AppArmor has been adopted as the default Mandatory Access Control solution for both the Ubuntu and Mandriva distributions. I’ve sung its praises before, and as evidenced by writing my now third column about it, clearly I’m still a fan.

But, you should know that AppArmor’s future is uncertain. In late 2007, Novell laid off its full-time AppArmor developers, including project founder Crispin Cowan (who subsequently joined Microsoft).

Thus, Novell’s commitment to AppArmor is open to question. It doesn’t help that the AppArmor Development Roadmap on Novell’s Web site hasn’t been updated since 2006, or that Novell hasn’t released a new version of AppArmor since 2.3 Beta 1 in July 2008, nearly a year ago at the time of this writing.

But, AppArmor’s source code is GPL’d: with any luck, this apparent slack in AppArmor leadership soon will be taken up by some other concerned party—for example, Ubuntu and Mandriva developers. By incorporating AppArmor into their respective distributions, the Ubuntu and Mandriva teams have both committed to at least patching AppArmor against the inevitable bugs that come to light in any major software package.

Given this murky future, is it worth the trouble to use AppArmor? My answer is an emphatic yes, for a very simple reason: AppArmor is so easy to use—requiring no effort for packages already having distribution provided profiles and minimal effort to create new profiles—that there’s no reason not to take advantage of it for however long it remains an officially supported part of your SUSE, Ubuntu or Mandriva system.

Source of Information : Linux Journal 185 September 2009

Moonlight is an open-source implementation of Microsoft’s Silverlight. In case you’re
not familiar with Silverlight, it’s a Web browser plugin that runs rich Internet applications. It provides features such as animation, audio/video playback and vector graphics.

Moonlight programming is done with any of the languages compatible with the Mono runtime environment. Among many others, these languages include C#, VB.NET and Python. Mono, of course, is a multiplatform implementation of ECMA’s Common Language Infrastructure (CLI), aka the .NET environment. A technical collaboration deal between Novell and Microsoft has provided Moonlight with access to Silverlight test suites and gives Moonlight users access to licensed media codecs for video and audio. Moonlight currently supplies stable support for Silverlight 1.0 and Alpha support for Silverlight 2.0.



Source of Information : Linux Journal 185 September 2009

In our second Upfront installment highlighting non-Linux FOSS projects, we present SharpDevelop. SharpDevelop (aka #Develop) is an IDE for developing .NET applications in C#, F#, VB.NET, Boo and IronPython. SharpDevelop includes all the stuff you’d expect in a modern IDE: syntax highlighting, refactoring, forms designer, debugger, unit testing, code coverage, Subversion support and so on. It runs on all modern versions of the Windows platform. SharpDevelop is a “real” FOSS project; it’s not controlled by any big sinister corporation (and we all know who I’m talking about). It has an active community and is actively upgraded. At the time of this writing, version 3.0 just recently has been released. Even if you use only Linux, you may be indirectly using SharpDevelop. If you use any Mono programs, they probably were developed using the MonoDevelop IDE. MonoDevelop was forked from SharpDevelop in 2003 and ported to GTK.




Source of Information : Linux Journal Issue 182 June 2009

Apart from the ISO images of four FOSS distributions in this month’s DVD, we have also managed to pack in some of the best content management systems (CMS). We hope you deploy and test them all. Well, if you really do, let us know your feedback on them, or write a comparison article if you have the time :-)

Drupal is a FOSS modular framework and CMS written in PHP. It is used as a back-end system for many different types of websites, ranging from small personal blogs to large corporate and political sites. The standard release of Drupal, known as “Drupal core”, contains basic features common to most CMSs. These include the ability to register and maintain individual user accounts, administration menus, RSS-feeds, customizable layout, flexible account privileges, logging, a blogging system, an Internet forum, and options to create a classic brochure-ware website or an interactive community website.

Joomla CMS enables you to build websites and powerful online applications. Many aspects, including its ease-of-use and extensibility, have made Joomla the most popular website software available. Best of all, Joomla is an open source solution that is freely available to everyone.

WebGUI is a platform for managing all your Web-based content and applications. WebGUI is modular, powerful, secure, and user-friendly. Most users find themselves managing content within hours, and developers can easily plug-in functionality to maximise a site’s potential. It is an easy to use content management system, which has ability to create and install custom applications. With WebGUI, you can publish articles, participate in forums, create photo galleries and can even create interactive event calendars.

WordPress is a state-of-the-art Web publishing platform with a focus on aesthetics, Web standards, and usability. It’s arguably the de-facto blogging platform.

TYPO3 is a free and open source content management system written in PHP. TYPO3 offers full flexibility and extendibility while featuring an accomplished set of readymade interfaces, functions and modules. The system is based on templates. People can choose an existing template and change features such as logo, colours, and fonts, or they can construct their own templates using a configuration language called TypoScript.

Mambo ( formerly named Mambo Open Source or MOS) is a free software/open source content management system (CMS) for creating and managing websites through a simple Web interface. It has attracted many users due to its ease of use. Mambo includes advanced features such as page caching to improve performance on busy sites, advanced templating techniques, and a fairly robust API. It can provide RSS feeds and automate many tasks, including web indexing of static pages.

e107 is a content management system written in PHP and using the popular open source MySQL database system for content storage. It’s completely free, totally customizable and in constant development.

XOOPS is an extensible, object oriented, easy to use dynamic Web CMS written in PHP. XOOPS is an ideal tool for developing small to large dynamic community websites, intra company portals, corporate portals, blogs and much more.

Plone is a free and open source CMS built on top of the Zope application server. It is suited for an internal website or may be used as a server on the Internet, playing such roles as a document publishing system and group ware collaboration tool. Plone is designed to be extensible.

OpenCms is a professional, easy-to-use website CMS. The fully browser-based user interface features configurable editors for structured content with well-defined fields. Alternatively, content can be created using an integrated WYSIWYG editor similar to well known office applications. A sophisticated template engine enforces a site-wide corporate layout and W3C standard compliance for all content.

Moodle is a Learning Management System (LMS). It is a free Web application that educators can use to create effective online learning sites. It’s open source licence and modular design means that people can develop additional functionality.

Source of Information : Linux For You May 2009

The LVS (Linux Virtual Server) project was launched in 1998 and is meant to eliminate Single Point of Failures (SPOF). According to the linuxvirtualserver.org website: “LVS is a highly scalable and available server built on a cluster of real servers, with the load balancer running on Linux. The architecture of the server cluster is fully transparent to the end user, and the users interact as if it were a single high-performance virtual server. The real servers and the load balancers may be interconnected by either a high speed LAN or by a geographically dispersed WAN.”

The load balancer is the single entry point into the cluster. The client connects to a single known IP address, and then inside the virtual server the load balancer redirects the incoming connections to the server(s) that actually does the work according to the scheduling algorithm chosen. The nodes of the cluster (real servers) can be transparently added/removed, providing a high level of scalability. The LVS detects node failures on-the-fly and reconfigures the system accordingly, automatically, thus providing high availability. Theoretically, the load balancer can either run IPVS or KTCPVS techniques for load balancing, but owing to a very high stability of IPVS, it is used in almost all the implementations I have seen. See the sidebar titled “IPVS v/s KTCPVS” for a brief note on the differences between the two. IPVS provides Layer 4 load balancing and KTCPVS provides Layer 7 load balancing (see the sidebar).

There are three load balancing techniques used in IPVS:
LVS/NAT – Virtual Server via NAT
LVS/TUN – Virtual Server via Tunnelling
LVS/DR – Virtual Server via Direct Routing



IPVS v/s KTCPVS
IPVS or IP Virtual Server is an implementation of Layer 4 load balancing inside the Linux kernel. Layer 4 load balancing works on OSI Layer 4 (Transport Layer) and distributes requests to the servers at the transport layer without looking at the content of the packets.

KTCPVS or Kernel TCP Virtual Server is an implementation of Layer 7 load balancing in the Linux kernel. Layer 7 load balancing is also known as application-level load balancing. The load balancer parses requests in the application layer and distributes requests to servers based on the content. The scalability of Layer 7 load balancing is not high because of the overhead of parsing the content.



IPVS Load Balancing Techniques
LVS/NAT: This technique is one of the simplest to set up but could present an extra load on the load balancer, because the load balancer needs to rewrite both the request and response packets. The load balancer needs to also act as a default gateway for all the real servers, which does not allow the real servers to be in a geographically different network. The packet flow in this technique is as follows:

• The load balancer examines the destination address and port number on all incoming packets from the client(s) and verifies if they match any of the virtual services being served.

• A real server is selected from the available ones according to the scheduling algorithm and the selected packets are added to the hash tables recording the connections.

• The destination address and port numbers on the packets are rewritten to match that of the real server and the packet is forwarded to the real server.

• After processing the request, the real server passes the packets back to the load balancer, which then rewrites the source address and port of the packets to match that of the real service and sends it back to the client.

LVS/DR: DR stands for Direct Routing. This technique utilises MAC spoofing and demands that at least one of the load balancer’s NIC and real server’s NIC are in the same IP network segment as well as the same physical segment. In this technique, the virtual IP address is shared by the load balancer as well as all the real servers. Each real server has a loop-back alias interface configured with the virtual IP address. This loop-back alias interface must be NOARP so that it does not respond to any ARP requests for the virtual IP. The port number of incoming packets cannot be remapped, so if the virtual server is configured to listen on port 80, then real servers also need to service on port 80. The packet flow in this technique is as follows:

• The load balancer receives the packet from the client and changes the MAC address of the data frame to one of the selected real servers and retransmits it on the LAN.

• When the real server receives the packet, it realises that this packet is meant for the address on one of its loopback aliased interfaces.

• The real server processes the request and responds directly to the client.

LVS/TUN: This is the most scalable technique. It allows the real servers to be present in different LANs or WANs because the communication happens with the help of the IP tunnelling protocol. The IP tunnelling allows an IP datagram to be encapsulated inside another IP datagram. This allows IP datagrams destined for one IP address to be wrapped and redirected to a different IP address. Each real server must support the IP tunnelling protocol and have one of its tunnel devices configured with the virtual IP. If the real servers are in a different network than the load balancer, then the routers in their network need to be configured to accept outgoing packets with the source address as the virtual IP. This router reconfiguration needs to be done because the routers are typically configured to drop such packets as part of the anti-spoofing measures. Like the LVS/DR method, the port number of incoming packets cannot be remapped. The packet flow in this technique is as follows:

• The load balancer receives the packet from the client and encapsulates the packet within an IP datagram, and forwards it to a dynamically selected real server.

• The real server receives the packet, ‘de-encapsulates’ it and finds the inner packet with a destination IP that matches with the virtual IP configured on one of its tunnel devices.

• The real server processes the request and returns the result directly to the user.

Source of Information : Linux For You May 2009

Understanding the OpenVZ way of virtualisation and getting started with it.

Virtualisation is going mainstream, with many predicting that it will expand rapidly in the next few years. Virtualisation is a term that can refer to many different techniques. Most often, it is just software that presents a virtual hardware on which other software can run. Virtualisation is also done at a hardware level, like in the IBM mainframes or in the latest CPUs that feature the VT or SVM technologies from Intel and AMD, respectively. Although a fully featured virtual machine can run unmodified operating systems, there are other techniques in use that can provide special virtual machines, which are nevertheless very useful.


Performance and virtualisation
The x86 architecture is notorious for its virtualisation unfriendly nature. Explaining why this is the case requires a separate article on the subject. The only way to virtualise x86 hardware was to emulate it at the instruction level or to use methods like ‘Binary Translation’ and ‘Binary Patching’ at runtime. Well known software in this arena are QEMU, Vmware and the previously well-known Bochs. These programs emulate a full PC and can run unmodified operating systems.

The recent VT and SVM technologies provided by Intel and AMD, respectively, do away with the need to interpret/patch guest OS instruction streams. Since these recent CPUs provide hardware-level virtualisation, the virtualisation solution can trap into the host OS for any privileged operation that the guest is trying to execute. Although running unmodified operating systems definitely has its advantages, there are times when you just need to run multiple instances of Linux, for example. Then why emulate the whole PC? VT and SVM technologies virtualise the CPU very well, but the various buses and the devices sitting on them need to be emulated. This hits the performance of the virtual machines.

As an example, let us take the cases of QEMU, Xen, KVM and UML. This comparison is kind of funny, since the guys who wrote these software, never wanted to end up in a table like Table 1. This is like comparing apples to oranges, but all we want to understand from this table is whether the VMM can run an unmodified operating system, at what level it runs, and how the performance is compared to natively running it.


Introducing OpenVZ
Let us suppose you want to run only Linux, but want to make full use of a physical server. You can run multiple instances of Linux for hosting purposes, education and in testing environments, for example. But do you have to emulate a full PC to run these virtual, multiple instances? Not really. A solution like User Mode Linux (UML) lets you run Linux on the Linux kernel, where each Linux is a separate, isolated instance. To get a simplified view of a Linux system, let us take three crucial components that make up a system. They are: the kernel, the root filesystem, and the processes that are created as the system boots up and runs. The kernel is, of course, the core of the operating system; the root filesystem is what holds the programs and the various configuration files; and the processes are running instances of the programs created from binaries on the root file system. They are created as the system boots up and runs.

In UML, there is a host system and then there are guests. The host system has a kernel, and the root file system and its set of processes. Each guest has a kernel, a root file system and its own set of processes.

Under OpenVZ, things are a bit different. There is a single kernel and there are multiple root file systems. The guest’s root file systems are directory trees under the host file system. A guest under OpenVZ is called a Virtual Environment (VE) or Virtual Private Server (VPS). Each VPS is identified using a name or a number, where VPS 0 is the host itself. Processes created by these VEs remain isolated from others. That is, if VPS 101 creates five processes and VPS 102 creates seven, they can’t ‘see’ each other. This may sound a lot like chroot jails, but you must note the differences as well. A chroot jail provides only filesystem isolation. The processes in a chroot jail still share processes, networks and other namespaces with the host. For example, if you run ps -e from a chroot jail, you still see a list of systemwide processes. If you run a socket program from the chroot environment and listened on localhost, you can connect to it from outside the chroot jail. This simply means there is no isolation at the process or the network level. You can also verify this by running netstat –a from the chroot jail. You will be able to see the status of system wide networking connections.

OpenVZ is rightly called a container technology. In case of OpenVZ, there is no real virtual machine. The OpenVZ kernel is a modification of the Linux kernel that isolates namespaces and contains or separates processes created by one VPS from another. By doing so, the overhead of running multiple kernels is avoided and maximum performance is obtained. In fact, the worse case overhead compared to native performance in OpenVZ is said to be rarely more than 3 per cent. So, on a server with a few gigs of RAM, it is possible to run tens of VPSs and still have decent performance. Since there is only one kernel to deal with, memory consumption is also under check.


User bean counters
OpenVZ is not just about the isolation of processes. There are various resources on a computer system that processes compete for. These are resources like CPU, memory, disk space and at a finer level, file descriptors, sockets, locked memory pages and disk blocks, among others. At a VPS level, it is possible in OpenVZ to let the administrator set limits for each of these items so that resources can be guaranteed to VPSs and also to ensure that no VPS can misuse available resources. OpenVZ developers have chosen about 20 parameters that can be tuned for each of the VPSs.


The OpenVZ fair scheduler
Just as various resources are guaranteed to VPSs, CPU time for a VPS can also be guaranteed. It is possible to specify the minimum CPU units a VPS will receive. To make sure this happens, OpenVZ employs a two-level scheduler. The first level fair scheduler makes sure that no VPS is starved of its minimum CPU guarantee time. It basically selects which VPS has to run on the CPU next. At the scheduler level, a VPS is just a set of processes. Then, this set is passed on to the regular Linux kernel scheduler and one from the set is scheduled to run. In a VPS Web hosting environment, the hosting provider can thus guarantee the customer some minimum CPU power.


Installing OpenVZ
To install OpenVZ and have it work, you need to download or build an OpenVZ kernel, and also build or download pre-built OpenVZ tools. When you install the OpenVZ tools, it also installs the init scripts that take care of setting up OpenVZ. During system start-up and shut down, VEs are automatically started and shut down along with the Hardware Node (HN). Once the tools are installed, you can see that a directory named ‘vz’ is created in the root directory and it also contains other directories. On a production server, you may want ‘/vz’ on a separate partition.

Source of Information : Linux For You May 2009