For some of us, we need a break. Going at a breakneck speed while stretched out mentally and physically is exhausting. I find myself needing a break from at least one of the things I do. Can’t cut out my job; can’t cut out the newsletter. I think until the new year, I’m going to take a break from open source contributions. Expect no open source work from me until 2022 (minus writing because I enjoy that).
Log4j dominated the news this week. I was pulling nuggets in for KubeWeekly earlier this week and it literally felt like every other post was about Log4j. I have now lost count of how many CVEs there are in Log4j. But, it’s all impactful. Even if your in-house systems aren’t based around Java, there is likely something in your enterprise that requires log4j, and you need to make sure you vanquish this at multiple layers of the stack.
People
The metaverse has a groping problem already
I really hope to avoid the metaverse.
Infrastructure as Code Automation for Terraform and GitOps workflows
See how env0 automates and simplifies the provisioning of cloud deployments for Terraform. We offer Variables and Secrets granularity, Full CLI support, integration with OPA, Dynamic RBAC and SAML. Get Started for FREE SPONSORED
Reducing e-waste: Could refurbished IT equipment be better than new?
Greener IT means making use of what we have for longer periods of time. This is why I bought a used server for the house. This is also why I’d do it again if I needed one.
Developer Avocados - Chris Short
Developer Avocados did a profile on me (I genuinely do thank them).
Process
A Log4J Vulnerability Has Set the Internet ‘On Fire’
Wired being ever so subtle. “The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.” Find more Log4j coverage in the notes for this issue. Also, check out log4j memes.
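The intro’s point that log4j hides somewhere in almost every enterprise, often inside WARs and fat JARs rather than as a top-level dependency, is easier to act on with an inventory check. The script below is an added example, not code from the newsletter or any project it links: it walks a directory tree, opens every JAR/WAR/EAR (recursing into archives nested inside archives), reports the log4j-core version from the JAR manifest, and flags whether the JndiLookup class is still shipped. The log4j-core package path, the manifest key, and the JndiLookup class path are the real ones; the sample tree and the version strings ending in "-sample" are constructed for the demo.

```python
"""Find log4j-core archives under a directory, including ones nested inside
WAR/EAR/fat-JAR files, and report version plus JndiLookup presence.

Added example for the newsletter; not from log4j, AWS, or Cybereason.
The sample tree built by build_sample_tree() is constructed test data."""
import io
import os
import re
import tempfile
import zipfile

# Real class path inside log4j-core; its presence means the JNDI lookup
# code is still shipped in that archive.
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
VERSION_RE = re.compile(r"log4j-core-([0-9][\w.\-]*)\.jar$")


def _manifest_version(zf):
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None."""
    try:
        text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def inspect_archive(data, label):
    """Inspect archive bytes; recurse into nested archives.

    Returns one finding per log4j-core archive. `label` is the outer path,
    extended with "!<inner path>" for nested archives."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings  # not a zip-based archive, skip it
    with zf:
        names = zf.namelist()
        if any(n.startswith("org/apache/logging/log4j/core/") for n in names):
            m = VERSION_RE.search(label)
            findings.append({
                "path": label,
                "version": _manifest_version(zf) or (m.group(1) if m else "unknown"),
                "jndi_lookup_present": JNDI_LOOKUP_CLASS in names,
            })
        # Nested archives are where log4j usually hides (WEB-INF/lib, shaded jars).
        for n in names:
            if n.lower().endswith(ARCHIVE_SUFFIXES):
                findings.extend(inspect_archive(zf.read(n), f"{label}!{n}"))
    return findings


def scan_tree(root):
    """Walk a directory tree and inspect every archive found."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                full = os.path.join(dirpath, fn)
                with open(full, "rb") as fh:
                    findings.extend(inspect_archive(fh.read(), full))
    return findings


def build_sample_tree():
    """Construct sample data: a bare log4j-core JAR that still contains
    JndiLookup, a WAR embedding a log4j-core JAR with JndiLookup removed,
    and an unrelated JAR. Entries are empty placeholders, not real classes."""
    root = tempfile.mkdtemp(prefix="log4j-scan-")

    def make_core_jar(version, with_jndi):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
            zf.writestr("org/apache/logging/log4j/core/Logger.class", b"")
            if with_jndi:
                zf.writestr(JNDI_LOOKUP_CLASS, b"")
        return buf.getvalue()

    with open(os.path.join(root, "log4j-core-0.0.1-sample.jar"), "wb") as fh:
        fh.write(make_core_jar("0.0.1-sample", with_jndi=True))
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-0.0.2-sample.jar",
                     make_core_jar("0.0.2-sample", with_jndi=False))
    with zipfile.ZipFile(os.path.join(root, "other-lib.jar"), "w") as other:
        other.writestr("com/example/Other.class", b"")
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f["path"], f["version"], "JndiLookup present:", f["jndi_lookup_present"])
```

Run it against a real host with `scan_tree("/opt")` or similar; the point of the nested-archive recursion is that a WAR or shaded JAR that bundles log4j-core will not show up in any package manager or dependency manifest, so a filesystem sweep is one of the layers worth checking.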
Pulumi: Infrastructure as Code
Developing on the cloud is complex. What if you could use your existing programming knowledge to build, deploy, and manage cloud infrastructure using your favorite languages and tools? Pulumi is a cloud engineering platform that lets you write infrastructure as code in any programming language and on any cloud platform. Get started for free at pulumi.com SPONSORED
Minimum viable action – how to advance things that are stuck
A process in which to get the hard stuff done.
GitOps on Kubernetes: Deciding Between Argo CD and Flux
“Below are the results of exploring the differences between these two projects. Both have their uses, and both are quite well maintained and have active communities.”
Summary of the AWS Service Event in the Northern Virginia (US-EAST-1) Region
Thundering herds gonna thunder.
Tools
Kubernetes isn’t about containers
It’s about APIs.
In modern architecture, slow is the new down. Distributed tracing shows your deeply hidden problems so you can fix the right issue the first time. It’s never been easier to get started. Use Honeycomb and OpenTelemetry to quickly find hidden slowness–for free. SPONSORED
What happens when you upgrade to Kubernetes v1.24?
Jim Angel wonders what happens when you rip out dockershim when you need it.
gRPC - Best Practices
“Designing gRPC services is different from designing REST services, where the API contract (ex. OpenAPI) is often generated from the server implementation. With gRPC, it’s the other way around. The API contract is first defined in protobuf, then the client and server stubs are generated from that API definition. In this section, we explain some of the best practices when designing gRPC APIs.”
LogMeIn to spin off password manager LastPass as a separate company
It didn’t make sense when LogMeIn bought LastPass. It only makes sense they’re spinning it out.
aws/amazon-ec2-instance-selector
A CLI tool and Go library which recommends instance types based on resource criteria like vCPUs and memory
ossf/wg-best-practices-os-developers
“The Best Practices for OSS Developers working group is dedicated to raising awareness and education of secure code best practices for open source developers.”
hjacobs/kube-ops-view
“Kubernetes Operational View - read-only system dashboard for multiple K8s clusters”
reddec/ingress-dashboard
Kubernetes-native automatic dashboard for Ingress
aws-samples/kubernetes-log4j-cve-2021-44228-node-agent
Cybereason/Logout4Shell
Use Log4Shell vulnerability to vaccinate a victim server against Log4Shell
Want more? Be sure to check out the notes from this week’s issue to see what didn’t make it to the newsletter but are still worth your time.