Nasty Lockup Issue Still Being Investigated For Linux 3.18

It might be related to the kernel’s watchdog code due to research by Linus Torvalds. “So I’m looking at the watchdog code, and it seems racy [with regard to] parking and startup…Quite frankly, I’m just grasping for straws here, but a lot of the watchdog traces really have seemed spurious…”

via [Phoronix] Nasty Lockup Issue Still Being Investigated For Linux 3.18.

Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild

What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability “shellshock” since it affects computer command interpreters known as shells.

via Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild – Slashdot.

This is a very confusing issue.  I found the above comment to be the most informative right now as this issue unfolds.

How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linus and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a “web server” in the sense of a server providing content of interest to the casual or “normal” user, many do provide web-based interfaces for diagnotics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.

Be a kernel hacker

In this tutorial, we’ll develop a simple kernel module that creates a /dev/reverse device. A string written to this device is read back with the word order reversed (“Hello World” becomes “World Hello”). It is a popular programmer interview puzzle, and you are likely to get some bonus points when you show the ability to implement it at the kernel level as well. A word of warning before we start: a bug in your module may lead to a system crash and (unlikely, but possible) data loss.

via Be a kernel hacker | Linux Voice.

Docker: the Linux container engine

Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that will run virtually anywhere.

Docker containers can encapsulate any payload, and will run consistently on and between virtually any server. The same container that a developer builds and tests on a laptop will run at scale, in production*, on VMs, bare-metal servers, OpenStack clusters, public instances, or combinations of the above.

Common use cases for Docker include:

  • Automating the packaging and deployment of applications
  • Creation of lightweight, private PAAS environments
  • Automated testing and continuous integration/deployment
  • Deploying and scaling web apps, databases and backend services

via About Docker – Docker: the Linux container engine.

A list of four special Linux distributions for kids

Learning at an early age can be best enhanced in an environment that encourages exploration. There is no other operating system that offers such variety and autonomy to customize the system based on specific needs like Linux. Like toys and clothes for kids, the Linux community has developed specific operating systems that can offer them a fun learning environment. I believe that to boost curiosity in kids, it is important to create a set up that gives them a feeling of wonder.

via A list of four special Linux distributions for kids |

I haven’t installed any of these but found the concept interesting.

Munich open source switch ‘completed successfully’

In one of the premier open source software deployments in Europe, the city migrated from Windows NT to LiMux, its own Linux distribution. LiMux incorporates a fully open source desktop infrastructure. The city also decided to use the Open Document Format (ODF) as a standard, instead of proprietary options.

Ten years after the decision to switch, the LiMux project will now go into regular operation, the Munich City council said in a document published

via Munich open source switch ‘completed successfully’.

SteamOS will “really help” Linux on desktop

Should SteamOS gain traction among gamers and developers, that could force more hardware manufacturers to extend driver support beyond Windows

via Torvalds: SteamOS will “really help” Linux on desktop | News | PC Pro.

Amen.  Getting NVIDIA graphic drivers working is a mind boggling exercise and must be redone with every kernel upgrade.  This is one of the reasons I rarely upgrade Fedora — it’s too complicated getting video drivers working well enough to the point a video can be played and the desktop environment looks right.

Your next network operating system is Linux

Thus, the scale and agility of modern data centers put data center networking at odds with the existing network models. Some problems, such as the number of virtual networks, required the development of new technologies such as VXLAN, while others have required a redesign of the network architecture deployed in the data center. But the problem of managing the network is not rooted in any failure of networking, rather in the design of the network OS.

via Your next network operating system is Linux | Networking – InfoWorld.

Essentially, we can write the equivalent of a device driver to synchronize the kernel state of these data structures with the hardware. Silicon switching ports can be made to appear like NICs to the OS. Thanks to Linux’s Netlink model, a device driver can sit by the side and listen to everything that’s going on with the kernel state — interface up/down, routing entries added/deleted either by user or routing protocols, netfilter entries added or deleted — and synchronize that state with the hardware. Furthermore, the driver can sync the state of counters from the hardware with the kernel state allowing native Linux tools such as ethtool, iptables, or /proc/net/dev to display the correct information, completely unaware that these values are coming from the hardware. Cumulus Networks has developed the first such solution, but others with a similar model may not be far away.

The Navy’s newest warship is powered by Linux

The design of the Zumwalt solves that problem by using off-the-shelf hardware—mostly IBM blade servers running Red Hat Linux—and putting it in a ruggedized server room. Those ruggedized server rooms are called Electronic Modular Enclosures (EMEs), sixteen self-contained, mini data centers built by Raytheon.

Measuring 35 feet long, 8 feet high, and 12 feet wide, the 16 EMEs have more than 235 equipment cabinets (racks) in total. The EMEs were all configured and pre-tested before being shipped to Bath, Maine, to be installed aboard the Zumwalt.

via The Navy’s newest warship is powered by Linux | Ars Technica.

Putting all of the pieces together is a collection of middleware running on those IBM blade servers. Many of the shipboard systems use a commercial publish/subscribe middleware platform to send updates to operator consoles. But for other systems that need to be more tightly coupled (like, for example, missile launch commands), the Navy has specified the use of the Common Object Request Broker Architecture (CORBA)—the military’s favorite mission-critical middleware model. (The software for the Joint Tactical Radio System’s software-defined radios was also developed using CORBA.)

The Linux Backdoor Attempt of 2003

What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

if ((options == (__WCLONE|__WALL)) && (current->uid = 0)) 
     retval = -EINVAL;

via The Linux Backdoor Attempt of 2003.

Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor.

The check should have been current -> uid == 0.  Sneaky!