<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>linux on BrainBit Latest Articles</title><link>https://brainbit.uk/tags/linux/</link><description>Recent content in linux on BrainBit Latest Articles</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><lastBuildDate>Thu, 13 Jan 2022 00:00:00 +0000</lastBuildDate><atom:link href="https://brainbit.uk/tags/linux/index.xml" rel="self" type="application/rss+xml"/><item><title>So long dockershim</title><link>https://brainbit.uk/posts/containerd/</link><pubDate>Thu, 13 Jan 2022 00:00:00 +0000</pubDate><guid>https://brainbit.uk/posts/containerd/</guid><description>So long dockershim Hey, as you know, the latest versions of Kubernetes have gotten rid of dockershim, so for example in GKE Docker is not the default runtime anymore &amp;hellip; which is a bit of a pain, because it is handy to ssh into a GKE node and run:
docker exec --user 0 --privileged -it container bash sometimes, when containers run unprivileged and as non-root inside Kubernetes, for example when you need strace, tcpdump, etc.</description></item><item><title>Custom Dialers in Go</title><link>https://brainbit.uk/posts/customdialers/</link><pubDate>Thu, 25 Nov 2021 00:00:00 +0000</pubDate><guid>https://brainbit.uk/posts/customdialers/</guid><description>Custom Dialers Why do you need them? Things like net.Dial are amazing: you can very simply create a socket and write to it, and the same goes for any abstraction really, but the problem begins when you want to do something not covered by the abstraction. This happened to me this week.
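<![CDATA[
As an added example (Go, written for this page; it is not the post's code and it does not use the RabbitMQ library the post is about): the kind of thing net.Dial does not cover is a socket option that has to be set between socket() and connect(). net.Dialer's Control hook exposes exactly that point, and the result can be wrapped in the plain dial-function shape most client libraries accept. SocketOptions, NewDialer, ReadSocketOptions and ProbeLoopback are names chosen here; the example assumes Linux (or another Unix) and checks itself against a loopback listener:

```go
// Added example, not the post's own code: a net.Dialer whose Control hook
// sets socket options that plain net.Dial gives you no way to set, wrapped
// in the func(network, addr string) (net.Conn, error) shape that client
// libraries usually accept as a custom dialer. Assumes Linux or another
// Unix where SO_KEEPALIVE and SO_RCVBUF exist in package syscall.
package main

import (
	"context"
	"fmt"
	"net"
	"syscall"
	"time"
)

// SocketOptions is what the hook applies between socket() and connect().
type SocketOptions struct {
	KeepAlive bool // SO_KEEPALIVE: let the kernel probe idle peers
	RcvBuf    int  // SO_RCVBUF in bytes; 0 leaves the kernel default
}

// controlFunc runs on the raw fd before connect(), the only point at which
// options such as SO_RCVBUF reliably take effect.
func controlFunc(opts SocketOptions) func(network, address string, c syscall.RawConn) error {
	return func(network, address string, c syscall.RawConn) error {
		var sockErr error
		err := c.Control(func(fd uintptr) {
			if opts.KeepAlive {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_KEEPALIVE, 1)
			}
			if sockErr == nil && opts.RcvBuf > 0 {
				sockErr = syscall.SetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF, opts.RcvBuf)
			}
		})
		if err != nil {
			return err
		}
		return sockErr
	}
}

// NewDialer returns a dial function a library can call in place of net.Dial.
// KeepAlive: -1 switches off the net package's own keep-alive setup, so the
// hook is the only thing touching SO_KEEPALIVE and its effect is observable.
func NewDialer(opts SocketOptions, timeout time.Duration) func(network, addr string) (net.Conn, error) {
	d := &net.Dialer{Timeout: timeout, KeepAlive: -1, Control: controlFunc(opts)}
	return func(network, addr string) (net.Conn, error) {
		return d.DialContext(context.Background(), network, addr)
	}
}

// ReadSocketOptions reads SO_KEEPALIVE and SO_RCVBUF back from a TCP conn so
// the caller can confirm what the kernel applied (Linux reports SO_RCVBUF
// doubled, so compare with >= rather than ==).
func ReadSocketOptions(conn net.Conn) (keepAlive bool, rcvBuf int, err error) {
	tcp, ok := conn.(*net.TCPConn)
	if !ok {
		return false, 0, fmt.Errorf("not a TCP connection: %T", conn)
	}
	raw, err := tcp.SyscallConn()
	if err != nil {
		return false, 0, err
	}
	var ka, rb int
	var optErr error
	err = raw.Control(func(fd uintptr) {
		ka, optErr = syscall.GetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_KEEPALIVE)
		if optErr == nil {
			rb, optErr = syscall.GetsockoptInt(int(fd), syscall.SOL_SOCKET, syscall.SO_RCVBUF)
		}
	})
	if err != nil {
		return false, 0, err
	}
	return ka != 0, rb, optErr
}

// ProbeLoopback dials a throwaway 127.0.0.1 listener with NewDialer and
// returns what the kernel reports for the two options on the client socket.
func ProbeLoopback(opts SocketOptions) (keepAlive bool, rcvBuf int, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, 0, err
	}
	defer ln.Close()
	go func() {
		if c, aerr := ln.Accept(); aerr == nil {
			c.Close()
		}
	}()
	conn, err := NewDialer(opts, 2*time.Second)("tcp", ln.Addr().String())
	if err != nil {
		return false, 0, err
	}
	defer conn.Close()
	return ReadSocketOptions(conn)
}

func main() {
	ka, rb, err := ProbeLoopback(SocketOptions{KeepAlive: true, RcvBuf: 65536})
	fmt.Printf("keepalive=%v rcvbuf=%d err=%v\n", ka, rb, err)
}
```

The hook runs once per connection the library opens, so anything you put there (socket marks, TOS bits, buffer sizes, bind-to-device) follows every connection that library makes without the library knowing about it.
]]>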
Socket Options So I&amp;rsquo;ve been doing a lot of work with Go and RabbitMQ, mostly interacting with this library: https://github.</description></item><item><title>Packet Where Are You?</title><link>https://brainbit.uk/posts/pwru/</link><pubDate>Tue, 02 Nov 2021 00:00:00 +0000</pubDate><guid>https://brainbit.uk/posts/pwru/</guid><description>PWRU (Packet Where Are You) Taken from their GitHub repo https://github.com/cilium/pwru : &amp;ldquo;pwru is an eBPF-based tool for tracing network packets in the Linux kernel with advanced filtering capabilities. It allows fine-grained introspection of kernel state to facilitate debugging network connectivity issues.&amp;rdquo;
So it is a tool that attaches a bunch of kprobes to specific kernel functions (or interfaces, I&amp;rsquo;m not so sure) and shows the places in the kernel data path that a given packet traverses</description></item><item><title>Cilium TLS inspection</title><link>https://brainbit.uk/posts/cilium-tls-inspection/</link><pubDate>Sat, 11 Sep 2021 00:00:00 +0100</pubDate><guid>https://brainbit.uk/posts/cilium-tls-inspection/</guid><description>TLS in simple terms When your browser verifies a TLS certificate, it checks expiration, domain names, SANs etc&amp;hellip; but the most important thing it does is verify that the certificate has been signed, directly or via an intermediate, by a CA (Certificate Authority) that it (the browser) trusts. These CAs are a bunch of organisations whose root certificates ship in the browser or OS trust store and that are therefore allowed to sign certificate requests etc.
A self-signed certificate, in general terms, is as valid as a certificate signed by a CA; the main difference is that it is not signed by a CA that the browser trusts.</description></item><item><title>GCP Internal LBs , How dirty?</title><link>https://brainbit.uk/posts/gcp-internal-lbs-how-dirty/</link><pubDate>Wed, 23 Dec 2020 13:22:03 +0000</pubDate><guid>https://brainbit.uk/posts/gcp-internal-lbs-how-dirty/</guid><description>If you ever decide to tcpdump on a node behind a GCP internal load balancer you will be surprised to see that the packets aren’t destined to the interface IP of your VM: the IP headers keep the destination address of the load balancer. Let me draw it:
I have a normal NLB passing traffic to an instance group with a bunch of dnsmasq nodes, nothing out of the ordinary.</description></item><item><title>Bash(and others) things that i use every day</title><link>https://brainbit.uk/posts/bashand-others-things-that-i-use-every-day/</link><pubDate>Tue, 28 Jul 2020 19:23:37 +0000</pubDate><guid>https://brainbit.uk/posts/bashand-others-things-that-i-use-every-day/</guid><description>More and more we embrace bash to do things for which in the past we maybe used lower level languages (Dockerfiles, Makefiles, pipelines, etc.), or at least that’s the way I’m seeing it, so I’m leaving here some little bash things I use every day:
for loops: for i in $(seq 0 3) ; do echo ${i} ; done for i in {0..3} ; do echo $i ; done for i in $(printf &amp;#34;a\nb\nc&amp;#34;) ; do echo $i ; done if else oneliners: [[ $( pgrep nginx | wc -c ) -gt 0 ]] &amp;amp;&amp;amp; echo &amp;#34;nginx running&amp;#34; || echo &amp;#34;nginx not running&amp;#34; [[ $( pgrep nginx | wc -c ) -gt 0 ]] &amp;amp;&amp;amp; echo &amp;#34;nginx running&amp;#34; || { echo &amp;#34;nginx not running&amp;#34; ; systemctl start nginx ; }</description></item><item><title>Docker Quotas and Mario Bros</title><link>https://brainbit.uk/posts/docker-quotas-and-mario-bros/</link><pubDate>Thu, 08 Feb 2018 19:33:48 +0000</pubDate><guid>https://brainbit.uk/posts/docker-quotas-and-mario-bros/</guid><description>Intro: I’ve been meaning to write about Docker and CFS (completely fair scheduler) for a long time, but I’ve been busy with work etc.
I’m going to use Docker to limit a process’s CPU usage, and we are going to explore what kind of metrics we have to troubleshoot an under-provisioned application; we’re going to be playing with fceux and Mario
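<![CDATA[
As an added example (Go, written for this page, not the post's code) of the metrics you get for free once a CPU quota is in place: CFS bandwidth control counts, per period, whether the group ran out of quota, and both cgroup v1 (cpu.stat next to cpu.cfs_quota_us) and cgroup v2 (cpu.stat next to cpu.max) expose those counters. CPUStat, ParseCPUStat and ParseCPUMax are names chosen here, and the two cpu.stat samples are constructed:

```go
// Added example, not the post's own code: parses the CFS bandwidth counters the
// kernel keeps for a cgroup once a CPU limit is set. Docker's --cpus becomes
// cpu.cfs_quota_us/cpu.cfs_period_us (cgroup v1) or cpu.max (cgroup v2), and
// throttling is reported in cpu.stat in both. The cpu.stat and cpu.max
// contents below are constructed samples.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// CPUStat holds the CFS bandwidth counters from cpu.stat.
type CPUStat struct {
	Periods      uint64  // nr_periods: enforcement intervals elapsed
	Throttled    uint64  // nr_throttled: intervals in which the quota ran out
	ThrottledSec float64 // total time spent throttled, in seconds
}

// ThrottledPercent is the share of periods in which the group was throttled.
func (s CPUStat) ThrottledPercent() float64 {
	if s.Periods == 0 {
		return 0
	}
	return 100 * float64(s.Throttled) / float64(s.Periods)
}

// ParseCPUStat accepts the v1 layout (throttled_time in ns) and the v2
// layout (throttled_usec); keys such as usage_usec are ignored.
func ParseCPUStat(content string) (CPUStat, error) {
	var s CPUStat
	seen := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 2 {
			continue
		}
		v, err := strconv.ParseUint(f[1], 10, 64)
		if err != nil {
			return s, fmt.Errorf("cpu.stat %s: %w", f[0], err)
		}
		seen[f[0]] = true
		switch f[0] {
		case "nr_periods":
			s.Periods = v
		case "nr_throttled":
			s.Throttled = v
		case "throttled_time": // v1, nanoseconds
			s.ThrottledSec = float64(v) / 1e9
		case "throttled_usec": // v2, microseconds
			s.ThrottledSec = float64(v) / 1e6
		}
	}
	if !seen["nr_periods"] || !seen["nr_throttled"] {
		return s, fmt.Errorf("no CFS bandwidth counters in cpu.stat (no cpu limit on this cgroup?)")
	}
	return s, nil
}

// ParseCPUMax turns a cgroup v2 cpu.max line ("QUOTA PERIOD" or "max PERIOD")
// into the number of CPUs the group may use; limited is false for "max".
func ParseCPUMax(line string) (cpus float64, limited bool, err error) {
	f := strings.Fields(line)
	if len(f) != 2 {
		return 0, false, fmt.Errorf("cpu.max: want 2 fields, got %q", line)
	}
	if f[0] == "max" {
		return 0, false, nil
	}
	quota, err := strconv.ParseFloat(f[0], 64)
	if err != nil {
		return 0, false, err
	}
	period, err := strconv.ParseFloat(f[1], 64)
	if err != nil || period == 0 {
		return 0, false, fmt.Errorf("cpu.max: bad period %q", f[1])
	}
	return quota / period, true, nil
}

// Constructed samples: a v1 group throttled in 3 of every 4 periods and a v2
// group throttled in 1 of every 4.
const sampleV1 = "nr_periods 1200\nnr_throttled 900\nthrottled_time 45000000000\n"
const sampleV2 = "usage_usec 30000000\nuser_usec 20000000\nsystem_usec 10000000\n" +
	"nr_periods 1200\nnr_throttled 300\nthrottled_usec 6000000\n"

func main() {
	inputs := []string{sampleV1, sampleV2}
	if len(os.Args) > 1 { // e.g. /sys/fs/cgroup/cpu.stat inside a v2 container
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			panic(err)
		}
		inputs = []string{string(b)}
	}
	for _, in := range inputs {
		s, err := ParseCPUStat(in)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("throttled in %.1f%% of %d periods, %.2fs total\n", s.ThrottledPercent(), s.Periods, s.ThrottledSec)
	}
}
```

Pass a path to read a real file. nr_throttled climbing relative to nr_periods is the direct signal of a too-small --cpus value; plain CPU utilisation will look fine, because the process is simply not allowed to use more.
]]>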
CFS (Scheduler): CFS has been the default scheduler of the Linux kernel since 2.6.23; this isn’t an attempt to explain it in depth, but there’s a lot of interesting material about it, including the story of Con Kolivas, the anaesthetist whose scheduler patches prompted its development.</description></item><item><title>Leaked “malware” OutlawCountry review</title><link>https://brainbit.uk/posts/leaked-malware-outlawcountry-review/</link><pubDate>Wed, 05 Jul 2017 12:58:39 +0000</pubDate><guid>https://brainbit.uk/posts/leaked-malware-outlawcountry-review/</guid><description>This week there was a reported leak coming “supposedly” from some security agency. It’s called OC (OutlawCountry), and I don’t know if it should be called malware, because it really doesn’t need to exploit anything, to be fair.
OC is supposed to route some or all of your traffic to a specific endpoint, but the catch is that this “malware” comes prepackaged as a kernel object (.</description></item><item><title>Kubernetes 101 DaemonSets #5</title><link>https://brainbit.uk/posts/kubernetes-daemonsets-sharp/</link><pubDate>Tue, 13 Jun 2017 09:57:38 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-daemonsets-sharp/</guid><description>Hello all, so today we will take a little look at DaemonSets (DS) in Kubernetes; the idea behind a DS is to ensure that all nodes (or some, depending on the selector) are running a copy of a given pod.
A good question would be when to use these, and the documentation refers to things that you want running on every node:
log aggregation and collection, storage clusters, monitoring. They’re described in YAML files like:</description></item><item><title>Let’s look inside the LoopBack</title><link>https://brainbit.uk/posts/lets-look-inside-the-loopback/</link><pubDate>Sat, 10 Jun 2017 13:04:39 +0000</pubDate><guid>https://brainbit.uk/posts/lets-look-inside-the-loopback/</guid><description>Hi guys, I just wanted to take a look inside special devices in the Linux kernel, especially the loopback.
It’s a virtual device that comes with the network stack; as we discussed in previous articles (https://medium.com/@garciaj.uk/the-network-stack-153c92e35b26), the network stack refers to “struct net”. To recap, every time we create a new network namespace we are instantiating a struct net.
(include/net/net_namespace.h)
So that’s the first step; the second step is that the loopback device is implemented as a driver (drivers/net/loopback.c) as far as I can see, so most of its methods are implemented in https://github.</description></item><item><title>From user-land up to the stack</title><link>https://brainbit.uk/posts/from-userland-up-to-the-stack/</link><pubDate>Thu, 08 Jun 2017 15:13:54 +0000</pubDate><guid>https://brainbit.uk/posts/from-userland-up-to-the-stack/</guid><description>In the previous story we saw what the network stack really represents and how it is built up in the kernel; the interesting question is how this works from user-land.
The real question would be: how is it that I see only the namespace’s interfaces when I run ifconfig from within a namespace?
Let me illustrate it
Root Namespace
(We get the loopback, the eths and a veth pair)</description></item><item><title>The Network Stack</title><link>https://brainbit.uk/posts/network-stack/</link><pubDate>Wed, 07 Jun 2017 09:27:43 +0000</pubDate><guid>https://brainbit.uk/posts/network-stack/</guid><description>If you’ve been reading articles/books about Linux namespaces you might have come across variants of this statement: “each network namespace has its own network stack”.
If you have seen this before you might have wondered what it really means; it seems very abstract, as one would guess that a namespace then has its own isolated “methods/functions” to manage network connections coming in and out.</description></item><item><title>Routing to namespaces</title><link>https://brainbit.uk/posts/routing-to-namespaces/</link><pubDate>Tue, 06 Jun 2017 09:35:26 +0000</pubDate><guid>https://brainbit.uk/posts/routing-to-namespaces/</guid><description>I was interested to know how a buffer (skb) is “routed” to a specific namespace or process.
Simple as that, I want to know the mechanism by which userland tells the kernel to send data to a specific namespace/interface.
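<![CDATA[
As an added example (Go, written for this page, not the post's code) of the mechanism the post arrives at: user-land asks the kernel about its namespace's interfaces over an AF_NETLINK socket, and the kernel answers from the struct net of the calling process. Link, parseLinks, ListLinks and buildNewLink are names chosen here; the code is Linux-only and decodes the raw netlink fields as little-endian (x86-64/arm64), which is stated as an assumption in the code:

```go
// Added example, not the post's own code: the user-land side of the netlink
// mechanism. It opens an AF_NETLINK/NETLINK_ROUTE socket, sends an RTM_GETLINK
// dump request and decodes the RTM_NEWLINK records that come back. Linux only.
// The kernel answers with the links of the calling process's network namespace,
// which is why `ip link` inside a namespace only shows that namespace's
// interfaces. The raw ifinfomsg/rtattr fields are decoded as little-endian,
// which assumes an x86-64 or arm64 host.
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"syscall"
)

var native = binary.LittleEndian // assumption: little-endian host

// Link is one RTM_NEWLINK record: an interface index, its name and IFF_UP.
type Link struct {
	Index int32
	Name  string
	Up    bool
}

func rtaAlign(n int) int { return (n + syscall.RTA_ALIGNTO - 1) &^ (syscall.RTA_ALIGNTO - 1) }

// parseLinks decodes RTM_NEWLINK records. Each one is
// nlmsghdr | ifinfomsg (16 bytes) | rtattr list, where an rtattr is a 4-byte
// header (len, type) followed by its payload, padded to 4 bytes.
func parseLinks(reply []byte) ([]Link, error) {
	msgs, err := syscall.ParseNetlinkMessage(reply)
	if err != nil {
		return nil, err
	}
	var links []Link
	for _, m := range msgs {
		if m.Header.Type == syscall.NLMSG_DONE {
			break
		}
		if m.Header.Type == syscall.NLMSG_ERROR {
			return nil, fmt.Errorf("kernel returned NLMSG_ERROR")
		}
		if m.Header.Type != syscall.RTM_NEWLINK || len(m.Data) < syscall.SizeofIfInfomsg {
			continue
		}
		flags := native.Uint32(m.Data[8:12])
		l := Link{Index: int32(native.Uint32(m.Data[4:8])), Up: flags&syscall.IFF_UP != 0}
		for attrs := m.Data[syscall.SizeofIfInfomsg:]; len(attrs) >= syscall.SizeofRtAttr; {
			alen := int(native.Uint16(attrs[0:2]))
			if alen < syscall.SizeofRtAttr || alen > len(attrs) {
				return nil, fmt.Errorf("malformed rtattr: len %d with %d bytes left", alen, len(attrs))
			}
			if native.Uint16(attrs[2:4]) == syscall.IFLA_IFNAME {
				l.Name = string(bytes.TrimRight(attrs[syscall.SizeofRtAttr:alen], "\x00"))
			}
			next := rtaAlign(alen)
			if next > len(attrs) { // the last attribute may carry no trailing padding
				next = len(attrs)
			}
			attrs = attrs[next:]
		}
		links = append(links, l)
	}
	return links, nil
}

// ListLinks asks the kernel for every link in the caller's network namespace.
// NetlinkRIB does socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE), bind(), the
// sendto() of an RTM_GETLINK request flagged NLM_F_DUMP and the recvfrom()
// loop until NLMSG_DONE.
func ListLinks() ([]Link, error) {
	reply, err := syscall.NetlinkRIB(syscall.RTM_GETLINK, syscall.AF_UNSPEC)
	if err != nil {
		return nil, err
	}
	return parseLinks(reply)
}

// buildNewLink encodes one RTM_NEWLINK record the way the kernel would, so the
// decoder can be exercised offline on constructed input.
func buildNewLink(index int32, name string, up bool) []byte {
	nameZ := append([]byte(name), 0)
	attrLen := syscall.SizeofRtAttr + len(nameZ)
	total := syscall.NLMSG_HDRLEN + syscall.SizeofIfInfomsg + rtaAlign(attrLen)
	b := make([]byte, total)
	native.PutUint32(b[0:4], uint32(total))
	native.PutUint16(b[4:6], syscall.RTM_NEWLINK)
	native.PutUint16(b[6:8], syscall.NLM_F_MULTI)
	ifi := b[syscall.NLMSG_HDRLEN:] // family/type left zero, index and flags set
	native.PutUint32(ifi[4:8], uint32(index))
	if up {
		native.PutUint32(ifi[8:12], syscall.IFF_UP)
	}
	attr := ifi[syscall.SizeofIfInfomsg:]
	native.PutUint16(attr[0:2], uint16(attrLen))
	native.PutUint16(attr[2:4], syscall.IFLA_IFNAME)
	copy(attr[syscall.SizeofRtAttr:], nameZ)
	return b
}

func main() {
	links, err := ListLinks()
	if err != nil {
		panic(err)
	}
	for _, l := range links {
		fmt.Printf("%d: %s up=%v\n", l.Index, l.Name, l.Up)
	}
}
```

Run it under ip netns exec in a fresh namespace and only lo comes back, which is the observable half of the answer: the netlink socket belongs to the namespace it was created in, and the link dump walks that namespace's device list and nothing else.
]]>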
So what I’ve found is that the kernel has a specific interface for this use, AF_NETLINK, which has been there since the 2.x kernels. You might find it similar to AF_UNIX or AF_INET, and it is, because it is built on top of the BSD socket API: you create it with socket(), bind() it, and then exchange messages with sendmsg()/recvmsg() (it is datagram-oriented, so there is no listen()/accept()).</description></item><item><title>Kubernetes 101 Rollouts2 #5</title><link>https://brainbit.uk/posts/kubernetes-rollouts-sharp/</link><pubDate>Wed, 31 May 2017 07:53:51 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-rollouts-sharp/</guid><description>So what happens when you roll out? Some containers will be destroyed, maybe containers that live traffic goes to, sticky sessions, etc.
I wanted to quickly see how smooth the transition is, so let’s create a deployment, update the image and run siege to see how much we lose:
Siege:
The % might not be an accurate measure since I was running siege before the rollout, but 37 transactions failed at a rate of 78/sec; this isn’t so bad, but I’m sure there are ways to do this better.</description></item><item><title>Kubernetes 101 #4 Rollouts</title><link>https://brainbit.uk/posts/kubernetes-sharp-rollouts/</link><pubDate>Wed, 31 May 2017 07:26:25 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-sharp-rollouts/</guid><description>Quick one about rollouts: the idea is to “update” Docker images to a new version “without” disrupting services… that is relative, and it is something I would like to investigate later on.
But the general idea is that you have a deployment using a given version:
So this deployment will create a ReplicaSet with 3 pods running nginx:1.7.9.
So the idea is that you change the image and update the deployment; this can be done in a few different ways, but one of them would be:</description></item><item><title>Kubernetes 101 iptables? #3</title><link>https://brainbit.uk/posts/kubernetes-iptables-sharp/</link><pubDate>Tue, 30 May 2017 14:27:39 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-iptables-sharp/</guid><description>I wanted to do some digging into how services work within the nodes, that is, how packets are forwarded from the outside, evil and relentless world to the container through bridges etc.
So step 1, find which port the service is bound to:
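<![CDATA[
The chain walk that starts here, as an added example (Go, written for this page, not the post's code): from the NodePort rule in KUBE-NODEPORTS, follow each -j into the KUBE-SVC chain and on into the KUBE-SEP chains until the DNAT rules name the pod endpoints. The parser runs over iptables-save output; the sample is constructed, the KUBE-SVC chain name is the one from the post, and the KUBE-SEP names, the 172.17.0.x pod IPs and the function names are made up here:

```go
// Added example, not the post's own code: walks kube-proxy's nat rules the way
// the post does by hand, from the NodePort in KUBE-NODEPORTS through the
// KUBE-SVC-... chain to the KUBE-SEP-... DNAT targets. Input is iptables-save
// output; the sample below is constructed, and its KUBE-SEP names and pod IPs
// are made up (the KUBE-SVC name is the one from the post).
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Rule is one "-A CHAIN ..." line, split into tokens.
type Rule struct {
	Chain string
	Args  []string
}

// splitArgs splits on spaces but keeps a double-quoted comment (which may
// contain spaces) as a single token.
func splitArgs(line string) []string {
	var out []string
	var cur strings.Builder
	inQuote := false
	for _, r := range line {
		switch {
		case r == '"':
			inQuote = !inQuote
		case r == ' ' && !inQuote:
			if cur.Len() > 0 {
				out = append(out, cur.String())
				cur.Reset()
			}
		default:
			cur.WriteRune(r)
		}
	}
	if cur.Len() > 0 {
		out = append(out, cur.String())
	}
	return out
}

// ParseRules indexes the "-A" lines of an iptables-save dump by chain.
func ParseRules(save string) map[string][]Rule {
	rules := map[string][]Rule{}
	for _, line := range strings.Split(save, "\n") {
		f := splitArgs(strings.TrimSpace(line))
		if len(f) < 2 || f[0] != "-A" {
			continue
		}
		rules[f[1]] = append(rules[f[1]], Rule{Chain: f[1], Args: f[2:]})
	}
	return rules
}

// option returns the value following flag in the rule, or "" if absent.
func (r Rule) option(flag string) string {
	for i := 0; i+1 < len(r.Args); i++ {
		if r.Args[i] == flag {
			return r.Args[i+1]
		}
	}
	return ""
}

// endpoints follows -j targets from chain until it reaches DNAT rules and
// collects their --to-destination values; depth caps cycles in broken rule sets.
func endpoints(rules map[string][]Rule, chain string, depth int) []string {
	if depth == 0 {
		return nil
	}
	var out []string
	for _, r := range rules[chain] {
		target := r.option("-j")
		switch {
		case target == "DNAT":
			out = append(out, r.option("--to-destination"))
		case strings.HasPrefix(target, "KUBE-"):
			out = append(out, endpoints(rules, target, depth-1)...)
		}
	}
	return out
}

// ResolveNodePort returns the pod endpoints reachable through a NodePort.
// Every KUBE-NODEPORTS rule for the port is followed, because the first one
// is usually the KUBE-MARK-MASQ jump rather than the service chain.
func ResolveNodePort(rules map[string][]Rule, port int) ([]string, error) {
	want := strconv.Itoa(port)
	var eps []string
	found := false
	for _, r := range rules["KUBE-NODEPORTS"] {
		if r.option("--dport") != want {
			continue
		}
		found = true
		eps = append(eps, endpoints(rules, r.option("-j"), 8)...)
	}
	if !found {
		return nil, fmt.Errorf("no KUBE-NODEPORTS rule for port %d", port)
	}
	if len(eps) == 0 {
		return nil, fmt.Errorf("port %d has no DNAT endpoints behind it (service without ready pods?)", port)
	}
	return eps, nil
}

// sampleSave is a constructed nat-table excerpt; the KUBE-SEP names and pod IPs are made up.
const sampleSave = `
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:" -m tcp --dport 30235 -j KUBE-MARK-MASQ
-A KUBE-NODEPORTS -p tcp -m comment --comment "default/nginx:" -m tcp --dport 30235 -j KUBE-SVC-URRHIARQWDHNXJTW
-A KUBE-MARK-MASQ -j MARK --set-xmark 0x4000/0x4000
-A KUBE-SVC-URRHIARQWDHNXJTW -m comment --comment "default/nginx:" -m statistic --mode random --probability 0.50000000000 -j KUBE-SEP-XXXXXXXXXXXXXXX1
-A KUBE-SVC-URRHIARQWDHNXJTW -m comment --comment "default/nginx:" -j KUBE-SEP-XXXXXXXXXXXXXXX2
-A KUBE-SEP-XXXXXXXXXXXXXXX1 -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 172.17.0.4:80
-A KUBE-SEP-XXXXXXXXXXXXXXX2 -p tcp -m comment --comment "default/nginx:" -m tcp -j DNAT --to-destination 172.17.0.5:80
`

func main() {
	eps, err := ResolveNodePort(ParseRules(sampleSave), 30235)
	fmt.Println(eps, err)
}
```

On a node, feed it the output of iptables-save -t nat. The statistic/probability match on the first KUBE-SEP jump is kube-proxy's random load balancing; the walker ignores it because the question here is which endpoints are reachable, not how traffic is split.
]]>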
The port is 30235, apparently; now let’s look at iptables inside the node. Notice that it does a -j (jump) to another chain, in this case KUBE-SVC-URRHIARQWDHNXJTW</description></item><item><title>Quickly JSON.parse() on command line</title><link>https://brainbit.uk/posts/quickly-jsonparse-on-command-line/</link><pubDate>Tue, 30 May 2017 13:16:43 +0000</pubDate><guid>https://brainbit.uk/posts/quickly-jsonparse-on-command-line/</guid><description>I was trying to get some data out of etcd (Kubernetes) and I found the value was returned as a string:
You can see the quotes at the beginning, so after playing with sed for a bit, getting nowhere, I discovered the -r (raw output) flag of jq, so…
As you can see, now you have a JSON object back that we can pass to jq again:
Just that.</description></item><item><title>Kubernetes 101 Services #2</title><link>https://brainbit.uk/posts/kubernetes-services-sharp/</link><pubDate>Tue, 30 May 2017 08:58:50 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-services-sharp/</guid><description>So I wanted to talk a little bit about Services and addressing today. When you create a deployment, “A declarative update for pods and replicasets”, like the one we’ve created in the previous article, you get:
a pod (with x amount of replicas) and a ReplicaSet. So we will need Services; Services are an abstraction lying “logically” on top of pods, the idea being that pods are non-static entities: pods die (old releases) and new ones are created.</description></item><item><title>Kubernetes 101 Basics #1</title><link>https://brainbit.uk/posts/kubernetes-basics-sharp/</link><pubDate>Mon, 29 May 2017 08:41:39 +0000</pubDate><guid>https://brainbit.uk/posts/kubernetes-basics-sharp/</guid><description>Hi all, I’ve started playing with Kubernetes some time back, and I wanted to write a series of articles about it, maybe starting with the basics and syntax and finishing with the internals (if I get time to learn it myself).
First of all, we are going to use minikube for this series; when we get to parts where minikube isn’t enough then we’ll plan something else.</description></item><item><title>Tmux productivity!</title><link>https://brainbit.uk/posts/tmux-productivity/</link><pubDate>Sat, 14 Jan 2017 19:24:35 +0000</pubDate><guid>https://brainbit.uk/posts/tmux-productivity/</guid><description>Terminal multiplexers have been around for a long time, but I never was a big fan of screen; for a long time I used dedicated terminals, until tmux came along. I have spent ridiculous amounts of time trying to work with the minimum effort possible and without reaching for the mouse, so this list is what I think is essential for my productivity:</description></item></channel></rss>