OpenSUSE 10.1 — Novell’s attempt to keep a general-purpose version of its Linux freely available to the open source community — is both aided by and suffers from the lack of attention from Novell.
In our tests of OpenSUSE, we found several items that made this version feel more like a set of experiments than a coherent project with which the public should try to work seriously. For example, Xen, new server virtualisation software, was especially frustrating to use, and AppArmor, a tool that’s supposed to help lock down applications running on the OpenSUSE machine, was more like a puzzle than a working security application.
In most ways, OpenSUSE is to Novell what Fedora Core is to Red Hat. Both are community versions of their commercial cousins. Ostensibly, these versions receive contributions as hand-me-downs from the commercial releases and aren’t supported by the shipping vendor except via community IRCs and forums. So far, these community versions are similar to the commercial versions, although Novell says there are commercial version-specific improvements to the kernel, device drivers and other components. We did find that the kernel for the SUSE Linux Enterprise Server (SLES) performed slightly better in our performance tests.
We can also verify that the commercial update services provided by Novell are quite good and nearly manic in their constant issuance of updates. In addition, Novell has taken pains to make sure that all of the applications shipped with the commercial version work well together. It has also harmonised a patch/update schedule that takes into account the interdependence of the applications.
Novell does offer OpenSUSE in CD/DVD form (for a US$60 fee) with documentation and 90 days of free installation support. The support is scant but better than none at all.
Overall, our tests showed that OS 10 is a solidly built generic version of Linux that can be used for a wide variety of purposes, including LAMP, file/print services, and DNS/NFS/SAMBA-related exercises. The open source applications providing the underlying services are quite up-to-date, we found, but there are some minor security issues that will warrant user attention (for example, weak passwords, too many initial services turned on and light encryption).
The primary administration tool for OpenSUSE is the open sourced YaST (Yet another System Tool), and it does a good job of aiding administrators in both set-up and use of OpenSUSE.
YaST combines features of Windows-like functionality as represented by Windows Control Panel and the Microsoft Management Console, although there are no add-in widgets available for YaST. Our one complaint is that there are a number of repetitive controls where applications are listed under two categories. Often YaST is used to feed user selections to command-line tools, which then execute a change that’s been chosen. This sometimes produces strange delays in the responsiveness of the tool, as it depends on the actions of other programs rather than directly manipulating functions. As an example, changing screen resolution can have lots of odd latency.
We attempted to use the highly touted Xen server session-building software that uses a para-virtualisation scheme to host SUSE (or other Xen-compatible/modifiable operating systems) in mostly autonomous sessions. This process requires building a hypervisor, an application that’s tuned to the host hardware and serves as the microkernel there. It is subsequently used to launch a modified SUSE operating system on the host computer. This modified operating system has been compiled with Xen changes and is termed “Xen-ified”.
There were script errors (which Novell knows about and which have likely been fixed since our testing) that prevented us from installing Xen sessions on OpenSUSE. We fixed the scripts and still had difficulty getting more than two instances of Xen-hosted sessions moving, either on the 32- or 64-bit OpenSUSE kernels. Xen promises to run even Windows kernels eventually, but it may take a while for this all to arrive, as indicated by our lack of success with the OpenSUSE implementation. We found that most (but not all) of the scripting difficulties with Xen have been fixed in SLES10. OpenSUSE has a number of community-offered fixes for the scripting problems, but there is no official methodology yet. We advise users to turn to XenSource.com and study OpenSUSE’s website resources for ongoing resource fulfillment should they choose to use Xen.
AppArmor is designed to provide security at the application level. It uses policies to control how an application can be accessed and how it relates to other components recorded in the operating system’s permissions profiles. It not only prevents applications from doing purposeful damage but can also limit the damage that these applications can do to a host operating system.
Novell provides quite a few profiles with the OpenSUSE bundle. We tested several, both using built-in policy profiles and building custom policies. A moderately high level of expertise is needed to make applications protected with AppArmor both safe and usable.
Overall, we feel that AppArmor in OpenSUSE is an experimental tool, which we found does quite well if one is intricately familiar with Linux or Unix derivatives. If one isn’t, it’s easy to unwittingly do harm to an application’s ability to function at the most basic levels, even preventing it from communicating with users or such services as printing or data file access.
Security, as a whole, after initial installation is a bit dicey. Like SLES10, OpenSUSE can have weak root passwords, and it uses the Blowfish algorithm for encryption when MD5 is available and would have made a better default. However, such individual applications as SSH and Apache of OpenSUSE were up to snuff in terms of configuration defaults and versions.
As the kernels are very similar — and our benchmark, LMBench3, tests kernel and device/driver functionality — we did not expect to see any major performance improvements in OpenSUSE over prior versions. OpenSUSE performed similarly to SUSE 9.3, although we saw dramatic improvements in inter-process communications in the new version — especially in the 64-bit kernel rendition.
Speeds between OpenSUSE 10 and SLES 10 were almost identical as the kernels between the two are similar, and the device drivers we used in our benchmark were identical.
Community-supported Linux distributions, while often released and then neglected by vendor sponsors, fulfil a vendor’s obligation to release source code and otherwise contribute to the free nature of open source software. Novell’s OpenSUSE 10.1 has many advantages and apps going for it, but when it gets sophisticated, it falls down and begs for more mature application development. That said, it is solid at its core.
Henderson is principal researcher and Szenes is a researcher at ExtremeLabs. They can be reached at email@example.com and firstname.lastname@example.org. Thayer is an independent security consultant. He can be reached at email@example.com.
Net Results for SUSE Linux
Cost: Free, or US$60 for a bundled version with 90 days installation support
Pros: Solid core services; well-constructed administrative interface.
Cons: Xen virtualisation software needs work; AppArmor application security tool needs automation and instrumentation.
Installation/compatibility (25%) 4.5
Administration (25%) 3.5
Security (25%) 3.0
Performance (25%) 4.0
How we did it
We tested OpenSUSE 10.1 on a gigabit network with notebooks (Toshiba Satellite with AMD CPU; HP with 64-bit CPU; Apple PowerBook G4), desktops (Compaq Presario SR1020NX and others), and on several server platforms (HP DL140 3GHz Xeon 32-bit CPU; Polywell dual AMD Athlon 64-bit CPUs and others) for hardware compatibility, installation driver support and operation of hardware post-installation.
We ran LMBench3 on the HP DL140 machines (32-bit) and the Polywell (64-bit) for benchmarks. We noted any incompatibilities (none noteworthy), and tested numerous operating-system clients against these server implementations, including the HP DL140 as a 32-bit kernel sample and the Polywell 2200s as a 64-bit kernel sample.
We tested numerous CardBus adapters (Flash drives, wi-fi NICs) for compatibility, but did not test Bluetooth, as we lacked suitable drivers.