Technology Short Take 177

Welcome to Technology Short Take #177! Wow, is it the middle of May already? The year seems to be flying by—much in the same way that all these technical articles keep flying by my Inbox, occasionally getting caught and included here! In this Technology Short Take, I have links on things ranging from physical network designs to running retro operating systems as virtual machines. Surely there will be something useful in here for you!

Networking

• Blogger Evert has a two part series (here and here) on managing NSX ALBs with Terraform.
• Ivan launches a series of blog posts exploring routing protocol designs that can be used to implement EVPN-with-VXLAN L2VPNs in a leaf-and-spine fabric. The first one is here. What’s really cool is that Ivan also includes a netlab topology readers can use to create a lab and see how it works.
• Eduard Tolosa discusses binding wireless network adapters to systemd-nspawn containers.
• Ioannis Theodoridis has a three-part series on how he and his team used tools like Nautobot, Nornir, and Python to help with some extensive network migrations. Check out the series (part 1, part 2, and part 3); I think you’ll find some useful information in there.

Servers/Hardware

• While in many respects Apple’s M series CPUs are amazing, all is not perfect: security researchers have discovered a flaw that would allow attackers to steal cryptographic keys. More details are available in this Zero Day article.

Security

• Rory McCune explores using Tailscale for getting persistence in a compromised Kubernetes cluster.
• The Cisco Talos team is warning of large-scale brute force attacks against VPN and SSH services on a variety of devices (including Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti).

Cloud Computing/Cloud Management

• Open Policy Agent (OPA) is approaching their 1.0 release, and they’ve already started discussing what users can do today to prepare for the big release. I must say I appreciate the OPA team’s efforts in making the transition to 1.0 as smooth and seamless as possible.
• A colleague shared this article on CPU limits and throttling in Kubernetes.
• Anton Weiss of PerfectScale explores memory QoS with EKS and Bottlerocket.
• Brian Grant explores the question of whether GitOps is actually useful.
• Via this blog post on the Docker web site, Diana Esteves of Pulumi shares how to use the new Docker Build provider to automate image builds. It also looks like the Pulumi team has added a Docker Build example to their “examples” repository. C’mon, Pulumi team—show us more than just TypeScript!

Operating Systems/Applications

• Julia Evans digs into what “current branch” means in Git.
• Nikhil shares a framework for selecting a Linux distribution.
• José Ignacio Amelivia Santiago takes readers on a detailed walkthrough of setting up Arch Linux on a new Framework 13 AMD-based laptop.
• Here’s a list of “crisis tools” recommended to install on your Linux servers before you need them.
• Only one word applies here: oops.
• I found this tool in the last couple of weeks, and it is so absolutely useful (to me, anyway).
• Envoy Gateway has officially released version 1.0.0, marking GA for the project. More details are available in this announcement.

Programming/Development

• This is a fantastic article by Jeremiah Lee about Spotify’s failed “squad model” and some of the key lessons folks can learn.

Storage

• Steven Sklar explains how CSI (Container Storage Interface) works.

Virtualization

• Talk about a blast from the past! William Lam discusses running a prerelease version of OS/2 2.0—an operating system I myself ran in the mid-1990s before switching to Windows NT—as a virtual machine on VMware ESXi. For what it’s worth, I remain convinced that OS/2 version 2 was technologically superior to its Windows peers (including Windows NT). It’s another example of when the best technology doesn’t always win.

Career/Soft Skills

• If you’re looking for a list of skills that are valuable for a DevOps engineer/SRE/platform engineer to know, look no further than this comprehensive list from Nick Janetakis.

OK, that’s all for this time around. Did you like this post, or another post on the site? Or maybe you have a question? Feel free to reach out! I always enjoy hearing from readers, so I invite you to find me on Twitter, on the Fediverse, or in one of the various Slack communities I frequent. (You can drop me an e-mail, if you’d prefer—my address isn’t too hard to find.) Thanks for reading!

Tracking EC2 Instances used by EKS with AWS CLI

As a sort of follow-up to my previous post on using the AWS CLI to track the specific Elastic Network Interfaces (ENIs) used by Amazon Elastic Kubernetes Service (EKS) cluster nodes, this post focuses on the EC2 instances themselves. I feel this is less of a “problem” than tracking ENIs, but I wanted to share this information nevertheless. In this post, I’ll show you which AWS CLI command to use to list all the EC2 instances associated with a particular EKS cluster.

If you read the previous post on tracking ENIs used by EKS, you might think that you could use a very similar AWS CLI command (aws ec2 describe-instances instead of aws ec2 describe-network-interfaces) to track the EC2 instances in a cluster—and you’d be mostly correct. Like the ENIs, EKS does add a cluster-specific tag to all EC2 instances in the cluster. However, just to make life interesting, the tag used for EC2 instances is not the same as the tag used for ENIs. (If someone at AWS knows of a technical reason why these tags are different, I’d love to hear it.)

Instead of using the cluster.k8s.amazonaws.com/name tag that is used on the ENIs, you’ll need to use the aws:eks:cluster-name tag instead, like this:

aws ec2 describe-instances --filters Name=tag:aws:eks:cluster-name,\
Values=<name-of-cluster>

Just replace <name-of-cluster> in the above command with the name of your EKS cluster, and you’re good to go. As I mentioned in the previous post, if you’re using an automation tool such as Pulumi or Terraform, you may need to explicitly specify the name of the cluster in your code (or look it up after the cluster is created).

I hope this information is useful to folks. If you have questions (or corrections, in the event I have something incorrect here!), please feel free to reach out. You can find me on Twitter, on the Fediverse, or in a number of different Slack communities. Thanks for reading!

Tracking ENIs used by EKS with AWS CLI

I’ve recently been spinning up lots of Amazon Elastic Kubernetes Service (EKS) clusters (using Pulumi, of course) in order to test various Cilium configurations. Along the way, I’ve wanted to verify the association and configuration of Elastic Network Interfaces (ENIs) being used by the EKS cluster. In this post, I’ll share a couple of AWS CLI commands that will help you track the ENIs used by an EKS cluster.

When I first set out to find the easiest way to track the ENIs used by the nodes in an EKS cluster, I thought that AWS resource tags might be the key. I was right—but not in the way I expected. In the Pulumi program (written in Go) that I use to create EKS clusters, I made sure to tag all the resources.

For example, when defining the EKS cluster itself I assigned tags:

eksCluster, err := eks.NewCluster(ctx, "eks-cluster", &eks.ClusterArgs{
    Name:    pulumi.Sprintf("%s-test", regionNames[awsRegion]),
    // Some code omitted here for brevity
    Tags: pulumi.StringMap{
        "Name":   pulumi.Sprintf("%s-test", regionNames[awsRegion]),
        "owner":  pulumi.String(ownerTag),
        "team":   pulumi.String(teamTag),
        "usage":  pulumi.String(usageTag),
        "expiry": pulumi.String("2025-01-01"),
    },
})

And I assigned tags again when defining the node group for the EKS cluster:

_, err = eks.NewNodeGroup(ctx, "node-group", &eks.NodeGroupArgs{
    ClusterName:   eksCluster.Name,
    // Some code omitted here for brevity
    Tags: pulumi.StringMap{
        "Name":   pulumi.Sprintf("%s-nodegroup-01", regionNames[awsRegion]),
        "owner":  pulumi.String(ownerTag),
        "team":   pulumi.String(teamTag),
        "usage":  pulumi.String(usageTag),
        "expiry": pulumi.String("2025-01-01"),
    },
})

I thought that these tags would carry over to the ENIs attached to the EC2 instances in the node group. Assuming the value of ownerTag was set to “slowe”, it would be possible to see all the ENIs with this command:

aws ec2 describe-network-interfaces --filters Name=tag:owner,Values=slowe

Alas, these tags don’t carry over (not that I’ve observed, anyway). However, all is not lost! EKS creates its own tag you can use with the describe-network-interfaces command:

aws ec2 describe-network-interfaces \
--filters Name=tag:cluster.k8s.amazonaws.com/name,Values=cluster-name

The cluster.k8s.amazonaws.com/name tag is automatically added to ENIs created for use by EKS; you just need to supply the correct value (to replace cluster-name in the above command). If you’re using an automation tool like Pulumi or Terraform, you’ll want to be sure you know what the EKS cluster name is; you can assign it, as I did in the code above, or you can look it up.

While I didn’t share anything amazingly unique or earth-shattering here, I do hope that this post is helpful to folks. Feel free to find me on various social media platforms—such as on Twitter or on the Fediverse—if you have questions or comments about this post. Constructive feedback is always welcome!

Technology Short Take 176

Welcome to Technology Short Take #176! This Tech Short Take is a bit heavy on security-related links, but there’s still some additional content in a number of other areas, so you should be able to find something useful—or at least interesting—in here. Thanks for reading!

Networking

• Lee Briggs (formerly of Pulumi, now with Tailscale) shows how to use the Tailscale Operator to create “free” Kubernetes load balancers (“free” as in no additional charge above and beyond what it would normally cost to operate a Kubernetes cluster).
• Ivan Pepelnjak dives deep on DHCP relaying on a Linux host.
• I also enjoyed Ivan’s realistic take on rollbacks in a network automation environment. (TL;DR: It’s not as easy as it might seem.)

Servers/Hardware

• Menno Finlay-Smits shares information on reducing fan noise on Intel NUCs.
• Rob McBryde shares his story of reviving a 2012 MacBook Pro with Linux.
• Kevin Houston previews the first AMD-powered Cisco UCS blade server.

Security

• In early February a vulnerability was uncovered in a key component of the Linux boot process. The vulnerability affects virtually all Linux distributions and allows attackers to bypass the secure boot protections and insert a low-level bootkit. While the requirements for exploiting the vulnerability are not insurmountable, they do require a certain level of effort. More details available via Ars Technica and via ZDnet.
• Nick Frichette shares how to bypass GuardDuty Tor client findings (basically, how to connect to Tor without GuardDuty detecting it).
• The Sysdig Threat Research Team uncovered the malicious use of a network mapping tool called SSH-Snake. Read more about it in this post.
• VMware is patching a set of severe “sandbox escape” bugs. Two of the vulnerabilities are rated a 9.3 out of 10, and even VMware’s flagship ESXi hypervisor is affected. More details are available from Ars Technica.
• Think Linux doesn’t have malware? A new Bifrost remote access trojan (RAT) for Linux employs a number of techniques to remain hidden, including using a “VMware-esque” domain name for command and control servers.
• And here’s another example of malware that is targeting Linux (along with Windows).
• This would be why I hate it when companies force me to use SMS for two-factor authentication—at least let me use a one-time passcode or something.

Cloud Computing/Cloud Management

• Mina Abadir shares some experiences around migrating from PlanetScale to Amazon Aurora.
• Rory McCune explains Kubernetes authentication.
• Falco has graduated within the CNCF.

Operating Systems/Applications

• Here’s one person’s take on sudo for Windows.
• This is a handy trick.
• David Both has an article on using systemd journals for troubleshooting. It looks like this is part of a larger series on systemd.
• Major Hayden talks about connecting Caddy to Porkbun to help with automating TLS certificates.

Storage

• Gergely Imreh discusses ZFS on a Raspberry Pi.
• Cal Paterson explains why S3 is not a filesystem.

Virtualization

• In the wake of Broadcom discontinuing VMware ESXi Free, Nutanix is hoping to fill the gap with Nutanix Community Edition. Vladan Seget provides some additional details in his blog post. Given that Nutanix Community Edition is based on the open source KVM hypervisor, this could lead to greater KVM adoption among small businesses and virtualization hobbyists who formerly would have used VMware’s solution.
• Staf Wagemakers (I think I have the name right) describes running OpenBSD as a UEFI virtual machine on a Raspberry Pi.
• I stumbled across a pair of articles by Greg Gant on the use of QEMU to run older versions of Mac OS (including pre-Mac OS X versions): there’s the original piece, and then an updated piece.

Career/Soft Skills

• Robb Owen shares why it’s OK to abandon your side project.
• This distinction between stories and tasks is probably applicable even outside agile development environments and practices, especially when it boils down to “you must still think about what the user needs”. Good stuff!

That’s all for now! I always love hearing from readers, so if you found something useful in this post—or in any post—don’t hesitate to reach out! You can reach me on Twitter, on the Fediverse, or in a number of different Slack communities. You’re also welcome to drop me an e-mail; my address is here on the site (it’s not hard to find). Enjoy!

Linting your Markdown Files

It’s no secret I’m a fan of Markdown. The earliest mention of Markdown on this site is all the way back in 2011, and it was only a couple years after that when I migrated this site from WordPress to Markdown. Back then, the site was generated from Markdown using Jekyll (via GitHub Pages); today it is generated from Markdown sources using Hugo. One thing I’ve not done, though, is perform linting (checking for errors or potential errors) of the Markdown source files. That’s all about to change! In this post, I’ll share with you how I started linting my Markdown files.

To handle the linting, there are (at least) a couple different options:

1. markdownlint-cli (GitHub repository)
2. markdownlint-cli2 (GitHub repository)

Both of these use the same markdownlint library under the hood. They’re both available as both a CLI tool or as a Docker container; markdownlint-cli2 is also available as a GitHub Action. In both cases, the CLI tool is installed via npm install (typically globally with --global or -g). The key difference between the two is that markdownlint-cli2 is configuration-driven, whereas markdownlint-cli offers the ability to use either a configuration file or command-line flags. I decided to use markdownlint-cli, as the ability to use command-line flags makes it a tad easier to get started.

I performed initial testing with the Docker container, which you would tend to invoke like this:

docker container run --rm -v "$PWD:/workdir" ghcr.io/igorshubovych/markdownlint-cli:latest "path/to/*.md"

However, I later switched to the CLI tool for better cross-platform portability (yes, I know that macOS can run Docker containers via Docker Desktop, but you still have to pay the tax of running a Linux VM in the background). The CLI tool is invoked in much the same way:

markdownlint "path/to/*.md"

In the default configuration, markdownlint-cli flagged a lot of violations in the over 2,200 blog posts on the site. After fine-tuning the configuration by disabling a few rules (more details on the rules is found here), there were still a lot of violations—but not nearly as many. Notably, I disabled MD013 (“line-length”) and MD052 (“reference-links-images”); the former because I use soft line-wraps in my Markdown paragraphs and the latter because I use Hugo’s relref shortcode for cross-referencing other posts.

Initially it was a bit unclear to me how to use the .markdownlint.jsonc configuration file to disable some of the rules. (This was probably just me being dense, if I’m honest.) For example, a configuration for MD052 might look like this:

// Rule details : https://github.com/DavidAnson/markdownlint/blob/v0.33.0/doc/md052.md
"reference-links-images": {
    "shortcut_syntax": false
},

To disable this rule, it needs to look like this:

// Rule details : https://github.com/DavidAnson/markdownlint/blob/v0.33.0/doc/md052.md
"reference-links-images": false,

In retrospect, setting the top-level entry to false is obvious now, but when I first started looking at the configuration file I was expecting a property like disabled: true or similar.

Even with a few rules disabled, there were still quite a few violations, which I fixed manually over the course of a couple weeks, until I was finally able to run markdownlint over the entire list of ~2,230 Markdown posts without any violations. Yay!

The next step was to automate the process of running the Markdown lint checks—but that’s a topic for a separate post!

Additional Resources

While researching what was involved in linting Markdown files, I found this post to be helpful in getting started with markdownlint. The GitHub repositories (here, here, and here) were, of course, also very helpful (especially the rule descriptions).

I hope this post is useful to some folks out there. Please feel free to reach out to me on Twitter or on the Fediverse if you have comments, questions, or feedback (on this post or any post on my site). Thanks for reading!

Technology Short Take 175

Welcome to Technology Short Take #175! Here’s your weekend reading—a collection of links and articles from around the internet on a variety of data center- and cloud-related topics. I hope you find something useful here!

Technology Short Take 174

Welcome to Technology Short Take #174! For your reading pleasure, I’ve collected links on topics ranging from Kubernetes Gateway API to recent AWS attack techniques to some geeky Linux and Git topics. There’s something here for most everyone, I’d say! But enough of my rambling, let’s get on to the good stuff. Enjoy!

Using NAT Instances on AWS with Pulumi

For folks using AWS in their day-to-day jobs, it comes as no secret that AWS’ Managed NAT Gateway—responsible for providing outbound Internet connectivity to otherwise private subnets—is an expensive proposition. While the primary concern for large organizations is the data processing fee, the concern for smaller organizations or folks like me who run a cloud-based lab instead of a hardware-based home lab is the per-hour cost. In this post, I’ll show you how to use Pulumi to use a NAT instance for outbound Internet connectivity instead of a Managed NAT Gateway.

Using SSH with the Pulumi Docker Provider

In August 2023, Pulumi released a version of the Docker provider that supported SSH-based connections to a Docker daemon. I’ve written about using SSH with Docker before (see here), and I sometimes use AWS-based “Docker build hosts” with my M-series Macs to make it easier/simpler (and sometimes faster) to build x86_64-based Docker images. Naturally, I’m using an SSH connection in those cases. Until this past weekend, however, I hadn’t really made the time to look deeper into how to use SSH with the Pulumi Docker provider. In this post, I’ll share some details that (unfortunately) haven’t yet made it into the documentation about using SSH with the Pulumi Docker provider.

Technology Short Take 173

Welcome to Technology Short Take #173! After a lull in links to share last time around, it looks like things have rebounded and folks are in full swing writing new content for me to share with you. I think I have a decent round-up of links for you; hopefully you can find something useful here. Enjoy!

Technology Short Take 172

Welcome to Technology Short Take #172, the first Technology Short Take of 2024! This one is really short, which I’m assuming reflects a lack of blogging activity over the 2023 holiday season. Nevertheless, I have managed to scrape together a few links to share with readers. As usual, I hope you find something useful. Enjoy!

Selectively Replacing Resources with Pulumi

Because Pulumi operates declaratively, you can write a Pulumi program that you can safely run (via pulumi up) multiple times. If no changes are needed—meaning that the current state of the infrastructure matches what you’ve defined in your Pulumi program—then nothing happens. If only one resource needs to be updated, then it will update only that one resource (and any dependencies, if there are any). There may be times, however, when you want to force the replacement of specific resources. In this post, I’ll show you how to target specific resources for replacement when using Pulumi.

Dynamically Enabling the Azure CLI with Direnv

I’m a big fan of direnv, the tool that lets you load and unload environment variables depending on the current directory. It’s so very useful! Not too terribly long ago, I wanted to find a way to “dynamically activate” the Azure CLI using direnv. Basically, I wanted to be able to have the Azure CLI disabled (no configuration information) unless I was in a directory where I needed or wanted it to be active, and be able to make it active using direnv. I finally found a way to make it work, and in this blog post I’ll share how you can do this, too.

Conditional Git Configuration

Building on the earlier article on automatically transforming Git URLs, I’m back with another article on a (potentially powerful) feature of Git—the ability to conditionally include Git configuration files. This means you can configure Git to be configured (and behave) differently based on certain conditions, simply by including or not including Git configuration files. Let’s look at a pretty straightforward example taken from my own workflow.

Automatically Transforming Git URLs

Git is one of those tools that lots of people use, but few people truly master. I’m still on my own journey of Git mastery, and still have so very far to go. However, I did take one small step forward recently with the discovery of the ability for Git to automatically rewrite remote URLs. In this post, I’ll show you how to configure Git to automatically transform the URLs of Git remotes.

Technology Short Take 171

Welcome to Technology Short Take #171! This is the next installation in my semi-regular series that shares links and articles from around the interwebs on various technology areas of interest. Let the linking begin!

Saying Goodbye to the Full Stack Journey

In January 2016, I published the first-ever episode of the Full Stack Journey podcast. In October 2023, the last-ever episode of the Full Stack Journey podcast was published. After almost seven years and 83 episodes, it was time to end my quirky, eclectic, and unusual podcast that explored career journeys alongside various technologies, products, and open source projects. In this post, I wanted to share a few thoughts about saying goodbye to the Full Stack Journey.

Guest Post: Moving Secrets Where They Belong

(This is a guest post by Simen A.W. Olsen.)

Pulumi recently shipped Pulumi ESC, which adds the “Environment” tab to Pulumi Cloud. For us at Bjerk, this means we can move secrets into a secrets manager like Google Secrets Manager. Let me show you how we did it!

Assigning Tags by Default on AWS with Pulumi

Appropriately tagging resources on AWS is an important part of effectively managing infrastructure resources for many organizations. As such, an infrastructure as code (IaC) solution for AWS must have the ability to ensure that resources are always created with the appropriate tags. (Note that this is subtly different from a policy mechanism that prevents resources from being created without the appropriate tags.) In this post, I’ll show you a couple of ways to assign tags by default when creating AWS resources with Pulumi. Code examples are provided in Golang.

Technology Short Take 170

Welcome to Technology Short Take #170! I had originally intended to get this published before the long Labor Day weekend, but didn’t quite have it ready. So, here you go—here’s your latest collection of links from around the internet focused on data center and cloud-related technologies. I hope that you find something useful here.

• Mac, iPad, or Both? 28 Aug 2023
• Technology Short Take 169 11 Aug 2023
• Spousetivities Returns to VMware Explore 2023 7 Aug 2023
• Technology Short Take 168 12 May 2023
• Technology Short Take 167 7 Apr 2023
• Creating a Talos Linux Cluster on Azure with Pulumi 31 Mar 2023
• Technology Short Take 166 10 Mar 2023
• Creating a Talos Linux Cluster on AWS with Pulumi 24 Feb 2023
• Technology Short Take 165 17 Feb 2023
• Stage Manager is Incomplete 9 Feb 2023
• Installing the Prerelease Pulumi Provider for Talos 8 Feb 2023
• Automating Docker Contexts with Pulumi 6 Feb 2023
• Technology Short Take 164 27 Jan 2023
• Technology Short Take 163 6 Jan 2023
• A Depth Year in 2023 5 Jan 2023
• Technology Short Take 162 9 Dec 2022
• Technology Short Take 161 28 Oct 2022
• Streamlining the User Experience for Accessing AKS Clusters 6 Oct 2022
• Technology Short Take 160 23 Sep 2022
• Referencing Configuration Values in Pulumi YAML 21 Sep 2022
• Managing AWS Key Pairs with Pulumi and Go 6 Sep 2022
• Technology Short Take 159 2 Sep 2022
• Jumping Off Cliffs 15 Aug 2022
• Technology Short Take 158 12 Aug 2022
• Revisiting X.509 Certificates in Kubeconfig Files 9 Aug 2022
• Posts from the Past, August 2022 8 Aug 2022
• Site Category Changes 7 Aug 2022
• Using Default AWS Resources with Pulumi 27 Jul 2022
• Technology Short Take 157 22 Jul 2022
• Network Programmability and Automation, Second Edition 8 Jul 2022