Blog 換 Hosting...

早上花了點時間,把 blog 從 DigitalOcean 搬到 Vultr 上了...

本來是打算要換到 Linode 上,但 Linode 最小台的機器太大台了 (2GB RAM),還是找了其他方案來用,看了看就挑 Vultr 了,用 768MB RAM 的方案,跟之前 DigitalOcean 相比多了一些 RAM 可以用...

順便趁機把系統換成 Ubuntu 16.04 跟 MySQL 5.7,現在用了六個小時,感覺還不錯...?

Linode 收 PayPal 了,只是...

Linode 宣佈支援 PayPal 了:「PayPal Payments」,只是:

While any customer can use PayPal to fund their account, new customers will still need to sign up using a credit card. You can use PayPal from then on.

而原因是:

This is in part because we don’t yet have the ability to automatically transfer funds from PayPal. If you intend on paying only via PayPal, you will need to ensure that you have enough credit on your Linode account to cover your next invoice. Otherwise, our system will attempt to collect any remaining balance from the credit card you have on file.

這理由爛爆了 XDDD

Linode 記憶體升級,以及新的日本機房計畫

Linode 的 13 歲禮物:「Linode’s 13th Birthday – Gifts for All!」。包括了記憶體的升級計畫:

Old PlanNew PlanPrice
Linode 1 GBLinode 2 GB$10/mo ($0.015/hr)
Linode 2 GBLinode 4 GB$20/mo ($0.03/hr)
Linode 4 GBLinode 8 GB$40/mo ($0.06/hr)
Linode 8 GBLinode 12 GB$80/mo ($0.12/hr)
Linode 16 GBLinode 24 GB$160/mo ($0.24/hr)
Linode 32 GBLinode 48 GB$320/mo ($0.48/hr)
Linode 48 GBLinode 64 GB$480/mo ($0.72/hr)
Linode 64 GBLinode 80 GB$640/mo ($0.96/hr)
Linode 96 GBLinode 120 GB$960/mo ($1.44/hr)

比較小的機器都是 double RAM,比較大的機器就沒那麼明顯了... 但這樣就超越 DigitalOcean 的規格,而且還領先其他 VPS 不少。

不過由於東京機房已經滿了,這次升級不包括在內,但也透漏了東京的新機房將會在今年年底前啟用:

Unfortunately, since Tokyo is sold out, the upgrade is not available there. We hope to have our second Tokyo facility online before the end of the year.

是個好消息 XD

Linode 將全面使用 KVM

Linode 宣佈從五月開始全面使用 KVM,新的機器將無法選擇 Xen:「KVM Update」。

原有的 Xen 機器還是會繼續跑,但將會集中起來:

Existing Xen-based Linodes will be fine. However, in the near future we will begin to consolidate Xen Linodes onto fewer physical servers, which will mean scheduled migrations with periods of downtime. Don’t worry – if you will be affected, we’ll provide plenty of advance notice when those migrations are planned.

Linode 的 KVM 的確快不少,我猜也跟硬體升級有關吧,畢竟就其他單位看到的數據應該是沒有這麼高的幅度。

Linode 針對 2015 年的安全問題,以及 2016 年年初密碼重設行為的說明

Linode 寫了相當長的一篇報告說明 2015 發生的兩件安全事件,以及 2016 年年初重設密碼的行為:「Security Investigation Retrospective」。

結論是 Linode 沒有找出證據被攻破,但還是打算改善不少東西以確保安全性。

2015 年七月曾經有一個 Linode 的客戶報案,並且向 Linode 回報帳號被入侵的問題,而後來發現是客戶帶有 2FA 資訊的手機遺失。

2015 年十二月有個資安專家在分析時發現有人取得了許多服務的帳號密碼,其中有可能有 Linode 的使用者使用相同的密碼,所以通報 Linode 並且提供一些 IP 資訊,Linode 調查後發現提供的 IP 資訊有登入到 Linode 上的帳號,而這些帳號也的確都沒有啟用 2FA,而且詢問這些帳號的主人也確認了被盜用的情況。

接下來 Linode 還是決定投入資源繼續研究問題,尋找外部的資安團隊來確認情況,最後得到上面提到的結論:沒有找出證據被入侵:

The findings of our security partner’s investigation concluded there was no evidence of abuse or misuse of Linode’s infrastructure that would have resulted in the disclosure of customer credentials. Furthermore, the security partner’s assessment of our infrastructure and applications did not yield a vector that would have provided this level of access.

在 Lish 上有發現問題,但沒有找出被使用的證據:

Linode’s security team did discover a vulnerability in Lish’s SSH gateway that potentially could have been used to obtain information discovered on December 17, although we have no evidence to support this supposition. We immediately fixed the vulnerability.

不過 Linode 還是決定把一些架構改掉,可以在原文看到。

可以看到打算規劃類似 HSM 架構的設計,,避免密碼直接被存取。把密碼從 Salt + SHA256 (以及千次運算) 轉移到 bcrypt。然後把 ColdFusion 寫的系統改用 Python 寫。並且計畫把後台 open source 出來,讓更多人可以檢視確保安全性。

Linode 的被攻擊報告

Linode 這陣子一直被 DDoS 攻擊,前幾天放出報告:「The Twelve Days of Crisis – A Retrospective on Linode’s Holiday DDoS Attacks」。

其中這段提到了一些數字,Linode 有個小機房有 40Gbps 的能力,但以現在的 DDoS 規模會馬上爆掉:

Linode’s capacity management strategy for IP transit has been simple: when our peak daily utilization starts approaching 50% of our overall capacity, then it’s time to get more links.

This strategy is standard for carrier networks, but we now understand that it is inadequate for content networks like ours. To put some real numbers on this, our smaller datacenter networks have a total IP transit capacity of 40Gbps. This may seem like a lot of capacity to many of you, but in the context of an 80Gbps DDoS that can’t be blackholed, having only 20Gbps worth of headroom leaves us with crippling packet loss for the duration of the attack.

另外把 DNS 整個放上 CloudFlare 讓他們來擋:

Our nameservers are now protected by Cloudflare, and our websites are now protected by powerful commercial traffic scrubbing appliances.

後續的改善應該還要幾個月?完成後應該會再看到 blog post...

DigitalOcean 提供 Floating IP 功能

DigitalOcean 推出的新功能,可以註冊 IP 並且動態掛到某個 droplet 上:「Floating IPs: Start Architecting Your Applications for High Availability」。

如果沒有掛到 droplet 上會收取 USD$0.006/hour 的費用,以一個月 720 小時來計算,大約是 USD$4.32/month。另外也限制在同一個 data center 內才能換來換去。

類似的功能在 Linode 很久前就有了 (2007 年底),雖然不是完全一樣:「Support for High Availability / IP Failover」,但 Amazon EC2 的 Elastic IP 功能幾乎就相同了,在 2008 年初開放:「New EC2 Features: Static IP Addresses, Availability Zones, and User Selectable Kernels」,所以只能算是補產品線,把大家都有的功能實作出來...

以往只能用 DNS 做 High Availability 的,現在可以用這種方法做,使得 downtime 可以更低。另外這樣做也可以架設 proxy server,使得對外的 IP 不變,讓 firewall 設定變得單純。

Linode 德國機房啟用

有在追蹤 LinodeTwitter @linode 就會知道前陣子 Linode 一直在測試德國機房,而最近正式公開啟用了:「Introducing Linodes in Frankfurt!」。

HiNetspeedtest.frankfurt.linode.com 測試有兩種不同的結果。

一種是 IPv4 的,會走 Sprint 交換,在美國轉入 TeliaSonera 後,一路到德國 Linode 機房。扣掉本地端的 latency 大約是 320ms。

另外一種是 IPv6,HiNet 會跟 Hurricane Electric 交換後一路跑 Hurricane Electric 骨幹,在德國進入 Linode 機房,一樣扣掉本地端的 latency 大約是 285ms,意外的快了不少?

然後是 Linode 的廣告詞:

Frankfurt is an important financial and Internet hub for Europe, with a third of Europe’s Internet traffic going through it. Frankfurt is home to DE-CIX, the largest Internet exchange in the world in terms of traffic. DE-CIX will no doubt provide abundant peering access opportunities for us, over time.

不知道有沒有機會再加開其他亞洲的機房... (東京滿了...)

Linode 提供 KVM-based hosting 服務

Linode 前幾天宣佈開始提供 KVM-based hosting:「Linode turns 12! Here’s some KVM!」。

使用 KVM 最大的進展是可以跑 Windows 了:(這對產品面來說很重要)

However, we also now support fully virtualized guests – which means you can run alternative operating systems like FreeBSD, BSD, Plan 9, or even Windows – using emulated hardware (PIIX IDE and e1000).

同時圖形化界面的 console 也會釋出:

We’re also working on a graphical console (GISH?) which should be out in the next few weeks.

而現有 Xen 換到 KVM 也包裝得很簡單:

On a Xen Linode’s dashboard, you will see an “Upgrade to KVM” link on the right sidebar. It’s a one-click migration to upgrade your Linode to KVM from there. Essentially, our KVM upgrade means you get a much faster Linode just by clicking a button.

而且打算逐步淘汰掉 Xen:

New customers and new Linodes will, by default, still get Xen. Xen will cease being the default in the next few weeks. Eventually we will transition all Xen Linodes over to KVM, however this is likely to take quite a while. Don’t sweat it.

不過 Linode 還是沒支援更好的網路環境 (i.e. Private LAN),對於要架大型服務的人來說還是有技術障礙 :o