Enterprise Linux Log:

September, 2007

Sep 28 2007   10:48AM GMT

Does this script work for you?



Posted by: admin
scripts, Linux basics

Recently, we asked our readers to share some of their Linux scripts with us. Our first script comes to us from Diethard Ohrt, who sent us a script named “survf”. He writes:

The script “survf” monitors a file so you can check whether this file is growing (e.g. during ftp transfer). If you link it to the name “survp,” it monitors a running process… when the process terminates it sounds a bell and terminates.

Take a look at survf and give it a try. Diethard adds that he originally wrote it for the Korn shell on a Unix box a few years ago (so you might want to tweak it with “proper, real bash syntax.”)

Thank you, Diethard! To show our appreciation, we are sending you a gift certificate for some Starbucks coffee. Enjoy.

Let us know what you think of the script or send us one of your own. If we use it, you can earn yourself a Starbucks gift certificate plus you’ll be helping out other users.

If you would like some more scripts, check out our tips section. Whether it is help with Linux migrations or managing high-volume CPU processes, our SearchEnterpriseLinux experts help you navigate through the Linux world.

Hope you like the script. Keep them coming.


#!/bin/bash
#
# survp/f: primitive process/file surveillance
# ==================================================
# monitors a given process using ps(1)
# process may be given by PID or name
# if called as "survf", a given file is monitored
# ("CUP" means "cursor up" ...)
# __________________________________________________

PROGNAME=$(basename "$0")

# on SIGINT (2) or SIGTERM (15), say goodbye and exit cleanly
trap 'echo -e "\n$PROGNAME: terminated."; exit 0' 2 15

is_int=0

# How have we been called? _________________________
if [ "$PROGNAME" = survp ]
then
    OBJECT=process
    if (( $# != 1 ))
    then
        echo "usage: $PROGNAME { pid | process_name }"
        exit 1
    fi
    # Check: is parameter a number, thus PID?
    # (pattern match only; the argument is never evaluated as arithmetic)
    item2test=$1
    [[ $item2test =~ ^[0-9]+$ ]] && is_int=1
else
    # invoked as "survf" _____________________________
    OBJECT=file
    if (( $# != 1 ))
    then
        echo "usage: $PROGNAME { file_name }"
        exit 1
    fi
fi

typeset -i STATE=0

echo "$PROGNAME: surveillance of $OBJECT $1"
echo " (use ^C to terminate)"
CUP=$(tput cuu1)$(tput cuu1)
while true
do
    if [ "$OBJECT" = process ]
    then
        if (( is_int == 0 ))
        then
            ps -u "$LOGNAME" | grep -- "$1"
            STATE=$?
        else
            ps -fp "$item2test"
            STATE=$?
            echo "$CUP"
        fi
    else
        # quoted, with "--", so odd file names reach ls as a single argument
        ls -l -- "$1"
        STATE=$?
    fi
    if (( STATE != 0 ))
    then
        echo -e "\07\n$PROGNAME: *** ERROR *** $OBJECT $1 not found!"
        exit 1
    fi
    echo "$CUP"
    sleep 10
done

Sep 28 2007   10:43AM GMT

Novell microsite targets virtualization



Posted by: admin
Virtualization, SUSE/Novell

I received an email today from Novell touting a new virtualization microsite, so I thought I’d fire off a micropost to the Enterprise Linux Log with a few details.

From Novell:

Novell has created a new microsite to provide the open source community with Virtualization resources such as whitepapers, customer case studies and video interviews (including Novell’s Kurt Garloff and Intel’s Doug Fisher).

You can check out the site at the below link:

http://www.novell.com/virtualization/


Sep 27 2007   10:43AM GMT

Ubuntu bests Jesus — Apocalypse imminent?!



Posted by: admin
Ubuntu Linux, Linux humor

So, dear readers, who is more popular: A Linux distribution with a funky name or a funky fella who could supposedly turn water into wine and walk on water?

If you answered Ubuntu, then give yourself a star. If you answered Jesus, then you were right last year, but Google Trends has proved you wrong today. If you answered Mark Shuttleworth, then I suggest you get your head examined, because while Ubuntu is an insanely popular Linux distro right now, the man behind it cannot perform literal miracles (the last time I checked, anyway).

Here’s the evidence, provided by the blog Venture Cake:

Ubuntu versus Jesus

Venture Cake also has a hilarious comparison between Ubuntu and the bearded one up on their site today, so I encourage you to hit that link and check it out.


Sep 26 2007   3:16PM GMT

SELinux — is it *really* too complex?



Posted by: admin
Security, SELinux

I read a post this afternoon that surprised me a little, which is tough to do because I work on the Internet and I’ve basically seen everything humanity has to offer. Believe me, it’s not much.

What surprised me today is that the old axiom “SELinux is so difficult to use that most IT managers just switch it off” has bubbled to the surface again over at Kerneltrap.org.

The post at Kerneltrap is actually a snippet from a larger rant on the OpenBSD mailing list, which compares the security of SELinux to OpenBSD’s default security.

A thread on the OpenBSD-misc mailing list compared the security of SELinux in the 2.6 Linux kernel to what’s available in OpenBSD. The general opinion was that SELinux and its policy language are too complex, leading Damien Miller to note, “every medium to large Linux deployment that I am aware of has switched SELinux off. Once you stray from the default configurations that the system distributors ship with, the default policies no longer work and things start to break.” Ted Unangst summarized, “the problem with security by policy is that the policy is always wrong.”

I’ve written a few articles about SELinux over the past year and a half for this sole reason: complexity. I’m certainly no expert on the subject, but in 2006 and ‘07 I did get to hear from people at various Linux conferences and from interviews for other security stories that SELinux was a great piece of software — perhaps “too great.” As was argued above in the OpenBSD list, people were shutting it off because its NSA-powered muscles were breaking their systems. When that happens, you’ll find 9 times out of 10 an administrator will opt to shut the thing off and find another fix rather than invest the extra time and money, regardless of the features being promised him/her. So I started asking, “what’s being done? Who’s doing what?” and so on.

The folks at Red Hat were the most helpful, for obvious reasons (SELinux is baked into Red Hat Enterprise Linux), but I also interviewed a few SELinux experts for my research, including Karl MacMillan and Frank Mayer, co-authors of SELinux By Example. Mayer even wrote us a nice article on SELinux, called Five Ways SELinux may surprise you, that still does well traffic-wise on SearchEnterpriseLinux.com today. I also interviewed the guys in the trenches who had decided to shut the thing off and deal with it later.

What I discovered is that part of SELinux’s current dilemma is more easily fixable than the other, because it has nothing to do with technological chops and everything to do with public perception. Jim Klein, the director of information services and technology at the California-based Saugus Union School District, put it best: “The biggest problem for SELinux is mindshare,” Klein told me. “It developed a stigma early on due to the lack of tools for configuration and troubleshooting, which led people to simply turn it off.” Currently, Klein is one of the many IT guys who has the SELinux switch in the “off” position.

But Red Hat was ready for that, or so it seemed. At the Red Hat Summit in May their SELinux guru Dan Walsh was beating the setroubleshoot tool drum as proof that his developers were listening and SELinux was turning a corner towards simplicity. Also known as SELinux Troubleshooter, setroubleshoot is a tool that watches the audit log files for access vector cache (AVC) messages and sends reports to the IT manager when things go wrong, right or whatever. Walsh said SELinux has a new GUI in RHEL 5 to assist in management, as well as a set of configurable Booleans (read: if, then statements) that allow IT managers to modify network ports, file labeling and even user mappings. That particular session was one of the more packed ones I attended in San Diego that week. Does that mean anything in particular? Not really, as security is always a popular topic, but it was interesting given what’s still being debated today.
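The kind of audit-log watching described above, as an added example (it is not setroubleshoot's code and not part of the original post): a small Python parser that pulls AVC denials out of audit log text and counts them per process, source type, target type and permission. The sample log lines are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in audit.log format (not captured from a real host).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1190819760.101:412): avc:  denied  { read } for  pid=2301 comm="httpd" name="index.html" dev=dm-0 ino=98311 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1190819760.101:412): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1190819765.222:415): avc:  denied  { read getattr } for  pid=2301 comm="httpd" name="notes.txt" dev=dm-0 ino=98312 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1190819790.007:420): avc:  denied  { name_bind } for  pid=2410 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1190819800.500:431): avc:  granted  { setenforce } for  pid=2502 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
type=AVC msg=audit(1190819801.000:432): avc:  denied  { write } for  pid=2600 comm="cupsd" scontext=system_u:system_r:cupsd_t:s0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one audit log line; return a dict for AVC records, else None."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None  # not an AVC record (e.g. type=SYSCALL)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None  # truncated or malformed record
    return {
        "time": float(m.group("ts")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "?"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
    }


def summarize_denials(log_text):
    """Count denials keyed by (comm, source type, target type, class, perm)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue  # skip non-AVC lines and audited grants
        for perm in rec["perms"]:
            key = (rec["comm"], rec["source_type"], rec["target_type"],
                   rec["tclass"], perm)
            counts[key] += 1
    return counts


def report(log_text):
    """One human-readable line per distinct denial, most frequent first."""
    return [
        f"{n}x {comm} ({src}) denied {perm} on {tgt}:{cls}"
        for (comm, src, tgt, cls, perm), n in summarize_denials(log_text).most_common()
    ]


if __name__ == "__main__":
    for row in report(SAMPLE_AUDIT_LOG):
        print(row)
```

Grouping by type pair rather than by file name is what makes repeated breakage from one mislabeled directory or one non-default port show up as a single line.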

As Red Hat talks GUIs and tools and setroubleshoot (oh my!) those crafty OpenBSD guys are ready with a pithy retort (or is that snark?):

If the policy language was halfway sane then this wouldn’t be so bad - a skilled administrator could adjust the policy. Unfortunately:

1) skilled administrators are hard to come by, and their time is usually better spent *not* tweaking brittle mandatory access control policies

2) the SELinux policy language is nowhere near sane.

OpenBSD’s systrace suffers from #1 - it is a generic problem with these sorts of access control mechanisms, and it is one reason why it has never been enabled by default. The brittleness is a real problem - I use systrace for a few things and often need to update my policies because of software upgrades or libc changes. Oh, and “skilled administrator” means someone deeply familiar with the Unix system interface - not just a graduate of certification course du jour.

The Linux solution to #2 seems to be to add various wizards and other abstraction between the administrator and the policy, rather than tossing the horrid mess and replacing it with something more comprehensible.

What this all means to me is if we can find similar thoughts being shared outside of an OpenBSD mailing list (where Linux or SELinux surely don’t have the home field advantage they’re used to in, say, Linus Torvalds’ backyard), we might be onto something. That something? That SELinux should in fact be turned off indefinitely until this complexity issue is resolved.

Until then, however, I think we all should probably look into some advice I found in the Kerneltrap comment section:

If I wanted a fair comparison of OpenBSD and SELinux, the last place I would ask would be the openbsd-misc mailing list.

Could be good advice.

Related info: Our site expert James Turnbull has a brief comparison of SELinux and AppArmor (the latter being what Novell SUSE has to offer).


Sep 25 2007   3:24PM GMT

Red Hat reports second quarter results, promotions



Posted by: admin
Red Hat

Red Hat, Inc. today announced financial results for its second fiscal quarter ended August 31, 2007, and the results are again pretty solid.

According to a release that’s still pretty hot after being cut and pasted from my email Inbox, total Red Hat revenue for the quarter was $127.3 million, an increase of 28% from the year ago quarter and 7% from the prior quarter. Subscription revenue, where Red Hat makes its bread and butter, was “$109.2 million, up 29% year-over-year and 6% sequentially,” the release stated.

On the income side of the aisle (take a deep breath before reading this one aloud), net income for the quarter was $18.2 million, or $0.09 per diluted share, compared with $16.2 million, or $0.08 per diluted share, for the prior quarter and $11.0 million, or $0.05 per diluted share, in the year ago quarter. Non-GAAP adjusted net income for the quarter was $36.9 million, or $0.17 per diluted share, after adjusting for stock compensation and tax expense as detailed in the tables below. This compares to non-GAAP adjusted net income of $33.7 million, or $0.16 per diluted share, in the prior quarter and $24.5 million, or $0.12 per diluted share, in the year ago period.

Other highlights of the quarter included the following:

- Red Hat surpassed the milestone of more than 3,000 applications certified on Red Hat Enterprise Linux.
- Following three consecutive years of Red Hat being ranked first in value for enterprise software in the CIO Insight survey, Red Hat Japan was ranked the number one technology vendor in Japan that customers intend to conduct business with in the future according to the Nikkei Market Access survey.
- Red Hat released the beta version of the Red Hat Developer Studio, an integrated Eclipse-based set of open source development tools and runtime environment.
- Red Hat released JBoss Enterprise Application Platform 4.2, an enterprise-ready platform on which to migrate legacy applications to an open source architecture.

Red Hat also appointed two new financial executives today: Mark Cook was promoted to Vice President, Finance and Controller; and Paul Argiry joined Red Hat as Vice President and Treasurer.


Sep 25 2007   3:06PM GMT

GPLv3 growth flattens out, LGPLv3 adds 49 projects



Posted by: admin
Uncategorized, Legal, licensing issues, GPL issues

For a month that saw a GNU GPL lawsuit and nearly 20% growth in GPLv3 project conversions, September has quickly become yet another month set to go out like a lamb (I’m looking at you, March).

At the beginning of the month, I cited a Palamida report that had tracked the number of GPLv3 adoptions among open source projects at a 15-20% increase month-over-month. Today? The numbers have cooled slightly, although the GPL’s younger brother the LGPL has taken up some of the slack.

Again, Palamida provides some of the licensing numbers they’ve been tracking for the period of September 10 through the 21st:

Wow for the LGPL v3 (Relatively)
The last two weeks have seen a 17% increase over last in the number of projects that have adopted GPLv3. As of 3pm PDT, September 21, 2007, our research indicates that 683 projects have officially adopted GPLv3, as compared to 585 projects on September 7th. A whopping 31 new projects have adopted LGPLv3 bringing the total LGPLv3 projects to 76.

Palamida is also pretty good at keeping people up to date on some of the specific projects being converted to the GPLv3 (they aren’t just about statistics, people!).

Some of the latest conversions:

  • mySerialz: A Web application that allows users to keep track of their serial keys.
  • gPodder: A Podcast receiver/catcher written in Python and pyGTK. It manages podcast feeds for you, and automatically downloads all podcasts from as many feeds as you like. If you are interested in Podcast feeds, simply put the feed URLs into gPodder and it will download all episodes for you automatically. If there is a new episode, it will get it for you. It supports download resume, if the server supports it.
  • Version Control Control (VC”): A tool that integrates with off-the-shelf version control systems and monitors file system access in order to enhance awareness among users. The tool warns about actions made by other users and suggests conflict avoiding actions.
  • GNU Emacs: Emacs is the extensible, customizable, self-documenting real-time display editor. Emacs is a text editor and more. At its core is an interpreter for Emacs Lisp (“elisp”, for short), a dialect of the Lisp programming language with extensions to support text editing.
  • SyWiCo: SyWiCo is a tool for managing concurrent modifications of shared files between unconnected computers. It can be used as a synchronization tool relying on email.
  • Portaneo Open Source Homepage (POSH): Posh is an open source personalizable portal (Netvibes, iGoogle, …) developed with PHP/MySQL/Ajax.

I assume the last one has no relation to Becks.

Bonus link: More on the FSF lawsuit against Monsoon Multimedia.

UPDATE: Hate to kick you while you’re down, buddy, but InformationWorld is reporting that developers are shunning GPLv3.


Sep 25 2007   12:28PM GMT

Novell shows off open source ATI drivers



Posted by: admin
SUSE/Novell, Hardware issues

As this relates to one of our most popular blog posts ever here at the Enterprise Linux Log, I thought it was worth a mention. Apparently, Novell has released an alpha level video driver for ATI Radeon R5xx/R6xx boards. Seriously, at 77 comments, our original post from the Red Hat Summit last May on the open source drivers topic is the most read and most discussed post in our short little history. Kudos to Jan Stafford on the scoop.

The Inquirer has more to say (and, really, when don’t they?):

The software release comes just eight days after AMD open sourced the register specs for the cards. It supports only initial mode settings at the moment, but SUSE developers plan to add support for more hardware, RandR 1.2, video overlay and 2D acceleration soon.

Novell’s ATI Radeon R5xx/R6xx video drivers are available in a multi-distribution package that supports the Fedora, Mandriva, and all SUSE flavours of Linux

This was a big deal when AMD announced a similar item way back in May, and it appears that it will remain a big deal for some time to come. The topic is kind of outside the focus of our parent site, SearchEnterpriseLinux.com, but you can be sure updates will find their way here to the blog when they happen.


Sep 24 2007   10:06AM GMT

Monday morning Linux kernel news



Posted by: admin
Linux kernel

It’s kernel update time. This is the single security bug fix edition:

We (the -stable team) are announcing the release of the 2.6.22.7 kernel. It contains a single security bugfix for the x86_64 architecture. There is potential for local privilege escalation, so all x86_64 users are certainly encouraged to upgrade.

CVE-2007-4573: x86_64: Zero extend all registers after ptrace in 32bit entry path.

I’ll also be replying to this message with a copy of the patch between 2.6.22.6 and 2.6.22.7.

I’m going to go out on a limb and guess this won’t be the last we hear from lwn.net.


Sep 21 2007   9:35AM GMT

Apples or oranges? What is JeOS?



Posted by: admin
Virtualization, VMware, Ubuntu Linux

Are you planning on juicing anytime soon? How about JeOSing?

Confused yet? Here’s a hint: Both those sentences sound exactly the same when you say them aloud. What’s different about them is a case of apples and oranges however, and I’m not talking about Tropicana. I’m not even talking about pro sports figures and questionable performance enhancing tactics that may or may not lead to asterisks being placed next to stats and failed Hall of Fame bids.

What I’m not going to talk about today is the Cream or the Clear; what I am going to talk about is virtualization, virtual appliances, and a little Linux distro called Ubuntu. As of this month they’re all being blended into a concoction the folks at Canonical Ltd. and VMware are affectionately calling JeOS.

Each of those topics is pretty well known now (virtual appliances still being a bit “new car smell,” but whatever), so how does JeOS bring something new to the table? Is it a product to be sold, or is it an architecture with which to build new exciting things that my colleagues and I will be writing about for years to come? One executive I’ve read recently who’s been at this a while has a rough idea.

By taking a short Internet boat ride over to rPath CEO Billy Marshall’s blog today, we find him addressing that very question.

JeOS (pronounced “juice”) is a concept first described in writing by Srinivas Krishnamurti of VMware in this blog entry. With the pronouncement this week by Canonical that the Ubuntu distribution of Linux is now a JeOS product, I thought I would make the argument that JeOS is a packaging architecture, not an operating system product. I also believe that the hypervisor is the replacement for the product formerly labeled as the general purpose operating system.

[...]

Now that the hypervisor is going to become the new operating system that supports the hardware, should the JeOS that supports any given application be a product with the same architecture as the legacy general purpose operating system? i.e. a collection of components defined by the operating system vendor as supportable and maintainable? so long as you don’t change the assumptions the operating system vendor made when the collection was assembled and tested and released? so long as you don’t change any of the components because that makes the collection unsupportable? How is that possible, when by definition, the collection of components that the application vendor is going to use is going to change depending on the needs of the application? Think about it.

And off we go. By Marshall’s reasoning, and I’m inclined to believe him, the JeOS cannot be squeezed into an operating system product role because it must become a packaging or testing architecture. In lieu of any other approach, JeOS must be assembled by ISVs around an application with the smallest possible footprint. This is because, you’ll remember, VMware is promoting JeOS (and Virtual Appliances in general) as an operating system sans system interfaces, functions, and libraries; and without the unnecessary services that the application does not require. “By tailoring it to the needs of the application,” Krishnamurti said on his blog, “you are now down to a lithe, high performing, secure operating system - Just Enough of the Operating System, that is, or JeOS.”

But Marshall then argues that the appliance must also confirm that this “closed loop set” is reasonable based upon the testing scenario for the application. “It must subsequently enable the integration of the various maintenance streams for the components with the server set to provide an elegant life cycle experience for the application vendor and its customers. In this scenario, the application provider takes on a much broader responsibility for the support of the operating system, and at the surface level this can seem very scary,” he said.

Before you go scurrying behind a UPS unit in fear, just wait a second. Seems that you might have been living with this approach for some time already. Marshall, a former Red Hat employee, explains that “the application vendor or their customer was already assuming this burden in the legacy model where the general purpose OS was modified on premise to support the application.”

Add to that equation JeOS — as a packaging architecture (instead of a “one size fits all” product, Marshall says) — the component set that must be maintained is much smaller and much more intimately related to the application than even what VMware described at VMWorld for the launch of JeOS (due out October 12).

“By definition, the application vendor will be in a good position to determine and resolve problems given this tight definition and technical affinity with the application,” Marshall said. “No doubt they will still want the technical expertise of a vendor with deep operating system skills as a backstop, but the product they acquire from that vendor will look very different than the product historically labeled as a general purpose operating system.”

In conclusion (I sound like an 8th grade research paper here, but oh well), JeOS is, always has been, and will be a packaging architecture. Marshall states JeOS should be billed as a system software reference platform with a build/test methodology. “Anything else defies logic in a world where every server has a hypervisor and every application arrives as a virtual appliance with JeOS,” he said.

What really fascinates me in all this is the role Linux will play in driving the adoption of VA’s by ISVs, who will then provide them to customers to run virtually in the tens of dozens on multi-core, super powerful servers that, in a hat tip to my colleagues at SearchDataCenter.com, are spaced correctly with adequate cooling. It’s a low cost, secure operating system and that seems to be working perfectly for vendors like rPath, VMware, Canonical and many more. We’re only on the cusp of this vast virtualization precipice, and as a writer I like that. But now I’m thirsty.


Sep 20 2007   8:33AM GMT

NASDAQ serves SCO with delisting notice



Posted by: admin
UNIX, Linux basics

There’s piling on, and then there’s what happened to the hapless SCO today. Just to recap, SCO basically lost its years-long case against Novell and the Linux operating system earlier this month and then just this week announced it would enter into chapter 11 bankruptcy protection.

And today? SCO fired off a press release announcing it received a notice from The Nasdaq Stock Market indicating that the company’s securities will be de-listed from Nasdaq on September 27, 2007, pending an appeal.

The bare bones press release:

The Nasdaq Staff Determination Letter received on September 18, 2007 indicated that as a result of the Company’s having filed for protection under Chapter 11 of the U.S. Bankruptcy Code, the Nasdaq Staff has determined, using its discretionary authority under Nasdaq Marketplace Rules 4300 and IM-4300, that the Company’s securities will be delisted from The Nasdaq Stock Market and that trading in the Company’s common stock will be suspended unless the Company requests a hearing to review the determination. Pursuant to Nasdaq Marketplace Rule 4804(b), the Company is making a public announcement disclosing receipt of the letter.

The suspension of the Company’s common stock is currently set to occur at the opening of business on September 27, 2007. However, an appeal will stay the suspension of the trading of the Company’s securities pending a panel decision by a Nasdaq Listing Qualifications Panel. The Company intends to request a hearing to review the determination. There can be no assurance that the panel will grant the Company’s request for continued listing.

As this now infamous case (and it’s getting a bit tiresome too, no?) begins to wind down with a series of weekly sputters, coughs and stumbles, I can’t help but think of how irrelevant it’s all become to our audience here at the Log and on SearchEnterpriseLinux.com. So, barring any unforeseen apocalyptic events stemming from the appeals process that’s sure to come, I will not be reporting much on SCO anymore.

Good riddance? Not really. Just irrelevant.