Open-source News

My journey with Kubernetes

opensource.com - Fri, 08/19/2022 - 15:00
Mike Dame - Fri, 08/19/2022 - 03:00

Recently, I published my first book, The Kubernetes Operator Framework Book from Packt Publishing. Writing a book has always been a personal goal of mine, and so it seems fitting that I was able to check that off by writing about one of my favorite topics: Kubernetes.

My journey with Kubernetes began in 2016, as a software engineer for Red Hat OpenShift. There, I had the opportunity to work with (and learn from) some of the smartest folks in the open source community. I learned first-hand some of the best practices for Kubernetes development as they were applied to broad enterprise use cases. And as I watched the development of OpenShift 4 take shape, I got to witness the functionality of Kubernetes Operators cranked to the max as the platform was built almost entirely around the Operator pattern. There, Operators were not just minor automation or deployment controllers; they were literally powering an entire Kubernetes distribution. I just happened to be lucky enough to have front-row seats to a transformative display of Operators in action.

Unfortunately, I still meet people in the community who are confused about Operators, how they work, and the benefits they can bring to cloud developers and customers. It seems that Operators are a topic about which many are curious, but few have the resources to truly invest in exploring.

That's why I wanted to write this book: to provide a high-level introductory overview of Operators and the breadth of possibilities that their use offers, so that more people can learn and benefit from running them in their clusters. I felt that my experience gave me a novel perspective on Operator development and use cases such that I could explain them through a unique narrative.

That narrative builds a storyline for The Kubernetes Operator Framework Book that gives readers a holistic, big-picture guide through the development lifecycle of an Operator. The book begins by introducing the fundamental topics of Operators, broken into three pillars: the Operator SDK, the Operator Lifecycle Manager (OLM), and OperatorHub. These pillars respectively represent the three main phases of an Operator's lifecycle: coding, deployment, and distribution.


Following the introduction, the book goes on to explore some of the technical capabilities of Operators and identifies a sample use case for a basic Operator, which serves as the single example threaded throughout the rest of the book. That example strings together the different pillars of the Operator Framework into a unified tutorial for developing, running, and publishing an Operator (written in Go). Along the way, this includes topics like designing CRDs, using the Operator SDK tools, and implementing additional functionality like metrics reporting with Prometheus to add observability insights to your Operator. Finally, Operator developers' roles and responsibilities for ongoing maintenance are explored, such as when and how to release new versions and keep your dependencies in sync with the broader Kubernetes ecosystem of projects. All of these topics are then summarized with a few case studies of third-party Operators, which are clinically dissected to demonstrate the concepts learned through the book's tutorial in a real-world application.

The goal of the book is not to provide all the answers for building an Operator, but instead to provoke ideas about how Operators can best serve you and your users. By framing common software development concepts (such as understanding the specific needs of your users and tackling challenges such as deprecation) through the lens of Operator development, The Kubernetes Operator Framework Book reads differently than many textbooks which focus on deep technical details and advanced topics. It is a conversational introduction for the reader who is familiar with Kubernetes, has heard of Operators, and is curious to learn what kind of impact Operator development can have for their organization.

Researching and writing this book was an incredibly rewarding experience that would not have been possible without the countless mentors in the Kubernetes community who took the time to teach me about this wonderful technology. The Kubernetes Operator Framework Book is my attempt at paying that forward, and hopefully passing on some of what I have learned to all of the other eager learners who make this community so great. I hope you enjoy reading it as much as I enjoyed writing it.

I wrote The Kubernetes Operator Framework Book to pass on some of what I have learned to all of the other eager learners who make this open source community so great.

This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

5 note-taking apps for Linux

opensource.com - Fri, 08/19/2022 - 15:00
Don Watkins - Fri, 08/19/2022 - 03:00

Notes are part of any writer's life. Most of my articles begin in a note-taking application and that’s usually Joplin for me. There are a large number of note-taking apps for Linux and you may use something other than my favorite. A recent blog article reminded me of a half dozen of them, so I assembled a list of my favorites.

Joplin

Joplin is available on Linux, Windows, macOS, Android, and iOS. I like Joplin because it automatically saves whatever you add to it. Notes can be synchronized to Nextcloud, ownCloud, Joplin Cloud, and even closed-source services like OneDrive and Dropbox, or to any WebDAV server. Joplin supports end-to-end encryption of synchronized notes.

It’s easy to export notes in a variety of formats, too. It comes with eight different themes that allow you to tailor its look.

Joplin has an MIT license. Initially released in 2017, Joplin is under continuous development with a large community of contributors.

Xournal

Xournal is available on Linux, Windows, macOS, and Android. Its aim is to let you create notes containing nearly any media type you can imagine. It supports pressure-sensitive styluses and drawing tablets, so you can create sketchnotes. You can type into it, draw simple vectors, import graphics, record audio, and more. You can also use Xournal to annotate PDFs, which is how I have used it. It is released under the GPLv2 license, and you can export notes in a variety of formats.

Trilium

Trilium is a hierarchical note-taking application with a focus on building personal knowledge bases. It features rich WYSIWYG editing with tables, images, and Markdown. It has support for editing notes as source code with syntax highlighting. It's released under the GNU Affero General Public License.

Trilium is available as a desktop application for Linux and Windows, as well as a web application that you can host on your own Linux server.

Gnote

Gnote is an open source note-taking application written for Linux. It was ported to C++ by Hubert Figuière from a project called Tomboy. Like Tomboy, Gnote uses a wiki-like linking system that lets you link notes together.

Gnote's source code is available on GitLab. The software is licensed under the GPLv3.

CherryTree

CherryTree supports hierarchical note-taking. In CherryTree everything is a node. Nodes can contain plain text, rich text, or code with syntax highlighting for a variety of programming languages. Each node can have child nodes, each with a different format.

CherryTree features rich text and syntax highlighting, and can store all of its data in a single XML or SQLite file. CherryTree can import from a variety of formats, including Markdown, HTML, plain text, Gnote, Tomboy, and others. It can export files to PDF, HTML, plain text, and its own CherryTree format.

CherryTree is licensed under the GPLv3, and can be installed on Linux, Windows, and macOS.

Use these open source tools for jotting down notes.


This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License.

KDE Gear - KDE Applications - 22.08 Released

Phoronix - Fri, 08/19/2022 - 06:30
For what used to be known as part of the KDE Software Compilation... Then most recently the straightforward KDE Applications name to refer to the set of official KDE applications... Now KDE Gear is the current name for the official set of KDE applications. KDE Gear 22.08 is out today as the newest collection of KDE apps...

GCC & LLVM Ready With x86 __bf16 Type Support

Phoronix - Fri, 08/19/2022 - 02:45
Following optional "__bf16" support being added to the x86-64 psABI as a special type for representing 16-bit Brain Floating Point Format for deep learning / machine learning applications, the GCC and LLVM compilers have now landed their __bf16 type support...

Linux Update Acknowledges Your Old Intel CPUs Might Be Vulnerable To MMIO Stale Data

Phoronix - Fri, 08/19/2022 - 02:00
Intel made the MMIO Stale Data vulnerabilities public back in June. The disclosure noted that affected Intel products range from Haswell up through Rocket Lake on the client side, or Xeon Scalable Ice Lake on the server side. However, pre-Haswell Intel CPUs might be impacted too, while the Linux kernel up to this point was incorrectly stating that older CPUs are "not affected" by MMIO Stale Data...

Secure Coding Practice – A Developer’s Learning Experience of Developing Secure Software Course

The Linux Foundation - Fri, 08/19/2022 - 01:29

The original article appeared on the OpenSSF blog. The author, Harimohan Rajamohanan, is a Solution Architect and Full Stack Developer with Wipro Limited. Learn more about the Linux Foundation’s Developing Secure Software (LFD121) course

All software is under continuous attack today, so software architects and developers should focus on practical steps to improve information security. Plenty of material is available online about the various aspects of secure development practices, but it is scattered across articles and books. I recently came across a course developed by the Open Source Security Foundation (OpenSSF), a part of the Linux Foundation, that is geared towards software developers, DevOps professionals, web application developers, and others interested in learning the best practices of secure software development. My experience taking the Developing Secure Software (LFD121) course was positive, and I immediately started applying what I learned in my work as a software architect and developer.

“A useful trick for creating secure systems is to think like an attacker before you write the code or make a change to the code” – DEVELOPING SECURE SOFTWARE (LFD121)

My earlier understanding of software security was focused primarily on the authentication and authorization of users. In this context, the secure coding practices I was following were limited to:

  • No unauthorized read
  • No unauthorized modification
  • Ability to prove someone did something
  • Auditing and logging

It is not enough to assume that software is secure because a strong authentication and authorization mechanism is present. Almost all application development today depends on open source software, and it is important that developers verify the security of the open source chain of contributors and its dependencies. Recent vulnerability disclosures and supply chain attacks were an eye opener for me about the potential for vulnerabilities in open source software. The natural focus of the majority of developers is to get the business logic working and deliver the code without any functional bugs.

The course gave me a comprehensive outlook on the secure development practices one should follow to defend from the kind of attacks that happen in modern day software.

What does risk management really mean?

The course has detailed practical advice on considering security as part of the requirements of a system. Being part of various global system integrators for over a decade, I was tasked to develop application software for my customers. The functional requirements were typically written down in such projects but covered only a few aspects of security in terms of user authentication and authorization. Documenting the security requirement in detail will help developers and future maintainers of the software to have an idea of what the system is trying to accomplish for security.

Key takeaways on risk assessment:
  • Analyze security basics including risk management, the “CIA” triad, and requirements
  • Apply secure design principles such as least privilege, complete mediation, and input validation
  • Supply chain evaluation tips on how to reuse software with security in mind, including selecting, downloading, installing, and updating such software
  • Document the high-level security requirements in one place

Secure design principles while designing a software solution

Design principles are guides based on experience and practice. Software that applies the secure design principles is far less likely to contain exploitable design flaws. This course covers a broad spectrum of design principles in terms of the components you trust and the components you do not trust. The key principles I learned from the course that guide me in my present-day software design are:

  • The user and the program should operate with the least privilege. This limits the damage from error or attack.
  • Every data access or manipulation attempt should be verified and authorized using a mechanism that cannot be bypassed (complete mediation).
  • Access to sensitive operations should depend on more than one condition (separation of privilege). How do you prove that the authenticated user is who they claim to be? Software should support two-factor authentication.
  • The user interface should be designed for ease of use, so that users routinely and automatically use the protection mechanisms correctly.
  • Understand what kind of attackers you expect to counter.

A few examples of how I applied the secure design principles in my solution designs:
  • The solutions I build often use a database. I have used the SQL GRANT command to limit the privileges the program gets. In particular, the DELETE privilege is not given to any program. Instead, I have implemented a soft delete mechanism in the program that sets the column “active = false” in the table for delete use cases.
  • The recent software designs I have been doing are based on a microservice architecture where there is a clear separation between the GUI and the backend services. Each part of the overall solution is authenticated separately. This may minimize the attack surface.
  • Client-side input validation is limited to catching accidental mistakes. The actual input validation happens on the server side. The API endpoints validate all inputs thoroughly before processing them. For instance, a PUT API not only validates the resource modification inputs, but also makes sure that the resource is present in the database before proceeding with the update.
  • Updates are allowed only if the user consuming the API is authorized to make them.
  • Databases are not directly accessible to a client application.
  • All secrets, such as cryptographic keys and passwords, are maintained outside the program in a secure vault. This is mainly to avoid secrets in source code going into version control systems.
  • I have started to look for the OpenSSF Best Practices Badge when selecting open source software and libraries for my programs. I also look at the security posture of open source software by checking its OpenSSF Scorecard score.
  • Another practice I follow when using open source software is to check whether the software is maintained. Are there recent releases or announcements from the community?
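
As an added illustration of the design choices above (example code written for this page, not the author's production code and not part of the course), here is a small data-access layer in Python. It uses sqlite3 so it runs offline; the table and column names, the Principal type, the admin role and the APP_DB_PASSWORD variable are assumptions. Since sqlite3 has no GRANT, the absence of a DELETE privilege is enforced by never exposing such a call, and the mutation paths all pass through one existence check and one authorization check.

```python
import os
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """The authenticated caller, as established by the API layer (assumed)."""
    user_id: str
    roles: frozenset


class NotAuthorized(PermissionError):
    pass


class NotFound(LookupError):
    pass


def db_password(env=None) -> str:
    """Secrets come from the environment (populated by a vault agent in
    production, assumed), never from a literal in the source tree."""
    env = os.environ if env is None else env
    pw = env.get("APP_DB_PASSWORD")
    if not pw:
        raise RuntimeError("APP_DB_PASSWORD not set; refusing to start")
    return pw


class ItemStore:
    """Exposes only the operations the application needs: there is no hard
    DELETE. With a real RDBMS the application role would also be created
    with GRANT SELECT, INSERT, UPDATE ON items (no DELETE); sqlite3 has no
    GRANT, so here the restriction is enforced by not exposing the call."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        conn.execute(
            "CREATE TABLE IF NOT EXISTS items ("
            "id INTEGER PRIMARY KEY, owner TEXT NOT NULL, "
            "name TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 1)"
        )

    def create(self, who: Principal, name: str) -> int:
        cur = self.conn.execute(
            "INSERT INTO items (owner, name) VALUES (?, ?)", (who.user_id, name)
        )
        return cur.lastrowid

    def _load(self, item_id: int) -> tuple:
        # Existence check first: a PUT on a missing (or soft-deleted)
        # resource is an error, never an implicit create.
        row = self.conn.execute(
            "SELECT id, owner, name, active FROM items WHERE id = ?", (item_id,)
        ).fetchone()
        if row is None or row[3] == 0:
            raise NotFound(item_id)
        return row

    def _authorize(self, who: Principal, row: tuple) -> None:
        # Complete mediation: every mutation goes through this one check.
        # Only the record's owner or an admin may change it.
        if who.user_id != row[1] and "admin" not in who.roles:
            raise NotAuthorized(f"{who.user_id} may not modify item {row[0]}")

    def rename(self, who: Principal, item_id: int, new_name: str) -> None:
        self._authorize(who, self._load(item_id))
        self.conn.execute("UPDATE items SET name = ? WHERE id = ?", (new_name, item_id))

    def soft_delete(self, who: Principal, item_id: int) -> None:
        self._authorize(who, self._load(item_id))
        # Soft delete: the row stays for audit and recovery but disappears
        # from normal reads because _load() treats active = 0 as missing.
        self.conn.execute("UPDATE items SET active = 0 WHERE id = ?", (item_id,))

    def get_name(self, item_id: int) -> str:
        return self._load(item_id)[2]


def demo() -> dict:
    """Exercise the store against an in-memory database and report results."""
    conn = sqlite3.connect(":memory:")
    store = ItemStore(conn)
    alice = Principal("alice", frozenset())
    bob = Principal("bob", frozenset())
    admin = Principal("root", frozenset({"admin"}))
    result = {"bob_blocked": False, "deleted_hidden": False}
    item = store.create(alice, "draft")
    try:
        store.rename(bob, item, "hijacked")      # bob is not the owner
    except NotAuthorized:
        result["bob_blocked"] = True
    store.rename(alice, item, "final")
    result["name"] = store.get_name(item)
    store.soft_delete(admin, item)               # admin may act on any item
    try:
        store.get_name(item)
    except NotFound:
        result["deleted_hidden"] = True
    # The row is physically still there for the audit trail.
    result["rows_kept"] = conn.execute("SELECT COUNT(*) FROM items").fetchone()[0]
    return result


if __name__ == "__main__":
    print(demo())
```

The point of routing every write through _load() and _authorize() is that a new endpoint cannot forget either check; the only way to touch a row is through code that already performs them.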

Secure coding practices

In my opinion, this course covers almost all aspects of secure coding practices that a developer should focus on. The key focus areas include:

  1. Input validations
  2. How to validate numbers
  3. Key issues with text, including Unicode and locales
  4. Usage of regular expression to validate text input
  5. Importance of minimizing the attack surfaces
  6. Secure defaults and secure startup.

For example, validate the IDs an API receives and confirm that records with those IDs exist in the database before acting on them; this reduces the attack surface. Likewise, make sure that the object named in a modify request exists in the database before applying the modification.
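
The validators below are added here as an example and are not taken from the course or the article. They show server-side checks for the three kinds of input listed: numbers, text with Unicode, and record identifiers. The field names, limits and regular expressions are assumptions chosen for illustration; whether a syntactically valid ID actually refers to an existing record is a separate database lookup that belongs in the data layer.

```python
import re
import unicodedata
from decimal import Decimal

MAX_ID = 2**31 - 1                      # assumed: IDs are 32-bit signed in the DB
ID_RE = re.compile(r"[0-9]{1,10}")      # ASCII digits only; \d would admit Unicode digits
MONEY_RE = re.compile(r"[0-9]{1,9}(\.[0-9]{1,2})?")
USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{2,31}")


def parse_id(raw: str) -> int:
    """Record ID: 1-10 ASCII digits, positive, inside the DB's integer range.
    Rejects '+1', ' 1', '1e3', Unicode digits such as '١' (which int()
    happily accepts) and values beyond MAX_ID that would overflow the column."""
    if not isinstance(raw, str) or not ID_RE.fullmatch(raw):
        raise ValueError("id must be 1-10 ASCII digits")
    value = int(raw)
    if not 1 <= value <= MAX_ID:
        raise ValueError("id out of range")
    return value


def parse_money(raw: str) -> Decimal:
    """Amount as Decimal, never float, with a fixed format and bounds
    enforced before conversion."""
    if not isinstance(raw, str) or not MONEY_RE.fullmatch(raw):
        raise ValueError("amount must look like 123 or 123.45")
    value = Decimal(raw)
    if value <= 0:
        raise ValueError("amount must be positive")
    return value


def parse_username(raw: str) -> str:
    """Canonicalize first, then allow-list:
    - cap the raw length before doing any work on it;
    - NFKC folds compatibility forms (fullwidth letters, ligatures) so two
      different code point sequences cannot pass as two distinct users;
    - reject every control/format character (Unicode category C*);
    - fullmatch() anchors the whole string, so 'alice\\n' or
      'alice<script>' cannot slip past the way search() or match() allow."""
    if not isinstance(raw, str) or len(raw) > 256:
        raise ValueError("username too long")
    norm = unicodedata.normalize("NFKC", raw)
    if any(unicodedata.category(c).startswith("C") for c in norm):
        raise ValueError("control characters not allowed")
    norm = norm.lower()
    if not USERNAME_RE.fullmatch(norm):
        raise ValueError("username must be 3-32 of a-z, 0-9, _ and start with a letter")
    return norm


def rejects(fn, raw) -> bool:
    """True if the validator refuses the input; used by the self-check."""
    try:
        fn(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: what an API endpoint might receive from a client.
    for raw in ["42", "+1", "\u0661", "2147483648"]:
        print("id", repr(raw), "rejected" if rejects(parse_id, raw) else parse_id(raw))
    for raw in ["Alice_01", "\uff41lice", "alice\n", "bob;drop"]:
        print("user", repr(raw), "rejected" if rejects(parse_username, raw) else parse_username(raw))
```

The order matters: normalize, then validate, then use. Validating before normalization lets an input change shape after it has been approved, and converting (int(), Decimal()) before validation hands the parser inputs it was never meant to see.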

  • Process data securely
      • Treat untrusted data as dangerous
      • Avoid default and hardcoded credentials
      • Understand memory safety problems such as out-of-bounds reads or writes, double-free, and use-after-free
      • Avoid undefined behavior
  • Call out to other programs
      • Securely call other programs
      • Counter injection attacks such as SQL injection and OS command injection
      • Securely handle file names and file paths
  • Send output
      • Securely send output
      • Counter cross-site scripting (XSS) attacks
      • Use HTTP hardening headers, including Content Security Policy (CSP)
      • Prevent common output-related vulnerabilities in web applications
      • Securely format strings and templates
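
The following is an added example (not from the course or the article) that puts three of the listed implementation topics side by side as an unsafe call and its hardened form: an SQL lookup, building a command line for another program, and resolving a user-supplied file path under a base directory. It closes with HTML output encoding and a hardening-header set. The sample users table, the host name pattern and the header values are constructed for illustration.

```python
import html
import re
import sqlite3
import subprocess
from pathlib import Path


def sample_db() -> sqlite3.Connection:
    """Constructed fixture: two users, one of them privileged."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn


def roles_unsafe(conn, name: str) -> list:
    # VULNERABLE: the untrusted value is spliced into the SQL text, so
    # name = "' OR '1'='1" rewrites the WHERE clause and returns everyone.
    sql = f"SELECT role FROM users WHERE name = '{name}'"
    return sorted(r[0] for r in conn.execute(sql))


def roles_safe(conn, name: str) -> list:
    # HARDENED: the value is bound as a parameter; the driver never parses
    # it as SQL, so the same payload simply matches no user.
    return sorted(r[0] for r in
                  conn.execute("SELECT role FROM users WHERE name = ?", (name,)))


HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,252}")   # assumed allow-list


def ping_shell_unsafe(host: str) -> str:
    # VULNERABLE: a shell command line built from untrusted text;
    # "example.com; id" runs a second command.
    return f"ping -c 1 {host}"


def ping_argv(host: str) -> list:
    """HARDENED: validate against an allow-list (the pattern also forbids a
    leading '-', so the value cannot be read as an option), then pass argv
    as a list with shell=False so no shell metacharacters are interpreted."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("invalid host name")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Execute the hardened form; returns the exit status (needs a network)."""
    return subprocess.run(ping_argv(host), capture_output=True, timeout=10).returncode


def resolve_under(base, user_path: str) -> Path:
    """Canonicalize the requested path and insist it stays inside base.
    resolve() collapses '..' and follows symlinks, so traversal via
    '../../etc/passwd', an absolute path, or a planted symlink all end
    up outside base and are refused."""
    base_r = Path(base).resolve()
    target = (base_r / user_path).resolve()
    if target != base_r and base_r not in target.parents:
        raise ValueError("path escapes the base directory")
    return target


def render_greeting(name: str) -> str:
    """Output encoding for the HTML text context; a different context
    (attribute, URL, JavaScript) needs its own encoder."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# Defence in depth on the browser side; values are assumptions for a
# same-origin app with no inline scripts or plugins.
SECURITY_HEADERS = {
    "Content-Security-Policy":
        "default-src 'self'; object-src 'none'; base-uri 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Referrer-Policy": "no-referrer",
}


if __name__ == "__main__":
    conn = sample_db()
    payload = "' OR '1'='1"
    print("unsafe:", roles_unsafe(conn, payload))   # both roles leak
    print("safe:  ", roles_safe(conn, payload))     # nothing matches
    print(ping_shell_unsafe("example.com; id"))
    print(ping_argv("example.com"))
    print(render_greeting("<script>alert(1)</script>"))
```

In each pair the hardened form works the same way: untrusted data is kept as data (a bound parameter, an argv element, a path component checked after canonicalization, an escaped text node) instead of being concatenated into something an interpreter will parse.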

Conclusion

“Security is a process – a journey – and not a simple endpoint” – DEVELOPING SECURE SOFTWARE (LFD121)

This course gives practical guidance on developing secure software: defining security requirements, applying secure design principles, countering common implementation mistakes, using tools to detect problems before you ship the code, and promptly handling vulnerability reports. I strongly recommend this course and the certification to all developers out there.

About the author

Harimohan Rajamohanan is a Solution Architect and Full Stack Developer in the Open Source Program Office, Lab45, Wipro Limited. He is an open source software enthusiast and has worked in areas such as application modernization, digital transformation, and cloud native computing. His major focus areas are software supply chain security and observability.

The post Secure Coding Practice – A Developer’s Learning Experience of Developing Secure Software Course appeared first on Linux Foundation.

Qt Group Expanding Beyond Just The Toolkit Into More QA Software With New Acquisition

Phoronix - Thu, 08/18/2022 - 21:00
While the Qt Group (most recently known as The Qt Company) is known for its Qt toolkit and related Qt Creator integrated development environment, Qt Design Studio, and related software centered around their cross-platform toolkit, they have acquired German software maker Axivion GmbH as they expand their product portfolio beyond just Qt...

Intel Xeon Platinum 8380: 2021 vs. 2022 Performance For Ubuntu, Clear Linux, CentOS Stream

Phoronix - Thu, 08/18/2022 - 19:00
With Intel Xeon Sapphire Rapids expected to make more of a splash coming up, it's a good time to revisit the Intel Xeon Platinum 8380 "Ice Lake" performance to see how the Linux software performance has evolved since last year's launch. In this article are benchmarks of the dual Xeon Platinum 8380 server from May 2021 with CentOS Stream, Clear Linux, and Ubuntu compared to fresh installs now of those latest Linux distribution releases.

LibreOffice 7.4 Released With Support For WebP, Many Other Improvements

Phoronix - Thu, 08/18/2022 - 18:45
LibreOffice 7.4 is out today as the latest major update to this open-source, cross-platform office suite. This leading free software office suite now supports WebP images as well as a variety of other improvements to its various components...
