Everything You Need to Know about Linux Containers, Part II: Working with Linux Containers (LXC)

4 weeks ago
by Petros Koutoupis

Part I of this Deep Dive on containers introduces the idea of kernel control groups, or cgroups, and the way you can isolate, limit and monitor selected userspace applications. Here, I dive a bit deeper and focus on the next step of process isolation—that is, through containers, and more specifically, the Linux Containers (LXC) framework.

Containers are about as close to bare metal as you can get when running virtual machines. They impose very little to no overhead when hosting virtual instances. First introduced in 2008, LXC adopted much of its functionality from the Solaris Containers (or Solaris Zones) and FreeBSD jails that preceded it. Instead of creating a full-fledged virtual machine, LXC enables a virtual environment with its own process and network space. Using namespaces to enforce process isolation and leveraging the kernel's very own control groups (cgroups) functionality, the feature limits, accounts for and isolates CPU, memory, disk I/O and network usage of one or more processes. Think of this userspace framework as a very advanced form of chroot.


But what exactly are containers? The short answer is that containers decouple software applications from the operating system, giving users a clean and minimal Linux environment while running everything else in one or more isolated "containers". The purpose of a container is to launch a limited set of applications or services (often referred to as microservices) and have them run within a self-contained sandboxed environment.


Figure 1. A Comparison of Applications Running in a Traditional Environment to Containers

This isolation prevents processes running within a given container from monitoring or affecting processes running in another container. Also, these containerized services do not influence or disturb the host machine. The idea of being able to consolidate many services scattered across multiple physical servers into one is one of the many reasons data centers have chosen to adopt the technology.

Container features include the following:


New Raspberry Pi PoE HAT, UBports Foundation Releases Ubuntu Touch OTA-4, OpenSSH 7.8 Now Available, KDE Enhancements and Seagate Media Server SQL Injection Vulnerabilities

4 weeks ago

News briefs for August 27, 2018.

Raspberry Pi Trading is offering a Power-over-Ethernet HAT board for the RPi 3 Model B+ for $20 that ships with a small fan. Linux Gizmos notes that the "802.3af-compliant 'Raspberry Pi PoE HAT' allows delivery of up to 15W over the RPi 3 B+'s USB-based GbE port without reducing the port's up to 300Mbps bandwidth." To purchase, visit here.

UBports Foundation has released Ubuntu Touch OTA-4. This release features Ubuntu 16.04 and includes many security fixes and stability improvements. UBports notes that "We believe that this is the 'official' starting point of the UBports project. From the point when Canonical dropped the project until today, the community has been playing 'catch up' in development, infrastructure, and community building. This release shows that the community is soundly based and capable of delivering."

OpenSSH 7.8 was released August 24, 2018, and is available from its mirrors at

KDE developers continue to enhance KDE. According to Phoronix, the latest usability and productivity improvements include a new Plasmoid that brings easy access to the screen layout switcher, the logout screen will now warn you when other users are still logged in, new thumbnails for AppImages and more.

Several SQL injection vulnerabilities were discovered in the Seagate Media Server. Evidently the public folder facility "can be abused by malicious attackers when they upload troublesome files and media to the folder in the cloud". See the Appuals post for more details about this exploit.


Intel Reworks Microcode Security Fix License after Backlash, Intel's FSP Binaries Also Re-licensed, Valve Releases Beta of Steam Play for Linux, Chromebooks Running Linux 3.4 or Older Won't Get Linux App Support and Windows 95 Now an App

1 month ago

News briefs for August 24, 2018.

Intel has now reworked the license for its microcode security fix after outcry from the community. The Register quotes Imad Sousou, corporate VP and general manager of Intel Open Source Technology Center, "We have simplified the Intel license to make it easier to distribute CPU microcode updates and posted the new version here. As an active member of the open source community, we continue to welcome all feedback and thank the community."

Intel also has re-licensed its FSP binaries, which are used by Coreboot, LinuxBoot and Facebook's Open Compute Project, so that they are under the same license as the CPU microcode files. According to the Phoronix post, "The short and unofficial summary of that license text is it allows for redistribution (and benchmarking, if so desired) of the binaries and the restricts essentially come down to no reverse-engineering/disassembly of the binaries and respecting the copyright."

Valve announced this week that it's releasing the Beta of a new and improved Steam Play version to Linux. The new version includes "a modified distribution of Wine, called Proton, to provide compatibility with Windows game titles." Other improvements include DirectX 11 and 12 implementations that are now based on Vulkan, improved full-screen support, improved game controller support, and "Windows games with no Linux version currently available can now be installed and run directly from the Linux Steam client, complete with native Steamworks and OpenVR support".

Linux app support will be available soon for many Chromebooks, but a post on the Chromium Gerrit indicates that devices running Linux 3.14 or older will not be included. See this beta news article for a full list of the Chromebooks that won't be able to run Linux apps.

Windows 95 is now an app you can run on Linux, macOS and Windows thanks to Slack developer Felix Rieseberg who created the electron app. See The Verge for more details. The source code and app installers are available on GitHub.


Organizing a Market for Applications

1 month ago
by Sriram Ramkrishna

The "Year of the Desktop" has been a perennial call to arms that's sunken into a joke that's way past its expiration date. We frequently talk about the "Year of the Desktop", but we don't really talk about how we would achieve that goal. What does the "Year of the Desktop" even look like?

What it comes down to is applications—rather, a market for applications. There is no market for applications because of a number of cultural artifacts that began when the Free Software was just getting up on wobbly legs.

Today, what we have is a distribution-centric model. Software is distributed by an OSV (operating system vendor), and users get their software directly from there via whatever packaging mechanism that OSV supports. This model evolved because in the early-to-mid 1990s, those OSVs existed to compile the kernel and userspace into a cohesive product. Packaging of applications was the next step, a convenience to save users from having to compile their own applications, which always was a hit-or-miss endeavor because developers had different development environments from the users. Ultimately, OSVs enjoyed being gatekeepers as part of keeping developers honest and fixing issues that were unique to their operating system. OSVs saw themselves as agents representing users to provide high-quality software, and there was a feeling that developers were not to be trusted, as of course, nobody knows the state of their operating system better than they would.

However, this model presented a number of challenges to both commercial and open-source developers. For commercial developers, the problem became how to maximize their audience, as the "Linux" market consisted of a number of major OSVs and an uncountable number of smaller niche distributions. Commercial application developers would have to develop multiple versions of their own application targeted at various major distributions for fear of missing out on a subset of users. Over time, commercial application developers would settle on using Ubuntu or a compressed tar file hosted on their website. Various distributions would pick up these tarballs and re-package them for their users. If you were an open-source developer, you had the side benefit of distributions picking up your work automatically and packaging it for you if you enjoyed a large enough following. But open-source developers faced the same dilemma.


Debian Withholding Intel Security Patches, Linus Torvalds on the XArray Pull Request, Red Hat Transitioning Its Container Registry, Akraino Edge Stack Moves to Execution Phase, openSUSE Tumbleweed Snapshots Released and digiKam 6.0.0 Beta 1 Now Available

1 month ago

News briefs for August 23, 2018.

Debian is withholding security patches for the latest Intel CPU design flaw due to licensing issues. The Register reports that the end-user license file Intel added to the archive "prohibits, among other things, users from using any portion of the software without agreeing to be legally bound by the terms of the license", and Debian is not having it. See also Bruce Perens' blog post on this issue.

Linus Torvalds ranted about the XArray pull request this week on the LKML saying, "For some unfathomable reason, you have based it on the libnvdimm tree. I don't understand at all why you did that. That libnvdimm tree didn't get merged, because it had complete garbage in the mm/ code. And yes, that buggy shit was what you based the radix tree code on. I seriously have no idea why you have based it on some unstable random tree in the first place."

Red Hat is transitioning its customers and product portfolio to a new container registry for Red Hat container images at Red Hat notes that as it makes this transition, "the goal is to have a uniform experience for all of our registries that uses industry standard Open Authorization (OAuth)."

The Linux Foundation announced that its Akraino Edge Stack, "designed to improve the state of edge cloud infrastructure for enterprise edge, OTT edge, and carrier edge networks", is moving from formation to execution. The Akraino Edge Stack seed code will be released to the community this week at the Akraino Edge Stack Developer Summit.

Two openSUSE Tumbleweed snapshots were released this week. Changes include a move to kernel 4.18.0, KVM improvements, Mozilla Firefox 61.0.2 and many more fixes and updates.

digiKam 6.0.0 beta 1 was released recently. The next major version will include "full support of video files management working as photos"; "new tools to export to Pinterest, OneDrive and Box web-services"; "an integration of all import/export web-service tools in LightTable, Image editor and Showfoto"; and many more improvements.


Copy and Paste in Screen

1 month ago
by Kyle Rankin

Put the mouse down, and copy and paste inside a terminal with your keyboard using Screen.

Screen is a command-line tool that lets you set up multiple terminal windows within it, detach them and reattach them later, all without any graphical interface. This program has existed since before I started using Linux, but first I clearly need to address the fact that I'm even using Screen at all prior to writing a tech tip about it. I can already hear you ask, "Why not tmux?" Well, because every time someone tries to convince me to make the switch, it's usually for one of the following reasons:

  • Screen isn't getting updates: I've been happy with the current Screen feature set for more than a decade, so as long as distributions continue to package it, I don't feel like I need any newer version.
  • tmux key bindings are so much simpler: I climbed the Screen learning curve more than a decade ago, so to me, the Screen key bindings are second nature.
  • But you can do vertical and horizontal splits in tmux: you can do them in Screen too, and since I climbed that learning curve ages ago, navigating splits is part of my muscle memory just like inside vim.

So now that those arguments are out of the way, I thought those of you still using Screen might find it useful to learn how to do copy and paste within Screen itself. Although it's true that you typically can use your mouse to highlight text and paste it, if you are a fan of staying on the home row like I am, you realize how much faster and more efficient it is if you can copy and paste from within Screen itself using the keyboard. In fact, I found that once I learned this method, I ended up using it multiple times every day.

Enter Copy Mode

The first step is to enter copy mode from within Screen. Press Ctrl-a-[ to enter copy mode. Once you're in this mode, you can use arrow keys or vi-style keybindings to navigate up and down your terminal window. This is handy if you are viewing a log or other data that has scrolled off the screen and you want to see it. Typically people who are familiar with copy mode just use it for scrolling and then press q to exit that mode, but once you are in copy mode, you also can move the cursor to an area you want to copy.

Copy Text

To copy text once in copy mode, move your cursor to where you want to start copying and then press the space bar. This starts the text selection, and you'll see the cursor change so that it highlights the text as you move the cursor to select everything you want to copy. Once you are done selecting text, press the space bar again, and the selection is copied to Screen's copy buffer. Once text is copied to Screen's buffer, Screen automatically exits copy mode.
