Learn how to simplify access to your Synology NAS by enabling single sign-on (SSO) with personal Google accounts.| maelvls.dev
I often use mitmproxy in order to see the HTTP calls that programs are making under the hood. vcert, a tool used for operating Venafi TPP and Venafi Cloud, did not seem to be working with mitmproxy. This post presents the steps I took to discover that the issue comes from an unsupported feature of mitmproxy: TLS renegotiation.
We often talk about avoiding unnecessary comments that needlessly paraphrase what the code does. In this article, I gathered some thoughts about why writing comments is as important as writing the code itself, and how to spot comments that should be refactored using the 'what' and the 'why'.
Terms A domain name (or just "domain") is a string of the form bar.foo.com. Not all domains refer to physical machines; for example, one of my domains, k.maelvls.dev., does not point to any physical machine. We often represent the domain name space using a tree. Each node is a domain. Leaves and nodes may have A records. Here is a simple example of the domain space represented as a tree: . ├── com.
Although the Kubernetes documentation is excellent, the API reference does not document the conditions that can be found in a deployment's status. The Available condition has always eluded me!
Kind offers an excellent UX to Kubernetes developers but lacks support for caching images; each time you recreate a new cluster, all the previously downloaded images are gone. In this post, I explain why the default Docker network is a trap and how to set up a registry and make sure that it actually works.
Mitmproxy is an excellent tool that helps us understand what network calls are made by programs. And kubectl is one of these interesting programs, but it uses mutual TLS authentication, which is tricky to get right.
Dynamic libraries and PIC (position-independent code) are great features of modern systems. But trying to get the right library built can become a nightmare as soon as you rely on other libraries that may or may not have these features in the first place... In this post, I detail the hacks I made to the ./configure-based build system of Yices, a C++ library.
Terraform makes it easy to manage infrastructure at scale; you might want to share code between modules, and that's where it becomes tricky. In this post, I try to give some clues on how to use Terraform across private GitHub repos.
Kubernetes' extensibility is probably its biggest strength. Controllers and CRDs are all over the place. But finding the right information to begin writing a controller isn't easy due to the sheer amount of tribal knowledge scattered everywhere. Here are some links to help you start.
Client-go is the client library that allows anyone (including Kubernetes itself) to talk to the Kubernetes apiserver. Recently, the Kubernetes team chose to release a breaking version of client-go that adds support for context.Context, without really giving anyone notice. In this post, I detail the workaround and what happened.
In one of my previous posts, I studied how traffic flows when using Kubernetes Services. While drawing the last diagram, I did not clearly see how traffic could make its way back to the user. In this post, I focus on how packets find their way back and what makes stateless rewriting interesting.
I present what hardware I have been using and what changed between 2019 and 2022!
My free trial on GKE was ending in 2 days and I had to find a way to migrate away. I decided to switch to Civo's managed K3s.
The Service and Ingress respectively bring L4 and L7 traffic to your pods. In this article, I focus on how traffic flows in and what the interactions are between the ingress controller and the service-lb controller (the thing that creates the external load balancer). I also detail how the `hostPort` approach shapes traffic.
Some pods were unable to connect to the kube-proxy pod on one of my GKE Kubernetes clusters. This post presents an in-depth investigation using tcpdump, Wireshark and iptables tracing.
I want to avoid using the expensive Google Network Load Balancer and instead do the load balancing in-cluster using akrobateo, which acts as a LoadBalancer controller.
ROLE OF THE CERTIFICATE AUTHORITY +------------------------------+ +-----------------+ CERTIFICATE AUTHORITY (NOT A CERT) | CA KEY | |+----------------------------+| |+---------------+| || O=GlobalSign,CN=GlobalSign || || private key || |+----------------------------+| |+-------|-------+| |+----------------------------+| +--------|--------+ || public key (= VERIFY) || | |+----------------------------+| | +------------------------------+ | | CA cert's pub key = signature | --------------------...
At some point, the Go team chose to disable the proxy for requests coming from localhost or 127.0.0.1. This is annoying when debugging services locally.
GO111MODULE is all over the place. It appears in README install instructions, in Dockerfiles, in makefiles. On top of that, the behavior of GO111MODULE has changed from Go 1.11 to 1.12, changed again with Go 1.13 and Go 1.15 and changed a last time in Go 1.16, and has been stable since then.
tcpdump -i eth0 -U -w - 'not port 22' | wireshark -k -i - wireshark -i en9 -k -Y "ip.addr == 35.211.248.124 && tcp.port == 22" nc -v 35.211.248.124 22
Difference between CA and cert SSH authentication themes Case A: unknown host Case B: host already in known_hosts but IP changed Case C: host already known (IP/FQDN in ~/.ssh/known_hosts) Case D: host has client's pub key in authorized_keys SSH + certificates Reason why ssh host cmd is not using .bashrc/.login/.zshrc Passwordless connection to a server Glossary WARNING: many things in this memo are wrong or very wrong.
From: https://apple.stackexchange.com/questions/220670/run-boot-camp-windows10-partition-inside-virtualbox First, find which disks are EFI and BOOTCAMP with diskutil list. diskutil list diskutil unmount /Volumes/BOOTCAMP sudo chmod 777 /dev/disk0s1 sudo chmod 777 /dev/disk0s3 sudo VBoxManage internalcommands createrawvmdk -rawdisk /dev/disk0 -filename win10raw.vmdk -partitions 1,3 Uncheck "Enable EFI", uncheck "Enable VT-x/AMD-V"
I know two main ways of using OAuth2: password-based client grant (2-legged OAuth flow: on the project I worked on, the OAuth client was not a third-party server, but instead, it was the front-end) and authorization code based grant (3-legged OAuth flow). What is "the client"? The RFC 6749 that presents OAuth2 is very readable, but some terms like "client" or "code" are confusing. What I found is that trying to understand "why" the main flow (3-legged OAuth, or "authorization code flow...
kubectl run --generator=run-pod/v1 tmp-shell --rm -i --tty --image nicolaka/netshoot -- /bin/bash gcloud ssh ... docker ps --format='{{.ID}} {{.Names}}' kubectl run --generator=run-pod/v1 tmp-shell --rm -i --tty --image nicolaka/netshoot -- /bin/bash sudo iptables-save > a && vim a && sudo iptables-restore < a % mvalais@gke-august-period-micro-g961 ~ $ vmstat -SM 1 10 procs -----------memory---------- ---swap-- -----io---- -system-- ------cpu----- r b swpd free buff cache si so bi bo in cs us...
I installed https://gist.github.com/cybic/6375457 in ~/.bash_completion (file) to get the bash completion. General shortcuts tmux attach -> opens tmux tmux ls -> lists open windows tmux attach -d 0 -> reopens window 0 Inside tmux. prefix = ctrl+b prefix d -> detach window (closes tmux) prefix w -> lists windows prefix x -> close window prefix c -> create window prefix , -> rename window prefix [ -> scroll among history prefix arrow -> move among panes prefix " -> split vertically (up-down); %...
If there is an Nvidia card: nvidia-smi Otherwise: cat /proc/cpuinfo lscpu
sudo dd if=$HOME/Downloads/elementaryos-0.4.1-stable.20170814.iso of=/dev/disk3s1 status=progress df -h diskutil unmountDisk /dev/...
Use docker-machine for remote Docker docker-machine create --driver generic --generic-ip-address=141.115.74.15 --generic-ssh-key ~/.ssh/id_rsa --generic-ssh-user=mvalais polatouche-docker-host eval $(docker-machine env polatouche-docker-host) Tunneling docker-machine ssh default -L 0.0.0.0:8000:localhost:8000 Namespaces, cgroups namespaces cgroup (systemd-cgls) Commands docker run --rm -it ubuntu -i means interactive (stdin will be attached) -t (--tty) means that this is a pseudo-tty termin...
From https://docs.gitlab.com/runner/install/linux-manually.html sudo wget -O /usr/local/bin/gitlab-runner https://gitlab-runner-downloads.s3.amazonaws.com/latest/binaries/gitlab-runner-linux-amd64 sudo chmod +x /usr/local/bin/gitlab-runner
On macOS, install msmtp: brew install mutt msmtp I read this thread: https://www.engadget.com/2010/05/04/msmtp-a-free-tool-to-send-email-from-terminal/ In order to use msmtp from the command-line 'mail', add to ~/.mailrc: set sendmail=/usr/local/bin/msmtp In Keychain Access.app, go to File > New Password Item (Cmd+N) and fill it with smtp://smtp.gmail.com email@gmail.com mypassword In Keychain Access.app, select System Roots, select all certificates and File > Export Items (Shift+Cmd+E) > Priv...
How is a TCP connection uniquely identified Kill a process that is using a TCP port you need: lsof -n -i :8001 # copy PID kill 43903 A TCP connection is identified by four things: source port source ip dest port dest ip This is why there is no confusion between two requests to a web server on port 80. Stateful vs. Stateless Firewall This only applies to appliances in between two computers, for example a router using some kind of firewall.
Many times, I used git reset --hard and found out later that all my changes had disappeared. I think this is because I do not fully understand what git reset --hard does: move the branch ref pointer to the given reference set HEAD to this ref Depending on the option: --soft: working dir and stage are not touched, useful when git reset --hard HEAD^ to change the content of the commit without having to re-add everything --mixed: working dir is not touched, but the stage is set to match the HE...
Sign my message Things on security Public-key protocol is slow Errors I got To list the keys I have in my keyring, use gpg --list-key. Here, I can see one public key in the file pubring.pgp: > gpg --list-key /Users/mvalais/.gnupg/pubring.gpg ------------------------------- pub 4096R/27F4C016 2016-03-04 uid Maël Valais sub 4096R/A3D4828E 2016-03-04 The identifier for my public key is 27F4C016 and the sub identifier A3D4828E. 4096R = 4096-bit RSA encrypted.
The Epson iPrint software is producing PDFs in 300 dpi but the 300 dpi information does not seem to be stored in the PDF metadata; thus, the PDF reader thinks by default that it is a 72 dpi PDF, hence the huge size: 87,49 × 123,72 cm instead of an A4 paper: 21 × 29,7 cm To convert this 300 dpi into a real 300 dpi: gs -sDEVICE=pdfwrite -dCompatibilityLevel=1.4 -dPDFSETTINGS=/ebook -dNOPAUSE -dQUIET -dBATCH -dDetectDuplicateImages -dCompressFonts=true -sPAPERSIZE=a4 -dPDFFitPage -sOutputFile=out...
Here: https://unix.stackexchange.com/questions/12195/how-to-avoid-being-asked-passphrase-each-time-i-push-to-bitbucket Two solutions: Using ssh-agent eval $(ssh-agent) ssh-add Using keychain (debian/ubuntu) apt-get install keychain Using 'ForwardAgent yes' in .ssh/config Here: https://developer.github.com/v3/guides/using-ssh-agent-forwarding If it doesn't work at first, check that the key ~/.ssh/id_rsa is added to ssh-agent, i.e., ssh-add has been run. To avoid re-typing 'ssh-add' a...
tlmgr install texliveonfly texliveonfly main.tex will automatically install all packages called using \usepackage{} To find a specific file that LaTeX yells it cannot find: tlmgr search --global --file fullpage.sty
Token server at IRIT: matlab -nodesktop -nodisplay -c 27000@licence.irit.fr or SERVER licence.irit.fr 0050568A1251 27000 USE_SERVER in /Applications/MATLAB_R2016a.app/licenses/irit.lic What toolbox can I access? ver Know what licence file is used: matlab -e or matlab -n Which licenses at IRIT: connect to bali and do /usr/local/matlab/etc/lmstat -a On cauchy.math.ups-tlse.fr /opt/MATLABR2016a/toolbox/distcomp/bin ./mdce start ./admincenter ./nodestatus Matlab R2015a hangs at startup Edit the s...
Warning 'Ignoring… because its extensions are not built' The message is: Ignoring atomic-1.1.101 because its extensions are not built. Try: gem pristine atomic --version 1.1.101 Try: gem 2>&1 | perl -ne '/Try: gem pristine ([^ ]+)/ && print $1 . " "' | xargs gem pristine
convert -resample 72x72 -compress JPEG -quality 20 a.jpg a.pdf WARNING: convert (ImageMagick) often bugs as it uses external tools such as gs and ffmpeg; reinstalling Ghostscript can help.
On the university server azteca or inca (must use VPN or sassh through-pass) export http_proxy=proxy.univ-tlse3.fr:3128 export https_proxy=proxy.univ-tlse3.fr:3128 Then, ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Linuxbrew/install/master/install)" But on Linux with gcc-4.4.7 only, I also had to follow the instructions on https://github.com/Linuxbrew/homebrew-core/issues/4077. It will first install glibc 2.20, install gcc-5 and others, then upgrade to glibc 2.23 brew install --only-...
open -a MacDown README.md # open README.md in MacDown mdfind # spotlight pbcopy # copy from stdin to pb pbpaste # paste from pb killall MacDown # same as kill but with app name
General information Sed Shell, terminal, console, command line .bash_profile vs .bashrc Tty, pty, interactive vs non-interactive Login vs. non-login shells Use bashrc also on login shell Parallelize xargs Discrepancies between /bin/sh versions General information Xargs for creating positionals through stdin included_figures.sh | xargs git add Avoid the sub-shell problem when while read a while read a; do ...; done < <(ls) to avoid having the while loop run in a subshell C.
Hi! My name is Maël, I am a software engineer based in Toulouse, France. I mostly write Go, Kubernetes controllers and network-related components. I like details. I currently work on cert-manager, an open-source CNCF incubated x509 lifecycle manager that Jetstack is maintaining. See my resume at https://github.com/maelvls. Previously: Ori Industries. I completed a PhD in logic in 2019 (papers).
Although progress is being made, Kubernetes controllers and operators still require prior knowledge about Kubernetes internals. Information on how to set the status is scattered across comments, issues, PRs and the Kubernetes code itself. Conditions may be a good solution for your controller, but for what?
Readability is a property we all love about Go. In other languages, it might be fine to have a lot of nested if statements; in Go, it is a good practice to keep away from overly-nested logic.