Writing a custom Ansible module
Ansible ships a lot of modules you can combine for your configuration management needs. However, the quality of these modules may vary widely. Sometimes, it may be quicker and more robust to write your own module instead of shopping and assembling existing ones.1
In my opinion, a robust module exhibits the following characteristics:
- idempotency,
- diff support,
- check mode compatibility,
- correct change signaling, and
- lifecycle management.
In a nutshell, it means the module can run with --diff --check and
shows the changes it would apply. When run twice in a row, the second
run won’t apply or signal changes. The last bullet point suggests the
module should be able to delete outdated objects configured during
previous runs.2
The module code should be minimal and tailored to your needs. Making the module generic for use by other users is a non-goal. Less code usually means less bugs and easier to understand.
I do not cover testing here. It is undeniably a good practice, but it requires a significant effort. In my opinion, it is preferable to have a well written module matching the above characteristics rather than a module that is well tested but without them or a module requiring Continue reading
Explore VMware Tanzu Service Mesh at VMworld 2020
It’s that time of year again — VMworld! And while this year, due to COVID-19, we’re pivoting to a virtual format, we’ll, we still be delivering a top-notch event with great sessions on cutting edge innovations. And the best part is, it’s FREE!
One of the hottest topics these days is service mesh, which is an abstraction that takes care of service to service communication, security, and observability. At VMware, we’re the “abstraction company” — but we’re not just working on the immediate use cases that the rest of the pack are working on, we’re ahead of the game, extracting a lot more value from our unique position vis a vis abstraction.
Service Mesh Sessions You Won’t Want to Miss:
I’ve compiled a list of our service mesh sessions below so you can easily register for them:
- Introduction to Tanzu Service Mesh [MAP1231] – This session, delivered by yours truly and Oren Penso, will take you step by step from understanding what service mesh is at the most basic level to understanding the unique value of VMware’s Tanzu Service Mesh. As we usually do, this session will have plenty of good demos.
- Connect and Secure Your Applications Through Continue reading
Don’t Forget Cybersecurity on Your Back-to-School List
This opinion piece was originally published in Dark Reading.
School systems don’t seem like attractive targets, but they house lots of sensitive data, such as contact information, grades, health records, and more.
Schools are starting to reopen around the country – some physically, some virtually, and some a hybrid of the two. As a result, the remote learning requirement that was thrust upon schools when the pandemic forced closures earlier this year has reemerged. Presumably, lessons learned during the chaotic transition in the spring can be applied to make fall run more smoothly. But one item is critical to consider during this back to school season: Cybersecurity.
Before examining cybersecurity needs in school systems, it’s important to understand what’s at stake. On the surface, school systems don’t appear to be an attractive target, but they contain a significant amount of highly sensitive information, such as contact information, grades, health records, counselor interactions, and possibly parents’ financial records. In light of COVID-19 and increased remote connections, there is now even more data – including health status, contact tracing, and recordings of student participation online – housed in systems and therefore more privacy concerns than ever.
In recent years, schools have also seen Continue reading
Day Two Cloud 064: Bringing Ansible Into A Windows Shop
Today's Day Two Cloud podcast makes the case for bringing Ansible into your Windows automation toolkit with guest Josh Duffney. Josh is an SRE, a Microsoft MVP, and author of a book on Ansible. We discuss key elements of Ansible, how it fits in a Windows shop, using Ansible with the Chocolately package manager, and more.
The post Day Two Cloud 064: Bringing Ansible Into A Windows Shop appeared first on Packet Pushers.
Day Two Cloud 064: Bringing Ansible Into A Windows Shop
Today's Day Two Cloud podcast makes the case for bringing Ansible into your Windows automation toolkit with guest Josh Duffney. Josh is an SRE, a Microsoft MVP, and author of a book on Ansible. We discuss key elements of Ansible, how it fits in a Windows shop, using Ansible with the Chocolately package manager, and more.The Hedge Podcast #50: The Challenge of Growing People
Many network engineers complain about their companies not giving them opportunities—but how many think about helping the company grow in a way that allows them to have the opportunities they desire? Scott Morris, aka “evil ccie,” joins Tom and Russ on this episode of the Hedge to talk about the challenges of certifications, growing people, and people learning how to grow in a way what improves the business. Sometimes growing means creating opportunities rather than just waiting for them to knock.
The Internet Society Welcomes the Comoros Chapter
We are excited to announce the new Internet Society Comoros Chapter! ISOC Comoros officially launched in July in front of an in-person and online audience at the Retaj Hotel.
Journalists joined several distinguished guests, including:
- Dawit Bekele, Internet Society’s Regional Vice-President for Africa
- Mohamed Said Abdallah Mchangama, President of the Federation of Comorian Consumers (FCC)
- Amina Abdallah, Coordinator of the World Bank’s Phase 4 of the Regional Communications Infrastructure Program for Africa (RCIP-4)
- Hamidou Mhoma, President of the Comorian ICT Association
- Chamsoudine Soudjay, Secretary General of the Comorian ICT Association
- Amroine Mouzaoui, Executive Secretary of the Comorian Movement for Entrepreneurs
- Raymane Ali Matoir, Director of Human Resources of Telma Comores
- Youssouf Abdoulmadjid, Chief Operating Officer of Comor’Lab
- Moussa Abdallah Moumine, Coordinator of the General Inspectorate of National Education
Since the country’s very first connection to the Internet in July 1998, the Internet industry has continued to evolve, along with telecommunications. The country is beginning to benefit from the rise in competition in the ICT sector, and as such the establishment of ISOC Comoros brings an added dimension to the development, promotion, and use of the Internet for the greater good of the entire country.
The Internet is for everyone and Continue reading
Example: Securing AWS Deployment
Nadeem Lughmani created an excellent solution for the securing your cloud deployment hands-on exercise in our public cloud online course. His Terraform-based solution includes:
- Security groups to restrict access to web server and SSH bastion host;
- An IAM policy and associated user that has read-only access to EC2 and VPC resources (used for monitoring)
- An IAM policy that has full access to as single S3 bucket (used to modify static content hosted on S3)
- An IAM role for AWS CloudWatch logs
- Logging SSH events from the SSH bastion host into CloudWatch logs.
Mitigating the Risks of Instance Metadata in AWS EKS
Compromising a pod in a Kubernetes cluster can have disastrous consequences on resources in an AWS Elastic Kubernetes Service (EKS) account if access to the Instance Metadata service is not explicitly blocked. The Instance Metadata service is an AWS API listening on a link-local IP address. Only accessible from EC2 instances, it enables the retrieval of metadata that is used to configure or manage an instance. Although you can only access instance metadata and user data from within the instance itself, the data is not protected by authentication or cryptographic methods.
A recent blog described a scenario where an attacker compromised a pod in an EKS cluster by exploiting a vulnerability in the web application it was running, thus enabling the attacker to enumerate resources in the cluster and in the associated AWS account. This scenario was simulated by running a pod and attaching to a shell inside it.
By querying the Instance Metadata service from the compromised pod, the attacker was able to access the service and retrieve temporary credentials for the identity and access management (IAM) role assigned to the EC2 instances acting as Kubernetes worker nodes. At that point, the attacker was able to pursue multiple exploits, Continue reading
History of Networking: Networking at Google with Richard Hay
Google fascinates network engineers because of the sheer scale of their operations, and their obvious influence over the way networks are built and operated. In this episode of the History of Networking, Richard Hay joins Donald Sharp and Russ White to talk about some past designs and stories of failure and success in one of the world’s largest operating networks.
Two clicks to add region-based Zero Trust compliance
Your team members are probably not just working from home - they may be working from different regions or countries. The flexibility of remote work gives employees a chance to work from the towns where they grew up or countries they always wanted to visit. However, that distribution also presents compliance challenges.
Depending on your industry, keeping data inside of certain regions can be a compliance or regulatory requirement. You might require employees to connect from certain countries or exclude entire countries altogether from your corporate systems.
When we worked in physical offices, keeping data inside of a country was easy. All of your users connecting to an application from that office were, of course, in that country. Remote work changed that and teams had to scramble to find a way to keep people productive from anywhere, which often led to sacrifices in terms of compliance. Starting today, you can make geography-based compliance easy again in Cloudflare Access with just two clicks.
You can now build rules that require employees to connect from certain countries. You can also add rules that block team members from connecting from other countries. This feature works with any identity provider configured and requires no Continue reading
Docker Services 101
Last week I published an overview of how complex (networking-wise) Docker Swarm services can get. This time let’s focus on something that should have been way simpler: running container-based services on a single Linux host.
In the first part of this article I’m focusing on the basics, including exposed ports, and published ports. The behind-the-scenes details are coming in a week or so; in the meantime you can enjoy (most of them) in the Docker Networking Deep Dive webinar.
LXC as Virtual Service Container on IOS XE
In the last tutorial, we have discussed Cisco open service container based on Kernel Virtual Machine (KVM). Virtual machines include the application, binaries and libraries along with entire guest OS. As a result, we can run any guest OS supported by KVM hypervisor. Containers, however share the same kernel with; each container still acts as […]Continue reading...