Docker Machine on Scaleway

Docker Machine is a tool designed to manage Docker Engine setup on local and remote hosts. Docker Machine does all the host deployment work for you: it provisions the host, installs Docker Engine on it, and then configures the Docker client to talk to that Docker Engine.

We now provide a driver for Docker Machine to easily manage all your containers on Scaleway. Docker Machine can now be used to provision all your Docker hosts on our cloud platform!



blog.scaleway.com/2016/05/03/docker-machine-on-scaleway/

We now have PayPal

We'd like to use a work break in the middle of the holiday rush (happy past and upcoming holidays, by the way :)) to happily announce the long-awaited arrival of PayPal among the payment options of the CloudLITE service.
Enjoy!
cloudlite.ru/order/methods

By the way, if you can't find a payment method that suits you in our set, write and tell us what we should add, either in reply to this email or to sales@cloudlite.ru.

Take on Tableau's Big Data Viz Challenge



Google and Tableau have teamed up to create the first-ever European Big Data Viz Challenge.
Whether novice or expert, you’re invited to sign up and discover how easy it is to visualise insights from big data sets using the power of Tableau and Google Cloud Platform.

With Tableau, you can connect natively to Google BigQuery and Google Cloud SQL to analyse billions of rows in seconds without writing a single line of code. How you visually represent the data is up to you.

The winner gets a free pass and accommodation to attend Tableau Conference 2016 in Austin, Texas, in November, along with a tour of the Google Austin office. Finalists win free tickets to Tableau Conference On Tour London in June.

Everyone who takes part will receive complimentary GCP credits, a Tableau trial license, and the top 200 entries will be promoted on Tableau’s Public Gallery.
Submit your Viz by May 16th, 2016.

get.tableau.com/registration/bigdatachallenge.html?id=23112

Star Wars Day Special is Almost in Range



That’s No Moon… that’s a great deal!


Star Wars day is almost here – May the Fourth be with you!

Two things to know about us here at Namecheap: we love Star Wars and we love saving you money on our top-tier products. In honor of May the Fourth, aka Star Wars Day, you can get a .XYZ domain for our lowest price ever — just 44 cents – when you use the coupon code THEFOURTH. Be sure to check out the deals on all our products during this promo too.

This sale only lasts from Star Wars Day (May 4) through May 10 at midnight EST, and you may never again see prices this low – in any galaxy!

https://namecheap.com

Visualize 2016 election data with GCP and Bitnami



Join developers from GCP and Bitnami for a hands-on demo. We’ll analyze campaign fundraising data from the Center for Responsive Politics to show how you can convert terabytes of data into rich, interactive visualizations in minutes.
In this demo, you’ll learn how to deploy a Google BigQuery enterprise dashboard and use Re:dash, an open source data visualization tool packaged by Bitnami, to analyze campaign data–and see what it may reveal.

cloud.google.com/election-2016/

We’ve updated our Terms of Service policy — what you need to know

We’ve updated our terms of service to reflect our credit expiration policy and want to provide clarity around what types of credit will expire, and when. Here’s what you need to know:

  1. Promotional credit will expire 12 months after it has been issued or redeemed. This includes referral sign-up credit, promotion codes you’ve entered, or credit issued by DigitalOcean staff.
  2. Referral and SLA credit will now expire after 12 months of account inactivity, and no sooner than May 2017. This includes credits earned from referring customers to DigitalOcean and SLA credits.

If you're interested in reviewing a detailed explanation of the changes, be sure to read our terms of service changelog or our blog post.
www.digitalocean.com/company/blog/details-on-expiring-digitalocean-credits/

New photos. There was major maintenance work overnight

In 2012 I tried my hand at the tough business of hosting. I bought my first server on my wife's credit card :)
3.5 years have passed and I have 4 racks. The growth continues.
I had to grow gradually, starting from 1 rack that held the network switches, the servers and the storage systems. After a while this became a problem. There was nowhere left to plug anything in (the storage systems took up a lot of space), so I had to take new racks. From those, cables had to be run from the servers to the network equipment.
The decisive move was to shut down the entire infrastructure altogether for a total shake-up. The storage systems were moved into a separate, roomy rack with ample room for growth. The rack with the network equipment gained plenty of space for installing new servers; there is room to grow and a way to do it.

Photos below :)



We have expanded the list of supported PHP versions

We have expanded the list of supported PHP versions. Starting today, on all shared hosting plans you can choose PHP7 for your sites. Switching versions takes literally a couple of clicks.

In the hosting control panel, go to the WWW section, then open the WWW-domains subsection, select from the list the domain on which you plan to install PHP version 7, and click the Edit button. In the window that appears, in the PHP version field, select PHP 7.0 (alt) from the list.

PHP7 brings a great many useful features. Compared with the previous stable branch, PHP 5.6, the new PHP 7.0 interpreter is significantly faster, by at least 20-30%.

Protect yourself from SYN floods

Distributed Denial of Service (DDoS) attacks are becoming increasingly commonplace as business becomes more and more dependent on delivering services over the Internet. One of the most common types of DDoS attacks is the well-known SYN-flood attack. It is a basic end-host resource attack designed to bring your server to its knees. As a result, your server is unable to properly handle any new incoming connection requests.

SYN Protection in the past
In the past, major vendors mitigated SYN attacks using conntrack filtering on commodity or ASIC hardware. With Netfilter’s connection tracking system (conntrack), we can start filtering out false SYN-ACK and ACK packets before they hit the “listen” state lock. The conntrack system itself has a scalability problem (like the “listen” lock) when it comes to creating (or deleting) connections, and a SYN flood will hit exactly that.

Even after fixing the conntrack lock, the SYN packets will still be sent to the socket causing the “listen” socket lock to occur. The normal mitigation technique is to send SYN-cookies and avoid creating any state until the SYN-ACK packet is seen.

Unfortunately, SYN-cookies are sent under the same “listen” state lock, so the mitigation does not solve the scalability issue. How these limitations can be worked around will be discussed later.

SYNPROXY, New Filtering Era
With SYNPROXY we can get 20x the performance of the old technique by removing the “listen” state lock from the path and catching packets that the connection tracking system has categorized as “INVALID”, that is, not part of a known connection state. The matching against existing conntrack entries is very fast and completely scalable. The conntrack system actually does lockless RCU (read-copy update) lookups for existing connections.

Essentially, this solves all other TCP-flooding packets except SYN-flooding.

But now, how can we solve SYN-flooding?
SYNPROXY essentially does parallel SYN-cookies and does not create a conntrack entry before the SYN-ACK packet is received, thus avoiding the conntrack lock for new connections. Once the initial connection is established, the normal conntrack system takes over and does all the needed forwarding.

If you have CentOS 7 or any distribution with kernel > 3.13 and iptables 1.4.21 you have this module built-in.

To enable it we need to tweak sysctl.conf. Insert in /etc/sysctl.conf:
#SYN cookies
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_max_syn_backlog=4096
net.ipv4.tcp_syn_retries=5
net.ipv4.tcp_synack_retries=2

#SYNPROXY REQ
net.netfilter.nf_conntrack_tcp_loose=0
net.netfilter.nf_conntrack_max=2000000
net.ipv4.tcp_timestamps=1

#OPTIMIZE TCP
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
net.core.netdev_max_backlog = 250000


Now you can configure SYNPROXY using the public script available here:
github.com/netoptimizer/network-testing/blob/master/iptables/iptables_synproxy.sh

If you want to configure it yourself, go ahead with these steps:
Step #1: In the “raw” table, we need to make sure connections that need protection don’t create new conntrack entries for SYN packets.
# iptables -t raw -I PREROUTING -i $DEV -p tcp -m tcp --syn --dport $PORT -j CT --notrack


Step #2: Now we need to catch these packets and direct them to the SYNPROXY target module. To do this, use the following rule to catch UNTRACKED SYN and INVALID packets that contain the ACK from 3WHS (and also others, but they will fall-through).
# iptables -A INPUT -i $DEV -p tcp -m tcp --dport $PORT -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460


Step #3: Catch the INVALID state packets that fell-through the SYNPROXY module and drop those. Basically, this will drop SYN-ACK based floods.
# iptables -A INPUT -m state --state INVALID -j DROP
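
The three steps above as a dry-run generator, together with a check of the sysctl prerequisites. This is an added example, not part of the original post or the linked script; it extends the steps to several ports. The function names, the sample file and the eth0/80/443 values are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. It only prints; nothing is applied.

# Check that FILE sets the values SYNPROXY depends on (SYN cookies and the
# post's "#SYNPROXY REQ" keys). Prints each mismatch; returns 1 if any.
check_sysctl_file() {
    file=$1; rc=0
    for want in net.ipv4.tcp_syncookies=1 net.ipv4.tcp_timestamps=1 \
                net.netfilter.nf_conntrack_tcp_loose=0; do
        key=${want%%=*}; val=${want#*=}
        # Exact key match (no regex); the last assignment wins, as in sysctl -p.
        got=$(awk -F= -v k="$key" '{ gsub(/[ \t]/, "", $1)
            if ($1 == k) { v = $2; sub(/#.*/, "", v); gsub(/[ \t]/, "", v); r = v } }
            END { print r }' "$file")
        if [ "$got" != "$val" ]; then
            echo "$key: want $val, found ${got:-unset}"; rc=1
        fi
    done
    return $rc
}

# Print the rules from Steps #1-#3 for one interface and one or more ports.
synproxy_rules() {
    [ $# -ge 2 ] || { echo "usage: synproxy_rules DEV PORT..." >&2; return 2; }
    dev=$1; shift
    case $dev in ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $dev" >&2; return 2;; esac
    for port in "$@"; do
        case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 2;; esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 2; }
    done
    for port in "$@"; do
        echo "iptables -t raw -I PREROUTING -i $dev -p tcp -m tcp --syn --dport $port -j CT --notrack"
        echo "iptables -A INPUT -i $dev -p tcp -m tcp --dport $port -m state --state INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460"
    done
    # Step #3 is appended once, after every SYNPROXY rule: placed earlier it
    # would drop the handshake ACKs that SYNPROXY needs to see.
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
}

# Constructed sample input: a sysctl.conf fragment missing tcp_timestamps.
sample_conf() {
    printf '%s\n' '#SYN cookies' 'net.ipv4.tcp_syncookies = 1' \
        'net.netfilter.nf_conntrack_tcp_loose=0' 'net.netfilter.nf_conntrack_max=2000000'
}

tmp=$(mktemp); sample_conf > "$tmp"
check_sysctl_file "$tmp" || echo "fix sysctl settings before enabling SYNPROXY"
synproxy_rules eth0 80 443
rm -f "$tmp"
```

Review the printed rules, then run them as root; point check_sysctl_file at /etc/sysctl.conf to check the real configuration.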

Considerations when using SYNPROXY

Enabling SYNPROXY does come at a cost. The connection establishment phase is going to be slower due to the extra connection setup needed towards the end-host. When the end-host is localhost, this extra step is obviously very fast, but it nonetheless adds latency.

The parameters to the SYNPROXY target module must match TCP options and settings supported by the end-host that the TCP connections are being proxied for. Detecting and setting this up is manually done per rule setting. (A helper tool “nfsynproxy” is part of iptables release 1.4.21). This unfortunately means the module cannot be easily deployed in DHCP-based firewall environments.

PayPal acceptance resumed

PayPal acceptance has resumed.
At present, in accordance with Russian law (Federal Law No. 161-FZ of 27.06.2011 “On the National Payment System”), transfers of electronic funds between individual entrepreneurs, as well as between individual entrepreneurs and legal entities, are not possible.
As we understand it, this concerns transfers between Russian PayPal accounts.

BGP has been brought up in Moscow, for now on a private AS. This will allow any IP to be sent to a blackhole, so that no DDoS against that IP can saturate a link in the network. We are starting to automate this process.

The blackhole trigger threshold is currently set at 3 Gbps. We are working on making this value dynamically adjustable.