Home » 2018 » January (Page 2)

針對 Ubuntu 16.04 + PPPoE 時,OpenNTPD 的 -s 不會在啟動時直接校正的問題 workaround...

發現機器時間跟標準時間差了 40 秒左右,結果有些服務因為會看雙方時間,就不讓我跑... XDDD

找問題找了半天,發現開機後 ntpdate 會回報找不到伺服器,看起來是網路根本就還沒通就跑起來了:

Jan 25 13:10:30 home ntpdate[757]: name server cannot be used: Temporary failure in name resolution (-3)
Jan 25 13:10:30 home ntpdate[1171]: name server cannot be used: Temporary failure in name resolution (-3)
Jan 25 13:10:30 home ntpdate[1347]: name server cannot be used: Temporary failure in name resolution (-3)
Jan 25 13:10:30 home ntpdate[1410]: name server cannot be used: Temporary failure in name resolution (-3)

而理論上 與 openntpd 加上 -s 也會做類似的事情,所以這邊就在 /etc/default/openntpd 先加上 -s,讓他開機時強制對時一次,看看能不能解... 結果也是一樣在網路還沒通的時候就跑起來而失敗了:

Jan 25 13:10:45 home ntpd[1457]: no reply received in time, skipping initial time setting

由於這台機器是 HiNet 的 PPPoE,看起來有可能是某些條件沒寫好,造成執行順序不對... 所以就找個 workaround 來解決 @_@

後來找的方法是直接到 /etc/ppp/ip-up.d/ 下放一個 script 實作 workaround,直接在 PPPoE 連上後重跑 openntpd,然後用 hwclock 寫回主機裡,下次開機的時間就會比較準一些了:

#!/bin/sh -e

/usr/sbin/service openntpd restart
/sbin/hwclock -w

不過實際上還是要找看看要怎麼把 PPPoE 掛到 networking 那層行為裡面...

Percona 版本的 MySQL 對於 Meltdown/Spectre 漏洞修復造成的效能損失 (Intel 平台)

而且這還不是完全修復,只是大幅降低被攻擊的機率...

PerconaUbuntu 16.04 上測試 MeltdownSpectre 這兩個安全漏洞的修正對於效能的影響。在原文標題就講了結論,為了修正 Meltdown 與 Spectre 兩個安全漏洞,效能的損失很明顯:「20-30% Performance Hit from the Spectre Bug Fix on Ubuntu」。

這邊測的結果發現,在 CPU bound 時的損失大約是 20%~25% (甚至到 30%),而 I/O bound 會輕一些,大約是 15%~20%:

We can see that in CPU-bound workloads the overhead is 20-25%, reaching up to 30% in point select queries. In IO-bound (25G buffer pool) workloads, the observed overhead is 15-20%.

在 comment 的地方 Percona 的人被問到 AMD 平台上效能會損失多少的問題,但因為他們手上目前沒有 AMD 平台的新機器所以不知道會有多少:

I do not have modern AMD servers on my hands right now

理論上 AMD 平台不需要處理 Meltdown 問題,損失應該會少一些,但沒測過也不曉得會是什麼情況... (像是 Spectre 的修正損失會不會比 Intel 還重,這之類的...)

另外補上早些時候的文章,當時 Ubuntu 上的 kernel 只有對 Meltdown 攻擊的修正,當時 Percona 的人也測了一次:「Does the Meltdown Fix Affect Performance for MySQL on Bare Metal?」,看起來對 Meltdown 攻擊的修正對效能的影響不太大,不過文裡有測試到 syscall 的效率的確如同預期掉很多。

DuckDuckGo 推出瀏覽器與套件

DuckDuckGo 推出了自家的瀏覽器與套件,標榜注重隱私:「DuckDuckGo moves beyond search to also protect you while browsing.」,支援多個平台 (然後 IEEdge 不在列表 XDDD):

Our updated app and extension are now available across all major platforms – Firefox, Safari, Chrome, iOS, and Android – so that you can easily get all the privacy essentials you need on any device with just one download.

官方給了個示意圖:

測了一下 iOS 上的 app,用起來不算難用,應該會用一陣子測試看看...

Tinder 的漏洞

在「Tinder's Lack of Encryption Lets Strangers Spy on Your Swipes」這篇看到 Tinder 的實作問題,主要是兩個問題組合起來。第一個是圖片沒有用 HTTPS 傳輸:

On Tuesday, researchers at Tel Aviv-based app security firm Checkmarx demonstrated that Tinder still lacks basic HTTPS encryption for photos.

第二個是透過 side channel information leaking:即使是 HTTPS 傳輸,還是可以透過 size 知道是哪種類型的操作:

Tinder represents a swipe left to reject a potential date, for instance, in 278 bytes. A swipe right is represented as 374 bytes, and a match rings up at 581.

這兩個資訊就可以把行為組出來了。

接下來應該會先把圖片上 HTTPS 吧?然後再來是把各種類型的 packet 都塞大包一點?

macOS 上管制對外連線的 LuLu

看到「LuLu」這個軟體,可以在 macOS 上管制對外連線:

LuLu is the free open-source macOS firewall that aims to block unknown outgoing connections, unless explicitly approved by the user.

需要 10.12+ 的版本,目前阻擋的畫面長這樣 (目前還是 alpha 版):

這類產品讓我想到大學時還有在用的防火牆軟體... XD

程式碼在 objective-see/LuLu 這邊,軟體授權用了少見的 CC BY-NC 4.0 授權,由於限制商業使用,這不算是 open source license (雖然產品頁面上這樣宣稱)。有空來找看看有沒有替代品好了...

Rasmus Lerdorf 關於 VPS 的介紹測試...

Rasmus LerdorfPHP 的發明人,純粹是有趣的角度看這篇文章:「Testing VPS solutions」。

文章裡比較了十家 VPS 或是可以當作 VPS 的雲服務商,先直接講重點,看起來他最後選了 Vultr

A serious competitor to Digital Ocean. I would use this.

不過 Vultr 有個讓人不太舒服的地方 (對我而言) 是登入機制沒有 2FA,所以只能透過 Password Manager 用強密碼保護。不過除此之外都還算不錯。

不過既然是 Rasmus,在提到 MicrosoftAzure 才會是重點 XDDD:

This one was painful. Yes, I have a bit of a Microsoft aversion, but I tried to keep an open mind. Read the full description of my Azure adventure. Expensive, apparently no IPv6, slow disk IO, and I couldn't figure out block storage options. Definitely not for me.

然後在測試 Azure 時的評語就更酸了:

Oh Azure! This one is going to get a bit ranty. I Spent a good 20 minutes clicking around the provisioning Web UI. To be fair, it is more geared to people needing to provision a lot of servers. Doing a single one like this is not the target audience as far as I can tell. But still, instead of presenting a couple of standard options and a way to build your own custom config, Azure gives you 92 options (depending on which region you select):

繼續抱怨找不到價錢:

I also got super lost trying to figure out what it would cost to bring the VPS up to 500 GB of persistent storage. And then to make things even more confusing, when I started the virtual machine creation process and came to the "Choose your virtual machine size" step, I got a bunch of different options not included in the above list with most of them listed as "Not Available" including both the A4 v2 and F4 options I had so carefully located.

然後還有奇怪的 agent 在跑:

The Azure VPS also had the heaviest provisioning agent of all the ones I tested. It looks like it is doing a heartbeat once per second and doing a (non-ssl) GET request to an IIS server upstream asking it for a "GoalState". I listened and checked what the IIS server responded with. The response from the management server is in the GoalState addendum below. It is mostly self-explanatory, I think.

相較於其他家 VPS 的評測,這部份的長度與酸度都頗不賴的 XDDD

Transport-Layer Encryption 與 End-to-End Encryption 的差異

EFF 的「Transport-Layer Encryption vs End-to-End Encryption - GIF」這篇文章介紹了 Transport-Layer Encryption 與 End-to-End Encryption 的差異,最後還給了一張 GIF 說明:

其實 GIF 給的範例還蠻清楚的,在 Transport-Layer Encryption 中服務提供商可以看到原始內容 (以 GIF 內提到的例子就是 Google),而在 End-to-End Encryption 中就不行,只有傳輸雙方可以知道原始內容。

然後文章裡也提到了 Tor Messenger,可以吃現有的通訊軟體,然後在上面疊出 End-to-End Encryption。

Stripe 也宣佈要停止支援 Bitcoin 了

Stripe 發了公告出來,要停止支援 Bitcoin:「Ending Bitcoin Support」。預定保留三個月的緩衝期,在 2018 年 4 月 23 日停掉:

Over the next three months we will work with affected Stripe users to ensure a smooth transition before we stop processing Bitcoin transactions on April 23, 2018.

跟其他單位停用的原因都差不多,愈來愈慢的交易速度與愈來愈高的手續費:

Transaction confirmation times have risen substantially; this, in turn, has led to an increase in the failure rate of transactions denominated in fiat currencies. (By the time the transaction is confirmed, fluctuations in Bitcoin price mean that it’s for the “wrong” amount.) Furthermore, fees have risen a great deal. For a regular Bitcoin transaction, a fee of tens of U.S. dollars is common, making Bitcoin transactions about as expensive as bank wires.

Steam 當時的理由很類似... (參考「Steam 停止使用 Bitcoin 購買遊戲」)

Amazon Aurora (PostgreSQL) 也支援 Read Replica 了

Amazon Aurora (PostgreSQL) 支援 Read Replica 了:「Announcing Amazon Aurora PostgreSQL Read Replica for Amazon RDS for PostgreSQL」。

馬上想到的用途是量爆增時,如果當初有作 R/W split (讀寫分離) 就可以直接用錢撐住,不過官方給的範例是降低 RDS 轉移到 Aurora 的 downtime,這點就有點微妙...:

You can now create an Amazon Aurora PostgreSQL read replica for an Amazon RDS for PostgreSQL instance, allowing you to continuously replicate to Amazon Aurora PostgreSQL. This helps you minimize downtime when migrating a live workload from Amazon RDS for PostgreSQL to Amazon Aurora PostgreSQL, by keeping the instances in sync until you're ready to move your applications and users to Amazon Aurora PostgreSQL.

所以這次算是陸陸續續把功能補上來,在 Amazon Aurora (MySQL) 有的一般性功能,這邊就跟著先實作...

AWS KMS 可以在 VPC 內直接存取了

AWS Key Management Service 宣布支援 AWS PrivateLink Endpoint 了:「How to Connect Directly to AWS Key Management Service from Amazon VPC by Using an AWS PrivateLink Endpoint」。先前需要透過 Internet 流量存取 (透過 NAT、Proxy 之類的服務),現在則是可以接到 VPC 內直接用了:

Previously, applications running inside a VPC required internet access to connect to AWS KMS. This meant managing internet connectivity through internet gateways, Network Address Translation (NAT) devices, or firewall proxies.

With support for Amazon VPC endpoints, you can now keep all traffic between your VPC and AWS KMS within the AWS network and avoid management of internet connectivity.

KMS 需要 Internet 也是之前設計架構時比較痛的地方,現在總算是有個方向可以減少痛處了...

Archives