Introducing bunkerized-nginx 🔗I heard about bunkerized-nginx a while ago and I thought it would be nice to use it as a reverse proxy so I can expose my internal services to the internet ‘safely’. A non-exhaustive list of features (copy & paste from the README): HTTPS support with transparent Let’s Encrypt automation State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, … Integrated ModSecurity WAF with the OWASP Core Rule Set Automatic ban of strange behaviors with fail2ban Antibot challenge through cookie, javascript, captcha or recaptcha v3 Block TOR, proxies, bad user-agents, countries, … Block known bad IP with DNSBL and CrowdSec Prevent bruteforce attacks with rate limiting Detect bad files with ClamAV Easy to configure with environment variables or web UI Automatic configuration with container labels A must have for me was having support for Let’s Encrypt and having an easy way to configure it.

podman play kube 🔗One of the cool things about podman is that is not just a docker replacement, it can do so much more! The feature I’m talking about is being able to run Kubernetes YAML pod definitions! How cool is that? You can read more about this feature in the podman-play-kube man, but essentially, you just need a proper pod yaml definition and podman play kube /path/to/my/pod.yaml will run it for you.

Introduction 🔗Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. Inspektor Gadget is deployed to each node as a privileged DaemonSet. It uses in-kernel BPF helper programs to monitor events mainly related to syscalls from userspace programs in a pod. The BPF programs are run by the kernel and gather the log data. Inspektor Gadget’s userspace utilities fetch the log data from ring buffers and display it.

Preparation 🔗Ensure your workers have the virtualization flag enabled: for node in $(oc get nodes -o name | grep kni1-worker); do oc debug ${node} -- grep -c -E 'vmx|svm' /host/proc/cpuinfo done That snippet should return the number of cpu cores with virtualization enabled (it should be all of them). Subscription 🔗cat <<EOF | oc apply -f - apiVersion: v1 kind: Namespace metadata: name: openshift-cnv --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: kubevirt-hyperconverged-group namespace: openshift-cnv spec: targetNamespaces: - openshift-cnv --- apiVersion: operators.

Preparation 🔗Label the nodes you want to use for OCS, in my case: for node in $(oc get nodes -o name | grep kni1-worker); do oc label ${node} cluster.ocs.openshift.io/openshift-storage='' done Local storage operator 🔗Deploy the local storage operator cat <<EOF | oc apply -f - apiVersion: v1 kind: Namespace metadata: name: local-storage spec: {} --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: annotations: olm.providedAPIs: LocalVolume.v1.local.storage.openshift.io name: local-storage namespace: local-storage spec: targetNamespaces: - local-storage --- apiVersion: operators.

SCCs 🔗There are tons of information out there about SCCs, but in this post we will be focused on how to create and use a custom SCC only. See the OpenShift official documentation on Managing Security Context Constraints for more details. Custom SCC 🔗In the event of requiring a custom SCC, there are a few steps that need to be done to be able to use the SCC properly. Minimal capabilities 🔗The best way to create a custom SCC would be to build it based on the most restricted one (hint: its name is restricted) and then start adding capabilities and permissions depending on the application requisites.

I wanted to easily switch between my regular desktop configuration: All the external displays: To a single external display: Or just the laptop screen: This usually required to open gnome-control-center, then click displays, etc. So I thought it would be nice to look for a extension in the Gnome Extensions site… but I couldn’t find any that worked as I wanted… so let’s try to do our own method! :)

Quick howto to make podman rootless containers work in RHEL7: sudo yum clean all sudo yum update -y sudo yum install slirp4netns podman -y echo "user.max_user_namespaces=28633" | sudo tee -a /etc/sysctl.d/userns.conf sudo sysctl -p /etc/sysctl.d/userns.conf sudo usermod --add-subuids 200000-300000 --add-subgids 200000-300000 $(whoami) podman system migrate Then, logout and log-in again. Easy peasy!

Introduction 🔗NetApp filers can be used to provide dynamic storage to OCP4/k8s using NetApp’s Trident storage orchestrator. In order to be able to use it, you need to have a real NetApp hardware to play with. It is also true that NetApp offers a simulator to play with. NOTE: The Simulator is not publicly available and you can only access to it if you are a customer or partner. It is required for you to have a proper NFS license.

Intro 🔗As I mentioned in my previous post, everything was working flawlessly… except for a bluetooth issue in my raspberry pi 3 that basically renders bluetooth unusuable… but it is rebooted daily via a cron job, so minor issue :) (I know I know, I’m planning to do a better workaround…) This was good enough, but a few days ago I decided to give k3sup a chance and install k3s (a lightweight Kubernetes distribution focused on ARM/IoT devices) in a spare pine64 that was gathering dust in a drawer :)