FEED Validator

for Atom and RSS and KML

Sorry

This feed does not validate.

line 7, column 4: Undefined channel element: author [help]

    <author>Scott Lowe</author>
    ^

line 8, column 4: Undefined channel element: rights [help]
```
    <rights>(C) 2024</rights>
    ^
```

line 9, column 4: Undefined channel element: updated [help]

    <updated>2024-05-17 09:00:00 -0600 MDT</updated>
    ^

line 16, column 26: Invalid email address: Scott Lowe (15 occurrences) [help]

        <author>Scott Lowe</author>
                          ^

line 647, column 2: Missing channel element: description [help]
```
  </channel>
  ^
```

In addition, interoperability with the widest range of feed readers could be improved by implementing the following recommendations.

line 81, column 0: style attribute contains potentially dangerous content: color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4; (24 occurrences) [help]
```
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34 ...
```
line 81, column 0: description should not contain data-lang attribute (24 occurrences) [help]
```
&lt;div class=&#34;highlight&#34;&gt;&lt;pre tabindex=&#34;0&#34; style=&#34 ...
```
line 647, column 2: Missing atom:link with rel="self" [help]
```
  </channel>
  ^
```

Source: http://blog.scottlowe.org/feed.xml

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
<channel>
<title>Scott's Weblog </title>
<link>https://blog.scottlowe.org/</link>
<language>en-us</language>
<author>Scott Lowe</author>
<rights>(C) 2024</rights>
<updated>2024-05-17 09:00:00 -0600 MDT</updated>
<item>
<title>Technology Short Take 177</title>
<link>https://blog.scottlowe.org/2024/05/17/technology-short-take-177/</link>
<pubDate>Fri, 17 May 2024 09:00:00 MDT</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/05/17/technology-short-take-177/</guid>
<description>Welcome to Technology Short Take #177! Wow, is it the middle of May already? The year seems to be flying by&mdash;much in the same way that all these technical articles keep flying by my Inbox, occasionally getting caught and included here! In this Technology Short Take, I have links on things ranging from physical network designs to running retro operating systems as virtual machines. Surely there will be something useful in here for you!
<h2 id="networking">Networking</h2>
<ul>
<li>Blogger Evert has a two part series (<a href="https://www.amcom.io/posts/managing-nsx-alb-with-terraform-part-1/">here</a> and <a href="https://www.amcom.io/posts/managing-nsx-alb-with-terraform-part-2">here</a>) on managing NSX ALBs with Terraform.</li>
<li>Ivan launches a series of blog posts exploring routing protocol designs that can be used to implement EVPN-with-VXLAN L2VPNs in a leaf-and-spine fabric. The first one is <a href="https://blog.ipspace.net/2024/04/evpn-designs-vxlan-leaf-spine-fabric.html">here</a>. What&rsquo;s really cool is that Ivan also includes a <code>netlab</code> topology readers can use to create a lab and see how it works.</li>
<li>Eduard Tolosa discusses <a href="https://blog.nspawn.org/posts/wireless-adapters-on-systemd-nspawn-containers/">binding wireless network adapters to <code>systemd-nspawn</code> containers</a>.</li>
<li>Ioannis Theodoridis has a three-part series on how he and his team used tools like Nautobot, Nornir, and Python to help with some extensive network migrations. Check out the series (<a href="https://www.mythryll.com/?p=1976">part 1</a>, <a href="https://www.mythryll.com/?p=2237">part 2</a>, and <a href="https://www.mythryll.com/?p=2238">part 3</a>); I think you&rsquo;ll find some useful information in there.</li>
</ul>
<h2 id="servershardware">Servers/Hardware</h2>
<ul>
<li>While in many respects Apple&rsquo;s M series CPUs are amazing, all is not perfect: security researchers have discovered a flaw that would allow attackers to steal cryptographic keys. More details are available in <a href="https://www.zetter-zeroday.com/apple-chips/">this Zero Day article</a>.</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>Rory McCune explores <a href="https://raesene.github.io/blog/2024/03/24/Using-Tailscale-for-persistence/">using Tailscale for getting persistence</a> in a compromised Kubernetes cluster.</li>
<li>The Cisco Talos team is warning of <a href="https://www.bleepingcomputer.com/news/security/cisco-warns-of-large-scale-brute-force-attacks-against-vpn-services/">large-scale brute force attacks against VPN and SSH services</a> on a variety of devices (including Cisco, CheckPoint, Fortinet, SonicWall, and Ubiquiti).</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Open Policy Agent (OPA) is approaching their 1.0 release, and they&rsquo;ve already started <a href="https://blog.openpolicyagent.org/opa-1-0-is-coming-heres-what-you-need-to-know-c8fb0d258368">discussing what users can do today to prepare for the big release</a>. I must say I appreciate the OPA team&rsquo;s efforts in making the transition to 1.0 as smooth and seamless as possible.</li>
<li>A colleague shared this article on <a href="https://www.numeratorengineering.com/requests-are-all-you-need-cpu-limits-and-throttling-in-kubernetes/">CPU limits and throttling in Kubernetes</a>.</li>
<li>Anton Weiss of PerfectScale explores <a href="https://www.perfectscale.io/blog/cgroups-and-memoryqos-w-bottlerocket">memory QoS with EKS and Bottlerocket</a>.</li>
<li>Brian Grant explores the question of <a href="https://medium.com/@briankgrant/is-gitops-actually-useful-a1c851ba99d8">whether GitOps is actually useful</a>.</li>
<li>Via <a href="https://www.docker.com/blog/pulumi-and-docker-build-cloud/">this blog post on the Docker web site</a>, Diana Esteves of Pulumi shares how to use the new Docker Build provider to automate image builds. It also looks like the Pulumi team has added <a href="https://github.com/pulumi/examples/tree/master/dockerbuildcloud-ts">a Docker Build example</a> to their &ldquo;examples&rdquo; repository. C&rsquo;mon, Pulumi team&mdash;show us more than just TypeScript!</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li>Julia Evans digs into <a href="https://jvns.ca/blog/2024/03/22/the-current-branch-in-git/">what &ldquo;current branch&rdquo; means in Git</a>.</li>
<li>Nikhil shares <a href="https://www.unsungnovelty.org/posts/01/2024/a-linux-distro-recommendation-framework-and-my-picks-for-2024/">a framework for selecting a Linux distribution</a>.</li>
<li>José Ignacio Amelivia Santiago takes readers on <a href="https://namelivia.com/i-switched-to-a-framework-amd-13/">a detailed walkthrough</a> of setting up Arch Linux on a new Framework 13 AMD-based laptop.</li>
<li>Here&rsquo;s <a href="https://www.brendangregg.com/blog/2024-03-24/linux-crisis-tools.html">a list of &ldquo;crisis tools&rdquo;</a> recommended to install on your Linux servers before you need them.</li>
<li>Only one word applies <a href="https://thehftguy.com/2023/11/14/the-linux-kernel-has-been-accidentally-hardcoded-to-a-maximum-of-8-cores-for-nearly-20-years/">here</a>: oops.</li>
<li>I found <a href="https://difftastic.wilfred.me.uk/">this tool</a> in the last couple of weeks, and it is so absolutely useful (to me, anyway).</li>
<li>Envoy Gateway has officially released version 1.0.0, marking GA for the project. More details are available in <a href="https://gateway.envoyproxy.io/announcements/v1.0/">this announcement</a>.</li>
</ul>
<h2 id="programmingdevelopment">Programming/Development</h2>
<ul>
<li>This is a fantastic article by Jeremiah Lee <a href="https://www.jeremiahlee.com/posts/failed-squad-goals/">about Spotify&rsquo;s failed &ldquo;squad model&rdquo;</a> and some of the key lessons folks can learn.</li>
</ul>
<h2 id="storage">Storage</h2>
<ul>
<li>Steven Sklar explains <a href="https://sklar.rocks/how-container-storage-interface-works/">how CSI (Container Storage Interface) works</a>.</li>
</ul>
<h2 id="virtualization">Virtualization</h2>
<ul>
<li>Talk about a blast from the past! William Lam <a href="https://williamlam.com/2024/03/pre-release-microsoft-os-2-2-0-on-esxi.html">discusses</a> running a prerelease version of OS/2 2.0&mdash;an operating system I myself ran in the mid-1990s before switching to Windows NT&mdash;as a virtual machine on VMware ESXi. For what it&rsquo;s worth, I remain convinced that OS/2 version 2 was technologically superior to its Windows peers (including Windows NT). It&rsquo;s another example of when the best technology doesn&rsquo;t always win.</li>
</ul>
<h2 id="careersoft-skills">Career/Soft Skills</h2>
<ul>
<li>If you&rsquo;re looking for a list of skills that are valuable for a DevOps engineer/SRE/platform engineer to know, look no further than <a href="https://nickjanetakis.com/blog/120-skills-i-use-in-an-sre-platform-devops-developer-position">this comprehensive list from Nick Janetakis</a>.</li>
</ul>
OK, that&rsquo;s all for this time around. Did you like this post, or another post on the site? Or maybe you have a question? Feel free to reach out! I always enjoy hearing from readers, so I invite you to find me <a href="https://twitter.com/scott_lowe">on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, or in one of the various Slack communities I frequent. (You can drop me an e-mail, if you&rsquo;d prefer&mdash;my address isn&rsquo;t too hard to find.) Thanks for reading!</description>
</item>
<item>
<title>Tracking EC2 Instances used by EKS with AWS CLI</title>
<link>https://blog.scottlowe.org/2024/04/17/tracking-ec2-instances-used-by-eks-with-aws-cli/</link>
<pubDate>Wed, 17 Apr 2024 10:00:00 MDT</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/04/17/tracking-ec2-instances-used-by-eks-with-aws-cli/</guid>
<description>As a sort of follow-up to my previous post on using the AWS CLI to track the specific Elastic Network Interfaces (ENIs) used by Amazon Elastic Kubernetes Service (EKS) cluster nodes, this post focuses on the EC2 instances themselves. I feel this is less of a &ldquo;problem&rdquo; than tracking ENIs, but I wanted to share this information nevertheless. In this post, I&rsquo;ll show you which AWS CLI command to use to list all the EC2 instances associated with a particular EKS cluster.
If you read <a href="https://blog.scottlowe.org/2024/04/15/tracking-enis-used-by-eks-with-aws-cli/">the previous post on tracking ENIs used by EKS</a>, you might think that you could use a very similar AWS CLI command (<code>aws ec2 describe-instances</code> instead of <code>aws ec2 describe-network-interfaces</code>) to track the EC2 instances in a cluster&mdash;and you&rsquo;d be mostly correct. Like the ENIs, <a href="https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html">EKS</a> does add a cluster-specific tag to all EC2 instances in the cluster. However, just to make life interesting, the tag used for EC2 instances is not the same as the tag used for ENIs. (If someone at AWS knows of a technical reason why these tags are different, I&rsquo;d love to hear it.)
Instead of using the <code>cluster.k8s.amazonaws.com/name</code> tag that is used on the ENIs, you&rsquo;ll need to use the <code>aws:eks:cluster-name</code> tag instead, like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash">aws ec2 describe-instances --filters Name=tag:aws:eks:cluster-name,\
Values=&lt;name-of-cluster&gt;
</code></pre></div>Just replace <code>&lt;name-of-cluster&gt;</code> in the above command with the name of your EKS cluster, and you&rsquo;re good to go. As I mentioned in the previous post, if you&rsquo;re using an automation tool such as <a href="https://www.pulumi.com/">Pulumi</a> or <a href="https://www.terraform.io/">Terraform</a>, you may need to explicitly specify the name of the cluster in your code (or look it up after the cluster is created).
I hope this information is useful to folks. If you have questions (or corrections, in the event I have something incorrect here!), please feel free to reach out. You can find me <a href="https://twitter.com/scott_lowe">on Twitter</a>, on <a href="https://fosstodon.org/@scottslowe">the Fediverse</a>, or in a number of different Slack communities. Thanks for reading!</description>
</item>
<item>
<title>Tracking ENIs used by EKS with AWS CLI</title>
<link>https://blog.scottlowe.org/2024/04/15/tracking-enis-used-by-eks-with-aws-cli/</link>
<pubDate>Mon, 15 Apr 2024 12:30:00 MDT</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/04/15/tracking-enis-used-by-eks-with-aws-cli/</guid>
<description>I&rsquo;ve recently been spinning up lots of Amazon Elastic Kubernetes Service (EKS) clusters (using Pulumi, of course) in order to test various Cilium configurations. Along the way, I&rsquo;ve wanted to verify the association and configuration of Elastic Network Interfaces (ENIs) being used by the EKS cluster. In this post, I&rsquo;ll share a couple of AWS CLI commands that will help you track the ENIs used by an EKS cluster.
When I first set out to find the easiest way to track the ENIs used by the nodes in an <a href="https://docs.aws.amazon.com/eks/latest/userguide/what-is-eks.html">EKS</a> cluster, I thought that AWS resource tags might be the key. I was right&mdash;but not in the way I expected. In the <a href="https://www.pulumi.com/">Pulumi</a> program (written in <a href="https://go.dev/">Go</a>) that I use to create EKS clusters, I made sure to tag all the resources.
For example, when defining the EKS cluster itself I assigned tags:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">eksCluster, err := eks.NewCluster(ctx, &#34;eks-cluster&#34;, &amp;eks.ClusterArgs{
 Name: pulumi.Sprintf(&#34;%s-test&#34;, regionNames[awsRegion]),
 // Some code omitted here for brevity
 Tags: pulumi.StringMap{
&#34;Name&#34;: pulumi.Sprintf(&#34;%s-test&#34;, regionNames[awsRegion]),
 &#34;owner&#34;: pulumi.String(ownerTag),
 &#34;team&#34;: pulumi.String(teamTag),
 &#34;usage&#34;: pulumi.String(usageTag),
 &#34;expiry&#34;: pulumi.String(&#34;2025-01-01&#34;),
 },
})
</code></pre></div>And I assigned tags again when defining the node group for the EKS cluster:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">_, err = eks.NewNodeGroup(ctx, &#34;node-group&#34;, &amp;eks.NodeGroupArgs{
 ClusterName: eksCluster.Name,
 // Some code omitted here for brevity
 Tags: pulumi.StringMap{
&#34;Name&#34;: pulumi.Sprintf(&#34;%s-nodegroup-01&#34;, regionNames[awsRegion]),
 &#34;owner&#34;: pulumi.String(ownerTag),
 &#34;team&#34;: pulumi.String(teamTag),
 &#34;usage&#34;: pulumi.String(usageTag),
 &#34;expiry&#34;: pulumi.String(&#34;2025-01-01&#34;),
 },
})
</code></pre></div>I thought that these tags would carry over to the ENIs attached to the EC2 instances in the node group. Assuming the value of <code>ownerTag</code> was set to &ldquo;slowe&rdquo;, it would be possible to see all the ENIs with this command:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash">aws ec2 describe-network-interfaces --filters Name=tag:owner,Values=slowe
</code></pre></div>Alas, these tags don&rsquo;t carry over (not that I&rsquo;ve observed, anyway). However, all is not lost! EKS creates its own tag you can use with the <code>describe-network-interfaces</code> command:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash">aws ec2 describe-network-interfaces \
--filters Name=tag:cluster.k8s.amazonaws.com/name,Values=cluster-name
</code></pre></div>The <code>cluster.k8s.amazonaws.com/name</code> tag is automatically added to ENIs created for use by EKS; you just need to supply the correct value (to replace <code>cluster-name</code> in the above command). If you&rsquo;re using an automation tool like Pulumi or Terraform, you&rsquo;ll want to be sure you know what the EKS cluster name is; you can assign it, as I did in the code above, or you can look it up.
While I didn&rsquo;t share anything amazingly unique or earth-shattering here, I do hope that this post is helpful to folks. Feel free to find me on various social media platforms&mdash;such as <a href="https://twitter.com/scott_lowe">on Twitter</a> or <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>&mdash;if you have questions or comments about this post. Constructive feedback is always welcome!</description>
</item>
<item>
<title>Technology Short Take 176</title>
<link>https://blog.scottlowe.org/2024/03/15/technology-short-take-176/</link>
<pubDate>Fri, 15 Mar 2024 09:00:00 MDT</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/03/15/technology-short-take-176/</guid>
<description>Welcome to Technology Short Take #176! This Tech Short Take is a bit heavy on security-related links, but there&rsquo;s still some additional content in a number of other areas, so you should be able to find something useful&mdash;or at least interesting&mdash;in here. Thanks for reading!
<h2 id="networking">Networking</h2>
<ul>
<li>Lee Briggs (formerly of Pulumi, now with Tailscale) shows <a href="https://leebriggs.co.uk/blog/2024/02/26/cheap-kubernetes-loadbalancers">how to use the Tailscale Operator to create &ldquo;free&rdquo; Kubernetes load balancers</a> (&ldquo;free&rdquo; as in no additional charge above and beyond what it would normally cost to operate a Kubernetes cluster).</li>
<li>Ivan Pepelnjak dives deep on <a href="https://blog.ipspace.net/2024/02/dhcp-relaying-linux-host.html">DHCP relaying on a Linux host</a>.</li>
<li>I also enjoyed Ivan&rsquo;s <a href="https://blog.ipspace.net/2024/02/undo-network-automation.html">realistic take</a> on rollbacks in a network automation environment. (TL;DR: It&rsquo;s not as easy as it might seem.)</li>
</ul>
<h2 id="servershardware">Servers/Hardware</h2>
<ul>
<li>Menno Finlay-Smits shares information on <a href="https://menno.io/posts/intel-nuc-fan-noise/">reducing fan noise on Intel NUCs</a>.</li>
<li>Rob McBryde shares his story of <a href="https://robmcbryde.com/reviving-a-2012-macbook-pro-with-linux/">reviving a 2012 MacBook Pro with Linux</a>.</li>
<li>Kevin Houston <a href="https://bladesmadesimple.com/2024/02/first-look-at-ciscos-amd-blade-server/">previews the first AMD-powered Cisco UCS blade server</a>.</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>In early February a vulnerability was uncovered in a key component of the Linux boot process. The vulnerability affects virtually all Linux distributions and allows attackers to bypass the secure boot protections and insert a low-level bootkit. While the requirements for exploiting the vulnerability are not insurmountable, they do require a certain level of effort. More details available <a href="https://arstechnica.com/security/2024/02/critical-vulnerability-affecting-most-linux-distros-allows-for-bootkits/">via Ars Technica</a> and <a href="https://www.zdnet.com/article/shim-vulnerability-exposes-most-linux-systems-to-attack/">via ZDnet</a>.</li>
<li>Nick Frichette shares <a href="https://hackingthe.cloud/aws/avoiding-detection/guardduty-tor-client/">how to bypass GuardDuty Tor client findings</a> (basically, how to connect to Tor without GuardDuty detecting it).</li>
<li>The Sysdig Threat Research Team uncovered the malicious use of a network mapping tool called SSH-Snake. Read more about it <a href="https://sysdig.com/blog/ssh-snake/">in this post</a>.</li>
<li>VMware is patching a set of severe &ldquo;sandbox escape&rdquo; bugs. Two of the vulnerabilities are rated a 9.3 out of 10, and even VMware&rsquo;s flagship ESXi hypervisor is affected. More details are <a href="https://arstechnica.com/security/2024/03/vmware-issues-patches-for-critical-sandbox-escape-vulnerabilities/">available from Ars Technica</a>.</li>
<li>Think Linux doesn&rsquo;t have malware? A <a href="https://www.bleepingcomputer.com/news/security/new-bifrost-malware-for-linux-mimics-vmware-domain-for-evasion/#google_vignette">new Bifrost remote access trojan</a> (RAT) for Linux employs a number of techniques to remain hidden, including using a &ldquo;VMware-esque&rdquo; domain name for command and control servers.</li>
<li>And <a href="https://www.linuxsecurity.com/news/hackscracks/krustyloader-backdoor">here&rsquo;s another example</a> of malware that is targeting Linux (along with Windows).</li>
<li><a href="https://techcrunch.com/2024/02/29/leaky-database-two-factor-codes/">This</a> would be why I hate it when companies force me to use SMS for two-factor authentication&mdash;at least let me use a one-time passcode or something.</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Mina Abadir shares some experiences around <a href="https://www.flightcontrol.dev/blog/we-migrated-from-planetscale-to-aws-aurora-v2">migrating from PlanetScale to Amazon Aurora</a>.</li>
<li>Rory McCune <a href="https://securitylabs.datadoghq.com/articles/kubernetes-security-fundamentals-part-3/">explains Kubernetes authentication</a>.</li>
<li>Falco has <a href="https://sysdig.com/blog/falco-cncf-graduation/">graduated within the CNCF</a>.</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li>Here&rsquo;s one person&rsquo;s take <a href="https://www.tiraniddo.dev/2024/02/sudo-on-windows-quick-rundown.html">on <code>sudo</code> for Windows</a>.</li>
<li><a href="https://monospacementor.com/2023/09/save-a-file-from-vim-with-root-permissions/">This is a handy trick</a>.</li>
<li>David Both has an article on <a href="https://www.both.org/?p=3876">using systemd journals for troubleshooting</a>. It looks like this is part of a larger series on systemd.</li>
<li>Major Hayden talks about <a href="https://major.io/p/caddy-porkbun">connecting Caddy to Porkbun</a> to help with automating TLS certificates.</li>
</ul>
<h2 id="storage">Storage</h2>
<ul>
<li>Gergely Imreh <a href="https://gergely.imreh.net/blog/2024/02/zfs-on-a-raspberry-pi/">discusses ZFS on a Raspberry Pi</a>.</li>
<li>Cal Paterson <a href="https://calpaterson.com/s3.html">explains why S3 is not a filesystem</a>.</li>
</ul>
<h2 id="virtualization">Virtualization</h2>
<ul>
<li>In the wake of Broadcom discontinuing VMware ESXi Free, Nutanix is hoping to fill the gap with Nutanix Community Edition. Vladan Seget <a href="https://www.vladan.fr/nutanix-community-edition/">provides some additional details in his blog post</a>. Given that Nutanix Community Edition is based on the open source KVM hypervisor, this could lead to greater KVM adoption among small businesses and virtualization hobbyists who formerly would have used VMware&rsquo;s solution.</li>
<li>Staf Wagemakers (I think I have the name right) describes <a href="https://stafwag.github.io/blog/blog/2024/02/25/run-opentbsd-as-a-vm-on-pi/">running OpenBSD as a UEFI virtual machine on a Raspberry Pi</a>.</li>
<li>I stumbled across a pair of articles by Greg Gant on the use of QEMU to run older versions of Mac OS (including pre-Mac OS X versions): there&rsquo;s <a href="https://blog.greggant.com/posts/2021/01/13/install-powerpc-macos-osx-on-apple-silicon-m1-and-x86-intel.html">the original piece</a>, and then <a href="https://blog.greggant.com/posts/2021/12/18/ppc-qemu-mac-os-9-with-sound-on-apple-silicon-intel-mac.html">an updated piece</a>.</li>
</ul>
<h2 id="careersoft-skills">Career/Soft Skills</h2>
<ul>
<li>Robb Owen shares <a href="https://robbowen.digital/wrote-about/abandoned-side-projects/">why it&rsquo;s OK to abandon your side project</a>.</li>
<li><a href="https://ntietz.com/blog/work-on-tasks-not-stories/">This distinction between stories and tasks</a> is probably applicable even outside agile development environments and practices, especially when it boils down to &ldquo;you must still think about what the user needs&rdquo;. Good stuff!</li>
</ul>
That&rsquo;s all for now! I always love hearing from readers, so if you found something useful in this post&mdash;or in any post&mdash;don&rsquo;t hesitate to reach out! You can reach me <a href="https://twitter.com/scott_lowe">on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, or in a number of different Slack communities. You&rsquo;re also welcome to drop me an e-mail; my address is here on the site (it&rsquo;s not hard to find). Enjoy!</description>
</item>
<item>
<title>Linting your Markdown Files</title>
<link>https://blog.scottlowe.org/2024/03/01/linting-your-markdown-files/</link>
<pubDate>Fri, 01 Mar 2024 10:00:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/03/01/linting-your-markdown-files/</guid>
<description>It&rsquo;s no secret I&rsquo;m a fan of Markdown. The earliest mention of Markdown on this site is all the way back in 2011, and it was only a couple years after that when I migrated this site from WordPress to Markdown. Back then, the site was generated from Markdown using Jekyll (via GitHub Pages); today it is generated from Markdown sources using Hugo. One thing I&rsquo;ve not done, though, is perform linting (checking for errors or potential errors) of the Markdown source files. That&rsquo;s all about to change! In this post, I&rsquo;ll share with you how I started linting my Markdown files.
To handle the linting, there are (at least) a couple different options:
<ol>
<li>markdownlint-cli (<a href="https://github.com/igorshubovych/markdownlint-cli">GitHub repository</a>)</li>
<li>markdownlint-cli2 (<a href="https://github.com/DavidAnson/markdownlint-cli2">GitHub repository</a>)</li>
</ol>
Both of these use the same <a href="https://github.com/DavidAnson/markdownlint"><code>markdownlint</code> library</a> under the hood. They&rsquo;re both available as both a CLI tool or as a <a href="https://www.docker.com/">Docker</a> container; <code>markdownlint-cli2</code> is also available as a <a href="https://github.com/actions">GitHub Action</a>. In both cases, the CLI tool is installed via <code>npm install</code> (typically globally with <code>--global</code> or <code>-g</code>). The key difference between the two is that <code>markdownlint-cli2</code> is configuration-driven, whereas <code>markdownlint-cli</code> offers the ability to use either a configuration file or command-line flags. I decided to use <code>markdownlint-cli</code>, as the ability to use command-line flags makes it a tad easier to get started.
I performed initial testing with the Docker container, which you would tend to invoke like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash">docker container run --rm -v &#34;$PWD:/workdir&#34; ghcr.io/igorshubovych/markdownlint-cli:latest &#34;path/to/*.md&#34;
</code></pre></div>However, I later switched to the CLI tool for better cross-platform portability (yes, I know that macOS can run Docker containers via Docker Desktop, but you still have to pay the tax of running a Linux VM in the background). The CLI tool is invoked in much the same way:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash">markdownlint &#34;path/to/*.md&#34;
</code></pre></div>In the default configuration, <code>markdownlint-cli</code> flagged a lot of violations in the over 2,200 blog posts on the site. After fine-tuning the configuration by disabling a few rules (more details on the rules is found <a href="https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md">here</a>), there were still a lot of violations&mdash;but not nearly as many. Notably, I disabled MD013 (&ldquo;line-length&rdquo;) and MD052 (&ldquo;reference-links-images&rdquo;); the former because I use soft line-wraps in my Markdown paragraphs and the latter because I use Hugo&rsquo;s <code>relref</code> shortcode for cross-referencing other posts.
Initially it was a bit unclear to me how to use the <code>.markdownlint.jsonc</code> configuration file to disable some of the rules. (This was probably just me being dense, if I&rsquo;m honest.) For example, a configuration for MD052 might look like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json">// Rule details : https://github.com/DavidAnson/markdownlint/blob/v0.33.0/doc/md052.md
&#34;reference-links-images&#34;: {
 &#34;shortcut_syntax&#34;: false
},
</code></pre></div>To disable this rule, it needs to look like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-json" data-lang="json">// Rule details : https://github.com/DavidAnson/markdownlint/blob/v0.33.0/doc/md052.md
&#34;reference-links-images&#34;: false,
</code></pre></div>In retrospect, setting the top-level entry to <code>false</code> is obvious now, but when I first started looking at the configuration file I was expecting a property like <code>disabled: true</code> or similar.
Even with a few rules disabled, there were still quite a few violations, which I fixed manually over the course of a couple weeks, until I was finally able to run <code>markdownlint</code> over the entire list of ~2,230 Markdown posts without any violations. Yay!
The next step was to automate the process of running the Markdown lint checks&mdash;but that&rsquo;s a topic for a separate post!
<h2 id="additional-resources">Additional Resources</h2>
While researching what was involved in linting Markdown files, I found <a href="https://emmer.dev/blog/linting-markdown-files-with-markdownlint/">this post</a> to be helpful in getting started with <code>markdownlint</code>. The GitHub repositories (<a href="https://github.com/igorshubovych/markdownlint-cli">here</a>, <a href="https://github.com/DavidAnson/markdownlint-cli2">here</a>, and <a href="https://github.com/DavidAnson/markdownlint">here</a>) were, of course, also very helpful (especially the <a href="https://github.com/DavidAnson/markdownlint/blob/main/doc/Rules.md">rule descriptions</a>).
I hope this post is useful to some folks out there. Please feel free to reach out to <a href="https://twitter.com/scott_lowe">me on Twitter</a> or <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a> if you have comments, questions, or feedback (on this post or any post on my site). Thanks for reading!</description>
</item>
<item>
<title>Technology Short Take 175</title>
<link>https://blog.scottlowe.org/2024/02/23/technology-short-take-175/</link>
<pubDate>Fri, 23 Feb 2024 10:00:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/02/23/technology-short-take-175/</guid>
<description>Welcome to Technology Short Take #175! Here&rsquo;s your weekend reading&mdash;a collection of links and articles from around the internet on a variety of data center- and cloud-related topics. I hope you find something useful here!
<h2 id="networking">Networking</h2>
<ul>
<li>The good folks over at Packet Pushers have compiled <a href="https://packetpushers.net/blog/open-source-networking-projects/">a list of open source networking projects</a>.</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>I attended a local meetup here in the Denver metro area a short while ago and was introduced to <a href="https://github.com/getsops/sops"><code>sops</code></a>.</li>
<li>AMD processors have been discovered to have multiple security flaws; more details available <a href="https://securityonline.info/high-alert-amd-processors-hit-by-multiple-security-flaws/">here</a>.</li>
<li>The Linux kernel project has become a CVE Numbering Authority (CNA); Greg Kroah-Hartman wrote <a href="http://www.kroah.com/log/blog/2024/02/13/linux-is-a-cna/">a blog post that discusses this in more depth</a>.</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Josh Biggley shows <a href="https://cribl.io/blog/taming-tetragon-with-cribl-cloud/">how to deploy Tetragon with Cribl Edge</a>. The blog post is a bit heavy on the Cribl marketing, but I suppose that is to be expected (it&rsquo;s extremely common with most vendor blogs).</li>
<li>Jack Lindamood&rsquo;s list of <a href="https://cep.dev/posts/every-infrastructure-decision-i-endorse-or-regret-after-4-years-running-infrastructure-at-a-startup/">infrastructure decisions he endorses or regrets</a> provides some valuable insight into his personal experience with a variety of technologies and processes. Well worth reading, in my opinion. (Hat tip to Simon Wardley for sharing this on Twitter.)</li>
<li>Ivan Yurochko of PerfectScale discusses <a href="https://www.perfectscale.io/blog/aws-s3-throttling">how to manage S3 throttling</a>.</li>
<li><a href="https://codeengineered.com/blog/2024/retro-cncf-toc/">This post</a> is an interesting look &ldquo;inside&rdquo; the CNCF Technical Oversight Committee (TOC), with a view on some of the challenges facing the CNCF and its related projects.</li>
<li>Tyler Treat argues that it&rsquo;s possible&mdash;preferable, perhaps&mdash;to do <a href="https://blog.realkinetic.com/cloud-without-kubernetes-d0487a4ab345">cloud without Kubernetes</a>.</li>
<li>Rory McCune reviews his <a href="https://raesene.github.io/blog/2024/02/17/a-final-kubernetes-censys/">final Kubernetes census</a>.</li>
<li>The Open Constructs Foundation <a href="https://www.open-constructs.org/">recently launched</a> a &ldquo;community-driven CDK construct library initiative,&rdquo; which seeks to provide a way for the CDK community to build and share CDK constructs.</li>
<li>Michael Levan insists that <a href="https://dev.to/thenjdevopsguy/cloud-native-is-in-shambles-1klf">cloud-native is in shambles</a>. I think the article title is a bit click-baity, but the key point in the article&mdash;focusing on the expected outcome&mdash;is spot on.</li>
<li>Tony Norlin discusses <a href="https://medium.com/@norlin.t/kubernetes-on-freebsd-with-linux-worker-nodes-and-cilium-a87c50daef03">running Kubernetes with Cilium on FreeBSD</a>.</li>
<li>This is an older post (but still useful, I think, given the review of the code that implements the functionality) on <a href="https://medium.com/michaelbi-22303/deep-dive-into-kubernetes-simple-leader-election-3712a8be3a99">Kubernetes leader election</a>.</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li>Google has open sourced Magicka, an AI-powered file type identification library. More details are available in <a href="https://opensource.googleblog.com/2024/02/magika-ai-powered-fast-and-efficient-file-type-identification.html">this blog post</a>.</li>
<li>Andy Ibanez has <a href="https://www.andyibanez.com/posts/rclone-basics-encryption/">a pretty thorough tutorial for <code>rclone</code></a> (which, if you aren&rsquo;t aware, is an extraordinarily useful utility).</li>
</ul>
<h2 id="programmingdevelopment">Programming/Development</h2>
<ul>
<li>Although it gets a bit deep into Rego, <a href="https://snyk.io/blog/automatic-source-locations-rego/">this article</a> by Jasper Van der Jeugt of Snyk explains how automatic source code location for violations&mdash;pinpointing the file, line, and column where policy violations occur.</li>
<li>Josh Collinsworth weighs in regarding LLMs and generative AI in <a href="https://joshcollinsworth.com/blog/copilot">his essay regarding GitHub Copilot</a>. The experiences Josh describes with Copilot are not unique to Copilot; I&rsquo;ve experienced the same with other LLM-based generative AI tools. The key takeaway (for me) is that generative AI doesn&rsquo;t make things more accessible; it&rsquo;s actually the opposite, because you need to know enough to know whether or not the generative AI tool is actually accurate or not.</li>
</ul>
<h2 id="virtualization">Virtualization</h2>
<ul>
<li>While certainly not unique to virtualization, I think it&rsquo;s fair to say that virtualization has had a pretty significant impact on home labs. Sean Massey takes a moment to provide <a href="https://thevirtualhorizon.com/2024/02/16/the-home-lab-update-2024/">an update on his latest home lab update</a>.</li>
</ul>
That&rsquo;s all I have for you this time around. I love to hear from readers, so if you have feedback on this post (or any post!) on my site, please feel free to reach out. You can find <a href="https://twitter.com/scott_lowe">me on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, or in a number of different Slack communities. My e-mail address is also on this site and isn&rsquo;t too hard to find&hellip;feel free to drop me a line!</description>
</item>
<item>
<title>Technology Short Take 174</title>
<link>https://blog.scottlowe.org/2024/02/09/technology-short-take-174/</link>
<pubDate>Fri, 09 Feb 2024 11:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/02/09/technology-short-take-174/</guid>
<description>Welcome to Technology Short Take #174! For your reading pleasure, I&rsquo;ve collected links on topics ranging from Kubernetes Gateway API to recent AWS attack techniques to some geeky Linux and Git topics. There&rsquo;s something here for most everyone, I&rsquo;d say! But enough of my rambling, let&rsquo;s get on to the good stuff. Enjoy!
<h2 id="networking">Networking</h2>
<ul>
<li>I want to be Ivan Pepelnjak when I grow up. Why? Read <a href="https://blog.ipspace.net/2024/01/vmware-nsx-availability-zones.html">this article</a> on his response to someone wanting to use NSX to create availability zones.</li>
<li>Nico Vibert has <a href="https://isovalent.com/blog/post/tutorial-redirect-rewrite-and-mirror-http-requests-with-cilium-gateway-api/">a tutorial</a> that takes readers through using Cilium&rsquo;s Gateway API functionality to do L7 traffic management (HTTP redirects, HTTP rewrites, and HTTP mirroring).</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>Nick Frichette <a href="https://hackingthe.cloud/aws/exploitation/Misconfigured_Resource-Based_Policies/misconfigured_iam_role_trust_policy_wildcard_principal/">discusses</a> what he calls &ldquo;one of the more egregious mistakes&rdquo; that can be made in an AWS environment.</li>
<li>Cybernews is covering what is being called <a href="https://cybernews.com/security/billions-passwords-credentials-leaked-mother-of-all-breaches/">the &ldquo;mother of all breaches.&rdquo;</a> The amount of data rumored to be included&mdash;26 billion records&mdash;is almost impossible to comprehend.</li>
<li>Martin McCloskey and Christophe Tafani-Dereeper of Datadog Security Labs share <a href="https://securitylabs.datadoghq.com/articles/tales-from-the-cloud-trenches-ecs-crypto-mining/">some information on recent attack techniques</a> they&rsquo;ve observed.</li>
<li>Lee Holmes shines a light on the <a href="https://www.leeholmes.com/security-risks-of-postman/">security risks of Postman</a>, although the risks really could apply to just about any cloud-connected application. (And via this article I learned of <a href="https://github.com/ArchGPT/insomnium">a fork of Kong&rsquo;s Insomnia API client</a> that is local-only and privacy-focused. Neat.)</li>
<li>Snyk shatres some details on some <a href="https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/">Docker and <code>runc</code> container breakout vulnerabilities</a>.</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Darryl Ruggles walks readers through <a href="https://darryl-ruggles.cloud/serverless-data-processor-using-aws-lambda-step-functions-and-fargate-on-ecs-with-rust">building a serverless data processor</a>. The architecture incorporates AWS Lambda, AWS Step Functions, and Fargate on ECS (with some Rust thrown in there too).</li>
<li>Eleni Grosdouli explains <a href="https://medium.com/@eleni.grosdouli/argocd-deployment-on-rke2-with-cilium-gateway-api-ab1769cc28a3">how to use ArgoCD with Gateway API in Cilium</a>. (Note that the focus here is less about Cilium itself, and more about Gateway API and ArgoCD.)</li>
<li>Here&rsquo;s <a href="https://observability-360.com/docs/ViewDocument?id=cilium-aks-getting-started">another look at installing Cilium</a>, this time with a focus on AKS and using a Windows client.</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li><a href="https://containertoolbx.org/">Toolbx</a> now supports additional distributions; namely, Arch and Ubuntu. Read more details <a href="https://debarshiray.wordpress.com/2024/01/20/toolbx-now-offers-built-in-support-for-arch-linux-and-ubuntu/">here</a>.</li>
<li>While reading about Toolbx (as a result of the previous bullet), I found out about Distrobox (<a href="https://distrobox.it/">project website</a>, <a href="https://github.com/89luca89/distrobox/">GitHub repository</a>). I plan to try this project out myself, so don&rsquo;t be surprised if you see some Distrobox-related articles appearing on the site in the near future.</li>
<li>Joshua Byrd shares some information on <a href="https://josh.is-cool.dev/running-a-mastodon-instance-entirely-free-forever/">running your own Mastodon instance forever, for free</a>.</li>
<li>Eduard Tolosa talks about <a href="https://www.edu4rdshl.dev/posts/my-move-to-wayland-it-s-finally-ready/">his move to Wayland</a>.</li>
<li>Luc van Donkersgoed talks about <a href="https://lucvandonkersgoed.com/2023/12/11/retrieval-augmented-generation-rag-simply-explained/">retrieval-augmented generation (RAG) and LLMs</a>.</li>
<li>Here&rsquo;s an article on <a href="https://dev.to/github/how-i-bulk-closed-1000-github-issues-with-github-actions-d3b">using GitHub Actions to bulk close a bunch of issues</a>.</li>
<li>Hopefully you won&rsquo;t ever run into this particular issue, but if you do&hellip;here&rsquo;s some information on <a href="https://underlap.org/recovering-from-a-pacman-crash-on-arch-linux">recovering from a <code>pacman</code> crash on Arch Linux</a>.</li>
<li>Julia Evans helps with <a href="https://jvns.ca/blog/2024/02/01/dealing-with-diverged-git-branches/">fixing diverged Git branches</a>.</li>
<li>Robert Jensen <a href="https://www.robert-jensen.dk/posts/2024-fixing-cilium-with-kind/">shines a light</a> on an issue running Cilium on KinD; the issue turns out to be a problem in Docker Desktop for Mac, and switching to Colima <a href="https://github.com/cilium/cilium/issues/30278">fixes the issue</a>. Interesting&mdash;I am very curious to know the underlying details of why using Colima works.</li>
</ul>
<h2 id="programmingdevelopment">Programming/Development</h2>
<ul>
<li><a href="https://pkl-lang.org/blog/introducing-pkl.html">This blog post</a> announces the release of Pkl (pronounced &ldquo;pickle&rdquo;), described as a new &ldquo;programming language for producing configuration&rdquo;. Unless I&rsquo;m reading this wrong, this sounds like quite an overlap with <a href="https://cuelang.org/">CUE</a>. Or am I way wrong here?</li>
<li>Milas Bowman <a href="https://www.docker.com/blog/scaling-docker-compose-up/">examines some new features in Docker Compose</a> specifically targeted at improving the development experience.</li>
</ul>
<h2 id="careersoft-skills">Career/Soft Skills</h2>
<ul>
<li>I think this article <a href="https://jmetz.com/2024/02/of-scheiss-and-men/">speaks for itself</a>.</li>
</ul>
That&rsquo;s all I have for you this time around, but check back in 2-3 weeks for the next Technology Short Take. Until then, feel free to share this article on your favorite social media platform, and I invite you to contact me if you have any feedback about this or any article on my site. You can find me <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, <a href="https://twitter.com/scott_lowe">on Twitter</a>, or in a number of different Slack communities. Heck, if you try hard enough you can find my e-mail address on this site and drop me a message that way!</description>
</item>
<item>
<title>Using NAT Instances on AWS with Pulumi</title>
<link>https://blog.scottlowe.org/2024/02/05/using-nat-instances-on-aws-with-pulumi/</link>
<pubDate>Mon, 05 Feb 2024 09:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/02/05/using-nat-instances-on-aws-with-pulumi/</guid>
<description>For folks using AWS in their day-to-day jobs, it comes as no secret that AWS&rsquo; Managed NAT Gateway&mdash;responsible for providing outbound Internet connectivity to otherwise private subnets&mdash;is an expensive proposition. While the primary concern for large organizations is the data processing fee, the concern for smaller organizations or folks like me who run a cloud-based lab instead of a hardware-based home lab is the per-hour cost. In this post, I&rsquo;ll show you how to use Pulumi to use a NAT instance for outbound Internet connectivity instead of a Managed NAT Gateway.
For a bit more about why Managed NAT Gateways aren&rsquo;t ideal for larger organizations, I&rsquo;d recommend <a href="https://www.lastweekinaws.com/blog/the-aws-managed-nat-gateway-is-unpleasant-and-not-recommended/">this article by Corey Quinn</a>. For smaller organizations or cloud-based labs, data processing fees probably aren&rsquo;t the main concern (although I could be wrong); it would be the ~$32/mo per Managed NAT Gateway. Since many tools configure a Managed NAT Gateway per availability zone, now you&rsquo;re talking more like $96/mo&mdash;and you haven&rsquo;t even spun up any real workloads yet! Running your own NAT instance can dramatically reduce but not eliminate this expense.
Now that I&rsquo;ve established why running a NAT instance can be beneficial, let&rsquo;s review what you&rsquo;ll need to have installed in order to follow along with (or use) what I&rsquo;ll show you in this post:
<ol>
<li>I&rsquo;m automating the entire process with <a href="https://www.pulumi.com/">Pulumi</a>, so you&rsquo;ll want to have the Pulumi CLI installed. (Installation instructions are <a href="https://www.pulumi.com/install/">here</a>.)</li>
<li>I write my Pulumi using <a href="https://go.dev/">Go</a>, so you&rsquo;d need Go installed. (Installation instructions are <a href="https://go.dev/doc/install/">here</a>.)</li>
<li>A typical EC2 AMI isn&rsquo;t pre-configured for NAT, so you&rsquo;ll need either a configuration mechanism for setting that up (like <a href="https://www.ansible.com/">Ansible</a> and an associated playbook) or a preconfigured AMI. I chose to go the latter route and am using the excellent fck-nat AMI (check out <a href="https://fck-nat.dev/stable/">the website</a> and the associated <a href="https://github.com/AndrewGuenther/fck-nat">GitHub repository</a>).</li>
</ol>
I&rsquo;ll walk through select pieces of the code below to explain what&rsquo;s being provisioned or configured. For your reference, the full code is found in <a href="https://github.com/scottslowe/learning-tools">my GitHub &ldquo;learning-tools&rdquo; repository</a>, in the <code>aws/nat-instance-pulumi</code> folder.
<h2 id="setting-up-the-vpc-and-subnets">Setting up the VPC and Subnets</h2>
All the Pulumi code for setting up the VPC and subnets is separated into a file named <code>vpc.go</code>, and is invoked from <code>main.go</code> through a function named <code>buildInfrastructure</code>. At a high-level, the <code>buildInfrastructure</code> function does the following things:
<ul>
<li>It gets the number of availability zones (AZs) and the names of the zones, and stores that information for later use.</li>
<li>It builds a VPC with a preconfigured CIDR block. (In most of my Pulumi programs I make this a configuration value, but in this particular case it&rsquo;s hard-coded. There&rsquo;s no reason for that other than my own lack of time.)</li>
<li>It creates a public subnet in each of the AZs.</li>
<li>It handles the routing configuration for the public subnets (creates an Internet Gateway, creates a route table, creates an outbound route via the gateway, and links the public subnets to the route table).</li>
<li>It creates a private subnet in each of the AZs.</li>
<li>It creates a route table for the private subnets and links the private subnets to the route table, but does not create a route.</li>
</ul>
All said, that&rsquo;s about 150 lines of code. You might wonder why I didn&rsquo;t use Pulumi&rsquo;s AWSX (Crosswalk for AWS) component for a VPC, which allows users to do almost the same thing in about 10 lines of code. That would be an excellent question! Currently, the AWSX VPC component <a href="https://github.com/pulumi/pulumi-awsx/pull/885">doesn&rsquo;t currently expose the route table IDs</a>, which are needed so that I can add a route of my own creation. The AWSX VPC component is outstanding otherwise; if you can use it for your use case, I generally recommend it.
<h2 id="setting-up-the-nat-infrastructure">Setting up the NAT Infrastructure</h2>
Now the program moves on to creating the necessary NAT infrastructure. This code is split into a separate file named <code>nat.go</code> and invoked from <code>main.go</code> via the <code>buildNat</code> function.
This code is reasonably straightforward:
<ul>
<li>It creates a security group to allow traffic to move through the NAT instance.</li>
<li>It dynamically looks up the AMI ID for the fck-nat instance.</li>
<li>It launches an EC2 instance (a &ldquo;tg4.nano&rdquo; is sufficient to handle Gbps-level traffic) using the fck-nat AMI.</li>
<li>Once the EC2 instance is launched, it adds a route to the private subnet route table that directs outbound traffic for the private subnets through the EC2 instance. (We couldn&rsquo;t do that earlier because we needed the interface ID associated with the EC2 instance.)</li>
</ul>
<h2 id="finishing-the-final-touches">Finishing the Final Touches</h2>
For your own architecture implementation, you could stop there, but my code continues on so that there&rsquo;s a way to test that the NAT instance is working as expected. All of this code is found in <code>main.go</code>.
Before <code>main.go</code> invokes the <code>buildInfrastructure</code> and <code>buildNat</code> functions, it first creates an SSH key and an associated AWS key pair. It passes the key pair name to the <code>buildNat</code> function so that the fck-nat instance is configured with the SSH key. This allows you to SSH into the NAT instance with the user &ldquo;ec2-user&rdquo; and the associated private key (which you can get from Pulumi using <code>pulumi stack output</code>).
After invoking <code>buildInfrastructure</code> and <code>buildNat</code>, the Pulumi program goes on to create an EC2 instance (based on a dynamically-obtained AMI ID) in one of the private subnets and a security group to allow SSH traffic to that instance. This allows you to test that the fck-nat instance is both a) working properly as an SSH bastion host, and b) working properly as a NAT instance.
Congratulations! You have now reduced your NAT costs to about 1/10th the cost of a Managed NAT Gateway.
<h2 id="caveats">Caveats</h2>
This code isn&rsquo;t necessarily intended for commercial production use, as there are a number of caveats with the architecture it creates:
<ul>
<li>There is only a single NAT instance for all AZs. If that AZ fails, then outbound traffic from all private subnets in other AZs is also down.</li>
<li>There is only a single NAT instance. If the NAT instance fails, then&hellip;well, you get the idea.</li>
</ul>
The fck-nat AMI has some functionality to help address some of these caveats, so I encourage you to review <a href="https://fck-nat.dev/stable/">the website</a> for more information. I&rsquo;ll leave updating this code to support these features as an exercise for the reader. (Feel free to submit one or more PRs if you are so inclined.)
<h2 id="additional-resources">Additional Resources</h2>
To get access to the full Pulumi program, see <a href="https://github.com/scottslowe/learning-tools">my GitHub &ldquo;learning-tools&rdquo; repository</a> in the <code>aws/nat-instance-pulumi</code> folder. If you have questions about the code or about Pulumi, feel free to join <a href="https://slack.pulumi.com/">the Pulumi Community Slack</a>, where I and other Pulumi enthusiasts and experts hang out. You&rsquo;re also welcome to find me online; I am available <a href="https://twitter.com/scott_lowe">on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, and in various other Slack communities. I&rsquo;d be more than happy to hear from readers with questions or feedback on this or any article on my site. Thanks for reading!</description>
</item>
<item>
<title>Using SSH with the Pulumi Docker Provider</title>
<link>https://blog.scottlowe.org/2024/01/22/using-ssh-with-the-pulumi-docker-provider/</link>
<pubDate>Mon, 22 Jan 2024 08:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/01/22/using-ssh-with-the-pulumi-docker-provider/</guid>
<description>In August 2023, Pulumi released a version of the Docker provider that supported SSH-based connections to a Docker daemon. I&rsquo;ve written about using SSH with Docker before (see <a href="https://blog.scottlowe.org/2019/08/01/accessing-docker-daemon-via-ssh-bastion-host/">here</a>), and I sometimes use AWS-based &ldquo;Docker build hosts&rdquo; with my M-series Macs to make it easier/simpler (and sometimes faster) to build x86_64-based Docker images. Naturally, I&rsquo;m using an SSH connection in those cases. Until this past weekend, however, I hadn&rsquo;t really made the time to look deeper into how to use SSH with the Pulumi Docker provider. In this post, I&rsquo;ll share some details that (unfortunately) haven&rsquo;t yet made it into the documentation about using SSH with the Pulumi Docker provider.
First, let&rsquo;s talk about some prerequisites to making this work.
<ol>
<li>You&rsquo;ll need <a href="https://www.docker.com/">Docker</a> installed locally. I fairly certain this is only the <code>docker</code> CLI (much in the same way the Pulumi Kubernetes provider requires <code>kubectl</code> to be installed locally), but I haven&rsquo;t verified this for certain yet. I tested this from a Linux system running Docker 24.0.7; I think the earliest version that is supported is 18.09.</li>
<li>You&rsquo;ll need Docker installed on the remote SSH host (obviously). I used <a href="https://flatcar.org/">Flatcar Container Linux</a> (stable channel) on <a href="https://aws.amazon.com/">AWS</a>.</li>
<li>You&rsquo;ll need <a href="https://www.pulumi.com/">Pulumi</a> installed locally. I tested with a pretty recent version of the <code>pulumi</code> CLI (v3.101.1).</li>
<li>I tested this with the latest version of the Docker provider as of this writing (v4.5.1), using <a href="https://go.dev/">Go</a> 1.21 as the programming language.</li>
</ol>
You may already be aware that there are a couple of ways to use Pulumi providers when writing Pulumi infrastructure as code programs:
<ul>
<li>There&rsquo;s the default provider. The default provider uses what I would call &ldquo;ambient&rdquo; configuration&mdash;for example, the default AWS provider uses whatever AWS credentials/profile are available (or are specified in the stack configuration), and the default Docker provider uses whatever is specified by the <code>DOCKER_HOST</code> environment variable.</li>
<li>There&rsquo;s also explicit providers. Explicit providers are declared programmatically in your Pulumi program, and you can pass configuration details to the provider when it&rsquo;s declared. You could, for example, declare a couple of explicit AWS providers so that you could provision resources in different accounts or in different regions (from within the same program).</li>
</ul>
More details on providers can be found <a href="https://www.pulumi.com/docs/concepts/resources/providers/">here</a>.
With regard to the Pulumi Docker provider, this means the following:
<ul>
<li>If you want to use the Docker provider against a Docker daemon that is preexisting, then you can use the default provider and supply configuration either through the <code>DOCKER_HOST</code> environment variable or via stack configuration (<code>pulumi config set docker:host &lt;ssh-url&gt;</code>). (Note that, as of the time of this writing, the Docker provider does not support Docker contexts.)</li>
<li>If you want to use the Docker provider with a resource being provisioned in the same stack or if you&mdash;for whatever reason&mdash;need to programmatically assign the Docker daemon endpoint in your program, then you need to use an explicit provider, and configure that explicit provider to use SSH.</li>
</ul>
Using and configuring the default provider is reasonably straightforward, so in this article I&rsquo;ll focus on the explicit provider; specifically, on the use of an explicit provider to make SSH-based connections to a Docker daemon.
Declaring a basic explicit provider is not terribly complex:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">remoteDocker, err := docker.NewProvider(ctx, &#34;remote-docker&#34;, &amp;docker.ProviderArgs{})
</code></pre></div>To make the explicit provider actually work in this use case (i.e., connect over SSH to a remote Docker daemon), the configuration is a bit more complex:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">remoteDocker, err := docker.NewProvider(ctx, &#34;remote-docker&#34;, &amp;docker.ProviderArgs{
Host: pulumi.Sprintf(&#34;ssh://&lt;username&gt;@%s&#34;, &lt;ip-address&gt;),
 SshOpts: pulumi.StringArray{
pulumi.String(&#34;-i&#34;), pulumi.String(&#34;/path/to/private/key&#34;),
pulumi.String(&#34;-o&#34;), pulumi.String(&#34;StrictHostKeyChecking=no&#34;),
pulumi.String(&#34;-o&#34;), pulumi.String(&#34;UserKnownHostsFile=/dev/null&#34;),
 },
})
</code></pre></div>You&rsquo;d need to substitute appropriate values for <code>username</code> (on Flatcar you&rsquo;d likely use &ldquo;core&rdquo;), <code>ip-address</code>, and <code>/path/to/private/key</code>. Since I&rsquo;m discussing using the Docker provider with a resource provisioned in the same stack, <code>ip-address</code> is most likely going to be a reference to the public IP address of an EC2 instance&mdash;such as <code>flatcarInstance.publicIp</code>. That&rsquo;s also why the code above uses <code>pulumi.Sprintf</code>, which is capable of dealing with Outputs in Pulumi code.
The syntax of the <code>SshOpts</code> section isn&rsquo;t currently defined in the docs; fortunately, I found a clue <a href="https://github.com/pulumi/pulumi-docker/blob/014b3fa8b3d9369d4108e71006cf8d429c19bc13/examples/test-ssh-conn/ts/index.ts#L26-L33">here</a> that led to the Go code you see above. Given that this is using a resource that was provisioned in the same stack, the only way to make it work is to disable strict host key checking.
There&rsquo;s one final complication. EC2 instances&mdash;or their equivalents on Azure or Google Cloud&mdash;take a small amount of time to boot up and become ready. The Docker provider needs to check the connection, and if it attempts that before the remote host is ready it will throw an error.
&ldquo;No problem!&rdquo; you say. &ldquo;Just throw a <code>sleep</code> in there.&rdquo;
Well&hellip;Pulumi doesn&rsquo;t necessarily execute your Go code in the way you might normally expect, so this won&rsquo;t work. What we need to do is create a resource that the Pulumi engine can add to the dependency graph that will insert a delay before creating the Docker provider. Fortunately, there is <a href="https://www.pulumi.com/registry/packages/time/">a Time provider</a> that provides <a href="https://www.pulumi.com/registry/packages/time/api-docs/sleep/">a Sleep resource</a> to accomplish exactly what we need. To create the necessary dependencies and insert the delay in the right place, we make the Sleep resource dependent on the EC2 instance and the Docker provider dependent on the Sleep resource.
Including the EC2 instance, the Sleep resource, and the Docker provider, the code now looks like this (I&rsquo;ve omitted error checking code for simplicity):
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">// Launch an instance using Flatcar Linux AMI
flatcarInstance, err := ec2.NewInstance(ctx, &#34;flatcar-instance&#34;, &amp;ec2.InstanceArgs{
 Ami: pulumi.String(flatcarAmi.Id),
 InstanceType: pulumi.String(instanceType),
 AssociatePublicIpAddress: pulumi.Bool(true),
 KeyName: pulumi.StringPtr(userSuppliedKeyPair),
SubnetId: dockerVpc.PublicSubnetIds.Index(pulumi.Int(0)),
 VpcSecurityGroupIds: pulumi.StringArray{dockerSg.ID()},
 Tags: pulumi.StringMap{
 &#34;Name&#34;: pulumi.String(&#34;flatcar-instance&#34;),
 },
})

// Sleep for 20 seconds to allow instance to boot
instanceBootDelay, err := time.NewSleep(ctx, &#34;instance-boot-delay&#34;, &amp;time.SleepArgs{
 CreateDuration: pulumi.String(&#34;20s&#34;),
}, pulumi.DependsOn([]pulumi.Resource{flatcarInstance}))

// Create a new Docker provider
remoteDocker, err := docker.NewProvider(ctx, &#34;remote-docker&#34;, &amp;docker.ProviderArgs{
 Host: pulumi.Sprintf(&#34;ssh://core@%s&#34;, flatcarInstance.PublicIp),
 SshOpts: pulumi.StringArray{
pulumi.String(&#34;-i&#34;), pulumi.String(userSuppliedPrivateKeyFile),
pulumi.String(&#34;-o&#34;), pulumi.String(&#34;StrictHostKeyChecking=no&#34;),
pulumi.String(&#34;-o&#34;), pulumi.String(&#34;UserKnownHostsFile=/dev/null&#34;),
 },
}, pulumi.DependsOn([]pulumi.Resource{instanceBootDelay}))
</code></pre></div>Following this code, you could then have the remote Docker daemon pull an image and deploy a container from that image:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-go" data-lang="go">// Pull down a container image on the remote host
nginxImage, err := docker.NewRemoteImage(ctx, &#34;nginx-image&#34;, &amp;docker.RemoteImageArgs{
 Name: pulumi.String(&#34;nginx:1.17.4-alpine&#34;),
}, pulumi.Provider(remoteDocker))

// Launch a container on the remote host
_, err = docker.NewContainer(ctx, &#34;nginx-container&#34;, &amp;docker.ContainerArgs{
 Image: nginxImage.ImageId,
}, pulumi.Provider(remoteDocker))
</code></pre></div>Neat, right? (And useful!) In one Pulumi stack, you can provision the EC2 instance, create a Docker provider to communicate with that instance, and deploy containers on that instance&mdash;all in the programming language of your choice.
If you&rsquo;d like to see the full Pulumi program, you can find it in the <code>docker/docker-ssh-pulumi</code> folder of <a href="https://github.com/scottslowe/learning-tools/">my GitHub &ldquo;learning-tools&rdquo; repository</a>. The code is useful in that it illustrates the correct syntax for a number of useful constructs when using Pulumi with Go:
<ul>
<li>Creating a dependency between resources</li>
<li>Referencing an explicit provider for a resource</li>
<li>Configuring the SSH options for the Docker provider</li>
<li>Looking up the AMI for an instance (not shown above, but it is in the full code on GitHub)</li>
</ul>
I hope this proves useful to someone. If you have questions, you are welcome to open an issue on <a href="https://github.com/scottslowe/learning-tools/">my &ldquo;learning-tools&rdquo; GitHub repository</a>, or you can reach out to me directly. You can contact <a href="https://twitter.com/scott_lowe">me on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, or via Slack (I&rsquo;m active in a number of different Slack communities). I&rsquo;d love to hear from you, hear any feedback you might have, or try to answer questions about this article or any of my articles. Thanks for reading!</description>
</item>
<item>
<title>Technology Short Take 173</title>
<link>https://blog.scottlowe.org/2024/01/19/technology-short-take-173/</link>
<pubDate>Fri, 19 Jan 2024 09:00:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/01/19/technology-short-take-173/</guid>
<description>Welcome to Technology Short Take #173! After a lull in links to share last time around, it looks like things have rebounded and folks are in full swing writing new content for me to share with you. I think I have a decent round-up of links for you; hopefully you can find something useful here. Enjoy!
<h2 id="networking">Networking</h2>
<ul>
<li>This article on <a href="https://www.nikitakazakov.com/wireguard-vpn-in-docker">running WireGuard in Docker</a> may prove useful if that&rsquo;s an approach I decide to adopt for my AWS lab infrastructure.</li>
<li>Natalie Marek <a href="https://dev.to/aws-builders/lets-talk-about-aws-vpc-endpoints-2bj">educates readers on VPC endpoints</a>.</li>
<li>Russ White <a href="https://rule11.tech/making-networking-cool-again-2/">laments some of the issues</a> facing network engineering.</li>
</ul>
<h2 id="servershardware">Servers/Hardware</h2>
<ul>
<li>Alex Ellis provides some details on his workflow for <a href="https://blog.alexellis.io/booting-the-raspberry-pi-5-from-nvme/">booting Raspberry Pi 5 from NVMe</a>.</li>
<li>Tom Hummel <a href="https://tomhummel.com/posts/homelab-2023/">finds himself veering back</a> into a hardware-based home lab (instead of a cloud-based lab).</li>
</ul>
<h2 id="security">Security</h2>
<ul>
<li>Rory McCune shares some information about <a href="https://raesene.github.io/blog/2024/01/06/when-is-admin-not-admin/">a change in <code>kubeadm</code> version 1.29 pertaining to administrative credentials</a>.</li>
<li>Quintessence Anx of SPIRL shares some guidance on <a href="https://www.spirl.com/blog/how-to-construct-spiffe-ids/">how to construct SPIFFE IDs</a>.</li>
<li>A set of vulnerabilities in the open source reference implementation of the UEFI specification has been uncovered. The flaws, referred to as PixieFail, specifically affect the PXE network boot process. BleepingComputer has <a href="https://www.bleepingcomputer.com/news/security/pixiefail-flaws-impact-pxe-network-boot-in-enterprise-systems/">more details</a>.</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Dean has published information on <a href="https://veducate.co.uk/migrate-red-hat-openshiftsdn-ovn-kubernetes-cilium/">migrating your Red Hat OpenShift clusters to Cilium</a> (from one of the &ldquo;default&rdquo; networking solutions).</li>
<li>I think I&rsquo;ve linked to Ricardo Sueiras&rsquo; &ldquo;AWS open source newsletter&rdquo; before; it&rsquo;s such a useful resource. In <a href="https://community.aws/content/2arO7cYup4ShOVguSMZfHt9WgJa/aws-open-source-newsletter-184">edition 184</a>, Ricardo shares some links to some useful posts on EKS; the one on using Istio with EKS to improve the user experience caught my eye. (Check out the newsletter to get the link to the Istio article.)</li>
<li>Ian McKay <a href="https://onecloudplease.com/blog/https-endpoints-and-more-tricks-with-aws-step-functions">digs into the details</a> of the recently-announced support for HTTPS Endpoints in AWS Step Functions.</li>
<li>Matt Gowie of MasterPoint <a href="https://masterpoint.io/updates/terraform-null-label/">explains <code>terraform-null-label</code></a> and its use in providing more consistent naming and tagging of cloud resources.</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li>Julia Evans has <a href="https://jvns.ca/blog/2024/01/05/do-we-think-of-git-commits-as-diffs--snapshots--or-histories/">a lovely article on Git commits</a> that is well worth reading. Further, Julia&rsquo;s article links over to this substantial article on <a href="https://codewords.recurse.com/issues/three/unpacking-git-packfiles">Git packfiles</a> by Aditya Mukerjee. Julia has a bunch of other Git-related articles published recently; if you&rsquo;d like to better understand Git, they&rsquo;re a good resource.</li>
<li>Kyle Galbraith talks about <a href="https://depot.dev/blog/faster-builds-with-docker-caching">using the Docker build cache</a>.</li>
<li>Samuel Karp <a href="https://samuel.karp.dev/blog/2024/01/deprecation-warnings-in-containerd-getting-ready-for-2.0/">discusses some deprecation warnings</a> in containerd while on the road to version 2.0.</li>
<li>Jacob Gillespie <a href="https://depot.dev/blog/building-container-layers-from-scratch">decodes some of the basics of OCI container image layers</a>.</li>
<li>Vivek Gite aka nixCraft explains <a href="https://www.cyberciti.biz/faq/find-check-tls-ssl-certificate-expiry-date-from-linux-unix/">how to check the expiration date of a TLS/SSL certificate from the command line</a>.</li>
<li><a href="https://klog.jotaen.net/">This looks interesting</a>.</li>
<li>While doing some research on GPG keys, I came across <a href="https://jasonaowen.net/blog/2021/Jan/04/monitoring-gpg-key-expiration/">this tool for monitoring GPG key expiration</a>.</li>
</ul>
<h2 id="programmingdevelopment">Programming/Development</h2>
<ul>
<li>Jamie Tanna explains <a href="https://www.jvt.me/posts/2024/01/09/go-json-nullable/">how to represent</a> a JSON field in Go that could be absent, <code>null</code>, or have a value.</li>
</ul>
<h2 id="virtualization">Virtualization</h2>
<ul>
<li>Eric Sloof relates his experience <a href="https://www.ntpro.nl/blog/archives/3752-Setting-Up-ESXi-ARM-on-the-Raspberry-Pi-5.html">setting up ESXi ARM on a Raspberry Pi 5</a>.</li>
<li>William Lam has <a href="https://williamlam.com/2024/01/experimenting-with-esxi-cpu-affinity-and-intel-hybrid-cpu-cores.html">published the results</a> of some experiments with ESXi CPU affinity and Intel Hybrid CPU cores.</li>
</ul>
<h2 id="careersoft-skills">Career/Soft Skills</h2>
<ul>
<li>Anyone thinking of getting <a href="https://github.blog/2024-01-08-github-certifications-are-generally-available/">a GitHub certification</a>?</li>
</ul>
It&rsquo;s time to wrap up now; as always, I&rsquo;d love to hear from readers about what you find useful (or not useful!) about the Technology Short Takes&mdash;or any of the posts on my site. Feel free to reach out to me via social media; you can find <a href="https://twitter.com/scott_lowe">me on Twitter</a> as well as <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>. I also tend to frequent a few different Slack communities, so you&rsquo;re welcome to DM me there. Finally, if you&rsquo;d like to drop me an e-mail, my address isn&rsquo;t too hard to find. Thanks for reading!</description>
</item>
<item>
<title>Technology Short Take 172</title>
<link>https://blog.scottlowe.org/2024/01/05/technology-short-take-172/</link>
<pubDate>Fri, 05 Jan 2024 08:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/01/05/technology-short-take-172/</guid>
<description>Welcome to Technology Short Take #172, the first Technology Short Take of 2024! This one is really short, which I&rsquo;m assuming reflects a lack of blogging activity over the 2023 holiday season. Nevertheless, I have managed to scrape together a few links to share with readers. As usual, I hope you find something useful. Enjoy!
<h2 id="networking">Networking</h2>
<ul>
<li>Via <a href="https://blog.ipspace.net/2024/01/public-cloud-labs.html">this blog post</a>, I learned that Ivan Pepelnjak has <a href="https://github.com/ipspace/pubcloud">a GitHub repository of hands-on examples</a> for learning public cloud networking (including both AWS and Azure). Ivan&rsquo;s materials are always excellent, so if you&rsquo;re looking for resources to help with expanding your networking skills into the public cloud, this should be on the short list. (I plan to submit a PR soon to add Pulumi examples, which the repository is currently missing.)</li>
</ul>
<h2 id="cloud-computingcloud-management">Cloud Computing/Cloud Management</h2>
<ul>
<li>Jonathan Major shares his experience <a href="https://www.linkedin.com/pulse/working-pulumi-google-cloud-apis-jonathan-major-wi3zf">using Pulumi with Google Cloud APIs</a>. I think there are some code snippets in Jonathan&rsquo;s article, but my instance of Firefox wouldn&rsquo;t render the code snippets (instead only showing empty black boxes).</li>
<li>Nisar Ahmad <a href="https://dzone.com/articles/terraform-vs-pulumi-which-is-better-for-your-iac-r">explores</a> whether Terraform or Pulumi is better for your use case.</li>
</ul>
<h2 id="operating-systemsapplications">Operating Systems/Applications</h2>
<ul>
<li>Nick Janetakis shares another tip for <a href="https://nickjanetakis.com/blog/docker-tip-96-see-how-long-a-container-ran-for">determining how long a Docker container was running</a>. He uses <code>grep</code> against the output of <code>docker inspect</code>, but I&rsquo;m wondering if there&rsquo;s a similar way of doing it using <code>jq</code>.</li>
<li><a href="https://www.docker.com/blog/8-top-docker-tips-tricks-for-2024/">Here</a> is a list of eight Docker tips and tricks that you might find useful.</li>
</ul>
<h2 id="programmingdevelopment">Programming/Development</h2>
<ul>
<li><a href="https://threedots.tech/post/making-games-in-go/">This post</a> explores the idea of writing games as a way of &ldquo;reclaiming&rdquo; the hobby of writing code (as a means for avoiding/preventing burnout).</li>
<li>I enjoyed reading <a href="https://blog.liblab.com/pragmatic-engineers-philosophy-first-part/">this first post on the pragmatic engineer&rsquo;s philosophy</a>. Although this article references additional posts, it doesn&rsquo;t appear that any more posts on this topic have been published (yet).</li>
</ul>
<h2 id="virtualization">Virtualization</h2>
<ul>
<li>William Lam shares a <a href="https://williamlam.com/2024/01/quick-tip-new-method-to-mark-hdd-to-ssd-in-esxi-7-x-and-8-x-using-esxcli.html">new method for marking a hard drive as an SSD</a> in both ESXi 7.x and ESXi 8.x. As William mentions in the article, this can be useful when using nested ESXi or when the storage isn&rsquo;t properly recognized.</li>
</ul>
<h2 id="careersoft-skills">Career/Soft Skills</h2>
<ul>
<li>Yan Cui digs into the challenges around <a href="https://theburningmonk.com/2019/11/how-to-break-the-senior-engineer-career-ceiling/">breaking through the &ldquo;senior engineer&rdquo; career ceiling</a>.</li>
<li>While reading the article in the previous bullet, I was pointed to this article on <a href="https://charity.wtf/2019/09/08/reasons-not-to-be-a-manager/">why someone wouldn&rsquo;t want to be a manager</a>. If, however, you&rsquo;ve decided to become a manager anyway, then <a href="https://thenewstack.io/help-im-a-leader-now/">this article</a> might be helpful to you.</li>
</ul>
That&rsquo;s all for this time around&mdash;short, sweet, and to the point! I always love to hear feedback from readers, so feel free to find me online and reach out. I&rsquo;m <a href="https://twitter.com/scott_lowe">on Twitter</a>, <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, and you can typically find me in a few different Slack communities (including the <a href="https://slack.pulumi.com/">Pulumi community Slack</a>). Thanks for reading!</description>
</item>
<item>
<title>Selectively Replacing Resources with Pulumi</title>
<link>https://blog.scottlowe.org/2024/01/03/selectively-replacing-resources-with-pulumi/</link>
<pubDate>Wed, 03 Jan 2024 11:00:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2024/01/03/selectively-replacing-resources-with-pulumi/</guid>
<description>Because <a href="https://www.pulumi.com/">Pulumi</a> operates declaratively, you can write a Pulumi program that you can safely run (via <code>pulumi up</code>) multiple times. If no changes are needed&mdash;meaning that the current state of the infrastructure matches what you&rsquo;ve defined in your Pulumi program&mdash;then nothing happens. If only one resource needs to be updated, then it will update only that one resource (and any dependencies, if there are any). There may be times, however, when you want to force the replacement of specific resources. In this post, I&rsquo;ll show you how to target specific resources for replacement when using Pulumi.
Here&rsquo;s an example: I use Pulumi to manage my <a href="https://aws.amazon.com/">AWS</a>-based lab resources, including <a href="https://blog.scottlowe.org/2015/11/21/using-ssh-bastion-host/">SSH bastion hosts</a>. However, because my code uses a dynamic AMI lookup, I&rsquo;ve instructed Pulumi to ignore changes in the AMI ID for the bastion hosts (by appending <code>pulumi.IgnoreChanges([]string{&quot;ami&quot;})</code> as a resource option). This gives me the control over when the bastion hosts get replaced, instead of Pulumi wanting to replace them every time the AMI ID changes.
With this in place, then, how do I tell Pulumi that I&rsquo;m ready to replace the bastion hosts? Tearing down the entire stack isn&rsquo;t an option. Fortunately, the <code>pulumi</code> CLI has a command-line flag that enables users to selectively destroy resources. The command looks like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">pulumi destroy --target &lt;urn&gt;
</code></pre></div>This will destroy only the specified URNs (you can specify multiple <code>--target &lt;urn&gt;</code> flags). On the next run of <code>pulumi up</code>, Pulumi will note that the resources are missing, and recreate them&mdash;in this case, using the latest AMI ID.
So how does one get the URNs for the resources? The <code>pulumi stack export</code> command outputs JSON, and you can use tools like <code>gron</code> and <code>jq</code> to find and parse out the specific URNs you need. For example, to find EC2 instances in the stack, you could start like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">pulumi stack export | gron - | grep &#39;ec2/instance:Instance&#39;
</code></pre></div>This will return some &ldquo;flattened&rdquo; JSON that will provide the specific path in the JSON output for any EC2 instances. You could then combine that with <code>jq</code> to parse/extract the URN, like this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">pulumi stack export | jq &#39;.deployment.resources[21].urn&#39;
</code></pre></div>(Obviously, you&rsquo;d need to change the <code>resources[21]</code> to match whatever resources were returned by the earlier command with <code>gron</code>.)
Once you&rsquo;re armed with the appropriate URNs, you can pass them to the <code>pulumi destroy --target &lt;urn&gt;</code> command to destroy the specific resources.
I will say that this all seems pretty obvious in retrospect, but I hope this information is useful to someone nevertheless. If you have any questions, feel free to find me online and I&rsquo;ll do my best to answer them. I&rsquo;m active <a href="https://twitter.com/scott_lowe">on Twitter</a>, on <a href="https://fosstodon.org/@scottslowe">the Fediverse</a>, and in various Slack communities (especially <a href="https://slack.pulumi.com">the Pulumi Community Slack</a>).</description>
</item>
<item>
<title>Dynamically Enabling the Azure CLI with Direnv</title>
<link>https://blog.scottlowe.org/2023/12/18/dynamically-enabling-azure-cli-with-direnv/</link>
<pubDate>Mon, 18 Dec 2023 08:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2023/12/18/dynamically-enabling-azure-cli-with-direnv/</guid>
<description>I&rsquo;m a big fan of <a href="https://direnv.net/"><code>direnv</code></a>, the tool that lets you load and unload environment variables depending on the current directory. It&rsquo;s so very useful! Not too terribly long ago, I wanted to find a way to &ldquo;dynamically activate&rdquo; the <a href="https://learn.microsoft.com/en-us/cli/azure/">Azure CLI</a> using <code>direnv</code>. Basically, I wanted to be able to have the Azure CLI disabled (no configuration information) unless I was in a directory where I needed or wanted it to be active, and be able to make it active using <code>direnv</code>. I finally found a way to make it work, and in this blog post I&rsquo;ll share how you can do this, too.
First, you&rsquo;ll need both <code>direnv</code> and the Azure CLI installed (obviously). I&rsquo;ll leave this as an exercise for the readers, but I&rsquo;ll mention that if you want to use Azure CLI in a Python virtual environment you might find <a href="https://erick.navarro.io/blog/activate-python-virtualenv-automatically-with-direnv/">this article</a> really helpful.
Next, you&rsquo;ll want to create a couple of directories. I chose to &ldquo;hide&rdquo; these directories in a <code>.config</code> directory in my home directory. This directory is very commonly found (and used) on many Linux systems, but doesn&rsquo;t typically exist on a macOS system. You can use this command to create the necessary directories:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">mkdir -p ~/.config/azure{,-fake}
</code></pre></div>The <code>-p</code> tells <code>mkdir</code> to create the directory tree structure as needed, and the use of curly braces here means you&rsquo;ll end up with both an <code>azure</code> directory and an <code>azure-fake</code> directory. One of these will be the &ldquo;real&rdquo; directory where a valid Azure CLI configuration is stored; the other is a &ldquo;fake&rdquo; directory that will remain empty. The names aren&rsquo;t terribly important, but keep track of what names you use as you&rsquo;ll need them shortly.
Third, you&rsquo;ll configure your shell startup file(s) to point to the fake directory (<code>azure-fake</code>, in my case). This is generally the same for both Bash and Zsh, and involves adding a line to your <code>~/.bashrc</code> or <code>~/.zshrc</code>:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">export AZURE_CONFIG_DIR=&#34;$HOME/.config/azure-fake&#34;
</code></pre></div>With this environment variable in place, the Azure CLI will be inactive, unable to function because it has no configuration.
The next step depends on whether you&rsquo;ve ever configured or used the Azure CLI previously, or if this is a completely fresh installation:
<ul>
<li>If the former (you&rsquo;ve configured or used the Azure CLI previously), then copy everything from the current Azure configuration directory&mdash;which defaults to <code>~/.azure</code> on macOS and Linux, if I&rsquo;m not mistaken&mdash;to the new directory you created earlier. Don&rsquo;t copy it to the fake directory specified in the environment variable above! Once you&rsquo;ve copied it, remove the old <code>~/.azure</code> directory.</li>
<li>If the latter (this is a fresh installation), no additional steps are needed (yet).</li>
</ul>
The final step is to activate the Azure CLI where and when needed. This is done by setting the <code>AZURE_CONFIG_DIR</code> environment variable to point to the &ldquo;real&rdquo; directory you created earlier (in my case, it was <code>~/.config/azure</code>). Since we&rsquo;re talking about using <code>direnv</code>, then put this into an <code>.envrc</code> file in the directory where you want or need the Azure CLI to be active:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">export AZURE_CONFIG_DIR=&#34;$HOME/.config/azure&#34;
</code></pre></div>If you&rsquo;d already configured or used the Azure CLI, then when you are in a directory where <code>.envrc</code> contains this line the Azure CLI will pick up the configuration you copied over earlier and should just work (depending on your credentials and such you might need to do an <code>az login</code>). If this is a completely fresh installation of the Azure CLI, then you&rsquo;ll definitely need to do an <code>az login</code>, and then you should be good to go.
When you change out of a directory where <code>.envrc</code> has been configured to activate the Azure CLI, then the default value for <code>AZURE_CONFIG_DIR</code> kicks in&mdash;taken from your shell&rsquo;s startup file&mdash;and the Azure CLI will be inactive again because it has no configuration. (It&rsquo;s important to remember NOT to run <code>az login</code> when the fake directory is active.)
And that&rsquo;s it! The essence of this trick is pointing the <code>AZURE_CONFIG_DIR</code> to an empty directory with a non-existent Azure CLI configuration by default, then selectively pointing to a valid Azure CLI configuration using <code>direnv</code> and an <code>.envrc</code> file.
I hope you find this useful. If you have any feedback for me, I&rsquo;m active <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a> and <a href="https://twitter.com/scott_lowe">on Twitter</a>, and I frequent a number of different Slack communities. I&rsquo;d love to hear from you!</description>
</item>
<item>
<title>Conditional Git Configuration</title>
<link>https://blog.scottlowe.org/2023/12/15/conditional-git-configuration/</link>
<pubDate>Fri, 15 Dec 2023 14:00:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2023/12/15/conditional-git-configuration/</guid>
<description>Building on the earlier article on <a href="https://blog.scottlowe.org/2023/12/11/automatically-transforming-git-urls/">automatically transforming Git URLs</a>, I&rsquo;m back with another article on a (potentially powerful) feature of <a href="https://www.git-scm.com">Git</a>&mdash;the ability to conditionally include Git configuration files. This means you can configure Git to be configured (and behave) differently based on certain conditions, simply by including or not including Git configuration files. Let&rsquo;s look at a pretty straightforward example taken from my own workflow.
Here&rsquo;s a configuration stanza from my own system-wide Git configuration:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml">[includeIf &#34;gitdir:~/Work/Code/Repos/&#34;]
path = ~/Work/Code/Repos/.gitconfig
</code></pre></div>The key here is the <code>includeIf</code> keyword. In this case, Git will include the referenced configuration file specified by <code>path</code>, if the location of the Git repository matches the path specification after <code>gitdir</code>. Basically, what this means is that all repositories under <code>~/Work/Code/Repos</code> will trigger the inclusion of the additional configuration file.
Here&rsquo;s the additional configuration file:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml">[user]
 email = name@work-domain.com
 name = Scott Lowe
[commit]
 gpgsign = false
</code></pre></div>As long as I group all work-related repositories in the specified directory path, these values override the system-wide values. This means I can specify my work e-mail address as the e-mail address to be associated with commits to work-related repositories while all others use a different e-mail address. This configuration also allows me to disable GPG signing of commits for work-related repositories (i.e., repositories in the specified path), since I don&rsquo;t have a GPG key associated with my work e-mail address.
Could you do this with per-repository configuration settings? Absolutely. This configuration mechanism allows you to apply configuration settings to groups of repositories based on their filesystem location, instead of having to do the same thing on a per-repository basis.
I hope you find this information useful. Do feel free to hit me up&mdash;<a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, <a href="https://twitter.com/scott_lowe">on Twitter</a>, or in any of a variety of Slack communities&mdash;if you have any questions or any feedback!</description>
</item>
<item>
<title>Automatically Transforming Git URLs</title>
<link>https://blog.scottlowe.org/2023/12/11/automatically-transforming-git-urls/</link>
<pubDate>Mon, 11 Dec 2023 13:30:00 -0600</pubDate>
<author>Scott Lowe</author>
<guid>https://blog.scottlowe.org/2023/12/11/automatically-transforming-git-urls/</guid>
<description><a href="https://www.git-scm.com/">Git</a> is one of those tools that lots of people use, but few people truly master. I&rsquo;m still on my own journey of Git mastery, and still have so very far to go. However, I did take one small step forward recently with the discovery of the ability for Git to automatically rewrite remote URLs. In this post, I&rsquo;ll show you how to configure Git to automatically transform the URLs of Git remotes.
The key here is the <code>url</code> configuration stanza and the associated <code>insteadOf</code> keyword. Added to your Git configuration&mdash;either globally or on a per-repository basis&mdash;these configuration options will tell Git to use a different URL every time it encounters the specified original URL.
Here&rsquo;s an example:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-toml" data-lang="toml">[url &#34;git@github.com:org/&#34;]
 insteadOf = &#34;https://github.com/org/&#34;
</code></pre></div>The <code>git@github.com:org/</code> is the replacement URL; that is, the URL that you want Git to use. The URL specified by the <code>insteadOf</code> keyword is the original URL; that is, the URL you want Git to replace. As you can see in the example, it&rsquo;s possible not only to transform HTTPS-based URLs to SSH URLs (or vice versa), but it&rsquo;s possible to constrain this transformation to repositories belonging to a specific organization or user. Being able to constrain the transformation of URLs is extraordinarily handy; I use this functionality to use SSH URLs for my work-related repositories automatically without affecting other GitHub-based URLs.
With this configuration in place, I could do this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">git clone https://github.com/org/repository.git
</code></pre></div>But running <code>git remote -v</code> in the newly-cloned repository would show this:
<div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-shell" data-lang="shell">origin git@github.com:org/repository.git (fetch)
origin git@github.com:org/repository.git (push)
</code></pre></div>Useful, wouldn&rsquo;t you say?
Got any other nifty but perhaps not-so-well-known Git features? Hit me up and share your favorite! You can reach me via a few different Slack communities (<a href="https://pulumi-community.slack.com/">Pulumi</a>, <a href="https://kubernetes.slack.com/">Kubernetes</a>), <a href="https://fosstodon.org/@scottslowe">on the Fediverse</a>, and <a href="https://twitter.com/scott_lowe">on Twitter</a>. I&rsquo;d love to hear from you!</description>
</item>
</channel>
</rss>

Home · About · News · Docs · Terms