• Secure your containers with SELinux | Opensource.com

  When things aren't working correctly in your Linux environment, the easiest thing to do is disable Security-Enhanced Linux (SELinux). Things suddenly begin to work, and you forget about it—but this is a common pitfall that means you've lost a very powerful security tool.

  Threats are rising alongside the rise of containers, microservices, and distributed architecture. This is due to an old, well-known issue: velocity. The advantage of containers is that they enable you to move fast, do more, and change quickly. This means container adoption has gone off the roof, but the speed it affords also means you will encounter more issues and vulnerabilities. This happens naturally when you're doing more things faster and quicker.

• How to fix Linux EFI secure-boot shim bootloop issue - Hans' hacking log — LiveJournal

  How to fix the Linux EFI secure-boot shim bootloop issue seen on some systems.

  Quite a few Bay- and Cherry-Trail based systems have bad firmware which completely ignores any efibootmgr set boot options. They basically completely reset the boot order doing some sort of auto-detection at boot. Some of these even will given an error about their eMMC not being bootable unless the ESP has a EFI/Microsoft/Boot/bootmgfw.efi file!

  Many of these end up booting EFI/Boot/bootx64.efi unconditionally every boot. This will cause a boot loop since when Linux is installed EFI/Boot/bootx64.efi is now shim. When shim is started with a path of EFI/Boot/bootx64.efi, shim will add a new efibootmgr entry pointing to EFI/fedora/shimx64.efi and then reset. The goal of this is so that the firmware's F12 bootmenu can be used to easily switch between Windows and Linux (without chainloading which breaks bitlocker). But since these bad EFI implementations ignore efibootmgr stuff, EFI/Boot/bootx64.efi shim will run again after the reset and we have a loop.

• How security and compliance automation can help achieve a more secure hybrid cloud

  In hybrid cloud environments, where workloads are deployed in physical hosts, virtual machines and containers across on-premise and cloud environments, security becomes more and more complex. As a part of the AnsibleFest Virtual Experience, Lucy Kerner, a Red Hat security strategist and evangelist, and Justin Lacey, a Red Hat solution architect, led the breakout session "Implementing a secure hybrid cloud using security and compliance automation." The session highlighted a combination of Red Hat technologies that can help simplify and improve security and compliance in a hybrid cloud environment at scale using automation. Missed out on this session? We’re recapping some key points here.

• Renewing my thrill at work with Ansible | Enable Sysadmin

  Ansible empowered me to utilize my own technical strengths and passion to improve processes and enjoy my time.

• Using Multus and DataVolume in KubeVirt - Red Hat Developer

  KubeVirt is a cloud-native virtual machine management framework based on Kubernetes. KubeVirt orchestrates workloads running on virtual machines in the same way that Kubernetes does for containers. KubeVirt has many features for managing the network, storage, images, and the virtual machine itself. This article focuses on two mechanisms for configuring network and storage requirements: Multus-CNI and CDI DataVolumes. You will learn how to configure these KubeVirt features for use cases that require high performance, security, and scalability.

  [...]

  As a cloud-native virtual machine management framework, KubeVirt adopts cloud-native technologies alongside its own inventions. As a result, KubeVirt APIs and controllers support flexible and scalable virtual machine configurations and management that can integrate well with many technologies in the cloud-native ecosystem. This article focused on KubeVirt’s network and storage mechanisms. We look forward to sharing more exciting features in the future, including KubeVirt’s mechanisms for handling CPU, memory, and direct device access.

• Addressing Modern IT Infrastructure Management with SUSE Manager and SUSE Manager for Retail

  Applications hide in containers, systems hide in other systems, new configurations appear and disappear with a single mouse click, and every file is a potential threat. It is no wonder that CIOs and IT managers are looking for new tools and a new approach that will bring harmony, safety and economy to precious IT assets in changing times. Welcome to the new world of IT infrastructure management.

• SUSE Manager certified on Nutanix Acropolis Hypervisor

  Nutanix provides a fully software-defined stack that integrates compute, virtualization, storage, networking, and security to power any application at any scale. Nutanix Acropolis Hypervisor is their enterprise-ready hypervisor, offering integrated virtualization, app mobility, management, operational insights, and security.

  We are very excited that SUSE Manager is now certified on Nutanix Acropolis Hypervisor. As part of the Nutanix Ready Program SUSE Manager is now a recommended and trusted application. With this certification SUSE Manager can run confidently on Nutanix infrastructure.

Yes, but this time, it is the regular board election that is happening. The previous elections that were conducted during the past year were due to ad-hoc and unforeseen circumstances. However, as per the regular election cycle, we have three seats that are going to be vacant on the openSUSE Board in December. They are the seats of Axel Braun, Marina Latini and Stasiek Michalski. Note that Stasiek was elected this year to replace Christian Boltz whose term ends in 2020. However, Stasiek is opting out from this election due to personal commitments.

My friend from the Election Committee, Ariez Vachha, made the election announcement on the project mailing list yesterday. The election wiki page has been updated accordingly, which includes the usual election schedule poster. That’s courtesy of our friends from the openSUSE Indonesia community.

Some minor email changes have affected the Tumbleweed snapshot reviewer, so reviewer ratings won’t be listed.

The latest snapshot, 20201111, updated a half dozen RubyGems. The 4.11.0 rubygem-mini_magick package fixed the fetching of metadata when there are GhostScript warnings and fixed some method redefined warnings. The rubygem-web-console 4.1.0 package update added support for Rails 6.1.

KDE Applications 20.08.3 arrived in snapshot 20201110. In the 20.08.3 apps update, a fix for Okular addressed a wrong memory access that could cause a crash and a fix for the fast scrolling with Shift+Scroll. Video editor kdenlive provided a fix for the monitor displayed frames per second with high fps values and fixed the playlist clips that had a no audio regression. There were several other app fixes and konsole provided an important fix for closing the split view with ‘Alt+C’. Mozilla Firefox 82.0.3 fixed regressions introduced in the pervious minor version and took care of a Common Vulnerabilities and Exposures, which in certain circumstances, the MCallGetProperty opcode would emit with unmet assumptions that could result in an exploitable use-after-free condition. GStreamer 1.18.1 provided some important security and memory leak fixes while providing various stability and reliability improvements. Hardware identification and configuration data package hwdata 0.341 updated the Peripheral Component Interconnect, USB and vendor identifications. The multi-purpose desktop calculator qalculate 3.14.0 improved the plot speed for functions that are defined using expressions. Other packages updated in the snapshot were libbluray 1.2.1, a month and a half of updates for libiscsi and udisks2 2.9.1.

An update of the Xfce file manager package thunar to version 1.8.16 was the lone update in snapshot 20201108. The newer version updated translations, fixed an error for custom date formats and added a missing parameter to the ThunarBrowserPokeDeviceFunc function.

Four openSUSE Tumbleweed snapshots were released since our last blog more than a week ago.

These four snapshots had a variety of package updates that included updates for LLVM, Wireshark, Node.js, Plasma and Xfce.

A few hours ago, the first snapshot of the month of November was released with snapshot 20201104, which started trending at a rating of 90 on the Tumbleweed snapshot reviewer. The snapshot brought the new major version of LLVM 11. More than half the changelog covers the additions and changes for this compiler. Generic improvements to Clang as a whole were made and new compiler flags like -fstack-clash-protection will provide protection against the stack clash attack for x86, s390x and ppc64 architectures. The edict package, which is a Japanese-English Dictionary in machine readable form received more than a year’s worth of updates in it’s 20201102 release. Node.js 14.15.0 had no major changes, but the Long-Term-Support version had a International Components for Unicode version bump. LibreOffice’s update to version 7.0.3.1 in Tumbleweed provided some bug fixes and translation updates. The update of Perl 5.32.0 brought in support of unicode 13.0 and Wireshark 3.2.8 took care of a build failure caused from the bison parser. The Xfce desktop fixed a memory leak when reconnecting to a DisplayPort monitor with the update of the xfdesktop 4.14.3 package.

Also: openSUSE Tumbleweed – Review of the week 2020/45 – Dominique a.k.a. DimStar (Dim*)