cron.weekly issue #51: Chaos Monkey, Pi-Hole, tcptop, Varnish, chmod, Linux Internals & more!
October 23, 2016 - Mattias Geniar
I like how even if I think it’s going to be a slow week, there’s always more than enough content to share!
There's a privilege escalation vulnerability going around dubbed "Dirty Cow" (CVE-2016-5195), a race condition in the kernel's handling of copy-on-write memory mappings. A local, unprivileged user can exploit it rather reliably to become root on a Linux server. Kernel updates & reboots are advised.
Zalando has been publishing open source projects for quite a while; this new post is about how their teams should do open source. I love how that's also open sourced!
Other organisations are betting big on open source too, like Disney. They made a good-looking overview of their projects, which are all pushed to GitHub.
Tools & Projects
Get real-time, integrated statistics on your entire infrastructure: from Amazon stats on your servers to detailed numbers of your PostgreSQL, Elasticsearch, Node & other applications – all from a single, easy to use, interface. Sign up for a free trial to discover a better way to monitor your stack! (Sponsored)
The basic purpose of image_build is to enable building various images, including Docker images, from Puppet code.
Octocatalog-Diff assists with Puppet development and testing by enabling the user to compile 2 Puppet catalogs and compare them. It is possible to compare different branches, different versions, and different fact values. This is intended to be run from a local development environment or in CI.
Netflix's "Chaos Monkey" introduced an interesting concept to Ops teams: Chaos Monkey randomly terminates virtual machine instances and containers that run inside your production environment. Exposing engineers to failures more frequently incentivizes them to build resilient services.
This is a new open source cloud-based registry platform that powers Google’s top level domains (TLDs).
I just finished setting this up at home: Pi-hole, a DNS server for your Raspberry Pi which blocks, monitors and reports on advertisement and malicious domains. It's essentially an ad blocker via DNS that you can run yourself.
Sanic is a Flask-like Python 3.5+ web server that’s written to go fast.
A CLI tool to determine STDIN line rate at the interval of choice.
Noms is a decentralized database based on ideas from Git.
The tcptop tool, part of the BCC collection, uses Linux's eBPF tracing to summarize the top active TCP sessions by throughput, without the overhead of capturing packets.
Guides & Tutorials
This is a good guide for actions you can take when you accidentally chown/chmod your entire filesystem. You can't recover everything without backups, but by booting from install media and mounting the damaged system you can replay the correct permissions and ownership from a reference install onto it.
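As an added example (not code from the linked guide): a small POSIX shell script that replays modes from a reference tree, such as the mounted install medium the guide talks about, onto the damaged one. The reference and damaged root paths are placeholders for your own mounts; it assumes GNU or BusyBox stat, i.e. a Linux rescue environment.

```shell
#!/bin/sh
# Replay file modes from a healthy reference tree (a mounted install medium or
# a box running the same release) onto a tree hit by a recursive chmod.
# Paths are matched relative to each root. Added example, not from the linked
# guide; it relies on GNU/BusyBox "stat -c" (Linux).

# list_modes ROOT -> "mode ./relative/path" for every file and directory,
# sorted so parents come before children (a parent must be traversable
# before we can fix what's under it).
list_modes() {
  ( cd "$1" && find . \( -type f -o -type d \) -exec stat -c '%a %n' {} + ) | sort -k2
}

# perm_diff REF DAMAGED -> one line per path whose mode differs; empty if none.
# Run this first as a dry run, and again afterwards to confirm.
perm_diff() {
  ref=$1; dst=$2
  list_modes "$ref" | while read -r mode rel; do
    [ -e "$dst/$rel" ] || continue
    have=$(stat -c '%a' "$dst/$rel")
    [ "$have" = "$mode" ] || printf '%s ref=%s damaged=%s\n' "$rel" "$mode" "$have"
  done
}

# restore_perms REF DAMAGED -> chmod every matching path to the reference mode.
# %a includes the setuid/setgid/sticky bits, so su, sudo, passwd etc. get their
# 4755 back, which a blanket "chmod -R 755 /" would have stripped.
restore_perms() {
  ref=$1; dst=$2
  list_modes "$ref" | while read -r mode rel; do
    [ -e "$dst/$rel" ] || continue
    chmod "$mode" "$dst/$rel"
  done
}

# restore_owners REF DAMAGED -> same idea for a recursive chown (needs root).
# Uses numeric ids so it works even when the reference is a mounted image
# whose user names don't resolve on the rescue system.
restore_owners() {
  ref=$1; dst=$2
  ( cd "$ref" && find . \( -type f -o -type d \) -exec stat -c '%u:%g %n' {} + ) |
  while read -r owner rel; do
    [ -e "$dst/$rel" ] || continue
    chown "$owner" "$dst/$rel"
  done
}

# Typical use from a rescue shell, with the damaged root mounted at /mnt/broken
# and a pristine install of the same release mounted at /mnt/ref:
#   perm_diff /mnt/ref /mnt/broken      # review what would change
#   restore_perms /mnt/ref /mnt/broken
#   restore_owners /mnt/ref /mnt/broken
```

Only paths present in both trees are touched, so anything the reference doesn't know about (your own data under /home or /srv) is left for you to fix by hand. On RPM-based systems the package database is an alternative reference: rpm --setperms and rpm --setugids reset modes and ownership for every packaged file.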
This post and video explains how Varnish, the caching and load balancing daemon, works: it covers an introduction to HTTP headers, the internals of Varnish, how to write custom VCL code and getting started with Varnish.
"Livepatching" is a licensed service from Canonical for Ubuntu, but you can test it out for free: it applies kernel security fixes in memory, without server reboots. I wonder when/how RHEL/Fedora will implement this, and whether it'll be behind a paywall like Canonical's.
Did you know there is an option to drop Linux capabilities in Docker? With the docker run --cap-drop option you remove capabilities from the container's root user, so root inside the container keeps only a limited subset of what root can do on the host.
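As an added example, not from the linked post: a POSIX shell snippet that decodes the CapEff mask from /proc/<pid>/status into capability names, which is how you check from inside the container what --cap-drop actually left behind. The two sample masks are constructed: one matches the 14 capabilities Docker grants by default, the other what remains after --cap-drop=ALL --cap-add=NET_BIND_SERVICE.

```shell
#!/bin/sh
# Decode the CapEff bitmask from /proc/<pid>/status into capability names, so
# you can verify from inside a container what --cap-drop left root with.
# Added example; the sample masks below are constructed, not captured.

# Capability names indexed by bit number, in linux/capability.h order.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read"

# decode_caps HEXMASK -> space-separated capability names, lowest bit first.
decode_caps() {
  mask=$((0x$1)); bit=0; out=""
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then out="$out $name"; fi
    bit=$((bit + 1))
  done
  printf '%s\n' "${out# }"
}

# cap_eff_from_status -> prints the hex mask from a /proc/<pid>/status on stdin.
cap_eff_from_status() {
  awk '/^CapEff:/ { print $2 }'
}

# Constructed mask equal to Docker's default capability set (14 caps):
# bits 0,1,3,4,5,6,7,8,10,13,18,27,29,31.
DEFAULT_CAPEFF=00000000a80425fb
# Constructed mask for --cap-drop=ALL --cap-add=NET_BIND_SERVICE: bit 10 only.
MINIMAL_CAPEFF=0000000000000400

# Real-world use, from inside a container started with
#   docker run --rm --cap-drop=ALL --cap-add=NET_BIND_SERVICE alpine sh
#   decode_caps "$(cap_eff_from_status < /proc/self/status)"
printf 'docker default: %s\n' "$(decode_caps "$DEFAULT_CAPEFF")"
printf 'minimal:        %s\n' "$(decode_caps "$MINIMAL_CAPEFF")"
```

The default set still includes net_raw, mknod and setfcap, which most web workloads never need, so --cap-drop=ALL plus an explicit --cap-add list is the safer starting point. Dropping capabilities limits what root can do, but it is still uid 0 for file access inside the container; pair it with --user where the workload allows.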
Nginx supports a method called "socket sharding", where multiple worker processes each open their own listening socket on the same IP/port; it's exposed as the reuseport parameter on the listen directive (nginx 1.9.1+) and maps to the kernel's SO_REUSEPORT option. The post shows how this technique allows for rolling upgrades of nginx.
Lots of low level details on PostgreSQL’s storage: tuples, items, nodes, blocks & pages, heaps, CTID’s, clusters, … If you’re into databases and Postgres, you’ll love this.
This is a work-in-progress book on Linux kernel internals with lots of interesting content: interrupt handlers, system calls, time management, synchronisation primitives, ... really stunning work by the author, all free to read!
This Linux-focused conference takes place in Australia; the CFP is open, so if you want to present, now's the time to apply.