Servers Leftovers: Toolforge, Kubernetes, OVHcloud and Red Hat

Server
  • A better Toolforge: a technical deep dive

    In the previous post, we shared the context on the recent Kubernetes upgrade that we introduced in the Toolforge service. Today we would like to dive a bit more in the technical details.

    With the Ingress controller, we want to ensure that Ingress objects only handle traffic to our internal domains, which at the time of this writing are toolforge.org (our new domain) and tools.wmflabs.org (legacy). We safe-list the kube-system namespace and the tool-fourohfour namespace because both need special consideration. More on the Ingress setup later.

    The registry controller is pretty simple as well. It ensures that only our internal docker registry is used for user-scheduled containers running in Kubernetes. Again, we exclude from the checks containers running in the kube-system namespace (those used by Kubernetes itself). Other than that, the validation itself is pretty easy. For some extra containers we run (like those related to Prometheus metrics) what we do is simply upload those docker images to our internal registry. The controls provided by this admission controller help us validate that only FLOSS software is run in our environment, which is one of the core rules of Toolforge.
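
    The two checks described above (Ingress hosts restricted to the internal domains, Pod images restricted to the internal registry, with the stated namespace exemptions), as an added illustration that is not Toolforge's own controller code. The allowed domains and exempt namespaces come from the post; the registry hostname, the function names and the constructed AdmissionReview requests are assumptions.

```python
# Internal domains named in the post; a host must be one of these or a subdomain.
ALLOWED_DOMAINS = ("toolforge.org", "tools.wmflabs.org")
# Assumed internal registry host (placeholder, not Toolforge's real registry).
INTERNAL_REGISTRY = "docker-registry.internal.example"
# Namespaces exempted from each check, as the post describes.
INGRESS_EXEMPT = {"kube-system", "tool-fourohfour"}
REGISTRY_EXEMPT = {"kube-system"}

def host_allowed(host):
    """True if host is an internal domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS)

def image_allowed(image):
    """True only if the image reference explicitly names the internal registry;
    a bare name such as 'nginx:1.19' has no registry part and means Docker Hub."""
    registry, sep, _ = image.partition("/")
    return bool(sep) and registry == INTERNAL_REGISTRY

def check_ingress(namespace, ingress):
    if namespace in INGRESS_EXEMPT:
        return True, "namespace exempt from ingress host check"
    rules = ingress.get("spec", {}).get("rules", [])
    # A rule with no host matches every host, so it is rejected as well.
    bad = [r.get("host", "") for r in rules if not host_allowed(r.get("host", ""))]
    return (False, "host(s) outside internal domains: " + ", ".join(bad)) if bad else (True, "ok")

def check_pod(namespace, pod):
    if namespace in REGISTRY_EXEMPT:
        return True, "namespace exempt from registry check"
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    bad = [c.get("image", "") for c in containers if not image_allowed(c.get("image", ""))]
    return (False, "image(s) not from internal registry: " + ", ".join(bad)) if bad else (True, "ok")

CHECKS = {"Ingress": check_ingress, "Pod": check_pod}

def validate(review):
    """Decoded AdmissionReview request in, AdmissionReview response out."""
    req = review["request"]
    check = CHECKS.get(req["kind"]["kind"])
    allowed, msg = check(req.get("namespace", ""), req["object"]) if check else (True, "kind not checked")
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": {"uid": req["uid"], "allowed": allowed, "status": {"message": msg}}}

def sample_review(kind, namespace, obj):
    """Constructed AdmissionReview request, shaped like what the API server posts."""
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid", "kind": {"kind": kind},
                        "namespace": namespace, "object": obj}}
```

    A real webhook would decode the JSON body the API server POSTs, pass it to validate() and return the result as JSON; rejected requests surface their status message to the user who submitted the object.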

  • A Better Docs UX With Docsy

    I'm pleased to announce that the Kubernetes website now features the Docsy Hugo theme.

    The Docsy theme improves the site's organization and navigability, and opens a path to improved API references. After over 4 years with few meaningful UX improvements, Docsy implements some best practices for technical content. The theme makes the Kubernetes site easier to read and makes individual pages easier to navigate. It gives the site a much-needed facelift.

    For example: adding a right-hand rail for navigating topics on the page. No more scrolling up to navigate!

  • OVHcloud drives flash storage strategy with LXD

    OVHcloud offers a wide range of cloud-based services, and two of them – Public Cloud Block Storage, and Cloud Disk Array – rely on Ceph. About a year and a half ago, the company set its sights on creating a next-generation Ceph solution with all flash storage. However, this kind of solution would require newer versions of Ceph – versions that OVHcloud’s existing software environment could not support.

    Filip Dorosz, DevOps Engineer at OVHcloud, explains: “We quickly realised that it would be impossible to run newer Ceph releases on our legacy software because they required systemd, and we didn’t run systemd at all: neither inside the containers nor on the hosts.”

    OVHcloud effectively uses containers as lightweight VMs and, at the time, it utilised Docker as an entry point. But this was an unusual use case for Docker, and not one that it was well-suited for in the long-term. It became clear that the company needed a new solution, with systemd support, that was designed for running a complete operating system within a container.

    LXD had emerged as the ideal solution, and now all that remained was to industrialise it for use on the enterprise scale. OVHcloud’s key requirement was a Puppet module for LXD so that it could manage containers via the host. At the time, there was no such module, so OVHcloud decided to build one itself – and it has recently open sourced the module on GitHub.

    The company is now moving to production with the new solution, enabling the switch to all flash storage with no HDDs.

  • Join us for the Red Hat Summit Virtual Experience Open House

    On July 15 Red Hat is opening its virtual doors for an Open House, building on the Red Hat Summit 2020 Virtual Experience from April with an additional set of sessions, more "Ask the Experts" sessions, and live access to C-level tech experts.

    If you missed the Red Hat Summit Virtual Experience the first time around, that content is still available on demand. You can log back in, or register for the first time, and watch the on-demand content through April of 2021. Registration is still free and grants access to hundreds of sessions about Red Hat's technologies, customer successes, and much more.

  • Red Hat CEO: we have a ‘head start’ over VMware, competitors in Kubernetes

    After 19 years at Red Hat, Paul Cormier, employee 120 and longtime product chief, ascended to the top job at the open-source software giant.

    But plans for the traditional world tour taken by new CEOs looking to confab with customers and partners were clipped by a global pandemic—Cormier took the helm of Red Hat as he and most other employees were working from home and grounded from travel.

    While the coronavirus crisis limited his ability to meet-and-greet and was replaced by virtual platforms, Cormier, who previously was responsible for roughly 60 percent of the company as president of products and technologies, already knew almost every facet of Red Hat’s business and had deep relationships with the ecosystem.

  • IBM Cloud Now: Intellect Design, IBM Edge Application Manager v4.1, and Watson Annotator

FOSS and GNU Leftovers

  • Devs can now dig around in the source code for three games from Blendo Games
  • Friend of Add-ons: Juraj Mäsiar

    Our newest Friend of Add-ons is Juraj Mäsiar! Juraj is the developer of several extensions for Firefox, including Scroll Anywhere, which is part of our Recommended Extensions program. He is also a frequent contributor on our community forums, where he offers friendly advice and input for extension developers looking for help. Juraj first started building extensions for Firefox in 2016 during a quiet weekend trip to his hometown. The transition to the WebExtensions API was less than a year away, and developers were starting to discuss their migration plans. After discovering many of his favorite extensions weren’t going to port to the new API, Juraj decided to try the migration process himself to give a few extensions a second life. “I was surprised to see it’s just normal JavaScript, HTML and CSS — things I already knew,” he says. “I put some code together and just a few moments later I had a working prototype of my ScrollAnywhere add-on. It was amazing!”

  • What is PostgreSQL? How Does PostgreSQL Work?

    PostgreSQL is the world’s most advanced enterprise-class open source database management system that is developed by the PostgreSQL Global Development Group. It is a powerful and highly-extensible object-relational SQL (Structured Query Language) database system popular for its reliability, feature robustness, and high performance. It is known to be highly scalable both in the amount of data it can store and manage and in the number of concurrent users it can accommodate. PostgreSQL is available and distributed under the PostgreSQL License, a liberal open source license. This implies that you can download the software, use, modify, and distribute it free of charge for any purpose. It is also cross-platform: it runs on Linux, Windows, macOS, and many other operating systems.

  • Guix Further Reduces Bootstrap Seed to 25%

    We are delighted to announce that the second reduction by 50% of the Guix bootstrap binaries has now been officially released! The initial set of binaries from which packages are built now weighs in at approximately 60 MiB, a quarter of what it used to be. In a previous blog post we elaborate on why this reduction and bootstrappability in general is so important. One reason is to eliminate, or greatly reduce the attack surface of, a “trusting trust” attack. Last summer at the Breaking Bitcoin conference, Carl Dong gave a fun and remarkably gentle introduction and at FOSDEM 2020 I also gave a short talk about this. If you choose to believe that building from source is the proper way to do computing, then it follows that the “trusting trust” attack is only a symptom of an incomplete or missing bootstrap story.

  • Alternate options for Adobe Acrobat, Photoshop, Illustrator, InDesign

    GIMP (GNU Picture [sic] Manipulation System) provides 130-furthermore awesome filters and exclusive consequences. See Alvin Alexander’s blog for all the neat stuff GIMP can do. I especially like the Borders Sparkles, Reflections, and Gradient Flare consequences and the Whirl and Pinch attributes. I also appreciate that GIMP is effective on several platforms, works by using minimum system resources, and is super-effortless to use.

Security Leftovers

  • Security updates for Monday

    Security updates have been issued by Debian (intel-microcode, libexif, mysql-connector-java, and thunderbird), Fedora (gnutls, grafana, kernel, kernel-headers, mingw-gnutls, mod_auth_openidc, NetworkManager, and pdns-recursor), Gentoo (adobe-flash, ansible, chromium, firefox, glibc, mailutils, nokogiri, readline, ssvnc, and webkit-gtk), Mageia (axel, bind, dbus, flash-player-plugin, libreoffice, networkmanager, and roundcubemail), openSUSE (java-1_8_0-openjdk, kernel, nodejs8, rubygem-bundler, texlive-filesystem, and thunderbird), Oracle (libexif and tomcat6), Red Hat (chromium-browser, flash-plugin, and libexif), Scientific Linux (tomcat6), SUSE (libEMF), and Ubuntu (fwupd).

  • Intel Confirms CET Security Support For Tiger Lake

    CET works by preventing ROP and COP/JOP style attacks through indirect branch tracking and a shadow stack. For nearly three years we have been talking about Control-Flow Enforcement Technology with the open-source Intel developers doing a fairly punctual job plumbing it into the open-source compilers, the necessary Linux kernel changes, etc. Just last month I provided the current state of Intel CET on Linux with most patches under review or landed, but, due to the GCC 11 requirement, it will not all be stabilized until early next year.

  • Customizing System-wide Cryptographic Policies in RHEL 8.2

Devices: Linux Plumbers Conference, RISC-V and Advantech

  • Linux Plumbers Conference: Linux Plumbers Conference Registration Opening Postponed

    The committee is relentlessly working on recreating online the Linux Plumbers Conference (LPC) experience that we have all come to appreciate, and take for granted, over the past few years. We had initially planned to open registration on June 15th. While travel planning is not one, there are still very many aspects of the conference being worked on. We are now aiming to open registration for Linux Plumbers Conference (LPC) on June 23rd. Right now we have shortlisted BigBlueButton as our online conferencing solution. One of our objectives is to run LPC 2020 online on a full open software stack.

  • Real-time Microconference Accepted into 2020 Linux Plumbers Conference

    We are pleased to announce that the Real-time Microconference has been accepted into the 2020 Linux Plumbers Conference! After another successful Real-time microconference at LPC last year, there’s still more work to be done. The PREEMPT_RT patch set (aka “The Real-Time Patch”) was created in 2004 in the effort to make Linux into a hard real-time designed operating system. Over the years much of the RT patch has made it into mainline Linux, which includes: mutexes, lockdep, high resolution timers, Ftrace, RCU_PREEMPT, priority inheritance, threaded interrupts and much more. There’s just a little left to get RT fully into mainline, and the light at the end of the tunnel is finally in view. It is expected that the RT patch will be in mainline within a year (and possibly before Plumbers begins!), which changes the topics of discussion. Once it is in Linus’s tree, a whole new set of issues must be handled.

  • WCH CH32V103 General-Purpose RISC-V MCU Offers an Alternative to GD32V RISC-V Microcontroller

    Last year, WCH introduced their first RISC-V MCU with the CH572 Bluetooth LE microcontroller, which came with 10KB SRAM and a not so convenient 96KB OTP flash. But I’ve just been informed the company has introduced their first general-purpose RISC-V MCU family with several CH32V103 microcontrollers featuring up to 64KB Flash and 20KB SRAM, and all sorts of peripherals you’d expect from a general-purpose MCU.

  • Linux-ready, 3.5-inch Coffee Lake SBC has four USB 3.1 Gen2 ports

    Advantech’s 3.5-inch “MIO-5393” SBC ships with Ubuntu 18.04 and Win 10 images and an 8th/9th Gen Coffee Lake-H CPU and offers triple display support, 2x GbE, 4x USB 3.1 Gen2, and 2x M.2 slots. Advantech has launched a semi-rugged 3.5-inch SBC that supports Intel’s 9th and 8th Gen Coffee Lake/Refresh processors. The Linux-ready MIO-5393 shares some features with the company’s less feature-rich, 3.5-inch MIO-5373, which runs on 8th Gen Whiskey Lake CPUs. Applications include military defense micro-servers, AOI machines, passenger information systems, outdoor kiosks, railways, and factory environments.

Small Things that Bug Me in Ubuntu: The Blank Snap Folder

I had to take new screenshots for our list of the best GTK themes this weekend and in doing so became acutely aware of how much the “Snap” folder bugs me. Petty, I know. But you don’t need a magnifying glass or a particularly pedantic persuasion to appreciate why the directory irks. Heck, a quick glance at the hero image above should avail you of what the gripe is. Perhaps you’ve even noticed it yourself. See, Ubuntu badges each of the default Home directories (e.g., Downloads, Music, Videos etc) with a symbolic emblem to denote the content type apart from two: Desktop (which is shaped like a desktop, so it gets a pass), and the (annoyingly lowercase) ~/snap folder. Now appreciate I’m stating the obvious here but wouldn’t adding the Snapcraft logo to the Snap folder help round up the aesthetic?

