Hybrid Operations with Ansible

One of the most common questions I hear while talking about Ansible's support for cloud providers is whether it will work in hybrid environments. You may not be able to use the ec2 module to create an instance in your datacenter, but Ansible has modules for RHV, OpenStack, and VMware to talk to the virtualization tools in your datacenter. I love working in AWS, Azure, and Google Cloud, but most environments I've worked in have had on-prem systems as well.

That's what I've been invited to Red Hat Summit to talk about -- best practices for automating all the infrastructure at your disposal, not just the cloud services. My demos will feature a couple new Ansible Core/Engine 2.5 features, as well as preview new 2.6-only features.

My favorite feature to show off is part of the new ec2_instance module. In the demo we'll have a look at how Tower provisioning callbacks are now built into the ec2_instance module, making provisioning brand-new instances as easy as:

```yaml
- ec2_instance:
    image:
      id: "{{ latest_centos.image_id }}"
    key_name: my-secret-key
    instance_type: t2.large
    name: call-me-maybe
    security_groups:
      - demo-web-sg
    # COOL MAGIC HERE
    tower_callback:
      host_config_key: "{{ your_secret_here }}"
      job_template_id:
```

Continue reading
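What the callback actually does once the instance boots is worth seeing, because the host_config_key is a secret that authorizes launching the job template. The following is an added example, not code from the blog post or from the ec2_instance module: it models the Tower provisioning callback (a POST of host_config_key to the job template's callback URL, which is Tower's documented API) with the HTTP transport injected so it runs offline. The Tower URL, job template id and key in the demo are made-up values, and the retry policy is an assumption about what a sensible callback script should do rather than a description of the module's generated user-data.

```python
"""Added example, not code from the Ansible blog post or the ec2_instance module:
what a Tower provisioning callback does on the wire, with the HTTP transport
injected so it runs offline. The callback path and the host_config_key form
field are Tower's documented callback API; the Tower URL, job template id and
key used in demo() are made-up values."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

CALLBACK_PATH = "/api/v2/job_templates/{job_template_id}/callback/"


@dataclass(frozen=True)
class CallbackRequest:
    method: str
    url: str
    form: Dict[str, str]


def build_callback(tower_url: str, job_template_id: int, host_config_key: str) -> CallbackRequest:
    """Build the POST a freshly booted host sends to Tower.

    host_config_key is a shared secret that authorises launching the template,
    so the request must go over https with certificate validation left on;
    over plain http (or with validation disabled) an on-path attacker can read
    the key and launch the template against any host in the inventory."""
    if not tower_url.startswith("https://"):
        raise ValueError("tower_url must be https: host_config_key is a bearer secret")
    url = tower_url.rstrip("/") + CALLBACK_PATH.format(job_template_id=job_template_id)
    return CallbackRequest("POST", url, {"host_config_key": host_config_key})


# A transport sends the request and returns the HTTP status Tower answered with.
Transport = Callable[[CallbackRequest], int]


def provision_callback(req: CallbackRequest, transport: Transport,
                       attempts: int = 10, delay_seconds: float = 0.0) -> Tuple[bool, int]:
    """Retry loop of the kind a callback script in user-data needs (assumed policy).

    Tower only queues the job when the calling host can be matched to an
    inventory host, and a brand-new instance may not have been synced into the
    inventory yet, so any non-2xx answer is retried, except a 403: that means
    the key was rejected, and retrying a bad secret only fills Tower's logs.
    Returns (queued, attempts_used)."""
    for attempt in range(1, attempts + 1):
        status = transport(req)
        if 200 <= status < 300:
            return True, attempt
        if status == 403:
            return False, attempt
        if attempt < attempts:
            time.sleep(delay_seconds)
    return False, attempts


def demo() -> Tuple[bool, int]:
    """Constructed Tower replies: host not matched yet, Tower busy, then queued."""
    replies = iter([400, 503, 201])
    req = build_callback("https://tower.example.com", 42, "demo-host-config-key")
    return provision_callback(req, lambda _req: next(replies))


if __name__ == "__main__":
    print(demo())  # (True, 3)
```

The point to take away for the playbook above: the key in `host_config_key` travels in the request body, so it is only as secret as the TLS connection to Tower, and the value should come from a vaulted variable or a Tower credential rather than a literal in the play.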

Fabrics Open The Way For Storage Class Memory

Dell EMC has long been a vocal proponent of NVM-Express, the up-and-coming protocol that cuts out the CPU jib-jab with PCI-Express peripherals and that boosts throughput and drops latency for flash and other non-volatile memory.

For the past two years, Dell, like other system makers, has put NVM-Express drives in its servers while ramping up the flash in its high-end storage systems and preparing to bring the protocol to those external storage appliances. It has taken time to get the arrays reworked, for the price of NVM-Express drives to come down, and for the volumes to ramp up.

Fabrics Open The Way For Storage Class Memory was written by Jeffrey Burt at The Next Platform.

What is BGP Hijacking, Anyway?

Two weeks ago, we learned about yet another routing security incident, namely the hijack of BGP routes to the Amazon DNS infrastructure, used as a stepping stone to steal about $150,000 of Ethereum cryptocurrency from MyEtherWallet.com. We’ve been talking a lot lately about BGP hijacking, digging into the details of what happened in this post. But maybe we need to back up a minute and answer: What in the world is BGP hijacking, anyway, and why does it matter? Here, we’ll explain the basics and how network operators and Internet Exchange Points can join MANRS to help solve the problem.

What is BGP?

BGP, or Border Gateway Protocol, is used to direct traffic across the Internet. Networks use BGP to exchange “reachability information” – networks they know how to get to. Any network that is connected to the Internet eventually relies on BGP to reach other networks.

What is BGP Hijacking?

In short, BGP hijacking is when an attacker disguises itself as another network; it announces network prefixes belonging to another network as if those prefixes are theirs. If this false information is accepted by neighboring networks and propagated further using BGP, it distorts the “roadmap” of the Continue reading
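The routing-side defence MANRS asks operators for is to check what they accept from neighbours against who is actually authorized to originate a prefix. The following is an added example, not part of the Internet Society post: a route origin check following the RPKI Route Origin Validation procedure of RFC 6811, run over a constructed set of announcements that includes the exact-prefix and more-specific hijack shapes the post describes. It goes a little beyond the post by also showing the case ROV cannot catch, a hijack that forges the victim's AS as origin. All prefixes are RFC 5737 documentation space and all AS numbers are from the documentation range, so every value is constructed.

```python
"""Added example, not part of the Internet Society post: RPKI Route Origin
Validation (RFC 6811) applied at a border, over constructed announcements.
Prefixes are RFC 5737 documentation space; AS numbers are documentation ASNs."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class ROA:
    """Route Origin Authorization: asn may originate prefix and any
    more-specific of it no longer than max_len."""
    prefix: str
    max_len: int
    asn: int


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]  # leftmost = neighbour that sent it, rightmost = origin

    @property
    def origin_asn(self) -> int:
        return self.as_path[-1]


def origin_validation(ann: Announcement, roas: Iterable[ROA]) -> str:
    """RFC 6811 outcome: 'valid' if some ROA covers the prefix and matches both
    origin and length, 'invalid' if ROAs cover the prefix but none matches,
    'not-found' if no ROA covers it at all."""
    net = ipaddress.ip_network(ann.prefix, strict=True)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=True)
        if roa_net.version != net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if net.prefixlen <= roa.max_len and ann.origin_asn == roa.asn:
            return "valid"
    return "invalid" if covered else "not-found"


def border_filter(anns: Iterable[Announcement],
                  roas: Iterable[ROA]) -> List[Tuple[Announcement, str, str]]:
    """Reject 'invalid' routes; accept 'valid' and 'not-found'. Most prefixes on
    the Internet still have no ROA, so rejecting not-found would black-hole them."""
    roas = list(roas)
    result = []
    for ann in anns:
        state = origin_validation(ann, roas)
        action = "reject" if state == "invalid" else "accept"
        result.append((ann, state, action))
    return result


# Constructed ROAs: who is allowed to originate what.
SAMPLE_ROAS = [
    ROA("203.0.113.0/24", 24, 64500),   # AS64500 owns 203.0.113.0/24, no deaggregation allowed
    ROA("198.51.100.0/22", 24, 64501),  # AS64501 may announce the /22 and /23s, /24s inside it
]

# Constructed announcements as seen from a border router.
SAMPLE_ANNOUNCEMENTS = [
    Announcement("203.0.113.0/24", (64496, 64500)),  # legitimate route via transit AS64496
    Announcement("203.0.113.0/25", (64502,)),        # more-specific hijack: would win longest-match
    Announcement("203.0.113.0/24", (64502,)),        # exact-prefix hijack, hijacker as origin
    Announcement("203.0.113.0/24", (64502, 64500)),  # forged-origin hijack: ROV cannot see it
    Announcement("198.51.100.0/24", (64501,)),       # deaggregation the ROA permits
    Announcement("198.51.100.0/25", (64501,)),       # too specific for max_len: invalid
    Announcement("192.0.2.0/24", (64503,)),          # no ROA at all: not-found, still accepted
]


def demo() -> List[Tuple[str, str, str, str]]:
    """(prefix, as_path, state, action) for each constructed announcement."""
    return [(a.prefix, "_".join(map(str, a.as_path)), s, act)
            for a, s, act in border_filter(SAMPLE_ANNOUNCEMENTS, SAMPLE_ROAS)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Note the fourth announcement: origin validation checks only the rightmost AS, so a hijacker who appends the victim's ASN to the path passes ROV and has to be caught by prefix filters built from IRR and peering data, which is the other half of what MANRS asks operators to do.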

The Week in Internet News: Criminal Cryptocurrency Miners Target IoT

Cryptomining the IoT: Cryptocurrency mining has caused a run on high-powered graphics cards, but criminal groups are looking for ways to exploit other computing power for mining operations. One target is Internet of Things networks because of the lack of strong security on many IoT devices, reports ZDNet. IoT cryptojacking malware is becoming popular on underground forums.

Secrecy for Slackers: Have you ever sent a message on Slack that you didn’t want your boss to see? Or maybe you’re concerned that someone could forward your Slack conversations. Apparently, you’re not alone. Security consulting firm Minded Security has created a tool, called Shhlack, that allows for encrypted messages in the popular messaging app, Motherboard says.

Hey, something worked! Law enforcement authorities in several countries worked together to take down WebStresser, a large DDoS-for-hire service, in late April. In the week following the takedown, DDoS attacks observed by one security provider dropped by about 60 percent in Europe, BleepingComputer reports.  The drop may have been only temporary, however.

Fake news hits the courts: Malaysia’s controversial new fake news law has its first casualties. A Danish citizen has pleaded guilty to maliciously publishing a fake news report by posting a YouTube video that appeared to contradict Continue reading

HPE’s new Nimble flash arrays offer storage guarantee, NVMe and SCM support

HPE is rolling out the next generation of its Nimble Storage platform, overhauled to better meet the ever-increasing performance demands on data-center workloads, including real-time web analytics, business intelligence, and mission-critical enterprise resource applications.

The new HPE Nimble Storage All Flash arrays, as well as Nimble Adaptive Flash arrays for hybrid implementations (mixing solid state drives and hard disk drives, for example), are generally available from May 7 and have both been engineered to support NVMe (non-volatile memory express), an extremely fast communications protocol and controller designed to move data to and from SSDs via the PCIe bus standard. NVMe SSDs are expected to offer two orders of magnitude speed improvement over prior SSDs.

Using 4-Byte BGP AS Numbers with EVPN on Junos

After documenting the basic challenges of using EBGP and 4-byte AS numbers with EVPN automatic route targets, I asked my friends working for various vendors how their implementation solves these challenges. This is what Krzysztof Szarkowicz sent me on specifics of Junos implementation:

To learn more about EVPN technology and its use in data center fabrics, watch the EVPN Technical Deep Dive webinar.

Read more ...

Equality of opportunity in supervised learning

Equality of opportunity in supervised learning Hardt et al., NIPS’16

With thanks to Rob Harrop for highlighting this paper to me.

There is a lot of concern about discrimination and bias entering our machine learning models. Today’s paper choice introduces two notions of fairness, equalised odds and equalised opportunity, and shows how to construct predictors that are fair under these criteria. One very appealing feature of the model is that in the case of uncertainty caused by under-representation in the training data, the cost of less accurate decision making in that demographic is moved from the protected class (who might otherwise, for example, not be offered loans) to the decision maker. I’m going to approach the paper backwards, and start with the case study, as I find a motivating example really helps with the intuition.

Loans, race, and FICO scores

We examine various fairness measures in the context of FICO scores with the protected attribute of race. FICO scores are a proprietary classifier widely used in the United States to predict credit worthiness. Our FICO data is based on a sample of 301,536 TransUnion TransRisk scores from 2003.

We’re interested in comparing scores, the Continue reading

Amateur Radio and FT8

My interest in SDR got me into Amateur Radio. One reason was so that I could transmit on non-ISM bands and with more power. Turns out the 2.3GHz band available to Amateur Radio operators is much quieter than the 2.4GHz band where WiFi, bluetooth, microwave ovens, drones, cordless phones and everything else lives. Shocker, I know.

Amateur radio doesn’t just have voice and morse code, there’s also digital modes.

A popular mode is FT8. It’s only used to exchange signal reports, so there’s no chatting. It’s in fact often practically unattended.

It’s a good way to check the quality of your radio setup, and the radio propagation properties that depend on how grumpy the ionosphere is at the moment.

If you transmit, even if nobody replies, you’ll be able to see on PSKReporter who heard you, which is useful.

Because propagation should be pretty much symmetric, receiving a strong signal should mean that two-way communication is possible with the station. Though FT8 is a slow mode that will get through where others won’t, so a weak FT8 signal means that any voice communication is very unlikely to get through.

Unfortunately unlike WSPR the standard FT8 Continue reading

Active Directory & Ansible Tower

Welcome to the second installment of our Windows-centric Getting Started series!

Last time we walked you through how Ansible connects to a Windows host. We’ve also previously explored logging into Ansible Tower while authenticating against an LDAP directory. In this post, we’ll go over a few ways you can use Ansible to manage Microsoft’s Active Directory. Since AD plays a role in many Windows environments, using Ansible to manage Windows will probably include running commands against the Active Directory domain.


First, Set Your Protocol

We’ll be using WinRM to connect to Windows hosts, so this means making sure Ansible or Tower knows that. Machine credentials in Ansible Tower can be created and used along with variables, but when using Ansible in a terminal the playbook should make it clear with variables:

```yaml
---
- name: Your Windows Playbook
  hosts: win
  vars:
    ansible_user: administrator                    # ansible_ssh_user is the older alias; both work
    ansible_password: ThisIsWhereStrongPassesGo    # demo only; in practice pull this from ansible-vault
    ansible_connection: winrm
    ansible_winrm_server_cert_validation: ignore   # standalone, non-domain hosts only (see below)
  tasks:
```

Along with using the local admin account and password, the WinRM connection method is named explicitly. Ignoring certificate validation is meant for standalone, non-domain hosts whose WinRM listener carries a self-signed certificate; a domain-joined host should present a certificate issued by the domain CA, and validation should stay on. The same goes for the password: a literal in the playbook is fine for a demo, but in practice it belongs in an ansible-vault file or a Tower machine credential.
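As an added example (not from the Ansible post), here is what that distinction looks like when the connection settings move out of the play and into per-host variables: one host_vars file for the standalone box the playbook above targets, and one for a domain-joined host with Kerberos and certificate validation left on. The hostnames, realm, service account, vault variable names and CA bundle path are placeholders.

```yaml
# Added example, constructed: two host_vars files, one per kind of Windows host.
# host_vars/standalone-win.yml  (non-domain host, self-signed WinRM listener)
---
ansible_connection: winrm
ansible_port: 5986                                # https listener, never 5985 plain text
ansible_winrm_transport: ntlm
ansible_user: administrator
ansible_password: "{{ vault_win_admin_password }}"   # lives in an ansible-vault file
ansible_winrm_server_cert_validation: ignore      # only tolerable here; pin the CA if you can

# host_vars/domain-win.yml  (domain-joined host)
---
ansible_connection: winrm
ansible_port: 5986
ansible_winrm_transport: kerberos                 # domain credentials, no NTLM fallback
ansible_user: "svc_ansible@EXAMPLE.COM"           # placeholder service account and realm
ansible_password: "{{ vault_svc_ansible_password }}"
ansible_winrm_server_cert_validation: validate    # listener cert chains to the domain CA
ansible_winrm_ca_trust_path: /etc/pki/tls/certs/example-domain-ca.pem   # assumed path
```

With the play itself reduced to `hosts: win` and `tasks:`, the same playbook runs against both kinds of host and the only place certificate checking is ever relaxed is the one file that documents why.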


Where’s the Domain?

Speaking of domains, Ansible can spin up a new domain Continue reading

OpenDKIM-OpenDMARC and a Chrooted Postfix Instance

No Postfix installation is complete without OpenDKIM and OpenDMARC.

While some people go for all-in-one solutions that do all of this for them with a single command or two (and then cry to their gods as soon as the system fails, as they have no idea how to debug it), the rest of us would rather be our own boss and set things up manually and carefully based on our needs, so we can troubleshoot it when things go wrong.

This, however, is easier said than done. In this post, rather than trying to explain what they are and how they can be set up (which can be found everywhere on the web), I am mainly going to address the issues that you might encounter when running your Postfix and these Milters on the same system running Ubuntu.

Background

OpenDKIM and OpenDMARC are designed to be used as Milters. They are two different programs for two different -and yet related- tasks.

They show a lot of similarities in their configuration files and both suffer from the same limitations when running along with a chrooted Postfix instance.

While in a recent enough version of Postfix, daemons are Continue reading

Learning TrustSec – An Introduction to Inline Tagging

In my last article, Basic TrustSec – Implementing Manual SGTs and SGACLs,
we talked about a basic TrustSec configuration. In that example, we shared the understanding of having two devices connected to a single switch and enforcing traffic policies via SGACL. We know that there are more scalable and automated ways to configure TrustSec enabled networks, but our goal is to work toward understanding the building blocks.

In today’s article, we will expand our knowledge and connect the two devices to different switches. The trunks between these switches will be configured to carry the associated source SGTs (Security Group Tags). The topology used for this discussion is as follows.

Topology

To demonstrate the topic of inline SGT, we will need to accomplish the following.

  1. Configure and Confirm that 192.168.254.11 (connected to c9kSW1) is recognized by its switch with an SGT of 2.
  2. Configure and Confirm that 192.168.254.100 (connected to c9kSW2) is recognized by its switch with an SGT of 3.
  3. Configure the trunk between the switches to carry SGTs
  4. Configure an enforcement policy to demonstrate overall functionality

Configuration Steps

c9kSW1 configuration/confirmation for host port

//We are using static SGT and need to do IP Device  Continue reading