All posts by corbet

[$] Containers as kernel objects — again

Post Syndicated from corbet original https://lwn.net/Articles/780364/rss

Linus Torvalds once famously said
that there is no design behind the Linux kernel. That may be true, but
there are still some guiding principles behind the evolution of the kernel;
one of those, to date, has been that the kernel does not recognize
“containers” as objects in their own right. Instead, the kernel provides
the necessary low-level features, such as namespaces and control groups, to
allow user space to create its own container abstraction. This refusal to
dictate the nature of containers has led to a diverse variety of container
models and a lot of experimentation. But that doesn’t stop those who would
still like to see the kernel recognize containers as first-class
kernel-supported objects.

[$] Development statistics for the 5.0 kernel

Post Syndicated from corbet original https://lwn.net/Articles/780271/rss

The announcement of the 5.0-rc7 kernel
prepatch on February 17 signaled the imminent release of the final 5.0
kernel and the end of this development cycle. 5.0, as it turns out,
brought in fewer changesets than its immediate predecessors, but it was
still a busy cycle with a lot of developers participating. Read on for an
overview of where the work came from in this release cycle.

[$] The case of the supersized shebang

Post Syndicated from corbet original https://lwn.net/Articles/779997/rss

Regressions are an unavoidable side effect of software development; the
kernel is no different in that regard. The 5.0 kernel introduced a change
in the handling of the “#!” (or “shebang”) lines used to indicate
which interpreter should handle an executable text file. The problem has
been duly fixed, but the incident shows how easy it can be to introduce
unexpected problems and highlights some areas where the kernel’s
development process does not work as well as we might like.

Geary 0.13.0 released

Post Syndicated from corbet original https://lwn.net/Articles/780003/rss

Version 0.13.0 of the Geary graphical email client is out.
This is a major new release, featuring a number of new features —
including a new user interface for creating and managing email
accounts, integration with GNOME Online Accounts (which also provides
OAuth login support for some services), improvements in displaying
conversations, composing new messages, interacting with other email
apps, reporting problems as they occur, and a number of important bug
fixes, server compatibility fixes, and security fixes.

[$] Per-vector software-interrupt masking

Post Syndicated from corbet original https://lwn.net/Articles/779738/rss

Software interrupts (or “softirqs”) are one of the oldest
deferred-execution mechanisms in the kernel, and that age shows at times.
Some developers have occasionally been heard to mutter about removing them, but
softirqs are too deeply embedded into how the kernel works to be easily ripped
out; most developers just leave them alone. So the recent per-vector
softirq masking patch set
from Frederic Weisbecker is noteworthy as an
exception to that rule. Weisbecker is not getting rid of softirqs, but he
is trying to reduce their impact and improve their latency.

[$] Some challenges for GNOME online accounts

Post Syndicated from corbet original https://lwn.net/Articles/779607/rss

The cynical among us might be tempted to think that an announcement from
the GNOME project about the removal of a feature — a relatively unused
feature at that — would be an unremarkable
event. In practice, though, Debarshi Ray’s announcement that the GNOME Online
Accounts (GOA) subsystem would no longer support the “documents” access
point touched off
a lengthy discussion within the project itself. The resulting discussion
revealed a few significant problems with GOA and, indeed, with the concept
of online-account management in any sort of open-source umbrella project
like GNOME.

[$] io_uring, SCM_RIGHTS, and reference-count cycles

Post Syndicated from corbet original https://lwn.net/Articles/779472/rss

The io_uring mechanism that was described here in
January has been through a number of revisions since then; those changes have
generally been fixing implementation issues rather than changing the
user-space API. In particular, this patch set seems to have received more
than the usual amount of security-related review, which can only be a good
thing. Security concerns became a bit of an obstacle for io_uring, though,
when virtual filesystem (VFS) maintainer Al Viro threatened to veto
the merging of the whole thing. It turns out that there were
some reference-counting issues that required his unique experience to
straighten out.

CVE-2019-5736: runc container breakout

Post Syndicated from corbet original https://lwn.net/Articles/779542/rss

Anybody running containerized workloads with runc (used by Docker,
cri-o, containerd, and Kubernetes, among others) will want to make note of
a newly disclosed vulnerability known as CVE-2019-5736. “The vulnerability
allows a malicious container to (with minimal user interaction) overwrite
the host runc binary and thus gain root-level code execution on the
host.” LXC is also evidently vulnerable to a variant of the exploit.

The CNCF annual report

Post Syndicated from corbet original https://lwn.net/Articles/779381/rss

For those wondering what the Cloud Native Computing Foundation is up to,
its 2018 annual report [PDF] is now out. “KubeCon + CloudNativeCon has expanded
from its start with 500 attendees in 2015 to become one of the largest and
most successful open source conferences ever. The KubeCon + CloudNativeCon
North America event in Seattle, held December 10-13, 2018, was our biggest
yet and was sold out several weeks ahead of time with 8,000
attendees.”

[$] Blacklisting insecure filesystems in openSUSE

Post Syndicated from corbet original https://lwn.net/Articles/779243/rss

The Linux kernel supports a wide variety of filesystem types, many of which
have not seen significant use — or maintenance — in many years. Developers
in the openSUSE project have concluded that many of these filesystem types are,
at this point, more useful to attackers than to openSUSE users and are
proposing to blacklist many of them by default. Such changes can be
controversial, but it’s probably still fair to say that few people expected
the massive discussion
that resulted, covering everything from the number of OS/2
users to how openSUSE fits into the distribution marketplace.

The OpenStack Foundation’s 2018 annual report

Post Syndicated from corbet original https://lwn.net/Articles/779313/rss

The OpenStack Foundation has issued its 2018 annual report. “2018 was a
productive year for the OpenStack community. A total of 1,972 contributors
approved more than 65,000 changes and published two major releases of all
components, code named Queens and Rocky. The component project teams
completed work on themes related to integrating with other OpenStack
components, other OpenStack Foundation Open Infrastructure Projects, and
projects from adjacent communities. They also worked on stability,
performance, and usability improvements. In addition to that
component-specific work, the community continued to expand our
OpenStack-wide goals process, using a few smaller topics to refine the goal
selection process and understand how best to complete initiatives on such a
large scale.”