Unsharing is Caring – User Namespace, Rootless containers and Security

Those who have been working with containers have long been worried about the security aspects of the underlying containers. One of the vulnerabilities associated with containers is running them as the root user. Containers have often needed to perform privileged tasks, such as mounting filesystems or manipulating packet route tables on the host network, which have historically required privileged access on the underlying host machine. This has allowed malicious actors to try to exploit vulnerabilities in the container host.

With rootless containers, we are slowly moving past this scenario. Rootless containers refers to the ability of an unprivileged user to create, run and otherwise manage containers. The term also covers the variety of tooling around containers that can likewise be run as an unprivileged user.


Another blog on Docker deprecation in Kubernetes and what needs to be done about it

In the Kubernetes release v1.20, the development team marked dockershim as deprecated. There was initially some shock and confusion, as it was perceived that the team was moving away from Docker completely; however, that is not the case. As it turns out, what the team is doing is steering Kubernetes away from the proprietary parts of Docker Engine, often simply called Docker. The Docker Engine is composed of many sub-components such as dockerd, containerd and runc, many of which were initially developed by Docker Inc. and then handed over to the community, where they were later standardized and are now maintained.

The Kubernetes community has written a detailed blog post about the deprecation, with a dedicated FAQ page. This blog post is written to understand the impact and what needs to be done about it. Depending on how you use Docker and how you think about it, you may or may not have to do anything about it, or lose any sleep over it.


Working with arguments in Bash Scripting

Bash scripting has many special shell variables like $*, $#, $?, etc. that help users write more powerful and versatile scripts. Using these shell variables, one can code for many scenarios that are otherwise not possible.

One of the common requirements is to write more generic code and run it with specific arguments supplied at run time. Since script users can't always be trusted to supply all arguments properly, it is beneficial to make the script check for conditions such as how many arguments were supplied and whether the arguments are valid. Since Bash also does not natively offer a way to declare named parameters for scripts, you also need to process the arguments in the correct order. For this, Bash offers the special variables $1, $2, ..., $9 as positional parameters.


Setup Local Kubernetes Cluster with Docker, WSL2 and KinD

Kubernetes has raced ahead of other container management platforms in the last few years. However, there remain difficulties in setting up and running multi-node clusters for developers to test their container workloads. Many organizations get around this by provisioning separate Kubernetes clusters for devs. Some go to the extent of provisioning one Kubernetes cluster per developer. However, this soon becomes an additional hassle for devs and ops alike and also keeps contributing to the company's rising costs.

Minikube is one of the solutions that can be used in this scenario, but Minikube is limited to a single-node setup. To gain Kubernetes experience, most people need to run multi-node clusters. KinD is a tool for running local Kubernetes clusters using Docker container nodes. KinD was primarily designed for testing Kubernetes itself, but may be used for local development or CI.


Get timestamps in Bash history

Although the history command utility in Linux is already nice, it would be great to have a timestamp to understand when certain commands were run. This is particularly useful for organizations that need to meet certain audit requirements. We can easily configure timestamps by using the HISTTIMEFORMAT environment variable in the following way:

HISTTIMEFORMAT="%d/%m/%y %T "  # for e.g. "13/03/21 15:59:59"
HISTTIMEFORMAT="%F %T "        # for e.g. "2021-03-13 15:59:59"

Solve your CIDR calculations without leaving terminal in Linux

Every system admin in this world has run into the problem of calculating IP address ranges, network masks, usable IP addresses, etc. for one reason or another. It is a very important part of networking-related operations, and what would a server be without any clients or IP addresses? Some people consider it so important that they expect you to do calculations like these in your head in job interviews. There are also various websites online just for running CIDR calculations. However, it is all additional steps and a hassle.

Fortunately, if you are a Linux user, you can make life easier for yourself by using the utility sipcalc. It is a simple command line tool which is available in the EPEL repo.


Convert JKS and P12 to Crt and Key files with OpenSSL

PKCS#12 is a successor to Microsoft's PFX format. It defines an archive file format for storing many cryptographic objects in a single file. It is commonly used to bundle a private key with its X.509 certificate, or to bundle all the members of a chain of trusted certificates, starting from the root certificate authority. The PFX (.pfx) and PKCS#12 (.p12) files, and the terms themselves, are used somewhat interchangeably and refer to the same standard.

PKCS#12 files are normally generated using OpenSSL, which is an open-source tool. We can use the same tool to convert JKS (Java keystore) and PKCS#12 certs to crt and key files.
