AlmaLinux 放棄 1:1 clone RHEL

上個禮拜的資訊了 AlmaLinux 最後決定放棄 clone RHEL:「The Future of AlmaLinux is Bright」。

After much discussion, the AlmaLinux OS Foundation board today has decided to drop the aim to be 1:1 with RHEL. AlmaLinux OS will instead aim to be Application Binary Interface (ABI) compatible*.

這樣在市場上有 Rocky LinuxSUSE 也打算要搞自己的 RHEL clone 的前提下,沒有使用 AlmaLinux 的誘因,標題說的 bright 就是講講而已。

SUSE 參戰:SUSE 宣佈投入 RHEL clone

Hacker News 上看到「SUSE is forking RHEL (suse.com)」這個,原文的確就是 SUSE 決定參戰,跳進去 clone RHEL:「SUSE Preserves Choice in Enterprise Linux by Forking RHEL with a $10+ Million Investment」。

第一段把重點講完了,手上自己有 SUSE Linux Enterprise 的 SUSE 決定要維護一套 RHEL clone:

Today SUSE, the company behind Rancher, NeuVector, and SUSE Linux Enterprise (SLE) and a global leader in enterprise open source solutions, announced it is forking publicly available Red Hat Enterprise Linux (RHEL) and will develop and maintain a RHEL-compatible distribution available to all without restrictions. Over the next few years, SUSE plans to invest more than $10 million into this project.

然後 Hacker News 討論裡面看到這個資訊頗有趣:SUSE 的 CEO Dirk-Peter van Leeuwen 才來三個月,先前在 Red Hat 待了十八年:

> Dirk-Peter van Leeuwen, CEO of SUSE, said,

According to LinkedIn Dirk-Peter started at Suse 3 months ago as CEO and worked for Red Hat for 18 years and was a Senior VP at Red Hat.

I think this move of Suse could be a credible threat to IBM / Red Hat's RHEL.

LinkedIn 上的經歷,應該算是純業務出身... 這算是什麼操作?

Rocky Linux 提出兩個方法取得 RHEL 的 source code

在「AlmaLinux 與 Rocky Linux 看起來都暫時無解」這邊提到了檯面上目前沒有好方法穩定取得 source code 後,Rocky Linux 提出了兩個方法,在不需要同意 RHEL 的條款下取得 RHEL 的 source code:「Keeping Open Source Open」。

中間還有一些小插曲可以提一下,在社群不少抗議聲後,IBM & Red Hat 的 VP 出來直接說他們認為 RHEL rebuild 沒有任何價值,而且是故意讓 rebuilder 更難實作 RHEL rebuild:「Red Hat’s commitment to open source: A response to the git.centos.org changes」。

Ultimately, we do not find value in a RHEL rebuild and we are not under any obligation to make things easier for rebuilders; this is our call to make.

回到 Rocky Linux 的文章,他們提出來的兩個方法都是基於 GPL 的重要性質:如果你可以合法拿到 binary,那麼散佈者就有義務要提供 source code。

第一個方法是透過 RHEL 目前公開提供的 container image:

One option is through the usage of UBI container images which are based on RHEL and available from multiple online sources (including Docker Hub). Using the UBI image, it is easily possible to obtain Red Hat sources reliably and unencumbered. We have validated this through OCI (Open Container Initiative) containers and it works exactly as expected.

另外一種方式是透過雲端服務的 cloud instance 跑 RHEL:

Another method that we will leverage is pay-per-use public cloud instances. With this, anyone can spin up RHEL images in the cloud and thus obtain the source code for all packages and errata. This is the easiest for us to scale as we can do all of this through CI pipelines, spinning up cloud images to obtain the sources via DNF, and post to our Git repositories automatically.

這兩個方法都不需要同意 RHEL 目前在網站上的 TOS 與 EULA,而且短時間內應該不好防堵:前者要關掉的話,應該有一堆既有 RHEL 客戶在用會直接抱怨,真的要硬幹的話得給這些客戶時間從 public repository 轉移到要認證的 repository 上;而後者要堵的話,除非 IBM & Red Hat 決定直接不做雲端生意?

看起來 Rocky Linux 與 AlmaLinux 用這套方法可以撐一陣子,直到 IBM & Red Hat 想出新方法來搞?

AlmaLinux 與 Rocky Linux 看起來都暫時無解

昨天提到的「IBM 決定停止公開發布 RHEL 的 source code」有了另外一邊的說明了:

如同 AlmaLinux 所說的,重新散佈程式碼是受限的:

Unfortunately the way we understand it today, Red Hat’s user interface agreements indicate that re-publishing sources acquired through the customer portal would be a violation of those agreements.

所以目前 AlmaLinux 的意思是沒有什麼好解法,而 Rocky Linux 的公告文章只有幹話,沒有實質內容。

但我猜既有的客戶裡面有不受這個條款影響的族群,像是直接跟 IBM 談授權合約的公司,有可能會有排除單方面修改授權的條款,這個應該會是目前 RHEL 8/9 的破口,但後續再釋出的版本應該會被 IBM 的法務給補上?

Rocky Linux 8.4 推出了...

用來替代 CentOSRocky Linux 8.4 推出了:「Rocky Linux 8.4 GA Available Now」,可以在 Downloads 這個頁面下載。

一般 HTTPS 下載可以看到透過 Fastly 的 CDN,雖然台灣沒有 PoP,但拉了一下看起來還是夠快 (即使是晚上時間),台北市家裡的 HiNet 1G/600M 可以跑到 56.1MB/sec,新莊家裡的 300M/100M 則是 11.8MB/sec,都是走 IPv6,雖然沒滿速但這個速度算快了,畢竟要跨國塞...

如果真的要快的話 (畢竟 x86_64 的 image 要 9GB),透過 BitTorrent 下載的速度會快不少,至少我是可以跑滿 HiNet 上 1G 與 300M 的下載...

另外一個加速的方式是平行下載,像是透過 AXEL 這種工具:

axel -c 4 https://download.rockylinux.org/pub/rocky/8/isos/x86_64/Rocky-8.4-x86_64-minimal.iso

官方有提供 migration tool,可以讓使用者從 CentOS 轉移到 Rocky Linux,對於不方便或是不想要重灌的使用者提供另外一種選擇:「migrate2rocky -- Conversion Script」。

Rocky Linux 放出 RC1 了

Red Hat 實質上廢掉 CentOS 後,原來 CentOS 的人決定要再 fork 一次,弄了 Rocky Linux,前幾天放出 RC1 了:「Rocky Linux 8.3 RC1 Available Now」。

還沒下載下來測試,但我猜應該跟當初的 CentOS 差不多...

文章裡面提到的贊助商不少大公司,包括 AWS 也在列表內,好像可以理解為什麼...

另外翻到「Public active mirrors」這頁,看到 Fastly 居然有贊助頻寬,看起來也不需要擔心頻寬問題了。

等晚點再進去看看情況... 話說回來,官網上對 Rocky Linux 的介紹真是隱晦,完全不提到 Red Hat 看起來是避免被告 (以及被搞):

Rocky Linux is a community enterprise operating system designed to be 100% bug-for-bug compatible with America's top enterprise Linux distribution now that its downstream partner has shifted direction. It is under intensive development by the community. Rocky Linux is led by Gregory Kurtzer, founder of the CentOS project. Release Candidate 1 is now available for testing. Contributors are asked to reach out using the communication options offered on this site.

CentOS 將會變成 CentOS Stream

讓不少團隊要炸的消息,CentOS 將會被消滅變成 CentOS Stream:「CentOS Project shifts focus to CentOS Stream」與「CentOS Stream: Building an innovative future for enterprise Linux」。

很多團隊用 CentOS 的主要原因就是因為他基本上就是個 RHEL 重新打包的版本,一來更新速度沒有很快 (所以穩定不少,跑得好好的就不要動他最穩...),二來很多商用軟體都可以在支援 RHEL 時「順便」支援 CentOS。

再來是考慮到他有超級長的支援期,像是 2011 年推出的 CentOS 6 到上個月月底 (2020/11/30) 才終止支援,相較於 Ubuntu LTS 提供的五年來說長很多。

所以兩邊都有選擇的理由 (以及族群),一邊是追求穩定性,一邊是有新技術的需求。

不過 IBM 在 2018 年收購 Red Hat 後看起來對這件事情有很不一樣的看法:決定要收掉 CentOS,然後借屍還魂叫做 CentOS Stream,上面開始會有與 RHEL 不同的東西。

When CentOS Linux 8 (the rebuild of RHEL8) ends, your best option will be to migrate to CentOS Stream 8, which is a small delta from CentOS Linux 8, and has regular updates like traditional CentOS Linux releases.

所以接下來還有支援的兩個版本,分別是 2014 年出的 CentOS 7,將照原訂的 10 年計畫支援到 2024/06/30,以及 2019 年出的 CentOS 8,就只會支援到 2021/12/31 了。

翻了一下 Hacker News 上的討論,先不講幹聲一片的問題,看起來原來建立 CentOS 的 Gregory Kurtzer 決定出來再幹一次:「Original CentOS founder intends to create new fork of RHEL (rockylinux.org)」。

來看看後續社群會怎麼玩吧...

AWS 推出可以在 Red Hat Enterprise Linux 上跑 Microsoft SQL Server 的 AMI

自從 Microsoft SQL Server 宣佈可以在 Linux 上跑後 (參考「Microsoft SQL Server 出 Linux 版...」),就沒看到什麼 Linux 上跑 SQL Server 的消息了... 結果在這波 AWS 的活動上推出了 RHEL 上跑 SQL Server 的消息:「Amazon EC2 now offers SQL Server 2017 with Red Hat Enterprise Linux 7.4」。

SQL Server 2017 is now available for Amazon EC2 instances running Red Hat Enterprise Linux (RHEL) 7.4 as an Amazon Machine Image (AMI) from the AWS Marketplace. With this release, you can now launch RHEL instances on-demand using SQL Server 2017 Enterprise License Included AMIs without having to bring your own license. SQL Server 2017 on RHEL 7.4 AMI is available in all public AWS regions starting today.

這個消息看到的時候嚇了一跳...

把主力手機從 iPhone 換到 Android

上次主力用 Android 應該是 HTC Desire 時代了,那個時候跑得是 2.2。

總算把 LG G2 (D802) 刷完機器了 (刷了半年,每次都卡關 XDDD),這次刷了 CyanogenModOpen GApps,儘量都用 command line 來刷。

adb devices # 看裝置順便打 RSA public key 進去
adb shell # 進去後可以 ls/su 看一看
adb push filename.zip /sdcard/
adb reboot recovery

Android Marshmallow (6.0) 另外多了對權限的管理,這也是想刷到 6.0 的原因之一,使用者可以隨時 revoke 掉某些權限 (沒有處理好的會 crash XD):

Android Marshmallow introduces a redesigned application permission model: there are now only eight permission categories, and applications are no longer automatically granted all of their specified permissions at installation time. An opt-in system is now used, in which users are prompted to grant or deny individual permissions (such as the ability to access the camera or microphone) to an application when they are needed for the first time. Applications remember the grants, which can be revoked by the user at any time.

其他安裝的流程主要都是苦工了,尤其是 2FA 是少數為了安全性只能一個一個換的東西 (不提供 export,都是用手機提供的 HSM 避免被盜走),剛好趁機會把自己與公司用到的 2FA 帳號分開。

Android 上的 Google Authenticator 不怎麼好用 (不能調整位置,另外不希望隨時都給密碼),測了測 Red Hat 出的 FreeOTP Authenticator 算是比較好用的,就把 FreeOTP Authenticator 拿來給個人用,Google Authenticator 拿來給公司的帳號用。

繼續熟悉現在的 Android 環境,應該會有一陣子不習慣...

CVE-2015-7547:getaddrinfo() 的 RCE (Remote Code Execution) 慘案

Google 寫了一篇關於 CVE-2015-7547 的安全性問題:「CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow」。

Google 的工程師在找 OpenSSH 連到某台特定主機就會 segfault 的通靈過程中,發現問題不在 OpenSSH,而是在更底層的 glibc 導致 segfault:

Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.

由於等級到了 glibc 這種每台 Linux 都有裝的情況,在不經意的情況下發生 segfault,表示在刻意攻擊的情況下可能會很糟糕,所以 Google 投入了人力研究,想知道這個漏洞到底可以做到什麼程度:

Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!

在研究過程中 Google 發現 Red Hat 的人也在研究同樣的問題:「(CVE-2015-7547) - In send_dg, the recvfrom function is NOT always using the buffer size of a newly created buffer (CVE-2015-7547)」:

In the course of our investigation, and to our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July, 2015. (bug). We couldn't immediately tell whether the bug fix was underway, so we worked hard to make sure we understood the issue and then reached out to the glibc maintainers. To our delight, Florian Weimer and Carlos O’Donell of Red Hat had also been studying the bug’s impact, albeit completely independently! Due to the sensitive nature of the issue, the investigation, patch creation, and regression tests performed primarily by Florian and Carlos had continued “off-bug.”

攻擊本身需要繞過反制機制 (像是 ASLR),但仍然是可行的,Google 的人已經成功寫出 exploit code:

Remote code execution is possible, but not straightforward. It requires bypassing the security mitigations present on the system, such as ASLR. We will not release our exploit code, but a non-weaponized Proof of Concept has been made available simultaneously with this blog post.

技術細節在 Google 的文章裡也有提到,buffer 大小固定為 2048 bytes,但取得時有可能超過 2048 bytes,於是造成 buffer overflow:

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.

Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.

另外 glibc 官方的 mailing list 上也有說明:「[PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow」。