fidzu : tech

Comments

02 Feb 2023 9:06pm GMT

Comments

02 Feb 2023 9:00pm GMT

The anticipated elementary OS 7 "Horus" release is here, continuing to compete for the prize of best Linux desktop. Here's our review!

02 Feb 2023 8:59pm GMT

Comments

02 Feb 2023 8:56pm GMT

MLOps (short for machine learning operations) is slowly evolving into an independent approach to the machine learning lifecycle that includes all steps - from data gathering to governance and monitoring. It will become a standard as artificial intelligence is moving towards becoming part of everyday business, rather than an innovative activity. Get an intro to […]

02 Feb 2023 6:26pm GMT

GNOME Shell's 'Activities' button is iconic, but could the space it takes be put to better use? One GNOME extension developer thinks so, and this is how…

This post, This GNOME Extension Makes the 'Activities' Label More Useful is from OMG! Ubuntu!. Do not reproduce elsewhere without permission.

01 Feb 2023 11:59pm GMT

Get the most out of your Fedora's virtualization capabilities by installing VMware Workstation Player. Learn how here!

01 Feb 2023 11:42pm GMT

Multipass 1.11 is here! This release has some particularly interesting features that we've been wanting to ship for a while now. We're excited to share them with you! For those who aren't familiar with Multipass, it's software that streamlines every aspect of managing and working with virtual machines. We've found that development, particularly for cloud […]

01 Feb 2023 3:35pm GMT

Linux Mint 21.2 will be released at the end of June. It has the codename "Victoria". New features will be added to the login screen and the Pix photo app.

This post, Linux Mint 21.2 Codename, New Features Revealed is from OMG! Ubuntu!. Do not reproduce elsewhere without permission.

31 Jan 2023 10:28pm GMT

See what's new in elementary OS 7, the latest stable release of this Ubuntu-based Linux distro. From UI changes, to new apps, to powerful new features.

This post, elementary OS 7 Released, This is What's New is from OMG! Ubuntu!. Do not reproduce elsewhere without permission.

31 Jan 2023 5:00pm GMT

A discussion that began in 2018 about adopting OpenSnitch in Debian repositories will probably find a resolution in Debian 12.

30 Jan 2023 2:45pm GMT

Join Canonical and Ubuntu at Mobile World Congress Barcelona 2023 to discuss open source innovation in telecommunications.

30 Jan 2023 9:18am GMT

#​623 - January 27, 2023 Read on the Web JavaScript Weekly Astro 2.0: The Next-Gen 'Islands'-Oriented Web Framework - 2.0 includes hybrid rendering (mixing of SSR and SSG outputs), type safety for Markdown & MDX, and an upgrade to Vite 4.0. Astro is worth exploring when performance is key as it works with popular frameworks but lets you deliver the least JS possible to get pages rendered. Fred Schott Prefer a talk? Nate Moore's ViteConf talk ▶️ Islands Architecture, Astro, and You will bring you up to speed. Deep Cloning Objects in JavaScript, The Modern Way - If you've been leaning on something like Lodash for deep cloning, you might not need to any longer. "It's been a long time coming, but we finally now have the built-in structuredClone function to make deep cloning objects in JavaScript a breeze." Steve Sewell Go From Professional Web Developer to Lead Engineer - Aspiring lead developer? Our collection of comprehensive video courses cover the fundamentals of JavaScript, TypeScript, React, web performance, and more. Frontend Masters sponsor Announcing TypeScript 5.0 Beta - A new major version number, but users of the popular typed JS superset will face a 'similar upgrade experience' to previously. Decorators make it in as a first class feature, significant performance and package size optimizations are present, export type * is supported, all enums are now union enums, and much more. Daniel Rosenwasser (Microsoft) AlaSQL.js 3.0: Isomorphic JavaScript SQL Database - A SQL database you can use in the browser, Node.js or mobile apps. An interesting bit of functionality is you can use SQL to query JavaScript objects - example. "The library adds the comfort of a full database engine to your JavaScript app. No, really." Andrey Gershun IN BRIEF: 🏅 If you're really into Vue.js, you'll soon be able to become officially certified in it. If you're using React, you should be using a React framework, 🐦 says Andrew Clark of the core team. The creator of alternative JS runtime Bun asks: "If there's one thing missing from Bun for you to switch, what is it?" You can reply on Twitter. jQAPI.com is an amazing meeting of old and new JavaScript - it's an Astro powered version of jQuery's documentation! RELEASES: Shoelace 2.0 ↳ Agnostic library of web components. μFuzzy 1.0 ↳ Tiny fuzzy search library. React Router 6.8 Node.js 19.5.0 📒 Articles & Tutorials Getting Started with SvelteKit - SvelteKit only recently hit 1.0 and this is a comprehensive overview of how to build a site using the Svelte-oriented app framework. It covers topics like routing, layouts, data, props and more. Adam Rackis Using .NET Code from JavaScript using WebAssembly - "Starting with .NET 7, you can easily run any .NET method from JavaScript without needing the whole Blazor framework." Gérald Barré JavaScript Scratchpad for VS Code (2m+ Downloads) - Quokka.js is the #1 tool for exploring/testing JavaScript with edit-continue experience to see realtime execution and runtime values. Wallaby.js sponsor scrollend: A New JavaScript Event - Finally an event you won't need a hotel booking for. scrollend provides a new way to detect that a scrolling operation is complete in the browser. Is it another Chrome-only nicety? Surprisingly not - Firefox 109+ supports it too. Adam Argyle (Chrome Team) Packaging Rust Apps for the npm Registry - Isn't npm just for JavaScript projects? Nope. Node is required to make this technique work, but as long as you can package and execute a binary, you're good to go. Orhun Parmaksız Making Sense of TypeScript using Set Theory - This article certainly doesn't hang around. Neat diagrams too. Vladimir Klepov React Authentication, Simplified Userfront sponsor Accessible Hamburger Buttons without JavaScript - Sometimes you need to consider if modern techniques allow you to avoid JavaScript. Here's a CodePen if you want to play. Pausly While we're on the topic of less JavaScript, the latest episode of the Stack Overflow podcast ▶️ 'The less JavaScript, the better' focuses on Astro. 🛠 Code & Tools Uppy 3.4: Powerful, Modular JavaScript File Uploader - Upload not just from local sources but even Dropbox or Instagram. Integrates with popular frameworks and supports resumable uploads. GitHub repo. Transloadit Nut.js 3.0: Desktop Automation from Node - Take control of your desktop (Windows, macOS or Linux) in code with control over keyboard + pointer, along with image matching functionality. GitHub repo. Simon Hofmann Optimize Your Systems' Performance With TelemetryHub - Real-Time Data Monitoring & Analysis - An advanced data visualization and analysis tool that can help you identify and resolve unseen issues in your environment. Try free. TelemetryHub by Scout sponsor Eleventy v2.0: First Beta of the Popular Site Generator - Eleventy is a popular Node.js static site generator and v2.0 includes enough major changes that a thorough beta is needed. The creator ▶️ made this quick video about the release. Zach Leatherman Mock Service Worker 1.0: API Mocking Library for Browser and Node - Intercepts requests which you can then mock. Capture outgoing requests using an Express-like routing syntax, complete with parameters, wildcards, and regexes. GitHub repo. Artem Zakharchenko Drift: A Self-Hostable Gist-Like / Pastebin Service - Built with Next.js 13. Max Leiter Dygraphs 2.2 ↳ Interactive charts of time series data. actions/github-script 6.4 ↳ Write GitHub Actions workflows in JS. Playwright 1.30 ↳ Browser automation framework. Faast.js 6.4 ↳ Serverlessly call JS functions on AWS Lambda & Google Cloud Functions. Cypress 12.4 ↳ Testing framework for anything in a browser. D3plus 2.1 ↳ Extend D3.js with more visualization types. 💻 Jobs Developer Relations Manager - Join the CKEditor team to build community around an Open Source project used by millions of users around the world 🚀 CKEditor Senior Full-Stack Engineer - React + TypeScript - Come help Qwire modernize how studios, composers, artists, publishers, labels, and the rest of the industry manage music rights. Qwire Find JavaScript Jobs with Hired - Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It's free for job-seekers. Hired

27 Jan 2023 12:00am GMT

#​622 - January 20, 2023 Read on the Web JavaScript Weekly Why Not document.write()? - Many moons ago, document.write was a mainstay of client-side JavaScript code, but it's long been considered a bad practice - why? Harry digs in, noting that it "guarantees both a blocking fetch and a blocking execution, which holds up the parser for far longer than necessary". Harry Roberts New: The WebAssembly JavaScript Promise Integration API - A technical explanation from the V8 team on a new API to let WebAssembly apps bridge the synchronous / asynchronous gap of expectations around external functionality (consider that many apps are written synchronously, but modern Web APIs are usually asynchronous). JSPI helps bridge both worlds and can be tested via a flag in Chrome. McCabe, Michaud, Rezvov, Dahl / V8 Team Break the Programming Mold with Dependency Injection - Keep your code on the cutting edge with dependency injection in JavaScript. Check out Snyk's guide that gives a breakdown of what dependency injection is, when you should use it, and what popular JavaScript frameworks it's implemented. Snyk sponsor Why Is My Jest Suite So Slow? - Jest is known for its speed and simplicity so the author was surprised at how quickly his team's test suite was slowing down. This is a write up of the ensuing investigation along with the improvements that slashed test running time. Steven Lemon Bun v0.5 Released - Bun is another JavaScript runtime taking the world by storm and a level of Node compatibility has been baked in from the start. v0.5 adds support for node:readline, workspaces, a node:dns shim, and network socket creation support such that more Node.js-based database libraries work out of the box. Ashcon Partovi IN BRIEF: The ▶️ latest episode of the JS Party podcast tackles 'the rise and fall' of JavaScript frameworks and the modern trend towards smaller ones. The folks at NodeSource have put together a top 10 list of Node open-source projects 'to keep an eye on' in 2023. Aurelia 2 is now in beta. RELEASES: ⭐️ esbuild 0.17.0 ↳ Popular bundler. Note that this is a key release with backwards incompatible changes. Inertia.js 1.0 ↳ Build SPAs for any backend. React Native 0.71 Remix 1.10.0 ↳ Popular full stack framework. 📒 Articles & Tutorials 🎨 Building an Accessible Theme Picker - An attractively presented, easy to follow tutorial for a handy site feature. Sarah L. Fossheim Fixing a Memory Leak in a Production Node.js App - Kent encountered a variety of weird memory and CPU usage spikes in his Node-powered app and decided to figure out what was going on. This post walks through his complete journey, with plenty of side problems encountered along the way, before discovering the root cause was where he least expected it. Kent C Dodds Build a Mobile-Responsive Telehealth Pager App Using Stream's Chat API - Build a responsive chat app with emojis/reactions, built-in GIF support, ability to edit/delete messages, direct & group chat, and more. Stream sponsor 📊 A Beginner's Guide to Chrome Tracing - For when you want to go deeper than the Performance tab. With tracing, you can record what a browser is up to far behind the scenes. Nolan Lawson Handling Errors Like a Pro in TypeScript - "Learn the design pattern I use to handle errors and write cleaner code." Kolby Sisk A Beginner's Guide to async/await with Examples James Hibbard 10 Mistakes to Avoid When Starting with Vue 3 Fotis Adamakis 🛠 Code & Tools RoughNotation: Cute Animated 'Rough' Text Annotations - Uses Rough.js (itself a project worth checking out) to get a hand-drawn look. Lots of nice interactive examples on the page showing a variety of annotation styles (boxes, underlines, circles..) Preet Shihn Free Website Speed Test: Does Your Site Meet Google's Core Web Vitals? - Get an in-depth technical analysis of your site and learn how to make it fast. Rank higher in Google & deliver great UX. DebugBear sponsor Modern Errors: Handle Errors in a Simple, Stable, Consistent Way - Create error classes, wrap or aggregate errors, or use one of several plugins to do things like print bug reporting info, print stack traces, or more. Happy in both Node and the browser. ehmicky Shifty: A Small, Fast Tweening Engine - All it does is tweening. It's a low level animation solution that you can integrate into any rendering mechanism of your choice. The examples here demonstrate it well as it can be used for 'animating' things in an unconventional sense. GitHub repo. Jeremy Kahn Barba.js: For Smooth Visual Transitions Between Pages - You certainly can't say the project's homepage doesn't show off all of its features! For such a dramatic set of effects, things feel smooth and.. surprisingly tolerable 😁 GitHub repo. De Rosa, Michel, et al. Rete.js 1.5: A Framework for Visual Programming - Create a node-based editor in the browser and apply logic. Check out these demos on CodePen. GitHub repo. Vitaliy Stoliarov Don't Let Your Issue Tracker Be a Four-Letter Word. Use Shortcut Shortcut (formerly Clubhouse.io) sponsor gpu-io: GPU-Accelerated Computing Library - for physics simulations and other mathematical calculations. A neat look at the power of WebGL. Several examples. Amanda Ghassaei Chart.js 4.2 ↳ Simple Canvas-based charts. (Samples.) Serialize JavaScript 6.0.1 ↳ Serialize JS to a JSON superset. axios-retry 3.4 ↳ Axios plugin that retries failed requests. Axios 1.2.3 - Popular HTTP client library. Commander.js 10.0 - Node.js CLIs made easy. Mineflayer 4.7 - JS API for Minecraft bots. Wretch 2.4 - Fetch API wrapper with niceties. 💻 Jobs Developer Relations Manager - Join the CKEditor team to build community around an Open Source project used by millions of users around the world 🚀 CKEditor Find JavaScript Jobs with Hired - Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It's free for job-seekers. Hired

20 Jan 2023 12:00am GMT

Author: David Hadas (IBM Research Labs)

This post warns Devops from a false sense of security. Following security best practices when developing and configuring microservices do not result in non-vulnerable microservices. The post shows that although all deployed microservices are vulnerable, there is much that can be done to ensure microservices are not exploited. It explains how analyzing the behavior of clients and services from a security standpoint, named here "Security-Behavior Analysis", can protect the deployed vulnerable microservices. It points to Guard, an open source project offering security-behavior monitoring and control of Kubernetes microservices presumed vulnerable.

As cyber attacks continue to intensify in sophistication, organizations deploying cloud services continue to grow their cyber investments aiming to produce safe and non-vulnerable services. However, the year-by-year growth in cyber investments does not result in a parallel reduction in cyber incidents. Instead, the number of cyber incidents continues to grow annually. Evidently, organizations are doomed to fail in this struggle - no matter how much effort is made to detect and remove cyber weaknesses from deployed services, it seems offenders always have the upper hand.

Considering the current spread of offensive tools, sophistication of offensive players, and ever-growing cyber financial gains to offenders, any cyber strategy that relies on constructing a non-vulnerable, weakness-free service in 2023 is clearly too naïve. It seems the only viable strategy is to:

➥ Admit that your services are vulnerable!

In other words, consciously accept that you will never create completely invulnerable services. If your opponents find even a single weakness as an entry-point, you lose! Admitting that in spite of your best efforts, all your services are still vulnerable is an important first step. Next, this post discusses what you can do about it...

How to protect microservices from being exploited

Being vulnerable does not necessarily mean that your service will be exploited. Though your services are vulnerable in some ways unknown to you, offenders still need to identify these vulnerabilities and then exploit them. If offenders fail to exploit your service vulnerabilities, you win! In other words, having a vulnerability that can't be exploited, represents a risk that can't be realized.

The above diagram shows an example in which the offender does not yet have a foothold in the service; that is, it is assumed that your service does not run code controlled by the offender on day 1. In our example the service has vulnerabilities in the API exposed to clients. To gain an initial foothold the offender uses a malicious client to try and exploit one of the service API vulnerabilities. The malicious client sends an exploit that triggers some unplanned behavior of the service.

More specifically, let's assume the service is vulnerable to an SQL injection. The developer failed to sanitize the user input properly, thereby allowing clients to send values that would change the intended behavior. In our example, if a client sends a query string with key "username" and value of "tom or 1=1", the client will receive the data of all users. Exploiting this vulnerability requires the client to send an irregular string as the value. Note that benign users will not be sending a string with spaces or with the equal sign character as a username, instead they will normally send legal usernames which for example may be defined as a short sequence of characters a-z. No legal username can trigger service unplanned behavior.

In this simple example, one can already identify several opportunities to detect and block an attempt to exploit the vulnerability (un)intentionally left behind by the developer, making the vulnerability unexploitable. First, the malicious client behavior differs from the behavior of benign clients, as it sends irregular requests. If such a change in behavior is detected and blocked, the exploit will never reach the service. Second, the service behavior in response to the exploit differs from the service behavior in response to a regular request. Such behavior may include making subsequent irregular calls to other services such as a data store, taking irregular time to respond, and/or responding to the malicious client with an irregular response (for example, containing much more data than normally sent in case of benign clients making regular requests). Service behavioral changes, if detected, will also allow blocking the exploit in different stages of the exploitation attempt.

More generally:

• Monitoring the behavior of clients can help detect and block exploits against service API vulnerabilities. In fact, deploying efficient client behavior monitoring makes many vulnerabilities unexploitable and others very hard to achieve. To succeed, the offender needs to create an exploit undetectable from regular requests.

• Monitoring the behavior of services can help detect services as they are being exploited regardless of the attack vector used. Efficient service behavior monitoring limits what an attacker may be able to achieve as the offender needs to ensure the service behavior is undetectable from regular service behavior.

Combining both approaches may add a protection layer to the deployed vulnerable services, drastically decreasing the probability for anyone to successfully exploit any of the deployed vulnerable services. Next, let us identify four use cases where you need to use security-behavior monitoring.

Use cases

One can identify the following four different stages in the life of any service from a security standpoint. In each stage, security-behavior monitoring is required to meet different challenges:

Fortunately, microservice architecture is well suited to security-behavior monitoring as discussed next.

Security-Behavior of microservices versus monoliths

Kubernetes is often used to support workloads designed with microservice architecture. By design, microservices aim to follow the UNIX philosophy of "Do One Thing And Do It Well". Each microservice has a bounded context and a clear interface. In other words, you can expect the microservice clients to send relatively regular requests and the microservice to present a relatively regular behavior as a response to these requests. Consequently, a microservice architecture is an excellent candidate for security-behavior monitoring.

The diagram above clarifies how dividing a monolithic service to a set of microservices improves our ability to perform security-behavior monitoring and control. In a monolithic service approach, different client requests are intertwined, resulting in a diminished ability to identify irregular client behaviors. Without prior knowledge, an observer of the intertwined client requests will find it hard to distinguish between types of requests and their related characteristics. Further, internal client requests are not exposed to the observer. Lastly, the aggregated behavior of the monolithic service is a compound of the many different internal behaviors of its components, making it hard to identify irregular service behavior.

In a microservice environment, each microservice is expected by design to offer a more well-defined service and serve better defined type of requests. This makes it easier for an observer to identify irregular client behavior and irregular service behavior. Further, a microservice design exposes the internal requests and internal services which offer more security-behavior data to identify irregularities by an observer. Overall, this makes the microservice design pattern better suited for security-behavior monitoring and control.

Security-Behavior monitoring on Kubernetes

Kubernetes deployments seeking to add Security-Behavior may use Guard, developed under the CNCF project Knative. Guard is integrated into the full Knative automation suite that runs on top of Kubernetes. Alternatively, you can deploy Guard as a standalone tool to protect any HTTP-based workload on Kubernetes.

See:

• Guard on Github, for using Guard as a standalone tool.
• The Knative automation suite - Read about Knative, in the blog post Opinionated Kubernetes which describes how Knative simplifies and unifies the way web services are deployed on Kubernetes.
• You may contact Guard maintainers on the SIG Security Slack channel or on the Knative community security Slack channel. The Knative community channel will move soon to the CNCF Slack under the name #knative-security.

The goal of this post is to invite the Kubernetes community to action and introduce Security-Behavior monitoring and control to help secure Kubernetes based deployments. Hopefully, the community as a follow up will:

1. Analyze the cyber challenges presented for different Kubernetes use cases
2. Add appropriate security documentation for users on how to introduce Security-Behavior monitoring and control.
3. Consider how to integrate with tools that can help users monitor and control their vulnerable services.

Getting involved

You are welcome to get involved and join the effort to develop security behavior monitoring and control for Kubernetes; to share feedback and contribute to code or documentation; and to make or suggest improvements of any kind.

20 Jan 2023 12:00am GMT

#​621 - January 13, 2023 Read on the Web JavaScript Weekly The State of JS 2022 - The State of JS is one of the JavaScript ecosystem's most popular surveys and this time 39,471 folks took part giving us a snapshot of the tools, technologies, and language features people are using (or not using!) There's a lot to go through, but here are some key points: top-level await is the most newly adopted feature recently. The JavaScript / TypeScript balance shows a majority of developers using TypeScript over JS. Express remains by far the most popular backend framework with Nest, Fastify, Strapi, and Koa following somewhat behind. Other interesting results can be found in JS pain points, what is currently missing from JS, and the 'Awards' for stand out items (complete with snazzy visual effects). Devographics 🧈 Retire your Legacy CMS with ButterCMS - ButterCMS is your new content backend. We're SaaS so we host, maintain, and scale the CMS. Enable your marketing team to update website + app content without needing you. Try the #1 rated SaaS Headless CMS for your JS app today. Free for 30 days. 🧈 ButterCMS sponsor 🗣 Is TypeScript Worth It? - Time saver or waste of time? The relationship between TypeScript and JavaScript remains a complex one. An extensive discussion took place on Hacker News this week and, notably, TypeScript PM Daniel Rosenwasser popped up to respond to some of the concerns. Hacker News IN BRIEF: You'll be aware of JavaScript's strict mode but one developer thinks we need a stricter mode to fix several other syntax issues. Publint is an online tool for 'linting' live npm packages to see if they are packaged correctly, as a way to ensure maximum compatibility across environments. RELEASES: Node v19.4.0 and v18.13.0 (LTS) Commander.js 9.5 ↳ Node.js command-line interface toolkit. Angular 15.1 Pixi.js 7.1 - Fast 2D on WebGL engine. 📒 Articles & Tutorials The Gotcha of Unhandled Promise Rejections - A rough edge with promises that can sneak up on you. Jake looks at a 'gotcha' around unhandled promise rejections and how to work around it. Jake Archibald HTML with Superpowers: The Guidebook - A free resource introducing Web Components, what they are, and what problems they're trying to solve. You can see the Guidebook directly here. Dave Rupert With Retool You Ship Apps Fast with 100+ Perfectly Crafted UI Components - The fast way for devs to build and share internal tools. Teams at companies like Amazon, DoorDash & NBC collaborate around custom-built Retool apps to solve internal workflows. Retool sponsor Everything About React's 'Concurrent Mode' Features - An in-depth, example-led exploration of Concurrent Mode (now more a set of features integrated into React 18 than a distinct 'mode'). Henrique Yuji Using GitHub Copilot for Unit Testing? - Even if you find the idea of a AI tool like Copilot writing production code distasteful, it may have a place in speeding up writing tests. Ianis Triandafilov How to Destructure Props in Vue (Composition API) - How to correctly destructure props object in a Vue component while maintaining the reactivity. Dmitri Pavlutin Using Inline JavaScript Modules to Prevent CSS Blockage Stoyan Stefanov How to Build a GraphQL Server with Deno Andy Jiang 🛠 Code & Tools Gluon: Framework for Creating Desktop Apps from Sites - A new approach for building desktop apps on Windows and Linux from Web sites using Node (or Deno) and already installed browsers (Chromium or Firefox). Initial macOS support has just been added too. Gluon Structura.js: Lightweight Library for Immutable State Management - " It is based on the idea of structural sharing. The library is very similar to Immer.js, but it has some advantages over it." Giuseppe Raso Tuple, a Lightning-Fast Pairing Tool Built for Remote Developers - High-resolution, crystal-clear screen sharing, low-latency remote control, and less CPU usage than you'd think possible. Tuple sponsor Bay.js: A Lightweight Library for Web Components - Makes it easy to create web components that can be reused across projects. It also boasts performant state changes and secure event binding. Ian Dunkerley Twify: Scaffold a Tailwind CSS Project with a Single Command - You can use your preferred package manager and it supports creating projects with Next.js, Nuxt 2/3, SvelteKit, Remix, Angular, and more. Kazi Ahmed Lazy Brush 2.0: A Library for Smooth Pointer Drawing - Allow your users to draw smooth curves and straight lines with your mouse, finger or any pointing device. This long standing library has just migrated to TypeScript and gained a new 'friction' option to customize the feel. GitHub repo. Jan Hug ➗ Mafs: React Components for Interactive Math - Build interactive, animated visualizations using declarative code with illustrative demos like bezier curves. The documentation is fantastic - check out how easy it is to make plots. Or just head to the GitHub repo. Steven Petryk Are You Looking for a New Observability Tool? TelemetryHub by Scout sponsor Hyphenopoly 5.0: A Polyfill for Client-Side Hyphenation - An interesting use of WebAssembly here. Mathias Nater visx 3.0 ↳ D3-powered visualization React components. Atrament 3.0 ↳ Library for drawing and handwriting on a canvas element. HLS.js 1.3 ↳ Library to play HLS (HTTP Live Streaming) in browsers, with MSE support. 💻 Jobs Developer Relations Manager - Join the CKEditor team to build community around an Open Source project used by millions of users around the world 🚀 CKEditor Backend Engineer, TypeScript (Berlin / Remote) - Thousands of people love our product (see Trustpilot for yourself). Join the team behind it and help us scale. 🚀 Feather Find JavaScript Jobs with Hired - Create a profile on Hired to connect with hiring managers at growing startups and Fortune 500 companies. It's free for job-seekers. Hired 🎶 Écoute la musique.. Oxygene Pt 4, as Performed by JavaScript - This is fun. Dittytoy is a simple, JavaScript-powered online generative music tool and someone has put together a surprisingly faithful rendition of perhaps one of the best known instrumental synth songs ever, all the way from 1976. Dittytoy

13 Jan 2023 12:00am GMT

Author: Sunny Bhambhani (InfraCloud Technologies)

Kubernetes has been widely adopted, and many organizations use it as their de-facto orchestration engine for running workloads that need to be created and deleted frequently.

Therefore, proper scheduling of the pods is key to ensuring that application pods are up and running within the Kubernetes cluster without any issues. This article delves into the use cases around resource management by leveraging the PriorityClass object to protect mission-critical or high-priority pods from getting evicted and making sure that the application pods are up, running, and serving traffic.

Resource management in Kubernetes

The control plane consists of multiple components, out of which the scheduler (usually the built-in kube-scheduler) is one of the components which is responsible for assigning a node to a pod.

Whenever a pod is created, it enters a "pending" state, after which the scheduler determines which node is best suited for the placement of the new pod.

In the background, the scheduler runs as an infinite loop looking for pods without a nodeName set that are ready for scheduling. For each Pod that needs scheduling, the scheduler tries to decide which node should run that Pod.

If the scheduler cannot find any node, the pod remains in the pending state, which is not ideal.

The below diagram, from point number 1 through 4, explains the request flow:

Typical use cases

Below are some real-life scenarios where control over the scheduling and eviction of pods may be required.

1. Let's say the pod you plan to deploy is critical, and you have some resource constraints. An example would be the DaemonSet of an infrastructure component like Grafana Loki. The Loki pods must run before other pods can on every node. In such cases, you could ensure resource availability by manually identifying and deleting the pods that are not required or by adding a new node to the cluster. Both these approaches are unsuitable since the former would be tedious to execute, and the latter could involve an expenditure of time and money.

2. Another use case could be a single cluster that holds the pods for the below environments with associated priorities:

   • Production (prod): top priority
   • Preproduction (preprod): intermediate priority
   • Development (dev): least priority

In the event of high resource consumption in the cluster, there is competition for CPU and memory resources on the nodes. While cluster-level autoscaling may add more nodes, it takes time. In the interim, if there are no further nodes to scale the cluster, some Pods could remain in a Pending state, or the service could be degraded as they compete for resources. If the kubelet does evict a Pod from the node, that eviction would be random because the kubelet doesn't have any special information about which Pods to evict and which to keep.

3. A third example could be a microservice backed by a queuing application or a database running into a resource crunch and the queue or database getting evicted. In such a case, all the other services would be rendered useless until the database can serve traffic again.

There can also be other scenarios where you want to control the order of scheduling or order of eviction of pods.

PriorityClasses in Kubernetes

PriorityClass is a cluster-wide API object in Kubernetes and part of the scheduling.k8s.io/v1 API group. It contains a mapping of the PriorityClass name (defined in .metadata.name) and an integer value (defined in .value). This represents the value that the scheduler uses to determine Pod's relative priority.

Additionally, when you create a cluster using kubeadm or a managed Kubernetes service (for example, Azure Kubernetes Service), Kubernetes uses PriorityClasses to safeguard the pods that are hosted on the control plane nodes. This ensures that critical cluster components such as CoreDNS and kube-proxy can run even if resources are constrained.

This availability of pods is achieved through the use of a special PriorityClass that ensures the pods are up and running and that the overall cluster is not affected.

$ kubectl get priorityclass
NAME VALUE GLOBAL-DEFAULT AGE
system-cluster-critical 2000000000 false 82m
system-node-critical 2000001000 false 82m

The diagram below shows exactly how it works with the help of an example, which will be detailed in the upcoming section.

Pod priority and preemption

Pod preemption is a Kubernetes feature that allows the cluster to preempt pods (removing an existing Pod in favor of a new Pod) on the basis of priority. Pod priority indicates the importance of a pod relative to other pods while scheduling. If there aren't enough resources to run all the current pods, the scheduler tries to evict lower-priority pods over high-priority ones.

Also, when a healthy cluster experiences a node failure, typically, lower-priority pods get preempted to create room for higher-priority pods on the available node. This happens even if the cluster can bring up a new node automatically since pod creation is usually much faster than bringing up a new node.

PriorityClass requirements

Before you set up PriorityClasses, there are a few things to consider.

1. Decide which PriorityClasses are needed. For instance, based on environment, type of pods, type of applications, etc.
2. The default PriorityClass resource for your cluster. The pods without a priorityClassName will be treated as priority 0.
3. Use a consistent naming convention for all PriorityClasses.
4. Make sure that the pods for your workloads are running with the right PriorityClass.

PriorityClass hands-on example

Let's say there are 3 application pods: one for prod, one for preprod, and one for development. Below are three sample YAML manifest files for each of those.

---
# development
apiVersion: v1
kind: Pod
metadata:
 name: dev-nginx
 labels:
 env: dev
spec:
 containers:
 - name: dev-nginx
 image: nginx
 resources:
 requests:
 memory: "256Mi"
 cpu: "0.2"
 limits:
 memory: ".5Gi"
 cpu: "0.5"

---
# preproduction
apiVersion: v1
kind: Pod
metadata:
 name: preprod-nginx
 labels:
 env: preprod
spec:
 containers:
 - name: preprod-nginx
 image: nginx
 resources:
 requests:
 memory: "1.5Gi"
 cpu: "1.5"
 limits:
 memory: "2Gi"
 cpu: "2"

---
# production
apiVersion: v1
kind: Pod
metadata:
 name: prod-nginx
 labels:
 env: prod
spec:
 containers:
 - name: prod-nginx
 image: nginx
 resources:
 requests:
 memory: "2Gi"
 cpu: "2"
 limits:
 memory: "2Gi"
 cpu: "2"

You can create these pods with the kubectl create -f <FILE.yaml> command, and then check their status using the kubectl get pods command. You can see if they are up and look ready to serve traffic:

$ kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
dev-nginx 1/1 Running 0 55s env=dev
preprod-nginx 1/1 Running 0 55s env=preprod
prod-nginx 0/1 Pending 0 55s env=prod

Bad news. The pod for the Production environment is still Pending and isn't serving any traffic.

Let's see why this is happening:

$ kubectl get events
...
...
5s Warning FailedScheduling pod/prod-nginx 0/2 nodes are available: 1 Insufficient cpu, 2 Insufficient memory.

In this example, there is only one worker node, and that node has a resource crunch.

Now, let's look at how PriorityClass can help in this situation since prod should be given higher priority than the other environments.

PriorityClass API

Before creating PriorityClasses based on these requirements, let's see what a basic manifest for a PriorityClass looks like and outline some prerequisites:

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
 name: PRIORITYCLASS_NAME
value: 0 # any integer value between -1000000000 to 1000000000 
description: >-
  (Optional) description goes here!
globalDefault: false # or true. Only one PriorityClass can be the global default.

Below are some prerequisites for PriorityClasses:

• The name of a PriorityClass must be a valid DNS subdomain name.
• When you make your own PriorityClass, the name should not start with system-, as those names are reserved by Kubernetes itself (for example, they are used for two built-in PriorityClasses).
• Its absolute value should be between -1000000000 to 1000000000 (1 billion).
• Larger numbers are reserved by PriorityClasses such as system-cluster-critical (this Pod is critically important to the cluster) and system-node-critical (the node critically relies on this Pod). system-node-critical is a higher priority than system-cluster-critical, because a cluster-critical Pod can only work well if the node where it is running has all its node-level critical requirements met.
• There are two optional fields:
  • globalDefault: When true, this PriorityClass is used for pods where a priorityClassName is not specified. Only one PriorityClass with globalDefault set to true can exist in a cluster.
    If there is no PriorityClass defined with globalDefault set to true, all the pods with no priorityClassName defined will be treated with 0 priority (i.e. the least priority).
  • description: A string with a meaningful value so that people know when to use this PriorityClass.

PriorityClass in action

Here's an example. Next, create some environment-specific PriorityClasses:

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
 name: dev-pc
value: 1000000
globalDefault: false
description: >-
  (Optional) This priority class should only be used for all development pods.

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
 name: preprod-pc
value: 2000000
globalDefault: false
description: >-
  (Optional) This priority class should only be used for all preprod pods.

apiVersion: scheduling.k8s.io/v1
kind: PriorityClass
metadata:
 name: prod-pc
value: 4000000
globalDefault: false
description: >-
  (Optional) This priority class should only be used for all prod pods.

Use kubectl create -f <FILE.YAML> command to create a pc and kubectl get pc to check its status.

$ kubectl get pc
NAME VALUE GLOBAL-DEFAULT AGE
dev-pc 1000000 false 3m13s
preprod-pc 2000000 false 2m3s
prod-pc 4000000 false 7s
system-cluster-critical 2000000000 false 82m
system-node-critical 2000001000 false 82m

The new PriorityClasses are in place now. A small change is needed in the pod manifest or pod template (in a ReplicaSet or Deployment). In other words, you need to specify the priority class name at .spec.priorityClassName (which is a string value).

First update the previous production pod manifest file to have a PriorityClass assigned, then delete the Production pod and recreate it. You can't edit the priority class for a Pod that already exists.

In my cluster, when I tried this, here's what happened. First, that change seems successful; the status of pods has been updated:

$ kubectl get pods --show-labels
NAME READY STATUS RESTARTS AGE LABELS
dev-nginx 1/1 Terminating 0 55s env=dev
preprod-nginx 1/1 Running 0 55s env=preprod
prod-nginx 0/1 Pending 0 55s env=prod

The dev-nginx pod is getting terminated. Once that is successfully terminated and there are enough resources for the prod pod, the control plane can schedule the prod pod:

Warning FailedScheduling pod/prod-nginx 0/2 nodes are available: 1 Insufficient cpu, 2 Insufficient memory.
Normal Preempted pod/dev-nginx by default/prod-nginx on node node01
Normal Killing pod/dev-nginx Stopping container dev-nginx
Normal Scheduled pod/prod-nginx Successfully assigned default/prod-nginx to node01
Normal Pulling pod/prod-nginx Pulling image "nginx"
Normal Pulled pod/prod-nginx Successfully pulled image "nginx"
Normal Created pod/prod-nginx Created container prod-nginx
Normal Started pod/prod-nginx Started container prod-nginx

Enforcement

When you set up PriorityClasses, they exist just how you defined them. However, people (and tools) that make changes to your cluster are free to set any PriorityClass, or to not set any PriorityClass at all. However, you can use other Kubernetes features to make sure that the priorities you wanted are actually applied.

As an alpha feature, you can define a ValidatingAdmissionPolicy and a ValidatingAdmissionPolicyBinding so that, for example, Pods that go into the prod namespace must use the prod-pc PriorityClass. With another ValidatingAdmissionPolicyBinding you ensure that the preprod namespace uses the preprod-pc PriorityClass, and so on. In any cluster, you can enforce similar controls using external projects such as Kyverno or Gatekeeper, through validating admission webhooks.

However you do it, Kubernetes gives you options to make sure that the PriorityClasses are used how you wanted them to be, or perhaps just to warn users when they pick an unsuitable option.

Summary

The above example and its events show you what this feature of Kubernetes brings to the table, along with several scenarios where you can use this feature. To reiterate, this helps ensure that mission-critical pods are up and available to serve the traffic and, in the case of a resource crunch, determines cluster behavior.

It gives you some power to decide the order of scheduling and order of preemption for Pods. Therefore, you need to define the PriorityClasses sensibly. For example, if you have a cluster autoscaler to add nodes on demand, make sure to run it with the system-cluster-critical PriorityClass. You don't want to get in a situation where the autoscaler has been preempted and there are no new nodes coming online.

If you have any queries or feedback, feel free to reach out to me on LinkedIn.

12 Jan 2023 12:00am GMT

Authors: Filip Křepinský (Red Hat), Morten Torkildsen (Google), Ravi Gudimetla (Apple)

Ensuring the disruptions to your applications do not affect its availability isn't a simple task. Last month's release of Kubernetes v1.26 lets you specify an unhealthy pod eviction policy for PodDisruptionBudgets (PDBs) to help you maintain that availability during node management operations. In this article, we will dive deeper into what modifications were introduced for PDBs to give application owners greater flexibility in managing disruptions.

What problems does this solve?

API-initiated eviction of pods respects PodDisruptionBudgets (PDBs). This means that a requested voluntary disruption via an eviction to a Pod, should not disrupt a guarded application and .status.currentHealthy of a PDB should not fall below .status.desiredHealthy. Running pods that are Unhealthy do not count towards the PDB status, but eviction of these is only possible in case the application is not disrupted. This helps disrupted or not yet started application to achieve availability as soon as possible without additional downtime that would be caused by evictions.

Unfortunately, this poses a problem for cluster administrators that would like to drain nodes without any manual interventions. Misbehaving applications with pods in CrashLoopBackOff state (due to a bug or misconfiguration) or pods that are simply failing to become ready make this task much harder. Any eviction request will fail due to violation of a PDB, when all pods of an application are unhealthy. Draining of a node cannot make any progress in that case.

On the other hand there are users that depend on the existing behavior, in order to:

• prevent data-loss that would be caused by deleting pods that are guarding an underlying resource or storage
• achieve the best availability possible for their application

Kubernetes 1.26 introduced a new experimental field to the PodDisruptionBudget API: .spec.unhealthyPodEvictionPolicy. When enabled, this field lets you support both of those requirements.

How does it work?

API-initiated eviction is the process that triggers graceful pod termination. The process can be initiated either by calling the API directly, by using a kubectl drain command, or other actors in the cluster. During this process every pod removal is consulted with appropriate PDBs, to ensure that a sufficient number of pods is always running in the cluster.

The following policies allow PDB authors to have a greater control how the process deals with unhealthy pods.

There are two policies IfHealthyBudget and AlwaysAllow to choose from.

The former, IfHealthyBudget, follows the existing behavior to achieve the best availability that you get by default. Unhealthy pods can be disrupted only if their application has a minimum available .status.desiredHealthy number of pods.

By setting the spec.unhealthyPodEvictionPolicy field of your PDB to AlwaysAllow, you are choosing the best effort availability for your application. With this policy it is always possible to evict unhealthy pods. This will make it easier to maintain and upgrade your clusters.

We think that AlwaysAllow will often be a better choice, but for some critical workloads you may still prefer to protect even unhealthy Pods from node drains or other forms of API-initiated eviction.

How do I use it?

This is an alpha feature, which means you have to enable the PDBUnhealthyPodEvictionPolicy feature gate, with the command line argument --feature-gates=PDBUnhealthyPodEvictionPolicy=true to the kube-apiserver.

Here's an example. Assume that you've enabled the feature gate in your cluster, and that you already defined a Deployment that runs a plain webserver. You labelled the Pods for that Deployment with app: nginx. You want to limit avoidable disruption, and you know that best effort availability is sufficient for this app. You decide to allow evictions even if those webserver pods are unhealthy. You create a PDB to guard this application, with the AlwaysAllow policy for evicting unhealthy pods:

apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
 name: nginx-pdb
spec:
 selector:
 matchLabels:
 app: nginx
 maxUnavailable: 1
 unhealthyPodEvictionPolicy: AlwaysAllow

How can I learn more?

• Read the KEP: Unhealthy Pod Eviction Policy for PDBs
• Read the documentation: Unhealthy Pod Eviction Policy for PodDisruptionBudgets
• Review the Kubernetes documentation for PodDisruptionBudgets, draining of Nodes and evictions

How do I get involved?

If you have any feedback, please reach out to us in the #sig-apps channel on Slack (visit https://slack.k8s.io/ for an invitation if you need one), or on the SIG Apps mailing list: kubernetes-sig-apps@googlegroups.com

06 Jan 2023 12:00am GMT