Welcome to the first issue of The SUSE Insider, a quarterly technical journal exclusively for SUSE customers. Our mission is to help ensure that you have the resources and know-how to get the most out of your SUSE Linux Enterprise environment, improve the efficiency of your data center, leverage new open source innovation like cloud computing and make your job easier. We hope you will enjoy, and benefit from, our articles!
Security That Helps You Sleep at Night:
SUSE Linux Enterprise 11 SP3
By Craig Gardner, BuildService Software Engineer, SUSE
Craig Gardner enjoys working at SUSE as a software engineer. A longtime open source advocate and Linux savant, Craig keeps SUSE systems secure with open source tools. Prior to working at SUSE, Craig worked at Novell® where he managed the release of maintenance updates for Novell Open Enterprise Server and served as a member of the Security Review Board.
Face it. Security simply isn't easy. When you think of computer system security, no doubt unpleasant images come to mind. Although the only activity that makes a server 100% secure is to unplug the keyboard and disconnect the network, your system security doesn't have to be entirely unpleasant. We design SUSE Linux Enterprise products to help you to sleep a little easier.
As my good friend and SUSE security author Roman Drahtmueller is fond of saying, “Quality software does what it's designed to do. Secure software does nothing else.” That's a tall order, but the axiom is true. Surely there are going to be bugs in any software. However, one of the key, virtuous attributes of Linux and the open source packages that make up SUSE Linux Enterprise is the large number of passionate engineers with extensive depth of experience who work virtually non-stop to ensure that Linux is of the highest quality. As Katherine Noyes of PCWorld recently reported, “Coverity's 2012 Coverity Scan Open Source Report, which was released May 7, 2013, concludes that 'Linux remains the benchmark for quality'.”
Moreover, those same engineers are just as passionate about making Linux secure. SUSE has a top-notch team which keeps a close, vigilant eye on security vulnerabilities, providing customers with maintenance updates efficiently and promptly. The SUSE Security Team works closely with the community and with CVE Numbering Authorities (CNAs) to ensure that SUSE delivers patches to keep customer systems secure. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known vulnerabilities and exposures. It is used by the Security Content Automation Protocol (SCAP), a method for using specific standards to automate vulnerability management, measurement and policy compliance evaluation (e.g., FISMA compliance).
This means that one of the most effective ways of keeping your systems running as designed and running securely is to download and install maintenance updates as soon as they're available. For many customers this is not so easy, due to narrow and infrequent maintenance windows and policies, but to the extent that you're able, applying maintenance updates on time, particularly security updates, will reduce your risk.
SUSE Linux Enterprise 11 SP3 provides you with a number of updates that should likewise make you feel ever more confident that your servers can repel even the most heinous of hackers. Here's a small list of examples that SP3 provides:
- opencryptoki 2.4.2. This updated version has an IBM CCA (Common Cryptographic Architecture) token that exploits the SHA-256 hash algorithm provided by IBM System z crypto hardware. Previously only the SHA-1 family was supported. Speaking of crypto hardware, SUSE has implemented a great new feature that allows the kernel to use the crypto express card (or conceptually any other crypto hardware that is unrelated to System z) for random number generation on /dev/random. This is a feature which is exclusively available in SUSE Linux Enterprise that improves the "randomness" of random number generators.
- OpenSSH version 6.2p2. This is the very latest version. Unlike the version in SP2, 6.2 ignores .ssh/authorized_keys2 for new installations and allows using custom AuthorizedKeys settings. This gives system administrators greater flexibility in customizing security practices to fit their organization’s policies. Customized AuthorizedKeys settings make it harder for an attacker to compromise the server by hiding authorized keys in more unpredictable places and by making it much harder for an attacker to insert his own keys.
- OpenSCAP. This is also a key security feature included with SUSE Linux Enterprise. It's a set of open source libraries providing a path for integration of SCAP (Security Content Automation Protocol). SCAP is a collection of standards and templates managed by the National Institute of Standards and Technology (NIST). This provides an extensive framework for defending against system exploits and is manageable from SUSE Manager.
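The OpenSSH item above turns on which key files sshd actually reads for each user. The audit script below is an added example, not code from SUSE or from the original article; it assumes the sshd_config directive AuthorizedKeysFile (the article says only "AuthorizedKeys settings"), and the sample directory tree and config files it builds are constructed.

```shell
#!/bin/sh
# Added example: report which per-user key files sshd honours.
# Assumptions: only the global section of sshd_config is read (parsing stops
# at the first Match block), "Keyword value" syntax, no whitespace in paths.

# Print the AuthorizedKeysFile patterns; the first occurrence wins. If the
# directive is absent, fall back to upstream OpenSSH's documented default.
effective_patterns() {  # $1 = sshd_config path
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == "authorizedkeysfile" {
            $1 = ""; sub(/^[ \t]+/, ""); print; found = 1; exit
        }
        END { if (!found) print ".ssh/authorized_keys .ssh/authorized_keys2" }
    ' "$1"
}

# Expand one pattern: %h = home directory, %u = user name, %% = literal %.
# A relative result is resolved against the home directory.
expand_pattern() {  # $1 = pattern, $2 = user, $3 = home
    awk -v p="$1" -v u="$2" -v h="$3" 'BEGIN {
        out = ""
        while ((i = index(p, "%")) > 0) {
            c = substr(p, i + 1, 1)
            if (c == "h") rep = h
            else if (c == "u") rep = u
            else if (c == "%") rep = "%"
            else rep = "%" c
            out = out substr(p, 1, i - 1) rep
            p = substr(p, i + 2)
        }
        out = out p
        if (out !~ /^\//) out = h "/" out
        print out
    }'
}

# For every home directory under $2, label each .ssh/authorized_keys* file
# HONOURED (sshd reads it) or IGNORED (sshd does not read it).
audit_keys() {  # $1 = sshd_config path, $2 = directory holding home dirs
    patterns=$(effective_patterns "$1")
    for home in "$2"/*; do
        [ -d "$home/.ssh" ] || continue
        user=${home##*/}
        honoured=""
        for pat in $patterns; do
            honoured="$honoured $(expand_pattern "$pat" "$user" "$home")"
        done
        for f in "$home"/.ssh/authorized_keys*; do
            [ -f "$f" ] || continue
            state=IGNORED
            for hf in $honoured; do
                if [ "$hf" = "$f" ]; then state=HONOURED; fi
            done
            printf '%s %s\n' "$state" "$f"
        done
    done
}

# Build a constructed sample tree (two users, two configs); print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/home/alice/.ssh" "$d/home/bob/.ssh"
    : > "$d/home/alice/.ssh/authorized_keys"
    : > "$d/home/alice/.ssh/authorized_keys2"
    : > "$d/home/bob/.ssh/authorized_keys2"
    printf 'AuthorizedKeysFile .ssh/authorized_keys\n' > "$d/sshd_single"
    : > "$d/sshd_unset"   # directive absent
    printf '%s\n' "$d"
}

s=$(make_sample)
echo "explicit single key file:"; audit_keys "$s/sshd_single" "$s/home"
echo "directive unset:";          audit_keys "$s/sshd_unset" "$s/home"
rm -rf "$s"
```

On a real host the home directories would come from the account database rather than a directory listing, and any HONOURED authorized_keys2 file is worth reviewing, since administrators rarely look there when revoking a key.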
You can find more information about SUSE Linux Enterprise 11 SP3 security features from the online release notes.
Although the practice of securing your servers requires good planning and discipline, SUSE Linux Enterprise provides you with the tools and processes you need to defend against growing threats. Overconfidence is imprudent, but having the right tools and capabilities is just what you need to give you a restful night of sleep.
SUSE Spotlight: DevOps—
A Conversation with James Tan
James Tan is a software engineer at SUSE where he is Team Lead for SUSE Studio™ Online. More of his thoughts on DevOps and related popular tools (Puppet and Chef) can be found online and in slides.
What is DevOps?
In a nutshell, DevOps to me is all about getting the software development, IT/web operations and QA teams working as one. There are many resources online that explain in-depth what it entails (for example, Wikipedia), so I won't repeat them here.
One of the key concepts is treating infrastructure as code. When done right, it ensures the ability to scale and update test and production systems quickly, repeatedly and reliably. Another valuable outcome is the ability to deploy code (for example, features and bug fixes) quickly and transparently to users.
How does DevOps affect or change the job of a developer? What are the pros and cons?
With the DevOps model, developers/programmers are much more closely involved with QA and IT operations, often even taking over some parts of these responsibilities.
The pros are:
- Developers have a better overview of the entire software development and IT operations life cycle.
- With the improved visibility into these other areas, developers are able to help streamline and improve the processes there, reducing the impedance mismatch.
- Developers expand their knowledge and skill sets.
- Developers can (and should) use the same code path to deploy their development, QA and production systems. This often saves a huge amount of time spent manually setting up systems and debugging them.
- Developers are empowered to make decisions, as well as implement solutions that can directly impact production operations.
The cons include:
- A longer learning curve and increased responsibilities for developers. For example, at Amazon developers are expected to be on-call during rotated weekends and non-office hours to keep an eye on their code that is deployed to production.
- The DevOps model is often misunderstood and sometimes abused to skim or skip over QA and more careful IT operations planning.
How does DevOps affect or change the job of an IT person—pro and con?
I'll split my answer into 2 roles here: system administrators and IT managers. First, for system administrators, the pros of DevOps are:
- More career opportunities as they can now move away from the pure hardware aspects into developing DevOps processes and code if they choose to.
- More industry-standard tools, processes and frameworks for managing systems at scale. This generally means they spend less time doing the mundane and tedious tasks of manually updating systems and their configurations.
But there’s one con for system administrators: a longer learning curve with more tools/frameworks in the picture.
For IT managers, there are 2 pros and 2 cons.
- When done right, the DevOps model will eradicate barriers between the technical teams (for example, development, QA and operations). This allows the team to release features, react to customer requests and bug fixes much more quickly and with less risk.
- The business gains a lot more agility and faster time to market with shorter feedback loops.
- A change in most organizations is never easy, especially at the larger ones. Convincing people and teams to adopt the DevOps model can be difficult.
- The DevOps model is not for everyone. It is best implemented (if coming from a more traditional setup) with a change in the mindset, processes, organization structure and culture. If there's not a good fit or it can't be executed smoothly, it can do more harm than good.
Using your experience as a SUSE Studio developer as an example, tell us how DevOps changed your work on SUSE Studio and what the results were.
SUSE Studio started with a team of developers and gradually added system administrators once we were preparing for the public launch. In a way, we've always been fans of the DevOps model, even before it was trendy.
We started using Puppet pretty early on for managing our infrastructure, and this helped us manage and scale our servers in the data center quickly and efficiently. We also had integrated QA, deployment and operations engineers in our development team, so there's no "throwing it over the wall" mindset from the beginning: we're all on the same team, all aligned with the same goals.
We improved our deployment process over time. At the beginning, we had a time-based release schedule. Every week, the release manager would merge all the code in our master/trunk branch to our staging branch. This was then deployed to our staging servers, and QA would start testing it, with both automated and manual regression tests. Extra attention was paid to new features. Bugs were reported, and developers cherry-picked the fixes into the staging branch. At the end of the week, QA decided if everything was okay to deploy to production. If so, we merged staging to our production branch, and our release manager deployed to susestudio.com. This process worked pretty well, except that batching features and bug fixes together meant that sometimes one blocks the other, when they really shouldn't. It also caused a lot of stress around release day every week, plus a lot of coordination was needed to ensure things went smoothly.
Eventually, we adopted a new, streamlined workflow that empowers developers to make their own judgment calls. All features and bug fixes are done in separate, stand-alone (feature/topic) branches. These can then be deployed to test systems and tested independently by both the developer and QA, as needed. The developer is ultimately responsible for anything that goes wrong. Once satisfied, the developer deploys to production directly. With this model, we have much more frequent deployments, but each with much less change and, therefore, much less risk. Also, the developer monitors production for some time after the deployment, so any unexpected side effects can be handled quickly. With the small change set on each deployment, it's much easier to isolate the errant commits and track down the root cause. This means faster time to market for us, and we can much more quickly resolve user issues, leading to better customer satisfaction.
Developers are also happier as they can see their work in production quickly and iterate the features rapidly according to usage trends and user feedback. System administrators are happier too, as they no longer need to burn much of their time during deployments. And we no longer need a dedicated release manager.
Big Data's Open Future at SUSE
By Peter Linnell, Sales Engineer
Peter is a SUSE engineer located near Silicon Valley. Before joining SUSE he worked on Hadoop for a startup in Silicon Valley. A long-time open source developer, he is also a founder, committer and PMC of Apache Bigtop for Hadoop, as well as Apache Stratos, an emerging cloud technology.
When you read an article mentioning Big Data, your first reaction might be: “Is this another technology hype or something I should learn more about?” We think it's time to get ready. Our customers are using Big Data solutions now to derive new insights and optimize their business processes. We see Big Data as a transformative technology. Indeed, while Big Data roughly describes a set of technologies to derive information from data, it also suggests a way of gaining insights into collected data in new and innovative ways. It is not just new technologies; it changes the way companies work with data and transforms business practices and processes. Underneath all this, the real innovation is deriving useful information from data in its raw form, be it multimedia, social media, web server logs or other unstructured data.
The “big” in Big Data comes from a growing flood of data flowing from a diverse set of sources, mostly from the Internet, but also sensor-equipped machinery, mobile phones and more. Enterprises today are, on average, seeing a doubling of the data they are retaining every eighteen months. Moreover, storing and using this kind of data does not fit well within traditional corporate databases.
In the year since I joined SUSE, we have engaged with the leading Big Data providers to jointly deliver optimized, certified and well-tested solutions our joint clients can rely on. Why have we not just picked 1 or 2 companies? We know there isn't a one-size-fits-all approach that works.
In terms of solutions, to greatly oversimplify, there are four distinct categories:
- Large in-memory solutions―These would include SAP HANA, Teradata's Aster and some newer technology on the horizon. The key benefit of these solutions is providing real-time analysis and decision making. Did you know SUSE Linux Enterprise is the exclusive platform for SAP HANA and Teradata? Also, when I talk to customers, their experiences with in-memory solutions reveal a very high degree of satisfaction.
- Hadoop―The big elephant in your data center. Hadoop, the software with the elephant mascot, is an open source software stack that allows customers to store massive data sets using standard hardware and provides tools on top to extract information. In the Hadoop world, SUSE Linux Enterprise Server is a supported operating system for Cloudera, Hortonworks, Intel and WANdisco Hadoop distributions. Moreover, we collaborate with all these companies to ensure SUSE Linux Enterprise is an optimal platform for Hadoop.
- NoSQL or New SQL―These are new open source database solutions optimized for various kinds of applications. In these ecosystems, we have partnered with 10Gen, the company behind MongoDB, one of the most popular NoSQL solutions.
- Data Visualization―“Dashboards” as I like to call them. These solutions provide detailed visualization of data trends and often have sophisticated tools for queries.
How does SUSE fit into all of this?
First, most of the Big Data ecosystem is open source, like SUSE Linux Enterprise Server. It is in our genes to embrace open source technology.
Second, based on our long-standing leadership in HPC (High Performance Computing), SUSE Linux Enterprise Server is the foundation for some of the largest and most powerful supercomputers in the world. We know SUSE Linux Enterprise Server is a stable, robust and highly scalable platform for Big Data. As I like to say “SUSE has been doing Big Data before we called it Big Data.”
Third, Big Data solutions typically utilize large clusters, and SUSE Manager is the perfect complement for Big Data solutions, scaling up to many thousands of servers. With SUSE Manager, you can have your Big Data cluster updated in a few short hours, not days.
From the SUSE perspective, working with these Big Data solution providers has shown us the rapidly increasing maturity and usability of these solutions. Not too long ago, implementing a Big Data solution required a great deal of in-house talent and engineering resources dedicated to managing Big Data. Early adopters were willing to put up with the complexity and special skills required, as they could see the return. Today, these tools are much more accessible and enterprise-ready with support, training and consulting.
Our portfolio of partners in the Big Data space continues to grow, and you can expect to hear more announcements in the future. We at SUSE are really pleased to be able to help our customers who are looking for Big Data solutions.
If you have questions or want to learn more, contact us at firstname.lastname@example.org
Cloud Corner: SUSE Cloud 2.0 Preview
Enhanced Enterprise Readiness of OpenStack-based Private Cloud Platform
By Peter Chadwick, Senior Product Manager, Cloud Infrastructure
Pete’s responsibilities include comprehensive market and business analysis required to deliver go-to-market strategies for one of our priority business areas – cloud. He has presented at many industry events including LinuxCon, CloudOpen, Open Source Business Conference and Cloud Computing Expo. He is a published author whose work includes the recent 2012 Forbes article “Why Cloud Computing Needs to – and Will – Go Open Source.”
The singular focus in developing SUSE Cloud has been to ensure its enterprise readiness for customer environments. The initial release of SUSE Cloud made enterprise OpenStack a reality by providing commercial support from a proven enterprise vendor and a hardened and secured OpenStack code base integrated with the critical components necessary for easily deploying and managing a private cloud. Among the most important additions to help streamline the set-up of an OpenStack cloud and reduce administrator time were incorporating an installation framework and including SUSE Linux Enterprise Server, a Linux operating system certified to run on all major hardware.
Building on the open source development and broad ecosystem of OpenStack, SUSE Cloud 2.0 (planned for release later this fall) expands the enterprise capabilities of the cloud platform, while enabling customers to maintain investments they have previously made in traditional data center environments.
Advanced cloud technology and broad solution choice in SUSE Cloud 2.0 will help ensure a smooth deployment into customers' data centers.
Some of the highlights of SUSE Cloud 2.0 include:
- Updated OpenStack Version. SUSE Cloud 2.0 will be based on the OpenStack Grizzly release and will include full support for OpenStack Block Storage (Cinder) and OpenStack Networking (Neutron). OpenStack Block Storage provides increased choice by letting organizations provide persistent block storage at the virtual machine level. OpenStack Networking augments network features in SUSE Cloud by delivering networking-as-a-service to enable scalable network management, an API to build rich network topologies and the ability to create advanced network services.
- Improved Installation. Building on the initial version of the installation framework, SUSE has augmented SUSE Cloud 2.0 for even greater scalability through integration with the latest release of the open source deployment framework Crowbar and an updated user interface.
- Additional Hypervisor Choice. The initial release of SUSE Cloud offered support for KVM and Xen hypervisor environments. To enable SUSE customers to maximize their previous technology investments, SUSE Cloud 2.0 continues its mixed-hypervisor approach, adding full support for Microsoft Hyper-V and a technical preview of VMware ESXi.
- Increased Support for Partner Solutions. SUSE Cloud 2.0 includes a technical preview of Ceph and the Ceph Rados Gateway, providing compatible Swift and Amazon S3 (Simple Storage Service) APIs for block storage. Support for Amazon EC2 and S3 APIs helps companies choosing to deploy hybrid clouds by providing easy access to Ceph's fully redundant data storage infrastructure for storing or retrieving any amount of data in the cloud. SUSE is also working with partners such as Coraid, EMC, Inktank and NetApp to give SUSE Cloud users a broad choice of supported block storage plug-ins. And SUSE Cloud Networking is also plug-in enabled, providing customers the extended capabilities offered by Cisco, Midokura, Open vSwitch and VLAN bridging solutions.
Learn more by visiting the SUSE Cloud website.
The Security, Hardware and Software
You Need—SUSE Certifications
By Marjorie Westerman, Editor-in-Chief, SUSE
Marjorie is editor-in-chief of the SUSE News and SUSE Insider newsletters at SUSE.
SUSE works hard to ensure its solutions meet relevant industry standards and are secure and interoperable with a wide range of hardware and software. Here's a snapshot of these certification efforts from January through July 2013.
In March and April 2013, SUSE received 2 important security certifications:
- Common Criteria Certificates at Evaluation Assurance Level EAL4, augmented by ALC_FLR.3 (EAL4+), were awarded to SUSE Linux Enterprise Server 11 SP2 including KVM virtualization and SUSE Linux Enterprise Server for System z 11 SP2. The certificates validate that SUSE develops and maintains these products according to the Common Criteria for Information Technology Security Evaluation, an international standard (ISO/IEC 15408, BSI) for handling sensitive information. The certificates are recognized by 26 countries that have signed the Common Criteria Recognition Arrangement. For more details, click here.
- Federal Information Processing Standard (FIPS) 140-2 certification for the OpenSSL Security Module was awarded to SUSE by the National Institute of Standards and Technology for the first time in April. OpenSSL is one of the fundamental security libraries in the Linux and open source world. FIPS is a standard for US government organizations, as well as global users, that use cryptographic-based security systems to safeguard sensitive or confidential information protected by OpenSSL. Achieving FIPS 140-2 attests that our OpenSSL module has been described, tested and validated for the standard’s 11 requirement areas. The tests confirm that the module behaves as defined and documented if it runs in FIPS mode. Learn ways to run OpenSSL in FIPS mode.
SUSE Says YES to SP3 Running on Leading Hardware
The SUSE YES Certification Program for hardware ensures high levels of compatibility between hardware and SUSE products. This is accomplished through rigorous testing and close work between SUSE and our hardware partners in conducting these tests and supporting YES certified products. YES certification means that your technology assets work optimally with each other.
Because of the importance of certification, from June 2013 through mid-July, SUSE has already said YES to the interoperability of the new SUSE Linux Enterprise Server 11 SP3 with more than 600 network servers (not counting other hardware devices). This number includes network servers from leading hardware partners, as follows:
- IBM, including various System x servers; IBM BladeCenter servers and Flex System 220 and 240 Compute Nodes. These were certified for relevant versions of SUSE Linux Enterprise 11 SP3, including SUSE Linux Enterprise Server with Xen and KVM for x86 and x86-64 bit systems.
- Cisco UCS—various systems certified for SUSE Linux Enterprise Server 11 SP3 for AMD64 and Intel64
- Toshiba SurePOS 700—various systems certified for SUSE Linux Enterprise Server 11 SP3 for x86
- Fujitsu CELSIUS W530—certified for SUSE Linux Enterprise Server 11 SP3 for AMD64 and Intel64
The work of certifying servers and other hardware devices on SP3 is now continuing alongside certification of other hardware systems on SUSE Linux Enterprise Server 11 SP2.
To learn which hardware devices are certified on which SUSE products, click here. You can search by keyword, hardware or software type, company, product or date.
Changes in Software Certifications: Less and More
In June 2013 SUSE published an online update of the SUSE Software Partner catalog of applications certified on SUSE products. This represents the first SUSE “clean out” of ISVs (Independent Software Vendors) in the catalog. The reason is mergers and acquisitions and product portfolio consolidation. IBM alone has acquired 15 SUSE ISVs, followed in descending order by Oracle with six acquisitions, HP and Open Text Corporation with five each and CA Technologies and BMC with three each. Removing the acquired ISVs resulted in a slight decrease in applications certified on SUSE Linux Enterprise 10 and 11, from 8,599 in April 2013 to 8,565 in May 2013.
The good news is that as more ISVs join PartnerNet, the number of certified applications has recovered—with 8,968 listed in the catalog in June 2013 for SUSE Linux Enterprise Server 10 and 11. That brings the total number of certified applications for SUSE Linux Enterprise Server 9, 10 and 11 in the June catalog to 11,237.
New additions to the catalog include the following applications from our Big Data partners: WANdisco Distro (WDD) 3.1.1, Cloudera Manager 4, Intel Distribution for Apache Hadoop software v2.3 and MongoDB Enterprise 2.4.
You can search the Software Partner Catalog by application, appliance, ISV, industry, platform and workload.