Category Archives: Ubuntu

OpenStack: a .deb guy on (the) board

 

The elections for the new OpenStack board are coming closer
and this time the Open Source community has a great
opportunity of representation: Giuseppe Paternò is standing as a candidate for the board.

Although Giuseppe is considered by HP and Forrester Research
among the top talented consultants in the world,
Gippa (as he’s largely known in the industry) is still “one of us”,
a “nerd” that grew up with a keyboard on his hands.
As he’s one of the candidates of the OpenStack board,
Fabio Marzocca – wishing to know more – has interviewed him.

[FM] The hard question. You’re a techie. Why the hell are you running for the board?

[GP] This is indeed a good question ☺ It all started as a challenge from some clients and friends that are working in the OpenStack project. The truth is that the board and most of the management of the foundation are from vendors. I’m not questioning here if they do a good job or not, it is very likely that they tend to protect their own interests. In my opinion it lacks some “community spirit” that have fostered Linux development such as Debian and Ubuntu. That’s why I’m running for it, to bring the community where it should be.

[FM] Back to Debian and Ubuntu, could you tell us your story with Linux?

[GP] I discovered Linux in 1994, but only in 1996 things were serious. By the time I just finished high school and I applied for a job in a local Internet Service Provider. At 15 years I was well known in the local community as I was installing and maintaining several BBSes, so it wasn’t hard to get the job. I can say it was love at first sight. I started with Slackware (was the first distro), but I moved into redhat first and then debian. When I was working for the IBM Linux Technology Center, I was in charge of helping porting Linux to PowerPC and backporting LVM to make it similar to AIX. Sun was also a good playground as they acquired Cobalt, a hardware appliance based on debian. Then I shifted more towards Enterprise Linux adoption with 6 years in RedHat and then I went to Canonical. I was happy to go back to Debian and Ubuntu community, because I still believe that Ubuntu Developer Summits (UDS) were the real spirit of a Linux community.

[FM] Another hard question. We know you’re somehow involved in the “rebellion” of Devuan.org. What is your opinion about systemd?

[GP] Let me tell you that it’s not totally black/white and let’s see the two sides here. Something like systemd was indeed needed. Each distro has its own way of init’ing the system and for a package maintainer or commercial software maker, maintaining different init behaviour is insane. And as an init replacement it totally makes sense. However, IMHO systemd went too far away, incorporating into its code something that should not happen. A DHCP client into an init system, seriously? I doubt it was in the spirit of the Unix and Linux system…
However, in the real world of “pets vs cattle”, where application matters more than systems, having a systemd as it is, doesn’t change that much.

[FM] OpenStack was incubated in Ubuntu and the roots are quite clear. Is there something else that you would like to see from Debian and Ubuntu in OpenStack?

[GP] Stability, if I can name just one. Currently OpenStack is released every 6 months, which was probably the best choice to speed up the development. However, this is now becoming a weakness, as enterprise customers can’t upgrade their critical infrastructures every 6 months. Traditionally Debian is “maniacally” focused on given a bullet-proof distribution, this is something that in my opinion is missing from OpenStack.

[FM] Gippa, tell us just 2 or 3 topics you will bring to action in case of election

[GP] I’d like to introduce an OpenStack “LTS” process, following the Ubuntu approach: while releasing every 6 months is fair enough for development and testing environments, having a stable release every 2-3 years can give enterprise customers the peace of mind they need while running production environments.
I’d also love to see a consolidation of the core (Nova/Neutron/Cinder/Swift): vendors and developers are introducing new features and projects while I’d love to see –for example- a more stable and scalable Neutron and a more stable connection to Oslo (in particular rabbitmq).
In general, I would encourage more attention to who is actually deploying, integrating and using OpenStack every day. I would also try to foster the ecosystem of ISVs in order to release and certify their software for OpenStack. And – last but not least- to see interoperation between “regional” datacenters: I dream of a world where companies in a given territory can “work together”, and this is only possible through standards. I hope that OpenStack can represent this standard.

[FM] When are the elections and how can we vote?

[GP] Individual Member Director elections for the 2016 Board will be held online from Monday January 11, 2016 to Friday January 15, 2016. More informations on the website.

Pallinux: Olly Olly Oxen Free!

 

Pallinux: Artwork by Fabio "Pixel" Colinelli

Pallinux: Artwork by Fabio “Pixel” Colinelli

In a world far away, in the dark Land of Digitos only populated by machines and computers, the evil Mister Woo was ruling over all. Over time, this terrible dictator was becoming a horrendous fire-eyed giant, walking the whole day by vibrating the heavy steps into his Kingdom, leaving behind him a trail of smoke and terror. Mr. Woo always wore a long, shabby and dirty top hat that had once been white, so old and ragged that he could not even keep it up straight on his head.

Throughout the Land of Digitos, the inhabitants – computers – were scattered, each…

<Read more…>

How to have a successful OpenStack project

It’s no secret that OpenStack is becoming the de-facto standard for private cloud and a way for telecom operators to differentiate against big names such as Amazon or Google.
OpenStack has already been adopted in some specific projects, but the wide adoption in enterprises is starting now, mostly because people simply find it difficult to understand. VMWare is still something to compare to, but OpenStack and cloud is different. While cloud implies virtualization, virtualization is not cloud.

gpaterno_ebook_webCloud is a huge shift in your organization and will change forever your way of working in the IT projects, improving your IT dramatically and cutting down costs.

In order to get the best of OpenStack, you need to understand deeply how cloud works. Moreover, you need to understand the whole picture beyond the software itself to provide new levels of agility, flexibility, and cost savings in your business.

Giuseppe Paterno’, leading European consultant and recently awarded by HP, wrote OpenStack Explained to guide you through the OpenStack technology and reveal his secret ingredient to have a successful project. You can download the ebook for a small donation to provide emergency and reconstruction aid for Nepal. Your donation is certified by ZEWO , the Swiss federal agency that ensures that funds go to a real charity project.

… but hurry up, the ebook is in a limited edition and it ends on July 2015.

Donate & Download here: https://life-changer.helvetas.ch/openstack

Handling identities in distributed Linux cloud instances

I’ve many distributed Linux instances across several clouds, be them global, such as Amazon or Digital Ocean, or regional clouds such as TeutoStack or Enter.

Probably many of you are facing the same issue: having a consistent UNIX identity across all multiple instances. While in an ideal world LDAP would be a perfect choice, letting LDAP open to the wild Internet is not a great idea.

So, how to solve this issue, while being secure? The trick is to use the new NSS module for SecurePass.

While SecurePass has been traditionally used into the operating system just as a two factor authentication, the new beta release is capable of holding “extended attributes”, i.e. arbitrary information for each user profile.

We will use SecurePass to authenticate users and store Unix information with this new capability. In detail, we will:

  • Use PAM to authenticate the user via RADIUS
  • Use the new NSS module for SecurePass to have a consistent UID/GID/….

 SecurePass and extended attributes

The next generation of SecurePass (currently in beta) is capable of storing arbitrary data for each profile. This is called “Extended Attributes” (or xattrs) and -as you can imagine- is organized as key/value pair.

You will need the SecurePass tools to be able to modify users’ extended attributes. The new releases of Debian Jessie and Ubuntu Vivid Vervet have a package for it, just:

# apt-get install securepass-tools

ERRATA CORRIGE: securepass-tools hasn’t been uploaded to Debian yet, Alessio is working hard to make the package available in time for Jessie though.

For other distributions or previous releases, there’s a python package (PIP) available. Make sure that you have pycurl installed and then:

# pip install securepass-tools

While SecurePass tools allow local configuration file, we highly recommend for this tutorial to create a global /etc/securepass.conf, so that it will be useful for the NSS module. The configuration file looks like:

[default]
app_id = xxxxx
app_secret = xxxx
endpoint = https://beta.secure-pass.net/

Where app_id and app_secrets are valid API keys to access SecurePass beta.

Through the command line, we will be able to set UID, GID and all the required Unix attributes for each user:

# sp-user-xattrs user@domain.net set posixuid 1000

While posixuid is the bare minimum attribute to have a Unix login, the following attributes are valid:

  • posixuid → UID of the user
  • posixgid → GID of the user
  • posixhomedir → Home directory
  • posixshell → Desired shell
  • posixgecos → Gecos (defaults to username)

Install and Configure NSS SecurePass

In a similar way to the tools, Debian Jessie and Ubuntu Vivid Vervet have native package for SecurePass:

# apt-get install libnss-securepass

For previous releases of Debian and Ubuntu can still run the NSS module, as well as CentOS and RHEL. Download the sources from:

https://github.com/garlsecurity/nss_securepass

Then:

./configure
make
make install (Debian/Ubuntu Only)

For CentOS/RHEL/Fedora you will need to copy files in the right place:

/usr/bin/install -c -o root -g root libnss_sp.so.2 /usr/lib64/libnss_sp.so.2
ln -sf libnss_sp.so.2 /usr/lib64/libnss_sp.so

The /etc/securepass.conf configuration file should be extended to hold defaults for NSS by creating an [nss] section as follows:

[nss]
realm = company.net
default_gid = 100
default_home = "/home"
default_shell = "/bin/bash"

This will create defaults in case values other than posixuid are not being used. We need to configure the Name Service Switch (NSS) to use SecurePass. We will change the /etc/nsswitch.conf by adding “sp” to the passwd entry as follows:

$ grep sp /etc/nsswitch.conf
 passwd:     files sp

Double check that NSS is picking up our new SecurePass configuration by querying the passwd entries as follows:

$ getent passwd user
 user:x:1000:100:My User:/home/user:/bin/bash
$ id user
 uid=1000(user)  gid=100(users) groups=100(users)

Using this setup by itself wouldn’t allow users to login to a system because the password is missing. We will use SecurePass’ authentication to access the remote machine.

Configure PAM for SecurePass

On Debian/Ubuntu, install the RADIUS PAM module with:

# apt-get install libpam-radius-auth

If you are using CentOS or RHEL, you need to have the EPEL repository configured. In order to activate EPEL, follow the instructions on http://fedoraproject.org/wiki/EPEL

Be aware that this has not being tested with SE-Linux enabled (check off or permissive).

On CentOS/RHEL, install the RADIUS PAM module with:

# yum -y install pam_radius

Note: as per the time of writing, EPEL 7 is still in beta and does not contain the Radius PAM module. A request has been filed through RedHat’s Bugzilla to include this package also in EPEL 7

Configure SecurePass with your RADIUS device. We only need to set the public IP Address of the server, a fully qualified domain name (FQDN), and the secret password for the radius authentication. In case of the server being under NAT, specify the public IP address that will be translated into it. After completion we get a small recap of the already created device. For the sake of example, we use “secret” as our secret password.

Configure the RADIUS PAM module accordingly, i.e. open /etc/pam_radius.conf and add the following lines:

radius1.secure-pass.net secret 3
radius2.secure-pass.net secret 3

Of course the “secret” is the same we have set up on the SecurePass administration interface. Beyond this point we need to configure the PAM to correct manage the authentication.

In CentOS, open the configuration file /etc/pam.d/password-auth-ac; in Debian/Ubuntu open the /etc/pam.d/common-auth configuration and make sure that pam_radius_auth.so is in the list.

auth required   pam_env.so
auth sufficient pam_radius_auth.so try_first_pass
auth sufficient pam_unix.so nullok try_first_pass
auth requisite  pam_succeed_if.so uid >= 500 quiet
auth required   pam_deny.so

Conclusions

Handling many distributed Linux poses several challenges, from software updates to identity management and central logging.  In a cloud scenario, it is not always applicable to use traditional enterprise solutions, but new tools might become very handy.

To freely subscribe to securepass beta, join SecurePass on: http://www.secure-pass.net/open
And then send an e-mail to info@garl.ch requesting beta access.

LADI Tools: first stable release is out!

During the last month I worked as upstream maintainer of LADI Tools and now I’m happy to introduce the first stable release! So, to answer the usual question “What’s new?”, here is a short description of the changes introduced (taken from the NEWS file included in the release tarball):

Laditools 1.0 «Lady “O”»

Apart from wladi and g15ladi, most of ladi* tools have been renamed:

  • ladicontrol -> ladi-control-center
  • ladilog -> ladi-system-log
  • laditray -> ladi-system-tray

Moreover, a new component has joined the LADI Tools suite: ladi-player. LADI Player is a convenient, graphical VLC-style application providing an all-in-one control interface to start, stop and monitor JACK as well as the session handler. It also provides basic controls for managing studios.

Goodbye PyGTK!

All the code was ported to GTK+ 3 and the new GObject Introspection mechanism.

Code refactoring and cleanup

The code has been reorganized in order to allow the use of Python objects by 3rd party applications.

To start writing code using the classes provided by laditools, simply do the following:

from laditools import *

Two-in-one solution for LADI System Tray

Formerly laditray was an implementation of GtkStatusIcon to put a nice right-clickable icon into the system tray to allow users access JACK controls easy way. It’s been mostly rewritten and now it shows an AppIndicator icon (if the library is available), or fall back to the Freedesktop.org’s old-fashioned System Tray Protocol Spec-compliant icon.

Project’s new homepage

The project’s homepage is now hosted by Launchpad.net, the code is hosted by repo.or.cz and it’s available here for browsing.
Please use the following links to contact the development team:

New up-to-date packages will hit both Debian and Ubuntu soon!

Manage your font collection with Font Manager

Already available in both Maverick and Debian sid, it provides many interesting features.

I’m talkin’ about Font Manager, a small application written in C and Python by Jerry Casiano, which allows users to easily install, remove and compare font files on own system.

Here are few nice screenshots:

To install the application, as usual type:

sudo apt-get install font-manager

Let me know what you think! 😉

Links

What a beautiful day

I have two nice news to tell you today!

  1. Nautilus Pastebin has been entered Debian’s unstable archive (PTS page).
  2. Yesterday morning I opened my mailbox and the first email began with the following:

    Hi,

    Congratulations! This e-mail confirms that Canonical would like to offer you sponsorship in the form of accommodation and travel to the Ubuntu Developers Summit in Dallas for the Ubuntu 10.04 Lucid Lynx release – http://wiki.ubuntu.com/UDS

I can’t describe what I feel, I just want to thank Canonical for giving me this opportunity.