This is strictly a violation of the TCP specification
I was asked to debug another weird issue on our network. Apparently every now and then a connection going through CloudFlare would time out with 522 HTTP error.
CC BY 2.0 image by Chris Combe
522 error on CloudFlare indicates a connection issue between our edge server and the origin server. Most often the blame is on the origin server side - the origin server is slow, offline or encountering high packet loss. Less often the problem is on our side.
In the case I was debugging it was neither. The internet connectivity between CloudFlare and origin was perfect. No packet loss, flat latency. So why did we see a 522 error?
The root cause of this issue was pretty complex. Afterred long debugging we identified an important symptom: sometimes, once in thousands of runs, our test program failed to establish a connection between two daemons on the same machine. To be precise, an NGINX instance was trying to establish a TCP connection to our internal acceleration service on localhost. This failed with a timeout error.
Once we knew what to look for we were able to reproduce this with good old netcat. After a couple of dozen of Continue reading
Managing The IPv6 Transition In The Enterprise
IPv6 offers many enterprise benefits, but successful implementation requires careful planning.
Show 301 – Intent Driven Network Service Orchestration with Anuta NCX – Sponsored
Anuta Networks is announcing their NCX 5.0 release using YANG model driven architecture to deliver a vendor-neutral, extensible and scalable platform. The post Show 301 – Intent Driven Network Service Orchestration with Anuta NCX – Sponsored appeared first on Packet Pushers.
HPE Expands HPC Reach With SGI Buy
Supercomputer maker SGI has been going it alone in the upper echelons of the computing arena for decades and has brought much innovation to bear on some of the most intractable simulation, modeling, and analytics problems in the world. But the one thing it could never do was get enough feet on the street to sell its gear.
Now that Hewlett Packard Enterprise has acquired SGI, that will no longer be a problem, but the downside, as far as the variety in the IT ecosystem is concerned, is that yet another independent company will be subsumed into a much larger …
HPE Expands HPC Reach With SGI Buy was written by Timothy Prickett Morgan at The Next Platform.
Auto Renew Let’s Encrypt Certificates
I'm a big fan of Let's Encrypt (free, widely trusted SSL certificates) but not a big fan of most of the client software available for requesting and renewing certificates. Unlike a typical certificate authority, Let's Encrypt doesn't have a webui for requesting/renewing certs; everything is driven via an automated process that is run between a Let's Encrypt software client and the Let's Encrypt web service.
Since the protocols that Let's Encrypt uses are standards-based, there are many open source clients available. Being security conscious, I have a few concerns with most of the clients:
- Complication. Many of the clients are hundreds of lines long and unnecessarily complicated. This makes the code really hard to audit and since this code is playing with my crypto key material, I do want to audit it.
- Elevated privilege. At least one of the clients I saw required root permission. That's a non starter.
Technology Short Take #70
Welcome to Technology Short Take #70! In this post you’ll find a collection of links to articles discussing the major data center technologies—networking, hardware, security, cloud computing, applications, virtualization…you name it! (If there’s a topic you think I’m missing, I’d love to hear from you.)
Networking
- MTU in OpenStack Neutron has been, as this article by Sam Yaple points out, a bit of a touchy subject. Fortunately, it looks like progress has been made on that front, so check out Sam’s post for more details.
- Jason Edelman has an article from back in January that describes the use of Big Switch’s Big Cloud Fabric (BCF) and Big Monitoring Fabric (BMF) in conjunction with Ansible (via some Ansible modules that Jason himself developed).
- Dwayne Sinclair covers the basics of SpoofGuard in NSX, and how to interact with SpoofGuard via API, in this article.
- This article is a bit more OpenStack-focused, but given that it focuses pretty heavily on Neutron I thought it’d fit better here in the “Networking” section. The article talks about how to use the
--allowed_address_pairsextension to build a highly-available proxy server instead of using LBaaS. - Numan Siddique describes the native DHCP support available in OVN (Open Continue reading
VMworld 2016 Prayer Time
For the last couple of years, I’ve helped organize a gathering of Christians for a brief time of prayer while at VMworld. This year, I’d like to again offer fellow believers attending VMworld 2016 the same opportunity to gather together for a time of prayer before starting the day. If you’re interested in attending, here are the details.
What: A brief time of prayer
Where: Mandalay Bay Convention Center, level 1 (same level as the food court), at the bottom of the escalators heading upstairs
When: Monday 8/29 through Thursday 9/1 at 7:45am (this should give everyone enough time to grab breakfast before the keynotes start at 9am)
Who: All courteous attendees are welcome, but please note that this will be a distinctly Christian-focused and Christ-centric activity. (I encourage believers of other faiths/religions to organize equivalent activities.)
Why: To spend a few minutes in prayer over the day, the conference, and the attendees
As in previous years, there’s no need to RSVP or let me know that you’ll be there, although you’re welcome to do so if you’d like. There’s also no need to bring anything except an open heart and a willingness to display your faith in front Continue reading