Re: [Discuss] docker Re: Corralling Processes on Linux

2018-02-05 Thread Kent Borg

On 02/05/2018 04:02 PM, Mike Small wrote:

> At what point does it make sense to go to the cgroup level or even
> container level and at what point are traditional Unix abstractions like
> process groups and sessions adequate?  If Kent is creating all the
> processes himself and they all fall in one process group then kill(2) on
> the negative of the process group leader should kill them all.


Even if they are daemons? Also, the parent is (currently) a command line 
utility that goes away each time it is run.


My use case: I specifically want this command line utility to be 
minimalist for now, but add features in the future (interrogate the 
daemons about their state, do something interesting about the ones which 
report an error condition, maybe shove some into a disabled state) 
without constantly killing all of the daemons. I want the guts of this 
software to be able to get ahead of the executive orchestrating it. The 
result will be a far looser confederacy of processes than we are 
familiar with in monolithic programs.


-kb
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss


Re: [Discuss] docker Re: Corralling Processes on Linux

2018-02-05 Thread Mike Small
"Rich Braun"  writes:

> Kent Borg  wrote:
>>> I am playing with lots of different processes
>>> communicating with each other, maybe some coming and going
>>> incrementally. I want the ability to occasionally kill them all and
>>> start from a clean slate.
>
> Sure sounds like what you really want is Docker and/or Kubernetes. Cgroups is
> part of the mechanism used by containers (such as the original LXC) to isolate
> process groups but there's a whole open-source infrastructure that provides the
> tools that abstract out a lot of the difficult parts of what you want to do.

At what point does it make sense to go to the cgroup level or even
container level and at what point are traditional Unix abstractions like
process groups and sessions adequate?  If Kent is creating all the
processes himself and they all fall in one process group then kill(2) on
the negative of the process group leader should kill them all. To me
that would be simpler (but not necessarily easier? I have much to learn
about container tech.) than working with these higher level abstractions
and toolkits. If plain old process groups are adequate he also gets the
benefit that his software might run on a BSD as is.

-- 
Mike Small
sma...@sdf.org
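
Added example, not part of either post: the kill(2)-on-negative-pgid approach from the message above, together with the daemon case raised in the reply to it, in C. Two children stay in one process group and die from a single group-wide SIGTERM; a third calls setsid() the way a daemon does and is not reached. The names spawn, corral_demo and escapee are made up for this example, and the setsid() child is kept as a direct child (no double fork) so that waitpid() can observe it.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork a sleeping child in process group `pgid` (0 = start a new group). With
 * `detach` it calls setsid(), as a daemon would, then writes to `ready_fd`. */
static pid_t spawn(pid_t pgid, int detach, int ready_fd)
{
    pid_t pid = fork();
    if (pid == 0) {
        signal(SIGTERM, SIG_DFL);
        setpgid(0, pgid);
        if (detach) {
            setsid();                    /* new session, new process group */
            if (write(ready_fd, "x", 1) != 1) _exit(1);
        }
        for (;;) pause();
    }
    if (pid > 0 && !detach) setpgid(pid, pgid ? pgid : pid); /* avoid a race */
    return pid;
}

/* Returns the number of in-group children killed by the group-wide SIGTERM
 * (0..2), plus 10 if the setsid() child was still running afterwards. */
int corral_demo(void)
{
    int fds[2], status, result = 0; char c;
    if (pipe(fds) != 0) return -1;
    pid_t leader = spawn(0, 0, -1);      /* its pid becomes the pgid */
    pid_t worker = spawn(leader, 0, -1);
    pid_t escapee = spawn(leader, 1, fds[1]);
    if (leader < 0 || worker < 0 || escapee < 0) return -1;
    if (read(fds[0], &c, 1) != 1) return -1;  /* wait until setsid() has run */
    kill(-leader, SIGTERM);              /* negative pid = whole process group */
    if (waitpid(leader, &status, 0) == leader && WIFSIGNALED(status)) result++;
    if (waitpid(worker, &status, 0) == worker && WIFSIGNALED(status)) result++;
    if (waitpid(escapee, &status, WNOHANG) == 0) result += 10;
    kill(escapee, SIGKILL); waitpid(escapee, &status, 0); /* clean up by pid */
    close(fds[0]); close(fds[1]);
    return result;
}

int main(void)
{
    printf("corral_demo() = %d (12: group killed, setsid child survived)\n", corral_demo());
    return 0;
}
```

A cgroup does not have this gap: membership is inherited across fork() and is not changed by setsid().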


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread markw
Actually, QNAP is probably one of the worst storage system vendors. They
offer little or no support. They sat on a silent corruption bug until they
were outed by a blogger who went public after the company's refusal to
acknowledge the bug:

http://www.sbsfaq.com/?p=4277

I have personally had to deal with QNAP as a back-end to a ZFS storage
appliance and the customer kept getting corruption errors. (He actually
did have a disk failure/replacement in his RAID.) We showed him the bug
report. That system is now "retired."

Worse yet, they don't publish the systems affected by the bug, oh no! They
only published the systems NOT affected by the bug leaving you to wonder
whether or not you are affected. "Is that my system? It's close, but not
exact."

Those small closed systems aren't worth it. A moderate ECC RAM motherboard
barebones system and good SATA disks will come in at about the same price,
be faster, and be more reliable.

Or pony up for a real storage system with support and service level
agreements.

> At least QNAP offer to one-click secure your installation with a Let's
> Encrypt cert through their SSL management plugin - even though they sell
> certs through the same plugin/admin interface.
>
> (ed. note: TLS/SSL does not prevent Spectre / Meltdown - it's just an
> indication that QNAP are not 'crap' vendors if you consider Let's Encrypt
> free certs the 'right thing' to do.)
>
> Greg Rundlett
> https://eQuality-Tech.com
> https://freephile.org
>
> On Mon, Feb 5, 2018 at 3:07 PM, Greg Rundlett (freephile) <
> g...@freephile.com> wrote:
>
>> I have a QNAP TS-231 (dual bay SMB NAS)
>> https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001
>>
>> QNAP offered this security advisory on Jan. 8th
>> https://www.qnap.com/en-us/security-advisory/nas-201801-08
>>
>> And have released firmware upgrades since then ( 2018/01/30 ) QTS
>> 4.3.3.0448 Build 20180126
>>
>> However, they don't mention anything in the release notes yet
>> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".
>>
>> They advise:
>>
>>    - Do not install applications from unknown third-party sources.
>>    - Do not open or run unknown virtual machine (VM) images on your device.
>>    - Do not run unknown software in Container Station.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Richard Pieri
On 2/5/2018 3:07 PM, Greg Rundlett (freephile) wrote:
> However, they don't mention anything in the release notes yet
> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".

Safer to assume the patches are not included unless specifically listed.

> They advise:
> 
>    - Do not install applications from unknown third-party sources.
>    - Do not open or run unknown virtual machine (VM) images on your device.
>    - Do not run unknown software in Container Station.

Good advice in general, but telling in the context of a Meltdown/Spectre
security advisory. And not necessarily the most useful in the context of
NAS vendors with a vested interest in selling lots of add-on software
which may not be hard targets.

-- 
Rich P.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Greg Rundlett (freephile)
At least QNAP offer to one-click secure your installation with a Let's
Encrypt cert through their SSL management plugin - even though they sell
certs through the same plugin/admin interface.

(ed. note: TLS/SSL does not prevent Spectre / Meltdown - it's just an
indication that QNAP are not 'crap' vendors if you consider Let's Encrypt
free certs the 'right thing' to do.)

Greg Rundlett
https://eQuality-Tech.com
https://freephile.org

On Mon, Feb 5, 2018 at 3:07 PM, Greg Rundlett (freephile) <
g...@freephile.com> wrote:

> I have a QNAP TS-231 (dual bay SMB NAS)
> https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001
>
> QNAP offered this security advisory on Jan. 8th
> https://www.qnap.com/en-us/security-advisory/nas-201801-08
>
> And have released firmware upgrades since then ( 2018/01/30 ) QTS
> 4.3.3.0448 Build 20180126
>
> However, they don't mention anything in the release notes yet
> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".
>
> They advise:
>
>    - Do not install applications from unknown third-party sources.
>    - Do not open or run unknown virtual machine (VM) images on your device.
>    - Do not run unknown software in Container Station.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Greg Rundlett (freephile)
I have a QNAP TS-231 (dual bay SMB NAS)
https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001

QNAP offered this security advisory on Jan. 8th
https://www.qnap.com/en-us/security-advisory/nas-201801-08

And have released firmware upgrades since then ( 2018/01/30 ) QTS
4.3.3.0448 Build 20180126

However, they don't mention anything in the release notes yet
https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".

They advise:

   - Do not install applications from unknown third-party sources.
   - Do not open or run unknown virtual machine (VM) images on your device.
   - Do not run unknown software in Container Station.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Richard Pieri
On 2/5/2018 10:30 AM, Joe Polcari wrote:
> I just got an update today which, I think, covers it.

The CVE referenced in the release notes fixes a local privilege
escalation bug in IPsec. The Meltdown/Spectre CVEs are still listed as
"Ongoing" as of this writing:

https://www.synology.com/en-us/support/security/Synology_SA_18_01


On 2/5/2018 9:33 AM, ma...@mohawksoft.com wrote:
> This is common across the industry. EMC, Cisco, IBM, and others have
> said basically the same thing. I would dump Synology because it's
> crap, but not because of that.
My IBM references rank Meltdown/Spectre as "High Severity".

Likewise, my Netapp references rank them as "High Severity".

Cisco (network side) does rank them lower because network gear has a
much smaller attack surface than general purpose computers. The people
on the Unity side rank them much higher.

But then, Synology's failure to take these vulnerabilities seriously
does put them in the "crap" category. :)

-- 
Rich P.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Joe Polcari

Nope - I was wrong.
This is the one it addresses: CVE-2017-16939

On 2/5/18, 10:30 AM, "Discuss on behalf of Joe Polcari" wrote:

>I just got an update today which, I think, covers it.
>
>On 2/5/18, 9:33 AM, "discuss-bounces+joe=polcari@blu.org on behalf of
>ma...@mohawksoft.com" of ma...@mohawksoft.com> wrote:
>
>>This is common across the industry. EMC, Cisco, IBM, and others have said
>>basically the same thing. I would dump Synology because it's crap, but not
>>because of that.
>>
>>> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
>>> January.
>>>
>>> Synology posted their own security advisory 5 days later on 8 January
>>> listing these vulnerabilities as moderate "because these vulnerabilities
>>> can only be exploited via local malicious programs." As if there were no
>>> ways for "local malicious programs" to ever be installed or injected.
>>>
>>> As of 4 February, a month after the initial disclosure, Synology have
>>> yet to release fixes for these vulnerabilities.
>>>
>>> I will be mothballing my Synology NAS box as soon as I get a replacement
>>> for it up and running. I have the parts. I just need to assemble and
>>> test them, install an OS, and move the drives.
>>>
>>> --
>>> Rich P.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread Joe Polcari
I just got an update today which, I think, covers it.

On 2/5/18, 9:33 AM, "discuss-bounces+joe=polcari@blu.org on behalf of
ma...@mohawksoft.com"  wrote:

>This is common across the industry. EMC, Cisco, IBM, and others have said
>basically the same thing. I would dump Synology because it's crap, but not
>because of that.
>
>> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
>> January.
>>
>> Synology posted their own security advisory 5 days later on 8 January
>> listing these vulnerabilities as moderate "because these vulnerabilities
>> can only be exploited via local malicious programs." As if there were no
>> ways for "local malicious programs" to ever be installed or injected.
>>
>> As of 4 February, a month after the initial disclosure, Synology have
>> yet to release fixes for these vulnerabilities.
>>
>> I will be mothballing my Synology NAS box as soon as I get a replacement
>> for it up and running. I have the parts. I just need to assemble and
>> test them, install an OS, and move the drives.
>>
>> --
>> Rich P.


Re: [Discuss] Mothballing Synology NAS

2018-02-05 Thread markw
This is common across the industry. EMC, Cisco, IBM, and others have said
basically the same thing. I would dump Synology because it's crap, but not
because of that.

> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
> January.
>
> Synology posted their own security advisory 5 days later on 8 January
> listing these vulnerabilities as moderate "because these vulnerabilities
> can only be exploited via local malicious programs." As if there were no
> ways for "local malicious programs" to ever be installed or injected.
>
> As of 4 February, a month after the initial disclosure, Synology have
> yet to release fixes for these vulnerabilities.
>
> I will be mothballing my Synology NAS box as soon as I get a replacement
> for it up and running. I have the parts. I just need to assemble and
> test them, install an OS, and move the drives.
>
> --
> Rich P.