#random (2024-06)

Non-work banter and water cooler conversation

A place for non-work-related flimflam, faffing, hodge-podge or jibber-jabber you’d prefer to keep out of more focused work-related channels.

Archive: https://archive.sweetops.com/random/

2024-06-04

Катерина Кучернюк

Hi everyone. Today, join a new DevOpsDays Ukraine: Let’s Talk Security edition on June 4-5!

During two days dedicated to DevSecOps, 13 speakers will share presentations and insightful ignites on creating an action plan and building security measures into every stage of development.

Learn how to integrate security as a shared responsibility throughout the entire IT lifecycle. Register: https://devopsdays.com.ua/

DevOpsDays: Let’s Talk Security - DevOpsDays

Let’s Talk Security conference by DevOpsDays Ukraine community. We’ll discuss context-based security, cloud hacking scenarios, cyberattacks and the complexities of cyber warfare, vulnerability management implementation with AWS and more. Participation is free! See you on June 4-5!


2024-06-06

Hao Wang
Eelco Dolstra steps down from NixOS Foundation board

The NixOS Foundation board announced on April 30 that Eelco Dolstra is stepping down from the board following the recent calls for his resignation.

Eelco is the principal author of Nix and undoubtedly a central figure in the ecosystem that grew around it. We confirm that Eelco showed no intention to be perceived as or act like the BDFL [Benevolent Dictator for Life] of the Nix ecosystem, or the Nix code base. To commit to that in a timely manner, he has decided to formally step down from the board.

Hao Wang

k8s turns 10, and proved it is not OpenStack

Erik Osterman (Cloud Posse)

It’s quite remarkable indeed!

Erik Osterman (Cloud Posse)

I had the same thought…

Erik Osterman (Cloud Posse)

It doesn’t show signs of slowing down either.

Hao Wang

I tried OpenStack in the first few releases; after that I understood why it failed. It is a disaster lol

Ryan

Hi all. Been a while since I posted and connected with some of the community. There is an exciting, semi-controversial livestream next week about DevSecOps!

Former Netflix head of security Jason Chan and Resourcely CEO Travis McPeak have a deep dive into DevSecOps.

The interview-style livestream will cover:

- How DevSecOps got started
- Hear some real stories about adopting DevSecOps at modern organizations like Netflix
- What’s wrong with DevSecOps today
- The future for security embedded into developer workflows

https://www.linkedin.com/events/deathofdevsecops-experiencesatn7201635030605987840

2024-06-07


2024-06-10

Alex Atkinson

Anyone ever have issues with setfacl commands persisting in a docker build with GitHub Actions with the ubuntu-latest runner? I’m setting ACLs, but when running the container they get lost…

Alex Atkinson

I.e.: if you build an image with this dockerfile in GitHub Actions, you don’t get any ACLs, but if you build it locally, you get ACLs…. https://gist.github.com/AlexAtkinson/c57574cfad70fa50e11dd58c2b1730b5

Alex Atkinson

A hint… Running that container with docker run acl-test:latest getfacl /var/cache/sit reveals that the ACLs exist while in the GitHub runner…. After pulling that container from ECR they no longer exist….

Alex Atkinson

Pushing that docker image to Docker Hub from GHA and pulling it has the same result as pushing the image to ECR from GHA and pulling it…. No ACLs persisted.

Alex Atkinson

I’m missing something basic.

Alex Atkinson

“Docker imposes certain limitations that make working with capabilities much simpler. For example, file capabilities are stored within a file’s extended attributes, and extended attributes are stripped out when Docker images are built. This means you will not normally have to concern yourself too much with file capabilities in containers.
It is of course possible to get file capabilities into containers at runtime, however this is not recommended.”

kevcube

Either the gist is private or deleted, but I don’t understand the rationale for doing this in a container.

2024-06-11

Hao Wang
02:25:05 AM

Got some time to play with NixOS and I feel this distro will be the one to bridge dev and ops together.

Recently I took a look at NixOS; it seems it will grow to be a big competitor to a few projects, like Ansible/Chef, snpad…

Hao Wang

The NixOS community needs an actor to accelerate it, like IBM did for RedHat 25 years ago.

Hao Wang

Oracle should invest in the NixOS community before others start.

venkata.mutyala

I feel like most things Oracle touches get ruined by their enterprise approach of trying to make money off everything.

bradym

Please don’t let Oracle near anything useful.

Hao Wang

Lol agreed, one of the companies I worked for was acquired by Oracle… now it is struggling to get back onto the battlefield with the old competitors. It would be interesting if Oracle could start with a strategic one like NixOS; then IBM, Ubuntu and SUSE would be shaking…

2024-06-12

Hao Wang

Cloudflare Account Executive Records Herself Being Laid Off (2024): https://www.youtube.com/watch?v=u7G7OpgKROw

Hao Wang

I know people are experiencing this kind of situation every day; I had it before too. Some decision makers are stupid, e.g. the persons who decided the license change in Ha$hicorp. Keep calm and Learn Open Source!

Hao Wang

My respects to this lady.

kevcube

I know that CloudFlare’s CEO is hard on their sales team, but as I understand, sales is a cutthroat industry where it’s extremely easy to develop metrics for measuring employee performance and also necessary for companies to drop low performers. It’s very meritocratic and that’s a pro and a con of the field. I hope she can find work elsewhere but I don’t think the decision makers are stupid here.

Hao Wang

To err is human, but some wouldn’t just admit it; this stupidity is bigger and has more impact on people during this tough time.

2024-06-13

Hao Wang

M$’s Open Service Mesh failed to compete with Istio, https://github.com/openservicemesh/osm

openservicemesh/osm

Open Service Mesh (OSM) is a lightweight, extensible, cloud native service mesh that allows users to uniformly manage, secure, and get out-of-the-box observability features for highly dynamic microservice environments.

Hao Wang

Azure AKS still supports both OSM and Istio. I tested Istio/Cilium on AKS. Istio can be enabled after AKS is created, but Cilium requires recreating the AKS cluster.

Eamon Keane

IIRC from various podcasts, Microsoft wanted to use Istio but felt they couldn’t commit to it given its funky governance.

There were some weird internal dynamics at Google who were trying to gain some advantage from having it outside the CNCF. I think some on the business side saw AWS getting a lot of the kubernetes benefits and wanted to keep Istio for themselves.

Istio and envoy were also a key part of the Google and GCP roadmap so they perhaps wanted more say on the initial features.

Publicly, Google was arguing disingenuously that Istio was already fully open source and had open governance (just not CNCF) so this was all FUD on Microsoft’s and IBM’s part.

Then at some point Google gave in after a few years, partly because some big customers wanted it in CNCF. At that point, OSM was no longer needed, and it never really had the featureset for adoption.

Hao Wang

Got it. I felt OSM is simpler and more straightforward; another M$ attempt at tapping into open source failed…

Eamon Keane

I think the community consensus is that a service mesh is mainly for big companies who need all the features that Istio has (e.g. expansion of mesh to on prem virtual machines).

Smaller companies can make do with something in between (like pod security groups on AWS, or DAPR for mtls).

Hao Wang

I followed Cilium and Consul for a few years. Even though Istio defeated OSM, the learning curve is hard; it depends on Envoy, which is also not easy to configure. After eBPF is in production, Istio may face a strong competitor.

Eamon Keane

Good point on Cilium/eBPF. Cisco is using it for its distributed HyperShield. GCP’s distributed firewall is another transparent option for L7 protection without needing to deploy a proxy - not sure if it uses Cilium under the covers, but more likely a multi-tenant Envoy, as that’s the standard proxy Google uses corporation-wide.

But yea for most people and most features Cilium/eBPF would also do the job, especially if it’s the managed dataplane by the Cloud Provider. There’s the ongoing vendor debate about whether Cilium is suitable for strong identity and multi-tenant L7 protection but they’re edge cases that only maybe some auditors and companies like Bloomberg would view as dealbreakers.

Ultimately service mesh (istio) solves around 10 problems, is expensive to rollout and requires a mature organisation. If you don’t have all 10 problems, don’t need it for regulatory purposes, and aren’t multi-cloud, there are many less expensive solutions in-between.

Hao Wang

Yes, the cloud firewall is expensive. I used Istio recently to reduce the costs in a proof-of-concept project; much cheaper.


2024-06-15

kevcube

Does anyone have experience with secrets management in IoT devices? Planning to deploy a fleet of Things that will need privileged access to a backend, and I’ll need some solution to either store secrets only in memory or invalidate them on power loss.

kevcube

I’m thinking about just having a management console with SSH access to the fleet where I can manually acknowledge and authorize them after power-on to grab secrets and store them in memory.

Jack Langston

Manual, remote authorization is basically the only cost effective pattern available if you need 99% security on devices that anyone can physically access. Of course, once physical access to the device is a possibility, there is no way to prevent access to its local data, even if only stored in memory.
