Scott Dowdle's blog

Video: Docker Container Security

| |

Red Hat's Dan Walsh is *THE* SELinux expert. He gave a presentation on Docker container security at the recent DockerCon 14. If you have any interest in containers or Docker, this is probably worth viewing. Enjoy!

Opinion: Is online privacy lost? Forever?

|

I have a Barnes & Noble Nook HD+ Android-based tablet. I put a fairly recent version of CyanogenMod on it. I mainly bought it because it has fairly nice hardware specs at a fairly low price even if it is missing some features. I bought it because I felt that as an IT person that I must keep up with mobile technology and software. I sit at a computer all day at work. I have a desktop at home that I use a lot even if I'm not sitting directly in front of it. I have a netbook and I frequently use a more powerful laptop from work. I'm not really mobile very often... except when I'm either in the car or on the Streamline bus to/from work. I don't want to pay for multiple Internet access services so I don't have a data plan nor a cell phone.

What Privacy? - Another aspect of mobile devices is the software environments they run and how there is virtually no privacy offered by them. Again, I'm not really a privacy nut. No, no, really. I have my tablet that I don't use much... but I turn it on periodically so it can update a dozen or more apps. Every once in a while one or more of the apps will not auto-update because they are wanting to change their permissions. Take today for example. I charged up the tablet, turned it on... and 15 apps updated but the 16th one needed approval. It was the Google Search app... which is very much a core program provided by Google with Android. It wanted the following permissions:

1) Device and App history, 2) Identity, 3) Contacts/Calendar, 4) Location, 5) SMS, 6) Phone, 7) Photos/Media/Files, 8) Camera/Microphone, 9) Wi-Fi conneciton information, 10) Device ID and call information, and 11) Other

It turns out that Other is "Contacts data in Google accounts".

You'd think that Google would be a model citizen and an example for their third-party developers. Well they are, but in a bad way. Android created this whole permission ecosystem as a way for users to have more control over what gets shared with the software companies and their outside world. As time has passed it appears that almost no one cares what permissions an app asks for... they will grant whatever they ask for... because they want to use the application. In fact some wish the acceptance process was automated so they wouldn't even be asked.

The saying goes that some free-of-cost software (not to be confused with Free and Open Source Software) is paid for with privacy... and that is very much the truth. It is also true of much of the software people do pay for. The practical reality is that a large number of applications want access to everything just so they can have the data... not that they really need much of it to serve their application function.

Questions That Pop Into My Head - How much data is gathered on a mobile software environment user? How many overlapping, slightly different copies exist across the millions of servers around the world? How much of that data is being troved or intelligently processed for deriving additional information? How much of that is protected with reasonable use policies? How much is sold over and over again? How much of it is collected by governments either by them asking for it or them being a transmission man-in-the-middle? How many of the data collections have been hacked into by unauthorized third-parties who make their own copies or have continuous access? Yeah, lots of fairly intangible questions... that are just mind blowing and numbing at the same time.

Does I sound like I'm complaining? Does it do any good to complain? Sorry. :)

Divided and Conquered - Some people are completely oblivious to privacy concerns. Some people are somewhat aware but don't think there is anything they can do about it so they just live with it. Others think it is just the way things are and need to be if you want the benefits of intelligent software. How many don't even try to understand any of it because it is too darn complicated?

Rebels With A Cause - Yet... some... other people... are building different systems that seem to care about privacy. I saw a few blog posts on Fedora Planet today. One was entitled, Desktop Containers - The Way Forward. Another, Sandboxed applications for GNOME. And yet another, Project Atomic + Docker: A post-package world?. The main focus on those is using application containers to change how software is developed and distributed... but in the context of this blog post... how they can also provide application isolation which translates into better privacy.

Wow, someone seems to still care about privacy. Everything isn't lost... but then again... how successful will such projects be? ...and being on Linux, how much market penetration will they really get into the masses currently giving everything away with their mobile lives? I also have to wonder just how many of the developers of these projects are also mobile users giving away their own data?

Same As It Ever Was - Another sad thing about this is that the mobile world is really only following the pattern of the desktop world. Well, more precisely, the web browser world. While a web browser application on the desktop operating system may not be accessing all of the data from other programs and sharing it with the browser maker... be certain that the vast majority of web sites are trying to gather as much information about the user as possible. Tiny bits and pieces of content on each web page, most of it hosted on servers other than the one providing the main content, are analyzing the web browser environment to determine the best way to gather information. If the browser has "Do Not Track" features, then they are trying to find ways around that... and there are tons of ways. Various commercial data gathering services are busy sharing their bits with others' bits to correlate information to derive yet more information. They pretty much know what websites we visit, what files we download, what we search for... what we care about and don't care about... and some form of who we are. They don't really care about knowing us, they just want to use all the information to increase their bottom lines.

How different is desktop computing than mobile? A lot but not so much. And we just take it, don't we? Well, to some degree. There are tools out there. Some of them simple browser add-ons like AdBlock Plus, HTTPS Everywhere, Ghostery, etc... that help end users get some understanding of what is going on and offer a little better control on how they are being (ab)used. Then there is Tor, The Onion Router... and a few mini-home-router projects that are trying to make anonymity somewhat possible. And of course there are some in government who think that people who care about such things and use such products might have something to hide... and need even more scrutiny.

While I don't have (much) anything to hide, I don't like the idea of being bare naked for anyone wanting to have a peek. How about you?

What is the way forward? - Is privacy already gone forever with the war being lost... or are there still some battles that may determine better outcomes for a subset of the human population? I guess I'll just have to wait and see. In the mean time, I continue to fight off the little voice in my head that says I need a smart phone... and I try to learn more about and utilize some of the desktop tools that make me look suspicious. :) Oh, and I didn't even bring up... Ocial_Say Etworks_Nay, did I?

CentOS 7 Released

| |

The mirrors are syncing and the release announcement has been made... although the main website needs to be updated... and oddly distrowatch.com is dead.

Anyway, I uploaded contributed OpenVZ OS Templates built from the the final release with updates applied... and I have a LiveDVD that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP and Inkscape for anyone who is interested.

I'm guessing Scientific Linux 7 will be out in another two weeks.


Scientific Linux 7 Alpha released - LiveDVD and OS Templates built

| | |

One of the Scientific Linux developers sent out an announcement to the SL-devel mailing list just a couple of hours ago about SL 7 Alpha being released. They have a netinstall CD iso and a 6GB DVD. I got the entire tree downloaded in about 30-ish minutes... and got to work building a LiveDVD as well as OpenVZ OS Templates... using the scripts I had used for CentOS and Oracle... again with a tiny bit of editing.

Everything built and I have a LiveDVD that is 1.5GB in size that includes GNOME3, KDE4, Firefox, LibreOffice, GIMP, and Inkscape. What more does a person need? :)

Google: Everything from Cradle to Grave?

|

As most people who know me know, I don't own a smart nor feature cell phone. I do have some "mobile" devices in the family though including two B and N Nook HD+ tablets (one running stock B and N firmware and the other CyanogenMod), a Amazon Kindle Fire HD, and a 1st gen iPad. Just so you know, the iPad was given to my younger son as a gift by a friend of ours who bought a newer iPad.

Some might also know that I'm not a big fan of Google. When they were just starting out and were an underdog, sure... they were great... but the years have passed and now Google is the king of so many things... and they are first an advertising company... because that's where about 80% of their revenue comes from... and they are gathering so much information in so many different areas about so many people... I just find it scary. That isn't to say that I'm paranoid or am a privacy freak. To the contrary... hey I have my address, phone number and email address in the footer of every page on this here website, right? Anyway, I was on Google+ for a while but decided to delete my account... and have been trying to ween myself from as much Google as possible. I use Duck Duck Go for my searches, I avoid using Google online services... but yes I do have a gmail account (I don't use much). I have a YouTube account and as a result a Google+ profile was created for me but I don't use it... although I do occasionally get "notifications" from people who want to add me to a circle or something... ARGH! I do use Google Voice to talk to my parents long distance on my land line.

Anyway... while I'm not that big of a Google fan, I do try to keep up on what they are doing. I would feel more comfortable if Google was broken up into a handful of independent companies... rather than them doing everything. As you probably know, Google has an annual developer conference called Google I/O and this year it was last week and lasted two days. There was a lot of stuff covered but who really has about 3 hours to watch the keynote? Here's a good summary video for those who want the core distilled for them. For some reason the video omits the virtual reality stuff and Google Cardboard... but I'm sure there will be more on that later.

I guess it is now later because here is a video showing some Google Cardboard V/R info.

But wait, there's more. Isn't there always more? Here's a video that does a good job showing Google Wear.

Enjoy!

Oracle Linux 7 RC Released - Another RHEL 7 Clone

| | |

Oracle Linux 7 RC - KDE 4 with FirefoxOracle Linux 7 RC - KDE 4 with FirefoxI noticed on DistroWatch yesterday that Oracle released Oracle Linux 7 RC... with RC being "release candidate". Having done all of the work recently building a CentOS 7 Public QA LiveDVD as well as OpenVZ OS Templates I thought I'd give it a try with Oracle Linux. The race is on. Who will release GA first? CentOS or Oracle?

Oracle is a little different - First of all, I'm not even sure what the name of the thing is. I've heard of OEL (Oracle Enterprise Linux), Oracle Linux, and a few other names. I think I'll just call it OEL. OEL is a pay distro *BUT* they do offer free downloads of their install media as well as updates. Originally updates were pay-only but they opened that up a while back when they had a promotional campaign claiming they were faster with updates than CentOS (turns out they aren't but close). I guess their business plan is you can use OEL for free and have updates... but there are some value add features (like Ksplice and Dtrace, etc) and support that cost extra. To download their iso install media you have to have an account on their system but that is cost-free and it just so happens I already had one because I've downloaded previous releases like OEL6.

Setting up the LiveDVD build environment - I downloaded the install media. I copied all of the .rpm files from the install media to a directory on a local web server and ran "createrepo ." within that directory. Then I made a four line oracle-7-rc.repo file pointing to the local package repo I just made.

Then I booted the install DVD inside of a newly created KVM virtual machine and did an install selecting that I wanted a GUI desktop (this is Server install media and "minimal" is the default) which is GNOME 3... and added to that the KDE desktop environment. After the install was over the machine was up and running. Then I installed the livecd-tools package previously mentioned made by that CentOS guy. Oracle was missing two perl-something-something packages needed for the livecd-tools dependencies so I just copied the missing two packages (along with the livecd-tools packages and epel-release) to my Oracle 7 RC package repo directory and re-ran createrepo. BTW, you don't have to turn off SELinux anymore for livecd-creator to work. That probably changed a long time ago but I only recently noticed. Ding, build environment complete.

Oracle Linux 7 RC - GNOME 3 ClassicOracle Linux 7 RC - GNOME 3 ClassicFixing up the kickstart - Then I copied my centos-7-pubqa.ks kickstart file and modified it. Within that kickstart I had referred to a number of package groups but in my local package repo package groups weren't working well for me. I don't know if package group names are different between CentOS and Oracle (probably) or if I needed more package metadata than I had with my simple, local package repository. As a result I needed to cough up a more complete and accurate package list for my kickstart. Hey, I liked the install I had in my KVM machine so I just did an 'rpm -qa --qf "%{n}\n" | sort > packages.txt' to generate a complete package list with the version portion stripped off suitable for a kickstart file. I emptied out everything in the package section of the kickstart an then just inserted the contents of the packages.txt file. Then I ran livecd-creator giving it the appropriate flags to generate an iso from the kickstart with the desired name (oracle-7-rc-001-x86_64.iso). After about an hour and approximately 1,400 packages... I had a 1.2GB .iso. I then tested that inside of a KVM virtual machine and it worked great... both as a try-it-before-you-install-it Live Desktop... and as an installer too.

OpenVZ OS Template building - I took the scripts (regular and minimal) I had created for CentOS 7 Public QA to build OpenVZ OS Templates and made the minor modifications needed to point to my local Oracle package repo. I had to change a few of the package names (like centos-release became oraclelinux-release and centos-logos became oracle-logos... and had to add in the rhn-client-tools package) and the desired output file name... but other than that, a simple edit. Those took about 10 minutes to build. I copied the .tar.xz files over to an OpenVZ host node and made a few containers to test things out. They worked as expected.

What else is different? - Turns out Oracle didn't have packages for LibreOffice on their install DVD. I thought that was weird because they had GNOME 3, KDE and some desktop applications including Firefox, GIMP, and Inkscape... but no LibreOffice. I assume after GA happens and their full package repositories become available that those packages will be included. The DVD includes just a little shy of 4,300 packages.

Where to go from here? - I will be releasing the OpenVZ OS Templates after Oracle's GA release but I don't think I can publicly release the LiveDVD as that might violate their license agreement. I don't read legalize so I'm not certain, but I just showed you above how you can make your own. I've attached the .ks I used as well as the scripts for OpenVZ to this post. You'll have to put in the correct URL for your own local repo or the one made available by Oracle after GA. And of course you'll want to modify the package set as desired. My kickstart probably has a some junk in it left over from the Fedora kickstart I based it on, but it does build and work just fine. Feel free to clean it up and make it more perfect if you want.

Enjoy!

Weather in Montana?

| | | |

I'm not sure exactly when the big storm was today... but when I got home from work around 7PM it was fairly clear. Driving by a few places in Belgrade on my way home from the bus stop... the lower level parking lots were a bit flooded.

When I got home I saw something weird in my front yard. I mean, this is June 26th... just a few days before the 4th of July holiday, right?

Poorly shot video but you get the point. For some reason Google Chrome doesn't like the webm files I create with ffmpeg anymore... but it will play fine in Firefox.

hail-front-yard-20140626.webm Enjoy.

OpenVZ: Contributed OS Template of CentOS 7 Public QA

|

I wondered if I could make an OS Template of the CentOS 7 Public QA release... and I could. Here's more info copied and pasted from the email I sent to the OpenVZ Users Mailing list announcing its availability:

Greetings,

As you may already know, Red Hat released Red Hat Enterprise Linux 7 on Tuesday (June 10th). A while ago the two main CentOS developers got hired by Red Hat to work on CentOS because Red Hat is now the sponsor behind CentOS... like they are behind Fedora. Anyway... the CentOS folks are working hard and fast to try to get CentOS 7 out ASAP... although they are going to keep their high release quality standards (it's as good as RHEL and as bad as RHEL, hehe). Something new they are doing now is trying to be as transparent and public as possible. They have placed their build system in the open, all of the package code in git, etc.

On June 13th CentOS announced that they have made the initial built of (most of) the rpm packages for CentOS 7. On June 14th they announced the build-tree was fairly complete including a boot.iso that could be used for a network install. Anyway, for the full story, read http://seven.centos.org/.

I've been busy working with the "CentOS 7 Public QA" release making an installable LiveDVD (check) and making an OpenVZ OS Template (check). The later is what this email is about. I have uploaded "centos-7-pubqa-20140615.tar.xz" (and .asc GPG sig file) to the OpenVZ contributed OS Templates directory. A few notes:

1) CentOS 5 uses SysV init. CentOS 6 uses Upstart basically in SysV compatibility mode. CentOS 7 uses systemd. If you create a container from an OS Template named centos-{something} I think it'll use the current CentOS config scripts provided by vzctl... which probably won't work because of the big change in init systems. CentOS 7 is a LOT like the last few releases of Fedora that have also been systemd-based... so what I did on my OpenVZ host where I wanted to use this centos-7-pubqa-20140615.tar.xz contributed OS Template was... make a symlink in /vz/templace/cache/ named fedora-19-x86_64.tar.xz that points to centos-7-pubqa-20140615.tar.xz. Then when I used vzctl to create the container, I told it to use the fedora19 OS template. Of course if you already have an OS Template named fedora-19-x86_64.tar.* make the symlink named something else and refer to it appropriately. I asked for a clarification from Kir on that... because maybe I'm imagining the issue.

2) The current CentOS 7 Public QA build-tree does not provide /etc/yum.repos.d/centos*.repo files. Why? Because the location of the current build system and all of the rpm packages is in a temporary place and won't be finalized until the final release comes out. In my OS Template I created /etc/yum.repos.d/centos-7-public-qa-20140615.repo that refers to the *CURRENT* location of all of the packages. Doing that makes yum work... and you can install and remove software as desired. I'm sure they will be updating the build-tree and package location quite a bit between now and final release... so if the current location goes away or there is a newer build... you'll have to update the .repo file to point to wherever it needs to point. It was working fine when I uploaded it.

3) RHEL7 is only offered in a 64bit flavor... and as a result... the OS Template is 64bit. It will not run on a 32bit OpenVZ host node. Don't even try it. It won't hurt anything but you'll get an error and if you don't know what the issue is, you'll probably go to IRC and bug people there about it... which would be a waste of everyone's time... but if you do do that... hopefully we'll be able to tell you what the problem is. The OS Template name I gave was already long enough and I didn't want to add x86_64 to it... because people would probably think there was a missing i686 build coming. There isn't.

4) How did I make this OS Template? It was rather simple. I created a CentOS 7 KVM virtual machine installing from the network media currently available. I did a minimal install. Then I rsync'ed the contents of VM's virtual disks to an OpenVZ host node. Then I made the minor changes needed... (not all but most) mentioned in the OpenVZ p2v wiki page. Then I tar.xz'ed it up and plopped it in /vz/template/cache... made a container out of it... and it worked first attempt. Then I cleaned it up by removing unneeded packages (grub2, kernel, firmware packages, unwanted services [firewalld, ipr*, etc], etc). Then I added a few things I like (httpd, screen, mc, nano, links, etc). Then I tested it. Then I made a new OS Template by tar.xz'ing up the container's directory. Then I made a new container out of the new OS Template and tested. Works pretty darn well. I'm sure there are some lingering dirs/files from packages I removed... and probably another handful or two of packages that could be removed to make it smaller but hey... it is ~98MB as a .tar.xz. Installed it takes up slightly less than 700MB. Not too bad for a first attempt.

If you have any comments or questions, just ask. Enjoy!

Update: One of the heads of the CentOS Project told me that he thought releasing such an OS Template was a little too "user facing" for a Public QA release and asked me to take it down, so I did. I'll continue to build the testing OS Templates until the QA version comes out at which point I should have a final CentOS 7 OS Template out on release day.


Montana Enterprise Linux 7?

| |

CentOS 7 Public QA - KDE Desktop with FirefoxCentOS 7 Public QA - KDE Desktop with FirefoxIf you didn't hear the news, Red Hat released Red Hat Enterprise Linux 7 on Tuesday, June 10th. I've done three installs so far at work... and have been reading through their wonderful documentation. I'm really digging the newer versions of things and systemd... yes, especially systemd. No, no, really!

As you also probably know, Red Hat sponsors the CentOS Project now... and they are working hard on getting CentOS 7 done. Andrew from the BillingsLUG predicts CentOS 7 will be out within two weeks of RHEL 7... so that would be by June 24th. My guess is 6 weeks... which would be by July 22nd. If they don't make it in 6 weeks, my next guess is August 10th, because that's my 50th birthday.

Anyway. So yeah, the CentOS Project has been hard AND they have been, unlike in the past, doing everything out in the open... transparency it is called. Yesterday they announced they had the packages building. Then someone on the centos-devel mailing list said they had a Docker CentOS 7 container image. I gave that a try. Then the centos-devs said they had the first build attempt completed although they have NOT gone through all of the packages yet and removed Red Hat's branding... so it's a very preliminary build. Then they announced they had a network install CD (~ 341MB). I gave that a try and it worked great.

Then I decided I wanted to work on my own remix if possible. I used reposync to download all of the packages... and wget to get the handful of other dirs/files in the install tree. Then I made a KVM virtual machine via a network install pointed at my own copy of the tree. Then I added the livecd-creator package that one CentOS developer ported from Fedora. Then I installed fedora-kickstarts from Fedora 19... and hacked on their KDE LiveCD kickstart until I had it building CentOS 7. The first build didn't go so well. For whatever reason, all of the GUI stuff was there except for Xorg. I was able to use that first install, get it going in text-only mode to figure out what packages I needed to add to my kickstart's package list to get X going. Bingo... only three additional lines although two of them had an asterisk in them.

It built. It booted. It installed. It booted and worked post-install. Not bad.

What does it contain? Well, I'm a KDE fan. EL7 only offers GNOME 3 and KDE anyway. So, it has KDE... but oddly they don't offer KDM (KDE Display Manager aka GUI login screen) so it uses GDM (GNOME Display Manager). While Red Hat defaults to the XFS filesystem in their install media (they don't have any Live media by the way, just install-only) livecd-creator would not build the .iso if I set the default to xfs... so I had to set it to ext4. So, the system you get from the live installer has ext4 partitions. While it is the KDE desktop I added some stuff that isn't KDE-specific... like Firefox, Libre Office, GIMP, and Inkscape. I didn't refer to the EPEL 7 repository in my kickstart so the first good build only includes stock packages. Later I'll probably add in EPEL and add some additional packages like tmux, x2goserver... and a few other sundry packages. Any suggestions?

I should have included some screenshots with this post but I'm too lazy and tired after spending about 6 hours working on this little project today. If you want to give it a try let me know and I can email you the URL to the .iso file. Oh, btw... the installed system does not include a working centos.repo file so after a fresh install is booted, one has to manually add one by creating a file named /etc/yum.repos.d/qa-nightly.repo. Put in it the following:

[qa-nightly]
name=qa-nightly
baseurl=http://buildlogs.centos.org/centos/7/os/x86_64-latest
enabled=1
gpgcheck=0

Then you can use yum to install anything else you'd like. I recommend you also add EPEL 7 (epel-release-7-0.1.noarch.rpm). Enjoy! MEL (Montana Enterprise Linux), kiss my grits!

Update: CentOS has since released Public QA LiveMedia of their own.

Firefox Resolution Tester feature?

|

Fedora 20 updated to the recently released Firefox 30. Are you using it yet? I am.

I just accidentally discovered a feature I didn't even know existed. What feature? I'll call it the Firefox Resolution Tester feature although I'm sure that is NOT the real name of it. I don't know how long it has been a feature of Firefox... maybe for a long time... but like I said... I just found it in Firefox 30. How do you access it? Hit CONTROL-SHIFT-m. That's it.

I accidentally discovered it when I wasn't paying attention to which application window I was using had the focus. I thought it was konsole (KDE GUI terminal). CONTROL-SHIFT-m in konsole toggles the menu on and off. In Firefox it takes the current web page you are viewing and puts a black border around that has a control menu at the top left of that black border. The control menu allows you to pick from several pre-defined resolutions or even add additional presets if desired. Picking a different resolution resizes the view of the page (and increases the black border around it accordingly) to the desired resolution. It also has a screenshot feature (saves to your default download directory and auto-names images something like "Screen Shot 2014-06-01 at 07.42.29.png"). You can also rotate the resolution to simulate a mobile device. It has a "Simulate Touch Event" button but I'm not sure what that does. Anyone?

What good is that feature? Well if you do any web development it should be fairly obvious. While this site doesn't display well at all on smaller screens the current trend is that more and more web traffic is from mobile devices... and there is a push for "responsive design". Haven't heard of "responsive design" yet? It is a combination of CSS and probably some javascript... to make pages resize like magic. Menus move around jumping from horizontal layout to vertical. Images magically resize themselves to fit. It is smooth like butter when it works. Why doesn't this site have a responsive design? Well I'm still using Drupal 4 which was EOLed (end of life) several years ago. I have been testing the Drupal 8 development version and its default and admin themes are responsive. As a result I've been looking around at various websites and responsive themes and wow, they are awesome. Yet again I'll make the claim that I'm going to switch this site over to next Drupal release when it comes out... so I can have all of the new features including responsiveness. Knock on wood.

At work they recently licensed a commercial web content management system that primarily targets larger educational institutions -- OmniUpdate Campus. The web developers (which I am not one) at work have created a nice responsive theme that everyone can use for their departmental websites and it works great. Don't have a responsive site handy? You can try this temporary testing one I made in OmniUpdate. That's just a shell but it'll show you responsiveness.

Anyway, I kind of got off track. Yeah, Firefox. Try CONTROL-SHIFT-m and enjoy. Can anyone tell me what version of Firefox first included this feature?

Syndicate content