k8s Operator

Intro

When I recently decided to port a “non-containerized” application onto Kubernetes, I struggled to find a solid approach to managing its lifecycle (deploy, upgrade, rollback, resize, etc.). Most solutions seem to delegate that logic to a human or to custom scripts that have to be written for every application, which is far from ideal. Thankfully, CoreOS came up with a solution called Operators. What is an Operator?...

December 1, 2019 · 5 min · 1002 words · patrick, p15r

Host firewall & libvirt conflict

Libvirt takes care of networking, whether a VM is in NAT or bridge mode. To make that work, libvirt manages a set of iptables rules of its own. If the host firewall is not aware of the changes libvirt makes to iptables, and vice versa, conflicts are to be expected. Consider the following situation: a VM is NAT-ed and provides a web service. To make that service reachable from outside, a port-forwarding (DNAT) iptables rule is needed to forward packets arriving at the hypervisor to the VM....
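One way to keep such a port-forward rule in step with libvirt rather than fighting it is a libvirt qemu hook that adds the rules when the guest starts and removes them when it stops. The script below is an added example and not the post's own approach; the guest name "web", the guest address 192.168.122.10, the host port 8080, the guest port 80 and the bridge name virbr0 are assumptions. libvirt invokes /etc/libvirt/hooks/qemu (which must be executable) with the guest name as the first argument and the operation (start, stopped, reconnect, ...) as the second.

```shell
#!/bin/sh
# Hypothetical /etc/libvirt/hooks/qemu (added example, not from the original
# post). All values below are assumptions for illustration.
GUEST_NAME="${GUEST_NAME:-web}"
GUEST_IP="${GUEST_IP:-192.168.122.10}"
HOST_PORT="${HOST_PORT:-8080}"
GUEST_PORT="${GUEST_PORT:-80}"
BRIDGE="${BRIDGE:-virbr0}"
IPTABLES="${IPTABLES:-iptables}"   # set IPTABLES="echo iptables" for a dry run

# Print the iptables invocations for "add" (-I: insert at the top of the chain,
# so the rule is evaluated before the jumps libvirt installs, which would
# otherwise reject unsolicited traffic into the NAT network) or "del" (-D:
# delete exactly the rule that was inserted).
forward_rules() {
    case "$1" in
        add) op="-I" ;;
        del) op="-D" ;;
        *) echo "usage: forward_rules add|del" >&2; return 1 ;;
    esac
    # DNAT: rewrite the destination of packets hitting the host port to the guest.
    echo "$IPTABLES -t nat $op PREROUTING -p tcp --dport $HOST_PORT -j DNAT --to-destination $GUEST_IP:$GUEST_PORT"
    # FORWARD: let the rewritten packets through towards the guest's bridge.
    echo "$IPTABLES $op FORWARD -o $BRIDGE -p tcp -d $GUEST_IP --dport $GUEST_PORT -j ACCEPT"
}

# Execute the rules produced by forward_rules.
apply_rules() {
    forward_rules "$1" | while IFS= read -r cmd; do
        sh -c "$cmd"
    done
}

# libvirt calls the hook as: qemu <guest name> <operation> <sub-operation> -
if [ "${1:-}" = "$GUEST_NAME" ]; then
    case "${2:-}" in
        start|reconnect) apply_rules add ;;
        stopped)         apply_rules del ;;
    esac
fi
```

The "reconnect" case re-adds the rules when libvirtd itself is restarted; if the host firewall flushes the tables while the guest is running (a typical "vice versa" conflict), the rules are gone until the guest is restarted, so the same add step should also be run from the host firewall's own reload path.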

August 6, 2019 · 4 min · 803 words · patrick, p15r

State of application-level network filtering on Linux

TL;DR: Serious application-level network filtering on Linux is possible using netfilter NFQUEUE. However, NFQUEUE is a low-level facility for developers. Wait until firewall solutions are created that provide abstraction through a user-friendly interface.

Update 14.02.2019: systemd now uses cgroups v2 in combination with BPF to enable per-unit firewalling:
https://www.youtube.com/watch?v=_obJr3a_2G8&app=desktop
https://github.com/systemd/systemd/pull/6764

Application-level network filtering using iptables

The “owner” module

The owner match module filters locally generated (outgoing) traffic by the UID or GID of the process that created the packet; it is only valid in the OUTPUT and POSTROUTING chains. Logging and then dropping everything root sends:

    iptables -A OUTPUT -m owner --uid-owner 0 -j LOG
    iptables -A OUTPUT -m owner --uid-owner 0 -j DROP

Use cases:...
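The per-unit firewalling from the update above is configured with the IPAddressAllow= and IPAddressDeny= settings that the linked pull request introduced. The drop-in below is an added example, not configuration from the original post; the unit name webapp.service and the allowed subnet are assumptions.

```ini
# /etc/systemd/system/webapp.service.d/ipfilter.conf
# Added example (not from the original post); unit name and addresses are
# assumptions. Requires the unified cgroup v2 hierarchy and a BPF-capable kernel.
[Service]
# Deny all IPv4/IPv6 traffic for every process in this unit's cgroup ...
IPAddressDeny=any
# ... except loopback and the internal database subnet. Within one unit,
# packets are checked against the allow list first, so these win over the deny.
IPAddressAllow=localhost
IPAddressAllow=10.20.0.0/16
# Per-unit byte and packet counters, readable via
# `systemctl show -p IPIngressBytes -p IPEgressBytes webapp.service`
IPAccounting=yes
```

Activate with `systemctl daemon-reload` followed by a restart of the unit. Unlike the owner match, the filter attaches to the unit's cgroup, so it cannot distinguish between processes inside the same unit, and it does not care which UID they run as.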

August 6, 2019 · 6 min · 1134 words · patrick, p15r

A simple homelab setup

I recently played around with various setups for my new home lab. One setup is fairly simple and old-fashioned, yet I like its flexibility: a virtualization environment using bridge mode. This post is a write-up of such an installation using KVM and libvirt.

Setup

The hypervisor is a single host connected directly to an untrusted network (such as the Internet). Consequently, network security must be taken into account: simply bridging all virtual machines (VMs) to the Internet is unlikely to be a wise move....

August 6, 2019 · 7 min · 1340 words · patrick, p15r

i3wm key modes aka submenus

Recently, I discovered the i3 key mode feature. Immediately, I configured two scenarios for better i3 control: management of music/video and of (external) screens. The configuration for either scenario is straightforward. Here is my config for the management of music and video:

    set $mode_playerctl "playerctl: [p]lay/[p]ause [n]ext [b]ack"
    bindsym $mod+m mode $mode_playerctl
    mode $mode_playerctl {
        bindsym p exec playerctl play-pause; mode "default"
        bindsym n exec playerctl next; mode "default"
        bindsym b exec playerctl previous; mode "default"
        bindsym Return mode "default"
        bindsym Escape mode "default"
    }

As any i3 user quickly realizes, the number of shortcuts a single keyboard can offer is finite....

August 6, 2019 · 2 min · 308 words · patrick, p15r