itprotoday: To understand the basics of what Kata is doing, one has to look no further than the company's tagline, which promises "the speed of containers, the security of VMs."
Alexei Starovoitov posted some patches to allow the kernel to load regular ELF binaries (aka plain executables) as kernel modules. These modules would be able to run user-mode helper routines instead of being absolutely confined to kernel space.
Alexei listed a variety of benefits for this. For one thing, as a user process, an ELF-based module could crash without bringing down the rest of the kernel. And although the ELF modules would run with root privileges, he said that a security breach would not lead directly into accessing the kernel's inner workings, but at least initially would be confined to userspace. The ELF module also could be terminated by the out-of-memory (OOM) killer, in case of need, or ended directly by a human administrator. It additionally would be feasible to subject ELF-based modules to regular userspace debugging and profiling, using the vast array of tools available for that.
Initially there were various technical questions and criticisms, but no one spoke out immediately against it. Linus Torvalds said he liked the feature, but he wanted one change: to make the type of module visible in the system logs. He said:
When we load a regular module, at least it shows in lsmod afterwards, although I have a few times wanted to really see module load as an event in the logs too. When we load a module that just executes a user program, and there is no sign of it in the module list, I think we *really* need to make that event show to the admin some way.
And he said specifically, "I do *not* want this to be a magical way to hide things."
Andy Lutomirski raised a pertinent question: why not just retool the modprobe program to handle ELF binaries as desired, rather than doing anything with kernel code at all? In other words, why couldn't this feature be implemented entirely outside the kernel?
But Linus replied:
The less we have to mess with user-mode tooling, the better.
We've been *so* much better off moving most of the module loading logic to the kernel, we should not go back in the old broken direction.
I do *not* want the kmod project that is then taken over by systemd, and breaks it the same way they broke firmware loading.
Keep modprobe doing one thing, and one thing only: track dependencies and mindlessly just load the modules. Do *not* ask for it to do anything else.
Right now kmod is a nice simple project. Lots of testsuite stuff, and a very clear goal. Let's keep kmod doing one thing, and not even have to care about internal kernel decisions like "oh, this module might not be a module, but an executable".
GamingOnLinux: Here's a look at some seriously interesting Linux games coming out across the rest of 2018.
Learn basic Docker container management with the help of these 8 commands.
Today Bloomberg reports that GitHub was acquired by Microsoft, with the announcement to be made as early as Monday. "GitHub preferred selling the company to going public and chose Microsoft partially because it was impressed by Chief Executive Officer Satya Nadella, said one of the people, who asked not to be identified discussing private information." Bloomberg goes on to say, "Terms of the agreement weren't known on Sunday. GitHub was last valued at $2 billion in 2015."
Microsoft, which was once generally opposed to open-source development, is now one of the biggest contributors to GitHub.
Updated 4:48am GMT June 3, 2018
For those interested, we're compiling a list of some open-source GitHub alternatives. Please write others in the comment section. We'll update the story as verified alternatives come in.
- Gitea - https://gitea.io/en-us/
- Apache Allura - https://allura.apache.org/
- GitBucket - https://gitbucket.github.io/
- GitLab - https://about.gitlab.com/
Updated 3:37pm GMT June 4, 2018
HowToForge: Since every process (except the very first one) in a Linux system has a parent, it sometimes makes things easier to understand if all processes are displayed in a tree structure.
Linuxize: A properly configured firewall is one of the most important aspects of overall system security.
LinuxUprising: Looking for a way to change the position of the notification bubbles in Gnome Shell?
ostechnix: Vim-plug is a free, open source, very fast, minimalist vim plugin manager.
The Kubeflow project aims to make it easy for everyone to develop, deploy, and manage composable, portable, and scalable machine learning on Kubernetes.
This PDF merging and splitting tool hasn't been packaged in Fedora for a while, but that doesn't mean it's off limits to you.
Photo Funnel is a simple tool for importing photos and RAW files from storage cards to a Linux machine.
Tecmint: The RPM database is made up of files under the /var/lib/rpm/ directory in CentOS and other enterprise Linux distributions such as RHEL, openSUSE, Oracle Linux and more.