Canonical Voices

Posts tagged with 'ubuntu-server'

Dustin Kirkland

If you haven't heard about last week's Dirty COW vulnerability, I hope all of your Linux systems are automatically patching themselves...


Why?  Because every single Linux-based phone, router, modem, tablet, desktop, PC, server, virtual machine, and absolutely everything in between -- including all versions of Ubuntu since 2007 -- was vulnerable to this face-palming critical security vulnerability.

Any non-root local user of a vulnerable system can easily exploit the vulnerability and become the root user in a matter of a few seconds.  Watch...


Coincidentally, just before the vulnerability was published, we released the Canonical Livepatch Service for Ubuntu 16.04 LTS.  The thousands of users who enabled canonical-livepatch on their Ubuntu 16.04 LTS systems within those first few hours received and applied the fix to Dirty COW, automatically, in the background, and without rebooting!

If you haven't already enabled the Canonical Livepatch Service on your Ubuntu 16.04 LTS systems, you should really consider doing so, with 3 easy steps:
  1. Go to https://ubuntu.com/livepatch and retrieve your livepatch token
  2. Install the canonical-livepatch snap
    $ sudo snap install canonical-livepatch 
  3. Enable the service with your token
    $ sudo canonical-livepatch enable [TOKEN]
And you’re done! You can check the status at any time using:

$ canonical-livepatch status --verbose

Let's retry that same vulnerability, on the same system, but this time, having been livepatched...


Aha!  Thwarted!

So that's the Ubuntu 16.04 LTS kernel space...  What about userspace?  Most of the other recent, branded vulnerabilities (Heartbleed, ShellShock, CRIME, BEAST) have been critical vulnerabilities in userspace packages.

As of Ubuntu 16.04 LTS, the unattended-upgrades package is now part of the default package set, so you should already have it installed on your Ubuntu desktops and servers.  If you don't already have it installed, you can install it with:

$ sudo apt install unattended-upgrades

And moreover, as of Ubuntu 16.04 LTS, the unattended-upgrades package automatically downloads and installs important security updates once per day, automatically patching critical security vulnerabilities and keeping your Ubuntu systems safe by default.  Older versions of Ubuntu (or Ubuntu systems that upgraded to 16.04) might need to enable this behavior using:

$ sudo dpkg-reconfigure unattended-upgrades
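
One way to confirm that the daily security updates described above are actually switched on, as an added example that is not part of the original post. It reads the `APT::Periodic` settings that `dpkg-reconfigure unattended-upgrades` writes to /etc/apt/apt.conf.d/20auto-upgrades (or the merged view from `apt-config dump`); the function names are hypothetical and the sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit APT's periodic settings.
# Function names are hypothetical; sample configuration lines are constructed.

# Print the effective value of APT::Periodic::<name> from config text on stdin.
# The last assignment wins, as it does when apt reads apt.conf.d in order.
periodic_value() {
    awk -v key="APT::Periodic::$1" '
        { sub(/\/\/.*/, "") }          # strip // comments
        $1 == key {
            val = $2
            gsub(/[";]/, "", val)      # "1"; -> 1
        }
        END {
            if (val == "") val = "unset"
            print val
        }
    '
}

# Classify config text on stdin:
#   enabled      upgrades run and package lists are refreshed
#   stale-lists  upgrades run, but package lists are never refreshed automatically
#   disabled     unattended upgrades are off or never configured
auto_patch_state() {
    cfg=$(cat)
    upgrade=$(printf '%s\n' "$cfg" | periodic_value Unattended-Upgrade)
    lists=$(printf '%s\n' "$cfg" | periodic_value Update-Package-Lists)
    case "$upgrade" in
        unset|0) echo "disabled"; return 0 ;;
    esac
    case "$lists" in
        unset|0) echo "stale-lists"; return 0 ;;
    esac
    echo "enabled"
}

# Constructed sample: a later snippet silently turns upgrades back off.
sample_overridden() {
    cat <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
// local override read after 20auto-upgrades
APT::Periodic::Unattended-Upgrade "0";
EOF
}

# On a real host: apt-config dump | auto_patch_state
echo "constructed sample: $(sample_overridden | auto_patch_state)"
```

A result other than `enabled` means the system is not getting the once-per-day security updates, even though the package is installed.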


With that combination enabled -- (1) automatic livepatches to your kernel, plus (2) automatic application of security package updates -- Ubuntu 16.04 LTS is the most secure Linux distribution to date.  Period.

Mooooo,
:-Dustin

Dustin Kirkland

Introducing the Canonical Livepatch Service
Howdy!

Ubuntu 16.04 LTS’s 4.4 Linux kernel includes an important new security capability in Ubuntu -- the ability to modify the running Linux kernel code, without rebooting, through a mechanism called kernel livepatch.

Today, Canonical has publicly launched the Canonical Livepatch Service -- an authenticated, encrypted, signed stream of Linux livepatches that apply to the 64-bit Intel/AMD architecture of the Ubuntu 16.04 LTS (Xenial) Linux 4.4 kernel, addressing the highest and most critical security vulnerabilities, without requiring a reboot in order to take effect.  This is particularly amazing for Container hosts -- Docker, LXD, etc. -- as all of the containers share the same kernel, and thus all instances benefit.



I’ve tried to answer below some questions that you might have. As you have others, you’re welcome to add them to the comments below or on Twitter with hashtag #Livepatch.

Retrieve your token from ubuntu.com/livepatch

Q: How do I enable the Canonical Livepatch Service?

A: Three easy steps, on a fully up-to-date 64-bit Ubuntu 16.04 LTS system.
  1. Go to https://ubuntu.com/livepatch and retrieve your livepatch token
  2. Install the canonical-livepatch snap
    $ sudo snap install canonical-livepatch
  3. Enable the service with your token
    $ sudo canonical-livepatch enable [TOKEN]
And you’re done! You can check the status at any time using:

    $ canonical-livepatch status --verbose

      Q: What are the system requirements?

      A: The Canonical Livepatch Service is available for the generic and low latency flavors of the 64-bit Intel/AMD (aka, x86_64, amd64) builds of the Ubuntu 16.04 LTS (Xenial) kernel, which is a Linux 4.4 kernel. Canonical livepatches work on Ubuntu 16.04 LTS Servers and Desktops, on physical machines, virtual machines, and in the cloud. The safety, security, and stability firmly depend on unmodified Ubuntu kernels and network access to the Canonical Livepatch Service (https://livepatch.canonical.com:443).  You also will need to apt update/upgrade to the latest version of snapd (at least 2.15).

      Q: What about other architectures?

      A: The upstream Linux livepatch functionality is currently limited to the 64-bit x86 architecture. IBM is working on support for POWER8 and s390x (LinuxOne mainframe), and there’s also active upstream development on ARM64, so we do plan to support these eventually. The livepatch plumbing for 32-bit ARM and 32-bit x86 is not under upstream development at this time.

      Q: What about other flavors?

      A: We are providing the Canonical Livepatch Service for the generic and low latency (telco) flavors of the Linux kernel at this time.

      Q: What about other releases of Ubuntu?

      A: The Canonical Livepatch Service is provided for Ubuntu 16.04 LTS’s Linux 4.4 kernel. Older releases of Ubuntu will not work, because they’re missing the Linux kernel support. Interim releases of Ubuntu (e.g. Ubuntu 16.10) are targeted at developers and early adopters, rather than Long Term Support users or systems that require maximum uptime.  We will consider providing livepatches for the HWE kernels in 2017.

      Q: What about derivatives of Ubuntu?

      A: Canonical livepatches are fully supported on the 64-bit Ubuntu 16.04 LTS Desktop, Cloud, and Server operating systems. On other Ubuntu derivatives, your mileage may vary! These are not part of our automated continuous integration quality assurance testing framework for Canonical Livepatches. Canonical Livepatch safety, security, and stability will firmly depend on unmodified Ubuntu generic kernels and network access to the Canonical Livepatch Service.

      Q: How does Canonical test livepatches?

      A: Every livepatch is rigorously tested in Canonical's in-house CI/CD (Continuous Integration / Continuous Delivery) quality assurance system, which tests hundreds of combinations of livepatches, kernels, hardware, physical machines, and virtual machines.  Once a livepatch passes CI/CD and regression tests, it's rolled out on a canary testing basis, first to a tiny percentage of the Ubuntu Community users of the Canonical Livepatch Service. Based on the success of that microscopic rollout, a moderate rollout follows.  And assuming those also succeed, the livepatch is delivered to all free Ubuntu Community and paid Ubuntu Advantage users of the service.  Systemic failures are automatically detected and raised for inspection by Canonical engineers.  Ubuntu Community users of the Canonical Livepatch Service who want to eliminate the small chance of being randomly chosen as a canary should enroll in the Ubuntu Advantage program (starting at $12/month).

      Q: What kinds of updates will be provided by the Canonical Livepatch Service?

      A: The Canonical Livepatch Service is intended to address high and critical severity Linux kernel security vulnerabilities, as identified by Ubuntu Security Notices and the CVE database. Note that there are some limitations to the kernel livepatch technology -- some Linux kernel code paths cannot be safely patched while running. We will do our best to supply Canonical Livepatches for high and critical vulnerabilities in a timely fashion whenever possible. There may be occasions when the traditional kernel upgrade and reboot might still be necessary. We’ll communicate that clearly through the usual mechanisms -- USNs, Landscape, Desktop Notifications, Byobu, /etc/motd, etc.

      Q: What about non-security bug fixes, stability, performance, or hardware enablement updates?

      A: Canonical will continue to provide Linux kernel updates addressing bugs, stability issues, performance problems, and hardware compatibility on our usual cadence -- about every 3 weeks. These updates can be easily applied using ‘sudo apt update; sudo apt upgrade -y’, using the Desktop “Software Updates” application, or Landscape systems management. These standard (non-security) updates will still require a reboot, as they always have.

      Q: Can I rollback a Canonical Livepatch?

      A: Currently rolling-back/removing an already inserted livepatch module is disabled in Linux 4.4. This is because we need a way to determine if we are currently executing inside a patched function before safely removing it. We can, however, safely apply new livepatches on top of each other and even repatch functions over and over.

      Q: What about low and medium severity CVEs?

      A: We’re currently focusing our Canonical Livepatch development and testing resources on high and critical security vulnerabilities, as determined by the Ubuntu Security Team.  We'll livepatch other CVEs opportunistically.

      Q: Why are Canonical Livepatches provided as a subscription service?

      A: The Canonical Livepatch Service provides a secure, encrypted, authenticated connection, to ensure that only properly signed livepatch kernel modules -- and most importantly, the right modules -- are delivered directly to your system, with extremely high quality testing wrapped around it.

      Q: But I don’t want to buy UA support!

      A: You don’t have to! Canonical is providing the Canonical Livepatch Service to community users of Ubuntu, at no charge for up to 3 machines (desktop, server, virtual machines, or cloud instances). A randomly chosen subset of the free users of Canonical Livepatches will receive their Canonical Livepatches slightly earlier than the rest of the free users or UA users, as a lightweight canary testing mechanism, benefiting all Canonical Livepatch users (free and UA). Once those canary livepatches apply safely, all Canonical Livepatch users will receive their live updates.

      Q: But I don’t have an Ubuntu SSO account!

      A: An Ubuntu SSO account is free, and provides services similar to Google, Microsoft, and Apple for Android/Windows/Mac devices, respectively. You can create your Ubuntu SSO account here.

      Q: But I don’t want to log in to ubuntu.com!

      A: You don’t have to! Canonical Livepatch is absolutely not required to maintain the security of any Ubuntu desktop or server! You may continue to freely and anonymously ‘sudo apt update; sudo apt upgrade; sudo reboot’ as often as you like, and receive all of the same updates, and simply reboot after kernel updates, as you always have with Ubuntu.

      Q: But I don't have Internet access to livepatch.canonical.com:443!

      A: You should think of the Canonical Livepatch Service much like you think of Netflix, Pandora, or Dropbox.  It's an Internet streaming service for security hotfixes for your kernel.  You have access to the stream of bits when you can connect to the service over the Internet.  On the flip side, your machines are already thoroughly secured, since they're so heavily firewalled off from the rest of the world!

      Q: Where’s the source code?

      A: The source code of livepatch modules can be found here.  The source code of the canonical-livepatch client is part of Canonical's Landscape system management product and is commercial software.

      Q: What about Ubuntu Core?

      A: Canonical Livepatches for Ubuntu Core are on the roadmap, and may be available in late 2016, for 64-bit Intel/AMD architectures. Canonical Livepatches for ARM-based IoT devices depend on upstream support for livepatches.

      Q: How does this compare to Oracle Ksplice, RHEL Live Patching and SUSE Live Patching?

      A: While the concepts are largely the same, the technical implementations and the commercial terms are very different:

      • Oracle Ksplice uses its own technology which is not in upstream Linux.
      • RHEL and SUSE currently use their own homegrown kpatch/kgraft implementations, respectively.
      • Canonical Livepatching uses the upstream Linux Kernel Live Patching technology.
      • Ksplice is free, but unsupported, for Ubuntu Desktops, and only available for Oracle Linux and RHEL servers with an Oracle Linux Premier Support license ($2299/node/year).
      • It’s a little unclear how to subscribe to RHEL Kernel Live Patching, but it appears that you need to first be a RHEL customer, and then enroll in the SIG (Special Interests Group) through your TAM (Technical Account Manager), which requires Red Hat Enterprise Linux Server Premium Subscription at $1299/node/year.  (I'm happy to be corrected and update this post)
      • SUSE Live Patching is available as an add-on to SUSE Linux Enterprise Server 12 Priority Support subscription at $1,499/node/year, but does come with a free music video.
      • Canonical Livepatching is available for every Ubuntu Advantage customer, starting at our entry level UA Essential for $150/node/year, and available for free to community users of Ubuntu.

      Q: What happens if I run into problems/bugs with Canonical Livepatches?

      A: Ubuntu Advantage customers will file a support request at support.canonical.com where it will be serviced according to their UA service level agreement (Essential, Standard, or Advanced). Ubuntu community users will file a bug report on Launchpad and we'll service it on a best effort basis.

      Q: Why does canonical-livepatch client/server have a proprietary license?

      A: The canonical-livepatch client is part of the Landscape family of tools available to Canonical support customers. We are enabling free access to the Canonical Livepatch Service for Ubuntu community users as a mark of our appreciation for the broader Ubuntu community, and in exchange for occasional, automatic canary testing.

      Q: How do I build my own livepatches?

      A: It’s certainly possible for you to build your own Linux kernel live patches, but it requires considerable skill, time, and computing power to produce, and even more effort to comprehensively test. Rest assured that this is the real value of using the Canonical Livepatch Service! That said, Chris Arges has blogged a howto for the curious a while back:

      http://chrisarges.net/2015/09/21/livepatch-on-ubuntu.html

      Q: How do I get notifications of which CVEs are livepatched and which are not?

      A: You can, at any time, query the status of the canonical-livepatch daemon using: ‘canonical-livepatch status --verbose’. This command will show any livepatches successfully applied, any outstanding/unapplied livepatches, and any error conditions. Moreover, you can monitor the Ubuntu Security Notices RSS feed and the ubuntu-security-announce mailing list.

      Q: Isn't livepatching just a big ole rootkit?

      A: Canonical Livepatches inject kernel modules to replace sections of binary code in the running kernel. This requires the CAP_SYS_MODULE capability. This is required to modprobe any module into the Linux kernel. If you already have that capability (root does, by default, on Ubuntu), then you already have the ability to arbitrarily modify the kernel, with or without Canonical Livepatches. If you’re an Ubuntu sysadmin and you want to disable module loading (and thereby also disable Canonical Livepatches), simply ‘echo 1 | sudo tee /proc/sys/kernel/modules_disabled’.

      Keep the uptime!
      :-Dustin

      Dustin Kirkland

      My wife, Kimberly, and I watch Saturday Night Live religiously.  As in, we probably haven't missed a single episode since we started dating more than 12 years ago.  And in fact, we both watched our fair share of SNL before we had even met, going back to our teenage years.

      We were catching up on SNL's 42nd season premiere late this past Sunday night, after putting the kids to bed, when I was excited to see a hilarious sketch/parody of Mr. Robot.

      If SNL is my oldest TV favorite, Mr. Robot is certainly my newest!  Just wrapping its 2nd season, it's a brilliantly written, flawlessly acted, impeccably set techno drama series on USA.  I'm completely smitten, and the story seems to be just getting started!

      Okay, so Kim and I are watching a hilarious sketch where Leslie Jones asks Elliot to track down the person who recently hacked her social media accounts.  And, as always, I take note of what's going on in the background on the computer screen.  It's just something I do.  I love to try and spot the app, the OS, the version, identify the Linux kernel oops, etc., of anything on any computer screen on TV.

      At about the 1:32 mark of the SNL/Mr.Robot skit, there was something unmistakable on the left computer, just over actor Pete Davidson's right shoulder.  Merely a fraction of a second, and I recognized it instantly!  A dark terminal, split into a dozen sections.  A light grey border, with a thicker grey highlighting one split.  The green drip of text from The Matrix in one of the splits. A flashing, bouncing yellow audio wave in another.  An instant rearrangement of all of those windows each second.

      It was Byobu and Hollywood!  I knew it.  Kim didn't believe me at first, until I proved it ;-)

      A couple of years ago, after seeing a 007 film in the theater, I created a bit of silliness -- a joke of a program that could turn any Linux terminal into a James Bond caliber hacker screen.  The result is a package called hollywood, which any Ubuntu user can install and run by simply typing:

      $ sudo apt install hollywood
      $ hollywood

      And a few months ago, Hollywood found its way into an NBC News piece that took itself perhaps a little too seriously, as it drummed up a bit of fear around "Ransomware".

      But, far more appropriately, I'm absolutely delighted to see another NBC program -- Saturday Night Live -- using Hollywood exactly as intended -- for parody!

      Enjoy a few screenshots below...








      Cheers!
      :-Dustin

      Dustin Kirkland


      On Monday this week, I was afforded the distinct privilege to deliver the opening keynote at the OpenZFS Developer Summit in San Francisco.  It was a beautiful little event, with a full day of informative presentations and lots of networking during lunch and breaks.

      Below, you can view my slides, download the PDF, or watch the talk (starts at 31:10) and demo in its entirety.

      Hopefully you'll enjoy the demo -- especially the most interesting raw tracing system new in the Ubuntu 16.04 LTS Linux 4.4 kernel, something called The Berkeley Packet Filter, or "BPF" for short.  I used a series of open source utilities from Brendan Gregg (from Netflix), called iovisor/bcc.  Quoting the README.md on Github:

      BCC is a toolkit for creating efficient kernel tracing and manipulation programs, and includes several useful tools and examples. It makes use of extended BPF (Berkeley Packet Filters), formally known as eBPF, a new feature that was first added to Linux 3.15. Much of what BCC uses requires Linux 4.1 and above.
      I'll follow up this post with another one, formally introducing BPF and how to install and use bcc in Ubuntu 16.04 LTS, if anyone is interested...




      :-Dustin

      Dustin Kirkland


      A couple of weeks ago, I delivered a talk at the Container Camp UK 2016.  It was a brilliant event, on a beautiful stage at Picturehouse Central in Piccadilly Circus in London.

      You're welcome to view the slides or download them as a PDF, or watch my talk below.

      And for the techies who want to skip the slide fluff and get their hands dirty, set up your OpenStack and LXD and start streamlining your HPC workloads using this guide.




      Enjoy,
      :-Dustin

      Dustin Kirkland


      I hope you'll enjoy a shiny new 6-part blog series I recently published at Linux.com.
      1. The first article is a bit of back story, perhaps a behind-the-scenes look at the motivations, timelines, and some of the work performed between Microsoft and Canonical to bring Ubuntu to Windows.
      2. The second article is an updated getting-started guide, with screenshots, showing a Windows 10 user exactly how to enable and run Ubuntu on Windows.
      3. The third article walks through a dozen or so examples of the most essential command line utilities a Windows user, new to Ubuntu (and Bash), should absolutely learn.
      4. The fourth article shows how to write and execute your first script, "Howdy, Windows!", in 6 different dynamic scripting languages (Bash, Python, Perl, Ruby, PHP, and NodeJS).
      5. The fifth article demonstrates how to write, compile, and execute your first program in 7 different compiled programming languages (C, C++, Fortran, Golang).
      6. The sixth and final article conducts some performance benchmarks of the CPU, Memory, Disk, and Network, in both native Ubuntu on a physical machine, and Ubuntu on Windows running on the same system.
      I really enjoyed writing these.  Hopefully you'll try some of the examples, and share your experiences using Ubuntu native utilities on a Windows desktop.  You can find the source code of the programming examples in Github and Launchpad:
      Cheers,
      Dustin

      Dustin Kirkland

      A few years ago, I wrote and released a fun little script that would carve up an Ubuntu Byobu terminal into a bunch of splits, running various random command line status utilities.

      100% complete technical mumbo jumbo.  The goal was to turn your terminal into something that belongs in a Hollywood hacker film.

      I am proud to see it included in this NBCNews piece about "Ransomware".  All of the screenshots, demonstrating what a "hacker" is doing with a system are straight from Ubuntu, Byobu, and Hollywood!







      Here are a few screenshots, and the video is embedded below...



      Enjoy!
      :-Dustin

      Dustin Kirkland


      Below you can find the audio/video recording of my OpenStack Austin presentation, where I demonstrated Ubuntu OpenStack Mitaka, running on top of Ubuntu 16.04 LTS, entirely within LXD machine containers.  You can also download the PDF of the slides here.  And there are a number of other excellent talks here!



      Cheers,
      Dustin

      Dustin Kirkland

      I'm delighted to share the slides from our joint IBM and Canonical webinar about Ubuntu on IBM POWER8 and LinuxOne servers.  You can download the PDF here, watch the recording here, or tab through the slides or watch the video embedded below.  Enjoy!




      Cheers,
      :-Dustin

      Dustin Kirkland


      I'm thrilled to introduce Docker 1.10.3, available on every Ubuntu architecture, for Ubuntu 16.04 LTS, and announce the General Availability of Ubuntu Fan Networking!

      That's Ubuntu Docker binaries and Ubuntu Docker images for:
      • armhf (rpi2, et al. IoT devices)
      • arm64 (Cavium, et al. servers)
      • i686 (does anyone seriously still run 32-bit intel servers?)
      • amd64 (most servers and clouds under the sun)
      • ppc64el (OpenPower and IBM POWER8 machine learning super servers)
      • s390x (IBM System Z LinuxOne super uptime mainframes)
      That's Docker-Docker-Docker-Docker-Docker-Docker, from the smallest Raspberry Pi's to the biggest IBM mainframes in the world today!  Never more than one 'sudo apt install docker.io' command away.

      Moreover, we now have Docker running inside of LXD!  Containers all the way down.  Application containers (e.g. Docker), inside of Machine containers (e.g. LXD), inside of Virtual Machines (e.g. KVM), inside of a public or private cloud (e.g. Azure, OpenStack), running on bare metal (take your pick).

      Let's have a look at launching a Docker application container inside of a LXD machine container:

      kirkland@x250:~⟫ lxc launch ubuntu-daily:x -p default -p docker
      Creating magical-damion
      Starting magical-damion
      kirkland@x250:~⟫ lxc list | grep RUNNING
      | magical-damion | RUNNING | 10.16.4.52 (eth0) | | PERSISTENT | 0 |
      kirkland@x250:~⟫ lxc exec magical-damion bash
      root@magical-damion:~# apt update >/dev/null 2>&1 ; apt install -y docker.io >/dev/null 2>&1
      root@magical-damion:~# docker run -it ubuntu bash
      Unable to find image 'ubuntu:latest' locally
      latest: Pulling from library/ubuntu
      759d6771041e: Pull complete
      8836b825667b: Pull complete
      c2f5e51744e6: Pull complete
      a3ed95caeb02: Pull complete
      Digest: sha256:b4dbab2d8029edddfe494f42183de20b7e2e871a424ff16ffe7b15a31f102536
      Status: Downloaded newer image for ubuntu:latest
      root@0577bd7d5db1:/# ifconfig eth0
      eth0 Link encap:Ethernet HWaddr 02:42:ac:11:00:02
      inet addr:172.17.0.2 Bcast:0.0.0.0 Mask:255.255.0.0
      inet6 addr: fe80::42:acff:fe11:2/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:16 errors:0 dropped:0 overruns:0 frame:0
      TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1296 (1.2 KB) TX bytes:648 (648.0 B)


      Oh, and let's talk about networking...  We're also pleased to announce the general availability of Ubuntu Fan networking -- specially designed to connect all of your Docker containers spread across your network.  Ubuntu's Fan networking feature is an easy way to make every Docker container on your local network easily addressable by every other Docker host and container on the same network.  It's high performance, super simple, utterly deterministic, and we've tested it on every major public cloud as well as OpenStack and our private networks.

      Simply installing Ubuntu's Docker package will also install the ubuntu-fan package, which provides an interactive setup script, fanatic, should you choose to join the Fan.  Simply run 'sudo fanatic' and answer the questions.  You can trivially revert your Fan networking setup with 'sudo fanatic deconfigure'.

      kirkland@x250:~$ sudo fanatic 
      Welcome to the fanatic fan networking wizard. This will help you set
      up an example fan network and optionally configure docker and/or LXD to
      use this network. See fanatic(1) for more details.
      Configure fan underlay (hit return to accept, or specify alternative) [10.0.0.0/16]:
      Configure fan overlay (hit return to accept, or specify alternative) [250.0.0.0/8]:
      Create LXD networking for underlay:10.0.0.0/16 overlay:250.0.0.0/8 [Yn]: n
      Create docker networking for underlay:10.0.0.0/16 overlay:250.0.0.0/8 [Yn]: Y
      Test docker networking for underlay:10.0.0.45/16 overlay:250.0.0.0/8
      (NOTE: potentially triggers large image downloads) [Yn]: Y
      local docker test: creating test container ...
      34710d2c9a856f4cd7d8aa10011d4d2b3d893d1c3551a870bdb9258b8f583246
      test master: ping test (250.0.45.0) ...
      test slave: ping test (250.0.45.1) ...
      test master: ping test ... PASS
      test master: short data test (250.0.45.1 -> 250.0.45.0) ...
      test slave: ping test ... PASS
      test slave: short data test (250.0.45.0 -> 250.0.45.1) ...
      test master: short data ... PASS
      test slave: short data ... PASS
      test slave: long data test (250.0.45.0 -> 250.0.45.1) ...
      test master: long data test (250.0.45.1 -> 250.0.45.0) ...
      test master: long data ... PASS
      test slave: long data ... PASS
      local docker test: destroying test container ...
      fanatic-test
      fanatic-test
      local docker test: test complete PASS (master=0 slave=0)
      This host IP address: 10.0.0.45

      I've run 'sudo fanatic' here on a couple of machines on my network -- x250 (10.0.0.45) and masterbr (10.0.0.8), and now I'm going to launch a Docker container on each of those two machines, obtain each IP address on the Fan (250.x.y.z), install iperf, and test the connectivity and bandwidth between each of them (on my gigabit home network).  You'll see that we'll get 900mbps+ of throughput:

      kirkland@x250:~⟫ sudo docker run -it ubuntu bash
      root@c22cf0d8e1f7:/# apt update >/dev/null 2>&1 ; apt install -y iperf >/dev/null 2>&1
      root@c22cf0d8e1f7:/# ifconfig eth0
      eth0 Link encap:Ethernet HWaddr 02:42:fa:00:2d:00
      inet addr:250.0.45.0 Bcast:0.0.0.0 Mask:255.0.0.0
      inet6 addr: fe80::42:faff:fe00:2d00/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
      RX packets:6423 errors:0 dropped:0 overruns:0 frame:0
      TX packets:4120 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:22065202 (22.0 MB) TX bytes:227225 (227.2 KB)

      root@c22cf0d8e1f7:/# iperf -c 250.0.8.0
      multicast ttl failed: Invalid argument
      ------------------------------------------------------------
      Client connecting to 250.0.8.0, TCP port 5001
      TCP window size: 45.0 KByte (default)
      ------------------------------------------------------------
      [ 3] local 250.0.45.0 port 54274 connected with 250.0.8.0 port 5001
      [ ID] Interval Transfer Bandwidth
      [ 3] 0.0-10.0 sec 1.05 GBytes 902 Mbits/sec

      And the second machine:
      kirkland@masterbr:~⟫ sudo docker run -it ubuntu bash
      root@effc8fe2513d:/# apt update >/dev/null 2>&1 ; apt install -y iperf >/dev/null 2>&1
      root@effc8fe2513d:/# ifconfig eth0
      eth0 Link encap:Ethernet HWaddr 02:42:fa:00:08:00
      inet addr:250.0.8.0 Bcast:0.0.0.0 Mask:255.0.0.0
      inet6 addr: fe80::42:faff:fe00:800/64 Scope:Link
      UP BROADCAST RUNNING MULTICAST MTU:1450 Metric:1
      RX packets:7659 errors:0 dropped:0 overruns:0 frame:0
      TX packets:3433 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:22131852 (22.1 MB) TX bytes:189875 (189.8 KB)

      root@effc8fe2513d:/# iperf -s
      ------------------------------------------------------------
      Server listening on TCP port 5001
      TCP window size: 85.3 KByte (default)
      ------------------------------------------------------------
      [ 4] local 250.0.8.0 port 5001 connected with 250.0.45.0 port 54274
      [ ID] Interval Transfer Bandwidth
      [ 4] 0.0-10.0 sec 1.05 GBytes 899 Mbits/sec
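
The Fan addresses in the two sessions above follow directly from each host's underlay address, so a 250.x.y.z address seen in a log can be attributed back to the Docker host that owns it. This is an added example, not part of the original post or the ubuntu-fan package; the function names are hypothetical, and it assumes the mapping in which the host bits of the underlay address are placed directly after the overlay prefix.

```shell
#!/bin/sh
# Added example (not from the original post or from ubuntu-fan).
# Function names are hypothetical. Addresses used in the demo are the
# ones shown in the post: underlay 10.0.0.0/16, overlay 250.0.0.0/8.

# Dotted quad -> integer
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Integer -> dotted quad
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# fan_subnet HOST_IP UNDERLAY_CIDR OVERLAY_CIDR
# Prints the overlay subnet assigned to the containers of HOST_IP.
fan_subnet() {
    u_len=${2#*/}
    o_base=$(ip_to_int "${3%/*}")
    o_len=${3#*/}
    host_bits=$(( 32 - u_len ))          # bits that identify the host
    sub_len=$(( o_len + host_bits ))     # prefix length of the per-host subnet
    if [ "$sub_len" -gt 32 ]; then
        echo "overlay has no room for $host_bits host bits" >&2
        return 1
    fi
    host_part=$(( $(ip_to_int "$1") & ((1 << host_bits) - 1) ))
    echo "$(int_to_ip $(( o_base | (host_part << (32 - sub_len)) )))/$sub_len"
}

# fan_host OVERLAY_ADDR UNDERLAY_CIDR OVERLAY_CIDR
# Prints the underlay address of the host that owns OVERLAY_ADDR.
fan_host() {
    u_base=$(ip_to_int "${2%/*}")
    u_len=${2#*/}
    o_len=${3#*/}
    host_bits=$(( 32 - u_len ))
    shift_by=$(( 32 - o_len - host_bits ))   # container bits to discard
    host_part=$(( ($(ip_to_int "$1") >> shift_by) & ((1 << host_bits) - 1) ))
    net=$(( u_base & ~((1 << host_bits) - 1) ))
    int_to_ip $(( net | host_part ))
}

# The two hosts from the post, and the reverse lookup for a container address.
for h in 10.0.0.45 10.0.0.8; do
    echo "$h -> $(fan_subnet "$h" 10.0.0.0/16 250.0.0.0/8)"
done
echo "250.0.45.1 -> host $(fan_host 250.0.45.1 10.0.0.0/16 250.0.0.0/8)"
```
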


      Finally, let's have another long hard look at the image from the top of this post.  Download it in full resolution to study very carefully what's happening here, because it's pretty [redacted] amazing!


      Here, we have a Byobu session, split into 6 panes (Shift-F2 5x Times, Shift-F8 6x times).  In each pane, we have an SSH session to Ubuntu 16.04 LTS servers spread across 6 different architectures -- armhf, arm64, i686, amd64, ppc64el, and s390x.  I used the Shift-F9 key to simultaneously run the same commands in each and every window.  Here are the commands I ran:

      clear
      lxc launch ubuntu-daily:x -p default -p docker
      lxc list | grep RUNNING
      uname -a
      dpkg -l docker.io | grep docker.io
      sudo docker images | grep -m1 ubuntu
      sudo docker run -it ubuntu bash
      apt update >/dev/null 2>&1 ; apt install -y net-tools >/dev/null 2>&1
      ifconfig eth0
      exit

      That's right.  We just launched Ubuntu LXD containers, as well as Docker containers against every Ubuntu 16.04 LTS architecture.  How's that for Ubuntu everywhere!?!

      Ubuntu 16.04 LTS will be one hell of a release!

      :-Dustin

      Dustin Kirkland


      I happen to have a full mirror of the entire Ubuntu Xenial archive here on a local SSD, and I took the opportunity to run a few numbers...
      • 6: This is our 6th Ubuntu LTS
        • 6.06, 8.04, 10.04, 12.04, 14.04, 16.04
      • 7: With Ubuntu 16.04 LTS, we're supporting 7 CPU architectures
        • armhf, arm64, i386, amd64, powerpc, ppc64el, s390x
      • 25,671: Ubuntu 16.04 LTS is comprised of 25,671 source packages
        • main, universe, restricted, multiverse
      • 150,562+: Over 150,562 (and counting!) cloud instances of Xenial have launched to date
        • and we haven't even officially released yet!
      • 216,475: A complete archive of all binary .deb packages in Ubuntu 16.04 LTS consists of 216,475 debs.
        • 24,803 arch independent
        • 27,159 armhf
        • 26,845 arm64
        • 28,730 i386
        • 28,902 amd64
        • 27,061 powerpc
        • 26,837 ppc64el
        • 26,138 s390x
      • 1,426,792,926: A total line count of all source packages in Ubuntu 16.04 LTS using cloc yields 1,426,792,926 total lines of source code
      • 250,478,341,568: A complete archive of all debs, all architectures in Ubuntu 16.04 LTS requires 250GB of disk space
      Yes, that's 1.4 billion lines of source code comprising the entire Ubuntu 16.04 LTS archive.  What an amazing achievement of open source development!

      Perhaps my fellow nerds here might be interested in a breakdown of all 1.4 billion lines across 25K source packages, and throughout 176 different programming languages, as measured by Al Danial's cloc utility.  Interesting data!


      You can see the full list here.  What further insight can you glean?

      :-Dustin

      Dustin Kirkland


      On July 7, 2010, I received the above email.  In hindsight, this note effectively changed the landscape of cloud computing forever.  I was one of 3 Canonical employees in attendance (Nick Barcet, Neil Levine) and among a number of former colleagues (Thierry Carrez, Soren Hansen, Rick Clark) at the first OpenStack Design Summit at the Omni hotel in Austin, Texas, in July of 2010.

      These are the only pictures I snapped with my phone (metadata says it was an HTC Hero) of the event, which, almost unbelievably, fit entirely within a single conference room :-)


      The "fishbowl" round table discussion format was modeled after Ubuntu Developer Summits.


      It was so much fun to see so many unfamiliar, non-Ubuntu people using the fishbowl discussion format.


      Also borrowed from Ubuntu Developer Summits was the collaborative, community-sourced note taking in Etherpad-Lite.



      Breakfast, in the beautiful Omni lobby.


      Lots of natural light, but thankfully, air conditioned.  By the way, does anyone have pictures from the 120°F Whole Foods roof top event?


      My, my, my, how far we've come in 6 short years!

      This month's OpenStack Summit returns to Austin, Texas, and fills the entire Austin Convention Center, and overflows into at least two nearby hotels, with 5,000+ OpenStack developers, users, and enthusiasts!


      In fact, if you're reading this post on insights.ubuntu.com, you're being served by Wordpress and MySQL hosted on a production Ubuntu OpenStack at Canonical.

      Welcome back home, OpenStack!

      :-Dustin

      Dustin Kirkland

      As announced last week, Microsoft and Canonical have worked together to bring Ubuntu's userspace natively into Windows 10.

      As of today, Windows 10 Insiders can now take Ubuntu on Windows for a test drive!  Here's how...

      1) You need to have a system running today's 64-bit build of Windows 10 (Build 14316).


      2) To do so, you may need to enroll into the Windows Insider program here, insider.windows.com.


      3) You need to notify your Windows desktop that you're a Windows Insider, under "System Settings --> Advanced Windows Update options"


      4) You need to set your update ambition to the far right, also known as "the fast ring".


      5) You need to enable "developer mode", as this new feature is very pointedly directed specifically at developers.


      6) You need to check for updates, apply all updates, and restart.


      7) You need to turn on the new Windows feature, "Windows Subsystem for Linux (Beta)".  Note (again) that you need a 64-bit version of Windows!  Without that, you won't see the new option.


      8) You need to reboot again.  (Windows sure has a fetish for rebooting!)


      9) You press the start button and type "bash".


      10) The first time you run "bash.exe", you'll accept the terms of service, download Ubuntu, and then you're off and running!



      If you screw something up, and you want to start over, simply open a Windows command shell, and run: lxrun /uninstall /full and then just run bash again.

      For bonus points, you might also like to enable the Ubuntu monospace font in your console.  Here's how!

      a) Download the Ubuntu monospace font, from font.ubuntu.com.


      b) Install the Ubuntu monospace font, by opening the zip file you downloaded, finding UbuntuMono-R.ttf, double clicking on it, and then clicking Install.


      c) Enable the Ubuntu monospace font for the command console in the Windows registry.  Open regedit and find this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont and add a new string value name "000" with value data "Ubuntu Mono"




      d) Edit your command console preferences to enable the Ubuntu monospace font.

      Cheers!
      Dustin

      Dustin Kirkland

      Update: Here's how to get started using Ubuntu on Windows

      See also Scott Hanselman's blog here
      I'm in San Francisco this week, attending Microsoft's Build developer conference, as a sponsored guest of Microsoft.



      That's perhaps a bit odd for me, as I hadn't used Windows in nearly 16 years.  But that changed a few months ago, as I embarked on a super secret (and totally mind boggling!) project between Microsoft and Canonical, as unveiled today in a demo during Kevin Gallo's opening keynote of the Build conference....



      An Ubuntu user space and bash shell, running natively in a Windows 10 cmd.exe console!


      Did you get that?!?  Don't worry, it took me a few laps around that track, before I fully comprehended it when I first heard such crazy talk a few months ago :-)

      Here, let's break it down slowly...
      1. Windows 10 users
      2. Can open the Windows Start menu
      3. And type "bash" [enter]
      4. Which opens a cmd.exe console
      5. Running Ubuntu's /bin/bash
      6. With full access to all of Ubuntu user space
      7. Yes, that means apt, ssh, rsync, find, grep, awk, sed, sort, xargs, md5sum, gpg, curl, wget, apache, mysql, python, perl, ruby, php, gcc, tar, vim, emacs, diff, patch...
      8. And most of the tens of thousands of binary packages available in the Ubuntu archives!
      "Right, so just Ubuntu running in a virtual machine?"  Nope!  This isn't a virtual machine at all.  There's no Linux kernel booting in a VM under a hypervisor.  It's just the Ubuntu user space.

      "Ah, okay, so this is Ubuntu in a container then?"  Nope!  This isn't a container either.  It's native Ubuntu binaries running directly in Windows.

      "Hum, well it's like cygwin perhaps?"  Nope!  Cygwin includes open source utilities that are recompiled from source to run natively in Windows.  Here, we're talking about bit-for-bit, checksum-for-checksum Ubuntu ELF binaries running directly in Windows.

      [long pause]

      "So maybe something like a Linux emulator?"  Now you're getting warmer!  A team of sharp developers at Microsoft has been hard at work adapting some Microsoft research technology to basically perform real time translation of Linux syscalls into Windows OS syscalls.  Linux geeks can think of it sort of as the inverse of "wine" -- Ubuntu binaries running natively in Windows.  Microsoft calls it their "Windows Subsystem for Linux".  (No, it's not open source at this time.)

      Oh, and it's totally shit hot!  The sysbench utility is showing nearly equivalent cpu, memory, and io performance.

      So as part of the engineering work, I needed to wrap the stock Ubuntu root filesystem into a Windows application package (.appx) file for suitable upload to the Windows Store.  That required me to use Microsoft Visual Studio to clone a sample application, edit a few dozen XML files, create a bunch of icon .png's of various sizes, and so on.

      Not being a Windows developer, I struggled and fought with Visual Studio on this Windows desktop for a few hours, until I was about ready to smash my coffee mug through the damn screen!

      Instead, I pressed the Windows key, typed "bash", hit enter.  Then I found the sample application directory in /mnt/c/Users/Kirkland/Downloads, and copied it using "cp -a".  I used find | xargs | rename to update a bunch of filenames.  And a quick grep | xargs | sed to comprehensively search and replace s/SampleApp/UbuntuOnWindows/. And Ubuntu's convert utility quickly resized a bunch of icons.   Then I let Visual Studio do its thing, compiling the package and uploading to the Windows Store.  Voila!

      Did you catch that bit about /mnt/c...  That's pretty cool...  All of your Windows drives, like C: are mounted read/write directly under /mnt.  And, vice versa, you can see all of your Ubuntu filesystem from Windows Explorer in C:\Users\Kirkland\AppData\Local\Lxss\rootfs\
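The find | xargs | rename and grep | xargs | sed steps described above, as an added example rather than the exact commands from the post: it keeps every path NUL-terminated or passed as an argument so names with spaces (common under /mnt/c) survive, skips binary files such as the icons, and uses mv through find -exec in place of rename. The sample tree and its file names are constructed, and GNU grep, sed and xargs are assumed.

```shell
#!/bin/sh
# rebrand_tree DIR OLD NEW
# Replace OLD with NEW in file contents and in file/directory names under DIR.
rebrand_tree() {
    dir=$1 old=$2 new=$3
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    # OLD and NEW are spliced into a sed expression, so accept only plain
    # identifier characters (no regex or replacement metacharacters).
    for s in "$old" "$new"; do
        case $s in
            ''|*[!A-Za-z0-9_]*)
                echo "OLD and NEW must match [A-Za-z0-9_]+" >&2
                return 1 ;;
        esac
    done

    # 1. Contents: -I skips binary files (the .png icons), -Z and -0 keep each
    #    path NUL-terminated, -r runs sed only when something matched.
    grep -rlIZF -- "$old" "$dir" | xargs -0 -r sed -i "s/$old/$new/g"

    # 2. Names: -depth lists children before their parent directory, so a
    #    renamed directory never invalidates a path still waiting in the list.
    find "$dir" -mindepth 1 -depth -name "*$old*" -exec sh -c '
        old=$1 new=$2; shift 2
        for path do
            base=${path##*/}
            renamed=$(printf "%s" "$base" | sed "s/$old/$new/g")
            mv -- "$path" "${path%/*}/$renamed"
        done' sh "$old" "$new" {} +
}

# Constructed sample input: a tiny stand-in for the copied sample application,
# with spaces in its names and one binary file that must not be rewritten.
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/SampleApp Assets"
    printf '<Identity Name="SampleApp"/>\n' \
        > "$root/SampleApp Assets/Package SampleApp.xml"
    printf 'PNG\0SampleApp\0' > "$root/SampleApp Assets/SampleApp logo.png"
    printf '%s\n' "$root"
}

tree=$(make_sample_tree) &&
    rebrand_tree "$tree" SampleApp UbuntuOnWindows &&
    find "$tree" -mindepth 1 | sort
rm -rf "$tree"
```
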


      Meanwhile, I also needed to ssh over to some of my other Ubuntu systems to get some work done.  No need for Putty!  Just ssh directly from within the Ubuntu shell.



      Of course apt install and upgrade as expected.



      Is everything working exactly as expected?  No, not quite.  Not yet, at least.  The vast majority of the LTP passes and works well.  But there are some imperfections still, especially around tty's and the vt100.  My beloved byobu, screen, and tmux don't quite work yet, but they're getting close!

      And while the current image is Ubuntu 14.04 LTS, we're expecting to see Ubuntu 16.04 LTS replacing Ubuntu 14.04 in the Windows Store very, very soon.

      Finally, I imagine some of you -- long time Windows and Ubuntu users alike -- are still wondering, perhaps, "Why?!?"  Having dedicated most of the past two decades of my career to free and open source software, this is an almost surreal endorsement by Microsoft on the importance of open source to developers.  Indeed, what a fantastic opportunity to bridge the world of free and open source technology directly into any Windows 10 desktop on the planet.  And what a wonderful vector into learning and using more Ubuntu and Linux in public clouds like Azure.  From Microsoft's perspective, a variety of surveys and user studies have pointed to the need for bash and Linux tools -- very specifically, Ubuntu -- to be available in Windows, and without resource-heavy full virtualization.

      So if you're a Windows Insider and have access to the early beta of this technology, we certainly hope you'll try it out!  Let us know what you think!

      If you want to hear more, hopefully you'll tune into the Channel 9 Panel discussion at 16:30 PDT on March 30, 2016.

      Cheers,
      Dustin

      Dustin Kirkland

      Still have questions about Ubuntu on Windows?
      Watch this Channel 9 session, recorded live at Build this week, hosted by Scott Hanselman, with questions answered by Windows kernel developers Russ Alexander, Ben Hillis, and myself representing Canonical and Ubuntu!

      For fun, watch the crowd develop in the background over the 30 minute session!

      And here's another recorded session with a demo by Rich Turner and Russ Alexander.  The real light bulb goes off at about 8:01.


      Cheers,
      :-Dustin

      Dustin Kirkland


      We at Canonical have conducted a legal review, including discussion with the industry's leading software freedom legal counsel, of the licenses that apply to the Linux kernel and to ZFS.

      And in doing so, we have concluded that we are acting within the rights granted and in compliance with the terms of both of those licenses.  Others have independently achieved the same conclusion.  Differing opinions exist, but please bear in mind that these are opinions.

      While the CDDL and GPLv2 are both "copyleft" licenses, they have different scope.  The CDDL applies to all files under the CDDL, while the GPLv2 applies to derivative works.

      The CDDL cannot apply to the Linux kernel because zfs.ko is a self-contained file system module -- the kernel itself is quite obviously not a derivative work of this new file system.

      And zfs.ko, as a self-contained file system module, is clearly not a derivative work of the Linux kernel but rather quite obviously a derivative work of OpenZFS and OpenSolaris.  Equivalent exceptions have existed for many years, for various other stand alone, self-contained, non-GPL kernel modules.

      Our conclusion is good for Ubuntu users, good for Linux, and good for all of free and open source software.

      As we have already reached the conclusion, we are not interested in debating license compatibility, but of course welcome the opportunity to discuss the technology.

      Cheers,
      Dustin

      EDIT: This post was updated to link to the supportive position paper from Eben Moglen of the SFLC, an amicus brief from James Bottomley, as well as the contrarian position from Bradley Kuhn and the SFC.

      Dustin Kirkland



      I had the opportunity to speak at Container World 2016 in Santa Clara yesterday.  Thanks in part to the Netflix guys who preceded me, the room was absolutely packed!

      You can download a PDF of my slides here, or flip through them embedded below.

      I'd really encourage you to try the demo instructions of LXD toward the end!


      :-Dustin

      Dustin Kirkland


      Ubuntu 16.04 LTS (Xenial) is only a few short weeks away, and with it comes one of the most exciting new features Linux has seen in a very long time...

      ZFS -- baked directly into Ubuntu -- supported by Canonical.

      What is ZFS?

      ZFS is a combination of a volume manager (like LVM) and a filesystem (like ext4, xfs, or btrfs).

      ZFS is one of the most beloved features of Solaris, universally coveted by every Linux sysadmin with a Solaris background.  To our delight, we're happy to make OpenZFS available on every Ubuntu system.  Ubuntu's reference guide for ZFS can be found here, and these are a few of the killer features:
      • snapshots
      • copy-on-write cloning
      • continuous integrity checking against data corruption
      • automatic repair
      • efficient data compression.
      These features truly make ZFS the perfect filesystem for containers.

      What does "support" mean?

      • You'll find zfs.ko automatically built and installed on your Ubuntu systems.  No more DKMS-built modules!
      $ locate zfs.ko
      /lib/modules/4.4.0-4-generic/kernel/zfs/zfs/zfs.ko
      • You'll see the module loaded automatically if you use it.

      $ lsmod | grep zfs
      zfs 2801664 11
      zunicode 331776 1 zfs
      zcommon 57344 1 zfs
      znvpair 90112 2 zfs,zcommon
      spl 102400 3 zfs,zcommon,znvpair
      zavl 16384 1 zfs

      • The user space zfsutils-linux package will be included in Ubuntu Main, with security updates provided by Canonical (as soon as this MIR is completed).
      • As always, industry leading, enterprise class technical support is available from Canonical with Ubuntu Advantage services.

      How do I get started?

      It's really quite simple!  Here's a few commands to get you up and running with ZFS and LXD in 60 seconds or less.

      First, make sure you're running Ubuntu 16.04 (Xenial).

      $ head -n1 /etc/issue
      Ubuntu Xenial Xerus (development branch) \n \l

      Now, let's install lxd and zfsutils-linux, if you haven't already:

      $ sudo apt install lxd zfsutils-linux

      Next, let's use the interactive lxd init command to set up LXD and ZFS.  In the example below, I'm simply using a sparse, loopback file for the ZFS pool.  For best results (and what I use on my laptop and production servers), it's best to use a raw SSD partition or device.

      $ sudo lxd init
      Name of the storage backend to use (dir or zfs): zfs
      Create a new ZFS pool (yes/no)? yes
      Name of the new ZFS pool: lxd
      Would you like to use an existing block device (yes/no)? no
      Size in GB of the new loop device (1GB minimum): 2
      Would you like LXD to be available over the network (yes/no)? no
      LXD has been successfully configured.

      We can check our ZFS pool now:

      $ sudo zpool list
      NAME   SIZE  ALLOC   FREE  EXPANDSZ   FRAG    CAP  DEDUP  HEALTH  ALTROOT
      lxd   1.98G   450K  1.98G         -     0%     0%  1.00x  ONLINE  -

      $ sudo zpool status
        pool: lxd
       state: ONLINE
        scan: none requested
      config:

              NAME                    STATE     READ WRITE CKSUM
              lxd                     ONLINE       0     0     0
                /var/lib/lxd/zfs.img  ONLINE       0     0     0

      errors: No known data errors

      $ lxc config get storage.zfs_pool_name
      storage.zfs_pool_name: lxd

      Finally, let's import the Ubuntu LXD image, and launch a few containers.  Note how fast containers launch, which is enabled by the ZFS cloning and copy-on-write features:

      $ newgrp lxd
      $ lxd-images import ubuntu --alias ubuntu
      Downloading the GPG key for http://cloud-images.ubuntu.com
      Progress: 48 %
      Validating the GPG signature of /tmp/tmpa71cw5wl/download.json.asc
      Downloading the image.
      Image manifest: http://cloud-images.ubuntu.com/server/releases/trusty/release-20160201/ubuntu-14.04-server-cloudimg-amd64.manifest
      Image imported as: 54c8caac1f61901ed86c68f24af5f5d3672bdc62c71d04f06df3a59e95684473
      Setup alias: ubuntu

      $ for i in $(seq 1 5); do lxc launch ubuntu; done
      ...
      $ lxc list
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | NAME                    | STATE   | IPV4              | IPV6 | EPHEMERAL | SNAPSHOTS |
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | discordant-loria        | RUNNING | 10.0.3.130 (eth0) |      | NO        | 0         |
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | fictive-noble           | RUNNING | 10.0.3.91 (eth0)  |      | NO        | 0         |
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | interprotoplasmic-essie | RUNNING | 10.0.3.242 (eth0) |      | NO        | 0         |
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | nondamaging-cain        | RUNNING | 10.0.3.9 (eth0)   |      | NO        | 0         |
      +-------------------------+---------+-------------------+------+-----------+-----------+
      | untreasurable-efrain    | RUNNING | 10.0.3.89 (eth0)  |      | NO        | 0         |
      +-------------------------+---------+-------------------+------+-----------+-----------+

      Super easy, right?
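To check the copy-on-write claim on your own pool, the added example below (not part of the original post) totals how much data the container clones share with their origin snapshot, reading the output of `zfs list -Hp -o name,used,referenced,origin`. The sample sizes are constructed, and the `lxd/images/...@readonly` and `lxd/containers/...` dataset names are an assumption about how LXD lays out its pool.

```shell
#!/bin/sh
# Input: `zfs list -Hp -o name,used,referenced,origin`
#   -H  no header, tab-separated fields     -p  exact byte counts
# For a clone, "referenced" is everything it can read, while "used" is only
# what it has written since it was cloned; the difference is data shared with
# the origin snapshot (an approximation: "used" also counts the clone's own
# snapshots and children, if it has any).
summarize_clones() {
    awk -F '\t' '
        NF != 4 { printf "skipping malformed line %d\n", NR > "/dev/stderr"; next }
        $4 == "-" { next }                 # not a clone (pool, image, ...)
        {
            clones++
            unique  += $2
            logical += $3
            per_origin[$4]++
        }
        END {
            if (!clones) { print "no clones found"; exit 1 }
            mib = 1048576
            for (o in per_origin)
                printf "origin %s -> %d clone(s)\n", o, per_origin[o]
            printf "clones=%d logical=%dMiB unique=%dMiB shared=%dMiB\n",
                   clones, logical / mib, unique / mib, (logical - unique) / mib
        }'
}

# Constructed sample: sizes are invented and the dataset layout is assumed;
# the image fingerprint and container names are the ones shown in this post.
sample_zfs_list() {
    img='lxd/images/54c8caac1f61901ed86c68f24af5f5d3672bdc62c71d04f06df3a59e95684473'
    printf 'lxd\t744488960\t19456\t-\n'
    printf '%s\t734003200\t734003200\t-\n' "$img"
    for c in discordant-loria fictive-noble interprotoplasmic-essie \
             nondamaging-cain untreasurable-efrain; do
        printf 'lxd/containers/%s\t2097152\t734003200\t%s@readonly\n' "$c" "$img"
    done
}

sample_zfs_list | summarize_clones
# On a real host:
#   sudo zfs list -Hp -o name,used,referenced,origin | summarize_clones
```
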

      Cheers,
      :-Dustin

      Dustin Kirkland


      There's no shortage of excitement, controversy, and readership, any time you can work "Docker" into a headline these days.  Perhaps a bit like "Donald Trump", but for CIO tech blogs and IT news -- a real hot button.  Hey, look, I even did it myself in the title of this post!

      Sometimes an article even starts out about CoreOS, but gets diverted into a discussion about Docker, like this one, where shykes (Docker's founder and CTO) announced that Docker's default image would be moving away from Ubuntu to Alpine Linux.


      I have personally been Canonical's business and technical point of contact with Docker Inc, since September of 2013, when I co-presented at an OpenStack Meetup in Austin, Texas, with Ben Golub and Nick Stinemates of Docker.  I can tell you that, along with most of the rest of the Docker community, this casual declaration in an unrelated Hacker News thread, came as a surprise to nearly all of us!

      Docker's default container image is certainly Docker's decision to make.  But it would be prudent to examine a few facts:

      (1) Check DockerHub and you may notice that while Busybox (Alpine Linux) has surpassed Ubuntu in the number of downloads (66M to 40M), Ubuntu is still by far the most "popular" by number of "stars" -- likes, favorites, +1's, whatever, (3.2K to 499).

      (2) Ubuntu's compressed, minimal root tarball is 59 MB, which is what is downloaded over the Internet.  That's different from the 188 MB uncompressed root filesystem, which has been quoted a number of times in the press.

      (3) The real magic of Docker is such that you only ever download that base image, one time!  And you only store one copy of the uncompressed root filesystem on your disk! Just once, sudo docker pull ubuntu, on your laptop at home or work, and then launch thousands of images at a coffee shop or airport lounge with its spotty wifi.  Build derivative images, FROM ubuntu, etc. and you only ever store the incremental differences.

      Actually, I encourage you to test that out yourself...  I just launched a t2.micro -- Amazon's cheapest instance type with the lowest networking bandwidth.  It took 15.938s to sudo apt install docker.io.  And it took 9.230s to sudo docker pull ubuntu.  It takes less time to download Ubuntu than to install Docker!

      ubuntu@ip-172-30-0-129:~⟫ time sudo apt install docker.io -y
      ...
      real 0m15.938s
      user 0m2.146s
      sys 0m0.913s

      As compared to...

      ubuntu@ip-172-30-0-129:~⟫ time sudo docker pull ubuntu
      latest: Pulling from ubuntu
      f15ce52fc004: Pull complete
      c4fae638e7ce: Pull complete
      a4c5be5b6e59: Pull complete
      8693db7e8a00: Pull complete
      ubuntu:latest: The image you are pulling has been verified. Important: image verification is a tech preview feature and should not be relied on to provide security.
      Digest: sha256:457b05828bdb5dcc044d93d042863fba3f2158ae249a6db5ae3934307c757c54
      Status: Downloaded newer image for ubuntu:latest
      real 0m9.230s
      user 0m0.021s
      sys 0m0.016s

      Now, sure, it takes even less than that to download Alpine Linux (0.747s by my test), but again you only ever do that once!  After you have your initial image, launching Docker containers takes the exact same amount of time (0.233s) and identical storage differences.  See:

      ubuntu@ip-172-30-0-129:/tmp/docker⟫ time sudo docker run alpine /bin/true
      real 0m0.233s
      user 0m0.014s
      sys 0m0.001s
      ubuntu@ip-172-30-0-129:/tmp/docker⟫ time sudo docker run ubuntu /bin/true
      real 0m0.234s
      user 0m0.012s
      sys 0m0.002s

      (4) I regularly communicate sincere, warm congratulations to our friends at Docker Inc, on its continued growth.  shykes publicly mentioned the hiring of the maintainer of Alpine Linux in that Hacker News post.  As a long time Linux distro developer myself, I have tons of respect for everyone involved in building a high quality Linux distribution.  In fact, Canonical employs over 700 people, in 44 countries, working around the clock, all calendar year, to make Ubuntu the world's most popular Linux OS.  Importantly, that includes a dedicated security team that has an outstanding track record over the last 12 years, keeping Ubuntu servers, clouds, desktops, laptops, tablets, and phones up-to-date and protected against the latest security vulnerabilities.  I don't personally know Natanael, but I'm intimately aware of what a spectacular amount of work it is to maintain and secure an OS distribution, as it makes its way into enterprise and production deployments.  Good luck!

      (5) There are currently 5,854 packages available via apk in Alpine Linux (sudo docker run alpine apk search -v).  There are 8,862 packages in Ubuntu Main (officially supported by Canonical), and 53,150 binary packages across all of Ubuntu Main, Universe, Restricted, and Multiverse, supported by the greater Ubuntu community.  Nearly all 50,000+ packages are updated every 6 months, on time, every time, and we release an LTS version of Ubuntu and the best of open source software in the world every 2 years.  Like clockwork.  Choice.  Velocity.  Stability.  That's what Ubuntu brings.

      Docker holds a special place in the Ubuntu ecosystem, and Ubuntu has been instrumental in Docker's growth over the last 3 years.  Where we go from here, is largely up to the cross-section of our two vibrant communities.

      And so I ask you honestly...what do you want to see?  How would you like to see Docker and Ubuntu operate together?

      I'm Canonical's Product Manager for Ubuntu Server, I'm responsible for Canonical's relationship with Docker Inc, and I will read absolutely every comment posted below.

      Cheers,
      :-Dustin

      p.s. I'm speaking at Container Summit in New York City today, and wrote this post from the top of the (inspiring!) One World Observatory at the World Trade Center this morning.  Please come up and talk to me, if you want to share your thoughts (at Container Summit, not the One World Observatory)!


      Dustin Kirkland


      As always, I enjoyed speaking at the SCALE14x event, especially at the new location in Pasadena, California!

      What if you could adapt a package from a newer version of Ubuntu, onto your stable LTS desktop/server?

      Or, as a developer, what if you could provide your latest releases to your users running an older LTS version of Ubuntu?

      Introducing adapt!

      adapt is a lot like apt...  It’s a simple command that installs packages.

      But it “adapts” a requested version to run on your current system.

      It's a simple command that installs any package from any release of Ubuntu into any version of Ubuntu.

      How does adapt work?

      Simple… Containers!

      More specifically, LXD system containers.

      Why containers?

      Containers can run anywhere, physical, virtual, desktops, servers, and any CPU architecture.

      And containers are light and fast!  Zero latency and no virtualization overhead.

      Most importantly, system containers are perfect copies of the released distribution, the operating system itself.

      And all of that continuous integration testing we do perform on every single Ubuntu release?

      We leverage that!
      You can download a PDF of the slides for my talk here, or flip through them here:



      I hope you enjoy some of the magic that LXD is making possible ;-)

      Cheers!
      Dustin
