Blitznote Ubuntu repository


#1

Aye!

I haven’t been satisfied with some popular packages for Ubuntu being outdated, unpatched, or simply not customized to my needs on Scaleway’s servers. This resulted in me backporting a few patches and modifying what’s available, and in some instances writing some additional code. I’d like to share the results with you. For Ubuntu (works with 15.04, should work with 15.10):

Add the Repository

apt-get -y install apt-transport-https

printf "deb https://s.blitznote.com/debs/ubuntu/armhf/ arm7/" \
  > /etc/apt/sources.list.d/blitznote.list
printf 'Package: *\nPin: origin "s.blitznote.com"\nPin-Priority: 510\n' \
  > /etc/apt/preferences.d/blitznote

apt-get -q update
apt-get -y --force-yes upgrade apt
apt-get -y autoremove && apt-get clean

Packages, and most notable changes

  • gogs — a GitHub clone, like Gitlab but less resource-hungry and easier to maintain
  • golang-go 1.5 — a copy from Ubuntu’s buildbots
  • openssl 1.0.1x
    • latest patches from Ubuntu for CVEs as they are published
    • support for ChaCha20-Poly1305 from BoringSSL (but optimized for the Marvell Armada 370/XP we use)
    • reduced set of curves offered in ECDSA, because you don’t want to use e.g. brainpool curves or fringe ones like sect163r2 in TLS (compare output(s) of curl -fsS "https://www.ssllabs.com/ssltest/viewMyClient.html" | grep -F "Elliptic curves" -A 3)
    • the default cipher list contains only strong ones
    • RC4 won’t be offered with ≥TLSv1.1
    • minimum DH group size is 1024 bit
  • curl 7.44.x
    • defaults to OpenSSL instead of GnuTLS due to the improvements outlined above
    • cipher order is changed in order to promote faster ciphers with PFS
    • use this for certificate pinning
  • openssh 7.1p1
    • patches for way better performance with aesXXX-ctr ciphers („HPN“ patchset)
    • (support for DSA will be removed with the next iteration)
  • apt and apt-transport-https 1.0.9.10
    • uses OpenSSL due to better performance and Kx support
    • fixes errors such as „Size of file … is not what the server reported“
  • nginx + boringssl + http2
    • BoringSSL is compiled-in, with my patches for curve negotiation
    • some improvements for ARM which have not been included back then by Nginx’ authors
    • automatic taskset among the available cores
    • not a deb, find it here: https://s.blitznote.com/debs/ubuntu/armhf/arm7/nginx
    • the only dependencies are zlib1g libjemalloc1

Nginx with Gitlab:

mkdir /var/log/nginx
chmod 1700 $_
mkdir -p /opt/sbin
cd $_
curl -fLRO https://s.blitznote.com/debs/ubuntu/armhf/arm7/nginx && chmod a+x nginx

cd /opt/gitlab
for F in embedded/service/gitlab-rails/lib/support/nginx/* embedded/cookbooks/gitlab/templates/default/nginx*; do \
  sed -i \
    -e '/listen/ s@ ssl<@ ssl http2<@g' \
    -e '/^worker_processes/a\worker_cpu_affinity auto;' \
    "${F}"; \
done
for F in $(find -name 'sv-nginx-run.erb'); do
  sed -i \
    -e '/^exec chpst/i\LD_PRELOAD=/usr/lib/arm-linux-gnueabihf/libjemalloc.so.1 \\' \
    -e '/chpst/ s@$@ -c conf/nginx.conf@' \
    -e 's@/opt/gitlab/embedded/sbin/nginx@/opt/sbin/nginx@' \
    "${F}"; \
done

See also:

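The preferences file above pins s.blitznote.com at priority 510, above the default 500 that apt gives the Ubuntu archives. This added Python example (not code from the post) models apt's candidate selection with a dpkg-style version comparison, on constructed, hypothetical version strings, to show what that priority does: the pinned repository is preferred even when Ubuntu has already published a newer build of the same package, while 510 still stays below the 1000 needed to downgrade a version that is already installed.

```python
import re
from functools import cmp_to_key
from itertools import zip_longest

_TOKEN = re.compile(r"(\D*)(\d*)")   # a version is alternating non-digit / digit runs

def _order(c):
    # dpkg character weights: '~' sorts before everything (even end of string),
    # letters before other punctuation
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a, b):
    # compare one component (upstream version or revision) the way dpkg does
    for (sa, na), (sb, nb) in zip_longest(_TOKEN.findall(a), _TOKEN.findall(b), fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def deb_version_cmp(v1, v2):
    # epoch, then upstream version, then Debian revision (the part after the last '-')
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def apt_candidate(installed, available, pins):
    # highest pin priority wins and ties go to the newest version; the installed
    # version is only downgraded when the winning priority is 1000 or more
    ranked = sorted(available, reverse=True,
                    key=lambda c: (pins.get(c[1], 500), cmp_to_key(deb_version_cmp)(c[0])))
    ver, origin = ranked[0]
    if installed and pins.get(origin, 500) < 1000 and deb_version_cmp(installed, ver) > 0:
        return installed, "installed"
    return ver, origin

# Constructed sample (hypothetical version strings): a later Ubuntu security build of
# openssl next to the pinned repository's older build, with the post's Pin-Priority 510.
AVAILABLE = [("1.0.1f-1ubuntu11.5", "archive.ubuntu.com"),
             ("1.0.1f-1ubuntu11.4+blitznote1", "s.blitznote.com")]
PINS = {"s.blitznote.com": 510}
```

On a real host the same decision is visible in the output of `apt-cache policy openssl`; the model only explains why Ubuntu's security updates for the pinned packages stay shadowed until the third-party repository ships them.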

#2

Thank you, this is a really great tutorial.


#3

Thanks! I am using everything myself, so no need for anyone to waste time on that again.

Here’s the result in action. ECDSA performs way better than RSA on those machines (almost 10 times!) — as long as there is enough entropy.

https://www.ssllabs.com/ssltest/analyze.html?d=hub.blitznote.com

AES-CBC is the fastest available cipher here, but most clients don’t implement the client-side split which is advisable with CBC modes. This leaves us with AES-GCM and CHACHA20 in TLSv1.2, and the latter is the fastest cipher. (25 MB/s ≪ 37 MB/s × 4 on those ARMs w/o NEON extension. *sigh*)