Enterprise – Linux.com: News For Open Source Professionals (https://www.linux.com). Feed last built Thu, 18 Jul 2024 12:24:30 +0000.

Linux Foundation Newsletter: October 2023
https://www.linux.com/news/linux-foundation-newsletter-october-2023/
Thu, 19 Oct 2023 13:46:11 +0000

This month’s newsletter will be one of our biggest ever! In October, our communities met in person at the Open Source Summit Europe in Bilbao and KubeCon + CloudNativeCon + OSS in Shanghai, China.  At OpenSSF’s Secure Open Source Summit in Washington, DC, we continued advancing important conversations to improve the security of software supply chains. We had a record month at LF Research, with four new reports published since our last newsletter on brand new topics, including the mobile industry and Europe’s public sector, and year-over-year trends specific to European open source and the state of the OSPO. And, of course, there’s lots of project news for you to catch up on, including the announcement of OpenPubkey, a zero-trust passwordless authentication system for Docker.

Read the October Newsletter at the Linux Foundation Blog

The post Linux Foundation Newsletter: October 2023 appeared first on Linux.com.

Creating a ‘Minimum Elements’ SPDX SBOM Document in 5 Minutes
https://www.linux.com/news/creating-a-minimum-elements-spdx-sbom-document-in-5-minutes/
Wed, 03 May 2023 15:20:22 +0000

The rise in cyberattacks and software’s critical role in our lives has brought to light the need for increased transparency and accountability in the software supply chain. Software distributors can achieve this by providing software bills of materials (SBOMs), which provide a comprehensive list of all the components used in a software product, including open source and proprietary code, libraries, and dependencies.

In May 2021, United States Executive Order 14028 on improving the nation’s cybersecurity emphasized the importance of SBOMs in protecting the software supply chain. After comprehensive proofs of concept using the Software Package Data Exchange (SPDX) format, the National Telecommunications and Information Administration (NTIA) released the “minimum elements” for an SBOM. The minimum elements are the data fields that enable basic use cases:

  • Supplier Name
  • Component Name
  • Version of the Component
  • Other Unique Identifiers
  • Dependency Relationship
  • Author of SBOM Data
  • Timestamp

The NTIA recommends that the data contained in these fields should be expressed in predictable implementations and data formats to enable automation support. One of the preferred formats for expressing this data is SPDX. While version 2.3 of the SPDX specification, released in November 2022, was the first version to explicitly describe how to express the NTIA minimum elements in an SPDX document, SPDX has supported these elements since its version 2.0 release in 2015.
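As an added worked example, not from this article, the linked New Stack piece, or the SPDX project, the Python below builds a small SPDX 2.3 JSON document that carries all seven minimum elements and checks any SPDX JSON document for them. The field mapping is the one the SPDX 2.3 specification gives for the NTIA elements: Supplier Name is the package `supplier`, Component Name is `name`, Version is `versionInfo`, Other Unique Identifiers is the package `SPDXID` (a purl or CPE in `externalRefs` is an optional extra), Dependency Relationship is the `relationships` array (a DESCRIBES from the document, and every package in at least one relationship), Author of SBOM Data is `creationInfo.creators`, and Timestamp is `creationInfo.created`. The package names, versions and document namespace are constructed for illustration. The SPDX project also publishes its own ntia-conformance-checker tool; this block is independent of it.

```python
"""Check an SPDX 2.3 JSON document for the NTIA SBOM minimum elements.

Added example; the SBOM below is constructed for illustration (assumed names,
versions and namespace) and is not from the article or the SPDX project."""
import json
from datetime import datetime

# Constructed sample SBOM: one described package and one dependency.
SAMPLE_SBOM = {
    "spdxVersion": "SPDX-2.3",
    "dataLicense": "CC0-1.0",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-app-1.4.0",
    "documentNamespace": "https://sbom.example.invalid/spdxdocs/example-app-1.4.0-3f1c9e",
    "creationInfo": {                                   # Author of SBOM Data + Timestamp
        "created": "2023-05-03T15:20:22Z",
        "creators": ["Tool: example-sbom-tool-0.1", "Organization: Example Corp"],
    },
    "packages": [
        {
            "name": "example-app",                      # Component Name
            "SPDXID": "SPDXRef-Package-example-app",    # Other Unique Identifiers
            "versionInfo": "1.4.0",                     # Version of the Component
            "supplier": "Organization: Example Corp",   # Supplier Name
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:generic/example-app@1.4.0"}],
        },
        {
            "name": "libfoo",
            "SPDXID": "SPDXRef-Package-libfoo",
            "versionInfo": "2.7.1",
            "supplier": "Organization: Foo Project",
            "downloadLocation": "NOASSERTION",
            "filesAnalyzed": False,
            "externalRefs": [{"referenceCategory": "PACKAGE-MANAGER", "referenceType": "purl",
                              "referenceLocator": "pkg:generic/libfoo@2.7.1"}],
        },
    ],
    "relationships": [                                  # Dependency Relationship
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Package-example-app"},
        {"spdxElementId": "SPDXRef-Package-example-app", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Package-libfoo"},
    ],
}


def _present(value):
    """NOASSERTION and NONE are valid SPDX values but do not satisfy the NTIA minimum."""
    return bool(value) and value not in ("NOASSERTION", "NONE")


def ntia_gaps(doc):
    """Return descriptions of missing minimum elements; an empty list means all are present."""
    gaps = []
    info = doc.get("creationInfo", {})
    if not any(_present(c) for c in info.get("creators", [])):
        gaps.append("Author of SBOM Data: creationInfo.creators is empty")
    try:
        datetime.strptime(info.get("created", ""), "%Y-%m-%dT%H:%M:%SZ")
    except (TypeError, ValueError):
        gaps.append("Timestamp: creationInfo.created is missing or not YYYY-MM-DDThh:mm:ssZ")

    packages = doc.get("packages", [])
    if not packages:
        gaps.append("Component Name: document lists no packages")
    for pkg in packages:
        pid = pkg.get("SPDXID") or f"<package {pkg.get('name')!r} without SPDXID>"
        if not _present(pkg.get("SPDXID")):
            gaps.append(f"Other Unique Identifiers: {pid} has no SPDXID")
        if not _present(pkg.get("name")):
            gaps.append(f"Component Name: {pid} has no name")
        if not _present(pkg.get("versionInfo")):
            gaps.append(f"Version of the Component: {pid} has no versionInfo")
        if not _present(pkg.get("supplier")):
            gaps.append(f"Supplier Name: {pid} has no supplier")

    rels = doc.get("relationships", [])
    ids = {p.get("SPDXID") for p in packages if p.get("SPDXID")}
    described = {r.get("relatedSpdxElement") for r in rels if r.get("relationshipType") == "DESCRIBES"}
    if not described & ids:
        gaps.append("Dependency Relationship: no DESCRIBES relationship points at a package")
    referenced = {r.get("spdxElementId") for r in rels} | {r.get("relatedSpdxElement") for r in rels}
    for pid in sorted(ids - referenced):
        gaps.append(f"Dependency Relationship: {pid} appears in no relationship")
    return gaps


def load_and_check(path):
    """Read an SPDX JSON file from disk and return its NTIA gaps."""
    with open(path, encoding="utf-8") as fh:
        return ntia_gaps(json.load(fh))


if __name__ == "__main__":
    print(json.dumps(SAMPLE_SBOM, indent=2))
    print("NTIA gaps:", ntia_gaps(SAMPLE_SBOM) or "none")
```

One point the checker makes explicit: NOASSERTION is legal SPDX for fields such as `supplier` and `downloadLocation`, but a package whose supplier is NOASSERTION does not meet the minimum elements, so the checker reports it as missing rather than accepting the document as syntactically valid SPDX.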

Read more about how to create an SPDX SBOM document that complies with the NTIA “minimum elements” at The New Stack.

The post Creating a ‘Minimum Elements’ SPDX SBOM Document in 5 Minutes appeared first on Linux.com.

Increasing 5G Quality of Experience (QoE) Using SONiC and Open Packet Broker
https://www.linux.com/news/increasing-5g-quality-of-experience-qoe-using-sonic-and-open-packet-broker/
Mon, 23 Jan 2023 19:41:07 +0000

5G has revolutionized the use of data services for mobile users worldwide, providing high data rates, high capacity, low latency, and massive connectivity. These characteristics have forced mobile carriers to focus on ways to improve network service and their customers’ Quality of Experience (QoE). This requires sophisticated network monitoring that can detect, and immediately resolve, issues that impact QoE. Network monitoring tools need to receive both control-plane and user-plane traffic to help mobile operators meet customer expectations.

GTP (GPRS Tunnelling Protocol) is a family of IP-based protocols originally defined to carry GPRS traffic in GSM networks and still used in UMTS, LTE and 5G transport. It tunnels mobile packets over an underlay IP network: GTP-U carries user-plane traffic over UDP (port 2152) between the base station and the user-plane gateway (the UPF in the 5G architecture), and GTP-C (UDP port 2123) carries control-plane signalling between core gateways in the 4G EPC. The subscriber’s packet is encapsulated behind an outer IP/UDP/GTP header and delivered across the IP transport network.

Why do we need GTP Parsing and Filtering?

Network monitoring tools need the inner (subscriber) header information of mobile traffic for threat monitoring, analysis, and inspection. Network packet brokers (NPBs) sitting in the core network therefore have to filter, forward, and load balance packets toward the tools, and to do that they must match on both the outer transport headers and the inner subscriber headers so that individual GTP sessions can be identified in the data stream. This inspection is what lets the broker allow or deny traffic according to the packet policies configured by the mobile operator.

A major challenge in today’s mobile networks is that data traffic from user equipment and its applications is growing rapidly. To monitor performance effectively and deliver a better quality of service, service providers need to correlate traffic flows per subscriber using the tunnel endpoint identifiers (TEIDs) of the data and service gateway tunnels. NPBs in the core network therefore need to parse both GTP user-plane and control-plane packets, matching on the inner subscriber headers as well as the outer underlay IP headers.

Open Networking Approach 

Modern ASICs, with their programmability, flexible parsers for filtering, and TCAM scale, have made it possible to build network packet brokers for the 5G mobile network that perform deep packet inspection of GTP sessions. The open-source SONiC NOS, regarded as the “Linux of Networking,” supports these ASICs. Its flexible, micro-services-based software architecture, which exposes ASIC capabilities through the standardized Switch Abstraction Interface (SAI), creates a clear opportunity to build network packet brokers for 5G deployments.

Aviz’s Open Packet Broker (OPB) is the industry’s first software-based microservice built on SONiC using ASIC (NVIDIA Spectrum) programmability capabilities to provide deep insights on 5G mobile traffic.

    Open Packet Broker
    flow flow1
      network-ports Ethernet13/1
      tool-ports Ethernet16/1
      tool-ports port-channel1
      rule 1 permit src-ip 1.1.1.1/32 dest-ip 2.2.2.2/32 protocol tcp gtp "teid 0x13467254 inner-sip 3.3.3.3/32 inner-dip 4.4.4.4/32 inner-protocol udp inner_l4srcport 567 inner_l4destport 789" counters enable
      rule 2 permit src-ip 2401::1 src-netmask f::f dest-ip 2401::2 dest-netmask f::f protocol udp l4portsrc 789 l4portdst 456 gtp "teid 0x11112222 inner-sip 1203::1 inner-smask f::f inner-dip 1203::2 inner-dmask f::f inner-protocol tcp inner_l4srcport 909 inner_l4destport 657" counters enable

Figure 1: Simple (IPv4/IPv6) Rule configuration for GTP session monitoring with LoadBalancing
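The rules above match on the outer (underlay) headers and, behind the GTP-U tunnel, on the TEID and the inner subscriber headers. As an added example, not code from the article or from Aviz’s OPB, the Python below parses a constructed GTPv1-U packet (outer IPv4/UDP on port 2152, GTPv1-U header, inner IPv4/UDP) and evaluates a rule written in the same vocabulary as rule 1; the addresses, ports and TEID are assumed values. GTP-U is carried over UDP, so the constructed outer transport is UDP. The parser honours the S, E and PN flag bits and walks the extension-header chain, because the inner packet starts at a fixed offset of 8 bytes only when none of those bits is set.

```python
"""Parse GTPv1-U encapsulation and apply an outer+inner filter rule.

Added example, not code from the article or from Aviz's OPB. Packet bytes and
the rule are constructed here. Header layout follows 3GPP TS 29.281: an 8-byte
mandatory header, a 4-byte optional field (sequence number, N-PDU number, next
extension header type) present when any of the S, E or PN flag bits is set,
then a chain of extension headers while the 'next type' byte is non-zero."""
import ipaddress
import struct

GTPU_PORT = 2152          # UDP port registered for GTP-U
G_PDU = 0xFF              # message type carrying an encapsulated subscriber packet
PROTO_NAMES = {6: "tcp", 17: "udp"}


def parse_ipv4(buf):
    """Return (src, dst, protocol, header_length) for the IPv4 header at buf[0:]."""
    ver_ihl, proto = buf[0], buf[9]
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    src, dst = struct.unpack_from("!4s4s", buf, 12)
    return str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), proto, (ver_ihl & 0x0F) * 4


def parse_gtpu(buf):
    """Return (teid, inner_packet_bytes) for a GTPv1-U PDU at buf[0:]."""
    flags, msg_type, length, teid = struct.unpack_from("!BBHI", buf, 0)
    if flags >> 5 != 1 or not flags & 0x10:
        raise ValueError("not GTPv1 with PT=1")
    if msg_type != G_PDU:
        raise ValueError(f"not a G-PDU (message type {msg_type})")
    end = 8 + length                        # length counts everything after the mandatory 8 bytes
    if end > len(buf):
        raise ValueError("truncated GTP-U PDU")
    off = 8
    if flags & 0x07:                        # S, E or PN set: the 4 optional bytes are present
        if off + 4 > end:
            raise ValueError("optional field signalled but absent")
        next_ext = buf[off + 3]
        off += 4
        while next_ext != 0:                # each extension header: len/4, content, next type
            ext_len = buf[off] * 4
            if ext_len == 0 or off + ext_len > end:
                raise ValueError("malformed GTP extension header")
            next_ext = buf[off + ext_len - 1]
            off += ext_len
    return teid, buf[off:end]


def parse_encapsulated(pkt):
    """Decode outer IPv4/UDP/GTP-U and the inner IPv4/L4 headers of a user-plane packet."""
    o_src, o_dst, o_proto, o_ihl = parse_ipv4(pkt)
    if o_proto != 17:
        raise ValueError("outer packet is not UDP")
    sport, dport = struct.unpack_from("!HH", pkt, o_ihl)
    if GTPU_PORT not in (sport, dport):
        raise ValueError("outer UDP is not GTP-U")
    teid, inner = parse_gtpu(pkt[o_ihl + 8:])
    i_src, i_dst, i_proto, i_ihl = parse_ipv4(inner)
    i_sport, i_dport = struct.unpack_from("!HH", inner, i_ihl)   # same offsets for TCP and UDP
    return {"src_ip": o_src, "dest_ip": o_dst, "teid": teid,
            "inner_sip": i_src, "inner_dip": i_dst,
            "inner_protocol": PROTO_NAMES.get(i_proto, str(i_proto)),
            "inner_l4srcport": i_sport, "inner_l4destport": i_dport}


def matches(rule, fields):
    """True when every key in rule matches; IP keys are CIDR prefixes, the rest exact values."""
    for key, want in rule.items():
        got = fields[key]
        if key in ("src_ip", "dest_ip", "inner_sip", "inner_dip"):
            if ipaddress.ip_address(got) not in ipaddress.ip_network(want, strict=False):
                return False
        elif got != want:
            return False
    return True


# Constructed rule in the vocabulary of the article's rule 1 (assumed values).
RULE_1 = {"src_ip": "10.0.0.1/32", "dest_ip": "10.0.0.2/32", "teid": 0x13467254,
          "inner_sip": "3.3.3.3/32", "inner_dip": "4.4.4.4/32",
          "inner_protocol": "udp", "inner_l4srcport": 567, "inner_l4destport": 789}


def build_sample(teid, with_seq=False):
    """Construct an outer IPv4/UDP/GTP-U packet carrying an inner IPv4/UDP datagram (checksums left 0)."""
    def ipv4(src, dst, proto, payload):
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                          ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        return hdr + payload

    def udp(sport, dport, payload):
        return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

    inner = ipv4("3.3.3.3", "4.4.4.4", 17, udp(567, 789, b"subscriber data"))
    optional = struct.pack("!HBB", 1, 0, 0) if with_seq else b""   # seq=1, N-PDU=0, no extension header
    flags = 0x30 | (0x02 if with_seq else 0)                        # version 1, PT=1, optional S bit
    gtp = struct.pack("!BBHI", flags, G_PDU, len(optional) + len(inner), teid) + optional + inner
    return ipv4("10.0.0.1", "10.0.0.2", 17, udp(GTPU_PORT, GTPU_PORT, gtp))


if __name__ == "__main__":
    for with_seq in (False, True):
        fields = parse_encapsulated(build_sample(0x13467254, with_seq))
        print(f"S-flag={with_seq}: TEID=0x{fields['teid']:08x} match={matches(RULE_1, fields)}")
```

The detail a practitioner should take from this is the header-length handling: a filter that assumes a fixed 8-byte GTP-U header reads the inner IP header from the wrong offset as soon as a sequence number or extension header is present, so inner matches silently fail or hit the wrong bytes. The block handles IPv4 only; IPv6 inner or outer headers, as in rule 2, need the corresponding parsing.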

Figure 2: GTP configuration using APIs

Conclusion

As they deliver 5G’s high capacity, low latency, and massive connectivity to customers, mobile carriers must ensure uninterrupted network service with a higher quality of experience. Mobile operators therefore need a cost-effective solution that keeps up with increasing speeds while providing deep inspection. Aviz leverages the strengths of the open networking ecosystem, for both hardware and software, to provide mobile network operators with the solution that is key to greater QoE at a lower cost: OPB (Open Packet Broker).

Authors: Chid Perumal, CTO, and Rajasekaran S, Member of Technical Staff, Aviz Networks

The post Increasing 5G Quality of Experience (QoE) Using SONiC and Open Packet Broker appeared first on Linux.com.

Linux Foundation Annual Report 2022: Leadership in Security and Innovation
https://www.linux.com/news/linux-foundation-annual-report-2022-leadership-in-security-and-innovation/
Thu, 08 Dec 2022 18:37:11 +0000

In 2022, the Linux Foundation, in collaboration with our community, engaged in new initiatives to secure the software supply chain, enabled innovations with social, economic, regional, and environmental impact, supported open industry standards, and continued to embrace diversity and inclusivity.  Read the report today.

The post Linux Foundation Annual Report 2022: Leadership in Security and Innovation appeared first on Linux.com.

Why Do Enterprises Use and Contribute to Open Source Software
https://www.linux.com/news/why-do-enterprises-use-and-contribute-to-open-source-software/
Fri, 03 Jun 2022 03:44:11 +0000

People often ask why enterprises would want to contribute to and/or use open source software. I dive into the why and also the how.

When people find out I work at the Linux Foundation, they invariably ask what we do. Sometimes it is couched in the question, “As in the Linux operating system?” I explain open source software and try to capture its worldwide impact in 20 seconds before I lose their attention. If they happen to stick around for more, we often dig into the question: why would enterprises want to participate in open source software projects or use open source software? The reality is that they do, whether they know it or not. Thousands of companies donate their code to open source projects and invest time and resources in helping to further develop and improve open source software.

How extensively used is open source software?

To quote from our recently released report, A Guide to Enterprise Open Source, “Open source software (OSS) has transformed our world and become the backbone of our digital economy and the foundation of our digital world. From the Internet and the mobile apps we use daily to the operating systems and programming languages we use to build the future, OSS has played a vital role. It is the lifeblood of the technology industry. Today, OSS powers the digital economy and enables scientific and technological breakthroughs that improve our lives. It’s in our phones, our cars, our airplanes, our homes, our businesses, and our governments. But just over two decades ago, few people had ever heard of OSS, and its use was limited to a small group of dedicated enthusiasts.”

Open source software (OSS) has transformed our world and become the backbone of our digital economy and the foundation of our digital world.

But what does this look like in practice?

  • In vertical software stacks across industries, open source penetration ranges from 20 to 85 percent of the overall software used
  • Linux fuels 90%+ of web servers and Internet-connected devices
  • The Android mobile operating system is built on the Linux kernel
  • Immensely popular libraries and tools for building web applications, such as AMP, Appium, Dojo, jQuery, Marko and Node.js, are open source
  • The world’s top 100 supercomputers run Linux
  • 100% of mainframe customers use Linux
  • The major cloud-service providers – AWS, Google, and Microsoft – all utilize open source software to run their services and host open source solutions delivered through the cloud

Why do companies want to participate in open source software projects?

Companies primarily participate in open source software projects in three ways:

  • They donate software they created to the open source community
  • They provide direct funding to open source software projects
  • They allocate software developers and other staff to contribute to open source software projects

The question often asked is, why wouldn’t they want to keep all of their software proprietary or only task their employees to work on their proprietary software?

The 30,000-foot answer is that it is about organizations coming together to collectively solve common problems so they can separately innovate and differentiate on top of the common baseline. They see that they are better off pooling resources to make the baseline better. Sometimes it is called “coopetition.” It generally means that while companies may be in competition with each other in certain areas, they can still cooperate on others.

It is about organizations coming together to collectively solve common problems so they can separately innovate and differentiate

Some old-school examples of this principle:

  • Railroads agreed on a common track gauge and build so they could all use the same lines and their equipment was interchangeable
  • Before digital cameras, companies innovated and differentiated on film and cameras, but they all agreed on the spacing of the sprocket holes used to advance the film
  • The entertainment industry united around the VHS and Blu-ray formats over their rivals

Now, we see companies, organizations, and individuals coming together to solve problems while simultaneously improving their businesses and products:

  • Let’s Encrypt is a free, automated, and open certificate authority with the goal of dramatically increasing the use of secure web protocols by making certificates much easier and less expensive to set up. It serves 225+ million websites, issuing ~1.5 million certificates each day on average.
  • The Academy Software Foundation creates value in the film industry by collectively engineering the software that powers much of the entertainment, gaming, and media industry’s productions, along with the open standards needed for growth.
  • The Hyperledger Foundation hosts enterprise-grade blockchain software projects, notably ones that use significantly fewer energy resources than other popular solutions.
  • LF Energy is making the electric grid more modular, interoperable, and scalable to help increase the use of renewable energy sources
  • Dronecode is enabling the development of drone software so companies can use their resources to innovate further
  • OpenSSF brings the top technology companies together to strengthen the security and resiliency of open source software
  • Kubernetes was donated by Google and is the go-to solution for orchestrating containerized software in the cloud

These are just a small sampling of the open source software projects that enterprises are participating in. You can explore all of the ones hosted at the Linux Foundation here.

How can companies effectively use and participate in open source software projects?

Enterprises looking to better utilize and participate in open source projects can look to the Linux Foundation’s resources to help. Much of what organizations need to know is provided in the just-published report, A Guide to Enterprise Open Source. The report is packed with information and insights from open source leaders at top companies with decades of combined experience. It includes chapters on these topics:

  • Leveraging Open Source Software
  • Preparing the Enterprise for Open Source
  • Developing an Open Source Strategy
  • Setting Up Your Infrastructure for Implementation
  • Setting Up Your Talent for Success
  • Challenges

Additionally, the Linux Foundation offers many open source training courses, events throughout the year, and the LFX Platform, and hosts projects that help organizations manage open source utilization and participation, such as:

  • The TODO Group provides resources to set up and run an open source program office, including their extensive guides
  • The OpenChain Project maintains an international standard for sharing which software package licenses are included in a larger package, including information on the various licensing requirements, so enterprises can ensure they are complying with all of the legal requirements
  • The FinOps Foundation is fostering an “evolving cloud financial management discipline and cultural practice that enables organizations to get maximum business value by helping engineering, finance, technology, and business teams to collaborate on data-driven spending decisions.”
  • The Software Package Data Exchange (SPDX) is an open standard for communicating software bills of materials (SBOMs), so it is clear to every user which pieces of software are included in the overall package.

Again, this is just a snippet of the projects at the Linux Foundation that are working to help organizations adopt, use, contribute to, and donate open source projects.

The bottom line: Enterprises are increasingly turning to open source software projects to solve common problems and innovate beyond the baseline, and the Linux Foundation is here to help.

The post Why Do Enterprises Use and Contribute to Open Source Software appeared first on Linux Foundation.

The post Why Do Enterprises Use and Contribute to Open Source Software appeared first on Linux.com.

Open Mainframe Project Announces Major Technical Milestone with Zowe’s Longer Term Support V2 Release
https://www.linux.com/news/open-mainframe-project-announces-major-technical-milestone-with-zowes-longer-term-support-v2-release/
Thu, 26 May 2022 20:58:00 +0000

Zowe LTS V2 increases product stability, security and interoperability and ensures longevity compatibility with the Conformance and Conformant Support Provider Programs

SAN FRANCISCO, May 26, 2022 – The Open Mainframe Project announced today that Zowe, an open source software framework for the mainframe that strengthens integration with modern enterprise applications, marks a major technical milestone with its Long Term Support (LTS) V2 release. The second LTS version, which comes two years after the first, offers vendors and customers product stability, security and interoperability, as well as easy installation and upgraded features.

“As organizations expand their hybrid cloud workloads, the Zowe framework evolves to address critical architectural requirements,” said Rose Sakach, Chair of the Zowe Technical Advisory Committee and Product Manager at Broadcom. “Since its launch in 2018, Zowe has become a foundational enabler to businesses’ hybrid IT strategy. The LTS V2 Release will continue to strengthen this value with developer-friendly features and benefits.”

Benefits of the LTS V2 include:

  • Stability: Organizations can confidently adopt the technology for enterprise use and upgrade when appropriate for their environment, minimizing the risk of disruption.
  • Interoperability: Zowe consumers can be assured LTS-conformant extensions have adapted to and support LTS features.
  • Longevity: Zowe is designed for years of use and plans are in place for continued updates and support.

Open Mainframe Project launched Zowe, the first-ever open source project based on z/OS, in 2018 to serve as an integration platform for the next generation of administration, management and development tools on z/OS mainframes.  The Zowe framework uses the latest web technologies among products and solutions from multiple vendors. Zowe enables developers to use familiar, industry-standard, open source tools to access mainframe resources and services.

Feedback and interest in Zowe have been noteworthy. Since January 2022, Zowe has more than:

  • 130,000 downloads
  • 87,000 page views and 16,000 visitors of zowe.org
  • 520 contributors

Key features of Zowe LTS V2 include:

  • More security features built in to ensure data and user credentials are always encrypted and safe.
  • A new daemon mode delivering performance improvements for the command line interface.
  • Faster and easier configuration of Zowe, shortening time to value.
  • More engagement and collaboration between team members using Zowe for modern DevOps at scale.
  • New APIs created by the community

For more features, click here.

“Zowe continues to innovate as a direct result of the contributions, leadership and passion of the global open source community,” said John Mertic, Director of Program Management for the Linux Foundation and Open Mainframe Project. “Zowe shows no sign of slowing momentum and the LTS V2 release demonstrates our commitment to interoperability, stability and security.”

Other Zowe Updates

Zowe Chat, a new incubator project that extends z/OS use by focusing on working with mainframes from chat clients such as Slack, Microsoft Teams and Mattermost (with extensibility for other solutions). A set of commonly used scenarios will be provided, and the framework will be extensible so sites can add new scenarios. Similar to other Zowe core packages, the chat framework will be extensible by vendor tools, bringing an integrated user experience for more elaborate cross-vendor scenarios. Read more about it here.

Zowe IntelliJ Plugin , a new incubator project that provides access to the mainframe from IDEs like IntelliJ, PyCharm, WebStorm and more. Launched by IBA Group, the IntelliJ IDEA plug-in leverages z/OSMF to interact with mainframe data sets and USS files, which enables those familiar with these IDEs to comfortably work with the mainframe just like other projects. This integration will improve the efficiency and overall happiness of IntelliJ enthusiasts now working on the mainframe. Learn more in this blog.

Zowe was recognized as the Best DevOps for Mainframe Award in this year’s DevOps Dozen competition. It was selected over a number of commercial vendor offerings, reflecting a widespread appreciation for the value of an open source solution for the mainframe. Learn more.

The Zowe Conformance Program is Updated with LTS V2 Guidelines

Aimed to build a vendor-neutral ecosystem around Zowe, Open Mainframe Project’s Zowe Conformance Program launched in 2020.  The program has helped Open Mainframe Project members such as ASG Technologies, BMC, Broadcom, IBM, Micro Focus, Phoenix Software International, and Rocket Software incorporate Zowe with new and existing products that enable integration of mainframe applications and data across the enterprise.

To date, 75 products have implemented extensions based on the Zowe framework and earned these members conformance badges

Additional Resources:

  • Zowe GitHub Repository
  • Zowe Convenience Build Download
  • Getting Started documentation site
  • Open Mainframe Project’s I am a Mainframer Podcast

About the Open Mainframe Project

The Open Mainframe Project is intended to serve as a focal point for deployment and use of Linux and Open Source in a mainframe computing environment. With a vision of Open Source on the Mainframe as the standard for enterprise class systems and applications, the project’s mission is to build community and adoption of Open Source on the mainframe by eliminating barriers to Open Source adoption on the mainframe, demonstrating the value of the mainframe on technical and business levels, and strengthening collaboration points and resources for the community to thrive. Learn more about the project at https://www.openmainframeproject.org.

About The Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see its trademark usage page: www.linuxfoundation.org/trademark-usage. Linux is a registered trademark of Linus Torvalds.

###

The post Open Mainframe Project Announces Major Technical Milestone with Zowe’s Longer Term Support V2 Release appeared first on Linux Foundation.

The post Open Mainframe Project Announces Major Technical Milestone with Zowe’s Longer Term Support V2 Release appeared first on Linux.com.

Open Source Networks in Action: How leading telcos are harnessing the power of LF Networking
https://www.linux.com/news/open-source-networks-in-action-how-leading-telcos-are-harnessing-the-power-of-lf-networking/
Thu, 14 Apr 2022 23:55:03 +0000

This post originally appeared in LF Networking’s blog

Now in its fifth year as an umbrella organization, LF Networking (LFN) and its projects enable organizations across the globe to more quickly and effectively achieve digital transformation via the community’s shared development efforts. This includes companies of all sizes and types that rely on LFN’s breadth of commercially-ready ecosystem offerings, all based on open source innovation spearheaded within the LF Networking community.

As mature LFN projects, ONAP (Open Network Automation Platform) and OpenDaylight are currently deployed as critical components in networks around the globe. Below is a sampling of specific case studies currently implemented in the real-world that are allowing organizations to transform their networks. 

  • Spark automates disaggregated network in just 6 months using ONAP. As Spark New Zealand Limited (Spark) approached 5G deployment, they started analyzing the status of automation across network and infrastructure and realized they needed an automation suite that would support future use cases that 5G could enable, such as network slicing and closed loop automation. In partnership with Infosys, Spark took a relatively short six months to go from kickoff to implementation of ONAP. More details are available here.
  • Verizon leverages OpenDaylight as its directional SDN controller. After initial work exploring OpenDaylight (ODL), Verizon decided to pull the testing, packaging, and support in-house and create their own optimized ODL distribution. ODL now serves as Verizon’s foundational and directional SDN controller with two use cases in production across the network. Verizon brings a strong developer team to the project with several employees directly participating in ODL on eleven projects. Currently, Verizon is using Yang model driven platform solutions and wants to integrate different types of data modeling technology, Open APIs, rest platforms, and more. More details are available here.
  • Deutsche Telekom deploys ONAP in O-RAN Town. In its O-RAN Town project, DT deployed in the city of Neubrandenburg a multi-vendor Open RAN trial network for 4G and 5G services with massive MIMO integrated into the live network — the first in Europe. To automate services on all network domains, DT introduced a vendor-independent Service Management and Orchestration (SMO) component based on ONAP open source. The SMO is to be at the heart of complete lifecycle management of all O-RAN components in this deployment. More details are available here.
  • Orange deploys automation framework powered by ONAP. Realizing a long-pursued goal of using ONAP, Orange has deployed and trialed an automation framework powered by ONAP. The current use case, in production in Orange Egypt, includes automating network services, network connectivity and resource management inside IP/MPLS, and configuration changes such as provisioning virtual private networks. Through this initiative, Orange has demonstrated that ONAP has reached the maturity and modularity for network operators to take combinations of ONAP projects and components from proof of concept to production. More details are available here.
  • Bell automates a significant amount of manual configuration, recovery, and provisioning work by using ONAP in production across multiple use cases. Since 2017, the use of ONAP at Bell Canada has expanded to automating numerous key network services across all business units. Moving forward, ONAP is playing a major role in 5G and multi-access edge computing (MEC) rollouts. The key metric Bell uses to measure the success of ONAP is the number of recurring manual task hours saved per month. Each project that adopts ONAP for a specific service tracks this metric. In 2019 alone, Bell saved a significant amount of recurring manual work per month as a result of using ONAP. In 2020, the team will also measure the acceleration of new services on-boarded to the platform. Currently, the on-boarding process can range from a few weeks to six months. Learn more in this detailed case study.

These are just a few examples of what is possible with open networking. Stay tuned to LF Networking channels for more industry proof points across the ecosystem and follow the LFN community journey (visit our website and follow us on Twitter)  to witness the power of open collaboration on the future of networking.

The post Open Source Networks in Action: How leading telcos are harnessing the power of LF Networking appeared first on Linux Foundation.

The post Open Source Networks in Action: How leading telcos are harnessing the power of LF Networking appeared first on Linux.com.

How to Manage Linux Endpoints with Automation https://www.linux.com/topic/linux/how-to-manage-linux-endpoints-with-automation/ Thu, 14 Apr 2022 13:24:52 +0000 https://www.linux.com/?p=584152 Endpoint security is traditionally treated separately from the broader network security plan, and usually falls under responsibility of the IT admins team rather than the security team. However, endpoints are becoming a more critical part of the extended network ecosystem as many organizations will continue encouraging remote work after the Great Office Return. The IT […]

The post How to Manage Linux Endpoints with Automation appeared first on Linux.com.

Endpoint security is traditionally treated separately from the broader network security plan, and usually falls under the responsibility of the IT admin team rather than the security team. However, endpoints are becoming a more critical part of the extended network ecosystem as many organizations will continue encouraging remote work after the Great Office Return.

The IT admin-led approach not only limits visibility and control but also makes it difficult to assess a device’s security level. Without access to vital threat intelligence, it is challenging to take the necessary automated steps in the event of a compromise. These challenges are even greater for Linux, the preferred system of many developers and DevOps-led organizations.

Stack Overflow’s 2020 developer poll projects that the number of professional developers will increase by more than 28 million by 2024. Long-term integration and automation of Linux systems and infrastructure into IT operations is therefore an even bigger priority for organizations moving forward.

Why organizations lack control and visibility over their Linux endpoint devices

Unfortunately, Linux infrastructure is not generally straightforward to automate. Without extra tooling, some administrators may face a long road to achieving their automation targets in the first place. To automate Linux systems, IT administrators must have complete control over their security and configuration settings. They must also possess the ability to monitor systems afterward to ensure everything is running smoothly.

Challenges of Linux endpoint management

Many endpoints currently connected to corporate networks are not official corporate assets. Because IT departments don’t own these devices, they can’t quickly assess or monitor them to ensure they get the updates and patches they need. This leaves the devices vulnerable to threats and makes them a largely unknown threat vector that puts the entire fleet at risk.

Another significant barrier to visibility is mobility. Endpoint devices were once considered corporate assets kept behind the corporate firewall. Users of these endpoint devices today can connect to corporate resources, access corporate data, and even work on it using a variety of applications. They don’t need to be connected to a VPN to access physical or cloud-based resources. This is becoming more common across organizations of all sizes.

These devices spend the majority of their time connected to non-corporate network resources, which significantly reduces IT visibility. According to a 2020 Ponemon Institute report titled “The Cost of Insecure Endpoints,” two-thirds of IT professionals admit to having no visibility into endpoints that connect to the network regularly when they work outside of it.

There is also the challenge of Shadow IT. Employees can easily install and run traditional and cloud-based applications on their phones and computers, and on corporate-owned assets assigned to them, without having to go through IT. If IT administrators don’t have insight into all of the programs operating on these devices, they won’t be able to verify that essential access controls are in place to mitigate threats or govern the spread of data and other business assets. Leaving compliance and security to the individual user is not ideal for Linux endpoints.

Why manage your Linux devices in real-time?

Having complete visibility over IT asset inventory for security and productivity monitoring is critical to helping identify and eliminate unauthorized devices and apps.

What should IT teams monitor in real-time? Important metrics include the number of unknown, checked-in, and total devices in the fleet, as well as the installed, outdated, and rarely used apps on those devices. IT professionals should look for a tool that keeps a constantly updated and monitored inventory of IT assets, including Linux.

Maintaining endpoint health with security controls is another advantage of managing Linux devices in real-time. Every day, numerous activities take place at an endpoint. It is critical to keep an eye on everything, including suspicious activity.

IT practitioners need a tool that conducts regular endpoint health checks, enforces firewall policies, quarantines or isolates unnecessary devices, kills rogue processes and services, hardens system configurations, and performs remote system tune-ups and disk clean-ups. This helps identify and eliminate unauthorized devices and applications.

Otherwise, allowing any random device or application onto the network will gouge a hole in IT security and employee productivity. That’s why disabling or blocking unauthorized devices and programs from entering your network is critical.

Moreover, continuous monitoring and remediation must be enabled. Continuous monitoring of your endpoints requires security tasks to be executed periodically. Chef Desktop helps achieve this without worrying about connectivity and maintenance issues, and helps ensure that endpoints remain in the desired state.

Conclusion

Long-term integration of Linux systems and infrastructure into IT operations is common in organizations that have them. Continuous monitoring of endpoints requires security tasks to be executed even remotely, without relying on physical access to devices. IT administrators must have complete control over their security and configuration settings to automate Linux systems, as well as the ability to monitor systems after the fact to ensure everything runs smoothly.

IT managers must reduce costs and optimize time by moving away from manual processes. Instead, they should configure the entire Linux fleet in a consistent, policy-driven manner. This boosts efficiency and productivity while maintaining detailed visibility into the overall status of the Linux and desktop fleet. Easy-to-implement configuration management capabilities can assist IT teams in managing and overcoming some of the challenges they face when managing large Linux laptop fleets.

Sudeep Charles

AUTHOR BIO

Sudeep Charles is a Senior Manager, Product Marketing at Progress. Over a career spanning close to two decades, he has held various roles in product development, product marketing, and business development for application development, cybersecurity, fintech and telecom enterprises. Sudeep holds a Bachelor’s degree in Engineering and a Master’s in Business Administration. 

The Linux Foundation and Google Cloud Launch Nephio to Enable and Simplify Cloud Native Automation of Telecom Network Functions https://www.linux.com/news/the-linux-foundation-and-google-cloud-launch-nephio-to-enable-and-simplify-cloud-native-automation-of-telecom-network-functions/ Wed, 13 Apr 2022 01:30:00 +0000 http://www.linux.com/news/the-linux-foundation-and-google-cloud-launch-nephio-to-enable-and-simplify-cloud-native-automation-of-telecom-network-functions/ New Open Source Project at the Linux Foundation brings Cloud, Telecom and Network functions providers together in a Kubernetes world  San Francisco—April 12, 2022  Today, the Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the formation of project Nephio in partnership with Google Cloud and leaders across the telecommunications industry. The […]

The post The Linux Foundation and Google Cloud Launch Nephio to Enable and Simplify Cloud Native Automation of Telecom Network Functions appeared first on Linux.com.

New Open Source Project at the Linux Foundation brings Cloud, Telecom and Network functions providers together in a Kubernetes world 

San Francisco—April 12, 2022  Today, the Linux Foundation, the nonprofit organization enabling mass innovation through open source, announced the formation of project Nephio in partnership with Google Cloud and leaders across the telecommunications industry. The Linux Foundation provides a venue for continued ecosystem, developer growth and diversity, as well as collaboration across the open source ecosystems.

Building, managing and deploying scalable 5G networks across multiple edge locations is complex. The Telco industry needs true cloud-native automation to be faster, simpler and easier, while achieving agility and optimization in cloud-based deployments. To address these challenges, Google Cloud and the Linux Foundation have founded “Nephio.” The project has support from several founding organizations, including service providers Airtel, Bell Canada, Elisa, Equinix, Jio, Orange, Rakuten Mobile, TIM, TELUS, Vapor IO, Virgin Media O2 and WINDTRE, as well as network function, service and infrastructure vendors Aarna Networks, ARM, Casa-systems, DZS, Ericsson, F5, Intel, Juniper, Mavenir, Nokia, Parallel Wireless and VMware.

Cloud Native Principles have come a long way and as we see Cloud Service Providers collaborating with Telecom Service Providers and Enterprises, a new way of simplifying automation of network functions is emerging. 

Nephio aims to deliver carrier-grade, simple, open, Kubernetes-based cloud native intent automation and common automation templates that materially simplify the deployment and management of multi-vendor cloud infrastructure and network functions across large scale edge deployments. 

Additionally, Nephio will enable faster onboarding of network functions to production including provisioning of underlying cloud infrastructure with a true cloud native approach, and reduce costs of adoption of cloud and network infrastructure.

Google Cloud

“Telecommunication companies are looking for new solutions for managing their cloud ready and cloud native infrastructures as well as their 5G networks to achieve the scale, efficiency, and high reliability needed to operate more cost effectively,” said Amol Phadke, managing director, Telecom Industry Products & Solutions, Google Cloud. “We look forward to working alongside The Linux Foundation, and our partners, in the creation of Nephio to set an industry open standard for Kubernetes-based intent automation that will result in faster and better connected cloud-native networks of the future.” 

Linux Foundation 

“Collaboration across Telecom and Cloud Service Providers is accelerating and we are excited to bring Nephio to the open source community,” said Arpit Joshipura, GM Networking, Edge & IOT, The Linux Foundation, “As end users demand end to end open source solutions, projects like Nephio complement the innovation across LFN, CNCF, LF Edge for faster deployment of telecom network functions in a cloud-native world.” 

More information about Nephio is available at www.nephio.org

Service Providers

Airtel

“Zero touch deployment, configuration and operations of network functions predominantly on the edge of the network and in multi-cloud and multi-vendor scenarios is a significant challenge for all operators across the globe. A cloud-native orchestration and automation approach is the absolute need of the hour. Airtel is looking forward to being part of the LF and Google initiative to develop innovative solutions to simplify network operations,” said Manish Gangey, SVP and Head – R&D, Bharti Airtel.

Bell

“Similar to our early participation in the Linux Foundation ONAP initiative, Bell Canada is thrilled to collaborate in this next chapter of Telco softwarization,” said Petri Lyytikainen, VP Network, Bell Canada. “With innovations like 5G, ORAN and a new era of distributed cloud computing, Nephio and its community will be key in accelerating network and infrastructure automation towards a true cloud-native and intent-driven approach. This important work will help drive the evolution of network technology that will benefit Bell customers and the telecoms industry in Canada for years to come.”

Elisa   

“Elisa has a long history of network automation and cloud services. That has been utilized by the leading network analytics and automation solution provider Elisa Polystar,” said Anssi Okkonen, CEO of Elisa Polystar. “We are looking forward to working together with Linux Foundation, Google Cloud and Nephio community to enable new cloud-native automation solutions for building the tools for self-driving networks.” 

Equinix

“We believe in innovation through collaboration and are pleased to join the Nephio project to help build advanced digital infrastructure orchestration capabilities for telco (5G) cloud native network functions,” said Justin Dustzadeh, CTO at Equinix. “We look forward to collaborating with the developer community and members of the Nephio project to make it easier for developers to manage distributed infrastructure and help businesses drive digital transformation.”

Jio

“Jio is excited to be part of the Nephio initiative. At a time when 5G Standalone deployments are rapidly coming on-stream globally, Nephio will play a pivotal role in the journey of telcos towards adopting a cloud native 5G Network,” said Aayush Bhatnagar, SVP, Jio. 

Orange

“For telecom operators, Cloud Native technologies will unleash many new opportunities. By providing a cloud native intent automation framework, Nephio should play a key role in the telecommunications ecosystem by enabling on-demand connectivity and zero touch operator capabilities, thus benefiting the entire industry, developers, vendors, integrators, operators,” said Laurent Leboucher, group CTO and SVP, Orange Innovation Networks.

Rakuten Mobile

“The telecommunications industry is undergoing transformative change, with cloud native technologies bringing the industry into the modern era. When building Rakuten Mobile’s cloud native network in Japan, we understood the challenges of an open ecosystem and also realized the many benefits of cloud architecture, including automation, zero-touch provisioning and unprecedented agility. We’re excited to join Nephio in working to reimagine what telecommunications can be in the cloud era,” commented Sharad Sriwastawa, CTO, Rakuten Mobile.

TIM

“We believe that the adoption of Cloud Native technology and philosophy will represent a cornerstone for the future of telecommunications, merging the world of cloud services and the world of telco services into one single digital platform. The automation framework is probably the most sensitive and strategic part of this platform that will be able to stimulate innovation during coming years,” said Crescenzo Micheli, VP Technology & Innovation at Telecom Italia (TIM). “We believe the Nephio project could play a fundamental role to speed up this process.” 

TELUS

“TELUS is excited to be contributing to this Linux Foundation project. Innovation and collaboration have been a life-long journey for us; accelerating the adoption of Cloud Native technologies is a must to meet our customers’ ever-changing expectations,” said Ibrahim Gedeon, CTO at TELUS. “We are excited to build on our 10-year strategic partnership with Google Cloud and collaborate with the Linux Foundation. Together we will maximize the scalability and agility of our global-leading network, simplifying and rethinking the operating digital models of our customers while building a better future for all Canadians and globally. This cannot be more true than with 5G and fiberizing the world as we enter a new era of hyper-connectivity. Combining high speeds, bandwidth and reliability with cloud computing and automation will transform the way we operate, enabling solutions like smart cities and connected cars and transforming key verticals across agriculture, healthcare and manufacturing.”

Vapor IO

“Nephio depends on critical underlying infrastructure like Vapor IO’s Kinetic Grid to automate the deployment of carrier-grade network functions,” said Cole Crawford, founder & CEO of Vapor IO. “Automating at-scale operations across multiple clouds is a complicated task. We applaud Google for selecting the Linux Foundation for bringing these capabilities to market via an open source platform. This could be a watershed moment in the telecom industry, transforming historically complicated network deployments and operations into cloud-native workflows with high degrees of automation. This will lower the cost of 5G deployments and increase the overall competitiveness of the telecom industry.”

Virgin Media O2

“We are continually looking at improving and evolving our automation strategies, especially around Kubernetes.  We are incredibly motivated to work closely with the Linux Foundation and Nephio toward network automation and the process of using software to automate network and security provisioning and management to maximize network efficiency and functionality continuously,” said Paul Greaves, head of Automation and Orchestration Virgin Media O2.

WINDTRE

“Cloudnative platforms are an essential offering for accelerating the enterprises’ digitization journey plans over the next few years. Nephio, the new automation model based on Kubernetes, is the step to support the evolution of 5G networks and the edge infrastructures for dynamic services. We are pleased to be part of the Nephio community,” said Massimo Motta, Architecture and governance director of WINDTRE.

Network Function, Service and Infrastructure Vendors

Aarna Networks

“We actively utilize and contribute back to Linux Foundation Networking projects to help customers simplify the orchestration, lifecycle management, and automated service assurance of 5G networks and edge computing applications,” said Amar Kapadia, co-founder and CEO, Aarna Networks. “Similarly, we look forward to collaborating on the Nephio project to simplify numerous platform, infrastructure, and network pain points of 5G and edge deployments.” 

Arm

“5G is expected to be the fastest-deployed mobile technology in history, but only if we can remove the barriers to efficient large-scale deployment. The founding of Nephio brings the benefits of cloud native technology to 5G networks, improving operational agility and reducing deployment costs so that we can economically meet the surge in connectivity demand,” said Eddie Ramirez, VP, Infrastructure Line of Business, Arm.

Casa Systems 

“Next-generation networks require the flexibility and agility of the cloud at the network edge. We are pleased to be working with the Linux Foundation, Google and the broader community of partners on the Nephio initiative to develop industry standards for cloud-native, Kubernetes-based automation and orchestration solutions that will enable tomorrow’s all-connected world,” said Gibson Ang, vice president of Technology and Product Management, Casa Systems.

DZS

“As an advocate of open standards-based solutions for the network edge, DZS enthusiastically supports this joint initiative with the Linux Foundation and Google. We look forward to collaborating with global converged carrier customers of DZS and other ecosystem partners on the Nephio project as we usher in a new era of connectivity by addressing the industry demand for multi-domain, software-driven automation and orchestration across distributed cloud-native networks for 5G and beyond,” said Andrew Bender, CTO, DZS. 

Ericsson

“The openness and flexibility of the 5G cloud native architecture brings significant opportunities for CSPs to expand existing business as well as building new business for enterprise customers. For CSPs to scale the business, simplification and automation of lifecycle and workload management across hybrid and multi cloud environments is key,” said Anders Vestergren, head of strategy portfolio and technology, Business Area Digital Services, Ericsson. “We look forward to collaborating with other industry leaders as part of the Nephio project to enhance Kubernetes with an industry-standard automation framework for cloud native deployments.”

F5 

“F5 has been partnering with many service providers in their transformation journey building and operating cloud-native infrastructure for 5G, with special focus on scaling and securing telco protocols and workloads. We are excited to join the Linux Foundation and the Nephio project to help accelerate our customers’ digital initiatives,” said Ankur Singla, SVP, GM, Distributed Cloud Services, F5.

Intel 

“Innovation at the edge is the next frontier of business opportunity. Nephio is a ground-breaking step to provide Cloud Service Providers with a carrier-grade, open, and extensible Kubernetes-based cloud-native automation framework, and common automation templates that simplify large scale edge deployment. We are pleased to be working in collaboration with the Linux Foundation and broader Nephio community to help simplify edge automation,” said Rajesh Gadiyar, VP and CTO, Network Platforms Group at Intel.

Juniper

“Kubernetes-centric automation, leveraging cloud native principles, is an integral part of Juniper Networks’ experience-first networking strategy. We are therefore excited to join the Nephio project at the Linux Foundation as a founding partner, continuing Juniper’s long-standing tradition as a major supporter of and active contributor to the open source community. We look forward to working with other leading technology companies and mobile operators, as well as the broader Kubernetes open source community, to ensure that Nephio helps to advance cloud native automation at scale, for the benefit of all,” said Constantine Polychronopoulos, VP of 5G & Telco Cloud at Juniper Networks.

Mavenir

“Network automation is a key driver for Telco network cloudification. A Kubernetes native automation framework with proven success in other vertical applications automation is promising for the Telco space. We are pleased to be part of the Google/Linux Foundation initiative to accelerate this move on the public cloud and look forward to collaborating with the Nephio community,” said Bejoy Pankajakshan, CTSO of Mavenir.

Nokia

“Nokia has always led in the drive to deliver open cloud-based networks and services that usher new value and possibilities of customer experience that fuel revenue growth for everyone. Automation of deployment, configuration and operations of network functions, that work seamlessly in a complex multi-cloud and multi-vendor network environment, are key to achieving the above goals. Nokia is pleased to join its customers and partners in a collaboration to co-innovate on the ‘democratic’ building blocks for the right tools of tomorrow’s networks,” said Jitin Bhandari, CTO, Cloud and Network Services, Nokia.

Parallel Wireless

Steve Papa, CEO, Parallel Wireless, said, “Parallel Wireless is cloudifying 2G 3G 4G and 5G Open RAN and the Google/Linux Foundation initiative cloud-native architecture will allow fast deployment of RAN services on site, fast and fault-proofed upgrades and scalability — where resources can be scaled in an instant based on the end-user needs. Parallel Wireless is proud to join this initiative to help mobile operators modernize their networks via cloudification and bring innovation and cost savings.”

VMware

Lakshmi Mandyam, vice president of product management and partner ecosystems, Service Provider & Edge, VMware, said, “CSPs are embracing multi-cloud to create revenue-accelerating services, reduce operational costs and simplify network operations.  VMware’s vision for CSPs enables a cloud-first approach to management and orchestration across the core, RAN and edge, aligning with the goals of the Linux Foundation and Nephio project. We look forward to contributing to this initiative that will foster a multi-vendor ecosystem and support faster on-boarding, automation and life-cycle management for cloud-native networks.”

About Nephio

Nephio’s goal is to deliver carrier-grade, simple, open, Kubernetes-based cloud-native intent automation and common automation templates that materially simplify the deployment and management of multi-vendor cloud infrastructure and network functions across large scale edge deployments. Nephio enables faster onboarding of network functions to production including provisioning of underlying cloud infrastructure with a true cloud native approach, and reduces costs of adoption of cloud and network infrastructure. More information can be found at www.nephio.org.

About the Linux Foundation

The Linux Foundation is the organization of choice for the world’s top developers and companies to build ecosystems that accelerate open technology development and commercial adoption. Together with the worldwide open source community, it is solving the hardest technology problems by creating the largest shared technology investment in history. Founded in 2000, The Linux Foundation today provides tools, training and events to scale any open source project, which together deliver an economic impact not achievable by any one company. More information can be found at www.linuxfoundation.org.

#####

The post The Linux Foundation and Google Cloud Launch Nephio to Enable and Simplify Cloud Native Automation of Telecom Network Functions appeared first on Linux Foundation.

SBOMs Supporting Safety Critical Software https://www.linux.com/news/sboms-supporting-safety-critical-software/ Mon, 21 Mar 2022 21:13:40 +0000 https://www.linux.com/?p=583984 A software bill of materials (SBOM) is a way of summarizing key facts about the software on a system.  At the heart of it, it describes the set of software components and the dependency relationships between these components that are connected together to make up a system. Modern software today consists of modular components that […]

The post SBOMs Supporting Safety Critical Software appeared first on Linux.com.

A software bill of materials (SBOM) is a way of summarizing key facts about the software on a system.  At the heart of it, it describes the set of software components and the dependency relationships between these components that are connected together to make up a system.

Modern software today consists of modular components that get reused in different configurations. Components can consist of open source libraries, source code or other external, third-party developed software. This reuse lets innovation of new functionality flourish, especially as a large percentage of those components being connected together to form a system may be open source. Each of these components may have different limitations, support infrastructure, and quality levels. Some components may be obsolete versions with known defects or vulnerabilities.  When software runs a critical safety system, such as life support, traffic control, fire suppression, chemical application, etc., being able to have full transparency about what software is part of a system is an essential first step for being able to do effective analysis for safety claims.  

Why is this important?

When a system incorporates functionality that could have serious consequences for a person’s well-being or cause significant loss, the details matter. The level of transparency and traceability may need to be at different levels of detail based on the seriousness of the consequences.

Image: software lifecycle and bill of materials assembly line infographic (Source: NTIA’s Survey of Existing SBOM Formats and Standards)

What does this have to do with Safety Critical Development? 

Safety standards, and the claims necessarily made against them, come in a variety of different forms. The safety standards themselves mostly vary according to the industry that they target: Automotive uses ISO 26262, Aviation uses DO 178C for software and DO 254 for hardware, Industrial uses IEC 61508 or ISO 13849, Agriculture uses ISO 25119, and so on. From a software perspective, all of these standards work from the same premise that the full details of all software are known: the software should be developed according to a software quality perspective, with additional measures added for safety. In some instances these additional safety measures come in the form of a software FMEA (Failure Modes and Effects Analysis), but in all of them there are specific code coverage metrics to demonstrate that as much of the code as possible has been tested and that the code complies with the requirements.

Another item that all safety standards have in common is the expectation that the system configuration is going to be managed as part of any product release.  Configuration management (CM) is an inherent expectation in software already, but with safety this becomes even more crucial because of the need to track exactly what the configuration of a system (and its software) is if there is a subsequent incident in the field while the system is being used.  From a software perspective, this means we need several things:

  • The source code at the time of release
  • The documentation associated with it
  • The configuration used to build the software
  • The specific versions of the tools used to build the software

The goal, then, is to be able to rebuild exactly what the executable or binary was at the time of release.

From the above, it is inherently obvious how the SBOM fits into the need for CM.  The safety standards CM requirements, from a source code and configuration standpoint, are greatly simplified by following an effective SBOM process. An SBOM supports capturing the details of what is in a specific release and supports determining what went wrong if a failure occurs.

Because software often relies upon reusable software components written by someone other than the author of the main system/application, the safety standards also have a specific expectation and a given set of criteria for software that you end up including in your final product. This can be something as simple as a run-time library of functions, or something as extensive as middleware that manages communication between components. While the safety standards do not always require that the included software be developed in accordance with a safety standard, there are still expectations that you can prove the software was developed at least in compliance with a quality management framework, such that you can demonstrate that the software fulfills its requirements. This is still predicated on the condition that you know all of the details about the software component and that it fulfills its intended purpose.

The included software components can be from:

  • Third parties
  • Existing SW not developed according to a safety standard
  • Internally developed software already in use

Regardless of the source or current usage of the software, the SBOM should describe all of the included software in the release.

To this end, the safety standards expect that the following is available for each software component included in your project:

  • Unique ID, something to uniquely identify the version of the software you are using.  Variations in releases make it important to be able to distinguish the exact version you are using.  The unique ID could be as simple as using the hash from a configuration management tool, so that you know whether it has changed.  
  • Any safety requirements that might be violated if the included software performs incorrectly.  This is specifically looking for failures in the included software that can cause the safety function to perform incorrectly.  (This is referred to as a cascading failure.)
  • Requirements for the software component
    • This should include the results of any testing to demonstrate requirements coverage
    • Coverage for nominal operating conditions and behavior in the case of failure
    • For highly safety critical requirements, test coverage should be in accordance with what the specification expects (e.g., Modified Condition/Decision Coverage (MC/DC) level code coverage)
  • The intended use of the software component
  • The component’s build configuration (how it was built so that it can be duplicated in the future)
  • Any required and provided interfaces and shared resources used by the software component.  A component can add demand for system-level resources that might not be accounted for.
  • Application manual (documentation)
  • Instructions on how to integrate the software component correctly and invoke it properly
  • What the software might do under anomalous operating conditions (e.g., low memory or low available CPU)
  • Any chained dependencies that a component may require
  • Any existing bugs and their workarounds

Conclusion

At a minimum, the SBOM describes the software component, supplier and version number, with an enumeration of the included dependent components.  This is what is being called for in the minimum viable definition of an SBOM to support cyber security[1] or safety critical software[2].   

Having a minimum level of information, while better than nothing, is not sufficient for the level of analysis that safety claims expect.   Knowing exactly which source files were included in the build is a better starting point.   Better still is knowing the configuration options that were used to create the image (and being able to reproduce it).   Being able to check, via some form of integrity check (like a hash), that the built components have not changed is key to having a sound foundation for the safety case.   SBOMs need to scale from the minimum to the level of detail necessary to satisfy the safety analysis.   
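The per-component expectations listed above (unique ID, supplier and version, intended use, build configuration, chained dependencies) and the integrity check the conclusion calls for can be captured in a small SPDX 2.2 tag-value document. The following is an added example, not code from the article, from the SPDX project, or from any SBOM tool: it renders two constructed components (a "brake-ctrl" package and a "libc-rt" run-time it depends on) into SPDX tag-value text, records an SPDX package verification code (SHA-1 over the sorted per-file SHA-1 digests) as the unique, change-sensitive ID, and then re-reads that code from the document to detect a changed, added, or removed file. The file contents, component names, supplier names, namespace URL, tool name and timestamp are all made up for the example.

```python
"""Minimal SPDX 2.2 tag-value SBOM generator plus an integrity re-check.
Added example; the build tree, names, namespace and timestamp are constructed."""
import hashlib
from dataclasses import dataclass, field

# Constructed sample build inputs (path -> contents).  The build configuration
# is included so the SBOM records how the component was built.
BRAKE_FILES = {
    "src/brake_ctrl.c": b"int brake_ctrl(int d) { return d > 100 ? 100 : d; }\n",
    "src/brake_ctrl.h": b"int brake_ctrl(int d);\n",
    "config/build.cfg": b"CFLAGS=-O2 -Wall\nTARGET=arm-none-eabi\n",
}
RT_FILES = {"rt/rt_init.c": b"void rt_init(void) { }\n"}


@dataclass
class Component:
    name: str
    version: str
    supplier: str
    files: dict                                      # path -> bytes fed to the build
    intended_use: str = "NOASSERTION"
    depends_on: list = field(default_factory=list)   # names of other Components


def safe_name(text: str) -> str:
    # SPDX identifiers may contain only letters, digits, '.' and '-'.
    return "".join(c if c.isalnum() or c in ".-" else "-" for c in text)


def verification_code(files: dict) -> str:
    """SPDX package verification code: SHA-1 over the ascending-sorted per-file
    SHA-1 hex digests concatenated without separators.  Any changed, added or
    removed file yields a different code."""
    digests = sorted(hashlib.sha1(data).hexdigest() for data in files.values())
    return hashlib.sha1("".join(digests).encode("ascii")).hexdigest()


def render_sbom(components, doc_name, namespace, created) -> str:
    """Render the components as SPDX 2.2 tag-value text.  The first component
    is the released product the document DESCRIBES."""
    top = f"SPDXRef-Package-{safe_name(components[0].name)}"
    lines = [
        "SPDXVersion: SPDX-2.2",
        "DataLicense: CC0-1.0",
        "SPDXID: SPDXRef-DOCUMENT",
        f"DocumentName: {doc_name}",
        f"DocumentNamespace: {namespace}",
        "Creator: Tool: example-sbom-generator-0.1",   # hypothetical tool name
        f"Created: {created}",
        f"Relationship: SPDXRef-DOCUMENT DESCRIBES {top}",
        "",
    ]
    for comp in components:
        pkg = f"SPDXRef-Package-{safe_name(comp.name)}"
        lines += [
            f"PackageName: {comp.name}",
            f"SPDXID: {pkg}",
            f"PackageVersion: {comp.version}",
            f"PackageSupplier: Organization: {comp.supplier}",
            "PackageDownloadLocation: NOASSERTION",
            "FilesAnalyzed: true",
            f"PackageVerificationCode: {verification_code(comp.files)}",
            f"PackageComment: <text>Intended use: {comp.intended_use}</text>",
        ]
        for dep in comp.depends_on:   # chained dependencies
            lines.append(f"Relationship: {pkg} DEPENDS_ON SPDXRef-Package-{safe_name(dep)}")
        for path, data in sorted(comp.files.items()):
            lines += [
                f"FileName: ./{path}",
                f"SPDXID: SPDXRef-File-{safe_name(path)}",
                f"FileChecksum: SHA1: {hashlib.sha1(data).hexdigest()}",
                f"FileChecksum: SHA256: {hashlib.sha256(data).hexdigest()}",
            ]
        lines.append("")
    return "\n".join(lines)


def recorded_verification_code(sbom_text: str, package_name: str):
    """Read back the verification code the SBOM recorded for one package."""
    current = None
    for line in sbom_text.splitlines():
        if line.startswith("PackageName: "):
            current = line[len("PackageName: "):]
        elif line.startswith("PackageVerificationCode: ") and current == package_name:
            return line[len("PackageVerificationCode: "):]
    return None


def verify_component(sbom_text: str, package_name: str, current_files: dict) -> bool:
    """Integrity check: do the files in the build now still match the SBOM?"""
    return recorded_verification_code(sbom_text, package_name) == verification_code(current_files)


def build_example_sbom() -> str:
    brake = Component("brake-ctrl", "1.4.2", "Example Automotive Ltd", BRAKE_FILES,
                      intended_use="limits brake demand from the pedal sensor",
                      depends_on=["libc-rt"])
    libc_rt = Component("libc-rt", "3.0.0", "Example Runtime Vendor", RT_FILES)
    return render_sbom([brake, libc_rt], "brake-ctrl-release",
                       "https://example.invalid/spdx/brake-ctrl-1.4.2",   # placeholder namespace
                       "2024-01-01T00:00:00Z")                            # constructed timestamp


if __name__ == "__main__":
    sbom = build_example_sbom()
    print(sbom)
    print("unchanged build verifies:", verify_component(sbom, "brake-ctrl", BRAKE_FILES))
```

The verification code is deliberately computed over the exact files that were fed to the build, including the build configuration, so a changed compiler flag is detected just like a changed source file. Real tooling would also record licence fields and the CONTAINS relationships that this example omits for brevity.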

While SBOM tooling may not be able to populate all of this information today, the tools are continuing to evolve so that the facts necessary to support safety analysis can be made available.   An international open SBOM standard, like SPDX[3], can become the baseline for modern configuration management and effective documentation of safety critical systems.

[1] The Minimum Elements For a Software Bill of Materials (SBOM) from NTIA

[2] ISO 26262:2018, Part 8, Clause 12 – Qualification of Software Components 

[3] ISO/IEC 5962:2021 – Information technology — SPDX® Specification V2.2.1

Authors

Peter Brink, Functional Safety Engineering Leader, kVA by UL, Underwriters Laboratories (UL)

Kate Stewart, VP Dependable Embedded Systems, The Linux Foundation

The post SBOMs Supporting Safety Critical Software appeared first on Linux.com.