Migrate ProtonMail to GMail
After trying ProtonMail for a year, I decided to migrate my email domain back to Google Workspace from ProtonMail. I like Proton, but in the end my users weren’t happy with the available features, and I was more interested in keeping my users happy.
Anyway, I needed to migrate a corpus of email from ProtonMail to GMail, and all the Internet had to offer was that I should use the Import-Export app to export my mail to mbox, use an extension to load the mbox into Thunderbird, and copy the mail using GMail IMAP.…
Read more ⟶
Kubernetes e2e tests and feature gates
Today I had to remind myself how the Kubernetes test-infra interacts with features. Unlike with the unit tests, feature gates for the e2e tests are frequently set externally by the CI test definitions rather than by the tests themselves. Tests that rely on features not enabled by default are tagged using [Feature:$name] and excluded from the default presubmit tests.
In my case I was adding a test for an alpha feature to the e2e node tests.…
Read more ⟶
Ephemeral Containers and Kubernetes 1.22
Today we changed the API for Ephemeral Containers in Kubernetes. It’s a setback for those who were hoping for an Ephemeral Containers beta to get the feature enabled in production clusters, but I’m glad we took the time to change it while the feature is still in alpha. The new API uses the simpler, well-known pattern that the kubelet uses to update Pod status through a separate subresource. It was quick to implement since it’s actually the same as a prior prototype.…
Read more ⟶
Ubuntu, systemd-resolver and DVE-2018-0001
I noticed that systemd is spamming syslog with:
Server returned error NXDOMAIN, mitigating potential DNS violation DVE-2018-0001, retrying transaction with reduced feature level UDP.
DVE-2018-0001 is a workaround for some captive portals that respond to DNSSEC queries with NXDOMAIN. systemd-resolver in Ubuntu retries every one of these NXDOMAIN responses without EDNS0.
In practice this means one syslog entry every time a domain isn’t resolvable. This is surprising, so I dug further.…
Read more ⟶
Sharing Process Namespace in Kubernetes
Kubernetes pods allow cooperation between containers, which can be powerful, but they have always used isolated process namespaces because that’s all Docker supported at the time Kubernetes was created. This prevented one from doing things like signalling a main process from a logging sidecar, for example.
I’ve been working with SIG Node to change this, though, and Process Namespace Sharing has been released as an Alpha feature in Kubernetes 1.10. Compatibility within an API version (e.…
Read more ⟶
Debugging regex from the CLI
Just stumbled across this obvious solution from the “why didn’t I realize this earlier?” department. GNU grep makes a great regex debugger!…
Read more ⟶
Alpine Linux doesn't work with KubeDNS. Sad.
I was really getting into building docker images from Alpine Linux. I like its philosophy and general 5MB-ness. I discovered tonight, however, that its libc resolver has some significant differences from that of GNU libc. Most notably, the resolver queries all nameservers in parallel and doesn’t support a search path.
I don’t care that much about the search path for these images. Querying the nameservers in parallel sounds great, but unfortunately Kubernetes’ KubeDNS configures a resolv.…
Read more ⟶
Hardening SSH
Here’s an interesting article on Secure Secure Shell.…
Read more ⟶
SuperMicro iKVM Video Only
Frustrated that the IPMI iKVM session on your brand new SuperMicro server says “Video Only” at the top and your virtual keyboard won’t work? I was. I’m sure the culprit could be any of a number of issues, but for me it was a BIOS setting.…
Read more ⟶
Backup to Google Cloud Storage using duplicity 0.6.22
My patch to add support to duplicity for Google Cloud Storage was merged and released with duplicity version 0.6.22. Now backing up to GCS is as easy as backing up to S3. Here are the steps:
Install duplicity >= 0.6.22.
Enable Interoperable Access in the Cloud Storage Dashboard.
Generate Interoperable Storage Access Keys in the Cloud Storage Dashboard.
Create your bucket:
$ gsutil mb -c DRA gs://BUCKETNAME
The -c DRA flag enables Durable Reduced Availability for this bucket, which makes sense for backups.…
Read more ⟶