cron.weekly issue #90: OCI, Apache, Go, Shells, Duplicity, mktemp, man & more

cron.weekly is a newsletter about Linux, open source & webdevelopment. Want to get it in your inbox every Sunday? Subscribe below!

I respect your privacy and you won't get spam. Ever. Just a weekly-ish newsletter about Linux and open source.

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Image of Mattias Geniar

Mattias Geniar, July 23, 2017

Follow me on Twitter as @mattiasgeniar

Welcome to cron.weekly issue #90 for Sunday, July 23rd, 2017.

A packed issue again, with news on containers, licensing, autonomous vehicles, nftables, mysql, … heck, there’s so much!


Apache foundation bans Facebook BSD+ patented projects

Some big news in licensing land: the Apache Foundation has added all projects that use the Facebook BSD+ license (and there are a ton!) to “category x“, making it illegal to use them in any Apache licensed project. It’s reason is written down as “The […] license includes a specification of a PATENTS file that passes along risk to downstream consumers of our software imbalanced in favor of the licensor, not the licensee, thereby violating our Apache legal policy“.

How Linux containers have evolved

Some nice history on where containers have come from and the iterations they’ve gone through to get where we are today.

Cybersecurity Humble Bundle

A new book bundle for a very low price, this time focussing on all things security.

Go’s work-stealing scheduler

This was a really fun read on task schedulers in general, and how Go implemented the work-stealing scheduler.

Apache httpd 2.2.15-60: underscores in hostnames are now blocked

A seemingly minor version bump in Apache had an unexpected side effect; it’s know following RFC’s more strictly and blocking (sub)domains with underscores in them. If you had those working before, this update will break them.

Terminal and shell performance

A really deep-dive post on the effects of latency in the terminal & shell, comparing different terminals (iTerm, hyper,, …) in response times. Lots of nitty gritty details.

The Inspiration Behind Open Source Project Harbor

In this post, the VMware team behind Harbor – a “enterprise” class Docker registry focussing on security, identity & replication – shares their thoughts on the why of starting an open source project. No technical details, all “soft” details like the people, the reasoning, choosing the name, …

Open Container Initiative Specifications are 1.0

Good news for standardized containers: the OCI (Open Container Initiative) has reached a formal agreement on what a “container” is, how it should be behave and how to interact with it. Now container services like Docker, Rocket, …. can all align their tooling.

Upgrading 2.000 Ubuntu servers in-memory

These guys upgraded their set of Ubuntu servers by first installing a minimal OS in memory, wiping their OS boot disk and reinstalling to disk from that memory OS, saving them lots of time.

Systemd vs. the Linux Kernel

Last issue mentioned a kernel mailing-list post about Linus “not trusting init to do the sane thing anymore”, referring to systemd. This post gives more background to why that is and explains why there’s such friction.

Tools & Projects

Datadog: all your infrastructure, in one place

Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial(Sponsored)

GoCD – open source continuous delivery server

GoCD is a continuous delivery tool specializing in advanced workflow modeling and dependency management. It lets you track a change from commit to deploy at a glance, providing superior visibility into your workflow. It’s open source, free to use and download(Sponsored)


kubicorn is a project that helps a user manage cloud infrastructure for Kubernetes. With kubicorn a user can create new clusters, modify and scale them, and take a snapshot of their cluster at any time.


Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.


A DHCP server backed by etcd.


This is an interesting project, especially for learning both strace & Go: it’s a Go implementation of Strace!


Apollo is an open autonomous driving platform. It is a high performance flexible architecture which supports fully autonomous driving capabilities.

Apache mod_md

From the same author as the Apache HTTP/2 module comes mod_md, a module for Apache httpd that adds support for Let’s Encrypt (and other ACME CAs).


A standard unix password manager. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.


Burrow is a monitoring companion for Apache Kafka that provides consumer lag checking as a service without the need for specifying thresholds.


Pelias is a modular open-source geocoder using ElasticSearch for fast geocoding.


Lumogon provides a way to inspect, analyze and report on your running Docker containers.

DNS Spy: paranoid about your DNS

Ever had to wait for a DNS change from a client? Worried someone might alter your own DNS records, even for just a few minutes? Or scared a colleague or client might make an unwanted DNS change? Fear no more, monitor your DNS like a pro with DNS Spy! (Sponsored)

Guides & Tutorials

An Introduction to the ss Command

The ‘netstat’ command has been deprecated for several years now, and replaced by ‘ss’. This guide gives you lots of clear examples for querying sockets, tcp ports. The biggest advantage – to me at least – is that ss is considerably faster than netstat, especially on high-throughput machines.

How to make Ubuntu backups using Duplicity and Google Cloud Storage

Another duplicity post, this time focussing on Google Cloud Storage as the endpoint to store your data.

Safely Creating And Using Temporary Files

Some good tips around temp files and using `mktemp` wherever possible.

nftables port knocking

Port knocking is a technique that’s been around for ages, where a closed port is dynamically opened if the user send packets in order to a predetermine series of ports. This guide explains how to do so in nftables.

mysqldump without table locks (MyISAM and InnoDB)

This one is useful when testing migrations or timing certain actions, these CLI flags to `mysqldump` will make sure there are no read/write locks on the data you’re backing up. The result might be inconsistent though, so for testing purposes only.

How to use a man page: Faster than a Google search

There’s so much info in man-pages, if you just remember to look there. This post gives a rundown of what manpages are, how to read them & parse the examples given in manpages.

Increase your Linux server Internet speed with TCP BBR congestion control

If your kernel supports it, this post gets you up and running with a new congestion control algorithm named TCP BBR. Google is already running this at production scale on their own Google Cloud Platform.

Containing System Services in Red Hat Enterprise Linux – Part 1

Two practical examples in this post; both named and dhcpd are being run in a Docker container on RHEL 7, explaining every step and using systemd’s machinectl along the way.

Enabling TCP Fast Open for NGINX on CentOS 7

TFO or TCP Fast Open is a method to send data in the initial SYN packet of a 3-way handshake, to reduce the time to set up a connection and start sending data faster. This post shows how this can be implemented on CentOS 7 & Nginx.

Alert, backup, whatever on DNS NOTIFY with nsnotifyd

This post includes several clever tricks to hook custom scripts when a master nameserver sends a NOTIFY to one of its slaves, requesting it to update its zone file.

Ask cron.weekly

These questions were asked on the cron.weekly forum and stand out or are in need of more eyes to find the answer. Go for it, join the discussions!

Deploying an Internal CA – looking for advice

Having your own Certificate Authority (CA) has lots of benefits, but there are a lot of cases to keep in mind. Should you separate CA’s for multiple purposes (building VMs, certificates, secret management)? How to make it highly available? Wouter, this post can use your opinion. 😉

Best E2E encrypted back up tool for Linux?

With so many tools out there, which is the best if you value security over anything else? There are already a lot of suggestions in here, you might find some of them valuable.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.