S2E21: "Barenaked Boxen"
|Previous Episode||Next Episode|
|S2E20: "The Shell Game"||S2E22: "Shitshow III: Son of Shitshow"|
|Recorded (UTC)||Aired (UTC)||Editor|
|2017-11-28 03:55:51||2017-12-04 02:30:07||"Edita"|
In this episode, we talk about installation preconfiguration (via e.g. Kickstart, etc.) vs. configuration management (Ansible, Puppet, etc.) for baremetal turnups. We also answer an email from a listener!
“May many portable gloryholes descend upon you and surround you and make you feel wildly uncomfortable.” – Jthan
- (Not mentioned during news segment; see 1h11m0s) We are still running a contest! You need to get your answers/submissions in!
- Speaking of announcing contest winners, we are also having season 2’s shitshow December 6, 2017 at 2100EST! You can find more info here!
- There was an Imgur breach
- Some pro-repeal comments on the FCC’s Net Neutrality feedback might have been faked (again)
- Intel had firmware flaws in their ME (which we mention in S2E7, S2E15, and S2E20)
- It seems there’s a new version of Bank Bot making the rounds in Google Play Store
- TP-Link firmware downloads are pretty hard to come by in EU
- The drone company DJI has leaked a ton of information, including their private key
- AWS is finally moving to KVM from Xen
- Results from Pentagon’s bug bounty program (“Hack the Pentagon”) are released
Starts at 27m54s.
- Which tasks should you use baremetal provisioning for and which shoukd you use configuration management for?
- Baremetal provisioning (Kickstart, Preseed, AIF-NG, etc.)
- Jthan makes good points about “code” (task, etc.) re-use for configuration management
- He also mentions Kickstart doing the OS install and Puppet agent installation, and have Puppet handle literally everything else past that
- And he finds baremetal provisioning configurations a little too inflexible
- Paden follows the same methodology – baremetal prov for only installing the configuration management and using the cfg mgmt for everything else
- I hold to the same basic idea, but I make the additional suggestions of using baremetal provisioning to also install core packages (since it’s faster, especially if it’s a local repository mirror)
- I also mention using the baremetal configuration to set up the basic security controls as well (firewall rules, pubkey auth for SSH, etc.), as well as NTP (and, I didn’t mention this on-air, but a non-root administrative account is a good idea to set up in the baremetal configuration too).
- I also bemoan the disadvantages – it’s harder to get the current status of a build/provision/turnup/etc. when done via a baremetal install (unless you explicitly enable SSH to run for it) as opposed to a configuration management tool.
- I also speak specifically to role/group/etc.-based functionality. Baremetal provisioning should be reserved for the most common components shared across all machines, and should be tasks that should (ideally) only need to be done once.
- PXE (at least via PXELINUX) or iPXE can use things like host-specific configurations or scripted use of variables, respectively, to let you serve specific baremetal provisioning profiles to specific machines/specific VLANs, etc.
- However, cfg mgmt is (again) probably more ideal for role-based or group-based configuration.
- Just why do we hate the “Cloud”/containerization? (44m28s)
- Thanks to raindev in our IRC channel for the question!
- Jthan’s hate train is moving a little slower then Paden and I’s in this regard – his userbase (researchers) are getting easier grants …er, granted by targeting these large “cloud” providers (AWS, Google’s services, etc.)
- He also mentions the validated and custom-built container templates he built for specific research tasks.
- He kind of hints towards the cost-savings too.
- BUT he also is a little on the hate train – e.g. NodeJS developers suddenly think they’re able to deploy to production without considering things like resource consumption, security, comprehensive reliability, privacy, data integrity, etc.
- He also talks about the dangers of putting all your eggs in one basket that you don’t even have direct access to or control over.
- Paden mostly hates that it’s owned by someone else. The lack of liability for maintenance is nice, but the reliability of a third party does add complication.
- My hate for containers/the “cloud” is manifold.
- You can’t guarantee that third-parties are going to attempt to protect against cross-customer abuse.
- Paden mentions the prevalence of overselling, which is atrocious. (They’re essentially a perpetual minimum viable product.)
- One of the things I hate the most is how people will jump onto new/flashy/“hip” tech just because it’s popular, and try to shoehorn it into cases it doesn’t belong (see also: blockchain, the majority of startups that keep re-inventing existing things, etc.)
- And the security inherent to the technology of these containerization platforms etc. is flawed. They do not belong in production.
- I highly recommend in-house full virtualization over containerization.
In this segment, we highlight system administration mistakes. Think of them as the IT equivalent of the Darwin Awards. (1h13m30s)
Uber’s done it again! They:
- Dropped 100K USD to breachers who exfiltrated private data to keep them quiet
- 57 million users’ data was breached
- There is no way to verify that the breachers have indeed removed/deleted their data.
- They failed to release notice of the breach – we didn’t find this out until a long time after.
- This is after being in talks about previous privacy violations…
- AND an FTC case about mishandling customer data.
- I’m waiting on Jthan for the link to the Scotch Test Dummies video
- The datacenter I refer to on an abandoned oil rig was Sealand HavenCo – but it seems that it is no longer a thing as of 2008.
- Even Google’s plan at imitating this, Google barges, failed as well.
|Intro||It feels good to be alive too||Loyalty Freak Music||click||CC0 1.0||Outro||Close Your Eyes||Def Manic||click||CC-BY 4.0|