Mon blog-notes à moi que j'ai

Personal blog of a sysadmin with a hacker bent

Twitter & RSS watch compilation #2016-50

The harvest of links for the week of 12 to 16 December 2016. Most of them were published on my Twitter account. Here they are gathered together for those who may have missed them.

Happy reading

Security & Privacy

The anatomy of an IoT botnet attack
The Fastly security team is focused on leveraging our network intelligence to proactively defend the modern web. We took a look at some of the more recent (and troubling) threats on the internet, and found that the emerging IoT market is under attack. Internet-connected devices are being churned out of factories and infected by malware, or malicious code, at an alarming rate. Armies of compromised IoT devices immediately try to enroll new devices, join a botnet, and participate in large-scale DDoS attacks. As a result, we’ve recently seen some of the biggest DDoS attacks in history against journalist Brian Krebs and Dyn, launched by a massive IoT botnet of hundreds of thousands of infected devices.
Secure Desktops with Qubes: Extra Protection
This article is the fourth in my series about the Qubes operating system, a security-focused Linux distribution that compartmentalizes your common desktop tasks into individual VMs. In the previous articles, I gave a general introduction to Qubes, walked through the installation process and discussed how I personally organize my own work into different appVMs. If you haven’t read those earlier articles, I suggest you do so before diving in here. In this article, I focus on some of the more advanced security features in Qubes, including split-GPG, the usbVM and how I control where URLs open.
Privacy by design, not such a good idea
Plotted, profiled, monetized: this sums up the current situation regarding our Internet activity. The ‘free’ template has been the norm on the Internet for a few years now. Even if the services proposed by large companies such as Google and Facebook are known for offering free-seeming services, their business model is excessively profitable.
security things in Linux v4.9
Previously: v4.8.
Here are a bunch of security things I’m excited about in the newly released Linux v4.9:

System Engineering

Using Kubernetes for Deployments
Let’s learn how to set up continuous deployment to Kubernetes for your Docker apps. Specifically, we’re going to look at automating the management, deployment, and scaling of your containerized applications.
Introducing rkt’s ability to automatically detect privilege escalation attacks on containers
Intel’s Clear Containers technology allows admins to benefit from the ease of container-based deployment without giving up the security of virtualization. For more than a year, rkt’s KVM stage1 has supported VM-based container isolation, but we can build more advanced security features atop it. Using introspection technology, we can automatically detect a wide range of privilege escalation attacks on containers and provide appropriate remediation, making it significantly more difficult for attackers to make a single compromised container the beachhead for an infrastructure-wide assault.
Kubernetes from scratch
In this article, we will build a Kubernetes cluster step by step, installing and configuring each component ourselves, without going through an all-in-one cloud provider (such as GKE or AWS) or an installation script (kube-aws, kops or other). Among other things, this lets us dig into how each Kubernetes resource works in order to better understand its mechanisms.
Containers to Clusters: Advancing Kubernetes, etcd, and more at CoreOS
At Tectonic Summit on Monday, we discussed the core premise of CoreOS: securing the internet and applying operational knowledge into software. We shared how CoreOS makes infrastructure run well and update itself automatically, from Container Linux by CoreOS, to CoreOS Tectonic – what we refer to as self-driving infrastructure.
What Kubernetes users should know about the rkt container engine
Since the release of rkt 1.0 at the beginning of this year, the project has powered ahead with over 20 new stable versions on a regular release cycle. The goal of rkt has always been to provide a container engine that is not only reliable but also composable and standards-driven, allowing easy operation and integration with other best-in-class tools in the container ecosystem. Today we wanted to provide an update on the ongoing work to integrate rkt with two such projects - the Kubernetes cluster orchestration system, and the Open Container Initiative (OCI) container standards - and chart the course for rkt’s future in the year ahead.

Monitoring

MTTD and MTTR Are Key
Mean Time To Detect (MTTD) and Mean Time To Restore (MTTR) are metrics used to describe how long it takes to discover a problem and how long it takes you to restore service relative to the start of the outage. The shorter the MTTR, the less time spent in outage and the more availability your site retains. Given that services will inevitably break at some point (Every Day is Monday in Operations), we need to be adept at restoring service as soon as possible. The service triage and restoration lifecycle is made up of several steps: detection (requiring monitoring/alerting), escalation, debugging, and remediation. Each segment of the triage needs to be measured for efficiency and effectiveness in order to keep MTTR as short as possible.
Inception: How LinkedIn Deals with Exception Logs
In early 2012, the LinkedIn Performance team was trying to build a tool to validate the health of a service after code changes (a project that led us to build EKG, our canary-monitoring system). I was assigned to look into ways to use logs to analyze a service’s health. Back then, we had a script that copied log files from different machines, ran regular expressions over them, and then provided log reports. That system worked great at the time. However, LinkedIn was growing at a very rapid rate and the script was running into scaling issues.

Software Engineering

Adding integration tests to your personal CI server
In the previous article I stepped you through the process of building a basic personal CI server with Jenkins. We got to a point where we could build a Java Web application with Gradle and deploy it to WildFly. For those that are impatient, the exported VirtualBox image with Jenkins configured using these steps is available here. The username and password combination for Linux, Jenkins and WildFly is myci and password.
Common Mistakes in Automation Testing
I deal with lots of users who use Automation Tools to test their systems every day. I interact with them for technical support, for training and consulting services. I have seen certain mistakes that are repeated more often than others. Here is a list of some of the Common Mistakes in Automation Testing.
Sanity checking your feature branches with a personal CI server
In the previous article I stepped you through the process of building a basic personal CI server with Jenkins. We got to a point where we could build a Java Web application with Gradle and deploy it to WildFly. For those that are impatient, the exported VirtualBox image with Jenkins configured using these steps is available here. The username and password combination for Linux, Jenkins and WildFly is myci and password.
Using best practices within the scope of automation
Introduced over the last decade and a half, automated testing has gone through many changes. The enterprise test management industry has introduced new tools, open source tools are more accessible, while quality in innovation and advancements continues to influence the market. The popularity of automated testing has even encouraged automation providers to contribute several pre-formatted frameworks designed to circumvent the requirement for in depth scripting knowledge. Industry seems to foresee a long-term relationship with automated testing.
Supporting feature branch deployments in your personal CI server
In the previous article I stepped you through the process of building a basic personal CI server with Jenkins. We got to a point where we could build a Java Web application with Gradle and deploy it to WildFly. For those that are impatient, the exported VirtualBox image with Jenkins configured using these steps is available here. The username and password combination for Linux, Jenkins and WildFly is myci and password.
How to build your own personal Jenkins CI server
In a previous article I discussed some of the benefits of running a personal CI server.

Web performance

Introducing SpeedTracker
As several reports show, it’s possible to correlate poor-performing websites with losses in engagement and revenue, so keeping a close eye on performance is of utmost importance for projects and businesses of all sizes.

Database Engineering

MySQL & MariaDB

Row Store and Column Store Databases
In this blog post, we’ll discuss the differences between row store and column store databases.
Clients often ask us if they should or could be using columnar databases. For some applications, a columnar database is a great choice; for others, you should stick with the tried and true row-based option.
MySQL InnoDB Cluster – A Hands on Tutorial
Traditionally, setting up high availability (HA) in MySQL has been a challenging task, especially for people without advanced knowledge of MySQL. From understanding concepts and technologies, to the tooling, specific commands and files to execute and edit, there’s a lot of things you need to know even when planning a test deployment (the Quick Start Guide for Group Replication should give you an idea). So many people end up procrastinating setting up HA until disaster strikes and downtime happens.

Data Engineering & Analytics

Naive Bayes Classification explained with Python code
Machine Learning is a vast area of Computer Science that is concerned with designing algorithms which form good models of the world around us (the data coming from the world around us).

Network Engineering

Preparing for the 2016 Leap Second
On 31 December this year, we’re scheduled for another leap second. There are many stories about what leap seconds can do to infrastructure and applications, and rituals are built up around them. Such rituals stem from reality: leap seconds trigger poorly-tested code paths and run contrary to assumptions that system time always runs in one direction. It’s useful to be aware of how your infrastructure handles leap seconds and how NTP servers handle them, so you can plan around the event. Here, we look at some of the NTP measurements the RIPE Atlas platform took around the last leap second, and approaches for handling them.

Management & Organization

Trained Engineers - Overnight Managers (or, The Art Of Not Destroying Your Company)
It has been said that managers shouldn’t be appointed randomly. The right people should be thoughtfully selected, should know that they’re changing their career path rather than being promoted, and should not be transitioned into management too early.