How IKEA Patched Shellshock

jones_supa writes: Magnus Glantz, IT manager at IKEA, revealed that the Swedish furniture retailer has more than 3,500 Red Hat Enterprise Linux servers. With Shellshock, every single one of those servers needed to be patched to limit the risk of exploitation. So how did IKEA patch all those servers? Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming." On a more serious note, he said that it took approximately two and half hours to upgrade their infrastructure to defend against Shellshock. The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years.

What was the command?

[Anonymous Coward]

I imagine it was sudo rm -rf /, but I could be way off.

Re:

[Joe_Dragon]

yum update -y && reboot

Re:What was the command?

[hawguy]

yum update -y && reboot

You're going to type that on 3500 servers?

I think you'll want to use your configuration management platform to kick off the update. That's how we did it -- applied the update to the dev servers, did some testing, then the same to qa, then preprod, then finally to the production servers. Took us more than 2.5 hours to test and validate everywhere, but actually pushing out the patch to 1200 servers was a single line command.

Re:

[pz]

Indeed, you definitely do NOT want hundreds-to-thousands of servers doing an update all at the same time, or, worse, rebooting all at the same time. The first has the potential to saturate your network and bring the entire setup to its knees, and the second will blow your rack supplies. I speak from experience on the latter, having been the one who identified the issue with our weekly DB scrubbing procedure once the company I was working for grew to more than a half dozen servers.

You want to stagger thing

Re:

[neurovish]

Indeed, you definitely do NOT want hundreds-to-thousands of servers doing an update all at the same time, or, worse, rebooting all at the same time. The first has the potential to saturate your network and bring the entire setup to its knees, and the second will blow your rack supplies. I speak from experience on the latter, having been the one who identified the issue with our weekly DB scrubbing procedure once the company I was working for grew to more than a half dozen servers.

You want to stagger things by a few 10s of seconds per server on each rack to avoid power supply issues.

Man....I'd forgotten about the PDUs. Had that problem at one place where I brought down the DMZ because I rebooted a server. Fortunately that got a much needed datacenter review underway and people started distributing power correctly.

Re:

[dreamchaser]

In some enterprise shops it is just SOP to reboot, usually a policy written by some change management managerial type who doesn't know when a reboot is actually required.

Re:

[Anonymous Coward]

Rebooting regularly is good practice to ensure your servers are capable of coming back up if something accidentally knocks them down unexpectedly. See also Netflix's Chaos Monkey for a different but similar concept.

Re:

[neurovish]

Here, scheduling the reboot of the 900 servers was the longest part of that patching effort.

O'Reilly? You had to reboot? And you still get paid as a sysadmin?!!(sigh).

Demonoid-Penguin - moderating (the non-stupid).

If you're just running a generic "yum update", then you have pretty good chances a new kernel will be pulled in...so yeah a reboot was probably called for.

Re:

[Trogre]

Well I'd wrap it in a loop of some kind:

for host in `cat /dev/storage/admin/servers.dat`; do ssh root@$host "yum update -y && reboot"; done

Re:

[hawguy]

Well I'd wrap it in a loop of some kind:

for host in `cat /dev/storage/admin/servers.dat`; do ssh root@$host "yum update -y && reboot"; done

You're going to watch the output for 1000+ servers to see which ones failed?

Re:

[sys64764]

duh yeah! Thats why we have intern's!

Re:

[Trogre]

Well, no. You'd run that inside a screen session, and with an ampersand not a semicolon.

Re:

[cinky]

And how will you handle output from those servers? random errors? or will you just fire it up and hope for the best? I'd suggest using puppet or some similar configuration management tool...

Re:

[psyclone]

pdsh FTW

Re:

[Acid-Duck]

Why not do it the way our ancestors did it? :P

for i in $(cat ips.txt); do
XXXXXXXXX
done;

Re:

[TCM]

You mean in an amateurish way that can overload shell buffers?

Try

while read i; do ...; done < ips.txt

or

xargs ... < ips.txt

Re:

[fisted]

while read i; do ...; done < ips.txt

How amateurish to spawn an unnecessary subshell.

xargs ... < ips.txt

Yes.

Re:

[TCM]

Not so fast, Sherlock.

xargs doesn't handle shell functions, only external binaries.

Re:

[fisted]

Well I don't know your preferred shell, but I suspect updating servers isn't implemented as shell built-ins, so we're good ;)

Re:

[Acid-Duck]

Cool story, bro.

Re:What was the command?

[pmgst17]

The article says they're using a Red Hat Satellite server and so if they wanted to run `yum update -y && init 6` on all of their systems, they could just push that out as a remote command to the systems / groups of systems. In Satellite, you can push out remote commands to groups of systems, so if they have their systems grouped, it would be an easy process to push that command to all of their systems.

Re:

[lucm]

this is why God invented Ansible.

Re:

[rossz]

We're currently evaluating Ansible. I expect us to make the switch permanently as part of our move to docker containers. Currently, our puppet manifests are unwieldy and a biatch to maintain.

Re:

[Jupix]

If you don't mind my asking, what's the difference between QA and preprod for you?

Re:

[paradxum]

ok fine... try:

for i in {1..3500}; do ssh server$i yum update -y; ssh server$i reboot; done

better?

Re:

[MobileTatsu-NJG]

Your joke mighta been funny if it had contained a humorous punchline.

Re:

[ArcherB]

yum update -y && reboot

Actually, it kicked off a bash script that consisted of 100,000 commands that took a team of programmers six months to write and debug. But to him, management, it was just a single command that he typed in and took all the credit.

(it's a joke people)

Re:

[amiga3D]

I like Apple propaganda. It's much better than that awful Windoze propaganda.

Re:

[spongman]

I like Apple propaganda. And hypnotoad.

Someone post the one line command...

[SeaFox]

Let's save ourselves from unnecessary clickbait.

Re: Someone post the one line command...

[Anonymous Coward]

The video is on the summit YouTube channel, but the command was ./patch

I was there too, it was a really good presentation.

Re:

[MobileTatsu-NJG]

You're averse to clickbait so you fequent Slashdot?

They Were Only Able to Do It

[Greyfox]

They were only able to do it because they already had an affordable, high quality krampfor on hand. The whole thing would have fallen apart if not for that.

stage management

[PopeRatzo]

The moment would have been perfect if he'd just dropped the mic.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:a solid business model helps.

[Shinobi]

If you have troubles putting together IKEA furniture, I imagine Duplo LEGO would be out of your league too...

Re:

[Bob the Super Hamste]

Well got the joy of putting together an IKEA loft bed without instructions. The model isn't sold anymore, I couldn't find the instructions online, and to add further insult to injury I didn't even have a picture of what is was suppose to look like. I did get it together correctly but it took longer than it should have, especially since I was initially told it was a bunk bed. The lesson I learned from that was don't let the wife buy stuff from her friends that I will have to deal with.

Re:

[Bob the Super Hamste]

Well they had lots of the older instructions online but not for this loft bed. It just may have been too old for even that. I really haven't had a complaint about their stuff in general and even have some of their inexpensive pine shelves. By the way their pine furniture looks awesome if you sand it, stain it, and apply a couple of coats of poly, and while it is a bit more expensive than the particle board stuff it is a lot nicer especially with a good finish applied and will last longer.

Yes I realize thi

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[LongearedBat]

Sooo... you're a software developer, right?

Re:

[JakartaDean]

Only because I don't have mod points. I was laughing out loud 20 words in.

Configuration management

[rminsk]

So he is using some sort of configuration management. I modified and tested a puppet manifest and then deployed to to our production puppet server. Over the next 30 minutes I had updated over 1000 machines.

Re:

[silas_moeckel]

Shellshock took less than 4 hours to fix across 20k hardware boxes and many many vm's. Most of that was testing the puppet manifest.

Just like their furniture

[Tablizer]

How IKEA Patched Shellshock

By making the customers do most of it themselves.

Re:

[Tablizer]

Whaddya mean? They made me put in just about every screw and peg on a bookshelf I bought, not just the "last one". I wish it was only the last few.

Note they couldn't pack it into a flat box if they did much of the construction themselves.

In other news

[belthize]

Man holding hammer demonstrates ease of driving a nail into wood. Thousands holding screwdrivers are amazed.

Shellshock

[Anonymous Coward]

was is "chsh -s dash www_data"?

Re:

[account_deleted]

Comment removed based on user account deletion

News for nerds?

[ruir]

OMG, IKEA uses RH enterprise support for managing their servers... Slash *used* to be news for nerds. I have used scripts, after that RunDeck and now Ansible + Debian. And they do not need a subscription and better yet, are *distribution agnostic*.

Re:

[neurovish]

OMG, IKEA uses RH enterprise support for managing their servers... Slash *used* to be news for nerds. I have used scripts, after that RunDeck and now Ansible + Debian. And they do not need a subscription and better yet, are *distribution agnostic*.

Do you manage 3500 servers for a company with $32.65 billion in revenue?

Re:

[ruir]

Have you ever seen a devop presentation from facebook or better yet twitter techs? This piece of infomercial is rubbish.

Ob

[Hognoxious]

# find /placewithtaxes -iregex ".*\(money\|geld\|argent\).*" -exec mv '{}' /offshore \;

How quickly we forget Y2K

[anorlunda]

If the heyday of Y2K remediation, I helped set up a push of a SOE to 275,000 distributed PCs in a weekend. It went off without a hitch. Management was happy, but the cries of thousands of employees who lost all their personal files and documents were ignored.

If you are willing to be heavy handed and brutal, you can accomplish miracles. Surely there is no news in that.

Re:

[SuiteSisterMary]

I think the idea is, if you have a SOE from the get-go, you don't need to be brutal.

This is what Ops is really about

[plopez]

"The key was having a consistent approach to system management, which begins with a well-defined Standard Operating Environment (SOE). Additionally, Glantz has defined a lifecycle management plan that describes the lifecycle of how Linux will be used at Ikea for the next seven years."

And why I regard DevOps as a disaster in the making. While "DevOps" isn't bad for small companies, like ones I've worked for, where you 'wear many hats' or a rapidly moving R and D environment it is very dangerous in a real pro

With satellite, it's easy

[ebvwfbw]

Go to satellite, click on errata, set it to update. If you have it set up for communications Ikea would probably have been done in a half hour at the most. Otherwise, when they check in. Up to 4 hours later.

What's the big deal?

The solution?

[chris_clay]

That article in the link is one of the worst I have ever read. No details are given about how they patched their systems. I'm assuming (like others) that they used "yum" to install the update. But no details are given about exactly what they did or how they handled it. Don't waste your time with the link.

Re:that's it...thanks

[Vip]

I was there. It was said in a very joking manner. From the moment he started he showed his sense of humour.

In fact, his whole presentation was funny, amusing and had some good information.

The idea that he showed a one line command to patch wasn't the biggest shock of the talk. (Sorry, I don't recall the command.) It was the fact that he patches the 3,500 servers ONCE A MONTH. Straight into production. This caused some questions and discussion.

FTFA, "One of the potential challenges of constantly updating servers is the risk that applications break when new server operating system software is loaded. Glantz, however, isn't worried and noted that RHEL offers the promise of Application Binary Interface (ABI) compatibility across updates." The rest of his reasoning, and another amusing moment, is described at the end of the article.

Vip

Re: that's it...thanks

[Anonymous Coward]

./patch

but the interesting bit was the getting to that, yeah.

Re:

[JohnVanVliet]

the article did not say what it was , but anyone with redhat experience already KNOWS this
as root do ...
" yum update "

two words , that is it

Re:

[tomknight]

Well, I sure as hell wouldn't run that on all my production systems without a wee bit of testing first...

Re: that's it...thanks

[jrumney]

With 3500 servers, its probably worth setting up your own package archive. Then the command to patch all the servers would most likely be pushing your tested and approved package to your local archive to be pulled by all the production servers on their next poll for updates.

Re:

[cygnwolf]

Any chance for a link to the video?

Re:

[mrclevesque]

https://www.youtube.com/watch?... [youtube.com]

-- Red Hat security in a post-Shellshock world - 2015 Red Hat Summit

Re:that's it...thanks

[rtb61]

From the article the grandparent obviously did not read "Glantz showed a simple one-line Linux command and then jokingly walked away from the podium stating "That's it, thanks for coming," as the audience erupted into boisterous applause.". So in fact top notch people skills.

Re:

[Bert64]

What about files which don't contain a . character?

Re:

[Anonymous Coward]

We keep those.

Re: What was the command?

[jrumney]

For the more security conscious, a safer option is sudo dd /dev/zero /dev/sda

Re:

[fisted]

Real sysadmins

a) think before executing potentially disastrous commands, and therefore tend to not need the rm -i crutch
b) automate the repetitive parts of their jobs, in which rm -i obviously does not make sense
c) don't experiment around on production servers
d) have arranged their systems so that accidentally removing stuff can be recovered from.

Thanks for playing, though

Re:

[TCM]

If you alias rm to rm -i, what do you think rm -fr gets expanded to?

Could it be rm -i -fr in which case the -f overrides the -i anyway? Oh great sysadmin, can you clarify?

Re:

[TCM]

Are you referring to the zsh option which also wouldn't protect you from rm -fr /, funny man?

Re:

[stderr_dk]

mv *.* /dev/null

With only one matching file, you'll get:

mv: inter-device move failed: `foo.bar' to `/dev/null'; unable to remove target: Permission denied

If you got more than one file matching that pattern, you'll get:

mv: target `/dev/null' is not a directory

But thanks for playing...

Re:

[hcs_$reboot]

It was in Perl:
./update-all-3500-servers-at-once.pl
one line.

Re:

[Mats Svensson]

If tugboats were bigger, they could be the boats that tugboats tug.

Re: Ikea running RH?

[Anonymous Coward]

Professionals look and dress like professionals. If you insist on wearing grubby t-shirts and faded jeans at work don't be surprised if you're always kept out of the loop, never ever considered for promotion and ultimately the first to be let go when downsizing.

Re:

[goarilla]

Sad but true. If you want to get taken seriously you need to put your custom on.

Re:

[cinky]

yes, nothing like running thousands of machine without support from the OS devs. lot's of fun...

Re:

[Anonymous Coward]

So, what you are saying is I haven't bothered to read anything, or look at anything, but here is my completely irrelevant opinion?

Man, this place used to be something...

Re:

[multi io]

I would've "bothered", but the talk isn't available online, apparently. So by your logic, nobody should comment anything here. Or /. shouldn't link to articles that are essentially just teasers.

Re:

[Dog-Cow]

You and the mod who chose Interesting are fucking idiots. Go kill yourselves to make the world a better place.

Re:

[ruir]

Oh, but there is of course. We upgraded our 3k servers easily because we have a RH enterprise account. ;) The only interesting bit was we have all the procedure documented, but then they contradicted himselves and say the man goes full comando and updates everything live without testing. Apart from that, it is drivel.

Re:

[AK Marc]

the man goes full comando and updates everything live without testing.

That's an assumption on your part. Sure, it may be implied, but isn't confirmed. I've seen places large enough that their OS provider would test on their behalf. So he can claim "no testing" and the answer is it was tested. Well tested. I've seen it done before.

Re:

[silas_moeckel]

You have obviously never worked with your average big corp windows admin.