tc: Linux HTTP Outgoing Traffic Shaping (Port 80 Traffic Shaping)

I’ve a 10Mbps server port dedicated to our small business server. The server also acts as a backup DNS server and I’d like to slow down outbound traffic on port 80. How do I limit bandwidth allocation to the http service to 5Mbps (burst to 8Mbps) at peak times so that DNS and other services will not go down due to heavy activity under Linux operating systems?

You need to use the tc command, which can slow down traffic for a given port or service on a server; this is called traffic shaping:

via tc: Linux HTTP Outgoing Traffic Shaping (Port 80 Traffic Shaping).
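As a worked version of the answer above, here is an added example (my own shell script, not code from the quoted post): an HTB setup that guarantees outbound HTTP (packets the web server sends from TCP source port 80) 5mbit, lets it borrow up to an 8mbit ceiling when the link is idle, and puts everything else, DNS included, in a higher-priority class that may use the whole link. The interface name eth0 and the 10mbit link rate are assumptions; DRY_RUN=1 prints the tc commands instead of running them, and applying them needs root.

```shell
#!/bin/sh
# Added example, not from the original post: HTB shaping of outbound HTTP.
# Assumed: egress interface eth0 on a 10mbit link; adjust to your server.
# DRY_RUN=1 prints the tc commands instead of executing them (no root needed).

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

shape_http() {
    dev="${1:-eth0}"        # egress interface
    link="${2:-10mbit}"     # physical link rate
    http_rate="${3:-5mbit}" # guaranteed rate for HTTP
    http_ceil="${4:-8mbit}" # burst ceiling HTTP may borrow up to

    # Start from a clean slate; deleting a missing root qdisc is not an error here.
    run tc qdisc del dev "$dev" root 2>/dev/null || true

    # Root HTB qdisc; anything no filter classifies lands in class 1:30.
    run tc qdisc add dev "$dev" root handle 1: htb default 30
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$link" ceil "$link"

    # 1:10 = HTTP: guaranteed http_rate, may borrow up to http_ceil, lower priority.
    run tc class add dev "$dev" parent 1:1 classid 1:10 htb rate "$http_rate" ceil "$http_ceil" prio 2
    # 1:30 = everything else (DNS, SSH, ...): higher priority, may use the whole link.
    run tc class add dev "$dev" parent 1:1 classid 1:30 htb rate "$http_rate" ceil "$link" prio 1

    # Fair queueing inside each class so one TCP flow cannot starve the others.
    run tc qdisc add dev "$dev" parent 1:10 handle 10: sfq perturb 10
    run tc qdisc add dev "$dev" parent 1:30 handle 30: sfq perturb 10

    # Classify what the web server sends (TCP, source port 80) into class 1:10.
    run tc filter add dev "$dev" parent 1: protocol ip prio 1 u32 \
        match ip protocol 6 0xff match ip sport 80 0xffff flowid 1:10
}

# Per-class byte/packet counters: confirm port-80 traffic is really hitting 1:10.
show_http_shaping() {
    run tc -s class show dev "${1:-eth0}"
}

# Apply when run directly as: SHAPE_HTTP_APPLY=1 sh shape_http.sh eth0 10mbit 5mbit 8mbit
if [ "${SHAPE_HTTP_APPLY:-0}" = "1" ]; then
    shape_http "$@"
fi
```

Two details worth knowing: HTB only shapes egress, so this must be installed on the interface the HTTP responses leave through, and the filter matches source port 80 because that is the server's side of the connection; shaping inbound requests would need an ingress qdisc or IFB, which the question does not ask for. After applying, `show_http_shaping eth0` should show the 1:10 counters climbing while a download is running.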

Your visual how-to guide for SELinux policy enforcement

Note: SELinux does not let you side step DAC Controls. SELinux is a parallel enforcement model. An application has to be allowed by BOTH SELinux and DAC to do certain activities. This can lead to confusion for administrators since the process gets Permission Denied. Administrators see Permission Denied means something is wrong with DAC, not SELinux labels.

via Your visual how-to guide for SELinux policy enforcement | opensource.com.

DAC=Discretionary Access Control

SELinux is a powerful labeling system, controlling access granted to individual processes by the kernel. The primary feature of this is type enforcement, where rules define the access a process is allowed based on the labeled type of the process and the labeled type of the object.

For regular users SELinux can be a complete PITA which usually needs to be disabled or set to just log the violation only. I recall in past years installing some service and trying to figure out why it wouldn’t work until the logs revealed I didn’t have things set up in a way SELinux wants. Currently I try and minimize SELinux violations because it seems like it has a point most of the time.
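The note above is exactly the trap: a "Permission denied" looks the same whether DAC or SELinux refused it. The quick check is whether the audit log has an AVC denial for the program; if it does, the label side needs fixing, if it does not, look at ownership and mode first. Here is an added shell example of that check (mine, not from the opensource.com guide). The audit records in it are constructed for the demo, with made-up pids and inode numbers; on a live system you would feed in `ausearch -m AVC -ts recent` or /var/log/audit/audit.log instead.

```shell
#!/bin/sh
# Added example, not from the opensource.com guide: tell an SELinux denial
# from a DAC denial by looking for AVC records in the audit log.
# The records below are constructed for this demo (pids, inodes made up).
SAMPLE_AUDIT='type=AVC msg=audit(1382000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1382000000.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1382000000.456:457): avc:  denied  { name_bind } for  pid=2345 comm="named" src=8053 scontext=system_u:system_r:named_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Reduce each AVC record to one line: comm permission source_type target_type class
# (the three fields an admin needs to read a denial: who, what, on which label).
avc_summary() {
    printf '%s\n' "$1" | sed -n \
      's/^type=AVC .*denied  { \([a-z_]*\) } for .*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^:]*\):.*tcontext=[^:]*:[^:]*:\([^:]*\):.*tclass=\([a-z_]*\).*/\2 \1 \3 \4 \5/p'
}

# Print "selinux" if the log holds an AVC denial for the program, otherwise
# "dac-or-other": with no AVC record the kernel refused for another reason,
# so check the DAC side (ls -l ownership and mode) before touching labels.
denial_source() {
    log="$1"; prog="$2"
    if avc_summary "$log" | awk -v p="$prog" '$1 == p { found=1 } END { exit !found }'; then
        echo selinux
    else
        echo dac-or-other
    fi
}

# Stand-alone usage: sh avc_check.sh httpd  (reads the constructed sample)
if [ -n "$1" ]; then
    printf 'AVC denials seen:\n'; avc_summary "$SAMPLE_AUDIT"
    printf '%s: %s\n' "$1" "$(denial_source "$SAMPLE_AUDIT" "$1")"
fi
```

On the sample, `denial_source "$SAMPLE_AUDIT" httpd` answers `selinux` (httpd_t was refused read on a user_home_t file, a classic mislabelled DocumentRoot), while `denial_source "$SAMPLE_AUDIT" sshd` answers `dac-or-other`. Both checks must pass for access to succeed, so a clean AVC log and a DAC denial means the fix is chmod/chown, not a new policy module.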

The second operating system hiding in every mobile phone

The insecurity of baseband software is not by error; it’s by design. The standards that govern how these baseband processors and radios work were designed in the ’80s, ending up with a complicated codebase written in the ’90s – complete with a ’90s attitude towards security. For instance, there is barely any exploit mitigation, so exploits are free to run amok. What makes it even worse, is that every baseband processor inherently trusts whatever data it receives from a base station (e.g. in a cell tower). Nothing is checked, everything is automatically trusted. Lastly, the baseband processor is usually the master processor, whereas the application processor (which runs the mobile operating system) is the slave.

via The second operating system hiding in every mobile phone.

From: Baseband Hacking: A New Frontier for Smartphone Break-ins

Previously, mobile hacking attempts have involved the phone’s operating system or other software, but this one focuses on breaking into a phone’s baseband processor, which is the hardware that sends and receives radio signals to cell towers.

SteamOS will “really help” Linux on desktop

Should SteamOS gain traction among gamers and developers, that could force more hardware manufacturers to extend driver support beyond Windows

via Torvalds: SteamOS will “really help” Linux on desktop | News | PC Pro.

Amen. Getting NVIDIA graphic drivers working is a mind boggling exercise and must be redone with every kernel upgrade. This is one of the reasons I rarely upgrade Fedora — it’s too complicated getting video drivers working well enough to the point a video can be played and the desktop environment looks right.

Your next network operating system is Linux

Thus, the scale and agility of modern data centers put data center networking at odds with the existing network models. Some problems, such as the number of virtual networks, required the development of new technologies such as VXLAN, while others have required a redesign of the network architecture deployed in the data center. But the problem of managing the network is not rooted in any failure of networking, rather in the design of the network OS.

via Your next network operating system is Linux | Networking – InfoWorld.

Essentially, we can write the equivalent of a device driver to synchronize the kernel state of these data structures with the hardware. Silicon switching ports can be made to appear like NICs to the OS. Thanks to Linux’s Netlink model, a device driver can sit by the side and listen to everything that’s going on with the kernel state — interface up/down, routing entries added/deleted either by user or routing protocols, netfilter entries added or deleted — and synchronize that state with the hardware. Furthermore, the driver can sync the state of counters from the hardware with the kernel state allowing native Linux tools such as ethtool, iptables, or /proc/net/dev to display the correct information, completely unaware that these values are coming from the hardware. Cumulus Networks has developed the first such solution, but others with a similar model may not be far away.

netfilter/iptables project homepage

nftables is the project that aims to replace the existing {ip,ip6,arp,eb}tables framework. Basically, this project provides a new packet filtering framework, a new userspace utility and also a compatibility layer for {ip,ip6}tables. nftables is built upon the building blocks of the Netfilter infrastructure such as the existing hooks, the connection tracking system, the userspace queueing component and the logging subsystem.

via netfilter/iptables project homepage – The netfilter.org “nftables” project.

From: Nftables: a new packet filtering engine

Packet filtering and firewalling has a long history in Linux. The first filtering mechanism, called “ipfwadm,” was released in 1995 for the 1.2.1 kernel. This code was used until the 2.2.0 stable release (January, 1999), when the new “ipchains” module took over. While ipchains was useful, it only lasted until 2.4.0 (January, 2001), when it, too, was replaced by iptables/netfilter, which remains in the kernel now. If netfilter maintainer Patrick McHardy has his way, though, iptables, too, will be gone in the future, replaced by yet another mechanism called “nftables.” This article will give an overview of how nftables works, followed by a discussion of the motivations behind this change.

The Navy’s newest warship is powered by Linux

The design of the Zumwalt solves that problem by using off-the-shelf hardware—mostly IBM blade servers running Red Hat Linux—and putting it in a ruggedized server room. Those ruggedized server rooms are called Electronic Modular Enclosures (EMEs), sixteen self-contained, mini data centers built by Raytheon.

Measuring 35 feet long, 8 feet high, and 12 feet wide, the 16 EMEs have more than 235 equipment cabinets (racks) in total. The EMEs were all configured and pre-tested before being shipped to Bath, Maine, to be installed aboard the Zumwalt.

via The Navy’s newest warship is powered by Linux | Ars Technica.

Putting all of the pieces together is a collection of middleware running on those IBM blade servers. Many of the shipboard systems use a commercial publish/subscribe middleware platform to send updates to operator consoles. But for other systems that need to be more tightly coupled (like, for example, missile launch commands), the Navy has specified the use of the Common Object Request Broker Architecture (CORBA)—the military’s favorite mission-critical middleware model. (The software for the Joint Tactical Radio System’s software-defined radios was also developed using CORBA.)

Linux-capable Arduino TRE debuts at Maker Faire Rome

As Zoe Romano puts it in an Arduino blog post, “the Arduino TRE is two Arduinos in one.” Basically, the new ARM Cortex-A8-based Sitara AM335x’s job is to run Linux applications and manage the SBC’s PC-style interfaces (video, audio, Ethernet, USB, optional WiFi, etc.), while an Atmel ATmega microcontroller takes care of the SBC’s real-world I/O (analog inputs, digital I/O, PWM outputs, etc.) and handles the interface to shields (Arduino expansion modules) in a fully AVR-compatible manner. Best of all, Romano points out, the 1GHz TI ARM processor offers up to “100 times more performance” than Arduino’s earlier Leonardo and Uno boards.

via Linux-capable Arduino TRE debuts at Maker Faire Rome · LinuxGizmos.com.

What’s unique about the TRE, however, is that its Linux OS runs on an ARM processor that’s truly integrated into the SBC’s basic architecture, as opposed to being a collateral benefit of a WiFi add-on module. As a result, the TRE will support a “full Linux” OS in contrast to the Yun’s Linino OS, a custom version of the lightweight OpenWRT embedded Linux distribution.

OSv, a new open-source operating system for virtual machines

These days, most applications running on virtual machines in the cloud run on top of Linux. We all love Linux, but as an all-encompassing operating system for everything from phones to supercomputers, Linux was never really designed for virtual machines; it is big and complex, and it offers features (such as multi-user and multi-process) which are today made redundant by the hypervisor and slow it down. Linux’s APIs are many times set in stone by decades of legacy code. All these cost in application performance, and make it harder to innovate.

This is why we developed OSv, a new operating system designed to run a single application on a virtual machine. As it runs a single application there is no need for kernel-userspace isolation, reducing context switch costs and unnecessary copying. A design from scratch allowed us to experiment with new ideas like lock-free mutexes (solving the Lock-Holder Preemption problem that plagues operating systems on virtual machines), extremely fast context switches, Van Jacobson’s network channels (see http://www.lemis.com/grog/Documentation/vj/lca06vj.pdf), and more. Also, OSv is released under the more permissive BSD license (not GPL like Linux), is tiny compared to Linux, and takes less than one second to boot and start the user’s application.

via Announce: OSv, a new open-source operating system for virtual machines.

Presentation slides can be seen here.