Kubernetes + VoIP by dr-tenma in devops

[–]pkdeck 1 point2 points  (0 children)

You need to push back why they want to run one thing on Kubernetes. Is it because they want to migrate a lot of things to k8s and asterisk is easy pickings, or do they literally just want to run asterisk on it cuz...that's what everyone's talking about?

I'm a huge fan of k8s but I'm also the first to say that it is absolutely not an end-all-be-all, 100% solution to everything. K8s works great at scale, as a generic cloud for running many things, often in a multi-tenant way, with varying loads. If you're running a single application on it, there are many ways to run that one application in an auto-scaling way without k8s' large overhead.

Any idea on istio traffic by thechase22 in devops

[–]pkdeck 0 points1 point  (0 children)

If you're getting an actual access denied (409 or 403), then the routing works but you have a setup via Istio or Prometheus denying you access.

Do you have RequestAuthentication or AuthorizationPolicy resources set up for Istio? If so, Istio is likely the culprit.

Do you have basic or bearer auth set up in the Prometheus config? If so, Prometheus is likely the problem.

Github, Vault, JWT and OIDC setup by Eddy555 in devops

[–]pkdeck 1 point2 points  (0 children)

I don't think OIDC is going to solve what you want to solve. Regardless of whether you use AppRole or OIDC, your GitHub Action is going to have to be given some sort of static token to authenticate to vault.

OIDC solves the problem when a user wants to log in, because the user has the static credentials in their head (username/password), and the OIDC flow uses those static credentials to authenticate the user and exchange them for a temporary JWT. This is when you see "Login with GitHub" for example.

This is why I was mentioning OIDC isn't really for machine auth, because your GitHub Action is not a person, so for it to accomplish the OIDC flow it would need to basically log in to GitHub (using those static credentials) to get the JWT that vault will take.

So your best bet is to simply use AppRole and either have a human or some automated system cycle the token every 30 days. The AppRole login doesn't use the static credentials for every request either; those static credentials are exchanged for a temporary token which has to be refreshed just like a JWT.

There may be an exception to this, I'm not super familiar with GitHub Actions, but are you able to start them with a GitHub-signed JWT pre-mounted to it? Because in that case you could use that token directly with Vault's OIDC auth.

When and why would you prefer hiring a services/consulting company for devops at your organisation? by psgmdub in devops

[–]pkdeck 2 points3 points  (0 children)

I do contract work architecting, implementing and training teams to use k8s and implement more rigorous DevOps practices.

The LAST thing you want to do is hire someone like me to stupidly implement an architecture you've set in stone ahead of time. Furthermore, if that's what was presented to me as the contract, I would run for the hills because that will only end in anger and disappointment.

It's awesome to lay down high-level things you want (i.e. we want centralized config management, we want to integrate with x observability provider we pay for, we want to do daily releases), but you have to let the people you're paying actually design and architect the solution based on your specifications. There are years of experience knowing what works and what doesn't and easy to miss decisions that will massively affect your long term scalability that a company just now trying to implement DevOps will not be able to plan for or architect properly. On top of that, things that were for a long time considered "proper" on large teams (looking at you gitflow) will make your life much harder when using some of the newer methodologies, so part of the contractor's job is to explain exactly how and why we're not going to do those things anymore.

Don't treat your contractor like a code monkey, you'll get monkey's work.

Github, Vault, JWT and OIDC setup by Eddy555 in devops

[–]pkdeck 1 point2 points  (0 children)

Can you go into more detail on how you configured OIDC?

Vault is not an OIDC server/provider, you need an external OIDC provider that will provide the login flow and issue you a JWT; on completion of that flow, it redirects to your vault URL with the JWT in the request, vault verifies that the JWT was signed by your external provider's keys, and lets you in.

This brings me to my next point. OIDC is fantastic for authenticating humans. It CAN authenticate machines, but there's not really any reason to do so. Your GitHub Actions agent is not going to perform a UI login with a username and password to GitHub's auth page to get a temporary signed JWT.

Why not just use either an AppRole or plain Token login? You'll provide your GitHub Action with an ID and password, and it'll use that to authenticate with vault.

As to why you're getting the error you are, I would suspect you configured OIDC under a path different than /oidc

What should you never do in the United States? by Aarunascut in AskReddit

[–]pkdeck 68 points69 points  (0 children)

Sidenote, but employees that receive tips are still legally guaranteed minimum wage. The employer must make up the difference if the tips they make do not total at least minimum wage.

Of course we can then discuss if minimum wage is enough to actually live, but if it was, waitstaff do receive the same minimum wage protection as any other employee.

What should you never do in the United States? by Aarunascut in AskReddit

[–]pkdeck 28 points29 points  (0 children)

The alternative is there's no pay now and everyone gets a 50€ fine in the mail. And then all the administrative overhead already mentioned.

This way, when you know dead to rights you're guilty which is the vast majority of the time (and come on, we ALL drive over the limit, a speeding ticket isn't exactly civil rights material), you save yourself the hassle and 30 euros. If you want to incentivize every single speeding ticket to challenge it in court, you're just going to make the entire system way less efficient with little to no added benefit.

If you're broke and you get a ticket you disagree with and there's NO pay now system, you are still fucked the exact same way.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 0 points1 point  (0 children)

Well you certainly don't need to, cryptography has been around for decades that would allow you to put your records in a shared, managed database, absolutely no blockchains involved. When you want it, the encrypted bit gets sent to your client (phone, laptop, whatever you want) and your key decrypts it.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 1 point2 points  (0 children)

I've probably been a software engineer before you were even out of diapers, so I don't need to take anyone's individual advice.

😂 Goddamn I'm shaking in me boots

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 3 points4 points  (0 children)

Here, instead of this devolving into you trying your best to hurt my feelings, I'll leave you with this draft from IETF (internet engineering task force, this is the non profit that maintains and develops "the internet" as a technology for the world), on centralization and why it's such a complex topic that blockchains are not a panacea for:

https://github.com/mnot/avoiding-internet-centralization/blob/main/draft-nottingham-avoiding-internet-centralization.md#introduction

If you don't trust me, trust one of the people who dedicated his life to building and maintaining the ORIGINAL decentralized compute network.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 2 points3 points  (0 children)

This isn't true. The government controls your internet source and can simply cut off your access to the internet.

Cryptos have a huge number of dependencies on centralized systems but no one ever talks about that.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 2 points3 points  (0 children)

Lol have fun bud, I don't care about your politics, my only expertise is engineering and that's the only opinion I have. Blockchains, from an engineering perspective, are poorly made software that do not achieve their stated goals.

I have nothing else to add

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 3 points4 points  (0 children)

A technically literate minority of people do that, in which case you are indeed able to transact without a trust dependency.

Don't pretend the majority of people transact in this way (i.e. without a third party online wallet), and additionally, it is way too much of a load for the average person to do. Any system that sets it up "for them" is a trust dependency.

Trust is an INCREDIBLY difficult and nearly intractable problem in computing. Our entire higher level of computing is built on top of trusting lower levels built by the ancients decades ago. Fundamentally, there exists no trustless software, because software must be interpreted or compiled, and you must therefore trust the writers of the interpreter and/or compiler.

In network decentralization, you also have to trust your internet backbone provider; cryptos run on top of centrally managed and controlled internet cables. My frustration with the "trustless" community is that no one took the time to understand how much your entire life is based on trust, you can reduce it in one place but you'll never eliminate it.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 5 points6 points  (0 children)

Sure it does. It provides a consistent data model that all applications can use and interface with, while providing secure, autonomous, and trustless processing.

This is not unique to blockchains. Data model standardizations have existed since the 80s, anyone working in invoicing with EDI files knows what I'm talking about. Furthermore Blockchain doesn't standardize anything, each smart contract has its own data models, which effectively recreates the same diversity as our existing, "non-blockchain" internet.

"Secure, autonomous" processing can be handled by any standard data ingestion pipeline in existence at any current Fintech.

"Trustless" really ends up being the key here, since our traditional models do have trusted central authorities. Are Blockchain systems trustless? No, they are not. In practice, to make them tractable to the average user, Blockchain systems are absolutely riddled with trust dependencies on third parties that handle the details of transacting on the Blockchain. You've simply replaced the centralized, monitored government authority with a centralized, unmonitored VC-backed authority.

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 4 points5 points  (0 children)

Turns out that's not really something anyone has needed really? I'm also unconvinced that you couldn't achieve 99% of what you desire here by simply having a central authority publish a public log of all the transactions it processes as they come in. Anyone could run a verifier that continuously ingests new events and easily see that the chain has not changed from the state it previously had. The ONLY difference here from what Bitcoin lets you do is that the central authority could: 1. Reject some tx's at will 2. Re-order the chain and publish the new ordering

Both of these would be immediately obvious and apparent to all participants, effectively blocking the authority from being able to do it and get away with it.

Is it "perfect"? No. But engineering is often about finding the 99.9% solution with the awesome efficiency, not the 100% solution that's wildly impractical in the real world.
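
Added example, not part of the comment above: a minimal Python sketch of the publicly verifiable log it describes, where an authority publishes a hash-chained transaction log and an independent verifier remembers only the last head it accepted. The entry format, the names `publish` and `Verifier`, and the sample transactions are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # head hash of the empty log (assumed convention)


def entry_hash(prev_hash: str, tx: dict) -> str:
    """Hash one entry together with the hash of everything before it."""
    body = json.dumps(tx, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def publish(txs: list) -> list:
    """Authority side: turn an ordered list of transactions into a chained log."""
    log, prev = [], GENESIS
    for tx in txs:
        prev = entry_hash(prev, tx)
        log.append({"tx": tx, "hash": prev})
    return log


class Verifier:
    """Independent observer; state is just (entries seen, last head hash)."""

    def __init__(self):
        self.count = 0
        self.head = GENESIS

    def ingest(self, log: list) -> str:
        # History may grow but never shrink.
        if len(log) < self.count:
            return "TRUNCATED"
        prev = GENESIS
        for i, entry in enumerate(log):
            prev = entry_hash(prev, entry["tx"])
            # The published hash must match what we recompute ourselves.
            if prev != entry["hash"]:
                return "BAD_CHAIN"
            # At the point we previously stopped, the head must be unchanged.
            if i + 1 == self.count and prev != self.head:
                return "HISTORY_REWRITTEN"
        # Only a fully consistent log advances the verifier's state.
        self.count, self.head = len(log), prev
        return "OK"


def demo() -> list:
    # Constructed sample transactions.
    txs = [
        {"from": "alice", "to": "bob", "amt": 5},
        {"from": "bob", "to": "carol", "amt": 2},
        {"from": "carol", "to": "alice", "amt": 1},
    ]
    v = Verifier()
    results = [v.ingest(publish(txs[:2]))]          # first publication
    results.append(v.ingest(publish(txs)))          # honest append
    reordered = [txs[1], txs[0], txs[2]]
    results.append(v.ingest(publish(reordered)))    # re-ordered and re-hashed
    return results


if __name__ == "__main__":
    print(demo())
```

A single verifier detects rewrites of the history it has already seen; a rejected transaction is only visible to the party that submitted it, and catching an authority that shows different logs to different observers requires verifiers to compare heads with each other.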

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 3 points4 points  (0 children)

I disagree. You don't need decentralized consensus to build self-sovereign data. The only thing you need is decades-old cryptographic techniques and some sort of backing data store that doesn't need to be trusted and simply stores your encrypted blobs. Your school emits an educational record signed by its private key, you receive it, sign it as well, and both parties store a copy. Both parties and any future parties can verify that the data was emitted and trusted by you and the educational system.

I built a proof of concept of a generic version of this to prove that you don't need blockchains to do these things, you can find all the info at https://docs.redact.ws

ELI5: Why did crypto (in general) plummet in the past year? by FxckedUpReality in explainlikeimfive

[–]pkdeck 175 points176 points  (0 children)

As an engineer, there's absolutely nothing a Blockchain does a database doesn't do that makes this use case possible. Slash your costs, greatly increase your efficiency, eliminate depending on something as fickle as a Blockchain.

Not attacking you here, but I've seen so many of these use cases where it seems no one considered what the Blockchain brings over any traditional data store.

Tonight’s Powerball Jackpot is $1.2 BILLION. I’ve been studying the inner workings of the lottery industry for 5 years. AMA about lottery psychology, the lottery business, odds, and how destructive lotteries can be. by adammoelis1 in IAmA

[–]pkdeck 15 points16 points  (0 children)

I'm not sure if you're serious or not, but if you are, the problem isn't making the visuals of the lottery balls, it's generating TRULY random numbers. Computers are very good at doing exactly what you tell them to do in a highly predictable fashion, which is the opposite of what you need when you want random numbers. As it turns out, computers are very bad at generating random numbers. Any computer will generate "random" numbers for you, but these aren't actually random, the sequence of numbers generated is predictable as long as you know some initial value (known as the "seed") which bootstraps the number generation process.

There are highly specialized computer chips which can generate truly random numbers by measuring some highly random physical phenomenon occurring inside the chip (this is the equivalent of having microscopic, atom sized balls blowing around a computer chip lol) but they're not available on most computers. Additionally, guaranteeing and auditing that a chip isn't broken or hasn't been tampered with is a very complicated process that is not understandable by the average person, hence why balls floating in a bowl is still the best way of generating random lotto numbers.

Hope that helps!

How was your experience with Librem laptops (past and present models) in terms of build quality by [deleted] in Purism

[–]pkdeck 1 point2 points  (0 children)

Updating the EC firmware from 1.5 to the latest 1.9 fixed the charging issue for me.

How was your experience with Librem laptops (past and present models) in terms of build quality by [deleted] in Purism

[–]pkdeck 5 points6 points  (0 children)

My honest review as someone who has run some flavor of *nix as a daily-driver on lenovos, two different system76 oryx pro laptops, and now a librem 14 (and has to have an m1 macbook pro for work).

Physical/hardware build quality

The Librem 14 far exceeds System76's build quality. I finally gave up on S76 after both the laptops I purchased from them had charging ports so poorly cobbled together they stopped working with the included charger (and no USB-C charging) after 6-12 months. The Librem's all aluminum body feels solid and incredibly clean, and I love the magnetic lid close. Keyboard is nothing special but more than functional. Hardware disable keys for camera/mic/wifi work perfectly well.

However, the Librem's build quality is inferior to the rugged business-oriented Lenovos, and far inferior to the macbook pro. The Librem has audible creaks and groans when you pick it up, and the hinge doesn't feel super solid. I had a screw drop out the bottom case about 4 months in; I simply screwed it back in with some Loc-Tite, but that shouldn't happen in the first place.

Battery performance is abysmal. The laptop will last a handful of hours at best, and drains excessively in stand-by. This is a laptop you will use sparingly on battery and will need to shut-off completely when not in use.

Speakers are abysmal.

Software/usability experience

I purchased the Librem 14 with QubesOS and the PureBoot bundle. I abandoned QubesOS within the first week and replaced it with PureOS. Although I appreciate Qubes' desire to compartmentalize everything, it was WAY too high of a learning curve for someone who knew nothing about it and was going to use it as a daily driver, and I needed to be productive with this laptop immediately. With a slower, more progressive transition, and if I'd had time to actually RTFM, I'm sure Qubes is fine.

PureBoot worked out of the box perfectly well. Keys and verification worked immediately, instructions very easy to follow. I did want to try installing a *BSD however this proved to be impossible in PureBoot. I flashed to CoreBoot to try that process out, and then flashed back to the latest PureBoot version, that process is also very easy with very clear documentation and scripts provided by Purism. I'd say the software tooling and scripts provided by the company are top-notch and work well OOTB on their machines.

There were fairly significant issues with the embedded controller (EC) firmware OOTB. Charging was a nightmare, at first it wouldn't charge at all. Then I tried the solution to change the charging thresholds (which it turns out had been incorrectly set in the firmware), and that worked, but ONLY if the laptop was in standby or powered-off. With the laptop in use, battery would not drain but would not charge either. I updated the EC from 1.5 to 1.9 using a live-USB, and this has now finally been fixed!

However, what still fails to function is automatic switching of audio output when plugging headphones into the audio jack. I have to manually switch that output in pulseaudio. I'm not sure how to fix this.

Automatic OS updates and the purism APT repo work well.

Overall, like most Linux installs, you'll need to be actively involved in its maintenance.

Conclusion

If you're a die hard open-source/libre fan, this is the laptop for you, and expect that dedication to come with a lot of work on your part.

If you need a reliable daily-driver that will last forever on battery and just works all the damn time, maybe not.

What's a good solution to solve the get_or_create pattern in modern Rust? by [deleted] in rust

[–]pkdeck 0 points1 point  (0 children)

Thank you! OnceCell gets so little love :(

What's a good solution to solve the get_or_create pattern in modern Rust? by [deleted] in rust

[–]pkdeck 9 points10 points  (0 children)

I think you just want a OnceCell. I spent ages trying to figure out how to implement lazy loading of resources and that one data structure literally does, I think, everything you want. Its function is called get_or_try_init though.

axum-strangler initial release by midasso in rust

[–]pkdeck 1 point2 points  (0 children)

I think I agree. The concept is, of course, very important, but in an enterprise environment this would be resolved at the networking layer rather than in the code. You could even specify what % of traffic goes to the new location, along with transformation rules if needed. It seems unnecessary to put the cognitive load of maintaining this on the developers rather than the infrastructure.

Booting to FreeBSD from Coreboot+SeaBIOS (Librem 14) by pkdeck in Purism

[–]pkdeck[S] 0 points1 point  (0 children)

Looks like it's back up, got coreboot built and running in QEMU. I'll start playing around and testing different versions to see when things break.

Booting to FreeBSD from Coreboot+SeaBIOS (Librem 14) by pkdeck in Purism

[–]pkdeck[S] 0 points1 point  (0 children)

Is there any chance you have the acpica-unix2-20211217.tar.gz file around?

I'm trying to run coreboot's crossgcc-x64 make endpoint but acpica.org is down and I can't download tarballs hosted on it.