Torvalds is not a huge fan of the ‘security community’ as he doesn’t see it as black and white. He maintains that bugs are part of the software development process and they cannot be avoided, no matter how hard you try. “constant absolute security does not exist, even if we do a perfect job,” said Torvalds in a conversation with Jim Zemlin, the executive director of the Linux Foundation.
“As a technical person, I’m always very impressed by some of the people who are attacking our code,” Torvalds said. “I get the feeling that these smart people are doing really bad things that I wish they were on our side because they are so smart and they could help us.”
This is a scribble post, a WIP/incomplete post, so read it with the understanding that it will have gaps or holes in the knowledge.
This article just goes through my tinkering with Kubernetes on AWS.
Create a new S3 bucket to store the state of your Kubernetes clusters
aws s3 mb s3://k8sstate --region eu-west-2
aws s3 ls
Create a Route 53 hosted zone. I’m creating
aws route53 create-hosted-zone --name k8stest.blenderfox.uk \
  --caller-reference $(uuidgen)
dig the nameservers for the hosted zone you created
dig NS k8stest.blenderfox.uk
If your internet connection already has DNS set up for the hosted zone, you'll see the nameservers in the output:
;; QUESTION SECTION:
;k8stest.blenderfox.uk.			IN	NS

;; ANSWER SECTION:
k8stest.blenderfox.uk.	172800	IN	NS	ns-1353.awsdns-41.org.
k8stest.blenderfox.uk.	172800	IN	NS	ns-1816.awsdns-35.co.uk.
k8stest.blenderfox.uk.	172800	IN	NS	ns-404.awsdns-50.com.
k8stest.blenderfox.uk.	172800	IN	NS	ns-644.awsdns-16.net.
If your connection isn't set up to resolve via the aws DNS (like mine), you'll get this instead:
;; QUESTION SECTION:
;k8stest.blenderfox.uk.			IN	NS

;; AUTHORITY SECTION:
uk.			603	IN	SOA	dns1.nic.uk. hostmaster.nic.uk. 1403374706 7200 900 2419200 603
This means you need to do a bit of DNS hacking to get this to work. The quick and dirty method is to add one of the aws DNS hosts to your /etc/resolv.conf.
dig using one of the aws DNS servers and see if that resolves properly
dig @ns-1816.awsdns-35.co.uk NS k8stest.blenderfox.uk
If it does, then look for the line near the end:
Add this into /etc/resolv.conf (make sure you're root or sudo'ed up):
# Dynamic resolv.conf(5) file for glibc resolver(3) generated by resolvconf(8)
# DO NOT EDIT THIS FILE BY HAND -- YOUR CHANGES WILL BE OVERWRITTEN
nameserver 18.104.22.168
nameserver 127.0.1.1
Now dig the nameservers again and confirm it returns them correctly:
dig NS k8stest.blenderfox.uk
If that works, we can now continue.
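Rather than editing /etc/resolv.conf and eyeballing the output, the script below (an added example, not code from the original post) parses `dig NS` output and checks that the delegation your resolver sees contains every name server Route 53 assigned to the hosted zone; `check_zone` assumes a configured aws CLI and the hosted zone ID, and the two sample outputs are constructed from the good and failing cases shown above.

```shell
# Added example (not from the original post): confirm that the resolver kops
# will use actually sees the Route 53 delegation for the hosted zone.

# extract_ns ZONE: reads `dig NS ZONE` output on stdin and prints the NS
# targets from the ANSWER SECTION, trailing dot stripped, sorted.
extract_ns() {
  awk -v z="$1." '
    /^;; ANSWER SECTION:/ { in_ans = 1; next }
    /^;;/                 { in_ans = 0 }
    in_ans && $1 == z && $4 == "NS" { sub(/\.$/, "", $5); print $5 }
  ' | sort
}

# ns_delegation_ok ZONE NS...: reads dig output on stdin; returns 0 only if
# the answer lists every expected name server, 1 if any is missing or the
# resolver answered with just the parent SOA (the failure case above).
# Expected names may carry a trailing dot (dig style) or not (Route 53 style).
ns_delegation_ok() {
  zone="$1"; shift
  got=$(extract_ns "$zone")
  [ -n "$got" ] || return 1
  for ns in "$@"; do
    printf '%s\n' "$got" | grep -qxF "${ns%.}" || return 1
  done
  return 0
}

# check_zone ZONE HOSTED_ZONE_ID: live check; compares the local resolver's
# view with the delegation set Route 53 reports (assumes aws CLI and dig).
check_zone() {
  expected=$(aws route53 get-hosted-zone --id "$2" \
      --query 'DelegationSet.NameServers' --output text)
  # $expected is deliberately unquoted: one argument per name server
  dig NS "$1" | ns_delegation_ok "$1" $expected
}

# Constructed sample: resolver returns the delegation (the good case above).
DIG_DELEGATED=$(cat <<'EOF'
;; ANSWER SECTION:
k8stest.blenderfox.uk. 172800 IN NS ns-1353.awsdns-41.org.
k8stest.blenderfox.uk. 172800 IN NS ns-1816.awsdns-35.co.uk.
EOF
)
# Constructed sample: resolver only knows the parent SOA (the failing case).
DIG_SOA_ONLY=$(cat <<'EOF'
;; AUTHORITY SECTION:
uk. 603 IN SOA dns1.nic.uk. hostmaster.nic.uk. 1403374706 7200 900 2419200 603
EOF
)
```

Run `check_zone k8stest.blenderfox.uk <hosted-zone-id>` before `kops create`; a non-zero exit means kops will hit the same "no such host" lookup error described later.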
First, export your AWS credentials as environment variables (I've found Kubernetes doesn't reliably pick up the credentials from the aws cli, especially if you have multiple profiles):
export AWS_ACCESS_KEY_ID='your key here'
export AWS_SECRET_ACCESS_KEY='your secret access key here'
You can also add it to a bash script and source it.
Create the cluster using kops. Note that the number of master zones must be odd (1, 3, etc.); since eu-west-2 only has two zones (a and b), I have to use only one master zone here.
kops create cluster --cloud aws --name cluster.k8stest.blenderfox.uk \
  --state s3://k8sstate --node-count 3 --zones eu-west-2a,eu-west-2b \
  --node-size m4.large --master-size m4.large \
  --master-zones eu-west-2a \
  --ssh-public-key ~/.ssh/id_rsa.pub \
  --master-volume-size 50 \
  --node-volume-size 50
If you get this message:
error doing DNS lookup for NS records for "k8stest.blenderfox.uk": lookup k8stest.blenderfox.uk on 127.0.1.1:53: no such host
It means you haven't done the resolv.conf hack.
Assuming the create completed successfully, update the cluster so it pushes the changes out to your cloud:
kops update cluster cluster.k8stest.blenderfox.uk --yes --state s3://k8sstate
While the cluster starts up, all the new records will be set up with placeholder IPs. Remove your resolv.conf hack now, as it can affect your normal DNS resolution.
Now you’re at a stage where the cluster is starting up but the API server is failing. Currently trying to figure that part out.
Looking forward to when LineageOS can upgrade to Oreo. There’s a lot of new features that may make life a lot easier generally. Take a look in the article for details
We take a 20,000 word deep-dive on Android’s “foundational” upgrades.
Cyanogen’s fork is beginning to take shape. Currently my devices aren’t showing, but fingers crossed they will.
Few points worth noting from their site:
The build roster is ever growing, but we are supporting Marshmallow and Nougat capable devices.
- We’ll list the 80+ devices in a separate post.
Our release cadence will be ‘weekly’ by default (to be nice to all the donated hardware).
We will NOT be shipping root baked into the ROM.
- Root will be a downloadable zip based install similar to gapps installation (only need to flash it once).
- Home builders that want to bake su back into the ROM can use the command ‘export WITH_SU=true’ prior to building.
Our official builds will all be signed with a private key for authentication and signature permission control.
- This will not break, prevent or stop any ‘unofficial’ builds.
- Key verification info can be found on the wiki Verifying Build Authenticity page.
However, also notable and I’m really happy about this:
Regarding installation, we recommend that users wipe when switching to LineageOS, and reinstall their gapps. However, we recognize that this can be time consuming, so we are offering an EXPERIMENTAL (read as, if it fails, you’ll have to wipe anyways) solution.
- Alongside the ‘weekly’ release for your supported device, we’ll provide an EXPERIMENTAL data migration build.
- This build will allow you to ‘upgrade’ from CM to the signed LineageOS weekly
- This build may wipe permissions (you’ll have to re-allow app permissions), but should retain all user data
- This build will be watermarked with an ugly banner to ensure that you don’t permanently run this EXPERIMENTAL release, and upgrade to a normal weekly after.
- The process for this installation will be as follows:
- Install EXPERIMENTAL migration build on top of cm-13.0 or cm-14.1 build (don’t try to install LineageOS 13.0 on top of CM 14.1, that will not work).
- Install LineageOS weekly build
- Re-setup your application permissions
Given the EXPERIMENTAL nature of this process, we are going to remove this option in two months time.
Despite being a library that most people outside of the technology industry have never heard of, the Heartbleed bug in OpenSSL caught the attention of the mainstream press when it was uncovered in April 2014 because so many websites were vulnerable to theft of sensitive server and user data. At LinuxCon Europe, Rich Salz and Tim Hudson from the OpenSSL team did a deep dive into what happened with Heartbleed and the steps the OpenSSL team are taking to improve the project.
An attempt to bust some of the myths that surround Linux. Not a lot of them, but still some of them – some of which I see a lot in Windows communities. And the old classic “Linux is CLI only” (facepalm)