Bullish DevOps News/Updates — June 2021

Catch Bullish DevOps News/Updates June edition! We’ve prepared a new collection of trending DevOps news and updates including the latest methodologies, guides, tips, recommendations to deal with tough DevOps projects. Bullish DevOps is the DevOps that drives the IT business up, unlike Bearish DevOps that is not only helpful but also kills productivity and performance at most. DevOps at It Svit is Bullish enough, and nobody can deny it. We created this article for DevOps engineers, developers, system administrators, and IT leaders to catch up with the DevOps World’s latest updates and other DevOps-worthy stuff. 

HashiCorp announcing Terraform 1.0 general availability

On June 8th, 2021 HashiConf Europe announced the general availability of HashiCorp Terraform 1.0, a major tool for synergy, ease of upgrades, and support for your automation flows. Terraform 1.0 is immediately available for download as well as for use in HashiCorp Terraform Cloud. In this post, you’ll take a look at what’s new, and what the 1.0 designation means for Terraform users.

Technically, this is the same version of 0.15.5 that came out a little earlier. However, now Hashicorp guarantees nothing will break in Terraform’s new releases – both in the language, the format of the government files and in the format of the program interface. There are some exceptions, though. Read this post for a complete list.

What ‘s new with Grafana? 

June 8th became the date when Grafana Labs released Grafana v8.0.  With Grafana you can create, explore and share all of your data through convenient and flexible dashboards. Grafana doesn’t require you to ingest data to a backend store or vendor database. Instead, Grafana takes a unique approach to provide a “single-pane-of-glass” by unifying your existing data, wherever it lives. With Grafana, you can take any of your existing data (Kubernetes cluster data, Raspberry Pi, different cloud services, or even Google Sheets,  and visualize it from a single dashboard. By democratizing data, Grafana helps to facilitate a culture where data can easily be used and accessed by the people that need it, helping to break down data silos and empower teams. So, what’s new in Grafana v8.0:

• Integration with external alert systems with alert manager from Prometheus.
• Packing charts into libraries for reuse on other dashboards.
• Support for a push model for updating dashboards in real-time, for example, updating charts by events from MQTT or by HTTP POST to an endpoint in Grafana.
• Several new types of visualization, data sources, and authentication.
• Other minor changes. More information here. 

HTTP Performance Tuning: 1.2M API req/s on a 4 vCPU EC2 Instance

In this post, Marc Richards will walk you through the performance tuning steps that he took to serve 1.2 million JSON “API” requests per second from a 4 vCPU AWS EC2 instance. For this recreated quest he was moving steadily from serving 224k req/s at the start, with the default configuration, to a mind-blowing 1.2M req/s by the time we reach the end. The main takeaway from this post should be an appreciation for the tools and techniques that can help you to profile and improve the performance of your systems. Though you probably should not expect to get a 5x performance boost from your web app by implementing these configuration changes. Many of the optimizations presented here won’t benefit you unless you are already serving more than 50k req/s, to begin with. On the other hand, applying the profiling techniques to any application should give you a much better understanding of its overall behavior, and you just might find an unexpected bottleneck.

How Netflix uses eBPF flow logs at scale for network insight

Netflix software infrastructure is a large distributed ecosystem that consists of specialized functional tiers that are operated on the AWS and Netflix-owned services. While they strive to keep the ecosystem simple, the inherent nature of leveraging a variety of technologies will lead us to challenges such as app dependencies and data flow mappings, pathway validation, service segmentation, and network availability. Cloud Network Insight is a suite of solutions that provides both operational and analytical insight into the cloud network infrastructure to address the identified problems. To that end, Netflix developed a network observability sidecar called Flow Exporter that uses eBPF tracepoints to capture TCP flows in near real-time. At much less than 1% of CPU and memory on the instance, this highly performant sidecar provides flow data at scale for network insight. Further details are here. 

Awesome firewall management system presenting 

Need consistent network access rules across hundreds of servers in multiple regions on multiple providers? Need defense-in-depth, beyond gateway firewalls? Need blocklists with thousands of addresses distributed across many servers updated constantly? Need to limit the number of connections and/or bandwidth usage? Sick of error-prone manual updates of per-server iptables rules? You need a Dog. The Dog is a distributed firewall management system designed to manage more than a hundred per-server firewalls. Currently, iptables on Linux are supported, but others could be added. The Dog is your network guard dog that can centrally manage hundreds (and more) of per-server iptables firewalls, work across clouds, regions, and on-premise infrastructure, adapt to dynamic address changes, alert if servers fail to communicate or if their firewalls are modified outside of the dog control, and many other quite helpful features. 

Linux capabilities uncovering and exploiting 

Capabilities in Linux are special attributes that can be allocated to processes, binaries, services, and users and they can allow them specific privileges that are normally reserved for root-level actions. Capabilities are a powerful tool for system administrators and DevOps engineers to be able to do their job and work around some of the restrictions of the Linux operating system, however, they should be carefully set as if misconfigured they could lead to a full system compromise. In this article, you will find a full list of Linux capabilities with a description, a danger list, tips on how to determine, and examples of privileges raising. Once the capabilities have been assigned, a great resource to find out if they can be vulnerable is through GTFOBins, as for each applicable binary it has a handy “Capabilities” section that shows how certain capabilities can be exploited to elevate privileges. This HackTricks page is also great. Alternatively, googling for the capability and the object it is assigned to normally does the trick.

How you can best use etcd key-value store in your app

Etcd is a distributed key/value store designed as a highly available and robustly coherent data store for distributed systems. Actually, Kubernetes itself uses etcd to store all of its cluster data, such as configurations and metadata. As with any system design, different architectural solutions lead to different trade-offs that affect the optimal way to use and operate the system. In this article, Michelle Nguyen Principal Engineer at New Relic, Founding engineer Pixie Labs discusses the inner workings of etcd to help conclude about how to use this key and value store in your own application.

Wrapping things up

Now you’ve finished Bullish DevOps News/Updates June edition!  You are very welcome to share your thoughts in the comments and tell us what was good to learn and what you want to read about next.