cron.weekly issue #53: RHEL 7.3, fpm, kpatch, sshesame, Minoca OS, Lynis & many more!

cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!

I respect your privacy and you won't get spam. Ever. Just a weekly-ish newsletter about Linux and open source.

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Image of Mattias Geniar

Mattias Geniar, November 06, 2016

Follow me on Twitter as @mattiasgeniar

Welcome to cron.weekly issue #53 for Sunday, November 6th, 2016!

The vim editor turned 25 years, we’ve got Docker horror stories and plenty of SSH honeypots to collect interesting hacking attempts. Surely enough to keep you all occupied for today, tomorrow & the week to come.


MITM on sync+emerge = root almost any gentoo system

Perhaps not so much news as an interesting vulnerability: the Gentoo package manager doesn’t validate any GPG keys, making it trivial to set up a man-in-the-middle proxy to intercept any packages served to the package manager.

Buttery Smooth Emacs

I’m not an emacs user myself, but I liked this story: since Emacs is so old, it couldn’t/didn’t use standards related to displaying windows/text. Only just now did it implement methods for smooth scrolling & displays. The joys of ancient software!

Debian 9 drops support for powerpc

As of Debian 9, there won’t be any support for the powerpc architecture anymore.

Let’s Encrypt crowdfunding campaign

If you like the free TLS certificates from Let’s Encrypt, now’s the time to show your support: the Let’s Encrypt team needs help filling the last donations to cover running costs. Embarrassingly, it only had ~600 backers in 4 days. For the world’s biggest Certificate Authority (or close to it), that should be a lot more!

Vim text editor turns 25

Quite an accomplishment, Vi-IMproved!

Tools & Projects

Datadog – Application monitoring done right

Get real-time, integrated statistics on your entire infrastructure: from Amazon stats on your servers to detailed numbers of your PostgreSQL, Elasticsearch, Node & other applications – all from a single, easy to use, interface. Sign up for a free trial to discover a better way to monitor your stack! (Sponsored)


Effing package management! Build packages for multiple platforms (deb, rpm, etc) with great ease and sanity.


HTTP logging middleware especially useful to unwind concurrent operations without losing the request context: log HTTP requests/responses separately, visualize their concurrency and report logs/errors.


A modified sudo binary that allows authentication via the new TouchID on Apple Macbooks.


“Yet Another Zone Validation Script”: is one of the utilities that Verisign uses daily to validate new versions of the root and arpa DNS zones before they are published to the distribution masters.

Chronos: A Replacement for Cron

This is a bit older already, but still sounds interesting: Chronos is the Airbnb replacement for cron. It is a distributed and fault-tolerant scheduler which runs on top of Mesos.


kpatch is a Linux dynamic kernel patching infrastructure which allows you to patch a running kernel without rebooting or restarting any processes.

Minoca OS: A new open source operating system

Lots of attention for this project last week: Minoca OS is a general purpose operating system written completely from the ground up. It’s intended for devices looking to conserve power, memory, and storage.


Cowrie is a medium interaction SSH and Telnet honeypot designed to log brute force attacks and the shell interaction performed by the attacker.


A fake SSH server that lets everyone in and logs their activity (aka: an SSH honeypot).


This is essentially a “per-application VPN”, instead of a system-wide VPN: ocproxy is a user-level SOCKS and port forwarding proxy for OpenConnect based on lwIP. When using ocproxy, OpenConnect only handles network activity that the user specifically asks to proxy, so the VPN interface no longer “hijacks” all network traffic on the host.


Snoopy is a tiny library that logs all executed commands (+ arguments) on your system.


Darling is a translation layer that allows you to run unmodified macOS binaries on Linux. In its nature, it is similar to the well-known Wine project.


BearSSL is an implementation of the SSL/TLS protocol written in C.


Portainer is an open-source lightweight management UI which allows you to easily manage your Docker host or Swarm cluster.


Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless and installation is optional.

systemd 232

Plenty of new features in this systemd release: ther’s now support for dynamically created users for the lifetime of a service, improved container support, cgroup limitations for swap usage, the introduction of systemd-mount & much more.

RHEL 7.3

Red Hat Enterprise Linux 7.3 has been released, which means we should see CentOS 7.3 soonish too: lots of package updates, many stability & security improvements.

Guides & Tutorials

Run Nginx proxy in Docker container for HTTP/2

Since you need a recent version of OpenSSL to support HTTP/2 for browsers like Chrome, running an HTTP/2 enabled proxy in a Docker makes sense. This guide covers an Nginx TLs proxy running inside Docker to support HTTP/2.

Service discovery at Stripe

At Stripe, they’re heavy users of consul. This post gives lots of insights to how it works at scale, how it got introduced and what it’s doing today.

How to run commands at shutdown on Linux

A good tip on using a script in _/etc/rc.d/rc3.d/ _to run commands on system shutdown.

NTP: I Need You to Go Ahead and Love It

This post is a good reminder on what NTP is and does, how it works and how to configure it.

Linux increase ip_local_port_range TCP port range

For heavy traffic network servers, like proxy servers or load balancers, you may need to increase the networking port range to create more source/destination ports for new TCP connections.

Current state of the Ansible inventory and how it might evolve

A very good introduction post to Ansible inventory, the current state and shortcomings and how those could be addresses in the future.

Docker in Production: A History of Failure

This is somewhere between a rant and a precautionary tale: beware of running Docker in production, learn from these folks.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.