SELinux talk at RVaLUG – 20140419

This morning I gave what was a pretty well-received talk about SELinux. We got into the important definitions and pretty down deep into how type enforcement works. Lots of practical examples and fun stuff.

Of course why spend hours coming up with a new slide deck when you can borrow from amazing work done by co-workers. :)

The slide deck I used was a slightly modified deck used (last I know of) for a Red Hat TAM Webinar last April. It also came with a set of lab questions that we didn’t have time to go through today.

And of course, there is the SELinux Coloring Book.

The talk was long for a LUG meeting (right around 90 minutes plus a little follow-up), but the interaction was great and I think we had some good communication going.



Healthcare and Insurance – My Snapshot

Last May I got sick. Like for real sick; for the first time in my life. I had what was apparently a massive blood clot that was impeding the functioning of both of my lungs. The official term is a ‘bi-cameral (sp?) pulmonary embolism’. In reality it meant that if I walked 50 feet I would pass out, have what looked like a seizure and start throwing up all over myself in the emergency room while my wife is screaming. I still owe that security guard a firm handshake and a bottle of his drink of choice. I liken it to getting hit by lightning. It came out of nowhere and laid me completely low in the span of 2 hours. There was no discernible warning and a root cause was never determined.

(Photo: getting crafty with my hospital stay)

Last October I was tapped by my company to help work on You might have heard of it. The initial launch didn’t go so well. But it made a pretty strong comeback here recently. It even managed to make some of the major news outlets.
  • Business Insider
  • CBS News

Today I logged into my insurance company’s website to get some information, and I started looking at the claims filed for me in the past year out of morbid curiosity. This would cover the time I was actually in the hospital, the 6 months of follow-ups, and the maintenance for a condition I’d known about for a while but didn’t start addressing until I got sick (sleep apnea).

In the past 365 days, my insurance has been billed $47,752.13.
In the past 365 days, I have owed $768.09 for those billings.

My insurance has covered 98.4% of my medical bills in the past year.

The lessons I’ve learned today:

  1. If I didn’t have health insurance I would be bankrupt.
  2. I’ve never felt more contempt for people fighting insurance and healthcare reform in the United States.
  3. If you don’t have health insurance, I am truly fearful for you on multiple levels.
  4. I’ve never been more proud to have contributed professionally to something than the work I did during the last quarter of 2013 with the people working on

kpatch – my kneejerk reaction

Oracle gobbled up a company called KSplice 50 ITYA (IT Years Ago – or July 2011). They then shoe-horned it into their downstream clone of RHEL so people could slip in kernel upgrades without rebooting systems sort of like how magicians yank table cloths out from under dishes on a table. It’s scary on any number of levels.

Now there is a new-ish project called kpatch that has the backing of Red Hat (full disclosure – I work for Shadowman). I’ve only had a little time to look at the incomplete documentation on how it works. That said, it looks to be a huge step forward over ksplice. From its Red Hat Blog announcement:

With respect to granularity, kpatch works at the function level; put simply, old functions are replaced with new ones. It has four main components:

  • kpatch-build: a collection of tools which convert a source diff patch to a hot patch module. They work by compiling the kernel both with and without the source patch, comparing the binaries, and generating a hot patch module which includes new binary versions of the functions to be replaced.
  • hot patch module: a kernel module (.ko file) which includes the replacement functions and metadata about the original functions.
  • kpatch core module: a kernel module (.ko file) which provides an interface for the hot patch modules to register new functions for replacement.  It uses the kernel ftrace subsystem to hook into the original function’s mcount call instruction, so that a call to the original function is redirected to the replacement function.
  • kpatch utility: a command-line tool which allows a user to manage a collection of hot patch modules.  One or more hot patch modules may be configured to load at boot time, so that a system can remain patched even after a reboot into the same version of the kernel.

That’s way cooler than just doing some fancy RAM voodoo and slipping new kernels in like ksplice.
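To make the quoted description concrete, here is a user-space analogy of the mechanism. This is an added example, not kpatch code, and it loads no kernel module: each patchable function starts with an entry hook that plays the role of the ftrace/mcount hook, a small registry plays the kpatch core module, and a replacement function with a metadata record plays a hot patch module. The function names (copy_field, kp_register and so on) and the off-by-one bug being fixed are constructed for the illustration; the compile-and-diff step that kpatch-build performs is not modelled, the replacement is simply written by hand.

```c
/*
 * User-space analogy of kpatch's function-level hot patching. Added example,
 * not kpatch code; no kernel module is involved. KP_ENTRY stands in for the
 * ftrace/mcount hook at each function entry, the registry for the kpatch core
 * module, and copy_field_fixed plus its metadata for a hot patch module.
 */
#include <string.h>

typedef void (*kp_fn)(void);                        /* generic function pointer */
#define MAX_PATCHES 8
static struct { const char *func; kp_fn repl; } registry[MAX_PATCHES];

/* Core: replacement currently registered for func, or NULL if unpatched. */
static kp_fn kp_lookup(const char *func)
{
    for (int i = 0; i < MAX_PATCHES && registry[i].func; i++)
        if (strcmp(registry[i].func, func) == 0)
            return registry[i].repl;
    return NULL;
}

/* Core: redirect func to repl. Names are never removed, only the redirect
 * is cleared, so used slots stay contiguous and the first empty slot means
 * "no entry for this name yet". Returns -1 when the table is full. */
static int kp_register(const char *func, kp_fn repl)
{
    for (int i = 0; i < MAX_PATCHES; i++)
        if (!registry[i].func || strcmp(registry[i].func, func) == 0) {
            registry[i].func = func;
            registry[i].repl = repl;
            return 0;
        }
    return -1;
}

/* Core: clear the redirect so the original body runs again. */
static void kp_unregister(const char *func)
{
    for (int i = 0; i < MAX_PATCHES && registry[i].func; i++)
        if (strcmp(registry[i].func, func) == 0)
            registry[i].repl = NULL;
}

/* Entry hook: if a replacement is registered, forward the call with the same
 * arguments and skip the original body. Nothing at the call sites changes. */
#define KP_ENTRY(fn, ...)                                   \
    do {                                                    \
        kp_fn _r = kp_lookup(#fn);                          \
        if (_r)                                             \
            return ((__typeof__(&fn))_r)(__VA_ARGS__);      \
    } while (0)

/* "Kernel" function with a constructed bug: the check is n > out_sz, so
 * n == out_sz passes and the NUL is written one byte past the end of out. */
int copy_field(const char *src, size_t n, char *out, size_t out_sz)
{
    KP_ENTRY(copy_field, src, n, out, out_sz);
    if (n > strlen(src) || n > out_sz)
        return -1;
    memcpy(out, src, n);
    out[n] = '\0';
    return (int)n;
}

/* Hot patch module: a replacement with the same signature and the corrected
 * check, plus the metadata a module carries (which function it replaces). */
static int copy_field_fixed(const char *src, size_t n, char *out, size_t out_sz)
{
    if (n > strlen(src) || n >= out_sz)             /* leave room for the NUL */
        return -1;
    memcpy(out, src, n);
    out[n] = '\0';
    return (int)n;
}
static const struct { const char *target; kp_fn replacement; } copy_field_fix =
    { "copy_field", (kp_fn)copy_field_fixed };

/* Lifecycle check from an unmodified caller: an 8-byte message into an
 * 8-byte buffer followed by one sentinel byte. Returns 1 if the buggy,
 * patched and reverted stages each behaved as the comments say. */
int kp_demo(void)
{
    const char *msg = "ABCDEFGH";                   /* constructed input */
    char buf[9];
    memset(buf, 'X', sizeof buf);
    int before = copy_field(msg, 8, buf, 8);        /* buggy: 8, clobbers buf[8] */
    int overran = (buf[8] == '\0');

    if (kp_register(copy_field_fix.target, copy_field_fix.replacement) != 0)
        return 0;
    memset(buf, 'X', sizeof buf);
    int during = copy_field(msg, 8, buf, 8);        /* patched: -1, buf[8] intact */
    int intact = (buf[8] == 'X');

    kp_unregister(copy_field_fix.target);
    memset(buf, 'X', sizeof buf);
    int after = copy_field(msg, 8, buf, 8);         /* original body again */

    return before == 8 && overran && during == -1 && intact && after == 8;
}
```

The point to take from it is the one the quote makes: the callers are never touched, the redirect happens at the callee’s entry, and clearing the redirect brings the original body back. It also shows the limit of working at the function level: what gets swapped is code with an identical signature, so a fix that changes a data structure or its initialization is not something this style of patch can express.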

But I still don’t see where it has a place on a company’s production server or in their security plans.

I believe that if a system cannot sustain the reboot of a single instance of Linux (physical or virtual) then there is a serious flaw in its architecture. To further that, I think something like kpatch could end up being a strong crutch to bad architects out there, allowing them to keep working in this flawed manner.

I know that my crazy idealism doesn’t represent the current reality everywhere (or almost anywhere). But if this is the only justification for its existence then I think we could have and should be using our cycles better somewhere else.

More details as I discover them.

Managing Purpose as much as Procedure

There are thousands of apps and books and philosophies out in the world designed to help people prioritize their work day and get more done. Searching for ‘productivity books’ on Amazon provides 38,699 results. It is an entire industry, and a very lucrative one. What doesn’t seem to be an industry is managing the purpose behind all of those beautifully organized tasks. I think that is just as important as the task itself, if not more so.

It sounds obvious, I know. Of course you should think about why you are doing the things that you have been tasked to complete. But I have seen so many examples of people not truly doing that exact thing that I don’t think it is given a lot of thought by professionals.

The definition of ‘why’ is the biggest problem. Most people report to someone else in their company; we all have a boss. From that boss we are given our share of the company’s picture and asked to perform our task to further the company’s agenda. That is awesome, and I’m all for it. A company certainly thinks through why it is doing something. The successful companies think it through, at least. Unfortunately, ‘because the company said so and I don’t want to get griped at (or worse)’ isn’t a justification that will easily help you move your career forward.

‘Why are YOU performing that task?’ is a better question to ask. Unless you are 100% satisfied and happy in your current position and have no desire to grow or move on, you should be performing that task to move forward in your career as well as to help your company realize its goals. Moving forward in your career requires expanding your skills and experiences so you can take on more responsibility and handle larger issues.

Again, it sounds like a no-brainer, but how often do you truly ask yourself that question:

How is this task on my [calendar/TODO list/productivity app/sticky note] helping me move forward toward a defined goal that I have set for myself?

Sometimes it’s obvious how it aligns to your goals. Conferences, training, chances to present to others and the like are easily identified as contributing to anyone’s toolbox. But the devil is in the details. Looking through my daily TODO list (currently kept in Evernote, but that changes all the time because I’m hooked on productivity apps), I can honestly say that I can align all of my daily tasks to a goal that moves me forward in my career.

Having that knowledge is powerful. Once you are consciously aware of how a task can help you move forward, you can take full advantage of the opportunity to hone those skill(s). Over time, this change in philosophy can help turbo-charge your career path. I have driven co-workers and supervisors to the edge of insanity asking these questions over the years. But I can say that this philosophy, which is what it is more than anything else I think, has helped push my career forward faster than most people I got started in IT with 7 years ago (for the record, I was 29 years old when I started my first IT gig).

I firmly believe that there is almost no such thing as ‘busywork’. If it doesn’t align with your goals in some way, then you probably aren’t the right person to be doing it or maybe it’s time to start the old job search again. 

a humble take on the Red Hat and CentOS agreement

The news is everywhere. Red Hat’s community website has a good summary of it at As soon as the announcement came out that Red Hat was going to step in and help the CentOS project with day jobs and some semblance of project management the interwebs were ablaze with opinions. They ranged from “wow!” to typical conspiracy theory nonsense (I can say on good authority that Red Hat Tower does NOT contain a secret control room from which Red Hat is trying to overtake the FOSS world).

This is NOT at Red Hat Tower, but there is air hockey and cookies.

After talking it over with a lot of the IT folks that I know (mostly the less conspiracy theory-ish ones), here is my take on what’s going on with this whole cooperative effort.

  1. Cooperation between Red Hat and CentOS is not new. Red Hat intentionally makes it not-so-hard to legally de-brand all of the trademarked stuff inside the source code that we distribute for RHEL.
  2. The CentOS core team is small. I mean 6 people small. The community is obviously much larger, and the QA team has a lot of influence. And those 6 people have day jobs. So any real expansion of the CentOS project would take multiple extra hours in the day for these people to actually get it done.
  3. Red Hat is helping out with #2. Helping with the web site and some project management / governance (and of course daytime salaries).

Number 3 draws the inference that the CentOS team wants to make at least some sort of change in how CentOS operates. That would make sense, given the incredible speed at which projects like Openstack are developing.

*Just in case you didn’t know*

For Openstack to work properly, a very (very) upstream kernel has to be used. Rebuilding a new kernel from source takes new build environments and QA processes and infrastructure and time and effort and money. Before this agreement, the CentOS team didn’t have that kind of time because they were up nights with bug and security fixes coming in all the time.

So CentOS couldn’t build an Openstack release prior to this agreement (IMHO).

*Downstream Innovation – What I think is happening*

Right now innovation is hard with RHEL. Customers use it for… you know… production stuff.  That’s not to say it doesn’t happen. I see innovation in Enterprise Linux everyday.

But with this agreement, there is now a project full of people working full time every day on making Enterprise Linux more innovative. I think it’s a win for the entire Open Source Community.

Above All, Be your Best and Solve Problems

I don’t often talk about my career path, mostly because it was a massive pain for me and my family.  While I’m approaching the point I want to be at for this time in my life (I think), I had to do it in an abbreviated time span. I’ve been in IT for a total of 7 years, and I’m 35.

I saw an article on LinkedIn, here, earlier tonight. I’m sure J.T. O’Donnel is a good career coach, but I just can’t agree with her idea that a ‘jack-of-all-trades’ is not able to be hired in today’s IT market.

Generalists are invaluable. They are the glue that binds together the troubleshooting and investigative processes. For reasons passing understanding, businesses don’t want to do away with knowledge silos all the time. That’s when you need a generalist to bridge the gaps. Of course you have to have specialists, but that’s not all you need.

Instead of fretting about proving a specialty, spend your time in excelling at the problems presented to you and growing your experience both in depth and breadth.

Oh, and work harder than everyone around you. ;)


Why I still use Fedora after 8 years

This post showed up on my Twitter feed recently, and I felt compelled to talk about it (outside of its horrible grammar, but I’m not sure if it’s a translated document or not). It picks out 12 Linux distributions, calls them the ‘top 12’, and then says little to nothing about how or why they are different. Its review of Fedora (which it ranked at #3):

Fedora: If you want an advanced version of Linux, go for Fedora. Even those, looking for pure take on GNOME 3, opt for Fedora.

Huh? You can install Gnome 3 on any ‘upstream’ Linux Distribution. That’s sorta’ what makes Linux… you know… Linux.

I’m paid to be an ‘expert’ on Red Hat Enterprise Linux, so I’d have to charge for that milkshake. But I’ve been using Fedora since way way back when, with virtually no deviation. So I’ve decided to try to give my own personal logic for using Fedora as my daily work operating system.

  • I trust the community will be there next week – The world is littered with dead and dying Linux distros. I don’t want to find a bug or run into a brain-cramping issue with my primary workstation only to see an empty IRC channel and no activity on the support mailing list.  Fedora is the upstream testbed for Red Hat Enterprise Linux. I trust that company with my retirement plan, so I feel OK trusting their upstream community with issues when I can’t figure them out*
  • It’s pretty edgy – Fedora runs pretty close to the latest available for most everything. Their latest production kernel is 3.12.6-300, and the latest stable from is 3.12.7. Certainly not the only distro that does this, but I like that it’s among them.
  • The community walks the walk – Everything the Fedora community does is open. The community keeps it all in a myriad collection of ticketing systems and wikis. It’s not always the easiest stuff in the world to find, but it’s all out there in the open. You can’t say that about all of the other large upstream distros. I like it enough that I am a (very inactive) Fedora Ambassador.
  • It’s Easy – The distribution’s tools work well (within reason). I went from Fedora 14 through Fedora 18 before deciding to reformat the filesystem before upgrading to Fedora 19. This past week I used the included fedup tool to upgrade to Fedora 20. The process was totally seamless. The only thing I lost was the orientation setting on the one monitor I keep vertical on my laptop docking station. I still believe that you have to WANT to use Linux as your everyday workstation. If you do, then it can be a 100% replacement. And if you do, Fedora makes it about as easy and as powerful as it can be.

* – believe it or not, I have almost 0% special insight into the wide world of Fedora from my job at Red Hat. :(

Random Geekery
