Evilham

Evilham.com

Trying out Kubernetes: etcd

Introduction

As part of trying out Kubernetes, we are going to set up etcd!

etcd is a “distributed reliable key-value store for the most critical data of a distributed system”.

This is where Kubernetes state lives. Given how important that is, and since it makes sense to run it separately from the Kubernetes cluster for High Availability, we will be doing just that, using WMF’s etcd guide as inspiration for the decisions that matter.

Read more!

Trying out Kubernetes: Network

Introduction

As part of trying out Kubernetes: planning, we are going to set up the network and VMs!

Quick reminder that this will be virtualised Linux on a FreeBSD physical host. This part is FreeBSD-specific.

Read more!

Trying out Kubernetes: planning ahead

Introduction

Kubernetes turned 9 years old a couple months ago, so it’s about time I took a more serious look at it.

Kubernetes is an open-source container orchestration system for automating software deployment, scaling, and management.

I have followed its development somewhat closely and kept up with the concepts and architecture, even if I haven’t jumped to actually using it.

First it was due to waiting for things to get stable, then I decided to let the hype wear off.

Now, hype hasn’t worn off, but it is at least a topic treated with some level of nuance: Kubernetes is great, but it comes with some complexity; complexity that is not necessary in many cases. And so we have to make sure that the benefits actually outweigh the overhead for our particular use-case.

As that point nears and I have some days off, I jump into learning the best way I know how: by actually doing things and, this time around, by writing them down for future reference and to be better able to ask for clarification.

Let’s create a “High Availability Kubernetes cluster”! (I guess we’ll [re]define what HA means here a couple times while doing the deed)

Note that I do this from a FreeBSD laptop, against a FreeBSD physical host, but the actual Control Plane and Nodes will be running on bhyve Virtual Machines running Linux on that remote FreeBSD physical host. This should not be too relevant; it just makes networking easier =D (debatable, yes).

This will likely take several posts :-).

Read more!

YubiKey: PGP and SSH authentication

Introduction

I own a few YubiKeys and use them, a lot.

If you are not familiar with YubiKeys, they are hardware tokens that help improve security in multiple ways:

  • They can do WebAuthn (modern web-based two-factor authentication)
  • They can hold secret keys in a way that cannot be extracted, supporting these operations:
    • Signature
    • Encryption
    • Authentication

The most common use, and what is already very useful, is using these hardware tokens for two-factor authentication. For that there are plenty of online resources (though, people certainly can use help understanding and setting that up).

What I really care about is the latter bit: securing secret keys, particularly when it comes to securing SSH access to servers, and how that fits with PGP.

Incidentally, this is where I see most online documentation falling short.

There are similar hardware tokens; YubiKeys are what I’m familiar with and what I’ll assume here.

Read more!

ZFS replication tools

Introduction

Back when I first started using FreeBSD and ZFS, I needed tools with an extremely low barrier to entry that did their job well.

When it comes to creating and pruning snapshots, the job was first done by sysutils/zfs-periodic.

Over time, however, even with minor improvements on my part, it has fallen short of my current needs.

Inspired by Dan Langille’s wonderful blog (Dan always writes great blog posts, which end up being lovely complementary documentation), I document here my somewhat bumpy road through ZFS replication tools and why you might want to use something different at each step.

Read more!