cron.weekly issue #7: Grub2, Grafana, Redis, Knockd, Docker & many more
December 19, 2015 - Mattias Geniar
Welcome to a new cron.weekly, this is issue #7 for Sunday December 20th.
This vulnerability got a lot of attention: press backspace 28 times when Grub prompts for a username and you bypass the authentication altogether. While the impact is limited (you need physical or IPMI access to the server to begin with), it’s surprising that this even managed to get through.
A nice, low-level writeup on CPU clocks and interrupts, going further into ‘delays’ and jitter, how clock syncing happens, etc.
Every service has its potential security issues. I often find these kinds of write-ups interesting because they interact with the low-level protocols to find structural issues with the service and show you the commands used to interact with, in this case, Redis.
A couple of weeks after Red Hat’s 7.2 release, the CentOS team has announced their 7.2 release too. For more details on what’s included, I’ll refer back to the Red Hat 7.2 changelog as mentioned in issue #3.
Similar to security-related topics, I find blogposts that respond openly to outages with a detailed postmortem to be very interesting reads. This particular post dives deep into ElasticSearch’s internals to uncover what caused the downtime.
Grafana is an open source application for visualizing large-scale metrics (think Kibana etc.). This new release includes a new Table panel, a new InfluxDB query editor, support for Elasticsearch Pipeline Metrics and support for multiple Cloudwatch credentials.
Tools & Projects
Similar to Jekyll, Grav is a file-based content management system. It’s a simple yet powerful system for managing websites.
Port-knocking is one of those interesting techniques to hide or obfuscate open ports on a Linux machine. Knockd is a daemon that makes this possible by looking for special “knock” sequences of port-hits before opening the real port.
This project by the AWS crew prevents you from committing secrets and credentials into git repositories. It works by adding itself as a pre-commit hook, so it can block you before your commit is even written to disk.
This project converts human-unfriendly strings to emoji. More of a gimmick than something useful, but I like the approach of visualising large UUIDs as simple emoji.
The previous cron.weekly mentioned ShellCheck as an online tool for testing your bash scripts for vulnerabilities or logical errors. This vim plugin does the same, but straight from within vim.
Yet another project from the Docker team: containerd is a new daemon to control runC. If you haven’t heard of runC yet, it’s a command-line interface for spawning and running containers according to an open standard.
The Mozilla team released Kinto, their lightweight JSON storage service with synchronisation and sharing abilities. It is meant to be easy to use and easy to self-host.
Guides & Tutorials
A short but useful guide for anyone who needs to make changes to limits.conf but doesn’t want to log in to the shell again to test them. It uses the prlimit tool to make limits.conf changes effective immediately on running processes.
While it’s all the rage nowadays, Docker as a concept isn’t clear for everyone. This guide takes on a very basic approach, explains the fundamentals of Docker and shows you some hands-on commands.
The title says it all: this extensive blogpost has a lot of code snippets you can use for “defensive” bash coding. The mantra is “creating bash programs that work”.
While iOS isn’t usually of interest to Linux sysadmins, combining Jenkins with Fastlane may be. This post covers the Jenkins configuration in more detail and could be a useful starting point if you ever want to set up something similar.
Another detailed blogpost by Spotify on how the Spotify client connects to its backend. This post explains a technique that introduces circuit breakers into the load balancers to spread load across backends based on latency.
I have to admit, I’ve been a CentOS user for over a decade and until now, I hadn’t heard of SCL or Software Collections. SCLs allow you to keep the default python (or PHP, or Ruby) that comes with CentOS (so yum and other system tools in CentOS keep working), while also allowing a newer version of python to be installed alongside the default one for creating and running software with newer requirements.
If you’ve ever had the pleasure of working with GNU build tools like autoconf, automake, libtool, pkg-config, and so on, you’ll find this post interesting. Every component of the build chain is described in extreme detail, and the post can be very useful as a reference guide.