- Page Under Construction
- Our Service Commitment
- Red Hat Delivers Accessible, Open Source Generative AI Innovation with Red Hat Enterprise Linux AI
- Is Red Hat OpenShift Container Platform Virtualization the Best Alternative to VMware Amid Rising Costs?
- Top 10 Stories About Compute Engines, Linux of 2024 (So Far) - ITPro Today
UR Solutions News
Open-source News
Isonzo is a new WW1 FPS from the dev of Verdun out now - GamingOnLinux
Isonzo is a new WW1 FPS from the dev of Verdun out now GamingOnLinux
Mesa 22.3 Lands S3TC Texture Compression Software Fallback
As a follow-up to the recent article about Mesa preparing a software fallback for S3TC, that code was merged for next quarter's Mesa 22.3...
You never walk alone: The SideWalk backdoor gets a Linux variant - We Live Security
You never walk alone: The SideWalk backdoor gets a Linux variant We Live Security
Linux 6.1 To Try Enabling HID++ For All Logitech Bluetooth Devices
A change queued in HID-next ahead of the Linux 6.1 cycle aims to enable HID++ protocol usage for all Logitech Bluetooth devices...
Linux Foundation May Soon Form The OpenWallet Foundation - Open Source For You
Linux Foundation May Soon Form The OpenWallet Foundation Open Source For You
3 steps to protect your home network
3 steps to protect your home network
Seth Kenlon
Wed, 09/14/2022 - 03:00
The typical setup for Internet connectivity today is for your home to have a router, usually a little physical box located somewhere in your house, that acts as a gateway to the rest of the world. The router creates a local network, and you connect your devices to it, including your computer, mobile, TV, game console, and anything else that needs to connect to the Internet or to each other. It's deceptively easy to think of this setup as there being two "sides" of your router: On one side there's the Internet, and on the other, your devices. That's an awful colloquial, though, because in reality there's an entire worldwide network of computers on one side of your router, and your digital life on the other. When you use the Internet directly, you're logging onto a shared area of somebody else's computer. When you're not using the Internet, it doesn't go away, and there are lots of scripts and programs out there designed to visit millions upon millions of routers in an attempt to find open ports or services. With the Internet of Things (IoT) commonplace, there are sometimes more services running on your home network than you realize. Here are three steps you can take to audit and protect your home network from unwanted traffic.
[ Related read Run your network with open source software ]
1. Think about protocolPart of your router's job is to keep the Internet separate from your home network. But when you access the Internet, you invite some portion of the Internet into your home. You're making an exception to the general rule that the Internet should stay off your network.
On many websites, what's allowed through your router is just text. When you visit your favorite blog site to read up on the latest tech news, for instance, you're downloading a page or two of text. You read the text, and then move on. That's a simple one-to-one transaction.
However, the HTTPS protocol is robust and the applications running on the Internet are full of variety. When you visit Opensource.com, for instance, you're not just downloading text. You get graphics, and maybe a cheat sheet or ebook. You're also downloading cookies in the background, which helps site administrators understand who visits the site, which has led to improved mobile support, a new design for greater accessibility, and content that readers enjoy. You may not think about cookies or traffic analysis as something you interact with when you're on the Internet, but it's something that gets "snuck" into page interactions because the HTTPS protocol is designed to be broad and, in many ways, high trust. When you visit a website over HTTPS (that is, in a web browser), you're implicitly agreeing to automatic downloads of files that you're probably not conscious of, but that you trust are useful and unobtrusive. For a model of file sharing designed for less trust, you might try the Gemini or Gopher space.
You make a similar agreement when you join a video conference. Not only are you downloading text on the page, cookies for traffic monitoring, but also a video and audio feed.
Some sites are designed for even more. There are sites designed to allow people to share their computer screen, and sometimes even the control of their computer. In the best case scenario, this helps a remote technician repair a problem on someone's computer, but in practice users can be tricked into visiting sites only to have financial credentials and personal data stolen.
You'd rightfully be suspicious if a website offering text articles required you to grant it permission to look through your webcam while you read. You should cultivate the same level of suspicion when an appliance requires Internet access. When you connect a device to your network, it's important to consider what implicit agreement you're making. A device designed to control lighting in your house shouldn't require Internet access to function, but many do, and many don't make it clear what permissions you're granting that device. Many IoT devices want access to the Internet so that you can access the device over the Internet while you're away from home. That's part of the appeal of a "smart home". However, it's impossible to know what code many of these devices run. When possible, use open source and trusted software, such as Home Assistant to interface with your living space.
[ Also read How to choose a wireless protocol for home automation ]
More on edge computing Understanding edge computing Why Linux is critical to edge computing eBook: Running Kubernetes on your Raspberry Pi Download now: The automated enterprise eBook eBook: A practical guide to home automation using open source tools The latest on edge 2. Create a guest networkMany modern routers make it trivial to create a second network (usually called a "guest network" in the configuration panels) for your home. You probably don't feel like you need a second network, but actually a guest network can be useful to have around. Its eponymous and most obvious use case is that a guest network provides people visiting your house access to the Internet without you telling them your network password. In the foyer of my house, I have a sign identifying the guest network name and password. Anyone who visits can join that network for access to the Internet.
The other use case is for IoT, edge devices, and my home lab. When I purchased "programmable" Christmas lights last year, I was surprised to find that in order to connect to the lights, they had to be connected to the Internet. OF course, the $50 lights from a nameless factory didn't come with source code included, or any way to interface or inspect with the firmware embedded in the power brick, and so I wasn't confident in what I was agreeing to by connecting them to the Internet. They've been permanently relegated to my guest network.
Every router vendor is different, so there's no single instruction on how to create a "sandboxed" guest network on yours. Generally, you access your home router through a web browser. Your router's address is sometimes printed on the bottom of the router, and it begins with either 192.168 or 10.
Navigate to your router's address and log in with the credentials you were provided when you got your Internet service. It's often as simple as admin with a numeric password (sometimes, this password is printed on the router, too). If you don't know the login, call your Internet provider and ask for details.
In the graphical interface, find the panel for "Guest network." This option is in the Advanced configuration of my router, but it could be somewhere else on yours, and it may not even be called "Guest network" (or it may not even be an option.)
Image by:(Opensource.com, CC BY-SA 4.0)
It may take a lot of clicking around and reading. If you find that you have the option, then you can set up a guest network for visitors, including people walking through your front door and applications running on a lightbulb.
3. Firewall your firewallYour router probably has a firewall running by default. A firewall keeps unwanted traffic off your network, usually by limiting incoming packets to HTTP and HTTPS (web browser traffic) and a few other utility protocols, and by rejecting traffic you didn't initiate. You can verify that a firewall is running by logging onto your router and looking for "Firewall" or "Security" settings.
However, many devices can run firewalls of there own. This is important because a network is a network because devices connect to one another. Placing firewalls "between" devices is like locking a door to a room inside your house. Guests may roam the halls, but without the right key they're not invited into your office.
On Linux, you can configure your firewall using firewalld interface and the firewall-cmd command. On other operating systems, the firewall is sometimes in a control panel labeled as "security" or "sharing" (and sometimes both.) Most default firewall settings allow only outgoing traffic (that's the traffic you initiate by, for instance, opening a browser and navigating to a website) and incoming traffic that's responding to your requests (that's the web data responding to your navigation). Incoming traffic that you didn't initiate is blocked.
You can customize this setup as needed, should you want to allow specific traffic, such as an SSH connection, a VNC connection, or a game server host.
Monitor your networkThese techniques help build up your awareness of what's happening around you. The next step is to monitor your network. You can start simple, for instance by running Fail2ban on a test server on your guest network. Take a look at logs, if your router provides them. You don't have to know everything about TCP/IP and packets and other advanced subjects to see that the Internet is a busy and noisy place, and seeing that for yourself is great inspiration to take precautions when you set up a new device, whether it's IoT, mobile, a desktop or laptop, a game console, or a Raspberry Pi, in your home.
Who has access to your home network? With the Internet of Things (IoT) commonplace, there are sometimes more services running on your home network than you realize. Protect it from unwanted traffic.
Image by:Opensource.com
Edge computing Networking Internet of Things (IoT) Security and privacy What to read next A beginner's guide to network management Control your home automation remotely with Raspberry Pi and Traefik Hub This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License. Register or Login to post a comment.Packaging Job scripts in Kubernetes operators
Packaging Job scripts in Kubernetes operators
Bobby Gryzynger
Wed, 09/14/2022 - 03:00
#!/bin/sh
echo "Starting task script."
# Something complicated...
echo "Task complete."
//go:embed embeds/task.sh
var taskScript string
func (r *MyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
ctxlog := ctrllog.FromContext(ctx)
myresource := &myresourcev1alpha.MyResource{}
r.Get(ctx, req.NamespacedName, d)
// STEP 2: create the ConfigMap with the script's content.
configmap := &corev1.ConfigMap{}
err := r.Get(ctx, types.NamespacedName{Name: "my-configmap", Namespace: myresource.Namespace}, configmap)
if err != nil && apierrors.IsNotFound(err) {
ctxlog.Info("Creating new ConfigMap")
configmap := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "my-configmap",
Namespace: myresource.Namespace,
},
Data: map[string]string{
"task.sh": taskScript,
},
}
err = ctrl.SetControllerReference(myresource, configmap, r.Scheme)
if err != nil {
return ctrl.Result{}, err
}
err = r.Create(ctx, configmap)
if err != nil {
ctxlog.Error(err, "Failed to create ConfigMap")
return ctrl.Result{}, err
}
return ctrl.Result{Requeue: true}, nil
}
// STEP 3: create the Job with the ConfigMap attached as a volume.
job := &batchv1.Job{}
err = r.Get(ctx, types.NamespacedName{Name: "my-job", Namespace: myresource.Namespace}, job)
if err != nil && apierrors.IsNotFound(err) {
ctxlog.Info("Creating new Job")
configmapMode := int32(0554)
job := &batchv1.Job{
ObjectMeta: metav1.ObjectMeta{
Name: "my-job",
Namespace: myresource.Namespace,
},
Spec: batchv1.JobSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
// STEP 3a: define the ConfigMap as a volume.
Volumes: []corev1.Volume{{
Name: "task-script-volume",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "my-configmap",
},
DefaultMode: &configmapMode,
},
},
}},
Containers: []corev1.Container{
{
Name: "task",
Image: "busybox",
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceCPU: *resource.NewMilliQuantity(int64(50), resource.DecimalSI),
corev1.ResourceMemory: *resource.NewScaledQuantity(int64(250), resource.Mega),
},
Limits: corev1.ResourceList{
corev1.ResourceCPU: *resource.NewMilliQuantity(int64(100), resource.DecimalSI),
corev1.ResourceMemory: *resource.NewScaledQuantity(int64(500), resource.Mega),
},
},
// STEP 3b: mount the ConfigMap volume.
VolumeMounts: []corev1.VolumeMount{{
Name: "task-script-volume",
MountPath: "/scripts",
ReadOnly: true,
}},
// STEP 3c: run the volume-mounted script.
Command: []string{"/scripts/task.sh"},
},
},
},
},
},
}
err = ctrl.SetControllerReference(myresource, job, r.Scheme)
if err != nil {
return ctrl.Result{}, err
}
err = r.Create(ctx, job)
if err != nil {
ctxlog.Error(err, "Failed to create Job")
return ctrl.Result{}, err
}
return ctrl.Result{Requeue: true}, nil
}
// Requeue if the job is not complete.
if *job.Spec.Completions == 0 {
ctxlog.Info("Requeuing to wait for Job to complete")
return ctrl.Result{RequeueAfter: time.Second * 15}, nil
}
ctxlog.Info("All done")
return ctrl.Result{}, nil
}
2022-08-07T18:25:11.765Z INFO controller.myresource Creating new Job {"reconciler group": "myoperator.myorg.com", "reconciler kind": "MyResource", "name": "myresource-example", "namespace": "default"}
2022-08-07T18:25:11.780Z INFO controller.myresource All done {"reconciler group": "myoperator.myorg.com", "reconciler kind": "MyResource", "name": "myresource-example", "namespace": "default"}Go for Kubernetes
When using a complex Kubernetes operator, you often have to orchestrate Jobs to perform workload tasks. Examples of Job implementations typically provide trivial scripts written directly in the manifest. In any reasonably-complex application, however, determining how to handle more-than-trivial scripts can be challenging.
In the past, I've tackled this problem by including my scripts in an application image. This approach works well enough, but it does have a drawback. Anytime changes are required, I'm forced to rebuild the application image to include the revisions. This is a lot of time wasted, especially when my application image takes a significant amount of time to build. This also means that I'm maintaining both an application image and an operator image. If my operator repository doesn't include the application image, then I'm making related changes across repositories. Ultimately, I'm multiplying the number of commits I make, and complicating my workflow. Every change means I have to manage and synchronize commits and image references between repositories.
More on Kubernetes What is Kubernetes? Free online course: Containers, Kubernetes and Red Hat OpenShift technical over… eBook: Storage Patterns for Kubernetes Test drive OpenShift hands-on An introduction to enterprise Kubernetes How to explain Kubernetes in plain terms eBook: Running Kubernetes on your Raspberry Pi homelab Kubernetes cheat sheet eBook: A guide to Kubernetes for SREs and sysadmins Latest Kubernetes articlesGiven these challenges, I wanted to find a way to keep my Job scripts within my operator's code base. This way, I could revise my scripts in tandem with my operator's reconciliation logic. My goal was to devise a workflow that would only require me to rebuild the operator's image when I needed to make revisions to my scripts. Fortunately, I use the Go programming language, which provides the immensely helpful go:embed feature. This allows developers to package text files in with their application's binary. By leveraging this feature, I've found that I can maintain my Job scripts within my operator's image.
Embed Job scriptFor demonstration purposes, my task script doesn't include any actual business logic. However, by using an embedded script rather than writing the script directly into the Job manifest, this approach keeps complex scripts both well-organized and abstracted from the Job definition itself.
Here's my simple example script:
$ cat embeds/task.sh#!/bin/sh
echo "Starting task script."
# Something complicated...
echo "Task complete."
Now to work on the operator's logic.
Operator logicHere's the process within my operator's reconciliation:
- Retrieve the script's contents
- Add the script's contents to a ConfigMap
- Run the ConfigMap's script within the Job by
- Defining a volume that refers to the ConfigMap
- Making the volume's contents executable
- Mounting the volume to the Job
Here's the code:
// STEP 1: retrieve the script content from the codebase.//go:embed embeds/task.sh
var taskScript string
func (r *MyReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctrl.Result, error) {
ctxlog := ctrllog.FromContext(ctx)
myresource := &myresourcev1alpha.MyResource{}
r.Get(ctx, req.NamespacedName, d)
// STEP 2: create the ConfigMap with the script's content.
configmap := &corev1.ConfigMap{}
err := r.Get(ctx, types.NamespacedName{Name: "my-configmap", Namespace: myresource.Namespace}, configmap)
if err != nil && apierrors.IsNotFound(err) {
ctxlog.Info("Creating new ConfigMap")
configmap := &corev1.ConfigMap{
ObjectMeta: metav1.ObjectMeta{
Name: "my-configmap",
Namespace: myresource.Namespace,
},
Data: map[string]string{
"task.sh": taskScript,
},
}
err = ctrl.SetControllerReference(myresource, configmap, r.Scheme)
if err != nil {
return ctrl.Result{}, err
}
err = r.Create(ctx, configmap)
if err != nil {
ctxlog.Error(err, "Failed to create ConfigMap")
return ctrl.Result{}, err
}
return ctrl.Result{Requeue: true}, nil
}
// STEP 3: create the Job with the ConfigMap attached as a volume.
job := &batchv1.Job{}
err = r.Get(ctx, types.NamespacedName{Name: "my-job", Namespace: myresource.Namespace}, job)
if err != nil && apierrors.IsNotFound(err) {
ctxlog.Info("Creating new Job")
configmapMode := int32(0554)
job := &batchv1.Job{
ObjectMeta: metav1.ObjectMeta{
Name: "my-job",
Namespace: myresource.Namespace,
},
Spec: batchv1.JobSpec{
Template: corev1.PodTemplateSpec{
Spec: corev1.PodSpec{
RestartPolicy: corev1.RestartPolicyNever,
// STEP 3a: define the ConfigMap as a volume.
Volumes: []corev1.Volume{{
Name: "task-script-volume",
VolumeSource: corev1.VolumeSource{
ConfigMap: &corev1.ConfigMapVolumeSource{
LocalObjectReference: corev1.LocalObjectReference{
Name: "my-configmap",
},
DefaultMode: &configmapMode,
},
},
}},
Containers: []corev1.Container{
{
Name: "task",
Image: "busybox",
Resources: corev1.ResourceRequirements{
Requests: corev1.ResourceList{
corev1.ResourceCPU: *resource.NewMilliQuantity(int64(50), resource.DecimalSI),
corev1.ResourceMemory: *resource.NewScaledQuantity(int64(250), resource.Mega),
},
Limits: corev1.ResourceList{
corev1.ResourceCPU: *resource.NewMilliQuantity(int64(100), resource.DecimalSI),
corev1.ResourceMemory: *resource.NewScaledQuantity(int64(500), resource.Mega),
},
},
// STEP 3b: mount the ConfigMap volume.
VolumeMounts: []corev1.VolumeMount{{
Name: "task-script-volume",
MountPath: "/scripts",
ReadOnly: true,
}},
// STEP 3c: run the volume-mounted script.
Command: []string{"/scripts/task.sh"},
},
},
},
},
},
}
err = ctrl.SetControllerReference(myresource, job, r.Scheme)
if err != nil {
return ctrl.Result{}, err
}
err = r.Create(ctx, job)
if err != nil {
ctxlog.Error(err, "Failed to create Job")
return ctrl.Result{}, err
}
return ctrl.Result{Requeue: true}, nil
}
// Requeue if the job is not complete.
if *job.Spec.Completions == 0 {
ctxlog.Info("Requeuing to wait for Job to complete")
return ctrl.Result{RequeueAfter: time.Second * 15}, nil
}
ctxlog.Info("All done")
return ctrl.Result{}, nil
}
After my operator defines the Job, all that's left to do is wait for the Job to complete. Looking at my operator's logs, I can see each step in the process recorded until the reconciliation is complete:
2022-08-07T18:25:11.739Z INFO controller.myresource Creating new ConfigMap {"reconciler group": "myoperator.myorg.com", "reconciler kind": "MyResource", "name": "myresource-example", "namespace": "default"}2022-08-07T18:25:11.765Z INFO controller.myresource Creating new Job {"reconciler group": "myoperator.myorg.com", "reconciler kind": "MyResource", "name": "myresource-example", "namespace": "default"}
2022-08-07T18:25:11.780Z INFO controller.myresource All done {"reconciler group": "myoperator.myorg.com", "reconciler kind": "MyResource", "name": "myresource-example", "namespace": "default"}Go for Kubernetes
When it comes to managing scripts within operator-managed workloads and applications, go:embed provides a useful mechanism for simplifying the development workflow and abstracting business logic. As your operator and its scripts become more complex, this kind of abstraction and separation of concerns becomes increasingly important for the maintainability and clarity of your operator.
Embed scripts into your Kubernetes operators with Go.
Kubernetes Go programming language What to read next This work is licensed under a Creative Commons Attribution-Share Alike 4.0 International License. Register or Login to post a comment.Suricata – A Intrusion Detection, Prevention, and Security Tool
The post Suricata – A Intrusion Detection, Prevention, and Security Tool first appeared on Tecmint: Linux Howtos, Tutorials & Guides .
Suricata is a powerful, versatile, and open-source threat detection engine that provides functionalities for intrusion detection (IDS), intrusion prevention (IPS), and network security monitoring. It performs deep packet inspection along with pattern matching a
The post Suricata – A Intrusion Detection, Prevention, and Security Tool first appeared on Tecmint: Linux Howtos, Tutorials & Guides.MGLRU Looks Like One Of The Best Linux Kernel Innovations Of The Year
Hopefully being mainlined next cycle with Linux 6.1 is the Multi-Gen LRU, or better known as MGLRU, as a superior alternative to the kernel's existing page reclamation code. Assuming it lands for Linux 6.1 as the last complete kernel cycle of 2022, this would make it one of the most exciting innovations to make it into the kernel this year...