cron.weekly issue #92: RHEL 7.4, Varnish, Exa, Btrfs, sslh, ZFS, inputrc, opensmtpd & more
August 6, 2017 - Mattias Geniar
Welcome to cron.weekly issue #92 for Sunday, August 6th, 2017.
Lots of news this time with the release of Red Hat Enterprise Linux 7.4. Hopefully, the CentOS release will follow soon. Further on there's news on the first-ever Varnish vulnerability, some interesting guides & fun topics on the forum.
Monitor for domain outages or unwanted DNS changes with DNS Spy and rest assured your DNS is monitored, tracked and backed-up for easy restore. Supports AXFR zone transfers. (Sponsored)
A new collection of Adobe projects that have been open sourced, ranging from an open source code editor for the web (brackets), a new looking monospaced font called "Source Code Pro", tools to manipulate webfonts & SVG & many more. Worth a look, for sure.
There's a proposal in Fedora, aiming for Fedora 27, to unify the databases of the "yum" and "dnf" package managers, so that you can use both yum and dnf, see the same package lists and keep track of what's already installed.
The latest RHEL 7.4 release brings an updated OpenSSL package that will allow ALPN again, meaning you can use HTTP/2 on Google's Chrome browser once again.
Red Hat has deprecated the btrfs file system in RHEL 7.4. This move is mostly motivated by the fact that no one at Red Hat was still actively working on btrfs, not because btrfs is a "bad" file system in any way. However, without engineers working on it, you can't really support it either.
Without btrfs, RHEL is betting on XFS and LVM for its "next gen" (ahum) storage solutions on its platform. Tried & proven, I think XFS & LVM make for an obvious choice.
An interesting project by the Mozilla foundation: send up to 1GB files, locally encrypted with auto-expiring links. Quite a lot has gone into making sure this happens securely & privately.
The Varnish project – behind the popular Varnish caching proxy – has announced their first ever vulnerability. In all these years, having their first CVE is quite an accomplishment. The attack can crash a Varnish instance remotely, trigger an auto-restart and loss of cache. If you're on 4.x or higher, you'll need an update.
A very interesting graphic showing the evolution of Linux distros and their forks. It's quite big, especially if you think about the 4 or 5 Linux distros you probably know.
(I had to read 5x to get that title right.) Work is being done on a Long Term Support (LTS) version of TLS 1.2 for systems that have multi-year or even decade-long update cycles, one that incorporates as far as possible what's already deployed for TLS 1.2 but with the security holes and bugs fixed.
This wiki has all the arguments and proposes several other projects if you're looking for a life without systemd. (Personal opinion: systemd is here to stay, instead of fighting it, embrace it, learn the configs and contribute to the project if you spot bugs or security issues. Everyone wins if that happens.)
Tools & Projects
Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)
An SSL/SSH multiplexer. sslh accepts connections on specified ports and forwards them on based on tests performed on the first data packet sent by the remote client. Probes for HTTP, SSL, SSH, OpenVPN, tinc and XMPP are implemented, and any other protocol that can be tested using a regular expression can be recognised. A typical use case is to serve several services on port 443 (e.g. to connect to SSH from inside a corporate firewall, which almost never blocks port 443) while still serving HTTPS on that port.
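The first-packet probing described above, as an added example in Python (not the sslh project's own code): each probe inspects the bytes a client sends first, and a silent client falls through to a default protocol because SSH clients wait for the server banner. The backend addresses, the probe order and the sample packets are constructed assumptions.

```python
import re
from typing import Callable, List, Tuple

# Constructed sample "first packets" for each protocol (not captured traffic).
SAMPLES = {
    "ssh":  b"SSH-2.0-OpenSSH_7.4\r\n",
    "tls":  bytes([0x16, 0x03, 0x01, 0x00, 0xF4, 0x01]) + b"\x00" * 20,
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "xmpp": b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'>",
    "none": b"",   # a client that waits for the server to speak first
}

def is_ssh(data: bytes) -> bool:
    # RFC 4253: the client identification string starts with "SSH-".
    return data.startswith(b"SSH-")

def is_tls(data: bytes) -> bool:
    # TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    # a 2-byte length, then handshake type 0x01 (ClientHello).
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)

def is_http(data: bytes) -> bool:
    # A request line begins with a method token followed by a space.
    return re.match(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) ", data) is not None

def regex_probe(pattern: bytes) -> Callable[[bytes], bool]:
    # Generic probe for any protocol a regular expression can recognise.
    compiled = re.compile(pattern)
    return lambda data: compiled.search(data) is not None

# Probes are tried in order; the backend addresses are hypothetical.
PROBES: List[Tuple[str, Callable[[bytes], bool], str]] = [
    ("ssh",  is_ssh,                          "127.0.0.1:22"),
    ("tls",  is_tls,                          "127.0.0.1:8443"),
    ("http", is_http,                         "127.0.0.1:8080"),
    ("xmpp", regex_probe(rb"<stream:stream"), "127.0.0.1:5222"),
]

def route(first_packet: bytes, default: str = "ssh") -> Tuple[str, str]:
    """Return (protocol name, backend address) for the first bytes a client sent."""
    if not first_packet:
        # Nothing arrived before the read timeout: SSH clients wait for the
        # server banner, so a silent client is routed to the default protocol.
        return next((name, target) for name, _probe, target in PROBES if name == default)
    for name, probe, target in PROBES:
        if probe(first_packet):
            return name, target
    # No probe matched; a real multiplexer applies its configured fallback here.
    return "unknown", ""
```

The same probing logic, applied to the first bytes of captured connections, is also how a defender can notice that not everything on port 443 is HTTPS.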
GoboLinux is an alternative Linux distribution which redefines the entire filesystem hierarchy. In GoboLinux you don't need a package database because the filesystem is the database: each program resides in its own directory.
Heptio Ark is a utility for managing disaster recovery, specifically for your Kubernetes cluster resources and persistent volumes. It provides a simple, configurable, and operationally robust way to back up and restore applications and PVs from a series of checkpoints.
Heptio Sonobuoy is a diagnostic tool that makes it easier to understand the state of a Kubernetes cluster by running a set of Kubernetes conformance tests in an accessible and non-destructive manner. It is a customizable, extendable, and cluster-agnostic way to generate clear, informative reports about your cluster, regardless of your deployment details.
exa is a modern replacement for ls. It uses colours for information by default, helping you distinguish between many types of files, such as whether you are the owner, or in the owning group. It also has extra features not present in the original ls, such as viewing the Git status for a directory, or recursing into directories with a tree view. exa is written in Rust, so it’s small, fast, and portable.
Lots of changes in this 7.4 release; updated OpenSSL, deprecation of several core components (like btrfs), improved audit capabilities, SELinux in containers & many package updates.
A set of strong ciphers for your SSL/TLS configurations in Apache, nginx and Lighttpd.
OpenSMTPD is a FREE implementation of the server-side SMTP protocol as defined by RFC 5321, with some additional standard extensions. It allows ordinary machines to exchange emails with other systems speaking the SMTP protocol. Started out of dissatisfaction with other implementations, OpenSMTPD is a fairly complete SMTP implementation.
A fast replacement for PGAdmin.
Guides & Tutorials
Our Continuous Delivery 101 video series helps teams get a basic understanding of continuous delivery. Get to know the history and concepts, a look into automated testing, as well as best practices and more. Check it out. (Sponsored)
Some good tips on what to do with the disk of a compromised server, in order to find the root cause without accidentally 'tainting' the disk with your own actions, preserving as many of the timestamps & logs as you can.
That's a lot of disk capacity! This post is more hardware than software, but it's really interesting to see how you can build a really big file server with commodity hardware.
This one is written by the Mesos project (so take with a grain of salt), but gives a pretty good overview of the differences & strengths of each container orchestrator.
~/.inputrc is the user configuration file of GNU readline, which provides customizable command line user interfaces for many important interactive programs, such as Bash and the Python interactive shell. However, many of its useful features are disabled by default. In this post, the author walks you through a decent ~/.inputrc file to unlock the power of readline.
Even with memory to spare, some swap space can be beneficial. This post explains why, with several caveats.
This is the part where you can have your say: join the discussions and share your opinion on the forum!
If you'd start from scratch, would you pick a RHEL or Ubuntu distribution? Or something else? And why one over the other?
Some interesting discussions were held here, with plenty of projects, tools & setup ideas shared for deploying your own internal Certificate Authority.