Manage Red Hat Enterprise Linux like a Boss with Red Hat Ansible Content Collection for Red Hat Insights

Running IT environments means facing many challenges at the same time: security, performance, availability and stability are critical for the successful operation of today’s data centers. IT managers and their teams of administrators, operators and architects are well advised to move from a reactive, “fire-fighting” mode to a proactive approach where systems are continuously scanned and improvements are applied before critical situations come up. Red Hat Insights routinely analyzes Red Hat Enterprise Linux systems for security/vulnerability, compliance, performance, availability and stability threats and, based on the results, can provide guidance on how to improve daily operations. Insights is included with your Red Hat Enterprise Linux subscription and is located at cloud.redhat.com.

We recently announced a new Red Hat Ansible Content Collection for Insights, an integration designed to make it easier for Insights users to manage Red Hat Enterprise Linux and to automate tasks on those systems using Ansible. The Ansible Content Collection for Insights is ideal for customers that have large Red Hat Enterprise Linux estates that require initial deployment and ongoing management of the Insights client. 

In this blog, we will look at how this integration with Ansible takes care of key tasks via included Ansible

Cloudflare’s first year in Lisbon

A year ago I wrote about the opening of Cloudflare’s office in Lisbon; it’s hard to believe that a year has flown by. At the time I wrote:

Lisbon’s combination of a large and growing existing tech ecosystem, attractive immigration policy, political stability, high standard of living, as well as logistical factors like time zone (the same as the UK) and direct flights to San Francisco made it the clear winner.

We landed in Lisbon with a small team of transplants from other Cloudflare offices. Twelve of us moved from the UK, US and Singapore to bootstrap here. Today we are 35 people with another 10 having accepted offers; we’ve almost quadrupled in a year and we intend to keep growing to around 80 by the end of 2020.

If you read back to my description of why we chose Lisbon, only one item hasn’t turned out quite as we expected. Sure enough, TAP Portugal does have direct flights to San Francisco, but the pandemic put an end to all business flying worldwide for Cloudflare. We all look forward to getting back to being able to visit our colleagues in other locations.

The pandemic also put us in the

Happy 10-year Anniversary Lostintransit

Wow! I can’t believe it. I’ve been blogging for 10 years! Where did time go? July 16th 2010 is when I posted the first time to this blog. It was a post saying “I’m game” and I included Radia Perlman’s Algorhyme.

August 27th 2010, I wrote that I wanted to pass the CCIE lab within two years. Turns out I wasn’t too far from the truth. I passed late October 2012. Greg Ferro himself popped in to wish me good luck:

January 2011, I passed the written. I had a slightly different approach from many: I spent a considerable amount of time, around 200h if I remember correctly, building a strong foundation before moving on to labbing. Today you would take the ENCOR exams, of course. But I still think this is a valid strategy.

It took me a little more than 6 months to get my first 5000 views. It’s good to remember that. Especially for those of you just starting out. This site has now had more than a million views but it took some time to get there. It doesn’t get as many views as you probably think, either.

I took my first stab at

IPv6 and the DNS

These days it seems that whenever we start to talk about the DNS the conversation immediately swings around to the subject of DNS over HTTPS (DoH) and the various implications of this technology. But that's not my intention here. I'd like to look at a different, but still very familiar and somewhat related, topic relating to the DNS, namely how IPv6 is being used as a transport protocol for DNS queries.

A Look at the New Calico eBPF Dataplane

Calico was designed from the ground up with a pluggable dataplane architecture. The Calico 3.13 release introduced an exciting new eBPF (extended Berkeley Packet Filter) dataplane targeted at those ready to adopt newer kernel versions and wanting to push the Linux kernel’s latest networking capabilities to the limit. In addition to improved throughput and latency compared to the standard Linux networking dataplane, Calico’s eBPF dataplane also includes native support for Kubernetes services without the need to run kube-proxy. One of the ways Calico’s eBPF dataplane realizes these improvements is through source IP preservation and Direct Server Return (DSR).

Kube-proxy and Source IP

The application of Network Address Translation (NAT) by kube-proxy to incoming network connections to Kubernetes services (e.g. via a service node port) is a frequently encountered friction point with Kubernetes networking. NAT has the unfortunate side effect of removing the original client source IP address from incoming traffic. When this occurs, Kubernetes network policies can’t restrict incoming traffic from specific external clients. By the time the traffic reaches the pod it no longer has the original client IP address. For some applications, knowing the source IP address is desirable or required. For example,

Automating Mitigation of the F5 BIG-IP TMUI RCE Security Vulnerability Using Ansible Tower (CVE-2020-5902)

On June 30, 2020, a security vulnerability affecting multiple BIG-IP platforms from F5 Networks was made public with a CVSS score of 10 (Critical). Due to the significance of the vulnerability, network administrators are advised to mitigate this issue in a timely manner. Doing so manually is tricky, especially if many devices are involved. Because F5 BIG-IP and BIG-IQ are certified with the Red Hat Ansible Automation Platform, we can use it to tackle the issue.

This post provides one way of temporarily mitigating CVE-2020-5902 via Ansible Tower without upgrading the BIG-IP platform. Larger customers such as service providers might struggle to upgrade on short notice, as they may have to go through a lengthy internal validation process. For those situations, an automated mitigation may be a reasonable workaround until an upgrade can be performed.

Background of the vulnerability

The vulnerability is described in K52145254 of the F5 Networks support knowledgebase:

The Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.

It describes the impact as serious:

This vulnerability allows for unauthenticated attackers, or authenticated users, with network access to the Configuration

Options grow for migrating mainframe apps to the cloud

Mainframe users looking to bring legacy applications into the public or private cloud world have a new option: LzLabs, a mainframe software migration vendor.

Founded in 2011 and based in Switzerland, LzLabs this week said it's setting up shop in North America to help mainframe users move legacy applications – think COBOL – into the more modern and flexible cloud application environment.

At the heart of LzLabs' service is its Software Defined Mainframe (SDM), an open-source, Eclipse-based system that's designed to let legacy applications, particularly those without typically available source code, such as COBOL, run in the cloud without recompilation.

Are Your Virtual Meetings Accessible for People with Disabilities? Start with This Checklist

The COVID-19 pandemic has changed the way humans interact with one another. With an emphasis on less physical interaction and more social distancing, institutions and organizations are moving their work and meetings online.

People with disabilities form about 15 percent of the world's population, so it is all the more important that these online meetings are made accessible.

The Internet Society Accessibility Special Interest Group (Accessibility SIG) aims to make the Internet and its attendant technologies accessible to the largest audience possible, regardless of disabilities. The digital divide is not just about having access to digital technology; it can also be about having access to technology and not being able to use it. Our digital products must be usable by all. Many laws and the Internet Society’s vision – the Internet is for everyone – demand that we provide everyone with an equal experience.

The Accessibility SIG is planning a series of seven webinars discussing this very topic. Our first one was titled When Rhetoric Meets Reality: Digital Accessibility, Persons With Disabilities and COVID-19 and was held on May 28.

The way we design and build can make it hard – and sometimes impossible – for people with disabilities to access

Cumulus content roundup: June 2020

June seems like a lifetime ago, but there was so much content we wanted to make sure was on your radar. We know you may be thinking, but wait, didn’t something big happen to Cumulus Networks in June? You would be right! We’re excited to share that we are now officially NVIDIA®. Along with the news, we kept very busy with fresh podcast episodes, informative blog posts and much more, so take a minute to dive on in and catch up on it all here.

From Cumulus Networks, now NVIDIA

Cumulus Networks’ President and Chief Product Officer, Partho Mishra, on the NVIDIA-Cumulus acquisition: Partho Mishra answers your questions regarding the strategic focus of the new networking business unit at NVIDIA and the future of open networking.

Open source — the great equalizer: Technology is a great equalizer, and the open source movement has played a huge role in making this true and accelerating the process.

Remote work makes network visibility more critical than ever: We’re living through a major shift in the way employees work, extending the boundaries of what was once a tightly controlled environment.

Kernel of Truth season 3 episode 8: Cumulus Linux in action

Containerized Python Development – Part 1

Developing Python projects in local environments can get pretty challenging if more than one project is being developed at the same time. Bootstrapping a project may take time, as we need to manage versions and set up dependencies and configurations for it. Previously, we used to install all project requirements directly in our local environment and then focus on writing the code. But having several projects in progress in the same environment quickly becomes a problem, as we may run into configuration or dependency conflicts. Moreover, when sharing a project with teammates we would also need to coordinate our environments. For this we have to define our project environment in a way that makes it easily shareable.

A good way to do this is to create isolated development environments for each project. This can be easily done by using containers and Docker Compose to manage them. We cover this in a series of blog posts, each one with a specific focus.

This first part covers how to containerize a Python service/tool and the best practices for it.

Requirements

To easily exercise what we discuss in this blog post series, we need to install a minimal set

Cloudflare Network expands to more than 100 Countries

2020 has been a historic year that will forever be associated with the COVID-19 pandemic. Over the past six months, we have seen societies, businesses, and entire industries unsettled. The situation at Cloudflare has been no different. And while this pandemic has affected each and every one of us, we here at Cloudflare have not forgotten what our mission is: to help build a better Internet.

We have expanded our global network to 206 cities across more than 100 countries. This is in addition to completing 40+ datacenter expansion projects and adding over 1Tbps in dedicated “backbone” (transport) capacity connecting our major data centers so far this year.

Pandemic times means new processes

There was zero chance that 2020 would mean business as usual within the Infrastructure department. We were thrown a curve-ball as the pandemic began affecting our supply chains and operations. By April, the vast majority of the world’s passenger flights were grounded. Most bulk air freight travels in the lower deck (“belly”) of these flights, so their grounding created an imbalance between supply and demand, with a sudden 74% decrease in passenger belly cargo capacity relative to the same period last year.

We were fortunate to have

Day Two Cloud 057: See Your Data With Grafana

Day Two Cloud gets into data visualization with the open-source Grafana project. Grafana helps you visualize, alert on, and query all kinds of data and metrics. We look at how Grafana works, how it manipulates and stores data, and common use cases. Our guest is Ryan McKinley, VP of Applications at Grafana.

Introduction to Segment Routing

Jeff Tantsura and Nick Buraglio bring a wealth of knowledge to this Network Collective Introduction to Segment Routing webinar. In this webinar we cover the fundamental SR technologies and how they work, as well as some of the practical implementation details that can only be learned by working with the technology directly.

Hosts: Jeff Tantsura, Nick Buraglio

Outro Music:
Danger Storm Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 3.0 License
http://creativecommons.org/licenses/by/3.0/

The post Introduction to Segment Routing appeared first on Network Collective.

BGP EVPN Underlay Network with BGP (Multi-AS)

Introduction

The focus of this chapter is to explain the BGP Multi-AS Underlay Network design in a BGP EVPN/VXLAN Fabric. It starts by explaining the BGP configuration, because this way the explanation can be backed by show and debug commands as well as packet captures. The next section discusses the BGP adjacency process and its related states (Idle, Connect/Active, OpenSent, OpenConfirm and Established). After that, this chapter explains BGP routing, discussing how connected routes are sent from the RIB to the Loc-RIB and from there to the Adj-RIB-Out (Pre/Post). This section also introduces how NLRIs received within a BGP Update eventually end up in the RIB of the receiving BGP speaker. In addition, this chapter briefly introduces the MRAI timer as well as a non-disruptive device maintenance solution. The last section tries to answer which protocol best fits the Underlay Network of a BGP EVPN fabric.
Infrastructure AS Numbering and IP Addressing Scheme
The AS-numbering scheme used in this chapter is the same as the one used in chapter 1, but instead of using unnumbered interfaces, each inter-switch interface now has an IP address assigned to it. It is also possible to use unnumbered interfaces with BGP using IPv6 Link-Local addressing [RFC 5549]. However, this solution is not supported by all vendors.

Figure 2-1: IP addressing Scheme.

Worth Reading: Working with TC on Linux systems

Here’s one of the weirdest ideas I’ve found recently: patch together two dangling ends of virtual Ethernet cables with PBR.

To be fair, Jon Langemak used that example to demonstrate how powerful tc could be. It’s always fun to see a totally unexpected aspect of Linux networking… even though it looks like the creators of those tools believed in the Perl mentality of creating a gazillion variants of line noise to get the job done.