ops   7283

« earlier    

One Up Security - Research - Five Minute Guide to Software Security (Oct 12, 2017)
One Up Security provides world-class cyber security consulting services. We accelerate security practices in product life cycles through in depth security assessments and providing education.
bestpractices  security  ops 
14 hours ago by dberesford
'AWS Lambda cheatsheet' -- a quick ref card for Lambda users
aws  lambda  ops  serverless  reference  quick-references 
22 hours ago by jm
Posting successful SSH logins to Slack
Wouldn't it be nice if you could see a message in Slack each time a user connects to one of your machines over SSH? Yes it would!
ops  ssh 
3 days ago by hugowett
How to operate reliable AWS Lambda applications in production
running a reliable Lambda application in production requires you to still follow operational best practices. In this article I am including some recommendations, based on my experience with operations in general as well as working with AWS Lambda.
aws  cloud  lambda  ops  amazon 
4 days ago by jm
Zebras all the way down: The engineering challenges of the data path
New-to-me medical term: Zebra, which is a rare condition which may be mistaken for one or more common conditions.
ops  hardware  firmware  zerbra  monitoring  observability 
6 days ago by rcrowley
Dynamic Users with systemd
> TL;DR: you may now configure systemd to dynamically allocate a UNIX user ID for service processes when it starts them and release it when it stops them. It's pretty secure, mixes well with transient services,
socket activated services and service templating.

This is an enhancement in systemd 235 to the basic dynamic user concept that exists since version 232.
Dynamic users have per default limited access to the machine, i.e. "DynamicUser=yes implies ProtectSystem=strict. PrivateTmp=yes, RemoveIPC=yes and ProtectHome=read-only" which only allows them to write to /proc, /sys, /tmp and /var/tmp and IPC Objects of the service (shared memory, message queues, semaphores) are removed after it exits.

The new thing in systemd 235 is that dynamic user services can now have persistent data:

> With systemd 235 this limitation is removed: there are now three new settings: StateDirectory=, LogsDirectory= and CacheDirectory=.
> In many ways they operate like RuntimeDirectory=, but create sub-directories below /var/lib, /var/log and /var/cache, respectively.
> There's one major difference beyond that however: directories created that way are persistent, they will survive the run-time cycle of a service, and thus may be used to store data that is supposed to stay around between invocations of the service.

This is how changing UIDs on subsequent service starts are handled:

> On the second invocation the directory — and all the files and directories below it — will still be owned by the original UID X so how could the second instance running as Y access it?
> Our way out is simple: systemd will recursively change the ownership of the directory and everything contained within it to UID Y before invoking the service's executable.

Dynamic UIDs are generated from hashed service names, i.e. they are unlikely don't change if the service name is stable. In addition, this means that recusively chown'ing the services' persistent data directories is often unnecessary.

On important note:

> Service that need to write to files outside of /run/<package>, /var/lib/<package>, /var/cache/<package>, /var/log/<package>, /var/tmp, /tmp, /dev/shm are generally incompatible with this scheme.
systemd  systems  ops 
6 days ago by klingt.net
IP Accounting and Access Lists with systemd
Systemd 235 introduces two new directives, that are `IPAccounting=bool` which enables traffic (packets/bytes) summaries for a service and `IPAddress{Allow,Deny}=<netmask/address/...>` to allow/deny access of certain addresses or address ranges.

I also learned about `systemd-run` in this article to start transient services, e.g. to experiment with service properties like
`systemd-run -p IPAccounting=yes --wait wget https://cfp.all-systems-go.io/en/ASG2017/public/schedule/2.pdf` that starts wget as a systemd service and shows on exit the accounted network traffic.
systemd  systems  ops 
6 days ago by klingt.net
RequestBin gives you a URL that will collect HTTP requests made to it and let you inspect them in a human-friendly way.
http  testing  ops 
7 days ago by redoPop

« earlier    

related tags

#!  2  2016  2017  2read  4k  admin  ahead  alb  amazon  app  architecture  article  availability  aws  backups  bestpractices  black  bug  change  chef  chef_basics  client  clients  cloud  cod  computer  configuration  consul  culture  database  datacenter  db  dev  developer  development  devops  distsys  ec2  elasticsearch  elb  elixir  example  firmware  future  gimlet  git  golang  graphite  gui  hardware  health  history  home-server  hosting  how-to  howto  http  incidents  ip  java  java_ops  json  kafka  kandi  kfc  kubernetes  lambda  lbs  line  linux  load-balancing  logs  metrics  migration  mobile  monitoring  mosh  mttr  mysql  networking  nix  nlb  ntp  observability  online  openstack  operations  opinto-opas  opsline/product  orchestration  order  osx  oy  packaging  panera  perf  performance  personality  pit  postgres  postgresql  postmortem  privacy  programming  psi  puppet  queue  quick-references  reference  releng  reliability  reports  research  resilience  responsibilities  restore  rrd  ruby  s3  scripts  security  serverless  service-discovery  service  shebang  social  software  sre  ssh  stackexchange  stackoverflow  statistics  surprise  sysadmin  systemd  systems  tcp  testing  time.series.databases  tol  tool  tools  training  troubleshooting  udacity  university  unix  versioning  web-security  web  windows  zerbra 

Copy this bookmark: