TPMs are good for something

Posted on October 19, 2009 by mdomsch

TPMs (Trusted Platform Modules) have long been avoided on Linux, given that their primary use cases have historically been around licensing and Digital Rights Management, concepts which are mostly foreign to Free and Open Source software. However, as new use cases, such as “trusted boot” have emerged, developers have added TPM device drivers to the Linux kernel to enable these uses. One often-overlooked feature of the TPM is that it has a hardware pseudo-random number generator.

A while back, Jeff Garzik and others were discussing this on the linux-kernel mailing list (summarized on LWN.net), where it was suggested that the TPM could be used to feed the rngd (random number gathering daemon) tool, just as it reads from other hardware random number generators. The rngd program reads from hardware-based random number generators and feeds entropy into the kernel’s entropy pool. Easy in concept, but lacking in TPM implementation.

As it happens, quite a few Dell systems include a TPM chip, including the PowerEdge 11G servers such as the R610 and R710. So, I asked Dell’s crack team of Linux developers to see what they could do. The result: a patch to rngd which adds the TPM as another source of random numbers for feeding the kernel’s entropy pool.

We’re working with Jeff to get this patch applied to the rng-tools upstream sources, and from there into the various distributions as their schedules permit.

So, should you find yourself running out of entropy on your servers, and not having a keyboard or mouse attached as ways to feed the entropy pool, you can run enable the TPM in BIOS SETUP, run rngd, and never lack for randomness again.

MirrorManager automatic local mirror selection

Posted on September 28, 2009 by mdomsch

MirrorManager 1.3.2 (plus a hotfix) is now running on all Fedora Infrastructure application servers. This brings one new interesting feature – automatic mirror detection. How’s that you say?

As you know, Internet routing uses BGP (Border Gateway Protocol), and Autonomous System Numbers (ASNs) to exchange IP prefixes (aa.bb.cc.dd/nn) and routing tables. By grabbing a copy of the global BGP table a few times a day, MM can know the ASN of an incoming client request, and Hosts in the MM database have grown two new fields: ASN and “ASN Clients?”. MM then looks to see if there is a mirror with the same ASN as each client, and offers it up earlier in the list.

I’ve pre-populated the MM database, for public servers only, with ASNs, and set “ASN Clients?” = True, meaning such will offer to serve all clients on the same ASN. If you have a private server and wish to do likewise (remember, this doesn’t work for home systems or those behind NATs), you can fill in those fields yourself. The Fedora wiki page on mirroring gives an example on how to look up your ASN. I recommend this for all schools, research organizations, companies, and ISPs.

The mirrorlist lookup code now goes in preferential order:

same netblock
same ASN
both on Internet2
same country
same continent
global

For ISPs and schools, this should mean that most of the possible Fedora traffic will stay within your network – no transit costs. And as netblocks change, MM will keep up with them automatically.

To see this in action, try a query as such, and look for the ‘Using ASN ####’ in the result comment line.

$ wget -O – ‘http://mirrors.fedoraproject.org/mirrorlist?repo=fedora-11&arch=i386′

# Using preferred netblock Using ASN XXXX country = US country = MX country = CA
your-local-mirror-here
…

I hope you enjoy this new feature.

Heading to Portland for LinuxCon

Posted on September 19, 2009 by mdomsch

I’ll be at LinuxCon in Portland this next week. On Monday, 11:30am, I get to compete against Jon Corbet’s excellent Kernel Report and four other interesting topics, to present Dynamic Driver Injection, a method to simplify OS deployments on new servers. If you’re at LinuxCon, I hope you will join me.

This will be my first trip to Portland. I’m looking forward to it a lot.

Fedora services IPv6-enabled

Posted on September 9, 2009 by mdomsch

As Mike McGrath, Fedora Infrastructure team lead announced last week, several Fedora services are now IPv6-enabled. Thanks to our good friends at ibiblio.org, who have native IPv6 connectivity, we were able to set up one web server and one DNS name server, with more services to come over time. The web server in particular means that nearly all Fedora Infrastructure-hosted web pages and web applications are immediately reachable over IPv6. This week, over 5000 unique IPv6 addresses have been served.

However, this has not come without a cost. There have been a handful of individuals having difficulty reaching our web pages. In one case, the user needed to lower the MTU (maximum transmission unit) for his ethernet adapter from the default 1500 to 1472, to accommodate both IPv6 and his PPPoE connection. For others, particularly those using 6to4 routing (the default method in Fedora if you don’t already have native IPv6 connectivity), some packets are getting dropped elsewhere on the Internet (pings reach our server, responses don’t make it back). These are the growing pains we’ll have to live through, and which will resolve themselves over time as more network operators deploy native IPv6 to their end users.

If you have troubles reaching Fedora web sites, take a look at the Known Problems section on our IPv6 wiki page for common workarounds, add your own workarounds as you find them, and if all else fails, join us in #fedora-admin on irc.freenode.net for assistance. There’s not a lot we can do about the wider Internet and its routing, but we’ll help if we can.

If you’d like to help get additional services IPv6-enabled, check out our IPv6 page for tasks we’d like to do, and offer your own ideas.

CDs are Dead. Long live CDs.

Posted on June 12, 2009 by mdomsch

I was running some stats on the Fedora 11 release, and an interesting thing caught my eye. Very few people are downloading the six (or in the case of PPC, seven) CDs to perform a “Fedora” install. Very Very few. In fact, at most, six people downloaded split media CDs using the Fedora mirror servers in the first few days. This in contrast to the over 234,000 direct downloads of DVDs and LiveCDs in the same amount of time. BitTorrent statistics are a little better for CDs: 908 completed downloads of the split media CDs, out of 41,235 total downloads (or ~2.2 %).

Which leads to the question, “Do we really need split media CDs for Fedora 12?”

A few more points lend credence to this idea.

Looking only at the BitTorrent stats for Fedora 9, 10, and now 11, we see an interesting trend. Figure 1 shows that the interest in split media CDs has been decreasing over the past year.

I have a suspicion. As the number of x86_64 users grows, it’s more likely that x86_64 systems will have DVD readers as opposed to older CD readers. Figure 2 shows the growth of x86_64 vs x86 over the past year, again extracted from BitTorrent statistics.

The entire Fedora 11 release as sent to the mirrors is ~143GB. Of that, CD and DVD ISOs represent ~34GB; the split media CD ISOs represent ~15.5GB of that. As most of the rest of that 143GB is all hardlinked, we’re really only transferring out all these ISO files. 10% of the disk space, and 45% of the time/bandwidth needed to get a release out to the mirrors, for about 2% of the user base, and declining.

CDs had their place, back when DVD readers weren’t commonplace, and before we had LiveCD/LiveUSB medias. Now, DVDs are fairly common, the LiveCDs work great for a lot of installs, and we have both a small (158MB) network-based bootable CD installer for new installs that would require a CD, and preupgrade for upgrading from an older distro version to the next. Let’s kill off split media CDs for Fedora 12.

Your thoughts?

Fedora 11 Metalinks!

Posted on June 11, 2009 by mdomsch

I didn’t manage to get these onto http://get.fedoraproject.org/, but we have metalinks available for all of the Fedora 11 main content, as well as the Fedora Electronics Lab spin. Metalinks can be used with metalink-aware download tools, like aria2 and the DownThemAll! FireFox plugin, to let the end user tool decide from which mirror to download the actual content.

Fedora 11 i686 Live CD images:

Live Desktop i686
Live KDE i686

Fedora 11 x86_64 Live CD images:

Live Desktop x86_64
Live KDE x86_64

Fedora 11 i386 CD and DVD images:

Network Install
DVD
CD1 CD2 CD3 CD4 CD5 CD6

Fedora 11 x86_64 CD and DVD images:

Network Install
DVD
CD1 CD2 CD3 CD4 CD5 CD6

Fedora 11 ppc CD and DVD images:

Network Install
DVD
CD1 CD2 CD3 CD4 CD5 CD6 CD7

Fedora 11 Fedora Electronics Lab spin Live CD images:

FEL Live i686
FEL Live x86_64

Fedora 11 Source Code CD and DVD images:

DVD
CD1 CD2 CD3 CD4 CD5 CD6

Fedora Elections: Voting now open

Posted on June 7, 2009 by mdomsch

I’d like to take a moment to thank everyone involved in this Fedora election cycle.

Moderators: John Rose, Max Spevack, Chris Tyler, and Paul Frields
Questionnaire coordinator: Thorsten Leemhuis
Election application: Nigel Jones
Fedora 12 Naming Process: Josh Boyer

and of course the 5 individuals running for the Board seats and the 11 running for the FESCo seats. I appreciate the efforts you put into attending the Town Hall sessions, answering the questionnaire, and for the commitment you’ve shown to Fedora already.

Fedora Voted

You have until 2359 UTC on 22nd June 2009 to vote.

Fedora Elections: Town Hall schedule set, beginning in 12 hours

Posted on June 2, 2009 by mdomsch

With each of the candidates noting they can attend at least one of the IRC Town Halls for their respective offices, the schedule is now set.

Town Halls begin in about 12 hours.

Each group participating in the election will host two Town Hall sessions on IRC. Each will last one hour, or less if there are no further questions.

How to Join
* Everyone should join #fedora-townhall on FreeNode (irc.freenode.net). Only candidates and a moderator may speak in this channel.
* Non-candidates should also join #fedora-townhall-public on FreeNode (irc.freenode.net). Direct your questions for the candidates to the moderator.

FESCo Candidate forum
Wednesday, June 3, 1400 UTC (Wed morning, 10am US Eastern Daylight Time, 7am US Pacific Daylight Time)
Moderated by Max Spevack

FESCo Candiate forum
Thursday, June 4, 0200 UTC (Wed night, 10pm US Eastern Daylight Time, 7pm US Pacific Daylight Time)
Moderated by Chris Tyler

Board Candidate forum
Thursday, June 4, 1400 UTC (Thurs morning, 10am US Eastern Daylight Time, 7am US Pacific Daylight Time)
Moderated by Paul Frields

Board Candidate forum
Friday, June 5 0200 UTC (Thurs night, 10pm US Eastern Daylight Time, 7pm US Pacific Daylight Time)
Moderated by John Rose (aka inode0)

https://fedoraproject.org/wiki/Elections lists these now.

I look forward to your participation, and hope these forums will more
fully inform our electorate about the candidates.

Fedora nominations open through 5/29

Posted on May 26, 2009 by mdomsch

Typo in my last post: Fedora Nominations are open through this Friday, 5/29.

Fedora Board, FESCo nominations open until Friday

Posted on May 26, 2009 by mdomsch

Nominations to join the Fedora Project Board are open until Friday,May 29. There are three seats open for election, each lasting for two full release cycles (will expire in about a year, following the Fedora 13 release). The Board is responsible for overall direction, setting and resolving policy, and generally tries to remove roadblocks which may impede participation in the Project.

The Fedora Engineering Steering Committee also is electing five members this cycle. Nominations are open until Friday as well.

Please consider adding your voice to the leadership of Fedora through participating in one of these offices.

Updated: Nominations close the 29th, not the 23rd. Thanks to Rahul for catching my error.

domsch.com blog

"It Just Works" is more than just a slogan, it's a way of life!

Category Archives: Linux