Heavy Networking 672: Overcoming Your Imposter Syndrome
Lots of folks suffer from impostor syndrome. Tech is complex--how could you know what you’re doing? And yet, many of us are responsible for incredibly complex IT systems. Fake it ‘til you make it, right? To handle the cognitive dissonance of impostor syndrome, we overcompensate. In doing so, we pay a personal price. Today's Heavy Networking guest is Matt Vitale. He's here to share what he's learned about coping with and overcoming imposter syndrome.
The post Heavy Networking 672: Overcoming Your Imposter Syndrome appeared first on Packet Pushers.
Creating a Talos Linux Cluster on Azure with Pulumi
A little over a month ago I published a post on creating a Talos Linux cluster on AWS with Pulumi. Talos Linux is a re-thinking of your typical Linux distribution, custom-built for running Kubernetes. Talos Linux has no SSH access, no shell, and no console; instead, everything is managed via a gRPC API. This post is something of a “companion post” to the earlier AWS post; in this post, I’ll show you how to create a Talos Linux cluster on Azure with Pulumi.
The program I’ll share with you in this post is written in Go, but the process outlined in this post and the accompanying code is equally applicable in other languages supported by Pulumi. (TypeScript is a popular choice for lots of folks.) The code is available in this GitHub repository. It’s based on this documentation from Sidero Labs, and I also found this blog post to be helpful as well.
The Pulumi program follows this overall flow:
- First, the program creates the base infrastructure objects that are required—a resource group, a virtual network, some subnets, and a network security group.
- Next, it creates a load balancer, gets a public IP address for the load Continue reading
Upgrading one of the oldest components in Cloudflare’s software stack
Cloudflare serves a huge amount of traffic: 45 million HTTP requests per second on average (as of 2023; 61 million at peak) from more than 285 cities in over 100 countries. What inevitably happens with that kind of scale is that software will be pushed to its limits. As we grew, one of the problems we faced was related to deploying our code. Sometimes, a release would be delayed because of inadequate hardware resources on our servers. Buying more and more hardware is expensive and there are limits to e.g. how much memory we can realistically have on a server. In this article, we explain how we optimised our software and its release process so that no additional resources are needed.
In order to handle traffic, each of our servers runs a set of specialised proxies. Historically, they were based on NGINX, but increasingly they include services created in Rust. Out of our proxy applications, FL (Front Line) is the oldest and still has a broad set of responsibilities.
At its core, it’s one of the last uses of NGINX at Cloudflare. It contains a large amount of business logic that runs many Cloudflare products, using a variety of Continue reading
Video: Sample Kubernetes SDN Implementations
It’s time for another Kubernetes video. After Stuart Charlton explained the Kubernetes SDN architecture, he described architectural approaches of Kubernetes SDN implementations, using Flannel as a sample implementation.
Parts of Kubernetes Networking Deep Dive webinar (including this video) are available with Free ipSpace.net Subscription.
Video: Sample Kubernetes SDN Implementations
It’s time for another Kubernetes video. After Stuart Charlton explained the Kubernetes SDN architecture, he described architectural approaches of Kubernetes SDN implementations, using Flannel as a sample implementation.
Parts of Kubernetes Networking Deep Dive webinar (including this video) are available with Free ipSpace.net Subscription.
Finally: Some Good News For The Intel Xeon CPU Roadmap
It was a reasonable enough gut reaction given the many changes happening at Intel in recent months. …
Finally: Some Good News For The Intel Xeon CPU Roadmap was written by Timothy Prickett Morgan at The Next Platform.
4 ways to leverage existing kernel security features to set up process monitoring
The large attack surface of Kubernetes’ default pod provisioning is susceptible to critical security vulnerabilities, some of which include malicious exploits and container breakouts. I believe one of the most effective workload runtime security measures to prevent such exploits is layer-by-layer process monitoring within the container.
It may sound like a daunting task that requires additional resources, but in reality, it is actually quite the opposite. In this article, I will walk you through how to use existing Linux kernel security features to implement layer-by-layer process monitoring and prevent threats.
Threat prevention and process monitoring
Containerized workloads in Kubernetes are composed of numerous layers. An effective runtime security strategy takes each layer into consideration and monitors the process within each container, also known as process monitoring.
Threat detection in process monitoring involves integrating mechanisms that isolate workloads or control access. With these controls in place, you can effectively prevent malicious behavior, reduce your workload’s attack surface, and limit the blast radius of security incidents. Fortunately, we can use existing Kubernetes mechanisms and leverage Linux defenses to achieve this.
Kernel security features
By pulling Linux defenses closer to the container, we can leverage existing Kubernetes mechanisms to monitor processes and reduce Continue reading
How Emerging LEO Satellites are Impacting Wireless Networking
T-Mobile/SpaceX and Verizon/Amazon strategic partnerships support, via low-Earth orbit satellites (LEOs), connectivity plus cellular messaging and emergency offerings for iPhone and Android users beyond the reach of wireless networks.Best Practices for Improving File Access for Distributed Engineering Teams
Improving file access performance and end-user productivity for distributed engineering teams requires a combination of the right tools, processes, and support.Content Creation Complications
If you’ve noticed my regular blog posts have been a bit irregular as of late you’re not alone. I’m honestly working through a bit of writer’s block as of late. The irony is that I’m not running out of things to talk about. I’m actually running out of time to talk about them the way that I want.
Putting in the Work
By now you, my dear readers, know that I’m not going to put out a post of 200-300 words just to put something out during the week. I’d rather spend some time looking into a topic and creating something that informs or encourages discussion. That means having sources or doing research.
Research takes time. Ironically enough I’ve always had a much easier time writing things so long as I have the info to pull from in my head. One of the side effects of neurodivergence that I’ve learned about recently is that neurodivergent people tend to write their ‘first draft’ in their head throughout the creation process. Rather than writing and rewriting over and over again I pool all the information in my brain and work through it all to put down my final thoughts. That means what Continue reading
Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF
In this episode, Michael catches up with Stephane Karagulmez, Senior Solution Architect at Isovalent (founded by the creators of Cilium). Michael spent a lot of time working with Cilium, which is open-source software that provides networking and observability capabilities for Kubernetes workloads. Cilium is based on another open-source project, eBFP. It's important to understand the details and performance changes when implementing eBPF and removing kube-proxy.Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF
In this episode, Michael catches up with Stephane Karagulmez, Senior Solution Architect at Isovalent (founded by the creators of Cilium). Michael spent a lot of time working with Cilium, which is open-source software that provides networking and observability capabilities for Kubernetes workloads. Cilium is based on another open-source project, eBFP. It's important to understand the details and performance changes when implementing eBPF and removing kube-proxy.
The post Kubernetes Unpacked 022: Kubernetes Networking And Abstraction With Cilium And eBPF appeared first on Packet Pushers.
Dropped packet reason codes in Linux 6+ kernels
The recent addition of dropreason.h in Linux 6+ kernels provides detailed reasons for packet drops. The netlink drop_monitor API has been extended to include the NET_DM_ATTR_REASON attribute to report the drop reason, see net_dropmon.h.
The following example illustrates the value of the reason code in explaining Linux packet drops.
tcp_v4_rcv+0x7c/0xef0The value of NET_DM_ATTR_SYMBOL shown above indicates that the packet was dropped in the tcp_v4_rcv function in Linux kernel at memory location 0x7c/0xef0. While this information is helpful, there are many reasons why a TCP packet may be dropped.
NO_SOCKETIn this case, the value of NET_DM_ATTR_REASON shown above indicates that the TCP packet was dropped because no application had opened a socket and so there was nowhere to deliver the packet.
In the case of Linux-based hardware switches or smart network adapters, where packet processing is offloaded to hardware, the netlink drop_monitor events include NET_DM_ATTR_HW_TRAP_GROUP_NAME and NET_DM_ATTR_HW_TRAP_NAME attributes and packet header information supplied by the hardware Continue reading