My very own blog-notes

Personal blog of a sysadmin with hacker leanings

Twitter & RSS watch compilation #2016-37

The harvest of links for the week of 12 to 16 September 2016. Most of them were published on my Twitter account. Here they are gathered together for those who may have missed them.

Happy reading

Security & Privacy

Files Your Webserver Shouldn’t Deliver
During penetration tests, we often find interesting files on web servers. Almost as often, those files enable us to carry out further attacks with much higher impact. Inspired by Chris Gate’s great series From Low to Pwned, we decided to share the following small piece.
data recovery
From time to time I need to recover data from disks. Reasons can be broken flash/hard disks as well as accidentally deleted files. Fortunately, this doesn’t happen too often, which on the downside means that I usually don’t remember the details about best practice.
The FBI’s Quiet Plan to Begin Mass Hacking
Senator Ron Wyden delivered a speech on the floor of the Senate on Thursday calling for passage of a bill that would annul new rules for judges. These rules will give the FBI authority to hack millions of people’s computers with a single search warrant, regardless of where the device is located.

System Engineering

Auto scaling Pinterest
At Pinterest, infrastructure efficiency is one of our top priorities. During peak hours, Requests Per Second (RPS) can be twice that of RPS during off-peak hours. In the past, we maintained a fixed number of instances in the fleet to serve during peak hours and ensure the fleet wouldn’t be under capacity. However, as RPS decreases during off-peak hours, most of our instances run under utilization. Since Pinterest is built on top of AWS, we decided to apply Amazon Auto Scaling to our service.
How to use pluggable isolation features in the rkt container engine
This video shows how to use rkt’s modular stage1 isolation mechanism to choose the process isolation model that makes the most sense for your application. By executing alternate stage1s, you can either expose more host resources to your application, or segment it away from your host further by running it inside of a rkt-managed virtual machine.
How to solve anything in VCL, part 1: collecting data at the edge
Our second annual customer summit was a great day of talks and workshops, and we heard from various brilliant speakers on the future of the edge, media 2.0, and clever tips for using Fastly’s Custom Varnish Configuration Language (VCL).
DHCPLB: An open source load balancer
Last year we talked about our production DHCP infrastructure and how we use ISC KEA in production to deploy a stateless and dynamic DHCP server across the fleet. At the time, we used a hash-based ECMP selection algorithm for our BGP anycast IP distribution.
Scalable and secure access with SSH
Consistent security controls and high reliability are common expectations for any systems administrator. How do you deliver both on a network with thousands of servers supporting thousands of engineers? Most off-the-shelf solutions require a compromise in at least one of these areas — and we refused to accept this.
DNSSEC vs. Elastic Load Balancers: the Zone Apex Problem
Federal websites are required to implement DNSSEC, which relies on knowing exactly what server is responding to a request. In Amazon Web Services (AWS), the problem of unreliable servers is solved by Elastic Load Balancing (ELB). An ELB containing one or more servers is presented to the world as a single hostname — say, usasearch-elb.ec2.aws.com — and requests are routed to individual servers in the ELB pool based on health and capacity. Hosts change without notice, at odds with standard DNSSEC implementations.

Monitoring

Monitoring Docker and Kubernetes at WayBlazer
Moving Docker into production is still as much art as it is science. We caught up with Kevin Kuhl and Kevin Cashman at WayBlazer to talk about monitoring Docker and Kubernetes, selecting the right metrics to focus on, deciding what to run with Kubernetes, and diagnosing the « domino effect » in a Kubernetes failover.
Introducing 411: A new open source framework for handling alerting
Back in 2014, Etsy started using the ELK (Elasticsearch, Logstash & Kibana) stack. We’ve previously written about how we use saved searches as a reactive security mechanism. When we made the transition to ELK, we noticed there was no way to automatically schedule searches and be notified on the results. Today, we’re introducing our open source solution to this problem: 411.
Using RIPE Atlas to Monitor Game Service Connectivity
We started using RIPE Atlas to monitor and improve the services to our customers. We liked it so much that we’re now a sponsor!
Monitoring Container Resource Usage with Metricbeat
Metricbeat is a new addition to the Beats lineup for the 5.0 release. It is a lightweight shipper for host and service metrics. Metricbeat is replacing Topbeat in the 5.0 release, and it incorporates all of the metrics provided by Topbeat plus many more.

Software Engineering

Deployment Pipeline using Docker, Jenkins, Java and Couchbase
This blog explains how to create a Deployment Pipeline using Jenkins and Docker for a Java application talking to a database.
Jenkins support the creation of pipelines. They are built with simple text scripts that use a Pipeline DSL (domain-specific language) based on the Groovy programming language.
Upgrading the Software Behind RIPE Labs
We are updating the technology behind RIPE Labs and www.ripe.net. If you are a frequent RIPE Labs editor, you will discover some great new features! At the same time, we also documented our experiences with upgrading to the new version to provide feedback to the Plone community. https://labs.ripe.net/Members/adam_castle/upgrading-the-cms-behind-ripe-labs

PHP

PHP 7 magic function call trampoline
This article will detail an optimization that’s been added to PHP 7 virtual machine executor (Zend VM). We’ll get back a minute into theoretical concepts about function call trampolines, then we’ll detail how those work into PHP 7. It is better - if you want to fully understand - to have a nice overview on how the Zend VM works. I suggest you follow this article which details the internals of PHP 5 VM. Here, we’ll talk about PHP 7. Although PHP 7 VM has been reworked, it barely works the same way as PHP 5’s; so understanding PHP 5’s VM is a huge step forward to understand PHP 7’s one.
PHP 7.1: a few bc-breaks and conclusion
To conclude this series of posts about PHP 7.1 I started two weeks ago, I will list a few points that could, especially if your code is a bit legacy, slow down upgrading.
PHP 7.1: the road towards PHP 7.2 and PHP 8.0
PHP 7.1 is only the second minor version of the PHP 7 branch, but some are already thinking about what’s next: the next minor release, PHP 7.2; and the next major version, what might become PHP 8.0.
PHP 7.1: a few other things
After a year of work, evolutions brought by PHP 7.1 are not limited to those I presented these past few days!
Here’s the rest of the list, grouping in this post pretty-much all remaining new features, even if they didn’t really catch my eye for now — but might still be of interest to some of you?
PHP 7.1: create a Closure from a callable
Traditionally, a callable is often handled, in PHP, as a string. For example, we can use the array_map() function, invoking the ‘trim’ callable on all items of an array.
PHP 7.1: better syntax, a more consistent language
A new version of PHP is always the right time to fix or enhance some syntax specific points, or to add some minor new features to the language. Here are some of the changes for PHP 7.1 that I noticed the most.

Databases Engineering

MySQL & MariaDB

Consul, ProxySQL and MySQL HA
When it comes to « decision time » about which type of MySQL HA (high-availability) solution to implement, and how to architect the solution, many questions come to mind.
ProxySQL and Percona XtraDB Cluster (Galera) Integration
In this post, we’ll discuss how an integrated ProxySQL and Percona XtraDB Cluster (Galera) helps manage node states and failovers.
ProxySQL is designed to not perform any specialized operation in relation to the servers with which it communicates. Instead, it uses an event scheduler to extend functionalities and cover any special needs.
MySQL CDC, Streaming Binary Logs and Asynchronous Triggers
In this post, we’ll look at MySQL CDC, streaming binary logs and asynchronous triggers.
MySQL Group Replication for MySQL 5.7.15
Hi all, it is time again to do another preview release of MySQL Group Replication, the plugin that brings multi-master update everywhere support to MySQL, like we described in the Hello World post.
We are very proud to present the eighth preview release of MySQL Group Replication plugin, based on MySQL Server 5.7.15. It introduces a couple of exciting features and several bug fixes. Please enjoy the highlights!
The MySQL 8.0.0 Milestone Release is available
The MySQL Development team is happy to announce our 8.0.0 development milestone release (DMR), now available for download at dev.mysql.com. The source code is available at GitHub. You can find the full list of changes and bug fixes in the 8.0.0 Release Notes. Here are the highlights. Enjoy!

Elasticsearch

The Great Query Refactoring: Thou shalt only parse once
When writing software, adding cool new features is of course always great fun. But sometimes it’s also important to work on internal changes in the code base that enable those shiny new additions in the future. For example, there were a number of cool new ideas for Elasticsearch floating around that were essentially blocked by the lack of having a good intermediate representation for search requests arriving through the REST layer, which prevented early query optimizations and delayed parsing to the shard level.

Vertica

Visual Guide to Data Loading with HPE Vertica
This blog provides excepts from our visual guide to loading data in HPE Vertica. For the full visual guide, see the attached PDF file.

Data Engineering & Analytics

Solving Real-Life Mysteries with Big Data and Apache Spark
Everyone loves a good real-life mystery. That’s why the three most popular TV shows of the 80s and 90s were Jack Palance’s reboot of Ripley’s Believe It or Not!, Unsolved Mysteries with Robert Stack, and Beyond Belief: Fact or Fiction hosted by Commander Riker. (Well…they were in my house, anyway.) At Cloudera, the highly-skilled support team has gotten good at cracking actual stranger-than-fiction cases like, « Why doesn’t this Kerberos ticket renew? » or, « Who deleted that table? »

Network Engineering

BBR opensourced
This is pretty big stuff for anyone who cares about TCP. Huge congrats to the team at Google.
IP Transparency and Direct Server Return with NGINX and NGINX Plus as Transparent Proxy
This blog post describes how to configure the open source NGINX software or NGINX Plus as a « transparent » proxy for traffic to upstream servers. It explains how you can use a transparent proxy to spoof the source IP address of packets to implement IP Transparency, and how you can implement a load‑balancing mode called Direct Server Return for UDP traffic.

Management & Organization

15 Open-Ended Questions for DevOps Interviews
Don’t turn your DevOps interview into a quiz. Instead, use open-ended questions to find people who are positive and happy, have a focus on self-improvement, possess gratitude, are humble, and are comfortable with extreme transparency. The following guidelines will help you hire just the person you’re looking for.