How IKEA Patched Shellshock
jones_supa writes: Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming." On a more serious note, he said that it took approximately two and a half hours to upgrade their infrastructure to defend against Shellshock. The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years.
I imagine it was sudo rm -rf /, but I could be way off.
Let's save ourselves from unnecessary clickbait.
They were only able to do it because they already had an affordable, high quality krampfor on hand. The whole thing would have fallen apart if not for that.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
You'd rather read Microsoft or Apple propaganda all day?
I was there. It was said in a very joking manner. From the moment he started he showed his sense of humour.
In fact, his whole presentation was funny, amusing and had some good information.
The idea that he showed a one line command to patch wasn't the biggest shock of the talk. (Sorry, I don't recall the command.) It was the fact that he patches the 3,500 servers ONCE A MONTH. Straight into production. This caused some questions and discussion.
FTFA, "One of the potential challenges of constantly updating servers is the risk that applications break when new server operating system software is loaded. Glantz, however, isn't worried and noted that RHEL offers the promise of Application Binary Interface (ABI) compatibility across updates." The rest of his reasoning, and another amusing moment, is described at the end of the article.
Vip
./patch
but the interesting bit was the getting to that, yeah.
for the IT-asshole quote that we all know. ZERO people skills.
Actually he presented a great sense of humor when he said that "That's it, thanks for coming." Like the only needed fix was some kind of fix-all-servers command. That is people skills in my book.
The moment would have been perfect if he'd just dropped the mic.
You are welcome on my lawn.
From the article the grandparent obviously did not read "Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming," as the audience erupted into boisterous applause.". So in fact top notch people skills.
Chaos - everything, everywhere, everywhen
You think you're more of a people person? Prove it bitch.
Why do you sound like an IT asshole with zero people skills?
If it's anything like my general Ikea experience, I'm sure the security ops team was handed a cardboard box labelled "Schelli schocc" with a 7 page manual full of bloated looking stick figures and a tiny hex wrench. They were then left to figure it out over a long night of busted knuckles and impromptu invented curse words. By dawn, either the prod environment passed a Nessus scan or they'd built a bed...or both.
Good people go to bed earlier.
So he is using some sort of configuration management. I modified and tested a puppet manifest and then deployed it to our production puppet server. Over the next 30 minutes I had updated over 1000 machines.
I like Apple propaganda. It's much better than that awful Windoze propaganda.
Sure ./updateIkeaServers is one line.
But that's cheating if it's calling a 5 million line script.....
people with no enterprise experience stick out like a sore thumb in threads like these.
By making the customers do most of it themselves.
Table-ized A.I.
Man holding hammer demonstrates ease of driving a nail into wood. Thousands holding screwdrivers are amazed.
Lol.
You sound like a complete corporate shill.
Let me guess... You have to wear a suit to work everyday, because a "manager" told you to?
Gee, how did I know???
Sad article, they didn't even show us the command!
Was it "chsh -s dash www_data"?
AC here, frequently a facetious troll, but seriously, is that ABI guarantee that reliable ?
This so much. Why do we have to hear about the Linux garbage? It hasn't been a relevant OS for ages.
BSD for the servers, Windows for the desktop. These are the professional choices.
Dude, they patched 3500 linux servers in two hours from a command line because they have good automation tools.
Perhaps you're just too fucking stupid to understand why this is interesting.
If so, then kindly shut the fuck up and go watch cat videos and leave the rest of us to not have to put up with your bullshit.
Apple is mainly a propaganda company, so that's no surprise. I always enjoy Linux propaganda for its amateur style and heavy use of hyperbole.
I know nothing about IKEA's Linux setup and didn't see the talk, but "one-line Linux command" sounds like the wrong approach to something like this, at least if that command directly manipulates something on each server. Shell commands that an administrator issues interactively on a terminal can't be reproduced, tracked, or documented automatically. The right thing to do would probably be to change some "bash_version" parameter in the puppet hiera/chef/whatever configuration management system they use, from where the change will automatically be applied on all nodes, or use an internal rpm/yum server that all nodes install from automatically (governed, again, by the configuration management system) and upload the patched bash rpm to that.
I like Apple propaganda. And hypnotoad.
If tugboats were bigger, they could be the boats that tugboats tug.
It was in Perl:
./update-all-3500-servers-at-once.pl
one line.
Slashdot, fix the reply notifications... You won't get away with it...
The article did not say what it was, but anyone with Red Hat experience already KNOWS this...
As root do
"yum update"
Two words, that is it.
"I don't pitch OpenSUSE Linux to my friends, i let Microsoft do it for me
Why use a oneliner, and what is in that oneliner? /usr/local/bin/IKEA-Update is also a oneliner.
I would use a script or a program to run it. That can be run as a 'oneliner'.
It is also not important what is in that oneliner. Is it the standard update, or does it contain their own command with 360 different programs in it, subroutines and numerous other points of failure?
Don't fight for your country, if your country does not fight for you.
Seriously, this is an embedded ad for RHEL. There is no technical information beyond the fact that they use Linux computers. The rest is all marketing for a Linux OS product. I hope eWeek, IKEA and /. at least got paid for this.
Professionals look and dress like professionals. If you insist on wearing grubby t-shirts and faded jeans at work don't be surprised if you're always kept out of the loop, never ever considered for promotion and ultimately the first to be let go when downsizing.
OMG, IKEA uses RH enterprise support for managing their servers... Slash *used* to be news for nerds. I have used scripts, after that RunDeck and now Ansible + Debian. And they do not need a subscription and better yet, are *distribution agnostic*.
Well, I sure as hell wouldn't run that on all my production systems without a wee bit of testing first...
Oh arse
# find /placewithtaxes -iregex ".*\(money\|geld\|argent\).*" -exec mv '{}' /offshore \;
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Sad but true. If you want to get taken seriously you need to put your costume on.
Now I wonder if the clowns over here in Circus America are too proud and stubborn to take some hints.
That's exactly how all sysadmins of the world did the upgrade. Or does anyone think sysadmins go system by system and apply the upgrade 3000 times?
Most people didn't even have to issue any command.... Just approve a new package to be rolled out.
Can't understand what's amusing about this article, apart from an obvious Red Hat ad placement.
No, seriously, I was at that talk. The command was ./patch. But the talk was about explaining how they got to that point. The video is on the Red Hat Summit YouTube channel, too.
In the heyday of Y2K remediation, I helped set up a push of a SOE to 275,000 distributed PCs in a weekend. It went off without a hitch. Management was happy, but the cries of thousands of employees who lost all their personal files and documents were ignored.
If you are willing to be heavy handed and brutal, you can accomplish miracles. Surely there is no news in that.
But but but...there's no way our culture would be so shallow!
It's not that it's impossible to succeed while badly dressed, you're just throwing a roadblock in front of yourself. John Carmack (e.g.) gets to wear whatever he wants. J. Random Linuxuser should be wearing CK or better.
Any chance for a link to the video?
Free Pie! The Pie is Also Evil!
https://www.youtube.com/watch?...
-- Red Hat security in a post-Shellshock world - 2015 Red Hat Summit
My one line command was apt-get upgrade
But YMMV if you use Red Hat based distros like IKEA.
With 3500 servers, its probably worth setting up your own package archive. Then the command to patch all the servers would most likely be pushing your tested and approved package to your local archive to be pulled by all the production servers on their next poll for updates.
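As an added example (not IKEA's, Red Hat's or the article's code) of what the "command to patch all the servers" described above could look like once the tested package sits in the local repository: a staged roll-out that updates a canary batch first, aborts if any canary fails, and verifies each host by the package it reports installed. The hosts file, non-interactive ssh/sudo access, and the EXPECTED_BASH value are assumptions; the latter is a placeholder for the vetted build's NVR.

```shell
#!/usr/bin/env bash
# Added example, not IKEA's or Red Hat's code. Assumes: a hosts file with one host per
# line, non-interactive ssh + sudo to each host, and a local yum repo already carrying
# the tested bash build. EXPECTED_BASH is a placeholder for that build's NVR.
EXPECTED_BASH="${EXPECTED_BASH:-bash-EXPECTED-NVR-PLACEHOLDER}"
CANARY_COUNT="${CANARY_COUNT:-5}"   # hosts patched before the rest of the fleet

# run_remote HOST CMD: run CMD on HOST. Kept as a function so it can be replaced
# by a stub when exercising the roll-out logic offline.
run_remote() {
  ssh -o BatchMode=yes "$1" "$2"
}

# patch_host HOST: pull the update from the repo, then verify what got installed.
patch_host() {
  local host=$1 installed
  run_remote "$host" "sudo yum -y -q update bash" || return 1
  installed=$(run_remote "$host" "rpm -q bash") || return 1
  [ "$installed" = "$EXPECTED_BASH" ]
}

# patch_fleet HOSTFILE: canaries first; any canary failure aborts with status 2.
# After the canaries, failures are counted and reported; status 1 if any failed.
patch_fleet() {
  local hostfile=$1 host n=0 failed=0
  while read -r host; do
    [ -n "$host" ] || continue
    n=$((n + 1))
    if patch_host "$host"; then
      echo "ok   $host"
    else
      echo "FAIL $host"
      failed=$((failed + 1))
      if [ "$n" -le "$CANARY_COUNT" ]; then
        echo "canary $host failed, aborting before the rest of the fleet"
        return 2
      fi
    fi
  done < "$hostfile"
  echo "$n hosts, $failed failed"
  [ "$failed" -eq 0 ]
}

# Usage: ./patch hosts.txt   (with no argument only the functions are defined)
[ "$#" -gt 0 ] && patch_fleet "$1"
```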
Yes, nothing like running thousands of machines without support from the OS devs. Lots of fun...
I see Joshua Bressers talking not Magnus Glantz.
Close - but it's not that video, that one is (Joshua Bresser's presentation ), the article refers to Magnus Glantz & Mattias Haern's presentation.
Can't see their video in RedHat's list though.
well... sort of.
Except the article says that they're using Red Hat Satellite - so the updates were probably pushed from there.
Building systems that are secure is not hard. Implementing grsecurity.net patching on all servers, running nginx under chroot jail environments, using ssh whitelisting to prevent random IPs from entering your ssh server. These are pretty standard things. How does a user escalate privileges when they can't see any process outside their own, or can't compile and execute a piece of code outside the trusted paths of /usr/bin, /bin, etc? How do stack overflow exploits happen if the kernel prevents them (grsec)? Things like "shellshock" and whatever the new thing coming out is, these things don't matter when the user doing the attacking has no access to do anything except log in and log out from the shell.
Very true. But that also means that you will stay at a company that thinks like that, and that promotion is more likely to be to a useless middle manager position with a raise that isn't proportional to the increased workload.
Bad leaders don't recruit internally to management positions and they will focus more on appearance than performance.
Then again, a job at a badly run company is better than no job at all.
In my experience vendor that is all suited up and has a perfect smile does this to compensate for lack of competence. Usually the suit is just a salesperson and then you get to talk to someone who actually knows something.
In the cases where companies have been all suits they have also been pretty sketchy. (Probably outright criminal but I didn't investigate further.)
Step One
Step Two
That's patching it the smart way.
https://www.youtube.com/watch?v=tke07oW5zN4
You're welcome.
Except these good automation tools were available for the past 10 years. If they showed this to me in 2005 I would be very impressed. Now it's easy to do for almost anyone. Cobbler for provisioning and puppet for config management work wonders. I didn't work with new config management frameworks (salt, chef etc) so I can't comment on them, but I heard they are even better.
It's not a Red Hat based distro, it's just a Red Hat distro.
"The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years."
And why I regard DevOps as a disaster in the making. While "DevOps" isn't bad for small companies, like ones I've worked for, where you 'wear many hats' or a rapidly moving R and D environment it is very dangerous in a real production environment. Of course clueless management will use "DevOps" as a cost cutting measure and then after the disaster fire everyone and outsource everything, often with even worse results, for what is essentially bad management.
But hey, they were Agile, Nimble, flexible, idiot sourced, and buzz word compliant.
putting the 'B' in LGBTQ+
Is a video of the presentation available online? So far, I've only found the entry of the presentation in the agenda for the redhat summit.
That only does one machine. Neither apt-get nor yum will log in to the other 3499 machines.
Perhaps you thought he was giving a presentation on "How to upgrade one machine".
IKEA has a RHEL server for every 42 employees (fewer than that, actually, because they have 'more than' 3500 servers, not 'just' 3500).
I know they have factory operations, online presence, corporate accounting/CRM, multiple regions and locations across the globe, but still, that's just the RHEL ones, not the servers they no doubt have that run Windows or a flavor of *nix other than RHEL... wtf?
Go to satellite, click on errata, set it to update. If you have it set up for communications Ikea would probably have been done in a half hour at the most. Otherwise, when they check in. Up to 4 hours later.
What's the big deal?
That article in the link is one of the worst I have ever read. No details are given about how they patched their systems. I'm assuming (like others) that they used "yum" to install the update. But no details are given about exactly what they did or how they handled it. Don't waste your time with the link.