Archive

Category Archives for "Networking"

Improving your monitoring setup by integrating Cloudflare’s analytics data into Prometheus and Grafana

Improving your monitoring setup by integrating Cloudflare’s analytics data into Prometheus and Grafana

The following is a guest post by Martin Hauskrecht, DevOps Engineer at Labyrinth Labs.

Improving your monitoring setup by integrating Cloudflare’s analytics data into Prometheus and Grafana

Here at Labyrinth Labs, we put great emphasis on monitoring. Having a working monitoring setup is a critical part of the work we do for our clients.

Cloudflare's Analytics dashboard provides a lot of useful information for debugging and analytics purposes for our customer Pixel Federation. However, it doesn’t automatically integrate with existing monitoring tools such as Grafana and Prometheus, which our DevOps engineers use every day to monitor our infrastructure.

Cloudflare provides a Logs API, but the amount of logs we’d need to analyze is so vast, it would be simply inefficient and too pricey to do so. Luckily, Cloudflare already does the hard work of aggregating our thousands of events per second and exposes them in an easy-to-use API.

Having Cloudflare’s data from our zones integrated with other systems’ metrics would give us a better understanding of our systems and the ability to correlate metrics and create more useful alerts, making our Day-2 operations (e.g. debugging incidents or analyzing the usage of our systems) more efficient.

Since our monitoring stack is primarily based on Prometheus and Grafana, we decided to implement our own Continue reading

Automation: Dealing with Vendor-Specific Configuration Keywords

One of the students in our Building Network Automation Solutions online course asked an interesting question:

I’m building an IPsec multi-vendor automation solution and am now facing the challenge of vendor-specific parameter names. For example, to select the AES-128 algorithm, Juniper uses ‌aes-128-cbc, Arista aes128, and Checkpoint AES-128.

I guess I need a kind of Rosetta stone to convert the IKE/IPSEC parameters from a standard parameter to a vendor-specific one. Should I do that directly in the Jinja2 template, or in the Ansible playbook calling the template?

Both options are awkward. It would be best to have a lookup table mapping parameter values from the data model into vendor-specific keywords, for example:

Automation: Dealing with Vendor-Specific Configuration Keywords

One of the students in our Building Network Automation Solutions online course asked an interesting question:

I’m building an IPsec multi-vendor automation solution and am now facing the challenge of vendor-specific parameter names. For example, to select the AES-128 algorithm, Juniper uses ‌aes-128-cbc, Arista aes128, and Checkpoint AES-128.

I guess I need a kind of Rosetta stone to convert the IKE/IPSEC parameters from a standard parameter to a vendor-specific one. Should I do that directly in the Jinja2 template, or in the Ansible playbook calling the template?

Both options are awkward. It would be best to have a lookup table mapping parameter values from the data model into vendor-specific keywords, for example:

Juniper i40e NVM Firmware Upgrade

Juniper Routing Engines with VM Host need an i40e NVM firmware upgrade. The procedure is a pain in the ass, and documentation is not great. But you can’t avoid the upgrade any more. New Junos versions need the firmware upgrade, and replacement REs will ship with it already installed. Here’s some tips on doing the upgrade.

Background

Newer Juniper Routing Engines use a Linux-based hypervisor, and Junos (still BSD-based) runs as a guest VM. This is mostly transparent for day to day operations. When you do a Junos upgrade, it will upgrade the underlying hypervisor if required.

Upcoming Junos versions ship with a new version of Wind River Linux that needs i40e firmware version 6.01. Older versions used v4.26. You need the new i40e firmware installed first, before you can install the latest Junos versions. You can’t put this upgrade off forever. Sooner or later you’ll want to ugprade to a Junos version that only supports the new firmware. Or you’ll get a replacement RE delivered with new firmware, and you can’t downgrade it.

For the last couple of years, Juniper has been shipping Junos versions that will work with both old & new firmware versions. You Continue reading

Why you don’t want to miss the upcoming Kubernetes Security and Observability Summit

The inaugural Kubernetes Security and Observability Summit will be a free, live, online experience full of Kubernetes-related security and observability content. On June 3, 2021, industry experts will gather under one virtual roof to discuss trends, strategies, and technologies for Kubernetes security and observability, to help you understand and navigate today’s pressing issues in the world of cloud-native applications.

Why attend?

The Summit is a great opportunity to:

  • Network with the industry’s best security, DevOps, and site reliability engineer (SRE) teams for cloud-native platforms
  • Learn how to secure, observe, and troubleshoot Kubernetes environments
  • Explore real-world Kubernetes security and observability use cases presented by experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera

Who should attend?

SREs, platform architects, and DevOps and security teams will all find value in attending the Summit.

  • DevOps teams and SREs – Learn how to include security and observability in your CI/CD to enable security, observability, and troubleshooting
  • Platform architects – Learn architecture patterns and best practices to secure and troubleshoot cloud-native applications
  • Security teams – Learn how to holistically secure your cloud-native applications following today’s best practices

Speakers & sessions

An opening keynote address from Continue reading

Mythic AI gets funding to mass-produce edge chips

Just six months after unveiling its first AI inferencing processor, Mythic AI has announced a new round of funding for $70 million in Series C investment to begin mass production of its chips and to develop its next generation of hardware and software products.In November, the company announced the M1108 Analog Matrix Processor (AMP) aimed at edge AI deployments across a wide range of applications, including manufacturing, video surveillance, smart cities, smart homes, AR/VR, and drones.Now see "How to manage your power bill while adopting AI" For a company that is nine years old and has zero sales, it’s got some heavy hitters behind it. The new investment round was led by led by venture fund giant BlackRock and Hewlett Packard Enterprise (HPE). Other investors include Alumni Ventures Group and UDC Ventures.To read this article in full, please click here

Mythic AI gets funding to mass-produce edge chips

Just six months after unveiling its first AI inferencing processor, Mythic AI has announced a new round of funding for $70 million in Series C investment to begin mass production of its chips and to develop its next generation of hardware and software products.In November, the company announced the M1108 Analog Matrix Processor (AMP) aimed at edge AI deployments across a wide range of applications, including manufacturing, video surveillance, smart cities, smart homes, AR/VR, and drones.Now see "How to manage your power bill while adopting AI" For a company that is nine years old and has zero sales, it’s got some heavy hitters behind it. The new investment round was led by led by venture fund giant BlackRock and Hewlett Packard Enterprise (HPE). Other investors include Alumni Ventures Group and UDC Ventures.To read this article in full, please click here

How Upgrading PHP On WordPress Became *It Was DNS*-An IT Operations Tale

The server needed a PHP update. WordPress told me so with a severe-sounding notification adorned with red coloration, a security warning, boldface type, and a link explaining how to change the PHP version. I sighed. Security issues never end, and I have a recurring reminder in my todo list to patch the Virtual Private Server (VPS) boxes I shepherd.

But this PHP issue…hmm. This felt like a bigger deal, and many sites I support lean heavily into WordPress. Rather than wait for the next regular patching session, I decided to get on it. I did a process test on one server, a lower profile machine that wouldn’t hurt too much if things went awry. The goal was to move from PHP 7.2.insecure to PHP 7.4.secure. How hard could it be?

Most of the search engine hits for “upgrade PHP on WordPress” told me to go into CPanel or a similar tool my hosting provider might offer to abstract what’s going on with the server itself. That’s not what I was looking for, because I manage my own hosts. I needed to know how to reconfigure the host itself. The OS packages to install. The conf files Continue reading

Near Real-Time Kubernetes at Scale: Increasing App Throughput with Linkerd

Stephen Reardon The one-man band that keeps the show running, Stephen Reardon is the DevOps engineer in the Entain Trading Solutions team, operating hundreds of Kubernetes nodes in the cloud using IaC tooling, chaos engineering testing tools and end to end monitoring. His main responsibility is operational reliability, keeping the platform resilient and available, and above all developer-proof.

Day Two Cloud 098: Cloud Centers Of Excellence – Should You Have One?

A fractured cloud strategy causes headaches such as duplicated services, unnecessary costs, poor security controls, and other problems. A cloud center of excellence can reduce the pain by developing and championing best practices, socializing adoption, and addressing inevitable exceptions. Fred Chagnon visits the Day Two Cloud podcast to advocate for building a cloud center of excellence in your org.

The post Day Two Cloud 098: Cloud Centers Of Excellence – Should You Have One? appeared first on Packet Pushers.

Day Two Cloud 098: Cloud Centers Of Excellence – Should You Have One?

A fractured cloud strategy causes headaches such as duplicated services, unnecessary costs, poor security controls, and other problems. A cloud center of excellence can reduce the pain by developing and championing best practices, socializing adoption, and addressing inevitable exceptions. Fred Chagnon visits the Day Two Cloud podcast to advocate for building a cloud center of excellence in your org.

Why you don’t want to miss the upcoming Kubernetes Security and Observability Summit

The inaugural Kubernetes Security and Observability Summit will be a free, live, online experience full of Kubernetes-related security and observability content. On June 3, 2021, industry experts will gather under one virtual roof to discuss trends, strategies, and technologies for Kubernetes security and observability, to help you understand and navigate today’s pressing issues in the world of cloud-native applications.

Why attend?

The Summit is a great opportunity to:

  • Network with the industry’s best security, DevOps, and site reliability engineer (SRE) teams for cloud-native platforms
  • Learn how to secure, observe, and troubleshoot Kubernetes environments
  • Explore real-world Kubernetes security and observability use cases presented by experts from industry-leading companies like Amazon, Box, Citi, EY, Mirantis, Morgan Stanley, PayPal, Salesforce, and of course, Tigera

Who should attend?

SREs, platform architects, and DevOps and security teams will all find value in attending the Summit.

  • DevOps teams and SREs – Learn how to include security and observability in your CI/CD to enable security, observability, and troubleshooting
  • Platform architects – Learn architecture patterns and best practices to secure and troubleshoot cloud-native applications
  • Security teams – Learn how to holistically secure your cloud-native applications following today’s best practices

Speakers & sessions

An opening keynote address from Continue reading

The Hedge 84: David Brown and the Root of Trust

Many engineers just assume that secure hardware boot is, in fact, secure. How does this security work, and just how secure is it, though? David Brown joins Tom Ammon, Eyvonne Sharp, and Russ White on this episode of the Hedge to discuss the secure boot loader in some detail. For more information on the secure boot loader and IoT, see David’s presentation at the Open Source Summit.

download

Palo Alto Networks pushes enterprise zero trust

Palo Alto Networks bolstered its security portfolio with products that target enterprise network users looking to make the move to a zero-trust environment.The new capabilities focus on a number of zero trust mechanisms—including  SaaS, cloud and DNS that will be available in June—and will make it significantly easier for organizations to adopt zero-trust security across the enterprise, according to Anand Oswal, senior vice president and general manager with Palo Alto. More about DNS: DNS in the cloud: Why and why not DNS over HTTPS seeks to make internet use more private How to protect your infrastructure from DNS cache poisoning ICANN housecleaning revokes old DNS security key As more people are working from anywhere, they require fast and always-on access to data and applications in the distributed cloud, regardless of location, Oswal said. “An all-encompassing zero-trust approach to network security is critical for safeguarding productivity in the new reality of remote, mobile, and hybrid work,” he said.To read this article in full, please click here

Palo Alto Networks pushes enterprise zero trust

Palo Alto Networks bolstered its security portfolio with products that target enterprise network users looking to make the move to a zero-trust environment.The new capabilities focus on a number of zero trust mechanisms—including  SaaS, cloud and DNS that will be available in June—and will make it significantly easier for organizations to adopt zero-trust security across the enterprise, according to Anand Oswal, senior vice president and general manager with Palo Alto. More about DNS: DNS in the cloud: Why and why not DNS over HTTPS seeks to make internet use more private How to protect your infrastructure from DNS cache poisoning ICANN housecleaning revokes old DNS security key As more people are working from anywhere, they require fast and always-on access to data and applications in the distributed cloud, regardless of location, Oswal said. “An all-encompassing zero-trust approach to network security is critical for safeguarding productivity in the new reality of remote, mobile, and hybrid work,” he said.To read this article in full, please click here

Back to Basics: Unnumbered IPv4 Interfaces

In the previous blog post in this series, we explored some of the reasons IP uses per-interface (and not per-node) IP addresses. That model worked well when routers had few interfaces and mostly routed between a few LAN segments (often large subnets of a Class A network assigned to an academic institution) and a few WAN uplinks. In those days, the WAN networks were often implemented with non-IP technologies like Frame Relay or ATM (with an occasional pinch of X.25).

The first sign of troubles in paradise probably occurred when someone wanted to use a dial-up modem to connect to a LAN segment. What subnet (and IP address) do you assign to the dial-up connection, and how do you tell the other end what to use? Also, what do you do when you want to have a bank of modems and dozens of people dialing in?

Back to Basics: Unnumbered IPv4 Interfaces

In the previous blog post in this series, we explored some of the reasons IP uses per-interface (and not per-node) IP addresses. That model worked well when routers had few interfaces and mostly routed between a few LAN segments (often large subnets of a Class A network assigned to an academic institution) and a few WAN uplinks. In those days, the WAN networks were frequently implemented with non-IP technologies like Frame Relay or ATM (with an occasional pinch of X.25).

The first sign of troubles in paradise probably occurred when someone wanted to use a dial-up modem to connect to a LAN segment. What subnet (and IP address) do you assign to the dial-up connection, and how do you tell the other end what to use? Also, what do you do when you want to have a bank of modems and dozens of people dialing in?