major.io - Page 3 of 142 - Words of wisdom from a Linux engineer focused on information security

Join me on Thursday to talk about OpenStack LBaaS and security hardening

July 19, 2016 By Major Hayden Leave a Comment

If you want to learn more about load balancers and security hardening in OpenStack clouds, join me on Thursday for the Rackspace Office Hours podcast! Walter Bentley, Kenneth Hui and I will be talking about some of the new features available in the 12.2 release of Rackspace Private Cloud powered by OpenStack.

The release has a tech preview of OpenStack’s Load Balancer as a Service project. The new LBaaSv2 API is stable and makes it easy to create load balancers, add pools, and add members. Health monitors can watch over servers and remove those servers from the load balancers if they don’t respond properly.

I talked about the security hardening feature extensively at this year’s OpenStack Summit in Austin and it is now available in the 12.2 release of RPC.

The new Ansible role and its tasks apply over 200 security hardening configurations to OpenStack hosts (control plane and hypervisors) and it comes with extensive auditor-friendly documentation. The documentation also allows deployers to fine-tune many of the configurations and disable the ones they don’t want. Deployers also have the option to tighten some configurations depending on their industry requirements.

Join us this Thursday, July 21st, at 1:00 PM CDT (check your time zone) to talk more about these new features and OpenStack in general.

Bring back two and three finger taps in Fedora 24

July 5, 2016 By Major Hayden 5 Comments

Most of the recent Fedora upgrades have been quite smooth. There were definitely some rough spots back in Fedora 15 and Fedora 17 with the /bin migration and the switch to systemd. The upgrade from Fedora 23 to Fedora 24 has been really easy except for one minor quirk: my two and three finger taps don’t seem to work on the touchpad.

I use a Lenovo ThinkPad X1 Carbon (3rd gen) and it has a clickpad along with physical buttons across the top. I use the two finger taps (to do a secondary click) frequently. After the Fedora 24 upgrade, I can still do clicks with one, two or three fingers, but the taps don’t work.

After a little digging in xinput, I began to narrow down the problem:

[major@arsenic ~]$ xinput list
⎡ Virtual core pointer                      id=2    [master pointer  (3)]
⎜   ↳ Virtual core XTEST pointer                id=4    [slave  pointer  (2)]
⎜   ↳ SynPS/2 Synaptics TouchPad                id=11   [slave  pointer  (2)]
⎜   ↳ TPPS/2 IBM TrackPoint                     id=12   [slave  pointer  (2)]
⎣ Virtual core keyboard                     id=3    [master keyboard (2)]
    ↳ Virtual core XTEST keyboard               id=5    [slave  keyboard (3)]
    ↳ Power Button                              id=6    [slave  keyboard (3)]
    ↳ Video Bus                                 id=7    [slave  keyboard (3)]
    ↳ Sleep Button                              id=8    [slave  keyboard (3)]
    ↳ Integrated Camera                         id=9    [slave  keyboard (3)]
    ↳ AT Translated Set 2 keyboard              id=10   [slave  keyboard (3)]
    ↳ ThinkPad Extra Buttons                    id=13   [slave  keyboard (3)]
[major@arsenic ~]$ xinput list-props 11 | grep Tap
    Synaptics Tap Time (271):   180
    Synaptics Tap Move (272):   252
    Synaptics Tap Durations (273):  180, 100, 100
    Synaptics Tap Action (285): 0, 0, 0, 0, 1, 0, 0

[major@arsenic ~]$ xinput list

⎡ Virtual core pointer id=2 [master pointer (3)]

⎜ ↳ Virtual core XTEST pointer id=4 [slave pointer (2)]

⎜ ↳ SynPS/2 Synaptics TouchPad id=11 [slave pointer (2)]

⎜ ↳ TPPS/2 IBM TrackPoint id=12 [slave pointer (2)]

⎣ Virtual core keyboard id=3 [master keyboard (2)]

↳ Virtual core XTEST keyboard id=5 [slave keyboard (3)]

↳ Power Button id=6 [slave keyboard (3)]

↳ Video Bus id=7 [slave keyboard (3)]

↳ Sleep Button id=8 [slave keyboard (3)]

↳ Integrated Camera id=9 [slave keyboard (3)]

↳ AT Translated Set 2 keyboard id=10 [slave keyboard (3)]

↳ ThinkPad Extra Buttons id=13 [slave keyboard (3)]

[major@arsenic ~]$ xinput list-props 11 | grep Tap

Synaptics Tap Time (271): 180

Synaptics Tap Move (272): 252

Synaptics Tap Durations (273): 180, 100, 100

Synaptics Tap Action (285): 0, 0, 0, 0, 1, 0, 0

Hunting for a fix

It seems like this Synaptics Tap Action (285) is what I need to adjust. What do those numbers mean, anyway?

After some searching, I found the answer in some Synaptics documentation:

Synaptics Tap Action
8 bit, up to MAX_TAP values (see synaptics.h), 0 disables an element. order: RT, RB, LT, LB, F1, F2, F3.

1 2	Synaptics Tap Action 8 bit, up to MAX_TAP values (see synaptics.h), 0 disables an element. order: RT, RB, LT, LB, F1, F2, F3.

This seems like what I want, but what do those abbreviations mean at the end? I scrolled up on the page and found something useful:

Option "RTCornerButton" "integer"
Which mouse button is reported on a right top corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "RBCornerButton" "integer"
Which mouse button is reported on a right bottom corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "LTCornerButton" "integer"
Which mouse button is reported on a left top corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "LBCornerButton" "integer"
Which mouse button is reported on a left bottom corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "TapButton1" "integer"
Which mouse button is reported on a non-corner one-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "TapButton2" "integer"
Which mouse button is reported on a non-corner two-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"
Option "TapButton3" "integer"
Which mouse button is reported on a non-corner three-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "RTCornerButton" "integer"

Which mouse button is reported on a right top corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "RBCornerButton" "integer"

Which mouse button is reported on a right bottom corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "LTCornerButton" "integer"

Which mouse button is reported on a left top corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "LBCornerButton" "integer"

Which mouse button is reported on a left bottom corner tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "TapButton1" "integer"

Which mouse button is reported on a non-corner one-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "TapButton2" "integer"

Which mouse button is reported on a non-corner two-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"

Option "TapButton3" "integer"

Which mouse button is reported on a non-corner three-finger tap. Set to 0 to disable. Property: "Synaptics Tap Action"

The last three are the ones I care about. Then the abbreviations made sense:

F1: TapButton1
F2: TapButton2
F3: TapButton3

The TapButton1 setting was already set to 1, which means a primary tap. I need TapButton2 set to 3 (two fingers for a secondary button tap) and TapButton3 set to 2 (three fingers for a middle button tap). Let’s try with xinput directly first:

xinput set-prop 11 "Synaptics Tap Action" 0 0 0 0 1 3 2

1	xinput set-prop 11 "Synaptics Tap Action" 0 0 0 0 1 3 2

SUCCESS! The secondary and middle taps have returned!

Making it stick

Let’s make the setting permanent. You could add this to a ~/.xprofile or some other file that the display manager runs, but this isn’t helpful if you have a touchpad that could be removed or re-added (like a USB touchpad). For this, we need an extra X configuration file.

I created a file called /etc/X11/xorg.conf.d/99-xinput-fix-multi-finger-taps.conf and added some configuration:

Section "InputClass"
       Identifier "tap-by-default"
       MatchIsTouchpad "on"
       Option "TapButton1" "1"
       Option "TapButton2" "3"
       Option "TapButton3" "2"
EndSection

Section "InputClass"

Identifier "tap-by-default"

MatchIsTouchpad "on"

Option "TapButton1" "1"

Option "TapButton2" "3"

Option "TapButton3" "2"

EndSection

The configuration file specifies what we want to occur when one, two or three fingers tap on the pad. We’re also being careful here to match only on touchpads to avoid tinkering with a mouse or other pointer device.

Log out of your X session and log in again. Your two and three finger taps should still be working!

Talk recap: The friendship of OpenStack and Ansible

June 28, 2016 By Major Hayden Leave a Comment

The 2016 Red Hat Summit is underway in San Francisco this week and I delivered a talk with Robyn Bergeron earlier today. Our talk, When flexibility met simplicity: The friendship of OpenStack and Ansible, explained how Ansible can reduce the complexity of OpenStack environments without sacrificing the flexibility that private clouds offer.

The talk started at the same time as lunch began and the Partner Pavilion first opened, so we had some stiff competition for attendees’ attention. However, the live demo worked without issues and we had some good questions when the talk was finished.

This post will cover some of the main points from the talk and I’ll share some links for the talk itself and some of the playbooks we ran during the live demo.

IT is complex and difficult

Getting resources for projects at many companies is challenging. OpenStack makes this a little easier by delivering compute, network, and storage resources on demand. However, OpenStack’s flexibility is a double-edged sword. It makes it very easy to obtain virtual machines, but it can be challenging to install and configure.

Ansible reduces some of that complexity without sacrificing flexibility. Ansible comes with plenty of pre-written modules that manage an OpenStack cloud at multiple levels for multiple types of users. Consumers, operators, and deployers can save time and reduce errors by using these modules and providing the parameters that fit their environment.

Ansible and OpenStack

Ansible and OpenStack are both open source projects that are heavily based on Python. Many of the same dependencies needed for Ansible are needed for OpenStack, so there is very little additional software required. Ansible tasks are written in YAML and the user only needs to pass some simple parameters to an existing module to get something done.

Operators are in a unique position since they can use Ansible to perform typical IT tasks, like creating projects and users. They can also assign fine-grained permissions to users with roles via reusable and extensible playbooks. Deployers can use projects like OpenStack-Ansible to deploy a production-ready OpenStack cloud.

Let’s build something

In the talk, we went through a scenario for a live demo. In the scenario, the marketing team needed a new website for a new campaign. The IT department needed to create a project and user for them, and then the marketing team needed to build a server. This required some additional tasks, such as adding ssh keys, creating a security group (with rules) and adding a new private network.

The files from the live demo are up on GitHub:

major/ansible-openstack-summit-demo

In the operator-prep.yml, we created a project and added a user to the project. That user was given the admin role so that the marketing team could have full access to their own project.

From there, we went through the tasks as if we were a member of the marketing team. The marketing.yml playbook went through all of the tasks to prepare for building an instance, actually building the instance, and then adding that instance to the dynamic inventory in Ansible. That playbook also verified the instance was up and performed additional configuration of the virtual machine itself — all in the same playbook.

What’s next?

Robyn shared lots of ways to get involved in the Ansible community. AnsibleFest 2016 is rapidly approaching and the OpenStack Summit in Barcelona is happening this October.

Downloads

The presentation is available in a few formats:

PDF
Google Slides (good option if you like GIFs to work)
Slideshare

My list of must-see sessions at Red Hat Summit 2016

June 26, 2016 By Major Hayden 1 Comment

The Red Hat Summit starts this week in San Francisco, and a few folks asked me about the sessions that they shouldn’t miss. The schedule can be overwhelming for first timers and it can be difficult at times to discern the technical sessions from the ones that are more sales-oriented.

If you’re in San Francisco, and you want to learn a bit more about using Ansible to manage OpenStack environments, come to the session that I am co-presenting with Robyn Bergeron: When flexibility met simplicity: The friendship of OpenStack and Ansible.

Confirmed good sessions

Here’s a list of sessions that I’ve seen in the past and I still highly recommend:

Security-enhanced Linux for mere mortals from Thomas Cameron
Container security from Dan Walsh

Dan is also doing a lab for container security called “A practical introduction to container security” that should be really interesting if you enjoy his regular sessions.

Sessions I want to see this year

Are you listening to what SELinux is telling you from Dan Walsh and Roland Wolters
Optimizing code for modern processors from William Cohen
Ansible BoF from Greg DeKoenigsberg and James Cammarata
Docker versis Systemd – Can’t we just get along? from Dan Walsh
Tracking huge files with Git LFS from Tim Pettersen
Developer meet designer from Andres Galante and Brian Leathern

If you want to talk OpenStack, Ansible, or Rackspace at the Summit, send me something on Twitter. Have a great time!

New SELinux shirts are available

June 16, 2016 By Major Hayden 3 Comments

With the upcoming Red Hat Summit 2016 in San Francisco almost upon us, I decided to update the old SELinux shirts with two new designs:

Make SELinux enforcing again shirt setenforce 1 shirt 2016

You can buy these now over at Spreadshirt! There are styles there for men and women and I’ve priced them as low as the store will allow.

Spreadshirt is also running a sale for 15% off T-shirts until June 21st with the code TSHIRT16. Let’s make SELinux enforcing again!