Scott's Weblog The weblog of an IT pro focusing on cloud computing, Kubernetes, Linux, containers, and networking

Making Firefox on Linux use Private Browsing by Default

While there are a couple of different methods to make Firefox use private browsing by default (see this page for a couple of them), these methods essentially force private browsing and disable the ability to use “regular” (non-private) browsing. In this post, I’ll describe what I consider to be a better way of achieving this, at least on Linux.

It’s possible this method will also work on Windows, but I haven’t tested it. If anyone gets a chance to test it and lets me know, I’ll update this post and credit you accordingly. Just hit me on Twitter and let me know what you’ve found in your testing. I’ve also only tested this on Fedora, but it should be the same or very similar for any distribution that uses GNOME.

GNOME uses the idea of “desktop files” (typically found in /usr/share/applications or ~/.local/share/applications) to enable the launching of applications via the Activities screen or other mechanisms. (For more information on desktop files, see here.) These desktop files specify where the executable is found, what command-line parameters to use, what icon to use, what name the application should go by, etc. Desktop files also allow application developers or users to define additional actions, such as opening a new window.

Firefox’s desktop file is (at least on Fedora) found at /usr/share/applications/firefox.desktop. In that file, the Exec line in the [Desktop Entry] section specifies how to launch Firefox. Farther down, several actions are defined, one of which is opening a new private window. Each of these actions also has an Exec line. Comparing the Exec line for opening a private window with the Exec line for opening a new window, you’ll note that Firefox uses a --private-window parameter to control this behavior.

The trick here is to add --private-window to the Exec line in the [Desktop Entry] section of the desktop file, so that it looks like the Exec line in the section for opening a new private window. When you do this, launching Firefox will still open a “regular” browser window, but clicking on a link in any other application—e-mail, editor, terminal, whatever—will automatically open a new private browsing window. If a private browsing window is already open, it will open a new tab in that window.

So, to summarize:

  1. Change the /usr/share/applications/firefox.desktop file to add --private-window to the command specified on the Exec line of the [Desktop Entry] section.
  2. Firefox will still open a regular browser window when it is launched.
  3. Links outside of Firefox will open a new private browsing window (or a new tab in an existing private browsing window).

The advantage of this approach versus some of the others is that you still have access to regular browser windows if/when they are needed. This configuration doesn’t force private browsing all the time; rather, it just makes private browsing the default when opening links outside of Firefox. To me, that’s a much more user-friendly experience than forcing private browsing for all sites.

One caveat to this approach is that your changes to the Firefox desktop file get overwritten any time dnf update installs an update for Firefox. I’m sure there’s probably a workaround for this, but I haven’t found it yet.
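As an added example (not from the original post), here is a Python script that performs the edit described above on a copy of the desktop file: it inserts --private-window into the Exec= line of the [Desktop Entry] section only, leaves the Exec= lines of the [Desktop Action] sections alone, and can be run twice without doubling the flag. Its install_user_override() helper writes the result to ~/.local/share/applications, which the Desktop Entry specification searches before /usr/share/applications, so the shadowing copy is not overwritten when the Firefox package is updated; the embedded sample desktop file is constructed and abbreviated.

```python
"""Make Firefox open externally clicked links in a private window (added example)."""
import os
from pathlib import Path

FLAG = "--private-window"

def add_private_window(text):
    """Return the desktop-file text with FLAG inserted into the Exec= line of the
    [Desktop Entry] section only.  Exec= lines under [Desktop Action ...] sections
    are left alone, and a line that already carries FLAG is not changed, so
    applying the function twice gives the same result."""
    out, in_entry = [], False
    for line in text.splitlines():
        if line.startswith("["):
            in_entry = line.strip() == "[Desktop Entry]"
        elif in_entry and line.startswith("Exec=") and FLAG not in line.split():
            # Put the flag right after the executable, ahead of field codes like %u.
            cmd, _, rest = line[len("Exec="):].partition(" ")
            line = f"Exec={cmd} {FLAG}" + (f" {rest}" if rest else "")
        out.append(line)
    return "\n".join(out) + "\n"

def install_user_override(system_file="/usr/share/applications/firefox.desktop"):
    """Write the modified copy to the per-user applications directory.

    The Desktop Entry specification searches $XDG_DATA_HOME/applications before
    /usr/share/applications, so this copy shadows the packaged file and is not
    touched when the package is updated.  Returns the path written."""
    data_home = Path(os.environ.get("XDG_DATA_HOME") or Path.home() / ".local/share")
    target = data_home / "applications" / Path(system_file).name
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(add_private_window(Path(system_file).read_text()))
    return target

# Constructed, abbreviated desktop file in the layout of Fedora's firefox.desktop.
SAMPLE = """\
[Desktop Entry]
Name=Firefox
Exec=firefox %u
Type=Application
Actions=new-window;new-private-window;

[Desktop Action new-window]
Name=Open a New Window
Exec=firefox --new-window %u

[Desktop Action new-private-window]
Name=Open a New Private Window
Exec=firefox --private-window %u
"""

if __name__ == "__main__":
    print(add_private_window(SAMPLE), end="")
```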

(By the way, the reason I say this might work on Windows is because command-line parameters are exposed on Windows as well as on Linux through the use of shortcuts on the Start Menu. macOS does expose command-line parameters to a limited extent, but this functionality doesn’t appear usable in any practical way.)

I hope this information is helpful to someone. Feel free to contact me on Twitter if you have any feedback, corrections, or suggestions for improvement.

Technology Short Take 139

Welcome to Technology Short Take #139! This Technology Short Take is a bit heavy on cloud, OS, and programming topics, but there should be enough other interesting links to be useful to plenty of folks. (At least, I hope that’s the case!) Now, let’s get on to the content!

Networking

  • Tony Mackay has a tutorial showing how to use Traefik to rate-limit requests to a WordPress instance.
  • Ali Al Idrees has a post on using NSX ALB (formerly Avi Networks) with Kubernetes clusters in a vSphere with Tanzu environment.
  • This post provides some examples of shared control planes (and thus shared failure domains) within networking.
  • In this post, Jakub Sitnicki digs way deep into the Linux kernel to uncover the answer to the question, “Why are there no entries in the conntrack table for SYN packets dropped by the firewall?” Get ready to get nerdy!
  • This article on eBPF and Isovalent (the company behind the Cilium CNI plugin for Kubernetes) has some statements with which I agree, and some that don’t make sense to me. For example, I agree with the statement that the “impact eBPF will have on networking, security and observability will be widespread”. However, I don’t understand how eBPF will “reduce reliance on legacy network overlays”. I could see how eBPF will change how network overlays are implemented, sure, but reduce the reliance on network overlays? I’m not sure about that. If you have strong feelings about this, hit me on Twitter and let’s discuss.

Servers/Hardware

Security

  • Linux malware is getting more sophisticated.
  • A browser-based side-channel attack? Even worse, this isn’t just limited to Intel chips, but may also affect ARM-based systems like Apple’s M1 CPUs. Further, turning off JavaScript doesn’t help. Ugh.
  • Given the prevalence of VMware’s ESXi hypervisor, I suppose it was only a matter of time before the bad guys really started targeting it in a major way. This time, they’re exploiting a weakness that VMware can’t patch: people.
  • A while ago I chatted with the folks at Indeni about Cloudrail, a security solution for infrastructure-as-code environments.

Cloud Computing/Cloud Management

Operating Systems/Applications

Programming

Storage

  • This post from Enterprise Storage Forum attempts to provide a comparison of cloud storage between AWS and Google Cloud. Frankly, though, I found the article to be a bit unfocused, also discussing other cloud services instead of really concentrating on being the best comparison of cloud storage services. Maybe that’s just me, though.

Virtualization

  • Mike Foley shares details on a new feature in vSphere 7 Update 2 that leverages AMD-specific functionality to create what are called “Confidential Containers.”

Happy reading and learning! If you have any questions, comments, suggestions for improvement, or other feedback, I’m always happy to hear from you. Contact me on Twitter and let’s chat!

Using WireGuard on macOS

A short while ago I published a post on setting up WireGuard for AWS VPC access. In that post, I focused on the use of Linux on both the server side (on an EC2 instance in your AWS VPC) as well as on the client side (using the GNOME Network Manager interface). However, WireGuard is not limited to Linux, and I recently configured one of my macOS systems to take advantage of this WireGuard infrastructure for access to the private subnets in my AWS VPC. In this post, I’ll walk readers through configuring macOS to use WireGuard.

The first step is installing WireGuard on macOS. This is remarkably easy; just go to the App Store and install the WireGuard app for macOS. (Hopefully this link will take you directly there if you’re on a macOS-based system.)

Once the app is installed, the next step is to configure the WireGuard tunnels. I found this to be a bit confusing at first, but only because I wasn’t clear on the relationship between the WireGuard app and the Network pane in System Preferences. In this case, you need to use the WireGuard app to create the tunnels, which will show up as connections (interfaces) in the Network pane of System Preferences.

Running the WireGuard app will put an icon on your menu bar, and should bring up the “Manage WireGuard Tunnels” window. If not, select “Manage Tunnels” from the WireGuard menu icon; this will open the “Manage WireGuard Tunnels” window. From there, you can select the small plus in the lower left corner and select “Add Empty Tunnel…” from the menu. This displays a dialog box something like this:

Add Empty Tunnel dialog box

This will automatically create a new set of public and private keys, and auto-populate the start of a new WireGuard interface configuration. (Don’t worry; these keys aren’t valid for any interfaces/connections.) It’s up to you to finish the configuration by adding directives such as Endpoint, AllowedIPs, and Address. It’s an interesting sort of mismatch to have such a well-designed graphical application, but not provide any guidance or structure to the user on how to configure the interface/tunnel.

Ultimately, you’d need the configuration to look something like this:

[Interface]
PrivateKey = <some private key here>
Address = <IP address of WireGuard interface>

[Peer]
PublicKey = <public key of WireGuard peer interface>
AllowedIPs = <IP addresses or CIDR ranges to be routed across the tunnel>
Endpoint = <peer endpoint IP and port>

If you’re behind a NAT, you may also want to add the PersistentKeepalive = 25 value to the configuration as well (see the “NAT and Firewall Traversal Persistence” section of this page). Next you’ll need to configure the peer with the appropriate configuration. If the peer is Linux-based, you can use the information in my earlier blog post; if the peer is macOS, then use the instructions in this post. For anything else, refer to the WireGuard web site.
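Because the app gives no structure for what to fill in, here is an added example (not from the original post or the WireGuard project) that parses a tunnel configuration and reports what the post says a working one needs: the [Interface] and [Peer] directives above, valid address and endpoint syntax, and PersistentKeepalive when the client sits behind a NAT. The sample configurations and their key values are constructed placeholders.

```python
"""Offline sanity check for a WireGuard tunnel configuration (added example)."""
import ipaddress

# Directives the post lists as required on each side of the tunnel.
REQUIRED = {"Interface": {"PrivateKey", "Address"},
            "Peer": {"PublicKey", "AllowedIPs", "Endpoint"}}

def parse_wg_conf(text):
    """Parse WireGuard's INI-like format into [(section, {key: value}), ...].
    A list, not a dict, because a file may hold several [Peer] sections; values
    are split on the first '=' only, since base64 keys end in '='."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[-1][1][key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return sections

def check_addresses(value, label, parse, problems):
    """Validate a comma-separated list of addresses or prefixes with `parse`."""
    for item in (v.strip() for v in value.split(",")):
        try:
            parse(item)
        except ValueError:
            problems.append(f"{label} entry {item!r} is not a valid address")

def check_wg_conf(text, behind_nat=False):
    """Return a list of problems; an empty list means the tunnel is fully specified."""
    problems, sections = [], parse_wg_conf(text)
    names = [name for name, _ in sections]
    if names.count("Interface") != 1 or "Peer" not in names:
        problems.append("need exactly one [Interface] and at least one [Peer]")
    for name, keys in sections:
        for missing in sorted(REQUIRED.get(name, set()) - set(keys)):
            problems.append(f"[{name}] is missing {missing}")
        if name == "Interface" and "Address" in keys:
            check_addresses(keys["Address"], "Address", ipaddress.ip_interface, problems)
        if name != "Peer":
            continue
        if "AllowedIPs" in keys:
            check_addresses(keys["AllowedIPs"], "AllowedIPs",
                            lambda v: ipaddress.ip_network(v, strict=False), problems)
        if "Endpoint" in keys:
            host, sep, port = keys["Endpoint"].rpartition(":")
            if not (sep and host and port.isdigit() and 0 < int(port) < 65536):
                problems.append(f"[Peer] Endpoint {keys['Endpoint']!r} is not host:port")
        if behind_nat and "PersistentKeepalive" not in keys:
            problems.append("[Peer] lacks PersistentKeepalive = 25 (needed behind NAT)")
    return problems

# Constructed sample; the key values are placeholders, not real keys.
GOOD_CONF = """[Interface]
PrivateKey = <client-private-key>
Address = 10.100.0.2/24
[Peer]
PublicKey = <server-public-key>
AllowedIPs = 10.100.0.0/24, 172.31.0.0/16
Endpoint = vpn.example.com:51820
"""
# Same tunnel with the Endpoint dropped and a bad prefix length on Address.
INCOMPLETE_CONF = GOOD_CONF.replace("Endpoint = vpn.example.com:51820\n", "") \
                           .replace("/24\n", "/240\n", 1)

if __name__ == "__main__":
    for label, conf in (("complete", GOOD_CONF), ("incomplete", INCOMPLETE_CONF)):
        print(label, check_wg_conf(conf, behind_nat=True) or ["ok"])
```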

Once both sides of the connection are configured, then you should be able to activate the tunnel and start passing traffic. If traffic won’t pass successfully, then check the interface configuration on both sides, and make sure any firewalls along the path allow the traffic. The WireGuard connection will look like this in the Network pane of the System Preferences app (IP addresses have been blacked out):

Network pane

Repeat this process to add more tunnels/connections; each of them will show up as a menu item in the WireGuard menu icon, and you can select them to activate/deactivate the connection. Also note that selecting the “On-Demand” option when creating the tunnel will let WireGuard automatically establish the tunnel when you start passing traffic (assuming both ends are configured).

I hope this information helps. I found the interface to be a bit unintuitive, but after working with it for a little while it doesn’t feel so awkward now. Hopefully this walkthrough will make getting WireGuard set up and configured on macOS a bit easier for others. Thanks for reading, and hit me on Twitter if you have any questions, comments, or other feedback!

Adding a MachineHealthCheck using Kustomize

MachineHealthChecks are a powerful feature in the Kubernetes Cluster API (CAPI), and something I played around with not too long ago on TGIK 143. Recently, I was helping to document the use of kustomize with Cluster API for inclusion in the upstream CAPI documentation, and I learned a simple trick with kustomize that I’d apparently overlooked in the past. If you’ve used kustomize for any great length of time you probably already know and have used the functionality I’ll describe in this post, but if you’re new to kustomize or, like me, a user of kustomize that hasn’t had time to dig into all of its functionality, then read on and see how you can use kustomize to add a MachineHealthCheck to a CAPI workload cluster.

If you’re not familiar with kustomize, then reading my introduction to kustomize may be useful before continuing on with the rest of this article.

In this use case—adding a MachineHealthCheck to a workload cluster in CAPI—I’ll work from the assumption that you have a “base” CAPI workload cluster definition (perhaps one you’ve generated using clusterctl config cluster). In the directory where this workload cluster manifest exists, you’d need to add a kustomization.yaml to specify resources. It would look something like this:

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - base.yaml

Now, let’s say you want to add a MachineHealthCheck for this workload cluster. You’d create a kustomize overlay directory, and in that overlay directory you’d place (at least) two files:

  1. Another kustomization.yaml file (more on that in a moment)
  2. A YAML manifest for a MachineHealthCheck

(I say “at least” two files because you could also place other patches or other resources in the directory as well.)

The YAML manifest for the MachineHealthCheck is straightforward; the only thing I’ll point out is to make sure you specify the correct cluster name and deployment name, taking into account any “namePrefix” or “nameSuffix” directives you may be using.

The kustomization.yaml would look something like this:

---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base
  - workload-mhc.yaml

Now, you may also include various other directives, but the key here is in the “resources” section. It does, of course, specify the base configuration, but it also lists the MachineHealthCheck manifest that resides in this overlay directory. When you run kustomize build ., kustomize will combine the specified resources together. In this case, that means it will combine the base workload cluster manifest and the MachineHealthCheck manifest, and the end result—when you feed this to kubectl apply—will be a new workload cluster and a MachineHealthCheck to go along with it.

The functionality of combining resources in an overlay is a core part of the functionality of kustomize, but for some reason I hadn’t leveraged it yet. Kudos to the Cluster API Provider for Azure (CAPZ) team for illustrating this use case in the creation of workload cluster template “flavors.” Now that I know it’s there, I can begin to see other potential use cases, such as adding extra MachineDeployments to a base workload cluster configuration.

I hope this information is useful. As I said, if you’re a long-time kustomize user, this is probably not news to you, but for others who are still exploring all the various pieces of functionality that kustomize offers I hope this opens up some new possibilities for you. I welcome all constructive feedback; feel free to reach out to me on the Kubernetes Slack instance or contact me on Twitter.

Technology Short Take 138

Welcome to Technology Short Take #138. I have what I hope is an interesting and useful set of links to share with everyone this time around. I didn’t do so well on storage links; apologies to my storage-focused friends! However, there should be something for most everyone else. Enjoy!

Networking

  • I’ve been interested in learning more about gRPC, so this guide on analyzing gRPC messages using Wireshark may be useful.
  • Isovalent, the folks behind Cilium, recently unveiled the Network Policy Editor, a graphical way of editing Kubernetes Network Policies.
  • Ivan Pepelnjak, the font of all networking knowledge, has been discussing cloud networking in some detail for a good while now. The latest series of posts (found here and here) are, in my opinion, just outstanding. I want to be like Ivan when I grow up. #BeLikeIvan
  • If you work with TextFSM templates (see here for more information), then you might also like this post on writing a vim syntax plugin for TextFSM templates.
  • Want/need to better understand IPv6? Denise Fishburne has you covered. Denise also has you covered if you need BGP knowledge.

Security

Cloud Computing/Cloud Management

Operating Systems/Applications

Virtualization

Career/Soft Skills

  • I came across a couple “my home office setup” posts over the last month that I thought I’d share here. First up is this post by Clint Wyckoff; I must say I do like the ambient backlighting and I appreciate that Clint included a comprehensive parts list. Next up is a rather lengthy post by Falko Banaszak, in which he shares a pretty comprehensive view of what he uses in his home office.
  • Nick Korte discusses the importance of intentional practice, something I think is important in all sorts/types of careers. In IT, where change is a constant, it’s particularly important.
  • I found this article on depletion to be meaningful to me on a personal level.

That’s all for this time around! I hope that I’ve managed to include something useful or helpful to my readers. As always, I welcome all constructive feedback and I love hearing from readers, so feel free to reach out to me on Twitter. Thank you for reading!

Recent Posts

Deploying a CNI Automatically with a ClusterResourceSet

Not too long ago I hosted an episode of TGIK8s, where I explored some features of Cluster API. One of the features I explored on the show was ClusterResourceSet, an experimental feature that allows users to automatically install additional components onto workload clusters when the workload clusters are provisioned. In this post, I’ll show how to deploy a CNI plugin automatically using a ClusterResourceSet.

Setting up WireGuard for AWS VPC Access

Seeking more streamlined access to AWS EC2 instances on private subnets, I recently implemented WireGuard for VPN access. WireGuard, if you’re not familiar, is a relatively new solution that is baked into recent Linux kernels. (There is also support for other OSes.) In this post, I’ll share what I learned in setting up WireGuard for VPN access to my AWS environments.

Closing out the Tokyo Assignment

In late 2019, I announced that I would be temporarily relocating to Tokyo for a six-month assignment to build out a team focused on cloud-native services and offerings. A few months later, I was still in Colorado, and I explained what was happening in a status update on the Tokyo assignment. I’ve had a few folks ask me about it, so I thought I’d go ahead and share that the Tokyo assignment did not happen and will not happen.

Technology Short Take 137

Welcome to Technology Short Take #137! I’ve got a wide range of topics for you this time around—eBPF, Falco, Snort, Kyverno, etcd, VMware Code Stream, and more. Hopefully one of these links will prove useful to you. Enjoy!

Technology Short Take 136

Welcome to Technology Short Take #136, the first Short Take of 2021! The content this time around seems to be a bit more security-focused, but I’ve still managed to include a few links in other areas. Here’s hoping you find something useful!

Using Velero to Protect Cluster API

Cluster API (also known as CAPI) is, as you may already know, an effort within the upstream Kubernetes community to apply Kubernetes-style APIs to cluster lifecycle management—in short, to use Kubernetes to manage the lifecycle of Kubernetes clusters. If you’re unfamiliar with CAPI, I’d encourage you to check out my introduction to Cluster API before proceeding. In this post, I’m going to show you how to use Velero (formerly Heptio Ark) to backup and restore Cluster API objects so as to protect your organization against an unrecoverable issue on your Cluster API management cluster.

Details on the New Desk Layout

Over the holiday break I made some time to work on my desk layout, something I’d been wanting to do for quite a while. I’d been wanting to “up my game,” so to speak, with regard to producing more content, including some video content. Inspired by—and heavily borrowing from—this YouTube video, I decided I wanted to create a similar arrangement for my desk. In this post, I’ll share more details on my setup.

Technology Short Take 135

Welcome to Technology Short Take #135! This will likely be the last Technology Short Take of 2020, so it’s a tad longer than usual. Sorry about that! You know me—I just want to make sure everyone has plenty of technical content to read during the holidays. And speaking of holidays…whatever holidays you do (or don’t) celebrate, I hope that the rest of the year is a good one for you. Now, on to the content!

Bootstrapping a Cluster API Management Cluster

Cluster API is, if you’re not already familiar, an effort to bring declarative Kubernetes-style APIs to Kubernetes cluster lifecycle management. (I encourage you to check out my introduction to Cluster API post if you’re new to Cluster API.) Given that it is using Kubernetes-style APIs to manage Kubernetes clusters, there must be a management cluster with the Cluster API components installed. But how does one establish that management cluster? This is a question I’ve seen pop up several times in the Kubernetes Slack community. In this post, I’ll walk you through one way of bootstrapping a Cluster API management cluster.

Some Site Updates

For the last three years, the site has been largely unchanged with regard to the structure and overall function even while I continue to work to provide quality technical content. However, time was beginning to take its toll, and some “under the hood” work was needed. Over the Thanksgiving holiday, I spent some time updating the site, and there are a few changes I wanted to mention.

Assigning Node Labels During Kubernetes Cluster Bootstrapping

Given that Kubernetes is a primary focus of my day-to-day work, I spend a fair amount of time in the Kubernetes Slack community, trying to answer questions from users and generally be helpful. Recently, someone asked about assigning node labels while bootstrapping a cluster with kubeadm. I answered the question, but afterward started thinking that it might be a good idea to also share that same information via a blog post—my thinking being that others who also had the same question aren’t likely to be able to find my answer on Slack, but would be more likely to find a published blog post. So, in this post, I’ll show how to assign node labels while bootstrapping a Kubernetes cluster.

Pausing Cluster API Reconciliation

Cluster API is a topic I’ve discussed here in a number of posts. If you’re not already familiar with Cluster API (also known as CAPI), I’d encourage you to check out my introductory post on Cluster API first; you can also visit the official Cluster API site for more details. In this short post, I’m going to show you how to pause the reconciliation of Cluster API cluster objects, a task that may be necessary for a variety of reasons (including backing up the Cluster API objects in your management cluster).

Technology Short Take 134

Welcome to Technology Short Take #134! I’m publishing a bit early this time due to the Thanksgiving holiday in the US. So, for all my US readers, here’s some content to peruse while enjoying some turkey (or whatever you’re having this year). For my international readers, here’s some content to peruse while enjoying dramatically lower volumes of e-mail because the US is on holiday. See, something for everyone!

Review: CPLAY2air Wireless CarPlay Adapter

In late September, I was given a CPLAY2air wireless CarPlay adapter as a gift. Neither of my vehicles support wireless CarPlay, and so I was looking forward to using the CPLAY2air device to enable the use of CarPlay without having to have my phone plugged into a cable. Here’s my feedback on the CPLAY2air device after about six weeks of use.

Resizing Windows to a Specific Size on macOS

I recently had a need (OK, maybe more a desire than a need) to set my browser window(s) on macOS to a specific size, like 1920x1080. I initially started looking at one of the many macOS window managers, but after reading lots of reviews and descriptions and still being unclear if any of these products did what I wanted, I decided to step back to using AppleScript to accomplish what I was seeking. In this post, I’ll share the solution (and the articles that helped me arrive at the solution).
