Welcome to cron.weekly issue #90 for Sunday, July 23rd, 2017.

A packed issue again, with news on containers, licensing, autonomous vehicles, nftables, mysql, … heck, there’s so much!

News

Some big news in licensing land: the Apache Foundation has added all projects that use the Facebook BSD+ license (and there are a ton!) to “category x“, making it illegal to use them in any Apache licensed project. It’s reason is written down as “The […] license includes a specification of a PATENTS file that passes along risk to downstream consumers of our software imbalanced in favor of the licensor, not the licensee, thereby violating our Apache legal policy“.

Some nice history on where containers have come from and the iterations they’ve gone through to get where we are today.

A new book bundle for a very low price, this time focussing on all things security.

This was a really fun read on task schedulers in general, and how Go implemented the work-stealing scheduler.

A seemingly minor version bump in Apache had an unexpected side effect; it’s know following RFC’s more strictly and blocking (sub)domains with underscores in them. If you had those working before, this update will break them.

A really deep-dive post on the effects of latency in the terminal & shell, comparing different terminals (iTerm, hyper, terminal.app, …) in response times. Lots of nitty gritty details.

In this post, the VMware team behind Harbor – a “enterprise” class Docker registry focussing on security, identity & replication – shares their thoughts on the why of starting an open source project. No technical details, all “soft” details like the people, the reasoning, choosing the name, …

Good news for standardized containers: the OCI (Open Container Initiative) has reached a formal agreement on what a “container” is, how it should be behave and how to interact with it. Now container services like Docker, Rocket, …. can all align their tooling.

These guys upgraded their set of Ubuntu servers by first installing a minimal OS in memory, wiping their OS boot disk and reinstalling to disk from that memory OS, saving them lots of time.

Last issue mentioned a kernel mailing-list post about Linus “not trusting init to do the sane thing anymore”, referring to systemd. This post gives more background to why that is and explains why there’s such friction.

Track & alert on the health and performance of every server, container, and app in any environment, with Datadog. Sign up for a free 14-day trial. (Sponsored)

GoCD is a continuous delivery tool specializing in advanced workflow modeling and dependency management. It lets you track a change from commit to deploy at a glance, providing superior visibility into your workflow. It’s open source, free to use and download. (Sponsored)

kubicorn is a project that helps a user manage cloud infrastructure for Kubernetes. With kubicorn a user can create new clusters, modify and scale them, and take a snapshot of their cluster at any time.

Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the openssl s_client command line.

A DHCP server backed by etcd.

This is an interesting project, especially for learning both strace & Go: it’s a Go implementation of Strace!

Apollo is an open autonomous driving platform. It is a high performance flexible architecture which supports fully autonomous driving capabilities.

From the same author as the Apache HTTP/2 module comes mod_md, a module for Apache httpd that adds support for Let’s Encrypt (and other ACME CAs).

A standard unix password manager. With pass, each password lives inside of a gpg encrypted file whose filename is the title of the website or resource that requires the password.

Burrow is a monitoring companion for Apache Kafka that provides consumer lag checking as a service without the need for specifying thresholds.

Pelias is a modular open-source geocoder using ElasticSearch for fast geocoding.

Lumogon provides a way to inspect, analyze and report on your running Docker containers.

Ever had to wait for a DNS change from a client? Worried someone might alter your own DNS records, even for just a few minutes? Or scared a colleague or client might make an unwanted DNS change? Fear no more, monitor your DNS like a pro with DNS Spy! (Sponsored)

Guides & Tutorials

The ‘netstat’ command has been deprecated for several years now, and replaced by ‘ss’. This guide gives you lots of clear examples for querying sockets, tcp ports. The biggest advantage – to me at least – is that ss is considerably faster than netstat, especially on high-throughput machines.

Another duplicity post, this time focussing on Google Cloud Storage as the endpoint to store your data.

Some good tips around temp files and using `mktemp` wherever possible.

Port knocking is a technique that’s been around for ages, where a closed port is dynamically opened if the user send packets in order to a predetermine series of ports. This guide explains how to do so in nftables.

This one is useful when testing migrations or timing certain actions, these CLI flags to `mysqldump` will make sure there are no read/write locks on the data you’re backing up. The result might be inconsistent though, so for testing purposes only.

There’s so much info in man-pages, if you just remember to look there. This post gives a rundown of what manpages are, how to read them & parse the examples given in manpages.

If your kernel supports it, this post gets you up and running with a new congestion control algorithm named TCP BBR. Google is already running this at production scale on their own Google Cloud Platform.

Two practical examples in this post; both named and dhcpd are being run in a Docker container on RHEL 7, explaining every step and using systemd’s machinectl along the way.

TFO or TCP Fast Open is a method to send data in the initial SYN packet of a 3-way handshake, to reduce the time to set up a connection and start sending data faster. This post shows how this can be implemented on CentOS 7 & Nginx.

This post includes several clever tricks to hook custom scripts when a master nameserver sends a NOTIFY to one of its slaves, requesting it to update its zone file.

Ask cron.weekly

These questions were asked on the cron.weekly forum and stand out or are in need of more eyes to find the answer. Go for it, join the discussions!

Having your own Certificate Authority (CA) has lots of benefits, but there are a lot of cases to keep in mind. Should you separate CA’s for multiple purposes (building VMs, certificates, secret management)? How to make it highly available? Wouter, this post can use your opinion. 😉

With so many tools out there, which is the best if you value security over anything else? There are already a lot of suggestions in here, you might find some of them valuable.