cron.weekly issue #71: CVE’s, Memcache-top, Ctop, Choria, s2n, Dnsmasq, Bash, Strace, Systemd & more



Mattias Geniar, March 12, 2017


Welcome to cron.weekly issue #71 for Sunday, March 12th, 2017.

A very full edition again with a lot of high-quality guides at the bottom, together with a new Linux Sucks video, an introduction to Swift, several security fixes and a heap of new tools & projects.

Have fun!

News

The end-to-end refresh of Facebook’s server hardware fleet

Facebook is making all their hardware designs open source, including the 2017 refresh of their entire stack. Some very interesting hardware storage designs in there as well as GPU-focussed servers.

New Apache Struts2 0-day Under Attack

If you have any applications built on Apache Struts2 and haven’t patched them last week, now’s a good time to do so: there’s a remote code execution bug affecting the Jakarta Multipart parser doing the rounds.

VMware becomes gold member of Linux Foundation: And what about the GPL?

VMware doesn’t have the best track record when it comes to honoring the GPL: much of its work is derived from the Linux kernel, but the source was never released. The author voices a valid concern that this behaviour might not make VMware the best candidate to be allowed into the Linux Foundation.

CVE-2017-2636: Linux local privilege escalation flaw in ‘n_hdlc’

This vulnerability (luckily) didn’t get much public attention, but still requires patching from sysadmins: a new local privilege escalation allows any user on the system to become root. Mitigating it is as simple as disabling the offending module, by disallowing it from loading at all via a modprobe blacklist.

What it feels like to be an open-source maintainer

“Outside your door stands a line of a few hundred people. They are patiently waiting for you to answer their questions, complaints, pull requests, and feature requests. You want to help all of them, but for now you’re putting it off. Maybe you had a hard day at work, or you’re tired, or you’re just trying to enjoy a weekend with your family and friends.”

Tools & Projects

Datadog: all your infrastructure, in one place

Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)

Chronix

Chronix natively speaks time series. You can store nearly every kind of data type within a time series due to its flexible design. Chronix is built to store time series highly compressed and for fast access times.

memcache-top

A ‘top’ like view for Memcache(d) statistics like cache hit rate, connections/s, evictions/s, number of total reads/s, …

ctop

A ‘top’ like view for containers: see which container is consuming most CPU or bandwidth, memory, … Very clean layout with status & progress bars for each container.

mytop

mytop is a console-based (non-gui) tool for monitoring the threads and overall performance of a MySQL server.

htop

Since I seem to be listing pretty much every ‘top’-based command, I shouldn’t ignore the most famous one of them all: htop replaces the regular top with cleaner output, color highlights and a good representation of CPU usage (user, kernel, io, …).

tig

Tig is an ncurses-based text-mode interface for git. It functions mainly as a Git repository browser, but can also assist in staging changes for commit at chunk level and act as a pager for output from various Git commands.

ffscreencast

ffscreencast is a shell wrapper for ffmpeg that allows fool-proof screen recording via the command line. It will auto-detect all available monitors, cameras and microphones and is able to interactively or manually choose the desired recording device(s). Additionally ffscreencast will let you overlay the camera stream on top of the desktop session.

burry.sh

Burry is a BackUp & RecoveRY tool for cloud native infrastructure services. Use burry to back up and restore critical infrastructure base services such as ZooKeeper and etcd.

Acra

Acra helps you to easily secure your databases in distributed, microservice-rich environments. It allows you to selectively encrypt sensitive records with strong multi-layer cryptography, detect potential intrusions and SQL injections and cryptographically compartment data stored in large sharded schemes.

dockerscan

A set of Docker security analysis & hacking tools. It looks for sensitive info in Docker images, gets meta information, has the ability to inject more data in a container (to trojanize), … Pretty cool stuff in there; the scanner part might be a good idea to add to your Docker build flow, to flag any potential issues.

Choria

Choria makes installing The Marionette Collective (mcollective) easy and secure for users of Puppet 4.

s2n

s2n is a C99 implementation of the TLS/SSL protocols that is designed to be simple, small, fast, and with security as a priority. Amazon just announced that all their SSL traffic is now handled by s2n, so I’d say it’s ready for production use.

fkill-cli

Fabulously kill processes. Cross-platform.

Guides & Tutorials

Detecting Bots in Apache & Nginx Logs

A clever approach to separating bots from human visitors on a website with the help of Python scripts.

dnsmasq as DNS cache server for Debian & Raspberry Pi

A step-by-step guide with clear illustrations for setting up a DNS caching server using dnsmasq.

Emacs org-mode examples and cookbook

This looks like the holy grail of Emacs org-mode: so many examples and guides from getting started to optimizing your workflow. Note that org-mode is a tool for keeping notes, maintaining TODO lists, planning projects, and authoring documents with a fast and effective plain-text system.

Easy Bash Prompt Generator

The site looks like it comes straight from a ‘99 horror movie, but can still be pretty useful: a simple method of generating your Bash/Zsh/… prompts with the necessary variables like hostname, time, git status codes, …

How to install Wireshark network analyzer on Fedora

Wireshark is a popular tool for network protocol analysis used by educational institutions and in industry. It offers both terminal and graphical user interfaces, and both are available on Fedora. You can use it either for real-time network analysis or to inspect files with captured traffic, such as pcap files.

Linux application/script debugging with ‘strace’

Strace is among the most powerful and confusing debugging tools to have in your arsenal. This post explains how to interpret some of its output and the parameters you can/should be using for troubleshooting.

Load balancing Apache webservers with HAProxy

Another practical guide for configuring HAProxy to distribute web load amongst 2 or more Apache webservers.

Bash practices – Part 1: Input validation and local variables

A developer’s look at Bash and how to handle input validation, show error messages on stderr, use local variables, …

Bash practices – Part 2: CQS and return values

Part 2 of the Bash guide, this time introducing query functions, returning values from a function, …

Systemd timers as a cron alternative

These slides are from a presentation that shows how to use the systemd ‘timer’ feature to run scheduled jobs without using cron, using only systemd built-in behaviour.

Micro-optimizations matter: preventing 20 million system calls

A real-world example of removing a slow system call from a code path: does it make a measurable difference?

PostgreSQL + ZFS best practices

Lots of good advice in this PDF; covering WAL files for backups, a good introduction to the ZFS features & what those mean in the long run and a very good explanation of block file systems in general.

How to install and configure MariaDB Galera as master to master replication cluster on Ubuntu 16.04 LTS

How to install and configure MariaDB Galera master to master cluster on Ubuntu Linux 16.04 LTS server to get both read and write scalability? This post has you covered.

/usr/bin/time: not the command you think you know

A deep-dive into what goes on inside the ‘time’ command on Linux.

Open-Source Host-Based Intrusion Detection System: OSSEC

OSSEC is an open-source, host-based intrusion detection system (HIDS) that performs log analysis, integrity checking, Windows registry monitoring, rootkit detection, time-based alerting, and active response. It can be used to monitor one server or thousands of servers in a server/agent mode. If properly configured, OSSEC can give you a real-time view into what’s happening on your server.

16 Linux server monitoring commands you really need to know

This covers quite a few tools like iostat, mpstat, meminfo, nmap, ps, sar & a few more.

Videos

Pushing Swift to the Server

A presentation given at the Swift Summit a few weeks ago, focussing on the Swift programming language on the server (as opposed to iOS or Apple devices). Comparisons are made against NodeJS, Ruby, … to put things in perspective. If you’re heavy into scripting server-side, Swift might be a proper alternative for you.

“Linux Sucks… For the Last Time” – 2017

Always an entertaining video: Linux Sucks, a good set of critiques of Linux in a funny way. 🙂
