Blogging Break

I wanted to let readers know that there will be a break in my blogging over the next few weeks. Crystal and I are celebrating our 20th wedding anniversary and have decided to take a very long trip to someplace very far away from civilization so that we can relax, unplug, and simply enjoy each other’s company.

I’ll be back in civilization on June 7, and you can expect a quick post summarizing our trip (maybe with some photos). I’ll also have some feedback on how the Peak Designs 20L photo backpack worked out for me. Until then, have a great one!

Technology Short Take 114

Welcome to Technology Short Take #114! There will be a longer gap than usual before the next Tech Short Take (more details to come on Monday), but in the meantime here’s some articles and links to feed your technical appetite. Enjoy!

Networking

• Courtesy of Tigera, Alex Pollitt shares some guidelines on when Linux conntrack is no longer your friend.

Servers/Hardware

• Apparently Dell’s new docking stations support firmware updates via Linux. Nice!

Security

• Michael Allen published an article on weaponizing the Yubikey. It’s an interesting read, although I’m not sure about the usefulness or practicality of the technique he describes.
• This is a pretty detailed write-up of a remote code execution vulnerability prsent on most Dell computers (courtesy of Dell SupportAssist). I’m thankful that Bill Demirkapi followed a responsible disclosure policy.
• Here’s a summary of attacks against GPG-signed APT repositories. The “TL;DR” on this one is simple: always serve your APT repositories over TLS.
• Since we’re on a bit of a security kick this time around, then the recent announcement by HyTrust of HyTrust CloudControl 6.0 seems appropriate to include. There’s some interesting new functionality found in this release, including support for/integration with Kubernetes.

Cloud Computing/Cloud Management

• This article by Continue reading

The Linux Migration: Preparing for the Migration

As far back as 2012, I was already thinking about migrating away from Mac OS X (now known as macOS). While the migration didn’t start in earnest until late 2016, a fair amount of work happened in advance of the migration. Since I’ve had a number of folks ask me about migrating to Linux, I thought I’d supplement my Linux migration series with a “prequel” about some of the work that happened to prepare for the migration.

In the end—and I imagine some folks may get upset or offended at this—an operating system (OS) is really just a vehicle to deliver applications to the user. While users like myself have strong preferences about their OS and how their OS works, ultimately it is the ability to “get things done” that really matters. This is why I ended up suspending my Linux migration in August 2017; I didn’t have access to the applications I needed in order to do what I needed to do. (Though, to be fair, part of that was a lack of growth on my part, though that’s a different blog post for a different day.)

To that end, most of the work I did in Continue reading

A Sandbox for Learning Pulumi

I recently started using Pulumi, a way of using a general purpose programming language for infrastructure-as-code projects. I’ve been using Pulumi with JavaScript (I know, some folks would say I should question my life decisions), and while installing Pulumi itself is pretty low-impact (a small group of binaries) there are a number of dependencies that need to be installed when using Pulumi with JavaScript. As I’m a stickler for keeping my primary system very “clean” with regard to installed packages and software, I thought I’d create a means whereby I can easily spin up a “sandbox environment” for learning Pulumi.

When creating this sandbox environment, I turned to some tools that are very familiar:

• I used virtualization (a virtual machine) as the isolation mechanism. The next step is to use a Linux container, like a Docker container, as the isolation mechanism, but I thought I’d start with something a bit simpler at first.
• Vagrant provides a way of automating the creation/destruction of said VM. Again, Vagrant is well-understood and widely used.
• Ansible provides the automation to configure the VM with the necessary software (Pulumi and associated dependencies).
• I also thought that some folks might find it interesting or useful Continue reading

Technology Short Take 113

Welcome to Technology Short Take #113! I hope the collection of links and articles I’ve gathered for you contains something useful for you. I think I have a pretty balanced collection this time around; there’s a little bit of something for almost everyone. Who says you can’t please everyone all the time?

Networking

• Via the Kubernetes blog, Box announced it has open sourced a project called kube-iptables-tailer, which turns packet drops from iptables into Kubernetes events that can be logged for easier troubleshooting. The GitHub repository for the project is here.
• Via BlueCat Networks, John Capobianco shares his network automation journey. In part 1, John discusses the frameworks/tooling and the goals for his network automation efforts; in part 2, John digs into getting started with Ansible and the initial impact of his efforts.
• Diógenes Rettori has a comparison of Istio and Linkerd as solutions for service mesh. Personally, I could’ve done without the little product advertisement at the end, but that’s just me.
• Here’s a good article on packets-per-second limits in EC2.

Servers/Hardware

• AnandTech has some coverage of the latest Intel processor announcements, which totally flew by my radar.

Security

• I recently read about the Continue reading

Technology Short Take 112

Welcome to Technology Short Take #112! It’s been quite a while since the last one, as life and work have been keeping me busy. I have, however, finally managed to pull together this list of links and articles from around the Internet, and I hope that something I’ve included here proves useful to readers.

Networking

• Part 2 of Stark and Wayne’s container-to-container networking for Cloud Foundry and Kubernetes dig deep into CNI workings.
• Via Ivan Pepelnjak’s site, Albert Siersema shares some information on using Ansible to automate 802.1x configurations.
• Milind Gunjan shares some tips for troubleshooting Linux bridged networking on a KVM host.

Servers/Hardware

Nothing this time around! I’ll stay alert for content I can include next time.

Security

• Tim Hinrichs discusses securing the Kubernetes API with Open Policy Agent.
• Pod Security Policies (PSPs) are an important security feature in Kubernetes. Sysdig explains PSPs, and talks about kube-psp-advisor, a tool to help simplify deploying PSPs.
• ClusterScope is a handy tool for finding outdated images in your Kubernetes cluster.
• This article discusses four open source secrets management tools.
• Many organizations prefer to use two-factor authentication (2FA) to help protect their systems. While this article on how to configure 2FA Continue reading

Using Kubeadm to Add New Control Plane Nodes with AWS Integration

In my recent post on using kubeadm to set up a Kubernetes 1.13 cluster with AWS integration, I mentioned that I was still working out the details on enabling AWS integration (via the AWS cloud provider) while also using new functionality in kubeadm (specifically, the --experimental-control-plane flag) to make it easier to join new control plane nodes to the cluster. In this post, I’ll share with you what I’ve found to make this work.

The challenge here, by the way, is that you can’t use the --config <filename>.yaml flag and the --experimental-control-plane flag at the same time. I did try this, and the results of my testing led me to believe that although kubeadm doesn’t report an error, it does ignore the --experimental-control-plane flag. (Kubernetes experts/contributors, feel free to let me know if I’ve missed something here.)

After some trial-and-error—mostly my own fault because I didn’t take the time to review the v1beta1 kubeadm API docs ahead of time—I finally arrived at a working configuration that allows you to use kubeadm join --config <filename>.yaml to join a control plane node to an existing AWS-integrated Kubernetes cluster.

Credit for finding the solution goes to Rafael Fernández López, Continue reading

My Team’s Blogs

I’m thankful to have the opportunity to work with an amazing team. Many of my teammates also produce some very useful content via their own sites, and so I thought it might be useful to my readers to share a list of links to my teammates’ blogs.

Without further ado, here is a list of my teammates who have a blog; each entry is a link to the respective site (these are presented in no particular order):

• John Harris
• Jim Weber
• Josh Rosso
• Alexander Brand
• Nicholas Lane
• Dan Finneran
• Hart Hoover
• Duffie Cooley
• Stephen Augustus (as of this post Stephen hadn’t yet updated his affiliation—c’mon Stephen, get with the program!)
• Timmy Carr
• Carl Danley (not fully live yet)
• Olive Power (not fully live yet)
• Koushik Radhakrishnan (not fully live yet)

I know I’ve gained valuable insight from some of their content, and I hope you do as well.

Spousetivities at Oktane 2019

It should come as no surprise to anyone that I’m a huge supporter of Spousetivities, and not just because it was my wife, Crystal Lowe, who launched this movement. What started as the gathering of a few folks at VMworld 2008 has grown over the last 11 years, and this year marks the appearance of Spousetivities at an entirely new conference: Oktane 2019!

Oktane is the conference for Okta, a well-known provider of identity services, and the event is happening in San Francisco from April 1 through April 4 (at Moscone West). This year, Okta is bringing Spousetivities in to add activities for those traveling to San Francisco with conference attendees.

What sort of activities are planned? The Oktane19 Spousetivities landing page has full details, but here’s a quick peek:

• A wine tour in Sonoma/Napa with private transportation (lunch is included, of course!)
• A walking food tour of San Francisco combined with a bus tour of the city and tickets to Beach Blanket Babylon
• A whale watching tour

…and more!

If you’re attending Oktane19 and are bringing along a spouse, domestic partner, family member, or even just a friend—I’d definitely recommend signing them up for Spousetivities. Continue reading

Looking Ahead: My 2019 Projects

It’s been a little while now since I published my 2018 project report card, which assessed my progress against my 2018 project goals. I’ve been giving a fair amount of thought to the areas where I’d like to focus my professional (technical) development this coming year, and I think I’ve come up with some project goals that align both with where I am professionally right now and where I want to be technically as I grow and evolve. This is a really difficult balance to strike, and we’ll see at the end of the year how well I did.

Without further ado, here’s my list of 2019 project goals, along with an optional stretch goal (where it makes sense).

1. Make at least one code contribution to an open source project. For the last few years, I’ve listed various programming- and development-related project goals. In all such cases, I haven’t done well with those goals because they were too vague, and—as I pointed out in previous project report cards—these less-than-ideal results are probably due to the way programming skills tend to be learned (by solving a problem/challenge instead of just learning language semantics and syntax). So, in an effort to Continue reading

Split Tunneling with vpnc

vpnc is a fairly well-known VPN connectivity package available for most Linux distributions. Although the vpnc web site describes it as a client for the Cisco VPN Concentrator, it works with a wide variety of IPSec VPN solutions. I’m using it to connect to a Palo Alto Networks-based solution, for example. In this post, I’d like to share how to set up split tunneling for vpnc.

Split tunneling, as explained in this Wikipedia article, allows remote users to access corporate resources over the VPN while still accessing non-corporate resources directly (as opposed to having all traffic routed across the VPN connection). Among other things, split tunneling allows users to access things on their home LAN—like printers—while still having access to corporate resources. For users who work 100% remotely, this can make daily operations much easier.

vpnc does support split tunneling, but setting it up doesn’t seem to be very well documented. I’m publishing this post in an effort to help spread infomation on how it can be done.

First, go ahead and create a configuration file for vpnc. For example, here’s a fictional configuration file:

IPSec gateway vpn.company.com
IPSec ID VPNGroup
IPSec secret donttellanyone
Xauth username bobsmith

Continue reading

Advanced AMI Filtering with JMESPath

I recently had a need to do some “advanced” filtering of AMIs returned by the AWS CLI. I’d already mastered the use of the --filters parameter, which let me greatly reduce the number of AMIs returned by aws ec2 describe-images. In many cases, using filters alone got me what I needed. In one case, however, I needed to be even more selective in returning results, and this lead me to some (slightly more) complex JMESPath queries than I’d used before. I wanted to share them here for the benefit of my readers.

What I’d been using before was a command that looked something like this:

ec2 describe-images --owners 099720109477 \
--filters Name=name,Values="*ubuntu-xenial-16.04*" \
Name=virtualization-type,Values=hvm \
Name=root-device-type,Values=ebs \
Name=architecture,Values=x86_64 \
--query 'sort_by(Images,&CreationDate)[-1].ImageId'

The part after --query is a JMESPath query that sorts the results, returning only the ImageId attribute of the most recent result (sorted by creation date). In this particular case, this works just fine—it returns the most recent Ubuntu Xenial 16.04 LTS AMI.

Turning to Ubuntu Bionic 18.04, though, I found that the same query didn’t return the result I needed. In addition to the regular builds of 18.04, Canonical apparently also builds EKS Continue reading

Technology Short Take 111

Welcome to Technology Short Take #111! I’m a couple weeks late on this one; wanted to publish it earlier but work has been keeping me busy (lots and lots of interest in Kubernetes and cloud-native technologies out there!). In any event, here you are—I hope you find something useful for you!

Networking

• Daniel Dib has a great article on how network engineers need to evolve. The network isn’t going away, it’s just changing.
• I referenced part 1 of Ajay Chenampara’s series on the Ansible network-engine command parser back in Technology Short Take 102 (July of last year). I’m not sure how I missed that part 2 was published only 2 days later, so I’m rectifying that now. Go check out part 2.
• Paul Fitzgerald shows how to use Hyper-V and Docker to build a VyOS 1.2.0 ISO image. (VyOS is an open source Linux-based network operating system.)
• Matt Cowger shares how to use MetalLB with the Unifi USG to take advantage of Kubernetes LoadBalancer functionality in your home lab. Nifty.

Servers/Hardware

• James Hamilton is back with a more in-depth look at the components of the AWS Nitro System.
• I must say that my conclusions regarding Continue reading

Thoughts on VPNs for Road Warriors

A few days ago I was talking with a few folks on Twitter and the topic of using VPNs while traveling came up. For those that travel regularly, using a VPN to bypass traffic restrictions is not uncommon. Prompted by my former manager Martin Casado, I thought I might share a few thoughts on VPN options for road warriors. This is by no means a comprehensive list, but hopefully something I share here will be helpful.

There were a few things I wanted to share with readers:

• I found commercial VPN services too unreliable (it’s not uncommon for commercial VPN services to get blocked and thus defeat the purpose of using a VPN).
• Instead, I’ve found more success using something like AutoVPN. AutoVPN helps you stand up an on-demand OpenVPN endpoint on AWS. I used this successfully in Beijing, setting up endpoints in Seoul, Singapore, Tokyo, and sometimes Sydney. Because these IP addresses are “ephemeral,” they’re far less likely to be blocked. (Here’s another example of using AWS as a personal VPN service.)
• I also had success using AutoVPN not to get around traffic restrictions, but to change my source IP. My wife needed to access some real Continue reading

Kubernetes, Kubeadm, and the AWS Cloud Provider

Over the last few weeks, I’ve noticed quite a few questions appearing in the Kubernetes Slack channels about how to use kubeadm to configure Kubernetes with the AWS cloud provider. You may recall that I wrote a post about setting up Kubernetes with the AWS cloud provider last September, and that post included a few snippets of YAML for kubeadm config files. Since I wrote that post, the kubeadm API has gone from v1alpha2 (Kubernetes 1.11) to v1alpha3 (Kubernetes 1.12) and now v1beta1 (Kubernetes 1.13). The changes in the kubeadm API result in changes in the configuration files, and so I wanted to write this post to explain how to use kubeadm 1.13 to set up a Kubernetes cluster with the AWS cloud provider.

I’d recommend reading the previous post from last September first. In that post, I listed four key configuration items that are necessary to make the AWS cloud provider work:

1. Correct hostname (must match the EC2 Private DNS entry for the instance)
2. Proper IAM role and policy for Kubernetes control plane nodes and worker nodes
3. Kubernetes-specific tags on resources needed by the cluster
4. Correct command-line flags added to the Kubernetes API server, controller Continue reading

Scraping Envoy Metrics Using the Prometheus Operator

On a recent customer project, I recommended the use of Heptio Contour for ingress on their Kubernetes cluster. For this particular customer, Contour’s support of the IngressRoute CRD and the ability to delegate paths via IngressRoutes made a lot of sense. Of course, the customer wanted to be able to scrape metrics using Prometheus, which meant I not only needed to scrape metrics from Contour but also from Envoy (which provides the data plane for Contour). In this post, I’ll show you how to scrape metrics from Envoy using the Prometheus Operator.

First, I’ll assume that you’ve already installed and configured Prometheus using the Prometheus Operator, a task which is already fairly well-documented and well-understood. If this is something you think would be helpful for me to write a blog post on, please contact me on Twitter and let me know.

The overall process looks something like this:

1. Modify the Envoy DaemonSet (or Deployment, depending on your preference) to add a sidecar container and expose additional ports.
2. Modify the Service for the Envoy DaemonSet/Deployment to expose the ports you added in step 1.
3. Add a ServiceMonitor object (a CRD added by the Prometheus Operator) to tell Prometheus to scrape Continue reading

Technology Short Take 110

Welcome to Technology Short Take #110! Here’s a look at a few of the articles and posts that have caught my attention over the last few weeks. I hope something I’ve included here is useful for you also!

Networking

• Via Kirk Byers (who is himself a fantastic resource), I read a couple of articles on network automation that I think readers may find helpful. First up is a treatise from Mircea Ulinic on whether network automation is needed. Next is an older article from Patrick Ogenstad that provides an introduction to ZTP (Zero Touch Provisioning).
• The folks over at Cilium took a look at a recent CNI benchmark comparison and unpacked it a bit. There’s some good information in their article.
• I first ran into Forward Networks a few years ago at Fall ONUG in New York. At the time, I was recommending that they explore integration with NSX. Fast-forward to this year, and the company announces support for NSX and (more recently) support for Cisco ACI. The recent announcement of their GraphQL-based Network Query Engine (NQE)—more information is available in this blog post—is also pretty interesting to me.

Servers/Hardware

• Patrick Kennedy over at Serve The Home shares the Continue reading

Technology Short Take 109

Welcome to Technology Short Take #109! This is the first Technology Short Take of 2019. It may be confirmation bias, but I’ve noticed of number of sites adding “Short Take”-type posts to their content lineup. I’ll take that as flattery, even if it wasn’t necessary intended that way. Enjoy!

Networking

• Niran Even-Chen says service mesh is a form of virtualization. While I get what Niran is trying to say here, I’m not so sure I agree with the analogy. Sometimes analogies such as this are helpful, but sometimes the analogy brings unnecessary connotations that make understanding new concepts more difficult. One area where I do strongly agree with Niran is in switching your perspective: looking at service mesh from a developer’s perspective gives one quite a different viewpoint than viewing service mesh in an infrastructure light.
• Jim Palmer has a detailed write-up on DHCP Option 51 and different behaviors from different DHCP clients.
• Niels Hagoort talks about some network troubleshooting tools in a vSphere/ESXi environment.

Servers/Hardware

Nothing this time around, but I’ll stay alert for items to include next time.

Security

• Nandor Kracser outlines a method that Banzai Cloud uses to inject secrets from Vault directly into Kubernetes Pods.
• Via Continue reading

On Thinking About Infrastructure as Code

I just finished reading Cindy Sridharan’s excellent post titled “Effective Mental Models for Code and Systems,” and some of the points Sridharan makes immediately jumped out to me—not for “traditional” code development, but for the development of infrastructure as code. Take a few minutes to go read the post—seriously, it’s really good. Done reading it? Good, now we can proceed.

Some of these thoughts I was going to share in a planned presentation at Interop ITX in May 2019, but since I’m unable to speak at the conference this year due to schedule conflicts (my son’s graduation from college and a major anniversary trip for me and Crystal), I figured now was as good a time as any, especially given the timing of Sridharan’s post. Also, a lot of these thoughts stem from a discussion with a colleague at work, which in turn led to this Full Stack Journey podcast on practical infrastructure as code.

Anyway, let me get back to Sridharan’s post. One of the things that jumped out to me right away was Sridharan’s proposed hierarchy of needs for code:

As you can see in the image (full credit for which belongs to Sridharan, as far Continue reading

The Linux Migration: December 2018 Progress Report

In December 2016, I kicked off a migration from macOS to Linux as my primary laptop OS. Throughout 2017, I chronicled my progress and challenges along the way; links to all those posts are found here. Although I stopped the migration in August 2017, I restarted it in April 2018 when I left VMware to join Heptio. In this post, I’d like to recap where things stand as of December 2018, after 8 months of full-time use of Linux as my primary laptop OS.

I’ll structure this post roughly as a blend of the formats I used in my April 2017 and July 2017 progress reports.

Hardware

Readers may recall that I was using a Dell Latitude E7370 (see my E7370 hardware review) up until August 2017, when I put the Linux migration on hold indefinitely due to productivity concerns. Upon moving to Heptio, I switched to a Lenovo ThinkPad X1 Carbon (see here for my review of the X1 Carbon—the “TL;DR” is that I love it). In my home office, the X1 Carbon connects to a USB-C expansion hub that provides connectivity to a 34” 21:9 ultrawide curved monitor, external HD webcam, and a USB headset for Zoom Continue reading