD drives, not having to worry about optical install issues as blocker bugs would free up resources to deal with more pressing bugs around release time. Read more

today's leftovers

  • AMDVLK 2019.Q4.4 Released With Navi 14 Fixes, DoW 3 Perf Optimization

    As anticipated, AMD has now formally released a new version of their AMDVLK open-source Vulkan driver following this week's Radeon Software Adrenalin 2020 Windows driver release. The changes end up being what I was alluding to yesterday with VK_EXT_pipeline_creation_feedback support, subgroup cluster support, a performance optimization for the Dawn of War 3 game, CTS failure fixes for Navi 14, and other fixes.

  • Dominique Leuenberger: openSUSE Tumbleweed – Review of the week 2019/50

    Another week has passed – and we’re almost at the end of the year. During the last week we have released 4 snapshots for Tumbleweed (1206, 1207, 1210 and 1211) containing those noteworthy changes: gpg 2.2.18 libvirt 5.10.0 linux-glibc-devel 5.4 Mozilla Thunderbird 68.3.0 bluez 5.52 libxml 2.9.10 createrepo_c 0.15.4: beware: it is very strict and blocks any snapshot if there is a package with non-UTF8 chars or ASCII < 32 (except 9, 10 and 13) in a changelog. Double check your .changes files before submitting. GNOME 3.34.2 KDE Plasma 5.17.4

  • Why you need to know about Seeed hardware devices

    The microcontroller craze doesn't seem to be dying down—and that's a good thing because these products consistently succeed where the mobile market consistently fails: Users get open software and hardware, a portable form factor, and a wide choice of vendors and products that are built to last. Among the best of the open hardware and software vendors is Seeed, the self-proclaimed "IoT Hardware Enabler." I recently started seeing the Seeed logo on projects, so I contacted the company to learn about the interesting things they're doing. In response, they generously sent me one of their latest products: the Seeeduino Nano, a compact board that the company says is fully compatible with the Arduino Nano but at half the price and a quarter the size, along with a sample sensor to get me started. I spent a few days with it, and I'm already working on a project to improve my home garden and thinking of several others for home automation. Far from just another Arduino-like product, the Seeeduino Nano solves several problems new makers face when they get a microcontroller and want to use it.

  • Marco Zehe: A quick introduction to using Gutenberg

    Late in November, I published a personal opinion on the state of Gutenberg accessibility. Today, I’d like to give an introduction to Gutenberg from a screen reader user perspective. Gutenberg, the WordPress block editor, is the new way to create content and build sites in WordPress. It is a rich web application that uses many modern techniques such as dynamic updates, toolbars, side bars and other items to completely update the posting experience. It can also be quite daunting at first. Let us try to shed a little light on some of the mysteries around it.

  • Pitfalls for OMEMO Implementations – Part 1: Inactive Devices

    Smack’s OMEMO implementation received a security audit a while ago (huge thanks to the Guardian Project for providing the funding!). Radically Open Security, a non-profit pentesting group from the Netherlands focused on free software and ethical hacking went through the code in great detail to check its correctness and to search for any vulnerabilities. In the end they made some findings, although I wouldn’t consider them catastrophically bad (full disclosure – its my code, so I might be biased :D). In this post I want to go over two of the finding and discuss, what went wrong and how the issue was fixed.

  • Support FSF's copyleft and licensing work

    We launched our annual fundraiser with the goal of welcoming 600 new associate members before December 31st. New members are critical to the cause, and by becoming a member you will stand in solidarity with others who care about computer user freedom. As is the case with any social movement, the numbers matter, and it is a very powerful gesture to make for only $10 a month ($5 if you are a student). Please support the work that gives hope for a future with software freedom: make a donation or – better yet -- join us and become a member today. The Free Software Foundation is a global leader for copyleft, and the licensing team plays a vital role in disseminating useful knowledge about free software while working to protect it. We accomplish this in part by answering licensing questions from the public and by providing resources like our list of free software licenses. We also increase access to software freedom by managing the Respects Your Freedom certification program, and cataloging free software through our endorsed distributions program and the Free Software Directory. To protect free software, we handle license compliance for the GNU Project, resulting in a stronger community and more respect for the power of copyleft. We are proud to accomplish this as just two staff working with our executive director, board, and legal counsel. These resources combined make a potent force for software freedom, and your support will ensure our work continues with the aim to do an even better job in 2020. Let us share a bit about the work we did in 2019 and elaborate on why it is so vital that this work continues.

  • OpenJS Foundation Welcomes Electron As Its New Incubating Project [Ed: OpenJS is run by people from Microsoft]

    Initially developed by GitHub in 2013, today the framework is maintained by a number of developers and organization

  • Twitter Is Funding Effort To Create A 'Decentralized Standard?'For Social Media

    The project is called Bluesky and eventually, it should enable Twitter to "access and contribute to a much larger corpus of public conversation," pushing it to be far more innovative than in the past.