Linode Tokyo 2 Datacenter Opens

Everyone has been waiting a long time for Linode's new Tokyo datacenter, and it has finally opened: "New Linode Datacenter: Tokyo 2".

A comment specifically mentions that the Tokyo 1 datacenter will not be expanded:

Tokyo 1 is at capacity and we have no plans to add any additional. You will need to move out of Tokyo 1 for plan upgrades, KVM, newest hardware, and so on.

Time to move XDDD

Linode's Second Tokyo Datacenter Scheduled to Open in December

Linode mentions this in "Network Update: Multihomed, Increased Transit, Peering":

We’re opening a brand new Tokyo facility next month. This will enable customers in the region to take advantage of several recent Linode announcements: KVM hypervisor, our latest plan specs including double the RAM and SSD servers, and mass availability. Stay tuned for the announcement within the next few weeks.

It's finally going to open...

Interview About Linode's Second Tokyo Datacenter (a.k.a. PR Piece)

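Following "Linode's Tokyo datacenter expansion work..." that I mentioned a few days ago, Linode has started putting out PR pieces over the past few days to build hype: "Behind The Scenes: Details About Upcoming Tokyo 2 DC Launch". Here are the key points.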

The new datacenter is in Shinagawa (品川); the original text is probably a typo (n and b are only one key apart):

Linode will be opening a new datacenter in Shibagawa ward, Tokyo, Japan, this fall and I was able to interview Linode’s datacenter operations manager, Brett Kaplan, who answered questions I asked regarding the upcoming Tokyo datacenter launch.

The target is to go live in 2016Q4:

Soh: Can you say when this new datacenter is expected to come online?
Brett: We are hoping to launch later in Q4 this year.

It uses an Equinix datacenter: (and here Shinagawa is spelled correctly XD)

Soh: So, where did you decide to establish the second Tokyo location?
Brett: We are utilizing an Equinix datacenter in Shinagawa ward Tokyo, Japan.

From this, it looks like it should be "Tokyo TY2 Network Interconnection"...

Blog Changes Hosting...

I spent some time this morning moving the blog from DigitalOcean to Vultr...

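I originally planned to switch to Linode, but Linode's smallest machine is too big (2GB RAM), so I looked for other options, looked around and picked Vultr, using the 768MB RAM plan, which gives me a bit more RAM than I had on DigitalOcean before...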

I also took the opportunity to switch the system to Ubuntu 16.04 and MySQL 5.7; it has been running for six hours now and feels pretty good...?

Linode Accepts PayPal Now, But...

Linode announced PayPal support: "PayPal Payments", but:

While any customer can use PayPal to fund their account, new customers will still need to sign up using a credit card. You can use PayPal from then on.

And the reason is:

This is in part because we don’t yet have the ability to automatically transfer funds from PayPal. If you intend on paying only via PayPal, you will need to ensure that you have enough credit on your Linode account to cover your next invoice. Otherwise, our system will attempt to collect any remaining balance from the credit card you have on file.

This reason is terrible XDDD

Linode Memory Upgrade, and Plans for a New Japan Datacenter

Linode's 13th birthday gift: "Linode’s 13th Birthday – Gifts for All!". It includes a memory upgrade plan:

Old Plan        New Plan         Price
Linode 1 GB     Linode 2 GB      $10/mo ($0.015/hr)
Linode 2 GB     Linode 4 GB      $20/mo ($0.03/hr)
Linode 4 GB     Linode 8 GB      $40/mo ($0.06/hr)
Linode 8 GB     Linode 12 GB     $80/mo ($0.12/hr)
Linode 16 GB    Linode 24 GB     $160/mo ($0.24/hr)
Linode 32 GB    Linode 48 GB     $320/mo ($0.48/hr)
Linode 48 GB    Linode 64 GB     $480/mo ($0.72/hr)
Linode 64 GB    Linode 80 GB     $640/mo ($0.96/hr)
Linode 96 GB    Linode 120 GB    $960/mo ($1.44/hr)

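The smaller machines all get double the RAM, while it is less pronounced for the bigger ones... but this surpasses DigitalOcean's specs and is well ahead of other VPS providers.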

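However, since the Tokyo datacenter is already full, it is not included in this upgrade, but they also revealed that the new Tokyo datacenter will come online before the end of this year: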

Unfortunately, since Tokyo is sold out, the upgrade is not available there. We hope to have our second Tokyo facility online before the end of the year.

Good news XD

Linode Moving Entirely to KVM

Linode announced that starting in May it will use KVM across the board, and new machines will no longer be able to choose Xen: "KVM Update".

Existing Xen machines will keep running, but they will be consolidated:

Existing Xen-based Linodes will be fine. However, in the near future we will begin to consolidate Xen Linodes onto fewer physical servers, which will mean scheduled migrations with periods of downtime. Don’t worry – if you will be affected, we’ll provide plenty of advance notice when those migrations are planned.

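Linode's KVM is indeed a lot faster; I guess that is also related to the hardware upgrade, since the numbers other parties have seen should not show that big an improvement.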

Linode's Explanation of the 2015 Security Issues and the Early-2016 Password Reset

Linode wrote a fairly long report explaining the two security incidents in 2015 and the password reset at the beginning of 2016: "Security Investigation Retrospective".

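The conclusion is that Linode found no evidence of having been compromised, but it still plans to improve quite a few things to ensure security.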

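In July 2015, a Linode customer filed a police report and reported to Linode that their account had been compromised; it later turned out that the customer had lost a phone carrying their 2FA information.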

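In December 2015, a security expert found during analysis that someone had obtained account credentials for many services, and that some Linode users might be using the same passwords, so they notified Linode and provided some IP information. After investigating, Linode found that the provided IPs had logged in to accounts on Linode, that none of these accounts had 2FA enabled, and that the account owners, when asked, confirmed the accounts had been misused.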

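After that, Linode still decided to invest resources in continuing to study the problem and brought in an external security team to confirm the situation, finally reaching the conclusion mentioned above, that no evidence of intrusion was found: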

The findings of our security partner’s investigation concluded there was no evidence of abuse or misuse of Linode’s infrastructure that would have resulted in the disclosure of customer credentials. Furthermore, the security partner’s assessment of our infrastructure and applications did not yield a vector that would have provided this level of access.

A problem was found in Lish, but no evidence that it had been used:

Linode’s security team did discover a vulnerability in Lish’s SSH gateway that potentially could have been used to obtain information discovered on December 17, although we have no evidence to support this supposition. We immediately fixed the vulnerability.

Still, Linode decided to change some of its architecture, as can be seen in the original post.

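You can see that they plan a design similar to an HSM architecture, to avoid passwords being accessed directly. Passwords will move from Salt + SHA256 (plus a thousand rounds of computation) to bcrypt. The system written in ColdFusion will be rewritten in Python. They also plan to open source the backend so that more people can review it to ensure security.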

Linode's Attack Report

Linode has been under DDoS attack for a while now, and a few days ago it released a report: "The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks".

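This passage mentions some numbers: one of Linode's smaller datacenters has 40Gbps of capacity, but at the current scale of DDoS attacks it gets overwhelmed immediately: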

Linode’s capacity management strategy for IP transit has been simple: when our peak daily utilization starts approaching 50% of our overall capacity, then it’s time to get more links.

This strategy is standard for carrier networks, but we now understand that it is inadequate for content networks like ours. To put some real numbers on this, our smaller datacenter networks have a total IP transit capacity of 40Gbps. This may seem like a lot of capacity to many of you, but in the context of an 80Gbps DDoS that can’t be blackholed, having only 20Gbps worth of headroom leaves us with crippling packet loss for the duration of the attack.

In addition, DNS has been put entirely on CloudFlare so that they can absorb the attacks:

Our nameservers are now protected by Cloudflare, and our websites are now protected by powerful commercial traffic scrubbing appliances.

The follow-up improvements should take a few more months? There should be another blog post once they are done...