OpenStack is an orchestration system for setting up virtual machines and other associated virtual resources such as networks and storage on clusters of computers. At a high level, OpenStack is just configuring existing facilities of the host operating system — there isn’t really a lot of difference between OpenStack and a room full of system admins frantically resolving tickets requesting virtual machines be set up. The only real difference is scale and predictability.
To do its job, OpenStack needs to be able to manipulate parts of the operating system which are normally reserved for administrative users. This talk is the story of how OpenStack has done that thing over time, what we learnt along the way, and what I’d do differently if I had my time again. Lots of systems need to do these things, so even if you never use OpenStack hopefully there are things to be learnt here.
You’ve decided that using sudo to run command lines as root is lame and that it is time to step up and do things properly. How do you do that? Well, here’s a simple guide to adding oslo privsep to your project!
Once you’ve added oslo privsep to your project, how do you make a privileged call? It’s actually really easy to do. In this post I will assume you already have privsep running for your project, which at the time of writing limits you to OpenStack Nova in the OpenStack universe.
Erik comments on security advisories based on a brief examination of the ChangeLog. I had a similar experience in July 2007 — at one point the US government issued a unified warning in my case. It seems a bit worrying that the best that security advisory companies can do is sensationalize ChangeLog entries, instead of actually acting in the interests of the users.
Many of the US forms you will have to fill out when you move will ask for an address. Use your work address until you have a permanent place.
A good example is opening your first bank account. The only possible problem with using your work address for your bank account is that some people will compare the shipping address of your online order with the billing address and complain, but you can always change the address you have recorded with the bank once you have a more permanent address.
Opening a bank account without an SSN can be exciting too (it seems to be the primary key for a lot of tables over here, you can’t get paid without one, get health insurance without one, get some cell phone accounts without one, and so forth). Bank of America did the right thing and let me open an account though, and don’t suck too much. Citibank is ok as well, although they seem to suck more for general banking than Bank of America. More on Citibank in a future post about getting money back to Australia.
This is kind of a big deal. Cryptographic hash functions are used in a lot of computer science circles to take a large document and turn it into a relatively small description of the document. The transformation has a couple of interesting properties:
It’s one way — which means that I can know that I have your document, without checking the contents. There are secure file systems out there that, when you give them a file, give you back the ID for the file, and that’s how you access it in the future. Don’t know the ID? You can’t possibly have seen the file.
They’re meant to be unique — you can’t possibly have no overlap between bazillions of documents and the comparatively few IDs available, but it’s meant to be very hard to get two documents with the same ID. This is commonly used for CD downloads for instance where people want to be sure that you got the file intended completely, or to make sure that you’re not storing information twice. EMC for instance has an email storage system which only saves an email if the MD5 ID is new, otherwise it must be a duplicate.