Forwarded from Bug Hunter Notes
YouTube
Log4j Vulnerability (Log4Shell) Explained // CVE-2021-44228
Let's try to make sense of the Log4j vulnerability called Log4Shell. First we look at the Log4j features and JNDI, and then we explore the history of the recent log4shell vulnerability. This is part 1 of a two part series into log4j.
Log4j Issues:
2013:…
Forwarded from CatOps
Last week, I promised a series of posts about modern application delivery. Last time, we briefly discussed the problems that are generated by the disconnection between application code and its infrastructure dependencies.
Today, let's talk about a proposed formal way of solving this issue - Open Application Model. This is a specification of an application bundle definition that contains all the required components as well as traits (we'll talk about this one later). The main purpose is to provide a reasonable abstraction for customers, so they can use components and traits as building blocks for their application's infra dependencies.
This concept was proposed by people from Alibaba Cloud (and Microsoft?) and the whole thing is fairly new. However, it already has an implementation for Kubernetes - KubeVela. Still, I have unanswered questions about this tool. For example, is it possible to provide default traits? What should I do if I want all my apps to have an autoscaler, etc.?
In any case, those are implementation details. Nothing stops you from embracing the concepts of OAM and implementing them using, let's say, Helm.
As a bonus, here is a great video by Viktor Farcic about KubeVela with a basic "Hello world" example. It helps to better understand the problem that OAM is trying to solve as well as its concepts like components, traits and the difference between them. 'Coz the official documentation, let's be honest, is not that great.
https://youtu.be/2CBu6sOTtwk
#oam #app_bundle #kubernetes
YouTube
Cloud-Native Apps With Open Application Model (OAM) And KubeVela
Can we define cloud-native applications without dealing with resources related to underlying platforms? One possible solution is to use the Open Application Model (OAM) combined with KubeVela.
#oam #kubevela #k8s #kubernetes #cloud-native
▬▬▬▬▬▬ Timecodes…
Yet another vulnerability and the release of version 2.17, to protect against a DoS attack via log4j
https://www.bleepingcomputer.com/news/security/upgraded-to-log4j-216-surprise-theres-a-217-fixing-dos/
BleepingComputer
Upgraded to log4j 2.16? Surprise, there's a 2.17 fixing DoS
Yesterday, BleepingComputer summed up all the log4j and logback CVEs known thus far. Ever since the critical log4j zero-day saga began last week, security experts have time and time again recommended version 2.16 as the safest release to be on. That changes…
https://twitter.com/therceman/status/1470768985302048774
https://therceman.medium.com/log4j-vulnerability-cheatsheet-66b7aeabc607
Twitter
Anton
Bug Bounty Tip :: Log4j Vulnerability Cheatsheet 🔹 How It Works 🔹 Test Environments 🔹 Challenges & Labs (Rooms) 🔹 Where Payloads can be Injected 🔹 What Information can be Extracted 🔹 How To Identify (Services & Scanners)
k8s_from_dev_to_prod.pdf
3.2 MB
How do Kubernetes traffic management tools work?
Get a sense of how to solve the challenges of resilience, visibility, and security that come with running Kubernetes in production.
Ingress controller and service mesh topics are included.
"DevOps is not a person".
We have this picture in mind, but to move the current situation forward on the client's side or ours, we need some people to bring this culture into it.
Sometimes hiring staff, clients, managers or other people find it easy to name it "DevOps engineer", just to hire such members who help them bring in this culture.
But I guess we are all engineers and need to help people solve their problems.
So possibly, like in Agile, at different levels of maturity we have a separate SCRUM Master who helps the team start working in that way; sometimes it is just a role, and sometimes it is not needed. The same picture applies to DevOps. At the start, when people work in silos, they need someone to share a new vision, culture, methodology and experience, because they cannot work in that way on their own. But this process of working as a whole team, not as many separate teams but as One Team, can be a long process of transformation. And it cannot always be changed in some understandable period of time. It can go on as a continuous process.
Just leaving it here: https://web.devopstopologies.com/ as different topologies of DevOps
Devopstopologies
DevOps Topologies
The primary goal of any DevOps effort within an organisation is to improve the delivery of value for customers and the business, not in itself to reduce costs, increase automation, or drive everything from configuration management; this means that different…
Forwarded from CatOps
From our subscribers.
People can use AWS Elastic Container Registry to cache public Docker images.
From their press-release:
This new capability gives AWS customers a simple and highly available way to pull Docker Official Images, while taking advantage of the generous AWS Free Tier. Customers pulling images from Amazon ECR Public to any AWS Region get virtually unlimited downloads. For workloads running outside of AWS, users not authenticated on AWS receive 500 GB of data downloads each month. For additional data downloads, they can sign up or sign in to an AWS account to get up to 5TB of data downloads each month after which they pay $0.09 per GB.
If you have any interesting things to share, you can always do it in our chat!
#aws
Amazon
Docker Official Images now available on Amazon Elastic Container Registry Public | Amazon Web Services
Developers building container-based applications can now discover and download Docker Official Images directly from Amazon Elastic Container Registry (Amazon ECR) Public. This new capability gives AWS customers a simple and highly available way to pull Docker…
https://contains.dev/
An excellent replacement for the dive application, which lets you see what is inside a public Docker image
contains.dev
Contains.dev - Power tools for Docker
Power tools for Docker. See what's in your Docker. Explore your images, view their files, layers and dependencies.
Forwarded from itsecforu (Information Security)
🖧 30+ SSH interview questions and answers
SSH is an important part of a Linux technical interview.
Both beginners and experienced technical specialists can test their knowledge.
It is a very broad and interesting topic.
Read