Welcome to a new cron.weekly, this is issue #7 for Sunday December 20th.
News
Grub2 Authentication Bypass
This vulnerability got a lot of attention: press the backspace 28 times when Grub prompts for a username and you bypass the authentication altogether. While the impact is limited (you need physical or IPMI access to the server to begin with), it’s surprising how this even managed to get through.
CPU Clocks and Clock Interrupts, and Their Effects on Schedulers
A nice and low-level writeup on CPU clocks and interrupts, going in further on ‘delays’ and jitter, how clock syncing happens etc.
Pentesting Redis Servers
Every service has its potential security issues. I often find these kinds of write-ups interesting because they interact with the low-level protocols to find structural issues with the service and show you the commands used to interact with, in this case, Redis.
CentOS 7.2 released
A couple of weeks after Red Hat’s 7.2 release, the CentOS team can announce their 7.2 release too. For more details on what’s included I’ll refer back to the Red Hat 7.2 changelog as mentioned in issue #3.
Postmortem: Outage due to Elasticsearch’s flexibility and our carelessness
Similar to security-related topics, I find blog posts that respond openly to outages with a detailed postmortem to be very interesting reads. This particular post dives deep into Elasticsearch’s internals to uncover what caused the downtime.
Grafana 2.6 released
Grafana is an open source application for visualizing large-scale metrics (think Kibana etc.). This new release includes a new Table panel, a new InfluxDB query editor, support for Elasticsearch Pipeline Metrics and support for multiple Cloudwatch credentials.
Tools & Projects
Grav: a modern, flat-file CMS
Similar to Jekyll, Grav is a file-based content management system. It’s a simple yet powerful system for managing websites.
knockd: a port-knocking server
Port-knocking is one of those interesting techniques to hide or obfuscate open ports on a Linux machine. knockd is a daemon that makes this possible by looking for special “knock” sequences of port hits before opening the real port.
git-secrets
This project by the AWS crew prevents you from committing secrets and credentials into git repositories. It works by adding itself as a pre-commit hook, so it can block you before your commit is even written to disk.
emo
This project converts human-unfriendly strings to emoji. More of a gimmick than something useful, but I like the approach of visualising large UUIDs as simple emoji.
Syntastic vim plugin
The previous cron.weekly mentioned ShellCheck as an online tool for testing your bash scripts for vulnerabilities or logical errors. This vim plugin does the same, but straight from within vim.
Containerd: a daemon to control runC
Yet another project from the Docker team: containerd is a new daemon to control runC. If you haven’t heard of runC yet, it’s a command-line interface for spawning and running containers according to an open standard.
Kinto: lightweight JSON storage
The Mozilla team released Kinto, their lightweight JSON storage service with synchronisation and sharing abilities. It is meant to be easy to use and easy to self-host.
Guides & Tutorials
Apply changes to limits.conf immediately
A short but useful guide for anyone who needs to make changes to limits.conf but doesn’t want to log in to the shell again to test them. It uses the prlimit tool to make limits.conf changes effective immediately on running processes.
Docker basics: a practical starter guide
While it’s all the rage nowadays, Docker as a concept isn’t clear for everyone. This guide takes on a very basic approach, explains the fundamentals of Docker and shows you some hands-on commands.
Defensive BASH Programming
The title says it all: this extensive blog post has a lot of code snippets you can use for “defensive” bash coding. The mantra is “creating bash programs that work”.
iOS continuous delivery with Jenkins and Fastlane
While iOS isn’t usually of interest to Linux sysadmins, combining Jenkins with Fastlane may be. This post covers the Jenkins configuration in more detail and could be a useful starting point if you ever want to set up something similar.
ELS: latency based load balancer
Another detailed blogpost by Spotify on how the Spotify client connects to its backend. This post explains a technique that introduces circuit breakers into the load balancers to spread load across backends based on latency.
CentOS ‘Software Collections’
I have to admit, I’ve been a CentOS user for over a decade and until now I hadn’t heard of SCL or Software Collections. SCLs allow you to keep running the default python (or PHP, or Ruby) that comes with CentOS (so yum and other CentOS system tools keep working), while also allowing a newer version of python to be installed alongside the default one for creating and running software with newer requirements.
Autotools Mythbuster
If you’ve ever had the pleasure of working with GNU build tools like autoconf, automake, libtool, pkg-config, and so on, you’ll find this post interesting. Every component of the build chain is described in extreme detail, and the post can be very useful as a reference guide.