cron.weekly issue #71: CVEs, Memcache-top, Ctop, Choria, s2n, Dnsmasq, Bash, Strace, Systemd & more
March 12, 2017 - Mattias Geniar
Welcome to cron.weekly issue #71 for Sunday, March 12th, 2017.
A very full edition again with a lot of high-quality guides at the bottom, together with a new Linux Sucks video, an introduction to Swift, several security fixes and a heap of new tools & projects.
Facebook is making all their hardware designs open source, including the 2017 refresh of their entire stack. Some very interesting hardware storage designs in there as well as GPU-focussed servers.
If you have any applications running that are built on Apache Struts2 and didn't patch them last week, now's a good time to do so: there's a remote code execution bug in the Jakarta Multipart parser doing the rounds. It is triggered through a crafted Content-Type request header, so an application does not need an actual upload form to be reachable.
VMware doesn't have the best track record when it comes to honoring the GPL: much of its work is derived from the Linux kernel, but the source was never released. The author voices a valid concern that a company behaving this way may not belong in the Linux Foundation.
This vulnerability (luckily) didn't get much attention in public, but still requires patching by sysadmins: a new local privilege escalation lets any user on the system become root. Until the fixed kernel is installed, the workaround is as simple as disabling the offending module, by forbidding modprobe to load it at all.
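The modprobe override described above, as an added example that is not from the newsletter or the advisory it links to. The module name is a placeholder (substitute the one named in the advisory) and the configuration directory is a parameter so the example can be exercised without root; the checks for an already-loaded or built-in module are the two cases where a modprobe.d entry alone is not enough.

```sh
#!/bin/sh
# Added example (not from the newsletter or the linked advisory): stop a kernel
# module from loading by overriding its modprobe "install" command.
# The module name passed in is a placeholder.

# Write a modprobe.d override. "install X /bin/false" makes every modprobe of X
# (including alias-driven autoload) run /bin/false instead of inserting the
# module. That is stronger than a bare "blacklist X" line, which only disables
# alias-based autoloading and still allows an explicit modprobe; both are written.
block_module() {
    module=$1
    confdir=${2:-/etc/modprobe.d}      # second arg lets the example run unprivileged
    conf="$confdir/disable-$module.conf"
    printf 'install %s /bin/false\n' "$module" > "$conf" || return 1
    printf 'blacklist %s\n' "$module" >> "$conf" || return 1
    printf '%s\n' "$conf"
}

# The override only affects future loads; a module that is already resident
# stays resident. Exit status is the answer, nothing is printed.
module_loaded() {
    awk -v m="$1" '$1 == m { found = 1 } END { exit !found }' /proc/modules 2>/dev/null
}

# Unload a resident module. rmmod fails when the module is in use, and then
# only a reboot into the patched kernel (or with the override in place) helps.
unload_module() {
    if module_loaded "$1"; then
        rmmod "$1" || { echo "$1 is in use; reboot required" >&2; return 1; }
    fi
}

# A driver compiled into the kernel is not a module at all: modprobe overrides
# cannot disable it, only a kernel rebuild or a boot parameter (if offered) can.
module_is_builtin() {
    grep -q "/$1.ko\$" "/lib/modules/$(uname -r)/modules.builtin" 2>/dev/null
}
```

Typical use on an affected host is `block_module <name>` followed by `unload_module <name>`; if `module_is_builtin <name>` succeeds, the modprobe route does not apply and the kernel itself has to be updated.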
“Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them, but for now you’re putting it off. Maybe you had a hard day at work, or you’re tired, or you’re just trying to enjoy a weekend with your family and friends.”
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
Chronix natively speaks time series. You can store nearly every kind of data type within a time series due to its flexible design. Chronix is built to store time series highly compressed and for fast access times.
A ‘top’-like view for Memcache(d) statistics: cache hit rate, connections/s, evictions/s, total reads/s, …
A ‘top’-like view for containers: see which container is consuming the most CPU, bandwidth, memory, … Very clean layout with status & progress bars for each container.
mytop is a console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL server.
Since I seem to be listing pretty much every ‘top’-based command, I shouldn’t ignore the most famous one of them all: htop replaces the regular top with cleaner output, colour highlights and a good representation of CPU usage (user, kernel, io, …).
Tig is an ncurses-based text-mode interface for git. It functions mainly as a Git repository browser, but can also assist in staging changes for commit at chunk level and act as a pager for output from various Git commands.
ffscreencast is a shell wrapper for ffmpeg that allows fool-proof screen recording via the command line. It will auto-detect all available monitors, cameras and microphones and is able to interactively or manually choose the desired recording device(s). Additionally ffscreencast will let you overlay the camera stream on top of the desktop session.
Burry is a BackUp & RecoveRY tool for cloud native infrastructure services. Use burry to back up and restore critical infrastructure base services such as ZooKeeper and etcd.
Acra helps you to easily secure your databases in distributed, microservice-rich environments. It allows you to selectively encrypt sensitive records with strong multi-layer cryptography, detect potential intrusions and SQL injections and cryptographically compartmentalize data stored in large sharded schemes.
A Docker security analysis & hacking toolkit. It looks for sensitive info in Docker images, gets meta information, can inject more data into a container (to trojanize it), … Pretty cool stuff in there; the scanner part might be a good addition to your Docker build flow, to flag potential issues before an image ships.
Choria makes installing The Marionette Collective (mcollective) easy and secure for users of Puppet 4.
s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. Amazon just announced that all their SSL traffic is now handled by s2n, so I’d say it’s ready for production use.
Fabulously kill processes. Cross-platform.
Guides & Tutorials
A clever approach to separating bots from human visitors on a website with the help of Python scripts.
A step-by-step instruction with clear illustrations for setting up a DNS caching server using dnsmasq.
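The caching resolver from that guide, as an added example that is not from the linked tutorial: a function that writes a caching-only dnsmasq configuration and a check that the result cannot be reached as an open resolver. The listen address, output path and upstream servers are placeholders (192.0.2.53 is documentation address space); every option written is a standard dnsmasq option.

```sh
#!/bin/sh
# Added example (not from the linked guide): generate a caching-only dnsmasq
# configuration and sanity-check that it only serves the address it was given.

# write_dnsmasq_conf PATH LISTEN_IP UPSTREAM...
# PATH is e.g. /etc/dnsmasq.d/cache.conf, LISTEN_IP is 127.0.0.1 for a single host
# or this host's LAN address when it serves the LAN.
write_dnsmasq_conf() {
    conf=$1
    listen_ip=$2
    shift 2                            # remaining arguments are upstream resolvers
    {
        echo "# caching-only resolver, generated by write_dnsmasq_conf"
        echo "listen-address=$listen_ip"
        echo "bind-interfaces"         # bind only that address, not the wildcard
        echo "cache-size=10000"        # the default of 150 entries is far too small
        echo "no-resolv"               # ignore /etc/resolv.conf, use only the servers below
        echo "domain-needed"           # never forward bare hostnames upstream
        echo "bogus-priv"              # never forward reverse lookups for RFC1918 space
        echo "stop-dns-rebind"         # drop upstream answers that point into private ranges
        for up in "$@"; do
            echo "server=$up"
        done
    } > "$conf"
}

# An open resolver answers queries from the whole internet and is a ready-made
# amplification source. dnsmasq binds all interfaces unless told otherwise, so
# refuse a config that has no listen-address, listens on 0.0.0.0, or lacks
# bind-interfaces (without it dnsmasq still binds the wildcard and filters).
conf_is_local_only() {
    conf=$1
    grep -q '^listen-address=' "$conf" || return 1
    if grep -q '^listen-address=0\.0\.0\.0' "$conf"; then
        return 1
    fi
    grep -q '^bind-interfaces' "$conf" || return 1
    return 0
}
```

After writing the file, point /etc/resolv.conf (or the network manager) at the listen address and restart dnsmasq; when the resolver serves a LAN rather than localhost, also firewall TCP and UDP port 53 from anything outside that network, because `listen-address` does not replace a packet filter.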
This looks like the holy grail of Emacs org-mode: so many examples and guides from getting started to optimizing your workflow. Note that org-mode is a tool for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.
The site looks like it comes straight from a ’99 horror movie, but can still be pretty useful: a simple method of generating your Bash/Zsh/… prompts with the necessary variables like hostname, time, git status codes, …
Wireshark is a popular tool for network protocol analysis used by educational institutions and in industry. It offers both terminal and graphical user interfaces, and both are available on Fedora. You can use it either for real-time network analysis or to inspect files with captured traffic such as pcap files.
Strace is among the most powerful and confusing debugging tools to have in your arsenal; this post explains how to interpret some of its output and the parameters you can/should be using for troubleshooting.
Another practical guide for configuring HAProxy to distribute web load amongst 2 or more Apache webservers.
A developer’s look at Bash: how to handle input validation, write error messages to stderr, use local variables, …
Part 2 of the Bash guide, this time introducing query functions, returning values from a function, …
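The practices from both parts of that guide, as an added example that is not code from the linked articles: a small script that works out which backup directory a user may read. Untrusted input is validated against a whitelist before it reaches any command, diagnostics go to stderr so stdout stays machine-readable, variables are local, a query function answers through its exit status, and a value-returning function answers through stdout plus an exit code. The backup root and user names are placeholders.

```sh
#!/bin/sh
# Added example (not from the linked Bash guides). Written to POSIX sh so it runs
# under bash or dash; the backup root is a placeholder passed in as an argument.

# die: error text goes to stderr, the exit code carries the failure, stdout stays clean.
die() {
    printf 'error: %s\n' "$*" >&2
    return 1
}

# valid_username: a query function. The exit status is the answer; nothing is printed.
# The whitelist is deliberately strict: spaces, shell metacharacters, path separators
# and a leading dash never get past it, so later commands can interpolate the value.
valid_username() {
    local name
    name=$1
    [ -n "$name" ] || return 1
    [ "${#name}" -le 32 ] || return 1
    case $name in
        *[!a-z0-9_-]*) return 1 ;;     # any character outside the whitelist
        [!a-z_]*)      return 1 ;;     # must start with a letter or underscore
    esac
    return 0
}

# backup_dir_for ROOT NAME: returns a value on stdout; callers capture it with $(...).
# The exit code still signals failure, so "dir=$(backup_dir_for ...) || ..." works.
backup_dir_for() {
    local root name
    root=$1
    name=$2
    valid_username "$name" || { die "invalid username: '$name'"; return 1; }
    printf '%s/%s\n' "$root" "$name"
}

# main ROOT NAME: wires the pieces together. Note that the exit code of
# backup_dir_for propagates through the command substitution.
main() {
    local dir
    dir=$(backup_dir_for "${1:-/srv/backups}" "${2:-}") || return 1
    printf '%s\n' "$dir"
}

# usage: main /srv/backups alice
```

Keeping validation in its own query function is what makes the rest safe to read: every later command can assume the name contains nothing but the whitelisted characters, and a rejected value produces a one-line message on stderr and a non-zero exit rather than a partially executed command.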
These slides are from a presentation that shows how to use the systemd ‘timer’ feature to run scheduled jobs without using cron, using only systemd built-in behaviour.
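A service/timer pair of the kind those slides describe, as an added example that is not from the presentation: a function that writes the two unit files that replace one crontab line, including the sandboxing directives a cron job has no way to express. The job name, schedule, command and writable path are placeholders; the target directory is a parameter so the example runs without touching /etc.

```sh
#!/bin/sh
# Added example (not from the linked slides): generate a systemd service + timer
# that replaces a cron entry. In real use DIR is /etc/systemd/system.

# write_timer_job DIR NAME ONCALENDAR COMMAND [WRITABLE_PATH]
write_timer_job() {
    dir=$1
    name=$2
    calendar=$3
    cmd=$4
    writable=${5:-}
    cat > "$dir/$name.service" <<EOF
[Unit]
Description=$name (scheduled job)

[Service]
Type=oneshot
ExecStart=$cmd
# Hardening a crontab entry cannot express: no setuid escalation, read-only OS
# tree, private /tmp, no access to home directories.
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
EOF
    # ProtectSystem=strict makes the whole tree read-only, so a job that writes
    # (a backup, a log rotation) must name its output path explicitly.
    if [ -n "$writable" ]; then
        echo "ReadWritePaths=$writable" >> "$dir/$name.service"
    fi
    cat > "$dir/$name.timer" <<EOF
[Unit]
Description=Schedule for $name

[Timer]
# systemd calendar syntax: cron's "0 2 * * *" is "*-*-* 02:00:00" here.
OnCalendar=$calendar
# Run a job that was missed while the machine was off, which cron never does.
Persistent=true
# Spread fleet-wide jobs so they do not all hit shared services at once.
RandomizedDelaySec=10min

[Install]
WantedBy=timers.target
EOF
}

# usage: write_timer_job /etc/systemd/system nightly-backup '*-*-* 02:00:00' /usr/local/bin/backup.sh /srv/backups
```

It is the timer that gets enabled, not the service (`systemctl enable --now nightly-backup.timer`); `systemctl list-timers` then shows the next and last run, and `journalctl -u nightly-backup.service` holds the job's output where cron would have mailed it.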
A real-world example of removing a slow system call from a code path: does it make a measurable difference?
Lots of good advice in this PDF; covering WAL files for backups, a good introduction to the ZFS features & what those mean in the long run and a very good explanation of block file systems in general.
How to install and configure a MariaDB Galera master-to-master replication cluster on an Ubuntu 16.04 LTS server, to get both read and write scalability. This post has you covered.
A deep-dive into what goes into the ‘time’ command on Linux.
OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It can be used to monitor one server or thousands of servers in a server/agent mode. If properly configured, OSSEC can give you a real-time view into what’s happening on your server.
This covers quite a few tools like iostat, mpstat, meminfo, nmap, ps, sar & a few more.
A presentation given at the Swift Summit a few weeks ago, focussing on the Swift programming language on the server (as opposed to iOS or Apple devices). Comparisons are made against NodeJS, Ruby, … to put things in perspective. If you’re heavy into scripting server-side, Swift might be a proper alternative for you.
Always an entertaining video: Linux Sucks, a good set of critiques of Linux in a funny way. 🙂