Audience was technical Linux on System z practitioners. Steps through the Linux on System z development process, what is included in RHEL for System z (now + future), provisioning and patch management, and broad security updates (SELinux, Auditing, Crypto).
2009-09-24 Get the Hype on System z Webinar with IBM, Current & Future Linux ...Shawn Wells
Joint webinar series with Hans Picht (Linux on System z Lead, IBM). Covered recent release of Red Hat Enterprise Linux 5.4, which had the inclusion of Named Saved Segments (NSS), updated fiber channel, and rebasing of s390utils. Stepped through roadmap for RHEL on System z and gave update on CMM2 development activities.
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...Shawn Wells
Briefed the National Security Agency's Open Source User Group on Red Hat's System z capabilities. Joined by Jim Stann (Solution Architect, Intelligence Programs). Briefed RHEL5 roadmap for System z/s390x.
Redhat 7 book, this is not a book ,its way to do pass RHCSA ,almost complete syllabus and of course solved.
Without Practice you cant remember linux commands for long time,
2009-09-24 Get the Hype on System z Webinar with IBM, Current & Future Linux ...Shawn Wells
Joint webinar series with Hans Picht (Linux on System z Lead, IBM). Covered recent release of Red Hat Enterprise Linux 5.4, which had the inclusion of Named Saved Segments (NSS), updated fiber channel, and rebasing of s390utils. Stepped through roadmap for RHEL on System z and gave update on CMM2 development activities.
2010-01-28 NSA Open Source User Group Meeting, Current & Future Linux on Syst...Shawn Wells
Briefed the National Security Agency's Open Source User Group on Red Hat's System z capabilities. Joined by Jim Stann (Solution Architect, Intelligence Programs). Briefed RHEL5 roadmap for System z/s390x.
Redhat 7 book, this is not a book ,its way to do pass RHCSA ,almost complete syllabus and of course solved.
Without Practice you cant remember linux commands for long time,
Long-term Maintenance Model of Embedded Industrial Linux DistributionSZ Lin
To introduce a robust, secure and reliable platform for the industrial environments is a key challenge; moreover, the platform needs to survive for a long time (more than 10+ years). There are many good solutions aiming to meet these requirements, such as LTSI (Long Term Support Initiative) and CIP (Civil Infrastructure Platform). However, it still needs a high amount of maintenance and development costs in handling SoC/ hardware board in-house patch, non-upstream driver and keep source code consistent with different SoC and platform afterwards.
In this presentation, SZ Lin will introduce how to operate long-term maintenance model of embedded industrial Linux distribution. In addition, he will also address the building, deploying and testing architecture and workflow for producing a robust, secure and reliable platform.
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
Sniffing through the ages
Capturing packets running on the wire to send them to a software doing analysis seems at first sight a simple tasks. But one has not to forget that with current network this can means capturing 30M packets per second. The objective of this talk is to show what methods and techniques have been implemented in Linux and how they have evolved over time.
The talk will cover AF_PACKET capture as well as PF_RING, dpdk and netmap. It will try to show how the various evolution of hardware and software have had an impact on the design of these technologies. Regarding software a special focus will be made on Suricata IDS which is implementing most of these capture methods.
Eric Leblond, Stamus Networks
Intel trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM.
In this talk, we will:
* explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications,
* discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation.
* describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK.
* discuss how it is possible for the OS to manage secure memory without having access to it.
* explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations.
Ofir Weisse is a Researcher PhD Student at University of Michigan.
Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc
Building, deploying and testing an industrial linux platform @ Open source su...SZ Lin
To introduce a robust, secure and reliable platform for the industrial environments is a key challenge. Therefore, running with the industrial-grade Linux distribution to fulfill the requirements mentioned above is imperative. The Linux distribution includes the Linux kernel and user space. Based on this testing design, the distribution will be built, deployed and tested in the device under automatic test by using continuous integration development practice to withstand the harsh industrial environments. In this presentation, SZ Lin will introduce how the industrial-grade Linux distribution is built, deployed and tested without human intervention, and review the test scope in both Linux kernel and user space. In addition, he will also address the design architecture of 24/7 long-term automated testing in all device under test with each release of new update.
DPDK (Data Plane Development Kit) Overview by Rami Rosen
* Background and short history
* Advantages and disadvantages
- Very High speed networking acceleration in L2
- How this acceleration is achieved (hugepages, optimizations)
- rte_kni (and KCP)
- VPP (and FD.io project) , providing routing and switching.
- TLDK (Transport Layer Development Kit, TCP/UDP)
* Anatomy of a simple DPDK application.
* Development and governance model
* Testpmd: DPDK CLI tool
* DDP - Dynamic Device Profiles
Rami Rosen is a Linux Kernel expert, the author of "Linux Kernel Networking", Apress, 2014.
Rami had published two articles about DPDK in the last year:
"Network acceleration with DPDK"
https://lwn.net/Articles/725254/
"Userspace Networking with DPDK"
https://www.linuxjournal.com/content/userspace-networking-dpdk
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareAnne Nicolas
The hwmon subsystem originates from the 1998 project lm-sensors. Along the way, there have been a lot of effort done to have all drivers present a standard interface to user-space, and consolidate the common plumbing into an easy-to-use, hard-to-get-wrong API. The final step of this long-running effort is happening right now.
Jean Delvare, SUSE
How Linux Processes Your Network Packet - Elazar LeibovichDevOpsDays Tel Aviv
With buzz on eBPF, XDP, bpfilter etc,, it's important to get the basics right. We will show the route of a networ packet from kernel driver to TCP/IP stack to userspace socket and explain how and where it's processed en route.
Modern environment uses a lot of the Linux networking stack capability.
Every docker container requires a dedicated bridge, usually a few iptables entries to expose port, and a dnsmasq daemon, and masquarading to allow internet access.
It is hence important to understand Linux network fundumentals. From the driver interrupt/NAPI, to the network stack, the various filters it passes through and the various hooks you have at your disposal to alter and view the network packets flow.
We will first review the theory, and then present useful tools to apply the theory and debug problems in common situations.
We will survey common containers situations and see how packets move from the hardware to the container's veth.
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus on why AGL should adopt systemd, and highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System zShawn Wells
Red Hat Update at IBM Teach the Teacher (IBM T3) Conference in Endicott, NY. Covering Red Hat's community development model, System z announcements, SELinux, SCAP, and Red Hat Network Satellite for Systems Management.
Talk from Embedded Linux Conference, http://elcabs2015.sched.org/event/551ba3cdefe2d37c478810ef47d4ca4c?iframe=no&w=i:0;&sidebar=yes&bg=no#.VRUCknSQQQs
Long-term Maintenance Model of Embedded Industrial Linux DistributionSZ Lin
To introduce a robust, secure and reliable platform for the industrial environments is a key challenge; moreover, the platform needs to survive for a long time (more than 10+ years). There are many good solutions aiming to meet these requirements, such as LTSI (Long Term Support Initiative) and CIP (Civil Infrastructure Platform). However, it still needs a high amount of maintenance and development costs in handling SoC/ hardware board in-house patch, non-upstream driver and keep source code consistent with different SoC and platform afterwards.
In this presentation, SZ Lin will introduce how to operate long-term maintenance model of embedded industrial Linux distribution. In addition, he will also address the building, deploying and testing architecture and workflow for producing a robust, secure and reliable platform.
Kernel Recipes 2015: Kernel packet capture technologiesAnne Nicolas
Sniffing through the ages
Capturing packets running on the wire to send them to a software doing analysis seems at first sight a simple tasks. But one has not to forget that with current network this can means capturing 30M packets per second. The objective of this talk is to show what methods and techniques have been implemented in Linux and how they have evolved over time.
The talk will cover AF_PACKET capture as well as PF_RING, dpdk and netmap. It will try to show how the various evolution of hardware and software have had an impact on the design of these technologies. Regarding software a special focus will be made on Suricata IDS which is implementing most of these capture methods.
Eric Leblond, Stamus Networks
Intel trusted execution environment, SGX, offers an attractive solution for protecting one's private data in the public cloud environment, even in the presence of a malicious OS or VMM.
In this talk, we will:
* explore how SGX mitigates various attack surfaces and the caveats of naively using the technology to protect applications,
* discuss the performance implications of SGX on common applications and understand the new bottlenecks created by SGX, which may lead to a 5X performance degradation.
* describe an optimized SGX interface, HotCalls, that provides a 13-27x speedup compared to the built-in mechanism supplied by the SGX SDK.
* discuss how it is possible for the OS to manage secure memory without having access to it.
* explore various attack surfaces and published attacks which require collusion with the OS. Specifically, page-fault and page-fault-less “controlled channel attacks”, branch-shadowing attacks and potential mitigations.
Ofir Weisse is a Researcher PhD Student at University of Michigan.
Video available at: https://www.youtube.com/watch?v=I3TCctdnOEc
Building, deploying and testing an industrial linux platform @ Open source su...SZ Lin
To introduce a robust, secure and reliable platform for the industrial environments is a key challenge. Therefore, running with the industrial-grade Linux distribution to fulfill the requirements mentioned above is imperative. The Linux distribution includes the Linux kernel and user space. Based on this testing design, the distribution will be built, deployed and tested in the device under automatic test by using continuous integration development practice to withstand the harsh industrial environments. In this presentation, SZ Lin will introduce how the industrial-grade Linux distribution is built, deployed and tested without human intervention, and review the test scope in both Linux kernel and user space. In addition, he will also address the design architecture of 24/7 long-term automated testing in all device under test with each release of new update.
DPDK (Data Plane Development Kit) Overview by Rami Rosen
* Background and short history
* Advantages and disadvantages
- Very High speed networking acceleration in L2
- How this acceleration is achieved (hugepages, optimizations)
- rte_kni (and KCP)
- VPP (and FD.io project) , providing routing and switching.
- TLDK (Transport Layer Development Kit, TCP/UDP)
* Anatomy of a simple DPDK application.
* Development and governance model
* Testpmd: DPDK CLI tool
* DDP - Dynamic Device Profiles
Rami Rosen is a Linux Kernel expert, the author of "Linux Kernel Networking", Apress, 2014.
Rami had published two articles about DPDK in the last year:
"Network acceleration with DPDK"
https://lwn.net/Articles/725254/
"Userspace Networking with DPDK"
https://www.linuxjournal.com/content/userspace-networking-dpdk
Kernel Recipes 2016 - New hwmon device registration API - Jean DelvareAnne Nicolas
The hwmon subsystem originates from the 1998 project lm-sensors. Along the way, there have been a lot of effort done to have all drivers present a standard interface to user-space, and consolidate the common plumbing into an easy-to-use, hard-to-get-wrong API. The final step of this long-running effort is happening right now.
Jean Delvare, SUSE
How Linux Processes Your Network Packet - Elazar LeibovichDevOpsDays Tel Aviv
With buzz on eBPF, XDP, bpfilter etc,, it's important to get the basics right. We will show the route of a networ packet from kernel driver to TCP/IP stack to userspace socket and explain how and where it's processed en route.
Modern environment uses a lot of the Linux networking stack capability.
Every docker container requires a dedicated bridge, usually a few iptables entries to expose port, and a dnsmasq daemon, and masquarading to allow internet access.
It is hence important to understand Linux network fundumentals. From the driver interrupt/NAPI, to the network stack, the various filters it passes through and the various hooks you have at your disposal to alter and view the network packets flow.
We will first review the theory, and then present useful tools to apply the theory and debug problems in common situations.
We will survey common containers situations and see how packets move from the hardware to the container's veth.
A talk presented at the Automotive Grade Linux All-Members meeting on September 8, 2015. The focus on why AGL should adopt systemd, and highlights two of the more difficult integration issues that may arise while doing so. The embedded SVG image, courtesy Marko Hoyer of ADIT, is at http://she-devel.com/2015-07-23_amm_demo.svg
2008-07-30 IBM Teach the Teacher (IBM T3), Red Hat Update for System zShawn Wells
Red Hat Update at IBM Teach the Teacher (IBM T3) Conference in Endicott, NY. Covering Red Hat's community development model, System z announcements, SELinux, SCAP, and Red Hat Network Satellite for Systems Management.
Talk from Embedded Linux Conference, http://elcabs2015.sched.org/event/551ba3cdefe2d37c478810ef47d4ca4c?iframe=no&w=i:0;&sidebar=yes&bg=no#.VRUCknSQQQs
Here is the new syllabus for CCNA which can be usefull in major projects and synopsis please use these notes only for education purpose only
The Technical Zone
2009-06-18 CAVMEN System z Users Group UpdateShawn Wells
Invited to return to CAVMEN, gave update on RHEL for System z. Was asked to discuss Red Hat Community Contributions and how the upstream->Fedora->RHEL model works. Discussed Libvirt as API capable of communicating to multiple hypervisors.
Handling Kernel Upgrades at Scale - The Dirty Cow StoryDataWorks Summit
Apache Hadoop at Yahoo is a massive platform with 36 different clusters spread across YARN, Apache HBase, and Apache Storm deployments, totaling 60,000 servers made up of 100s of different hardware configurations accumulated over generations, presenting unique operational challenges and a variety of unforeseen corner cases. In this talk, we will share methods, tips and tricks to deal with large scale kernel upgrade on heterogeneous platforms within tight timeframes with 100% uptime and no service or data loss through the Dirty COW use case (privilege escalation vulnerability found in the Linux Kernel in late 2016).
We will dive deep into our three phased approach that led to eventual success of the program - pre work, kernel upgrade itself, and post work / cleanup. We will share the details on automation tools, UIs, and reporting tools developed and used to achieve the stated objectives of 800+ server upgrades per hour, track the upgrade progress, validate and report data blocks, and recover quickly from bad blocks encountered. Throughout the talk, we will highlight the importance of process management, communicating with 100s of custom teams to ensure they are onboard and aware, and successful coordination tactics with SREs and Site Operations. We will also touch upon some of the unique challenges we faced along with way such as BIOS updates necessary on over 20,000 hosts along the way, and explain system rolling upgrade support we added to HBase and Storm for avoiding service disruption to low latency customer during these upgrades.
Linux Containers and Docker SHARE.ORG Seattle 2015Filipe Miranda
This slide deck shows us an introduction to Linux Containers (LXC) and Docker for Linux on IBM z Systems.
One example of a commercial use of Linux Containers (and Docker) is Red Hat Openshift, which is is also covered at the end.
LCC17 - Securing Embedded Systems with the Hypervisor - Lars Kurth, CitrixThe Linux Foundation
Hypervisors were once seen as purely cloud and server technologies, but have slowly seeped into the embedded space providing extra layers of security. This discussion will showcase how companies from security vendors to automotive are using open source hypervisors (particularly Xen Project) to secure embedded systems, what challenges they face and how they have overcome it. We will also explore what this might mean to IoT at large and how to get started in securing your embedded system with a hypervisor-first approach.
SHARE.ORG in Boston Aug 2013 RHEL update for IBM System zFilipe Miranda
Red Hat Enterprise Linux update for IBM System z
Presented at SHARE in Aug 23 2013
More information about SHARE can be found here: https://share.confex.com/share/121/webprogram/Session13857.html
www.share.org
Containers are incredibly convenient to package applications and deploy them quickly across the data center.
This talk will introduce RunX, a new project under LF Edge that aims at bringing containers to the edge with extra benefits. At the core, RunX is an OCI-compatible container runtime to run software packaged as containers as Xen micro-VMs. RunX allows traditional containers to be executed with a minimal overhead as virtual machines, providing additional isolation and real-time support.
It also introduces new types of containers designed with edge and embedded deployments in mind. RunX enables RTOSes, and baremetal apps to be packaged as containers, delivered to the target using the powerful containers infrastructure, and deployed at runtime as Xen micro-VMs. Physical resources can be dynamically assigned to them, such as accelerators and FPGA blocks.
This presentation will go through the architecture of RunX and the new deployment scenarios it enables. It will provide an overview of the integration with Yocto Project via the meta-virtualization layer and describe how to build a complete system with Xen and RunX.
The presentation will come with a live demo on embedded hardware.
Similar to 2008-11-13 CAVMEN RHEL for System z Deep Dive (20)
2017-07-11 GovLoop: Changing the Open Hybrid Cloud Game (Deploying OpenShift ...Shawn Wells
Microsoft and Red Hat have certified OpenShift Container Platform to run on Microsoft Azure. This talk steps through the reference architecture and ongoing work to accelerate government ATOs.
First Steps with Globus Compute Multi-User EndpointsGlobus
In this presentation we will share our experiences around getting started with the Globus Compute multi-user endpoint. Working with the Pharmacology group at the University of Auckland, we have previously written an application using Globus Compute that can offload computationally expensive steps in the researcher's workflows, which they wish to manage from their familiar Windows environments, onto the NeSI (New Zealand eScience Infrastructure) cluster. Some of the challenges we have encountered were that each researcher had to set up and manage their own single-user globus compute endpoint and that the workloads had varying resource requirements (CPUs, memory and wall time) between different runs. We hope that the multi-user endpoint will help to address these challenges and share an update on our progress here.
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I ...Juraj Vysvader
In 2015, I used to write extensions for Joomla, WordPress, phpBB3, etc and I didn't get rich from it but it did have 63K downloads (powered possible tens of thousands of websites).
Unleash Unlimited Potential with One-Time Purchase
BoxLang is more than just a language; it's a community. By choosing a Visionary License, you're not just investing in your success, you're actively contributing to the ongoing development and support of BoxLang.
Strategies for Successful Data Migration Tools.pptxvarshanayak241
Data migration is a complex but essential task for organizations aiming to modernize their IT infrastructure and leverage new technologies. By understanding common challenges and implementing these strategies, businesses can achieve a successful migration with minimal disruption. Data Migration Tool like Ask On Data play a pivotal role in this journey, offering features that streamline the process, ensure data integrity, and maintain security. With the right approach and tools, organizations can turn the challenge of data migration into an opportunity for growth and innovation.
Accelerate Enterprise Software Engineering with PlatformlessWSO2
Key takeaways:
Challenges of building platforms and the benefits of platformless.
Key principles of platformless, including API-first, cloud-native middleware, platform engineering, and developer experience.
How Choreo enables the platformless experience.
How key concepts like application architecture, domain-driven design, zero trust, and cell-based architecture are inherently a part of Choreo.
Demo of an end-to-end app built and deployed on Choreo.
Globus Compute wth IRI Workflows - GlobusWorld 2024Globus
As part of the DOE Integrated Research Infrastructure (IRI) program, NERSC at Lawrence Berkeley National Lab and ALCF at Argonne National Lab are working closely with General Atomics on accelerating the computing requirements of the DIII-D experiment. As part of the work the team is investigating ways to speedup the time to solution for many different parts of the DIII-D workflow including how they run jobs on HPC systems. One of these routes is looking at Globus Compute as a way to replace the current method for managing tasks and we describe a brief proof of concept showing how Globus Compute could help to schedule jobs and be a tool to connect compute at different facilities.
A Comprehensive Look at Generative AI in Retail App Testing.pdfkalichargn70th171
Traditional software testing methods are being challenged in retail, where customer expectations and technological advancements continually shape the landscape. Enter generative AI—a transformative subset of artificial intelligence technologies poised to revolutionize software testing.
SOCRadar Research Team: Latest Activities of IntelBrokerSOCRadar
The European Union Agency for Law Enforcement Cooperation (Europol) has suffered an alleged data breach after a notorious threat actor claimed to have exfiltrated data from its systems. Infamous data leaker IntelBroker posted on the even more infamous BreachForums hacking forum, saying that Europol suffered a data breach this month.
The alleged breach affected Europol agencies CCSE, EC3, Europol Platform for Experts, Law Enforcement Forum, and SIRIUS. Infiltration of these entities can disrupt ongoing investigations and compromise sensitive intelligence shared among international law enforcement agencies.
However, this is neither the first nor the last activity of IntekBroker. We have compiled for you what happened in the last few days. To track such hacker activities on dark web sources like hacker forums, private Telegram channels, and other hidden platforms where cyber threats often originate, you can check SOCRadar’s Dark Web News.
Stay Informed on Threat Actors’ Activity on the Dark Web with SOCRadar!
Code reviews are vital for ensuring good code quality. They serve as one of our last lines of defense against bugs and subpar code reaching production.
Yet, they often turn into annoying tasks riddled with frustration, hostility, unclear feedback and lack of standards. How can we improve this crucial process?
In this session we will cover:
- The Art of Effective Code Reviews
- Streamlining the Review Process
- Elevating Reviews with Automated Tools
By the end of this presentation, you'll have the knowledge on how to organize and improve your code review proces
Gamify Your Mind; The Secret Sauce to Delivering Success, Continuously Improv...Shahin Sheidaei
Games are powerful teaching tools, fostering hands-on engagement and fun. But they require careful consideration to succeed. Join me to explore factors in running and selecting games, ensuring they serve as effective teaching tools. Learn to maintain focus on learning objectives while playing, and how to measure the ROI of gaming in education. Discover strategies for pitching gaming to leadership. This session offers insights, tips, and examples for coaches, team leads, and enterprise leaders seeking to teach from simple to complex concepts.
Exploring Innovations in Data Repository Solutions - Insights from the U.S. G...Globus
The U.S. Geological Survey (USGS) has made substantial investments in meeting evolving scientific, technical, and policy driven demands on storing, managing, and delivering data. As these demands continue to grow in complexity and scale, the USGS must continue to explore innovative solutions to improve its management, curation, sharing, delivering, and preservation approaches for large-scale research data. Supporting these needs, the USGS has partnered with the University of Chicago-Globus to research and develop advanced repository components and workflows leveraging its current investment in Globus. The primary outcome of this partnership includes the development of a prototype enterprise repository, driven by USGS Data Release requirements, through exploration and implementation of the entire suite of the Globus platform offerings, including Globus Flow, Globus Auth, Globus Transfer, and Globus Search. This presentation will provide insights into this research partnership, introduce the unique requirements and challenges being addressed and provide relevant project progress.
Experience our free, in-depth three-part Tendenci Platform Corporate Membership Management workshop series! In Session 1 on May 14th, 2024, we began with an Introduction and Setup, mastering the configuration of your Corporate Membership Module settings to establish membership types, applications, and more. Then, on May 16th, 2024, in Session 2, we focused on binding individual members to a Corporate Membership and Corporate Reps, teaching you how to add individual members and assign Corporate Representatives to manage dues, renewals, and associated members. Finally, on May 28th, 2024, in Session 3, we covered questions and concerns, addressing any queries or issues you may have.
For more Tendenci AMS events, check out www.tendenci.com/events
Enhancing Research Orchestration Capabilities at ORNL.pdfGlobus
Cross-facility research orchestration comes with ever-changing constraints regarding the availability and suitability of various compute and data resources. In short, a flexible data and processing fabric is needed to enable the dynamic redirection of data and compute tasks throughout the lifecycle of an experiment. In this talk, we illustrate how we easily leveraged Globus services to instrument the ACE research testbed at the Oak Ridge Leadership Computing Facility with flexible data and task orchestration capabilities.
Cyaniclab : Software Development Agency Portfolio.pdfCyanic lab
CyanicLab, an offshore custom software development company based in Sweden,India, Finland, is your go-to partner for startup development and innovative web design solutions. Our expert team specializes in crafting cutting-edge software tailored to meet the unique needs of startups and established enterprises alike. From conceptualization to execution, we offer comprehensive services including web and mobile app development, UI/UX design, and ongoing software maintenance. Ready to elevate your business? Contact CyanicLab today and let us propel your vision to success with our top-notch IT solutions.
How Recreation Management Software Can Streamline Your Operations.pptxwottaspaceseo
Recreation management software streamlines operations by automating key tasks such as scheduling, registration, and payment processing, reducing manual workload and errors. It provides centralized management of facilities, classes, and events, ensuring efficient resource allocation and facility usage. The software offers user-friendly online portals for easy access to bookings and program information, enhancing customer experience. Real-time reporting and data analytics deliver insights into attendance and preferences, aiding in strategic decision-making. Additionally, effective communication tools keep participants and staff informed with timely updates. Overall, recreation management software enhances efficiency, improves service delivery, and boosts customer satisfaction.
Developing Distributed High-performance Computing Capabilities of an Open Sci...Globus
COVID-19 had an unprecedented impact on scientific collaboration. The pandemic and its broad response from the scientific community has forged new relationships among public health practitioners, mathematical modelers, and scientific computing specialists, while revealing critical gaps in exploiting advanced computing systems to support urgent decision making. Informed by our team’s work in applying high-performance computing in support of public health decision makers during the COVID-19 pandemic, we present how Globus technologies are enabling the development of an open science platform for robust epidemic analysis, with the goal of collaborative, secure, distributed, on-demand, and fast time-to-solution analyses to support public health.
Quarkus Hidden and Forbidden ExtensionsMax Andersen
Quarkus has a vast extension ecosystem and is known for its subsonic and subatomic feature set. Some of these features are not as well known, and some extensions are less talked about, but that does not make them less interesting - quite the opposite.
Come join this talk to see some tips and tricks for using Quarkus and some of the lesser known features, extensions and development techniques.
How to Position Your Globus Data Portal for Success Ten Good PracticesGlobus
Science gateways allow science and engineering communities to access shared data, software, computing services, and instruments. Science gateways have gained a lot of traction in the last twenty years, as evidenced by projects such as the Science Gateways Community Institute (SGCI) and the Center of Excellence on Science Gateways (SGX3) in the US, The Australian Research Data Commons (ARDC) and its platforms in Australia, and the projects around Virtual Research Environments in Europe. A few mature frameworks have evolved with their different strengths and foci and have been taken up by a larger community such as the Globus Data Portal, Hubzero, Tapis, and Galaxy. However, even when gateways are built on successful frameworks, they continue to face the challenges of ongoing maintenance costs and how to meet the ever-expanding needs of the community they serve with enhanced features. It is not uncommon that gateways with compelling use cases are nonetheless unable to get past the prototype phase and become a full production service, or if they do, they don't survive more than a couple of years. While there is no guaranteed pathway to success, it seems likely that for any gateway there is a need for a strong community and/or solid funding streams to create and sustain its success. With over twenty years of examples to draw from, this presentation goes into detail for ten factors common to successful and enduring gateways that effectively serve as best practices for any new or developing gateway.
How to Position Your Globus Data Portal for Success Ten Good Practices
2008-11-13 CAVMEN RHEL for System z Deep Dive
1. 1
Red Hat Deep Dive SessionsRed Hat Deep Dive Sessions
Linux on System zLinux on System z
Shawn Wells (swells@redhat.com)
W/W Lead Architect, Linux on System z
Team Lead, System z SMEs
5. 5
Linux on System z Development
Community
Development with “upstream” communities
Kernel, glibc, etc
Collaboration with partners, IBM,
open source contributors
6. 6
Linux on System z Development
Fedora
Bleeding Edge
Sets direction for RHEL
technologies
Community Supported
Released ~6mo cycles
Fedora 8,9,10 = RHEL6
Fedora 8; http://fedoraproject.org/wiki/Releases/8/FeatureList
Fedora 9; http://fedoraproject.org/wiki/Releases/9/FeatureList
Fedora 10; http://fedoraproject.org/wiki/Releases/10/FeatureList
7. 7
Linux on System z Development
Red Hat Enterprise Linux
Stable, mature, commercial product
Extensive Q&A, performance testing
Hardware & Software Certifications
7yr maintenance
Core ABI compatibility
guarantee
Major releases 2-3yr cycle
8. 8
Support Cycle
Extended Product Lifecycle
Years 1 - 4 Yr 6,7Yr 5
Production 1
Production 2
Production 3
Security Patches
Bug Fixes
Hardware Enablement
Software Enhancements
X
X
X
Full
X
X
Partial
X
X
None
9. 9
Linux on System z Subscriptions
Product Source & Binaries
Upgrades to New Versions
Stable Application Interfaces
Hardware & Application Certifications
Security, Bug Fixes
Regular H/W & S/W Updates
Web Support. 2 Day SLABASIC
Phone/Web
1-4 Business Hour SLA
STANDARD
24x7 Phone/Web
1 Hour SLAs
PREMIUMS
U
P
P
O
R
T
Red Hat Enterprise Linux
Subscription
No Upgrade Costs
No Client Access Fee
Unlimited Support
Incidents
For System z:
Priced Per IFL
Unlimited VMs per IFL
Customers can consolidate
subscriptions to or from other
platforms
10. 10
Linux on System z Support
Support via Red Hat
T
E
C
H
A
C
C
N
T
M
G
R
S
Level 1: Front Line Support
Known Issues, Initial Troubleshooting,
Everyone is minimum RHCE
Level 2: Advanced Support
Reproduce Problems,
Grouped via Skillsets
Level 3: Special Engineering
Custom Patches, Code Re-writes,
Interim Patches, Application Redesign
C
O
N
S
U
L
T
A
N
T
S
11. 11
Linux on System z Support
Support via Red Hat
T
E
C
H
A
C
C
N
T
M
G
R
S
Level 1: Front Line Support
Known Issues, Initial Troubleshooting,
Everyone is minimum RHCE
Level 2: Advanced Support
Reproduce Problems,
Grouped via Skillsets
Level 3: Special Engineering
Custom Patches, Code Re-writes,
Interim Patches, Application Redesign
C
O
N
S
U
L
T
A
N
T
S
Support via IBM
Level 1: First Responders
Basic Support
Level 2: Advanced Support
Reproduce Problems,
Category Specialists
P
A
R
T
N
E
R
T
A
M
15. 15
RHEL Now: RHEL 5.2
Support for z10
Dynamic CHPID reconfiguration
Improved “ssh -X” with VPN during installation process
Better network performance with skb scatter-gather support
Implementation of SCSI dump infrastructure
16. 16
RHEL Now: RHEL 5.2
Accelerated inkernel Crypto
Support for crypto algorithms of z10
SHA-512, SHA-384, AES-192, AES-256
Two OSA ports per CHPID; Four port exploitation
Exploit next OSA adapter generation which offers two ports within one CHPID. The
additional port number 1 can be specified with the qeth sysfs-attribute “portno”
Support is available only for OSA-Express3 GbE SX and LX on z10, running in LPAR
or z/VM guest (PFT for z/VM APAR VM64277 required!)
17. 17
RHEL Now: RHEL 5.2
Large Page Support
This adds hugetblfs support on System z, using both hardware large page support if
available, and software large page emulation (with shared hugetblfs pagetables) on
older hardware
skb scatter-gather support for large incoming messages
This avoids allocating big chunks of consecutive memory and should increase
networking throughput in some situations for large incoming packets
Full Release Notes At: redhat.com
http://www.redhat.com/docs/en-
US/Red_Hat_Enterprise_Linux/5.2/html/Release_Notes/s390x/index.html
18. 18
RHEL Now: RHEL 5.2
Lightweight userspace priority inheritance (PI) support for futexes, useful for
realtime applications (2.6.18)
Assists priority inversion handling. Ref: http://lwn.net/Articles/178253/
High resolution timers (2.6.16)
Provide fine resolution and accuracy depending on system configuration and
capabilities - used for precise in-kernel timing
New Pipe implementation (2.6.11)
30-90% perf improvement in pipe bandwidth
Circular buffer allow more buffering rather than blocking writers
"Big Kernel Semaphore": Turns the Big Kernel Lock into a semaphore
Latency reduction, by breaking up long lock hold times and adds voluntary
preemption
19. 19
RHEL Now: RHEL 5.2
Process Events Connector (2.6.15)
Reports fork, exec, id change, and exit events for all processes to userspace
Useful for accounting/auditing (e.g. ELSA), system activity monitoring,
security, and resource management
kexec & kdump (2.6.13)
Provide new crash-dumping capability with reserved, memory-resident kernel
Extended device mapper multipath support
Address space randomization:
Address randomization of multiple entities – including stack & mmap() region
(used by shared libraries) (2.6.12; more complete implementation than in
RHEL4)
Greatly complicates and slows down hacker attacks
Audit subsytem
Support for process-context based filtering (2.6.17)
More filter rule comparators (2.6.17)
20. 20
RHEL Now: RHEL 5.2
Add nf_conntrack subsystem: (2.6.15)
Common IPv4/IPv6 generic connection tracking subsystem
Allows IPv6 to have a stateful firewall capability (not previously possible)
Increased security
Enables analysis of whole streams of packets, rather than only checking
the headers of individual packets
SELinux per-packet access controls
Replaces old packet controls
Add Secmark support to core networking
Allows security subsystems to place security markings on network
packets (2.6.18)
21. 21
RHEL Tomorrow: RHEL 5.3
Currently in beta
Interested in being a beta tester?
NSS
CPU Affinity
ETR Support
Device-multipath support for xDR
RHT BugZilla: 184770
IBM LTC 18425-62140
22. 22
RHEL Tomorrow: Fedora
Fedora is Red Hat's bleeding edge, an incubator for new
technologies and features
Fedora sets our direction for Red Hat Enterprise Linux, and gives you a good
idea of what will be in our next RHEL release (... and in other Linux distros, too)
Fedora 8; http://fedoraproject.org/wiki/Releases/8/FeatureList
Fedora 9; http://fedoraproject.org/wiki/Releases/9/FeatureList
Fedora 10; http://fedoraproject.org/wiki/Releases/10/FeatureList
Fedora 8,9,10 = RHEL6
23. 23
RHEL Tomorrow: “In Place” Upgrade
Currently a beta feature in RHEL 5.3
“In Place” Upgrades: preupgrade
Will download files needed to upgrade,
Store them locally on disk
Reboot you into the installer
Not a true inplace upgrade (yet)!
Benefit
The longest part of an install is when packages are
downloaded to the local machine
PreUpgrade downloads and stores packages locally,
while the machine is running/in production
Reboot directly into the installer
28. 28
RHEL Tomorrow: gnome-control-center
gnomecontrolcenter
It is not YaST (yet)
It is a unified GUI for package management and system configuration
Benefit
Progress towards a YaST-like tool in RHEL (currently we have the
systemconfig* GUIs/TUIs)
29. 29
RHEL Tomorrow: PackageKit
PackageKit
Abstraction layer for YUM, apt, conary, etc
Provides a common set of abstractions that can be used by GUI/TUI
package managers
rpm dpkg ipkg
30. 30
RHEL Tomorrow: PackageKit
PackageKit
Abstraction layer for YUM, apt, conary, etc
Provides a common set of abstractions that can be used by GUI/TUI
package managers
PackageKit
rpm dpkg ipkg
31. 31
RHEL Tomorrow: PackageKit
PackageKit
Abstraction layer for YUM, apt, conary, etc
Provides a common set of abstractions that can be used by GUI/TUI
package managers
PackageKit
YaST RHN
rpm dpkg ipkg
49. 49
Linux Access Control Problems
Access is based off users' access
Example: Firefox can read SSH keys
Fundamental Problem: Security properties not specific
enough. Kernel can't distinguish applications from users.
# ps -x | grep firefox
shawn 21375 1 35 11:38 ? 00:00:01 firefox-bin
# ls -l id_rsa
-rw------- 1 shawn shawn 1743 2008-08-10 id_rsa
50. 50
Linux Access Control Problems
2) Processes can change security properties
Example: Mail files are readable only by me..... but
Thunderbird could make them world readable
Fundamental Problems:
Standard access control is discretionary
Includes concept of “resource ownership”
Processes can escape security policy
51. 51
Linux Access Control Problems
3) Only two privilege levels: User & root
Example: Apache gets hacked, allowing remote access to
root. Entire system is compromised.
Fundamental Problems:
Simplistic security policy
No way to enforce least-privilege
52. 52
SELinux: Building Security Openly
NSA Develops
SELinux
Integrated into
Linux Kernel
Integrated into
Open Source
Project
Enabled By
DEFAULT In RHEL
Customers, NSA, Community, and
Red Hat continue evolution
53. 53
Red Hat Security Certifications
NIAP/Common Criteria: The most evaluated operating system platform
● Red Hat Enterprise Linux 2.1 – EAL 2 (Completed: February 2004)
● Red Hat Enterprise Linux 3 EAL 3+/CAPP (Completed: August 2004)
● Red Hat Enterprise Linux 4 EAL 4+/CAPP (Completed: February 2006)
● Red Hat Enterprise Linux 5 EAL4+/CAPP/LSPP/RBAC (Completed: June 2007)
DII-COE
● Red Hat Enterprise Linux 3 (Self-Certification Completed: October 2004)
● Red Hat Enterprise Linux: First Linux platform certified by DISA
DCID 6/3
● Currently PL3/PL4: ask about kickstarts.
● Often a component in PL5 systems
DISA SRRs / STIGs
● Ask about kickstarts.
FIPS 140-2
● Red Hat / NSS Cryptography Libraries certified Level 2
54. 54
Security Standards Work
Extensible Configuration Checklist Description Format (XCCDF)
Enumeration for configuration requirements
DISA FSO committed to deploying STIG as XCCDF
Others working with NIST
Security policy becomes one file
Open Vulnerability & Assessment Language (OVAL)
Machine-readable versions of security advisories
Common Vulnerability and Exposures (CVE) Compatibility
Trace a vulnerability through multiple vendors
56. 56
Linux Access Control Introduction
Linux access control involves the kernel controling
Processes (running programs), which try to access...
Resources (files, directories, sockets, etc)
For example:
Apache (process) can read web files
But not the /etc/shadow file (resource)
Traditional methods do not clearly separate the privileges of
users and applications acting on the users behalf, increasing
the damage that can be caused by application exploits.
So, how should these decisions be made?
57. 57
Security Architecture
Every subject (i.e process) and object (i.e. data files) are
assigned collections of security attributes, called a
security context
1) Security context of subject & object passed to SELinux
2) Kernel/SELinux check, verify access
2a) Grant access. Record allowance in AVC (Access Vector
Cache)
2b) Deny access, log error
63. 63
SELinux Policy
● Policies are matrices of statements which tell
SELinux if certain actions are allowed based on the
context of the objects attempting those actions.
● There are three SELinux Policy Types
64. 64
The Three SELinux Policy Types
Targeted Policy
Default policy in RHEL5. Supported by HelpDesk.
Targets specific applications to lock down.
Allows all other applications to run in the unconfined
domain (unconfined_t)
Applications running in the unconfined domain run as
if SELinux were disabled
65. 65
The Three SELinux Policy Types
2) Strict Policy
Denies access to everything by default
Complete protection for all processes on the system
Requires that policies be written for all applications,
often requires customization
Strict is type enforcement with added types for users
(e.g. user_t and user_firefox_t).
Not enabled by Red Hat as default
66. 66
The Three SELinux Policy Types
3) Multi-Level Security (MLS)
Focuses on confidentiality (i.e. separation of multiple
classifications of data)
Ability to manage {processes, users} with varying
levels of access. (i.e. “the need to know”)
Uses category & sensitivity levels
67. 67
The Three SELinux Policy Types
3) Multi-Level Security (MLS)
(a) Sensitivity Labels
Mostly used by the government – Top Secret, Secret,
Unclassified, etc
s0 Unclassified
s1 Secret
s2 Top Secret
68. 68
The Three SELinux Policy Types
3) Multi-Level Security (MLS)
(b) Category Labels
Separation of data types, compartments, projects,
etc
Unclassified Secret Top Secret
Project A
Project B
Alpha
Bravo
Charlie
Delta
s0 s1 s1
c0
c1
c2
c3
c0
c1
69. 69
The Three SELinux Policy Types
3) Multi-Level Security (MLS)
(b) Polyinstantiation & pam_namespace
The pam_namespace PAM module sets up a private
namespace for a session with polyinstantiated
directories
A polyinstantiated directory provides a different
instance of itself based on user name, or when using
SELinux, user name, security context or both
70. 70
The Three SELinux Policy Types
3) Multi-Level Security (MLS)
(b) Polyinstantiation & pam_namespace
# id Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s0:c0
# ls l /data
secretfile1
secretfile 2
# id Z
staff_u:WebServer_Admin_r:WebServer_Admin_t:s1:c0
# ls l /data
secretfile1
secretfile 2
topsecretfile1
71. 71
The Three SELinux Policy Types
Multi-Level Security (MLS) & Common Criteria
The Common Criteria (CC) is an international
security standard against which systems are
evaluated. Many government customers require CC
evaluated systems.
Red Hat Enterprise Linux 5 meets EAL4+ with
RBAC/LSPP/CAPP endorcements
84. 84
System Administrator Perspective
● semanage
Configure elements of SELinux policy without
modification/recompilation of policy sources
. . . . aka on the fly
Example: Dynamically Allowing Apache to listen on
port 1234
# semanage port a t httpd_port_t p tcp 1234
85. 85
System Administrator Perspective
● semanage (more examples)
Example: Allow shawn to join “webadmin_u” group
# semanage login a s webadmin_u shawn
Example: Relabel files for access by Apache
# semanage fcontext a t
httpd_sys_content_t "/data/webpages(/.*)?"
86. 86
System Administrator Perspective
● semanage (most important example)
You don't need to disable SELinux to fix a single error!
type=SYSCALL msg=audit(1204719775.306:738): arch=40000003 syscall=54
success=no exit=19 a0=4 a1=8933 a2=bfcec1bc a3=bfcec1bc items=0
ppid=3900 pid=5003 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0 fsgid=0 tty=(none) comm="ip" exe="/sbin/ip"
subj=user_u:system_r:ifconfig_t:s0 key=(null)
The Fix:
# semanage permissive a ifconfig_t
87. 87
System Administrator Perspective
● audit2allow
Allows generation of SELinux policy rules from
logs of denied operations
Example: Fix all the errors on the system (completely not a
good idea on a real system)
# cat /var/log/audit/audit.log | audit2allow M FixAll
Generating type enforcment file: FixAll.te
Compiling policy: checkmodule M m o FixAll.mod FixAll.te
Building package: semodule_package o FixAll.pp m FixAll.mod
# semodule i FixAll.pp
89. 89
Scenario: Fixing the RHT corporate
VPN “update”
● Red Hat has a Corporate Standard Build (CSB) for
desktop environments
● Red Hat pushes updates to said CSB
● I “tweak” my configuration files
● When RHT pushed a CSB update, it broke my VPN
settings