Application Cloud Readiness Checklist

by Thomas Orozco on Sep 30, 2014 8:00:00 AM

“Is this app ready to be deployed to cloud?”

If your organization is planning a migration to cloud (and today, who isn’t?), this is a question you’re going to ask a lot. But how do you tell? Look no further: here’s a checklist of what you’ll need to validate before you can label an app “cloud-ready!"


1. Is the deployment of your app automated?

Read More

Topics: DNS, Tips, Cloud Native, DevOps, Lifecycle Management

Upgrade Bash and Address CVE-2014-6271 ("Shellshock") now with Scalr

by Thomas Orozco on Sep 24, 2014 4:58:00 PM

Earlier today, it was discovered that bash (the “Bourne-again shell”) was susceptible to remote code execution.

The vulnerability (CVE-2014-6271) is triggered when bash is called with specially-crafted environment variable values (which, unlike environment variable names, aren’t usually validated!).

To check whether a given system is affected, you can run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 

Just How Bad Is This?

Very bad. Passing user-provided information through environment variables is in fact pretty common (it’s done in CGI scripts with HTTP_* variables for user-provided headers, in SSHD with SSH_ORIGINAL_COMMAND, etc.).

What’s more, on RHEL, bash is the default shell, which means that all your calls to system (e.g. any Python that uses os.system, etc.) go through bash (and are therefore vulnerable). So even if you are not directly using bash, you might still be (indirectly) vulnerable.

If you are using Debian or Ubuntu, your attack surface is slightly more limited, because the default shell is dash, not bash. That is not to say this is a minor vulnerability, though — you should nonetheless upgrade immediately.

Upgrade Bash Now

To upgrade your systems, you can use the following script (use One-Off Script Execution). It’ll detect the package manager you’re using, update bash, and run a test (it’ll exit with 0 if the update was successful, 1 if you’re still vulnerable).

Check your Scripting Logs to ensure that the vulnerability is gone.


Ensure the vulnerability doesn’t come back to haunt you!

You can use Global Orchestration (a new Scalr 5.0 feature) to ensure that the aforementioned script runs on all your instances (preferably upon HostInit), so that bash is updated at startup on all your systems.

Update: Bash still vulnerable

The fix released by the bash maintainer earlier today did not entirely address the issue, and you should need run another update (consider updating the is_vulnerable function with the code linked here, which will let you know whether you are still vulnerable).

Does This Vulnerability Affect Scalr?

This vulnerability doesn’t affect Scalr directly, but it does affect the servers you are managing through Scalr.

Read More

Topics: Technical, Security, Tips

AWS Massively Rebooting Instances - What you need to know

by Thomas Orozco on Sep 24, 2014 12:53:00 AM

Earlier today, AWS announced that it would begin rebooting instances across its EC2 service over the coming days, likely in order to patch its underlying (Xen) hypervisors. This maintenance event is happening on very short notice; here’s what you need to know as an AWS (and Scalr) customer.

What You Need To Know

With earlier AWS maintenance events, it was possible to stop and restart an instance in order to have it migrate to a patched host (and avoid an uncontrolled reboot). This time, however, AWS is not guaranteeing that restarting an instance will have that effect.

Here’s why. AWS hosts can be split into two groups: hosts that have already been patched or don’t need the patch (let’s call these “good” hosts), and hosts that need the patch (let’s call these “bad hosts”).

If one of your instances is on a “bad host”, you’ll want to move it to a “good host” by stopping it and restarting it. Unfortunately, so does every other AWS customer. When the “good host” capacity runs out (and it may already have), instances you restart will land on “bad hosts” again, and will still have to go through a reboot.

Are Your Instances Affected?

You can view which (if any) of your instances are affected by logging in to the EC2 Console and opening the “Events” Tab. Be mindful that this may not be updated in real-time (though AWS is reportedly working on this).

Read More

Topics: Technical, AWS, Tips, Amazon

Deciphering VMware's OpenStack Play

by Thomas Orozco on Sep 23, 2014 8:00:00 AM

A couple weeks ago at VMworld, VMware announced that it was introducing “VMware OpenStack”, an integrated OpenStack release that is specifically designed (or configured?) to be deployed on a VMware virtualization layer (note: if you’re unfamiliar with what a “resource layer” is in this context, we encourage you to review this paper).

Is This New Software?

Not really. VMware OpenStack is essentially a repackaging of existing functionality and software. Indeed, OpenStack support for VMware virtualization is not new:

  • For compute virtualization, OpenStack Nova already supports VMware vSphere

  • For network virtualization, OpenStack Neutron already supports VMware NSX

  • For storage virtualization, OpenStack Cinder and Glance already support VMware VSAN and vSphere storage

So, in other words, OpenStack already had support for VMware virtualization software (and all of that is open-source), and therefore VMware OpenStack is not actually much more than an OpenStack distribution that is pre-configured to integrate with VMware virtualization software.

Then What is VMware’s Value Add?

The central value proposition of VMware OpenStack is to easily deploy OpenStack on an existing VMware “Software Defined Data Center” (SDDC); a VMware virtualized resource layer.

To that end, VMware provides an OpenStack installer (which ships as an OVF package). VMware argues it will let you trivially deploy OpenStack to an existing VMware infrastructure, configure it, and manage the controller services (to learn more, the SDDC2198 VMworld session includes a demo, and can be viewed online).

Note that, functionally, this is somewhat similar to what Mirantis provides with Mirantis Fuel.

Is It Still OpenStack When It’s VMware OpenStack?

Fundamentally, OpenStack’s functionality and core value proposition is to abstract away your virtualization infrastructure, and present standardized developer-friendly APIs.

Now, the APIs exposed by VMware OpenStack are the actual OpenStack APIs. So, yes, VMware OpenStack is in fact OpenStack. As such, it will be compatible with the ecosystem of tools that have been developed around OpenStack itself — including Cloud Management Platforms like Scalr.

Read More

Topics: OpenStack, Opinion, Cloud Platform, vCloud, Private Cloud, enterprise cloud, VMware

Announcing Scalr Cloud Management Platform 5.0

by Sebastian Stadil on Sep 16, 2014 3:00:00 AM

The hardworking team at Scalr is proud to announce the release of Scalr 5.0. This release furthers Scalr’s focus on the enterprise, with an emphasis on IT management and control, and new integration capabilities.

As with previous releases, Scalr 5.0 is licensed under the Apache 2.0 License. If you are a new user, you can download this new release now. If you’re already using Scalr, then head for the upgrade instructions on the Scalr Wiki.

Highlights of this release include:

Enhanced Enterprise Capabilities

Cost Analytics

First and foremost, Scalr 5.0 introduces Cost Analytics. Cost Analytics leverages the substantial amounts of infrastructure metadata generated by Scalr (such as “Who launched this instance?” or “What is this machine used for?”), and enables IT departments and their finance counterparts to use that metadata to better understand their costs across public and private clouds.

Cost Analytics is the result of close and intense collaboration with Scalr enterprise customers, and we’re delighted to be able to bring this new feature to our community of open-source users.

Policy Enforcement with Global Orchestration

When we introduced Scalr 4.5 in December 2013, two highlights of the release were Governance and Role-Based Access Control (RBAC). Governance enabled IT to control what cloud resources should be exposed to end-users (to e.g. prevent dev workloads from being deployed to a production network), and RBAC enabled IT to control permissions on a user basis (to e.g. restrict root access to instances to a specific group of users).

With Scalr 5.0, we’re adding a third layer of IT control: Global Orchestration. Using Global Orchestration, IT departments can centrally define IT policies that will be enforced at the instance level. Example use cases include deploying a standard firewall or authentication policy across all of the organization’s cloud resources, or enforcing the presence of auditing software.

Compliant Agent Upgrade Schedule with Custom Scalarizr Repositories

Scalr relies on an agent, Scalarizr, to remotely perform automation tasks on managed instances. Those tasks include deploying applications, enforcing policies using Global Orchestration, and more.

Up until Scalr 5.0, the Scalarizr agent was deployed through Scalr-managed repositories, whose upgrade schedule was sometimes incompatible with enterprise IT change management policies. Starting with Scalr 5.0, IT departments can manage their own Scalarizr repositories, and therefore control their organization’s agent upgrade schedule.

Facilitated Integration with Webhooks

As a Cloud Management Platform, Scalr is central to the provisioning and management of the cloud infrastructure at organizations that deploy it. It is therefore natural that these organizations need to integrate Scalr with other systems, such as change management databases, audit systems, and more.

With Scalr 5.0, we’re introducing a compelling and flexible solution: Webhooks.

Webhooks are outbound notifications that are delivered by Scalr to external systems whenever infrastructure events are triggered, such as when an instance is launched or decommissioned. Webhooks are dispatched as standard HTTP JSON requests, so that integration developers feel right at home when using them.

DevOps Enhancements

Of course, we didn’t forget about our audience of DevOps end-users with Scalr 5.0. Besides a ton bug fixes and enhancements (which were detailed on the Scalr Product Blog throughout the Scalr 5.0 development cycle), we’re introducing two major new features in this new release:

Read More

Topics: Announcements, Strategy, Features, Technical, Cost, Cloud Management, DevOps, Cost Analytics

Welcome to the Scalr blog!

We build a Cloud Management tool that helps businesses efficiently design and manage infrastructure across multiple clouds.

Here, we post about our experience working with the Cloud, and building Scalr. On average, we do that twice a week.

Sometimes, we'll also cover Cloud-related news.

Subscribe to Email Updates