profile

Ivan Velichko

Ivan on Containers, Kubernetes, and Backend Development

Published over 1 year agoΒ β€’Β 5 min read

Hello friends!

Ivan's here with November's roundup of all things Containers, Kubernetes, and Server-Side craft!

This time I've got for you:

  • An ask, an offer, and a promise πŸ™
  • cdebug (a swiss army knife of container debugging) update πŸ”§
  • Hot off the press: A new blog post on Container Networking ✏️
  • And a bunch of good reads πŸ“š

Let's get started!


​

My first ever Patreon page

Some time ago, I asked on Twitter how people would react if I created a Patreon page:

The poll results came out rather positive, so I decided to give it a try πŸ™ˆ

There are two main goals that I'm pursuing with my Patreon campaign:

The blog articles and the newsletter will remain free - I want my technical content to reach as many people as just possible, especially in places where $5 a month is a shit load of money. So, here is my ask for those of you who find my work helpful and can afford to spend a few bucks a month on virtual coffee for an internet stranger - go become a patron.

However, I don't want it to look like a charity campaign. Over the years, I've learned quite a few tricks on how to write online, how to produce memorable diagrams, and how to grow the audience on different platforms. Traditionally, I've been keeping notes, but I haven't been sharing them with anyone πŸ˜‰ So, here is my offer: I'll start sharing the technical writing advice and insights into my creative process with those of you who become patrons. This will definitely come in handy for folks looking to start their own technical blogs or grow their twitter following.

The promise? I'm serious about that learning platform! And when I deliver it, patrons will be generously rewarded with all sorts of discounts.


​

cdebug gets port forwarding support

The development of the new port-forward command took an unexpectedly long time (that's why this newsletter issue is smaller than usual), but it did worth it! Now you can "publish" ports of already running containers and even access services listening on the container's localhost with ease:

You can read more about cdebug and what makes it stand out from similar container debugging tools in the last issue of the CTTT newsletter.

The plan for cdebug now is to replicate the exec and port-forwarding functionality for other container runtimes, and the containerd support is already in the works.


​

Container Networking Is (Not So) Simple

The pretty successful Visual Guide to SSH Tunnels was a by-product of cdebug development. To design the port-forwarding command well, I had to study the ssh tunneling capabilities in great detail. This month, I had to do a similar exercise but for container port publishing. Do you know what actually happens when you publish a port in Docker? What is the difference between Docker Engine's port publishing implementation and Docker Desktop's? I do know now, and I gladly share my knowledge with you in this blog article.

Here is a sneak peek:

By the way, the post also covers containerd, nerdctl, and Lima!


​

What I was reading

​Accountability in Software Development by Kent Beck (the person who virtually introduced me to programming many years ago) - this is how I want to work myself (I must admit it hasn't always been the case) and what I want to see in my colleagues. The principle of accountability is so generic that it applies in daily life too: I'm accountable to my family, and I expect the same from my partner. But back to programming... Here is an unobvious example of accountability: "The tests are an account of my thoughts as I program." When we write code that covers only the happy path, or (even worse) we think that it does, we fall short of accountability.

First, Adam and now Craig - Kubernetes Podcast will never be the same for me. These two voices will forever be the sounding of Kubernetes for me. But Craig Box is now a newsletter author! Go check it out.

​The State of Frontend in 2022 - Some interesting stats (and thoughts) by Gergely Orosz based on a survey of more than 3000 frontend developers. I used to be doing (a little bit of) frontend in the past, and while I gave up on keeping my fronted skills up to date, it's still interesting for me to read such (thoroughly compiled!) reports. By the way, while it's not a part of this particular piece, I do think that the familiarity with how things are done on the frontend makes you better on the backend too - you can borrow some cool tricks and apply them on the server- of infra-side and it also helps you develop better APIs.

​CrowdStrike Identifies New Kiss-a-Dog Cryptojacking Campaign Targeting Vulnerable Docker and Kubernetes Infrastructure - clear and highly-technical analysis of the recent crypojacking campaign. Once you get through the marketing fluff in the first part of the article, you'll be able to see how the malicious workload gets into a publicly exposed Docker instance, how it breaks out of a container using volume mounts, and how it moves laterally by compiling C++ code right on your servers and starting Redis servers as backdoors. An atypically good technical read for this sort of publication!

​Exploiting Distroless Images - what a fun terrifying read. GoogleContainerTools/distroless base images lack shells, but thanks to the openssl binary that is almost always there you an attacker can read files with a simple `docker exec -it <distroless-container> /usr/bin/openssl enc -in /etc/passwd`. And with slightly more effort you can even execute arbitrary base64-encoded binaries.

​The Finch CLI from AWS - a first-ever β€œLima distribution”? Lima is a way to run containers on non-Linux hosts, especially on macOS. It's based on containerd paired with BuildKit running in a VM and frontend by a docker-like nerdctl CLI. Flinch brings another OS-native client (called flinch) and promises a handy installer to get Lima and its subcomponents to your system. To be honest, I still don’t see the point for those of us who's not bound to AWS ecosystem - installing and updating Lima hasn’t been that complicated. But for people with tighter AWS binds this intro mentions some AWS integrations that can be bundled with Lima using Flinch, so maybe there is some value in the end. Anyways, the good part here is that it’ll make AWS folks contribute back to Lima, containerd, and nerdctl, strengthening these amazing open-source projects.

​Technical Posts Overview and Roundup by Matt Rickard - I'll just list a few titles here: "Non-obvious Docker uses," "An Overview of Docker Desktop Alternatives," "Why Did Heroku Fail," "What Comes After Git," "Don't Use Kubernetes, Yet" and more. An invaluable collection.

​How to Tail Kubernetes Logs: Using the Kubectl Command to See Pod, Container, and Deployment Logs - a handy collection of commands to get all sorts of Kubernetes logs (apiserver, kubelet, kube-proxy, pods, deployments, etc).


Stay tuned

That's it for November. Hope you enjoyed the issue. But in any case, hit reply and share your thoughts, I'm always looking forward to your emails!

Cheers

Ivan
​

Ivan Velichko

Software Engineer at day. Tech Storyteller at night. Helping people master Containers.

Read more from Ivan Velichko

Hello there! πŸ‘‹ Debugging containerized applications is... challenging. Debugging apps that use slim variants of container images is double challenging. And debugging slim containers in hardened production environments is often close to impossible. Before jumping to the DevOps problems that I prepared for you this week, let's review a few tricks that can be used to troubleshoot containers. If the container has a shell inside, running commands in it with docker exec (or kubectl exec) is...

10 days agoΒ β€’Β 1 min read

Hey hey! Are you ready for your next DevOps challenge? Last week, we all witnessed yet another terrifying cyber-security event, and this time, it was a direct hit - researchers from Snyk discovered a way to break out of containers! 🀯 The vulnerability was found in the fundamental component of the containerization ecosystem - the most popular implementation of the (low-level) OCI container runtime - runc. Notice how, on the diagram above, most high-level container runtimes actually rely on the...

29 days agoΒ β€’Β 1 min read

Hello friends! Ivan's here - with my traditional monthly roundup of all things Linux, Containers, Kubernetes, and Server-Side craft πŸ§™ What I was working on After my announcement of the iximiuz Labs GA earlier this month, the platform's usage has more than doubled, so I had to focus on the system's stability and UX. As a result, I increased observability and test coverage, added one more bare-metal server, streamlined a bunch of use cases, and fixed a few bugs. The most notable user-facing...

about 1 month agoΒ β€’Β 3 min read
Share this post