Forem: vivek kumar sahu

Operating System (OS) with 32 bit will stop working after 19 January 1938....

vivek kumar sahu — Mon, 31 Oct 2022 13:48:56 +0000

Do you know when 32 bit OS will stop working?

When will 32 bits computers stop storing data?

Before moving forward, it's always good to know the content:
1) When 32 bit Unix Based OS will stop working exactly?
2) Why it happens on exact time and date so?
3) What are bits and Maximum value of standard bits?
4) Obviously 32 bit has such a big capacity to store data/values, then on what type of storing data or values will lead to cross 32 bit maximum value ?
5) Why time has to be memorized by OS. Is there any significance of time as such?
6) Is there any particular date from when OS has to remember the time?
7) Why 1901 is considered to be birth or origin of computers??
8) And in what unit does the time is being stored in 32 bit Unix-based OS ??
9) Calculation of seconds to be stored since 1901 till 1938 ?
10) What all are the Devices that will be impacted by this ??

Note: OS refers to 32 bit Linux or Unix based OS.

When 32 bit Unix Based OS will stop working exactly?

19 January 2038, at 03:14:07 UTC

Why it will happen on particular date and time( and particular second too) so?

Because on that particular time, the 32 bit will be exact to its maximum value. After one second later it will cross its maximum value. Due to which it won't be able to store further value of time.

Extra knowledge

Techie detail:

When it gets to Tue, Jan 19 03:14:07 2038, the next second(03:14:08) will be Fri, Dec 13 20:45:52 1901. Can you see the difference in the day & date at 7th and 8th second respectively. At 7th seconds it's a Tuesday,Jan 19 03:14:07 2038 and just one second later at 8th second it's a Friday, Dec 13 20:45:52 1901. However internally, if the code calculates the difference of time from Tue, Jan 19 03:14:07 2038 to Fri, Dec 13 20:45:52 1901, this is still just 1 second because that is how the numbers work internally - that is what the roll-over is about.

What are bits and their Maximum values ?

Before moving forward let me introduce you to the basic terminologies:
Bit or bit : a single block([]) or one container in which either 1 or 0 is stored.
Similarly,
2 bit means 2 blocks( [], []) or simply 2 containers in both either 0 or 1 can be stored.

Similarly there are some standard bits in the OS world.

Standard bits:

Let's look at the standard bits, such as 4 bit, 8 bit, 16 bit, 32 bit, 64 bit and 128 bit.

4 bit:

4 containers ( [], [], [], [] )

8 bit:

8 containers ( [], [], [], [], [], [], [], [] )

16 bit:

16 containers ( [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [] )

32 bit:

32 containers ([], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [])

64 bit:

64 containers,( [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [] . . . . . . . [] )

Each containers or block allows to store either 1 or 0

Extra Knowledge:

To know how numbers are converted into binary , switch here. And from binary to decimal, switch here.

But why does the OS store data in the form of binary ??

It's because the hardware understands either True or False, 1 or 0, switch ON or Switch OFF.
Similarly, the hardware of a laptop/computer understood in binary format( 0 or 1) only. Whereas it doesn't understand human readable numerical format(1,2,3,4,5,6,7,8,9,0). Basically numerical format is first converted into ASCII values and then converted into binary format.

Let's get back to our topic and talk about the maximum value that can be stored in standard bits.

Maximum value of standard bits?

Maximum values that 4 bit, 16 bit and 32 bit can store ?
Condition of maximum value in any bits: When all container or block are filled with 1

For example:

In 4 bit, maximum value that can be stored is: 15
[1][1][1][1] = 1 x 2^3 + 1 x 2^2 + 1 x 2^1 + 1 x 2^0 = 8 + 4 + 2 + 1

Similarly in 16 bit:
[1][1][1][1][1][1][1][1][1][1][1][1][1][1][1][1] = 1 x 2^15 + 1 x 2^14 + 1 x 2^13 + 1 x 2^12 + 1 x 2^11 + 1 x 2^10 + 1 x 2^9 + 1 x 2^8 + 1 x 2^7 + . . . . . + 1 x 2^3 + 1 x 2^2 + 1 x 2^1 + 1 x 2^0 = 65535

Similarly, in 32 bit:
[1][1][1][1][1][1][1][1] . . . . . . . [1][1][1][1][1][1][1][1] = 1 x 2^31 + 1 x 2^30 + 1 x 2^29 + . . . . . . .

1 x 2^3 + 1 x 2^2 + 1 x 2^1 + 1 x 2^0 = 4,294,967,295 = approximately 429 crores.

So, finally we came to know about the maximum value that 4 bit, 16 bit and 32 bit can store. Now you tell me, when will 32 bits stop working. So your answer will be:

And what type of data it will store. Because obviously 429 crore is such a big number ?

The data is time which is to be stored in seconds since 1901. And we all know time always increases, so it's value will keep on increasing further.

Why time has to be memorized by OS. Is there any significance of time as such?

For now accept that Time plays a very important role in operating systems. For more.

Is there any particular date from when OS has to remember the time?

It's from 1901.

Why 1901 is considered to be `birth` or `origin` of computers??

It's because 1901 is considered as the reference time for the origin of Unix-based OS, In actually Unix-based OS were born around 1970. See, basically we count birth day on that particular day on which you were born. In Linux since the time is being counted from 1901 as a standard so just for sake 1901 year is called as the origin of the computer because of the time of the Unix based 32 bit OS is considered 1901 year as the origin.

And in what unit the time is being stored ??

It's a small unit of time called a second.

Calculation of seconds to be stored since 1901 till 1938 ?

Oh got it that the Unix-based 32 bit OS has been storing time in seconds since 1901. For example, suppose the 1st day passed after 1901, then 32 bit OS has to remember total seconds equals 24 hrs x 60 min x 60 sec = 86400 seconds. This number can't even be stored in a 16 bit register as it crosses the maximum value of 16 bit , i.e 65535. Now suppose a year passes w.r.t 1901. Means you are in 1902. Total number of seconds a 32 bit OS has to be stored is 365days x 24 hrs x 60 min x 60 seconds = 31,536,000( ~ 3 crores)

Look at the number, are you able to digest how big this 31,536,000 number is.

Now let's calculate the total number of seconds for 10 years: 10 x 31,536,000 = approx 31 crores.

And as we know that the maximum limit of 32 bits is approx 429 crore. Are you able to feel how fast within the coming years it will surpass 32 bit maximum numbers.
It has been said that in the year 2038(19 Jan) the 429 crore number will be surpassed.
Let's feel it and prove it.
The difference in years b/w 1901 to 2038 is 138 years. And if you talk about the actual value of seconds passed in 138 years, plus 18 days and time at 03:14:07 UTC(I.e ). But don’t get into actual value, just remember approx value of second in 137 years.
1) Total passed years = 136. ---> Total second = 136×31536000 = 4,288,896,000 ~ 428 crores
2) And on 137th year, on 19 Jan at 3:14:7 second. = 18×24×60×60 seconds = 1,555,200 ~ 10 lakhs

Total seconds from 1901 to 19 Jan, 2038 = 429(428 crore + 10 lakh) crore = Maximum value of 32 bit = all 32 boxes or container filled with 1. To store more values needs more container or boxes. That's why 64 bit was considered over 32 bit.

And max value of 32 bit is also approx to 429 crore. And as the 32 bit OS starts storing values greater than say 429 crore then it has to shift from 32 bit to 64 bit to store values greater than 429 crores.

That's the exact reason why 32 bit Unix-based OS will stop working after 19 Jan 2038 at around 3 AM, 14 minute and 78th second.

What all are the Devices that will be impacted by this ??

As far as operating systems are concerned, Windows is okay, its operating system used a different method for dates from the start.
There are still some issues for 32 bit versions of the Linux operating system but they are being fixed. It should be okay by 2038 so long as you are able to update to the 64 bit of the operating system.
Android is based on Linux, so if you have a 32 bit Android device then the operating system might not be able to handle dates beyond 2038 - but if not this should be fixed well before 2038.
This was all from this blog, hope you get to learn something interesting today. That's all from my side keep learning and keep upgrading yourself.

And last but not the least, let me know if you found any error in the blog through comment. That would be really appreciated ☺️

Keep this flow chart for future reference

https://lucid.app/lucidspark/ba0c97cb-9a4c-42e5-8972-d7e539e1e378/edit?invitationId=inv_c1752b95-4a22-4f5a-be11-e59631353f0b#

References:

https://en.m.wikipedia.org/wiki/Year_2038_problem

https://betterprogramming.pub/the-end-of-unix-time-what-will-happen-1b1a25ec1c20#:~:text=The%20most%20imminent%20overflow%20date,03%3A14%3A07%20UTC.

How Kernel boot up ??

vivek kumar sahu — Sat, 23 Jul 2022 22:35:00 +0000

Hey tech lovers. This time back with one of the interesting topic of Linux, how Operating System starts. The reason behind writing this blog is curiousity within me pulls down to know what's going under the hood when OS starts. After knowing can stop myself to share with you all. What I believe that an individual can not learn everything but on sharing things its become easier for learner to understand things properly within short spam of time. Always try to share your knowledge. It enhances your knowledge as well as saves time of others.

How the Linux Kernel Boots?

Let's begin with the topic "how Linux System starts or boots up".

When happens after pressing Power ON button of the computer.

As the user Power ON its machine, Power supply goes to motherboard. Motherboard tries to start CPU. After CPU starts, first off all it clears old data from registers. After that CPU goes to its memory location(0xffff0000→ address sector on the hard disk) to see if any instruction is present or not. By the way that address is the home or location of BIOS. Basically, CPU executes BIOS program. And that's how BIOS starts.

Note:-

Basically, BIOS or UEFI represents firmware. The general difference between them is that BIOS is traditional and UEFI is modern one. Your system may have either of them.
To check which one is present in your system, run efibootmgr command.

BIOS(basic input/output system) performs POST (Power On Self Test) checks

After BIOS starts, it perform various checks or test on many components of hardware such as CPU test, RAM test, etc. The whole testing process is known as POST(Power On Self Test). Basically, the main task of BIOS is to ensure that the computer hardware are functioning correctly or not. If POST fails, the computer may not be usable and so the boot process does not continue. After successfully completion of POST operation. The next job of BIOS is to search the boot sector from the attached disks. And do you know, what boot sector contains? It's Boot record popularly knows as Master Boot Record (MBR). Simply, BIOS loads MBR instructions code
to RAM, execute it and handle over control to the MBR.

What MBR does?

The first 512-byte sector on the hard drive along with the partition table. The total amount of space allocated for the actual MBR is 446 bytes and remaining are assigned for Partition table.
Because the boot record must be so small, it is also not very smart and does not understand filesystem structures. Therefore the sole purpose of MBR is to locate and load GRUB. In order to accomplish this, GRUB must be located in the space between MBR till first partition on the drive. After loading GRUB into RAM, MBR handles control over to GRUB program.

At sector 0 ---> MBR is located of size 512 bytes
Between sector 0 and 2048  ---> GRUB is located of size which is of size 1MiB(2048*512 bytes = 1024KiB = 1MiB)
From 2049 sectors onwards ---> Partitioning of disk starts

Note: Hard disk is divided into sector. Sector is the smallest unit of Hard disk. 1 Sector = 512 byte

GRUB(Grand Unified Boot Loader)

Do You Know !!

What is the use of GRUB?

_To know the answers you have to know what is booting first of all.
In technical terms, booting means copying the kernel image from hard disk to memory and afterwards executing it. So, copying the kernel image from disk to memory is performed by the GRUB program. Along with the kernel image GRUB also helps to pass some parameters. This is where GRUB comes into use.

But the biggest problem for GRUB is how to search the kernel image in the disk. Listen carefully don't get confuse. I know you are thinking that searching any file in Linux is very easy, yes 100% right no doubt in that, but it is when your OS is in running state(i.e. Kernel is running + necessary drivers and programs are running).
But currently only GRUB is running, you system is not yet started. What it mean is, neither kernel is running nor required drivers and necessary programs are running. So, here searching any file is like impossible task. Then how GRUB searches kernel image from disk.

Let’s see how GRUB solves these problems.

GRUB has to find the answer of 2 question:-

1) What is Kernel and its parameter?
2) And how to find or search it in the hard disk ?

To load the Kernel image into memory GRUB has to search Kernel image along with parameter from disk. To access hard disk and file system for searching Kernel image. GRUB takes help of BIOS or UEFI. Btw, disk allows BIOS or UEFI to access hardware storage via Logical Block Addressing(LBA). Are you able to memorise how BIOS searched for MBR from disks. LBA is a universal, simple way to access data from any disk. One more thing, most Boot Loader Program, GRUB, can read partition table( index page which maps files to their their corresponding address in the hard disk) which is built-in support for read-only access to the file system. Therefore, GRUB solves the problem of searching kernel images from the disk. Once it gets Kernel image(i.e. .iso file) and it's parameter it loads to memory along with that it also loads *initramfs *.

Below, BOOT_IMAGE refers to kernel image as well as it's parameter.

BOOT_IMAGE=/boot/vmlinuz-4.15-generic  root=UUID=179hfy4955  ro  quiet splash  vt.handoff=1

kernel image ---> /boot/vmlinuz-4.15-generic
Parameters ---> root, ro(read only), vt.handoff,

initramfs is an archive containing the kernel modules for the hardware required during the boot time, initialization scripts, drivers, and more. These are modules which connect with hardware as well as software. May be this question arises to your mind why Kernel image is not directly attached with it's modules. Why these modules are kept separately in form of initramfs. Let's contradict our point, so let's say all kernel modules are present inside Kernel image. Basically what will happen, as the CPU start executing Kernel image then along with that all modules will also starts executing whether it is needed by the Kernel or not. And this leads to bottleneck of RAM or overflow of RAM. As a result memory may crash. So, that's why Kernel modules are separated and only those modules are taken from initramfs which are required by the Kernel at that particular time. For example, we all know that there is module or driver for printer which is used when printer is attached. But during the boot time the printers driver module is not required. But if it is too executed then it's totally wastage of your RAM and CPU. To know more about initramfs refer.

Once the GRUB load kernel image and execute/start it. The control is transfer from GRUB to Kernel and from here Kernel work starts

High level idea regarding the function of the kernel:

Kernel initialization
CPU inspection
Memory inspection
Device bus discovery
Device discovery
Auxiliary kernel subsystem setup
Root filesystem mount
User space start(systemd)

During the initialization process, Kernel must mount a root file system before starting init or systemd. We don't need to go in detail of it. Finally kernel last job is to start Systemd and also hand over control to Systemd. This is the end of the boot process. At this point, the Linux kernel and systemd are running but unable to perform any productive tasks for the end user because nothing else is running.

Systemd is a system as well as service manager in the Linux. It is the mother of all process and programs. From here all your services and user space programs are managed as well as controlled by it. In next blog will know about Systemd in detail.

flowchart:-

https://lucid.app/lucidchart/4345e110-7988-438b-a961-a39113f2d341/edit?invitationId=inv_d794a834-d90d-4931-a62d-94b2220a8c71

References

https://opensource.com/article/17/2/linux-boot-and-startup
https://learning.oreilly.com/library/view/hands-on-booting-learn/9781484258903/
https://learning.oreilly.com/library/view/how-linux-works/9781098128913/

Thanks for reading it. Hope you liked it and gain some knowledge. Tried my best to make you under the topic step by step. Thank you guys. Will see you in next blog.

GitHub Action

vivek kumar sahu — Sun, 05 Jun 2022 10:47:01 +0000

The name of the topic is GitHub and Action. GitHub represents GitHub repository, whereas Action represents action that is performed after some activity( in technical terms known as events) by the user on the github repository.
Let's understand with examples:

Whenever someone pushes(activity or events) some commits to your repository, perform xyz action, or
Whenever someone creates new issues(activity or events) in a repository, perform abc action, etc.
In short, users perform activities such as: push commits, create PR, create new issues ----> in repository ----> and based on those activities action is performed.

So, basically what we get out of examples is that the user performs some activity on the repository and according to those activities, corresponding actions are performed. Whatever action to be performed is written as a workflow. And workflows are present under .github/workflows. These workflows totally depend on the type of activity performed. Because at the end activities or events will trigger workflow to run.
For different events or activities separate workflows are defined. For example, for push activity separate workflows is defined, for new issues separate workflows is defined. And it depends on the maintainer of the project what type of action is hooked corresponding to the event or activity. The workflows are written in Kubernetes native language i.e. YAML.

Now, let's understand GitHub Action in more technical terms.

It is a CI/CD platform that allows you to automate build, test and deploy. If you are beginners and don't know about terms build, test, and deploy. For now, assumes these are bunch of commands which are wrapped for simplicity. Generally, build and test actions are performed for every PR activity. So, as the new PR created these bunch of commands in return are executed. Whereas deploy actions are performed for every merged PR. Similarly, bunch of commands runs for deploy in return action.

Components of GitHub Action

Workflows

Workflows represent action executed automatically as it gets triggered by some kind of event or activity performed by a user.
Each workflow is defined for some activity or events. Workflow is a configurable automated process that will run one or more jobs.
Defined under .github/workflows. And written in YAML language.
A repo can have multiple workflows for performing different sets of events.

Events

Activity performed by the user triggers workflows to be executed. Examples:
Create PR
Create issues
Push commits
Release cycle
Merge successful PRs

Jobs

Each workflow contains one or multiple jobs.
And jobs contain one or more steps.
Step is script to be executed.
Each step is executed inside the same runner.

Action

Example:

When a user creates a new issue(activity or events), it triggers a corresponding workflow. As a result, the label of the issue is automatically added.

Runner

It is a server in which workflows run as they get triggered.
Each runner runs a single job at a time.
Each workflow is executed in fresh VMS or containers.

Understanding the workflow file:

name: learn-github-actions
on: [push]
jobs:
  for-tutorial:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - run: echo "Hello, Setting up your first GA."

name: learn-github-actions → Name of the GitHub Action
on: [push] → Name of the event or activity. GitHub keeps eye on the activity perform on the repo. As the activity is performed by the user it will trigger to perform action or run the workflow file.

jobs: → list of one or more actions
check-bats-version: → name of vary first job
runs-on: ubuntu-latest → machine in which job will run.
steps: → list of one or more script or command.

uses: actions/checkout@v3→ step 1 --> Pull the code base from github.
run: echo "Hello, Setting up your first GA." ---> Execute command/script on ubuntu machine.

Checkout this small example

Conclusion:

GitHub Action is similar to the concept of Newtons Third Law of Motion. Every action by user on github repo by the user has opposite custom reaction.

This was basic overview of GitHub Action for beginners. Hope you liked it. This was all from my side for this weekend. For more do follow for more interesting blogs.

Comment below and let me know which topic you feel like complex, I will try my best to make it simple and interesting for you.

Linux Security Modules

vivek kumar sahu — Thu, 02 Jun 2022 01:11:39 +0000

What we will learn?

User dependent Security: DAC
DAC
LSM
User-independent Security: MAC
MAC
Flow of command
Types of LSM
DAC vs MAC

How Linux is Secured?

If we talk about security in linux. Users, files and processes play an important role in protecting your OS. In short, the OS is all about files. Among them, few files are very critical and important, therefore they must be secure. According to me, securing your files or securing a running process is what security means in Linux. For accessing files or processes users must have permissions. Unlike root users, other users have restricted and limited permission. Securing files can be achieved in 2 ways: One is user dependent and another is user independent.

What does it mean by user dependent security?

Discretionary Access Control(DAC)

In the early days when security was dependent on users of linux, the user played the most important role in securing your environment. If the user is root, then it has unlimited access to files and processes, otherwise a normal user has restricted access or limited access. User-dependent means that access to files and processes requires permission of the user. If the user has the permission then it can access files and processes otherwise could not. Here the user may be owner or may not be owner of the file, or root user or any other user included to a group which has access to this file. Suppose if an attacker gets access to the root user then your system will be controlled by the attacker. Though getting root access is not easy, it's not an impossible task.
The terminology given for user-dependent security in the Linux world is known as Discretionary Access Control(DAC). According to definition, DAC (Discretionary Access Control) based access control is a means of restricting access to objects based(files, process,etc) on the identity of subjects or groups(users).

Example:

Let’s take an example and try to understand through it.
Suppose you are running a web server which hosts several websites. To allow access on websites we have to open several ports in the firewall. Hackers may use these ports to crack the system through the security exploits. And if that happens, hackers will gain the access permission of the web server process, as we know that port is associated with some web server that serves web pages. To serve web pages, usually a web server process must have read permission on document root and write permission on the /tmp and /var/tmp directory. With this permission of root associated with the web server, hackers can write malicious scripts in /tmp directory and execute it. From here, the system is now in control of the attacker. We saw how one infected process can cause a huge security risk to all services running on the server. So, the conclusion of the story is that the attacker got access to the root user through a web server user to write a script and execute it. So, now the question arises, Is there any way to protect ? Yes, it’s like a third party solution. The third party solution is none other than a policy known as Security Policies or Security Modules or Linux Security modules(LSMs).

Linux Security modules(LSM)

Since the policies are used for securing your environment that is why it is known as Linux Security based Policies or in more technical terms it is known as Linux Security Modules. Now, one more question arises is, where are these policies attached or hooked? In short these policies are fitted after DAC checks. To understand it in more detail, you need to understand how commands are executed. Until and unless you don't have an idea how commands are executed,then you won’t be able to know where the policy is being added.
For example, let's say a hacker after getting access to the root user wants to access files present in /etc directory to change its configuration as well also interested in seeing the confidential files such as passwd file and shadow file.
As we know that each and every user in linux is associated with some files or each file is associated with a user. Suppose there is a policy whose operation is to block some files from reading. After attaching that policy after DAC checks, the policy determines whether the user has permission to access that file or not; it will block opening of a particular file independent of any user trying to read it. One exciting solution for this is to secure linux by user-independent method. Basically, what user-independent means is, though the root user or any user has unlimited access but then also it can be denied from operation such as accessing files or processes, if external policy is applied. And the terminology used for user-independent or policy based security is known as MAC.

user-independent security

Mandatory access control(MAC)

Mandatory access control is a security method where what is allowed is explicitly defined by policy. A user(normal or root both) or program can not do any more than is allowed by the policy confining it.
MAC is of User-independent type security.
To understand it you need to understand the flow-chart.

Flow of open() system call:

The LSM framework is integrated into the kernel which provides each LSM with hooks on essential functions of the kernel. The diagram above shows coarse call flow of the “open()” system call invoked by some process –
As the user tries to open or see any file, it always triggers the open() syscalls function.
A process in the user space calls open() on the file path
The system call is dispatched and the path string is used to obtain a kernel file object and inode object. Inode table is nothing but you can relate it to your content in the first page of your copy. Remember in your childhood, you used to write chapter names and corresponding page numbers. So, similarly in inode table, file name and its corresponding address are provided.
The parameters and syntax of command are checked. If incorrect then error is returned.
If everything above goes fine. Then normal “Discrete access control” (DAC) file permissions are checked. What does it mean? It checks whatever operation is performed(like file access or process access), if the user has permission to execute it or not. Suppose a user is accessing a file, it will check if this user is the owner of the file, or is this user a member of a group which has permission to access this file or is it a root user. If it doesn't have permission then the system call is terminated and error is returned to user space.
Note: As we talked above, Since the attacker has the access of root user so it can easily pass the security till here.
Then questions arise where policy fits. Or where policy can be hooked. So, the answer is just after DAC checks. Now the attacker will face a problem because the next Security is user independent, i.e. linux security modules or linux security policies. Users from here onward, whether it's a root or normal, can only run those commands that are allowed to run from the policy.
To attach policy in a hook, a framework is used, i.e. the LSM framework. LSM frameworks provide hooks to attach your policy. As above we applied a policy which is to block all execution of binary files or accessing of any file or folder which are inside /etc directory. The policy blocks execution and the system is terminated and error is returned to the user space if a single LSM hook returns an error.
Finally, when all security checks pass, the file is opened for the process and a new file descriptor is returned to the process in the user space.

Types of LSMs

There are a total of 9 different types of LSM: SELinux , SMACK , AppArmor , TOMOYO ,Yama , LoadPin , SafeSetID , Lockdown , BPF. Out of which SELinux and AppArmor are popular one. SELinux is used in RedHat Linux distribution whereas AppArmor is used in Ubuntu and Suse.
Complexity: Different LSM have different languages to write those policies. And believe me, it’s hard to write those policies. Btw, until and unless you are a professional or Linux Administrator you don't need to add any policies. Because by default all necessary policies are already applied to your distribution system, but for that LSMs must be enabled.

DAC vs MAC

DAC (Discretionary Access Control) based access control is a means of restricting access to objects based on the identity of subjects or groups. For decades, Linux only had DAC-based access controls in the form of user and group permissions. One of the problems with DACs is that the primitives are transitive in nature. A user who is a privileged user could create other privileged users, and that user could have access to restricted objects.
With MACs (Mandatory Access Control), the subjects (e.g., users, processes, threads) and objects (e.g., files, sockets, memory segments) each have a set of security attributes. These security attributes are centrally managed through MAC policies. In the case of MAC, the user/group does not make any access decision, but the access decision is managed by security attribute or security policies.

Beginners guide to eBPF...

vivek kumar sahu — Fri, 25 Feb 2022 09:42:03 +0000

If you are really curious about knowing different technologies. You will definetily love this technology too.

What is eBPF??

eBPF is a mechanism to attach your own program or any kind of custom program to a particular events(here events refers to system calls). Each time the event gets triggered by some process, your custom program will run.

I know learning any thing with examples or practicals make your concept crystal clear. So, what you are waiting for. Let's start with one example or practical.

Practical

Step:1

Make a simple hello world program in c language.
Note: Program should be written in c language.

int hello_world(void *ctx) {
    bpf_trace_printk("Hello World!! \\n");
    return 0;
}

Step:2

Now, the second step is to load your program with the help of BPF. Basically, BPF will compile your c language program into bytecode . For now, please ignore BPF.

# Loading program in BPF
b = BPF(text=program)

Step:3 And the third step is to attach your program with any event. So, here we will attach it with clone() or fork() event. Whenever any process is forked or cloned your program will get executed.

# Getting system call name for fork or clone
clone = b.get_syscall_fnname("clone")

# Attaching hello world program to an event i.e. clone or fork event.
b.attach_kprobe(event=clone, fn_name="hello_world")

Above attch_kprobe function is used. Basically kprobe in simple terms means all kernel function. syscall is known as function or probe in Kernel world. Basically, kprobe has knowledge of all syscalls inside the kernel. That's why we called attach_kprobe function to bind our hellow world(or any custom program) program with clone syscall event.

Note: Each and every system calls or syscalls refers as events. In general terminology event is just an action.

These are main 3 steps. So, finally our program would look like,

hello_world.py

from bcc import BPF
from time import sleep

# Programs print hello world !!
program = """
int hello_world(void *ctx) {
    bpf_trace_printk("Hello World!! \\n");
    return 0;
}
"""
# Loading program in BPF
b = BPF(text=program)

# Getting system call name for fork or clone
clone = b.get_syscall_fnname("clone")

# Attaching function i.e. program to an event i.e. clone event.
b.attach_kprobe(event=clone, fn_name="hello_world")

# printing
b.trace_print()

Note: You must need to install bcc tools.

Run the above program in separate terminal

sudo python3 hello_world.py

And on the other terminal run any commands like date, ls pwd, cmd, etc and see hello world is being printed on the terminal in which hello_world.py program is running.

That's all for this practical. Hope you got enjoyed the practical and got the basic idea.

Let's go back in history to understand from where the concept of eBPF arises?

Basically, eBPF is built on the top of classic BPF(cBPF).
In the initial days, Berkeley Packet Filter*(BPF) was
used to filter the packets from user space.

But how ??

By attaching pre-defined bytecode program with chains of
syscalls. In the above example we attached one program to
one system calls. But in BPF, many syscalls were
attached to different programs.

Note: In those time BPF didn't had mechanism to attach any custom program with syscalls. Only only pre-defined or in-built programs were attched to events. It was totally static in nature. Which means that user can't replace those built-in program with your custom program unlike eBPF provides. So, basically eBPF is extended version of BPF which allows to run custom program in the Kernel.

Now, let's go in more deep and try to understand the working of eBPF.
eBPF uses bpf() sys calls to take code(i.e. Users customize programs written in c language) from user space and just after program being loaded by BPF, it is compiled into bytecode. After that it injects the BPF-bytecode program into Kernel and bind to the specified event(in above example to clone or fork system call) with the help of kprobe(having knowledge of all system calls inside Kernel). Parallelly , at the same time of injecting program in the Kernel, BPF-bytecode programs are checked and verified to make sure it's safe from the perspective of security side. While execution these BPF-bytecode programs are first compiled by JIT compiler to native languages or instructions according to the architecture of the computer. And that's how any sandboxed or custom program runs each time when events triggers. And just after execution program is removed from the Kernel space from security point of view. That’s how eBPF helps in running user space programs into the Kernel space. This is how eBPF helps to add more programmability into Kernel space.

So, whenever any events or system calls is triggered by any process running on your system will result into execution of your custom program(hello world in above example).

Relating `eBPF` with `Javascript`

eBPF does to Linux what JavaScript does to HTML. (Sort of.)

But how ??,

In initial days of a static HTML website, JavaScript lets you define mini programs that run on events such as clicking of mouse, hover of mouse, scrolling of pages, etc. On any event the corresponding JavaScript program runs in a safe virtual machine in the browser. Similarly with eBPF, instead of a fixed kernel, you can now write mini programs that run on events like any syscalls such as forking, executing, reading, writting, etc, which are run in a safe virtual machine in the kernel. In reality, eBPF is more like the v8 virtual machine that runs JavaScript, rather than JavaScript itself. eBPF is part of the Linux kernel.

The more beautiful program you add in JavaScript the more attractive and beutiful your website looks. Similarly, it's depends on user which type of programs is added. It depend from use case to use case.

UseCase of eBPF

Networking

Hooks: Traffic Control, sockets, XDP
Anti-DDoS
Load balancing
Routing, overlay, NAT
TCP control

Tracing and Monitoring

Hooks: kProbes, uProbes, tracepoints and perf events
Inspect, trace, profile kernel, or user space function.
Aggregate and correlate metrics in the Kernel , return meaningful date

Others

Security(LSM such as AppArmor)
Infrared protocols
File System, Storage

Reference:
Beginner guide to eBPF by LizRice
Learn eBPF
eBPF
Keynotes

OSI Model

vivek kumar sahu — Fri, 26 Nov 2021 21:54:49 +0000

History of Internet

It was a need to share information. But the computers at those times were large and immobile and in order to make use of information stored in any one computer, one had to either travel to the site of the computer or have magnetic computer tapes sent through the conventional postal system.
Another reason was the cold war which acted as a catalyst to the formation of the Internet. At that time this Internet was known as ARPANET.
To share information it was decided to create networks between different computers which was present in different university over a wide range of area. And that where the the ARPANET arises.

ARPANET ??

Advanced Research Projects Agency Network, ARPANET or ARPAnet began development in 1966 by the United States ARPA. ARPANET was a Wide Area Network (collection of computers connected by a communications network over a wide geographic area) linking many Universities and research centers, was first to use packet switching (information is broken into small segments of data known as packets and then reassembled when received at the destination), and was the beginning of what we consider the Internet today. ARPANET was created to make it easier for people to access computers, improve computer equipment, and to have a more effective communication method for the military.
In short ARPANET was a concept of connecting two or more computers to share information between them. It becames possible after protocols came into existance.

FACT:

January 1, 1983 is considered the official birthday of the Internet.

Protocols

You can think of a protocol as a language, which allows communication between two or more people.. Let’s say, people can only be able to share information among themselves if they speak the same language. As we all know every language has its own set of rules and grammar. In a similar way protocols also have a set of rules to communicate.
Let's come to the bookish definition of protocol. A protocol is a standard set of rules that allow electronic devices to communicate with each other. These rules include what type of data may be transmitted, what commands are used to send and receive data, and how data transfers are confirmed.

Types of Protocols

Post office Protocol (POP) ---> designed for receiving incoming Emails.
Simple mail transport Protocol (SMTP) ---> designed to send and distribute outgoing EMail.
File Transfer Protocol (FTP) ---> to move files from one computer to another.
HyperText Transfer Protocol (HTTP) ---> designed for transferring a hypertext among two or more systems.
Transmission Control Protocol (TCP) ---> It divides any message into series of packets that are sent from source to destination and there it gets reassembled at the destination.
Internet Protocol (IP) ---> The IP addresses in packets help in routing them through different nodes in a network until it reaches the destination system.

Let’s get back to the topic ARPANET, the communication between these computers was not completed until 1970, but as they began using the Network Control Protocol (NCP). NCP led to the development and use of the first computer-to-computer protocols like Telnet and File Transfer Protocol (FTP).

Fall of NCP and rise of TCP

NCP’s could not keep up with the demands of the network and the variety of networks connected. Due to which it’s downfall started and to fulfill this demand TCP came into picture. TCP allowed different kinds of computers on different networks to "talk" to each other. By 1983, TCP/IP had become the only approved protocol on ARPANET, replacing the earlier NCP because of its versatility and modularity. Hence, ARPANET and the Defense Data Network officially changed to the TCP/IP standard on January 1, 1983, hence the birth of the Internet.

OSI Model

The OSI model is a learning tool for understanding step by step networking.
It describes how information or data from an application of one computer transfers through a physical medium to an application in another computer. It is considered as an architectural model for inter-computer communications.
For Example:- Much like a car is composed of independent functions which combine to accomplish the end-goal of moving the car forward: A battery powers the electronics, an alternator recharges the battery, an engine rotates a driveshaft, an axle transfers the driveshaft’s rotation to the wheels, and so on and so forth.
Similarly, OSI model is divided into seven different layers, each of which fulfills a very specific function.

Characteristics of OSI Model

The OSI model divides the whole task into seven layers. Each layer differs in terms of Protocol Data Unit(PDU). Each layer deals with the data. Before proceding further get familar with terminologies encapsulation and decapsulation .

The OSI model breaks the responsibilities of the network into seven distinct layers.
Each layer takes data from the previous layer and encapsulates it to make its Protocol Data Unit (PDU). The PDU is used to describe the data at each layer. PDUs are also part of TCP/IP. The applications of the Session layer are considered “data” for the PDU, preparing the application information for communication. Transport uses ports to distinguish what process on the local system is responsible for the data. The Network layer PDU is the packet. Packets are distinct pieces of data routed between networks. The Data Link layer is the frame or segment. Each packet is broken up into frames, checked for errors, and sent out on the local network. The Physical layer transmits the frame in bits over the medium.

Application Layer (PDU ---> data or message) → 7th

The Application layer is the top layer of the OSI model and is the one the end user interacts with every day. This layer is not where actual applications live, but it provides the interface for applications that use it like a web browser
L7 has PDU as [data]

Presentation Layer (PDU ---> data or message) → 6th Layer

It translates the data from sender-dependent format into a common format and changes the common format into receiver-dependent format. It acts as a data translator for a network. It also helps in compressing the data.
L6 has PDU as [data]

Session Layer (PDU ---> data or message) → 5th layer

It is the 5th layer of the OSI model. It establishes a connection to send and receive data.
L5 has PDU as [data]

Transport Layer ( PDU ---> segment ) → 4th Layer

It is the 4th layer. It transfers the data between applications. It receives the data from the upper layer and converts it into smaller units known as segments. It is also known as an end-to-end layer because it provides point-to-point connection between source and destination. Two protocols can be used in this layer: TCP and UDP.

NOTE:

The responsibility of the network layer is to transmit the data from one computer to another computer. Whereas the responsibility of the transport layer is to transmit the message to the correct process(i.e. correct port )

L4 has PDU as segment. Consisting of port + data of previous layer.

Network Layer ( PDU ---> packet) → 3rd Layer

It is the 3rd layer of the osi model which manages device addressing, tracks the location of devices on the network. It determines the best path to move data from source to destination based on network conditions.
The protocols used to route the network traffic are known as Network Layer Protocols.
It also adds source and destination address to the header of the frame which helps in identifying the device on the internet.

L3 has PDU as packet. Consisting of IP Address + data of previous layer.

Data-Link Layer ( PDU ---> frame) → 2nd Layer

It is responsible for putting 1’s and 0’s on the wire, and pulling 1’s and 0’s from the wire. It groups together those 1’s and 0’s into chunks known as Frames. The data Link layer also adds the header and trailer to the frame. The header contains the destination and source hardware address. These frames are transmitted to the destination address mentioned in the header.

This layer also maintains the rate at which data is transferred with the help of processing speed of the computer.
It is also responsible for routing and forwarding packets.

L2 has PDU as frame consisting of MAC Address + data of previous layer.

Physical Layer ( PDU ---> bit ) → 1st Layer

It is responsible for the transfer of bits. It carries 1’s and 0’s between two nodes. These bits are transferred in the form of electric pulses, pulses of light, radio waves, etc depending on the type of medium used. Because at the end computer/machine/nodes understand only bits( “0” or “1” format)

L1 has PDU as bits

Medium (wire) --------- data(bits)
Ethernet --------> electric pulses
Wifi --------> radio waves
Fiber --------> pulses of light.

Conclusion

There was need to share information or data between computers(at those times computers were immobile) during the time of cold war. Birth of ARPANET took place, it's a group of computers connected through wire over wide range of area. After computer connected through medium like wire, cable, etc. Now to send data computer should understand the common set of rules and grammers to send data. Therefore first protocol NCP was created. And with the help of NCP protocol, it becames possible to share information or data. But due to limitation in NCP, TCP was formed.
And the study of how data transfers flow from one computers to another is known as OSI MODEL. Model has 7 different layers. Each layers has Protocol Data Unit(PDU), recieving data from previous layer and adding more info to it like Port, IP Address, MAC Address. And this concept is known as encaptulation.

How to begin your contribution to open source projects?

vivek kumar sahu — Sun, 24 Oct 2021 08:09:42 +0000

Why to contribute?

From a professional point of view it is said that always apply what you have learnt. To do the same there are 2-3 places where you can use your knowledge and apply it. First, it is a company and the other one is open source projects. And being a student you should choose an open source project, because the company is not going to hire you at your early stage of college.
And another reason like everyone said is getting perks, experience in working on real projects, gives edge to your resume during placements, networking with people across different parts of the world, etc, etc…..

Why does it seem overwhelming to contribute to open source projects for beginners?

It’s because:-
You don't know about that project.
You never used that product.
You have a fear of a huge code base. ( But the reality is you don’t have to contribute to the whole codebase. You have to contribute to a very small part of it).
New way of communition through slack. And switching from Instagram, Facebook to Slack feels like your world has completely changed. Initially when you join slack you get bored and start excusing yourself since you don’t understand anything about the discussion going inside the channel, so better you leave this place and this is not for you. I totally agree with you all that switching to slack is hard, but believe me if you endure the talks, meeting, discussion going inside slack for at least one month. You will see that each morning when you get up either you will open your email or slack or github instead of Insta, Facebook, etc.
NOTE:
Don’t keep this ego that in one day you will do all things like installation of projects, read documentation of project, and blah blah. Please give time. During Installation of the project you may get problems or stuck at something which may take a time. Because at the beginning you don’t have any knowledge.

How much time does it take for a complete beginner to get aware about the project?

In one word you need at least 1 month to know what a project is all about, what its use case is, what problems it solves in the real industries, and many more things.
Structure for the time to be given different parts of projects in the beginning:-
For Installation→ 1-6 days (totally depends from person to person).
For Reading documentation of project → 1 month
Use the project until and unless you get a feel of it.
Watch the hands-on of that project and try to apply it in your local workspace.
Join the meeting. If you don’t understand anything in the meeting it’s ok. But be with it.
Slack → daily 1-2 hours
Start asking any doubts in the slack. Don’t feel shy about it.

How to begin your contribution with Kyverno ??

The best part about contributing to Kyverno is there are 2 options available for contributor to contribute on:-
Firstly, contributing to policies. It doesn’t require any coding experience. It only requires basic knowledge of Kubernetes resource, YAML, and also knowledge about kyverno.

Secondly, through coding. By fixing bug, working on enhancement, etc.

So, by the time you get ready to contribute through code you can contribute through its policies. As the policies are written in the same language in which Kubernetes resources manifest are written down i.e YAML. And this is the best part of Kyverno.

That's all from my side. May this blog helpful for complete beginner.

Internship at Nirmata on Kyverno(CNCF sanboxed project)...

vivek kumar sahu — Mon, 18 Oct 2021 19:31:24 +0000

About myself ....

Hello Everyone!! Myself Vivek Kumar Sahu, sophomore(at the time of writting this blog) in Electronics and Telecommunication from Jabalpur Engineering College, India. My field of interests are cloud based technology as well as Linux world. I started exploring all these technologies just after Lockdown started and continued learning Linux and cloud-based technologies. After learning wanted to apply my knowledge and skills through some projects. Then i came to know that best way to make use of your skills and knowledge is by contributing to some open source project or by working in a company. But, being a student open source would be good choice. From there open source took place in my mind. Seriously, if you are complete beginner then 1-2 months you have to roam around the projects, meetings, slack channels, etc. And once you have understanding about the projects then you have to roam around the code written in those projects. It's not easy in the beginning but later on it is.
After exploring different projects from CNCF, I came across a Sandboxed project known as Kyverno.

And it was my right decision to pick the Kyverno project for contribution. For newbie contributor this is one of the good project to start their contribution with it and the reason behind it:-
Firstly, the Kyverno policies written for Kubernetes resources are written in the same language(i.e. YAML) as the resource manifest written in the Kubernetes.
And secondly, easy to relate different concepts of Kubernetes while applying different types of policies for different resources. So, it looks quite a relatable project with my skills.

After one month of exploring this project I got an opportunity from Nirmata company (drives Kyverno Project) to work as an intern for 3 months in Kyverno Project.
The mentor assigned to me was shuting zhao and she is currently maintainer of the Kyverno project. She is really a calm, helpful and supportive in nature. She understand beginner contributor and gives time to settle down.

About Project

Kyverno is the policy engine for Kubernetes. In technical terms Kyverno is care-taker of Kubernetes in terms of security. If you want to understand Kyverno in more detail, will recommend to you go through these blogs:-

https://www.linkedin.com/pulse/kyverno-native-policy-manager-kubernetes-code-arun-singh/?trackingId=xlfXp3sLzav3R71xJ%2FtCEA%3D%3D

https://medium.com/techloop/understanding-kyverno-policies-7e2d8651d7b1

During internship, I had to work on feature enhancement and it was To extend the test command to support or handle mutate Policy and also
To cover all sample policies. The same reaction I also had earlier after reading this project headline. Didn't understand anything. So, the recommendation to newbie contributors that the best way to understand any project is to read the documentation first and then install that project in your local machine and try to use it, play with it until and unless you get the feel about that project.

Description of feature-enhacement

Let me explain about this enhancement feature which I had to work upon. The feature needed to be added in the Kyverno-CLI to extend the support of the test command to support or handle mutate policy. At that time test command used to support for validate policy but not for mutate and generate policy. So, it was like a extension feature for test command to also support for mutate policy.

Let me break the topic into 2 parts i.e.
What is test command, it's uses and how it works and
What is mutate policy and describe them separately.

What is a test and Why to use it and how does it work?

test is a command (in the Kyverno-cli) like other commands, which provides facility to test policies on resources before deploying policy directly to the cluster. To be more specific test command provides facility to the user to check or test the policies whether it's properly working on resources or not. Since, it's related to security of Kubernetes resource, so it is recommended to check policies before directly applying to live clusters.

But how does the test command make sure that whatever policy applied on resources is correctly applied or not ??
Good question. Here comes the actual use of test command. Basically test command internally work is compares the actual result which is generated from Kyverno engine with expected result provided by the user.
Note: that expected result provided by the user may be wrong but actual result obtained from engine can not be. And if you want to get the actual result then use apply command. To know more about apply command visit here.

Let's understand more detail how test command works ?
As the user will run below command,

$kyverno  test  <path of folders containing test.yaml file>

First of all, test command looks for it's configuration file i.e. test.yaml in the provided folder by the user.

Structure of test.yaml file

name: mytests
policies: (contains list of path of policies file)
  - <path/to/policy.yaml>
  - <path/to/policy.yaml>
Resources: (contains list of path of resource file)
  - <path/to/resource.yaml>
  - <path/to/resource.yaml>
variables: variables.yaml (optional)
results:
- policy: <name>
  rule: <name>
  resource: <name>
  kind: <name>
  patchedResource: <path/to/patchedResource.yaml> (path of patchedResource file) 
  status/result: <pass/fail/skip>

Path of Policy provided by the user under the policies section in the test.yaml file is fetched from it and similarly all resources are fetched from the path of resources provided by the user under the resources section in the test.yaml file. After the policies and resources are fetched from the respective paths, then the policy with the help of match/exclude block selects the resources one by one. If the policy doesn’t selects the resource then policy skip that resource, which means the rule of the policy won’t be applied to that resource.
But if policy selects the resource which means that the further rule of the policy will be applied to resources and
Lastly, irrespective of policy applied on resource or not applied, the Kyverno engine will generates a result which is known as an actual result or engine response.

And also on the other hand, user also need to provide the expected result or user-defined result under the results section of the test.yaml file. Expected result here means that what user thinks of the result could be after policy applied on resources. The common fields on whose basis comparison of actual result or engine response with expected result or user-defined result are done:-
policy name(name of the policy),
resource name(name of the resource),
rule name,
kind(type of resource),
patchedResource(path of patched resource or updated resource file,
namespace(optional)
result/status: (fail/pass/skip),

Pass ----> when policy selects the resource and rule applied on the resource + patchedResource obtained from the engine response must be equal to the patched Resource provided by the user
Fail ----> when policy selects the resource and rule applied on the resource + patchedResource obtained from the engine response is not equal to the patched Resource provided by the user
Skip ----> When policy doesn’t select the resource because the resource description doesn’t match with the match/exclude block of rule of the policy, therefore rule is not applied on the resource. So, policy skips the resource.

What is Mutate Policy ?

As the mutate names suggest mutating something or updating something. Here updation could be anything like removing of any field or addition of any field or replacing of any field on Kubernetes resources. And resources updated through mutation policy is known as patched Resource.

This was the overall design part of how the test command will work with mutate policy.

To know more about test command switch here
To know more about writting mutate policies switch here

Hands-on

Let's see the hand's on using test command for mutate policy.

For ClusterPolicy:-

Let's try to understand the field in the Policy first.
1) kind: ClusterPolicy --> which means selecting resources in all namespaces or cluster wide.
2) metadata: name: add-labels ---> it is the name of Policy

3) spec: rules: - name: add-labels ---> name of the rule,
here coincidently, the name of policy is same as rule name. But don't think that they are related something like that. They are totally independent.
NOTE:- Under the rule section there can be one or more than one rules. But the type of policy i.e. validate/mutate/generate must be any among them throughout the policy.

Let's try to understand the policy through the below diagram.

The policy wants to say that selects all the resource of kind: Pod in whole cluster(i.e. in all namespaces). And after selecting resources add the label foo: bar to those resources.

policy.yaml

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: add-labels
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
    policies.kyverno.io/description: >-
      Labels are used as an important source of metadata describing objects in various ways
      or triggering other functionality. Labels are also a very basic concept and should be
      used throughout Kubernetes. This policy performs a simple mutation which adds a label
      `foo=bar` to Pods, Services, ConfigMaps, and Secrets.
spec:
  rules:
  - name: add-labels
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        metadata:
          labels:
            foo: bar

Below is the resource of kind: Pod. Which means it will be selected by the policy.

resource.yaml

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
spec:
  containers:
  - name: nginx
    image: nginx:latest

Below, is the patchedResource with added label foo: bar with it. After mutate rule is applied to the above resource, label foo: bar will be added to that resource, the resource gets updated because of that. And updated resource is known as a patchedResource.

patchedResource,yaml

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    foo: bar
spec:
  containers:
  - name: nginx
    image: nginx:latest

Below, is the configuration file of test command. It contains path of above policies, path of above resources, path of above patched resource and results defined by the user.

test.yaml

name: add-labels
policies:
  - add_labels.yaml
resources:
  - resource.yaml
results:
  - policy: add-labels
    rule: add-labels
    resource: myapp-pod
    patchedResource: patchedResource.yaml
    kind: Pod
    result: pass

Now run the below command:-
$ kyverno test <path_of_folder_containing_test.yaml_file>

Executing add-labels...
applying 1 policy to 1 resource...
│───│────────────│────────────│───────────│────────│
│ # │ POLICY     │ RULE       │ RESOURCE  │ RESULT │
│───│────────────│────────────│───────────│────────│
│ 1 │ add-labels │ add-labels │ myapp-pod │ Pass   │
│───│────────────│────────────│───────────│────────│
(base)

For Namespaced-policy ( Policy)

Namespaced-policy are applied only on particular namespace.
First of all, let's read out the policy. It says that select resource of kind: Pod from testing namespace and after selecting mutate or add the below field in it.
"dnsConfig: options: - name: ndots value: "1"

Policy.yaml

apiVersion: kyverno.io/v1
kind: Policy
metadata:
  name: add-ndots
  namespace: testing
  annotations:
    policies.kyverno.io/title: Add ndots
    policies.kyverno.io/category: Sample
    policies.kyverno.io/subject: Pod
    policies.kyverno.io/description: >-
      The ndots value controls where DNS lookups are first performed in a cluster
      and needs to be set to a lower value than the default of 5 in some cases.
      This policy mutates all Pods to add the ndots option with a value of 1.
spec:
  background: false
  rules:
  - name: add-ndots
    match:
      resources:
        kinds:
        - Pod
    mutate:
      patchStrategicMerge:
        spec:
          dnsConfig:
            options:
              - name: ndots
                value: "1"

resource.yaml

apiVersion: v1
kind: Pod
metadata:
  name: myapp-pod
  labels:
    foo: bar
  namespace: testing
spec:
  containers:
  - name: nginx
    image: nginx:latest

Patched Resource with added
dnsConfig: options: - name: ndots value: "1"
in the resource.

patchedResource.yaml

apiVersion: v1
kind: Pod
metadata:
  labels:
    foo: bar
  name: myapp-pod
  namespace: testing
spec:
  containers:
  - image: nginx:latest
    name: nginx
  dnsConfig:
    options:
    - name: ndots
      value: "1"

test.yaml

name: add-nodeselector
policies:
  - policy.yaml
resources:
  - resource.yaml
results:
  - policy: testing/add-ndots   
    rule: add-ndots
    resource: myapp-pod
    patchedResource: patchedResource.yaml
    namespace: testing
    kind: Pod
    result: pass

$ kyverno test <path>

Executing add-nodeselector...
applying 2 policies to 1 resource...
│───│───────────────────│───────────│───────────────────────│────────│
│ # │ POLICY            │ RULE      │ RESOURCE              │ RESULT │
│───│───────────────────│───────────│───────────────────────│────────│
│ 1 │ testing/add-ndots │ add-ndots │ Pod/testing/myapp-pod │ Pass   │
│───│───────────────────│───────────│───────────────────────│────────│

NOTE:-
The difference in the test.yaml between the Namespaced policy and ClusterPolicy is in their name of policy under the results section. If it is a Namespaced policy then user need to provide the policy name as: <namespace>/<policy_name>

whereas if it is a ClusterPolicy then policy name as: .

The Namespaced policy is applied to resources present in that particular namespace. Whereas ClusterPolicy is applied in all namespaces present in whole cluster.

Challenges I faced during project :-

1) There are 2 types of policies:-
ClusterPolicy --> Applied on whole cluster
Policy --> Applied on a particular namespace, which means it will only select those resources having the same namespace as namespaced policy.
Initially the solution works fine for ClusterPolicy but it wasn't supporting namespaced Policy. So, for the same I have to understand the concept of namespaced policy and then apply separate checks to filter resources according to the namespace of the policy.

I think you all have got the basic idea about this enhancement feature for Kyverno-cli. And to know more about the Kyverno project go to kubectl get kyverno project
I would highly thanks to Jim Bugwadia for giving this opportunity. And once again highly thankful to my mentor Shuting zhao, for her continuous support and guidance throughout the project. And also special thanks to Vyankatesh, Pooja and Chip Zoller for their continous help. It was really amazing to work with this community. I don't know how these 3 months passed, it seems like it started only a few days ago. In these 3 months learned many new things from the community members.

That was all from mine side. Thanks for reading it. Hope you liked it. If you have any doubt regarding the Kyverno project join the slack channel.

Resources for beginners wanted to contribute to Kyverno project:-
Kyverno --> https://github.com/kyverno/kyverno
Kyverno policies ---> https://kyverno.io/policies/
Youtube channel ---> https://www.youtube.com/c/Nirmata/videos
golang resources --> https://gobyexample.com/ and https://zetcode.com/all/#go

k-mean clustering and its real usecase in the security domain

vivek kumar sahu — Mon, 19 Jul 2021 12:20:59 +0000

The k-means algorithm is one of the oldest and most commonly used clustering algorithms. It is a great starting point for new ml enthusiasts to pick up, given the simplicity of its implementation. Let's comes to the defination part first.

K-means clustering is one of the simplest and popular unsupervised machine learning algorithms.

Typically, unsupervised algorithms make inferences from datasets using only input vectors without referring to known, or labelled, outcomes.

“The objective of K-means is simple: group similar data points together and discover underlying patterns. To achieve this objective, K-means looks for a fixed number (k) of clusters in a dataset.”

You’ll define a target number k, which refers to the number of centroids you need in the dataset. A centroid is the imaginary or real location representing the center of the cluster.

Every data point is allocated to each of the clusters through reducing the in-cluster sum of squares.

In other words, the K-means algorithm identifies k number of centroids, and then allocates every data point to the nearest cluster, while keeping the centroids as small as possible.

The ‘means’ in the K-means refers to averaging of the data; that is, finding the centroid.

How the K-means algorithm works

To process the learning data, the K-means algorithm in data mining starts with a first group of randomly selected centroids, which are used as the beginning points for every cluster, and then performs iterative (repetitive) calculations to optimize the positions of the centroids.

It halts creating and optimizing clusters when either:

The centroids have stabilized — there is no change in their values because the clustering has been successful.
The defined number of iterations has been achieved.

The way kmeans algorithm works is as follows:

Specify number of clusters K.
Initialize centroids by first shuffling the dataset and then randomly selecting K data points for the centroids without replacement.
Keep iterating until there is no change to the centroids. i.e assignment of data points to clusters isn’t changing.

Compute the sum of the squared distance between data points and all centroids.
Assign each data point to the closest cluster (centroid).
Compute the centroids for the clusters by taking the average of the all data points that belong to each cluster.

Use-cases of K-means Algorithm:-

1. document classification

cluster documents in multiple categories based on tags, topics, and the content of the document. this is a very standard classification problem and k-means is a highly suitable algorithm for this purpose. the initial processing of the documents is needed to represent each document as a vector and uses term frequency to identify commonly used terms that help classify the document. the document vectors are then clustered to help identify similarity in document groups. here is a sample implementation of the k-means for document clustering.

2. delivery store optimization

optimize the process of good delivery using truck drones by using a combination of k-means to find the optimal number of launch locations and a genetic algorithm to solve the truck route as a traveling salesman problem. here is a whitepaper on the same topic .

3. identifying crime localities

with data related to crimes available in specific localities in a city, the category of crime, the area of the crime, and the association between the two can give quality insight into crime-prone areas within a city or a locality. here is an interesting paper based on crime data from delhi firs.

4. customer segmentation

clustering helps marketers improve their customer base, work on target areas, and segment customers based on purchase history, interests, or activity monitoring. here is a white paper on how telecom providers can cluster pre-paid customers to identify patterns in terms of money spent in recharging, sending sms, and browsing the internet. the classification would help the company target specific clusters of customers for specific campaigns.

5. fantasy league stat analysis

analyzing player stats has always been a critical element of the sporting world, and with increasing competition, machine learning has a critical role to play here. as an interesting exercise, if you would like to create a fantasy draft team and like to identify similar players based on player stats, k-means can be a useful option. check out this article for details and a sample implementation.

6. insurance fraud detection

machine learning has a critical role to play in fraud detection and has numerous applications in automobile, healthcare, and insurance fraud detection. utilizing past historical data on fraudulent claims, it is possible to isolate new claims based on its proximity to clusters that indicate fraudulent patterns. since insurance fraud can potentially have a multi-million dollar impact on a company, the ability to detect frauds is crucial. check out this white paper on using clustering in automobile insurance to detect frauds.

7. rideshare data analysis

the publicly available uber ride information dataset provides a large amount of valuable data around traffic, transit time, peak pickup localities, and more. analyzing this data is useful not just in the context of uber but also in providing insight into urban traffic patterns and helping us plan for the cities of the future. here is an article with links to a sample dataset and a process for analyzing uber data.

8. cyber-profiling criminals

cyber-profiling is the process of collecting data from individuals and groups to identify significant co-relations. the idea of cyber profiling is derived from criminal profiles, which provide information on the investigation division to classify the types of criminals who were at the crime scene. here is an interesting white paper on how to cyber-profile users in an academic environment based on user data preferences.

9. call record detail analysis

a call detail record (cdr) is the information captured by telecom companies during the call, sms, and internet activity of a customer. this information provides greater insights about the customer’s needs when used with customer demographics. in this article , you will understand how you can cluster customer activities for 24 hours by using the unsupervised k-means clustering algorithm. it is used to understand segments of customers with respect to their usage by hours.

10. automatic clustering of it alerts

large enterprise it infrastructure technology components such as network, storage, or database generate large volumes of alert messages. because alert messages potentially point to operational issues, they must be manually screened for prioritization for downstream processes. clustering of data can provide insight into categories of alerts and mean time to repair, and help in failure predictions.

How to configure CoreDNS in Linux(Part-1)..

vivek kumar sahu — Fri, 26 Feb 2021 07:25:40 +0000

For CoreDNS installation in Linux, you can proceed further.

📌Go to this Link-->
https://github.com/coredns/coredns/releases/tag/v1.8.3

Now copy this link, as shown in the below image.

📌Now run the below command to download the software.
$ wget https://github.com/coredns/coredns/releases/download/v1.8.3/coredns_1.8.3_linux_amd64.tgz

Software is installed but it is in a zip format.

📌So you need to unzip this file "coredns_1.8.3_linux_amd64.tgz"
Now, run the command to unzip.
tar -xvzf coredns_1.8.3_linux_amd64.tgz

And finally, your program CoreDNS is installed.

How to install HELM Version (above 3) in Linux..

vivek kumar sahu — Thu, 25 Feb 2021 10:11:35 +0000

For Helm installation in Linux, you can proceed further.

📌Go to this Link--> https://github.com/helm/helm/releases
Now copy this link, as shown in the below image.

📌Now run the below command to download the software.
$ wget https://get.helm.sh/helm-v3.5.2-linux-amd64.tar.gz

Software is installed but it is in a zip format.

📌So you need to unzip this file "helm-v3.5.2-linux-amd64.tar.gz"
Now, run the command to unzip.
$ tar -xvzf helm-v3.5.2-linux-amd64.tar.gz

📌In Linux, all program files needed to be stored in "/usr/bin/" folder.
Copy this program file("linux-amd64/helm") into this folder("/usr/bin/").

📌Run the command to copy.
$ cp linux-amd64/helm /usr/bin/

📌Now you can check, whether it is installed or not.
$ helm version
if version shows, it means it is successfully installed.

Kubernetes Part-1

vivek kumar sahu — Mon, 07 Dec 2020 17:38:43 +0000

KUBERNETES ARCHITECTURE

Master Node

Worker Node

Etcd

If you are curious to know, Why need of Kubernetes & Docker and their basic definations, then feel free to go through it---> https://dev.to/viveksahu26/kubernetes-for-beginners-basic-part-why-need-of-docker-k8-s-2bgf

MASTER NODE

What is a Node? Node refers to a computer or pc or virtual machine. You can consider the master node as a manager position of any company and worker node as a employee of that company. It's totally up to you assign nodes as a worker or master, but keep in mind that their must be only one master node & more than one worker node under master node or in a cluster.
Cluster is a set of worker machines, called nodes, that run containerized applications. Every cluster has at least one worker node.
It is responsible for managing the state of k8's cluster and it manages and control worker nodes. It also provides an environment for control panel.

COMPONENTS OF MASTER NODES:-

1)API Server

2)Scheduler

3)Controller Manager

4)Etcd

1)API Server:-

It is known as "kube-api server", a central control plane component running on the master node. Every components of master node communicate with it. The API Server is the only master node component to talk to the etcd data store, both to read from and to save Kubernetes cluster state information. During, processing it reads the current state of the worker nodes from etcd and matches it with the Desired state. For now assume etcd as a data storage, we will cover it in details later.

2)Scheduler (kube-scheduler):-

As soon as the new pods are created, Scheduler job is to assign new pods or non-schedule pods to a feasible Nodes. Every container in pods has different requirements for resources and every pod also has different requirements. So, according to these requirements scheduler searches for nodes existing in cluster fulfilling its requirements. And node which fulfilling its requirements or node meeting its requirements are knowns as feasible nodes. Questions arises, From where does the scheduler knows about the configuration of worker nodes? Etcd contains configuration of all worker Nodes existing in a cluster. Scheduler approaches to the api-server for configuration of nodes and api-server collects data from etcd and provides it to the scheduler. Scheduler uses this Data(configuration of nodes) to schedule pod into a feasible Node.

NOTE:-

If scheduler doesn't find feasible nodes for pods, then they remain as it is till scheduler finds feasible node and these pods are known as non-schedule pods.

3)Controller Manager:-

Here is one example of a control loop: a thermostat in a room.

When you set the temperature, that's telling the thermostat about your desired state. The actual room temperature is the current state. The thermostat acts to bring the current state closer to the desired state, by turning equipment on or off.
Controllers are control loops or watch loops ( non-terminating loop that regulates the state of a system) which continuously running across worker nodes and notice the current state of each nodes and parallelly(at the same time) comparing the cluster's desired state (provided by objects' configuration data) with current state. Here, current state refers to the task worker nodes are performing or doing. And after noticing, it sends current state data of each worker node to the api-server and api-server store these data in etcd for future use. The controller(s) are responsible for making the current state come closer to that desired state.

4)Etcd:-

It's a key-value data storage for storing Kubernetes cluster state. It also stores configuration data of each nodes existing in cluster. New data is written to the data store only by appending to it, data is never replaced in the data store.
Note:- It is only accessible to kube-api server.

WORKER NODE

As the scheduler assign the feasible node(here refer to worker node) for a pod. Now, from here the role of worker node starts. Worker nodes knows its job very well that what to do next.

NOTE:-

Btw in Kubernetes, each component knows their job very well, there is no need to tell each components what to do next. For ex.:- As we have seen above that Master node don't have to tell scheduler about its role, to schedule pods to feasible nodes. Scheduler knows its role very well and start working as soon as it gets newly created pods or non-scheduled pods. Similarly, worker nodes knows their job as soon as they get pods. It provides running environment for client applications. These applications are encapsulated in Pods, controlled by the cluster control plane agents running on the master node.

A Pod is the smallest scheduling unit in Kubernetes or in another words Pods are collections of one or more container. And inside these containers your application runs.

WORKER NODE COMPONENTS

1) Container Runtime

2) Kubelet

3) Kube-proxy

1)Container Runtime

The container runtime is the software that is responsible for running containers. Although Kubernetes is described as a "container orchestration engine" or "container management engine", it does not have the capability to directly handle containers. In order to manage a container's lifecycle, Kubernetes requires a container runtime on the node where a Pod and its containers are to be scheduled. Kubernetes supports several container runtimes are:-

Docker

Although a container platform which uses containerd as a container runtime, it is the most popular container runtime used with Kubernetes.

CRI-O

A lightweight container runtime for Kubernetes, it also supports Docker image registries.

containerd

A simple and portable container runtime providing robustness.

frakti

A hypervisor-based container runtime for Kubernetes.

NOTE:-

In simple language, Kubernetes don't have capability to run container. So, it need tools to run these containers. And these tools are known as container runtime. Kubernetes job is to manage these containers.

2)Kubelet

The kubelet is an agent running on each node and communicates with the control plane components(i.e api-server) from the master node. It gets instructions from the api-server and interacts with the container runtime on the node to run containers associated with the pod.

NOTE:-

As the pods get scheduled by scheduler to a feasible node existing in a cluster. Then worker node components i.e. kubelet starts its job.

Kubelet also monitors the health of Pod's running container. It also connects the container runtime using container runtime interface(CRI).
CRI implements two services:-
1) Image Service:- Responsible for all the image-related
operations.
2) Runtime Service:- Responsible for all the pods and
container based operations.

3)Kube-Proxy

The Kubernetes network proxy runs on each node. It is responsible for dynamic updates and maintenance of all networking rules on the node.

Forem: vivek kumar sahu

Operating System (OS) with 32 bit will stop working after 19 January 1938....

Do you know when 32 bit OS will stop working?

When will 32 bits computers stop storing data?

When 32 bit Unix Based OS will stop working exactly?

Why it will happen on particular date and time( and particular second too) so?

Extra knowledge

Techie detail:

What are bits and their Maximum values ?

Standard bits:

4 bit:

8 bit:

16 bit:

32 bit:

64 bit:

Extra Knowledge:

But why does the OS store data in the form of binary ??

Maximum value of standard bits?

For example:

And what type of data it will store. Because obviously 429 crore is such a big number ?

Why time has to be memorized by OS. Is there any significance of time as such?

Is there any particular date from when OS has to remember the time?

Why 1901 is considered to be birth or origin of computers??

And in what unit the time is being stored ??

Calculation of seconds to be stored since 1901 till 1938 ?

What all are the Devices that will be impacted by this ??

References:

How Kernel boot up ??

How the Linux Kernel Boots?

When happens after pressing Power ON button of the computer.

BIOS(basic input/output system) performs POST (Power On Self Test) checks

What MBR does?

GRUB(Grand Unified Boot Loader)

What is the use of GRUB?

GRUB has to find the answer of 2 question:-

flowchart:-

References

GitHub Action

Components of GitHub Action

Workflows

Events

Jobs

Action

Runner

Understanding the workflow file:

Conclusion:

Linux Security Modules

How Linux is Secured?

What does it mean by user dependent security?

Discretionary Access Control(DAC)

Example:

Linux Security modules(LSM)

user-independent security

Mandatory access control(MAC)

Flow of open() system call:

Types of LSMs

DAC vs MAC

Beginners guide to eBPF...

What is eBPF??

Practical

But how ??

Relating eBPF with Javascript

But how ??,

UseCase of eBPF

OSI Model

History of Internet

ARPANET ??

FACT:

Protocols

Types of Protocols

Fall of NCP and rise of TCP

OSI Model

Characteristics of OSI Model

Application Layer (PDU ---> data or message) → 7th

Presentation Layer (PDU ---> data or message) → 6th Layer

Session Layer (PDU ---> data or message) → 5th layer

Transport Layer ( PDU ---> segment ) → 4th Layer

NOTE:

Network Layer ( PDU ---> packet) → 3rd Layer

Data-Link Layer ( PDU ---> frame) → 2nd Layer

Why 1901 is considered to be `birth` or `origin` of computers??

Relating `eBPF` with `Javascript`