Re: [Discuss] docker Re: Corralling Processes on Linux
On 02/05/2018 04:02 PM, Mike Small wrote:
> At what point does it make sense to go to the cgroup level or even
> container level and at what point are traditional Unix abstractions
> like process groups and sessions adequate? If Kent is creating all the
> processes himself and they all fall in one process group then kill(2)
> on the negative of the process group leader should kill them all.

Even if they are daemons? Also, the parent is (currently) a command line utility that goes away each time it is run.

My use case: I specifically want this command line utility to be minimalist for now, but add features in the future (interrogate the daemons about their state, do something interesting about the ones which report an error condition, maybe shove some into a disabled state) without constantly killing all of the daemons.

I want the guts of this software to be able to get ahead of the executive orchestrating it. The result will be a far looser confederacy of processes than we are familiar with in monolithic programs.

-kb
___
Discuss mailing list
Discuss@blu.org
http://lists.blu.org/mailman/listinfo/discuss
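Added example, not written by either poster: the C sketch below puts the two points of this exchange side by side. kill(2) with a negative process-group ID reaches every member of the group, while a worker that has called setsid(), as a daemon normally does, sits in a new group and is missed. The function names, the worker counts and the pipe used as a readiness signal are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fork one worker into process group `pgid` (0 = lead a new group). With
 * `daemonize` set it then calls setsid(): new session, new process group. */
static pid_t spawn_worker(pid_t pgid, int daemonize, int ready_fd)
{
    pid_t pid = fork();
    if (pid != 0) return pid;                  /* parent, or -1 on error */
    char ok = (setpgid(0, pgid) == 0 &&
               (!daemonize || setsid() != (pid_t)-1)) ? 'r' : 'e';
    if (write(ready_fd, &ok, 1) != 1 || ok != 'r') _exit(1);
    for (;;) pause();                          /* idle until killed */
}

/* Start `plain` ordinary workers and `daemons` setsid() workers, kill the
 * group, and return how many workers the group kill missed (-1 on error). */
int survivors_after_group_kill(int plain, int daemons)
{
    pid_t pids[16], pgid = 0;
    int fds[2], n = plain + daemons, survivors = 0;
    char c;
    if (plain < 1 || daemons < 0 || n > 16 || pipe(fds) != 0) return -1;
    for (int i = 0; i < n; i++) {
        pids[i] = spawn_worker(pgid, i >= plain, fds[1]);
        if (pids[i] < 0 || read(fds[0], &c, 1) != 1 || c != 'r') return -1;
        if (i == 0) pgid = pids[0];            /* first worker leads the group */
    }
    kill(-pgid, SIGKILL);                      /* negative pid: whole group */
    for (int i = 0; i < plain; i++) waitpid(pids[i], NULL, 0);
    for (int i = plain; i < n; i++) {
        if (waitpid(pids[i], NULL, WNOHANG) == 0) {
            survivors++;                       /* still running: it escaped */
            kill(pids[i], SIGKILL);            /* clean up by individual pid */
            waitpid(pids[i], NULL, 0);
        }
    }
    close(fds[0]); close(fds[1]);
    return survivors;
}

int main(void)
{
    printf("escaped: plain only=%d, with daemons=%d\n",
           survivors_after_group_kill(3, 0), survivors_after_group_kill(2, 2));
    return 0;
}
```

A cgroup, unlike a process group, keeps its members across setsid(), which is why the cgroup suggestion in this thread fits the daemon case.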
Re: [Discuss] docker Re: Corralling Processes on Linux
"Rich Braun" writes:

> Kent Borg wrote:
>>> I am playing with lots of different processes
>>> communicating with each other, maybe some coming and going
>>> incrementally. I want the ability occasionally kill them all and
>>> start from a clean slate.
>
> Sure sounds like what you really want is Docker and/or Kubernetes. Cgroups is
> part of the mechanism used by containers (such as the original LXC) to isolate
> process groups but there's a whole open-source infrastructure that provide the
> tools that abstract out a lot of the difficult parts of what you want to do.

At what point does it make sense to go to the cgroup level or even container level and at what point are traditional Unix abstractions like process groups and sessions adequate? If Kent is creating all the processes himself and they all fall in one process group then kill(2) on the negative of the process group leader should kill them all. To me that would be simpler (but not necessarily easier? I have much to learn about container tech.) than working with these higher level abstractions and toolkits. If plain old process groups are adequate he also gets the benefit that his software might run on a BSD as is.

--
Mike Small
sma...@sdf.org
Re: [Discuss] Mothballing Synology NAS
Actually, QNAP is probably one of the worst storage system vendors. They offer little or no support. They sat on a silent corruption bug until they were out-ed by a blogger who went public after the company's refusal to acknowledge the bug:

http://www.sbsfaq.com/?p=4277

I have personally had to deal with qnap as a back-end to a ZFS storage appliance and the customer kept getting corruption errors. (He actually did have a disk failure/replacement in his raid.) We showed him the bug report. That system is now "retired."

Worse yet, they don't publish the systems affected by the bug, oh no! They only published the systems NOT affected by the bug leaving you to wonder whether or not you are affected. "Is that my system? It's close, but not exact."

Those small closed systems aren't worth it. A moderate ECC RAM motherboard barebones system and good SATA disks will come in at about the same price, be faster, and be more reliable. Or pony up for a real storage system with support and service level agreements.

> At least QNAP offer to one-click secure your installation with a Let's
> Encrypt cert through their SSL management plugin - even though they sell
> certs through the same plugin/admin interface.
>
> (ed. note: TLS/SSL does not prevent Spectre / Meltdown - it's just an
> indication that QNAP are not 'crap' vendors if you consider Let's Encrypt
> free certs the 'right thing' to do.)
>
> Greg Rundlett
> https://eQuality-Tech.com
> https://freephile.org
>
> On Mon, Feb 5, 2018 at 3:07 PM, Greg Rundlett (freephile) <
> g...@freephile.com> wrote:
>
>> I have a QNAP TS-231 (dual bay SMB NAS)
>> https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001
>>
>> QNAP offered this security advisory on Jan. 8th
>> https://www.qnap.com/en-us/security-advisory/nas-201801-08
>>
>> And have released firmware upgrades since then ( 2018/01/30 ) QTS
>> 4.3.3.0448 Build 20180126
>>
>> However, they don't mention anything in the release notes yet
>> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".
>>
>> They advise:
>>
>> - Do not install applications from unknown third-party sources.
>> - Do not open or run unknown virtual machine (VM) images on your
>>   device.
>> - Do not run unknown software in Container Station.
Re: [Discuss] Mothballing Synology NAS
On 2/5/2018 3:07 PM, Greg Rundlett (freephile) wrote:
> However, they don't mention anything in the release notes yet
> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".

Safer to assume the patches are not included unless specifically listed.

> They advise:
>
> - Do not install applications from unknown third-party sources.
> - Do not open or run unknown virtual machine (VM) images on your device.
> - Do not run unknown software in Container Station.

Good advice in general, but telling in the context of a Meltdown/Spectre security advisory. And not necessarily the most useful in the context of NAS vendors with a vested interest in selling lots of add-on software which may not be hard targets.

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
At least QNAP offer to one-click secure your installation with a Let's Encrypt cert through their SSL management plugin - even though they sell certs through the same plugin/admin interface.

(ed. note: TLS/SSL does not prevent Spectre / Meltdown - it's just an indication that QNAP are not 'crap' vendors if you consider Let's Encrypt free certs the 'right thing' to do.)

Greg Rundlett
https://eQuality-Tech.com
https://freephile.org

On Mon, Feb 5, 2018 at 3:07 PM, Greg Rundlett (freephile) <
g...@freephile.com> wrote:

> I have a QNAP TS-231 (dual bay SMB NAS)
> https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001
>
> QNAP offered this security advisory on Jan. 8th
> https://www.qnap.com/en-us/security-advisory/nas-201801-08
>
> And have released firmware upgrades since then ( 2018/01/30 ) QTS
> 4.3.3.0448 Build 20180126
>
> However, they don't mention anything in the release notes yet
> https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".
>
> They advise:
>
> - Do not install applications from unknown third-party sources.
> - Do not open or run unknown virtual machine (VM) images on your
>   device.
> - Do not run unknown software in Container Station.
Re: [Discuss] Mothballing Synology NAS
I have a QNAP TS-231 (dual bay SMB NAS)
https://static.myqnapcloud.com/device_model/53466f86d6b82f5cd5295b28?r=1517796001

QNAP offered this security advisory on Jan. 8th
https://www.qnap.com/en-us/security-advisory/nas-201801-08

And have released firmware upgrades since then ( 2018/01/30 ) QTS 4.3.3.0448 Build 20180126

However, they don't mention anything in the release notes yet https://www.qnap.com/en/releasenotes/ so I'm unsure if it's "in there".

They advise:

- Do not install applications from unknown third-party sources.
- Do not open or run unknown virtual machine (VM) images on your device.
- Do not run unknown software in Container Station.
Re: [Discuss] Mothballing Synology NAS
On 2/5/2018 10:30 AM, Joe Polcari wrote:
> I just got an update today which, I think, covers it.

The CVE referenced in the release notes fixes a local privilege escalation bug in ipesc. The Meltdown/Spectre CVEs are still listed as "Ongoing" as of this writing:

https://www.synology.com/en-us/support/security/Synology_SA_18_01

On 2/5/2018 9:33 AM, ma...@mohawksoft.com wrote:
> This is common across the industry. EMC, Cisco, IBM, and others have
> said basically the same thing. I would dump synology because it's
> crap, but not because of that.

My IBM references rank Meltdown/Spectre as "High Severity". Likewise, my Netapp references rank them as "High Severity". Cisco (network side) does rank them lower because network gear has a much smaller attack surface than general purpose computers. The people on the Unity side rank them much higher.

But then, Synology's failure to take these vulnerabilities seriously does put them in the "crap" category. :)

--
Rich P.
Re: [Discuss] Mothballing Synology NAS
Nope - I was wrong. This is the one it addresses: CVE-2017-16939

On 2/5/18, 10:30 AM, "Discuss on behalf of Joe Polcari" wrote:

>I just got an update today which, I think, covers it.
>
>On 2/5/18, 9:33 AM, "discuss-bounces+joe=polcari@blu.org on behalf of
>ma...@mohawksoft.com" wrote:
>
>>This is common across the industry. EMC, Cisco, IBM, and others have said
>>basically the same thing. I would dump synology because it's crap, but not
>>because of that.
>>
>>> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
>>> January.
>>>
>>> Synology posted their own security advisory 5 days later on 8 January
>>> listing these vulnerabilities as moderate "because these vulnerabilities
>>> can only be exploited via local malicious programs." As if there were no
>>> ways for "local malicious programs" to ever be installed or injected.
>>>
>>> As of 4 February, a month after the initial disclosure, Synology have
>>> yet to release fixes for these vulnerabilities.
>>>
>>> I will be mothballing my Synology NAS box as soon as I get a replacement
>>> for it up and running. I have the parts. I just need to assemble and
>>> test them, install an OS, and move the drives.
>>>
>>> --
>>> Rich P.
Re: [Discuss] Mothballing Synology NAS
I just got an update today which, I think, covers it.

On 2/5/18, 9:33 AM, "discuss-bounces+joe=polcari@blu.org on behalf of ma...@mohawksoft.com" wrote:

>This is common across the industry. EMC, Cisco, IBM, and others have said
>basically the same thing. I would dump synology because it's crap, but not
>because of that.
>
>> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
>> January.
>>
>> Synology posted their own security advisory 5 days later on 8 January
>> listing these vulnerabilities as moderate "because these vulnerabilities
>> can only be exploited via local malicious programs." As if there were no
>> ways for "local malicious programs" to ever be installed or injected.
>>
>> As of 4 February, a month after the initial disclosure, Synology have
>> yet to release fixes for these vulnerabilities.
>>
>> I will be mothballing my Synology NAS box as soon as I get a replacement
>> for it up and running. I have the parts. I just need to assemble and
>> test them, install an OS, and move the drives.
>>
>> --
>> Rich P.
Re: [Discuss] Mothballing Synology NAS
This is common across the industry. EMC, Cisco, IBM, and others have said basically the same thing. I would dump synology because it's crap, but not because of that.

> The Meltdown and Spectre vulnerabilities were publicly disclosed 3
> January.
>
> Synology posted their own security advisory 5 days later on 8 January
> listing these vulnerabilities as moderate "because these vulnerabilities
> can only be exploited via local malicious programs." As if there were no
> ways for "local malicious programs" to ever be installed or injected.
>
> As of 4 February, a month after the initial disclosure, Synology have
> yet to release fixes for these vulnerabilities.
>
> I will be mothballing my Synology NAS box as soon as I get a replacement
> for it up and running. I have the parts. I just need to assemble and
> test them, install an OS, and move the drives.
>
> --
> Rich P.