Feed lwn LWN.net


Link https://lwn.net/
Feed http://lwn.net/headlines/rss
Updated 2025-06-17 16:15
[$] A new kernel polling interface
Polling a set of file descriptors to see which ones can perform I/O without blocking is a useful thing to do — so useful that the kernel provides three different system calls (select(), poll(), and epoll_wait() — plus some variants) to perform it. But sometimes three is not enough; there is now a proposal circulating for a fourth kernel polling interface. As is usually the case, the motivation for this change is performance.
Security updates for Tuesday
Security updates have been issued by Arch Linux (graphicsmagick and linux-lts), CentOS (thunderbird), Debian (kernel, opencv, php5, and php7.0), Fedora (electrum), Gentoo (libXfont), openSUSE (gimp, java-1_7_0-openjdk, and libvorbis), Oracle (thunderbird), Slackware (irssi), SUSE (kernel, kernel-firmware, and kvm), and Ubuntu (awstats, nvidia-graphics-drivers-384, python-pysaml2, and tomcat7, tomcat8).
[$] Is it time for open processors?
The disclosure of the Meltdown and Spectre vulnerabilities has brought a new level of attention to the security bugs that can lurk at the hardware level. Massive amounts of work have gone into improving the (still poor) security of our software, but all of that is in vain if the hardware gives away the game. The CPUs that we run in our systems are highly proprietary and have been shown to contain unpleasant surprises (the Intel management engine, for example). It is thus natural to wonder whether it is time to make a move to open-source hardware, much like we have done with our software. Such a move may well be possible, and it would certainly offer some benefits, but it would be no panacea.
MusE 3.0.0 released
Three years after the last stable release, version 3.0 of the MusE MIDI/Audio sequencer is now available. As you might expect, there are many changes since the last release, including a switch to Qt5, a new Plugin Path editor in Global Settings, a mixer makeover with lots of fixes, a system-wide move to double precision of all audio paths, and much more.
Security updates for Monday
Security updates have been issued by Arch Linux (linux-hardened, linux-lts, linux-zen, and mongodb), Debian (gdk-pixbuf, gifsicle, graphicsmagick, kernel, and poppler), Fedora (dracut, electron-cash, and firefox), Gentoo (backintime, binutils, chromium, emacs, libXcursor, miniupnpc, openssh, optipng, and webkit-gtk), Mageia (kernel, kernel-linus, kernel-tmb, openafs, and python-mistune), openSUSE (clamav-database, ImageMagick, kernel-firmware, nodejs4, and qemu), Red Hat (linux-firmware, ovirt-guest-agent-docker, qemu-kvm-rhev, redhat-virtualization-host, rhev-hypervisor7, rhvm-appliance, thunderbird, and vdsm), Scientific Linux (thunderbird), SUSE (kernel and qemu), and Ubuntu (firefox and poppler).
Kernel prepatch 4.15-rc7
Linus has released the 4.15-rc7 kernel prepatch. "Ok, we had an interesting week, and by now everybody knows why we were merging all those odd x86 page table isolation patches without following all of the normal release timing rules. But rc7 itself is actually pretty calm."
Kroah-Hartman: Meltdown and Spectre Linux Kernel Status
Here's an update from Greg Kroah-Hartman on the kernel's response to Meltdown and Spectre. "If you rely on any other kernel tree other than 4.4, 4.9, or 4.14 right now, and you do not have a distribution supporting you, you are out of luck. The lack of patches to resolve the Meltdown problem is so minor compared to the hundreds of other known exploits and bugs that your kernel version currently contains. You need to worry about that more than anything else at this moment, and get your systems up to date first. Also, go yell at the people who forced you to run an obsoleted and insecure kernel version, they are the ones that need to learn that doing so is a totally reckless act."
[$] Addressing Meltdown and Spectre in the kernel
When the Meltdown and Spectre vulnerabilities were disclosed on January 3, attention quickly turned to mitigations. There was already a clear defense against Meltdown in the form of kernel page-table isolation (KPTI), but the defenses against the two Spectre variants had not been developed in public and still do not exist in the mainline kernel. Initial versions of proposed defenses have now been disclosed. The resulting picture shows what has been done to fend off Spectre-based attacks in the near future, but the situation remains chaotic, to put it lightly.
Haas: The State of VACUUM
Robert Haas continues his series on the PostgreSQL VACUUM operation with this survey of recent work and unsolved problems. "What is left to be done? The PostgreSQL development community has made great progress in reducing the degree to which VACUUM performs unnecessary scans of table pages, but basically no progress at all in avoiding unnecessary scanning of index pages. For instance, even a VACUUM which finds no dead row versions will still scan btree indexes to recycle empty pages."
More details about mitigations for the CPU Speculative Execution issue (Google Security Blog)
One of the main concerns about the mitigations for the Meltdown/Spectre speculative execution bugs has been performance. The Google Security Blog is reporting negligible performance impact on Google systems for two of the mitigations (kernel page-table isolation and Retpoline): "In response to the vulnerabilities that were discovered we developed a novel mitigation called “Retpoline” -- a binary modification technique that protects against “branch target injection” attacks. We shared Retpoline with our industry partners and have deployed it on Google’s systems, where we have observed negligible impact on performance. In addition, we have deployed Kernel Page Table Isolation (KPTI) -- a general purpose technique for better protecting sensitive information in memory from other software running on a machine -- to the entire fleet of Google Linux production servers that support all of our products, including Search, Gmail, YouTube, and Google Cloud Platform. There has been speculation that the deployment of KPTI causes significant performance slowdowns. Performance can vary, as the impact of the KPTI mitigations depends on the rate of system calls made by an application. On most of our workloads, including our cloud infrastructure, we see negligible impact on performance."
Three new stable kernels
Greg Kroah-Hartman has announced the release of the 4.14.12, 4.9.75, and 4.4.110 stable kernels. The bulk of the changes are either to fix the mitigations for Meltdown/Spectre (in 4.14.12) or to backport those mitigations (in the two older kernels). There are apparently known (or suspected) problems with each of the releases, which Kroah-Hartman is hoping to get shaken out in the near term. For example, the 4.4.110 announcement warns: "But be careful, there have been some reports of problems with this release during the -rc review cycle. Hopefully all of those issues are now resolved. So please test, as of right now, it should be 'bug compatible' with the 'enterprise' kernel releases with regards to the Meltdown bug and proper support on all virtual platforms (meaning there is still a vdso issue that might trip up some old binaries, again, please test!)"
Security updates for Friday
Security updates have been issued by Arch Linux (kernel), CentOS (kernel, libvirt, microcode_ctl, and qemu-kvm), Debian (kernel and xen), Fedora (kernel), Mageia (backintime, erlang, and wildmidi), openSUSE (kernel and ucode-intel), Oracle (kernel, libvirt, microcode_ctl, and qemu-kvm), Red Hat (kernel, kernel-rt, libvirt, microcode_ctl, qemu-kvm, and qemu-kvm-rhev), Scientific Linux (libvirt and qemu-kvm), SUSE (kvm and qemu), and Ubuntu (ruby1.9.1, ruby2.0, ruby2.3).
A collection of Meltdown/Spectre postings
There's lots of material out on the net regarding the just-disclosed processor vulnerabilities and their impact on users. Here is a list of worthwhile stuff we have found.
Security updates for Thursday
As might be guessed, a fair number of these updates are for the kernel and microcode changes to mitigate Meltdown and Spectre. More undoubtedly coming over the next weeks. Security updates have been issued by CentOS (kernel, linux-firmware, and microcode_ctl), Debian (imagemagick), Fedora (kernel, libvirt, and python33), Mageia (curl, gdm, gnome-shell, libexif, libxml2, libxml2, perl-XML-LibXML, perl, swftools, and systemd), openSUSE (kernel-firmware), Oracle (kernel), Red Hat (kernel, kernel-rt, linux-firmware, and microcode_ctl), Scientific Linux (kernel, linux-firmware, and microcode_ctl), SUSE (ImageMagick, java-1_7_0-openjdk, kernel, kernel-firmware, microcode_ctl, qemu, and ucode-intel), and Ubuntu (apport, dnsmasq, and webkit2gtk).
[$] LWN.net Weekly Edition for January 4, 2018
The LWN.net Weekly Edition for January 4, 2018 is available.
[$] Notes from the Intelpocalypse
Rumors of an undisclosed CPU security issue have been circulating since before LWN first covered the kernel page-table isolation patch set in November 2017. Now, finally, the information is out — and the problem is even worse than had been expected. Read on for a summary of these issues and what has to be done to respond to them in the kernel.
[$] Varlink: a protocol for IPC
One of the motivations behind projects like kdbus and bus1, both of which have fallen short of mainline inclusion, is to have an interprocess communication (IPC) mechanism available early in the boot process. The D-Bus IPC mechanism has a daemon that cannot be started until filesystems are mounted and the like, but what if the early boot process wants to perform IPC? A new project, varlink, was recently announced; it aims to provide IPC from early boot onward, though it does not really address the longtime D-Bus performance complaints that also served as motivation for kdbus and bus1.
The disclosure on the processor bugs
The rumored bugs in Intel (and beyond) processors have now been disclosed: they are called Meltdown and Spectre, and have the requisite cute logos. Stay tuned for more. See also: this Project Zero blog post. "Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. We reported this issue to Intel, AMD and ARM on 2017-06-01." See also: this Google blog posting on how it affects users of Google products in particular. "[Android] devices with the latest security update are protected. Furthermore, we are unaware of any successful reproduction of this vulnerability that would allow unauthorized information disclosure on ARM-based Android devices. Supported Nexus and Pixel devices with the latest security update are protected."
[$] A Modularity rethink for Fedora
We have covered the Fedora Modularity initiative a time or two over the years but, just as the modular "product" started rolling out, Fedora went back to the drawing board. There were a number of fundamental problems with Modularity as it was to be delivered in the Fedora 27 server edition, so a classic version of the distribution was released instead. But Modularity is far from dead; there is a new plan afoot to deliver it for Fedora 28, which is due in May.
A press release from Intel
Intel has responded to reports of security issues in its processors: "Recent reports that these exploits are caused by a “bug” or a “flaw” and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits. Intel is committed to product and customer security and is working closely with many other technology companies, including AMD, ARM Holdings and several operating system vendors, to develop an industry-wide approach to resolve this issue promptly and constructively. Intel has begun providing software and firmware updates to mitigate these exploits. Contrary to some reports, any performance impacts are workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time." Stay tuned, there is certainly more to come.
[$] Statistics for the 4.15 kernel
The 4.15 kernel is likely to require a relatively long development cycle as a result of the post-rc5 merge of the kernel page-table isolation patches. That said, it should be in something close to its final form, modulo some inevitable bug fixes. The development statistics for this kernel release look fairly normal, but they do reveal an unexpectedly busy cycle overall.
Announcing the OpenWrt/LEDE merge
The OpenWrt and LEDE projects have announced their unification under the OpenWrt name. The old OpenWrt CC 15.05 release series will receive a limited amount of security and bug fixes, but the current LEDE 17.01 series is the most up-to-date. "The merged project will use the code base of the former LEDE project. OpenWrt specific patches not present in the LEDE repository but meeting LEDE's code quality requirements got integrated into the new tree. The source code will be hosted at git.openwrt.org with a continuously synchronized mirror hosted at Github. The original OpenWrt codebase has been archived on Github for future reference."
[$] Future directions for PGP
Back in October, LWN reported on a talk about the state of the GNU Privacy Guard (GnuPG) project, an asymmetric public-key encryption and signing tool that had been almost abandoned by its lead developer due to lack of resources before receiving a significant infusion of funding and community attention. GnuPG 2 has brought about a number of changes and improvements but, at the same time, several efforts are underway to significantly change the way GnuPG and OpenPGP are used. This article will look at the current state of GnuPG and the OpenPGP web of trust, as compared to new implementations of the OpenPGP standard and other trust systems.
Security updates for Wednesday
Security updates have been issued by Debian (poppler), Fedora (glibc, phpMyAdmin, python33, and xen), Mageia (awstats, binutils, connman, elfutils, fontforge, fossil, gdb, gimp, jbig2dec, libextractor, libical, libplist, mbedtls, mercurial, OpenEXR, openldap, perl-DBD-mysql, podofo, python-werkzeug, raptor2, rkhunter, samba, w3m, and wayland), and Ubuntu (firefox).
Another set of stable kernel updates
The 4.14.11, 4.9.74, 4.4.109, and 3.18.91 stable kernel updates have been released with another set of significant fixes and updates. Note that 4.14.11 also includes the remainder of the kernel page-table isolation patches.
[$] Welcome to 2018
Welcome to the first LWN.net feature article for 2018. The holidays are over and it's time to get back to work. One of the first orders of business here at LWN is keeping up with our ill-advised tradition of making unlikely predictions for the coming year. There can be no doubt that 2018 will be an eventful and interesting year; here's our attempt at guessing how it will play out.
Happy New Year - Welcome to Linux Journal 2.0
Linux Journal is back. "Talk about a Happy New Year. The reason: it turns out we're not dead. In fact, we're more alive than ever, thanks to a rescue by readers—specifically, by the hackers who run Private Internet Access (PIA) VPN, a London Trust Media company. PIA are avid supporters of freenode and the larger FOSS community. They’re also all about Linux and the rest of the modern portfolio of allied concerns: privacy, crypto, freedom, personal agency, rewriting the rules of business and government around all of those, and having fun with constructive hacking of all kinds. We couldn’t have asked for a better rescue ship to come along for us."
The return of Linux Journal
It turns out that Linux Journal isn't shutting down after all. "In fact, we're more alive than ever, thanks to a rescue by readers—specifically, by the hackers who run Private Internet Access (PIA) VPN, a London Trust Media company. PIA are avid supporters of freenode and the larger FOSS community."
Security updates for Tuesday
Security updates have been issued by Debian (imagemagick), Fedora (chromium), and Mageia (iceape, libzip, and mad).
Security updates for New Year's day
Security updates have been issued by Debian (asterisk, gimp, thunderbird, and wireshark), Fedora (global, python-mistune, and thunderbird-enigmail), Mageia (apache, bind, emacs, ffmpeg, freerdp, gdk-pixbuf2.0, gstreamer0.10-plugins-bad/gstreamer1.0-plugins-bad, gstreamer0.10-plugins-ugly, gstreamer0.10-plugins-ugly/gstreamer1.0-plugins-ugly, gstreamer1.0-plugins-bad, heimdal, icu, ipsec-tools, jasper, kdebase4-runtime, ldns, libvirt, mupdf, ncurses, openjpeg2, openssh, python/python3, ruby, ruby-RubyGems, shotwell, thunderbird, webkit2, and X11 client libraries), openSUSE (gdk-pixbuf and phpMyAdmin), and SUSE (java-1_7_1-ibm).
Kernel prepatch 4.15-rc6
The 4.15-rc6 kernel prepatch has been released for testing. "This would have been a very quiet week, if it wasn't for the final x86 PTI stuff - and that shows in the diffstat too. About half the rc6 work is x86 updates. The timing for this isn't wonderful, but it all looks nice and clean."
Kernel page-table isolation merged
Linus has merged the kernel page-table isolation patch set into the mainline just ahead of the 4.15-rc6 release. This is a fundamental change that was added quite late in the development cycle; it seems a fair guess that 4.15 will have to go to -rc8, at least, before it's ready for release.
Stable kernels 4.14.10 and 4.9.73
Greg Kroah-Hartman has announced the release of the 4.14.10 and 4.9.73 stable kernels. Both have fixes across the tree, though 4.14.10 is rather larger and contains more of the kernel page-table isolation work.
Security updates for Friday
Security updates have been issued by Debian (imagemagick, mercurial, and thunderbird), Fedora (asterisk, libexif, python-mistune, sensible-utils, shellinabox, and webkitgtk4), Mageia (glibc, kernel-firmware, and phpmyadmin), and openSUSE (global).
Security updates for Wednesday
Security updates have been issued by Fedora (asterisk, evince, lynx, ruby, sensible-utils, and shellinabox) and SUSE (GraphicsMagick and java-1_7_1-ibm).
salsa.debian.org (git.debian.org replacement) going into beta
The Debian Project has been working on replacing git.debian.org with a GitLab based service at https://salsa.debian.org. Active Debian Developers already have accounts. "External users are invited to create an account on salsa. To avoid clashes with future Debian Developers, we are enforcing a '-guest' suffix for any guest username. Therefore we developed a self-service portal which allows non-Debian Developers to sign up, available at https://signup.salsa.debian.org. Please keep in mind that your username will have '-guest' appended."
Security updates for a holiday Monday
Security updates have been issued by Debian (enigmail, gimp, irssi, kernel, rsync, ruby1.8, and ruby1.9.1), Fedora (json-c and kernel), Mageia (libraw and transfig), openSUSE (enigmail, evince, ImageMagick, postgresql96, python-PyJWT, and thunderbird), Slackware (mozilla), and SUSE (evince).
Some holiday stable kernel updates
The 4.14.9, 4.9.72, 4.4.108, and 3.18.90 stable kernel updates have been released with a large set of important fixes. The 4.14.9 update includes the kernel page-table isolation precursor patches that also just landed in 4.15-rc5.
Kernel prepatch 4.15-rc5
The 4.15-rc5 kernel prepatch is out. "This (shortened) week ended up being fairly normal for rc5, with the exception of the ongoing merging of the x86 low-level prep for kernel page table isolation that continues and is noticeable. In fact, about a third of the rc5 patch is x86 updates due to that."
Privilege escalation via eBPF in Linux 4.9 and beyond
Jann Horn has reported eight bugs in the eBPF verifier, one for the 4.9 kernel and seven introduced in 4.14, to the oss-security mailing list. Some of these bugs result in eBPF programs being able to read and write arbitrary kernel memory, thus can be used for a variety of ill effects, including privilege escalation. As Ben Hutchings notes, one mitigation would be to disable unprivileged access to BPF using the following sysctl: kernel.unprivileged_bpf_disabled=1. More information can also be found in this Project Zero bug entry. The fixes are not yet in the mainline tree, but are in the netdev tree. Hutchings goes on to say: "There is a public exploit that uses several of these bugs to get root privileges. It doesn't work as-is on stretch [Debian 9] with the Linux 4.9 kernel, but is easy to adapt. I recommend applying the above mitigation as soon as possible to all systems running Linux 4.4 or later."
[$] An introduction to the BPF Compiler Collection
In the previous article of this series, I discussed how to use eBPF to safely run code supplied by user space inside of the kernel. Yet one of eBPF's biggest challenges for newcomers is that writing programs requires compiling and linking to the eBPF library from the kernel source. Kernel developers might always have a copy of the kernel source within reach, but that's not so for engineers working on production or customer machines.
Judge rm -rf Grsecurity's defamation sue-ball against Bruce Perens (Register)
The Register reports that the grsecurity defamation suit filed against Bruce Perens has been tossed out of court. "On Thursday, the judge hearing the case, San Francisco magistrate judge Laurel Beeler, granted Perens' motion to dismiss the complaint while also denying – for now – his effort to invoke California's anti-SLAPP law."
FSF adds PureOS to list of endorsed GNU/Linux distributions
The Free Software Foundation (FSF) has announced that it added PureOS to its list of endorsed Linux distributions. "'PureOS is a GNU operating system that embodies privacy, security, and convenience strictly with free software throughout. Working with the Free Software Foundation in this multi-year endorsement effort solidifies our longstanding belief that free software is the nucleus for all things ethical for users. Using PureOS ensures you are using an ethical operating system, committed to providing the best in privacy, security, and freedom,' said Todd Weaver, Founder & CEO of Purism."
Moglen fires back at the Software Freedom Conservancy
Here's the latest from Eben Moglen on the Software Freedom Law Center's trademark attack against the Software Freedom Conservancy. "We propose a general peace, releasing all claims that the parties have against one another, in return for an iron-clad agreement for mutual non-disparagement, binding all the organizations and individuals involved, with strong safeguards against breach. SFLC will offer, as part of such an overall agreement, a perpetual, royalty-free trademark license for the Software Freedom Conservancy to keep and use its present name, subject to agreed measures to prevent confusion, and continued observance of the non-disparagement agreement." In the spirit of non-disparagement, it also says: "In view of this evidence and the sworn pleading submitted by the Conservancy, we have now moved to amend our petition, to state as a second ground for the cancellation that the trademark was obtained by fraud."
Security updates for Friday
Security updates have been issued by Debian (bouncycastle, enigmail, and sensible-utils), Fedora (kernel), Mageia (dhcp, flash-player-plugin, glibc, graphicsmagick, java-1.8.0-openjdk, kernel, kernel-linus, kernel-tmb, mariadb, pcre, rootcerts, rsync, shadow-utils, and xrdp), and SUSE (java-1_8_0-ibm and kernel).
Security updates for Thursday
Security updates have been issued by Debian (libreoffice, openafs, and otrs2) and SUSE (ImageMagick).
[$] LWN.net Weekly Edition for December 21, 2017
The LWN.net Weekly Edition for December 21, 2017 is available.
[$] Containers without Docker at Red Hat
The Docker (now Moby) project has done a lot to popularize containers in recent years. Along the way, though, it has generated concerns about its concentration of functionality into a single, monolithic system under the control of a single daemon running with root privileges: dockerd. Those concerns were reflected in a talk by Dan Walsh, head of the container team at Red Hat, at KubeCon + CloudNativeCon. Walsh spoke about the work the container team is doing to replace Docker with a set of smaller, interoperable components. His rallying cry is "no big fat daemons" as he finds them to be contrary to the venerated Unix philosophy.
[$] Demystifying container runtimes
As we briefly mentioned in our overview article about KubeCon + CloudNativeCon, there are multiple container "runtimes", which are programs that can create and execute containers that are typically fetched from online images. That space is slowly reaching maturity both in terms of standards and implementation: Docker's containerd 1.0 was released during KubeCon, CRI-O 1.0 was released a few months ago, and rkt is also still in the game. With all of those runtimes, it may be a confusing time for those looking at deploying their own container-based system or Kubernetes cluster from scratch. This article will try to explain what container runtimes are, what they do, how they compare with each other, and how to choose the right one. It also provides a primer on container specifications and standards.
[$] A 2017 retrospective
The December 21 LWN Weekly Edition will be the final one for 2017; as usual, we will take the last week of the year off and return on January 4. It's that time of year where one is moved to look back over the last twelve months and ruminate on what happened; at LWN, we also get the opportunity to mock the predictions we made back in January. Read on for the scorecard and a year-end note from LWN.