<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Daniel Hall&#039;s Website &#187; Linux</title>
	<atom:link href="http://www.danielhall.me/tag/linux/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.danielhall.me</link>
	<description>Because the Internet doesn&#039;t have enough opinions already</description>
	<lastBuildDate>Sun, 23 Oct 2011 23:15:15 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<atom:link rel="hub" href="http://pubsubhubbub.appspot.com"/><atom:link rel="hub" href="http://superfeedr.com/hubbub"/>		<item>
		<title>Rebooting with &#8216;The Big Hammer&#8217;</title>
		<link>http://www.danielhall.me/2010/12/rebooting-with-the-big-hammer/</link>
		<comments>http://www.danielhall.me/2010/12/rebooting-with-the-big-hammer/#comments</comments>
		<pubDate>Sun, 12 Dec 2010 00:57:40 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[System Administration]]></category>
		<category><![CDATA[Desperation]]></category>
		<category><![CDATA[Emergency]]></category>
		<category><![CDATA[HOWTO]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Overkill]]></category>
		<category><![CDATA[Recovery]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=670</guid>
		<description><![CDATA[Today I had a machine I was working on spit the dummy in a really bad way. It had a tonne of IO errors to its root filesystem and eventually decided to remount it read only. Of course this meant &#8230;<p class="read-more"><a href="http://www.danielhall.me/2010/12/rebooting-with-the-big-hammer/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>Today I had a machine I was working on spit the dummy in a really bad way. It had a tonne of IO errors to its root filesystem and eventually decided to remount it read only. Of course this meant that it was almost entirely wedged. I tried the reboot command, the init command and everything would lock up my terminal. Not having console or physical access to the machine I couldn&#8217;t simply hit the power button, so I used the Linux magic commands:</p>
<p><code><br />
# echo 1 &gt; /proc/sys/kernel/sysrq<br />
# echo b &gt; /proc/sysrq-trigger<br />
</code></p>
<p>Of course the disk errors meant that it was unable to boot but &#8216;The Big Hammer&#8217; struck me as something extremely useful.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2010/12/rebooting-with-the-big-hammer/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Using EncFS to encrypt your files</title>
		<link>http://www.danielhall.me/2010/04/using-encfs-to-encrypt-your-files/</link>
		<comments>http://www.danielhall.me/2010/04/using-encfs-to-encrypt-your-files/#comments</comments>
		<pubDate>Tue, 27 Apr 2010 20:53:38 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=546</guid>
		<description><![CDATA[About EncFS EncFS is an encrypted filesystem based on FUSE. It transparently encrypts files stored in it and places them on another volume. This is in contrast to block level encrypted filesystems which transparently encrypt the data under the filesystem &#8230;<p class="read-more"><a href="http://www.danielhall.me/2010/04/using-encfs-to-encrypt-your-files/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<h1>About EncFS</h1>
<p>EncFS is an encrypted filesystem based on FUSE. It transparently encrypts files stored in it and places them on another volume. This is in contrast to block level encrypted filesystems which transparently encrypt the data under the filesystem layer as it is being written to disk. Think of EncFS as a bind mount, except that the source for the mount is encrypted and the place it is mounted to is the only place it is available unencrypted.</p>
<p>The main advantage of EncFS filesystems is that, when backing up, only the files which have changed need to be backed up. This means it works perfectly with tools such as rsnapshot. Another advantage is that the filesystem doesn&#8217;t need a block of disk allocated to it and will shrink and expand as the files inside change.</p>
<p>Finally, because this is all implemented with FUSE, it is all done in userspace. No root access is required (apart from setting FUSE up) to create and alter encfs filesystems.</p>
<h2>Setting Up an EncFS Volume</h2>
<p>So the first thing you need to do to set up an encfs volume is to install FUSE and EncFS. If you don&#8217;t have root access you will have to ask your sysadmin to do this for you, otherwise follow your distribution specific method of installing new packages. On Fedora it is called &#8216;fuse-encfs&#8217; and on Debian/Ubuntu it&#8217;s called &#8216;encfs&#8217;. On some older systems users wishing to use FUSE may need to be added to the correct group.</p>
<p>First you need to decide where you will put the encfs volume, and where you&#8217;ll mount it. I usually put mine in /home/daniel/.crypt and mount it to /home/daniel/crypt. But feel free to name it whatever you want. When you&#8217;ve decided, run encfs with those two paths as arguments. With the paths above it looks like this:</p>
<p>[code]<br />
&lt;daniel@server ~&gt;$ encfs /home/daniel/.crypt /home/daniel/crypt<br />
The directory &quot;/home/daniel/.crypt/&quot; does not exist. Should it be created? (y,n) y<br />
The directory &quot;/home/daniel/crypt&quot; does not exist. Should it be created? (y,n) y<br />
Creating new encrypted volume.<br />
Please choose from one of the following options:<br />
 enter &quot;x&quot; for expert configuration mode,<br />
 enter &quot;p&quot; for pre-configured paranoia mode,<br />
 anything else, or an empty line will select standard mode.<br />
?&gt;<br />
<br />
Standard configuration selected.<br />
<br />
Configuration finished.  The filesystem to be created has<br />
the following properties:<br />
Filesystem cipher: &quot;ssl/aes&quot;, version 2:2:1<br />
Filename encoding: &quot;nameio/block&quot;, version 3:0:1<br />
Key Size: 192 bits<br />
Block Size: 1024 bytes<br />
Each file contains 8 byte header with unique IV data.<br />
Filenames encoded using IV chaining mode.<br />
File holes passed through to ciphertext.<br />
<br />
Now you will need to enter a password for your filesystem.<br />
You will need to remember this password, as there is absolutely<br />
no recovery mechanism.  However, the password can be changed<br />
later using encfsctl.<br />
<br />
New Encfs Password:<br />
Verify Encfs Password:<br />
[/code]</p>
<p>As you can see the directories don&#8217;t need to be created first. There is also a prompt for what security settings you want to use. Hitting enter will give you standard settings, but for something more powerful you should hit &#8216;p&#8217; then enter. You can now proceed to place files in /home/daniel/crypt and they will be encrypted and placed into /home/daniel/.crypt. If you don&#8217;t believe me go ahead and check.</p>
<p>See? I told you so. Now you can unmount it using &#8216;fusermount -u /home/daniel/crypt&#8217; and mount it again using &#8216;encfs /home/daniel/.crypt /home/daniel/crypt&#8217; and typing your password.</p>
<p><strong>Random Thought:</strong> When travelling to other countries, local laws may mean that customs can search your laptop, including encrypted filesystems. You may have to reveal your key, or be arrested.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2010/04/using-encfs-to-encrypt-your-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Writing a Daemon in C</title>
		<link>http://www.danielhall.me/2010/01/writing-a-daemon-in-c/</link>
		<comments>http://www.danielhall.me/2010/01/writing-a-daemon-in-c/#comments</comments>
		<pubDate>Fri, 01 Jan 2010 12:14:35 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[C/C++]]></category>
		<category><![CDATA[C++]]></category>
		<category><![CDATA[Daemon]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Programming]]></category>
		<category><![CDATA[Unix]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=466</guid>
		<description><![CDATA[What is a Daemon? A daemon is a program that runs in the background. A daemon will usually be started at system startup and end at system shutdown. The exceptions to this rule are programs like the Bluetooth SDP daemon, &#8230;<p class="read-more"><a href="http://www.danielhall.me/2010/01/writing-a-daemon-in-c/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<h2>What is a Daemon?</h2>
<p>A daemon is a program that runs in the background. A daemon will usually be started at system startup and end at system shutdown. The exceptions to this rule are programs like the Bluetooth SDP daemon, which is activated when a new Bluetooth HCI is found, and ends when it is removed. Daemons run transparently and do not normally interact with the user directly.</p>
<p>Daemons start as ordinary processes but they eventually &#8216;fork and die&#8217; to start running in the background. Some daemons do only the &#8216;fork and die&#8217; step but ignore other important steps. Here is a list of what a daemon should do:</p>
<ol>
<li>Fork to create a child, and exit the parent process.</li>
<li>Change the umask so that we aren&#8217;t relying on the one set in the parent.</li>
<li>Open logs to write to in the case of an error.</li>
<li>Create a new session id and detach from the current session.</li>
<li>Change the working directory to somewhere that won&#8217;t get unmounted.</li>
<li>Close STDIN, STDOUT and STDERR.</li>
</ol>
<p>These steps ensure that our association with the calling environment is destroyed and our daemon is now free to run as a completely separate process.</p>
<p>Lastly before writing the daemon you should make sure the code is written securely and in a way that fails gracefully. If your daemon crashes it will not be able to prompt the user about what action to take. The user may not even notice until it is too late.</p>
<h2>Forking a child process</h2>
<p>In Unix fork() is the only system call with two return values. When you call fork a child process is created which is a near copy of its parent (some things will be different in the child, e.g. the process id). The fork call then returns 0 in the child and the child&#8217;s process id in the parent; on failure -1 is returned to the parent. Generally a program will then check whether it is the child or parent by these return values (just like in movies when a cloned character will check to see if he has a belly button and hence is the original). Here is a snippet of code to do this:<br />
[code lang="c"]<br />
/* Headers needed by this snippet */<br />
#include &lt;sys/types.h&gt; /* pid_t */<br />
#include &lt;unistd.h&gt;    /* fork() */<br />
#include &lt;stdlib.h&gt;    /* exit(), EXIT_SUCCESS, EXIT_FAILURE */<br />
<br />
pid_t pid;<br />
<br />
/* Clone ourselves to make a child */<br />
pid = fork();<br />
<br />
/* If the pid is less than zero,<br />
   something went wrong when forking */<br />
if (pid &lt; 0) {<br />
    exit(EXIT_FAILURE);<br />
}<br />
<br />
/* If the pid we got back was greater<br />
   than zero, then the clone was<br />
   successful and we are the parent. */<br />
if (pid &gt; 0) {<br />
    exit(EXIT_SUCCESS);<br />
}<br />
<br />
/* If execution reaches this point we are the child */<br />
[/code]</p>
<h2>Changing the umask</h2>
<p>Because we are a clone of our parent we&#8217;ve inherited its umask. This means the child doesn&#8217;t know what permissions files will end up with when it tries to create them. We fix this by setting the umask ourselves, so that files are created with exactly the mode we ask for:<br />
[code lang="c"]<br />
#include &lt;sys/stat.h&gt; /* umask() */<br />
<br />
/* Set the umask to zero */<br />
umask(0);<br />
[/code]</p>
<h2>Open logs to write to</h2>
<p>This part can be done in several different ways. You could open text files, log to a database or use syslog. The method I&#8217;m going to demonstrate here is to log using syslog. Syslog sends your log messages to a system wide logger, where they can be configured to be written to a file, sent to a network server or filtered away entirely.<br />
[code lang="c"]<br />
#include &lt;syslog.h&gt; /* openlog(), syslog(), closelog() */<br />
<br />
/* Open a connection to the syslog server */<br />
openlog(argv[0], LOG_NOWAIT | LOG_PID, LOG_USER);<br />
<br />
/* Sends a message to the syslog daemon */<br />
syslog(LOG_NOTICE, &quot;Successfully started daemon\n&quot;);<br />
<br />
/* this is optional and only needs to be done when your daemon exits */<br />
closelog();<br />
[/code]</p>
<h2>Create a new session id</h2>
<p>Each process on a Unix system is a member of a process group (or session). The id of each group is the process id of its owner. When we forked from our parent earlier we will have inherited its process group, and our process group leader will still be its parent process. We want to create our own process group and become our own process leader otherwise we will look like an orphan. We can do this easily as follows:<br />
[code lang="c"]<br />
pid_t sid;<br />
<br />
/* Try to create our own process group */<br />
sid = setsid();<br />
if (sid &lt; 0) {<br />
    syslog(LOG_ERR, &quot;Could not create process group\n&quot;);<br />
    exit(EXIT_FAILURE);<br />
}<br />
[/code]</p>
<h2>Changing the working directory</h2>
<p>At the moment we have the working directory we inherited from our parent. This working directory could be a network mount, a removable drive or somewhere the administrator may want to unmount at some point. To unmount any of these the system will have to kill any processes still using them, which would be unfortunate for our daemon. For this reason we set our working directory to the root directory, which we are sure will always exist and can&#8217;t be unmounted.<br />
[code lang="c"]<br />
/* Change the current working directory */<br />
if ((chdir(&quot;/&quot;)) &lt; 0) {<br />
    syslog(LOG_ERR, &quot;Could not change working directory to /\n&quot;);<br />
    exit(EXIT_FAILURE);<br />
}<br />
[/code]</p>
<h2>Closing the standard file descriptors</h2>
<p>Because a daemon doesn&#8217;t interact with the user directly, it has no use for STDIN, STDOUT and STDERR, and we really have no idea where these are connected or where anything we write to them will end up. As these file descriptors are not required and effectively useless we should close them to save some system resources and prevent any related security problems. We close these descriptors like this:<br />
[code lang="c"]<br />
/* Close the standard file descriptors */<br />
close(STDIN_FILENO);<br />
close(STDOUT_FILENO);<br />
close(STDERR_FILENO);<br />
[/code]</p>
<h2>Writing the payload</h2>
<p>Now you have a C program that is capable of becoming a daemon, but it&#8217;s a pretty useless daemon if it exits immediately. Payload code is really up to you to design. I&#8217;ll offer you a few tips on designing your payload.</p>
<ul>
<li>Put your payload in a loop. Generally in a daemon you want to perform the same action over and over again until you&#8217;re killed. If you have to cleanup (such as closing syslog) when the daemon is about to be killed you should add an exit clause that will be activated by a SIGTERM signal handler.</li>
<li>Make your code as fast and efficient as possible. This is something you should do with any program, but with daemons it is important that you do not hamper the performance of the rest of the system. This is especially true if you&#8217;re going to be running this daemon on desktop systems.</li>
<li>Be aware that your code may be preempted very often. As your daemon is going to be running for the amount of time the system is up, it is likely that its execution will be preempted.</li>
<li>Be paranoid about security. Daemons are common attack vectors and can be used to gain privileged access to a system. You should consider dropping any privileges that you don&#8217;t require.</li>
</ul>
<h2>Conclusion</h2>
<p>So if we take all the code I&#8217;ve mentioned in this post and put it all together you have a simple daemon. You can download the source from the link here: <a href='http://www.danielhall.me/wp-content/uploads/2010/01/daemon.c'>daemon.c</a>.<br />
If your daemon is only going to be run on Linux and not on a System V style system such as Solaris you can use the <a href="http://www.manpagez.com/man/3/daemon/">daemon</a> function to do a lot of this work for you.</p>
<h2>References</h2>
<p><a href="http://www.netzmafia.de/skripten/unix/linux-daemon-howto.html">Linux Daemon Writing HOWTO in C</a><br />
<a href="http://blog.emptycrate.com/node/219">Linux Daemon writing in C++</a></p>
<p><strong>Random Thought:</strong> It appears the <a href="http://objectiveministries.org/creation/propaganda.html#">devil uses a Unix</a> based OS, probably OSX.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2010/01/writing-a-daemon-in-c/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Using Subversion for Assignments</title>
		<link>http://www.danielhall.me/2009/10/using-subversion-for-assignments/</link>
		<comments>http://www.danielhall.me/2009/10/using-subversion-for-assignments/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 11:50:28 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[HOWTO]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[School Work]]></category>
		<category><![CDATA[Subversion]]></category>
		<category><![CDATA[SVN]]></category>
		<category><![CDATA[Version Control]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=359</guid>
		<description><![CDATA[If you&#8217;ve never heard of subversion before then you are in for a pleasant surprise. Subversion is a version control tool, which means it will keep track of several files and all their old versions. Normally subversion is used to &#8230;<p class="read-more"><a href="http://www.danielhall.me/2009/10/using-subversion-for-assignments/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>If you&#8217;ve never heard of subversion before then you are in for a pleasant surprise. Subversion is a version control tool, which means it will keep track of several files and all their old versions. Normally subversion is used to help multiple people work together on a single project. It tracks all their changes and combines them all, even flagging when conflicts occur and assists in resolving them. It is also useful when working alone on a school assignment. Here&#8217;s a few dot points that capture the essence of why Subversion is useful with assignments:</p>
<ul>
<li>Subversion allows you to work on the same assignment on multiple computers.</li>
<li>Subversion can email you with changes you&#8217;ve made, allowing you to review them.</li>
<li>Subversion allows you to show a teacher that you&#8217;ve been working on an assignment over the whole time available and not just in the last few days. This gives you greater leverage when asking for an extension.</li>
<li>Subversion can help you prove in a disciplinary hearing that you did not plagiarise any code from others showing the natural growth your code had.</li>
<li>Subversion can get back that file you just accidentally emptied out of the trash.</li>
<li>Subversion can show you all the changes you made between the time you fixed that annoying bug, and now, when you just reintroduced it.</li>
</ul>
<p>The first step to making an assignment in Subversion is to build your repository. If you didn&#8217;t do this first that&#8217;s okay, you can easily import an existing project into a subversion repository. To create a repository you simply use the &#8216;svnadmin create&#8217; command. You should then create some folders that should be in every subversion repository (trunk, tags and branches). This next block of commands will show you how to create the initial project. If you&#8217;re using these instructions to import an existing project just copy your files into the trunk folder before you run the &#8216;svn import&#8217; command.<br />
[code lang="shell"]# Create the empty repository<br />
mkdir -p /home/daniel/svn/newproject<br />
svnadmin create /home/daniel/svn/newproject<br />
# Build the initial layout in a temporary directory and import it<br />
mkdir -p /tmp/newrepo/{trunk,branches,tags}<br />
svn import /tmp/newrepo file:///home/daniel/svn/newproject -m &quot;Create Initial Structure&quot;<br />
# Remove the temporary directory created above<br />
rm -rf /tmp/newrepo[/code]<br />
The trunk, tags and branches folders aren&#8217;t strictly required but can be very useful in certain circumstances. The trunk folder is where your main copy sits; it should be the latest stable version of the software. In an assignment though this is where you will probably be doing all your work, as you generally don&#8217;t have the need or the time to make and merge branches. Which leads us to branches. Generally you branch software when you are about to make a major change that may break other developers&#8217; work. You most likely don&#8217;t have other developers on your assignment and if you do you&#8217;ve probably all decided on what parts you will work on. Finally tags are for labelling certain versions with a specific tag. For example if you have to submit your assignment weekly you could tag each week as you submit, or you could tag as you finish each requirement. To populate these folders you just copy whatever it is you want into them. Subversion will only use a minuscule amount of space as the copy will be stored internally to the repository.</p>
<p>Before you can edit the files in the repository you need to check it out. You can check it out to the same machine, you can <a href="http://www.danielhall.me/2009/09/using-subversion-over-ssh/">use SSH</a> or you could check it out over WebDAV depending on how you&#8217;ve set it up. The following command checks out the trunk folder into a folder called newproject. This is one of the few times you have to type the full path to the repository. Subversion remembers this for you so that next time you use a subversion command it&#8217;s pre-filled.<br />
[code lang="shell"]svn checkout file:///home/daniel/svn/newproject/trunk newproject[/code]<br />
What you&#8217;ve just checked out is called a &#8216;working copy&#8217;. This is where you make your changes before uploading them back into the repository. Your working copy also includes copies of the versions you originally checked out so that if you want to revert back to them you can. Because they are stored in the working copy you don&#8217;t need access to the repository to revert. To revert back to the version you checked out from the repository you simply run &#8216;svn revert &lt;filename&gt;&#8217;. You can also find the differences between these versions and the current ones by using &#8216;svn diff &lt;filename&gt;&#8217;. The filename is optional and if omitted will print all the changes in the current directory and below.</p>
<p>Part 2 to come&#8230;<br />
<strong>Random Thought:</strong> I&#8217;ve just redesigned my website, I&#8217;d love to know what my readers think. If you could post your comment on the new design, I&#8217;d appreciate it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/10/using-subversion-for-assignments/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Using Subversion over SSH</title>
		<link>http://www.danielhall.me/2009/09/using-subversion-over-ssh/</link>
		<comments>http://www.danielhall.me/2009/09/using-subversion-over-ssh/#comments</comments>
		<pubDate>Wed, 23 Sep 2009 08:19:38 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[HOWTO]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[SSH]]></category>
		<category><![CDATA[Subversion]]></category>
		<category><![CDATA[SVN]]></category>
		<category><![CDATA[Version Control]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=356</guid>
		<description><![CDATA[Few people realise that subversion has the ability to connect to a remote repository via SSH. It's extremely simple and can give you all the advantages of storing your important files on a server while still having them readily accessible on your desktop.<p class="read-more"><a href="http://www.danielhall.me/2009/09/using-subversion-over-ssh/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>Subversion is an amazing tool that you can use to keep track of all the changes you make to a group of files. If you haven&#8217;t used it before, or have never heard of &#8216;version control&#8217; then you should probably read the <a href="http://svnbook.red-bean.com/">Subversion Book</a>.</p>
<p>Few people realise that subversion has the ability to connect to a remote repository via SSH. It&#8217;s extremely simple and can give you all the advantages of storing your important files on a server while still having them readily accessible on your desktop. This means that for example you could have your files (and every old version of your files) stored on a RAID device on a server while working with them locally on your desktop.</p>
<p>Setting this up is actually rather simple. First you create your repository and perform the initial import of the files. I usually make it in my home directory as follows:<br />
[code lang="shell"]# Create the empty repository<br />
mkdir -p /home/daniel/svn/newproject<br />
svnadmin create /home/daniel/svn/newproject<br />
# Build the initial layout in a temporary directory and import it<br />
mkdir -p /tmp/newrepo/{trunk,branches,tags}<br />
svn import /tmp/newrepo file:///home/daniel/svn/newproject -m &quot;Create Initial Structure&quot;<br />
# Remove the temporary directory created above<br />
rm -rf /tmp/newrepo[/code]<br />
These commands are basically what you&#8217;d use to create any subversion repository and people familiar with it require no explanation. Most people probably even have it scripted to make it just that much easier. Here comes the fun part though. Next we (on our local machine) check the files out. To checkout subversion repositories over ssh you simply use the following command:<br />
[code lang="shell"]svn checkout svn+ssh://username@servername/home/daniel/svn/newproject/trunk newproject[/code]<br />
All going well you will now see a password prompt and upon successful authentication the files will be checked out. This is all that is required and from now on you can simply use the ordinary svn commands.</p>
<p><strong>Random Thought:</strong> &#8230; and I says to the kernel developer, I says &#8220;git this!&#8221;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/09/using-subversion-over-ssh/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Fedora 12 Alpha</title>
		<link>http://www.danielhall.me/2009/09/fedora-12-alpha/</link>
		<comments>http://www.danielhall.me/2009/09/fedora-12-alpha/#comments</comments>
		<pubDate>Tue, 01 Sep 2009 07:42:53 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Fedora]]></category>
		<category><![CDATA[Testing]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=320</guid>
		<description><![CDATA[So recently Fedora released the alpha of their latest OS. I&#8217;d been running rawhide for quite a while. Of particular interest is that my RS690 no longer flickers when I move a window that includes an alpha channel, and no &#8230;<p class="read-more"><a href="http://www.danielhall.me/2009/09/fedora-12-alpha/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>So recently Fedora released the alpha of their latest OS. I&#8217;d been running rawhide for quite a while. Of particular interest is that my RS690 no longer flickers when I move a window that includes an alpha channel, and no longer randomly crashes. I&#8217;ve still got to disable modesetting but modesetting currently only stops me from enabling desktop effects.</p>
<p>Particular points I&#8217;m enjoying:</p>
<ul>
<li>The desktop wallpaper that has squares on an angled surface is very appealing. The other new desktop wallpapers are very eye catching too.</li>
<li>Having 3D rendering working properly on my laptop.</li>
<li>The new <a href="http://www.danielhall.me/wp-content/uploads/2009/09/desktop-login.ogg">Fedora 12 Login Theme</a> is music to my ears (except when I have my laptop speakers turned up and it reverbs horribly).</li>
<li>EXT4 support seems a bit stronger. Of particular importance barrier based sync now works on LVM metadevices.</li>
<li>Dracut has made no discernible difference to boot times and ability to boot.</li>
<li>resize2fs is now able to shrink an ext4 partition. system-config-lvm now recognises ext4 and allows resizing it.</li>
</ul>
<p>Particular points I&#8217;m not enjoying:</p>
<ul>
<li>Eclipse is unstable and keeps crashing.</li>
<li>Turning off the menu icons in GNOME seems like a bad idea, it makes it harder to recognise each menu.</li>
<li>Modesetting stops me from using 3D effects.</li>
<li>You can&#8217;t drag icons from the menu to the panels or the desktop any more.</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/09/fedora-12-alpha/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Pet Projects</title>
		<link>http://www.danielhall.me/2009/08/pet-projects/</link>
		<comments>http://www.danielhall.me/2009/08/pet-projects/#comments</comments>
		<pubDate>Tue, 18 Aug 2009 23:57:13 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Programming]]></category>
		<category><![CDATA[Career]]></category>
		<category><![CDATA[Linux]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=253</guid>
		<description><![CDATA[One thing I&#8217;ve observed of people around me who are extremely passionate about computers is that they all have pet projects. For some its their work on an open source project, some maintain distribution packages, others run useful websites and &#8230;<p class="read-more"><a href="http://www.danielhall.me/2009/08/pet-projects/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>One thing I&#8217;ve observed of people around me who are extremely passionate about computers is that they all have pet projects. For some it&#8217;s their work on an open source project, some maintain distribution packages, others run useful websites and some even attempt to found companies. I&#8217;ve had a few pet projects through my years.</p>
<p>Early in my high school education I discovered Microsoft Visual Basic 6.0. This was my original programming language and where I learnt the basis of my programming skills. Using Visual Basic I wrote many programs, some useful some utterly useless. I remember writing a chat program, a scrabble optimiser, a remote PC control application and several games. Unfortunately an over zealous system administrator saw many executables in my home directory and decided I had been infected by a virus and wiped the whole directory. Unfortunately as much as I protested and complained the files were never restored and they are all lost forever.</p>
<p>As I was completing my high school years I ran a web game with two fellow classmates of mine. We spent most of the second half of the year designing it and I spent my exam period implementing it. We managed to keep it running for a year until we ran out of funds (we were all studying) to support it. The game had several limitations and some major design flaws. I&#8217;ve entertained thoughts of setting it up once again many times, but ultimately without my two partners (one of whom I&#8217;ve lost touch with) it would never work. In addition all copies of the original source code have been lost.</p>
<p>Now we come to my favourite project of all. <a href="http://www.danielhall.me/WeatherMon">WeatherMon</a> was written for my Dad. He had bought a weather station that had a PC link and this enabled me to get the data into our server. Not only is <a href="http://www.danielhall.me/WeatherMon">WeatherMon</a>&#8217;s source code still available, it is still running to this day. It was also my first foray into AJAX and XML. WeatherMon does not reload the page at all, and all data transferred is either images or XML. I&#8217;ve got a write up all about it <a href="http://www.danielhall.me/projects/about-weathermon/">here</a>.</p>
<p>Finally, it began as a school assignment but I took it way too far. Originally I had implemented it as a web service, which I then extended to a website, then I made the XHTML so that it could easily be themed and finally I implemented several themes. You can read about converter <a href="http://www.danielhall.me/projects/about-converter/">here</a>.</p>
<p>I think pet projects are what differentiates the passionate from the crowd. Anybody can write programs, and anybody can go to work and do it there. It takes the right person to want to toil outside hours on something that isn&#8217;t earning them any money. I think the best thing you can do to further your abilities and your career is to start a pet project. It doesn&#8217;t have to be thankless, or useless but that doesn&#8217;t mean it can&#8217;t be. Its easy, submit a patch to an open source project, become a maintainer for a project lacking development, fork a project, start a website or even start your own open source project.</p>
<p><strong>Random Thought:</strong> How tasty is the definitive <a href="http://recipes.wikia.com/wiki/Tomato_sauce">Open Sauce</a>?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/08/pet-projects/feed/</wfw:commentRss>
		<slash:comments>4</slash:comments>
		</item>
		<item>
		<title>SSH Agent Forwarding</title>
		<link>http://www.danielhall.me/2009/08/ssh-agent-forwarding/</link>
		<comments>http://www.danielhall.me/2009/08/ssh-agent-forwarding/#comments</comments>
		<pubDate>Tue, 11 Aug 2009 23:01:29 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[System Administration]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[SSH]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=160</guid>
		<description><![CDATA[So you use keys to SSH between your hosts, and you either have separate keys for each machine you use, or worse you have the same key on each machine. Let&#8217;s go over why each of those is bad, and &#8230;<p class="read-more"><a href="http://www.danielhall.me/2009/08/ssh-agent-forwarding/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>So you use keys to SSH between your hosts, and you either have separate keys for each machine you use, or worse you have the same key on each machine. Let&#8217;s go over why each of those is bad, and let&#8217;s see how SSH agent forwarding will help with those issues and make things easier for you in general.</p>
<p>The key reason an SSH agent and SSH agent forwarding are so useful is the way keys can be attacked. If I wanted to get your SSH private key I could find some flaw in the system that would give me that /home/you/.ssh/id_rsa file you have. Of course a malicious user with root access to the system could just go in and grab it. You can prevent this kind of attack by setting a passphrase on the key. Of course the root user could replace SSH with a special version designed to get your passphrase, steal the key out of memory or set up a keylogger. This means effectively that your private key is not safe on any system where a person you don&#8217;t trust has root access, or that has other users and exploitable vulnerabilities.</p>
<h2>Single Private Key on Multiple Machines</h2>
<p>In this example you&#8217;re trusting the security of every single machine you have your private key on. Should it get compromised then you have to revoke your public key from every host, and regenerate private keys to place on every host. Every time you put your private key on a machine you increase the chances that it could be compromised.</p>
<h2>Multiple Private Keys On Multiple Machines</h2>
<p>So we&#8217;re getting a little closer to a good solution. In this instance we don&#8217;t have to generate our key and roll it out to all hosts in the event of a compromise. You can also have segregated groups, one set of keys for work, another for home and so on. Your keys can still be compromised easily though, and once compromised they can be used until you revoke them manually.</p>
<h2>SSH Agent Forwarding</h2>
<p>There is a way to keep your key safe from compromise. Now I&#8217;ll have to explain how SSH authenticates you using your key. When you&#8217;re authenticating with SSH keys your key isn&#8217;t sent; the server sends you some random data and challenges your client to encrypt it with your private key. It then verifies the encrypted data by decrypting it with the public key and checking if it matches the data originally sent. Now the way most people would SSH from the second host to a third host is to utilise a private key on the second host to connect to the third host. Unfortunately this method means that you have to store a key (that is open for compromise) on the second host. SSH agent forwarding tells the SSH client on the second host to send the challenge data through to the SSH client (or SSH agent) on the first host. The agent encrypts the data and sends it via the SSH session to the third host.</p>
<p>The beauty of this method is that the second host never sees a private key, and the challenge data is useless for trying to connect to a different host. Even if the second host is compromised there isn&#8217;t a private key there to compromise. It should be noted that if the second host is compromised it can still ask the agent to authenticate to a different host, or the session to the third host can be taken over. Both of these are temporary though, and unless the malicious user installs their key (something easy to notice) they cannot get back in.</p>
<div id="attachment_173" class="wp-caption alignright" style="width: 160px"><a href="http://www.danielhall.me/wp-content/uploads/2009/08/SSHAgent.png"><img class="size-thumbnail wp-image-173 " title="SSHAgent" src="http://www.danielhall.me/wp-content/uploads/2009/08/SSHAgent-150x150.png" alt="Diagram detailing how an SSH connection is authenticated using agent forwarding." width="150" height="150" /></a><p class="wp-caption-text">Diagram detailing how an SSH connection is authenticated using agent forwarding.</p></div>
<p>If you want to know more about how this works, there is a wonderful tech tip at <a href="http://unixwiz.net/techtips/ssh-agent-forwarding.html">http://unixwiz.net/techtips/ssh-agent-forwarding.html</a>.</p>
<h2>But how?</h2>
<p>SSH agent forwarding is even easier than copying keys all over the place. The first step is to generate keys for all the machines you log on to directly. You need to be sure these machines are secure and that your keys will stay safe, though this is sometimes not possible. You then add the generated public key to the authorized hosts file of all the machines you will connect to from this one, including ones that take two or more steps to get to. Finally you edit your ~/.ssh/ssh_config file to tell SSH to forward your agent through those hosts. Include the intermediate hosts in this list, but not the endpoints. You could also use <a href="http://www.danielhall.me/2009/07/sshmenu/">SSHmenu</a> to add the arguments automatically to those SSH commands. The following disables forwarding to all hosts, and explicitly enables it to fred and aaron.missgner.com:</p>
<pre>Host fred
  ForwardAgent yes

Host aaron.missgner.com
  ForwardAgent yes

Host *
  ForwardAgent no</pre>
<p><strong>Random thought: </strong>Linux has Plug &#8216;n Pray too, you plug the device in and pray the drivers aren&#8217;t proprietary.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/08/ssh-agent-forwarding/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Oh My God &#8211; I broke my LVM</title>
		<link>http://www.danielhall.me/2009/08/oh-my-god-i-broke-my-lvm/</link>
		<comments>http://www.danielhall.me/2009/08/oh-my-god-i-broke-my-lvm/#comments</comments>
		<pubDate>Fri, 07 Aug 2009 22:04:25 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[HOWTO]]></category>
		<category><![CDATA[LVM]]></category>
		<category><![CDATA[Recovery]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=192</guid>
		<description><![CDATA[So today I did about the stupidest thing I could have done at the time. I was planning on clearing my USB hard drive so I could start my new backup plan on it. Of course any Linux geek knows the easy way to erase a hard drive is to do a 'dd if=/dev/zero of=/dev/sdb1'. On almost all my computers there is only one hard drive which maps to /dev/sda. Of course you know exactly where I'm going here don't you? So this is my home server with two hard drives combined into one volume group. The first hard drive is /dev/sda, the second /dev/sdb and the USB hard drive got mapped to /dev/sdc. So in my case that command obliterated the first 125Mb of my second drive before I noticed.<p class="read-more"><a href="http://www.danielhall.me/2009/08/oh-my-god-i-broke-my-lvm/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>So today I did about the stupidest thing I could have done at the time. I was planning on clearing my USB hard drive so I could start my new backup plan on it. Of course any Linux geek knows the easy way to erase a hard drive is to do a &#8216;dd if=/dev/zero of=/dev/sdb1&#8217;. On almost all my computers there is only one hard drive which maps to /dev/sda. Of course you know exactly where I&#8217;m going here don&#8217;t you? So this is my home server with two hard drives combined into one volume group. The first hard drive is /dev/sda, the second /dev/sdb and the USB hard drive got mapped to /dev/sdc. So in my case that command obliterated the first 125Mb of my second drive before I noticed.</p>
<p>My machine was still running so I knew I hadn&#8217;t wiped anything immediately important. The first thing that I thought of doing was checking what exactly it was that I had wiped and what chance I had of backing up anything before bailing out. Looking at the LVM layout revealed that I&#8217;d probably just destroyed the file system I stored my local Fedora repository on, something I could do without. So I unmounted it, removed it from /etc/fstab and did a lvremove. This is exactly where I realised the gravity of the situation. LVM was complaining that it couldn&#8217;t locate one of the physical volumes. Of course it couldn&#8217;t, I&#8217;d just blown away all the metadata for it.</p>
<p>Did you know LVM keeps backups of the metadata? Yes, it keeps them in /etc/lvm/backup (for slightly older copies see /etc/lvm/archive) and you can use this to recover the metadata. I thought a good place to do this would be now, before the reboot that could end it all. Try as I might it was refusing to create a volume that already existed and it also complained about the device being in use. I count myself extremely lucky to be able to do what I did next. To me it felt incredible but when you really think about it, it makes sense.</p>
<p>I downloaded the Fedora 11 Live CD and burned it to CD. Yep that&#8217;s right, while knocking on death&#8217;s door my machine managed to launch a torrent client, download a 700Mb ISO and burn it to a CD. After that I backed up the /etc/lvm folder to the USB hard drive that caused this mess. Finally I rebooted into the Live environment. The very next step was to recreate the partition table with fdisk.</p>
<p>Then I recreated the physical volume metadata that was destroyed with the following command:</p>
<pre>pvcreate -ff -u DsuvMV-1HVj-SQOU-wZkT-N9M0-LMZd-gPws1U \
 --restorefile /media/usbdisk/lvm/backup/Volgroup00 /dev/sdb1</pre>
<p>This forces the creation of a PV with a specific UUID, ignoring any PVs that exist with the same UUID. It also restores the metadata stored in the restorefile. Follow up with this command to restore the full metadata:</p>
<pre>vgcfgrestore -f /media/usbdisk/lvm/backup/Volgroup00 -v VolGroup00</pre>
<p>Now our LVM metadata is all correct, but at this point we still need to activate the logical volumes.</p>
<pre>vgchange -ay</pre>
<p>Finally you should fsck your logical volumes to make sure everything is working properly and you don&#8217;t get any nasty surprises later. All that is left then is to reboot into your recovered system.</p>
<p>Now that&#8217;s something they don&#8217;t teach you in RHCE!</p>
<p><strong>Random thought: </strong>Who needs enemies when I have my own stupidity to contend with?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/08/oh-my-god-i-broke-my-lvm/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fedora 12 (Constantine) Features</title>
		<link>http://www.danielhall.me/2009/08/fedora-12-constantine-features/</link>
		<comments>http://www.danielhall.me/2009/08/fedora-12-constantine-features/#comments</comments>
		<pubDate>Tue, 04 Aug 2009 20:00:32 +0000</pubDate>
		<dc:creator>Daniel</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Fedora]]></category>
		<category><![CDATA[GNOME]]></category>
		<category><![CDATA[KDE]]></category>
		<category><![CDATA[Systemtap]]></category>
		<category><![CDATA[Virtualisation]]></category>

		<guid isPermaLink="false">http://www.danielhall.me/?p=138</guid>
		<description><![CDATA[So it appears I called the feature freeze a little early. The feature freeze will actually happen on July 28. You will need to read my other post for features that haven't changed since then.<p class="read-more"><a href="http://www.danielhall.me/2009/08/fedora-12-constantine-features/">Read more &#187;</a></p>]]></description>
			<content:encoded><![CDATA[<p>So it appears I called the feature freeze a little early. The feature freeze will actually happen on July 28. You will need to read my <a href="http://www.danielhall.me/2009/07/a-look-forward-to-fedora-12-constantine/">other post</a> for features that haven&#8217;t changed since then. You can see the official list of features at <a href="https://fedoraproject.org/wiki/Releases/12/FeatureList">this page</a>.</p>
<h1>New Features</h1>
<h2>Abrt 1.0</h2>
<p>ABRT stands for Automated Bug Reporting Daemon. It is a tool designed to make it trivially easy for a user to submit a bug report when an application they are using crashes. This will require a fully updated system (to ensure you&#8217;re not reporting bugs already fixed) and the debuginfo packages for the software you&#8217;re reporting the bug for (they will be downloaded on demand). This will mean that should an application crash, a pop-up will appear in the system tray; clicking the pop-up will launch a simple wizard to walk the user through the steps of reporting the bug.</p>
<h2>Anaconda MDRaid</h2>
<p>This feature involves changing the default RAID type from dmraid to mdraid when using Intel BIOS-RAID devices. Mdraid (Linux Software RAID) holds many advantages over dmraid including RAID 5 sets and better flexibility. In the past the dmraid drivers were built into the initrd and hence the only way to stop them loading would be to rebuild the initrd without them. Of course this was a non-solution as you had to do it every time you upgraded the kernel.</p>
<h2>FCoE</h2>
<p><a href="http://en.wikipedia.org/wiki/Fibre_Channel_over_Ethernet">Fibre Channel over Ethernet</a> is a recent attempt to reduce the number of cables and interfaces in datacenters. With fewer switches, cables and interfaces, less cooling and less power are needed, which saves money, which is clearly good for companies. Currently, to get Fedora working over FCoE you have to play some very interesting tricks. This new feature is aiming to get Fedora 12 to easily install and boot straight from FCoE without any hassle.</p>
<h2>Fedora Studio</h2>
<p>If you have many multimedia applications installed in Fedora 11 you can end up with a very large menu. This can make it difficult to see all the applications and choose the right one. This feature is about creating submenus for media applications to make it easier to find everything.</p>
<h2>GFS2 Clustered Samba</h2>
<p>This feature (though I must admit I&#8217;m not experienced with samba) allows you to export GFS2 clustered filesystems across samba. This means that you can have a high availability samba share. Unfortunately that&#8217;s as much as I can tell you. If you want to know more, I suggest you visit the <a href="https://fedoraproject.org/wiki/Features/GFS2ClusteredSamba">feature page</a>.</p>
<h2>KDE 4.3</h2>
<p>Keeping Fedora at the cutting edge of the Linux software world involves keeping the desktop environments up to date. A desktop environment is what the user sees most and what will make the most difference to their experience. KDE 4.3 has many <a href="http://techbase.kde.org/Schedules/KDE4/4.3_Feature_Plan">new features</a> including: a new default theme, brand new plasma gadgets, Google Calendar support in KOrganiser and a new bug reporting tool.</p>
<h2>KSM</h2>
<p>KSM or Kernel SamePage Merging allows KVM to request that pages of RAM that are identical between multiple virtual machines be shared. This approach works because virtualized guests will be running the same daemons, loading the same kernels and loading a large number of similar files. This requires a large amount of kernel changes which probably won&#8217;t make it into the 2.6.31 kernel so will have to be backported.</p>
<h2>Mobile Broadband Enhancements</h2>
<p>The current black spot in NetworkManager&#8217;s support is around mobile broadband. Today mobile broadband adaptors are becoming commonplace, but support in Linux is anything but easy. Adding NetworkManager support should make it extremely simple to get your broadband working wherever you are, whatever plan you&#8217;re on and whatever device you&#8217;re using.</p>
<h2>Moblin</h2>
<p>Moblin is a Linux platform that is optimised to give a better experience on netbooks. This feature involves the addition of a new desktop manager from Moblin Core. Moblin is a complete rethink of the GUI in a way that&#8217;s designed to be easy to work with on netbooks. It&#8217;s also integrated with social networking and all the features the &#8216;new kids&#8217; want. Check out the <a href="http://moblin.org/documentation/moblin-netbook-intro">intro video</a>.</p>
<h2>Gnome 2.28</h2>
<p>The plan for Gnome 2.28 hasn&#8217;t been completely finalized yet. So I can&#8217;t tell you what you&#8217;ll see, what it will be like or whether this feature will eventually be dropped. You can find a list of planned changes for Gnome overall <a href="http://live.gnome.org/RoadMap">here</a> and a separate list for each Gnome application <a href="http://live.gnome.org/RoadMap/Modules">here</a>.</p>
<h2>KVM NIC Hotplug</h2>
<p>This feature adds support for hot plugging KVM network interfaces. Having to restart every time you want to add a host to a new network, or give it another interface to load balance over can be a royal pain. Adding a new device simply involves creating a new TAP device and passing its file descriptor to QEMU. Some changes to SELinux will be required but that&#8217;s about it.</p>
<h2>KVM qcow2 Performance</h2>
<p>qcow2 is a disk format for QEMU. Currently though it has poor performance when used without an in-memory write cache. Unfortunately, storing writes in memory means that in the event of a system crash they may not get written to the physical disk. This feature focuses on improving performance so that administrators don&#8217;t feel the need to choose between performance and data safety.</p>
<h2>KVM Huge Page Backed Memory</h2>
<p>Normally on an x86 CPU the page size would be 4 kilobytes, but the Linux kernel has the ability to use huge page sizes. To find out what size a huge page is on your system type &#8216;cat /proc/meminfo | grep Hugepagesize:&#8217;. On my x86_64 system this is 2048 Kb. Large pages require less memory for page tables, which increases performance.</p>
<h2>KVM Stable Guest ABI</h2>
<p>When QEMU is upgraded some of the devices it emulates may change, for example it may support new network cards or different hard drive controllers. These upgrades are equivalent to upgrading the hardware the guest runs on. Unfortunately if Windows detects that hardware has changed it requests activation. Reactivating all your Windows guests every time you upgrade QEMU can become very tiresome. This feature is about providing stable hardware to each guest, and only upgrading at the request of the administrator.</p>
<h2>libguestfs</h2>
<p>Libguestfs allows you to easily access any filesystem that can be accessed by your qemu virtual machines. It borrows code from the Linux kernel and qemu. This saves application developers from using complicated loopback mounts and LVM (of which there is another feature to improve).</p>
<h2>Lower Process Capabilities</h2>
<p>The DAC_OVERRIDE capability allows a process to override any file permissions that may be set. If we can remove the DAC_OVERRIDE permission from system daemons then they will become a less attractive target for exploitation. If the filesystem permissions are set in such a way as to protect the files even better (such as 0000 permissions on /etc/shadow and 005 on /bin) then attacking a program with root privileges will be even less attractive. This feature is about dropping DAC_OVERRIDE from some system daemons and modifying file permissions system wide.</p>
<h2>NetBeans 6.7</h2>
<p>Fedora has always been up to date with the latest cutting edge software. Currently NetBeans 6.5 is in Fedora 11. The plan is to move to NetBeans 6.7 to take advantage of the <a href="http://www.netbeans.org/community/releases/67/relnotes.html#new">new features</a>.</p>
<h2>Ovirt Node</h2>
<p>Ovirt node is a host installation of Fedora that is extremely lightweight. The only items included are utilities to run and manage virtual machines and their dependencies. This takes much less memory, disk and CPU for the host, leaving more memory available to the guests and increasing the number of virtual machines you can run on any host.</p>
<h2>Open Shared Root</h2>
<p>This feature is extremely interesting to me because as part of my work I manage several High Performance Clusters. This feature is about having multiple Fedora systems all boot off the same root filesystem. This way people who manage a large number of systems can make one completely stateless image that they all boot off.</p>
<h2>Power Management F12</h2>
<p>A sneak addition to Fedora 11 was tuned, so sneaky I only discovered it recently. It allows the system to tune its settings on the fly. For example on my laptop when there is little filesystem activity it can tune the commit interval so it only has to spin up the HD on rare occasions. It has a plugin architecture so it could also tune the network card to 10Mbits when it is hardly being used, or turn off the wireless network card when it isn&#8217;t required. This feature involves merging tuned and Red Hat&#8217;s ktune in order to automatically tune the power usage of your PC.</p>
<h2>SystemTap Eclipse GUI</h2>
<p>There is currently a focus on making SystemTap easier to use. Currently SystemTap only has a command-line interface, and while there is a vim syntax highlighter it isn&#8217;t installed by default. This effectively means there is no IDE for developing SystemTap scripts. Eclipse is a visual editor for writing many types of applications. SystemTap will no doubt benefit from Eclipse integration; maybe we&#8217;ll even see automatically generated SystemTap scripts.</p>
<h2>Systemtap Tracing Refresh</h2>
<p><a name="SystemTapTracingRefresh"></a>Originally a feature was proposed for Fedora 12 titled &#8216;SystemTap Static probes&#8217;, but the work required for this feature to become a reality hasn&#8217;t been finished yet. So that feature has been retargeted for Fedora 13. Instead this feature will focus on documenting and streamlining the SystemTap tools to provide a better user experience. The work going into this feature also enables the &#8216;SystemTap Static probes&#8217; for the next version of Fedora.</p>
<h2>Rakudo Perl 6</h2>
<p>Rakudo is an implementation of the Perl 6 specification under the Parrot Virtual Machine. There are currently many implementations of Perl 6 but this one clearly separates the compiler and the runtime and it&#8217;s more actively maintained than the rest. This feature allows Fedora to stay at the cutting edge of technology.</p>
<h2><a title="Features/Thusnelda" href="https://fedoraproject.org/wiki/Features/Thusnelda"> </a>Thusnelda</h2>
<p>Thusnelda is the name of the new Theora encoder. As of the libtheora 1.1 release it is now the chosen encoder for Theora video. Thusnelda&#8217;s development was supported by Red Hat, Wikimedia and Mozilla. It should be noted that mplayer and ffmpeg include their own implementation for Theora encoders so this feature will not include those applications that rely on them.</p>
<h2>Virtual Network Interface Management</h2>
<p>Linux allows some very complicated setups for networking, for instance you can bond multiple physical interfaces for increased throughput or reliability, you can set an interface to tag VLANs and many more. None of these configurations are easy, and NetworkManager has even made some harder. This feature is especially important when guest machines are involved because they can involve some interesting network setups. This feature will introduce a netcf library to allow the easy configuration of complicated network setups. Netcf will not be integrated with NetworkManager in this release of Fedora, but these features will be designed with future integration in mind.</p>
<h2>NFSv4Default</h2>
<p>Simply put, this feature is about changing the default NFS protocol for Fedora 12 to NFSv4. NFSv4 includes many improvements over its predecessors but most importantly it uses less traffic to perform the same tasks.</p>
<h2>PackageKitBrowserPlugin</h2>
<p>Let&#8217;s say I&#8217;m writing a blog post that explains how to get SystemTap working on your system. I&#8217;d have to tell you what packages you&#8217;d need to install in order to get it working. Rather than give you a bunch of yum commands to run, wouldn&#8217;t it be cool if you just clicked a button on my site? That&#8217;s basically what is involved in this feature; it means I can add a button which will prompt you to install the features I&#8217;ve told it to.</p>
<h2>PackageKitCommandNotFound</h2>
<p>Ever typed mplayer into a terminal only to find out it isn&#8217;t installed yet? This integrates into bash&#8217;s command not found message to help you find the program you were looking for. Now instead of bash saying command not found when you type iotop for the first time it will prompt you to install it.</p>
<h2>SR-IOV</h2>
<p>Using QEMU you can assign PCI devices directly to guest machines, but previously this would stop the host from using the device, and it would only be available on the one guest. This feature is about allowing multiple guests and the host to simultaneously access one PCI device. This requires driver support so that the machines can be organised and coordinated to prevent mishaps and errors.</p>
<h2>Virt Privileges</h2>
<p>This feature allows running QEMU as a non root user. Running with these lower privileges limits the damage that can be done by particular vulnerabilities. Another advantage is that you can have a much better integration with a user&#8217;s desktop. The guest machine will be able to use that user&#8217;s sound server, put disk images in that user&#8217;s home directories and generally integrate with the desktop better.</p>
<h2>VirtioSerial</h2>
<p>This feature will create an interface between the userspace on the guest and the userspace on the host. This interface will consist of simple character devices that will be able to alert the guest to window size changes, or transfer copy/paste data bidirectionally.</p>
<h2>VirtgPXE</h2>
<p>Every time Red Hat fix a bug in etherboot and send a patch upstream they get the response &#8220;we currently do not support etherboot, can you use gpxe instead?&#8221;. At the moment gpxe is included in Fedora but is not used by QEMU. The plan for this feature is to deprecate etherboot and move towards gpxe.</p>
<h2>Virt Storage Management</h2>
<p>At the moment if you want a guest machine to use a SAN for storage you&#8217;ll have to set it up manually. This feature plans to make it easier to configure by allowing machines to auto-detect and configure the SAN for the virtual machine.</p>
<h2>XI2</h2>
<p>XInput2 is a major enhancement over XInput1.5. It opens up X to some very interesting possibilities, for example I could have two keyboards and mice attached to my desktop allowing both me and another person to use two applications on the same screen simultaneously. I could copy something to the clipboard and they could paste it. I could drag a picture into their document from my image editor and so on. Somewhat less exciting is support for 32bit keycodes, instead of 255 allowing even more multimedia keys, support for devices that modify the amount of buttons they have at runtime and so on.</p>
<h2>YumLangpackPlugin</h2>
<p>Fedora is available in many different languages, but finding and installing the correct langpacks to get the language you want can be very difficult. This feature lets yum find and install the correct langpacks when the base langpack is installed. This makes Fedora much more accessible to people who speak languages other than English.</p>
<h1>Dropped Features</h1>
<h2>Debuginfo filesystem</h2>
<p>Dropped due to a lack of status updates</p>
<h2>Multiseat</h2>
<p>Dropped due to a lack of status updates</p>
<h2>SystemTap Static probes</h2>
<p>See the <a href="#SystemTapTracingRefresh">SystemTap Tracing Refresh</a>.</p>
<p><strong>Random Thought:</strong> I just wrote a 2446 word post about Fedora&#8217;s features and you expect me to be able to think afterwards? I&#8217;m too tired to think!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.danielhall.me/2009/08/fedora-12-constantine-features/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

