Merge branch 'master' of https://github.com/LCTT/TranslateProject into translating

geekpi 2022-05-13 09:28:48 +08:00
commit 1525038f48
11 changed files with 668 additions and 393 deletions

@ -3,41 +3,40 @@
[#]: author: "Seth Kenlon https://opensource.com/users/seth"
[#]: collector: "lujun9972"
[#]: translator: "MjSeven"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-14584-1.html"
当下运行容器的 3 个步骤
======
在本教程中,你将学习如何在一个 pod 中运行两个容器来托管一个 WordPress 站点。
![堆积的运输容器][1]
> 在本教程中,你将学习如何在一个“吊舱”中运行两个容器来托管一个 WordPress 站点。
![](https://img.linux.net.cn/data/attachment/album/202205/12/121429y2s9v96rxxk2litk.jpg)
无论你是将其作为工作的一部分、未来的工作机会或者仅仅是出于对新技术的兴趣,容器对很多人,即使是经验丰富的系统管理员,可能是非常难以应付的。那么如何真正开始使用容器呢?从容器到 [Kubernetes][2] 的成长路径是什么?另外,为什么有不止一条路径?如你所料,最好的起点就是现在。
### 1\. 了解容器
### 1了解容器
转念一想,从头开始可以追溯到早期 BSD 及其特殊的 chroot 监狱,时间久了还是直接跳到最近发生的事情吧
略一回忆,容器的开端可以追溯到早期 BSD 及其特殊的 chroot 监狱,但让我们直接跳到发展中期讲起
不久前Linux 内核引入和 _cgroups_,允许你能够使用 _namespace_ 来“标记”进程。当你将进程组合到一个命名空间时,这些进程的行为在命名空间之外好像不存在任何东西,就像你把这些进程放入某种容器一样。当然,容器是虚拟的,它位于计算机内部,它和你操作系统的其余进程使用相同的内核、RAM 和 CPU但你已经包含了这些进程。
之前Linux 内核引入了 “<ruby>控制组<rt>cgroup</rt></ruby>”,允许你能够使用 “<ruby>命名空间<rt>namespace</rt></ruby>” 来“标记”进程。当你将进程分组到一个命名空间时,这些进程的行为就像在命名空间之外的东西不存在一样,这就像你把这些进程放入某种容器中。当然,这种容器是虚拟的,它位于计算机内部,它和你操作系统的其余进程使用相同的内核、内存和 CPU但你用容器包含了这些进程。
预制容器仅包含运行它所包含的应用程序必须的内容。使用容器引擎,如 [Podman][3]、Docker 或 CRI-O你可以运行容器化应用程序,而无需像之前一样操作很多配置。容器引擎通常是跨平台的,因此即使容器运行在 Linux 上,你也可以在其他 Linux、MacOS 或 Windows 上启动容器。
分发的预制容器仅包含运行它所包含的应用程序必须的内容。使用容器引擎,如 [Podman][3]、Docker 或 CRI-O你可以运行一个容器化应用程序,而无需进行传统意义上的安装。容器引擎通常是跨平台的,因此即使容器运行在 Linux 上,你也可以在其他 Linux、MacOS 或 Windows 上启动容器。
更重要的是,当需求量很大时,你可以运行同一应用程序的多个容器。
现在你知道了什么是容器,下一步是运行一个容器。
**[ 获取备忘录:[Pod、集群和容器之间有什么区别][4] ]**
### 2、运行一个容器
### 2\. 运行一个容器
在运行容器之前,你应该有一个想要运行它的理由。你可以编一个,这有助于你对让容器创建过程感兴趣,这样你就会受到鼓舞,真正去使用你所运行的容器。毕竟,运行容器但不使用它提供的应用程序,只能证明你没有注意到任何故障,但使用容器证明它可以工作。
在运行容器之前,你应该有一个想要运行它的理由。你可以编一个,这有助于你对让容器创建过程感兴趣,这样你在运行容器过程中会收到鼓舞。毕竟,运行容器但不使用它提供的应用程序只能证明你没有注意到任何故障,但使用容器证明它可以工作
我推荐从 WordPress 开始,它是一个很流行的 Web 应用程序,容易使用,所以一旦容器运行起来,你就可以测试使用它。虽然你可以轻松地配置一个 WordPress 容器,但还是有很多配置选项可以引导你发现更多运行容器的方式(例如运行数据库容器)以及容器如何通信
我推荐从 WordPress 开始,它是一个很流行的 Web 应用程序,容易使用,所以一旦容器运行,你就可以测试使用它。虽然你可以轻松地配置一个 WordPress 容器,但还是有很多配置选项可以引导你发现更多容器选项(例如运行数据库容器)以及容器如何通信。
我使用 Podman它是一个友好、方便且无守护进程的容器引擎。如果你没有安装 Podman可以改用 Docker 命令。它们都是很棒的开源容器引擎,而且它们的语法是相同的(只需输入 `docker` 而不是 `podman`)。因为 Podman 没有守护进程,所以它需要更多的配置,这种代价是值得的。
如果你使用 Docker可以跳到 [WordPress 容器部分][5],否则,打开终端安装并配置 Podman
我使用 Podman它是一个友好、方便且无守护进程的容器引擎。如果你没有安装 Podman可以改用 Docker 命令。它们都是很棒的开源容器引擎,而且它们的语法是相同的(只需输入 `docker` 而不是 `podman`)。因为 Podman 没有守护进程,所以它需要更多的配置,但为了这种运行免 root、无守护进程的容器的能力是值得的。
如果你使用 Docker可以跳到下面的 [运行 WordPress 容器][5] 小节,否则,打开终端安装并配置 Podman
```
$ sudo dnf install podman
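Review bot: The new image line (`![](...)` pointing at img.linux.net.cn) has empty alt text, while the line it replaces read `![堆积的运输容器][1]`; carry the description over into the new line so the image is still described when it does not load, and check whether the `[1]` reference definition is now unused. The subtitle in this hunk also introduces “吊舱” with no gloss, while the `<ruby>吊舱<rt>pod</rt></ruby>` annotation only appears in section 3 and the cheat-sheet link here still says “Pod”; putting the annotation on the first occurrence would keep readers from reading them as two different terms.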
@ -45,7 +44,6 @@ $ sudo dnf install podman
容器会产生许多进程,通常只有 root 用户有权创建数千个进程 ID。创建一个名为 `/etc/subuid` 的文件,定义一个适当的起始 UID 和大量合法的 PID这样就可以为你添加一些额外的进程 ID
```
seth:200000:165536
```
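Review bot: The paragraph above the `seth:200000:165536` example describes the range as process IDs (“大量合法的 PID”), but `/etc/subuid` entries are `user:start:count` ranges of subordinate user IDs that a rootless container maps into its user namespace. If the wording follows the source article, a short translator's note here would stop readers from sizing this range by process count.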
@ -61,7 +59,6 @@ staff:200000:165536
```
$ sysctl --all --pattern user_namespaces
user.max_user_namespaces = 28633
```
如果你的用户无权管理超过 28,000 个命名空间,创建 `/etc/sysctl.d/userns.conf` 文件来增加数量并输入:
@ -76,18 +73,15 @@ user.max_user_namespaces=28633
```
$ podman run --name mypress \
-p 8080:80 -d wordpress
-p 8080:80 -d wordpress
```
给 Podman 一会来找到容器,从互联网下载它,然后启动。
给 Podman 一会时间来找到容器、从互联网下载它,然后启动。
在收到终端返回提示后启动 Web 浏览器,打开 `localhost:8080`。WordPress 正在运行,等待你进行设置。
在收到终端返回提示启动 Web 浏览器,打开 `localhost:8080`。WordPress 正在运行,等待你进行设置。
![WordPress 容器][6]
(Seth Kenlon, [CC BY-SA 4.0][7])
不过,你很快就会遇到障碍,因为 WordPress 使用数据库来存储数据,因此你需要为其提供一个数据库。
在继续之前,停止并删除 WordPress 容器:
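Review bot: `-p 8080:80` in the `podman run --name mypress` command publishes the port on every host interface, and the following paragraph says WordPress is then running and waiting to be set up, so the unconfigured installer is reachable from the network and not only from the local machine. The text only ever opens `localhost:8080`, so a translator's note suggesting `-p 127.0.0.1:8080:80` for this walkthrough would fit here.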
@ -95,62 +89,54 @@ $ podman run --name mypress \
```
$ podman stop mypress
$ podman rm mypress
```
### 3\. 在 pod 中运行容器
### 3、在吊舱中运行容器
容器在设计上是独立的,正如它们的名字所暗示的那样。在容器中运行的应用程序不应该与在容器外的应用程序或基础设进行交互。因此,当一个容器需要另一个容器才能运行时,一种解决方案是将这两个容器放在一个更大的容器中,称为 _pod_。Pod 确保其容器可以共享重要的命名空间以便相互通信。
正如名字所暗示的那样,容器在设计上是独立的。在容器中运行的应用程序不应该与在容器外的应用程序或基础设进行交互。因此,当一个容器需要另一个容器才能运行时,一种解决方案是将这两个容器放在一个更大的容器中,称为 <ruby>吊舱<rt>pod</rt></ruby>”。吊舱确保其容器可以共享重要的命名空间以便相互通信。
创建一个新的 pod为 pod 提供一个名称,以及希望能够访问的端口:
创建一个新的吊舱,为它提供一个名称,以及希望能够访问的端口:
```
$ podman pod create \
\--name wp_pod \
\--publish 8080:80
--name wp_pod \
--publish 8080:80
```
确认 pod 存在:
确认吊舱存在:
```
$ podman pod list
POD ID        NAME     STATUS    INFRA ID      # OF CONTAINERS
100e138a29bd  wp_pod   Created   22ace92df3ef   1
```
#### 将容器添加到吊舱
#### 将容器添加到 pod
现在你已经为相互依赖的容器创建了一个 pod你可以通过指定一个运行的 pod 来启动每个容器。
现在你已经为相互依赖的容器创建了一个吊舱,你可以通过指定一个运行的吊舱来启动每个容器。
首先,启动一个数据库容器。你可以创建自己的凭据,只要在 WordPress 连接到数据库时使用相同的凭据。
```
$ podman run --detach \
--pod wp_pod \
--restart=always \
-e MYSQL_ROOT_PASSWORD="badpassword0" \
-e MYSQL_DATABASE="wp_db" \
-e MYSQL_USER="tux" \
-e MYSQL_PASSWORD="badpassword1" \
--name=wp_db mariadb
```
接下来,在同一个吊舱中启动 WordPress 容器:
```
$ podman run --detach \
\--pod wp_pod \
\--restart=always \
-e MYSQL_ROOT_PASSWORD="badpassword0" \
-e MYSQL_DATABASE="wp_db" \
-e MYSQL_USER="tux" \
-e MYSQL_PASSWORD="badpassword1" \
\--name=wp_db mariadb
```
接下来,在同一个 pod 中启动 WordPress 容器:
```
$ podman run --detach \
\--restart=always --pod=wp_pod \
-e WORDPRESS_DB_NAME="wp_db" \
-e WORDPRESS_DB_USER="tux" \
-e WORDPRESS_DB_PASSWORD="badpassword1" \
-e WORDPRESS_DB_HOST="127.0.0.1" \
\--name mypress wordpress
--restart=always --pod=wp_pod \
-e WORDPRESS_DB_NAME="wp_db" \
-e WORDPRESS_DB_USER="tux" \
-e WORDPRESS_DB_PASSWORD="badpassword1" \
-e WORDPRESS_DB_HOST="127.0.0.1" \
--name mypress wordpress
```
现在启动你最喜欢的网络浏览器并打开 `localhost:8080`
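Review bot: The `-e MYSQL_ROOT_PASSWORD="badpassword0"` and `-e MYSQL_PASSWORD="badpassword1"` lines put the database credentials on the command line, where they remain in shell history and appear in `podman inspect` output, and both containers are started with `--restart=always`, so a copied command leaves a long-lived service on those values. The sentence before the first command says readers can choose their own credentials; a translator's note pointing to `--env-file` or `podman secret` would make that concrete. Separately, “基础设进行交互” in the paragraph that introduces the pod is missing a character in both the old and the new line and should read “基础设施”.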
@ -159,17 +145,13 @@ $ podman run --detach \
![WordPress 启动][8]
(Seth Kenlon, [CC BY-SA 4.0][7])
创建用户账户后,你可以登录查看 WordPress 仪表板。
![WordPress dashboard running in a container][9]
(Seth Kenlon, [CC BY-SA 4.0][7])
### 下一步
你已经创建了两个容器,并在一个 pod 中运行了它们。你现在已经了解了如何在自己的服务器上运行容器及服务。如果你想迁移到云,容器非常适合你。使用像 Kubernetes 和 OpenShift 这样的工具,你可以自动化启动[集群上的容器和 pod][10]。如果你正在考虑采取下一步行动,阅读 Kevin Casey 的 [3 个开始使用 Kubernetes 的方法][11],并尝试他提到的 Minikube 教程。
你已经创建了两个容器,并在一个吊舱中运行了它们。你现在已经了解了如何在自己的服务器上运行容器及服务。如果你想迁移到云,容器非常适合你。使用像 Kubernetes 和 OpenShift 这样的工具,你可以自动化启动 [集群上的容器和吊舱][10]。如果你正在考虑采取下一步行动,阅读 Kevin Casey 的 [3 个开始使用 Kubernetes 的方法][11],并尝试他提到的 Minikube 教程。
--------------------------------------------------------------------------------
@ -178,7 +160,7 @@ via: https://opensource.com/article/22/2/start-running-containers
作者:[Seth Kenlon][a]
选题:[lujun9972][b]
译者:[MjSeven](https://github.com/MjSeven)
校对:[校对者ID](https://github.com/校对者ID)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出

@ -0,0 +1,160 @@
[#]: subject: "How to Install h.264 decoder on Ubuntu Linux"
[#]: via: "https://itsfoss.com/install-h-264-decoder-ubuntu/"
[#]: author: "Abhishek Prakash https://itsfoss.com/author/abhishek/"
[#]: collector: "lujun9972"
[#]: translator: "hwlife"
[#]: reviewer: "turbokernel"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-14583-1.html"
在 Ubuntu Linux 如何安装 H.264 解码器
======
![](https://img.linux.net.cn/data/attachment/album/202205/12/101451szky6vn0vn4ssv2s.jpg)
当你开始使用 [新安装的 Ubuntu 系统][1] 并尝试打开一个 MP4 文件进行播放时,它可能会显示一个错误,即:
> 播放这个文件要求 H.264(高清)解码器 ,但是没有安装。
![当播放特定媒体文件时Ubuntu 的默认视频播放器会显示错误][2]
你可能会猜到原因:系统没有安装所需的多媒体解码器,导致视频播放器播放该视频文件。
所以,解决方案是什么?安装所需的解码器。怎么做呢?
我将讨论解决这个问题的三种方法:
1. 只安装所需的解码器:它能解决所需的文件播放,但是一些其它格式的文件仍然会处在无解码器可用的状态。
2. 一次安装多种多媒体解码器:它会安装解码器之外,还会安装你不需要的其它软件包,类似微软的字体库一样。
3. 安装一个不同的视频播放器:像 VLC 和 MPV 视频播放器默认状态下对解码器有更好的支持。对大多数常规视频文件来说,你不必分别安装它们。
如果你遵从我的建议,我建议你采用第二种和第三种方法。为什么?一会你就知道了。
### 在 Ubuntu Linux 获取 H.264 解码器
这里我使用 Ubuntu Linux。第一和第三种方法应该也适用于其它发行版但是第二种方法不适用因为所提到的包常常是 Ubuntu 所独有的。
#### 方法 1: 只安装所需的解码器(不推荐)
当你看到这个错误时,它给你一个叫做 “在 Ubuntu 软件中心查找” 的按钮。点击这个按钮打开软件中心,可能显示(或不显示)一些将在你的系统上安装 H.264 解码器的软件包。
![在 Ubuntu 软件中心可能提供 H.264 解码器软件包][3]
软件包名可能听起来很相似,但是你需要安装来自<ruby>“不良”组合<rt>"bad" set</rt></ruby>的 GStreamer 多媒体解码器。注意检查软件包的描述。
或者,你可以使用如下命令在终端来安装软件包:
```
sudo apt install gstreamer1.0-plugins-bad
```
如果你对终端不了解,请注意要求使用你的账户密码的提示。**当你输入你的密码时,屏幕什么都不显示**。这是 Linux 的方式。你盲输密码然后按回车键。
一旦软件包安装完成,再次打开文件看看是否能够正常播放。
这可能对你有用,但是解决方案并未结束。你可能有其它格式的一些视频文件要求一些其它的 H.264 解码器或者其它解码器。
![其它的解码器播放视频你可能仍然有问题][4]
你可以通过如下命令安装更多的解码器:
```
sudo apt install libavcodec-extra gstreamer1.0-plugins-ugly gstreamer1.0-libav
```
然而,在 Ubuntu 有一个 [安装多媒体解码器更加方便的方法][5],我会在下一节展示给你。
#### 方法 2: 安装所有多媒体解码器(推荐)
Ubuntu 系统提供了一个名字叫做 `ubuntu-restricted-extras` 的基础软件包,由许多常规的音频和视频解码器以及像类似微软字体库那样多余的一些软件包组成。
安装这个软件包你将不用再担心多媒体解码器的问题了。
在 Ubuntu 打开终端并键入以下命令:
```
sudo apt install ubuntu-restricted-extras
```
由于这个基础软件包包含类似微软字库那样用不到的一些多余的软件你必须得接受最终用户许可协议EULA才行。
![按下 tab 键 然后点击回车接受 EULA 协议][6]
下一屏类似如下。按下 `tab` 键会高亮显示选项。当正确的选项高亮显示时,按下回车键来确认你的选择。
![当高亮显示你正确的选项时,按下 tab 键,按回车键确认][7]
当多媒体解码器安装完成后,你应该能够播放绝大多数媒体文件了。你的音乐播放器能播放 MP3 文件,你的视频播放器能播放 MP4MKV 等等格式。
然而,这也不是解决方案的终点,至少对某些人来说。
为什么我要那样说?因为我已经注意到 Ubuntu 系统下的默认视频播放器 Totem 在播放某些视频格式文件时常常遇到问题。你会注意到突然你的系统主机发热,风扇狂转并且鼠标指针停止运行。
为什么?因为 Totem 播放器在视频解码方面占用了大量的处理器资源。
当你播放视频的时候你可以通过 `top` 命令尝试查看名称为 `totem` 这个进程(那是默认视频播放器的名字)。
![Ubuntu 默认的视频播放器 Totem 可能消耗过多的必要的 CPU 资源][8]
你现在能够做什么?你的麻烦看起来永无止境,别担心。[在 Linux 上有更好的视频播放器][9] 并且它们能帮助你解决问题。
#### 方法 3: 安装一个更优秀的视频播放器(推荐)
在 Linux 上有很多优秀的视频播放器。我发现它们优于默认的 Totem 视频播放器。
就我个人来说,那么多个我只喜欢这两个:[VLC][10] 和 [MPV][11]。
VLC 是一个功能丰富且超级流行的视频播放器。很可能你已经使用过 VLC 。
MPV 媒体播放器不是那么流行,但使用这个轻量级的程序播放视频文件是再合适不过了。
VLC 和 MPV 播放器都擅长处理多媒体解码器。你甚至不必分开来安装多媒体解码器。只需要 [安装 VLC][12] 或者 MPV ,你就能够播放各种格式的视频文件。
在软件中心也可以找到它:
![在 Ubuntu 软件中心 MPV 可用][13]
或者 使用命令行 [在 Ubuntu 安装 MPV][14]
```
sudo apt install mpv
```
现在你已经有了一个新的视频播放器,你应该右键点击视频文件,选择新的视频播放器来打开。
或者,你可以[使其作为默认程序][15] 双击来播放视频文件。
### 对你有用吗?
我在这里没有说太多细节。我想阐述各种方法以及对应的优缺点。
你在 Ubuntu 处理好 H.264 解码器的问题了吗?哪种方法对你有用?
--------------------------------------------------------------------------------
via: https://itsfoss.com/install-h-264-decoder-ubuntu/
作者:[Abhishek Prakash][a]
选题:[lujun9972][b]
译者:[hwlife](https://github.com/hwlife)
校对:[turbokernel](https://github.com/turbokernel)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/abhishek/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/install-ubuntu/
[2]: https://itsfoss.com/wp-content/uploads/2022/04/h264-decoder-error-ubuntu-800x241.png
[3]: https://itsfoss.com/wp-content/uploads/2022/04/h264-decoder-ubuntu-software-center-800x532.png
[4]: https://itsfoss.com/wp-content/uploads/2022/04/ac3-decoder-missing-ubuntu-800x251.png
[5]: https://itsfoss.com/install-media-codecs-ubuntu/
[6]: https://itsfoss.com/wp-content/uploads/2020/02/installing_ubuntu_restricted_extras.jpg
[7]: https://itsfoss.com/wp-content/uploads/2020/02/installing_ubuntu_restricted_extras_1.jpg
[8]: https://itsfoss.com/wp-content/uploads/2022/04/totem-consuming-more-cpu-ubuntu-800x454.webp
[9]: https://itsfoss.com/video-players-linux/
[10]: https://www.videolan.org/vlc/
[11]: https://mpv.io/
[12]: https://itsfoss.com/install-latest-vlc/
[13]: https://itsfoss.com/wp-content/uploads/2022/04/mpv-player-ubuntu-software-center-800x346.png
[14]: https://itsfoss.com/mpv-video-player/
[15]: https://itsfoss.com/change-default-applications-ubuntu/
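Review bot: In the sentence after the first error screenshot, “导致视频播放器播放该视频文件” says the opposite of what is meant; it should read “导致视频播放器无法播放该视频文件”. The caption “可能消耗过多的必要的 CPU 资源” for the `top` screenshot also reads oddly and should be checked against the source, and in Method 1 the phrase “不良”组合 could name the package `gstreamer1.0-plugins-bad` directly so readers can match it in the Software Center.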

@ -0,0 +1,73 @@
[#]: subject: "Good News! Docker Desktop is Now Here for Linux Users"
[#]: via: "https://news.itsfoss.com/docker-desktop-linux/"
[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
[#]: collector: "lkxed"
[#]: translator: "lkxed"
[#]: reviewer: "wxy"
[#]: publisher: "wxy"
[#]: url: "https://linux.cn/article-14586-1.html"
好消息Docker Desktop 现已支持 Linux
======
> 你现在可以在 Linux 上使用 Docker Desktop 无缝地创建容器了!它可在 Debian、Ubuntu 和 Fedora 上使用,并为 Arch Linux 提供了实验性支持。
![Docker][1]
Docker Desktop 是容器化应用程序的最简单的方法。有了它,你就不需要预先设置平台相关环境。
你只需要安装 Docker Desktop就可以开始了。Docker Desktop 附带了许多容器工具,如 Kubernetes、Docker Compose、BuildKit 和漏洞扫描工具。
此前,它可用于 Windows 和 macOS但不支持 Linux 平台。所以Linux 用户只好直接与 docker 引擎交互,以创建/测试他们的 docker 容器。
终于,现在所有 Linux 用户也可以通过 Docker Desktop 来方便地使用 Docker 了。
### Linux 版的 Docker Desktop 来了
在 Docker 团队关于未来开发/改进的公共路线图中Linux 版的 [Docker Desktop][2] 是呼声最高的。
有了 Linux 版的 Docker Desktop你终于可以不费吹灰之力地得到跨平台的 Docker 体验。
我在这里列出其中一些亮点。现在,作为一名使用 Linux 桌面的开发者,你可以:
* 使用 Docker <ruby>扩展<rt>Extension</rt></ruby> 访问新功能
* 与 Kubernetes 无缝集成
* 轻松地管理和组织 <ruby>数据卷<rt>volumes</rt></ruby><ruby>容器<rt>containers</rt></ruby><ruby>镜像<rt>images</rt></ruby>
### 在 Linux 上安装 Docker Desktop
值得注意的是,目前(在 Linux 上)安装 Docker Desktop 并不算超简单,但也不会十分复杂。
Docker 团队计划尽快改进安装和更新过程。
截至目前,你可以得到官方支持的 Ubuntu、Debian 和 Fedora 的 deb 或 rpm 包。支持 Arch Linux 的软件包还未开发完成,但已经可以下载来测试了。
如果你的桌面环境不是 GNOME 的话,你还需要安装 GNOME 终端。
在 Linux 上安装 Docker Desktop 对系统也有整体要求,包括:
* 64 位 Ubuntu 22.04 LTS、Ubuntu 21.10、Fedora 35、Fedora 36 或 Debian 11。
* 支持 KVM 虚拟化
* QEMU 5.2 或更新版本
* Systemd 系统守护工具
* GNOME 或 KDE 桌面环境
* 4GB 的内存
至于安装步骤,你可以参照文档中的 [官方说明][3] 进行。
--------------------------------------------------------------------------------
via: https://news.itsfoss.com/docker-desktop-linux/
作者:[Ankush Das][a]
选题:[lkxed][b]
译者:[lkxed](https://github.com/lkxed)
校对:[wxy](https://github.com/wxy)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.itsfoss.com/author/ankush/
[b]: https://github.com/lkxed
[1]: https://news.itsfoss.com/wp-content/uploads/2022/05/docker-desktop-available-on-linux.jpg
[2]: https://www.docker.com/products/docker-desktop/
[3]: https://docs.docker.com/desktop/linux/install/
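Review bot: In the requirements list, “Systemd 系统守护工具” does not match the source item “Systemd init system” (visible in the deleted source file that follows); “Systemd 初始化系统” would be accurate. “4GB 的内存” also drops the space between number and unit that the source keeps (“4 GB of RAM”) and that the same list uses in “64 位”.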

@ -1,72 +0,0 @@
[#]: subject: "Good News! Docker Desktop is Now Here for Linux Users"
[#]: via: "https://news.itsfoss.com/docker-desktop-linux/"
[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
[#]: collector: "lkxed"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Good News! Docker Desktop is Now Here for Linux Users
======
You can now seamlessly create containers using Docker Desktop on Linux. It is available for Debian, Ubuntu, and Fedora, with experimental support for Arch Linux.
![docker][1]
Docker Desktop is the easiest way to containerize applications. You do not need to think about setting up an environment on the platform of your choice to get started.
You just need to install the Docker Desktop, and you will be good to go. The Docker Desktop application comes with container tools like Kubernetes, Docker Compose, BuildKit, and vulnerability scanning.
While it was available for Windows and macOS, it did not support the Linux platform. So, Linux users were restricted to the docker engine to create/test their docker containers.
Finally, anyone who wants to make things convenient using Docker on Linux can do it using Docker Desktop.
### Docker Desktop for Linux is Here
[Docker Desktop][2] for Linux was one of the most requested things on their public roadmap for future development/improvements.
With Docker Desktop on Linux, you finally get to experience a cross-platform Docker experience without much hassle.
To mention some highlights, as a developer on Linux desktop, you can now:
* Access new features using Docker Extensions
* Seamlessly integrate with Kubernetes
* Easily manage and organize volume, containers, and images.
### Installing Docker Desktop on Linux
It is worth noting that it may not be super easy to install Docker Desktop for now, but it isnt overly complicated either.
The Docker team plans to improve the installation and update process as soon as possible.
As of now, you get deb and rpm packages officially supported for Ubuntu, Debian, and Fedora. The Docker Desktop package for Arch Linux is a work in progress, but it is available to test.
It also needs you to install the GNOME terminal if you are on a non-GNOME desktop environment.
The overall system requirements for Docker Desktop on Linux include:
* 64-bit Ubuntu 22.04 LTS, Ubuntu 21.10, Fedora 35, Fedora 36, or Debian 11.
* KVM virtualization support
* QEMU 5.2 or newer
* Systemd init system
* GNOME or KDE desktop environment
* 4 GB of RAM
For installation, you can follow the [official instructions][3] in the documentation.
--------------------------------------------------------------------------------
via: https://news.itsfoss.com/docker-desktop-linux/
作者:[Ankush Das][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.itsfoss.com/author/ankush/
[b]: https://github.com/lkxed
[1]: https://news.itsfoss.com/wp-content/uploads/2022/05/docker-desktop-available-on-linux.jpg
[2]: https://www.docker.com/products/docker-desktop/
[3]: https://docs.docker.com/desktop/linux/install/

@ -1,87 +0,0 @@
[#]: subject: (WebAssembly Security, Now and in the Future)
[#]: via: (https://www.linux.com/news/webassembly-security-now-and-in-the-future/)
[#]: author: (Dan Brown https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/)
[#]: collector: (lujun9972)
[#]: translator: (hanszhao80)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
WebAssembly Security, Now and in the Future
======
_By Marco Fioretti_
**Introduction**
WebAssembly is, as we [explained recently][1], a binary format for software written in any language, designed to eventually run on any platform without changes. The first application of WebAssembly is inside web browsers, to make websites faster and more interactive. Plans to push WebAssembly beyond the Web, from servers of all sorts to the Internet of Things (IoT), create as many opportunities as security issues. This post is an introductory overview of those issues and of the WebAssembly security model.
**WebAssembly is like JavaScript**
Inside web browsers, WebAssembly modules are managed by the same Virtual Machine (VM) that executes JavaScript code. Therefore, WebAssembly may be used to do much of the same harm that is doable with JavaScript, just more efficiently and less visibly. Since JavaScript is plain text that the browser will compile, and WebAssembly a ready-to-run binary format, the latter runs faster, and is also harder to scan (even by antivirus software) for malicious instructions.
This “code obfuscation” effect of WebAssembly has been already used, among other things, to pop up unwanted advertising or to open fake “tech support” windows that ask for sensitive data. Another trick is to automatically redirect browsers to “landing” pages that contain the really dangerous malware.
Finally, WebAssembly may be used, just like JavaScript, to “steal” processing power instead of data. In 2019, an [analysis of 150 different Wasm modules][2] found out that about _32%_ of them were used for cryptocurrency-mining.
**WebAssembly sandbox, and interfaces**
WebAssembly code runs closed into a [sandbox][3] managed by the VM, not by the operating system. This gives it no visibility of the host computer, or ways to interact directly with it. Access to system resources, be they files, hardware or internet connections, can only happen through the WebAssembly System Interface (WASI) provided by that VM.
The WASI is different from most other application programming interfaces, with unique security characteristics that are truly driving the adoption of WASM on servers/edge computing scenarios, and will be the topic of the next post. Here, it is enough to say that its security implications greatly vary, when moving from the web to other environments. Modern web browsers are terribly complex pieces of software, but lay on decades of experience, and of daily tests from billions of people. Compared to browsers, servers or IoT devices are almost uncharted lands. The VMs for those platforms will require extensions of WASI and thus, in turn, surely introduce new security challenges.
**Memory and code management in WebAssembly**
Compared to normal compiled programs, WebAssembly applications have very restricted access to memory, and to themselves too. WebAssembly code cannot directly access functions or variables that are not yet called, jump to arbitrary addresses or execute data in memory as bytecode instructions.
Inside browsers, a Wasm module only gets one, global array (“linear memory”) of contiguous bytes to play with. WebAssembly can directly read and write any location in that area, or request an increase in its size, but thats all. This linear memory is also separated from the areas that contain its actual code, execution stack, and of course the virtual machine that runs WebAssembly. For browsers, all these data structures are ordinary JavaScript objects, insulated from all the others using standard procedures.
**The result: good, but not perfect**
All these restrictions make it quite hard for a WebAssembly module to misbehave, but not impossible.
The sandboxed memory that makes it almost impossible for WebAssembly to touch what is _outside_ also makes it harder for the operating system to prevent bad things from happening _inside_. Traditional memory monitoring mechanisms like [“stack canaries”][4], which notice if some code tries to mess with objects that it should not touch, [cannot work there][5].
The fact that WebAssembly can only access its own linear memory, but directly, may also _facilitate_ the work of attackers. With those constraints, and access to the source code of a module, it is much easier to guess which memory locations could be overwritten to make the most damage. It also seems [possible][6] to corrupt local variables, because they stay in an unsupervised stack in the linear memory.
A 2020 paper on the [binary security of WebAssembly][5] noted that WebAssembly code can still overwrite string literals in supposedly constant memory. The same paper describes other ways in which WebAssembly may be less secure than when compiled to a native binary, on three different platforms (browsers, server-side applications on Node.js, and applications for stand-alone WebAssembly VMs) and is recommended further reading on this topic.
In general, the idea that WebAssembly can only damage whats inside its own sandbox can be misleading. WebAssembly modules do the heavy work for the JavaScript code that calls them, exchanging variables every time. If they write into any of those variables code that may cause crashes or data leaks in the unsafe JavaScript that called WebAssembly, those things _will_ happen.
**The road ahead**
Two emerging features of WebAssembly that will surely impact its security (how and how much, its too early to tell) are [concurrency][7], and internal garbage collection.
Concurrency is what allows several WebAssembly modules to run in the same VM simultaneously. Today this is possible only through JavaScript [web workers][8], but better mechanisms are under development. Security-wise, they may bring in [“a lot of code… that did not previously need to be”][9], that is more ways for things to go wrong.
A [native Garbage Collector][10] is needed to increase performance and security, but above all to use WebAssembly outside the well-tested Java VMs of browsers, that collect all the garbage inside themselves anyway. Even this new code, of course, may become another entry point for bugs and attacks.
On the positive side, general strategies to make WebAssembly even safer than it is today also exist. Quoting again from [here][5], they include compiler improvements, _separate_ linear memories for stack, heap and constant data, and avoiding to compile as WebAssembly modules code in “unsafe languages, such as C”.
The post [WebAssembly Security, Now and in the Future][11] appeared first on [Linux Foundation Training][12].
--------------------------------------------------------------------------------
via: https://www.linux.com/news/webassembly-security-now-and-in-the-future/
作者:[Dan Brown][a]
选题:[lujun9972][b]
译者:[hanszhao80](https://github.com/hanszhao80)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/
[b]: https://github.com/lujun9972
[1]: https://training.linuxfoundation.org/announcements/an-introduction-to-webassembly/
[2]: https://www.sec.cs.tu-bs.de/pubs/2019a-dimva.pdf
[3]: https://webassembly.org/docs/security/
[4]: https://ctf101.org/binary-exploitation/stack-canaries/
[5]: https://www.usenix.org/system/files/sec20-lehmann.pdf
[6]: https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
[7]: https://github.com/WebAssembly/threads
[8]: https://en.wikipedia.org/wiki/Web_worker
[9]: https://googleprojectzero.blogspot.com/2018/08/the-problems-and-promise-of-webassembly.html
[10]: https://github.com/WebAssembly/gc/blob/master/proposals/gc/Overview.md
[11]: https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/
[12]: https://training.linuxfoundation.org/
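Review bot: This source file is deleted while its header shows `translator: (hanszhao80)` with `reviewer`, `publisher` and `url` still empty and the footer still carrying the `校对者ID` placeholder, and no translated counterpart for it appears in the hunks above, unlike the Docker Desktop article. Confirm that the translation is added elsewhere among the 11 changed files so the claimed work is not dropped.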

@ -0,0 +1,106 @@
[#]: subject: "5 reasons to use sudo on Linux"
[#]: via: "https://opensource.com/article/22/5/use-sudo-linux"
[#]: author: "Seth Kenlon https://opensource.com/users/seth"
[#]: collector: "lkxed"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
5 reasons to use sudo on Linux
======
Here are five security reasons to switch to the Linux sudo command. Download our sudo cheat sheet for more tips.
![Command line prompt][1]
Image by: Opensource.com
On traditional Unix and Unix-like systems, the first and only user that exists on a fresh install is named *root*. Using the root account, you log in and create secondary "normal" users. After that initial interaction, you're expected to log in as a normal user.
Running your system as a normal user is a self-imposed limitation that protects you from silly mistakes. As a normal user, you can't, for instance, delete the configuration file that defines your network interfaces or accidentally overwrite your list of users and groups. You can't make those mistakes because, as a normal user, you don't have permission to access those important files. Of course, as the literal owner of a system, you could always use the `su` command to become the superuser (root) and do whatever you want, but for everyday tasks you're meant to use your normal account.
Using `su` worked well enough for a few decades, but then the `sudo` command came along.
To a longtime superuser, the `sudo` command might seem superfluous at first. In some ways, it feels very much like the `su` command. For instance, here's the `su` command in action:
```
$ su root
<enter passphrase>
# dnf install -y cowsay
```
And here's `sudo` doing the same thing:
```
$ sudo dnf install -y cowsay
<enter passphrase>
```
The two interactions are nearly identical. Yet most distributions recommend using `sudo` instead of `su`, and most major distributions have eliminated the root account altogether. Is it a conspiracy to dumb down Linux?
Far from it, actually. In fact, `sudo` makes Linux more flexible and configurable than ever, with no loss of features and [several significant benefits][2].
### Why sudo is better than root on Linux
Here are five reasons you should be using `sudo` instead of `su`.
### 1. Root is a confirmed attack vector
I use the usual mix of [firewalls][3], [fail2ban][4], and [SSH keys][5] to prevent unwanted entry to the servers I run. Before I understood the value of `sudo`, I used to look through logs with horror at all the failed brute force attacks directed at my server. Automated attempts to log in as root are easily the most common, and with good reason.
An attacker with enough knowledge to attempt a break-in also would also know that, before the widespread use of `sudo`, essentially every Unix and Linux system had a root account. That's one less guess about how to get into your server an attacker has to make. The login name is always right, as long as it's root, so all an attacker needs is a valid passphrase.
Removing the root account offers a good amount of protection. Without root, a server has no confirmed login accounts. An attacker must guess at possible login names. In addition, the attacker must guess a password to associate with a login name. That's not just one guess and then another guess; it's two guesses that must be correct concurrently.
### 2. Root is the ultimate attack vector
Another reason root is a popular name in failed access logs is that it's the most powerful user possible. If you're going to set up a script to brute force its way into somebody else's server, why waste time trying to get in as a regular user with limited access to the machine? It only makes sense to go for the most powerful user available.
By being both the singularly known user name and the most powerful user account, root essentially makes it pointless to try to brute force anything else.
### 3. Selective permission
The `su` command is all or nothing. If you have the password for `su` root, you can become the superuser. If you don't have the password for `su`, you have no administrative privileges whatsoever. The problem with this model is that a sysadmin has to choose between handing over the master key to their system or withholding the key and all control of the system. That's not always what you want. [Sometimes you want to delegate.][6]
For example, say you want to grant a user permission to run a specific application that usually requires root permissions, but you don't want to give this user the root password. By editing the `sudo` configuration, you can allow a specific user, or any number of users belonging to a specific Unix group, to run a specific command. The `sudo` command requires a user's existing password, not your password, and certainly not the root password.
### 4. Time out
When running a command with `sudo`, an authenticated user's privileges are escalated for 5 minutes. During that time, they can run the command or commands you've given them permission to run.
After 5 minutes, the authentication cache is cleared, and the next use of `sudo` prompts for a password again. Timing out prevents a user from accidentally performing that action later (for instance, a careless search through your shell history or a few too many Up arrow presses). It also ensures that another user can't run the commands if the first user walks away from their desk without locking their computer screen.
### 5. Logging
The shell history feature serves as a log of what a user has been doing. Should you ever need to understand how something on your system happened, you could (in theory, depending on how shell history is configured) use `su` to switch to somebody else's account, review their shell history, and maybe get an idea of what commands a user has been executing.
If you need to audit the behavior of 10s or 100s of users, however, you might notice that this method doesn't scale. Shell histories also rotate out pretty quickly, with a default age of 1,000 lines, and they're easily circumvented by prefacing any command with an empty space.
When you need logs on administrative tasks, `sudo` offers a complete [logging and alerting subsystem][7], so you can review activity from a centralized location and even get an alert when something significant happens.
### Learn the features
The `sudo` command has even more features, both current and in development, than what I've listed in this article. Because `sudo` is often something you configure once then forget about, or something you configure only when a new admin joins your team, it can be hard to remember its nuances.
Download our [sudo cheat sheet][8] and use it as a helpful reminder for all of its uses when you need it the most.
--------------------------------------------------------------------------------
via: https://opensource.com/article/22/5/use-sudo-linux
作者:[Seth Kenlon][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/seth
[b]: https://github.com/lkxed
[1]: https://opensource.com/sites/default/files/lead-images/command_line_prompt.png
[2]: https://opensource.com/article/19/10/know-about-sudo
[3]: https://www.redhat.com/sysadmin/secure-linux-network-firewall-cmd
[4]: https://www.redhat.com/sysadmin/protect-systems-fail2ban
[5]: https://opensource.com/article/20/2/ssh-tools
[6]: https://opensource.com/article/17/12/using-sudo-delegate
[7]: https://opensource.com/article/19/10/know-about-sudo
[8]: https://opensource.com/downloads/linux-sudo-cheat-sheet
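Review bot: In the "5. Logging" section, the claim that shell histories are "easily circumvented by prefacing any command with an empty space" is stated unconditionally, but it only holds when the shell is configured to drop space-prefixed commands (in Bash, HISTCONTROL set to ignorespace or ignoreboth). In the same sentence, "a default age of 1,000 lines" describes a length, not an age. This file is the source a translator will work from, so a translator's note on both would keep the translation from carrying them over as-is. Separately, reference [7] for the "logging and alerting subsystem" resolves to the same URL as [2]; worth checking against the upstream article whether a logging-specific link was intended.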

View File

@ -0,0 +1,98 @@
[#]: subject: "Get started with Bareos, an open source client-server backup solution"
[#]: via: "https://opensource.com/article/22/5/bareos-open-source-client-server-backup-solution"
[#]: author: "Heike Jurzik https://opensource.com/users/hej"
[#]: collector: "lkxed"
[#]: translator: " "
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
Get started with Bareos, an open source client-server backup solution
======
Bareos preserves, archives, and recovers data from all major operating systems. Discover how its modular design and key features support flexibility, availability, and performance.
![Puzzle pieces coming together to form a computer screen][1]
Image by: Opensource.com
[Bareos][2] (Backup Archiving Recovery Open Sourced) is a distributed open source backup solution (licensed under AGPLv3) that preserves, archives, and recovers data from all major operating systems.
Bareos has been around since 2010 and is (mainly) developed by the company Bareos GmbH & Co. KG, based in Cologne, Germany. The vendor not only provides further development as open source software but also offers subscriptions, professional support, development, and consulting. This article introduces Bareos, its services, and basic backup concepts. It also describes where to get ready-built packages and how to join the Bareos community.
### Modular design
Bareos consists of several services and applications which communicate securely over the network: the Bareos Director (Dir), one or more Storage Daemons (SD), and File Daemons (FD) installed on the client machines to be backed up. This modular design makes Bareos flexible and scalable—it's up to you whether to install all components on one system or several hundred computers, even in different locations. The client-server software stores backups on all kinds of physical and virtual storage (HDD/SSD/SDS), tape libraries, and in the cloud. Bareos includes several plug-ins to support virtual infrastructures, application servers (like databases, such as PostgreSQL, MySQL, MSSQL, MariaDB, etc.), and LDAP directory services.
Here are the Bareos components, what they do, and how they work together:
![Bareos components][3]
Image by: (Heike Jurzik, CC BY-SA 4.0)
#### Bareos Director
This is the core component and the control center of Bareos, which manages the database (i.e., the Catalog), clients, file sets (defining the data in the backups), the plug-ins' configuration, backup jobs and schedules, storage and media pools, before and after jobs (programs to be executed before or after a backup/restore job), etc.
#### Catalog
The database maintains a record of all backup jobs, saved files, and backup volumes. Bareos uses PostgreSQL as the database backend.
#### File Daemon
The File Daemon (FD) runs on every client machine or the virtual layer to handle backup and restore operations. After the File Daemon has received the director's instructions, it executes them and then transmits the data to (or from) the Storage Daemon. Bareos offers client packages for various operating systems, including Windows, Linux, macOS, FreeBSD, Solaris, and other Unix-based systems on request.
#### Storage Daemon
This Storage Daemon (SD) receives data from one or more FDs and stores data on the configured backup medium. The SD runs on the machine handling the backup devices. Bareos supports backup media like hard disks and flash arrays, tapes and tape libraries, and S3-compatible cloud solutions. If there is a media changer involved, the SD controls that device as well. The SD sends the correct data back to the requesting File Daemon during the restore process. To increase flexibility, availability, and performance, there can be multiple SDs, for example, one per location.
### Jobs and schedules
A backup job in Bareos describes what to back up (in a so-called FileSet directive on the client), when to back up (Schedule directive), and where to back up the data (Pool directive). This modular design lets you define multiple jobs and combine several directives, such as FileSets, Pools, and Schedules. Bareos allows you to have two different job resources managing various servers but using the same Schedule and FileSet, maybe even the same Pool.
The schedule not only sets the backup type (full, incremental, or differential) but also describes when a job is supposed to run, i.e., on different days of the week or month. Because of that, you can plan a detailed schedule and run full backups every Monday, incremental backups the rest of the week, etc. If more than one backup job uses the same schedule, you can set the job priority and thus tell Bareos which job is supposed to run first.
### Encrypted communication
As mentioned, all Bareos services and applications communicate with each other over the network. Bareos provides TLS/SSL with pre-shared keys or certificates to ensure encrypted data transport. On top of that, Bareos can encrypt and sign data on the File Daemons before sending the backups to the Storage Daemon. Encryption and signing on the clients are implemented using RSA private keys combined with X.509 certificates (Public Key Infrastructure). Before the restore process, Bareos validates file signatures and reports any mismatches. Neither the Director nor the Storage Daemon has access to unencrypted content.
As a Bareos administrator, you can communicate with the backup software using a command-line interface (bconsole) or your preferred web browser (Bareos WebUI). The multilingual web interface manages multiple Bareos Directors and their databases. Also, it's possible to configure role-based access and create different profiles with ACLs (Access Control Lists) to control what a user can see and execute in the WebUI.
![Bareos WebUI][4]
Image by: (Heike Jurzik, CC BY-SA 4.0)
The WebUI provides an overview and detailed information about backup jobs, clients, file sets, pools, volumes, and more. It's also possible to start backup and restore jobs via the web interface. Starting with Bareos 21, the WebUI provides a timeline to display selected jobs. This timeline makes it easy to spot running, finished, or even failed jobs. This is a great feature, especially in larger environments, as it lets you detect gaps in the schedule or identify which backup jobs are taking up the most time.
### Packages, support, and training
There are no license fees for using Bareos. In addition to the Bareos source code, which is available on [GitHub][5], the vendor provides Bareos packages in two different repositories:
* The community repository contains packages for all major releases (without support).
* The subscription repository also offers packages for minor releases with updates, bug fixes, etc., for customers with a Bareos subscription.
Customers with a valid subscription can also buy support and consulting from the manufacturer or sponsor the development of new features. Bareos GmbH & Co. KG has a global partner network, offering support and training in multiple languages.
### Join the Bareos community
Bareos is a very [active open source project][6] with a great community. The source code of the software and the [Bareos manual][7] sources are hosted on GitHub, and everyone is welcome to contribute. Bareos also offers two mailing lists, one for users ([bareos-users][8]) and one for developers ([bareos-devel][9]). For news and announcements, technical guides, quick howtos, and more, you can also follow the [Bareos blog][10].
--------------------------------------------------------------------------------
via: https://opensource.com/article/22/5/bareos-open-source-client-server-backup-solution
作者:[Heike Jurzik][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/译者ID)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://opensource.com/users/hej
[b]: https://github.com/lkxed
[1]: https://opensource.com/sites/default/files/lead-images/puzzle_computer_solve_fix_tool.png
[2]: https://www.bareos.com/
[3]: https://opensource.com/sites/default/files/2022-05/components.png
[4]: https://opensource.com/sites/default/files/2022-05/webui-restore-single-file.png
[5]: https://www.bareos.com/community/github/
[6]: https://www.openhub.net/p/bareos
[7]: https://docs.bareos.org/
[8]: https://groups.google.com/forum/#!forum/bareos-users
[9]: https://groups.google.com/forum/#!forum/bareos-devel
[10]: https://www.bareos.com/blog/
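Review bot: In "Encrypted communication", the closing sentence "Neither the Director nor the Storage Daemon has access to unencrypted content" reads as a general property of Bareos, but it follows only from the optional encryption on the clients described two sentences earlier ("Bareos can encrypt and sign data on the File Daemons"), not from the TLS transport alone, since TLS ends at the receiving daemon. The translation should keep that dependency explicit. Two smaller points for the translator: the paragraphs on bconsole, the WebUI and ACL profiles sit under the same heading although they cover administration rather than encryption, and "This Storage Daemon (SD)" under "Storage Daemon" should read "The".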

View File

@ -0,0 +1,98 @@
[#]: subject: "NVIDIA Takes a Big Step to Improve its GPU Experience on Linux"
[#]: via: "https://news.itsfoss.com/nvidia-open-source-linux/"
[#]: author: "Ankush Das https://news.itsfoss.com/author/ankush/"
[#]: collector: "lkxed"
[#]: translator: "chunyang.wen"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
英伟达 (Nvidia) 在提升 Linux 上的 GPU 使用体验上迈出了一大步
=====
英伟达公司提升 Nvidia GPU 在 Linux 上的体验开源计划终于来了。
![][1]
Linus Torvalds 会乐意听到此消息。
Nvidia 终于公布提升 Linux 上的 GPU 使用体验的计划。
不过不幸地是,和你想象的可能不完全一样,你仍然会看到很多有专有的驱动。
但是这和放弃专有的驱动一样重要。
它是:** Nvidia 发布支持数据中心和消费级GeForce/RTX) 显卡开源 GPU 内核**。
此外,它同时支持 GPL/MIT 两种授权,听起来很酷对不对?
### 此举如何帮助到 Linux 桌面用户?
开源的 GPU 内核模块会提升内核和专有驱动之间的交互。
所以,这个动作对 **游戏玩家和开发者** 都有利,和 Nvidia 专有驱动之间麻烦事最终会被消除。
发布公告中提到的技术收益包括
> 开发者可以跟踪到具体的代码路径,并且观察内核事件调度和他们的工作之间的交互机制,从而在调试时更快定位根本原因。除此之外,企业软件开发者可以根据他们项目配置无缝地将驱动集成进入他们的内核
> 来自 Linux 终端社区输入和评价会进一步提升 Nvidia GPU 驱动的质量和安全性
当面对一个终端用户或者游戏玩家,我们想得越清楚,安装会更便捷,整体会更安全。
Canonical 和 SUSE 会立即为他们的企业用户打包开源的内核模块,其它厂商很快会跟进。
Canonical 应该在未来几月到来的 Ubuntu 22.04 LTS 桌面版本中让这些内核模块可用。其它的 Linux 发行版也会做相应的升级。
### 现在可以试用吗?
![][2]
第一个发布的开源 GPU 内核模块版本是 R515是作为 CUDA 工具集 11.7 一部分一起发布的开发版本的驱动。
你可以从[官方驱动下载页面][3]或者从[CUDA 下载页面][4]找到。
对于数据中心是生产可用,**对于 GeForce 或者工作站 GPU 还是 alpha 阶段**。
事实上,在 Turing 和 Ampere GPu 型号上可以使用 Vulkan 和 Optix 中的 **多显示G-SyncNvidia RTX 光线追踪** 功能。
然而除非你想运行一些实验性测试,你可能想等待几个月,从而直接获取你的 Linux 发行版为终端用户发行的稳定版。
### 对 Nouveau 驱动开发也有益
不仅仅是提升专有驱动的体验,公布的开源 GPU 内核代码也会改善 Nouveau 驱动。
正如发布新闻所说:
> Nouveau 可以像 Nvidia 驱动一样充分利用硬件,暴露更多 GPU 功能,例如时钟管理,散热管理,为 Nouveau 驱动带来新的特性。为未来的驱动更新保持关注,在 Github 上合作。
NVIDIA 真是出奇的好,它提到并且有可能和改善 NVIDIA 开源驱动的团队合作,例如 Nouveau。
这也更好地表示他们希望 Linux 的开源驱动有一个更好的版本。
### 开源 Nivida 驱动的未来?
毋容置疑NVIDIA 计划持续发布开源的 GPU 内核模块。
所以,尽管他们不会单独开源它们的驱动,我们仍然可以寄希望于 Nouveau 释放所有的图形卡特性。
想知道他们更多的计划,你可以参考[官方的发布声明][5]。
*你如何看待这件事Nivida 最终会爱开源和 Linux至少这是一个好的开始。在下面的评论区分享你的想法吧。*
via: https://news.itsfoss.com/nvidia-open-source-linux/
作者:[Ankush Das][a]
选题:[lkxed][b]
译者:[译者ID](https://github.com/chunyang-wen)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://news.itsfoss.com/author/ankush/
[b]: https://github.com/lkxed
[1]: https://news.itsfoss.com/wp-content/uploads/2022/05/linus-torvalds-nvidia.jpg
[2]: https://news.itsfoss.com/wp-content/uploads/2022/05/nvidia-opensource-linux-drivers-1024x576.jpg
[3]: https://www.nvidia.com/en-us/drivers/unix/
[4]: https://developer.nvidia.com/cuda-downloads
[5]: https://developer.nvidia.com/blog/nvidia-releases-open-source-gpu-kernel-modules/
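Review bot: The bolded announcement line ("Nvidia 发布支持数据中心和消费级GeForce/RTX) 显卡开源 GPU 内核") drops "模块", so it says an open source GPU kernel was released, while every later paragraph speaks of "内核模块"; it also has a closing parenthesis with no opening one. Suggest "开源 GPU 内核模块" and "消费级(GeForce/RTX)". Other items to fix before review: "Nivida" in the last heading and the closing question, "GPu" and the run-together "多显示G-SyncNvidia RTX 光线追踪" in the feature sentence, the missing separator line before "via:", and the footer translator entry, which keeps the placeholder label "译者ID" and links to chunyang-wen while the header gives the translator as "chunyang.wen".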

View File

@ -0,0 +1,86 @@
[#]: subject: (WebAssembly Security, Now and in the Future)
[#]: via: (https://www.linux.com/news/webassembly-security-now-and-in-the-future/)
[#]: author: (Dan Brown https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/)
[#]: collector: (lujun9972)
[#]: translator: (hanszhao80)
[#]: reviewer: ( )
[#]: publisher: ( )
[#]: url: ( )
WebAssembly 安全的现在和未来
======
### 说明
正如我们 [最近解释的][1]WebAssembly 是一种用于以任何语言编写的软件的二进制格式旨在最终无需更改就能在任意平台运行。WebAssembly 的第一个应用是在 Web 浏览器中,以使网站更快、更具交互性。计划将 WebAssembly 推向 Web 之外,从各种服务器到<ruby>物联网<rt>IoT</rt></ruby>,创造了与安全问题一样多的机会。这篇文章是对这些问题和 WebAssembly 安全模型的介绍性概述。
### WebAssembly 跟 JavaScript 很像
在 Web 浏览器内部WebAssembly 模块由执行 JavaScript 代码的同一 <ruby>虚拟机<rt>VM</rt></ruby> 管理。因此WebAssembly 可用于造成与 JavaScript 相同的危害,只是效率更高,并且不易被察觉。由于 JavaScript 是纯文本,运行前需要浏览器的编译,而 WebAssembly 是一种可立即运行的二进制格式,后者运行速度更快,也更难被扫描出(即使用杀毒软件)其中的恶意指令。
WebAssembly 的这种 **代码混淆** 效果已经被用来弹出不受欢迎的广告或打开要求敏感数据的虚假 **技术支持** 窗口。另一个把戏则是自动将浏览器重定向到包含真正危险的恶意软件的 **登陆** 页面。
最后,就像 JavaScript 一样WebAssembly 可能被用来 **窃取** 处理能力而不是数据。2019 年,[对 150 个不同的 WASM 模块的分析][2]发现,其中约 _32%_ 被用于加密货币挖掘。
### WebAssembly 沙箱和接口
WebAssembly 代码在由 <ruby>虚拟机<rt>VM</rt></ruby>(而不是操作系统)管理的[沙箱][3]中封闭运行。这使它无法看到主机,也无法直接与主机交互。对系统资源(文件、硬件或互联网连接)的访问只能通过该虚拟机提供的 <ruby>WebAssembly 系统接口<rt>WASI</rt></ruby> 进行。
WASI 不同于大多数其他应用程序编程接口,它具有独特的安全特性,真正推动了 WASM 在传统服务器和<ruby>边缘<rt>Edge</rt></ruby>服务器计算场景中的采用,这将是下一篇文章的主题。在这里,可以说,当从 Web 迁移到其他环境时,它的安全影响会有很大的不同。现代网络浏览器是极其复杂的软件,但它是建立在数十年的经验和数十亿人的日常测试之上的。与浏览器相比,服务器或<ruby>物联网<rt>IoT</rt></ruby>设备几乎是未知领域。这些平台的虚拟机将需要扩展 WASI因此肯定会带来新的安全挑战。
### WebAssembly 中的内存和代码管理
与普通的编译程序相比WebAssembly 应用程序对内存的访问非常有限对它们自己也是如此。WebAssembly 代码不能直接访问尚未调用的函数或变量,不能跳转到任意地址,也不能将内存中的数据作为字节码指令执行。
在浏览器内部WASM 模块只能获得一个连续字节的全局数组(<ruby>线性内存<rt>linear memory</rt></ruby>进行操作。WebAssembly 可以直接读写该区域中的任意位置,或者请求增加其大小,但仅此而已。这个<ruby>线性内存<rt>linear memory</rt></ruby>也与包含其实际代码、执行堆栈、当然还有运行 WebAssembly 的虚拟机的区域分离。对于浏览器来说,所有这些数据结构都是普通的 JavaScript 对象,与所有其他使用标准过程的对象隔离。
### 结果很好,但并不完美
所有这些限制使得 WebAssembly 模块很难做出不当行为,但也并非不可能。
沙箱化的内存使 WebAssembly 几乎不可能接触到 __外部__ 的东西,也使操作系统更难防止 __内部__ 发生不好的事情。传统的内存监测机制,比如 [**Stack Canaries**][4] 能注意到是否有代码试图扰乱它不应该接触的对象,[在这里不奏效][5]。
事实上WebAssembly 只能访问自己的<ruby>线性内存<rt>linear memory</rt></ruby>,但可以直接访问,这也可能为攻击者的行为 _提供便利_。有了这些约束和对模块源代码的访问,就更容易猜测覆盖哪些内存位置可能造成最大的破坏。局部变量似乎也 [可能][6] 被破坏,因为它们停留在<ruby>线性内存<rt>linear memory</rt></ruby>中的无监督的堆栈中。
2020年的一篇关于 [WebAssembly 的二进制安全性][5] 的论文指出WebAssembly 代码仍然可以在设定的常量内存中覆盖字符串文字。同一篇论文描述了在三个不同的平台浏览器、Node.JS 上的服务端应用程序和独立 WebAssembly 虚拟机的应用程序WebAssembly 可能比编译为原生二进制文件时更不安全的其他方式。建议进一步阅读此主题。
通常,认为 WebAssembly 只能破坏其自身沙箱中的内容的想法可能会产生误导。WebAssembly 模块为调用它们的 JavaScript 代码做繁重的工作,每次都交换变量。如果模块在这些变量中的任意一处写入不安全的调用 WebAssembly 的 JavaScript 代码,就 _会_ 导致崩溃或数据泄露。
### 未来的方向
WebAssembly 的两个新出现的特性:[并发][7] 和内部垃圾收集,肯定会影响其安全性(如何影响以及影响多少,现在下结论还为时过早)。
并发允许多个 WebAssembly 模块在同一个虚拟机中并行。目前,只有通过 JavaScript [web workers][8] 才能实现这一点,但更好的机制正在开发中。安全方面,他们可能会带来[以前不需要的大量的代码][9],会导致出现更多的错误。
[原生的垃圾收集器][10] 需要提高性能和安全性,但最重要的是在经过良好测试的浏览器的 Java <ruby>虚拟机<rt>VM</rt></ruby> (收集它们自己内部的所有垃圾)之外使用 WebAssembly。当然甚至这个新代码也可能成为漏洞和攻击的另一个入口。
往好处想,使 WebAssembly 比现在更安全的通用策略也是存在的。再次引用 [这篇文章][5],这些策略包括:编译器改进,栈、堆和常量数据 _分离_ 的线性存储机制,以及避免使用 **不安全的语言**(如 C编译 WebAssembly 模块代码。
本文 [WebAssembly 安全的现在和未来][11] 首次发表在 [Linux 基金会 - 培训][12]。
--------------------------------------------------------------------------------
via: https://www.linux.com/news/webassembly-security-now-and-in-the-future/
作者:[Dan Brown][a]
选题:[lujun9972][b]
译者:[hanszhao80](https://github.com/hanszhao80)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/
[b]: https://github.com/lujun9972
[1]: https://training.linuxfoundation.org/announcements/an-introduction-to-webassembly/
[2]: https://www.sec.cs.tu-bs.de/pubs/2019a-dimva.pdf
[3]: https://webassembly.org/docs/security/
[4]: https://ctf101.org/binary-exploitation/stack-canaries/
[5]: https://www.usenix.org/system/files/sec20-lehmann.pdf
[6]: https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
[7]: https://github.com/WebAssembly/threads
[8]: https://en.wikipedia.org/wiki/Web_worker
[9]: https://googleprojectzero.blogspot.com/2018/08/the-problems-and-promise-of-webassembly.html
[10]: https://github.com/WebAssembly/gc/blob/master/proposals/gc/Overview.md
[11]: https://training.linuxfoundation.org/announcements/webassembly-security-now-and-in-the-future/
[12]: https://training.linuxfoundation.org/
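Review bot: In "未来的方向", the garbage-collector paragraph refers to "浏览器的 Java <ruby>虚拟机<rt>VM</rt></ruby>", but the article's own second section says WebAssembly modules are managed by the VM that executes JavaScript, so this should be "JavaScript", not "Java". The last paragraph of "结果很好,但并不完美" also needs rewording: "写入不安全的调用 WebAssembly 的 JavaScript 代码" can be read as the module writing unsafe JavaScript code, where the surrounding text is about values exchanged with the calling JavaScript. Minor: "__外部__" and "__内部__" use double underscores where the rest of the file uses single ones for emphasis, and the list of three platforms after "三个不同的平台" has lost its brackets and separators.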

View File

@ -1,169 +0,0 @@
[#]: subject: "How to Install h.264 decoder on Ubuntu Linux"
[#]: via: "https://itsfoss.com/install-h-264-decoder-ubuntu/"
[#]: author: "Abhishek Prakash https://itsfoss.com/author/abhishek/"
[#]: collector: "lujun9972"
[#]: translator: "hwlife"
[#]: reviewer: " "
[#]: publisher: " "
[#]: url: " "
怎样在 Ubuntu Linux 安装 h.264 解码器
======
当你开始使用 [新安装的 Ubuntu 系统][1] 并尝试打开一个 MP4 文件进行播放时,它可能会显示一个错误,即:
_**播放这个文件要求 H.264 (高端类) 解码器 但是没有安装。**_
![当播放特定媒体文件时Ubuntu 的默认视频播放器会显示错误][2]
你可能会猜到这是怎么了。系统没有安装所需的多媒体解码器阻止了视频播放器不能播放视频文件。
所以,解决方案是什么?安装所需的解码器。怎么做呢?
我将讨论解决这个问题的三种方法:
1. 只安装所需的解码器:它可能会让所需的文件播放但是一些其它格式的文件仍然会处在失去解码器的状态。
2. 一次安装多种多媒体解码器:它会安装解码器之外,还会安装其它你不需要的软件包,类似微软的字体库一样。
3. 安装一个不同的视频播放器:像 VLC 和 MPV 视频播放器默认状态下对解码器有更好的支持。对大多数常规视频文件来说,你不必分别安装它们。
如果你遵从我的建议,我建议你采用第二种和第三种方法。为什么?一会你就知道了。
### 在 Ubuntu Linux 获取 h264 解码器
这里我使用 Ubuntu Linux。第一和第三种方法应该适用于其它发行版但是第二种方法不适用因为所提到的包 (常常) 是 Ubuntu 所独有的。
#### 方法 1: 只安装所需的解码器 (不建议)
当你看到这个错误,它给你一个叫做 “在 Ubuntu 软件中心查找 ” 的选项。点击这个选项打开软件中心,可能显示(或不显示)一些软件包将会在你的系统上安装 h264 解码器。
![在 Ubuntu 软件中心可能提供 h264 解码器软件包][3]
软件包名可能听起来很相似但是需要带有“糟糕”设置的 GStreamer 多媒体解码器。检查软件包的描述。
或者,你可以使用这个命令在终端来安装软件包:
```
sudo apt install gstreamer1.0-plugins-bad
```
如果你对终端不了解,请注意它将要求使用你的账户密码。**当你输入你的密码时,屏幕什么都不显示**。这是 Linux 的方式。你盲输密码然后按回车键。
一旦软件包安装完成,再次打开文件看看是否能够正常播放。
这可能对你有用,但是故事并未结束。你可能有其它格式的一些视频文件要求一些其它的 h264 解码器 或者其它解码器。
![其它的解码器播放视频你可能仍然有问题][4]
你可以像这样尝试安装更多的解码器:
```
sudo apt install libavcodec-extra gstreamer1.0-plugins-ugly gstreamer1.0-libav
```
然而,在 Ubuntu 有一个 [ 安装多媒体解码器更加方便的方法 ][5] 并且在下一节我会展示给你。
#### 方法 2: 安装所有多媒体解码器 (建议)
Ubuntu 系统提供了一个名字叫做 ubuntu-restricted-extras 的原始软件包,由许多常规的音频和视频解码器以及像类似微软字体库那样无用的一些软件包组成。
安装这个软件包你将不用再担心多媒体解码器的问题了。
在 Ubuntu 打开终端并键入以下命令:
```
sudo apt install ubuntu-restricted-extras
```
由于这个原始软件包包含类似微软字库那样用不到的一些多余的软件,你将不得不接受最终用户许可协议 (EULA) 。
![按下 tab 键 然后点击回车接受 EULA 协议][6]
下一屏可能类似以下这样。只按下 tab 键将会高亮显示选项。当正确的选项高亮显示时,按下回车键来确认你的选择。
![当高亮显示你正确的选项时,按下 tab 键,按回车键确认][7]
多媒体解码器安装完成,你应该能够播放 (大多数) 许多中媒体文件。你的音乐播放器能播放 MP3 文件,你的视频播放器能播放 MP4MKV等等格式。
然而,这也不是故事的终点,至少对某些人来说。
为什么我要那样说?因为我已经注意到 Ubuntu 系统下的默认视频播放器Totem在播放某些视频格式文件时常常遇到问题。你会注意到突然你的系统主机发热风扇狂转并且鼠标指针停止运行。
为什么?因为 Totem 播放器在视频解码方面占用了太多的处理器资源。
当你播放视频的时候你可以通过 top 命令 测试以下。查看名称为 totem 这个进程 (那是默认视频播放器的名字)。
![Ubuntu 默认的视频播放器, Totem, 可能消耗过多的必要的 CPU 资源][8]
你现在能够做什么?你的麻烦看起来永无止境,别担心。[在 Linux 上有更好的视频播放器][9] 并且它们能帮助你解决问题。
#### 方法 3: 安装一个更好的视频播放器 (建议)
在 Linux 有很多优秀的视频播放器。我发现它们好于默认的 Totem 视频播放器。
就我个人来说那么多个我只喜欢这两个VLC][10] 和 [MPV][11]。
VLC 是一个多功能且超级流行的额视频播放器。很可能你已经使用过 VLC 。
MPV 媒体播放器不是那么流行但是这个轻量级的程序播放视频文件是再合适不过了。
VLC 和 MPV 播放器都擅长处理多媒体解码器。你甚至不必分开来安装多媒体解码器。只需要 [安装 VLC][12] 或者 MPV ,你就能够播放各种格式的视频文件。
在软件中心也可以找到它:
![在 Ubuntu 软件中心 MPV 可用][13]
或者 使用命令行 [在 Ubuntu 安装 MPV][14]
```
sudo apt install mpv
```
现在你已经有了另一个视频播放器,你应该右键点击视频文件,选择新的视频播放器来打开。
或者,你可以[使其作为默认程序][15] 双击来播放视频文件。
### 对你有用吗?
我在这里没有说太多细节。我想阐述各种方法和它们每个的利弊。
你在 Ubuntu 处理好 h264 解码器的问题了吗?那种方法对你有用?
--------------------------------------------------------------------------------
via: https://itsfoss.com/install-h-264-decoder-ubuntu/
作者:[Abhishek Prakash][a]
选题:[lujun9972][b]
译者:[hwlife](https://github.com/hwlife)
校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译,[Linux中国](https://linux.cn/) 荣誉推出
[a]: https://itsfoss.com/author/abhishek/
[b]: https://github.com/lujun9972
[1]: https://itsfoss.com/install-ubuntu/
[2]: https://itsfoss.com/wp-content/uploads/2022/04/h264-decoder-error-ubuntu-800x241.png
[3]: https://itsfoss.com/wp-content/uploads/2022/04/h264-decoder-ubuntu-software-center-800x532.png
[4]: https://itsfoss.com/wp-content/uploads/2022/04/ac3-decoder-missing-ubuntu-800x251.png
[5]: https://itsfoss.com/install-media-codecs-ubuntu/
[6]: https://itsfoss.com/wp-content/uploads/2020/02/installing_ubuntu_restricted_extras.jpg
[7]: https://itsfoss.com/wp-content/uploads/2020/02/installing_ubuntu_restricted_extras_1.jpg
[8]: https://itsfoss.com/wp-content/uploads/2022/04/totem-consuming-more-cpu-ubuntu-800x454.webp
[9]: https://itsfoss.com/video-players-linux/
[10]: https://www.videolan.org/vlc/
[11]: https://mpv.io/
[12]: https://itsfoss.com/install-latest-vlc/
[13]: https://itsfoss.com/wp-content/uploads/2022/04/mpv-player-ubuntu-software-center-800x346.png
[14]: https://itsfoss.com/mpv-video-player/
[15]: https://itsfoss.com/change-default-applications-ubuntu/
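Review bot: The hunk header "@ -1,169 +0,0" removes this translation in full while its metadata still shows empty reviewer, publisher and url fields, so please confirm that the proofread copy is added elsewhere in this merge and that the file is not simply being dropped. If it was moved, check that the defects visible in the removed text were fixed in the new copy: the broken link markup "VLC][10]" under method 3 (missing the opening bracket), "许多中媒体文件" and "MP4MKV等等" in method 2, and "额视频播放器" in the VLC sentence.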