Sunday, January 31, 2016

CentOS Dojo 2016 Notes after lunch

This is the second part of my personal notes from this year's CentOS Dojo before FOSDEM; the first part covers the talks until lunch. So, after lunch, we returned to our chairs and heard these interesting talks.

4. Quickstart. Contributing packages to a CentOS Special Interest Group

Brian talked about the basics of the CentOS build system, how to join SIGs and how to build a package in CBS for a particular SIG. Really a must-see for every newbie in a CentOS SIG.

5. Path from Software Collections to Containers for OpenShift

My talk about experiences with creating containers for OpenShift included two dozen tips from various fields. We looked closely at how to create a nice, OpenShift-friendly container image (yes, it was about Docker) for PostgreSQL and Python. These two examples covered the most important information one needs to create any similar database or application builder image. Later I went quickly through the list of images that are already out there, made by Red Hat or CentOS and based on Software Collections packages. In the end I briefly introduced the concept of Nulecule and what this project is intended for.

6. Getting started with kubernetes

Kubernetes was described as one of a long line of orchestration systems, going back even to Condor, whose development started in 1987. What makes these technologies different from the point of view of potential developers is the language they are written in.
Mesos was said to be influenced by Borg, Google's internal cluster manager that was kept secret for years. The point was that the people creating k8s know what they are doing, because we may see k8s as a new version of Mesos.
The basics of Kubernetes were explained clearly on simple examples: what pods, services and replication controllers do.
Atomic was presented as the way to use k8s on CentOS.
For learning k8s, use gh.c/skippbox/...8s
A Terraform plan for deploying k8s on AWS with Atomic Host and flannel was shown.
A demo showed k8s nodes being created automatically in AWS and then scaled.

7. Atomic Developer Bundle - Containerized development made easy

Atomic Developer Bundle: the guys showed why there is something like ADB, stating the problems developers face today during application development, all on real user stories. They showed a Vagrant development environment running Docker secured by TLS, with the user able to connect from the host machine by evaluating the output of 'vagrant adbinfo', which defines the development environment on the host.
Another example showed Eclipse running on the host and connecting to the remote Docker, a scenario that might work from any OS, even Windows. Although the demo did not work and we could see Murphy's law of live demos in practice again, we got the point and I'm sure it worked fine just before the talk.
ADB supports OpenShift and other orchestration technologies as well.
Why CentOS? Because of the community, which can give the needed feedback. In the end the list of available links was mentioned and the community was called to action.
The future is so bright, I gotta wear shades.
The architecture is still something to be changed; they plan to make the Vagrantfiles easier.
Landrush does not work and some help is needed.
In the end the guys tried the demo again, but with poor Internet connectivity and Murphy's law working even better, we saw only one step further.

Descriptions of the talks, and hopefully soon also slides and recordings, are available at:

CentOS Dojo 2016 Notes until lunch

This post is meant mostly as my notes from the CentOS Dojo before FOSDEM 2016, but maybe someone else finds it useful as well.

1. State of the CentOS Project

Well, the Dojo didn't begin very well for me: my phone decided to turn off during the night and, since I had arrived after midnight, I easily overslept and thus missed the first talk, where Karanbir talked about where CentOS is today. Hopefully I'll see it from the recording.

2. Relax-and-Recover simplifies Linux Disaster Recovery

Relax-and-Recover (ReaR), recently also included in RHEL 7, was presented by its author, Gratien, who supports these tools for a living. It makes recovery scenarios easy to handle, but it is not a backup solution. A live demo showed the recovery of a virtual machine in less than 3 minutes. Interesting stuff even for people without admin experience.

3. Desktop security, keeping the keys to the castle safe

Michael Scherer talked about security threats of various types, from stealing a computer and moving its RAM into a different machine (cold boot attack), through stealing passwords in various ways, to the FireWire DMA attack.

A big portion of the talk was about protecting the operating system, while many tips were given for protecting various specific things. Phishing, password managers, firewalls and other technologies were described from an interesting point of view, mostly wrapped in the statement that they must be used properly to work properly.

What surprised me was that virus scanners were found insecure themselves: all the tested scanners could be cracked by a file sent to be scanned, and the fact that they usually run with pretty high privileges makes them quite dangerous.

From the desktop world, a few technologies were mentioned, but most focus was given to browsers. Chrome was mentioned as good on some points, like process separation, but generally taken as a proprietary thing by Michael, so not very good from a security point of view. Firefox, a better integrated alternative, seems to be the better choice for those who trust the Mozilla Foundation, as Michael does, but with some rules kept, like removing Flash, not only disabling it. The same goes for Java, except where really necessary. No JavaScript, with the NoScript add-on, which makes the web faster but also often broken.
Remove CAs you do not trust.

Think about privacy in connection with surveillance: Adblock and cookiemaster, maybe even using Tor or Tails...

Local attacks mean a need to protect the laptop not only from colleagues: a screensaver with a password, not leaving a root shell open, credential expiration, disabling ptrace via SELinux. Use a passphrase on SSH keys and store keys on smartcards, like a YubiKey.
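The "passphrase on SSH keys" point is easy to audit. The following is an added example, not code from the talk or from this post: it parses the two on-disk formats OpenSSH uses (the openssh-key-v1 container, whose header names the cipher, and the legacy PEM form, which signals encryption with a Proc-Type header) and lists keys stored in the clear. The sample keys are constructed fixtures carrying only the header fields the check reads, not real key material; the file names and the `audit_directory` helper are my own.

```python
"""Audit OpenSSH private keys for a missing passphrase.

Added example (not from the talk or the post). The sample keys below are
constructed: the openssh-key-v1 blobs contain only the header fields this
check inspects, no real key material.
"""
import base64
import pathlib
import struct

MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the new OpenSSH key container


def _wire_string(data):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_wire_string(blob, offset):
    """Decode one SSH wire-format string at offset; return (bytes, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    if start + length > len(blob):
        raise ValueError("truncated openssh-key-v1 blob")
    return blob[start:start + length], start + length


def _pem(label, der):
    """Wrap raw bytes in PEM framing with 70-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed fixtures (assumed file names). openssh-key-v1 header: magic, ciphername, kdfname, kdfoptions.
SAMPLE_KEYS = {
    "id_ed25519_plain": _pem("OPENSSH PRIVATE KEY",
                             MAGIC + _wire_string(b"none") + _wire_string(b"none") + _wire_string(b"")),
    "id_ed25519_encrypted": _pem("OPENSSH PRIVATE KEY",
                                 MAGIC + _wire_string(b"aes256-ctr") + _wire_string(b"bcrypt")
                                 + _wire_string(b"\x00" * 24)),
    "id_rsa_legacy_plain": "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n",
    "id_rsa_legacy_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nAAAA\n"
                                "-----END RSA PRIVATE KEY-----\n"),
}


def key_is_encrypted(pem_text):
    """Return True if the key needs a passphrase, False if it is stored in the clear.

    Raises ValueError for text that is not a recognised PEM-framed private key.
    """
    lines = [l.strip() for l in pem_text.splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-framed private key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if label == "OPENSSH PRIVATE KEY":
        # New format: the cipher name in the header is "none" for unprotected keys.
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, _ = _read_wire_string(blob, len(MAGIC))
        return cipher != b"none"
    if label == "ENCRYPTED PRIVATE KEY":  # PKCS#8, always encrypted
        return True
    if label == "PRIVATE KEY":  # PKCS#8, never encrypted
        return False
    if label.endswith(" PRIVATE KEY"):  # legacy RSA/DSA/EC PEM: encryption is announced by a header
        return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines[1:-1])
    raise ValueError(f"unrecognised PEM label: {label}")


def audit_keys(keys):
    """Return the names of keys stored without a passphrase, sorted."""
    return sorted(name for name, text in keys.items() if not key_is_encrypted(text))


def audit_directory(path):
    """Audit every private key file in a directory such as ~/.ssh (skips .pub files)."""
    keys = {}
    for p in sorted(pathlib.Path(path).iterdir()):
        if p.is_file() and not p.name.endswith(".pub"):
            text = p.read_text(errors="replace")
            if text.startswith("-----BEGIN"):
                keys[p.name] = text
    return audit_keys(keys)


if __name__ == "__main__":
    for name in audit_keys(SAMPLE_KEYS):
        print(f"{name}: no passphrase")
```

Run it as `audit_directory(os.path.expanduser("~/.ssh"))` to check a real key directory; a key that shows up there should be re-encrypted with `ssh-keygen -p -f <file>`, or moved to a smartcard as the talk suggested.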

Server-side security is about auditing, making it hard and slow to delete data, and machine learning on events, which may help to catch attacks that are suspicious by their form, like a very fast root session, which is always suspicious.
Ideally disable direct access to the data altogether and use backups; an IDS is a lot of work and has the same issues as anti-viruses. A read-only OS like OSTree may work, but updates may be hard.
After this talk we moved to the lobby, where we found nice refreshments.
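The "very fast root session" point can be turned into a simple detection over the pam_unix session lines in the auth log. This is an added example, not from the talk or from this post: it pairs "session opened" and "session closed" events by host and sshd PID and flags root sessions shorter than a threshold. The log lines are constructed for the example, and the five-second threshold, the sshd-only filter and the function names are my assumptions.

```python
"""Flag suspiciously short root logins in syslog-style auth logs.

Added example (not from the talk or the post). The sample lines are constructed.
"""
import re
from datetime import datetime

# rsyslog/auth.log framing: "Mon DD HH:MM:SS host proc[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_unix session bookkeeping, e.g. "pam_unix(sshd:session): session opened for user root by (uid=0)"
SESSION_RE = re.compile(
    r"pam_unix\([\w.-]+:session\): session (?P<event>opened|closed) for user (?P<user>\S+)"
)

# Constructed sample: a normal user login, a two-second root login, a sudo session
# (legitimately sub-second) and a long root login.
SAMPLE_LOG = """\
Jan 31 10:15:02 dojo sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 50422 ssh2
Jan 31 10:15:02 dojo sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Jan 31 10:16:44 dojo sshd[1300]: Accepted publickey for root from 10.0.0.9 port 41010 ssh2
Jan 31 10:16:44 dojo sshd[1300]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 31 10:16:46 dojo sshd[1300]: pam_unix(sshd:session): session closed for user root
Jan 31 10:17:30 dojo sudo[1388]: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
Jan 31 10:17:30 dojo sudo[1388]: pam_unix(sudo:session): session closed for user root
Jan 31 10:20:00 dojo sshd[1201]: pam_unix(sshd:session): session closed for user alice
Jan 31 10:21:10 dojo sshd[1455]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 31 10:29:10 dojo sshd[1455]: pam_unix(sshd:session): session closed for user root
""".splitlines()


def parse_syslog_line(line, year):
    """Split one syslog line into (timestamp, host, proc, pid, message), or None if unparseable.

    Classic syslog timestamps carry no year, so the caller supplies one (assumption).
    """
    m = SYSLOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["host"], m["proc"], int(m["pid"]), m["msg"]


def find_short_sessions(lines, max_seconds=5, year=2016, users=("root",), procs=("sshd",)):
    """Return sessions (as dicts) that closed less than max_seconds after opening.

    Open and close events are paired by (host, proc, pid). users=None matches every
    user. procs restricts the check to login daemons: sudo's one-command sessions are
    legitimately sub-second and would bury the signal, so they are excluded by default.
    """
    open_sessions = {}
    hits = []
    for line in lines:
        parsed = parse_syslog_line(line, year)
        if parsed is None:
            continue
        ts, host, proc, pid, msg = parsed
        sm = SESSION_RE.search(msg)
        if sm is None or (procs is not None and proc not in procs):
            continue
        key = (host, proc, pid)
        if sm["event"] == "opened":
            open_sessions[key] = (ts, sm["user"])
            continue
        start_user = open_sessions.pop(key, None)
        if start_user is None:
            continue  # close without a matching open: rotated log, or someone deleted lines
        start, user = start_user
        seconds = (ts - start).total_seconds()
        if (users is None or user in users) and seconds < max_seconds:
            hits.append({"host": host, "proc": proc, "pid": pid, "user": user,
                         "opened": start.isoformat(), "seconds": seconds})
    return hits


if __name__ == "__main__":
    for hit in find_short_sessions(SAMPLE_LOG):
        print(f"{hit['opened']} {hit['host']} {hit['proc']}[{hit['pid']}]: "
              f"{hit['user']} session lasted {hit['seconds']:.0f}s")
```

Feed it the output of `grep pam_unix /var/log/secure` (or `journalctl _COMM=sshd -o short`) to run it against a real host. The rule is deliberately crude: it is the kind of single feature that a model trained on session events would pick up, and it already catches the "log in as root, run one command, log out" pattern the talk called always suspicious.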

Descriptions of the talks, and hopefully soon also slides and recordings, are available at:

See also the notes from after lunch.