Its up to you to make your systems redundant, not them. So a "break in redundancy" does not fall on the provider.

https://www.vultr.com/company/sla/

This page is nonsensical as 100% uptime is not a realistic achievable metric. I think the credit is just a way to not be held to a specific SLA and it's cheaper for them to give credits out than to provide consistent 4-5 9's of service.

Anyway it's on the consumer to provide the redundancy. I'm assuming with VPS providers like Vultr it's harder to do cross AZ replication because I'm assuming things like instance groups don't span data centers, but I could be wrong.

@scottalanmiller said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

https://thenewstack.io/solarwinds-the-worlds-biggest-security-failure-and-open-sources-better-answer/

Looks like someone doesn't know what k8s Network Policies are and has never used a service mesh

Honestly the best thing in my opinion is put k3os on it and run the stuff in a single node Kubernetes cluster. You'll get experience with k8s and the applications use very little resources when deployed this way.

I don't know Windows at all, but wasn't there like a fast boot option that you had to shut it down a specific way to bypass? Is that still a thing?

@Dashrender said in Work from Home - Computer setups:

reading things at the top of the vertical monitor would seem to potentially be an issue, no?

Nah, it's not bad. Having that for code is much nicer. That was kind of a low picture. At sitting height it's not that bad.

Pardon the unfinished basement in the background. This was before I had my thunderbolt dock so only the one monitor would come on.

I'm full remote, and I have a Macbook Pro for work and an XPS 13 for personal. I use both for work interchangeably. I have a 34" curved ultrawide and a vertical 27" beside it. Everything is on a desk that's standing or sitting (by crank). And I have a desk I made that I can attach to my treadmill to walk and work at the same time.

@DustinB3403 said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

but if SolarWinds supplied MD5 and SHA256 checksums for their installations, and organizations verified it against what they downloaded they might have noticed that something was at least off

Sadly this most likely wouldn't have caught it. If the vulnerability was done during the build pipeline (source code injection, artifact injection, etc) the check sums would still match.

@Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

@scottalanmiller said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

@Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

Really? What makes you say that?

Because it can be audited. It simply takes a situation that is X and improves it. Better is better, it's that simple.

Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking.

This is an anecdote and means nothing here. How many bugs have been in closed source software for decades, sometimes even AFTER someone discovered them? How many are in there now, you don't know, because it's closed. So never, ever, ever can you state something like this and imply that it's meaningful.

You are implying the "perfect or nothing" argument. You are ignoring the simple fact that being open has to improve the chances of catching a bug (because there's nothing that makes it worse and so much than makes it better) and pointing out only that by being open source it didn't prevent the possibility of bugs. No one ever has claimed such a ridiculous thing. So pointing it out has no purpose. The point is that being open would make it many times more likely to be found, and many, many times more likely to have been disclosed once found.

That this is closed source, we have to assume that the vendor is keeping stuff hidden. We have zero reason to believe that they did or didn't already know about it. Closed source is not just a mechanism for hiding how things are done, it's also a major mechanism for hiding mistakes.

Being open means that nothing can be hidden. And it means that there are more mechanisms for finding something. Both of those things mean that, on average, things are found (and disclosed) sooner.

That wasn't my point -

I agree open is better, but bug still exist, often time for years, decades even, until someone looks.

There is so much believe that just because it's open source that it's been vetted by many many people, and that's just simply not true.

Those are bugs. It's different, because this was purposefully injected. There are tons of tools that scan for malicious code. An example is being at FDX they used Sonarqube and other tools like Fortify to find vulnerabilities in code.

This may not have been source code though. That's why there's initiatives for things like supply chain trust in software (TUF,notary,in-toto, etc). This was either source code, an artifact in the build process, or something in the release process.

Open source is great, but if you can't verify the build was done properly then there could be injections during the build which you wouldn't catch in the code. Companies need to start demanding the build process be auditable with some kind of supply chain verification like the tools mentioned, where the BOM can be signed and audited.

Put one of these on the wall and attach it to the phone:

@Dashrender said in SolarWinds' Orion monitoring platform may have been tampered with by attackers:

Really? What makes you say that?

Didn't some bug that was in Linux for more than a decade just get discovered last year? Being open source makes it easier to find them, sure, but more likely? Only if someone is looking.

I think the difference is one was a bug and one was injected maliciously. I'm not saying it would have definitely been found, but bugs look a bit different than purposefully malicious code.

It's also that it at least has the opportunity to be found.

A lot also depends on how things like pull requests/merge requests are approved as well.

@scottalanmiller said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

What do you mean about third party applications? That's pretty much what most people use it for unless you're an enterprise and writing micro services.

Meaning an application that's coming from an outside vendor rather than an internal team. When I see Docker being used by developers who are accountable (because they are internal) to the operations team, it seems to get used when. But too often what I see is developers just using Docker to presumably skip the due diligence in making things deployable and the result is a mess that "works for them" but no one else can figure out how to get to work as no one knows what their dependencies were that made it work.

Docker makes it easy to feel like you don't have to do anything and can just throw the product "over the wall" and not have to deal with it. And when devs aren't accountable to anyone, there's nothing to stop them from doing that.

I'd have to see an example of what you mean about "works for them but no one else can figure it out". Everything is defined in the Dockerfile. Its not hidden from anyone. So you can clearly see the dependencies.

Coming from a large enterprise that still wrote some legacy apps that weren't containerized, the throwing over the wall happened way more often on the not containerized side. I'd have to see an example of how that would work in the container space to understand what you mean here.

@travisdh1 said in Virtual appliances?:

@stacksofplates What the what?

1. Install Fedora
2. sudo dnf install -y kubernetes
3. `systemctl enable --now podman1

That's all it takes.

Yeah I see you haven't actually done that.

1. Podman is not Kubernetes. Also when you install Kubernetes you don't get a podman1 service (or any type of podman service).
2. When you install Kubernetes that way you don't get a Kubernetes service. You seemingly have to start the kube-proxy, kube-scheduler, kube-controller-manager, kube-api-server, and the kubelet separately.
3. It installs docker, which is deprecated in k8s now. They have switched to using containerd which is pretty much the standard runtime now.

So I'll stick with my original recommendation.

Here's an example. To set up Flux you run these couple commands:

helm repo add fluxcd https://charts.fluxcd.io

kubectl apply -f https://raw.githubusercontent.com/fluxcd/helm-operator/master/deploy/crds.yaml

kubectl create namespace flux

helm upgrade -i flux fluxcd/flux \
   --set [email protected]:user/some-repo \
   --namespace flux

that sets up Flux. Flux is now watching the repo you told it there in the last command.

If you don't use a predefined key, you just grab the SSH key Flux created and add it to your repo.

Then to deploy something like NextCloud, you need these two files. The first creates a namespace for nextcloud. Not a requirement, but makes sense. The second is a HelmRelease file that the Flux Helm Operator uses to read the Helm chart for NextCloud.

apiVersion: v1
kind: Namespace
metadata:
  name: nextcloud

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: nextcloud
  namespace: nextcloud
  annotations:
    fluxcd.io/automated: "true"
    filter.fluxcd.io/chart-image: "glob:*"
spec:
  releaseName: nextcloud
  chart:
    repository: https://nextcloud.github.io/helm/
    name: nextcloud
  values:
    replicaCount: 2
    any other values here to override in the chart

that's it. You now have a fully automated system that will automatically deploy the new updates to your NextCloud pods. You can disable the auto updates by removing the annotations and then manually update the container versions by adding the version in the HelmRelease. Once it's approved, then Flux will update the containers.

You also have have a deployment that created a replicaset of your pod because you defined 2 for your replicacount. So any traffic entering your cluster will be split between both replicas (or more if you define more). By default, k8s does a rolling update. So pods aren't all killed at once. The first pod will be terminated and a new one spun up with the updates. When it's live, the second will be terminated and recreated with the updates. So your service stays live during updates.

It's that easy. It shouldn't take you more than 10 minutes to set Flux up. And then the rest is the specific things you need the apps to do. Like with NextCloud the type of database, if you want ingress or not, those kinds of options.

Containers and container orchestrators help literally every business from small to giant enterprises developing hundreds to thousands of internal microservices.

I don't even have some things installed on my system anymore. I'll just run a container to use a specific tool and kill the container when I'm done. You can even have full dev environments packaged up in a contianer and have VSCode deploy itself in the container so you have a consistent development environment across different users. And that happens literally with the push of a button in VSCode.

@JaredBusch said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

@JaredBusch said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

This day and age Id just prefer a container. They're so much easier to deploy and manage.

Only when done right, which is still not often, IMO.

Btw not trying to argue with you. People def do it wrong. I'm just saying I've seen them do it wrong with VMs too.

Oh I completely understand. Docker is super abused though.

What do you mean by abused?

@Pete-S said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

@scottalanmiller said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

@JaredBusch said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

This day and age Id just prefer a container. They're so much easier to deploy and manage.

Only when done right, which is still not often, IMO.

That argument could be made for pretty much anything though. I think even on a single host it's easier to manage.

True. I think the problem is that Docker feels like it's never set up correctly for third party application deployments. As a tech it's amazing, in the real world, it seems to result it devs bypassing all operational oversight and apps that have good code and no production way to deploy.

What do you mean about third party applications? That's pretty much what most people use it for unless you're an enterprise and writing micro services.

There isn't any need for operational oversight of devs because it's all done through things like merge/pull requests. Then tools like Flux/Argo/whatever deploy it for you.

I'm not sure what you mean about no production way to deploy. Automated pipelines are a more production way that just installing packages in systems. You have easier rollback, easier ways to apply seccomp profiles, resources, etc. Its very production ready.

I think there is a big difference in the production environment of say a SaaS company compared to the rest of the companies that are not in the software business.

CI/CD pipelines seems highly unlikely in a company that doesn't develop software or provide software services. Why would they have that?

If you have enough workloads you need automation tools to deploy patches and administrate your environment but that is a different thing and something all environments of size needs.

SaaS companies aren't the only ones with internal development. Pretty much any fortune 1000 and up has that.

But yes pipelines are mostly for internal development. But you also can just deploy containers the same way. If you aren't using a CD tool to deploy the update containers automatically, you would have a merge/pull request with the new container tag. The same idea applies, just not with the CI part.

Its not about enough workloads to automate deployment. It takes almost no effort to automate container deployments. You run a helm install command against your cluster to set Flux up and then have it read a couple yaml files. Its less work to do that than update software the old way.

@travisdh1 said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

I think it's more of the application now. If it was something designed for Windows 2003 and you put it in a container it wouls be terrible, but it would also be terrible installed normally. K8s is so easy to set up now that it's trivial to get things going. Even if you just use podman and systemd I think it's a step above installing the application in a VM.

I need to try out K8s again. The first time I tried using it was early days and a pain. From what your saying it's a lot better/easier now.

For remote systems, k3s is probably easiest.

curl -sfL https://get.k3s.io | sh - Run that and you have k8s.

For local work, kind is probably easiest. It runs containers as k8s nodes that then run Docker so you can deploy to them. It works really well.

@scottalanmiller said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

@JaredBusch said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

This day and age Id just prefer a container. They're so much easier to deploy and manage.

Only when done right, which is still not often, IMO.

That argument could be made for pretty much anything though. I think even on a single host it's easier to manage.

True. I think the problem is that Docker feels like it's never set up correctly for third party application deployments. As a tech it's amazing, in the real world, it seems to result it devs bypassing all operational oversight and apps that have good code and no production way to deploy.

What do you mean about third party applications? That's pretty much what most people use it for unless you're an enterprise and writing micro services.

There isn't any need for operational oversight of devs because it's all done through things like merge/pull requests. Then tools like Flux/Argo/whatever deploy it for you.

I'm not sure what you mean about no production way to deploy. Automated pipelines are a more production way that just installing packages in systems. You have easier rollback, easier ways to apply seccomp profiles, resources, etc. Its very production ready.

@JaredBusch said in Virtual appliances?:

@stacksofplates said in Virtual appliances?:

This day and age Id just prefer a container. They're so much easier to deploy and manage.

Only when done right, which is still not often, IMO.

Btw not trying to argue with you. People def do it wrong. I'm just saying I've seen them do it wrong with VMs too.

I think it's more of the application now. If it was something designed for Windows 2003 and you put it in a container it wouls be terrible, but it would also be terrible installed normally. K8s is so easy to set up now that it's trivial to get things going. Even if you just use podman and systemd I think it's a step above installing the application in a VM.