
Posts

Showing posts with the label debian-planet

Ubuntu Livepatch service now supports over 60 different kernels

Linux kernel getting a livepatch whilst running a marathon. Generated with AI.
Livepatch service eliminates the need for unplanned maintenance windows for high and critical severity kernel vulnerabilities by patching the Linux kernel while the system runs. Originally the service launched in 2016 with just a single kernel flavour supported. Over the years, additional kernels were added: new LTS releases, ESM kernels, Public Cloud kernels, and most recently HWE kernels too. Recently livepatch support was expanded to FIPS compliant kernels, Public Cloud FIPS compliant kernels, and IBM Z (mainframe) kernels, bringing the total to over 60 distinct kernel flavours supported in parallel. The table of supported kernels in the documentation lists the supported kernel flavour ABIs, the duration of each build's support window, the supported architectures, and the Ubuntu release. This work was only possible thanks to the collaboration with the Ubuntu C...

Ubuntu 23.10 significantly reduces the installed kernel footprint

Photo by Pixabay
Ubuntu systems typically have up to 3 kernels installed before they are auto-removed by apt on classic installs. Historically the installation was optimized for metered download size only. However, kernel size growth and usage patterns no longer warrant such optimizations. During the 23.10 Mantic Minotaur cycle, I led a coordinated effort across multiple teams to implement lots of optimizations that together achieved unprecedented install footprint improvements. Given a typical install of 3 generic kernel ABIs in the default configuration on a regular-sized VM (2 CPU cores, 8GB of RAM), the following metrics are achieved in Ubuntu 23.10 versus Ubuntu 22.04 LTS: 2x less disk space used (1,417MB vs 2,940MB, including initrd); 3x less peak RAM usage for the initrd boot (68MB vs 204MB); 0.5x increase in download size (949MB vs 600MB); 2.5x faster initrd generation (4.5s vs 11.3s); approximately the same total time (103s vs 98s, hardware dependent). For minimal cloud images that do not in...

How to disable TLS 1.0 and TLS 1.1 on Ubuntu

Example of a website that only supports TLS v1.0, which is rejected by the client
Overview
TLS v1.3 is the latest standard for secure communication over the internet. It is widely supported by desktops, servers and mobile phones. Recently Ubuntu 18.04 LTS received an OpenSSL 1.1.1 update, bringing the ability to potentially establish TLS v1.3 connections on the latest Ubuntu LTS release. The Qualys SSL Labs Pulse report shows more than 15% adoption of TLS v1.3. It really is time to migrate from TLS v1.0 and TLS v1.1. As announced on the 15th of October 2018, Apple, Google, and Microsoft will disable TLS v1.0 and TLS v1.1 support by default and thus require TLS v1.2 to be supported by all clients and servers. Similarly, Ubuntu 20.04 LTS will require TLS v1.2 as the minimum TLS version. To prepare for the move to TLS v1.2, it is a good idea to disable TLS v1.0 and TLS v1.1 on your local systems and start observing and reporting any websites, systems and applications that...

Encrypt all the things

xkcd #538: Security
Went into Blogger settings and enabled TLS on my custom domain Blogger blog. So it is now finally https://blog.surgut.co.uk. However, I do use FeedBurner and syndicate that to the planet. I am not sure whether those are end-to-end TLS connections, thus I will look into removing FeedBurner between my blog and the Ubuntu/Debian planets. My experience with changing feeds in the planets is that I end up spamming everyone. I wonder if I should make a new tag and add that one, and add both feeds to the planet config to avoid spamming old posts. Next up, went into the Gandi LiveDNS platform and enabled DNSSEC on my domain. It propagated quite quickly, and I believe my domain is now correctly signed with DNSSEC stuff. Next up, I guess, is to fix DNSSEC with captive portals. I guess what we really want to have on "wifi"-like devices is to first connect to wifi and not set it as the default route. Perform the captive portal check, potentially with a reduced DNS server capabil...

Ubuntu Snowsports & Friends Team

Ubuntu Snowsports and Friends Team
After talking to a bunch of people, I've realized that a lot of free & open source, Debian / Ubuntu, etc. people do ski or snowboard. So I have this crazy idea that maybe we can get enough people together to form a social team on Launchpad. And maybe, if we have enough people there, to possibly try to organize a ski trip with or without conference talks. Kind of like a team building meetup / community event / UDS - Ubuntu Developer Snowsports trip, or maybe an Ubucon Snow. So here we go - please consider joining the https://launchpad.net/~ubuntu-snowsports team, join the mailing list there, and/or hop onto IRC to join #ubuntu-snow on freenode. I hope we can get more members than https://launchpad.net/~ubuntu-cyclists

What does FCC Net Neutrality repeal mean to you?

Sorry, the web page you have requested is not available through your internet connection. We have received an order from the Courts requiring us to prevent access to this site in order to help protect against Lex Julia Majestatis infringement. If you are a home broadband customer, for more information on why certain web pages are blocked, please click here. If you are a business customer, or are trying to view this page through your company's internet connection, please click here.

An interesting bug - network-manager, glibc, dpkg-shlibdeps, systemd, and finally binutils

Not so long ago I went to effectively recompile NetworkManager and fix up a minor bug in it. It built fine across all architectures, was considered to be installable, etc. And I was expecting it to just migrate across. At the time, glibc was at 2.26 in artful-proposed and NetworkManager was built against it. However, the release pocket was at glibc 2.24. In Ubuntu we have a ProposedMigration process in place which ensures that newly built packages do not regress in the number of architectures built for or installable on, and do not regress themselves or any reverse dependencies at runtime. Thus before my build of NetworkManager was considered for migration, it was tested in the release pocket against packages in the release pocket. Specifically, since the package metadata only requires glibc 2.17, NetworkManager was tested against the glibc currently in the release pocket, which should just work fine....
autopkgtest [21:47:38]: test nm: [----------------------- test_auto_ip4 (__main__.ColdplugEthe...

2017 is the new 1984

1984: Library Edition Novel by George Orwell, cover picture by Google Search result
I am scared. I am petrified. I am confused. I am sad. I am furious. I am angry. 28 days later I shall return from NYC. I hope.

Ubuntu Archive and CD/USB images complete migration to 4096 RSA signing keys

Enigma machine photo by Alessandro Nassiri [ CC BY-SA 4.0 ], via Wikimedia Commons
Ubuntu Archive and CD/USB images use OpenPGP cryptography for verification and integrity protection. In 2012, a new archive signing key was created and we started to dual-sign everything with both the old and new keys. In April 2017, Ubuntu 12.04 LTS (Precise Pangolin) will go end of life. Precise was the last release that was signed with just the old signing key. Thus when Zesty Zapus is released as Ubuntu 17.04, there will no longer be any supported Ubuntu release that requires the 2004 signing keys for validation. The Zesty Zapus release is now signed with just the 2012 signing key, which is a 4096-bit RSA key. The old 2004 signing keys, which were 1024-bit DSA keys, have been removed from the default keyring and are no longer trusted by default in Zesty and up. The old keys are available in the removed keys keyring in the ubuntu-keyring package, for example in case one wants to verify things ...

Swapfiles by default in Ubuntu

4MB RAM card
By default, in Ubuntu, we usually create a swap partition. Back in the day of 4MB RAM cards this made total sense, as the ratio of RAM to disk space was still very low. Things have changed since. Server, desktop and embedded systems have migrated to newer generations of both RAM and persistent storage. On the high performance side of things we see machines with faster storage in the form of NVMe and SSD drives. Reserving space for swap on such storage can be seen as expensive and wasteful. This is also true for recent enough laptops and desktops. Mobile phones have substantial amounts of RAM these days, at times coupled with eMMC storage - lower-performance flash storage with a limited number of write cycles, which hence should not be overused for volatile swap data. And there are also unicorns in the form of high performance computing with high memory (shared memory) systems with little or no disk space. Today, carving a partition and reserving twice...

/boot less LVM rootfs in Zesty

On Ubuntu many of the default boot loaders support booting kernels located on LVM volumes. This includes the following platforms: i686 and x86_64 with BIOS grub2; arm64, armhf, i686 and x86_64 with UEFI grub2; PReP partitions on IBM PowerPC; zipl on IBM zSystems. For all of the above, d-i has been modified in Zesty to create LVM based installations without a dedicated /boot partition. We shall celebrate this achievement. Hopefully this means one doesn't need to remove kernels as much, or care about sizing the /boot volume appropriately any more. If there are more bootloaders in Ubuntu that support booting off LVM, please do get in touch with me. I'm interested in whether I can safely enable the following platforms as well: armhf with u-boot; arm64 with u-boot; ppc64el with a PReP volume. PS: the boots pic is from here.

Post-Brexit - The What Now?

Out of a 46,500,001 electorate, 17,410,742 voted to leave, which is a mere 37.4% or just over a third [ source ]. In my book this is not a clear expression of the UK's wishes. The reactions that the results have caused are devastating. The Scottish First Minister has announced plans for a 2nd Scottish Independence referendum [ source ]. Londoners are filing petitions calling for an Independent London [ source , source ]. The Prime Minister announced his resignation [ source ]. Things are not stable. I do not believe that a super majority of the electorate are in favor of leaving the EU. I don't even believe that those who voted to leave have considered the break up of the UK as the inevitable outcome of the leave vote. There are numerous videos on the internet about that, impossible to quantify or reliably cite, but for example this [ source ]. So What Now? P R O T E S T. I urge everyone to start protesting the outcome of the mistake that happened last Thursday. 4th of July...

Blogging about Let's encrypt over HTTP

So the Let's Encrypt thing started. And it can do challenges over HTTP (serving text files) and over DNS (serving TXT records). My "infrastructure" is fairly modest. I've seen too many of my email accounts getting swamped with spam, and/or companies going bust. So I got my own domain name, surgut.co.uk. However, I don't have money or time to run my own services. So I've signed up for a Google Apps account for my domain to do email, blogging, etc. Then later I got the libnih.la domain to host API docs for the mentioned library. In the world of .io startups, I thought it's an incredibly funny domain name. But I also have a VPS to host static files on an ad-hoc basis, run a VPN, and an IRC bouncer. My IRC bouncer is ZNC and I used a self-signed certificate there, thus I had to "ignore" SSL errors in all of my IRC clients... which kind of defeats the purpose somewhat. I run my VPS on i386 (to save on memory usage) and on Ubuntu 14.04 LTS managed w...

Four gunmen outside

There are four gunmen outside of my hotel. They are armed with automatic rifles and pistols. I am scared for my life having sneaked past them inside. Everyone else is acting as if everything is normal. Nobody is scared or running for cover. Nobody called the police. I've asked the reception to talk to the gunmen and ask them to leave. They looked at me as if I am mad. Maybe I am. Is this what schizophrenia feels like?! Can you see them in the picture?! Please help. There are four gunmen outside of my hotel. I am not in central Beirut, I am in central Brussels.

uwsgi gains --paste-name option

One of the WSGI servers that is commonly used with nginx is uwsgi. One way to configure and deploy simple and complex WSGI middlewares and apps is by using Paste Deploy tooling. However, until now uwsgi was only able to load a default app under the suffix "main". There is no such limitation in the Paste Deploy code itself, as the functions there accept a name argument. What was missing is an option in uwsgi to pass, optionally, an alternative non-default name of the app to load. A patch adding this option has now been merged upstream and should be available in the next uwsgi release. What I was hoping is that one would be able to do something like this:
$ uwsgi --ini-paste /etc/nova/api-paste.ini --paste-name osapi_compute
But alas, that didn't work. I wish all OpenStack software services were deployable as normal WSGI stand-alone apps without any additional glue code. Keystone is kind of like this with the /usr/share/httpd/cgi-bin/keystone/main entry point for deploying keys...

Clear Containers for Docker* Engine

Today at work, I announced something James Hunt, Ikey Doherty and myself have been working on. We integrated Clear Containers technology with Docker* Engine to create Clear Containers for Docker* Engine. After following the installation instructions, one can pull and run existing Docker* containers in the secure Clear Containers environment. This means that instead of namespaces, a fast virtual machine is started using the kvmtool hypervisor. This VM runs an optimised minimal Linux* kernel and the optimised Clear Linux* for Intel® Architecture Project user-space, with the only goal of executing the Docker* workload and then shutting down. The net effect is almost indistinguishable from typical Docker* container usage:
$ docker run -ti ubuntu:vivid
root@d88a60502ed7:/# systemd-detect-virt
kvm
Except that, as you can see, it's running inside a kvm VM, and thus protected by Intel® Virtualization Technology. This is available on Clear Linux* as well as multiple o...

Go enjoy Python3

Given a string, get a truncated string of length up to 12. The task is ambiguous, as it doesn't say anything about whether or not 12 should include the terminating null character. Nonetheless, let's see how one would achieve this in various languages. Let's start with Python 3:

    import sys
    print(sys.argv[1][:12])

Simple enough: in essence, given the first argument, print it up to length 12. As an added bonus, this also deals with Unicode correctly, that is, if the passed arg is 車賈滑豈更串句龜龜契金喇車賈滑豈更串句龜龜契金喇, it will correctly print 車賈滑豈更串句龜龜契金喇. (Note these are just random Unicode strings to me, no idea what they stand for.) In C things are slightly more verbose, but in essence, I am going to use the strncpy function:

    #include <stdio.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        char res[13];               /* 12 bytes plus room for the terminating NUL */
        if (argc < 2)
            return 1;
        strncpy(res, argv[1], 12);  /* strncpy does not NUL-terminate when the source is 12 bytes or longer */
        res[12] = '\0';
        printf("%s\n", res);
        return 0;
    }

This treats things as a byte array instead of Unicode, thus for the Unicode test it will end up printing just 車賈滑...

Boiling frog, or when did we lose it with /etc?

$ sudo find /etc -type f | wc -l
2794

Stateless
When was the last time you looked at /etc and thought, "I honestly know what every single file in here is"? Or, for example, had the thought "Each file in here is a configuration change that I made"? Or, for example, do you have confidence that your system will continue to function correctly if any of those files and directories are removed? Traditionally most *NIX utilities are simple enough that they do not require any configuration files whatsoever. However most have command line arguments and environment variables to manipulate their behavior. Some of the more complex utilities have configuration files under /etc, sometimes with "layered" configuration from the user's home directory (~/). Most of them are generally widely accepted. However, these do not segregate upstream / distribution / site administrator / local administrator / user configuration changes. Most update mechanisms cre...

My IDE needs a makeover

Current Setup
I am a Linux Distribution Engineer and work on arbitrary open source projects. Mostly I'm patching/packaging existing things, and sometimes I start fresh projects. My "IDE", or rather I shall say "toolbox", is rather sparse: GNOME Terminal; Google Chrome; GNU Emacs; GCC toolchain with GDB; Python3 - iPython, iPdb, pyflakes; git, GNU bazaar. There are a few things that annoy me, and should be done better these days.
Documentation
I look up documentation mostly with Google Chrome. This includes the texinfo renderings of the docs. There are a few reasons for that. First of all, my developer machine is not polluted with all the dev packages under the sun; instead I compile practically everything in a chroot. And most of the time chroots have much newer versions of everything (from gcc & automake, to boost and whatever other dependencies are in use). However I would like to have easy generic lookup built in for common things that I look up in...

Intel CPU microcode support in ubuntu-drivers-common

Ubuntu Vivid Vervet 15.04 is on its final approach to release at the end of next month. Here is a highlight of one of the features that I have helped to land. ubuntu-drivers-common is a framework to detect hardware-dependent components on a user's machine and offer to install additional packages to enable better support for such hardware. Typical examples are drivers for graphics cards. This cycle I have added a CPU family detection plugin, which detects the CPU family and installs the appropriate microcode update. E.g. if one is running an Intel CPU, the intel-microcode package is installed. Check out:
$ ubuntu-drivers devices
$ ubuntu-drivers list
$ ubuntu-drivers autoinstall