cron.weekly Issue #24: Badlock, Linux Scheduler, Fedora 24, Gitlint, pfSense, monitoring, Docker & more!
April 17, 2016 - Mattias Geniar
Welcome to cron.weekly issue #24 for Sunday, April 17th 2016.
If you want to help promote a job opportunity, an interesting blogpost or have a new product you’re launching, you can have a look at the advertising options for cron.weekly. In the spirit of open source, everything is done via an issue tracker and is in the open, for everyone to see.
No secrets. Pure open source. All on GitHub.
I hope you enjoy today’s edition! Plenty of reading material as usual. Let’s hope it rains so we all have an excuse to stay indoors and hug our computer screens.
A rather serious vulnerability was discovered in Samba, which could lead to your Active Directory backend getting compromised. There was a lot of hype towards this vulnerability as several weeks in advance the site badlock.org was created: a dedicated site + logo + vulnerability name. While the vulnerability is still serious, it’s less serious than was previously assumed.
An interesting view on one of Linux's core behaviours: how it handles file writes. Especially the fact that most writes are buffered in RAM for an indefinite period of time causes concern, as it's hard to determine whether a write actually reached the disk.
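The usual way to close that gap is to flush explicitly: fsync() the file, rename it into place, then fsync() the directory so the new entry is durable too. The helper below is an added illustration written for this issue, not code from the linked article; the file name and JSON contents are constructed sample data.

```python
import os
import tempfile


def durable_write(path: str, data: bytes) -> int:
    """Write data to path so that it is on disk, not just in the page cache.

    A plain write() returns as soon as the bytes sit in RAM; the kernel
    flushes them at some later, unspecified time. Three steps close that
    gap: fsync() the file, rename() it into place, fsync() the directory.
    Returns the number of bytes written.
    """
    directory = os.path.dirname(os.path.abspath(path))
    # Temporary file in the same directory, so rename() is an atomic
    # same-filesystem replacement rather than a cross-device copy.
    fd, tmp_path = tempfile.mkstemp(dir=directory, prefix=".tmp-")
    try:
        with os.fdopen(fd, "wb") as f:
            written = f.write(data)
            f.flush()               # Python buffer -> kernel page cache
            os.fsync(f.fileno())    # page cache -> storage device
        os.replace(tmp_path, path)  # atomically swap in the new contents
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    # The rename only updated the directory in RAM; fsync the directory
    # so the new entry survives a crash as well.
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)
    return written


def demo() -> tuple:
    """Write, overwrite and read back a file in a fresh temp directory.

    Returns (bytes_written_first, bytes_written_second, final_contents,
    leftover_temp_files) so a caller can check the result.
    """
    workdir = tempfile.mkdtemp(prefix="durable-")   # constructed sample dir
    target = os.path.join(workdir, "state.json")
    first = durable_write(target, b'{"version": 1}')
    second = durable_write(target, b'{"version": 2}')
    with open(target, "rb") as f:
        contents = f.read()
    leftovers = [n for n in os.listdir(workdir) if n.startswith(".tmp-")]
    return first, second, contents, leftovers


if __name__ == "__main__":
    print(demo())
```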
Scheduling, as in dividing CPU cycles among threads, was thought to be a solved problem. This paper finds several bugs in Linux's implementation, causing runnable threads to be stuck in runqueues for seconds while there are idle cores in the system. Let's hope the proposed fixes and conclusions make it into the mainline kernel soon.
Intel's Skylake chips are the latest CPUs offered by Intel. However, it seems they don't quite work the full 100% on the latest Linux kernels: the power saving options, used to preserve battery life, don't work yet. In fact, Linux is running in a configuration that Intel implies may trigger premature failure.
A botnet that enslaved about 4,000 Linux computers and caused them to blast the Internet with spam for more than a year has finally been shut down.
Tools & Projects
Gitlint is a git commit message linter written in Python: it checks your commit messages for style.
The new Fedora 24 is scheduled for release on June 7th of this year. This post goes into the changes of this release: a new Kernel, better Docker support, OpenShift Origin and GCC 6.
Blur was created from the mantra “I’d rather write shell scripts than Makefiles.” Blur is a very small and simple target-driven (top-down) build system, with (practically speaking) no dependencies: It is written entirely as a small handful of Bash scripts.
This new release is all about standards: Docker 1.11 is now built on top of runC and containerd, following the Open Container Initiative (OCI). This will offer better interoperability between containers from different vendors (or different underlying container technologies), all commanded through the same unified CLI interface, runC.
There's a trend of starting "awesome-xxx" git repositories, all containing relevant and useful links on a particular topic. This repository focuses on being a Linux sysadmin: lots of content on back-ups, automation, continuous integration, monitoring, file systems, ... Well, pretty much every topic is widely covered.
This new release of the open source network security software features a reworked GUI (fully responsive web interface now) and the groundwork for smaller, faster updates in the future. There will no longer be a single monolithic upgrade every few months, but smaller fixes as soon as they’re ready.
Gophish is an “Open-Source Phishing Toolkit” designed for businesses and penetration testers. It provides the ability to quickly and easily setup and execute phishing engagements and security awareness training.
Hiera is a hierarchical key/value store that can be used to provide data for your Puppet manifests (or any other system, really). However, Hiera can be surprisingly complex when debugging. This tool is designed to help demystify Hiera.
Voltron is an extensible debugger UI toolkit written in Python. It's basically a GUI frontend on top of debug tools like gdb, offering more readable output that's easier to interpret if you're just getting started.
This is a simple linter (syntax & validity checker) for HAProxy configuration: perfect for running in your git pre-commit hooks or in your validation steps before activating a new HAProxy configuration.
This is a work-in-progress: a search engine that focuses on searching open source code.
Dillinger is a cloud-enabled, mobile-ready, offline-storage, AngularJS powered HTML5 Markdown editor. Lots of buzzwords for another MarkDown editor.
The purpose of this tool is to make you a better onion service provider. You owe it to yourself and your users to ensure that attackers cannot easily exploit and deanonymize your service.
Zeal is an offline documentation browser: it has the documentation available for tools like Ansible, Bash, Go, Puppet, Python, …
Guides & Tutorials
This guide walks you through setting up OpenLDAP, configuring key authentication, creating Organisational Units and Users (in LDAP) then shows how to implement that authentication in Jenkins.
This is a very extensive post covering our most used debugging tools and comparing them to their sysdig equivalents. If you haven't heard of sysdig yet, it's a relatively new tool to help you debug functional and performance-related problems on a Linux server. Think of sysdig as strace + tcpdump + htop + iftop + lsof, all rolled into one.
The race for the smallest possible Docker containers has started! As another alternative, this post describes using the Nix operating system as a Docker guest to get Docker images of less than 50MB in size.
A really good read on how to interpret time-series database values. Our monitoring has evolved from very simple values to graphs, averages, medians, ... and all other interpretations of values. It explains Gauges, Meters, Counters, Histograms, ...
This guide covers the steps and terminology involved in getting GlusterFS, the scalable network filesystem, on CentOS.
This article features over 80 ways to monitor your machines. The topics include: command line tools, network-related and system-related monitoring, log monitoring tools and infrastructure monitoring tools.
Linux namespaces are a relatively new kernel feature which is essential for the implementation of containers. A namespace wraps a global system resource into an abstraction which will be bound only to processes within the namespace, providing resource isolation. In this article, the author discusses network namespaces and shows a practical example.
It's the command we all fear: rm -fr /. It recursively deletes all files on your system, starting from the topmost directory. But what happens when you run that command? This video shows exactly that.
nload is a console application which monitors network traffic and bandwidth usage in real time. It visualizes the incoming and outgoing traffic using two graphs and provides additional info like the total amount of transferred data and min/max network usage.