Language Selection

English French German Italian Portuguese Spanish

Linux Foundation, Linux Kernel, FUD, and LWN Articles (Paywall Lapsed Today)

Filed under
Linux
  • EdgeX Foundry Hits Major Milestone with 5 Million+ Container Downloads and a New Release that Simplifies Deployment for AI, Data Analytics and Digital Transformation

    EdgeX Foundry, a project under the LF Edge umbrella organization within the Linux Foundation that aims to establish an open, interoperable framework for IoT edge computing independent of connectivity protocol, hardware, operating system, applications or cloud, today announced a major milestone of hitting 5 million container downloads and the availability of its “Geneva” release. This release offers more robust security, optimized analytics, and secure connectivity for multiple devices.

    “EdgeX Foundry is committed to developing an open IoT platform for edge-related applications and shows no signs of slowing down the momentum,” said Arpit Joshipura, general manager, Networking, Edge and IoT, the Linux Foundation. “As one of the Stage 3 projects under LF Edge, EdgeX Foundry is a clear example of how member collaboration and diversity are the keys to creating an interoperable open source framework across IoT, Enterprise, Cloud and Telco Edge.”

  • Check Point fixes a 20-year-old Linux security issue

    For around two decades now, hackers have exploited the design of the memory management system used by Linux programs in order to take control of a target's computer.

    Now though researchers at Check Point have introduced a new security mechanism for Linux users called 'safe-linking' which means attackers will need more than one vulnerability in order to take over the program.

  • Check Point released an open-source fix for common Linux memory corruption security hole
  • Intel Volleys New Sandy Bridge CPU Microcode

    For reasons currently unknown, Intel released new CPU microcode on Wednesday for their Sandy Bridge processors.

    Intel released the 20200520 CPU Microcode Update and it only consists of Sandy Bridge family updates. This is a bit strange with Sandy Bridge being nine years old and other Intel CPU families not seeing similar microcode updates this week.

  • Intel Sends Out Patches Bringing Up The "DG1" Graphics Card Under Linux

    For months now Intel's open-source driver developers have been working on the "Gen12" graphics support needed most notably for Tiger Lake and more recently is also confirmed for Rocket Lake. But Gen12 is also needed for the highly anticipated Xe Graphics with the discrete graphics offerings to come in the months ahead by Intel. Building off the existing Gen12 graphics driver code, Intel today published the first DG1 patches for enabling their first discrete graphics card under Linux.

  • Completing and merging core scheduling

    Core scheduling is a proposed modification to the kernel's CPU scheduler that allows system administrators to control which processes can be running simultaneously on the same processor core. It was originally proposed as a security mechanism, but other use cases have shown up over time as well. At the 2020 Power Management and Scheduling in the Linux Kernel summit (OSPM), a group of some 50 developers gathered online to discuss the current state of the core-scheduling patches and what is needed to get them into the mainline kernel.

    [...]

    One open area, Pillai said, was in the area of load balancing, which doesn't currently work well with core scheduling. This could perhaps be improved by selecting a single run queue to hold the shared information needed for core scheduling. When a scheduling event happens, the highest-priority task would be chosen as usual. Then any sibling processors can be populated with matching tasks from across the system, should any exist.

    Core scheduling currently uses CPU control groups for grouping; there is a cpu.tag field that can be set to assign a "cookie" identifying the scheduling group a task belongs to. This was done for a quick and easy implementation, he said, and need not be how things will work in the end. There is a red-black tree in each run queue, ordered by cookie value, that is used to select tasks for sibling processors.

    The patch series is up to version 5, which includes some load-balancing improvements. Earlier versions did not understand load balancing at all, so if a task was migrated to a CPU running (incompatible) tagged tasks, it could end up being starved for CPU time. A sixth revision is coming soon, he said.

    One challenge that has to be dealt with is comparing the priority of tasks across siblings. Within a run queue, a task's vruntime value is used to determine whether it should run next. This value is a sort of virtual run time, indicating how much CPU time the task has received relative to others (though it is scaled by the process priority and adjusted in various other ways), but this value is specific to each run queue. A vruntime in one run queue cannot be directly compared to a vruntime in another queue.

  • O_MAYEXEC — explicitly opening files for execution

    Normally, when a kernel developer shows up with a proposed option that doesn't do anything, a skeptical response can be expected. But there are exceptions. Mickaël Salaün is proposing the addition of a new flag (O_MAYEXEC) for the openat2() system call that, by default, will change nothing. But it does open a path toward tighter security in some situations.

    Executing a file on a Unix-like system requires that said file have an applicable execute-permission bit set. The file must also not reside on a filesystem that has been mounted with the noexec option. These checks can prevent the execution of unwanted code on a tightly controlled system, but there is a significant hole in this protection: interpreters that will happily read and execute code found in a file. If a file contains Perl code, for example, it cannot be executed by typing its name if it fails either of the above two tests. If an attacker is able to pass that file as a parameter to a perl -e command, though, its contents will still be executed.

    The new O_MAYEXEC flag is a way for language interpreters (or other programs, such as dynamic linkers, that execute code) to indicate to the kernel that a file is being opened with the intent of executing its contents. This flag is totally ignored by open() which, because it never checked for invalid flags, is difficult to extend in general. The newer openat2() system call, instead, does fail when unknown flags are passed to it; it has been extended to recognize O_MAYEXEC. But, by default, nothing will change if that flag is present.

  • Blocking userfaultfd() kernel-fault handling

    The userfaultfd() system call is a bit of a strange beast; it allows user space to take responsibility for the handling of page faults, which is normally a quintessential kernel task. It is thus perhaps not surprising that it has turned out to have some utility for those who would attack the kernel's security as well. A recent patch set from Daniel Colascione is small, but it makes a significant change that can help block at least one sort of attack using userfaultfd().
    A call to userfaultfd() returns a file descriptor that can be used for control over memory management. By making a set of ioctl() calls, a user-space process can take responsibility for handling page faults in specific ranges of its address space. Thereafter, a page fault within that range will generate an event that can be read from the file descriptor; the process can read the event and take whatever action is necessary to resolve the fault. It should then write a response describing that resolution to the same file descriptor, after which the faulting code will resume execution.

    This facility is normally intended to be used within a multi-threaded process, where one thread takes on the fault-handling task. There are a number of use cases for userfaultfd(); one of the original cases was handling live migration of a process from one machine to another. The process can be moved and restarted on the new system while leaving most of its memory behind; the pages it needs immediately can then be demand-faulted across the net, driven by userfaultfd() events. The result is less downtime while the process is being moved.

    Since the kernel waits for a response from the user-space handler to resolve a fault, page faults can cause an indefinite delay in the execution of the affected process. That is always the case, of course; for example, a process generating a fault on memory backed by a file somewhere else on the network will come to an immediate halt for an unknown period of time. There is a difference with userfaultfd(), though: the time it takes to resolve the fault is under the process's direct control.

  • Private loop devices with loopfs

    A loop device is a kernel abstraction that allows a file to be presented as if it were a physical block device. The typical use for a loop device is to mount a filesystem image stored in a file. Loop devices are global and shared between users, which causes a number of problems for container workloads where the instances are expected to be isolated from each other. Christian Brauner has been working on this problem; he has posted a patch set solving it by adding a small virtual filesystem called loopfs.

    Loop devices typically appear under /dev with names like /dev/loopN. The special /dev/loop-control file can be used to create and destroy loop devices or to find the first available loop device. Associating a file with a specific device, or setting other parameters like offsets or block sizes, is done with ioctl() calls on the device itself. The loop(4) man page has the details on how it all works.

EdgeX Foundry Hits 5 Million+ Container Downloads

  • EdgeX Foundry Hits 5 Million+ Container Downloads

    EdgeX Foundry, a project under the LF Edge umbrella organization within the Linux Foundation, has announced a major milestone of hitting 5 million container downloads and the availability of its “Geneva” release.

    [...]

    Keith Steele, EdgeX Foundry Chair of the Technical Steering Committee, added: “With at least 50% of data being stored, processed and analyzed at the edge we need an open, cloud-native edge ecosystem enabled by EdgeX to minimize reinvention and facilitate building and deploying distributed, interoperable applications from the edge to the cloud. In 3 short years, EdgeX has achieved incredible global momentum and is now being designed into IOT systems and product roadmaps.”

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

More in Tux Machines

Android Leftovers

Proton GE compatibility layer has a big new release up

Proton GE, the community-built fork of the Proton compatibility layer for Linux has a big new release out. Need a quick reminder? Wine is a compatibility layer that can help to run Windows apps and games on Linux. Valve have their own version called Proton which is included with the Linux Steam Client in Steam Play, and Proton GE is a special version of it built by user "GloriousEggroll". Why use it? You might find certain games need adjustments not currently in the official Proton and Proton GE can make them run "out of the box". Proton-5.9-GE-3-ST is the brand new release aimed to now be the stable Proton GE release. It pulls in tons of fixes to help various Windows games run on Linux including GTA V, Metal Gear Solid V: Ground Zeroes, Planet Zoo, Jurassic World: Evolution, Origin client fixes and much more. Read more

COVID-19 has not stalled Linux development

Linus Torvalds and Dirk Hohndel have been telling anyone who will listen that while COVID-19 has slowed down many technologies, while speeding up other tech developments, it hasn't affected Linux development much at all. Torvalds said that none of his co-developers have been hugely impacted either. “I was worried for a while because one of our developers was offline for a month or two.... [But,] it turned out that it was just RSI [repetitive strain injury], and RSI is kind of an occupational hazard to deal with." He added. "One of the things that is so interesting about the Linux community is how much it has always been email-based and remote, how rarely we get together in person.." Torvalds took time out to praise his new AMD Threadripper 3970x-based processor-powered developer desktop. Torvalds later added that, although he had been concerned about its fan noise it actually works well for him. Torvalds moved to this new homebrew computer because he needed the speed. Read more

today's howtos