There’s some cool commentary going on at Slashdot this morning about SELinux. And wouldn’t you know it, it’s about one of the articles here at SearchEnterpriseLinux.com.
The article was a mash-up of some stuff I had left over from May’s Red Hat Summit in San Diego, an interview with author and SELinux expert Frank Meyer, and an exchange with our new blog contributor Jim Klein, the director of information services and technology at California-based Saugus Union School District. (Link: With RHEL5, Red Hat goes to bat for SELinux)
The comments at Slashdot are arriving from readers on all sides of the SELinux aisle. Some agree that SELinux has come a long way and that people like Red Hat’s Dan Walsh are right to ask it be turned on all the time; others agree with the assertion that it’s already been typecast as too complex; while some fall in the middle asking for more advice. Oh, and some just plain hate it.
Here’s some of that straightforward advice, from Slashdot reader BigBuckHunter:
Step 1: Install RHEL, disable SELinux
Step 2: Install and configure your stack (apache, jboss, tomcat, mysql, whatever)
Step 3: Enable permissive mode, light up the stack, watch logs
Step 4: Tweak the rules, repeat step 3 until the logs are clean.
Step 5: Enable Enforcing Mode
You can now rest a little bit easier knowing that you have SELinux enabled. The only drawback is that you sometimes have to repeat the process as new versions of your stack are released (mysql, jboss). It’s basically a monthly process.
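Here is what steps 3 through 5 can look like at the shell, as an added example that is not part of the Slashdot comment or the original article. The log lines are constructed samples, "mystack" is a placeholder module name, and the helper functions are hypothetical names for this sketch.

```shell
#!/bin/sh
# Added example (not from the article or the Slashdot comment).
# On the host itself, steps 3-5 map onto the standard tools:
#   setenforce 0                                        # step 3: permissive
#   ausearch -m avc -ts today | avc_summary             # step 3: watch logs
#   ausearch -m avc -ts today | audit2allow -M mystack  # step 4: draft rules
#   semodule -i mystack.pp                              # step 4: load after review
#   setenforce 1                                        # step 5: enforcing
# "mystack" is a placeholder module name.

# Group AVC denials on stdin by source type, target type, class, permissions.
avc_summary() {
    awk '
    /avc: +denied/ {
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        count[src " " tgt " " cls " " perms]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# Gate for step 5: succeed only when the permissive run logged no denials.
ready_to_enforce() {
    remaining=$(avc_summary)
    if [ -n "$remaining" ]; then
        printf 'still denied:\n%s\n' "$remaining" >&2
        return 1
    fi
    return 0
}

# Constructed sample records in audit.log format.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1181200000.123:101): avc:  denied  { name_connect } for  pid=2301 comm="httpd" dest=8009 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1181200000.123:101): arch=40000003 syscall=102 success=yes exit=0 comm="httpd"
type=AVC msg=audit(1181200042.456:117): avc:  denied  { name_connect } for  pid=2305 comm="httpd" dest=8009 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1181200100.789:130): avc:  denied  { read write } for  pid=2410 comm="mysqld" name="data" dev=dm-0 ino=98311 scontext=user_u:system_r:mysqld_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

sample_audit_log | avc_summary
```

A denial such as httpd_t connecting to port_t is often better answered by an existing boolean or a relabel than by a new allow rule, so read what audit2allow proposes before loading it with semodule.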
This is not the last of our coverage on SELinux. Watch for more as it continues to mature.
While the Linux blogosphere stews over Xandros’ apparent defection to the dark side of the force, ZDNet blogger Ed Burnette waxes cynically on the future of Linux:
One by one, free and open source software providers are signing agreements with “the dark side”, the poster child for proprietary software, and (many say) the antithesis of open source: Microsoft.
Linux fans spew righteous indignation all over the blogosphere, and “poison pill” legalese is added to the most popular free software license to fight it, but the deals show no sign of slowing. Why do you think this is the case? At some point in the future, will Linux be available only from Microsoft and “approved” vendors?
I hope not. The best competition, and therefore best opportunities for we journalists 🙂 exists in an atmosphere of many choices. Not *just* Microsoft. Haven’t we already seen that play anyway?
MORE UPDATES (06/07/07): ComputerWorld is reporting this morning that LG has also jumped on board with Microsoft for a patent protection deal. That makes five such deals in recent memory.
Microsoft Corp. on Wednesday announced a cross-licensing deal with Korean consumer electronics maker LG Electronics Inc. It is the fifth such deal in recent months that involves Redmond’s controversial granting of Linux patent ‘protection’ — in this case, to LG-made cell phones and other devices.
Microsoft will pay LG an undisclosed amount of money for patents related to operating systems and computer systems, it said in a press release, while LG will make ongoing payments to Microsoft “for the value of Microsoft patents as they relate to Linux-based embedded devices that LGE produces.”
If this keeps up, my blog headline for this post takes on an eerily prophetic quality. But on a more serious note, many people assumed Xandros entered into an agreement like this on Monday because “they needed the money.” Is it as easy to argue that LG “needs the money” too?
Attorney Jeff Seul and I got a lot of flak for a recent interview on the GPLv3, mostly because his comments weren’t exactly what free software advocates wanted to hear about the latest iteration of the most popular open source license out there. That’s completely fair, and to be expected when something as significant as the GPL gets a makeover, no?
In the name of decency and professional journalism I won’t reprint any of the hate mail I received for our interview on the GPL here (GPLv3 draft gets thumbs down from patent attorney), but suffice to say we were both accused of being on the Redmond, Wash. payroll. It’s a line you get used to hearing if you cover the Linux vs. Microsoft world in any great detail. The beat is enjoyable but requires thick skin.
That was April. Now — if you’ll grant me a quick aside — people say being crazy means you do the same thing over and over again and expect a different result. What I did next fits the bill. Nearly a month after the interview, against all sense of reason, I interviewed another IP attorney, John Rabena, who is an intellectual property attorney based in the Washington, D.C., offices of Sughrue Mion.
Luckily for me, things “went differently,” and I cannot officially consider myself throwing-chairs-Steve-Ballmer crazy. Not just yet anyway.
That’s because the interview was not so much about the GPL’s looming changes as it was about the true intentions behind Microsoft’s saber rattling regarding the 235 alleged patent infringements in Linux and/or open source software. I say and/or, of course, because the folks in Redmond made no mention of what, exactly, was being infringed upon. All we got from Gates and Company was an accusation of wrongdoing without any proof. It was par for the course given similar Microsoft allegations in the past, but that, according to Rabena, was precisely the point.
In our interview, Microsoft’s anti-Linux patent claims: Arm-twisting for Novell-like deals, Rabena addressed in one fell swoop many of the concerns raised by the 235 alleged wrongdoings:
“The fact that they did not name specific patents does not have any real significance yet, so I would expect this could be Microsoft looking for a broad agreement across the industry. If that agreement does not come, then I would expect them to start getting more specific about the patents in question.”
Lo and behold, Rabena’s premonition played out today, as Microsoft and Xandros issued a joint press release detailing a collaboration agreement that mimics the one penned by Novell in November.
My first thoughts immediately drifted back to my discussion with Seul. We went over the now infamous section 11 of the GPLv3 draft, which allows the Novell-MS patent agreement via a grandfather clause, but bans any such future agreements from taking place. What the heck happened, I thought, that allows Xandros to enter an almost identical agreement to the one MS made with Novell? Was the mother of all legal battles imminent? Seems I wasn’t alone in my dark, cynical thoughts, as Matthew Aslett over at the Open Source Weblog used that very same thought in a post on Microsoft and the GPL from June 1.
Next, my inquisitorial nature led me to believe that the spigot was open even more, and that other companies, like Novell and Xandros before them, would start falling in line with Microsoft. Xandros is a young company, and by no means a deal breaker for anyone in this space, but that doesn’t reduce the significance of the announcement. Regardless of what free software advocates say about MS’s shady intentions, there are now two Linux companies out there that have subscribed to its view of interoperability.
We don’t really cater to lawyers much here at SearchEnterpriseLinux.com. As much as we speak with them about IP and patents, we really try to craft the interviews to cover issues that affect the IT manager, not other attorneys. In that vein, I want to know what a piling on of companies signing on with MS would mean to the everyday IT guy. Would it affect your business plan? Your outlook on Linux and open source apps in the data center? What does this news mean to you? If this starts happening more often, does the landscape change? Does it really matter at all?
No word on any IP protection going the other way, incidentally. In the meantime, as previously noted, it appears that given the terms of the last call draft of the GPLv3, Xandros has signed itself out of GPLv3 code.
I also wrote that any deal with Xandros would negate my suggestion that Microsoft could be poised to mount a legal challenge to the FSF.
I’ve had second thoughts on that. This could be the deal that it uses to prove that the FSF is blocking its attempts to “build bridges”. We’ll see.
It’s still early, I know. And it’s a bit early to be striking “It’s the year of … ” posts or articles. However, I’d like to get a jump on this topic and get a feel for what IT managers are saying.
UPDATE 06/05/07: Steven Walli makes a good point on his blog:
Xandros is looking for love (possibly in all the wrong places). A quick tour of DistroWatch for the comparative view for Xandros over the past 12, 6, 3, and one month periods shows it falling from 25th to 28th to 31st to 40th respectively. Ubuntu sat in first until the past month when it dropped to second in interest behind PCLinuxOS. The harsh part of the story is that regardless of which period you view, there are a lot of well known, well packaged systems ahead of Xandros including Ubuntu, OpenSuSE, Fedora, Debian, Gentoo, and Mandriva and that’s just staying in the top dozen. Even FreeBSD consistently ranks above Xandros on distrowatch.
UPDATE (06/07/07): Now that the LG news has hit the fan, I’ve revisited this post with the fresh information. Is this year really going to be all about Linux and patents? When my editors and I begin to craft the inevitable “Year of…” articles in December, will this be the issue that dominates our discussions? I hope not (too dry, you see), but with yet another company coming on board with MS on this issue, that outcome is now more likely today than it was yesterday.
Offers XML-based config files, virtual machine life-cycle management operations and secure XML-RPC. All of these will serve to significantly improve the manageability of the virtual environment, especially the secure XML-RPC piece. One of the big problems with Xen in the past has been its relatively weak remote management interface over insecure http. While you could technically perform a number of virtual machine management functions from a remote workstation with it, no one ever turned it on because it was wide open with no security features (save firewall rules, which really don’t work for this sort of thing in a dynamic environment.) This new API will enable the community to develop strong management tools for both operations and life-cycle. Look for the Fedora team to enable the “Remote Xen Host” field in virt-manager, as well as a variety of other remote management capabilities, now that it can be done safely.
Near feature parity for HVM guests
With Xen 3.0.x, Hardware Virtual Machine (HVM) guests running unmodified OSes (such as Windows) did not enjoy the same life-cycle capabilities as paravirtualized guests (such as Linux). With the release of 3.1, Xen can now save, restore and migrate running HVM guests. In addition, memory can now be dynamically allocated to a running HVM guest. These capabilities are an absolute necessity in an agile virtualized infrastructure, and by adding them in version 3.1 Xen has matured to match VMware in terms of enterprise readiness.
Native 64-bit and 32-bit guests on 64-bit hosts
Xen 3.1 steps out to lead the competition by being the first to enable native 64-bit guests, as well as enabling 64-bit hosts to run a mix of 32-bit and 64-bit guests. It’s now possible to run any supported operating system in 32- or 64-bit mode, including 64-bit Oracle, Microsoft Exchange 2007, etc. In addition, 32-bit guests on 64-bit hosts allows for maximum flexibility and resource utilization, as segregating 32-bit and 64-bit guests to specific hosts is no longer required. Both serve to make Xen a very robust platform for any virtualized environment.
So what does this mean for the major players in Xen virtualization?
The next release of XenEnterprise, due to be released later this summer, will include the Xen 3.1 core. This release is expected to bring missing enterprise features into the XenEnterprise product, such as live migration and life-cycle capabilities. In the current release, based on Xen 3.0.4, the migration of live virtual machines from host to host was not enabled, largely due to XenSource’s incessant reliance on their self-imposed, non-shareable “storage repository” design, whose focus on ease of use severely limits storage flexibility. Unfortunately, the situation won’t improve much with the new release, as XenSource will only offer one shared storage mechanism for running guests — NFS — which is semi-easy, but certainly less than ideal. But it will make live migration possible and XenSource currently plans to include the tools necessary to do so in their management console. Don’t get me wrong, XenEnterprise works very, very well overall, and is still an excellent choice, especially if you will be virtualizing Windows servers.
Expect to see Xen 3.1 included in the first update to RHEL 5, due later this year. Since the Xen engine is standard in RHEL, expect to be able to take advantage of all the new features of Xen 3.1, without limitations. Red Hat engineers have also stated that they expect to continue to add features to their management tool set, including multi-host management and easy access to migration and life-cycle functions. Don’t expect paravirtualized drivers for Windows, however, as they probably won’t appear until version 5.2. Until then, Windows in RHEL 5 Xen will probably not be viable for most workloads. Also, while the management console will certainly improve, it’s not likely to match XenEnterprise’s offering just yet. On the flip side, RHEL offers far more flexibility as a general purpose operating system with tons of hardware and vendor support, which, depending on your needs, can certainly make up for a bit less ease of use.
Xen 3.1 represents the fruition of some of the last key elements missing in the Xen engine, bringing near feature parity with VMware’s core capabilities. Look for rapid development of the tools to manage the engine in the coming months. Or, if you want to try it out now, Fedora 7 just came out — go download a copy!
Phoronix has a nice interview up today with Canonical’s Mark Shuttleworth, the millionaire backer of Ubuntu.
Phoronix: Among the many new features in Ubuntu Feisty Fawn are network roaming improvements and easy codec installation. If you had to select one “killer feature” for Feisty Fawn what would it be and why?
Mark: For Feisty I would say that there are two things that are really interesting for end users. The first is the Windows migration tool that was really just a sparkle in someone’s eye six months before the release and I didn’t think of it as a serious feature that we would commit to for Ubuntu but the guys involved typed away at it and it came together quite nicely. It’s very much a first release of the technology but it’s been surprisingly popular amongst people who are installing Linux as a dual-boot option next to Windows. The other is the easy to install codecs. Really what we are trying to do there is to help people make the right decision in regards to intellectual property issues that are associated with codecs. For many of our users it’s perfectly legal for them to install and run those codecs so we try to give them a straightforward framework to exercise those rights. Then for other people they are living in countries where there are restrictions in their ability to use free software for certain codec operations so we try to help them make a smarter decision about that.
Ubuntu is a hot topic for us on the main site right now. People love that Dell is making small steps to include it in their big plan, and users are really digging Feisty’s new features. Reviews have been mostly favorable. Whether that translates into server side stuff, and therefore something this blog and SearchEnterpriseLinux can really cover in depth, remains to be seen.
Red Hat’s press release on the news:
The Fedora Project, a Red Hat, Inc. sponsored and community-supported open source collaboration, today announced that the latest version of its distribution, Fedora 7, is now available. The Fedora Project provides the best of next-generation open source technologies and, in its latest version, features a new build capacity that allows for the creation of custom distributions. Fedora 7 now offers a completely open source build process that greatly simplifies the creation of appliances that can be targeted to meet individual needs.
Fedora 7 provides the first appliance development platform that is 100 percent open source with an entirely free distribution build toolchain. The Fedora 7 source code is hosted in a public version control system, the RPMs are built on an external build system and the distributions are built with an external, open source compose tool that allows access by the entire Fedora community.
Through Fedora 7, the community is given an enhanced role that encourages greater openness and collaboration. As a result of its flexible, public build environment, Fedora 7 provides users with the ability to customize like never before. With these capabilities, combined with live CD, DVD and USB technology, the possibilities for appliance creation are endless. After customization, Fedora can be loaded onto various forms of bootable media, allowing users to run their operating system without a hard disk installation.
There’s also some virtualization news to be had, as Fedora 7 features Kernel-based Virtual Machine (KVM) and Qemu virtualization technologies (in addition to Xen). This makes sense given the inclusion of KVM in the mainline kernel. All implementations can be managed using the Fedora graphical virtualization manager.
On the community level, Fedora 7’s new single repository is accessible to Red Hat employees and community members alike, giving the community more influence over Fedora than ever before, Red Hat said in its statement.
[Embedded YouTube video: http://youtube.com/v/Pa1RCg-Ccp0]
Yes, I know, YouTube and embedded flash movies are so 2006, but this is basically a test post to make sure we can handle it. Looks like we can. And yes, this clip from Novell BrainShare is also old as dirt, but it’s what came up under a “Linux” search on YouTube.
Apparently Dell did not bury their new Ubuntu hardware 1,000 pages deep, as many Linux conspiracy theorists had feared would be the case.
Dell’s front page:
Front page of Dell.com? Mark Shuttleworth’s going to Disneyland! (Please note, this is not MY desktop screen grab, so stop fishing around 🙂 ).
I think people may have been holding their breath over this Dell and Ubuntu thing, so please take a deep breath now and stop killing yourself over it — Dell is now *officially* offering Ubuntu desktops and laptops.
It’s finally here. Later today, Dell will offer U.S. customers three different systems with Ubuntu 7.04 installed: the XPS 410n and Dimension E520n desktops and the Inspiron E1505n notebook. These systems are now available at www.dell.com/open today. Starting price for the E520n desktop and the E1505n notebook is $599; the XPS 410n starts at $899 $849. Note from Lionel: My apologies, but I had included an incorrect starting price for the XPS 410n. It will be $849.
Hardware support will come from Dell. Beyond that, users can turn to the Linux section of the Dell Community Forum for help and also get the latest updates from our Linux team at http://linux.dell.com. Users also have fee-based options for operating system support through Canonical, including 30-day Get Started, One-year Basic and One-year Standard.
Now, I suppose we all just sit back and see where this thing takes off from here, no?
Just a quick Samba update to mark my return from the beaches of North Carolina:
Major bug fixes included in Samba 3.0.25a are:
- Missing supplementary Unix group membership when using “force group”.
- Premature expiration of domain user passwords when using a Samba domain controller.
- Failure to open the Windows object picker against a server configured to use “security = domain”.
- Authentication failures when using “security = server”.
The uncompressed tarballs and patch files have been signed using GnuPG (ID 6568B7EA). The source code can be downloaded from: http://download.samba.org/samba/ftp/