Technology Short Take 169

Welcome to Technology Short Take #169! Prior to the recent Spousetivities post, it had been a few months since I posted on the site; life has been busy, and it hasn’t left much time for blogging. Hopefully things will settle down soon, but until then I’ll continue to do the best I can to share useful information with folks. Hopefully something I’ve included in this Technology Short Take proves to be useful to someone. OK, let’s get on to the content!

Networking

• Navendu Pottekkat offers readers a comprehensive guide to API gateways, Kubernetes gateways, and service meshes. It’s a good breakdown of the technologies, how they’re related, how they’re different, and the intended/ideal use cases for each.

Security

• Backdoors in SSH public keys? Oh my. Be wary, friends.
• Alessandro Brucato updates on SCARLETEEL 2.0 enhancements and changes.
• Daniel Gzrelak walks readers through what appears to be a very large (potential) hole when configuring GitHub OIDC integration with AWS.
• Here we go again. As a side note, I am curious to know what other CPU architectures, if any, are affected. Will something like this spark a (larger) migration to ARM-based architectures?

Cloud Computing/Cloud Management

• Has your team started saying, Continue reading

Spousetivities Returns to VMware Explore 2023

After a lengthy hiatus—prompted by a pandemic and the suspension of in-person events as a result—Spousetivities returns to VMware Explore! VMware Explore, the event formerly known as VMworld, is happening in Las Vegas, NV, and Spousetivities will be there offering organized activities for spouses, partners, significant others, family, or friends traveling with conference attendees. Registration is already open!

Thanks to the support of Veeam and Synterex, Crystal has organized a great set of activities happening during VMware Explore:

• Downtown food tour (with or without cocktails): How about a private food tour in Vegas’ newly revitalized area of Fremont East? This area is now home to the city’s most exciting dining scene with local chefs crafting imaginative farm-to-table, seasonal, artisan fare.
• Scenic Route 66 tour: “Get your kicks, On Route 66”! Visit a unique desert winery and two distilleries on historic Route 66. Total tour time is approximately five hours.
• Emerald Cave kayak tour: What could be better than a day of kayaking on the Colorado River? This amazing 5 mile kayaking tour in the spectacular Black Canyon is sure to be an amazing adventure. You should have a chance to see plenty of desert wildlife, and you’ll visit Emerald Continue reading

Technology Short Take 168

Welcome to Technology Short Take #168! Although this weekend is (in the US, at least) celebrated as Mother’s Day weekend—don’t forget to call or visit your mom!—I thought you all might want some light weekend reading. I’m here to help, after all. To that end, here’s the latest Technology Short Take, with links to a variety of articles in various disciplines. Enjoy!

Networking

• Ivan Pepelnjak has been on a bit of a DHCP relaying kick. He’s recently published articles on DHCP relaying in VXLAN segments, DHCP relaying in EVPN VRFs, and most recently DHCP relaying with redundant DHCP servers.
• William Collins has a two-part series on site-to-site VPN with AWS. In part 1, Collins shows how VPN connections directly to VPCs don’t scale (both bandwidth-wise and operationally). In part 2, Collins shows how Transit VPC and Transit Gateway address scaling concerns.
• Daryll Swer talks about BGP zombie routes on JunOS.
• One notable challenge with Kubernetes is handling traffic outbound from the cluster and securing (or controlling) that traffic. Aadhil Abdul Majeed with Tigera reviews how using Calico Egress gateway and access controls enables users/operators to secure this outbound traffic.

Security

• Via Russ White, I came across an Continue reading

Technology Short Take 167

Welcome to Technology Short Take #167! This Technology Short Take is a tad shorter than the typical one; I’ve been busy recently and my intake volume of content has gone down, thus resulting in fewer links to share with all of you! I opted to go ahead and publish a shorter Technology Short Take instead of making everyone wait around for a longer one. In any case, here’s hoping that I’ve included something useful for you!

Networking

• Jeff McLaughlin discusses what he calls the “war on expertise.”
• Ivan Pepelnjak has some very useful and very applicable information on VRF-aware DHCP relaying.
• Michał Iwańczuk shares some information on EVPN inline mode in NSX-T.
• Harikrishnan T wraps up a 4-part series on stateful active-active gateways in NSX. Links to the previous three posts are embedded in the article.

Servers/Hardware

• Manoj Kumar provides a beginner’s guide to Trusted Platform Module (TPM).

Security

• GitHub recently had to change their RSA SSH host key; be sure to check out the details.
• Google warns users about exploitable flaws in popular Android phones.
• Rory McCune examines some container security fundamentals that arise from the fact that “containers are just processes.”

Cloud Computing/Cloud Management

• Laurent Continue reading

Creating a Talos Linux Cluster on Azure with Pulumi

A little over a month ago I published a post on creating a Talos Linux cluster on AWS with Pulumi. Talos Linux is a re-thinking of your typical Linux distribution, custom-built for running Kubernetes. Talos Linux has no SSH access, no shell, and no console; instead, everything is managed via a gRPC API. This post is something of a “companion post” to the earlier AWS post; in this post, I’ll show you how to create a Talos Linux cluster on Azure with Pulumi.

The program I’ll share with you in this post is written in Go, but the process outlined in this post and the accompanying code is equally applicable in other languages supported by Pulumi. (TypeScript is a popular choice for lots of folks.) The code is available in this GitHub repository. It’s based on this documentation from Sidero Labs, and I also found this blog post to be helpful as well.

The Pulumi program follows this overall flow:

1. First, the program creates the base infrastructure objects that are required—a resource group, a virtual network, some subnets, and a network security group.
2. Next, it creates a load balancer, gets a public IP address for the load Continue reading

Technology Short Take 166

Welcome to Technology Short Take #166! I’ve been collecting links for the last few weeks, and now it’s time to share them with all of you. There are some familiar names in the links below, but also some newcomers—and I’m really excited to see that! I’m constantly on the lookout for new sources (if you have a site you think I should check out, hit me up—my contact info is at the bottom of this post!). But enough of that, let’s get on with the content. Enjoy!

Networking

• Kevin Jin’s post on the APNIC blog about network automation tools is a great read. He discusses Netmiko, NAPALM, and Nornir in some detail, and provides some guidance around which network automation tool may be right for you.
• Rob Novak shares his experience in replacing Meraki with TP-Link Omada.
• Anton Kuliashov writes about why Palark uses Cilium for Kubernetes networking.
• Nick Buraglio discusses IPv6 Unique Local Addressing (ULA).
• Given how frequently I include content from Ivan, you can probably tell that I’m a big fan. This time I’m including two of his articles. In the first, he discusses the relationships between Layer 2 (VLAN) and Layer 3 (subnet) segments. In the Continue reading

Creating a Talos Linux Cluster on AWS with Pulumi

Talos Linux is a Linux distribution purpose-built for running Kubernetes. The Talos web site describes Talos Linux as “secure, immutable, and minimal.” All system management is done via an API; there is no SSH access, no shell, and no console. In this post, I’ll share how to use Pulumi to automate the creation of a Talos Linux cluster on AWS.

I chose to write my Pulumi program in Go, but you could—of course—choose to write it in any language that Pulumi supports (JavaScript/TypeScript, Python, one of the .NET languages, Java, or even YAML). I’ve made the Pulumi program available via this GitHub repository. It’s based on these instructions for standing up Talos Linux on AWS.

The Pulumi program has four major sections:

1. First, it creates the underlying base infrastructure needed for a Talos Linux cluster to run. This includes a VPC (and all the assorted other pieces, like subnets, gateways, routes, and route tables) and a load balancer. The load balancer is needed for the Kubernetes control plane, which we will bootstrap later in the program. This portion also creates the EC2 instances for the control plane.
2. Next, it uses the Talos Pulumi provider to generate the Talos Continue reading

Technology Short Take 165

Welcome to Technology Short Take #165! Over the last few weeks, I’ve been collecting articles I wanted to share with readers on major areas in technology: networking, security, storage, virtualization, cloud computing, and OSes/applications. This particular Technology Short Take is a tad heavy on cloud computing, but there’s a decent mix of other articles as well. Enjoy!

Networking

• For a deeper understanding of Kubernetes networking, and in particular the role played by kube-proxy, I highly recommend this post by Arthur Chiao. There is a ton of information here!
• Denis Mulyalin shows how to use Nornir, Salt, and NetBox to template your network tests. Now if Denis’ site just had a discoverable RSS feed…

Security

• Aeva Black and Gil Yehuda tackle the conundrum of open source security.
• If you haven’t looked at Teri Radichel’s series of posts on automating cybersecurity metrics (ACM), you should. There’s quite a bit of good information there.
• This post on Cedar—a new policy language developed by AWS—is an interesting read. I’m curious as to the constraints that led AWS to develop a new policy language versus using something like Rego (part of Open Policy Agent); this isn’t something the article touches upon.

Cloud Computing/Cloud Continue reading

Stage Manager is Incomplete

I’ve been using macOS Stage Manager off and on for a little while now. In Stage Manager, I can see the beginnings of what might be a very useful paradigm for desktop computing. Unfortunately, in its current incarnation, I believe Stage Manager is incomplete.

Note that I haven’t yet tried Stage Manager on my iPad; my comments here apply only to the macOS implementation.

For those of you who haven’t yet tried Stage Manager yet, here’s a screenshot of my desktop, taken while I was writing this blog post:

I’ll draw your attention to the list of “recently used applications” on the left side of the screen. That’s the “Cast” (a term used by Howard Oakley in his great introductory article on Stage Manager). As you can see in this screenshot, the Cast supports application groups—like having Slack and Mail grouped together—as well as single applications. This allows you to easily switch between groups of applications simply by clicking on the preview in the Cast (which, using Howard’s terminology, moves the application or applications to the Stage).

This is the glimmer of a useful paradigm that I see in Stage Manager: being able to assemble groups of applications that Continue reading

Installing the Prerelease Pulumi Provider for Talos

Normally, installing a Pulumi provider is pretty easy; you run pulumi up and the provider gets installed automatically. Worst case scenario, you can install the provider using pulumi plugin install. However, when dealing with prerelease providers, sometimes things have to be done manually. Such is the case with the prerelease Pulumi provider for Talos Linux. In this post, I’ll show you what the manual process looks like for installing a prerelease provider.

The GitHub repository for the prerelease Pulumi provider for Talos can be found here. As of this writing, the latest release was v0.1.0-beta.0. Currently, the prerelease provider for Talos Linux can’t be installed automatically when running pulumi up, and pulumi plugin install doesn’t work either.

The manual process for installing this provider looks like this:

1. Download the latest release of the Talos provider from the GitHub Releases page. This will download a tarred and gzipped archive.
2. The plugin files need to go into a specific subdirectory under ~/.pulumi/plugins. Navigate to that directory, and create a subdirectory whose name corresponds to the version of the Talos provider. For example, if the version downloaded is v0.1.0-beta.0, then the name of the new Continue reading

Automating Docker Contexts with Pulumi

Since I switched my primary workstation to an M1-based MacBook Pro (see my review here), I’ve starting using temporary AWS EC2 instances for compiling code, building Docker images, etc., instead of using laptop-local VMs. I had an older Mac Pro (running Fedora) here in my home office that formerly filled that role, but I’ve since given that to my son (he’s a young developer who wanted a development workstation). Besides, using EC2 instances has the benefit of access when I’m away from my home office. I use Pulumi to manage these instances, and I extended my Pulumi code to also include managing local Docker contexts for me as well. In this post, I’ll share the solution I’m using.

For those that aren’t already aware, Docker supports SSH-based contexts, which allow you to use the docker CLI over an SSH connection to a remote Docker daemon (including one behind an SSH bastion host). This is the functionality I’m using to do remote Docker image builds on an EC2 instance. I wrote a bit about SSH-based Docker contexts here.

When I run pulumi up to create the infrastructure, the Pulumi code (written in Go) does a few things:

1. It Continue reading

Technology Short Take 164

Welcome to Technology Short Take #164! I’ve got another collection of links to articles on networking, security, cloud, programming, and career development—hopefully you find something useful!

Networking

• William Morgan’s 2022 service mesh recap captures some of the significant events in service mesh in 2022, although through a Linkerd-colored lens. I do agree that the synergy between service mesh and the Gateway API was a surprise for a lot of folks, but they really are a good match.
• Back in October of last year, Tom Hollingsworth weighed in on Hedgehog, the networking company that has set out to commercialize SONiC, a Linux-based NOS used extensively in Azure.
• Ah, the bygone sounds of yesteryear…what a blast from the past!

Servers/Hardware

• What do you think of the ThinkPhone? (Hat tip to James Kane for bringing this to my attention.)
• I just found this article buried in my list of “articles to include in a future TST”: it’s a list of blade server resources from “blade server guy” Kevin Houston.

Security

• Adrian Mouat reviews some of the security-focused changes in Go 1.20.
• This article on using osquery for behavioral detection of macOS malware was an interesting read.

Cloud Computing/Cloud Management

• Continue reading

Technology Short Take 163

Welcome to Technology Short Take #163, the first of 2023! If you’re new to this site, the Technology Short Takes are essentially “link lists”—I collect links and articles about various technologies and I share them about every 3-4 weeks (sometimes more frequently). I’ll often add a bit of commentary here and there, but the real focus is the information in the linked articles. But enough of this, let’s get on with it! Here’s hoping you find something useful here.

Networking

• Yuchen Wu and Andrew Hauck share the story of Pingora, a Rust-based HTTP proxy developed by and currently in use at Cloudflare.
• Ivan Velichko has been publishing some great articles on container-focused networking concepts; the latest (that I’d seen as of the writing of this article) is this one on publishing the port of a running container.
• Numerous Networks has some information on optimizing Wi-Fi 6E networks for Apple devices.

Servers/Hardware

• Back during the AWS re:Invent 2022 timeframe, I came across this newsletter focused on AWS custom chips (Graviton, Trainium, Inferencia). If staying up-to-date with this topic is important for your role, then subscribing is probably a good idea. (I did.)
• I enjoyed this story on the mass Continue reading

A Depth Year in 2023

Off and on for a number of years, I published a “projects for the coming year” post and a “report card for last year’s projects” post (you can find links to all of these here). Typically, the project list was composed of new things I would learn and/or new things I would create or do. While there’s nothing wrong with this sort of thing—not at all!—I came across an idea while reading that I’ve decided I’ll adopt for 2023: a depth year.

The idea comes from this article, which I found while searching for some other information. Basically, a “depth year” is a year focused on going “deeper” (increasing your expertise in things you already know) instead of going “wider” (adding new things to what you know). Don’t take on new hobbies; instead, focus on getting better at the hobbies you already have. Don’t buy new books; instead, read the unread books that you keep meaning to get around to but never actually do. Don’t buy courses to learn something new; instead, finish the courses you already purchased.

I love this idea. Now, I know already that there is one small area where I’ll violate the rule Continue reading

Technology Short Take 162

Welcome to Technology Short Take #162! It’s taken me a bit longer than I would have liked to get this post assembled, but it’s finally here. Hopefully I’ve managed to find something you’ll find useful! As usual, the links below are organized by technology area/discipline, and I’ve added a little bit of commentary to some of the links where it felt necessary. Enjoy!

Networking

• With this announcement of Cilium support within AKS, Cilium is now available in managed Kubernetes offerings across all three major cloud providers.
• Leave it to Ivan to school everyone on Ethernet encapsulations.
• This article provides a few practical examples of how using VPC Endpoints to reduce network traffic moving through NAT Gateways can help save money.

Security

• Rory McCune has a series of articles on PCI compliance in containerized and Kubernetes environments. These are worth a read if security and compliance are your jam (see here, here, here, here, here, here, and here). I suspect more are in the works, so stay tuned to his site!
• Persistent malware in ESXi hypervisor environments? Ugh! See here for more details.
• The corny (cheesy?) food references in the title of this Continue reading

Technology Short Take 161

Welcome to Technology Short Take #161! It’s been a little over a month since the last Technology Short Take, although the Full Stack Journey recently did an “Audio Edition” of a Technology Short Take that you should probably check out. In any case, I’ve spent the last month collecting links to articles and tutorials from around the web on all the various technologies that us IT folk are likely to encounter in our day-to-day adventures. I hope there’s something here that you find useful!

Networking

• Atulpriya Sharma illustrates how to use DNS-based routing (with Argo Rollouts and Azure Traffic Manager) to implement a blue/green deployment strategy.
• Ivan Pepelnjak addresses the idea that network automation is harmful. I believe that IT folks in all disciplines, including networking, need to embrace automation.
• How awesome is it that the first commercial distribution of SONiC comes from a company named Hedgehog?

Servers/Hardware

• Howard Oakley has a great series on Apple Silicon; the series is up to three posts so far. The first post provides a high-level overview of how Apple Silicon M-series chips are different, and the second post has more details on the capabilities of the P and E cores. The third post Continue reading

Streamlining the User Experience for Accessing AKS Clusters

Lately I’ve been spending a little bit of time building Pulumi programs to assist with standing up Azure Kubernetes Service (AKS) clusters. I’ve learned a pretty fair amount about Azure and AKS along the way, as expected, but I was taken aback by the poor user experience (in my opinion) when it came to accessing the AKS clusters once they’d been established. In this post, I’ll share a small tweak you can make that will, in most cases, make accessing your AKS clusters a great deal smoother.

What do I mean by “poor user experience”? In the same vein as comparable offerings from AWS (EKS) and Google Cloud (GKE), AKS leverages Azure’s identity and access management (IAM) functionality, so that users have a single place to manage user and group entities. This makes perfect sense! What doesn’t make sense to me, though, is the requirement that users must perform a separate login process to gain access to the cluster, even if the user is already authenticated via the Azure CLI. This is very counter to both EKS and GKE, where—if you are already authenticated via their CLI tools—no additional steps are necessary to access appropriately-configured managed Kubernetes clusters on their Continue reading

Technology Short Take 160

Welcome to Technology Short Take #160! This time around, my list of links and articles is a tad skewed toward cloud computing/cloud management, but I’ve still managed to pull together some links on other topics that readers will hopefully find useful. For example, did you know about the secret macOS network quality tool? You didn’t? Lucky for you there’s a link to an article about it below. Read on to get all the details!

Networking

• Ivan Pepelnjak tackles the “infrastructure-as-code is scary” mindset. (Related: see the first bullet in the “Career/Soft Skills” section below.)
• Larry Peterson reflects on the evolution of TCP.
• Vikas Choudhary discusses Istio’s Secure Naming; that is, the name given to services and the Subject Alternative Name (SAN) put on the X.509 certificates used in mTLS.

Servers/Hardware

• Timothy Prickett Morgan takes a look at Tesla’s “Dojo” supercomputer.

Security

• Rory McCune has a round-up of what’s new for security in Kubernetes 1.25.
• Ars Technica has details on another recent software supply chain attack.
• Mac Chaffee shares some under-documented Kubernetes security tips.

Cloud Computing/Cloud Management

• Not familiar with the AWS CDK? This post should help.
• Barry Browne writes about his journey to becoming an AWS Solutions Continue reading

Referencing Configuration Values in Pulumi YAML

Lately I’ve been doing a fair amount of work with Pulumi’s YAML support (see this blog post announcing it), and I recently ran into a situation where I wanted to read in and use a configuration value (set via pulumi config). When using one of Pulumi’s supported programming languages, like TypeScript or Python or Go, this is pretty easy. It’s also easy in YAML, but not as intuitive as I originally expected. In this post, I’ll share how to read in and use a configuration value when using Pulumi YAML.

Configuration values are how you parameterize a Pulumi program in order to make it more flexible and reusable (see this page on configuration from Pulumi’s architecture and concepts documentation). That same page also has examples of using config.Get or config.Require to pull configuration values into a program (the difference between these two, by the way, is that the latter will prevent a program from running if the configuration value isn’t supplied).

In YAML, it’s (currently) handled a bit differently. As outlined in the Pulumi YAML reference, a Pulumi YAML document has four main sections: configuration, resources, variables, and outputs. At first, I thought Continue reading

Managing AWS Key Pairs with Pulumi and Go

As I was winding down things at Kong and getting ready to transition to Pulumi (more information on why I moved to Pulumi here), I casually made the comment on Twitter that I needed to start managing my AWS key pairs using Pulumi. When the opportunity arose last week, I started doing exactly that! In this post, I’ll show you a quick example of how to use Pulumi and Go to declaratively manage AWS key pairs.

This is a pretty simple example, so let’s just jump straight to the code:

_, err := ec2.NewKeyPair(ctx, "aws-rsa-keypair", &ec2.KeyPairArgs{
	KeyName:   pulumi.String("key-pair-name"),
	PublicKey: pulumi.String("<ssh-key-material-here>"),
	Tags: pulumi.StringMap{
		"Owner":   pulumi.String("User Name"),
		"Team":    pulumi.String("Team Name"),
		"Purpose": pulumi.String("Public key for authenticating to AWS EC2 instances"),
		},
	})
	if err != nil {
		return err
	}

This code is, by and large, pretty self-explanatory. For PublicKey, you just need to supply the contents of the public key file (use cat or similar to get the contents of the file) where Continue reading