
Monday, November 17, 2014

A Quick Overview - Apache Spark


Apache Spark



Apache Spark is an open source parallel processing framework that enables users to run large-scale data analytics applications across clustered computers.

Apache Spark can process data from a variety of data repositories, including the Hadoop Distributed File System (HDFS), NoSQL databases and relational data stores such as Apache Hive. Spark supports in-memory processing to boost the performance of big data analytics applications, but it can also do conventional disk-based processing when data sets are too large to fit into the available system memory.

Spark became a top-level project of the Apache Software Foundation in February 2014, and Version 1.0 of Apache Spark was released in May 2014. The technology was initially designed in 2009 by researchers at the University of California, Berkeley, as a way to speed up processing jobs in Hadoop systems. Spark provides programmers with a potentially faster and more flexible alternative to MapReduce, the software framework that early versions of Hadoop were tied to. Spark's developers say it can run jobs 100 times faster than MapReduce when processed in memory and 10 times faster on disk.

In addition, Spark can handle more than the batch processing applications that MapReduce is limited to running. The core Spark engine functions partly as an application programming interface (API) layer and underpins a set of related tools for managing and analyzing data, including a SQL query engine, a library of machine learning algorithms, a graph processing system and streaming data processing software.

Apache Spark can run in Hadoop 2 clusters on top of the YARN resource manager; it can also be deployed standalone or in the cloud on the Amazon Elastic Compute Cloud (EC2) service. Its speed, combined with its ability to tie together multiple types of databases and run different kinds of analytics applications, has prompted some proponents to claim that Spark has the potential to become a unifying technology for big data applications.

Monday, September 15, 2014

Happy Birthday Google.com !!!


How many people know the name Google.com???
How many people use Google.com???
How many people set their browser's search engine to Google.com???


The answer is simple. It's everyone!!!


But how many people know that today is the birthday of Google.com!!!


Yes, the Google.com domain was registered exactly 17 years ago, on 15 September 1997!!!


The WHOIS details:


Domain Name: google.com
Registry Domain ID: 
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Updated Date: 2014-05-19T04:00:17-0700
Creation Date: 1997-09-15T00:00:00-0700
Registrar Registration Expiration Date: 2020-09-13T21:00:00-0700
Registrar: MarkMonitor, Inc.
Registrar IANA ID: 292




 Happy Birthday Google.com  !!!

Sunday, August 24, 2014

A Brief About mPOS - Mobile Point of Sale


mPOS - Mobile Point of Sale


Before we look at mPOS (Mobile Point of Sale), we have to understand what POS (Point of Sale) is. The Point of Sale, or checkout, is the place where a retail transaction is completed. It is the point at which a customer makes a payment to the merchant in exchange for goods or services. At the Point of Sale the retailer calculates the amount owed by the customer and provides options for the customer to make payment. The merchant will also normally issue a receipt for the transaction. The POS in various retail industries uses customized hardware and software as per their requirements. Retailers may utilize weighing scales, scanners, electronic and manual cash registers, EFTPOS terminals (Electronic Funds Transfer at Point of Sale: an electronic payment system based on the use of payment cards, such as debit or credit cards, at terminals located at points of sale), touch screens and a wide variety of other hardware and software available for use with POS. For example, a grocery or candy store uses a scale at the Point of Sale, while bars and restaurants use software to customize the item or service sold when a customer has a special meal or drink request.

The modern Point of Sale is often referred to as the Point of Service because it is not just a Point of Sale but also a Point of Return. Additionally it includes advanced features to cater to different functionality, such as inventory management, CRM, financials, warehousing, etc., all built into the POS software. Prior to the modern POS, all of these functions were done independently and required the manual re-keying of information, which can lead to entry errors.

mPOS (Mobile Point of Sale) is, in a phrase, a "dongle plus smartphone" innovation for the modern POS system. An mPOS is a smartphone, tablet or dedicated wireless device that performs the functions of a cash register or electronic Point of Sale (POS) terminal.

mPOS implementations allow service and sales industries to conduct transactions in place, improving the customer experience and freeing up valuable real estate that would otherwise be dedicated to a POS counter. An mPOS can also be cost-effective, allowing a small business owner to conduct transactions without having to invest in an electronic register or pay someone to support the software. 

Any smartphone or tablet can be transformed into an mPOS with a downloadable mobile app. Typically, when the business owner registers the app, the vendor sends the business owner a card reader that plugs into the mobile device's audio jack. Some mPOS software vendors also provide optional hand-held docking stations (called sleds) that allow the mobile device to read barcodes and print receipts.

Depending on the software, an mPOS can operate as a stand-alone device that is simply linked to the business's bank account, or it can be an integrated component of a larger, legacy POS system. To protect cardholder data, customer data is encrypted and stored in the cloud -- not on the device.

Popular mobile POS vendors include PayPal, Square, Intuit and VeriFone. 

NOTE:   mPOS implementation requires Strong Security Awareness.  



Tuesday, August 19, 2014

Quick Reference Guide - CRUSH & Ceph


CRUSH


CRUSH (Controlled Replication Under Scalable Hashing) is a hash-based algorithm for calculating how and where to store and retrieve data in a distributed object-based storage cluster.

CRUSH is the pseudo-random data placement algorithm that efficiently distributes object replicas across a Ceph storage cluster. Cluster size needs to be flexible, and device failure is going to happen. CRUSH allows for the addition and removal of storage devices with as little movement of data as possible. Ceph utilizes the CRUSH algorithm to compute where data can be found or should be written. This eliminates metadata bottlenecks, which increases overall efficiency accessing data in the cluster. Ceph clients accessing storage and Ceph devices that replicate data to their peers both run the CRUSH algorithm. This allows the work to scale linearly with the size of the cluster.

CRUSH is an algorithm that can calculate the physical location of data in Ceph, given the object name, cluster map and CRUSH rules as input.

CRUSH distributes data evenly across available object storage devices in what is often described as a pseudo-random manner. Distribution is controlled by a hierarchical cluster map called a CRUSH map. The CRUSH map, which can be customized by the storage administrator, informs the cluster about the layout and capacity of nodes in the storage network and specifies how redundancy should be managed. 

CRUSH replicates data in multiple locations and fault domains. So when a disk fails, CRUSH replicates data across available OSDs. There is no need for RAID, which typically just adds to the hardware cost.

Ceph and CRUSH allow you to work in a heterogeneous, structured environment that frees you from vendor lock-in and expensive proprietary hardware. CRUSH is also self-managing and self-healing, which reduces the overall need for human intervention in your data center.

CRUSH is one of the key features that makes Ceph powerful and uniquely scalable compared to other storage systems that we see today.
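The placement described above, as an added illustration that is not Ceph's code: a single flat CRUSH bucket whose member selection is modelled as a weighted rendezvous hash in the style of a straw2 bucket (each OSD draws a "straw" from a hash of object name, replica number and OSD id, scaled by its weight, and the longest straw wins). The cluster map, host names and object names are constructed for the example. It shows the three properties the text claims: any client with the map computes the same location with no index server, replicas land on distinct hosts, and adding a device moves only a fraction of the copies.

```python
"""Simplified CRUSH-style placement (added illustration, not Ceph's code).

Models one flat CRUSH bucket with straw2-style selection, i.e. a weighted
rendezvous hash over the OSDs in the map.  The cluster map below is
constructed for the example.
"""
from __future__ import annotations

import hashlib
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class OSD:
    osd_id: int
    host: str      # failure domain the placement rule spreads replicas across
    weight: float  # relative capacity (e.g. TB); share of data is proportional


def _straw(key: str, replica: int, osd: OSD) -> float:
    """Draw a straw for one OSD: ln(u) / weight, with u uniform in (0, 1].

    ln(u) is negative, so dividing by a larger weight pulls the value toward 0
    and that OSD wins more often, in proportion to its weight.
    """
    digest = hashlib.sha256(f"{key}/{replica}/{osd.osd_id}".encode()).digest()
    u = (int.from_bytes(digest[:8], "big") + 1) / 2 ** 64  # never 0, so ln() is defined
    return math.log(u) / osd.weight


def place(key: str, cluster_map: list[OSD], replicas: int = 3) -> list[int]:
    """Compute the OSD ids holding `key`, one replica per host, from the map alone.

    Every client or OSD holding the same map gets the same answer, so no
    central index server is consulted.
    """
    chosen: list[OSD] = []
    used_hosts: set[str] = set()
    for r in range(replicas):
        candidates = [o for o in cluster_map if o.host not in used_hosts]
        if not candidates:
            raise ValueError(f"not enough distinct failure domains for {replicas} replicas")
        winner = max(candidates, key=lambda o: _straw(key, r, o))
        chosen.append(winner)
        used_hosts.add(winner.host)
    return [o.osd_id for o in chosen]


def moved_fraction(before: list[OSD], after: list[OSD],
                   keys: list[str], replicas: int = 3) -> float:
    """Fraction of replica copies whose OSD changes when the map changes."""
    moved = 0
    for k in keys:
        old = set(place(k, before, replicas))
        new = set(place(k, after, replicas))
        moved += len(old - new)
    return moved / (len(keys) * replicas)


# Constructed cluster map: three hosts with two equally weighted OSDs each.
CLUSTER = [
    OSD(0, "host-a", 1.0), OSD(1, "host-a", 1.0),
    OSD(2, "host-b", 1.0), OSD(3, "host-b", 1.0),
    OSD(4, "host-c", 1.0), OSD(5, "host-c", 1.0),
]
# The same map after a fourth host with one OSD is added.
CLUSTER_GROWN = CLUSTER + [OSD(6, "host-d", 1.0)]
# Constructed object names.
KEYS = [f"rbd_data.obj{i}" for i in range(400)]


if __name__ == "__main__":
    print("object-17 ->", place("object-17", CLUSTER))
    frac = moved_fraction(CLUSTER, CLUSTER_GROWN, KEYS)
    print(f"adding host-d moved {frac:.1%} of replica copies")
```

A real CRUSH map is a hierarchy of buckets (root, rack, host, device) with rules that walk it, and real OSDs rebalance by comparing old and new map epochs; this model flattens that to one bucket and one "one copy per host" rule, which is enough to see why a client needs no metadata lookup and why growing the cluster does not reshuffle everything.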


Ceph



Among Linux's impressive selection of file systems is Ceph, a distributed file system that incorporates replication and fault tolerance while maintaining POSIX compatibility.

CRUSH was designed for Ceph, open source software designed to provide object-, block- and file-based storage under a unified system. Because CRUSH allows clients to communicate directly with storage devices without the need for a central index server to manage data object locations, Ceph clusters can store and retrieve data very quickly and scale up or down quite easily.

As if the dynamic and adaptive nature of the file system weren't enough, Ceph also implements some interesting features visible to the user. Users can create snapshots, for example, in Ceph on any subdirectory (including all of the contents). It's also possible to perform file and capacity accounting at the subdirectory level, which reports the storage size and number of files for a given subdirectory (and all of its nested contents).

Ceph is a distributed object store and file system designed to provide excellent performance, reliability and scalability.


Goals


  • Easy scalability to multi-petabyte capacity (Required for BigData)
  • High performance over varying workloads (input/output operations per second [IOPS] and bandwidth)
  • Strong reliability


Note:


Ceph is not only a file system but an object storage ecosystem with enterprise-class features. Ceph isn't unique in the distributed file system space, but it is unique in the way that it manages a large storage ecosystem. Other examples of distributed file systems include the Google File System (GFS), the General Parallel File System (GPFS) and Lustre. The ideas behind Ceph appear to offer an interesting future for distributed file systems, as massive scales introduce unique challenges to the massive storage problem.

Although Ceph is now integrated into the mainline Linux kernel, it's properly noted there as experimental. File systems in this state are useful to evaluate but are not yet ready for production environments. 

Saturday, August 9, 2014

Quick Reference Guide - Cloud Storage Gateway

Cloud Storage Gateway


A Cloud Storage Gateway is a hardware- or software-based appliance located on the customer premises that serves as a bridge between local applications and remote cloud-based storage. 

A Cloud Storage Gateway is a network appliance or server which resides at the customer premises and translates cloud storage APIs such as SOAP or REST to block-based storage protocols such as iSCSI or Fibre Channel or file-based interfaces such as NFS or CIFS.

According to a 2011 report by Gartner Group, Cloud Storage Gateways were expected to increase the use of Cloud Storage by lowering monthly charges and eliminating the concern of data security.

A Cloud Storage Gateway appliance provides basic protocol translation and simple connectivity to allow the incompatible technologies to communicate transparently. The gateway may be a stand-alone computing device or a virtual machine (VM) image.

As the market has evolved, some vendors have dropped the word "gateway" in favor of the word "controller" to emphasize the idea that their gateway products do more than just serve as a bridge.

Unlike the Cloud Storage Services which they complement, Cloud Storage Gateways use standard network protocols which integrate with existing applications. Cloud Storage Gateways can also serve as intermediaries to multiple cloud storage providers. Some Cloud Storage Gateways also include additional storage features such as backup and recovery, caching, compression, encryption, storage de-duplication and provisioning.

Many of today's Cloud Storage Gateway products provide data deduplication and compression capabilities to make use of available bandwidth efficiently and move data as quickly as possible. Reducing the data footprint also lowers cost, because cloud providers charge for over-the-wire transfers as well as for storage space. Other popular features include snapshots and version control, the ability to use local storage as a cache, automated tiered storage and encryption. 

Wednesday, August 6, 2014

A Brief About GCE - Google Compute Engine

GCE - Google Compute Engine



Google Compute Engine is a service that provides virtual machines that run on Google infrastructure. Google Compute Engine offers scale, performance, and value that allows you to easily launch large compute clusters on Google's infrastructure. There are no upfront investments and you can run up to thousands of virtual CPUs on a system that has been designed from the ground up to be fast, and to offer strong consistency of performance.


The Google Compute Engine (GCE) is an Infrastructure as a Service (IaaS) offering that allows clients to run workloads on Google's infrastructure. The Compute Engine provides a scalable number of virtual machines (VMs) to serve as large compute clusters for that purpose.  


Virtual machines (VMs) are offered as standard Google Linux-based VMs; also customers may use their own system images for custom virtual machines. Virtual machines are offered in a number of memory configurations with up to 16 virtual cores each. The number of allowed instances makes it possible to run thousands of virtual CPUs working on a task.

GCE can be managed through a RESTful API, command line interface (CLI) or Web console. GCE's application program interface (API) provides administrators with virtual machines (VMs), DNS servers and load balancing capabilities. VMs are available in a number of CPU and RAM configurations and Linux distributions, including Debian and CentOS. Customers may use their own system images for custom virtual machines. Data at rest is encrypted using the AES-128-CBC algorithm.


GCE's scalable number of allowed instances makes it possible for an administrator to create clusters with thousands of virtual CPUs. GCE allows administrators to select the region and zone where certain data resources will be stored and used. Currently, GCE has three regions: United States, Europe and Asia. Each region has two availability zones and each zone supports either Ivy Bridge or Sandy Bridge processors. GCE also offers a suite of tools for administrators to create advanced networks on the regional level. Every GCE instance belongs to a network, and by default only instances within the same network can see each other.

Compute Engine is a pay-per-usage service with a 10-minute minimum and per-minute billing thereafter. There are no up-front fees or time-period commitments. GCE competes with Amazon's Elastic Compute Cloud (EC2) and Microsoft Azure.



Google Compute Engine offers many capabilities



Create virtual machines with a variety of configurations


  • Launch a standard boot image based on Debian or CentOS 6.2 images, or create your own image.
  • Create a 64 bit x86 Linux-based virtual machine (VM) instance. Google Compute Engine offers a variety of machine types that you can choose from for your instances.

Maintain and store data in persistent block storage


  • From a VM image, mount persistent block storage (persistent disk) that maintains state beyond the life cycle of the VM instance. Data on persistent disks are retained even if your virtual machine instance suffers a failure or is taken offline. Persistent disk data is also replicated for additional redundancy.

Manage network access to your virtual machines


  • Use your virtual machines alone or connected together to form a compute cluster
  • Connect your machines to the Internet with a flexible networking solution that offers static and ephemeral IPv4 addresses for your instances.
  • Use the built-in layer 3 load balancing service to distribute heavy workloads across many virtual machines.
  • Use an easily configurable firewall to set up network access to your instances.
  • Create an internal network of virtual machines or set up access to external traffic by setting up customizable firewall rules.
  • Connect your VM instances to each other and to the Internet with Google's fully encapsulated layer 3 network. The network offers strong isolation to help protect your instances from undesired access.
  • Locate other instances in your project using DNS lookup of VM names.

Use a variety of tools and OAuth 2.0 authentication to manage your virtual machines


  • Access your virtual machine instances through the Compute Engine console, RESTful API, or through a simple command line tool.
  • Take advantage of OAuth 2.0 to authenticate to the RESTful API to create and delete virtual machine instances, disks, and other resources. Also, leverage OAuth 2.0 to seamlessly integrate with other Google Cloud services such as Google Cloud Storage.
  • Use service account identities to authenticate your instances to other services, and remove the need to push keys into VM instances.

Note:  Google Compute Engine does not guarantee 100% uptime, so you should take steps to make sure that your service can easily regenerate the state on an instance should an unexpected failure occur. If you do not, your service will be adversely affected if your instances fall offline.


Sunday, July 6, 2014

Amazing Features of recently introduced Red Hat Enterprise Linux 7 (RHEL7) by Red Hat


Introduction 


After more than six months of public beta testing and more than three years after its previous major point release, RHEL (Red Hat Enterprise Linux) version 7 is out. The update speaks to Red Hat's interest in outfitting RHEL with many of the latest enterprise and data center features. Here are some of the amazing features of the newly launched RHEL 7.


Features

Red Hat's latest release of its flagship platform, RHEL 7, delivers dramatic improvements in reliability, performance, and scalability. A wealth of new features provides the architect, system administrator, and developer with the resources necessary to innovate and manage more efficiently.


Linux Containers


Linux Containers provide a method of isolating a process and simulating its environment inside a single host. They provide application sandboxing technology to run applications in a secure container environment, isolated from other applications running in the same host operating system environment. Linux Containers are useful when multiple copies of an application or workload need to be run in isolation, but share environments and resources.



Identity Management


Cross-Realm Kerberos Trust

Identity Management in Red Hat Enterprise Linux can now establish cross-realm trust with Microsoft Active Directory. Synchronization between the two identity stores is not needed. This new capability makes it possible for users with Active Directory credentials to access Linux resources without requiring additional identity authentication, so that single sign-on functionality exists across Microsoft Windows and Linux domains.


RealmD

RealmD discovers information about the domain or realm automatically and simplifies the configuration needed to join it. RealmD works with Microsoft Active Directory and Red Hat Enterprise Linux identity management. 


Performance Management


Performance Co-Pilot

Performance Co-Pilot is a new framework for system-wide performance monitoring, recording, and analysis that provides an API for importing and exporting sampled and traced data. It also includes tools for interrogating, retrieving, and processing the collected data. Performance Co-Pilot can transmit this data across a network and integrate with subsystems such as syslogd, sar/sysstat, and systemd. It provides a common graphical user interface for browsing through all collected data as well as interactive text interfaces. 


Tuned and Tuned Profiles

Tuned is an adaptive system-tuning daemon that tunes system settings dynamically depending on usage. Red Hat Enterprise Linux 7 includes several default tuned profiles, allowing administrators to benefit from better performance and power management for common workloads with very little tweaking. By default, the tuned profile selected is based on the Red Hat Enterprise Linux product variant, though administrators can modify the profile to address intended use cases.

TUNA

Red Hat Enterprise Linux 7 enhances Tuna beyond just the process performance monitoring capabilities found in Red Hat Enterprise Linux 6 with additional support for kernel parameter tuning, along with profile customization and management.

Tuna has a unified, easy-to-use graphical user interface for system performance tuning, monitoring, and tuned profile management. It helps customers get the best performance out of their systems by using proactive load balancing and monitoring to eliminate hot spots, prevent performance problems, and avoid potential service calls.

NUMA Affinity

With more and more systems, even at the low end, presenting Non-Uniform Memory Access (NUMA) topologies, Red Hat Enterprise Linux 7 addresses the performance irregularities that such systems present. A new, kernel-based NUMA affinity mechanism automates memory optimization. It attempts to match processes that consume significant resources with available memory and CPU resources in order to reduce cross-node traffic. The resulting improved NUMA resource alignment improves performance for applications and virtual machines, especially when running  memory-intensive workloads. 

Hardware Event Reporting Mechanism (HERM)

Red Hat Enterprise Linux 7 unifies hardware event reporting into a single reporting mechanism. Instead of various tools collecting errors from different sources with different timestamps, a new Hardware Event Reporting Mechanism (HERM) will make it easier to correlate events and get an accurate picture of system behavior. HERM reports events in a single location and in a sequential timeline. HERM uses a new userspace daemon, rasdaemon, to catch and log all RAS events coming from the kernel tracing infrastructure.


Virtualization


Guest Integration with VMware

Red Hat Enterprise Linux 7 advances the level of integration between the Red Hat Enterprise Linux guest and VMware vSphere.

Integration now includes:

  • Open VM Tools. 
  • 3D graphics drivers for hardware-accelerated OpenGL and X11 rendering. 
  • Fast communication mechanisms between VMware ESX and the virtual machine. 

Combined, these additions provide a rich, high-performance environment for the Red Hat Enterprise Linux virtual machine running on VMware.


Cryptography Support

KVM-based virtualization capabilities meet new cryptographic security requirements from both US and UK governments by adding the ability for the virtual machine to draw entropy from the host. By default, this information is sourced from the host’s /dev/random file, but hardware random number generators available on hosts can be used as the source as well.

By alleviating entropy starvation in guests, cryptographic applications running on the guest are more effective. This feature is especially important to highly security-conscious customers such as federal governments, online merchants, financial institutions, and defense contractors.


Virtual Function I/O Device Assignment 

The Virtual Function I/O (VFIO) userspace driver interface improves PCI device assignment for KVM. VFIO provides kernel-level enforcement of device isolation, improves security of device access, and is compatible with features such as secure boot. For example, Red Hat Enterprise Linux 7 uses the VFIO framework for Graphic Processing Unit (GPU) device assignment. Note that VFIO replaces the KVM device assignment mechanism used in Red Hat Enterprise Linux 6.


Development


OpenJDK

Red Hat Enterprise Linux 7 includes OpenJDK 7 as the default Java development and runtime environment. OpenJDK 7 is the most current stable version of publicly available Java. It provides more stability, better performance, better support for dynamic languages, and quicker startup times.

All Java 7 packages (java-1.7.0-openjdk, java-1.7.0-oracle, java-1.7.0-ibm) in Red Hat Enterprise Linux 7 let you install multiple versions in parallel, similarly to the kernel. Parallel installation makes it simpler to try out multiple versions of the same JDK simultaneously in order to tune performance and debug problems if needed.


Installation and Deployment


In-Place Upgrade

Red Hat Enterprise Linux 7 provides support that simplifies the task of performing in-place upgrades. A pre-upgrade assistant package is provided in the Red Hat Enterprise Linux 6.5 beta zstream, which reports what can be upgraded in place and what will have to be done manually. The report describes the issues and links to knowledgebase articles available in the Red Hat Customer Portal.

The report includes information on configuration files that will be modified and identifies existing user-modified configuration files, recommending some to be manually checked. At that point, the administrator can decide if the end result of an in-place upgrade is sufficient for their needs. Upon executing the in-place upgrade, the administrator can then inspect the final results and decide to complete the upgrade.


Partitioning Defaults for Rollback

The ability to revert to a known, good system configuration is crucial in a production environment. Using LVM snapshots with ext4 and XFS (or the integrated LVM snapshotting feature in Btrfs) an administrator can capture the state of a system and preserve it for future use. An example use case would involve an in-place upgrade that does not present a desired outcome and an administrator who wants to restore the original configuration.

Anaconda Kickstart for Active Directory Integration

A system administrator can now create kickstart installation files that do not require administrative credentials. The installed system can then join an Active Directory domain with a one-time password. This new feature eliminates the need for writing and maintaining large blocks of interdependent code in two domains.

Creating Installation Media

Red Hat Enterprise Linux 7 introduces Live Media Creator for creating customized installation media from a kickstart file for a range of deployment use cases. Media can be used to deploy standardized images, whether on standardized corporate desktops, standardized servers, virtual machines, or hyperscale deployments. Live Media Creator, especially when used with templates, provides a way to control and manage configurations across the enterprise.

Server Profile Templates

Red Hat Enterprise Linux 7  features the ability to use installation templates to create servers for common workloads. These templates can simplify and speed creating and deploying Red Hat Enterprise Linux servers, even for those with little or no experience with Linux.


Desktop


Red Hat Enterprise Linux 7 includes three desktops to match different work styles and preferences:


  • GNOME 3
  • GNOME Classic
  • KDE


GNOME 3 provides a focused working environment that encourages productivity. A powerful search feature lets you access all your work from one place. Side-by-side windows make it easy to view several documents at the same time, and you can turn off notifications when you need to concentrate on the task in hand.

Every part of GNOME 3 has been designed with simplicity and ease-of-use in mind. Activities Overview gives an easy way to access all your basic tasks. A press of a button is all it takes to view your open windows, launch applications, or check if you have new messages.

GNOME 3 integrates well with online document-storage services, calendars, and contact lists, so all your data can be accessed from the same place.

GNOME Classic combines old and new; it keeps the familiar look and feel of GNOME 2, but adds the powerful new features and 3-D capabilities of GNOME Shell.

In addition to GNOME 3 and GNOME Classic, Red Hat Enterprise Linux 7 offers version 4 of the KDE desktop, the latest stable version of this popular desktop.



Management 



System-Wide Resource Management

Systemd, a system and service manager for Linux, is compatible with SysV and LSB init scripts and can work as a drop-in replacement for sysvinit, as it is backward-compatible with sysvinit scripts. Systemd, now included in Red Hat Enterprise Linux 7:


  • Provides aggressive parallelization capabilities. 
  • Uses socket and D-Bus activation for starting services. 
  • Offers on-demand starting of daemons. 
  • Keeps track of processes using Linux cgroups. 
  • Supports creating snapshots and restoring system state. 
  • Maintains mount and automount points. 
  • Implements fine-grained transactional, dependency-based, service control logic.



OpenLMI

The OpenLMI project provides a common infrastructure for the remote management of Linux systems. Capabilities include configuration, management, and monitoring of hardware, operating systems, and system services. OpenLMI includes a set of services that can be accessed both locally and remotely, multiple language bindings, standard APIs, and standard scripting interfaces. It enables system administrators to manage more systems, automate management operations, and manage both physical and virtual servers. The standardized tool interface shortens the learning curve for new administrators and the standard APIs make it easier to build custom tools.

Storage management capabilities simplify configuring and managing storage, especially on systems with multiple drives. A traditional issue on Linux systems is that volume labels can change when hardware is reconfigured. OpenLMI avoids this problem by allowing you to address volumes by volume label, UUID, or Device ID. The combination of a standardized API and persistent device names makes it easy to keep storage consistent, even when hardware and software change.

OpenLMI enables remote network management by providing a standardized API to query and configure the network hardware. In addition to standard network configuration, it supports configuring network bridging and bonding and provides notification of changes in network configuration.

A system administrator can use the OpenLMI Software Provider to remotely add or remove services, determine the state of a service (started, running, stopped, failed), and enable, start, or restart a service.



File Systems



  • Red Hat Enterprise Linux now supports XFS file systems that are up to 500TB in size. The previous support limit was 100TB.
  • Btrfs is a relatively young file system especially useful for local, large-scale use cases. Btrfs includes basic volume management, snapshot support, full data and metadata integrity checksumming, and a command-line interface that makes these advanced features easier to use than in other large-scale file systems.
  • Ext4 supports a file system that is 50TB in size, up from 16TB.
  • The Red Hat Enterprise Linux pNFS client now supports all commercially available server layout types.
  • The CIFS networking file system with server message block (SMB) protocol updates will provide better performance, security, and more features than were available with previous protocols.
  • GFS2 commands now more accurately deal with RAID stripe alignment and placement of critical elements such as journals and resource groups. This increases the scalability and performance of GFS2 when the file system is being created and when it is used.



Storage



iSCSI and FCoE Targets

Red Hat Enterprise Linux 7 includes a new software implementation of the iSCSI (RFC-3720 mode) and Fibre Channel over Ethernet (FCoE) targets in the kernel, as opposed to in user space, as was the case previously. This new implementation makes it possible to replace expensive shared storage arrays with Linux-based storage appliances built on commodity hardware.


Dynamic LUN Detection

Logical units (LUN) can now be dynamically recognized by the operating system with no manual intervention, resulting in fewer reboots and less downtime.


SNAPPER

Snapper is a new utility that creates, deletes, labels, and organizes snapshots of the Btrfs file system and logical volume manager block devices. The additional information and tooling give system administrators more control over their backup environment.




Security



Dynamic FIREWALL

With firewalld, a firewall does not have to be stopped in order to change its rules. This increases the security of the system by eliminating the window during which the host is unprotected while rules are reloaded, and it adds the ability to respond to threats by quickly activating new rules. In addition to dynamic configuration capabilities, firewalld supports a powerful rules language that simplifies configuring firewalls.


Structured Logging

Logged information is now structured, which makes automated log analysis tools more powerful and effective. The existing log file format is unchanged, so your existing tools and processes continue to work without requiring modifications.


Labeled NFS

Labeled NFS allows customers to deploy more secure environments, including secure virtual machine home directories stored on NFS servers. Images in a Red Hat Enterprise Virtualization storage domain can have labels conveniently assigned and issued by the Red Hat Enterprise Virtualization Manager.

Many types of attacks on a system can be prevented by providing fine-grained control of who can access system resources. SELinux protection is now available when using NFS, simplifying the development of secure applications. The Linux kernel has enhanced support for passing SELinux labels between a client and server using NFS.




Networking



NetworkManager Interfaces

NetworkManager has two new user interfaces: a command-line tool (nmcli) and a curses-based, text user interface (TUI). Nmcli is intended for administrators who prefer command-line access for managing network services and is useful for remote network administration and managing headless servers. The TUI replaces system-config-network-tui and simplifies configuring many network settings for those who do not want to edit configuration files directly.


Accurate Time Synchronization

Red Hat Enterprise Linux 7 supports the network time protocol (NTP) implementation Chrony, which provides more accurate clock synchronization than the network time protocol daemon (ntpd).


Benefits of Chrony include:


  • Faster synchronization. Chrony usually needs only minutes instead of hours to minimize the time and frequency error, which is useful on desktops or systems not running 24 hours a day.
  • A larger range for frequency correction (100000 ppm vs. 500 ppm) is useful for virtual machines that have quickly drifting clocks. 
  • Better response to rapid changes in the clock frequency, useful for virtual machines that have unstable clocks or for power-saving technologies that don’t keep the clock frequency constant. 
  • After the initial synchronization, the clock is never stepped, which is useful for applications needing system time to be monotonic.
  • Better stability with temporary asymmetric delays, for example when the link is saturated by a large download.
  • Periodic polling of servers is not required, so systems with intermittent network connections can still quickly synchronize clocks.


Precision Time Protocol

Red Hat Enterprise Linux 7 supports IEEE 1588 PTPv2 (Precision Time Protocol version 2) in combination with a supported network card. PTP is used to precisely synchronize clocks in an Ethernet network. When used in conjunction with the appropriate hardware, it is capable of achieving clock accuracy in the sub-microsecond range, which is far more accurate than is typically obtainable with the network time protocol (NTP). This feature is particularly important for applications in the financial services and trading-related industries, where application latency is measured in microseconds.


Team Driver Link Aggregation

The Team Driver project is new for Red Hat Enterprise Linux 7 and provides a mechanism to team multiple network devices (ports) into a single logical interface at the data link layer (layer 2). This mechanism is typically used to increase the maximum bandwidth and provide redundancy.

Team Driver implements only the necessary data fast-path parts in the kernel; the majority of its logic is implemented as a user space daemon. This approach provides advantages over traditional bonding, such as more stability, easier debugging, and simpler extension, while providing equal or better performance.


TCP Enhancements

Various improvements to transmission control protocol (TCP) aim to reduce latency for connection-oriented services such as web servers built on Red Hat Enterprise Linux.


  • Fast Open is an experimental TCP extension (not yet approved by the Internet Assigned Numbers Authority (IANA)) designed to reduce the overhead when establishing a TCP connection by eliminating one round-trip time (RTT) from certain kinds of TCP conversations. Fast Open could result in speed increases of between 4% and 41% in page-load times.
  • Tail loss probe (TLP), an experimental algorithm, improves the efficiency of how the TCP networking stack deals with lost packets at the end of a TCP transaction. TLP could reduce re-transmission timeouts by 15% and shorten HTTP response times by an average of 6%.
  • Early Retransmit (RFC 5827) allows the transport to use fast retransmits to recover segment losses that would otherwise require a lengthy timeout. Connections can recover from lost packets faster, which decreases overall latency.
  • Proportional Rate Reduction (PRR) is an experimental algorithm designed to return to the maximum transfer rate quickly. It can potentially reduce HTTP response times by 3-10%.



40G Ethernet Link Speed

Red Hat Enterprise Linux 7 supports 40G Ethernet link speeds, which enables faster network communication for systems and applications.


Low-Latency Sockets

Low-latency sockets are a software implementation that reduces networking latency and jitter within the kernel. This implementation makes it easy for applications to poll for new packets directly in the network driver, which speeds up the movement of packets into the network stack. Applications that are sensitive to unpredictable latency benefit from the top-down, busy-wait polling method that replaces interrupts for incoming packets.



High Availability



Enhanced CLUSTER Resource Manager

Cluster resource management has been enhanced through several additions: 



  • Simplified administrative procedures reduce the amount of effort it takes to monitor and manage a cluster. 
  • Finer-grained monitoring of every component in the cluster stack provides more awareness and control over applications running in high-availability environments. Resources can have multiple states associated with them and can be managed on a scheduled basis or manually. An important new feature is the ability to create user-defined actions.
  • Resource cloning allows a single command to be replicated across multiple nodes in the cluster. For example, by using cloned resources, issuing a single command can cause a GFS2 filesystem to be mounted on all nodes within the cluster.
  • The new cluster resource manager has both a graphical and a command-line interface. The new resource manager provides a single environment for managing clusters running Red Hat Enterprise Linux 6 and 7.



PACEMAKER Policy Engine

The pacemaker remote capabilities now apply to virtual machines within a cluster. With Red Hat Enterprise Linux 7, users can run pacemaker from within a virtual machine and control resources and applications running in other virtual machines in the cluster.











Sunday, June 22, 2014

A Quick Overview - SFA, TFA & MFA

What is SFA - Single Factor Authentication 


This is “something a user knows.” The most recognized type of Single Factor Authentication method is the password. Single Factor Authentication (SFA) is the traditional security process that requires a user name and password before granting access to the user.

SFA security relies on the diligence of the user, who should take additional precautions -- for example, creating a strong password and ensuring that no one can access it. For applications that require greater security, it may be advisable to implement more complex systems, such as Multi Factor Authentication.




What is TFA - Two Factor Authentication


In Two Factor Authentication, in addition to the first factor, the second factor is “something a user has.” Examples of something a user has are a fob that generates a pre-determined code, a signed digital certificate or even a biometric such as a fingerprint. The most recognized form of two-factor authentication is the ubiquitous RSA SecurID fob.

In a Two Factor Authentication system, the user provides dual means of identification, one of which is typically a physical token, such as a card, and the other of which is typically something memorized, such as a security code. This is a process involving two stages to verify the identity of an entity trying to access services in a computer or in a network. In Two Factor Authentication, each step involves a different authentication factor.

An Automated Teller Machine (ATM) typically requires Two Factor Authentication. To prove that users are who they claim to be, the system requires two items: an ATM smartcard (application of the possession factor) and the personal identification number (PIN) (application of the knowledge factor). In the case of a lost ATM card, the user's accounts are still safe; anyone who finds the card cannot withdraw money as they do not know the PIN. The same is true if the attacker has only knowledge of the PIN and does not have the card. This is what makes Two Factor Authentication more secure: there are two factors required in order to authenticate.




What is MFA - Multi Factor Authentication


In Multi Factor Authentication, in addition to the previous two factors, the third factor is “something a user is.” Examples of a third factor are all biometric, such as the user’s voice, hand configuration, a fingerprint, a retina scan or similar. The most recognized form of Multi Factor Authentication is usually the retina scan combined with Two Factor Authentication.

Multi Factor Authentication is an approach to authentication which requires the presentation of the three authentication factors: a knowledge factor ("something only the user knows"), a possession factor ("something only the user has"), and an inherence factor ("something only the user is"). After presentation, each factor must be validated by the other party for authentication to occur.

Multi Factor Authentication is often confused with other forms of authentication. Multi Factor Authentication requires the use of all three authentication factors. The factors are identified in the standards and regulations for access to U.S. Federal Government systems. These factors are:

  1. Something only the user knows (e.g., password, PIN, pattern);
  2. Something only the user has (e.g., ATM card, smart card, mobile phone); and
  3. Something only the user is (e.g., biometric characteristic, such as a fingerprint)

The goal of MFA is to create a layered defense and make it more difficult for an unauthorized person to access a target such as a physical location, computing device, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Typical MFA scenarios include:

  • Swiping a card and entering a PIN.
  • Downloading a VPN client with a valid digital certificate and logging into the VPN before being granted access to a network.
  • Logging into a website and being requested to enter an additional one-time password (OTP) that the website's authentication server sends to the requester's phone or email address.
  • Swiping a card, scanning a fingerprint and answering a security question.
  • Attaching a USB hardware token to a desktop that generates an OTP and using the one-time password to log into a VPN client.
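The fob or phone-generated one-time code described in the Two Factor section and in the MFA scenarios above can be verified as follows. This is an added example, not code from the original post; it assumes the token uses the HOTP/TOTP counter- and time-based algorithms (RFC 4226 / RFC 6238), and the secret, salt and password are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret: the RFC 4226 test key, not a real credential.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, now, step=30, digits=6):
    """Time-based OTP (RFC 6238): HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret, submitted, now, step=30, skew=1):
    """Accept the code for the current step or `skew` steps either side
    (tolerates clock drift between token and server); constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret, now + d * step, step), submitted)
        for d in range(-skew, skew + 1)
    )


def hash_password(password, salt):
    """Knowledge factor: store a salted PBKDF2 hash, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def two_factor_login(stored_hash, salt, totp_secret, password, otp, now):
    """Both factors must pass. Both are always evaluated, so a failure does
    not reveal which factor was wrong."""
    pw_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    otp_ok = verify_totp(totp_secret, otp, now)
    return pw_ok and otp_ok


if __name__ == "__main__":
    salt = b"constructed-salt"      # constructed; use os.urandom(16) in practice
    stored = hash_password("correct horse", salt)
    now = int(time.time())
    code = totp(DEMO_SECRET, now)   # what the token or phone app would display
    print("login:", two_factor_login(stored, salt, DEMO_SECRET, "correct horse", code, now))
    print("wrong password:", two_factor_login(stored, salt, DEMO_SECRET, "guess", code, now))
```

The HOTP values for counters 0 and 1 with this demo key (755224 and 287082) are the published RFC 4226 test vectors, so the implementation can be checked against the standard.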

In the United States, interest in Multi Factor Authentication has been driven by regulations such as the Federal Financial Institutions Examination Council (FFIEC) directive calling for Multi Factor Authentication for Internet banking transactions.








Sunday, June 1, 2014

A Quick Overview - IP Spoofing

IP Spoofing (IP address forgery or a host file hijack)


IP address spoofing or IP spoofing is the creation of Internet Protocol (IP) packets with a forged source IP address, with the purpose of concealing the identity of the sender or impersonating another computing system.

IP spoofing, also known as IP address forgery or a host file hijack, is a hijacking technique in which a cracker masquerades as a trusted host to conceal their identity, spoof a Web site, hijack browsers, or gain access to a network. Here's how it works: the hijacker obtains the IP address of a legitimate host and alters packet headers so that the legitimate host appears to be the source.

When IP spoofing is used to hijack a browser, a visitor who types in the URL (Uniform Resource Locator) of a legitimate site is taken to a fraudulent Web page created by the hijacker. For example, if the hijacker spoofed the Instagram Web site, then any Internet user who typed in the URL www.instagram.com would see spoofed content created by the hijacker.

If a user interacts with dynamic content on a spoofed page, the hijacker can gain access to sensitive information or computer or network resources. He could steal or alter sensitive data, such as a credit card number or password, or install malware. The hijacker would also be able to take control of a compromised computer to use it as part of a zombie army in order to send out spam.

Web site administrators can minimize the danger that their IP addresses will be spoofed by implementing hierarchical or one-time passwords and data encryption/decryption techniques. 

Users and administrators can protect themselves and their networks by installing and implementing firewalls that block outgoing packets with source addresses that differ from the IP address of the user's computer or internal network.

IP spoofing is most frequently used in denial-of-service attacks. In such attacks, the goal is to flood the victim with overwhelming amounts of traffic, and the attacker does not care about receiving responses to the attack packets. Packets with spoofed addresses are thus suitable for such attacks. They have additional advantages for this purpose—they are more difficult to filter since each spoofed packet appears to come from a different address, and they hide the true source of the attack. Denial of service attacks that use spoofing typically randomly choose addresses from the entire IP address space, though more sophisticated spoofing mechanisms might avoid unroutable addresses or unused portions of the IP address space. The proliferation of large botnets makes spoofing less important in denial of service attacks, but attackers typically have spoofing available as a tool, if they want to use it, so defenses against denial-of-service attacks that rely on the validity of the source IP address in attack packets might have trouble with spoofed packets. Backscatter, a technique used to observe denial-of-service attack activity in the Internet, relies on attackers' use of IP spoofing for its effectiveness.

IP spoofing can also be a method of attack used by network intruders to defeat network security measures, such as authentication based on IP addresses. This method of attack on a remote system can be extremely difficult, as it involves modifying thousands of packets at a time. This type of attack is most effective where trust relationships exist between machines. 

For example, it is common on some corporate networks to have internal systems trust each other, so that users can log in without a username or password provided they are connecting from another machine on the internal network (and so must already be logged in). By spoofing a connection from a trusted machine, an attacker may be able to access the target machine without authentication.
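The two firewall checks that address both the outbound filtering described above (block packets leaving with a source address outside the internal network) and the trusted-internal-host case just described (drop packets arriving from the Internet that claim an internal source) can be modelled as follows. This is an added example, not code from the original post; the internal prefix, interface names and sample packets are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site layout (assumptions for the demo): one internal /24 behind
# a border firewall with an inside ("lan") and an Internet-facing ("wan") interface.
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")
# Private/reserved ranges that should never arrive from the Internet as a source.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet crosses: "lan" or "wan"
    direction: str  # "in" = arriving on iface, "out" = leaving via iface
    src: str
    dst: str


def check_packet(pkt):
    """Return (allowed, reason). Egress rule: anything sent to the Internet
    must carry one of our own addresses (BCP 38 style). Ingress rule: a packet
    arriving from the Internet must not claim an internal or bogon source."""
    src = ipaddress.ip_address(pkt.src)
    if pkt.iface == "wan" and pkt.direction == "out" and src not in INTERNAL_NET:
        return False, "egress: source %s is not in %s" % (src, INTERNAL_NET)
    if pkt.iface == "wan" and pkt.direction == "in":
        if src in INTERNAL_NET:
            return False, "ingress: external packet claims internal source %s" % src
        if any(src in net for net in BOGONS):
            return False, "ingress: bogon source %s" % src
    return True, "ok"


def filter_traffic(packets):
    """Apply check_packet to each packet; return (allowed, dropped_with_reasons)."""
    allowed, dropped = [], []
    for pkt in packets:
        ok, reason = check_packet(pkt)
        if ok:
            allowed.append(pkt)
        else:
            dropped.append((pkt, reason))
    return allowed, dropped


# Constructed sample traffic (RFC 5737 documentation addresses for the outside).
SAMPLE = [
    Packet("wan", "out", "192.168.10.5", "203.0.113.9"),   # legitimate outbound
    Packet("wan", "out", "198.51.100.7", "203.0.113.9"),   # spoofed outbound source
    Packet("wan", "in", "203.0.113.9", "192.168.10.5"),    # legitimate inbound
    Packet("wan", "in", "192.168.10.20", "192.168.10.1"),  # outsider posing as trusted host
    Packet("wan", "in", "10.4.4.4", "192.168.10.5"),       # bogon source
]

if __name__ == "__main__":
    kept, dropped = filter_traffic(SAMPLE)
    print("allowed:", len(kept))
    for pkt, why in dropped:
        print("dropped", pkt.src, "->", pkt.dst, ":", why)
```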

Spoofed IP packets are not incontrovertible evidence of malicious intent; however, in performance testing of websites, hundreds or even thousands of "vusers" (virtual users) may be created, each executing a test script against the Web site under test, in order to simulate what will happen when the system goes "live" and a large number of users log on at once.

Since each user will normally have their own IP address, commercial testing products (such as HP's LoadRunner software or Websense, etc.) can use IP spoofing to give each virtual user its own "return address" as well.