cron.weekly issue #86: Debian 9, Kernel vulnerability, Ubuntu, GitLab, casync, SSH tunnels & more
June 25, 2017 - Mattias Geniar
Welcome to cron.weekly issue #86, the newsletter where the projects are open source and the points don’t matter!
We’re just coming out of a heat wave here in Belgium which gave me plenty of time to browse the web and very little time to actually get anything done. The result is a lot of links & guides to share!
Enjoy your Sunday folks!
Mozilla is offering a 2.000.000$ prize (lots of zeros!) for ideas that help decentralize the web. This in and of itself might not interest you as a sysadmin, but it shows a shift in system management: our traditional client/server model might not come to an end entirely, but it is shifting to decentralized services more and more – it’s time to jump on board.
Elastic, the company behind ElasticSearch, Kibana, Logstash, … has bought Opbeat, a SaaS app that focuses on monitoring applications.
This is a write-up of an interview Torvalds gave at LinuxCon last week in China, giving more insights into the ideas and work that motivate him to keep development of the Kernel going.
Are you a curious mind? Full Stack Fest is a week-long conference based in the amazing city of Barcelona that peeks into the web of tomorrow! Serverless, Blockchain, WebVR, Distributed Web, Progressive Web Apps… Come and see. Early bird tickets available! Use CRONWEEKLY to get 10% off! (Sponsored)
A new Linux & BSD vulnerability was disclosed last week, allowing local users to escalate their privileges to root level. Kernel & glibc updates are required, so looks like you’ll be rebooting your Linux boxes. For a more web/marketing oriented write-up, see the Qualys blogpost.
A critical look at the aforementioned Stack Clash vulnerability, that actually appears to have been released as early as 2004, but didn’t get the attention it deserved back then.
In preparation of the 18.04 LTS release, Ubuntu is making considerable changes to the network stack in the 17.10 release. 17.10 introduces a new default configuration method for network devices, using netplan instead of ifupdown. Configuration is now written as YAML files to /etc/netplan instead of in /etc/network/interfaces.
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
Just hours after last week’s issue went out, Debian 9 “Stretch” was released! It replaces the default MySQL server with MariaDB 10.1, has 90% of its packages as Reproducible Builds (every compile produces bit-by-bit the same results), X display no longer requires root privileges to run & lots and lots of package updates.
A PAM webhook endpoint that can be used with Kubernetes.
That team moves fast with their releases! This new release focuses on code quality and adding relations between projects, which is especially useful if you use separate repositories for each “module” of your application (think composer.json, Puppetfile, …).
nosuspend sets the systemd-inhibit flag with UID 0/root in order to block computer suspend while another command-line operation is running.
Casync creates a new system for efficiently storing and delivering file system images, optimized for high-frequency update cycles over the Internet. It’s created by Lennart Poettering of systemd fame.
I find frontend (web) development to be overly complicated nowadays, but there’s no denying it: tools like webpack are very popular. Developers will like this upgrade, it’s compatible with 2.x, offering speed improvements, magic comments & plenty of bugfixes.
Simple zsh plugin that reminds you that you should use one of your existing aliases for a command you just typed.
A minor release for Apache 2.4, but with an interesting release note: HTTP/2 support is no longer tagged as “experimental” but is instead considered fully production ready. See the changelog for more details.
termplay is the tool to convert images to ANSI sequences. But it also supports playing videos – and YouTube – right in your terminal.
Passmgr is a simple password manager which allows you to securely store passphrases and retrieve them via the command line. Update: seems the project is already offline now. -_-
A menu driven bash script which provides updates, maintenance, backups and system checks for an Arch based Linux distribution.
Linux for toys: ev3dev is a Debian Linux-based operating system that runs on several Lego Mindstorms compatible platforms including the Lego Mindstorms EV3 and Raspberry Pi-powered BrickPi.
Guides & Tutorials
This blog series uses a simple application as an example to guide you on building deployment pipelines. Following it, you will get an in-depth understanding of continuous delivery and also hands-on practices of deployment pipeline modeling. Check it out here. (Sponsored)
I’m not sure about you, but I keep forgetting the order in which to place the ports when creating SSH tunnels. This blogpost does a really good job of explaining how it works with clear examples.
Buildah is a newly released command line tool for efficiently and quickly building Open Container Initiative (OCI) compliant images and containers. This post gets you up and running in no time.
There are quite a few ways to invalidate page caches if you use Varnish as a reverse proxy (other than restarting Varnish entirely). This post gives you several ways, giving the pros & cons of each method.
A lengthy post normally part of an actual hands-on workshop, but the text & diagrams are self-explanatory enough. Lots of details for getting started with Kubernetes in there.
Some good gotchas when creating your own Docker images that might prevent your app from receiving signals to handle proper shutdowns. Quite a few interesting details in there where even the syntax of your commands can make a big difference!
Some good copy/paste’able examples of creating a one-off systemd unit file that starts a script on server boot.
A vagrant box that allows you to play with ZFS’s encryption configurations, together with all the example commands to get you started. It’s playtime!
A cautionary tale that might bite you; if you upgrade your MaxScale from 2.0 to 2.1 (a simple “yum update”), beware that the default behaviour is to bind on IPv6 and IPv4 interfaces instead of just IPv4, which might alter your authentication behaviour towards MySQL.
A slightly older post, but this should get you started just fine: practical commands & good how-to for building your own Wireless APs.
This guide covers pretty much every angle of iptables, from basic rules to NAT’ing to protocols & interfaces.