As mentioned in a previous announcement, Engine Yard has released our latest stack, stable v5. With many feature enhancements and stabilization in the past three months, we are thrilled to announce that we have made stable v5 the default stack for the Engine Yard PaaS platform.
For Ruby on Rails developers, we’ve released support for Ruby 2.3. Engine Yard is more committed than ever to keep relevant with all the latest stable versions of Ruby and Rails. Ruby 2.4.0 as the first stable release of the Ruby 2.4 series just came out, which will be offered by the Engine Yard Cloud platform very soon.
For PHP developers, PHP 5.6 and PHP 7 are available in stable v5. This brings current support for PHP developers regardless of needing 5.6 or 7 for their applications. This also allows a seamless upgrade path for developers.
For Node.js developers, we’ve significantly ramped up our offering for Node.js in stable v5. 4.6.0 / 6.4.0 / 6.7.0 are now available in stable v5. We also provide a brand new reference application for Node.js. Engine Yard recently sponsored Nodeknockout, hundreds of Node.js developers leveraged Engine Yard’s Node.js offering in stable v5 for this distinguished competition. We now have around 150 Node.js applications running in stable v5.
With stable v5, we now offer Docker support through Chef recipes. You can write infrastructure code that runs containers along with your other customizations. Docker allows you to run more apps and software on the Engine Yard PaaS platform. We’ve published some example cookbooks for running containers on v5 here.
To name a few, here is a short list of recent platform enhancements:
- Support for AWS’s EFS Solution
- Support for the AWS Data Pipeline
- Containerized turnkey application support
- Enhancements to the onboarding workflow
- Provisioning capabilities for AWS’ Mumbai region
- Further expansion of AWS’s AP Southeast region and new instance types
Moreover, many enhancements were added to EYGL (Engine Yard Gentoo Linux distribution), such as:
- Upgrade Ruby 2.1.x and Ruby 2.2.x on stable v4 instances using OpenSSL 1.0.1, the upgraded Ruby versions come as default on stable v5 instances
- PHP 7 support
- Node.js 4.6.0 / 6.4.0 / 6.7.0 support
- Latest AMI (Engine Yard Gentoo Linux 2016.06.014.final Operating System Image) revision for stable v5
- Recent OpenSSL security updates
Another exciting development is we are working to add support for new languages on the Engine Yard Cloud platform. Currently we are working on Elixir which will be available for preview very soon.
Engine Yard makes use of Gentoo Linux with a Hardened Gentoo Linux Toolchain for customer instances. This strategy encourages a focus of proactively hardening the software utilized through specialized security technologies offered by the Gentoo OS. Additionally, Engine Yard follows standard industry best practices in securing the OS image that is distributed for customer use.
Standardized customer deployment build images have been created and access to publish the images is restricted to appropriate individuals.
Toolchain & Userspace
Engine Yard Gentoo Linux inherits and is built upon a Hardened Gentoo Linux profile that includes security features such as Stack Smashing Protection. Leveraging the Hardened Gentoo profile enables built-in security technologies to the included compiled software transparently, such as:
- Read-only sections after the loader is finished (RELRO)
- Full binding at load-time (BIND_NOW)
- Stack Smashing Protection (SSP)
- Position Independent Executables (PIEs)
- Compiler option FORTIFY_SOURCE
- Improved address space layout randomization (ASLR)
These technologies mitigate many common vulnerability types in compiled software like buffer overflows, format string attacks and more. These protections are added transparently, without the software’s author awareness or requiring authors to write their code differently.
Engine Yard performs targeted scans against standard application installation paths (/bin, /usr/bin, /sbin, /usr/sbin) when preparing a new OS release to ensure the AMI only includes packages in the base OS image along with the limited packages specifically needed to work with the Engine Yard cloud platform. Up-to-date security bugfixes We also monitor security bulletins, security advisory mailing lists/feeds and key bug trackers for vulnerabilities that may affect Engine Yard’s software stack. As fixes become available they are incorporated into the latest version of the Engine Yard AMI or Portage tree when possible.
Vulnerability scanning takes place daily to validate that baseline images used in customer deployment are appropriately secure. Critical vulnerabilities are addressed timely in accordance with documented procedures.
Remote access to instances is through OpenSSH public key authentication. By default, password authentication is disabled to prevent password brute force attacks, sharing and theft.
Services and ports
Only the packages specifically needed to work with the Engine Yard cloud platform are installed on the image. This means no unnecessary services and daemons are installed or enabled by default. Security advisories for software providing these services are monitored closely and addressed timely.
This is a platform-wide upgrade that was rolled out on 12/16/2016. Customers who created new environments in the past few weeks might have already notice this change. If you have any questions, get in touch and let’s talk about how we can work together.