Slashdot Mirror


How IKEA Patched Shellshock

jones_supa writes: Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming." On a more serious note, he said that it took approximately two and half hours to upgrade their infrastructure to defend against Shellshock. The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years.

20 of 154 comments

  1. Re:What was the command? by hawguy · · Score: 4, Informative

    yum update -y && reboot

    You're going to type that on 3500 servers?

    I think you'll want to use your configuration management platform to kick off the update. That's how we did it -- applied the update to the dev servers, did some testing, then the same to qa, then preprod, then finally to the production servers. Took us more than 2.5 hours to test and validate everywhere, but actually pushing out the patch to 1200 servers was a single line command.

  2. Re:What was the command? by Acid-Duck · · Score: 2

    Why not do it the way our ancestors did it? :P

    for i in $(cat ips.txt); do
    XXXXXXXXX
    done;

  3. Re:that's it...thanks by Vip · · Score: 5, Interesting

    I was there. It was said in a very joking manner. From the moment he started he showed his sense of humour.

    In fact, his whole presentation was funny, amusing and had some good information.

    The idea that he showed a one line command to patch wasn't the biggest shock of the talk. (Sorry, I don't recall the command.) It was the fact that he patches the 3,500 servers ONCE A MONTH. Straight into production. This caused some questions and discussion.

    FTFA, "One of the potential challenges of constantly updating servers is the risk that applications break when new server operating system software is loaded. Glantz, however, isn't worried and noted that RHEL offers the promise of Application Binary Interface (ABI) compatibility across updates." The rest of his reasoning, and another amusing moment, is described at the end of the article.

    Vip

  4. stage management by PopeRatzo · · Score: 2

    The moment would have been perfect if he'd just dropped the mic.

    --
    You are welcome on my lawn.
  5. Re:What was the command? by pmgst17 · · Score: 4, Informative

    The article says they're using a Red Hat Satellite server and so if they wanted to run `yum update -y && init 6` on all of their systems, they could just push that out as a remote command to the systems / groups of systems. In Satellite, you can push out remote commands to groups of systems, so if they have their systems grouped, it would be an easy process to push that command to all of their systems.

  6. Re:that's it...thanks by rtb61 · · Score: 4, Insightful

    From the article the grandparent obviously did not read: "Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating 'That's it, thanks for coming,' as the audience erupted into boisterous applause." So in fact top notch people skills.

    --
    Chaos - everything, everywhere, everywhen
  7. a solid business model helps. by nimbius · · Score: 4, Funny

    if it's anything like my general Ikea experience, I'm sure the security ops team was handed a cardboard box labelled "Schelli schocc" with a 7 page manual full of bloated looking stick figures and a tiny hex wrench. they were then left to figure it out over a long night of busted knuckles and impromptu invented curse words. by dawn, either the prod environment passed a nessus scan or they'd built a bed...or both.

    --
    Good people go to bed earlier.
    1. Re:a solid business model helps. by Shinobi · · Score: 4, Insightful

      If you have troubles putting together IKEA furniture, I imagine Duplo LEGO would be out of your league too...

    2. Re:a solid business model helps. by Bob+the+Super+Hamste · · Score: 2

      Well, I got the joy of putting together an IKEA loft bed without instructions. The model isn't sold anymore, I couldn't find the instructions online, and to add further insult to injury I didn't even have a picture of what it was supposed to look like. I did get it together correctly but it took longer than it should have, especially since I was initially told it was a bunk bed. The lesson I learned from that was don't let the wife buy stuff from her friends that I will have to deal with.

      --
      Time to offend someone
  8. Re:Now we have ad-news? by amiga3D · · Score: 2

    I like Apple propaganda. It's much better than that awful Windoze propaganda.

  9. Re:What was the command? by hawguy · · Score: 2

    Well I'd wrap it in a loop of some kind:

    for host in `cat /dev/storage/admin/servers.dat`; do ssh root@$host "yum update -y && reboot"; done

    You're going to watch the output for 1000+ servers to see which ones failed?

  10. Re:What was the command? by TCM · · Score: 2

    You mean in an amateurish way that can overload shell buffers?

    Try

    while read i; do ...; done < ips.txt

    or

    xargs ... < ips.txt

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  11. Just like their furniture by Tablizer · · Score: 3, Funny

    How IKEA Patched Shellshock

    By making the customers do most of it themselves.

  12. In other news by belthize · · Score: 4, Insightful

    Man holding hammer demonstrates ease of driving a nail into wood. Thousands holding screwdrivers are amazed.

  13. Re:Now we have ad-news? by spongman · · Score: 2

    I like Apple propaganda. And hypnotoad.

  14. Re: Ikea running RH? by Anonymous Coward · · Score: 2, Insightful

    Professionals look and dress like professionals. If you insist on wearing grubby t-shirts and faded jeans at work don't be surprised if you're always kept out of the loop, never ever considered for promotion and ultimately the first to be let go when downsizing.

  15. Re:What was the command? by Jupix · · Score: 2

    If you don't mind my asking, what's the difference between QA and preprod for you?

  16. Re:What was the command? by sys64764 · · Score: 2

    duh yeah! That's why we have interns!

  17. Re:What was the command? by pz · · Score: 2

    Indeed, you definitely do NOT want hundreds-to-thousands of servers doing an update all at the same time, or, worse, rebooting all at the same time. The first has the potential to saturate your network and bring the entire setup to its knees, and the second will blow your rack supplies. I speak from experience on the latter, having been the one who identified the issue with our weekly DB scrubbing procedure once the company I was working for grew to more than a half dozen servers.

    You want to stagger things by a few 10s of seconds per server on each rack to avoid power supply issues.

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
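The points raised in this part of the thread (read the host list with `while read` rather than `$(cat ...)`, stagger hosts within a rack so a whole rack does not reboot at once, and record which of 1000+ hosts failed instead of watching the output) combined into one script. This is an added example, not code from the thread, from IKEA or from Red Hat Satellite. Everything in it is hypothetical: the "rack host" line format of the host list, the `run_on_host` hook (simulated here so the script runs offline; a real hook would run the thread's `yum update -y && reboot` over ssh), and the `patch-results.txt` log.

```shell
#!/bin/sh
# Added example, not code from the Slashdot thread or from IKEA: a staggered
# patch loop that reads the host list with `while read`, pauses between hosts
# that share a rack, and records OK/FAIL per host so nobody has to watch the
# output of 1000+ sessions.
#
# Hypothetical assumptions: the host list has one "rack host" pair per line;
# run_on_host is the hook that executes the patch command on one host. The
# hook below is a simulation so that the script runs offline; for real use it
# would be something like:  ssh "root@$2" "$PATCH_CMD"

PATCH_CMD="${PATCH_CMD:-yum update -y && reboot}"   # the command from the thread
STAGGER_SECS="${STAGGER_SECS:-30}"                  # pause between hosts in one rack
RESULTS="${RESULTS:-patch-results.txt}"             # per-host outcome log (hypothetical)

# run_on_host RACK HOST -> 0 on success, non-zero on failure.
# Simulated (constructed): any host whose name contains "bad" fails.
run_on_host() {
    case "$2" in
        *bad*) return 1 ;;
        *)     return 0 ;;
    esac
}

# patch_hosts HOSTFILE -> exit status = number of failed hosts (the shell caps
# it at 255); details go to $RESULTS as "OK rack host" / "FAIL rack host".
patch_hosts() {
    hostfile="$1"
    failed=0
    prev_rack=""
    : > "$RESULTS"
    # `while read` streams the file instead of expanding $(cat ...) onto a
    # single command line, so the length of the list does not matter.
    while read -r rack host; do
        case "$rack" in ''|'#'*) continue ;; esac   # skip blanks and comments
        # Stagger within a rack so the rack's power supplies and the network
        # do not take every update and reboot at the same instant.
        if [ "$rack" = "$prev_rack" ]; then
            sleep "$STAGGER_SECS"
        fi
        prev_rack="$rack"
        if run_on_host "$rack" "$host"; then
            printf 'OK   %s %s\n' "$rack" "$host" >> "$RESULTS"
        else
            printf 'FAIL %s %s\n' "$rack" "$host" >> "$RESULTS"
            failed=$((failed + 1))
        fi
    done < "$hostfile"
    return "$failed"
}

# failed_hosts -> prints the hosts recorded as FAIL, one per line.
failed_hosts() {
    awk '$1 == "FAIL" { print $3 }' "$RESULTS"
}

# write_sample_hosts FILE: a constructed three-host list for trying the script.
write_sample_hosts() {
    cat > "$1" <<'EOF'
# rack host
r1 web01
r1 web02-bad
r2 db01
EOF
}

# Usage:  sh patch-loop.sh hosts.txt      (real list, real hook)
#         sh patch-loop.sh --demo         (constructed list, simulated hook)
if [ "$#" -gt 0 ]; then
    if [ "$1" = "--demo" ]; then
        write_sample_hosts /tmp/sample-hosts.txt
        STAGGER_SECS=0
        patch_hosts /tmp/sample-hosts.txt
    else
        patch_hosts "$1"
    fi
    echo "failed hosts:"
    failed_hosts
fi
```

With the constructed sample list the run records two OK lines and one FAIL line, `failed_hosts` prints `web02-bad`, and the exit status of `patch_hosts` is 1, so a wrapper (or the Satellite job mentioned elsewhere in the thread) can tell at a glance whether anything needs a second look. The stagger only applies between consecutive hosts of the same rack; sorting the list by rack before running it gives the spacing pz describes.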
  18. Re:What was the command? by TCM · · Score: 2

    If you alias rm to rm -i, what do you think rm -fr gets expanded to?

    Could it be rm -i -fr in which case the -f overrides the -i anyway? Oh great sysadmin, can you clarify?

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6