Peter Gale Apr 08 •
Announcements / Current System Status
RESOLVED - UPDATE at 08:45 PST, 15:45 UTC - April 9, 2014
This notice is to advise Joyent Public Cloud and Smart Data Center customers of the recently identified OpenSSL security issue CVE-2014-0160 (https://www.openssl.org/news/secadv_20140407.txt).
SmartOS users
If you use the images with their original pkgsrc repositories as intended, check which package repository your image uses by looking at /opt/local/etc/pkgin/repositories.conf. If your repository is any of the following, and you have installed the openssl package using pkgin, you are vulnerable:
You can check if OpenSSL is installed by running
pkgin ls | grep -i openssl
A patch has been prepared and updated packages have been built and added to the affected repositories as follows. The package name for each is shown alongside the repository name.
2012Q4 - openssl-1.0.1dnb3
2013Q1 - openssl-1.0.1enb1
2013Q2 - openssl-1.0.1enb2
2013Q3 - openssl-1.0.1enb3
2013Q4 - openssl-1.0.1fnb1
Customers can re-install OpenSSL with the following commands
pkgin -y up && pkgin -y in openssl
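The SmartOS check above as a script, added here as an example (not Joyent's tooling): it reads the repository quarter from repositories.conf, finds the installed openssl package in saved pkgin ls output, and compares its pkgsrc revision with the fixed build listed for that repository. The function names, the result labels, and the repository URL format in the sample are assumptions.

```shell
# Added example (not Joyent tooling). Fixed builds are copied from the advisory.
fixed_pkg_for() {
  case "$1" in
    2012Q4) echo openssl-1.0.1dnb3 ;;
    2013Q1) echo openssl-1.0.1enb1 ;;
    2013Q2) echo openssl-1.0.1enb2 ;;
    2013Q3) echo openssl-1.0.1enb3 ;;
    2013Q4) echo openssl-1.0.1fnb1 ;;
    *) return 1 ;;
  esac
}

# Quarter tag of the first uncommented repository line.
# Assumption: the repository URL carries the quarter (e.g. 2013Q3) in its path.
repo_quarter() {
  sed -n '/^[[:space:]]*#/d; s/.*\(20[0-9][0-9]Q[1-4]\).*/\1/p' "$1" | head -n 1
}

# pkgsrc revision suffix (nbN) as a number; 0 when the suffix is absent.
nb_rev() {
  case "$1" in *nb[0-9]*) echo "${1##*nb}" ;; *) echo 0 ;; esac
}

# $1 = repositories.conf, $2 = saved output of `pkgin ls`.
# Prints: not-installed | unknown-repo | fixed | needs-update | review
check_openssl() {
  inst=$(awk '$1 ~ /^openssl-[0-9]/ { print $1; exit }' "$2")
  [ -n "$inst" ] || { echo not-installed; return 0; }
  want=$(fixed_pkg_for "$(repo_quarter "$1")") || { echo unknown-repo; return 0; }
  if [ "${inst%nb[0-9]*}" != "${want%nb[0-9]*}" ]; then
    echo review        # different upstream version: compare by hand
  elif [ "$(nb_rev "$inst")" -ge "$(nb_rev "$want")" ]; then
    echo fixed
  else
    echo needs-update  # same upstream version, older pkgsrc revision
  fi
}

# Constructed sample input (hypothetical URL and package line, not a real host).
demo() {
  d=$(mktemp -d)
  echo 'http://pkgsrc.example.invalid/packages/SmartOS/2013Q3/x86_64/All' > "$d/repositories.conf"
  echo 'openssl-1.0.1enb2    Secure Socket Layer and cryptographic library' > "$d/pkgs.txt"
  check_openssl "$d/repositories.conf" "$d/pkgs.txt"
  rm -rf "$d"
}
demo   # prints needs-update
```

On a live instance, save pkgin ls output to a file and pass it together with /opt/local/etc/pkgin/repositories.conf to check_openssl.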
Please check the notices applicable to the Linux Distro you are using for the necessary remedial actions:
Centos/Red Hat/Fedora: https://rhn.redhat.com/errata/RHSA-2014-0376.html
Ubuntu: http://www.ubuntu.com/usn/usn-2165-1/
Joyent Manta, CloudAPI and Portal
Please be assured that the Joyent HTTPS endpoints for Manta, CloudAPI and the portal at https://my.joyent.com were not vulnerable to this issue.
Stingray Users
Stingray instances are NOT affected by this vulnerability.
Only versions v0.10.0 and v0.10.1 were affected; the latest stable release, v0.10.26, is not affected. None of the releases for v0.8 were affected.
Peter Gale Apr 05 •
Announcements / Current System Status
[This maintenance is now complete in all DCs.]
Joyent will be conducting routine maintenance on April 15-16, 2014, which will affect the availability of the Joyent API and the Joyent Portal (my.joyentcloud.com, my.joyent.com). The maintenance will be conducted on each data centre in turn over a 2 hour period. The maximum downtime of the API for each data centre will be 30 minutes. When the API is down, the portal will also not be able to create or manage VMs in that data centre.
This maintenance DOES NOT affect customer VMs. VMs will continue to work normally and can be accessed in the normal way.
The specific start time for each maintenance slot for each data centre is as follows.
eu-ams-1 : 15 Apr 14 19:00 PDT / 16 APR 14 02:00 UTC
us-east-1 : 15 Apr 14 19:30 PDT / 16 APR 14 02:30 UTC
us-sw-1 : 15 Apr 14 20:00 PDT / 16 APR 14 03:00 UTC
us-west-1 : 15 Apr 14 20:00 PDT / 16 APR 14 03:30 UTC
Peter Gale November 22, 2013 •
JoyentCloud Knowledge Articles / General Usage
As a valued customer of Joyent, we want to make sure you get the best possible service from us and that your investment in Joyent-based infrastructure is protected against failure and unauthorised access. The purpose of this article is to make sure that you are fully aware of the steps required to ensure recoverability and security of your VMs.
Our Terms of Service (http://www.joyent.com/company/policies/terms-of-service) sections 3.C and 3.D define your responsibility in the areas of Security and Data Preservation.
With regard to data preservation, as a minimum you need to implement the following to ensure your data is recoverable in the event of a system failure.
- Take regular backups and move those backups off the VM to some form of secondary storage. This could be to one of our secondary storage options such as Manta (http://www.joyent.com/products/manta) or to a machine in another physical location such as your own premises or another one of Joyent's Data Centers.
- Ensure you use the appropriate tools for your backups. Flat files can be backed up using commands such as tar, zip etc. Database systems need to be backed up using the tools recommended for the specific system. Consult the documentation for the systems you use to determine the correct backup method.
- Take backups at a frequency that will minimise data loss in the event of a failure. The frequency can be determined by assessing just how much data loss you can tolerate and how volatile your data is. If you cannot tolerate any data loss you should look at implementing real time replication of data to a backup area.
- Test your data recovery procedure regularly to ensure your backups are valid.
In respect of Security, you will be aware that SmartOS and Linux VMs are protected by SSL security by default. However, all ports are open. Windows is protected by passwords generated when the machine is created. As a minimum you should take the following steps to ensure security, but this is only advisory information. Even with these steps carried out, you should undertake your own analysis to ensure your machines are as secure as you require them to be.
- Change all passwords that have been generated for any accounts/logins on your machines. The passwords generated by the provisioning system are intended for first time use only.
- Review open access ports and block or restrict access to ports as necessary.
- Regularly perform a security audit to validate who is logging into the machines and from where.
Backup and Security can be complex topics so we have deliberately only scratched the surface in this article in order to raise awareness and to ensure you are thinking about the processes and procedures you need to have in place.
You will find some useful advice and guidance on these topics on our Wiki at http://wiki.joyent.com/wiki/display/jpc2/Securing+your+Infrastructure.
If you have any questions regarding these topics please don't hesitate to reach out via help.joyent.com or firstname.lastname@example.org.