Linus Torvalds Invites Attackers to Join the Ke… » Linux Magazine

Torvalds is not a huge fan of the ‘security community’ as he doesn’t see it as black and white. He maintains that bugs are part of the software development process and they cannot be avoided, no matter how hard you try. “constant absolute security does not exist, even if we do a perfect job,” said Torvalds in a conversation with Jim Zemlin, the executive director of the Linux Foundation.

“As a technical person, I’m always very impressed by some of the people who are attacking our code,” Torvalds said. “I get the feeling that these smart people are doing really bad things that I wish they were on our side because they are so smart and they could help us.”

Source: Linus Torvalds Invites Attackers to Join the Ke… » Linux Magazine

[SCRIBBLE] Tinkering with Kubernetes and AWS [WIP]

This is a scribble post (a WIP/incomplete post), so read it with the understanding that it will have gaps or holes in the knowledge.


This article just goes through my tinkering with Kubernetes on AWS.

Create a new S3 bucket to store the state of your Kubernetes clusters

aws s3 mb s3://k8sstate --region eu-west-2

Verify

aws s3 ls

Create a Route 53 hosted zone. I’m creating k8stest.blenderfox.uk

aws route53 create-hosted-zone --name k8stest.blenderfox.uk \
--caller-reference $(uuidgen)

Use dig to query the nameservers for the hosted zone you created:

dig NS k8stest.blenderfox.uk

If your resolver already sees the DNS delegation for the hosted zone, you’ll see the nameservers in the output:

;; QUESTION SECTION:
;k8stest.blenderfox.uk.     IN  NS

;; ANSWER SECTION:
k8stest.blenderfox.uk. 172800 IN NS ns-1353.awsdns-41.org.
k8stest.blenderfox.uk. 172800 IN NS ns-1816.awsdns-35.co.uk.
k8stest.blenderfox.uk. 172800 IN NS ns-404.awsdns-50.com.
k8stest.blenderfox.uk. 172800 IN NS ns-644.awsdns-16.net.

If your resolver isn’t set up to resolve via the AWS DNS servers (like mine), you’ll get this instead:

;; QUESTION SECTION:
;k8stest.blenderfox.uk. IN NS

;; AUTHORITY SECTION:
uk. 603 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403374706 7200 900 2419200 603

This means you need to do a bit of DNS hacking to get this to work. The quick and dirty method is to add one of the AWS DNS hosts to your /etc/resolv.conf file.

Query one of the AWS DNS servers directly with dig and see if that resolves properly:

dig @ns-1816.awsdns-35.co.uk NS k8stest.blenderfox.uk

If it does, look for a line like this near the end of the output:

SERVER: 205.251.199.24#53(205.251.199.24)

Add that IP as a nameserver in /etc/resolv.conf (make sure you’re root or sudo’ed up):

# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 205.251.199.24
nameserver 127.0.1.1

Now dig the nameservers again and confirm the query returns them correctly:

dig NS k8stest.blenderfox.uk

If that works, we can continue.
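The two dig queries above (one via your local resolver, one directly against an AWS nameserver) are the actual check: kops only needs the local resolver to return the same NS delegation that the authoritative server returns. The script below is an added example, not part of the original post, that performs that comparison on captured dig output so it runs offline; the dig outputs embedded in it are constructed samples copied from the outputs shown above, and ZONE, extract_ns and delegation_ok are names chosen for this example. In real use, feed it the output of dig NS against the zone and dig @<aws-nameserver> NS against the zone, which keeps the whole comparison on the command line without touching /etc/resolv.conf first.

```shell
#!/bin/sh
# Added example (not from the original post): compare the NS delegation the
# local resolver returns for a hosted zone with the delegation an AWS
# authoritative server returns, before deciding whether the resolv.conf
# hack is needed. All dig outputs below are constructed samples.

ZONE=k8stest.blenderfox.uk   # hosted zone from the post; assumption for the example

# Print the NS targets for zone $1 found in dig output read on stdin, sorted.
# ";; ..." comment lines and the ";zone. IN NS" question line never match,
# because their first field is not exactly "<zone>." with IN NS following.
extract_ns() {
    awk -v zone="$1." '$1 == zone && $3 == "IN" && $4 == "NS" { print $5 }' | sort
}

# Exit 0 only when the authoritative answer is non-empty and the local
# resolver's answer lists exactly the same nameservers (order-insensitive).
# $1 = dig output via local resolver, $2 = dig output via AWS server, $3 = zone
delegation_ok() {
    local_ns=$(printf '%s\n' "$1" | extract_ns "$3")
    auth_ns=$(printf '%s\n' "$2" | extract_ns "$3")
    [ -n "$auth_ns" ] && [ "$local_ns" = "$auth_ns" ]
}

# Constructed sample: answer from the AWS authoritative nameserver.
AUTH_OUT=';; QUESTION SECTION:
;k8stest.blenderfox.uk.     IN  NS

;; ANSWER SECTION:
k8stest.blenderfox.uk. 172800 IN NS ns-1353.awsdns-41.org.
k8stest.blenderfox.uk. 172800 IN NS ns-1816.awsdns-35.co.uk.
k8stest.blenderfox.uk. 172800 IN NS ns-404.awsdns-50.com.
k8stest.blenderfox.uk. 172800 IN NS ns-644.awsdns-16.net.'

# Constructed sample: a local resolver that has not picked up the delegation
# (only the parent SOA comes back, as in the failing case above).
LOCAL_MISSING=';; QUESTION SECTION:
;k8stest.blenderfox.uk. IN NS

;; AUTHORITY SECTION:
uk. 603 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403374706 7200 900 2419200 603'

# Constructed sample: a local resolver that does see the delegation, with the
# records in a different order than the authoritative answer.
LOCAL_OK=';; ANSWER SECTION:
k8stest.blenderfox.uk. 172800 IN NS ns-644.awsdns-16.net.
k8stest.blenderfox.uk. 172800 IN NS ns-404.awsdns-50.com.
k8stest.blenderfox.uk. 172800 IN NS ns-1816.awsdns-35.co.uk.
k8stest.blenderfox.uk. 172800 IN NS ns-1353.awsdns-41.org.'

# Usage: report the failing case, which is the one that makes kops error out.
if delegation_ok "$LOCAL_MISSING" "$AUTH_OUT" "$ZONE"; then
    echo "local resolver sees the delegation for $ZONE"
else
    echo "local resolver does NOT see the delegation for $ZONE; kops DNS lookups will fail"
fi
```

The order-insensitive comparison matters because resolvers routinely rotate the order of NS records, so a plain text diff of the two dig outputs would report a spurious mismatch.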

First, export your AWS credentials as environment variables (I’ve found Kubernetes doesn’t reliably pick up the credentials from the AWS CLI, especially if you have multiple profiles):

export AWS_ACCESS_KEY_ID='your key here'
export AWS_SECRET_ACCESS_KEY='your secret access key here'

You can also put these in a bash script and source it.

Create the cluster using kops. Note that the master zones must have an odd count (1, 3, etc.); since eu-west-2 only has two zones (a and b), I can only use one master zone here:

kops create cluster --cloud aws --name cluster.k8stest.blenderfox.uk \
--state s3://k8sstate --node-count 3 --zones eu-west-2a,eu-west-2b \
--node-size m4.large --master-size m4.large \
--master-zones eu-west-2a \
--ssh-public-key ~/.ssh/id_rsa.pub \
--master-volume-size 50 \
--node-volume-size 50

If you get this message:

error doing DNS lookup for NS records for "k8stest.blenderfox.uk": lookup k8stest.blenderfox.uk on 127.0.1.1:53: no such host

It means you haven’t done the resolv.conf hack described above.

Assuming the create completed successfully, update the cluster so kops pushes the changes out to your cloud:

kops update cluster cluster.k8stest.blenderfox.uk --yes --state s3://k8sstate

While the cluster starts up, all the new DNS records will be set up with placeholder IPs. Remove your resolv.conf hack at this point, as it can affect your normal DNS resolution.


Now you’re at a stage where the cluster is starting up but the API server is failing. I’m currently trying to figure that part out.

Android 8.0 Oreo, thoroughly reviewed | Ars Technica

Looking forward to when LineageOS can upgrade to Oreo. There are a lot of new features that may make life a lot easier generally. Take a look at the article for details.

We take a 20,000 word deep-dive on Android’s “foundational” upgrades.

Source: Android 8.0 Oreo, thoroughly reviewed | Ars Technica

Update & Build Prep – Lineage OS – Lineage OS Android Distribution

Cyanogen’s fork is beginning to take shape. Currently my devices aren’t showing, but fingers crossed they will.

A few points worth noting from their site:

  • The build roster is ever growing, but we are supporting Marshmallow and Nougat capable devices.
    • We’ll list the 80+ devices in a separate post.
  • Our release cadence will be ‘weekly’ by default (to be nice to all the donated hardware).
  • We will NOT be shipping root baked into the ROM.
    • Root will be a downloadable zip based install similar to gapps installation (only need to flash it once).
    • Home builders that want to bake su back into the ROM can use the command ‘export WITH_SU=true’ prior to building.
  • Our official builds will all be signed with a private key for authentication and signature permission control.

However, also notable and I’m really happy about this:

Regarding installation, we recommend that users wipe when switching to LineageOS, and reinstall their gapps. However, we recognize that this can be time consuming, so we are offering an EXPERIMENTAL (read as, if it fails, you’ll have to wipe anyways) solution.

  • Alongside the ‘weekly’ release for your supported device, we’ll provide an EXPERIMENTAL data migration build.
  • This build will allow you to ‘upgrade’ from CM to the signed LineageOS weekly
  • This build may wipe permissions (you’ll have to re-allow app permissions), but should retain all user data
  • This build will be watermarked with an ugly banner to ensure that you don’t permanently run this EXPERIMENTAL release, and upgrade to a normal weekly after.
  • The process for this installation will be as follows:
    • Install EXPERIMENTAL migration build on top of cm-13.0 or cm-14.1 build (don’t try to install LineageOS 13.0 on top of CM 14.1, that will not work).
    • Reboot
    • Install LineageOS weekly build
    • Reboot
    • Re-setup your application permissions

Given the EXPERIMENTAL nature of this process, we are going to remove this option in two months time.


Source: Update & Build Prep – Lineage OS – Lineage OS Android Distribution

OpenSSL after Heartbleed | Linux.com | The source for Linux information

Despite being a library that most people outside of the technology industry have never heard of, the Heartbleed bug in OpenSSL caught the attention of the mainstream press when it was uncovered in April 2014 because so many websites were vulnerable to theft of sensitive server and user data. At LinuxCon Europe, Rich Salz and Tim Hudson from the OpenSSL team did a deep dive into what happened with Heartbleed and the steps the OpenSSL team are taking to improve the project.

Source: OpenSSL after Heartbleed | Linux.com | The source for Linux information

Some Myths About Linux That Cause New Users To Run Away From Linux – LinuxAndUbuntu

An attempt to bust some of the myths that surround Linux. Not a lot of them, but still some, including a few I see a lot in Windows communities. And the old classic “Linux is CLI only” (facepalm).

Source: Some Myths About Linux That Cause New Users To Run Away From Linux – LinuxAndUbuntu