There is this old quote from LKML:
Get back there in front of the computer NOW. Christmas can wait.
[Linus "the Grinch" Torvalds, 24 Dec 2000 on linux-kernel]
The AppArmor developers followed this advise - John released AppArmor 2.12 yesterday (Dec 25), and I just submitted updated packages to openSUSE Tumbleweed (SR 560017).
The most visible changes in 2.12 are support for "owner" rules in aa-logprof and upstreaming of the aa-logprof --json interface (used by YaST). Of course that's only the tip of the christmas cookie ;-) - see the Release Notes for all details.
One important change in the openSUSE packages is that I intentionally broke "systemctl stop apparmor". The reason for this is "systemctl restart apparmor" - systemd maps this to stop, followed by start. This resulted in unloading all AppArmor profiles by the "stop" part and, even if they get loaded again a second later, running processes will stay unconfined unless you restart them. The systemd developers were unwilling to implement the proposed ExecRestart= option for unit files, therefore breaking "stop" is the best thing I can do. (See boo#996520 and boo#853019 for more details.)
"systemctl reload apparmor" will continue to work and is still the recommended way to reload the AppArmor profiles, but accidently typing "restart" instead of "reload" can easily happen. Therefore I chose to break "stop" - that's annoying, but more secure than accidently removing the AppArmor confinement from running processes.
If you really want to unload all AppArmor profiles, you can use the new "aa-teardown" command which does what "systemctl stop apparmor" did before - but who would do that? ;-)
Note that the above (except the recommendation to use "reload") only applies to Tumbleweed and Leap 15.
Some weeks ago, someone asked on the opensuse-wiki mailinglist if it's acceptable to move documentation (in this case about Icecream) from the openSUSE wiki to the upstream repo on github. One of the arguments was:
I think I should store anything I do for the openSUSE project somewhere in the openSUSE.org domain, not in a RedHat.org or Canonical.org domain or a SourceForge.net or GitHub.com domain.
While this sounds like a valid argument and for sure shows good intentions, I wrote a longish reply:
You are overlooking an important point here - collaboration.
It doesn't make sense to think of "we" vs. "them" when it comes to other distributions or upstream projects. It's quite the opposite - everybody can save time by working together with other distributions, upstream projects etc. We have more important things to do than re-inventing the wheel just because we need a green one.
As an example: You might know that I maintain AppArmor in openSUSE and also contribute upstream (OMG, the upstream mailinglist is @lists.ubuntu.com, not at a "neutral" domain!)
Some not-so-known details:
- I implemented support for new AppArmor rule types (dbus, signal etc.) in aa-logprof, but those are not yet supported in the upstream kernel (and also not in openSUSE) - so currently only Ubuntu users benefit from that
- I always send patches upstream so that everybody can benefit (no, saying "use openSUSE, it's fixed there" is not a good idea ;-)
- In 2015, I visited DebConf (I'd guess I was the only one there who had never used Debian before) and even gave a talk.
- I closely follow AppArmor-related bugreports in Debian and Ubuntu, and help them to get things fixed - even if it's distro-specific
So, tell me - am I working for the enemy? ;-)
BTW: This isn't a one way road. Quite some AppArmor contributions done by Ubuntu (some other upstream developers work for Canonical) and Debian contributors end up in openSUSE ;-)
Needless to say that AppArmor is just an example. What I said is basically valid for every package, project, whatever. Either you collaborate (and everybody wins), or you "cook your own soup" and never find out that someone else has a receipe for a much more tasty soup ;-)
Since I talked a lot about AppArmor in the above text, let's see what's new there.
You might have noticed that there were some AppArmor releases recently:
- AppArmor 2.9.4 (with several bugfixes and profile updates) was already released as an update for openSUSE 13.2 shortly before it went out of support.
- AppArmor 2.10.2 (also with several bugfixes and profile updates) is already available in Tumbleweed, and updates for Leap 42.1 and 42.2 are under review
- AppArmor 2.11 (with lots of improvements and new features - for example, I rewrote the handling of file rules in aa-logprof etc.) is on its way to Tumbleweed (SR 453537), but it seems splitting off libapparmor into its own spec file (to fix a build loop) triggered a bug in the factory-auto review bot. Given my talent to find bugs, I'm not even surprised ;-)
The rewrite of the file rule handling resulted in a nice series of 42 patches which replace 1600 lines of code using a deeply nested array with 1200 lines with the more readable and easier maintainable FileRule and FileRuleset classes (a total of 530 lines) and functions using these classes. Even with 400 lines less code, I added some small features (for example, rules with leading permissions like "r /etc/fstab," are now supported) and fixed some bugs along the way.
The old code to handle file rules had very few unittests, which made this rewrite (and especially avoiding breakage and regressions) quite challenging. On the positive side, my patch series added full test coverage for the FileRule and FileRuleset classes, and also added unittests for most of the functions using FileRule and FileRuleset. (Unfortunately full test coverage isn't always easy, especially for the interactive parts of aa-logprof.) Those unittests add about 1400 lines of code, but as long as such additions happen in the tests directory, I'm more than happy about them ;-)
Oh, and the final challenge hit the other AppArmor developers. AppArmor has the policy that all patches have to be reviewed, and reviewing the whole patch series (which summed up to +2600 -1628 lines) took some time ;-)
That all said, let's not forget to answer where the documentation should live:
To come back to the origin of this discussion: I don't care too much where the Icecream developers host their documentation as long as
- it is complete and up to date (having it at the developers' favorite place makes this more likely)
- it can be easily found (also not a problem, it's linked from the wiki, and your favorite search engine will also find it)
I see the main purpose of the openSUSE wiki to provide openSUSE-specific information.
Information about upstream projects (even if a project is done by openSUSE) is "nice to have", but it's also ok if it lives upstream. It's better have one good upstream documentation than pages at 5 distro wikis that are all incomplete and out of date ;-)
BTW: The question "Am I working for the enemy?" was mostly meant as a rhetoric question - but if you want to answer nevertheless, please add a comment ;-)
A week ago, the openSUSE Conference 2016 ended, so it's time to finally upload my AppArmor Crash Course slides ;-)
I enjoyed lots of good talks. There were too many to mention a favorite one, but I'll try nevertheless:
- Georgi's "MySQL firewall" - basically you could describe it as "AppArmor for MySQL", so it isn't surprising that I like it ;-)
- AJ's "Infrastructure at OpenStack" included several interesting ideas (watched on video because it happened at the same time as "MySQL Firewall")
- Reproducible Builds (both from Holger and Bernhard) - it was good to see that we have some progress on it, even if the current target is "build-compare says it's equal" and not "it's bit-for-bit equal"
- Markus' "What's that distribution" quiz with funny quotes
- Thorsten's "Btrfs, snapshots and rollbacks" with quite some btrfs insight and details
- the keysigning party - a literally hot party ;-) (back home, I found out that perl-GnuPG-Interface which is needed for caff is incompatible with the GPG version in Tumbleweed, so I'll need to setup a Leap VM to do the keysigning)
- the LinuxTag-style Hacking Content - I applied quite some evil hacks, but it also turned out playing with the PAM config can make the login hard ;-)
- Sarah's "Stress Tests and Performance Monitoring" - I already started to play with Munin which looks like a good candidate to replace some custom perl scripts I'm currently using
- the SUSE Band :-)
- Richard's "Distribute or die", even if I don't really agree that we should discourage using additional repos. Maybe I should just quote Richard himself:
I am not a Dictator, I can think of no example where I've ordered anyone to do anything. And I would expect people to stare at me funny and tell me 'no', if I tried.
I also had lots of interesting discussions on the hallway track and learned something about Nürnberg in the city tour and the cellar tour.
After the official part of oSC16 ended, we had a promising disussion about the (technical) future of the openSUSE wiki. If everything works out as planned, we'll get some shiny new hardware hosted in Provo that is only used for openSUSE - and the most important thing is that we'll have SSH access to it and can do whatever is needed without having to wait for the Provo admins.
PS: You might have noticed that I didn't mention the openSUSE Jeopardy in this post - I'll do that in a separate post next week ;-)
(Kleine Werbeeinlage auf speziellen Wunsch von Michal Hrušecký ;-)
Die meisten Leute wissen wahrscheinlich schon, dass openSUSE 12.3 diesen Mittwoch (also morgen) releast wird.
Um das zu feiern, gibt es (ebenfalls am Mittwoch, also morgen) ab 19:00 Uhr eine Release Party im Artefakt in Nürnberg, bei der jeder willkommen ist. Dort kann man viele Geekos treffen, auch das openSUSE-Team von SUSE hat sich angekündigt und freut sich darauf, viele openSUSE-Begeisterte, Unterstützer und Benutzer zu sehen. Für Essen und openSUSE-Bier ist laut Michal gesorgt.
Natürlich ist auch der Star des Tages da - openSUSE 12.3 wird auf einem Demo-Rechner gezeigt. Mit etwas Glück gibt es auch ein Google Hangout für alle, die nicht nach Nürnberg kommen können - Infos dazu auf der openSUSE G+-Seite.
Ich selbst kann leider nicht zur Party kommen, wünsche aber allen viel Spaß ;-)
Letztes Wochenende (bis Dienstag) war ich bei der openSUSE conference, die diesmal in der "goldenen Stadt" Prag stattfand. Die Konferenz war sehr interessant - zum Einen die Vorträge, zum Anderen der "hallway track", bei dem ich viele Leute persönlich traf, die ich sonst nur namentlich aus Mailinglisten oder Bugzilla kenne.
Mein Workshop zu AppArmor wurde von rund 15 Personen besucht, die jetzt mehr über AppArmor wissen. Es wurden auch Fragen zum Packaging von Profilen gestellt - mit etwas Glück bekommen also ein paar Programme ein AppArmor-Profil in ihr Paket oder das Profil wird upstream zur Aufnahme zu den Standard-Profilen vorgeschlagen. Die Folien zum Workshop gibt es am Ende dieses Eintrags.
Zum openSUSE Jeopardy kamen nur 5 Personen. Diese haben aber alle mitgespielt und hatten sichtlich Spaß, die passenden Fragen zu meinen Antworten rund um Linux und openSUSE zu finden - vor allem Jan, der beide Runden (und somit zwei Flaschen Wein) gewann. Der IRC-basierte "Buzzer" hat dabei gut funktioniert und kommt mit etwas Glück beim nächsten LinuxTag nochmal zum Einsatz.
Am Montag war ich einer der wenigen Teilnehmer der BoF zur openSUSE landing page, die wir spontan etwas verlängerten. Daher fiel die admin@-BoF mehr oder weniger aus, was mangels anwesender Admins auch nicht wirklich schlimm war. Danach wurde ich von Coolo noch zum Filmen freiwillig gemeldet ;-) - die schrecklichen Publikums-Bilder vom Montag Nachmittag (Project Meeting etc.) und Dienstag (hauptsächlich Raum Riker) stammen von mir ;-)
Vielen Dank an alle, die zur openSUSE Conference beigetragen haben, and für die Unterstützung bei den Reisekosten!
Last weekend (until tuesday) I visited the openSUSE conference which was in the "golden town" Prague this year. The conference was very interesting. One part are the talks, the other part is the "hallway track" where I met lots of people I only knew from mailinglists or bugzilla.
About 15 persons took part in my AppArmor workshop, which means they now know more about AppArmor. Some also asked about packaging of AppArmor profiles. If we are lucky, some applications will receive a profile in their package, or their profile will be proposed for inclusion the the upstream set of default profiles. The slides I used in the workshop are available for download at the end of this post.
Only 5 persons came to my openSUSE jeopardy, but they all played and had fun in finding the matching questions for my answers about Linux and openSUSE. Jan must have had most fun - he won both rounds (and two bottles of wine). The IRC based "buzzer" worked quite well and will probably be used again at next LinuxTag.
On monday, I was one of the few participants of the BoF about the openSUSE landing page, which we extended time-wise. This also means the admin@ BoF was more or less dropped, which wasn't really bad because there weren't admins around. Afterwards, Coolo volunteered me ;-) to operate a video camera. The terrible pictures of the audience on monday afternoon (project meeting etc.) and tuesday (mostly room Riker) are from me ;-)
Thanks to everybody who contributed to the openSUSE Conference, and for the travel support!
Slides:
 Mit meinem "1001 Bugs"-Vortrag habe ich die openSUSE Conference überlebt, obwohl mancher Entwickler vermutlich nicht ganz glücklich war, dass ich einen seiner peinlichen Bugs entdeckt hatte ;-)
Daher hielt ich diesen Vortrag in leicht überarbeiteter Form und in deutsch auch auf dem LinuxTag. Den ca. 80-90 Zuhörern hat es scheinbar gefallen - neben einigen Lachern zwischendurch bekam die "spezielle Regel für openSUSE" sogar Szenenapplaus :-)
Wer den Vortrag auf dem LinuxTag verpasst hat oder sich die Folien (incl. Notitzen) nochmal ansehen will - bitte schön:
1001 Bugs - oder: die goldenen Regeln für schlechte Programmierung als PDF
(Die LibreOffice-Datei stelle ich auf Anfrage gern bereit.)
If you missed my talk at the openSUSE conference or want to see the slides (including notes) again - here we are:
1001 bugs - or: the golden rules of bad programming as PDF
(If you need an editable LibreOffice file, just drop me a note.)
1001 bugs - das ist eins der Ergebnisse meiner Mitarbeit bei (open)SUSE: Ich habe vorhin meinen 1001. Bugreport eingereicht. Außerdem werde ich unter dem Motto "1001 bugs - or: the golden rules of bad programming" einen Vortrag auf der openSUSE conference halten. Die genaue Beschreibung meines Vortrags steht unter dem englischen Text. Ich habe schon eine ganze Reihe von Ideen für den Vortrag, bin aber für Vorschläge in den Kommentaren offen.
Wer sich für meine Bugzilla-Statistik interessiert, findet unten den Screenshot. Man sieht deutlich, dass ich bei SUSE Linux 9.2 mit dem Betatesten angefangen habe und seitdem die Entwickler mit Bugreports zuschütte ;-)
1001 bugs - that's one of the results of my work on (open)SUSE: I just filed my 1001. bugreport. Besides that, I'll give a talk "1001 bugs - or: the golden rules of bad programming" at the openSUSE conference. I already have lots of ideas for my talk, however I'm open for proposals - just add a comment here.
If you are interested in my bugzilla statistics, have a look at the screenshot below. You can clearly see that I started beta-testing with SUSE Linux 9.2 and since then overwhelm the developers with bugreports ;-)
But first I'll give you the the detailed description of my talk:
1001 bugs - or: the golden rules of bad programming
You'll find lots of books telling you how to write good code. That's nice and maybe even useful, but boring ;-)
My talk will give you something more inspiring: the golden rules of bad programming. It also comes with some interesting[tm] things I've seen in bugzilla as topping.
Most examples will be in pseudocode to be understandable for everybody.
(nur für Admins interessant, daher nur auf englisch)
I just released patch2mail 1.1 which will send you a mail when updates are available for your openSUSE system.
Changes:
- patch2mail will now also send notifications for package updates, not only for patches (configurable in /etc/sysconfig/patch2mail)
- include a note about package manager updates (they can hide other updates)
- older distributions are still supported of course - just make sure to install the package for the correct distribution. However the new features listed above are only supported on 11.1 and newer.
You can download patch2mail from the openSUSE build service.
I have also submitted the new version to Factory (SR 74130).
Erstmal ein kleines Schnipsel aus meiner Konsole:
Let's start with a sniplet from my console:
cb@geeko:~/postfixadmin> svn help | head -n1
usage: svn <subcommand> [options] [args]
cb@geeko:~/postfixadmin> cd /home/cb/apparmor
cb@geeko:~/apparmor> svn help | head -n1
Bazaar 2.0.5 -- a free distributed version-control tool
Mein SVN ist nicht verrückt geworden ;-) - ich habe nur ein kleines Script vorgelagert, das man am Besten als Verzeichnis-abhängigen Alias bezeichnen könnte. Wenn ich im Verzeichnis ~/apparmor bin, wird aus "svn" wie durch Geisterhand ein "bzr"-Aufruf. Das Script ~/bin/svn ist nicht wirklich kompliziert:
My SVN didn't go crazy ;-) - I just prepended a small script you could best describe as directory-dependent alias. When I'm working in ~/apparmor, it magically replaces "svn" with a "bzr" call. The script ~/bin/svn is not really complicated:
#!/bin/bash
command=/usr/bin/svn # use the full path. Just "svn" will result in an endless loop!
pwd | grep -q ^/home/cb/apparmor && command=/usr/bin/bzr
exec $command "$@"
Warum ich das Ganze brauche? Ich habe seit kurzem Commit-Rechte bei AppArmor, damit apparmor.vim
endlich ein offizielles Zuhause hat. Außerdem habe ich schon ein paar
Profil-Updates commited. (Keine Angst: vom C-Code werde ich mich
fernhalten ;-)
AppArmor verwendet Bazaar für die Versionskontrolle, und das ist glücklicherweise Parameter-kompatibel zu SVN (zumindest bei dem, was ich brauche) und erspart mir so die Umgewöhnung an noch eine Versionsverwaltung.
Nebenbei: Für Bazaar musste ich mir einen Launchpad-Zugang einrichten, und habe natürlich[tm] auch gleich einen Bug in Launchpad gefunden ;-)
Why do I need this? Since a short while, I have commit access for AppArmor. This finally gives apparmor.vim an official home. I also commited some profile updates. (Don't worry - I'll stay away from the C code ;-)
AppArmor uses Bazaar as version control system, which is luckily parameter compatible to SVN (at least for the commands I use). This means I don't have to keep another version control system in mind.
BTW: For Bazaar I had to create a Launchpad account, and of course[tm] found a Launchpad bug instantly ;-)
Gleich zwei Releases in einem Blog-Eintrag:
One blog post, two releases:
Prosit Neujahr und alles Gute für 2010! Dieser Artikel enthält einiges, das ich schon 2009 bloggen wollte, und außerdem eine kleine Neujahrsüberraschung von SpamAssassin ;-)
Happy New Year! This article contains some things I wanted to blog about in 2009 already, and a little new year surprise from SpamAssassin ;-)
- PostfixAdmin 2.3 wurde im Oktober 2009 releast, RPMs gibt es natürlich im openSUSE Build Service
PostfixAdmin 2.3 was released in october 2009, RPMs are available in the openSUSE Build Service
- Postfixadmin 2.4 (oder 3.0?) wird Smarty für die Templates verwenden
PostfixAdmin 2.4 (or 3.0?) will use smarty for the templates
- PostfixAdmin 2.3.1 (alle Bugfixes seit dem 2.3-Release, aber ohne Smarty) ist in Arbeit
PostfixAdmin 2.3.1 (with all bugfixes since 2.3 release, but without smarty) is under development
- openSUSE 11.2 wurde im November 2009 releast, und auch gleich von uns (Jan, Jan-Simon und mir) auf der Open Source Expo in Karlsruhe präsentiert
openSUSE 11.2 was released in november 2009, and presented by us (Jan, Jan-Simon and me) at the Open Source Expo in Karlsruhe
- und die Neujahrsüberraschung von SpamAssassin: 2010 bekommt jede Mail erstmal 3.188 Punkte... - Bugreport
and the new year surprise from SpamAssassin: every mail in 2010 gets 3.188 points... - Bugreport
"AppArmor in der Praxis" - unter diesem Titel hielt ich einen Vortrag auf dem LinuxTag, der trotz des eher trockenen Themas (Security!) recht gut besucht war. Ich habe versucht, den Vortrag so unterhaltsam wie möglich zu halten - ob mir das gelungen ist, darf gern in den Kommentaren vermerkt werden ;-)
Ein Seifenkisten-Rennen und fast zwei Wochen später gibt es meine Präsentation zum Download. (Die Originaldatei im OpenDocument-Format ist auf Anfrage erhältlich.) Eine Video-Aufzeichnung des Vortrags müsste demnächst im openSUSE-Wiki verfügbar sein.
"AppArmor in practise" is the title of the talk I gave at LinuxTag which was received quite well despite the "pedestrian" security topic. Nevertheless I tried to make the talk as lively as possible - feel free to add a comment if this worked out ;-)
One soap box race and nearly two weeks later, I managed to upload my presentation (german). (The original file in OpenDocument format is available on request.) A video recording of my talk should be available on the openSUSE wiki soon.
Download:apparmor-in-der-praxis.pdf
Wie gerade in meinem Vortrag "AppArmor in der Praxis" versprochen gibt es hier meine AppArmor-Profile, die ich auf meinem 11.1-Server benutze. Hinweis: Viele Profile sind im complain-Mode - mit aa-enforce können sie in den enforce-Mode versetzt werden. (Die Präsentation lade ich in den nächsten Tagen hoch.)
As just proposed in my "AppArmor in der Praxis" talk at LinuxTag, here are the AppArmor profiles I use on my 11.1 server. Note that many of them are in complain mode - use aa-enforce to switch them to enforce mode. (I'll upload my presentation in some days.)
Download: apparmor-profiles-111.tar.bz2
openSUSE 11.1 wurde heute freigegeben / was released today. Neben diesem Blogeintrag habe ich mich zu einer etwas ungewöhnlichen Werbemethode per .htaccess entschieden: Besides this blog entry, I decided to start a somewhat unusual advertising campaign using .htaccess: RewriteCond %{HTTP_REFERER} myspace.com [OR]
RewriteCond %{HTTP_REFERER} web3.vs165036.vserver.de [OR]
# some other domains
RewriteRule .*\.(gif|jpg|jpeg|bmp|png)$ http://counter.opensuse.org [R,NC]Das bedeutet, dass Leute, die Bilder von diesem Blog auf ihren Seiten einbinden und mir Traffic produzieren, ab sofort Werbung fürs neueste openSUSE-Release machen :-) Man sollte eben das Beste aus dem Bilderklau machen *g* This means that people who hotlink images from my blog on their pages (and cause traffic on my server) are automatically advertising the new openSUSE-release :-) Hey, I'm making the best of these image thefts *g* (BTW: Am häufigsten geklautes Bild / most stolen image: Winterlicher Weinberg)
|
Kommentare