Revolutionary changes in software delivery, security tools, storage software and hardware, and server consolidation have reshaped Linux administrators' daily work and needed skills, says Richard Petersen, author of Linux: The Complete Reference, Sixth Edition (McGraw-Hill Professional). In this Q&A, Petersen opines on the big changes in Linux over the past five years, including virtualization, software repositories and SELinux.
Your book Linux: The Complete Reference, Sixth Edition covers all Linux developments since the last edition was released in 2002. What has changed since then?
The sixth edition is a brand-new book from cover to cover, designed to a be valid for all Linux distributions. Linux: TCR pulls together that 95 percent of all distributions that is common to all Linux systems, including some significant changes that impact IT managers and administrators.
What has changed in the last several years? Among the many developments, some important ones I see are:
Software repositories. Gone are the days when software was loaded from a CD. Now open source packages are available instantly with the click of a button. For administrators, customized repositories let you maintain all software directly without any kind of manual system-by-system management. This also has the effect of enabling users to use a much greater variety of software than they normally would. With repositories, the sheer variety of software expands enormously. Having to actually buy proprietary software on a CD now seems like something out of the Dark Ages.
GNOME Online Desktop. Though still under development, it marks a change in computing, reducing the role of a PC to that of just a client that accesses all software and services on network servers, also known as the cloud. Your desktop and the services you use are now accessible from anywhere, from any machine. The desktop has become abstracted from the hardware.
Hardware abstraction layers (HAL) and udev. Hardware is fracturing into different portable components, especially with storage and dedicated multimedia devices. Users are going to carry more of their personal files with them and want to use them with any machine.
IPv6 You no longer have to rely on a local network server to set up and maintain your connection for you. With IPv6, users connect to the Internet anywhere, anytime, automatically.
Logical volume management (LVM) In the age of multiple cheap hard drives, LVM gives you as much storage as you want: easily expanded or replaced and entirely transparent to the user.
What other kinds of changes have you seen with storage and backup?
A significant change has been making backup operations more automated with Amanda and BackupPC. The explosion of large, inexpensive hard drives -- along with growing amounts of data, even personal data -- makes disk and even smaller tape backups much more tedious. Backups to external hard drives (External Serial Advanced Technology Attachment, eSATA) or networked drives (Amanda) seem to make much more sense. The TCR [The Complete Reference] covers rsync, Amanda and dump/restore backup methods as well as BackupPC in the chapter on backup.
Another change in the Linux world has been SELinux. What do you tell administrators and managers about SELinux in the chapter from The Complete Reference?
An administrator might typically start out with a permissive security mode to see what is being rejected; then, after configuring a system the way he or she wants it, move to an enforcing mode. SELinux provides a much more refined and controlled approach to security than the traditional all-or-nothing approach. It is an entirely new approach to security, and administrators need a lot of information. I provide an orientation to SELinux, including terminology, SELinux tools, discussion of the reference policy, along with multilevel and multi-category security, review of policy methods and policy rules, and a mapping of SELinux configuration files, which can be confusing.
Many administrators still find SELinux confusing and difficult to manage. It can be traumatic to have a system in place that denies access unexpectedly, with little understanding of how to fix it. Security features like firewalls and file permissions appear much more straightforward.
Think of SELinux as a kind of tagging system, adding more labels to objects and users. Although this kind of digital paperwork can be daunting, when it comes to effective internal security, SELinux is the only game in town.
Here are some key points about SELinux to keep in mind:
- Always start out in the permissive mode with a new install. Then check messages for denials.
- Be sure to re-label any new file systems you add.
- You may have denials with network access services like Samba. Check the man page for samba_selinux for details on allowing access.
- For building policy modules from denial messages, audit2allow can be useful.
You mentioned that HAL, IPv6 and LVM have changed the way admins work. What possibilities do you see for these technologies in virtual environments?
Drivers will not get in the way as much as they used to. Xen is excellent for protecting systems by removing users from direct contact with key components like device management or network connections, but things become complicated if you have to rely on specific drivers. One shortcoming of kernel-based virtual machines is the need to use virtual devices. Graphics-intensive applications that need vendor drivers would not benefit from virtualization.
The radical change in device management with HAL and udev means that users no longer have to worry about installing drivers. All devices are detected through udev, and connections to applications are provided by HAL. In effect, the Linux hardware has become abstracted.
Add to that network autoconfiguration with IPv6. IPv6 will fundamentally change how devices connect to the Internet, stripping away much of the management of network addressing that the older IPv4 protocol required.
And with most computers using multiple hard disks, LVM provides flexibility by abstracting from the hardware to logical drives whose memory can be easily added to or reduced without affecting any data. Of course, many organizations use distributed network systems like Red Hat's Global File System.