This document summarizes a presentation about CentOS 8 and alternatives to Docker like Podman and Buildah. It discusses what CentOS is, key changes in CentOS 8 like using DNF and Python 3.6 by default. It also covers how long support lasts for CentOS 6, 7, and 8. Alternatives to Docker like Podman and Buildah are presented as being more secure since they don't require running a daemon process as root. Demo videos are linked showing how to install Podman and pull a Docker image. Risks of upgrading from CentOS 7 to 8 are discussed.
This talk will cover the problems currently with why applications are not being sandboxed to lessen the attack surface. Mostly this is based upon the existing tools being not user friendly and requiring a low level knowledge of syscalls that is hard to find in application developers.
Seccomp is one of these tools. It defines syscall filters that allow an application to define what syscalls it allows or denies. It is commonly used in the highly-regarded Chrome sandbox.
Integrating things like seccomp filters into programming languages at build time could allow for creating a perfect set of filters based off the application code. In practice, some try to mock this behavior at runtime but it often fails due to certain functions not being called during testing and missing specific syscalls. Therefore causing the user to turn it off completely. By integrating it into the code at build time we can ensure that all the syscalls are accounted for.
This talk will also show a proof of concept with this in Golang.
This talk will cover the problems currently with why applications are not being sandboxed to lessen the attack surface. Mostly this is based upon the existing tools being not user friendly and requiring a low level knowledge of syscalls that is hard to find in application developers.
Seccomp is one of these tools. It defines syscall filters that allow an application to define what syscalls it allows or denies. It is commonly used in the highly-regarded Chrome sandbox.
Integrating things like seccomp filters into programming languages at build time could allow for creating a perfect set of filters based off the application code. In practice, some try to mock this behavior at runtime but it often fails due to certain functions not being called during testing and missing specific syscalls. Therefore causing the user to turn it off completely. By integrating it into the code at build time we can ensure that all the syscalls are accounted for.
This talk will also show a proof of concept with this in Golang.
The containers and particularly Docker have been one of the buzzwords of the last years, but do they offer what they promise?
In this talk will see a basic Docker 101 introduction and then will see how we can take advantages of all its features for developing and deploying our Grails applications.
Buildout: creating and deploying repeatable applications in pythonCodeSyntax
We use buildout to deploy and create our python applications based on Plone or django.
This presentation explains the source of our work, the past and how and why we use buildout.
This presentation was used at PySS 14 conference in Donostia - San Sebastian
The containers and particularly Docker have been one of the buzzwords of the last years, but do they offer what they promise?
In this talk will see a basic Docker 101 introduction and then will see how we can take advantages of all its features for developing and deploying our Grails applications.
Buildout: creating and deploying repeatable applications in pythonCodeSyntax
We use buildout to deploy and create our python applications based on Plone or django.
This presentation explains the source of our work, the past and how and why we use buildout.
This presentation was used at PySS 14 conference in Donostia - San Sebastian
Remix of two other open source presentations along with my own content, 40 slides set to play at 20 seconds auto-timed (similar to Pecha-Kucha style timing). This was delivered via Caribbean Tech Dev forum's monthly Google Hangout in November 2015, and video can be viewed at https://www.youtube.com/watch?v=xANrsSin_-0
Docker is the Open Source container engine. It lets you author, run, and manage software containers. Escape from dependency hell, and make deployment a breeze! This presentation includes the standard Docker intro (actualized for Docker 0.11) as well as some insights about how to perform orchestration and multi-host container linking.
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Codemotion
In less than two years Docker went from first line of code to major Open Source project with contributions from all the big names in IT. Everyone is excited, but what's in for me - as a Dev or Ops? In short, Docker makes creating Development, Test and even Production environments an order of magnitude simpler, faster and completely portable across both local and cloud infrastructure. We will start from Docker main concepts: how to create a Linux Container from base images, run your application in it, and version your runtimes as you would with source code, and finish with a concrete example.
Docker and Containers for Development and Deployment — SCALE12XJérôme Petazzoni
Docker is an Open Source engine to build, run, and manage containers. We'll explain what are Linux Containers, what powers them (under the hood), and what extra value Docker brings to the table. Then we'll see what the typical Docker workflow looks like from a developer point of view. We'll also give an Ops perspective, including deployment options. If you already saw a "Docker 101", consider this presentation as the February 2014 update! :-)
Linux Security and How Web Browser Sandboxes Really Work (NDC Oslo 2017)Patricia Aas
The Linux Security and Isolation APIs have become the basis of some of the most useful features server-side, providing the isolation required for efficient containers.
However, these APIs also form the basis of the Chromium Sandbox on Linux, and we will study them in that context. This is the sandbox used in the Vivaldi, Brave, Chrome and Opera browsers among others. The Chromium Sandbox has a very platform specific implementation, using the platform APIs available to construct it. In this talk we will describe the requirements of the Chromium Sandbox in detail and go through how the Linux implementation fulfills these requirements.
Central Iowa Linux Users Group: August 2020 Jupyter LabAndrew Denner
Setting up Jupyter Lab, virtual env and other Linux fun
Video at: https://youtu.be/3_r0LqzMAD8
Version control at: https://gitlab.com/denner1/cialug-august-2020-jupyter-lab
July 18, 2018 Central Iowa Linux User's Group: Tor onion servicesAndrew Denner
Or How I learned to stop worrying about my ip address and love the tor
Download link: https://www.evernote.com/shard/s84/sh/c12a4017-fa1f-4acd-a5da-0ba7fe9a4999/1f5d5977939c24b7
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBrad Spiegel Macon GA
Brad Spiegel Macon GA’s journey exemplifies the profound impact that one individual can have on their community. Through his unwavering dedication to digital inclusion, he’s not only bridging the gap in Macon but also setting an example for others to follow.
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC
Ellisha Heppner, Grant Management Lead, presented an update on APNIC Foundation to the PNG DNS Forum held from 6 to 10 May, 2024 in Port Moresby, Papua New Guinea.
# Internet Security: Safeguarding Your Digital World
In the contemporary digital age, the internet is a cornerstone of our daily lives. It connects us to vast amounts of information, provides platforms for communication, enables commerce, and offers endless entertainment. However, with these conveniences come significant security challenges. Internet security is essential to protect our digital identities, sensitive data, and overall online experience. This comprehensive guide explores the multifaceted world of internet security, providing insights into its importance, common threats, and effective strategies to safeguard your digital world.
## Understanding Internet Security
Internet security encompasses the measures and protocols used to protect information, devices, and networks from unauthorized access, attacks, and damage. It involves a wide range of practices designed to safeguard data confidentiality, integrity, and availability. Effective internet security is crucial for individuals, businesses, and governments alike, as cyber threats continue to evolve in complexity and scale.
### Key Components of Internet Security
1. **Confidentiality**: Ensuring that information is accessible only to those authorized to access it.
2. **Integrity**: Protecting information from being altered or tampered with by unauthorized parties.
3. **Availability**: Ensuring that authorized users have reliable access to information and resources when needed.
## Common Internet Security Threats
Cyber threats are numerous and constantly evolving. Understanding these threats is the first step in protecting against them. Some of the most common internet security threats include:
### Malware
Malware, or malicious software, is designed to harm, exploit, or otherwise compromise a device, network, or service. Common types of malware include:
- **Viruses**: Programs that attach themselves to legitimate software and replicate, spreading to other programs and files.
- **Worms**: Standalone malware that replicates itself to spread to other computers.
- **Trojan Horses**: Malicious software disguised as legitimate software.
- **Ransomware**: Malware that encrypts a user's files and demands a ransom for the decryption key.
- **Spyware**: Software that secretly monitors and collects user information.
### Phishing
Phishing is a social engineering attack that aims to steal sensitive information such as usernames, passwords, and credit card details. Attackers often masquerade as trusted entities in email or other communication channels, tricking victims into providing their information.
### Man-in-the-Middle (MitM) Attacks
MitM attacks occur when an attacker intercepts and potentially alters communication between two parties without their knowledge. This can lead to the unauthorized acquisition of sensitive information.
### Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesSanjeev Rampal
Talk presented at Kubernetes Community Day, New York, May 2024.
Technical summary of Multi-Cluster Kubernetes Networking architectures with focus on 4 key topics.
1) Key patterns for Multi-cluster architectures
2) Architectural comparison of several OSS/ CNCF projects to address these patterns
3) Evolution trends for the APIs of these projects
4) Some design recommendations & guidelines for adopting/ deploying these solutions.
This 7-second Brain Wave Ritual Attracts Money To You.!nirahealhty
Discover the power of a simple 7-second brain wave ritual that can attract wealth and abundance into your life. By tapping into specific brain frequencies, this technique helps you manifest financial success effortlessly. Ready to transform your financial future? Try this powerful ritual and start attracting money today!
Central Iowa Linux Users Group October Meeting: Centos 8
1.
2. WELCOME TO
CIALUG
Hello to those on the
livestream
We are trying to record this as
well…
How is it going?
Thoughts/Feedback, future
topics? Let me know
https://cialug.org is our
website
Listserve
Slack/IRC
3. ABOUT ME
Insert witty comment here
By day a slinger of code, by
night I still do computer
things
My actions are my own not
those of my employer…
I have a website!!
http://denner.co
Twitter @adenner
5. LINUX NEWS (A BRIEF OVERVIEW)
Python 3.8 released Includes assignment operator… so much drama! Positional only argument and
vector call mechanism
Pypy 7.2 released arm64 bit support, python 3.6 no longer beta, 3.7 is next CFFI backend new, new json
decoder
Security updates
RMS and GNU… more drama
Tensor Flow v2.0 API breaking changes and the keras api support
New verson of RPM (4.15.0 is out) faster parallel builds new if statements in spec builds
Librem 5 phone… fully free GNU/linux phone
Sudo Security bug (see next page)
6. SU-DOH (CVE-2019-14287)
Requires non standard config
i.e sudoers file (allow bob to run program as any user except root):
Mybox bob = (all !root) /usr/bin/vi
Bob can then run command
Sudo –u #-1 vi
7. CENTOS 8 IS FINALLY HERE
THE SEARCH FOR CENTOS 9 BEGINS
ANDREW DENNER
CIALUG OCTOBER 16, 2019
8. WHAT THE @*** IS CENTOS?
“CentOS is a Linux distribution that provides a free, community-supported computing platform
functionally compatible with its upstream source, Red Hat Enterprise Linux.” –Wikipedia answer!
It’s not “Redhat” or at least legally…
But is sponsored by redhat? And governed by them?
So that makes it more “free” (at least as in beer)
No support
Is always playing catchup
No certs, but redhat
9. HOW LONG DO I
HAVE?
Centos 6 EOL is 30 Nov 2020
Centos 7 EOL is 30 June 2024
Centos 8 EOL is 31 May 2029
10. WHAT’S NEXT?
CENTOS STREAM
Latest and greatest of
everything, with updates several
time a day
Don’t use for production!!
Think of it as a “after Fredora
but before RHEL” linux
Old school Centos is not going
anywhere
11. WHAT
CHANGED
Linux Kernel 4.18
Yum is now based on DNF
Git 2.18 as well as Mercurial 4.8 and Subversion 1.10
Python 3.6 is now default, but not auto installed (you still can use
python 2.7 but really?)
Node.js 10.01 PHP 7.2 Ruby 5.26 and SWIG 3.0
GCC 8.2 now with newer C++ language standards, optimizations
warnings and hardware support
MariaDB 10.3, MySQL8 Postgres 10 and Redis 5, Apache 2.4 and
nginx 1.14
Gnome 3.28 and Wayland (you still can use x.org if you need/want)
Networking: nftables replaced iptables as well as firewalld daemon
is using it as it’s backend.
No Docker (see next slide)
12. THE END OF DOCKER? (PODMAN AND
BUILDAH)
With docker there is a daemon process that runs as root (ignore
rootless for now) responsible for everything
Single point of failure
Single owner of all child processes leading to orphans on failure
Security issues as well (has to run everything as root authority)
Podman simply directly interacts with image registry and storage
Linux kernel interactions via runC container runtime process (no
daemon)
Good news is it is drop in compatible with docker (they claim can
just run alias docker=podman)
13.
14. PODMAN CONT.
Added convience --all for rm and rmi
Non root abilities (like rootless
docker)
By default stores images and containers in home
directory ~/.local/share/containers
Local image repo is /var/lib/containers (new OCI standard)
Images are compatible OCI (you can use quay.io, dockerhub, gitlab etc
Registries are setup in registries.conf by default docker hub first
It makes move to K8 easier “podman generate kub”
15. BUILDAH
Podman build does work, but buidlah is more powerful
Can use bash scripts to build images, like how write docker file
Fine grain image control of layers
Out of scope to dive too deeply, this is another month’s presentation
18. HOW DO I UPGRADE FROM CENTOS 7?
Official answer is you don’t!
Why? Apparently no one cares enough to work on it (or is willing to put enough time into it)
Redhat does support some migrations, i.e. using the Leapp app, but this is not supported for centos, and
apparently almost no one cares… https://bugs.centos.org/view.php?id=16116
That said, why not ¯_(ツ)_/¯ Notes from one man’s journey is at https://cromwell-intl.com/open-
source/rhel-centos-5-6-7-8/
Standard disclaimer “Don’t do this on a machine you haven’t backed up, care about, or is in production!”
line = f.readline()
while line:
... # process line
line = f.readline()
while line := f.readline():
Linux kernel 4.18 is an older kernel but we are all about stability
DNF=Dandified Yum… still same command line interfae but should be faster
Docker daemon needed to push and pull images
Make local copies of images and add layers
Commit containers and remove images from host
Ask kernel to run containers with right namespace/cgroup
See https://opensource.com/article/19/2/how-does-rootless-podman-work