Apache CloudStack Open Source Cloud Updated for Security and Bug Fixes
By Sean Michael Kerner | April 25, 2013
From the 'Multi-tenant VM Security' files:
Apache CloudStack is being updated to version 4.0.2 today fixing at least 40 bugs.
From my perspective, two of the flaws are particularly interesting: the two security flaws.
CVE-2013-2756 is a flaw that could potentially enable an attacker to gain unauthorized access to another person's virtual machines. That's a particularly scary thought, especially given the common refrain that multi-tenancy is a security concern when it comes to the cloud.
"An attacker with knowledge of CloudStack source code could gain unauthorized access to the console of another tenant's VM," John Kinsella wrote in a mailing list posting.
The other flaw is an information disclosure related issue.
URLs generated by Apache CloudStack to provide console access to virtual machines contained a hash of a predictable sequence, the hash of which was generated with a weak algorithm. While not easy to leverage, this may allow a malicious user to gain unauthorized console access.
Both of the security issues were identified by a security team at Citrix, meaning that these issues were privately found and disclosed to Apache CloudStack; the first 4.0 release debuted in November of 2012.
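The advisory's point is that a console URL is only as secret as the value it is derived from: a weak hash over a guessable sequence can be recomputed by anyone who can guess the sequence. The following is an added example, not CloudStack's code, that places that pattern beside a token bound to a server-side secret, a tenant, and an expiry. The class and function names, the `console.example` host and the sample VM and tenant identifiers are hypothetical.

```python
# Added example (not CloudStack's code). Contrasts a console-access token that
# is a weak hash of a predictable counter with one that is an HMAC over the
# VM, the tenant and an expiry, keyed with a secret the client never sees.
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse


def weak_console_token(sequence_number: int) -> str:
    """The pattern the advisory describes: a weak hash over a guessable value.
    It is deterministic, so anyone who can guess the sequence reproduces it."""
    return hashlib.md5(str(sequence_number).encode()).hexdigest()


class ConsoleTokenIssuer:
    """Hardened form: token = HMAC-SHA256(secret, vm|tenant|expiry|nonce).
    Guessing the sequence does not help; the secret is required to forge one."""

    def __init__(self, server_secret: bytes, ttl_seconds: int = 300):
        self.secret = server_secret
        self.ttl = ttl_seconds

    def _mac(self, vm_id: str, tenant: str, expires: int, nonce: str) -> str:
        msg = f"{vm_id}|{tenant}|{expires}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, vm_id: str, tenant: str, now: int) -> str:
        """Build a short-lived console URL for one tenant's VM."""
        expires = now + self.ttl
        nonce = secrets.token_urlsafe(16)  # CSPRNG, not a counter
        params = {"vm": vm_id, "tenant": tenant, "exp": expires, "nonce": nonce,
                  "sig": self._mac(vm_id, tenant, expires, nonce)}
        return "https://console.example/access?" + urlencode(params)

    def verify(self, url: str, requesting_tenant: str, now: int) -> bool:
        """Accept the URL only if it is unexpired, belongs to the requesting
        tenant, and carries a valid MAC. Any tampering with vm/tenant/exp
        invalidates the signature."""
        params = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
        try:
            vm_id, tenant, nonce, sig = (params["vm"], params["tenant"],
                                         params["nonce"], params["sig"])
            expires = int(params["exp"])
        except (KeyError, ValueError):
            return False
        if now > expires:
            return False
        if tenant != requesting_tenant:  # another tenant's URL is rejected outright
            return False
        expected = self._mac(vm_id, tenant, expires, nonce)
        return hmac.compare_digest(expected, sig)  # constant-time comparison


def demo() -> dict:
    """Exercise both forms with constructed identifiers and return the outcomes."""
    issuer = ConsoleTokenIssuer(b"constructed-server-secret-for-demo", ttl_seconds=300)
    url = issuer.issue("vm-1234", "tenant-a", now=1_000_000)
    tampered = url.replace("vm=vm-1234", "vm=vm-9999")
    return {
        "weak_is_reproducible": weak_console_token(41) == weak_console_token(41),
        "owner_ok": issuer.verify(url, "tenant-a", now=1_000_010),
        "other_tenant_rejected": issuer.verify(url, "tenant-b", now=1_000_010),
        "tampered_rejected": issuer.verify(tampered, "tenant-a", now=1_000_010),
        "expired_rejected": issuer.verify(url, "tenant-a", now=1_000_301),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the tenant is part of the signed message and is checked against the session that presents the URL, so a URL leaked from one tenant cannot be replayed by another even before it expires.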
Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com, the news service of the IT Business Edge Network, the network for technology professionals. Follow him on Twitter @TechJournalist.
Open Source MySQL REDUX as MariaDB Merges with SkySQL for Commercial Support
By Sean Michael Kerner | April 23, 2013
From the 'Did Sun Flush $1B Down the Toilet?' files:
Monty Widenius is well known in the open source community for creating the MySQL database. It started out as a community project, then went commercial with MySQL AB (and support), which was acquired by Sun for $1 billion in 2008 and then by Oracle as part of Oracle's acquisition of Sun.
Widenius actually left MySQL in 2009 while it was still owned by Sun, and began his own fork of MySQL called MariaDB. Widenius wasn't happy with the way MySQL was being developed by its commercial overlords and went off to do it again -- only better.
I've seen Widenius talk about MariaDB a few times in recent years. At LinuxCon Boston in 2010 he gave a great talk about what it takes to build a successful community and why things went wrong at MySQL. What I understood was that as MySQL grew, Widenius' message of community got pushed back and that's where things started to go wrong.
Now flash forward to 2013 and MariaDB has its own open source Foundation and today is announcing a merger between SkySQL (a commercial service vendor staffed by lots of former MySQL AB types) and MariaDB's primary development team at Monty Program AB.
"The MySQL database is named after my first daughter, My. The MariaDB database is named after my second daughter, Maria," Michael ‘Monty’ Widenius, CTO of the MariaDB Foundation, stated. "With this merger and my own role in the MariaDB Foundation, I’m ensuring that the MariaDB project will remain ‘open source forever’, while knowing that enterprise and community users of both the MySQL & MariaDB databases will benefit from best-in-breed products, services and support provided by SkySQL. And who doesn’t want the best for their children?"
The way I see it, MariaDB is now insulated from the type of error that led Monty to leave Sun/MySQL in the first place. The open source project itself has both the Foundation (from the community perspective) and a commercial entity to push forward on adoption and bring in revenues.
The only challenge left is, of course, MySQL itself.
While community Linux distributions have all now left MySQL in favor of MariaDB, I've heard time and again that the big Enterprise Linux distributions were sticking with Oracle's MySQL.
Now that MariaDB has the dual-community/commercial backing, I suspect that the situation will change.
OpenStack Nova Compute Gets New Leader & New Features for Havana
By Sean Michael Kerner | April 18, 2013
From the 'Grizzled to Svelte' files:
PORTLAND. Vish Ishaya has been the project leader of the open source OpenStack Nova Compute project since the beginning of OpenStack. He's now stepping aside and Red Hat developer Russell Bryant is taking the helm of the core compute project that makes OpenStack, OpenStack.
At the OpenStack Summit here in Portland the two men talked about the past, present and future of Nova.
For the Grizzly release, Ishaya said that over 700 bugs were fixed and over 60 features were added. Among the really interesting highlights (that I didn't realize before the talk) was the ability to do full live snapshotting of running instances as well as the ability to hot-plug network adapters.
For the Havana release, incoming Nova Compute Project Leader Russell Bryant said that the big themes would be live upgrades as well as improved security, scale, performance and reliability.
Bryant went through a laundry list of awesome new features that are currently under discussion. From my perspective the proposed scheduling improvements are neat. In Havana, the ability to schedule compute based on CPU utilization as well as the ability to reserve a host could be included. There is also a group scheduling capability that might land.
"People want to have a group of instances and then be able to add policy around that," Bryant said. "For example, I don't want any of a group of vm's to run on the same host for availability reasons."
Another proposed feature is the ability to 'mothball' a server. Bryant explained that mothballing would be for cases where the administrator doesn't want to delete an instance but they don't want to be running it either for resource reasons.
That's just the tip of the spear for a long list of what might land in the next major release of OpenStack Compute. We'll see how it shapes up over the next six months.
NSA Building a Secure Version of OpenStack
By Sean Michael Kerner | April 17, 2013
From the 'No Such Agency' files:
PORTLAND. The NSA (America's super secret intelligence agency) is no stranger to open source software and apparently they aren't strangers to OpenStack either.
NSA developer Nathaniel Burton was speaking at the OpenStack summit today, though he joked that he couldn't reveal how many servers they had running OpenStack or what they are running on those OpenStack servers.
He did note that the NSA is using a mix of commercial, open source and in-house software. From a cloud perspective, it's all about leveraging Big Data and achieving scale and agility for workloads.
"Before OpenStack, it took too much time from idea to capability and we needed scale and capability," Burton said.
The NSA knows a thing or two about security, and in its work with OpenStack it has made improvements to secure and lock down the system.
"We hope to release that work back to the community similar to what NSA has done with Linux in the past," Burton said.
Back in 2004, I first wrote about the NSA's work with Linux that became known as SELinux. SELinux today is a core component of many production Linux deployments and is a key part of Red Hat Enterprise Linux.
Having an SE-OpenStack is an exciting prospect and could be the catalyst that will help adoption for highly-secure environments.
How to Get Code into OpenStack
By Sean Michael Kerner | April 16, 2013
PORTLAND. Lots of people are here at the OpenStack Summit this week talking about OpenStack but how do you actually get code into the open source cloud?
Rackspace developer Michael Still explained the process during a neat session. Still is a Core Reviewer for the OpenStack project.
The first step is to get a Launchpad account. All of the OpenStack development is plugged in via this Canonical service.
The second step is to actually sign into the Gerrit review system at review.openstack.org.
The prospective code committer will then need to upload their public SSH key in order to interact with Gerrit.
The final step is to sign the Copyright License Agreement. The long story short there is that developers are assigning whatever rights to the code they might think they have to the OpenStack project.
Still also suggests that new devs sign up and be on the mailing list. The entire process takes 20 minutes or less.
Still also detailed how a developer could set up their development environment. Developers need Git and pip, which is how Python packages are deployed. Still also suggests the use of Tox.
And if you want a job like the one Still has, you just have to do the work.
"The way you become a code reviewer is you review a lot of code," he said.
Rackspace Building Security as a Service CloudKeep for #OpenStack
By Sean Michael Kerner | April 15, 2013
PORTLAND. Security is top of mind when it comes to the cloud; that's no surprise to anyone.
At the OpenStack Summit in Portland today, Rackspace developer Jarret Raim presented the CloudKeep project for OpenStack.
The basic idea is to create a secure service for sharing secrets (the 'keys' to security). CloudKeep has four pieces:
Barbican is the main REST API that provides provisioning, auditing and reporting.
Postern is the agent that runs on the box and provides access to the keys.
Palisade is the web UI.
Keep is a command line client.
The agent in turn works with the OpenStack Keystone service for identity, pairing and policy management.
It sure makes a lot of sense to me, and CloudKeep could well be the missing piece in the OpenStack security puzzle (when and if it matures).
The project is currently available at:
The current code is not yet production ready but it does show promise.
Who Wrote OpenStack Grizzly?
By Sean Michael Kerner | April 15, 2013
From the 'Red Hat Linux Rulez' files:
The open source OpenStack Grizzly cloud platform release debuted the first week of April benefiting from over 480 contributors making over 7,600 updates.
While the base of contribution is broad, one vendor stands at the top of the list, in terms of number of code commits made. While the initial releases of OpenStack were dominated by code commits from Rackspace and Nebula, for Grizzly, Red Hat now leads the list.
Red Hat made 836 commits across core OpenStack projects and 1,854 commits across all OpenStack projects. Red Hat developers added 121,632 lines of code and removed 87,145 lines of code.
Rackspace comes in second with 944 commits across all OpenStack projects, though Rackspace has added and deleted more lines of code. 183,484 lines were added and 156,066 lines were removed.
The top individual contributor by code commits was Red Hat's Mark McLoughlin who made 265 commits to Grizzly. McLoughlin also leads the list for closed tickets at 164 and is second only to OpenStack release manager Thierry Carrez (280 messages) for messages sent on the mailing lists (259).
Red Hat wasn't the first to jump on the OpenStack bandwagon, but they sure are making up for lost time real fast. While the number of commits or even lines added/removed is a very 'blunt' instrument for trying to measure participation it still has its merits.
For example, according to at least one source, I've written more about OpenStack than anyone else. Does that make me the 'best' or even the most knowledgeable? Not necessarily, but it sure doesn't hurt.
Volume alone isn't the arbiter of quality, but it is something that we can measure.
GitHub Turns 5 - Open Source Code Rejoices
By Sean Michael Kerner | April 11, 2013
From the 'open source coding' files:
When I first started aggressively using open source code, freshmeat and sourceforge.net were typically the first places I'd go to look.
In 2006, Google shook up the open source code repository market with Google Code and I started to find great stuff there.
Today, the VAST majority of all open source code that I seek, use and play with is all found on GitHub.
GitHub was officially founded five years ago today, and the open source code repository world hasn't been the same since.
"Now, five years later, I'm incredibly proud to be part of a company with 158 team members dedicated to helping our 3.5 million users collaborate across 6 million repositories. It’s been a wild ride and I couldn’t be happier with the amazing community of people who use and love GitHub every day," GitHub co-founder Tom Preston-Werner ('mojombo') wrote in a blog post.
GitHub's success includes commercial success as well. In 2012, GitHub raised a total of $100 million in venture funding.
Git was created by Linux founder Linus Torvalds in 2005. Until GitHub came along in 2008, Git use was growing but it didn't have a real mega service. GitHub has become that mega service. When kernel.org had some security troubles in 2011, Linus Torvalds moved his own Linux kernel tree (temporarily) to GitHub too.
There is good reason why GitHub dominates in this space. Git as a version control system is vastly superior in a collaborative development model to anything else. With Git (and GitHub) a wannabe developer like me can fork code, actually really play with it, and contribute back in a way that no other system enables.
Thank you Tom Preston-Werner, Chris Wanstrath and PJ Hyett for having the vision to set up GitHub five years ago; you have made the world of software development a better place.
Mozilla CEO Kovacs On the Way Out
By Sean Michael Kerner | April 10, 2013
From the 'Too Busy for Open Source' files:
Mozilla CEO Gary Kovacs is leaving Mozilla. Kovacs became the CEO in October of 2010. I personally will not be among those that are sad to see him go.
You see in his entire tenure, I never spoke with him. Not once.
As opposed to other Mozilla leaders that I've known over the 15-year history of the open source effort, Kovacs was a business guy first and foremost. He was brought in because of his mobile experience and had previously worked at Macromedia / Adobe, SAP and Sybase.
Though I've never managed to get Kovacs to talk to me, he does talk to business media. In an interview with AllThingsD he said of his move out from Mozilla that "...I wanted to move back to something more commercial."
Mozilla has moved a lot in the last two years. Under Kovacs' direction (I hesitate to use the word leadership because I've always seen Mitchell Baker and Brendan Eich as Mozilla's leaders), the open source effort has taken a bold step into the mobile space with FirefoxOS.
"Gary’s leadership has been hugely important in helping Mozilla develop deep mobile outlook and capabilities," Mozilla chief lizard wrangler Mitchell Baker said in a statement. "I want to thank Gary for all the contributions that he has made to the project during this period of our evolution."
With Kovacs' exit, Baker expands her role to become the Executive Chair of Mozilla while a search starts for a new CEO.
Here's my suggestion for Mozilla: hire someone that loves open source and understands its commercial potential. Poach someone from Red Hat or a group that understands the community-first model and isn't just itching for something 'more commercial.'
Mozilla is great because it is community driven and it is open source. The fact that it can fuel a commercial effort like FirefoxOS is interesting, but I just hope that with new leadership coming it will remain focused on the promise that it has continued to deliver on for the past 15 years.
Mozilla Firefox 23 Will Block Mixed SSL Content
By Sean Michael Kerner | April 09, 2013
From the 'open source browser' files:
A big change is coming for Mozilla Firefox 23 that will force a best practice on web users that is long overdue.
Many websites have long mixed SSL content with non-SSL content on the same page.
It's bad because it effectively nullifies the benefit of having SSL in the first place: the non-encrypted material is likely still valuable (and there is also the likely possibility that a session cookie with login info is part of the non-SSL mix).
The correct best practice is to not mix SSL with non-SSL on the same page, which is something that Firefox 23 will enforce by default.
preference in Firefox will be on by default in Firefox 23.
"That means insecure scripts, stylesheets, plug-in contents, inline frames, Web fonts and WebSockets are blocked on secure pages, and a notification is displayed instead," Mozilla developer Norbert Yoshino wrote in a blog post.
No, this will not break the web. It will secure it.
There was a time when SSL really represented a performance overhead for websites and that's why there was a lot of mixed content. That's not really the case anymore and the time for mixed SSL content is now past due.
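Site owners who want to know what Firefox 23 will block on their pages can check for it before the release does. The following is an added example, not Mozilla's or Firefox's code: a small scanner that applies the rule quoted above to a page's HTML, separating the "active" subresources the blog post lists (scripts, stylesheets, inline frames, plug-in content) from passive ones such as images, which remain mixed content but are not blocked by default. It goes slightly beyond the page by also reporting the passive category. Web fonts loaded from CSS and WebSocket connections opened from script are not visible in the HTML and are therefore out of its reach. The sample page, host names and function names are constructed for the example.

```python
# Added example (not Mozilla's or Firefox's code): find http:// subresources
# referenced from an https:// page, split into active and passive categories.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Active content runs or restyles the page; this is what Firefox 23 blocks by default.
ACTIVE = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}
# Passive content is only displayed; still mixed content, but not blocked by default.
PASSIVE = {"img": "src", "audio": "src", "video": "src", "source": "src"}


class MixedContentScanner(HTMLParser):
    """Collect (tag, absolute_url) pairs for every insecure subresource."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.active = []
        self.passive = []

    def _check(self, tag: str, url: str, bucket: list) -> None:
        # Resolve relative and protocol-relative ("//host/x") references against
        # the page URL; on an https page those inherit https and are fine.
        absolute = urljoin(self.page_url, url)
        if urlparse(absolute).scheme == "http":
            bucket.append((tag, absolute))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes map to None
        if tag == "link":
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel and a.get("href"):
                self._check("stylesheet", a["href"], self.active)
        elif tag in ACTIVE and a.get(ACTIVE[tag]):
            self._check(tag, a[ACTIVE[tag]], self.active)
        elif tag in PASSIVE and a.get(PASSIVE[tag]):
            self._check(tag, a[PASSIVE[tag]], self.passive)


def find_mixed_content(page_url: str, html: str) -> dict:
    """Return {'active': [...], 'passive': [...]} for an https page.
    Only an https page can have mixed content, so http pages yield nothing."""
    if urlparse(page_url).scheme != "https":
        return {"active": [], "passive": []}
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return {"active": scanner.active, "passive": scanner.passive}


# Constructed sample page: one clean script, one insecure script, a
# protocol-relative stylesheet (fine), an insecure stylesheet, an insecure
# frame, one insecure image and one relative image.
SAMPLE_HTML = """
<html><head>
<script src="https://shop.example/js/ok.js"></script>
<script src="http://cdn.example/app.js"></script>
<link rel="stylesheet" href="//cdn.example/base.css">
<link rel="stylesheet" href="http://cdn.example/theme.css">
</head><body>
<iframe src="http://ads.example/frame"></iframe>
<img src="http://static.example/logo.png">
<img src="/images/hero.png">
</body></html>
"""

if __name__ == "__main__":
    report = find_mixed_content("https://shop.example/checkout", SAMPLE_HTML)
    for kind in ("active", "passive"):
        for tag, url in report[kind]:
            print(f"{kind:7} {tag:10} {url}")
```

Run against the sample, the report lists the insecure script, stylesheet and iframe as active (the three the browser will refuse to load) and the insecure image as passive; the protocol-relative stylesheet and the relative image resolve to https and are not reported.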
Will Mozilla Firefox 21 Be a Healthy Open Source Browser?
By Sean Michael Kerner | April 08, 2013
From the 'Opt-in by Default' files:
Firefox 21 is now in Beta and it introduces a number of new features that will become generally available inside of the next 6 weeks.
At the top of the list is a new Health Reporting feature that Mozilla first publicly started talking about in September of 2012.
With the Health Report, users agree to send performance data to Mozilla. In return, users get detailed information about their browser performance.
Oh, but wait: users don't have to explicitly agree to opt into the data sharing.
According to Mozilla's own documentation, Data Sharing is on by DEFAULT.
While I understand this is all about improving performance for everyone and the information isn't necessarily user-identifiable, I personally think that it's hypocritical that Mozilla is pushing forward on new cookie and Do Not Track privacy policies on one hand and then automatically opting users in to share information about browser performance by default.
To be fair this is still in beta and users can opt out if they so choose. As a beta, Mozilla can still adjust the default policy before this is generally available too (and I'm hoping they do).
The Dell Alienware Linux Desktop Lands for Gamers
By Sean Michael Kerner | April 05, 2013
From the 'Dude, You Want this Dell' files:
Gamers are the people that push PC hardware forward. Now for the first time a major Gamer PC vendor is offering Linux and it's loaded for max fragging.
Dell's Alienware division is now out with its X51 Ubuntu PC and it's the sweetest Linux rig we've ever seen from Dell (or any other major tier 1 PC vendor).
The top-end system is loaded with Intel Core i7-3770 3.4GHz Quad Core and 8GB Dual Channel DDR3 at 1600MHz (2 DIMMS) with a 1.5GB Nvidia GeForce GTX 660. All running Ubuntu.
The main gaming capability that Alienware is highlighting is by way of Steam for Linux, which now has over 25 big name games on its platform and is growing by the week. Lots of people (myself included) have long blamed a lack of gaming on Linux as a barrier to Linux desktop adoption. While not every title is available on Steam for Linux, there is a healthy list.
Hey, if there is a game that you still need/want, you could always still try and run it under WINE too. (I'm assuming that the GTX 660 will work in either case, because it's always the graphics drivers that are the hangup, right?)
Too early to tell if this is the beginning of a real market for Linux and Dell Alienware, but it sure looks like it's off to a good start.
Apache OpenMeetings Hits First Open Source Top Level Project Release
By Sean Michael Kerner | April 05, 2013
From the 'open source meetings' files:
There is a lot of excitement in the open source community about the emerging WebRTC standard that will enable browsers to become full real-time communications tools.
It's important to remember, though, that there are other open source tools and efforts that are already somewhat mature to enable open source real time communications via a browser. OpenMeetings, though (unlike WebRTC, which is plug-in free), can and does benefit from the use of plugins (especially SWF/Flash).
This week the Apache OpenMeetings project released version 2.1 of its open source web conferencing platform. The OpenMeetings 2.1 release is the first release of the project since it graduated from the Apache Incubator to become a top level project, in December of 2012.
The new OpenMeetings 2.1.0 release provides improved integration with the open source Asterisk 11 PBX, which is required on the back-end to fully enable some of the web conferencing capabilities. The improved integration delivers enhanced sound and video.
As a full web conferencing solution, OpenMeetings also has chat capabilities. With the 2.1.0 release private chat amongst web conference users is now supported.
Google Blink Leaves Open Source WebKit Behind - Will Security Suffer?
By Sean Michael Kerner | April 03, 2013
From the 'open source fork' files:
Google is moving away from WebKit. Google is now going its own way with a new rendering engine called Blink.
Shocking isn't it?
The announcement just went live and I still find it somewhat unbelievable that Google is forking away from the WebKit community which enabled it to create Chrome/Chromium and Chrome OS.
But regular open source that others use has never been good enough for Google, they have their own 'itch' and requirements. Google 'improved' Linux with wakelocks in Android, databases with Big Table and MapR etc etc. Now Google is going to 'improve' the web by leaving WebKit behind.
"Chromium uses a different multi-process architecture than other WebKit-based browsers, and supporting multiple architectures over the years has led to increasing complexity for both the WebKit and Chromium projects," Adam Barth, Software Engineer at Google blogged. "This has slowed down the collective pace of innovation - so today, we are introducing Blink, a new open source rendering engine based on WebKit."
Google has pledged to make the transition not too painful for web developers and they are running the effort as an open source project too.
According to Google's Blink page on Chromium, with Blink, large-scale architectural changes to the code can be made without having to worry about breaking other consumers of WebKit.
"One change we’re planning is adding “out-of-process iframes”. These allow Chromium to separate individual parts of a page into separate sandboxed processes.... Another example is how we’d like to fix our networking code to be faster and simpler. Our current networking code in WebKit is limited by old Mac WebKit API obligations which cannot be changed."
All of this sounds good to me for Google and its direct line of users that benefit from Chromium via the Chrome Browser and Chrome OS.
But what about security for WebKit?
Google has been an AMAZING steward of WebKit security fixing more flaws than anyone else in recent years. With the shift to Blink, I suspect that flow will slow down, as architectural changes take hold.
Google plans on improving memory hardening in Blink and will be making some memory safety changes. This is a good thing for Blink, but not so good for Apple Safari. Look through any recent Apple Safari update and you'll see a dozen or more WebKit use-after-free memory errors found by Google. What will Apple do in the Blink era?
Overall, innovation is all about moving forward and not always being tied to the inertia of legacy deployments. It will be interesting to see what happens to WebKit in the year ahead and whether it continues to grow on its own, or if developers and browser vendors instead all choose to embrace a new model.
Mozilla Open Source Servo Moves Away from Gecko for Next Gen Mobile Browser
By Sean Michael Kerner | April 03, 2013
From the 'Rust is Good' files:
Mozilla is partnering with mobile phone giant Samsung on an effort that I consider to be the most important in the entire history of Mozilla. For the first time (so far as I know) Mozilla could be leaving Gecko behind and moving to a new engine.
"Servo is an attempt to rebuild the Web browser from the ground up on modern hardware, rethinking old assumptions along the way," Mozilla CTO, Brendan Eich wrote in a blog post. "This means addressing the causes of security vulnerabilities while designing a platform that can fully utilize the performance of tomorrow’s massively parallel hardware to enable new and richer experiences on the Web."
Servo is based on the Mozilla-led Rust language, which itself is an attempt to replace C.
Normally I'd just think that this is an interesting experiment, but wouldn't expect much to come of it. After all, Gecko is at the core of everything that Mozilla does (including Firefox OS right?).
Then again, Servo isn't necessarily competitive; it's an evolution of sorts. The fact that Mozilla is working with Samsung is a clear indication to me that this is serious. Mozilla has experimented with non-Gecko browsers before: in 2012 there was a new WebKit-based development called Junior, which seems to have gone nowhere.
Being bound to a C/Gecko legacy isn't the way to build innovation, so I salute Mozilla and its partner Samsung in breaking outside of 15-plus-year thinking to try something new.
Apache Bloodhound Leads Open Source Trac Forward
By Sean Michael Kerner | April 02, 2013
From the 'trac this' files:
For better or for worse, I tend to see a lot of Bugzilla on any given day for bug related tracking. Though, I do see a whole lot of Trac, too.
Soon, I hope to see a lot more of a different project though: Apache Bloodhound.
Bloodhound in many respects is a fork of the open source Trac project. Like all other modern projects, it started out as an incubated project in December of 2011 and now is graduating to become a Top-Level Project.
The graduation of Bloodhound didn't get officially promoted by Apache's PR outreach and press until today, though the official graduation occurred on March 20th. Since then a 0.5.2 release of Bloodhound has been issued. That's right, a graduated project that's not at a 1.0 milestone. That said, this project already has a sweet online demo (https://bh-demo1.apache.org/) that actually works and gives users a real taste of what Bloodhound is all about.
While I've long thought of Trac as being a kinda/sorta competitor to Bugzilla, Bloodhound is much more. It's not just about bug/defect tracking but about project management and code development.
"When Bloodhound entered the incubator it was a completely new project, though being built on top of the Trac framework has given it a strong foundation," said Gary Martin, Vice President of Apache Bloodhound in a statement. "Community growth and self-governing to the standards of a top-level project within The Apache Foundation has given the team invaluable experience."
Bloodhound is the second major project that I track (no pun intended) that graduated in March. CloudStack also came out of the incubator last month.
OpenStack Grizzly Rounding Third
By Sean Michael Kerner | April 01, 2013
From the 'RC3' files:
The big OpenStack 2013.1 (aka Grizzly) open source cloud platform release is due out this week on 4/4.
I'm always curious about project stability, and for me one possible leading indicator is the number of release candidates (RCs) that come out prior to a formal release. I'm not saying that more RCs mean more bugs (I've seen plenty of projects issue a single RC and then issue piles of bugfixes post GA), but it is 'interesting' to see how the hot dog is made.
Some 10 days ago, I wrote about the RC1 for all the core OpenStack projects.
As of today's date (April 1st 'No Foolin'), five of the core projects are now at RC2 (Nova, Horizon, Keystone, Quantum, Glance and Swift). Only the Cinder project has needed an RC3 (so far). Cinder's RC3 was a result of an incomplete removal of the rtslib dependency in RC2.
To be fair, Nova and Glance only hit RC2 on March 30th, which is actually three days after Cinder hit RC3 on March 27th.
"Due to various reported bugs (including an issue upgrading from Nova Folsom to Grizzly), we created new Grizzly release candidates for OpenStack Compute ("Nova") and OpenStack Image Service ("Glance")," OpenStack release manager Thierry Carrez, wrote in a mailing list message.
Personally, I doubt we'll see any more RC3s this week. I just don't see any show-stopper kind of things right now. Looking at the Nova compute project right now shows a remarkable list of 'only' fixed bugs.
That doesn't mean there still isn't a bug (or two) that needs to be fixed. It just means that those other bugs would be addressed post official general-availability of Grizzly.