|
Blinkz0rz posted:A 1-2 week delay in wanting to use a dependency to approval? Yeah, at least it was better than what was previous, which was pushes only on quarterly releases or with emergency approval (two separate approvals up to senior director level signoff). It was a compromise, and security inserting themselves as a gate of any code going into the isolated environment was a mandatory part of the process due to factors outside our control  only having a 1-2 weeks delay from internet was considered a triumph
|
#
?
Nov 20, 2021 17:20
|
|
|
|
| # ? May 15, 2024 22:08 |
|
|
Bhodi posted:Yeah, at least it was better than what was previous, which was pushes only on quarterly releases or with emergency approval (two separate approvals up to senior director level signoff). It was a compromise, and security inserting themselves as a gate of any code going into the isolated environment was a mandatory part of the process due to factors outside our control Oof, that's brutal. At least the new process is an improvement! Onwards and upwards towards better security, right?
|
|
#
?
Nov 20, 2021 17:29
|
|
|
Would a lighter weight compromise be to use the 2 week delay only with updates to npm dependencies. When someone needs a new dependency it seems unlikely that it has just been hacked yesterday. Instead if you update the dependencies in quick cycle it's just waiting for someone to hack something sooner or later.
|
|
#
?
Nov 20, 2021 19:47
|
|
|
cum jabbar posted:Anybody in here self-hosting their Terraform state? We work in a tough regulatory environment and basically need to keep it on our own servers. I'm not sure which storage is most ergonomic and safe. I am not, we just trust S3 and amazon's promise of the nines That said, do you have multiple physical locations or just one data center? I'd consider some distributed file system like consul (maybe with vault on top, if you're a real masochist) or ceph As mentioned, state files are tiny; the default max file size for etcd is 1.5mb but you can increase it to 4mb. Kind of painting your future self into a corner but whatever, 4mb is a lot of state file Surely someone sells a rack mounted disk appliance that mirrors the s3 api for private datacenter use? Just use that? Even google and azure's s3 products use the s3 api.
|
|
#
?
Nov 20, 2021 20:06
|
|
|
I'm in the challenging position of developing standard customer solutions for a private cloud for a BigCorp. We have a few datacenters, but our cloud offering is a bit barebones for now (VMs, disks, loadbalancers only). We do have our own S3, but it lacks self-service at the moment. I might just have to deal with that. I'm not in a position to set up something like Consul for customer use, although I have enough clout to get it on the roadmap as a proper product if it's worthwhile. In this environment, it would be a problem if teams had the ability to access each others' secrets, either by accident or malicious intent. Got to be sure about the default security settings on our S3 offering.
|
|
#
?
Nov 20, 2021 20:18
|
|
|
Hadlock posted:I am not, we just trust S3 and amazon's promise of the nines You could run localstack on a server in your DC and make sure the disk is mirrored. Just have to set the service endpoints in your provider block.
|
|
#
?
Nov 20, 2021 20:19
|
|
|
Blinkz0rz posted:You could run localstack on a server in your DC and make sure the disk is mirrored. Reminds me. Remember openstack? Lol, just lol. Flew too close to the overcomplex sun.
|
|
#
?
Nov 20, 2021 20:26
|
|
|
cum jabbar posted:In this environment, it would be a problem if teams had the ability to access each others' secrets, either by accident or malicious intent. Got to be sure about the default security settings on our S3 offering. If security is that bad there, vault officially supports consul as a storage backend, and now you have an extremely fine-grained encrypted security model for your terraform state files. I think the turtles stop there and hashicorp isn't a terrible company to buy a support contract from if need be. I haven't used vault in production for a couple of years but I think they've made improvements to simplify it's use, it's very powerful but originally was pretty unweidly but if you need a self-hosted KMS/datacenter permissions system or enterprise encrypted data store it's not a terrible option. Nobody ever got fired for using vault(tm) Hadlock fucked around with this message at 20:34 on Nov 20, 2021 |
|
#
?
Nov 20, 2021 20:31
|
|
|
cum jabbar posted:Anybody in here self-hosting their Terraform state? We work in a tough regulatory environment and basically need to keep it on our own servers. I'm not sure which storage is most ergonomic and safe. Your security posture allows you to use terraform to create presumably public cloud resources, but disallows you to store state in s3? What kind of regulatory environment is, this exactly. But whatever, if this is a regular thing for you, I'm a bit surprised you don't have your own self hosted swift/minio/s3 compatible object storage already which would be the next best thing.
|
|
#
?
Nov 20, 2021 20:40
|
|
|
Methanar posted:Your security posture allows you to use terraform to create presumably public cloud resources, but disallows you to store state in s3? I bet they're using Terraform with VMware or openstack or the k8s provider against something in a data center and nothing touches cloud at all
|
|
#
?
Nov 20, 2021 23:06
|
|
|
Right, it's some set of VMware products in our own datacenters with our own HTTP API and UI controlling it. We also have our own Terraform provider. I'm inclined to recommend our users standardize on Terraform for server creation, but figuring out the easiest sane CI workflow isn't something I have the experience to do without serious thought.
|
|
#
?
Nov 20, 2021 23:55
|
|
|
Let’s not forget that the reality of security in most organizations is a checklist gating mechanic religious ceremony giving auditors jobs and CISOs comfortable kick-backs from vendors that are normally ignored after an initial implementation or despised passive aggressively if present any longer until the inevitable breach happens at which point politically the security organization becomes so important and can yell and scream at everyone else with impunity for not following their mandates pedantically at which point they resign shortly and new bishops are assigned and the cycle begins again.
|
|
#
?
Nov 21, 2021 00:35
|
|
|
cum jabbar posted:Anybody in here self-hosting their Terraform state? We work in a tough regulatory environment and basically need to keep it on our own servers. I'm not sure which storage is most ergonomic and safe. We store it in an encrypted S3 bucket using DynamoDB for locking. cum jabbar posted:In this environment, it would be a problem if teams had the ability to access each others' secrets, either by accident or malicious intent. Got to be sure about the default security settings on our S3 offering. You can gate this with IAM roles and KMS key policies / IAM bucket policies, for example using a separate bucket per team or separate path per team. You should also be taking steps to put most secrets in something like AWS Secret Storage or Vault - terraform will unfortunately still store some but you can minimize this. We generally have one bucket per account which the terraform IAM role has access to. Terragrunt makes this fairly easy to set up too.
|
|
#
?
Nov 21, 2021 01:24
|
|
|
Hadlock posted:I mean, if you start with k8s and only design 12 factor apps, it's pretty straight forward K8s is a great platform for what it is. If you're already extensively using a cloud provider, it also makes you do 2x the work understanding Kubernetes concepts and mapping them back onto the underlying primitives for AWS or whatever. If you can do everything you need to do using K8s as a management engine for your application infrastructures, maybe you've won something. But if your app team engineers are still using Terraform to manage their resources alongside K8s, what have you bought them? Throw that poo poo in App Runner or Fargate or something.
|
|
#
?
Nov 21, 2021 23:12
|
|
|
We lean heavily on containers deployed to azure app service environments and it works pretty well for us We have one application on aks and they constantly have problems, but that’s probably more of a statement about aks than k8s
|
|
#
?
Nov 21, 2021 23:22
|
|
|
Vulture Culture posted:, what have you bought them? Throw that poo poo in App Runner or Fargate or something. Yeah I played this game at my last job "Why use kubetnetes? It's so complex! Just use aws batch for batch jobs!" Ok so now Ben is the AWS batch job expert, it has it's own idiosyncrasies, so if you have any trouble with it, go bug him since nobody else knows it. "Screw kubetnetes, we're running our container on fargate. Out team owns our infrastructure and this is the non standard tool we use, and it's going to take three weeks to onboard you to our workflows, so watch out if you want to join our team" "Hey we're the back end team, we aren't bandwagon people so we went with ECS. Talk to Fred over there, he sort of knows Ben and they got our backend working over on ECS so as long as neither of them get hit by a bus the company is safe. It uses a different configuration methodology from AWS batch and fargate though, so we only allow transfers to this team if you already know ECS. Gosh why is it so hard to find people with ECS experience?" "Why can't we hire and why is our velocity so low? What do you mean each team uses an entirely different tool with completely different configuration philosophies, what do you mean you can't deploy our entire stack with a single command line? Oh man we are super vendor locked in, there's not a single engineer who understands how our entire stack is deployed across the cloud"  After I left they merged with another company and their CTO gave them six months to transition everything to kubetnetes so that all the engineers could work across the entire stack and services could be shared Kubetnetes is not perfect but it gives you a cloud agnostic lingua franca to deploy code in a consistent manner and works for an overwhelming majority of companies Edit: current company, 95% of our deployments are in kubetnetes and we were ready to do a major DR project but got halted when we realized this other highly siloed team is running their poo poo on elastic beanstalk and it's going to take a couple of quarters to get them up to snuff with the rest of the company so they're actively holding back that project and they're not compatible with the rest of the company's deployment/IAC yay Hadlock fucked around with this message at 02:28 on Nov 22, 2021 |
|
#
?
Nov 22, 2021 02:23
|
|
|
So recently I started a new job that partially involves inhereting a giant Kubernetes cluster on DigitalOcean. I've never used Kubernetes so its all a massive learning curve. This moring I got into the office and realised the entire cluster down with all the pods in "Pending" mode (Including about a bazillion cronjob containers that seemed to be piling up). It would seem at some point in the night for reasons I'm completely unsure of the whole drat thing was reset causing it to reissue a whole bunch of nodes which where in an unlabeled state. So after labelling them, it all came back up, although I had to delete the node spec for the cronjobs because there where literally hundreds of the bloody things trying to be created. Followed by a slow recycling of nodes to get the drat things to exit the "Terminating" state. Massive and disrupive pain in the arse. Is there a way to tell Kubernetes how to label nodes after a rebuild? Beause this *sucks*
|
|
#
?
Nov 22, 2021 07:31
|
|
|
duck monster posted:So recently I started a new job that partially involves inhereting a giant Kubernetes cluster on DigitalOcean. I've never used Kubernetes so its all a massive learning curve. The process you should be looking at is kubelet. Looks like you can modify the kubelet config to have the kubelet come up with whatever node labels you want.
|
|
#
?
Nov 22, 2021 08:33
|
|
|
my homie dhall posted:The process you should be looking at is kubelet. Looks like you can modify the kubelet config to have the kubelet come up with whatever node labels you want. Thats not a thing you can do with Digitaloceans kubernetes system.
|
|
#
?
Nov 22, 2021 08:53
|
|
|
According to this Github issue there's a CLI tool you can use to set the node labels https://github.com/digitalocean/DOKS/issues/3
|
|
#
?
Nov 22, 2021 20:29
|
|
|
necrobobsledder posted:According to this Github issue there's a CLI tool you can use to set the node labels https://github.com/digitalocean/DOKS/issues/3 Yeah i ended up figuring out that digital oceans cli can do it too., doctl kubernetes cluster node-pool update <cluster name> <nodepool name> --label <key>=<value> I probably have to learn about how the taints and affinities and poo poo works. ("Hey love , guess what I did at work today? I put labels on taints! Do you have an affinity for taint? Better label that too! I'll go drain the pool.").
|
|
#
?
Nov 24, 2021 06:32
|
|
|
they call them taints becvause they t'aint here and they t'aint there
|
|
#
?
Nov 24, 2021 13:03
|
|
|
So I have another dumb question. When I do:code:code:How do I execute someCommand on someComputer from inside a script? (A GH action again...)
|
|
#
?
Nov 26, 2021 06:03
|
|
|
Newf posted:someCommand is running on MY computer. Er, no it isn't. The difference in the two ways of using ssh is that one gets you an interactive session and one runs a single command and then closes the connection. The command runs on the remote server either way.
|
|
#
?
Nov 26, 2021 07:41
|
|
|
Hadlock posted:Yeah I played this game at my last job I'm making an observation about a technology choice that I think, for most organizations, is not the right technology choice. There are lots of good reasons why it might be the right choice for a given company in a given situation. You are, however, not arguing those reasons. You are arguing that the opposite of Kubernetes is an organization with no governance, no standards, and no experts. If you do not adopt Kubernetes, you have a dysfunctional organization. I propose, gently, that you might be confusing some ideas. Hadlock posted:Edit: current company, 95% of our deployments are in kubetnetes and we were ready to do a major DR project but got halted when we realized this other highly siloed team is running their poo poo on elastic beanstalk and it's going to take a couple of quarters to get them up to snuff with the rest of the company so they're actively holding back that project and they're not compatible with the rest of the company's deployment/IAC yay
I'm sure there are parts of this that having a unified technology platform makes simpler for you, and maybe even having K8s specifically makes simpler for you. But I'm having a really hard time drawing a line between the chosen technology platform and the problem you're describing. Vulture Culture fucked around with this message at 20:40 on Nov 28, 2021 |
|
#
?
Nov 28, 2021 20:38
|
|
|
This is a really interesting discussion you two are having and I’m enjoying it, I hope it continues. I’m not being sarcastic - anytime someone can talk about technical roles and organizations in a way that includes the non-technical realities and externalities, it’s a good time.
|
|
#
?
Nov 28, 2021 21:20
|
|
|
Vulture Culture posted:You're arguing from the standpoint of two things, which are different, being the same thing. I would like to argue the opposite: ...and the problem you're describing. Oh, thank God, I was genuinely concerned I was just screaming into the void (probably) sir. Will follow up soon
|
|
#
?
Nov 29, 2021 11:20
|
|
|
To be blunt, I summarized your post mentally as an assertion that you can use kubernetes or you can use every other adjacent tool at the same time, and that using kubernetes is obviously better because one tool is better than every other tool, and I didn't have enough Care to respond to that in a serious way. I appreciate that Vulture Culture took the time to respond and also to come up with better phrasing. Something constructive I have to add to this topic is that a big thing I'm seeing a lot lately in this field is people pushing ecosystems, platforms, paradigms or whatever. If you don't push back against this you end up with dozens of neighborhoods of competing ecosystems -- k8s needs you to run batch jobs like this, airflow needs them specified like that, aws batch has its own opinions, etc. IMHO the most valuable skill an infra eng can have is the ability to sit down and solve only the problem right in front of them. I've been asked many, many times to spin up "a handful of pods that are of <ec2 instance type>" which is the main indicator that your k8s deployment has failed and that you should have used ec2. If we assume that this is the problem that's right in front of me, that we need ~20-75 running instances of an m5.4xlarge hosting some software we wrote, we have an entire constellation of ways of solving that problem that don't involve running etcd, a bunch of agents, that don't involve consensus-sourced DNAT over iptables or introducing yet another network overlay, warm IP targets, and all that poo poo. We can just run the instances, as requested, and we can move onto the next ticket. "Mean time to pulling the next ticket" is an often undervalued metric for ops teams, in my experience.
|
|
#
?
Nov 29, 2021 18:10
|
|
|
Hadlock posted:You might want to look into buildah/podman to streamline your build process, instead of docker in docker where do i start? im looking to remove dind this sprint
|
|
#
?
Dec 7, 2021 21:56
|
|
|
Depends on your CI/build env, but Buildah was more or less a drop in for Docker for us. We implemented in parallel, so every build also kicked off a non blocking job that doesn't push artifacts.
|
|
#
?
Dec 8, 2021 02:05
|
|
|
Kaniko is also another solution you might want to look at, my area uses it as our replacement for docker in docker
|
|
#
?
Dec 8, 2021 02:30
|
|
|
x1o posted:Kaniko is also another solution you might want to look at, my area uses it as our replacement for docker in docker Just Use Kaniko.
|
|
#
?
Dec 8, 2021 03:18
|
|
|
https://github.com/kedacore/keda/blob/d5b29339c46b7635a568ff65013ea212604bde9f/pkg/scalers/prometheus_scaler.go#L211 https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/podautoscaler/horizontal.go#L375-L395 https://pkg.go.dev/k8s.io/api/autoscaling/v2beta2#MetricTarget code:This has been a nightmare to track down why applications are failing to scale up in response to kafka lag sometimes. It's because at low pod counts, that per-pod average is dividing by a small number. At large pod counts, it divides by a large number. If I had a threshold of 50k unprocessed messages. Well if I'm at a milliion lag dividing that by 10 pods is still 100k lag when the threshold is 50k. nbd it will work. I have a lag threshold of 50k and a million lag divided by 100 pods, well that's an average of 10k lag per pod. less than the threshold of 50k and nothing will happen. of course, the act of scaling up increases the number of pods. So you will see the app scale up at first, but eventually stop scaling up due to the above scenario. for some reason this is never at all once in the documentation identifying that despite being Kind Of Important. The kafka scaler does the same thing lmfao https://github.com/kedacore/keda/blob/d5b29339c46b7635a568ff65013ea212604bde9f/pkg/scalers/kafka_scaler.go#L359 Who cares about lag per pod. I care that there is lag. Methanar fucked around with this message at 22:36 on Dec 8, 2021 |
|
#
?
Dec 8, 2021 22:28
|
|
|
Methanar posted:https://github.com/kedacore/keda/blob/d5b29339c46b7635a568ff65013ea212604bde9f/pkg/scalers/prometheus_scaler.go#L211 Your topic has a finite number of partitions, and your consumers consistently hash onto them. One partition has at most one consumer. If you get an irregular latency distribution because you have, say, a single slow consumer that's failing to drain a single partition, there's no reasonable expectation that increasing your number of consumers is going to even help the lag. So if you're keying off of a maximum, and adding more pods doesn't actually ease your latency condition, what's going to happen is that the autoscaler is just going to continue spinning up more useless pods—your max latency is still over threshold, right, so why wouldn't it add more pods?—until you continue to hit the max limit configured on your autoscaler. You do nothing to solve your problem, waste a bunch of money, and probably destabilize your app with useless Kafka rebalances in the process. What I think you actually want is to SLA the throughput of each of your consumers, and if one of your consumers falls below the expected rate—i.e. you have single identifiable partitions that are underperforming the others—you kill the consumer and replace it with one that works correctly. You then couple that with pod autoscaling off the average. Vulture Culture fucked around with this message at 16:09 on Dec 11, 2021 |
|
#
?
Dec 11, 2021 16:02
|
|
|
Vulture Culture posted:What I think you actually want is to SLA the throughput of each of your consumers, and if one of your consumers falls below the expected rate—i.e. you have single identifiable partitions that are underperforming the others—you kill the consumer and replace it with one that works correctly. You then couple that with pod autoscaling off the average.
|
|
#
?
Dec 11, 2021 18:26
|
|
|
Vulture Culture posted:My gut here is that what you're trying to do is completely the wrong approach for Kafka, and this is hardcoded this way to protect you from a bad idea. Under normal circumstances we often have many partitions attached to a single consumer. It's a regular scaling operation for SRE to be scaling up the number of consumers of a topic to dilute the number of partitions each consumer is assigned to work over and it does work for increasing throughput - up until the point of consumers being 1:1 with partitions. The situation you describe where a single partition is falling behind is real; but at least in the cases I'm familiar with it, it's caused not by a consumer being slow but rather data being disproportionately assigned to the partition in the first place by a hot producer. You are absolutely correct that this nuance is lost in a single global measure of lag. We have tens of very large topics, with >=240 partitions, that may process multiple million messages per second. Lag must often be measured in several million for 60 seconds before any scaling operation is considered to avoid unnecessary scaling decisions and associated kafka rebalances. Under normal circumstances lag should just be zero, it would take a very severely overloaded partition to actually trigger a lag threshold intended to trip only when the entire consumer group is falling behind. I disagree that a per-pod average measure of latency is any better at mitigating the above hot partition scenario. It's really the same sort of thing, it's just that the math changes and becomes more unpredictable and less capable of adapting to large variations in processing requirements throughout a day. I have cases where the low period and the high periods of traffic differ by a factor of 5. It just breaks down that you can't have a single static threshold value work well as the number of consumers greatly changes. 100 partitions each at a lag of 50k for a sum of 5000k lag with a lag threshold of 100k per-consumer with 10 consumers will result in a per-consumer lag of 500k. A scale up will occur to process the 5000k lag. 100 partitions each at a lag of 50k for a sum of 5000k lag with a lag threshold of 100k per-consumer with 50 consumers will result in a per-consumer lag of 100k. You will just be dancing at the precipice of the threshold and no action will be taken even though you have 5000k unprocessed messages! If the absolute lag is measured in multiple millions for an extended period of time something is wrong and a scaling operation should take place, even if only to dilute the number of partitions per consumer to increase individual partition throughput - what else is there to do? You could argue that this is still stupid and expensive and you might be right. But you have two choices, do nothing and allow the traffic spike to naturally be processed through over some length of time, or to scale up for only a tiny subset of your partitions. It's a business decision at that point on whether it's worth to spend the money or not. Nor am I willing to give credit to the choice to use the averageValue interpretation of the measure as being deliberate: I can see it to be copy pasted across the board for every scaler implementation I bother to check, even though I think it makes little sense. In fact when I wrote my scaler, all I did was copy/paste the decision to use the averageValue from the Prometheus scaler! quote:What I think you actually want is to SLA the throughput of each of your consumers, and if one of your consumers falls below the expected rate—i.e. you have single identifiable partitions that are underperforming the others—you kill the consumer and replace it with one that works correctly. You then couple that with pod autoscaling off the average. If you have a consumer that is actually processing fewer messages for some reason, there is going to a reason for it. Whether that's you've screwed up your resource allocation and throttling CPU somehow, you've got noisey neighbour issues, you've got some network issues causing increased latency or you've got some weird type of message coming in that is disproportionately computationally intense. Hot partitions are always caused by a partition being over produced to by a hot producer because of application-level sharding/affinity reasons at least in my org. Methanar fucked around with this message at 19:41 on Dec 23, 2021 |
|
#
?
Dec 11, 2021 18:39
|
|
|
I forget if you're a fedramp operation but there's enough information in that post for me to make some guesses about what you're doing and how effective it is, I love this kind of stuff but that's maybe a lot of specific information for the right person. If I'm wrong please ignore
|
|
#
?
Dec 23, 2021 19:11
|
|
|
Has anyone here taken a swing at Proxmox integration with Jenkins in the last ever? I’ve started tinkering with a pmox instance along with Jenkins to help get some dust and spiderwebs cleared out while taking some PTO. The issue is I’m having a bastard of a time getting pmox set up and it’s proving difficult to tell if it’s an issue with the plug-in itself (no documentation) or if I’m not doing something right by way of pmox user creation/security/API/ect. Worst comes to worst I can just make a dedicated agent VM for now, but this is going to drive me nuts until I sort it out.
|
|
#
?
Dec 27, 2021 04:26
|
|
|
code:somebody thought secretly turning on source address validation for infrastructure that is highly dependent on vxlans and nat abuse without any sort of heads up whatsoever was a good idea. glad you were able to tick your checkbox mr security man. 
|
|
#
?
Dec 29, 2021 20:11
|
|
|
|
| # ? May 15, 2024 22:08 |
|
|
What would be the best way to set up an windows build VM, with minimal manual work? Background: Everything is in a Proxmox environment with a bunch of VMs on it, on the local network. I have a Gitlab instance and I'm using its CI/CD capabilities to build my programs for various platforms. One of them is Windows. Since I'm not willing to buy a windows key nor to go the pirate route (yet), I am using a Windows development VM, which they provide for free, but are only working for 75 days or so. I've only had to do this twice so far, but this is my setup: - Disk 0 (what becomes C:) is the OS itself. That should be replaceable since I do have to replace it every 70+ days or whatever. - Disk 1 (what I want to become E:) is where the gitlab runner is running and where I have my Powershell scripts to set everything up (for now). So far, my powershell scripts download Chocolatey, try to download and install git, cmake, ninja, vcpkg, wix, gitlab runner and a bunch of other things.Visual Studio that comes preinstalled, needs to have the C++ packages downloaded and installed since it doesn't have them by default for whatever reason. Everything still requires some manual intervention, since chocolatey wants to reboot the system before it's usable, VS installer needs me to click on stuff, and so on. I'd like to have something, some system of some kind that would, ideally: - Download the latest VM from MS website - Delete old disk, convert & replace it with the new one - Make sure the drive letters are setup appropriately (last time I updated, Disk 1 was assigned letter D:, I had to manually change it since some scripts relied on E:) - Install choco and the other tools (with potential reboots inbetween) - Install the VS C++ stuff - Install gitlab runner - Victory dance? What would be the best/easiest way to achieve this (other than just use some pirate key, set it and forget it)? I have access to other linux VMs/systems where this could all be setup in a cron job. Ideally everything would be done with no manual intervention (unless major things happen, like upgrading from VS 2019 to VS 2022 for example, that surely cannot be scripted).
|
|
#
?
Dec 30, 2021 01:27
|
|