Tech News - Servers

On 23rd January, Debian announced the release of Debian 9.7 which is the seventh update of the stable distribution of Debian 9. This comes right after a remote code execution vulnerability was discovered in the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions that allows an attacker to perform a man-in-the-middle attack. This Debian includes a security update for the APT vulnerability. The Debian GNU/Linux 9.7 (codename "Stretch") release contains a new version of the APT package manager that's no longer vulnerable to man-in-the-middle attacks. The team states that there is no need to download new ISO images to update existing installations, however, the Debian Project will release live and install-only ISO images for all supported architectures of the Debian GNU/Linux 9.7 "Stretch". This will be available for download in a few days. Head over to Debian’s official website for more information on this announcement. Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview] Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

Yesterday a remote code execution bug was found in the APT high-level package manager used by Debian, Ubuntu, and other related Linux distributions. Max Justicz, the security researcher who discovered the bug, says that the bug "allows a network man-in-the-middle (or a malicious package mirror) to execute arbitrary code as root on a machine installing any package.” Justicz’s blog post states that the vulnerable versions of APT don't properly sanitize certain parameters during HTTP redirects. An attacker can take advantage of this and perform a remote man-in-the-middle attack to inject malicious content, thus tricking the system to install certain altered packages. HTTP redirects while using apt-get command help Linux machines to automatically request packages from an appropriate mirror server when other servers are unavailable. If the first server fails, it returns the location of the next server from where the client should request the package. Justicz has also demonstrated this man-in-the-middle attack in a short video: https://justi.cz/assets/aptpoc.mp4 Justicz told The Hacker News that a malicious actor intercepting HTTP traffic between APT utility and a mirror server, or just a malicious mirror, could execute arbitrary code on the targeted system with the highest level of privileges, i.e. root. He further adds, "You can completely replace the requested package, as in my proof of concept. You could substitute a modified package as well if you wanted to”. The APT is also used by major Linux distributions like Debian and Ubuntu, who have also acknowledged and released security patches for this vulnerability. Hacker News also points how this flaw comes around the time when cybersecurity experts are fighting over Twitter, in favor of not using HTTPS and suggesting software developers to rely on signature-based package verification since the APT on Linux also does the same. They further add that the APT exploitation could have been mitigated if the software download manager was strictly using HTTPS to communicate securely. The developers of APT have released version 1.4.9 that fixes the issue. The bug has also been fixed in APT 1.2.29ubuntu0.1, 1.7.0ubuntu0.1, 1.0.1ubuntu2.19, and 1.6.6ubuntu0.1 packages, as well as in APT 1.4.9 for the Debian distribution. You can head over to Max Justicz official blog for more insights on this news. Kali Linux 2018 for testing and maintaining Windows security – Wolf Halton and Bo Weaver [Interview] Black Hat hackers used IPMI cards to launch JungleSec Ransomware, affects most of the Linux servers Homebrew 1.9.0 released with periodic brew cleanup, beta support for Linux, Windows and much more!

Last week, GeoServer 2.14.2 was released., GeoServer is an open source software server based on Java, for sharing geospatial data. It allows users to display their spatial information to the world. It is free and can display data on popular mapping applications such as Google Earth, Google Maps, Microsoft Virtual Earth and Yahoo Maps. Improvements in GeoServer 2.14.2 In GeoServer 2.14.2, WMTS Restful binding is accessible to all users and works with workspace specific services which initially used to be limited to admins. gs:DownloadEstimator now returns a true value when estimating full raster downloads at native resolution. In GeoServer 2.14.2, KML ignores sortBy parameter while querying records. The NullPointerException is thrown while using env() function with LIKE operator in CSS filters. With this release, it’s possible to modify existing GWC blobstore via UI without renaming which was not possible initially. For GetLegendGraphic, this release allows expressions in ColorMapEntry labels. In this release, OpenLayers2 preview is not automatically triggered on IE8. New MongoDB extension has been added GeoServer 2.14.2. The style editor has been improved, it now includes side by side editing Nearest match support has been added for Web Map Service (WMS) dimension handling. Major fixes Rendering issue with JAI-EXT and Input/Output TransparentColor options has been resolved. The Complex MongoDB generated properties are now handled in this release. Check out the official blog post by GeoServer for full release notes. Getting Started with GeoServer ArangoDB 3.4 releases with a native search engine, full GeoJSON support, and more Uber’s kepler.gl, an open source toolbox for GeoSpatial Analysis

Unsecured IPMI (Intelligent Platform Management Interface) cards are preparing a gateway for the JungleSec ransomware that affected multiple Linux servers. The ransomware attack was originally reported in early November 2018. Victims were seen using the Windows, Linux, and Mac; however, there were no traces of how they were being infected. The Black Hat hackers have been using the IPMI cards to breach access and install the JungleSec ransomware, which encrypts data and demands a 0.3 bitcoin payment (about $1,100) for the unlock key. IPMI, a management interface, is built into server motherboards or installed as an add-on card. This enables administrators to remotely manage the computer, power on and off the computer, get system information, and get access to a KVM that gives one remote console access. The IPMI is also useful for managing servers, especially when renting servers from another company at a remote collocation center. However, if the IPMI interface is not properly configured, it could allow attackers to remotely connect to and take control of servers using default credentials. Bleeping Computers said they have “spoken to multiple victims whose Linux servers were infected with the JungleSec Ransomware and they all stated the same thing; they were infected through unsecured IPMI devices”. Bleeping Computers first reported this story on Dec 26 indicating that the hack only affected Linux servers. The attackers installed the JungleSec ransomware through the server's IPMI interface. In the conversations that Bleeping computers had with two of the victims, one victim said, “that the IPMI interface was using the default manufacturer passwords.” The other victim stated that “the Admin user was disabled, but the attacker was still able to gain access through possible vulnerabilities.” Once the attackers were successful in gaining access to the servers, the attackers would reboot the computer into single user mode in order to gain root access. Once in single user mode, they downloaded and compiled the ‘ccrypt’ encryption program. In order to secure the IPMI interface, the first step is to change the default password as most of these cards come with default passwords Admin/Admin. “Administrators should also configure ACLs that allow only certain IP addresses to access the IPMI interface. In addition, IPMI interfaces should be configured to only listen on an internal IP address so that it is only accessible by local admins or through a VPN connection”, Bleeping computer reports. The report also includes a tip from Negulescu--not specific to IPMI interfaces--which suggests adding a password to the GRUB bootloader. Doing so will make it more difficult, if not impossible, to reboot into single user mode from the IPMI remote console. To know more about this news in detail head over to Bleeping Computers’ complete coverage. Go Phish! What do thieves get from stealing our data? Hackers are our society’s immune system – Keren Elazari on the future of Cybersecurity Sennheiser opens up about its major blunder that let hackers easily carry out man-in-the-middle attacks

GNU project made version 5.0 of its popular POSIX shell Bash ( Bourne Again Shell) available yesterday. Bash 5.0 explores new improvements and features such as BASH_ARGV0, EPOCHSECONDS, and EPOCHREALTIME among others. Bash was first released in 1989 and was created for the GNU project as a replacement for their Bourne shell. It is capable of performing functions such as interactive command line editing, and job control on architectures that support it. It is a complete implementation of the IEEE POSIX shell and tools specification. Key Updates New features Bash 5.0 comes with a newly added EPOCHSECONDS variable, which is capable of expanding to the time in seconds. There is another newly added EPOCHREALTIME variable which is similar to EPOCHSECONDS in Bash 5.0. EPOCHREALTIME is capable of obtaining the number of seconds since the Unix Epoch, the only difference being that this variable is a floating point with microsecond granularity. BASH_ARGV0 is also a newly added variable in Bash 5.0 that expands to $0 and sets $0 on assignment. There is a newly defined config-top.h in Bash 5.0. This allows the shell to use a static value for $PATH. Bash 5.0 has a new shell option that can enable and disable sending history to syslog at runtime. Other Changes The `globasciiranges' option is now enabled by default in Bash 5.0 and can be set to off by default at configuration time. POSIX mode is now capable of enabling the `shift_verbose' option. The `history' builtin option in Bash 5.0 can now delete ranges of history entries using   `-d start-end'. A change that caused strings containing + backslashes to be flagged as glob patterns has been reverted in Bash 5.0. For complete information on bash 5.0, check out its official release notes. GNU ed 1.15 released! GNU Bison 3.2 got rolled out GNU Guile 2.9.1 beta released JIT native code generation to speed up all Guile programs

Today, Microsoft unveiled new features of Windows Server 2019. The new features are based on four themes—hybrid, security, application platform, and Hyper-Converged Infrastructure (HCI). General changes Windows Server 2019, being a Long-Term Servicing Channel (LTSC) release, includes Desktop Experience. During setup, there are two options to choose from: Server Core installations or Server with Desktop Experience installations. A new feature called System Insights brings local predictive analytics capabilities to Windows Server 2019. This feature is powered by machine learning and aimed to help users reduce operational expenses associated with managing issues in Windows Server deployments. Hybrid cloud in Windows Server 2019 Another feature called the Server Core App Compatibility feature on demand (FOD) greatly improves the app compatibility in the Windows Server Core installation option. It does so by including a subset of binaries and components from Windows Server with the Desktop Experience included. This is done without adding the Windows Server Desktop Experience graphical environment itself. The purpose is to increase the functionality of Windows server while keeping a small footprint. This feature is optional and is available as a separate ISO to be added to Windows Server Core installation. New measures for security There are new changes made to add a new protection protocol, changes in virtual machines, networking, and web. Windows Defender Advanced Threat Protection (ATP) Now, there is a Windows Defender program called Advanced Threat Protection (ATP). ATP has deep platform sensors and response actions to expose memory and kernel level attacks. ATP can respond via suppressing malicious files and also terminating malicious processes. There is a new set of host-intrusion prevention capabilities called the Windows Defender ATP Exploit Guard. The components of ATP Exploit Guard are designed to lock down and protect a machine against a wide variety of attacks and also block behaviors common in malware attacks. Software Defined Networking (SDN) SDN delivers many security features which increase customer confidence in running workloads, be it on-premises or as a cloud service provider. These enhancements are integrated into the comprehensive SDN platform which was first introduced in Windows Server 2016. Improvements to shielded virtual machines Now, users can run shielded virtual machines on machines which are intermittently connected to the Host Guardian Service. This leverages the fallback HGS and offline mode features. There are troubleshooting improvements to shield virtual machines by enabling support for VMConnect Enhanced Session Mode and PowerShell Direct. Windows Server 2019 now supports Ubuntu, Red Hat Enterprise Linux, and SUSE Linux Enterprise Server inside shielded virtual machines. Changes for faster and safer web Connections are coalesced to deliver uninterrupted and encrypted browsing. For automatic connection failure mitigation and ease of deployment, HTTP/2’s server-side cipher suite negotiation is upgraded. Storage Three storage changes are made in Windows Server 2019. Storage Migration Service It is a new technology that simplifies migrating servers to a newer Windows Server version. It has a graphical tool that lists data on servers and transfers the data and configuration to newer servers. Their users can optionally move the identities of the old servers to the new ones so that apps and users don’t have to make changes. Storage Spaces Direct There are new features in Storage Spaces Direct: Deduplication and compression capabilities for ReFS volumes Persistent memory has native support Nested resiliency for 2 node hyper-converged infrastructure at the edge Two-server clusters which use a USB flash drive as a witness Support for Windows Admin Center Display of performance history Scale up to 4 petabytes per cluster Mirror-accelerated parity is two times faster Drive latency outlier detection Fault tolerance is increased by manually delimiting the allocation of volumes Storage Replica Storage Replica is now also available in Windows Server 2019 standard edition. A new feature called test failover allows mounting of destination storage to validate replication or backup data. Performance improvements are made and Windows Admin Center support is added. Failover clustering New features in failover clustering include: Addition of cluster sets and Azure-aware clusters Cross-domain cluster migration USB witness Cluster infrastructure improvements Cluster Aware Updating supports Storage Spaces Direct File share witness enhancements Cluster hardening Failover Cluster no longer uses NTLM authentication Application platform changes in Windows Server 2019 Users can now run Windows and Linux-based containers on the same container host by using the same docker daemon. Changes are being continually done to improve support for Kubernetes. A number of improvements are made to containers such as changes to identity, compatibility, reduced size, and higher performance. Now, virtual network encryption allows virtual network traffic encryption between virtual machines that communicate within subnets and are marked as Encryption Enabled. There are also some improvements to network performance for virtual workloads, time service, SDN gateways, new deployment UI, and persistent memory support for Hyper-V VMs. For more details, visit the Microsoft website. OpenSSH, now a part of the Windows Server 2019 Microsoft announces Windows DNS Server Heap Overflow Vulnerability, users dissatisfied with patch details Microsoft fixes 62 security flaws on Patch Tuesday and re-releases Windows 10 version 1809 and Windows Server 2019

Yesterday, Microsoft announced that the OpenSSH client and server are available as a supported feature-on-Demand in Windows Server 2019 and Windows 10 1809. OpenSSH is a collection of client/server utilities allowing secure login, remote file transfer, and public/private key pair management. It originated as a part of the OpenBSD project and has been used across the BSD, Linux, macOS, and Unix ecosystems, for years. In 2015, Microsoft said they would build OpenSSH into Windows, while also making contributions to its development. The Win32 port of OpenSSH was first included in the Windows 10 Fall Creators Update and Windows Server 1709 as a pre-release feature. With OpenSSH in the Windows Server 2019, organizations can work across a broad range of operating systems and also utilize a consistent set of tools for remote server administration. The community welcomes OpenSSH on Windows Server 2019 According to some on HackerNews, “Having used DSC and PowerShell remoting extensively, these create as many problems as they solve. Nothing works smoothly. Not a thing. The saving grace here will be SSH because then at least we can drive all our kit across both platforms from Ansible and be done with the entire MSFT management stack.” Another review says, “Mounting requires other ports to be opened, which no sysadmin will do on the internet. Ssh, on the other hand, can be started on a non-standard port.” “SSH is an awesome tool & capability as a relatively high-level network channel. The defacto “shell” approach leads to a lot of problems when used as a management device. It encourages ad-hoc, unstructured, and opaque changes. Managing your hosts via Secure Shell simply leads to bespoke, unrepeatable, outcomes and crushing debt.” To know more about this news in detail, visit the Windows official blog. Microsoft fixes 62 security flaws on Patch Tuesday and re-releases Windows 10 version 1809 and Windows Server 2019 Microsoft releases first test build of Windows Server 1803 How to use PowerShell Web Access to manage Windows Server

Yesterday, the FreeBSD release engineering team announced the availability of FreeBSD 12.0, which marks the first release of the stable/12 branch. This version is available for the amd64, i386, powerpc, powerpc64, powerpcspe, sparc64, armv6, armv7, and aarch64 architectures. FreeBSD is an open source, Unix-like operating system for x86, ARM, AArch64, RISC-V, MIPS, POWER, PowerPC, and Sun UltraSPARC computers. It is based on the 4.4BSD-Lite release from Computer Systems Research Group (CSRG) at the University of California at Berkeley. It comes with features like preemptive multitasking, memory protection, virtual memory, multi-user facilities, and SMP support. Following are some of the updates introduced in FreeBSD 12.0: The bsdinstall installer and zfsboot are updated to allow a UEFI+GELI installation option. GOST is removed, and LDNS now enables DANE-TA. sshd now comes with additional support for capsicum. Also, capsicum is enabled on armv6 and armv7 by default. The VIMAGE kernel configuration option is enabled by default. The NUMA option is enabled by default in the amd64 GENERIC and MINIMAL kernel configurations. The netdump driver is added for transmitting kernel crash dumps to a remote host after a system panic. The vt driver now comes with better performance, drawing text at rates ranging from 2- to 6-times faster. The UFS/FFS filesystem is updated to consolidate TRIM/BIO_DELETE commands, resulting in fewer read/write requests. This is enabled by default in the UFS/FFS filesystem and can be disabled by setting the vfs.ffs.dotrimcons sysctl to 0, or adding vfs.ffs.dotrimcons=0 to sysctl.conf. The pf packet filter can now be used within a jail using vnet. The bhyve utility is updated to add NVMe device emulation and it is now also able to be run within a jail. Various Lua loader improvements such as detecting a list of installed kernels to boot and support for module blacklists. Upgraded components Clang, LLVM, LLD, LLDB, compiler-rt, and libc++ is updated to 6.0.1. OpenSSL is updated to 1.1.1a (LTS). Unbound is updated to 1.8.1 OpenSSH is updated to 7.8p1. The vt(4) Terminus BSD Console font is updated to 4.46. KDE has been updated to version 5.12.5. The NFS version 4.1 server is updated to include pNFS server support. You can install FreeBSD 12.0 from a bootable ISO image or over the network. Some architectures also support installing from a USB memory stick. To read the entire list of update in FreeBSD 12.0, check out its release notes. LibrePCB 0.1.0 released with major changes in library editor and file format Systems programming with Go in UNIX and Linux AMD ROCm GPUs now support TensorFlow v1.8, a major milestone for AMD’s deep learning plans  

Yesterday, the Linux Foundation announced that they are joining hands with the RISC-V Foundation to drive the open source development and adoption of the RISC-V instruction set architecture (ISA). https://twitter.com/risc_v/status/1067553703685750785 The RISC-V Foundation is a non-profit corporation, which is responsible for directing the future development of the RISC-V ISA. Since its formation, the RISC-V Foundation has quickly grown and now includes more than 100 member organizations. With this collaboration, the foundations aim to further grow this RISC-V ecosystem and provide improved support for the development of new applications and architectures across all computing platforms. Rick O’Connor, the executive director of the RISC-V Foundation, said, “With the rapid international adoption of the RISC-V ISA, we need increased scale and resources to support the explosive growth of the RISC-V ecosystem. The Linux Foundation is an ideal partner given the open source nature of both organizations. This joint collaboration with the Linux Foundation will enable the RISC-V Foundation to offer more robust support and educational tools for the active RISC-V community, and enable operating systems, hardware implementations and development tools to scale faster.” The Linux Foundation will provide governance, best practices for open source development, and resources such as training programs and infrastructure tools. Along with this, they will also help RISC-V in community outreach, marketing, and legal expertise. Jim Zemlin, the executive director at the Linux Foundation believes that RISC-V has great potential seeing its popularity in areas like AI, machine learning, IoT, and more. He said, “RISC-V has great traction in a number of markets with applications for AI, machine learning, IoT, augmented reality, cloud, data centers, semiconductors, networking and more. RISC-V is a technology that has the potential to greatly advance open hardware architecture. We look forward to collaborating with the RISC-V Foundation to advance RISC-V ISA adoption and build a strong ecosystem globally.” The two foundations have already started working on a pair of getting started guides for running Zephyr, a small, scalable open source real-time operating system (RTOS) optimized for resource-constrained devices. They are also conducting RISC-V Summit, a 4-day event starting from December 3-6 in Santa Clara. This summit will include sessions on RISC-V ISA architecture, commercial and open-source implementations, software and silicon, vectors and security, applications and accelerators, and much more. Read the complete announcement on the Linux Foundation’s official website. Uber becomes a Gold member of the Linux Foundation The Ceph Foundation has been launched by the Linux Foundation to support the open source storage project Google becomes new platinum member of the Linux foundation

Linux 4.20 has shown major performance issues and the reason behind this regression was Single Thread Indirect Branch Predictors (STIBP), as shared by Phoronix yesterday. This support is being reverted from the upcoming releases Linux 4.19.4 and 4.14.83 kernel points. Linus Torvalds, the creator of Linux kernel, was also surprised with the performance hit on Linux 4.20 as a result of STIBP introduction. He posted to the kernel mailing list that the performance impact was not communicated before the patches were merged and believes that this should not be enabled by default: “This was marked for stable, and honestly, nowhere in the discussion did I see any mention of just *how* bad the performance impact of this was.  When performance goes down by 50% on some loads, people need to start asking themselves whether it was worth it. It's apparently better to just disable SMT entirely, which is what security-conscious people do anyway.  So why do that STIBP slow-down by default when the people who *really* care already disabled SMT?  I think we should use the same logic as for L1TF: we default to something that doesn't kill performance. Warn once about it, and let the crazy people say "I'd rather take a 50% performance hit than worry about a theoretical issue”.“ The tests done by Michael Larabel also revealed that Linux 4.20 is facing significant performance issues in many workloads, more than some of the earlier Spectre and Meltdown mitigations. This has measurably affected PHP, Python, Java, and many other workloads and even the gaming performance to some extent. The STIBP support for cross-hyperthread Spectre V2 mitigation was backported to the Linux 4.14 and 4.19 LTS series, which is now being reverted. You can find the reverts in Greg Kroah-Hartman’s linux-stable-rc tree:  Source: Phoronix On current Linux 4.20 Git, STIBP still remains in place and a better approach to handle performance issues is being reviewed. Michael Larabel expects that the new patch series will be ready for merging prior to the shipping of Linux 4.20, which is approximately one month’s time. To know more, check out Michael Larabel’s post on Phoronix: Linux Stable Updates Are Dropping The Performance-Pounding STIBP. Read Next Linux 4.20 kernel slower than its previous stable releases, Spectre flaw to be blamed, according to Phoronix Red Hat releases Red Hat Enterprise Linux 8 beta; deprecates Btrfs filesystem Soon, RHEL (Red Hat Enterprise Linux) won’t support KDE

On the 4th of November, Linux 4.20 rc-1 was released with a host of notable changes right from AMD Vega 20 support getting squared away, AMD Picasso APU support, Intel 2.5G Ethernet support, the removal of Speck, and other new hardware support additions and software features. The release that was supposed to upgrade the kernel’s performance, did not succeed in doing so. On the contrary, the kernel is much slower as compared to previous Linux kernel stable releases. In a blog released by Phoronix, Michael Larabel,e lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org, discussed the results of some tests conducted on the kernel. He bisected the 4.20 kernel merge window to explore the reasons for the significant slowdowns in the kernel for many real-world workloads. The article attributes this degrade in performance to the Spectre Flaws in the processor. In order to mitigate against the Spectre flaw, an intentional kernel change was made.The change is termed as  "STIBP" for cross-hyperthread Spectre mitigation on Intel processors. Single Thread Indirect Branch Predictors (STIBP) prevents cross-hyperthread control of decisions that are made by indirect branch predictors. The STIBP addition in Linux 4.20 will affect systems that have up-to-date/available microcode with this support and where a user’s CPU has Hyper-Threading enabled/present. Performance issues in Linux 4.20 Michael has done a detailed analysis of the kernel performance and here are some of his findings. Many synthetic and real-world tests showed that the Intel Core i9 performance was not upto the mark. The Rodinia scientific OpenMP tests took 30% longer, Java-based DaCapo tests taking up to ~50% more time to complete, the code compilation tests also extended in length. There was lower PostgreSQL database server performance and longer Blender3D rendering times. All this was noticed in Core i9 7960X and Core i9 7980XE test systems while the AMD Threadripper 2990WX performance was unaffected by the Linux 4.20 upgrade. The latest Linux kernel Git benchmarks also saw a significant pullback in performance from the early days of the Linux 4.20 merge window up through the very latest kernel code as of today. Those affected systems included a low-end Core i3 7100 as well as a Xeon E5 v3 and Core i7 systems. The tests conducted found the  Smallpt renderer to slow down significantly PHP performance took a major dive, HMMer also faced a major setback compared to the current Linux 4.19 stable series. What is surprising is that there are mitigations against Spectre, Meltdown, Foreshadow, etc in Linux 4.19 as well. But 4.20 shows an additional performance drop on top of all the previously outlined performance hits this year. In the entire testing phase, the AMD systems didn’t appear to be impacted. This would mean if a user disables Spectre V2 mitigations to account for better performance- the system’s security could be compromised. You can head over to Phoronix for a complete analysis of the test outputs and more information on this news. Soon, RHEL (Red Hat Enterprise Linux) won’t support KDE Red Hat releases Red Hat Enterprise Linux 8 beta; deprecates Btrfs filesystem The Ceph Foundation has been launched by the Linux Foundation to support the open source storage project

Earlier this month, Red Hat released RHEL 7.6. Now, Red Hata Enterprise Linux (RHEL) 8 beta version is available with more container friendliness than ever. This RHEL release is based on the Red Hat community Linux May 2018 Fedora 28 release. It uses the upstream Linux kernel 4.18 for its foundation. RHEL 8 beta introduces the concept of Application Streams. With this, userspace components can now update more quickly than core operating system packages and without having to wait for the next major version of the operating system. With Application Streams, you can also keep multiple versions of the same package around. RHEL 8 beta features RHEL 8 beta introduces a single and consistent user control panel through the RHEL Web Console. Systems admins of all experience levels can easily manage RHEL servers locally and remotely, including virtual machines. RHEL 8 beta uses IPVLAN to support efficient Linux networking in containers through connecting containers nested in virtual machines (VMs) to networking hosts. RHEL 8 beta also has a new TCP/IP stack with Bandwidth and Round-trip propagation time (BBR) congestion control. This increases performance and minimizes latency for services like streaming video or hosted storage. RHEL 8 is made secure with OpenSSL 1.1.1 and TLS 1.3 support and system-wide Cryptographic Policies. Red Hat’s lightweight, open standards-based container toolkit comes with Buildah (container building), Podman (running containers) and Skopeo (sharing/finding containers). RPM's YUM package manager has also been updated. Yum 4 delivers faster performance, fewer installed dependencies and more choices of package versions to meet specific workload requirements. File Systems in RHEL 8 beta RedHat has deprecated the Btrfs filesystem. This has really confused developers who are surprised why RedHat would opt out of it especially considering that it is also used for ChromeOS's Crostini Linux application container. From hacker news: “I'm still incredibly sad about that, especially as Btrfs has become a really solid filesystem over the last year or so in the upstream kernel.” “Indeed, Btrfs is uniquely capable and important. It has lightweight snapshots of directory trees, and fully supports NFS exports and kernel namespaces, so it can easily solve technical problems that currently can't be easily solved using ZFS or other filesystems.” Stratis is the new volume-managing file system in RHEL 8 beta. Stratis abstracts away the complexities inherent to data management via an API. Also, File System Snapshots provide for a faster way of conducting file-level tasks, like cloning virtual machines, while saving space by consuming new storage only when data changes. Existing customers and subscribers can test Red Hat Enterprise Linux 8 beta. You can also view the README file for instructions on how to download and install the software. RedHat shares what to expect from next week’s first-ever DNSSEC root key rollover. Soon, RHEL (Red Hat Enterprise Linux) won’t support KDE. Red Hat Enterprise Linux 7.5 (RHEL 7.5) now generally available.

Yesterday, at Uber Open Summit 2018, the company announced that it is joining the Linux Foundation as a Gold Member with a promise to support the open source community via the Linux Foundation. Jim Zemlin, Executive Director of the Linux Foundation, said, “Uber has been influential in the open source community for years, and we’re very excited to welcome them as a Gold member at the Linux Foundation. Uber truly understands the power of open source and community collaboration, and I am honored to witness that first hand as a part of Uber Open Summit 2018.” By being a member, Uber will support the Linux Foundation’s mission and help the community in building ecosystems that accelerate open source technology development. Uber will also work towards solving complex technical problems and further promote open source adoption globally. Zemlin said, “Their expertise will be instrumental for our projects as we continue to advance open solutions for cloud-native technologies, deep learning, data visualization and other technologies that are critical to businesses today.” Thuan Pham, Uber CTO, said, “The Linux Foundation not only provides homes to many significant open source projects but also creates an open environment for companies like Uber to work together on developing these technologies. We are honored to join the Linux Foundation to foster greater collaboration with the open source community.” To know more about this membership in detail, head over to Uber Engineering. Michelangelo PyML: Introducing Uber’s platform for rapid machine learning development Uber posted a billion dollar loss this quarter. Can Uber Eats revitalize the Uber growth story? Uber announces the 2019 Uber AI Residency

Yesterday (on the 7th of November), Facebook open-sourced its high-performance kernel library FBGEMM: Facebook GEneral Matrix Multiplication. This library offers optimized on-CPU performance for reduced precision calculations used to accelerate deep learning models. The library has delivered 2x performance gains when deployed at Facebook (in comparison to their current production baseline). Users can deploy it using the Caffe2 front end, and it will soon be callable directly by PyTorch 1.0 Python front end. Features of FBGEMM 1. FBGEMM is optimized for server-side inference. It delivers accuracy and efficiency when performing quantized inference using contemporary deep learning frameworks. It is a low-precision, high-performance matrix-matrix multiplications and convolution library that enables large-scale production servers to run the most powerful deep learning models efficiently. The library exploits opportunities to overcome the unique challenges of matrix multiplication at lower precision with bandwidth-bound pre- and post-GEMM operations. At Facebook, FBGEMM has benefited many AI services, increased the speed of English-to-Spanish translations by 1.3x, reduced DRAM bandwidth usage in their recommendation system used in feeds by 40%, and speed up character detection by 2.4x in Rosetta, the machine learning system for understanding text in images and videos. FBGEMM supplies modular building blocks to construct an overall GEMM pipeline needed by plugging and playing different front-end and back-end components. It combines small compute with bandwidth-bound operations and exploits cache locality by fusing post-GEMM operations with macro kernel while providing support for accuracy-loss-reducing operations. Why does GEMM matter? Floating point operations (FLOPs)  are mostly consumed by Fully connected (FC) operators in the deep learning models that are  deployed in Facebook’s data centers. These FC operators are just plain GEMM, which means that their overall efficiency directly depends on GEMM efficiency. 19% of these deep learning frameworks at Facebook implement convolution as im2col followed by GEMM. However, straightforward im2col adds overhead from the copy and replication of input data. To combat this, some deep learning libraries implement direct (im2col-free) convolution for improved efficiency. Facebook provides a way to fuse im2col with the main GEMM kernel to minimize im2col overhead. Facebook  says that recent industry and research works have indicated that inference using mixed-precision works well- without adversely affecting accuracy. FBGEMM uses this as an alternative strategy to improve inference performance with quantized models. Also, newer generations of GPUs, CPUs, and specialized tensor processors natively support lower-precision compute primitives, and hence the deep learning community is moving toward low-precision models. FBGEMM provides a way to perform efficient quantized inference on the current and upcoming generation of CPUs. Head over to Facebook’s official blog to understand more about this library and how it is implemented. A new data breach on Facebook due to malicious browser extensions allowed almost 81,000 users’ private data up for sale, reports BBC News 90% Google Play apps contain third-party trackers, share user data with Alphabet, Facebook, Twitter, etc: Oxford University Study Facebook open sources a set of Linux kernel products including BPF, Btrfs, Cgroup2, and others to address production issues

Linus Torvalds announced on 4th November that Kernel 4.20-rc1 is tagged and pushed out, and the merge window is closed.  Linux 4.20 brings a lot of prominent changes from AMD Vega 20 support getting squared away, AMD Picasso APU support, Intel 2.5G Ethernet support, the removal of Speck, peer-to-peer PCI memory support, and other new hardware support additions and software features. Here are some of the features of 4.20-rc 1r: 70% of the patch is driver updates including changes in the gpu drivers Arch updates in x86, arm64, arm, powerpc, and the new C-SKY architecture), Updates in the  header files, networking, core mm and kernel, and tooling 4. Tooling has been upgraded as well. The Kernel will have more than 350 thousand lines of new code! The AMD Vega 20 7nm workstation GPU support is now largely squared away for when this graphics card will be released in the months ahead. GPUVM performance improvements for the AMDGPU kernel driver. The Intel DRM driver now has full PPGTT support for Haswell/Ivy/Valley View hardware. Support for the Hygon Dhyana CPUs -the new Chinese data center processors based on AMD Zen. Scheduler improvements that should benefit asymmetric CPU systems like ARM big.LITTLE processors.  Faster context switching on IBM POWER9.  Several Btrfs performance improvements.  Intel 2.5G Ethernet support was added via the new "IGC" driver. Xbox One S controller rumble support along with Logitech high-resolution scrolling and the new Apple Trackpad 2 driver are among the input hardware improvements.  The Linux kernel is now VLA-free for variable length arrays to improve code portability and better performance and security. Speck crypto code was removed due to this crypto algorithm being quite controversial with its roots inside the NSA. The highly anticipated WireGuard secure VPN tunnel is held off until the next cycle. The FreeSync / Adaptive-Sync / HDMI VRR bits are also being held off for DRM until the next cycle. As the merge window closes, there will be some delay in the pull request which will be taken care of in the second week of the merge window. The duration of the merge window is two weeks. Linus is considering making an explicit rule that he will stop taking new pull requests some time during the second week unless users have a good reason for why it was delayed. He also hopes that by the time the next merge window rolls around, there will be a new automation for it, so that everybody just automatically gets notified when their pull request hit mainline. You can head over to Phoronix.com for a detailed list of all the new improvements added to 4.2 0 rc 1. You can also read the change log for further details. Soon, RHEL (Red Hat Enterprise Linux) won’t support KDE Microsoft releases ProcDump for Linux, a Linux version of the ProcDump Sysinternals tool Facebook open sources a set of Linux kernel products including BPF, Btrfs, Cgroup2, and others to address production issues