Klaus

RDBMS containers

 Fri, 28 Jul 2017 13:04:28 +0200 last edited: Fri, 28 Jul 2017 16:55:45 +0200  
#^RDBMS Containers » ADMIN Magazine
If you spend very much of your time pushing containerized services from server to server, you might be asking yourself: Why not databases, as well? We describe the status quo for RDBMS containers.
Klaus

Orpheus' Lyre

 Thu, 13 Jul 2017 16:11:58 +0200 
Was debugging some #Kerberos error messages in M$ Active Directory this morning. What a nice coincidence to find Orpheus' Lyre website just now.

#^Orpheus' Lyre

On Tuesday, 11 July 2017, at 1PM New York time, Microsoft, and various Linux distros and BSDs, released patches for Orpheus' Lyre.

We will be updating this blog post with more details as time passes. This vulnerability is quite serious, and we wish to give users a chance to apply patches before we discuss the full scope of the vulnerability. We urge users to apply and deploy patches forthwith and without delay.

In Greek mythology, Orpheus was a bard who put Cerberus to sleep with his music, and was then able to bypass Hades' guard. This vulnerability defeats Kerberos in a critical way permitting a bypass of mutual authentication. Thus we name it after Orpheus' Lyre much as Kerberos is named after Cerberus.


It's not actually a broken protocol, but it's all too easy to make subtle but disastrous implementation mistakes. Orpheus' Lyre is a serious vulnerability in some implementations of the Kerberos protocol.
MIT implemented it correctly, all others failed? Quite interesting. ;-)

#SSO
Klaus

LPIC-OT

 Fri, 07 Jul 2017 23:17:18 +0200 
There will be beta-exams for the new LPIC-OT at FrOSCon in August. Looking at the objectives for this new exam it contains a lot of what I have done recently.

#^DevOps Tools Engineer
DevOps is one of the most in-demand skills in open source today.  In order to meet this need with verified skills LPI, an established authority in Linux Administration, is developing the DevOps Tools Engineer certification.  These additional certified competencies strengthen the portfolio of today’s IT professionals.

As more and more companies introduce DevOps methodologies to their workflows; skills in using tools which support the collaboration model of DevOps become increasingly important. LPIC-OT DevOps Tools Engineers will be able to efficiently implement a workflow and to optimize their daily administration and development tasks.

This certification will be released in autumn 2017 and will test proficiency in the most relevant free and open source tools used to implement the DevOps collaboration model, like for example configuration automation or container virtualization.

The new certification is created according to LPI's community-based certification development process. This process relies heavily on involvement by the IT community.
Klaus

A Step-By-Step Guide on How to Be a Little Evil

 Fri, 07 Jul 2017 18:21:53 +0200 
Nice introduction video for every M$ Windows user! But don't tell your domain administrators. ;-)

#^From User to Domain Admin: A Step-By-Step Guide on How to Be a Little Evil
by BeyondTrust on Vimeo
Klaus

Let’s Encrypt limits

 Tue, 04 Jul 2017 14:37:53 +0200 
#^Keychest

Let's Encrypt is now the largest certificate provider for internet facing servers (combining a Frost&Sullivan report on SSL/TLS certificates from 2016 and actual data from Let's Encrypt, LE currently issues around 80% of all browser-trusted certificates). It does not issue the "most secure" certificates (i.e., EV, or extended validation certificates, which require manual validation of the address and legal status of the web service owner), but its certificates provide a very good level of security for most of us.

When we started using Let's Encrypt (LE), we slowly learnt about various limitations imposed on users. There is no single place where you can find all the important information, so here's the first attempt. We will amend it as we learn more directly, or from your feedback.
Klaus

Deep Dive into Capabilities

 Sun, 25 Jun 2017 22:57:10 +0200 
Secure Your Containers with this One Weird Trick
Did you know there is an option to drop Linux capabilities in Docker? Using the docker run --cap-drop option, you can lock down root in a container so that it has limited access within the container. Sadly, almost no one ever tightens the security on a container or anywhere else.
Klaus

monitor the progress of data through a pipe

 Thu, 22 Jun 2017 23:48:49 +0200 
This is a really nice tool; I didn't know something like that existed. How many times I was wondering what the progress of loading an SQL dump was.

man pv
pv shows the progress of data through a pipeline by giving information such as time elapsed, percentage completed (with progress bar), current throughput rate, total data transferred, and ETA.
To use it, insert it in a pipeline between two processes, with the appropriate options.  Its standard input will be passed through to its standard output and progress will be shown on standard error.
Klaus

under-documented

 Tue, 16 May 2017 15:01:11 +0200 
#^Understanding Firewalld in Multi-Zone Configurations | Linux Journal
Linux firewalls are handled by netfilter, which is a kernel-level framework. For more than a decade, iptables has provided the userland abstraction layer for netfilter. iptables subjects packets to a gauntlet of rules, and if the IP/port/protocol combination of the rule matches the packet, the rule is applied causing the packet to be accepted, rejected or dropped.

Firewalld is a newer userland abstraction layer for netfilter. Unfortunately, its power and flexibility are underappreciated due to a lack of documentation describing multi-zoned configurations. This article provides examples to remedy this situation.
Klaus

TZ

 Fri, 03 Mar 2017 11:58:37 +0100 
#^How setting the TZ environment variable avoids thousands of system calls
TL;DR This blog post explains how setting an environment variable can save thousands (or in some cases, tens of thousands) of unnecessary system calls that can be generated by glibc over small periods of time. This has been tested on Ubuntu Precise (12.04) and Ubuntu Xenial (16.04). It likely applies to other flavors of Linux, as well. It is very easy to test if this applies to you and to correct it, if so. Keep reading for more details!

To avoid extra system calls on server processes where you won’t be updating the timezone (or can restart processes when you do) simply set the TZ environment variable to :/etc/localtime (or some other timezone file of your choice) for a process. This will cause glibc to avoid making extra (and unnecessary) system calls.
Klaus

recovery not backup

 Wed, 01 Feb 2017 10:50:49 +0100 
:sigh

#^GitLab.com Database Incident - 2017/01/31
This incident affected the database (including issues and merge requests) but not the git repos (repositories and wikis). So in other words, out of 5 backup/replication techniques deployed none are working reliably or set up in the first place.
Klaus

Business Process module

 Fri, 27 Jan 2017 18:01:25 +0100 
There is a lot of progress compared to the old BPM.

Business Process module v2.0.0 released
Want to visualize part of your IT infrastructure in a hierarchical way? Do you know the Business Impact of single services? What would happen in case you power down a specific server? Would it have any influence on your most important services? If yes, which applications would have been affected? This is what the Icinga Business Process module has been built for.

Define as many processes nested as deep as you want: each node can calculate its own state based on a given logical operator. Show them as a tree or using the tile renderer. Discover the business impact of your components, simulate state changes and deploy Icinga Service Checks and Notifications. Start to monitor whole processes instead of single services.
Klaus
 Wed, 25 Jan 2017 23:38:05 +0100 
No idea how this works or how it is protected, but looks like a fun tool when you have to kill time.

#^firehol/netdata
Get control of your servers. Simple. Effective. Awesome. #^https://my-netdata.io/
Klaus

Director to the rescue

 Tue, 24 Jan 2017 18:29:39 +0100 
Exceptions prove the rule, Director to the rescue
Two and a half months have gone by since version 1.2.0. Yesterday we tagged the latest release: version 1.3.0. As we all know, Director is a fantastic tool for automation, being the glue between your various data sources and your monitoring. But in the rough real world not all the things are always automated. Therefore, this release puts focus on managing all those “little exemptions” many of you are facing in their daily work within semi-automated environments.
Klaus

Updating infrastructure

 Mon, 16 Jan 2017 16:46:30 +0100 
What happened with the response time of this #Piwik installation? Too bad I will never know.
Is it #Docker? (It was not containerized before)
Is it #MariaDB? (It was MySQL before)
Is it #PHP7? (It was PHP5.6 before)
Is it #Nginx reverse proxy? (There was no additional reverse proxy before)


The new host has just 2 virtual cores instead of 4 before and 3GB virtual RAM instead of 6GB before. It runs on the same virtual environment. The base system was CentOS6, now it is a SIG of CentOS7 Atomic Host.

#ProjectAtomic
Klaus

PHP5 EOL

 Mon, 02 Jan 2017 12:20:50 +0100 
This looks good.

#^End of support for PHP 5 | heise online

Support schedule for PHP
Klaus

Bro

 Fri, 30 Dec 2016 11:42:34 +0100 
#^Bro Security Monitoring » ADMIN Magazine
The Bro security framework takes a new approach to security monitoring, with the emphasis on trends and long-term analysis.
Bro is a high-quality security monitoring tool designed to discover and analyze traffic trends on your network. Bro provides in-depth analysis of network traffic without limiting itself to traditional signature-based approaches.

#ELK
Klaus

Cuckoo

 Thu, 29 Dec 2016 09:35:10 +0100 
#^Automated Malware Analysis - Cuckoo Sandbox
What is it? In three words, Cuckoo Sandbox is a malware analysis system.

In other words, you can throw any suspicious file at it and in a matter of seconds Cuckoo will provide you back some detailed results outlining what such a file did when executed inside an isolated environment.

Malware is the swiss-army knife of cybercriminals and any other adversary to your corporation or organization.

In these evolving times, detecting and removing malware artifacts is not enough: it's vitally important to understand how they operate in order to understand the context, the motivations and the goals of a breach, for better protecting in the future.

Cuckoo Sandbox is free software that automates the task of analyzing any malicious file under Windows, OS X, Linux, and Android.
Klaus

centreon-plugins

 Wed, 21 Dec 2016 15:44:46 +0100 
What a nice collection of monitoring plugins! Setting up a Centreon Monitoring system was my final practical task during my apprenticeship. After switching to Icinga some years later, I unfortunately lost sight of these plugins.

#^centreon/centreon-plugins
centreon-plugins - Collection of plugins for softwares compatible with Nagios plugins

“centreon-plugins” is a free and open source project to monitor systems. The project can be used with Centreon and all monitoring softwares compatible with Nagios plugins.
Klaus
 Mon, 19 Dec 2016 11:10:32 +0100 
Oracle has even less of a sense of humour about licenses than Micro$oft. This is going to be fun.

#^Java SE: Oracle allegedly wants to cash in

According to a report, Oracle has begun to demand license fees for the use of Java SE. The free Java SE download contains components whose use may be subject to licensing and fees.
Klaus
 Bonn, Germany  Fri, 16 Dec 2016 23:26:06 +0100 
Formerly Galileo Press, I have several books from them. The location at the Bonner Bogen is also pretty cool. If anyone is looking for something right now, this sounds quite interesting. There are other open positions as well.

#^Rheinwerk – The publisher for IT, design and photography
Rheinwerk is Germany's leading specialist publisher for computing, design and photography topics. We rely on an open corporate culture, high product quality and a communicative customer relationship. We currently offer the following positions:
System administrator with a focus on Linux (f/m)
Responsibilities:
You will strengthen our IT team in the installation, configuration and administration of our central IT services as well as their monitoring and optimization in operation. In addition, you will be a competent contact for colleagues with technical problems in 1st- and 2nd-level support and will work closely with our software development in an agile environment.