August 2007


A customer asked me how they might restrict the use of certain apps to certain networks only. For example, say you want to allow SSH access only from a management network (192.168.2.0), but not from the general user network (192.168.1.0). How is this done in SUSE Linux Enterprise Server? In short, use TCP Wrappers, which are configured in the /etc/hosts.allow and /etc/hosts.deny files. You can edit them with any text editor, such as vi.

The best documentation of the answer I found was here at Puschitz.com. Thanks go to Werner Puschitz for the insight!

If you know of other helpful sites or documentation on this topic, please post a comment so we can all benefit.

(Update 8/31/07) Some additional suggestions I received. Thanks Edward Clay and Peter Albrecht.

(Response #1) You could do this with iptables or the YaST firewall app.

I found the following example on the following website.

http://www.cyberciti.biz/faq/restrict-ssh-access-use-iptable/

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP

 

(Response #2) To use TCPwrapper for this, the application must be built with TCPwrapper support. There are some daemons listed at the top of /etc/hosts.allow which do support TCPwrapper.

If the application does not support TCPwrapper, I see two options:

1) Use iptables rules for limiting access. For an introduction to packet filters, have a look at our course 3075: SLES 10 Security.

2) If the server is connected to the respective network (192.168.2.0 in your example), you can configure sshd to listen only to that interface. The directive is ListenAddress in /etc/ssh/sshd_config. Several other applications also provide such a configuration.
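To review a hosts.allow/hosts.deny policy like the one described above before it goes on the server, here is an added Python simulator of libwrap's decision order; it is not from the original post or from the responses, and it models only a subset of the client-pattern syntax (ALL, a trailing-dot network prefix, net/mask or net/prefix, exact addresses and EXCEPT, no hostnames). The sample policy inside it is constructed for the 192.168.2.0 management-network scenario.

```python
"""Offline check of a TCP Wrappers policy: does a given daemon accept a
connection from a given client address under these hosts.allow and
hosts.deny files? Mirrors libwrap's search order so the policy can be
reviewed before it is deployed."""
import ipaddress

# Constructed sample policy for the scenario above: sshd only from the
# management network, every other wrapped service denied from everywhere.
HOSTS_ALLOW = """
# management network may reach sshd
sshd : 192.168.2.0/255.255.255.0
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_rules(text):
    """Turn hosts.allow / hosts.deny text into (daemon_list, client_list) pairs.
    Comments and blank lines are skipped; shell_command options are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("malformed rule: %r" % line)
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, ip):
    """Subset of libwrap client patterns: ALL, '192.168.2.' prefix,
    net/netmask or net/prefixlen, and exact addresses (no hostnames)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # 192.168.2. matches 192.168.2.x only
        return ip.startswith(pattern)
    if "/" in pattern:                 # 192.168.2.0/255.255.255.0 or /24
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    return ip == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def list_matches(patterns, matcher, value):
    """Evaluate a daemon or client list, honouring 'a b EXCEPT c d'."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return (list_matches(patterns[:i], matcher, value)
                and not list_matches(patterns[i + 1:], matcher, value))
    return any(matcher(p, value) for p in patterns)


def access_allowed(daemon, ip, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """libwrap order: first match in hosts.allow grants, then first match in
    hosts.deny denies, and a client matched by neither file is ALLOWED.
    That default is why hosts.deny needs a catch-all 'ALL : ALL'."""
    for daemons, clients in parse_rules(allow_text):
        if list_matches(daemons, daemon_matches, daemon) and \
           list_matches(clients, client_matches, ip):
            return True
    for daemons, clients in parse_rules(deny_text):
        if list_matches(daemons, daemon_matches, daemon) and \
           list_matches(clients, client_matches, ip):
            return False
    return True


if __name__ == "__main__":
    for svc, client in [("sshd", "192.168.2.10"), ("sshd", "192.168.1.10")]:
        print(svc, client, "allowed" if access_allowed(svc, client) else "denied")
```

Run it with an empty deny_text to see the fall-through: without the catch-all in hosts.deny, the user network still gets in.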

Linux, specifically SUSE Linux Enterprise, that’s why.

Techtarget has the first in what promises to be a series of articles reporting on the IBM SHARE conference, where a lot of new technology and software gets introduced, and this year it was clear that Linux on the Mainframe (System Z) is growing the Mainframe market.

Read Robert Rosen’s first in the series of articles and keep checking for more; Mainframe Linux is the most exciting thing that has happened on that platform since, well, ever.

It could go without saying, but I’ll take the hit: SUSE Linux Enterprise Server is a runaway hit for the System Z Mainframes, where we have over 85% market share and growing.

I do a lot of work with customers who have Linux on System Z, and IBM’s direction next year will focus more on server consolidation using the System Z as a platform for virtualization.  (Sounds of things ramping up in the background).

Enjoy,

RossB

To my knowledge, there is no EULA (pdf) limitation that says you cannot use SUSE Linux Enterprise Desktop (SLED) for an HPC compute node. However, depending on the specific application and libraries required, SLED may not satisfy your needs in a supported way. SLED and SLES share the same core of SUSE Linux Enterprise code, but the applications and services offered (and more importantly supported) on these two Novell products (SLED and SLES) differ.

For example, OpenOffice.org is included with SLED but not with SLES. I have no technical problem running OpenOffice.org on a SLES server; however, it is not something I would be able to get support from Novell on if I ever needed it. The same is true for any other application, package or library differences that might exist.

Want to see which officially supported packages are part of SLED and SLES?
http://support.novell.com/products/server/supported_packages/
http://support.novell.com/products/desktop/supported_packages/

Alternatively, here’s an online list and description of all the packages included in SLED and SLES:
http://www.novell.com/products/server/packages.html
http://www.novell.com/products/desktop/packages.html

As you may have heard, Citrix recently decided to acquire XenSource (more here, here and here), the commercial front on the Xen virtualization technology in SLES 10. InfoWorld’s David Marshall reviews some interesting perspectives on the Citrix acquisition of XenSource in this audio podcast. He reviews a brief Q&A session with Citrix execs and a blog entry from Barrons.com. As I suspected when I first heard the news, it looks like Citrix’s initial foray into virtualization will be related to the desktop virtualization market. Still, $500M smackers is a pretty steep hill to climb to profitability if you ask me. Maybe I’ll be proven wrong.

Are any of YOU considering a desktop virtualization initiative? Why or why not?

[NOTE - If you listen to podcasts regularly, you know that it's common practice to have some intro music. When listening to this podcast, just note that the music (annoying as it may be) doesn't stop. Oh boy! David, if you end up reading this... next time, could... you... please... speak... a... little... faster...? :-) ]

It’s Not What You Say, it’s What You Do

We all know (or are about to find out) that the world of Open Source Software isn’t the same world proprietary developers live in. OSS coders may or may not be paid to develop the projects they work on; regardless, it’s all about your contributions, how good you are and how well you’re perceived in the OSS community.

One’s reputation in the community is a valuable item. When everything you code or produce is freely available for the world to see and especially your peers to review and (ahem, constructively) criticize, the stakes are pretty high.

Automating the Process

An engine (not just) for the management of your reputation as a developer is Ohloh.net. It collects and processes what is being written, committed and credited in the Open Source development world: it catalogues code, computes statistics on it and reports on the individual contributors to Open Source projects. This is a fascinating use of technology to attempt to give credit where credit is due for Open Source coding.

The process can be summed up in these steps:

  1. Project leader/administrator sets up project to be tracked by Ohloh
  2. Individual contributor submits code to the public code repository
  3. Ohloh connects regularly to the public repository and downloads the updated code
  4. Ohloh analyzes the code changes, authorship, languages and licensing
  5. Ohloh posts updated report data on their site
  6. You query the Ohloh reports to see relevant reports about individuals, projects etc.

Decisions Require Data, So Get Some

Are you responsible for developers? Want your people to contribute to the community, but also want to know how that time is being spent? You can easily track who’s writing how much and contributing to which projects, as long as the project has given access to its code repository. Ohloh makes it easy to track and report on things like:

  • Project Name and Description
  • Licensing Details, including compatibility with other licenses
  • Tags to help searching
  • User Reviews and Ratings
  • Related projects and other software used by project users
  • Calculated project cost in hours of development, configurable
  • Activity map for contributor locations

For example, when I looked at the various media projects, such as VLC, Mplayer and Audacious, I was able to get all the salient facts about them on their individual pages, but even more interesting was the ability to compare the projects, showing the relative number of lines of code in each project, the number of commits ongoing and the total number of contributors.

Think about it, if you’re just getting started in the world of OSS development, and you want a smaller or nearly abandoned project to cut your teeth on, you should be able to find something quickly, as well as do some research to see who the really prolific developers are, so maybe you can hire someone, or contract with someone for similar work.

Spread the Word

The next time someone asks you if a project is an abandoned strip-mall or a thriving metropolis, don’t just tell them what you think, lead them over to a browser and show them exactly what’s going on, they’ll be amazed at the wealth of information Ohloh collects and processes, in a very pleasing visual manner, if I do say so. Ohloh is only truly useful if everyone enables tracking, so if you’re a contributor or lead for any OSS projects, consider the benefits of participating in Ohloh’s process.

Enjoy,

RossB

IBM’s Developerworks continues to impress me with the level and quality of content related to Linux and Open Source.

Continuing in that theme is the “Anatomy of the Linux Networking Stack” by M. Tim Jones. The article starts out at the OSI 7 layer model and goes all the way down to the device driver level.

A good read.

RossB

From the “Somewhere in Redmond someone is reaching for a family-sized bottle of TUMS” department, Google and Sun announced they will be providing StarOffice for free as part of the Google Pack, a set of applications that Google makes available for free, including Picasa, Google Earth and a lot of other Google-branded and 3rd party applications to make the desktop experience more interesting.

I can just hear the blood pressure rising out there in Microsoft land, this is a move sure to increase the public awareness of Star/OpenOffice, and personally I don’t care which version you use, they’re part of the same tree.

Google also offers their lightweight suite of Office Apps, such as Documents, but those aren’t for disconnected use, or where people are much more used to or prefer to have applications locally.

Last but not least, Google is expected to produce interoperability tools for Star/OpenOffice and its online Office apps so that businesses and partners can easily share documents between the two suites.

Lastly, anything that threatens the Microsoft Office hegemony will decrease revenues and cause problems for the Borg (er, our partner), so watch for the arrival of Hurricane FUD-tina at a news source near you.

  • Linux Event: August 29, 2007 @ Novell Office, Vienna, VA (Tysons Corner)
  • This seminar will provide a comprehensive overview of Novell’s latest Linux advances in desktop, server, deployment, virtualization and security. The session will provide you and your fellow business decision makers with a strategy update pertaining to key pain points within organizations. In addition to learning about time, energy and cost saving changes you can make within your organization, you’ll also have the opportunity to network with your peers.
  • Register Now

More events in the East…

Overview

We know from Forrester Research’s recent surveys that over 50% of IT organizations currently use virtualization or are running pilot programs with it. What we should know more about is both the security benefits of virtualization and the best practices for securing those virtual servers.

Note: In this article a Virtualization Server (VS) is the machine that Virtual Machines (VMs) run on. A VM can be anything that runs in a virtual container: desktop, server, appliance etc.

Security Benefits of Virtualization

The security benefits of running VSes are many, including:

  • Isolation – Running an OS in a VM helps secure it from other apps; you can have each application in its own OS container, which keeps bad things that happen to an individual VM from spreading to others
  • Rollback – Experienced sysadmins know how important it is to be able to roll back changes that don’t work; getting the system back to a previous stable state is paramount for production machines, and VMs, being software only, are much easier to roll back
  • Abstraction – VMs have limited access to the physical hardware, the drivers are easier to manage and there is less chance of physical issues with VMs than with an OS that runs directly on the hardware
  • Portability – The ease with which you can take a running VM and either migrate it to a new VS or get that VM up and running on another server can make the difference for disaster recovery. With the ability to virtualize the OS and data, it’s much easier to swap out to replacement machines, making patch testing and upgrading much easier too
  • Deployment – Deploying instances of individual servers is 10x easier with VM technologies; physical machine deployments are much more dependent on the physical hardware. Individual machine and OS security settings on the VS are important, and the ability to surround the VMs with appropriate security from the VS (such as using AppArmor to wrap a VM, allowing only a set number of functions) is also important to the security of each VM instance

Security Drawbacks of Virtualization

The chief security drawback of Virtualization is anything that could affect the functioning of the VS, including any applications, services or activities that might negatively affect the VS’s ability to provide services to and properly host its VMs. You would not believe the things we have seen running on VS hardware, everything from BitTorrent to MP3 Shoutcast Radio Stations to very intensive file and print sharing.

It’s important to pare down the VS’s processes to the bare minimum: remove or disable all daemons that might be running, using chkconfig or the YaST Runlevel Editor. The typical VS might have up to 100 running daemons in runlevels 3 and 5, most of which are not necessary. Running the VS in runlevel 3 (no X started by default) will save a number of MB of RAM and decrease the load on the CPU for graphical tasks.
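As an added example (not from this article, SUSE or Novell), the Python script below audits constructed chkconfig --list output from a Xen host against an assumed allowlist of daemons the VS needs, flags whatever else starts in runlevels 3 or 5, and generates the chkconfig commands to turn those off; the allowlist is a hypothetical minimal set you would adapt for your own VS.

```python
"""Audit which services a Virtualization Server starts in runlevels 3 and 5,
from `chkconfig --list` output, against an allowlist of the daemons the VS
actually needs in order to host its VMs."""
import re

# Constructed sample of `chkconfig --list` output on a SLES 10 Xen host
# (not captured from a real machine).
SAMPLE_CHKCONFIG = """\
cups                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
network                   0:off  1:off  2:on   3:on   4:off  5:on   6:off
nfs                       0:off  1:off  2:off  3:on   4:off  5:on   6:off
smb                       0:off  1:off  2:off  3:on   4:off  5:on   6:off
sshd                      0:off  1:off  2:on   3:on   4:off  5:on   6:off
syslog                    0:off  1:off  2:on   3:on   4:off  5:on   6:off
xdm                       0:off  1:off  2:off  3:off  4:off  5:on   6:off
xend                      0:off  1:off  2:off  3:on   4:off  5:on   6:off
xendomains                0:off  1:off  2:off  3:on   4:off  5:on   6:off
xinetd based services:
        chargen:            off
        vsftpd:             on
"""

# Hypothetical minimal set for a Xen VS; adjust to what your host really needs.
VS_ALLOWLIST = {"network", "syslog", "sshd", "xend", "xendomains"}

# One init-script line: name, then "N:on"/"N:off" fields for runlevels 0-6.
LINE_RE = re.compile(r"^(\S+)\s+((?:\d:(?:on|off)\s*)+)$")


def parse_chkconfig(listing):
    """Map service name -> set of runlevels in which it is 'on'.
    The indented xinetd-based block has no runlevel fields and is skipped."""
    services = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, levels = m.group(1), m.group(2).split()
        services[name] = {int(lvl[0]) for lvl in levels if lvl.endswith(":on")}
    return services


def audit_services(listing, allowlist=VS_ALLOWLIST, runlevels=(3, 5)):
    """Return sorted (service, [runlevels]) for services outside the allowlist
    that start in any of the given runlevels."""
    flagged = []
    for name, on_in in parse_chkconfig(listing).items():
        hit = sorted(on_in & set(runlevels))
        if hit and name not in allowlist:
            flagged.append((name, hit))
    return sorted(flagged)


def disable_commands(listing, allowlist=VS_ALLOWLIST, runlevels=(3, 5)):
    """chkconfig commands that would switch the flagged services off.
    Review the list before running it on the VS."""
    return ["chkconfig %s off" % name
            for name, _ in audit_services(listing, allowlist, runlevels)]


if __name__ == "__main__":
    for name, levels in audit_services(SAMPLE_CHKCONFIG):
        print("%-12s starts in runlevels %s" % (name, levels))
    print("\n".join(disable_commands(SAMPLE_CHKCONFIG)))
```

Calling audit_services with runlevels=(3,) shows what would still start once the VS is kept in runlevel 3, which drops xdm from the list but not the file and print daemons.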

Wrapup

SearchServerVirtualization has a set of articles (some of which “inspired” this article) by Anil Desai which are excellent and right to the point in helping you secure your VSes and VMs. In particular, his tip articles “Virtualization Security Benefits” and “Improving VM Security” are both good overviews and contain valuable drill-down explanations to help you secure your VS/VM environments.

Enjoy,

RossB

Our good friends over at TechTarget have posted an interesting article about capacity planning for virtualization, including a discussion of the various major products and some specialty products that allow you to do “what-if” scenarios for capacity planning.

Of course we at Novell have our own solution for this, the Zenworks DCA Orchestrator, which does so much more than just cap-planning, it’s a complete datacenter management overlay that has just been released into general availability.

RossB

I just found Sander van Vugt’s comprehensive article on TechTarget about how to configure and manage SLED desktops using just GNOME’s management features. It’s a good read and helps demystify some features of GNOME, such as:

  • Changing the Desktop Settings
  • Using the Desktop Profile Editor
  • Locking Down the Desktop

Enjoy,

RossB

One of the coolest things about Novell’s SUSE Linux Enterprise Desktop (SLED) is its new “Desktop Effects”. Desktop Effects are really a combination of two open source components written by Novell’s David Reveman, Compiz and Xgl.

Xgl is a new Xserver architecture layered on top of OpenGL. Xgl can perform intricate graphical operations, such as rendering anti-aliased fonts, noticeably faster than other available Xservers that do not use OpenGL. More important than speed alone, Xgl accelerates complex composite operations, making possible new stunning visual effects through OpenGL-enhanced composition/window managers like Compiz. Compiz combines together a window manager and a composite manager using OpenGL for rendering.

To make it easier to set up and configure Xgl and Compiz, Novell created a program named “Desktop Effects” in the Control Center. If you have registered with Novell Customer Center, this will automatically install the video driver (if it’s not already installed) and configure your computer to use Xgl and Compiz. While you can use the Desktop Effects application to configure your effects, some effects are not configurable through this application.

GConf is a system used by the GNOME desktop environment for storing configuration settings for the desktop and applications. Effects like “Wobbly Windows” or “The Cube” are actually Compiz plugins. Desktop Effects acts as a front end for configuring the settings for these plugins, which are stored in each user’s ~/.gconf directory. The easiest way to configure GConf keys is with gconf-editor (/opt/gnome/bin/gconf-editor).

To see a list of all of the installed Compiz plugins, start up gconf-editor and navigate to /apps/compiz/plugins. The best way to learn is to play around with the different settings and see what they do.

Here are the locations of common things that people ask me how to configure:

  • Rotate Cube around you: Rather than looking at the cube from the outside, rotate the cube around you as if you were inside it. /apps/compiz/plugins/cube/screen0/options/in
  • Snap to the top of the cube: /apps/compiz/plugins/rotate/screen0/options/snap_top
  • The picture(s) on the top of the cube: You can place multiple pictures on the top of the cube. If you have snap to top enabled you can move through them like a slide show by using the spacebar and/or the backspace key. UPDATE: It seems that in order for this to work the image has to be in png format. On my machine I modified the dimensions of the picture so that it is 1024 px by 1024 px. /apps/compiz/plugins/cube/screen0/options/images (The easiest way to configure multiple pictures is by double clicking on images)
  • Skydome: Enable this to see a picture in the background when you flip the cube. /apps/compiz/plugins/cube/screen0/options/skydome
  • Skydome Image: This is the picture you see in the background when you flip the cube. By default it is a bluish gradient. UPDATE: It seems that in order for this to work the image has to be in png format. On my machine I modified the dimensions of the picture so that it is 1024 px by 1024 px. /apps/compiz/plugins/cube/screen0/options/skydome_image
  • Skydome Animation: Make the skydome image shift as you rotate the cube. /apps/compiz/plugins/cube/screen0/options/skydome_animated
  • Speed: The speed with which the cube flips. /apps/compiz/plugins/rotate/screen0/options/speed
  • Maximize Effect: This makes windows wobble when you maximize them. /apps/compiz/plugins/wobbly/screen0/options/maximize_effect
  • System Bell: This makes the window wobble when you invoke the system bell (like when you hit the backspace key too many times in gnome-terminal). /apps/compiz/plugins/wobbly/screen0/options/visual_bell

For more information about Compiz and Xgl, check out these websites:

Xgl

Compiz

The Setup

In another of my many “people are always asking me ______” moments, I thought I’d jot down the top reasons why we find customers wanting to switch from Red Hat Enterprise Linux to a SUSE Linux Enterprise environment. These points are gathered from countless discussions, presentations, questions and even osmosis. I hope that these points are useful for our customers who are SLES-curious and for our partners who are representing SLE to customers, and I welcome any feedback or suggestions you might have.

The List

Top 5 Reasons to Move from RHEL to SLE

  • Cost – We subscribe on a machine level: one cost for unlimited virtualized machines, with support for 32 hardware CPU sockets with any number of cores in them. Red Hat makes you pay 3x the price for unlimited virtual machines, artificially restricting customers to 4 VMs in the base product.
  • Management – Red Hat has about 40 individual tools (system-config-blahblah) that all have differing looks and feels; it’s a confusing environment. We have YaST, a single interface that’s well-organized, easy to use and very consistent. We also have Zenworks Linux Management (ZLM), where they have the Red Hat Network (RHN). ZLM is very easy to use and deploy, including the ability to provision, image, deploy software singly and in bundles, remote control and many other features. ZLM offers a single consistent console, manages both RHEL and SUSE Linux Enterprise and costs less than RHN.
  • Deployment – Red Hat has the Kickstart service, which is good for limited deployments, but it doesn’t support nearly as many options as AutoYaST (SLE’s equivalent) does. For example, it’s difficult to script the presence of multiple NICs with Kickstart; AutoYaST does it easily.
  • Interoperability – Novell started life in the pre-Open Source days; it’s got a huge patent portfolio, years of closed-source product development and many customers who use those products. Red Hat began as, and remains, aggressively Open Source, even when it doesn’t make sense; they have to adhere to that ideal. Novell enters into and works hard on agreements that increase its interoperability with other environments and make it easy to just get things working. Novell’s agreement with Microsoft is a good example of two organizations that aggressively compete also setting aside differences to make customers’ lives easier.
  • Customer Satisfaction – We have many interactions with customers who are running either mostly RHEL or mixed RHEL and SLE environments and who have experienced significant challenges getting RHEL support for issues that have already been resolved satisfactorily on the SLE side, or that haven’t occurred thanks to pro-active patching etc. by Novell.

Feedback on this is much appreciated, please let me know your changes, suggestions or corrections to these.

RossB

When does it make sense to use a Virtual Server as opposed to a Physical Server? That’s a question that a lot of people are currently discussing amongst themselves and with us on the technology side.

Before an organization can think of using Physical or Virtual Servers, they will need to be aware of Virtualization as a whole.

Forrester Research recently reported that the number of IT organizations implementing or piloting virtualization reached and exceeded 50% in 2006 with the split being roughly 40% implementations and 11% piloting. The growth year on year was about 11% for implementations and flat for piloting. The number of respondents that were aware of virtualization stands at 92%, with only 8% professing to know nothing about the technology.

I’d say that awareness of virtualization is pretty high among our readers, but we all know someone who is just happy in their distributed server single instance world, either they haven’t had any situations where virtualization was an answer, or more likely, they can’t quite grok the concept of what is going on.

Rackspace (a hosting provider) recently polled their own customers (and therefore already a savvy bunch) and found that 57% of their hosting customers had virtualized infrastructure and over 70% of those surveyed said they would host mission-critical apps on virtualized platforms.

Not surprisingly,  of those surveyed who would host such applications on a virtual platform, over 70% said it would be preferable to do so with a hosted provider’s help, like say, Rackspace?  Also not a shocker was the fact that of the 60%+ that didn’t currently use virtualization said they would try it with the help of a hosting provider, again, Rackspace.

The reasons customers used virtualization turned out to be primarily Development and Testing (37%), followed by Web Applications with (22%) and lastly Application Servers at (12%).  No mention of virtualized firewalls or storage.

Last but not least was the mix of virtualization platforms and vendors, with VMWare (60%), Microsoft’s Virtual Server (14%) and Xen (11%). Of course our own SLES 10 SP1 uses the Xen hypervisor to great advantage; you can get an evaluation version (no timeout, but limited support for 60 days) for any of the platforms you support.

RossB

I won’t bore you with my analysis, TechTarget’s Jack Loftus gives an impassioned report of Ron Hovsepian’s Linux World Expo keynote and the slightly-less-than-controversy surrounding the press reaction to it.  A good read, and some great points.

RossB

In a rare method-acting appearance, Tim O’Reilly gave his best shot at Chicken Little’s famous refrain, telling the world that he thinks:

“I will predict that virtually every open-source company (including Red Hat) will eventually be acquired by a big proprietary software company.”

Sure, there have been a few acquisitions by large companies of Open Source companies and the founders behind projects, but Tim, you’re a very smart man, surely you remember that all that CODE is Open Source, right?

This is just the market making sure that the right people get to buy houses and put their children (ok, developers, so maybe child processes???) in the schools of their choice, if someone bolluxes up an Open Source company, the braintrust of developers and such will just move to make another one.

This is not the emergency you’re looking for, move along.

RossB

AutoYaST is a capability built into SUSE Linux Enterprise that allows you to do scripted installation of servers or desktops.  Here are a couple of my favorite overview articles on AutoYaST.

Automating Installations with AutoYaST

and

SUSE Linux Enterprise Desktop 10 for the Masses: Discover the Power of Network-Based, Hands-Free Installations

and of course you can also refer to this blog and search on the term AutoYaST to get the latest.

ZDnet’s Executive Editor David Berlind did a “technology shakedown” of MS Vista recently and discovered that when logged in as a “Standard” user, and Vista downloads and installs some patches/updates which requires a reboot, Vista will automatically go ahead and reboot you.  That is, it will reboot your machine whether you’re at a stopping point in your day/document/webconference or not.  In fact, it will show you the “Remind me later” button so you can delay the reboot — but it’s grayed out (as if to mock users)!!  YIKES!! David then found that by reconfiguring the workstation as an Administrator, he did indeed have the rights to delay the reboot.  Anyone else see a problem with this?

Am I being picky? Am I just pointing this out to be mean? No, not entirely… I was in a meeting today and we were discussing some of the security differences between Linux and Windows. Part of Windows’ problem is that many applications and services are granted “Administrative” privileges in order to do their work. These can then represent potential backdoors into the system. In addition, many organizations simply give users Administrative rights outright, which can lead to other complications. Linux, by comparison, does not automatically grant administrative rights to apps and processes.

So, to avoid running into this problem it would appear that you might need to deploy Vista and give users Administrative rights. (Don’t worry, I’m sure users won’t do anything undesirable to their PCs… ;-) Alternatively, you could just force users to reboot whenever the OS feels it’s necessary and simply not give users any way to stop or delay it. If you ask me, that’s quite the “rock” and the “hard place.”

I suspect MS might hear enough complaints about this “feature” from Vista users (as soon as they get enough of those, that is) and will issue some sort of patch or optional add-on which will resolve this for IT guys who care.  In the meantime, we’ll be waiting…

Okay, so perhaps the headline was a little sensational, but I was still very alarmed when I learned of this, and I think you should at least be aware of it.  Thus this post.  I guess that’s just one more (albeit relatively minor) reason to choose SUSE Linux Enterprise Desktop instead.
What do you think?  Am I over-reacting?

A Vancouver B.C. law firm has overruled Microsoft Windows’ objection to being replaced with SUSE Linux Enterprise Desktop (SLED) 10. The firm’s IT manager, Richard Giroux, says that the level of downtime he’s seen in other firms is:

“Simply unacceptable.”

After testing a number of competitive desktop Linux distributions, Giroux chose SLED 10, citing its speed and included applications as deciding factors in SUSE’s favor. To handle a number of problem or non-cross-platform applications, the firm uses Citrix clients running on SLED, including its dictation and audio functions, along with the Microsoft Office suite and other applications that primarily run on Microsoft Windows.

“Having an open environment with Linux gives us the opportunity to select from thousands of high-quality open source programs,”

One of the other features about SLED that Giroux likes is the subscription model, as it’s not categorized as a capital outlay expense, rather it’s an operational expense. The flat subscription costs are much more predictable for budgeting and the inclusion of many standard applications in SLED is an added plus.

“By nature, open source software has to integrate well with other applications, so we can implement them easily and cost-effectively. One application for transcription playback has already saved us thousands of dollars.”

As a final shot across Microsoft’s bows, Giroux cites his ability to do the entire office upgrade in a single weekend and the (conservative estimate) 20% maintenance savings effective immediately.

Read more about Whitelaw-Twining’s summary judgement in favor of Open Platform Solutions in the Novell Customer Showcase.

Enjoy,

RossB

Seems that Citrix just announced they will purchase XenSource, the commercial entity formed to make money off of the Xen Virtualization open source project.

I’ve read all I can about it, and I just don’t see the “synergies” that are supposed to be there; it just doesn’t make much sense. Of course Xen is an open source project and the vast majority of development takes place at Novell, other distributions and independent developers, so XenSource’s acquisition may not affect much other than Citrix’s stock price. Also, anyone who has purchased the XenEnterprise product (XenSource’s commercial Virtualization Server offering) is probably trying to figure out how to download SUSE Linux Enterprise Server 10 SP1 (hint: just click on the link; it’s really easy to set up and run, we know that for a fact).

Should be interesting to watch this one!

RossB
