Apache Issues 3rd Patch to Fix New High-Severity Log4j Vulnerability
Tracked as CVE-2021-45105 (CVSS score: 7.5), the new vulnerability affects all versions of the tool from 2.0-beta9 to 2.16.0, which the open-source nonprofit shipped earlier this week to remediate a second flaw that could result in remote code execution (CVE-2021-45046), which, in turn, stemmed from an "incomplete" fix for CVE-2021-44228, otherwise called the Log4Shell vulnerability.
#security
Yet another post from the #app_bundle series. This is again a video from Viktor Farcic on how to combine ArgoCD, Crossplane, and KubeVela to completely abstract Kubernetes away from your product engineers aka developers and (allegedly) make their lives easier.
At the end of each year, many people make predictions about what the upcoming times will look like. And I can say that abstracting clusters away will be a big thing in the industry. This brings us to the logical question: "So, why do all this stuff and not just use serverless options out of the box?" I will let you answer this question on your own.
P.S. You can save this post to blame me later if this prediction happens to be wrong.
#kubernetes #cicd
YouTube
Combining Argo CD (GitOps), Crossplane (Control Plane), And KubeVela (OAM)
Can we make Kubernetes disappear? Can we make infrastructure and application management so simple that anyone can do it? Can we leverage DevOps, SRE, ops, and sysadmin experience to create a system that would make developers autonomous?
TL;DR We can do that…
AWS launches its own version of StackOverflow - AWS re:Post.
It's meant to be a community-driven Q&A service. Although there are already questions there. Some of them even have answers.
Well, let's wish good luck to AWS. TBH, it would be nice to have some sort of Q&A service with official answers from AWS developers.
#aws
Amazon
AWS re:Post – A Reimagined Q&A Experience for the AWS Community | Amazon Web Services
The internet is an excellent resource for well-intentioned guidance and answers. However, it can sometimes be hard to tell if what you’re reading is, in fact, advice you should follow. Also, some users have a preference toward using a single, trusted online…
I re-designed my blog not just for the sake of re-designing. At least, I hope so.
So, here is a new article from a wannabe series about Kubernetes.
This series started with a review of the Velero backup tool. Now, I want to extend this topic a bit and share my thoughts on whether it makes sense to back up a Kubernetes cluster at all.
P.S. This is the last technical article in my blog this year. I usually do a generic recap of the year, but haven't done one yet. Also, this is the last post in the CatOps channel this year.
Wish y'all reliability during the festive season and only five nines in the new year!
#kubernetes #backup #blog
grem1.in
Why backup Kubernetes?
This is the second part of a series of articles regarding Kubernetes backups. You can find the first part about the Velero tool here.
Why Backup Kubernetes? In the previous part I provided a brief overview of the backup & restore tool for Kubernetes called Velero.…
From our subscribers.
People can use AWS Elastic Container Registry to cache public Docker images.
From their press release:
This new capability gives AWS customers a simple and highly available way to pull Docker Official Images, while taking advantage of the generous AWS Free Tier. Customers pulling images from Amazon ECR Public to any AWS Region get virtually unlimited downloads. For workloads running outside of AWS, users not authenticated on AWS receive 500 GB of data downloads each month. For additional data downloads, they can sign up or sign in to an AWS account to get up to 5TB of data downloads each month after which they pay $0.09 per GB.
If you have any interesting things to share, you can always do it in our chat!
#aws
Amazon
Docker Official Images now available on Amazon Elastic Container Registry Public | Amazon Web Services
Developers building container-based applications can now discover and download Docker Official Images directly from Amazon Elastic Container Registry (Amazon ECR) Public. This new capability gives AWS customers a simple and highly available way to pull Docker…
New Year resolutions are a very common practice. I do mine as well, but this time I want to share a review of databases in 2021 with Dr. Andy Pavlo.
Some points from the article:
- RDBMS is an old concept, but it dominates the market even for greenfield projects and it's here to stay
- PostgreSQL gains more and more popularity. It might not be the most popular database, but it is steadily moving to the top
- "…only old people care about official TPC numbers."
- More and more money is invested into DB-related startups. The size of each funding series has also increased compared to previous big takes. "We are in the golden era of databases. There are so many excellent choices available today. Investors are searching for database start-ups that can become the next Snowflake-like IPO."
- People have moved away from MapReduce and Hadoop technologies nowadays.
- Larry Ellison - a co-founder of Oracle - is back to the 5th position of the richest persons list
#databases
Andy Pavlo - Carnegie Mellon University
Databases in 2021: A Year in Review
Andy's take on 2021 database industry happenings - PostgreSQL, Performance Wars, Passings, and Larry Ellison.
Once everybody patched their Log4j dependencies and went back from holidays, it's time to process what just happened.
In his article Professional Maintainers: a Wake-up Call Filippo Valsorda argues that the current open-source model is unsustainable. Thus, the only viable alternative to solve this status quo, in his opinion, is for open-source maintainers to start issuing invoices to companies that require support or new features.
I know that such maintainers already exist, but this is definitely not a common practice.
Anyways, there are so many non-sustainable things in this world and our usual way of solving them is to pretend that they don't exist. So, let this article be just an invitation to think about the current state of affairs.
P.S. If you're a maintainer or a contributor to an open-source project, you're doing God's work! Thank you!
#open_source #culture
Filippo Valsorda
Professional maintainers: a wake-up call
Open Source software runs the Internet, and by extension the economy. This is an undisputed fact about reality in 2021. And yet, the role of Open Source maintainer has failed to mature from a hobby into a proper profession.
Yesterday I shared this video in our chat and it looks like people liked it. So, I would like to share it here with the broader audience.
In this video Viktor Farcic speaks about AWS Karpenter and its advantages compared to the good old cluster-autoscaler.
A few notable things:
- Karpenter is workload-aware. It means that it can determine how many resources your workload needs and scale up a cluster accordingly. So, if you need to place just a tiny pod, you'll get a smaller node compared to a situation where you need to run a few heavy tasks
- Karpenter is topology-aware. So, for example, you can schedule nodes for a given workload in a specific AZ only. It's neat if you use EBS volumes or additional network interfaces
- It's groupless, meaning that it doesn't have a concept of "instance groups" like cluster-autoscaler (and many other autoscalers). So, cluster-autoscaler modifies parameters of an instance group; Karpenter, on the other hand, talks to AWS APIs directly. In theory, this should reduce scale-up and scale-down times
#kubernetes #aws
YouTube
How To Auto-Scale Kubernetes Clusters With Karpenter
Karpenter is an open-source Kubernetes cluster auto-scaler built by AWS.
#Karpenter #Cluster #AutoScaler #Kubernetes
Consider joining the channel: https://www.youtube.com/c/devopstoolkit/join
▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Gist with the commands:…
Morning! New Year - new HUG Kyiv events. Now, with HashiCorp co-founders
What: Q/A session with Mitchell Hashimoto and Armon Dadgar
You can ask and vote for questions via this link.
Who: Mitchell Hashimoto and Armon Dadgar and one of your old friends as moderator ;)
When: Thursday 3rd February, 19:50 (Kyiv TZ)
Where: Online
Language: English
Please, register here
#event
Mess with DNS
Julia Evans has built a site where you can do experiments with DNS. It shows you a live stream of all DNS queries coming in for records on the free subdomain provided to you (a “behind the scenes” view).
You can make up your own experiments or check out her examples of experiments you can try, including "weird" (when you broke something), "useful" and "tutorial" experiments.
#dns
A friend of mine has shared some news about recent security breaches in government websites. Unfortunately, the possibility of a security breach is an inherent vice of any software system.
Developing systems is hard. Catching all the edge cases and unexpected behaviors is even harder. That's why we almost always rely on the community of fellow engineers to spot the bugs and security vulnerabilities. Unfortunately, there is also a flip side to this coin.
Some people are spamming infosec contacts with insignificant problems demanding money. Thus, people are getting tired of that and really critical issues have a chance of being buried under an avalanche of these requests.
Troy Hunt - a founder of haveibeenpwned.com - summarized this behavior with a few examples in his article "Beg Bounties".
P.S. Also, Inherent Vice is a cool movie that I can recommend if you like slow-paced dramas that focus on acting.
#culture #security
Troy Hunt
Beg Bounties
When someone passed me hundreds of thousands of records on kids taken from CloudPets a few years ago, I had a nightmare of a time getting in touch with the company. They'd left a MongoDB instance exposed to the public without a password and someone had snagged…
Another cybersecurity post.
A few days prior to the Log4j storm, researchers from Orca Security discovered a CloudFormation vulnerability and managed to get access to an internal account. It means that an attacker could potentially get access to any AWS account by mimicking CloudFormation API calls.
Previously, the Orca Security research team managed to do something similar with AWS Glue.
Kudos to the AWS team here. They managed to fix this vulnerability in less than 25 hours, and it took 6 days to propagate the fix to all their regions.
#aws #security
Orca Security
AWS CloudFormation Vulnerability | Orca Research Pod
Orca Security discovered a zero day AWS XXE (XML External Entity) CloudFormation vulnerability, which AWS quickly mitigated within 6 days. Learn more here!
Open Policy Agent (OPA) is a powerful framework that allows you to validate your data structures against some policies, written in Rego. There are multiple implementations of OPA for various tools and systems e.g. Gatekeeper for Kubernetes.
However, you can write your own implementation and use it, for example, for unit tests. This article provides some examples of how to write your own OPA checks in Go.
#programming #opa
DZone
Building With Open Policy Agent (OPA) for Better Policy as Code
Dive into a new way of thinking about Policy as Code. Learn to leverage OPA for learning deep insights about your systems, their resource utilization, and more.
Microsoft in its blog revealed some details on the recent cyberattack on a number of Ukrainian governmental websites.
The investigation is still ongoing. However, we already know that attackers have overwritten the Master Boot Record (MBR) on infected machines. Microsoft also published hashes of the malicious software in the same blog article.
I also found information that hackers initially broke in through a proprietary Content Management System (CMS) tool. However, I haven't found any official proof of it.
#security
Microsoft News
Destructive malware targeting Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) has identified evidence of a destructive malware operation targeting multiple organizations in Ukraine.
After I published my article about Kubernetes backups, I got some questions regarding cluster organization and maintenance procedure. Specifically about managing Kubernetes clusters “as cattle” and this statement:
…*investing in cluster automation early on* is important. You may end up in a situation when you need to re-create a cluster from scratch.
I started writing an article about managing clusters "as cattle" to address these questions. Moreover, that was my initial plan. However, I realized that I have very little exposure to how other people are managing their clusters! I have only the perspective of my current and my previous employers.
Thus, I decided to issue a survey on how people are managing their Kubernetes clusters, their core components like CNI, Ingress, etc., and business applications.
I would appreciate it if you could spend some time filling out this survey. You can also reach out to me directly and share your story of managing Kubernetes in your company. I left contacts in that Google form.
Here’s the link to that article about backups, in case you missed it.
Have a great week, y’all!
#kubernetes
Google Docs
Kubernetes Cluster Operations Survey by CatOps
Hello and thank you for participating in our Kubernetes Cluster Operations Survey!
The goal of this survey is for us to have a glance at how people manage their Kubernetes clusters, what the adoption rate for cloud cluster management solutions is, and what…
I'm a bit late with this news, but it looks like the Helm plugin helm-diff now supports a three-way-merge option.
Thus, it should be able to show which changes were made manually, aka the drift.
#kubernetes #helm
GitHub
upgrade command add three-way-merge option by luxurine · Pull Request #304 · databus23/helm-diff
upgrade command add three-way-merge option to show diff for actual state vs desired state #176
prepared resource for testing
1、last release:
---
# Source: base-app/templates/service.yaml
apiVersion...
The channel description says "... and other issues", right?
So, today I want to share with you the WSJF model of the SAFe framework, which helps to compare priorities of different projects. WSJF stands for "Weighted Shortest Job First".
This concept won't be new at all for the product people and project managers. And this is exactly why I want to share it here. Throughout my career, I saw a lot of examples when platform teams or OPS teams didn't have their dedicated product/project manager. Therefore, there were a lot of struggles in what to prioritize among multiple projects.
I saw this framework in action and I think it's useful. Ofc, this is not a silver bullet. You may need to make a few tweaks to the process here and there, but in general this is a good start if you're not sure what you should pick up next from the pile of platform work.
#management #agile #safe
Not so long ago, I shared with you a tool called Acra for encryption/decryption of sensitive data in a database. This tool is written in Go, and obviously it uses TLS.
Now, they have written an article about TLS implementation in Go, specifically about the implementation of OCSP and CRL extensions.
This article would be interesting for you, foremost, to get some ideas on OCSP and CRL extensions and their use cases. Secondly, if you need to implement TLS in your apps or advise on the implementation to your developers.
#security #programming #go #tls
Cossack Labs
TLS certificate validation in Golang: CRL & OCSP examples | Cossack Labs
All developers need to know about using OCSP and CRL for validating TLS certificates in Go apps. Things we’ve learnt while building our own OCSP/CRL validation tooling: design, implementation and security tips, example code and popular mistakes.
If you haven't read Roblox's postmortem on October's 73-hour outage, you definitely should!
Even though this event happened in October, the postmortem was released just a few days ago. And in this case, this is a very good decision! Especially because this write-up provides a detailed analysis of what happened at that time and what chain of events caused that.
It's cool to read a postmortem the next day after an outage - we are all curious human beings. Unfortunately, those postmortems are usually lacking many details. This is understandable: there's not enough time for a thorough analysis, and also your team is probably already tired.
In this case, though, you can have a detailed overview of what happened as well as plans to prevent this chain of events from happening again. Moreover, with some plans already implemented.
It's a pity that not many companies do similar postmortems. And I must say that this is probably to their disadvantage too. After reading this document I have a feeling that Roblox is a cool place to work, TBH.
#postmortem #hashicorp #consul
Roblox
Roblox Return to Service | Roblox
Roblox is a global platform where millions of people gather together every day to imagine, create, and share experiences with each other in immersive, user-generated 3D worlds.
Just a friendly reminder that we still have our Kubernetes survey form open!
We would appreciate it if you could spend some time filling it out!
Cheers!
#kubernetes
Google Docs
Kubernetes Cluster Operations Survey by CatOps
Hello and thank you for participating in our Kubernetes Cluster Operations Survey!
The goal of this survey is for us to have a glance at how people manage their Kubernetes clusters, what the adoption rate for cloud cluster management solutions is, and what…