So I used to frequent Mexico City. On one of my trips there I was going to see someone muy importante. Our local guy was a very good host, would drive me everywhere, make sure I had a good time, etc. On this trip, we had a few minutes to kill in the hotel lobby and he suggested I had time for a shoe-shine. I kind of brushed this suggestion off; my shoes are scruffy, not much point. Later I realised I had offended him: he was trying to make me look a bit more presentable. Rodolfo, if you are reading this, I’m sorry 🙂

Every time I would go, he would always offer to take me wherever I wanted. However, there was only ever one place I would want to go for lunch, dinner, breakfast, midnight snack, tea, whatever, you name it. This taco place. It’s not expensive, it’s not fancy. It’s merely fantastic.

They start by sprinkling some parmesan-type cheese on the griddle, and then take this huge spatula and roll it up. It cools, and they bring this baseball-bat of parmesan to your table. You flick it, it shatters, and you munch contentedly while they work on the rest.

I spoke of this taco place so much that my other co-workers fell into two basic camps: those that demanded to go and enjoy, and those who put it in the same category as everything else I said and tuned it out. Half of them are better people for it 🙂

Now, tacos are not the only thing I had in Mexico, and not always from this place (there were the duck tacos for example, the street tacos, a pretty decent Japanese hibachi place, and The Expensive Lunch). The Expensive Lunch involved ~6 hours of discussion, and at one stage a bottle of wine was brought in that needed several stewards with white gloves and some sort of delicate pick to remove the cork. It was good, but nowhere near as good as the taco place.

Some day I am going to go there, find the people who own this place, and convince them to move it to Waterloo where we will become taco trillionaires together.

I’m using Gitlab, and one of the things they promote is Auto-Devops. In a nutshell, you use the Gitlab-CI as your means from start to finish, starting w/ an idea, through code, unit-test, address-space-tests, dynamic-tests, thread-tests, license-checks, lint, code-format, static scans, … all the way until it lands on a running server somewhere for your customers to get their grubby virtual fingers on it.

And I gotta say, it works really well.

Enter Weave. They have a pattern, ‘gitops’. It has ‘git’ in the name so it must be good, right? They also have some opinions on whether a CI tool is good for continuous deployment. In short: NO:

Your CI server is not an orchestration tool. You need something that continually attempts to make progress (until there are no more diffs). CI fails when it encounters a difference. In combination with a human operator, a CI server can be made to force convergence, but this creates other issues. For example your CI scripts might not be able to enforce an idempotent and/or atomic group of changes.

They have coined the term ‘CIOps’ for the alternative, and they diagram it thusly:


versus their product (gitops) which is thusly:


They don’t talk about gitlab-CI (which I think is stronger than the Travis and Circle ones they reference); it’s much better integrated with Kubernetes. Also, gitlab does monitoring where the others don’t. It also supports ‘environments’ (e.g. staging, dev, production).

So, gentle reader, any opinions on this?

Many years ago Hitler decided to open a 2nd front in World War 2, against Russia. This turned out to be a bad idea for him, but ultimately a good thing for the rest of us. Today we saw a similar issue, Google being accused of search bias is opening a new front, why pick that fight?

A couple of years ago I happened to be in Moscow during the primaries. There was a huge spat between Romney and Trump. Hand size was mentioned (by Marco Rubio), things got ugly. And then Romney issued a set of remarks which minced no words. The news blew up.

However, for me in my hotel room in Moscow, it didn’t seem to. Interested, I decided to do some quick field research. I used Google.ru, and via VPN, Google.ca. You would expect that, other than maybe regional things, these would be the same?

To my surprise, part of this story is censored in Russia. Specifically, the results about Romney’s early ‘Anybody but Trump’ speech. It’s all gone.

Let’s examine. I used ‘google.ca’ via a proxy and google.ru. The google.ru results are below; see that last line, “results delisted because of local information law”. 100% of the results that are Romney critical of Trump are gone. E.g. on google.ca, I see this Washington Post article “Romney slams Trump”; this Time article is also gone, as is the NPR, Boston Globe, etc. In fact, there is no negative at all. It’s like Romney never called Trump dangerous.

The below image is the actual search result as seen in Russia at that time, and that last line is ominous.

You’ve no doubt noticed that Chrome now marks any non-https site as insecure. It’s no longer that ‘https is secure, the rest is unspoken’. It’s actively insecure.

Some sites have no support for https (shame). Some have support, but you have to remember to use that URL (should redirect).

But, what is the thinking behind ones that actively downgrade you? Witness Canadian Tire. A great spot to buy a belt perhaps. But why, if I try ‘https://www.canadiantire.ca/’, does it force me to ‘http://www.canadiantire.ca’?

Here’s the tale of the tape. We see the server has a valid certificate. It even supports HTTP/2. But, it forces me to drop to a non-encrypted flow. You see those last couple of lines? These are your session cookies, set without the Secure flag, so they are maintained across the switch back to http. If you do later switch to SSL to buy something online with them, the same cookies are in play. This is terrible.

Google has also started to raise the search relevance of secure sites, so it actively hurts them.

So who’s with me in starting a campaign? If we see a web site that is not TLS, let’s say something. Let’s Encrypt has made it free and easy. Google has launched the .app domain, SSL included w/ your name. It’s 2018. We should be demanding TLS 1.3 w/ encrypted SNI, 0-RTT, elliptic-curve only. We should not be accepting ‘downgrade to in-the-clear’.

Let’s make a ‘see something say something’ type campaign. #tlsorbust? #tlswallofshame?

$ curl -v https://www.canadiantire.ca/
*   Trying 23.79.217.166...
* TCP_NODELAY set
* Connected to www.canadiantire.ca (23.79.217.166) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
 ...
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: C=CA; ST=Ontario; L=Toronto; O=Canadian Tire corporation; CN=www.canadiantire.ca
*  start date: May  9 00:00:00 2018 GMT
*  expire date: Aug  8 12:00:00 2019 GMT
*  subjectAltName: host "www.canadiantire.ca" matched cert's "www.canadiantire.ca"
*  issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=GeoTrust RSA CA 2018
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: www.canadiantire.ca
> User-Agent: curl/7.58.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=iso-8859-1
< Content-Length: 250
< X-Frame-Options: SAMEORIGIN
< Location: http://www.canadiantire.ca/en.html
< Cache-Control: max-age=86400
< Expires: Thu, 30 Aug 2018 20:56:26 GMT
< Content-Encoding: gzip
< Date: Wed, 29 Aug 2018 20:56:26 GMT
< Connection: keep-alive
< Set-Cookie: disp_id_prd11=173769bf046e88 ...; path=/
< Set-Cookie: BIG_COOKIE_PRD2=rd40o000 ...; path=/
< Set-Cookie: TS01915929=012ceeafe60a6c ... Path=/
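The two things the transcript above shows, a 301 from an https URL to an http one and session cookies set without the Secure attribute, are easy to check mechanically. The script below is an added example, not anything from the post or from Canadian Tire: it parses a captured response head (a constructed sample modelled on the transcript, with the hostname replaced by a placeholder and cookie values trimmed) and reports the downgrade, each cookie missing Secure or HttpOnly, and a missing Strict-Transport-Security header, next to a constructed example of what the same server should answer instead.

```python
"""Audit a captured HTTPS response for downgrade redirects and weak cookies.

Added example, not the blog's or the site's code. Feed it the raw response
head that curl -v prints after the '<' markers.
"""
from urllib.parse import urlsplit

# Constructed sample, modelled on the curl transcript in the post
# (hostname replaced by a placeholder, cookie values shortened).
DOWNGRADE_RESPONSE = """HTTP/1.1 301 Moved Permanently
Content-Type: text/html; charset=iso-8859-1
X-Frame-Options: SAMEORIGIN
Location: http://www.example.test/en.html
Set-Cookie: disp_id_prd11=173769bf046e88; path=/
Set-Cookie: BIG_COOKIE_PRD2=rd40o000; path=/
Set-Cookie: TS01915929=012ceeafe60a6c; Path=/
"""

# Constructed sample of what the same server should answer instead:
# stay on https, pin it with HSTS, and mark the cookie Secure.
GOOD_RESPONSE = """HTTP/1.1 301 Moved Permanently
Location: https://www.example.test/en.html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: disp_id_prd11=173769bf046e88; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status, [(name, value), ...]).

    Header names are lower-cased; repeated headers (Set-Cookie) are kept in order.
    """
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the head; a body may follow
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_tls_response(request_url, raw):
    """Return a list of findings for the response to an HTTPS request."""
    if urlsplit(request_url).scheme != "https":
        return ["request was not https; nothing to audit"]
    status, headers = parse_response(raw)
    findings = []
    for name, value in headers:
        if name == "location" and 300 <= status < 400:
            # The post's case: a valid certificate, then a redirect to cleartext.
            if urlsplit(value).scheme == "http":
                findings.append(f"downgrade redirect to {value}")
        elif name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            if "secure" not in attrs:
                # Without Secure the browser will also send it over plain http.
                findings.append(f"cookie {cookie} lacks Secure")
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    if not any(n == "strict-transport-security" for n, _ in headers):
        findings.append("no Strict-Transport-Security header")
    return findings


if __name__ == "__main__":
    for label, raw in (("downgrade", DOWNGRADE_RESPONSE), ("good", GOOD_RESPONSE)):
        print(f"{label}:")
        for finding in audit_tls_response("https://www.example.test/", raw) or ["clean"]:
            print("  ", finding)
```

On the constructed transcript it reports the downgrade, three cookies lacking Secure, three lacking HttpOnly and the missing HSTS header; the corrected response comes back clean. Pipe the output of `curl -sv https://host/ 2>&1 | grep '^< ' | cut -c3-` into `parse_response` to run it against a live capture.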

Today I ‘released’ endoscope. This is a tool that solves a couple of ‘simple’ problems:

  1. I have a running container in Kubernetes. I wish I could have a shell inside it that is root, but also with a bunch of tools like gdb or ptrace. My container doesn’t allow root or ptrace. I don’t want to rebuild a debug version of it and create a new Pod
  2. I want to ping/create network traffic as if it originated from a specific pod
  3. I want to capture network traffic from/to a specific pod

If you have those problems, well, this is for you!

Let’s look at an example:

scope -n NAMESPACE -p POD strace [-p #] [-e expr]

What sorcery is this? You mean from my current host I can run strace on a remote application in a container without knowing the node or ssh or anything? Yes! Simply run with the namespace/pod info (and -p # if there is more than one pid in the container; the default is the first), and optionally e.g. -e file to filter. You can use ‘scope pids’ to show the pids if you want (the first one is not always the right one for more complex containers).

Current commands include gdb, ping, shell, strace, hping. If you use ‘shell’, you are in the network + pid namespace of the debugee (check ifconfig if you don’t believe me!).
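What ‘shell’ puts you in the debugee’s network and pid namespaces comes down to Linux namespace identities, which are visible from the host side under /proc. The script below is an added example, not endoscope’s code: it reads the /proc/PID/ns/* links to tell whether two processes share a namespace (the ‘check ifconfig’ test done programmatically) and lists every pid that shares a given process’s pid namespace, which is the host-side view behind a ‘scope pids’ style listing. Reading another process’s ns links needs ptrace-level access to it, so unprivileged runs will only see their own processes; that is the same reason a tool like this has to run privileged on the node.

```python
"""Inspect Linux namespaces via /proc. Added example, not endoscope's code."""
import os


def ns_id(pid, kind):
    """Return the namespace identity of a process, e.g. 'net:[4026531992]'.

    Returns None when /proc will not show it: non-Linux host, process gone,
    or no ptrace-read access to the target (unprivileged caller).
    """
    try:
        return os.readlink(f"/proc/{pid}/ns/{kind}")
    except (PermissionError, FileNotFoundError, ProcessLookupError, OSError):
        return None


def same_namespace(pid_a, pid_b, kind="net"):
    """True only if both identities are readable and identical."""
    a, b = ns_id(pid_a, kind), ns_id(pid_b, kind)
    return a is not None and a == b


def pids_in_namespace(pid, kind="pid"):
    """All pids visible in /proc that share `kind` namespace with `pid`.

    From the host (hostPID), this is a container's process list; pids the
    caller cannot inspect are silently skipped.
    """
    target = ns_id(pid, kind)
    if target is None:
        return []
    members = []
    for entry in os.listdir("/proc"):
        if entry.isdigit() and ns_id(int(entry), kind) == target:
            members.append(int(entry))
    return sorted(members)


def describe_self():
    """Namespace summary of the calling process, for a quick sanity check."""
    me = os.getpid()
    return {
        "pid": me,
        "net_ns": ns_id(me, "net"),
        "pid_ns": ns_id(me, "pid"),
        "peers": pids_in_namespace(me),
    }


if __name__ == "__main__":
    info = describe_self()
    print(f"pid {info['pid']} net={info['net_ns']} pid_ns={info['pid_ns']}")
    print("pids sharing my pid namespace:", info["peers"])
```

Run it from inside a debug shell and from the target container: the net and pid identities match if the shell really landed in the debugee’s namespaces, and differ if it did not. Outside Linux every lookup returns None and the lists are empty.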

Work in progress is to allow you to, from the Wireshark GUI, simply select a pod and capture/filter its traffic in real time. Pull requests welcome 🙂