Fedora 23 Linux Secures Servers and the Cloud

by Sean Michael Kerner

The latest milestone release of Red Hat's community Linux distribution improves workstation, server and cloud capabilities, with new container creation capabilities coming in Fedora 24.

The Fedora Linux project is out with its second major release of the year, with today's debut of Fedora 23.

The Fedora 23 release follows Fedora 22, which was released back in May. Fedora 23 is the third release Fedora 17 Linux OSunder the Fedora Next model that started with Fedora 21 in December 2014, providing Workstation, Server and Cloud editions of Fedora.

For Fedora Project Leader Matthew Miller there were a few surprises in the Fedora 23 release cycle.

"Well, we almost hit the exact target date, which would have been a surprise," Miller told ServerWatch.

Miller explained that Fedora follows a hybrid model, between hard calendar-based release dates and the feature-based "release when ready" approach. Since Fedora integrates so much software with upstream open-source projects that Fedora doesn't control, it's hard to predict exactly how everything will land. That said, he said the Fedora project still wants to get quality releases to its users in a timely manner.

"So, we've developed this process where we adjust our targets (or feature set) at a check-in before each milestone," Miller said. "Usually, we expect this to result in the date slipping several times."

Overall, Miller said the Fedora 23 release cycle was very smooth, although there were a few severe bugs at the end of the process that pushed back the general availability of Fedora 23 by a week.

Among the major changes in Fedora 23 is the removal of SSLv3 and RC4 encryption cipher support. SSLv3 is an old protocol and has been proven to be insecure, while RC4 is now also thought to be insecure as well. Removing SSLv3 and RC4 support was no trivial task for Fedora. Miller explained it was a widespread removal process.

"We did it at the gnutls and OpenSSL level, so everything using those libraries is affected," Miller said. "If users need the old crypto for legacy compatibility, it can be changed in /etc/crypto-policies/config (or "FUTURE" used to raise the level even higher)."

Miller added that unfortunately nss, the other major crypto library, doesn't have the fine-grained control needed for the crypto policy (upstream patches are pending), so that software needed to be changed individually.

The Fedora Server now gets a new feature called "cloudtoserver" that enables a cloud image to be pulled back into a server.

cloudtoserver and the Pets vs. Cattle Cloud Computing Analogy

"The cloudtoserver package was originally called adopt-your-cattle, in reference to the pets-vs-cattle analogy common for describing cloud computing," Miller said. "But apparently that was confusing to people so we eventually went for the more literal name."

The "Pets vs. Cattle" analogy is such that pets are applications or servers, which are coddled, while cattle are used as needed and then slaughtered. Fedora has both Cloud and Server images, and Miller explained that the distinction between Fedora Cloud and Fedora Server is primarily intended to be on that line — scale-out cattle-style cloud-computing vs. carefully tended individual servers.

"But, somewhat naturally, there also ended up being an operating/deployment environment distinction: there aren't EC2 or downloadable cloud-guest images of Fedora Server," Miller said. "The related working groups in Fedora decided it'd be even more confusing to have not-Cloud cloud images, so the conversion idea is was born."

Miller explained that the cloudtoserver feature works as a script run inside a live cloud image, not on the image itself. In the future, he noted that Fedora will likely integrate cloudtoserver with cloud-init, so an administrator can really easily convert an image to Server at launch time.

Looking Ahead to Fedora 24

Looking forward to the next major update in 2016, some general ideas around Fedora 24 are already emerging. Miller said that for Fedora Workstation, one of the big things will be system upgrades from the Software app, rather than making people drop to the command line.

"One smaller but important thing which missed the [Fedora 23] release is support for marking network connections as metered or bandwidth-capped," Miller said. "That way, those updates aren't downloaded when you're tethered through your cell phone or on airplane wifi."

Fedora 24 will also likely mark the debut of the Wayland display server as the default. Miller said Wayland paves the way for other things like secure application sandboxing and better multi-monitor support.

For Fedora Server, I'm really hoping we can get some community traction around building server roles. The identity management and database roles we have are good examples, but the concept doesn't really reach its potential until there are roles for 90% of what admins want to deploy. With F23, we have an example of a role — memcached — shipped as a Docker image, and I think that model will make it easy to add a lot more.

More container integration is also likely to be a part of Fedora 24.

"One of the things I'd hoped to have in Fedora 23 but got pushed back to Fedora 24 is a container image build service for Fedora, similar to the way we use Koji to build RPM packages," Miller said. "We want our contributors to be able to create official Fedora containers in a way very similar to the way they can create and ship RPMs today. That isn't user-visible in itself, but the results will be."

Sean Michael Kerner is a senior editor at ServerWatch and InternetNews.com. Follow him on Twitter @TechJournalist.

Follow ServerWatch on Twitter and on Facebook

This article was originally published on Tuesday Nov 3rd 2015
Mobile Site | Full Site