Happy 2018 everyone!
Welcome to cron.weekly issue #111, the first issue for 2018. Hope you all enjoyed the break and found some time to relax. I’m pretty sure last week wasn’t as quiet as you hoped.
Let’s get to it!
The Intel CPU debacle
Yeah, this one deserves a topic on its own. Lots of links to share here.
On January 2nd, a severe flaw was rumored to be announced in all Intel CPUs. No biggie, hardly anyone uses those, right? At first, it looked like AMD was off the hook, but it was later announced that AMD was vulnerable to 2 of the 3 exploits to be released. There are patches, but benchmarks indicate that – depending on the workload – there’s a 1 to 19% performance hit on patched systems. After the patch is applied, you can control which of its security features are enabled or disabled, if you value performance over security.
Shortly after the rumors came out, Intel tried to explain it with a vague PR statement. The Register did a good job of debunking every line in that statement; it’s worth a read for laughs & giggles.
Anyway, a few days later, the vulnerabilities got announced. As per usual, they got a logo (2!) and a website: SpectreAttack.com. From this day on, we’ll call them Spectre & Meltdown. Now that the details are out, the write-ups are coming, explaining the exploits with clearer examples. I especially liked this one from LWN.
Microsoft issued updates. Red Hat did too, as did most Linux distros. It’s a shame someone forgot to notify the BSD community though.
As if the bugs themselves weren’t serious enough, because of all the hype around it, the vulnerabilities were revealed a week earlier than planned. Turns out, if you hype the most serious vulnerability in the last decade, people go looking online. And they pieced together the bug from various sources, before the details were released. And in many cases, before vendors were ready with the patch. They all thought they had an extra week. Funny, isn’t it?
Meanwhile, props to Google for this bug. They followed up on earlier reports of these vulnerabilities with some epic technical debugging. They even submitted patches to LLVM & GCC with new binary constructs for speculative execution.
The bugs were so bad, you could apparently exploit them with client-side JavaScript in a browser. Mozilla quickly pushed updates to help prevent it.
To make a long story short, if you haven’t already, you will want to:
- Update the BIOS of your servers (make sure your vendor confirms they patched this)
- Update your hypervisors (KVM/Xen/VMware/...)
- Update all your servers (bare metal + VMs) with the latest kernel updates. By now, all major OSes have patches.
- Just update everything that has a CPU in it
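Once the kernel updates are in, you’ll want to confirm the mitigations actually took effect rather than trusting the package version. The script below is an added example (not from cron.weekly or any vendor) that reads the kernel’s own report in /sys/devices/system/cpu/vulnerabilities/ and the pti CPU flag; it assumes a kernel new enough to expose that directory, and it takes a directory argument so it can be tried against constructed files.

```shell
#!/bin/sh
# Added example: summarise the kernel's Spectre/Meltdown mitigation status.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (shipped with the January 2018 fixes); older kernels report nothing,
# which we treat as "unverified, assume unpatched".

# check_mitigations [DIR]
# Prints one line per vulnerability entry and returns:
#   0  every entry is "Not affected" or "Mitigation: ..."
#   1  at least one entry is "Vulnerable" (or unrecognised)
#   2  DIR is missing, i.e. the kernel cannot report its own status
check_mitigations() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    if [ ! -d "$dir" ]; then
        echo "no $dir: kernel predates mitigation reporting, assume unpatched" >&2
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        status=$(cat "$f")
        case "$status" in
            "Not affected"*|"Mitigation:"*) printf '%-12s OK   %s\n' "$name" "$status" ;;
            "Vulnerable"*)                   printf '%-12s FAIL %s\n' "$name" "$status"; rc=1 ;;
            *)                               printf '%-12s ???  %s\n' "$name" "$status"; rc=1 ;;
        esac
    done
    return $rc
}

# pti_enabled [CPUINFO]
# Returns 0 if the "pti" flag (kernel page-table isolation, the Meltdown fix)
# is listed in /proc/cpuinfo, 1 otherwise. Booting with pti=off or nopti
# is one way it ends up disabled when someone trades security for speed.
pti_enabled() {
    grep -qw pti "${1:-/proc/cpuinfo}"
}
```

Run `check_mitigations` with no argument on a patched host and treat any non-zero exit as "not done yet"; a FAIL line after a kernel update usually means the microcode or BIOS part of the fix is still missing.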
I hope your week wasn’t as shitty as ours, this gave us many headaches & unplanned work. It’s a big one, you’ll want to do your own research to evaluate the impact.
News
Announcing the OpenWrt/LEDE merge
The LEDE project is joining forces with OpenWrt to continue under the OpenWrt name. Both teams specialize in high performance home router firmware.
The state of Linux security in 2017
A nice review of 2017 with the most prominent security news (basically: all security fails from the Linux communities in 2017).
Start your open source career
If you’ve never done anything open source, how do you start? This was a fun read on making the first steps by contributing to a project you use.
SSH tron
Multiplayer Tron in your terminal. Just run the command below and you’ll be playing in seconds. Cool!
Docker, Inc is Dead
An opinionated piece on why Docker might be losing ground in 2018.
Tools & Projects
Get full-stack observability with Datadog
Go from a global view of your infrastructure to inspecting an individual request trace, all in one developer-friendly platform. Start a free 14-day trial. (Sponsored)
cr
cr is a job executor concerned with achieving the highest parallel execution possible. Given a definition of jobs and their dependencies, it builds a graph that outlines the execution plan of these jobs.
elasticsearch-gmail
This project indexes your Gmail in an Elasticsearch instance you control, using bulk indexing, and then lets you query the cluster to get a better picture of what’s going on (who mails you the most, which mails take up the most space, …).
acme.sh
A pure Unix shell script implementing the ACME client protocol (this is what Let’s Encrypt uses to issue free certificates).
Open Paperless
Scan, index, and archive all of your paper documents.
gittup
This is an entire(-ish) Linux distribution in git. Everything is built with tup. That’s why it’s called gittup.
dehydrated
letsencrypt/acme client implemented as a shell-script – just add water.
ack3 beta
This blazing fast grep alternative is getting a new version, the first beta release is out.
Guides & Tutorials
GoCD – Open Source Continuous Delivery Server
GoCD is a continuous delivery tool supporting modern infrastructure with elastic on-demand agents and cloud deployments. With GoCD, you can easily model, orchestrate and visualize complex workflows from end to end. It’s open source, free to use and download. (Sponsored)
Key metrics for PostgreSQL monitoring
There’s a lot of data in this post, from single-server setups to replicated ones, covering the Postgres statistics collector & which metrics to keep an eye on.
Collecting metrics with PostgreSQL monitoring tools
A follow-up to the previous post, focusing on the configuration needed to collect the necessary metrics in Postgres.
Building a Kubernetes cluster on bare metal with CentOS 7
A guide covering how to create a bare metal Kubernetes cluster using kubeadm and CentOS 7.
The 2018 Guide to Building Secure PHP Software
Make sure to show this to as many PHP devs as you know: a lot of practical guides on writing secure PHP code.
Learning to operate Kubernetes reliably
Lessons learned from a team that uses Kubernetes: how to build a setup reliably, what abstractions were built on top of Kubernetes, how to integrate it in existing infra, …
Demystifying container runtimes
This article will try to explain what container runtimes are, what they do, how they compare with each other, and how to choose the right one.
Move a running process to screen
A quick guide on how to move a running Linux process into the screen terminal multiplexer.
Escaping Docker container using waitid() – CVE-2017-5123
A nice technical write-up on how a kernel vulnerability allowed Docker containers to escape their container boundaries and get access to the host.