I’m a passionate SRE who served for more than 6 years as lead system developer in the robotics team at EasyMile. EasyMile is a Toulouse, France, based company building self-driving vehicles like the EZ10 and the Tracteasy. Before that, I worked 4 years at OVHCloud, a French hosting company, in the shared-hosting and anti-DDoS teams. I love designing and building systems. I believe in simplicity and communication as key success factors and learnt the hard way that “the only way to go fast,...| Yet another enthusiast blog!
One thing I love about ArgoCD’s design is the ability to run its UI outside the production cluster. In this mode, only the ‘core’ (i.e. the controllers) runs in the cluster, all access control is delegated to Kubernetes itself and… that’s all. On the (human) operator side, argocd admin dashboard is all it takes to run a local instance of the dashboard, on demand. I was looking for a way to apply a similar design to the Kubernetes dashboard with respect to the API server....
I recently came across Talos, an immutable OS for Kubernetes and was immediately sold. Talos is precisely what I was striving to build during my 6+ (incredible) years at EasyMile and it does it well and cleanly. Talos is a minimalistic, secure by default, immutable OS for Kubernetes with transactional upgrades, fully controlled through APIs (no SSH) with built-in secure-boot and TPM-anchored disk encryption. While minimalistic and immutable, it still provides a powerful extension system to su...
TL;DR: If you are here just for the fix (which I would be if I were you), the actual fixes are at the bottom of the post. Just search “TL;DR”. After 8 years, my Haswell-era laptop was showing signs of age. While the CPU was never really a blocking point, despite being a low-power variant, the RAM had been stuck at its 12 GB maximum for a couple of years and, modern apps being what they are, it was no longer possible to run Firefox alongside a virtual machine. A choice had to be made between the ...
The Linux eBPF ecosystem is growing fast, with new features coming with every release cycle. The spirit remains the same. At the core, eBPF is a safe way to script the Linux kernel by attaching to various pre-defined hooks and exported functions. For kernel / user space communication, eBPF comes with various “map” types. Every few kernel versions, new “map” types are introduced or significantly improved and 3 years ago BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE was introduced and is now ...
libguestfs is a set of tools for accessing and modifying virtual machine (VM) disk images. It can typically inject files into VM images, create or modify partitions, set partition labels and even expose the VM image content on a host mountpoint, all this without root access. Under the hood, libguestfs spawns a QEMU/KVM virtual machine with all needed tools and relies on FUSE to expose the filesystem on a non-privileged user mountpoint.
EDIT 2021-09-02: A reader made me realize that the “socat” trick can be greatly improved by adding “,fork” on the server part. This allows socat to accept multiple consecutive connections, just like a real production server would. In practice, I find myself using a variation of this trick a lot, but without the ‘socat’. Indeed, if it is acceptable for the container to open a connection to the host, the easiest is to set X11UseLocalhost=no in /etc/ssh/sshd_config. The rest of th...
I’ve been looking for a low-level Linux network debugging tool for quite some time. Linux allows building complex networks running directly on the host, using a combination of virtual interfaces and network namespaces. When something goes wrong, troubleshooting is rather tedious. If this is an L3 routing issue, mtr has a good chance of being of some help. But if this is a lower-level issue, I typically end up manually checking each interface / bridge / network namespace / iptables and firing...
A few years ago, back when I was a student, my school had rooms full of computers running Linux that any student could use at any time. We all had a personal account on the machines and the machine management was done by a dedicated team. Every once in a while, we found ourselves needing a specific tool like valgrind which was not readily available, or a more recent version of another tool, like gcc. Replace “valgrind” and “gcc” with “Node”, “Rust” or “Go”. You get the idea.
TL;DR: Using eBPF in a recent (>=4.4) Linux kernel, you can turn any kernel function call into a user-land event with arbitrary data. This is made easy by bcc. The probe is written in C while the data is handled by Python. If you are not familiar with eBPF or Linux tracing, you really should read the full post. It tries to progressively go through the pitfalls I stumbled upon while playing around with bcc / eBPF while saving you a lot of the time I spent searching and digging.
This post is an essay. I am not a business expert. I am not working for Cloudflare. Actually, I’m working for a competitor. This is an attempt to understand Cloudflare’s strategy, based on my own (rather short) experience. 2 days ago, Cloudflare announced they created a new registrar, but not one like the quadrillion other registrars. A registrar for security-conscious companies. Just in case, a registrar is the guy who lends you a domain name.
A few days ago, my hosting company sent me an automated email notifying me that port 25 had been blocked on my personal server. Cause: it had been found guilty of sending spam. As I’m not (at least officially) in the spam business, this could only mean one thing: I got hacked. I was shocked. It felt to me as though I was having a car accident. The first thing to do in such situations is to restrict connections from the outside world to the bare minimum to regain control of the machine. In m...
Yesterday, I dealt with a machine in a pretty bad state: SSH was down; memory was exhausted (OOM); Ctrl+Alt+Del from VNC was not responding; a background operation on the OpenStack API was preventing any nova reboot --hard zombie-essential-instance.my-infra.net. In such situations, the last resort is Alt+SysRq+b to force the host into an immediate reboot, possibly losing or corrupting data in the process. The trick is that, obviously, you can not type this sequence on your laptop as usual, or th...
Some weeks ago, I did an internal presentation on Docker. During the presentation, one of the ops asked a seemingly trivial question: is there anything like a “diet program for Docker images”? You can find a couple of pretty decent common-sense-powered approaches on the web, like removing well-known cache folders and temporary files, uninstalling all superfluous packages and flattening layers if not the full image. There is also the -slim variant of the official language images. But, thinking ...
A couple of weeks ago, I wanted to run some experiments to see how Docker could run in a cloud / shared-hosting-like environment. In the meantime, Docker released version 1.4, bringing additional security/authentication, and Docker Machine to automate the process of creating and running a remote Docker instance. Shared hosting farms are usually built around some kind of public gateway for incoming/outgoing traffic as well as management traffic including FTP and SSH. The largest part of the farm ...
Last weekend, I wanted to play around with Docker on a Power8 processor. Unfortunately, there is no “ready-to-use” build available (yet) and Go support is still quite rough. Anyway, I love challenges and the process was eased a lot by the work of Dave Cheney from Canonical, who did the hard work of porting the go command line to Power8, and IBM, which is working with Docker to bring the necessary fixes to gccgo. [UPDATE 2014-11-19]: IBM is currently porting Docker to gccgo/Power8, see the commen...
Docker is the container system for reproducible builds. This is precisely what you want when dealing with bugs, especially the nastiest ones: an environment where you can reproduce them in a fully deterministic way. Not long ago, I had to troubleshoot the install process of a new cool piece of software. The weird and really uncool thing with this bug is that it only occurred on the first install attempt. Even with a full (well, in theory) wipe, there still remained some kind of side effect on...
Seccomp is a basic yet efficient way to filter the syscalls issued by a program. It is especially useful when running untrusted third-party programs. Actually, it was first introduced in Linux 2.6.12 as an essential building block of the “cpushare” program. The idea behind this project was to allow anyone with the proper agent installed to rent CPU cycles to third parties, without compromising their security. The initial implementation, also known as “mode 1 seccomp”, only allowed ‘read‘, ...
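As an added example (not code from the original post), here is a small C program that puts a child process into mode 1 (“strict”) seccomp and shows both outcomes: a write(2) on an already-open descriptor goes through, while any syscall outside the allowed set (read, write, _exit, sigreturn) gets the child killed with SIGKILL. The helper name, the return codes and the getpid(2) probe are my own choices. It needs a Linux kernel built with CONFIG_SECCOMP and a process that is not already under a mode 2 seccomp filter (the kernel refuses to switch an already-filtered process to strict mode with EINVAL, which the helper reports as “unavailable”).

```c
/* Added example: mode-1 ("strict") seccomp as introduced in Linux 2.6.12.
 * Not code from the original post; helper names and return codes are mine. */
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fallbacks in case the C library headers predate these constants. */
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22
#endif
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1
#endif

enum strict_result {
    STRICT_EXITED_OK = 0,   /* child stayed within read/write/_exit/sigreturn */
    STRICT_KILLED = 1,      /* child was killed by SIGKILL for a forbidden syscall */
    STRICT_UNAVAILABLE = 2, /* kernel lacks seccomp, or a mode-2 filter is already active */
    STRICT_ERROR = 3        /* fork/waitpid failure */
};

/* Fork a child, switch it to strict seccomp, then issue only allowed
 * syscalls or, if try_forbidden is set, one that is not on the list. */
enum strict_result run_strict_child(int try_forbidden)
{
    pid_t pid = fork();
    if (pid < 0)
        return STRICT_ERROR;

    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0)
            _exit(42);  /* EINVAL: seccomp disabled or another mode already set */

        /* write(2) on an already-open descriptor is allowed in strict mode. */
        static const char msg[] = "child: strict seccomp enabled\n";
        syscall(SYS_write, STDOUT_FILENO, msg, sizeof msg - 1);

        if (try_forbidden)
            syscall(SYS_getpid);  /* not in the allowed set: the kernel sends SIGKILL */

        /* Only exit(2) is allowed. glibc's _exit()/exit() issue exit_group(2),
         * which strict mode does NOT allow, so go through the raw syscall. */
        syscall(SYS_exit, 0);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return STRICT_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return STRICT_KILLED;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 42)
        return STRICT_UNAVAILABLE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return STRICT_EXITED_OK;
    return STRICT_ERROR;
}

int main(void)
{
    static const char *names[] = { "exited normally", "killed by SIGKILL",
                                   "seccomp unavailable", "error" };
    printf("allowed syscalls only: %s\n", names[run_strict_child(0)]);
    printf("with getpid(2):        %s\n", names[run_strict_child(1)]);
    return 0;
}
```

The exit path is the trap most people hit when trying strict mode: a plain exit(3) or _exit(2) from glibc is itself a forbidden syscall (exit_group), so a “well-behaved” child that never calls anything else still dies with SIGKILL unless it leaves through the raw exit syscall.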
Following the previous post on the FS namespace (mount table isolation), would you like to go further and fly even closer to full-featured VMs? Great! The last two posts of this series will precisely focus on this: isolating network interfaces with the “NET” namespace (yes, really) and user/group identifiers for even more transparency. If you haven’t done so already, I encourage you to read the first post of this series for an introduction to the Linux namespace isolation mechanism. [...
Following the previous post on the PID namespace (restarting process numbering at “1”), we will now have a look at an amazing one: the isolated mount table. If you haven’t done so already, I encourage you to read the first post of this series for an introduction to the Linux namespace isolation mechanism. [EDIT 2014-01-08] A Chinese translation of this post is available here. In the previous post we “chrooted” the PID namespace and got a new “1” process. But even with this namespace activated, there stil...
Following the previous post on the IPC namespace (Inter-Process Communication isolation), I would now like to introduce my personal favorite one (as a sysadmin): PID namespaces. If you haven’t done so already, I encourage you to read the first post of this series for an introduction to the Linux namespace isolation mechanism. [EDIT 2014-01-08] A Chinese translation of this post is available here. Yes, that’s it, with this namespace it is possible to restart PID numbering and get your own “1” pro...
Following the previous post on the UTS namespace (hostname isolation), we will now go deeper and look at a more security-oriented namespace: IPC, Inter-Process Communication. If you haven’t done so already, I encourage you to read the first post of this series for an introduction to the Linux namespace isolation mechanism. [EDIT 2014-01-08] A Chinese translation of this post is available here. Activating the IPC namespace is only a matter of adding “CLONE_NEWIPC” to the “clone” call. It req...
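As an added example (not the code from the namespaces series), the following C program makes the IPC isolation observable: the parent creates a System V shared memory segment under a fixed key, then forks a child that optionally enters a new IPC namespace and tries to look the same key up. In the same namespace the segment is visible; behind CLONE_NEWIPC the lookup fails with ENOENT. The program uses unshare(2) after fork() rather than passing the flag to clone(2) so it builds without _GNU_SOURCE, which is equivalent for this purpose. The probe key, helper names and return codes are mine. Creating an IPC namespace needs CAP_SYS_ADMIN; without it the child retries together with CLONE_NEWUSER, and if that is forbidden too (no unprivileged user namespaces, or a container seccomp profile) the helper reports “unavailable” instead of failing.

```c
/* Added example: IPC namespace isolation (CLONE_NEWIPC).
 * Not code from the original series; key, helper names and codes are mine. */
#include <errno.h>
#include <stdio.h>
#include <sys/ipc.h>
#include <sys/shm.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Flag values from <linux/sched.h>, repeated here so the example
 * builds without _GNU_SOURCE. */
#ifndef CLONE_NEWIPC
#define CLONE_NEWIPC 0x08000000
#endif
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif

enum ipc_probe {
    PROBE_VISIBLE = 0,     /* child found the parent's shared memory segment */
    PROBE_HIDDEN = 1,      /* child got ENOENT: it lives in another IPC namespace */
    PROBE_UNAVAILABLE = 2, /* no SysV IPC here, or no permission to create namespaces */
    PROBE_ERROR = 3
};

/* Arbitrary key constructed for this example. */
static const key_t PROBE_KEY = 0x4e534950;

/* Runs in the child. Optionally moves into a fresh IPC namespace first:
 * unshare(CLONE_NEWIPC) needs CAP_SYS_ADMIN, so without it retry together
 * with CLONE_NEWUSER, which grants all capabilities inside the new user ns. */
static int child_probe(int isolate)
{
    if (isolate &&
        syscall(SYS_unshare, CLONE_NEWIPC) != 0 &&
        syscall(SYS_unshare, CLONE_NEWUSER | CLONE_NEWIPC) != 0)
        return PROBE_UNAVAILABLE;

    /* Look the segment up by key without creating it. */
    if (shmget(PROBE_KEY, 4096, 0) >= 0)
        return PROBE_VISIBLE;
    return errno == ENOENT ? PROBE_HIDDEN : PROBE_ERROR;
}

/* Create a SysV shared memory segment, then ask a child whether it sees it. */
enum ipc_probe probe_ipc_namespace(int isolate)
{
    int id = shmget(PROBE_KEY, 4096, IPC_CREAT | 0600);
    if (id < 0)
        return PROBE_UNAVAILABLE;

    int result = PROBE_ERROR;
    pid_t pid = fork();
    if (pid == 0)
        _exit(child_probe(isolate));

    int status;
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        result = WEXITSTATUS(status);

    /* SysV segments outlive their creator: always remove it. */
    shmctl(id, IPC_RMID, NULL);
    return result;
}

int main(void)
{
    static const char *names[] = { "visible", "hidden", "unavailable", "error" };
    printf("same IPC namespace: segment %s\n", names[probe_ipc_namespace(0)]);
    printf("CLONE_NEWIPC:       segment %s\n", names[probe_ipc_namespace(1)]);
    return 0;
}
```

The same probe works for the other System V objects (semaphores via semget, message queues via msgget) and for POSIX message queues, which are the other resources an IPC namespace isolates; only the lookup call changes.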
As part of my job at OVH I dealt with Linux namespaces as a security mechanism in a “yet to be announced” product. I was astonished by both how powerful and how poorly documented they are. [EDIT 2014-01-08] A Chinese translation of this post is available here. Most of you have probably heard about LXC - LinuX Containers, “chroot on steroids”. What it basically does is isolate applications from each other. A bit like chroot does by isolating applications in a virtual private root, but taking the...
Whether you simply want a version control system for an occasional project or want to set up a real “Continuous Integration” (“CI”) solution, Git is probably the most powerful and versatile option. This article walks through the key steps to set up Git on a shared hosting server. Prerequisites: a shared hosting account with SSH access (from the Pro offer at OVH, for example); knowledge of ...
Disclaimer: This post is about a real virus, really seen in the wild. It was written with the sole goal of helping readers better protect themselves. This post is NOT about writing viruses. I will NOT provide any source code nor any directions to build a virus. If this is what you were looking for: please, I beg you to change your mind and start building something useful to the community instead of attacking it. Thanks for reading. This post is the source-code analysis part of the article. Fo...
Disclaimer: This post is about a real virus, really seen in the wild. It was written with the sole goal of helping readers better protect themselves. This post is NOT about writing viruses. I will NOT provide any source code nor any directions to build a virus. If this is what you were looking for: please, I beg you to change your mind and start building something useful to the community instead of attacking it. Thanks for reading. I recently identified a virus called “iTunesHelper.vbe” o...
Yesterday, a friend of mine asked me for urgent help. He had fully developed a WP-based website for a research project on localhost/his_website. As WP stores full links pretty much everywhere in the database, his website was obviously completely broken when he moved it to production on his_website.com. I quickly put a few lines of PHP together to fix the whole DB at once. Feel free to re-use it in your own projects.
Remember my previous post about checking out only new mails from an IMAP account with Python? The main issue with this was the absolute need for the user’s password. The solution for this is OAuth2… which has no decent support for Python 3. Well, that’s not exactly true. The people behind oauthlib did quite a good job, but OAuth2 is such a generic framework that using a library quickly requires you to write more code than without it anyway.
Recently, in a freelance project, I had to parse incoming mails wherever they are in the mail account and, preferably, avoid re-parsing the whole mail account for only a couple of new mails. Fortunately, there is the low-level imaplib module in Python’s toolbox. But, curiously enough, while the solution is quite simple, I have not been able to find any good solution on the net… By default, when you perform a SEARCH on an IMAP folder, it will provide you with relative identifiers in the fol...
I’ve not posted here in a while as I’m now full-time busy with my startup project. More on this later. I’m also now the lucky owner of a brand new Google Nexus 4 phone. Sadly, it does not work out of the box with Ubuntu yet and most forums recommend some kind of manual hacking/mounting. Luckily, there is a much easier solution. Ubuntu 13.04 will see an updated MTP GVFS stack which Philip Langdale back-ported in a PPA. To get it on your Ubuntu box, just enter this in a terminal:
It goes without saying that a 5000ms latency is… unacceptable in a real-time environment. Honestly, we first blamed our home-grown DynamoDB-Mapper and, indeed, found and fixed a nasty design flaw. Here is the specific commit for those who like juicy details. Ok, so “case closed” you might think. Sadly not, it did not change anything, but since this behavior was random and the application still under very low load (development environment) it took some time to spot it again. Case re-opened.
DynamoDB is a key:value store of the NoSQL family developed and offered by Amazon as part of AWS. It favors high-performance throughput over functionality. I started to work with DynamoDB 3 months ago. It is lean enough to be easily mastered and I started answering more and more advanced questions from my colleagues and then from people on Stack Overflow. DynamoDB is NOT a NoSQL Database. DynamoDB belongs to the huge NoSQL family. But NoSQL does not define what it is. It defines what it is not. Dynamo...
I recently moved to a new dedicated server and decided it also was a good time to start doing things “the good way”™. A good backup strategy was especially needed. Most articles I found on the net explain how to back up your data and they do it well. But they lack something essential that might someday become a real issue in case there is a disaster. Main disk crash? Yes, you know what I mean. Let me introduce the Duplicity command line utility. It supports multiple storage backends incl...
A couple of days ago, well, 5 to be precise, I moved this blog to a new server, on a new Nginx-based stack. In the move, I decided to enforce HTTPS for all my services, including this blog. Privacy matters! Surprisingly enough, I suddenly disappeared from Google at the very same time.
I just installed the beautiful NGINX reverse proxy on my personal server. I use it to run various personal web-based services like this blog, Etherpad or Gitlab. That’s 3 different programming languages: PHP, JS, Ruby. Wow. Sadly, none of them natively handles HTTPS or IPv6; moreover, they all require a standalone port to run on. Fortunately, reverse proxies are here to solve the problem. And I chose NGINX. I was previously using a home-grown one which is much, much easier to configure but no...
[UPDATE] I still did not find the real source of the problem but it seems that both the OVH and the stock Ubuntu kernels fail to renew the default routes. Good news, they can be manually renewed, including from a cron job: rdisc eth0 [ORIGINAL POST] This blog as well as a couple of other private tools are hosted on a Kimsufi 2G OVH server. They’ve offered IPv6 on their dedicated boxes for quite a while now and I’m proud to be hosted by such leaders.
“The proof of the communist system’s bankruptcy is its condition for survival. To survive, they must adopt a liberal economic model.” How many times have I heard this pompous claim? Although, strictly personally, I am firmly opposed to communism, I certainly would not want that opposition to come at the cost of my lucidity and my ability to step back. Have you observed the current trend in terms of economic...
If you take any interest in IT in France, it is hard to miss the call for tenders pitting AFNIC against a new entrant, FRNIC, for the management of the ‘.fr’ and the 10 other French domains. Before getting to the heart of the matter, I want to insist on one point: these views are my own. They are more an attempt at independent reflection than an in-depth analysis.
About 1 month ago, OVH launched its “Public Cloud”. This basically is a solution taking inspiration from Amazon’s AWS without being subject to the Patriot Act. At the moment, the “Public Cloud” is still pretty young and lacks some vital functionality such as custom templates or a real storage solution, but it’s on the way. X2Go is an open source remote desktop solution based on the very performant NX protocol. It feels very much like the remote server is in the same room. After a very ...
Coming from the PHP/MySQL world, I got used to frameworks such as the lightweight CodeIgniter or the very complete Symfony and I missed clean MVC coding. My previous node.js app barely fit in a single controller, as it was a reverse proxy. This time, I wondered how I could write a bare minimum clean registration form. For this “application”, the goals were to: provide users with a registration form; provide us with a registered user list and a CSV exporter; store the registrations in a Mo...
When a friend tried to syndicate my blog on his, his server was unable to complete the sync. Page http://blog.jtlebi.fr/feed/ simply timed out. After quite a few tests, we noticed that this issue never happened with a browser like Firefox. Aside from that, Wget hung for 2 minutes after downloading more than Firefox did. Strange. In my previous post, I explained that WordPress is hosted behind Apache2, Apache2 itself being reachable only through my home-made reverse proxy. The main goal being to host all ser...
When I rented this OVH server, I wanted to be able to host all my web tools on it on port 80 using both my IPv6 and IPv4 stacks. This is usually done with Apache’s “ports.conf” and the VHost feature.| blog.yadutaf.fr
If you are reading this, chances are you are already familiar with Linux’s veth