Quick list of software tools that I find make using Kubernetes even better. I consider these tools must haves.

In 2004 I took delivery of a new car that was equipped with a CD changer. Until then I had only ever had cars with a single disc player so stepping up to a deck with a six disc changer was incredible. No longer did I need to keep a sleeve of CDs in the car that would get scratched or lost, I could just keep what I was listening to at the time right in the deck. It was still a time where creating and burning playlists to a burnable CD was totally acceptable and all was well in the world.

I kept that car for about ten years and during that time we saw the iPod and other music players gain tremendous popularity. And why wouldn’t they? You could put as much music onto the device as it would hold and carry it around with you anywhere you went! The original iPod even had this slick wheel based interface for getting around quickly and easily. Amazing! Unfortunately, when my car was designed, these types of players weren’t common yet and there was no way to interface an iPod or any type of music player with my deck because I didn’t have an AUX input. Bluetooth connectivity was even less of a thing at the time so that option was out as well.

So I kept on making CDs of the music I wanted to listen to and feeding them into the changer knowing that some day I would sell the car and pick one up that had a Bluetooth interface. I thought, one day I’ll finally be able to listen to all of my music at anytime and it’ll be great.

Well, as it turns out it wasn’t all rainbows and unicorns.

A few years ago I picked up a newer Mazda, one with Bluetooth and iPod connectivity, an AUX port and even Pandora! The possibilities before me seemed perfect and I got to working figuring out which method would work best for me. After much tinkering I settled on using Bluetooth because it offered wireless connectivity and worked with whatever music app I wanted to use. I loaded up Spotify with downloaded music and that was that.

After awhile though the flaws in this new system started to appear. I discovered that Mazda’s Bluetooth implementation was less than ideal. It takes a lot of time for it to connect to my phone and start playing music, sometimes over a minute. I can no longer just hop in the car and have it resume where it left off just moments after starting the car. Other times it connects but can’t tell me what is playing or just refuses to play anything at all until I visit Spotify and select something from there.

And herein lies the primary issue and why I miss the venerable CD changer. It isn’t because Mazda’s Bluetooth implementation is bad (and it is really bad), it’s that the process of selecting music is so much more involved. To select music, I have to get my phone, unlock it, open the Spotify app and go digging for the playlist or album I want…while driving. It turns out that having a large selection of music requires changes to how you interface and interact with that music. It requires that you look at a screen to scroll and make selections. All of these interactions are fine when you can spend the time doing them but in the car speeding down the highway is not the right time.

So why is the CD changer the better option here? It’s because interacting with a CD changer is fundamentally different than a music app on your phone, even if your vehicle has a stellar deck and you are able to interact with the music app using steering wheel controls or the touch screen you still need to look at a screen to know where you are. Not so with a CD changer. You put six discs into a changer and you know what slot they are in. You know, using your ears, which track you are listening, which CD it is on and from that you know what slot is it in. If you want to listen to a different disc you know how many times to press the disc change button. Listening to Taylor Swift on disc 1 and now you want to listen to the third song on your new Metallica album in slot 3? Press the disc change button twice and then press the next track button a couple of times. Done and you didn’t even have to take your hands off the steering wheel. Such an interaction isn’t an option anymore. In a music app the interface is 100% on the device, with a CD changer half the interface is in your head.

In the end, it isn’t really the CD changer I miss. It’s actually the “interface” that CD changers provided. There is no equivalent, that I’m aware of, in today’s music apps that emulates the CD changer interface. I believe the ideal solution would be to allow a user to configure a set of playlists as “slots” like a CD changer that are in a locked order. Controls are then offered on screen and the steering wheel to switch between playlists in a locked order, just like a CD changer.

I like the progress that has been made with technology. I appreciate being able to put more music than I could possibly listen to in a year in my pocket. I just wish this progress didn’t come at the expense of usability. Burning a CD was a hassle but when it was done it was done but interacting with your player happens every time.

When Docker first came out it was a real mind bender of an experience for me. I simply couldn’t wrap my head around what a Docker image was, how it was different from a virtual machine and so on. “Why not just install the software from rpm?” I said.

I also struggled with how the app in the container was running inside of something and didn’t have access to anything. At the time I saw this just as a silly hurdle that made it more difficult than it should be to get something running rather than a core benefit of using containers.

Over time I got to know Docker and containers better. I gained an understanding of now images are created, how they could be given restricted resources, easily shared and so on. I started creating my own containers to further understand the process, got to know multi stage builds and so in.

Although I had gained a better understanding of the container itself I still couldn’t find a good use case for containers in my line of work. I was too used to creating VMs that ran a static set of services that rarely changed. Docker containers still seemed like another packaging format that has few additional advantages. It wasn’t until I started playing with container orchestration that things really started to click.

With container orchestration, and in particular Kubernetes, the power and convenience of containers becomes much harder to ignore. Orchestration was definitely the missing piece of the puzzle for me that sealed the deal. This is because orchestration solves a number common issues with running larger software infrastructure. One of the biggest issues that Kubernetes solves is how to swap out the running application with little fuss. By simply declaring that a running workload should update the Docker image in use Kubernetes will go through the process of starting the new container, waiting for it to be ready, adding it to the load balancer and then draining connections from the old container. While it’s true you can achieve all of that with a traditional setup it requires a lot more effort. This feature alone is what sold me on using Kubernetes at all and from there my current state of container acceptance.

With Kubernetes revealing the huge potential of containers I’ve since come back to exploring them for other uses outside of orchestration. Now, core features of containers that once bothered me are seen as advantages. I still see containers as a packaging format but one that works equally well on macOS and Windows as well as it does on Linux or in Kubernetes. As an “expert” I can provide a container to a user that has everything installed for some to tool. Previously this may have required me to write extensive documentation detailing the requirements, installation process and finally the configuration of whatever software it took to meet the user’s needs. A process that may end up failing or not work at all because the end user is using a different operating system or because of some other environment specific reason. With containers, if it works for me there is a much greater chance it will work for someone else as well.

Today I find myself building more and more containers for use in CI/CD pipelines. I see them as little utilities that I can chain together to create a larger solution. Similar to the Unix philosophy, I am creating containers that do one thing and do it well. These small containers are easy to maintain, easy to document and easy to use. And this, I believe, is one of the core strengths of containers. They encapsulate a solution into something that is easier to understand. Even though a container is technically more bloated because it contains not only the application itself but also all of its requirements, the end result is something that is ultimately easier to understand. Like writing code, you can write the most incredible for loop ever devised but if the next person can’t understand it is it still a good solution?

Throughout my career I’ve always enjoyed trying out new things to see how I can apply them to everyday problems or how they can be used to create great new opportunities. Docker was one the first things that I really struggled to understand and initially I thought “this is it, this is the tech my kids will understand that I won’t.” Today, however, I can see what a game changer containers are. When properly constructed containers are easier to understand, easier to share with others and easier to document. These are powerful reasons too use containers. There are new hurdles to overcome, like how to maintain them for security, but all things have tradeoffs and it’s up to us to decide which ones are worth it.

For some time I’ve been meaning to publicly release the custom component I’ve been using to show which if my Xbox friends are online and what they are playing. There was one issue I had with my component that kept me from releasing it however, it requires access to an API endpoint I would prefer to not offer to an unknown number of people and I’m not interested in scaling it up to sell.

What I decided to do instead is allow the service to be self hosted in the form of some add-ons for hass.io that the custom component can then talk to. The service is broken out into three parts. A part to manage an auth token, a part to basically proxy Xbox Live API requests and a part that glues to two together so the auth token can be shared. The original design was meant to scale well and easily and this is basically just a 1:1 port of the setup. 

The add-ons can be installed by adding this custom add-on URL to your add-on store on your hass.io instance – https://github.com/hassio-xbox/add-ons. Add the URL, refresh and then install the services in the following order

  • Redis Server
  • Xbox Live Credentials Manager (and then configure your username/password)
  • Xbox Live API Service

Once all services are up and running you can configure the component which is installed automatically. The component needs to be given the IP address of your hass.io instance as well as a list of gamertags to keep track of. The format looks like this:

sensor:
- platform: xru
ip: <hass.io instance ip>
gamertags:
- RealAngryMonkey
- Qwik

Once configured restart Home Assistant and you’ll see the status of your friends in the form of individual sensors for each. You can then group them to create a nice panel in your groups.yml file:

xbl_friends:
name: Xbox Live Friends
view: no
entities:
- sensor.realangrymonkey
- sensor.qwik

The end result looks like this:

MariaDB log output showing encryption is working

Utilizing encryption at rest to protect the database data living on your hard drive is a smart choice, especially when dealing with sensitive customer data. Encryption at rest protects the data files by encrypting the actual files the MySQL/MariaDB server reads and writes to on the file system. Although they are binary files they can still be read relatively easily using standard tools as well as being “imported” into a different MySQL/MariaDB server. Encryption at rest is just one part of a total solution and this post is going to cover what it takes to get it running using the AWS Key Management System for key control on macOS using Homebrew.

Continue reading

There are times when it is necessary or desirable to access servers through a single host, called a bastion. This is the first host you'd access prior to using ssh to access some other host. Limiting access to the other hosts would either be controlled by firewall rules or simply because they don't have public IPs. Whatever your reason, a bastion host is a great way to increase security by decreasing the number of exposed hosts on the internet.

For the best security, all hosts should be configured to allow only key based authentication. This immediately negates any brute force based attempts to access your server. While convenient, it isn't necessary for you to use the same keys on all servers you access. Search the web for the best way to achieve key only authentication on your distribution of choice.

Configuring access to any server using a bastion host starts by first defining how you will connect to the bastion host itself. To get started, simply add an entry into your .ssh/config file that describes how to access the bastion host itself. As an example, lets say you have a bastion host at IP 192.168.0.1 and you've installed your public key to user called 'bastionuser'. Your entry would look like this:

HostName bastionhost
User bastionuser
Host 192.168.0.1

This entry does two things. It gives you a very easy way to ssh to your bastion host and it gives you a target you can use as a proxy to access other hosts. To use the entry you can simply issue 'ssh bastionhost' and you'll access your bastion host as user bastionuser using your default private key.

With access to the bastion host itself out of the way, you're now ready to create .ssh/config entries to access other servers that are only accessible through the bastion host. For this example, lets say a server with IP 192.168.1.2 is available from the bastion host. You'd create an entry that looks like this:

HostName targetserver
User targetuser
Host 192.168.1.2
ProxyCommand ssh bastionhost -W %h:%p

That's it! When you want to ssh to the target server, simply issue ssh targetserver and your connection will first hit the bastion host to be used as a proxy. Note that, at all times, your local private key will be used to make the connection unless you explicitly tell ssh to use something else using IdentityFile <path to file>. Even if you use different keys, those keys must always exist on your local system, keys on remote systems will never be used. It's up to you to find a way to distribute your keys to all other target servers.

In addition to using a bastion host for to access a single server or a set of them, you can also chain multiple bastion hosts together simply by configuring more entries with ProxyCommand. For example, lets say a server at 192.168.2.2 is only accessible from targetserver. You'd create an entry like this:

HostName finaldestination
User finaluser
Host 192.168.2.2
ProxyCommand ssh targetserver -W %h:%p

With this entry in place it is now possible to access your final destination by issuing ssh finaldestination. This configuration will instruct ssh to attempt to access finaldestination using target server, but in order to access targetserver to first go through the bastion host. There is technically no limit to the number of hosts you can proxy through but you'll eventually hit the limits of latency.

Whatever your reason for placing an NGINX proxy in front of your Gitlab installation, you need to ensure you’re using the right configuration to support all of Gitlab’s features. I recently discovered that although my installation was mostly working I couldn’t get pipeline/build logs properly. I discovered that my proxy configuration was to blame. After some searching around I finally found that my config wasn’t quite right. To get the most out of Gitlab and ensure a smooth experience use configuration shown below as a template for your own. In my setup I use LetsEncrypt for SSL so if you’re not you can remove any of the SSL specific parts. The important configuration information is contained the the location block.

 

upstream gitlab {
  server <ip of your gitlab server>:<port>;
}

server {
    listen          443;
    server_name     <your gitlab server hostname;

    ssl on;
    ssl_certificate <path to cert>;
    ssl_certificate_key <path to key>;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    server_tokens off;


    gzip on;
    gzip_vary on;
    gzip_disable "msie6";
    gzip_types application/json;
    gzip_proxied any;
    gzip_comp_level 6;
    gzip_buffers 16 8k;
    gzip_http_version 1.1;

    location / {
       client_max_body_size   0;
       proxy_set_header    Host                $http_host;
       proxy_set_header    X-Real-IP           $remote_addr;
       proxy_set_header    X-Forwarded-Ssl     on;
       proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
       proxy_set_header    X-Forwarded-Proto   $scheme;

      proxy_pass https://gitlab;
    }
}

This configuration will properly pass all requests through to your Gitlab server as well as allow CI/CD pipeline logs to pass through properly.