Technology Short Take 194

This is Technology Short Take #194, the latest in my semi-regular series of posts sharing data center technology-related links and articles from around the web. What have I gathered for readers this time? Key topics in Tech Short Take 194 include a new cryptography-based network stack, a look at why folks are revolting against AI, and an in-depth comparison of microVM technologies. On to the content!

Networking

• This is cool.
• Longtime reader Todd Smith pointed me to Reticulum, a new cryptography-based network stack. Todd also spent some time messing around with Reticulum and shared his findings in two blog posts: first, an initial/introductory post, followed by a post sharing his experience with some Reticulum experiments.
• Scott Hogg examines building an IPv6 training and testing lab.

Security

• eBPF is taking hold in security exploits, like the tool named “BPFdoor” that is penetrating critical infrastructure networks.
• Paul Meyer discusses reproducing and mitigating BadAML, an ACPI-based attack vector that can be used to potentially gain access to confidential VMs. Meyer admits that the model in the article assumes the attacker has full control over the host, at which point I would assume “game over” and move on.
• This site provides not only an illustrated TLS 1.2 connection diagram, but also offers diagrams for QUIC, DTLS, and TLS 1.3 (see the links in the upper right corner).
• Rory McCune continues his series on unpatchable Kubernetes vulnerabilities.
• David Chisnall posted a scathing analysis of Mythos on Mastodon (hat tip to Bruce Davie for boosting it into my timeline), and shared a link to an advisory on critical command injection vulnerabilities in Claude Code.

Cloud Computing/Cloud Management

• I recently found this alternative to LocalStack for AWS emulation.
• How to hide regions and services in the AWS console is a useful thing to know about.

Operating Systems/Applications

• Chris Down breaks down the differences between zswap and zram.
• Micah Kepe introduces his new Rust-based JSON search tool, jsongrep, which purports to be faster than other JSON search tools.
• Christian Hofstede-Kuhn shares some shell tricks that actually make life easier. I really liked this line from the end of his post: “Stop letting the terminal push you around, and start rearranging the furniture. It’s your house now.” Love it!
• The Unknown Universe (I couldn’t find the author’s actual name for attribution) is concerned that the year of the Linux desktop might be a trap, thanks to pending age verification laws. All I can say is I am squarely in the Free Rebel camp.
• This Docker blog post on assessing ARM64 readiness points out an often overlooked issue: hard-coded dependencies that don’t account for architecture.
• I know I am behind on this, but I have been investigating Docker versus Podman and I found this in-depth comparison of both tools to be helpful.

Programming/Development

• Your job isn’t programming, according to Nick at Code and Cake. It’s managing complexity.
• Working with a local LLM has been on my radar for some time now. With the new Linux PC build complete, I am ready to move forward—and I might just start by leveraging this script to use Claude Code with a local LLM (after I make sure I provide the workaround to the recently-disclosed Claude Code command injection vulnerability; see the “Security” section above).
• Nathaniel Fishel asserts that your code is worthless and that “vibe coding” and agentic AI programming techniques are “financing technical debt.” I like this phrase Fishel uses because it’s so true—technical debt, like real financial debt, has a cost and is paid over time (with interest).
• Sam Rose explains bloom filters (hat tip to David Flanagan).

Storage

• When I came across this article stating that Amazon S3 Files is still not a file system, I expected to find an argument supporting the title’s claim. What I found was instead an explanation of S3 Files and how it presents a file system interface to S3—useful content, but not aligned with the article’s title, in my opinion.

Virtualization

• Emir Beganović shares their perspective on the state of microVM isolation in 2026.
• Time will tell if Docker’s decision to build a new microVM virtual machine monitor (VMM) for Docker Sandboxes was the right move. With so much activity in the microVM VMM space (see previous link!), it’s a bit of a surprising move—but it sounds like the Windows and macOS support is what forced their hand.

Career/Soft Skills

• Having recently taken a role as a manger leading a team of highly-skilled folks, I resonated with some of the things in this article on seeing like a software company, which examines the concept of legibility.
• Brian Merchant explains why the AI backlash has turned violent. No one deserves violence—I am glad that Merchant explicitly states this in the article—yet it’s not hard to see why people feel threatened (and are getting defensive).

That’s all I have for you today. I hope it was useful! Feel free to send interesting links you find my way—you can hit me up on Mastodon, on Bluesky, or on X/Twitter (although I use the latter infrequently). My email also isn’t hard to find, and I love to hear from readers. Thanks for reading!

Technology Short Take 193

Welcome to Technology Short Take #193! I know it has only been a couple weeks since the last Tech Short Take, but I am guessing that readers won’t really mind another one. Here is my latest collection of articles and posts about data center-related technologies. Enjoy!

Networking

• Brian Linkletter shares his 2026 list of network simulators and emulators. (Hat tip to Ivan P. for the link.)
• Emmanuel Vitus brings to light a battle over IPv4 address space and the control of the regional internet registries.
• Doug Dawson discusses the recent FCC ban on consumer-grade routers and the potential impacts to industry and ISPs.

Servers/Hardware

• RIP Mac Pro. I had a “classic Mac Pro” (2012 era) for a long time, and I loved that system. (I even ran Linux on it for a while.) It is a shame to see it go.
• I mentioned on social media (Mastodon/Bluesky) that I recently purchased all the hardware for a new PC build. It’ll be part PC/part home server, as I look to expand the type and scope of services that I self-host. Don’t be surprised if a few articles emerge out of this.

Security

• Trivy’s GitHub Actions were compromised by attackers, leading to the exposure of CI/CD secrets. This post on the Socket blog has more details, and Rose Security has a write-up that provides more details on how a typosquatted domain and a fake version tag were involved.
• At least one other software supply chain exploit has been tracked back to the Trivy compromise: the Python litellm module on PyPI steals credentials.
• The Docker side of the Trivy compromise is shared in detail in this Docker blog post.

Cloud Computing/Cloud Management

• Looking for some help in migrating away from Ingress-NGINX? This announcement of Ingress2Gateway 1.0 might be just what you are seeking.
• The FluxCD team published a post discussing Morgan Stanley’s “Stairway to GitOps” presentation, which describes the firm’s five-year journey from push-based pipelines to a self-service GitOps platform.
• Although I am not an AI fanboy, I do recognize that LLMs can offer value in a variety of areas, and so exploring the utility of local LLMs is something of a side project of mine. As a result, this article on using the Terraform MCP with a local LLM was of interest to me.
• InfraKitchen kind of feels like “Backstage for Terraform.”
• I’ve been talking about KISS versus DRY in IaC for a while now, but Rose Security unpacks KISS versus DRY in IAC so much more elegantly than I can.
• I am apparently behind the times, as it was just this past week that I learned about waypoint proxies in Istio ambient mode. John Howard has a “waypoint proxies the hard way” tutorial that might prove useful if you’re interested in learning more.

Operating Systems/Applications

• Akkana Peck shares how it was an HDMI connection that was causing USB errors in the dmesg log.
• Terence Eden re-affirms that is 100% OK to wait on AI.
• And while I am on the topic of AI, I enjoyed this article explaining some of the rational reasons people may resist AI (and other modern technologies).
• Samuel Karp shares a little bit of the reasoning behind the move to annual LTS releases of containerd.
• Bcachefs is out of the Linux kernel and moving to DKMS.
• This tale of fixing eBPF spinlock issues in the Linux kernel is a long and detailed read—but interesting! I didn’t understand all the code, but I still enjoyed reading about the journey of finding the root cause(s) and addressing them.
• William Collins introduces gridctl, a tool for managing MCP configurations.
• Andre Garzia shares why Apple lost them as a customer. This is just a continuation of trends that have been around for some time—as far back as 2012 when I first discussed leaving OS X (as macOS was known then). It is also why the majority of my time is spent on Linux now (I use Ubuntu at work and Arch Linux BTW on my personal systems).

Storage

• Frank Denis has a good article on options for full disk encryption on Linux.

Programming/Development

• Markus Unterwaditzer shares how to move from GitHub to Codeberg. I stop relying on GitHub alone some time ago, although many of my repositories/projects are still there just for accessibility.

Virtualization

• Looking for a few weekend home lab experiments?
• William Lam explains how to create custom Virtual Machine Classes using an updated to the vSphere Automation REST API.

That’s all for this time around. I hope you found something useful! I am always open to hearing from readers, so I invite you to contact me—I am available on social media (Bluesky, Mastodon, and X/Twitter), and you can find me in some Slack communities (the Kubernetes Slack instace is one notable example). My email address also is not hard to find. I’d love to hear from you!

Talking About Pulumi and Network Automation

Heard about Pulumi, but aren’t sure what it is? Maybe you know a little bit about Pulumi—like that it does infrastructure as code (IaC), but using general purpose programming languages—and you’re wondering where it fits in a larger automation framework? Or maybe you’re a network engineer just starting to dabble in network automation, and you’re wondering if this Pulumi thing is something you should check out. If any of these apply to you, then the latest Network Automagic podcast episode is right up your alley.

I recently had the opportunity to join Steinn Bjarnarson and Urs Baumann for an episode of Network Automagic. The focus of our discussion—although I will say we diverged a bit here and there—was on Pulumi, what it is, and whether it fits into a larger network automation framework. After all, if you can use general purpose programming languages like Python with Pulumi, why not just use Pulumi in a Python program that also does network automation stuff?

All in all, recording the podcast with Steinn and Urs was great fun, and I hope that the final product ends up being helpful for folks. There’s a variety of ways to listen in on the episode:

Via the Network Automagic web site

Via the Network Automagic channel on YouTube (here is a link to the specific episode)

Via Spotify

Via Apple Podcasts

As you can see, there are plenty of options to listen (and a few that I didn’t include—check the Network Automagic web site for more!). Thanks to Steinn and Urs for having me on the show!

Technology Short Take 192

Welcome to Technology Short Take #192! Who’s interested in some links to data center technology-related articles and posts? If that’s you, you’re in the right place. Here’s hoping you find something useful!

Networking

• Interested in an autonomous network engineering agent powered by Claude? (Hat tip to Russ S. for sending this my way.)

Security

• Google’s Threat Intelligence Group recently published some details around Coruna, an iOS exploit kit targeting a range of iOS versions and equipped with a number of potential exploits.
• As an example of one of the challenges around “default” secuity settings, Rory McCune highlights the fact that MicroK8s does not enable role-based access control.
• Bryce Kerley explains Web PKI—the infrastructure that powers secure connections on the modern Web.
• Mike Masnick writes about the massive surveillance stack hiding inside the “age verification” checks.

Cloud Computing/Cloud Management

• I’ve had this article on AWS Lambda for the containers developer sitting in my read queue since first publication in 2023. (Sorry, Massimo.) I finally got around to reading it—really reading it, not just skimming it—and I found it to be helpful in helping me get a better grasp on Lambda.
• The AWS Load Balancer Controller recently gained support for Kubernetes Gateway API. This allows Kubernetes administrators to use AWS ALBs or NLBs for Gateway resources, and eliminates annotation-based configuration in favor of Custom Resource Definitions (CRDs).

Operating Systems/Applications

• While using containers is certainly a step forward in securing autonomous agents—such as what NanoClaw is doing—I don’t think it’s enough on its own. Helpful, yes, but there is still more to do. Am I wrong?
• Does Gentoo’s migration from GitHub to Codeberg—obstensibly due to Microsoft’s AI emphasis—signal a turning point?
• The recent announcement of a partnership between Motorola and GrapheneOS opens the possibility for the privacy-focused smartphone OS to arrive on new hardware platforms.
• Although some sites are sensationalizing early news about Windows 12 (in particular, how much of the OS will be subscription-based), the PC World article that appears to be the source for these sites paints a different picture.
• Tara Tarakiyee says it’s not about “the year of the Linux desktop,” it’s about the decade of Linux.
• KubeSimplify introduces ing-switch, a tool to assist in migrating away from Ingress NGINX to Traefik or Gateway API.
• The fmd command-line tool provides an way to find Markdown files based on metadata. I’ve been looking for something like this!
• Nick Janetakis has a shell alias for getting outdated packages across distributions (Arch, Debian, and macOS+Homebrew).

Programming/Development

• I was recently introduced to ast-grep (website, GitHub repository), a CLI tool that leverages the abstract syntax tree (AST) of code to allow users to find (and potentially change) values in code without great effort and at scale. I am not a programmer by trade so I do not have any immediate use cases, but there is one use case that I am exploring (if it works out, it will be the topic of a future blog post). Here is one example of what you can do with ast-grep.
• Datadog reviews how they reduced the size of their Agent Go binaries by 77%.
• Andrew Nesbitt makes the assertion that package registries are more than just infrastructure—they are also governance.
• Via Chris Short, I noted the OSI has adopted SPDX IDs for open source license URLs. (By the way, Chris’ DevOps’ish newsletter is outstanding—highly recommended.)
• David Anderson shares some thoughts on LLM coding. One quote really stood out to me: “The psychology of LLMs use worries me deeply. It’s a system that could not be better designed to encourage harmful behaviors if you tried, because it mixes a couple of very potent psychological traps. And it’s further being pushed by a large amount of venture money, and being co-opted by grifters with vested interests.”
• Leonardo de Moura argues for the need for formal verification of AI-written software.

Career/Soft Skills

• A colleague (thanks James L.!) shared this rather long essay on generative AI with me. While the article is a lengthy read, it really resonated with me. I am including it here in this situation because so much of the discusion in the article relates to our careers and how we view our work.
• These two articles (part 1, part 2) paint a not-rosy picture of the future should AI have the impact people are saying (hoping?) it will have. (Hat tip to Michael K for the link.)

That’s all I have for now. I love to hear from readers, so feel free to reach out and say hi! You can find me on X/Twitter, Mastodon, and Bluesky. My email address isn’t hard to find, so you also have the option of sending me a message that way. Thanks for reading!

Using Mitmproxy to Observe kubectl Traffic

When I first started learning Kubernetes, I had the idea that observing the network traffic between a client system using kubectl and the Kubernetes API Server would be a useful thing to do. The source of the idea is unclear; I am unsure why I thought this would be useful as a learning tool. Regardless, I continued on with learning Kubernetes and never really pursued this idea—until this week. I found it can be a useful troubleshooting technique, but I will leave it up to you to determine if it is a useful learning technique. In this post, I will show you how to observe kubectl traffic using mitmproxy.

This technique is inspired by/informed by Ahmet Alp Balkan’s similarly-named blog post from 2019. Unfortunately, I found the instructions there to be incomplete (most likely just due to the passage of time and continued evolution of the tools involved).

I used the following tools and environments in my testing:

• The tests were conducted on a Linux system running Ubuntu 24.04.4. The commands should work similarly on macOS.
• Mitmproxy was installed from the Ubuntu repositories using apt.
• kubectl version 1.33.3 was used to communicate to a self-managed cluster on AWS (in other words, not Amazon EKS) running Kubernetes 1.32.9. The cluster was bootstrapped using kubeadm. I wouldn’t expect any major/significant differences with other versions of kubectl or Kubernetes.
• I was using a client certificate to authenticate to Kubernetes. It’s unclear to me how this might work—if it works at all—with alternate authentication mechanisms.

Prepare Client Certificates

Before you can start mitmproxy, you’ll first need to extract the client certificates from the Kubeconfig file. A couple of ways exist to do this; a blog post of mine from 2022 contains what I believe is the easiest way. The method involves yq (to extract information from the Kubeconfig) and base64 (to decode the client certificate and client key). Refer to the linked blog post for full details.

1. First, extract the client certificate (adjust the users[0] as needed based on the Kubeconfig file):

   yq '.users[0].user.client-certificate-data' < kubeconfig | base64 -d >> client-cert.pem
   

2. Next, extract the client key:

   yq 'users[0].user.client-key-data'< kubeconfig | base64 -d >> client-cert.pem
   

Running Mitmproxy and Watching Traffic

Now that you have the client certificate and key in hand, you’re ready to launch mitmproxy and observe some traffic. Mitmproxy requires a few specific configuration flags for this use case:

• You’ll need to disable HTTP/2 support with --set http2=false.
• Mitmproxy must be configured with the client certificate you extracted above (using --set client_certs=client-cert.pem).
• In this particular case, since the cluster CA isn’t trusted, mitmproxy also has to be told not to verify the upstream certificate with --set ssl_insecure=true.

Putting all this together, the full command looks like this:

mitmproxy -p 5000 --set ssl_insecure=true --set http2=false --set client_certs=client-cert.pem

Then, in a separate window, run your kubectl command:

HTTPS_PROXY=:5000 kubectl get po -A --insecure-skip-tls-verify

You should see the traffic pop up in the window running mitmproxy, and can review the traffic flow(s) in detail.

As explanation: the HTTPS_PROXY part redirects traffic through the instance of mitmproxy you just launched, and --insecure-skip-tls-verify tells kubectl not to verify the upstream certificate—which it can’t do because it’s seeing mitmproxy’s certificate, not the cluster’s certificate.

There you go—now you can observe traffic between kubectl and the Kubernetes API server. As I mentioned at the start of this post, this technique is useful for troubleshooting. I did not find it useful as a learning tool, but others might.

I hope you find this useful. Thanks to Ahmet for setting me down the right path! If you have questions, feel free to reach out. I’m available on social platforms (X/Twitter, Mastodon, Bluesky, and LinkedIn), or you can drop me an email. I’d be happy to help if I’m able.

Running the Azure CLI in a Container

Like perhaps some readers, I am quite particular about what gets installed on my systems. I try to keep my systems as “clean” as possible, doing my best to avoid tools that have an extensive list of dependencies that must be installed and updated. Where that isn’t possible—such as with the Azure CLI, which has a massive number of Python modules that are required in order for the tool to function—I will use various isolation mechanisms. For the Azure CLI, that’s typically been a Python virtual environment. Somewhat recently, though, I had an idea to try using a container. In this post, I’ll share what worked and what did not work when trying to run the Azure CLI in a container.

Technology Short Take 191

Welcome to Technology Short Take #191! This is my semi-regular collection of links related to technology disciplines, including networking, security, cloud computing, storage, and programming/development. I hope that I’ve managed to curate an interesting and useful set of links for readers. Enjoy!

Technology Short Take 190

Welcome to Technology Short Take #190! This is the first Tech Short Take of 2026, and it has been nearly three months (wow!) since the last one. I can’t argue that I fell off the blogging bandwagon over the end of 2025 and early 2026. I won’t get into all the reasons why (if you’re interested then feel free to reach out and I’ll fill you in). Enough about me—let’s get to the technical content! Here’s hoping you find something useful.

Setting up a VPC Route Server with Pulumi

If you need to work with BGP in your AWS VPCs—so that BGP-learned routes can be injected into a VPC route table—then you will likely need a VPC Route Server. While you could set up a VPC Route Server manually, what’s the fun in that? In this post, I will walk you through a Pulumi program that will set up a VPC Route Server. Afterward, I will discuss some ways you could check the functionality of the VPC Route Server to show that it is indeed working as expected.

Technology Short Take 189

Welcome to Technology Short Take #189, Halloween Edition! OK, you caught me—this Tech Short Take is not scary. I’ll try harder next year. In the meantime, enjoy this collection of links about data center-related technologies. Although this installation is lighter on content than I would prefer, I am publishing anyway in the hopes of trying to get back to a somewhat-regular cadence. Here’s hoping you find something useful and informative!

Posts from the Past, October 2025

Every now and then, I publish one of these “Posts from the Past” articles that looks back on content I’ve created and posted over the life of this site. This year marks 20 years of content—I can hardly believe it! Don’t worry, though; you won’t have to go through 20 years of past posts. Here is a selection of posts from mid- to late October over the last decade or so. I hope you find something useful, informative, or at least entertaining!

Using Git Pre-Commit Hooks

A while ago I wrote an article about linting Markdown files with markdownlint. In that article, I presented the use case of linting the Markdown source files for this site. While manually running linting checks is fine—there are times and situations when this is appropriate and necessary—this is the sort of task that is ideally suited for a Git pre-commit hook. In this post, I’ll discuss Git pre-commit hooks in the context of using them to run linting checks.

Technology Short Take 188

Welcome to Technology Short Take #188! I’m back once again with a small collection of articles and links related to a variety of data center-related technologies. I hope you find something useful!

Creating a Talos Linux Cluster on AWS with Pulumi, 2025 Edition

A little over two years ago, I wrote a post on creating a Talos Linux cluster on AWS using Pulumi. At the time of that post, the Pulumi provider for Talos was still a prerelease version. Since then, the Talos provider has undergone some notable changes necessitating an update to the example code I have on GitHub. For your reading pleasure, therefore, I present you with the 2025 edition of a tutorial for using Pulumi to create a Talos Linux cluster on AWS.

Technology Short Take 187

Welcome to Technology Short Take #187! In this Technology Short Take, I have a curated collection of links on topics ranging from BGP to blade server hardware to writing notes using a “zettelkasten”-style approach, along with a few other topics thrown in here and there for fun. I hope you find something useful!

Technology Short Take 186

Welcome to Technology Short Take #186! Yes, it’s been quite a while since I published a Technology Short Take; life has “gotten in the way,” so to speak, of gathering links to share with all of you. However, I think this crazy phase of my life is about to start settling down (I hope so, anyway), and I’m cautiously optimistic that I’ll be able to pick up the blogging pace once again. For now, though, here’s a collection of links I’ve gathered since the last Technology Short Take. I hope you find something useful here!

Bootstrapping Dual-Stack Kubernetes on Flatcar with Kubeadm

Recently I needed to be able to stand up a dual-stack (IPv4/IPv6) Kubernetes cluster on Flatcar Container Linux using kubeadm. At first glance, this seemed like it would be relatively straightforward, but as I dug deeper into it there were a few quirks that emerged. Given these quirks, it seemed like a worthwhile process to write up and publish here. In this post, you’ll see how to use Butane and kubeadm to bootstrap a dual-stack IPv4/IPv6 Kubernetes cluster on AWS.

Technology Short Take 185

Welcome to Technology Short Take #185, the first of 2025! I’m excited for the opportunity to continue to bring readers articles and links of interest across data center- and cloud-related technologies (along with some original content along the way). I had originally intended for this post to be my last post of 2024, but personal challenges got in the way. Enough of that, though—on to the content!

Using Multiple AWS Regions with Pulumi and S3 Backend

For a while now, I’ve been using Direnv to manage environment variables when I enter or leave certain directories. Since I have to work with more than one AWS account, one of the use cases for me has been populating AWS-specific environment variables, like AWS_REGION or AWS_PROFILE. This generally works really well for me, but recently I ran into a bit of a corner case involving multiple AWS regions, Pulumi, and using S3 as the Pulumi backend. In this post, I’ll share the workaround that allows this configuration to work as expected.

Technology Short Take 184

Welcome to Technology Short Take #184! This Tech Short Take is a bit shorter than the usual ones, but then again this week—at least in the US—is a bit shorter than most weeks due to the Thanksgiving holiday. Even so, I hope that I’ve managed to include some information that folks find useful. Also, thanks to some feedback from readers, I’ve tried hard to ensure that links are more descriptive and informative than they’ve sometimes been in the past; let me know how I did. Now, on to the content!

• EKS, Bottlerocket, and Cilium with Pulumi 10 Oct 2024
• Technology Short Take 183 4 Oct 2024
• Technology Short Take 182 6 Sep 2024
• Preloading Extra Images with Kubernetes Image Builder 30 Aug 2024
• Storing Pulumi State in the Project Directory 23 Aug 2024
• Review: Lenovo ThinkPad X1 Carbon Gen11 21 Aug 2024
• Technology Short Take 181 16 Aug 2024
• Using SOPS with Pulumi 14 Aug 2024
• Bootstrapping Talos Linux over SSH 5 Aug 2024
• Using Vale to Improve my Writing 29 Jul 2024
• Technology Short Take 180 26 Jul 2024
• Using a Git Commit Template 15 Jul 2024
• Technology Short Take 179 28 Jun 2024
• Technology Short Take 178 31 May 2024
• Endpoint Selectors and Kubernetes Namespaces in CiliumNetworkPolicies 30 May 2024
• Getting Barrier Working Between Arch Linux and Ubuntu 29 May 2024
• Technology Short Take 177 17 May 2024
• Tracking EC2 Instances used by EKS with AWS CLI 17 Apr 2024
• Tracking ENIs used by EKS with AWS CLI 15 Apr 2024
• Technology Short Take 176 15 Mar 2024
• Linting your Markdown Files 1 Mar 2024
• Technology Short Take 175 23 Feb 2024
• Technology Short Take 174 9 Feb 2024
• Using NAT Instances on AWS with Pulumi 5 Feb 2024
• Using SSH with the Pulumi Docker Provider 22 Jan 2024
• Technology Short Take 173 19 Jan 2024
• Technology Short Take 172 5 Jan 2024
• Selectively Replacing Resources with Pulumi 3 Jan 2024
• Dynamically Enabling the Azure CLI with Direnv 18 Dec 2023
• Conditional Git Configuration 15 Dec 2023