lwn.net

Dylan O'Mahony, the cloud architecture manager for Bose, opened a presentation at KubeCon + CloudNativeCon North America 2018 by noting that many attendees may be wondering why a "50-year-old audio company" would be part of a presentation on Kubernetes. It turns out that Bose was looking for ways to support its smart-speaker products and found the existing solutions to be lacking. Bose partnered with Connected, "a product development company from Toronto", to use Kubernetes as part of that solution, so O'Mahony and David Doyle from Connected were at the conference to describe the prototype that they built.

Security updates have been issued by Debian (thunderbird), Fedora (terminology), openSUSE (GraphicsMagick), and Red Hat (rh-perl526-perl).

Cloud computing services that run customer code in short-lived processes are often called "serverless". But under the hood, virtual machines (VMs) are usually launched to run that isolated code on demand. The boot times for these VMs can be slow. This is the cause of noticeable start-up latency in a serverless platform like Amazon Web Services (AWS) Lambda. To address the start-up latency, AWS developed Firecracker, a lightweight virtual machine monitor (VMM), which it recently released as open-source software. Firecracker emulates a minimal device model to launch Linux guest VMs more quickly. It's an interesting exploration of improving security and hardware utilization by using a minimal VMM built with almost no legacy emulation.

Security updates have been issued by Mageia (graphicsmagick, poppler, python, and python-lxml) and openSUSE (GraphicsMagick).

When the 4.20 kernel was released on December 23, Linus Torvalds indicated that he would try to keep to the normal merge window schedule despite the presence of the holidays in the middle of it. Thus far, he seems to be trying to live up to that; just over 8,700 changesets have been merged for the next release, which seems likely to be called 5.0. A number of long-awaited features are finally landing in the kernel with this release.

The New York Times reports the death of Dr. Lawrence G. Roberts, who was heavily involved in Arpanet. "Dr. Roberts was considered the decisive force behind packet switching, the technology that breaks data into discrete bundles that are then sent along various paths around a network and reassembled at their destination. He decided to use packet switching as the underlying technology of the Arpanet; it remains central to the function of the internet." (Thanks to Paul Wise.)

Security updates have been issued by Arch Linux (go, go-pie, and webkit2gtk), Debian (c3p0, debian-security-support, libextractor, and tar), Fedora (electron-cash, leptonica, LibRaw, mingw-leptonica, mingw-openjpeg2, mingw-poppler, nettle, openjpeg2, php-pear, sqlite, and vcftools), Gentoo (GKSu and rust), Mageia (keepalived and libtiff), openSUSE (containerd, docker, go, go, GraphicsMagick, libraw, mozilla-nspr and mozilla-nss, netatalk, polkit, wireshark, and xen), and SUSE (containerd, docker, go, libqt5-qtbase, mailman, wireshark, and xen).

The 4.19.13, 4.14.91, and 4.9.148 stable kernels have all been released; each contains another set of important fixes.

Most processors spend a great deal of their time doing nothing, waiting for devices and timer interrupts. In these cases, they can switch to idle modes that shut down parts of their internal circuitry, especially stopping certain clocks. This lowers power consumption significantly and avoids draining device batteries. There are usually a number of idle modes available; the deeper the mode is, the less power the processor needs. The tradeoff is that the cost of switching to and from deeper modes is higher; it takes more time and the content of some caches is also lost. In the Linux kernel, the cpuidle subsystem has the task of predicting which choice will be the most appropriate. Recently, Rafael Wysocki proposed a new governor for systems with tickless operation enabled that is expected to be more accurate than the existing menu governor.

Security updates have been issued by Debian (libphp-phpmailer), Fedora (mosquitto and tinc), and Mageia (ruby-i18n and tcpdump).

Kees Cook summarizes the security-related improvements in the 4.20 kernel. "Enabling CONFIG_GCC_PLUGIN_STACKLEAK=y means almost all uninitialized variable flaws go away, with only a very minor performance hit (it appears to be under 1% for most workloads). It’s still possible that, within a single syscall, a later buggy function call could use 'uninitialized' bytes from the stack from an earlier function. Fixing this will need compiler support for pre-initialization (this is under development already for Clang, for example), but that may have larger performance implications."

Security updates have been issued by Debian (ghostscript, graphicsmagick, libarchive, libsndfile, libvncserver, ruby-sanitize, and wireshark), Fedora (mosquitto and tinc), Mageia (monit, sqlite3, and thunderbird), and SUSE (openssl).

Security updates have been issued by Debian (libextractor and nagios3) and Fedora (adplug, mingw-podofo, and podofo).

Security updates have been issued by CentOS (firefox), Debian (ghostscript, libarchive, openjpeg2, and sqlite3), Fedora (krb5, mariadb, mariadb-connector-c, mingw-openjpeg2, openjpeg2, phpMyAdmin, python-lxml, spatialite-tools, sqlite, and squid), Mageia (kernel), openSUSE (bluez, git, go1.10, libnettle, libqt5-qtbase, ovmf, pdns, perl, tcpdump, tiff, tryton, and yast2-rmt), Slackware (netatalk), and SUSE (buildah, caasp-cli, caasp-dex, cni-plugins, container-feeder, containerd-kubic, cri-o, cri-tools, docker-kubic, docker-runc-kubic, etcd, flannel, golang-github-docker-libnetwork-kubic, helm, kubernetes, kubernetes-dns, libcontainers-storage, podman, runc, skopeo, umoci, firefox, nspr, nss, netatalk, and qemu).

Linus has released 4.20 as expected. "Let's face it, last week wasn't quite as quiet as I would have hoped for, but there really doesn't seem to be any point to delay 4.20 because everybody is already taking a break." Some of the headline features in 4.20 include network flow dissectors in BPF, the taprio traffic scheduler, peer-to-peer DMA support in the PCI layer, C-SKY architecture support, the pressure-stall instrumentation mechanism, the XArray data structure, and much more. The KernelNewbies 4.20 page is coming together with more information.

This year's holiday gifts will include the 4.20 kernel; that can only mean that it is time for another look at where the code going into this release has come from. This development cycle was typically busy and brought a lot of new code into the kernel. There are some new faces showing up in the statistics this time around, but not a lot of surprises otherwise.

Greg Kroah-Hartman has announced the release of five new stable kernels: 4.19.12, 4.14.90, 4.9.147, 4.4.169, and 3.18.131. As usual, these contain important fixes throughout the tree; users of those series should upgrade.

Security updates have been issued by Debian (libapache-mod-jk, libav, and netatalk), Fedora (kernel-headers, kernel-tools, and phpMyAdmin), Gentoo (go), Mageia (netty, jctools, php, and phpmyadmin), openSUSE (keepalived), Scientific Linux (ntp), SUSE (enigmail, libqt5-qtbase, mariadb, netatalk, and yast2-rmt), and Ubuntu (kernel, linux, linux-aws, linux-azure, linux-gcp, linux-kvm, linux-raspi2, linux, linux-aws, linux-kvm, linux-raspi2, linux-snapdragon, linux-azure, linux-hwe, linux-aws-hwe, linux-azure, linux-gcp, linux-lts-trusty, linux-lts-xenial, linux-aws, and linux-raspi2).

The kernel's live-patching (KLP) mechanism can apply a wide variety of fixes to a running kernel but, at a first glance, the sort of highly intrusive changes needed to address vulnerabilities like Meltdown or L1TF would not seem like likely candidates for live patches. The most notable obstacles are the required modifications of global semantics on a running system, as well as the need for live patching the kernel's entry code. However, we at the SUSE live patching team started working on proof-of-concept live patches for these vulnerabilities as a fun project and have been able to overcome these hurdles. The techniques we developed are generic and might become handy again when fixing future vulnerabilities.

Security updates have been issued by CentOS (ntp), Debian (openssl1.0), openSUSE (salt), Oracle (firefox, ghostscript, and ntp), Red Hat (ntp), and SUSE (bluez, git, libnettle, ovmf, and tiff).