cron.weekly issue #58: HAProxy, CVE’s, SysAdvent, PGP, mcrouter, Expect & more
December 11, 2016 - Mattias Geniar
Welcome to cron.weekly issue #58 for Sunday, December 11th, 2016.
There’s a new local root exploit, exciting releases from HAProxy, guides on firewalld and there’s even a surprise section at the bottom about … Microsoft. I kid you not. 😉
As always, if you have an open source project or blogpost you’d like to highlight, send me an e-mail!
AMD provided a > 100.000 line kernel patch to add extended support for their GPUs to the Linux kernel, but that patch was rejected for “containing too much HAL” (Hardware Abstraction Layer). AMD’s reply was surprisingly honest and calm.
A new privilege escalation exploit lets local users become root by exploiting a bug in the creation of sockets. On many systems (like CentOS 7) the CAP_NET_RAW capability is not granted to local users by default, so the exploit does not work there.
Well, not me personally, as I never had the patience to even get started with PGP. But this author makes some very good points about the future of GPG and keys in general.
Every December, sysadmins unite on a single blog: SysAdvent. It always provides solid reading material, from soft skills to deep technical articles about Docker and Kubernetes to using Desired State Configuration in the Microsoft world.
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment. Sign up for a free 14-day trial. (Sponsored)
Akaros is an open source, GPL-licensed operating system for manycore architectures. Their goal is to provide support for parallel and high-performance applications and to scale to a large number of cores.
Climate is the ‘ultimate command line tool’ for Linux. It provides a huge number of command line options for developers to automate their Linux system. The command examples give a general idea of what’s possible.
Aker is a security tool that helps you configure your own Linux SSH jump/bastion host. Aker acts as a choke point through which all your sysadmins and support staff access Linux production servers. The Aker SSH gateway includes a lot of security features that help you manage and administer thousands of Linux servers with ease.
This project was mentioned in issue #22 previously, but it keeps on growing so it deserves a second mention. NetData provides unparalleled insights, in real time, into everything happening on your Linux systems and applications, with stunning, interactive web dashboards and powerful performance and health alarms.
This new HAProxy release brings restructuring of internal code to make it easier to maintain and more stable, the ability to include a directory of configs instead of a single config file (hooray for config management!), DNS-based server configurations, OpenSSL 1.1.0 support, multiple TLS certs per domain (serving ECDSA certs alongside traditional RSA ones) & so much more.
Improvements to live patching, a new scheduler (credit2) that aims to better support latency-sensitive workloads, big speed improvements for domain creation, and support for USB passthrough. All that on top of security & stability patches.
Mcrouter is a memcached protocol router for scaling memcached deployments. It’s a core component of cache infrastructure at Facebook and Instagram where mcrouter handles almost 5 billion requests per second at peak.
HyperContainer is a hypervisor-agnostic technology that allows you to run Docker images on a plain hypervisor. It encapsulates a Docker container inside a lightweight VM, providing minimal overhead but additional security.
Guides & Tutorials
Sometimes PHP crashes with a segmentation fault because of a fault in PHP’s core. When PHP crashes like that, you can log the segfault on your server and analyse the core dump with gdb to get a stack trace of where the crash occurred.
A good technical overview of the benefits of SELinux, AppArmor and auditd, and how they compare to Sysdig’s Falco solution.
‘Void Linux’ is an alternative Linux distribution with its own package manager. This post covers the reasons why you’d want to switch to Void Linux from, say, Ubuntu. Its biggest assets: no systemd, very fast, rolling releases, LibreSSL & hardened compiler flags by default.
Some good practical pointers and commands for firewalld, the new user-land tool that replaces iptables: add & remove zones, filter by source/destination IP, open/close TCP ports, and more.
The recent local-user privilege escalation exploit that allowed root access can be trivially mitigated with systemd’s RestrictAddressFamilies option. This post explains how.
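As an added illustration (not code from the linked post), a systemd drop-in that applies RestrictAddressFamilies to a hypothetical service so it can only create UNIX and IPv4/IPv6 sockets; the unit name and path are placeholders.

```ini
# /etc/systemd/system/myapp.service.d/hardening.conf  (placeholder unit name)
[Service]
# Allow-list: the service may only create AF_UNIX, AF_INET and AF_INET6 sockets.
# A socket() call for any other family (AF_PACKET, AF_NETLINK, ...) fails with
# EAFNOSUPPORT, so a bug in creating such sockets is unreachable from this unit.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
# Commonly paired with NoNewPrivileges= so the process cannot regain
# capabilities (such as CAP_NET_RAW) through setuid binaries.
NoNewPrivileges=yes
```

A service that legitimately needs raw or packet sockets will break under this allow-list, so check its socket use first; after `systemctl daemon-reload` and a restart, `systemctl show -p RestrictAddressFamilies myapp.service` prints the effective value.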
The ‘expect’ tool allows you to automate any tool by simulating input to a text-based terminal. This post has lots of practical examples of what that looks like. Expect is especially useful for tools that don’t read input from stdin (pipes or text) but prompt for it interactively instead.
‘Bats’ is the Bash Automated Testing System. This post explains how you can set it up and run it to test your own Bash scripts.
This post explains how you can abstract away the differences between dev/staging/production environments in Ansible, introducing variables, inventory, groups and more.
In the latest of a 3-part blog series, Scott Helme dives into DMARC: Domain-based Message Authentication, Reporting and Conformance. This post builds on top of two earlier ones: part 1: SPF and part 2: DKIM.
Microsoft News Sources
Wait what, a Microsoft section in a Linux newsletter? – I’m just as shocked as you are!
I’ve realised that I’m pretty up-to-date with Linux and open source, but there are a lot of exciting technologies coming from Microsoft that just pass me by. So I asked earlier this week if there were recommended Microsoft newsletters/blogposts, focussing on the technical aspects. Here’s what I got back.
A daily (!) roundup of all the Microsoft news, sharing plenty of articles in the process.
A weekly newsletter highlighting the most prominent news and tools in the Microsoft ecosystem.
This newsletter focusses on Microsoft and everything around that, including VMware (vSphere + vSAN) and storage.