Technology Short Take 182

Welcome to Technology Short Take #182! I have a slightly bulkier list of links for you today, bolstered by some recent additions to my RSS feeds and supplemented by some articles I found through social media. There should be enough here to keep folks entertained this weekend—enjoy!

Networking

• New to network automation? Ivan Pepelnjak has made publicly available the materials from his Network Automation 101 course.
• This is an older article from 2020, but still useful: Nathan Taber “demystifies” cluster networking for Amazon EKS worker nodes.
• Ales Brelih provides a reasonably comprehensive introduction to container networking, covering all the significant concepts involved (network namespaces, veth pairs, bridges, and our good friend iptables).
• And here’s another breakdown of network namespaces and container networking.
• Running your own FreeRADIUS implementation to control Wi-Fi access is overkill for me, but for Neil it’s just another day.
• Alexis Ducastel provides some CNI benchmark results.

Servers/Hardware

• I thought this write-up of Andy Bechtolsheim’s keynote at Hot Interconnects 2024 was an interesting summary of where we could see hardware development go in the next 4 years.
• It turns out that Yubikeys—hardware security keys—are subject to a potential cloning vulnerability, although it does require physical access to the device. Ars Technica has more details here. There’s also a more detailed write-up available here.

Security

• The so-called “0.0.0.0 Day” vulnerability apparently has the potential to expose services on local networks; get more details in this Hacker News article.
• Oh man, this was something I didn’t need to know. I was happier in my ignorance.
• Gabriella Gonzalez shares some tricks for jailbreaking hosts behind “secure” enterprise firewalls.
• Microsoft shares some details on a Chromium zero-day exploit leveraged by a North Korean threat actor.
• I recently stumbled across AWS Cloud Security Weekly; here’s issue 60.

Cloud Computing/Cloud Management

• Vegard Hagen shares how to use OpenTofu to stand up Talos Kubernetes on Proxmox.
• Even when I worked at Pulumi, I wasn’t a fan of using infrastructure-as-code for defining Kubernetes resources. Instances exist where it can help reduce complexity, but it feels like for many other instances of Kubernetes infrastructure the use of IaC results in a net increase in complexity. I must be looking at this the wrong way, though, because I see a ton of articles on using IaC to define Kubernetes resources—like this one discussing the use of CDK8s.

Operating Systems/Applications

• I started using eza on my desktop systems (both macOS and Linux) a while ago, but it’s nice to see it getting more attention.
• Giacomo Coletto shares some “quality of life” improvements for Arch Linux.
• John Woltman has a trick for quickly extracting archives in KDE Plasma.
• A Microsoft update that wasn’t supposed to affect Linux is wreaking havoc with dual-boot Linux systems.
• Nick Janetakis reminds folks to use compose.yaml.
• Martin Heinz shares 10 reasons why curl is awesome.
• The author of this post on exploring desktop Linux has apparently had enough with Apple’s direction with macOS. I can’t say I disagree.
• Oliver Davies explains why he feels abbreviations are better than aliases.
• I’m a avid fan of RSS/Atom, so I loved reading Mark Nottingham’s suggestions on what RSS needs. Great ideas here! I would love to see an “RSS comeback.”
• This is a slightly older article (from 2019), but worthwhile if you’re considering a switch from Bash to Fish.

Programming/Development

• I really enjoyed Julia Evans’ breakdown of some of the common mistakes from this list of common Go mistakes.

Storage

• This is a great story on the history of block storage at AWS. Well worth a read.
• Kirill Bobrov helps readers choose the right AWS storage service by comparing S3, S3N, and S3A.
• Here’s a guide to building a minimal ZFS NAS.
• Plausible deniability in storage. Cool.

Career/Soft Skills

• Here are some suggestions for identifying experts versus imitators.
• I recently watched a video recording, recently released by the NSA, of a presentation given by Grace Hopper in 1982 (part one, part two). Truly, this is a must-watch pair of videos. I was amazed to see and hear Grace Hopper predicting and advocating for “systems of computers” and “systems of software” using “independent modules.” Why? What Grace Hopper predicted and advocated for 42 years ago sound so much like what the industry is using today! I also felt it was interesting to hear her advocating for better security, and talking about problems that we haven’t yet solved after 42 years.

That’s it for me—I hope that you find something useful among the links I’ve shared here. As always, you’re welcome to reach out to me with feedback, corrections, comments, or suggestions for improvement. Find me on Twitter, on the Fediverse, via e-mail (my address is on this site and isn’t hard to find), or hit me up in one of the Slack communities I haunt. Thanks for reading!

Preloading Extra Images with Kubernetes Image Builder

The Image Builder project is a set of tools aimed at automating the creation of Kubernetes disk images—such as VM templates or Amazon Machine Images (AMIs). (Interesting side note: Image Builder is the evolution of a much older Heptio project where I was a minor contributor.) I recently had a need to build a custom AMI with some extra container images preloaded, and in this post I’ll share with you how to configure Image Builder to preload additional container images.

Image Builder isn’t a single binary; it’s a framework built on top of other tools such as Packer and Ansible. Although in this post I’m discussing Image Builder in the context of building an AMI, it’s not limited to use with AWS. You can use Image Builder for a pretty wide collection of platforms (check the Image Builder web site for more details).

To have Image Builder preload additional images into your disk image, there are three changes needed. All three of these changes belong in the images/capi/packer/config/additional_components.json file:

1. Set load_additional_components to true. (The default value is false.)
2. Set additional_registry_images to true. (This also defaults to false.)
3. Set additional_registry_images_list to a comma-delimited list of fully-qualified image names. For example, if you wanted to preload the “cilium:v1.15.8” container image, you’d specify “quay.io/cilium/cilium:v1.15.8”.

That’s it—you don’t need any other changes. (Shout-out to the Image Builder authors and contributors for making the tooling extendable and customizable.) I didn’t find this until after the fact, but the Image Builder web site has an example of a customized additional_components.json file here.

From there, you’re ready to build your disk image. In my case, I needed to build an Ubuntu-based AMI, so I used this command:

make build-ami-ubuntu2204

The specific targets to use with the make command are in the Makefile but I will admit it’s a bit hard to decipher the Makefile. To build an AMI, the target will take the form build-ami-<base-os>. Examples include build-ami-amazon-2 and build-ami-flatcar, along with the usual Ubuntu suspects.

Once your disk image is complete, the make command will return the identifiers needed to locate or identify the finished images. For an AMI, you’ll get a list of the AMI IDs for the regions where the AMI exists. (The regions are configurable in Image Builder.)

I hope this information is useful to someone. Although this information is available on the Image Builder web site, it wasn’t immediately clear to me when I first started down this path. If nothing else, this post should at least make the existing information on the Image Builder site a bit easier to find.

If you have questions about this post or suggestions on how I can improve it, I’d love to hear from you. Feel free to reach out via Twitter, via Mastodon, via Slack (I frequent the Kubernetes Slack instance, among others), or even via e-mail. Thanks for reading!

Storing Pulumi State in the Project Directory

Pulumi, like Terraform and OpenTofu, has the ability to store its state in a supported backend. You can store the state in one of the blob/object storage services offered by the major cloud providers, via Pulumi’s SaaS offering (called Pulumi Cloud), or even locally. It’s this last option I’ll explore a little bit in this post, where I’ll show you how to configure Pulumi to store the state in the project directory instead of somewhere else.

Let me start with this disclaimer: If you’re working with a team of folks on IaC for your project or employer, don’t do this. Storing project state locally with your project will just make life difficult for you. Instead, just accept that you need to store the state somewhere that your whole team can access it. Howver, if you are a “team of one” then you might find this interesting or useful.

Pulumi supports a “local” backend, which means storing stack state information locally on the same system where Pulumi is running. By default, Pulumi will store the state information in the ${HOME}/.pulumi folder.

It’s possible to configure the location the local backend uses with the PULUMI_BACKEND_URL environment variable (see this page for a full list of environment variables that Pulumi uses). Note that this variable doesn’t just affect the local backend; it allows you to configure any supported Pulumi backend. You could specify the name of an S3 bucket Pulumi should use, for example. You could set that value on a per-directory basis using something like Direnv so that different projects (i.e., different directories) could use different backends.

To use the PULUMI_BACKEND_URL to configure the local backend, you’ll need to use the file:// URL syntax (as opposed to using s3:// for an S3 bucket, or an HTTPS URL when using the Pulumi SaaS backend). To configure the local backend to store the state in the current project directory, set PULUMI_BACKEND_URL like this:

export PULUMI_BACKEND_URL=file://.

Pulumi will create a .pulumi subdirectory in the current directory and store project state there. In this regard, it will make Pulumi more like Terraform and OpenTofu, which also (unless configured otherwise) will store state in the current project directory.

Do I recommend doing this? No, not really. You might think, “Well, I’m reducing my dependency on Pulumi’s SaaS offering or other cloud storage options”, but the reality is that Pulumi orchestrates cloud infrastructure. If you can’t get to the cloud to access project state, then you probably can’t get to the cloud to orchestrate infrastructure, either.

That said, you may have valid reasons for wanting to store Pulumi state locally, and I tend to prefer this approach instead of the default configuration.

As a side note, using this approach does not remove the need for the ${HOME}/.pulumi directory, which is still used for Pulumi providers and other data. This approach only changes the location where Pulumi stores project state. If you don’t want to use ${HOME}/.pulumi as the location where Pulumi stores non-project state data, then you can use the PULUMI_HOME environment variable to specify a different location.

I hope this is helpful to someone out there! Thanks for reading. If you have questions, comments (maybe I overlooked something?), corrections, or suggestions for improvement, please feel free to reach out. I’m available on Twitter, on the Fediverse, via e-mail (have a look around on the site), or in the Pulumi Slack community.

Review: Lenovo ThinkPad X1 Carbon Gen11

I’ve recently had the opportunity to start using a Lenovo ThinkPad X1 Carbon (X1C) Gen11 as my primary work system. Since I am not a Windows person—I don’t think I’ve used Windows as a daily driver since before the turn of the century—I’m running Linux on the X1C Gen11. Now that I’ve had a few weeks of regular use, in this post I’ll provide my review of this laptop.

This is my second ThinkPad X1 Carbon; my first was a Gen 5 that I received when I joined Heptio in 2018 (see my review of the X1C Gen5). I loved that laptop; my experience with the Gen5 was what made me choose the X1C Gen11 when given the opportunity. What I’ve found is that the Gen11 improves upon the X1C experience in some ways, but falls short in other ways.

Before getting into the details, here’s a quick rundown on the specifications:

• 10-core Intel 13th generation Core i7-1365U (two performance cores and eight efficiency cores)
• 32GB of RAM
• 512GB NVMe storage
• 2880×1800 display
• Two USB-C ports, two USB-A ports, and an HDMI port

As with the Gen5, I’m happy with the build quality and subjective “feel” of the laptop; it feels sturdy and well-built. It’s light, and it’s comfortable to carry around. The outside of the laptop isn’t “slippery” like a MacBook Air/Pro. Instead, it has a good tactile grip. I have no complaints with performance or battery life, although it probably doesn’t need saying that the battery life doesn’t compare with an M-series Mac. The onboard Intel wireless and integrated Intel graphics are more than capable, but won’t win any performance competitions. They’re more than adequate for my use case, though.

As I mentioned earlier, the Gen11 improves on the X1 Carbon experience in some ways but falls short in other ways:

• The display on the Gen5 might have been good for its time (in my review I wrote that the screen quality and brightness were “really good”), the screen on the Gen11 is great. It’s bright, the colors are vivid, and text is sharp and crisp. (It’s bright enough that most of the time I have the screen turned down to half of the full brightness.) Comparatively speaking, it puts the display from the Gen5 to shame.
• The keyboard on the X1C Gen5 was—and still is—probably my favorite laptop keyboard. Unfortunately, at some point between the Gen5 and the Gen11 Lenovo decided to revise the keyboard, and the result is less than stellar. Compared to the earlier keyboard, it’s downright disappointing. My advice to the Lenovo engineers: go back to the earlier keyboard design! If Apple can admit that changing keyboards was a bad idea (recall the infamous butterfly keyboard?), then I think it’s OK for you to admit it and go back.

Finally: how is the Linux support on the Gen11? It’s good, equally as good if not better than previous generations. Although I tend to use Arch Linux these days instead of Fedora, I haven’t encountered any problems or issues with any of the hardware working as expected. Screen brightness controls work, volume controls work, and suspend works (just close the lid). I’m seeing indications that the fingerprint reader works, although I haven’t actually tried to set it up yet.

As I did in 2018 with the X1C Gen5, I’d recommend the ThinkPad X1 Carbon Gen11 to folks looking for a well-performing lightweight Linux laptop.

Technology Short Take 181

Welcome to Technology Short Take #181! The summer of 2024 is nearly over, and Labor Day rapidly approaches. Take heart, though; here is some reading material for your weekend. From networking to security and from hardware to the cloud, there’s something in here for just about everyone. Enjoy!

Networking

• Leon Adato has a great piece on transitioning from being a network engineer to being a cloud engineer. The post links to some good resources, and Leon provides three quick “lessons” to help folks get started.
• Geoff Huston discusses DNS and UDP truncation.
• Ivan Pepelnjak examines when you might need to use BGP, EVPN, VXLAN, or SRv6.

Servers/Hardware

• Permanent damage? No recall? Ouch! Sean Hollister discusses Intel’s responses to questions asked about instabilities in their 13th and 14th Gen Intel Core desktop processors.
• Chaim Gartenberg shares a look back at 10 years of Google’s AI-specialized chips (the Tensor Processing Units, or TPUs).

Security

• I enjoy Ben Bornholm’s article showing how to use Cilium and Tetragon to secure a vulnerable web application. Practical examples like this are useful. Thanks for sharing, Ben!
• Writing for The Hacker News, Ravie Lakshmanan discusses CRYSTALRAY and a recent surge of infections aiming “to harvest and sell credentials, deploy cryptocurrency miners, and maintain persistence in victim environments.”
• Also via The Hacker News, I saw this article about Singapore banks phasing out OTPs (one-time passwords). I was a bit surprised, to be honest, but the news in the article of sophisticated toolkits aimed at harvesting OTPs provides some explanation why this is happening.
• While patches mitigating the underlying vulnerability are available (the article is from April 2024), this post on how folks can use Tetragon to detect exploits like the one used by XZ Utils/CVE 2024-3094 is (to me) informative.

Cloud Computing/Cloud Management

• It’s an older post, sir, but it checks out: Seth Miles shares his experience from 2021 in building a Cilium-powered EKS cluster using Bottlerocket. Seth uses eksctl in his post, but I verified it using Pulumi (and I hope to be able to share the Pulumi program I used shortly).
• Matt Gowie of Masterpoint shares some experience as an early adopter of OpenTofu.
• Piotr Jastrzebski shares a quick but effective way to optimize GitHub Actions usage.
• Jim Bugwadia shares some techniques for applying the DRY principle to Kyverno policies. I believe a trade-off between DRY and readability exists; emphasizing DRY over readability has the potential for some issues. I am not an expert, though, so feel free to disagree. (Although it would be awesome if you reached out to me to explain why you disagree!)
• Eleni Grosdouli shares a way of deploying and controlling Ciilum on an EKS cluster using Sveltos. Before finding this article, I was not aware of Sveltos.
• Running Oracle Kubernetes Engine (OKE)? Here’s a write-up on enhancing OKE security with Cilium Network Policy.

Operating Systems/Applications

• Bhushan Shah shares some “lessons learned” using git bisect to do some Linux kernel troubleshooting.
• Run macOS software on Linux? I saw Darling described on social media as “WINE, but for macOS”. Anyway, it’s intended to let you run macOS software in a “Darwin emulation/translation” layer on Linux. Nice!
• Andreas Scherbaum reviews a recent change in some Arch Linux packaging around the replacement of BDB with LMDB in the Postfix.
• Kien Nguyen-Tuan reviews testing Ansible with Molecule.
• Chris Wood shares their experience using Linux as a UX designer.

Storage

• William Lam tries to get folks excited about NVMe tiering in vSphere 8 Update 3. I’ll admit this looks like a pretty cool feature.

Virtualization

• Stine Elise Larsen writes about an easily-missed requirement for port 9087 to be open between vCenter Server and ESXi hosts when using vSphere Lifecycle Manager.

Career/Soft Skills

• This doesn’t really pertain to a “soft skill,” exactly, but the focus of the article is a career skill that many folks feel is important: accounting. Yes, you read that right. It’s important to know basic accounting principles, especially for developers building products that move and track money. Check out this guide to accounting for developers.

That’s all for now, folks! I love hearing from readers, so if you have thoughts about any of the links I’ve shared—or maybe you have a link or two of your own you think I should include in the next Technology Short Take—drop me a line! You can reach me via e-mail (my address is on this site, not too terribly hard to find to be honest), you can contact me on Twitter, you can reach me on the Fediverse, or you can hit me up in one of the Slack communities I regularly visit.

Using SOPS with Pulumi

I was first introduced to SOPS at a platform engineering event hosted in Denver last year. SOPS, which is an acronym for Secrets OPerationS, describes itself as “an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP” (taken directly from the project’s GitHub repository). In this post, I’ll explore using Pulumi with SOPS—and I’ll also touch upon whether this combination of tools offers value or users or not.

Bootstrapping Talos Linux over SSH

For those that aren’t aware, Talos Linux is a purpose-built Linux distribution designed for running Kubernetes. Bootstrapping a Talos Linux cluster is normally done via the Talos API, but this requires direct network access to the Talos Linux nodes. What happens if you don’t have direct network access to the nodes? In this post, I’ll share with you how to bootstrap a Talos Linux cluster over SSH.

Using Vale to Improve my Writing

Back in March of this year, I talked about how I started using markdownlint-cli to perform linting against the Markdown source files that are used by Hugo to generate this site. At the same time, I also started exploring the use of similar tools to check (or lint, if you will) my writing itself. In this post, I’ll share with you how I started using Vale to perform some checks against my writing.

Technology Short Take 180

Welcome to Technology Short Take #180! It’s hard to believe that July is almost over, and that 2024 is flying past us. It’s probably time that you, my readers, took some time to slow down and read more technical blogs. To help with that, I just happen to have a little collection of links to share. Enjoy!

Using a Git Commit Template

Although I’m sure that I’d seen or read about Git commit templates previously, the idea of using a Git commit template was brought to the forefront recently with the release of version 11 of Tower for Mac. When I’m using macOS, Tower is my graphical Git client of choice. However, most of my Git operations are via the terminal, and I’m not always using macOS (I also spend a fair amount of time using Linux). For that reason, I wanted to implement a more “platform-neutral” solution to Git commit templates. In this post, I’ll share with you what I learned about using a Git commit template.

Technology Short Take 179

Welcome to Technology Short Take #179! I’m back with another set of links to articles on various data center- and IT-related topics. In the interest of full transparency, I’d like to give credit to Russ White for his “Weekend Reads” series of posts, which are similar in nature to my Technology Short Takes. If you aren’t reading Russ’ “Weekend Reads” posts, you’re missing out on a good source of useful information. Several of the links included below are taken from recent posts by Russ. Thanks, Russ—and to all the other content creators and content curators referenced here—for your great work! Now, on to the content.

Technology Short Take 178

Welcome to Technology Short Take #178! This one is notably shorter than many of the Technology Short Takes I publish; I’m still trying to fine-tune my collection of RSS feeds (such a useful technology that seems to have fallen out of favor), removing inactive feeds and looking for new feeds to replace them. Regardless, I have managed to collect a few links for your reading pleasure this weekend. Enjoy!

Endpoint Selectors and Kubernetes Namespaces in CiliumNetworkPolicies

While performing some testing with CiliumNetworkPolicies, I came across a behavior that was unintuitive and unexpected to me. The behavior centers around how an endpoint selector behaves in a CiliumNetworkPolicies when Kubernetes namespaces are involved. (If you didn’t understand a bit of what I just said, I’ll provide some additional explanation shortly—stay with me!) After chatting through the behavior with a few folks, I realized the behavior is essentially “correct” and expected. However, if I was confused by the behavior then there’s a good chance others might be confused by the behavior as well, so I thought a quick blog post might be a good idea. Keep reading to get more details on the interaction between endpoint selectors and Kubernetes namespaces in CiliumNetworkPolicies.

Getting Barrier Working Between Arch Linux and Ubuntu

I recently had a need to get Barrier—an open source project aimed at enabling mouse/keyboard sharing across multiple computers, aka a “software KVM”—running between Arch Linux and Ubuntu 22.04. Unfortunately, the process for getting Barrier working isn’t as intuitive as it should be, so I’m posting this information in the hopes it will prove useful to others who find themselves in a similar situation. Below, I’ll share how I got Barrier working between an Arch Linux system and an Ubuntu system.

Technology Short Take 177

Welcome to Technology Short Take #177! Wow, is it the middle of May already? The year seems to be flying by—much in the same way that all these technical articles keep flying by my Inbox, occasionally getting caught and included here! In this Technology Short Take, I have links on things ranging from physical network designs to running retro operating systems as virtual machines. Surely there will be something useful in here for you!

Tracking EC2 Instances used by EKS with AWS CLI

As a sort of follow-up to my previous post on using the AWS CLI to track the specific Elastic Network Interfaces (ENIs) used by Amazon Elastic Kubernetes Service (EKS) cluster nodes, this post focuses on the EC2 instances themselves. I feel this is less of a “problem” than tracking ENIs, but I wanted to share this information nevertheless. In this post, I’ll show you which AWS CLI command to use to list all the EC2 instances associated with a particular EKS cluster.

Tracking ENIs used by EKS with AWS CLI

I’ve recently been spinning up lots of Amazon Elastic Kubernetes Service (EKS) clusters (using Pulumi, of course) in order to test various Cilium configurations. Along the way, I’ve wanted to verify the association and configuration of Elastic Network Interfaces (ENIs) being used by the EKS cluster. In this post, I’ll share a couple of AWS CLI commands that will help you track the ENIs used by an EKS cluster.

Technology Short Take 176

Welcome to Technology Short Take #176! This Tech Short Take is a bit heavy on security-related links, but there’s still some additional content in a number of other areas, so you should be able to find something useful—or at least interesting—in here. Thanks for reading!

Linting your Markdown Files

It’s no secret I’m a fan of Markdown. The earliest mention of Markdown on this site is all the way back in 2011, and it was only a couple years after that when I migrated this site from WordPress to Markdown. Back then, the site was generated from Markdown using Jekyll (via GitHub Pages); today it is generated from Markdown sources using Hugo. One thing I’ve not done, though, is perform linting (checking for errors or potential errors) of the Markdown source files. That’s all about to change! In this post, I’ll share with you how I started linting my Markdown files.

Technology Short Take 175

Welcome to Technology Short Take #175! Here’s your weekend reading—a collection of links and articles from around the internet on a variety of data center- and cloud-related topics. I hope you find something useful here!

• Technology Short Take 174 9 Feb 2024
• Using NAT Instances on AWS with Pulumi 5 Feb 2024
• Using SSH with the Pulumi Docker Provider 22 Jan 2024
• Technology Short Take 173 19 Jan 2024
• Technology Short Take 172 5 Jan 2024
• Selectively Replacing Resources with Pulumi 3 Jan 2024
• Dynamically Enabling the Azure CLI with Direnv 18 Dec 2023
• Conditional Git Configuration 15 Dec 2023
• Automatically Transforming Git URLs 11 Dec 2023
• Technology Short Take 171 8 Dec 2023
• Saying Goodbye to the Full Stack Journey 17 Nov 2023
• Guest Post: Moving Secrets Where They Belong 12 Oct 2023
• Assigning Tags by Default on AWS with Pulumi 11 Sep 2023
• Technology Short Take 170 8 Sep 2023
• Mac, iPad, or Both? 28 Aug 2023
• Technology Short Take 169 11 Aug 2023
• Spousetivities Returns to VMware Explore 2023 7 Aug 2023
• Technology Short Take 168 12 May 2023
• Technology Short Take 167 7 Apr 2023
• Creating a Talos Linux Cluster on Azure with Pulumi 31 Mar 2023
• Technology Short Take 166 10 Mar 2023
• Creating a Talos Linux Cluster on AWS with Pulumi 24 Feb 2023
• Technology Short Take 165 17 Feb 2023
• Stage Manager is Incomplete 9 Feb 2023
• Installing the Prerelease Pulumi Provider for Talos 8 Feb 2023
• Automating Docker Contexts with Pulumi 6 Feb 2023
• Technology Short Take 164 27 Jan 2023
• Technology Short Take 163 6 Jan 2023
• A Depth Year in 2023 5 Jan 2023
• Technology Short Take 162 9 Dec 2022