August 2007


A customer asked me how they might be able to restrict the use of certain apps to only be from certain networks. For example, say you want to allow SSH access only from a management network (192.168.2.0), but not from the general user network (192.168.1.0). How is this done in SUSE Linux Enterprise Server? In short, use TCP Wrappers, which are configured in the /etc/hosts.allow and /etc/hosts.deny files. You can simply use any text editor, such as vi, to edit them…

The best documentation of the answer I found was here at Puschitz.com. Thanks go to Werner Puschitz for the insight!

If you know of other helpful sites or documentation on this topic, please post a comment so we can all benefit.
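As an added example (not from the original post or from Puschitz.com), here is the pair of files that implements the sshd restriction described above, together with a small shell function that replays tcpd's lookup order (hosts.allow first, then hosts.deny, otherwise allow) against scratch copies of the files, so the rules can be checked without touching /etc. WRAPPER_DIR and the helper function names are my own, not part of tcp_wrappers.

```shell
#!/bin/sh
# Scratch copies of hosts.allow / hosts.deny (WRAPPER_DIR is an assumption of
# this example; on a real host the files live in /etc).
WRAPPER_DIR="${WRAPPER_DIR:-$(mktemp -d)}"

write_wrapper_rules() {
  # hosts.allow is read first; a trailing dot makes the pattern a prefix match.
  printf '%s\n' '# management network only' 'sshd : 192.168.2.' > "$WRAPPER_DIR/hosts.allow"
  # hosts.deny is read second; sshd clients not matched above are refused.
  printf '%s\n' '# everything else' 'sshd : ALL' > "$WRAPPER_DIR/hosts.deny"
}

# match_file FILE DAEMON CLIENT_IP -> 0 if some "daemon_list : client_list" line matches
match_file() {
  file=$1; daemon=$2; ip=$3
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                          # drop comments
    case "$line" in *:*) ;; *) continue ;; esac
    daemons=$(printf '%s' "${line%%:*}" | tr ',' ' ')
    rest=${line#*:}
    clients=$(printf '%s' "${rest%%:*}" | tr ',' ' ')   # ignore trailing options
    dmatch=1
    for d in $daemons; do
      [ "$d" = ALL ] || [ "$d" = "$daemon" ] && dmatch=0
    done
    [ $dmatch -eq 0 ] || continue
    for c in $clients; do
      case "$c" in
        ALL) return 0 ;;                      # wildcard client
        *.)  case "$ip" in "$c"*) return 0 ;; esac ;;   # network prefix, e.g. 192.168.2.
        *)   [ "$c" = "$ip" ] && return 0 ;;  # exact host address
      esac
    done
  done < "$file"
  return 1
}

# wrapper_decision DAEMON CLIENT_IP -> prints allow|deny using tcpd's order
wrapper_decision() {
  if match_file "$WRAPPER_DIR/hosts.allow" "$1" "$2"; then echo allow
  elif match_file "$WRAPPER_DIR/hosts.deny" "$1" "$2"; then echo deny
  else echo allow; fi                         # matched nowhere: tcpd permits
}

write_wrapper_rules
wrapper_decision sshd 192.168.2.10    # allow (management network)
wrapper_decision sshd 192.168.1.10    # deny  (user network)
wrapper_decision sshd 192.168.20.5    # deny  (the trailing dot keeps 192.168.2. from matching 192.168.20.x)
```

On a live system the same question is answered by tcpdmatch from the tcp_wrappers tools (for example `tcpdmatch sshd 192.168.1.10`). Note that the ALL in hosts.deny is scoped to sshd, so other wrapped services stay open unless you list them too.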

(Update 8/31/07) Some additional suggestions I received. Thanks Edward Clay and Peter Albrecht.

(Response #1) You could do this with iptables or the YaST firewall app.

I found the following example on the following website.

http://www.cyberciti.biz/faq/restrict-ssh-access-use-iptable/

iptables -A INPUT -p tcp -s 0/0 --sport 513:65535 -d 195.55.55.78 --dport 22 -m state --state NEW,ESTABLISHED -j DROP


(Response #2) To use TCPwrapper for this, the application must be built with TCPwrapper support. There are some daemons listed at the top of /etc/hosts.allow which do support TCPwrapper.

If the application does not support TCPwrapper, I see two options:

1) Use iptables rules for limiting access. For an introduction to packet filters, have a look at our course 3075: SLES 10 Security.

2) If the server is connected to the respective network (192.168.2.0 in your example), you can configure sshd to listen only to that interface. The directive is ListenAddress in /etc/ssh/sshd_config. Several other applications also provide such a configuration.

Linux, specifically SUSE Linux Enterprise, that’s why.

Techtarget has the first in what promises to be a series of articles reporting on the IBM SHARE conference, where a lot of new technology and software gets introduced and this year it was clear that Linux on the Mainframe (System Z) is growing the Mainframe market.

Read Robert Rosen’s first in the series of articles and keep checking for more, Mainframe Linux is the most exciting thing that has happened on that platform since, well, ever.

It could go without saying, but I’ll take the hit, SUSE Linux Enterprise Server is a runaway hit for the System Z Mainframes, we have over 85% market share and growing.

I do a lot of work with customers who have Linux on System Z, and IBM’s direction next year will focus more on server consolidation using the System Z as a platform for virtualization.  (Sounds of things ramping up in the background).

Enjoy,

RossB

To my knowledge, there is no EULA (pdf) limitation that says you can not use SUSE Linux Enterprise Desktop (SLED) for an HPC compute node. However, depending on the specific application and libraries required, SLED may not satisfy your needs in a supported way. SLED and SLES have the same core of SUSE Linux Enterprise code, but the applications and services offered (and more importantly supported) on these two Novell products (SLED and SLES) will differ.

For example, OpenOffice.org is included with SLED but not with SLES. I have no technical problem in running OpenOffice.org on a SLES server, however, it is not something I would be able to get support from Novell on if I ever needed it. The same would be true for any other application, package or library differences which might exist.

Wanna see which officially supported packages are part of SLED and SLES?
http://support.novell.com/products/server/supported_packages/
http://support.novell.com/products/desktop/supported_packages/

Alternatively, here’s an online list and description of all the packages included in SLED and SLES:
http://www.novell.com/products/server/packages.html
http://www.novell.com/products/desktop/packages.html

As you may have heard, Citrix recently decided to acquire XenSource (more here, here and here) – the commercial front on the Xen virtualization technology in SLES 10. InfoWorld’s David Marshall reviews some interesting perspectives on the Citrix acquisition of XenSource in this audio podcast. He reviews a brief Q&A session with Citrix execs and a blog entry from Barrons.com. As I suspected when I first heard the news, it looks like Citrix’s initial foray into virtualization will be related to the desktop virtualization market. Still, $500M smackers is a pretty steep hill to climb to profitability if you ask me. Maybe I’ll be proven wrong.

Are any of YOU considering a desktop virtualization initiative? Why or why not?

[NOTE – If you listen to podcasts regularly, you know that it’s common practice to have some intro music. When listening to this podcast, just note that the music (annoying as it may be) doesn’t stop. Oh boy! David, if you end up reading this… next time, could… you… please… speak… a… little… faster…? 🙂 ]

It’s Not What You Say, it’s What You Do

We all know (or are about to find out) that the world of Open Source Software isn’t the same world as proprietary developers live in. OSS coders may or may not be paid to develop the projects they work on, regardless, it’s all about your contributions, how good you are and how well you’re perceived in the OSS community.

One’s reputation in the community is a valuable item. When everything you code or produce is freely available for the world to see and especially your peers to review and (ahem, constructively) criticize, the stakes are pretty high.

Automating the Process

An engine (not just) for the management of your reputation as a developer is Ohloh.net. As a collector and processor of what is being written, committed and credited in the Open Source development world, what they do is catalogue code, compute statistics on it and report on the individual contributors to Open Source projects. This is a fascinating use of technology to attempt to give credit where credit is due for Open Source coding.

The process can be summed up in these steps:

  1. Project leader/administrator sets up project to be tracked by Ohloh
  2. Individual contributor submits code to the public code repository
  3. Ohloh connects regularly to the public repository and downloads the updated code
  4. Ohloh analyzes the code changes, authorship, languages and licensing
  5. Ohloh posts updated report data on their site
  6. You query the Ohloh reports to see relevant reports about individuals, projects etc.

Decisions Require Data, So Get Some

Are you responsible for developers?  Want to have your people contribute to the community, but also you want to know how that time is being spent?  You can easily track who’s writing how much and contributing to what projects, as long as the project has given access to their code repository.  Ohloh makes it easy to track and report on things like:

  • Project Name and Description
  • Licensing Details, including compatibility with other licenses
  • Tags to help searching
  • User Reviews and Ratings
  • Related projects and other software used by project users
  • Calculated project cost in hours of development, configurable
  • Activity map for contributor locations

For example, when I looked at the various media projects, such as VLC, Mplayer and Audacious, I was able to get all the salient facts about them on their individual pages, but even more interesting was the ability to compare the projects, showing the relative number of lines of code in each project, the number of commits ongoing and the total number of contributors.

Think about it, if you’re just getting started in the world of OSS development, and you want a smaller or nearly abandoned project to cut your teeth on, you should be able to find something quickly, as well as do some research to see who the really prolific developers are, so maybe you can hire someone, or contract with someone for similar work.

Spread the Word

The next time someone asks you if a project is an abandoned strip-mall or a thriving metropolis, don’t just tell them what you think, lead them over to a browser and show them exactly what’s going on, they’ll be amazed at the wealth of information Ohloh collects and processes, in a very pleasing visual manner, if I do say so. Ohloh is only truly useful if everyone enables tracking, so if you’re a contributor or lead for any OSS projects, consider the benefits of participating in Ohloh’s process.

Enjoy,

RossB

IBM’s Developerworks continues to impress me with the level and quality of content related to Linux and Open Source.

Continuing in that theme is the “Anatomy of the Linux Networking Stack” by M. Tim Jones. The article starts out at the OSI 7 layer model and works all the way down to the device driver level.

A good read.

RossB

From the “Somewhere in Redmond someone is reaching for a family-sized bottle of TUMS” department, Google and Sun announced they will be providing StarOffice for free as part of the Google Pack, a set of applications that Google makes available for free, including Picasa, Google Earth and a lot of other Google-branded and 3rd party applications to make the desktop experience more interesting.

I can just hear the blood pressure rising out there in Microsoft land, this is a move sure to increase the public awareness of Star/OpenOffice, and personally I don’t care which version you use, they’re part of the same tree.

Google also offers their lightweight suite of Office Apps, such as Documents, but those aren’t for disconnected use, or where people are much more used to or prefer to have applications locally.

Last but not least, Google is expected to produce interoperability tools for Star/OpenOffice and its online Office apps so that businesses and partners can easily share documents between the two suites.

Lastly, anything that threatens the Microsoft Office hegemony will decrease revenues and cause problems for the Borg (er, our partner), so watch for the arrival of Hurricane FUD-tina at a news source near you.
