Pragmatic Debian packaging (2019)

Notice

This guide is an updated version of a previous edition. If you need to target distributions older than Debian Stretch and Ubuntu Bionic, please have a look at the older version instead.

While the creation of Debian packages is abundantly documented, most tutorials are targeted to packages implementing the Debian policy. Moreover, Debian packaging has a reputation of being unnecessarily difficult1 and many people prefer to use less constrained tools2 like fpm or CheckInstall.

However, building Debian packages with the official tools can become straightforward if you bend some rules:

  1. No source package will be generated. Packages will be built directly from a checkout of a VCS repository.

  2. Additional dependencies can be downloaded during build. Packaging individually each dependency is a painstaking work, notably when you have to deal with some fast-paced ecosystems like Java, Javascript and Go.

  3. The produced packages may bundle dependencies. This is likely to raise some concerns about security and long-term maintenance, but this is a common trade-off in many ecosystems, notably Java, Javascript and Go.

The BGP Monitoring Protocol (BMP)

If you run connections to the ‘net at any scale, even if you are an “enterprise” (still a jinxed term, IMHO), you will quickly find it would be very useful to have a time series record of the changes in BGP at your edge. Even if you are an “enterprise,” knowing what changes have taken place in the routes your providers have advertised to you can make a big difference in tracking down an application performance issue, or knowing just when a particular service went off line. Getting this kind of information, however, can be difficult.

BGP is often overloaded for use in data center fabrics, as well (though I look forward to the day when the link state alternatives to this are available, so we can stop using BGP this way). Getting a time series view of BGP updates in a fabric is often crucial to understanding how the fabric converges, and how routing convergence events correlate to application issues.

One solution is to set up the BGP Monitoring Protocol (BMP—an abbreviation within an abbreviation, in the finest engineering tradition).

BMP is described in RFC7854 as a protocol intended to “provide a convenient interface for obtaining route views.” Continue reading

Security group support in OVN external networks

In this post I will introduce and showcase how security groups can be used to enable certain scenarios.

Security groups allow fine-grained access control to - and from - the oVirt VMs attached to external OVN networks.

The Networking API v2 defines security groups as a white list of rules - the user specifies in it which traffic is allowed. That means, that when the rule list is empty, neither incoming nor outgoing traffic is allowed (from the VMs perspective).

A demo recording of the security group feature can be found below.

here.

Provided tools

This repo adds tools, and information on how to use them, to help manage the security groups in oVirt, since currently there is no supported mechanism to provision security groups, other than the REST API, and ManageIQ. ManageIQ also doesn't fully support security groups, since it lacks a way to attach security groups to logical ports.

Demo scenarios

In the following links you can also find playbooks that can be built upon to reach different types of scenarios.

A deeper dive into Linux permissions

Sometimes you see more than just the ordinary r, w, x and - designations when looking at file permissions on Linux. Instead of rwx for the owner, group and other fields in the permissions string, you might see an s or t, as in this example:drwxrwsrwt One way to get a little more clarity on this is to look at the permissions with the stat command. The fourth line of stat’s output displays the file permissions both in octal and string format:$ stat /var/mail File: /var/mail Size: 4096 Blocks: 8 IO Block: 4096 directory Device: 801h/2049d Inode: 1048833 Links: 2 Access: (3777/drwxrwsrwt) Uid: ( 0/ root) Gid: ( 8/ mail) Access: 2019-05-21 19:23:15.769746004 -0400 Modify: 2019-05-21 19:03:48.226656344 -0400 Change: 2019-05-21 19:03:48.226656344 -0400 Birth: - This output reminds us that there are more than nine bits assigned to file permissions. In fact, there are 12. And those extra three bits provide a way to assign permissions beyond the usual read, write and execute — 3777 (binary 011111111111), for example, indicates that two extra settings are in use.To read this article in full, please click here

It’s Time for Another Pet Project

More than a decade ago I decided to start a pet project: a blog describing interesting details of networking technologies. The idea quickly morphed into vendor-neutral webinars - the first one took place in February 2010. A year or two later I had my first guest speaker and as of today we had more than 50 industry experts participating in ipSpace.net webinars and online courses.

In the meantime the ipSpace.net team grew: I had video and audio editors for years, Irena Marčetič took over marketing, logistics, and production in 2018, and we got a team of webinar moderators that will help us with guest speaker webinars (last week we ran the first guest speaker webinar where I didn’t have to be involved - hooray ;)

Read more ...

Dell R610 Ubuntu 1804 Install Error

When attempting to install the Ubuntu 1804 server spin on a Dell R610 I use for labs I encountered an error. The image that is available from the main downloads page links to a live installer. When I tried to install from this image, the installer would crash and restart when trying to...

For ESXi: Realtek NICs Are Awful And Don’t Use Them

OK, this isn’t a really a controversial opinion. This is more as a guide for those who run into these problems when trying to setup their first whitebox/homelab systems for ESXi.

So it goes something like this: You’ve got an old desktop, gaming rig, or workstation. You decide you’ll retire it to your home data center (or basement, or laundry room) as a hypervisor. ESXi by itself (no vSphere controller) is free, and here’s how to download and get the license key.

For most desktop/workstation type of hardware, you can install ESXi from the general ESXi installer except for one aspect: Many of these types of systems use Realtek, Marvell, or other desktop/consumer grade NICs, and there’s not an ESXi driver for these. And for good reasons: They suck.

So you have the choice: Try to use a special custom ISO installer with the Realtek?Marvell/etc. driver loaded, or buy a different NIC. In most of IT, there’s usually more than one right answer, and a heaping dose of “it depends”. However, for this particular question (Realtek or buy another NIC) there’s only right right answer: Buy another NIC.

Realtek NICs suck. They don’t perform well, they’re a pain to Continue reading

Middle East Chapters Advocacy Meeting

Last month, the Chapters Advocacy Workshop for the Middle East, took place in Beirut Lebanon. The two-day event hosted Chapter leaders and representatives from  Bahrain, Egypt, Jordan, Lebanon, Saudi Arabia, Morocco, Palestine, Somalia, Syria, United Arab Emirates, and Yemen. While the focus was on MANRS (Mutually Agreed Norms for Routing Security), it also included representatives from the Blockchain SIG (Special Interest Group).

During the two days, we discussed many issues related to the Middle East Chapters and their concerns, the 2019 plan of the Middle East Bureau, the strategic vision for the Internet Society, and the 2020 planning process. We acquired feedback from the delegates on our plans and community facing processes. We had ample staff representation that contributed immensely to the workshop, including, Sally Wentworth, Salam Yamout, Konstantinos Komaitis, Sally Harvey, Nermine El Saadany, and Aftab Siddiqui.

Aftab initiated the workshop with an introductory session on MANRS. He gave a technical breakdown on what MANRS is about before moving onto a hands-on workshop. The second day opened with an introduction to the 2020 Strategic Plan, followed by a PEST analysis led by Sally. Participants gave feedback on what’s important to their Chapters and to themselves as members Continue reading

Weekend Reads 052419

By any metric, the queries and responses that take place in the DNS are highly informative of the Internet and its use. But perhaps the level of interdependencies in this space is richer than we might think. —Geoff Huston

According to our researchers, the attackers either had access to the source code of the victims’ projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago… —Kapersky

Endpoint security is a common concern among organizations, but security teams should be thinking more broadly about protecting data wherever it resides. —Kelly Sheridan

Two open source projects that have been instrumental in providing metrics for cloud native operations have merged into a single project. The fusion of Google’s OpenCensus and the Cloud Native Computing Foundation’s OpenTracing will be known as OpenTelemetry, and will be managed by the CNCF. —Joab Jackson

In a blog post published Tuesday, Google revealed that its G Suite platform mistakenly stored unhashed passwords of some of its enterprise users on internal servers in plaintext for 14 years because of a bug in the password recovery Continue reading

1 1,203 1,204 1,205 1,206 1,207 3,819