Re: (Slightly OT?) K8S Platform As A Service Recommendations

2021-04-07 Thread Raymond Burkholder
On 4/7/21 9:16 AM, Charles N Wyble wrote:
> Does anyone have a recommendation for a self-hosted, on premise,
> platform as a service layer for k8s (specifically k3s)?

FWIW:

Maybe you don't need kubernetes:
https://endler.dev/2019/maybe-you-dont-need-kubernetes/

Manually install a single node Kubernetes cluster on Debian
http://meta.libera.cc/2021/03/manually-install-single-node-kubernetes.html

Or run Salt or something and spin up LXC containers.




(Slightly OT?) K8S Platform As A Service Recommendations

2021-04-07 Thread Charles N Wyble

Hello all,


I know this is primarily a networking list, but I know lots of server 
admins hang out here.


Does anyone have a recommendation for a self-hosted, on premise, 
platform as a service layer for k8s (specifically k3s)?


I have written up some context here:

https://github.com/TSYSGroup/docs-techops/blob/master/Applications/AppRuntimeLayerTodo.md

tl;dr: I have about 70 to 200 apps / (micro) services that will need to 
run across a handful of k3s servers. I already have HA 
database/networking/certificate/application load 
balancer/authentication stacks in production use. I am currently 
running the actual websites/applications on a single Ubuntu LAMP server 
and want to build out an HA runtime layer for all the 
properties/applications and need a way to orchestrate k3s/metallb.


Rancher rio has come up a few times in my research: 
https://bram.dingelstad.works/blog/finding-the-right-paas-for-k8s/



In addition to the web apps, I will also be running a number of 
r applications and CUDA enabled containers (across a mix of physical 
x86/jetson/tegra machines with k3s workers).


Suggestions/comments/questions/flames welcome :)

On or off list as you prefer.


NANOG 82 Call for Presentations is Open

2021-04-07 Thread NANOG News
NANOG Community,

The NANOG Program Committee (PC) is now accepting proposals for all
sessions at NANOG 82, happening June 14-16, 2021. The PC also welcomes
suggestions for speakers and topics.

Presentations at NANOG meetings are a gathering of the industry’s top
minds. Join us, as we spark imagination, encourage dialog, and drive new
solutions to our greatest networking challenges. Presentations may cover
current technologies, soon-to-be deployed technologies, and industry
innovation. Vendors are welcome to submit talks which cover relevant
technologies and capabilities, but presentations should not be promotional,
or discuss proprietary solutions. Find out more at Call For Presentations


The primary speaker, moderator, or author should submit a presentation
proposal and abstract via the Program Committee Tool found here.


• Sign in with your profile account
• Select the type of talk to present
• Complete the form

Timeline for submission and proposal review:

• Applicants enter abstract (and draft slides if possible) in the Program
Committee Tool prior to the deadline for slide submission.

• PC performs initial review and assigns a “shepherd” to help develop the
submission — estimated time is typically within 2 weeks.

• Applicant develops draft slides of talk, if not already submitted with
the initial proposal. Please submit initial draft slides early — the PC
does not evaluate submissions until draft slides are available for review.
NANOG Staff is available to assist with slide templates upon request from
the applicant.

• Panel and Track submissions should provide a topic list and
intended/confirmed participants in the abstract.

• PC reviews the slides and continues to work with the Applicant as needed
to develop the topic.

• Draft presentation slides should be submitted prior to the published
deadline for slides (April 12, 2021).

• PC evaluates submissions to determine presentations for the agenda
(posted on May 10, 2021).

• Agenda assembled and posted.

• Applicants notified.

• Final presentation slides must be submitted prior to the published
deadline for slides (May 10, 2021 for Pre-recordings).

If you think you have an interesting topic but want feedback or suggestions
for developing an idea into a presentation, please email the PC and a
representative will respond to you in a timely manner. Otherwise, submit
your talk, keynote, track, or panel proposal to the Program Committee Tool
at your earliest convenience.

We look forward to reviewing your submission!

NANOG 82 Calendar of Events

Date - Event/Deadline
Mar 1, 2021 - CFP Announced
April 12, 2021 - CFP Deadline: Draft Presentation Slides Due
May 10, 2021 - Pre-Record Presentation FINAL Slides Due
May 10, 2021 - Topics List + Highlights Posted
May 24, 2021 - NANOG 82 Agenda Published
May 28, 2021 - Speaker Presentation Recordings Finalized
June 14-16, 2021 - NANOG 82 Conference

Final slides for pre-recorded presentations must be submitted by Monday,
May 10, 2021. No changes will be accepted between the recording date and
the conference. Materials received after that date may be updated on the
website after the completion of the conference.

We look forward to seeing you in June!

Sincerely,

The NANOG Program Committee


Re: login.authorize.net has A and CNAME records

2021-04-07 Thread Bjørn Mork
Mark Andrews  writes:

> It shouldn’t matter.  Only non-rfc-compliant servers allow A and CNAME
> to co-exist at the same name.  That combination was prohibited by RFC
> 1034.

Right.  Thanks.  I confused myself multiple times here ;-)


The issue seems to be that the cloudflare servers take a shortcut and
convert the CNAME to A, dropping the intermediate CNAME.  That's
obviously not OK.


So it looks correct when you do:


bjorn@miraculix:/tmp$ dig CNAME login.authorize.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> CNAME login.authorize.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52372
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.   IN  CNAME

;; ANSWER SECTION:
login.authorize.net.    300 IN  CNAME   login.authorize.net.cdn.cloudflare.net.

;; Query time: 28 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:01:23 CEST 2021
;; MSG SIZE  rcvd: 97

bjorn@miraculix:/tmp$ dig A login.authorize.net.cdn.cloudflare.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> A login.authorize.net.cdn.cloudflare.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54740
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.cdn.cloudflare.net. IN A

;; ANSWER SECTION:
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.8.127
login.authorize.net.cdn.cloudflare.net. 300 IN A 104.18.9.127

;; Query time: 28 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:01:41 CEST 2021
;; MSG SIZE  rcvd: 99



But not when you query for A directly:



bjorn@miraculix:/tmp$ dig A login.authorize.net @ns0210.secondary.cloudflare.com

; <<>> DiG 9.16.13-Debian <<>> A login.authorize.net @ns0210.secondary.cloudflare.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26197
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;login.authorize.net.   IN  A

;; ANSWER SECTION:
login.authorize.net.    300 IN  A   104.18.9.127
login.authorize.net.    300 IN  A   104.18.8.127

;; Query time: 24 msec
;; SERVER: 162.159.33.85#53(162.159.33.85)
;; WHEN: Wed Apr 07 10:02:25 CEST 2021
;; MSG SIZE  rcvd: 80



So a Cloudflare bug.



Bjørn


Re: login.authorize.net has A and CNAME records

2021-04-07 Thread Mark Andrews



> On 7 Apr 2021, at 17:20, Bjørn Mork  wrote:
> 
> Bjørn Mork  writes:
> 
>> Seth Mattinen  writes:
>>> On 4/6/21 11:35 AM, Arne Jensen wrote:
>>>> login.authorize.net. is a CNAME, but does not have any A records itself.
>>> 
>>> 
>>> This one returns A records:
>> 
>> Looks like they host DNS on both cloudflare and akamai, but zone contents
>> are different on the two platforms:
>> 
>> bjorn@miraculix:~$ for s in $(dig +short ns authorize.net|sort); do echo -n "$s: ";dig +short login.authorize.net @$s|xargs; done
>> a10-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
>> a1-190.akam.net.: login.authorize.net.cdn.cloudflare.net.
>> a2-65.akam.net.: login.authorize.net.cdn.cloudflare.net.
>> a9-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
>> ns0090.secondary.cloudflare.com.: 104.18.8.127 104.18.9.127
>> ns0210.secondary.cloudflare.com.: 104.18.9.127 104.18.8.127
> 
> Doh! I should know better.  Sorry, ignore that.  Don't ask for A records
> if you want to see CNAMEs..

It shouldn’t matter.  Only non-rfc-compliant servers allow A and CNAME
to co-exist at the same name.  That combination was prohibited by RFC
1034.

"The domain system provides such a feature using the canonical name
(CNAME) RR.  A CNAME RR identifies its owner name as an alias, and
specifies the corresponding canonical name in the RDATA section of the
RR.  If a CNAME RR is present at a node, no other data should be
present; this ensures that the data for a canonical name and its aliases
cannot be different.  This rule also insures that a cached CNAME can be
used without checking with an authoritative server for other RR types.”

Returning a signed CNAME is cryptographic proof that an A record does not
exist at the name with DNSSEC.

Mark

> Bjørn

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org



Re: login.authorize.net has A and CNAME records

2021-04-07 Thread Bjørn Mork
Bjørn Mork  writes:

> Seth Mattinen  writes:
>> On 4/6/21 11:35 AM, Arne Jensen wrote:
>>> login.authorize.net. is a CNAME, but does not have any A records itself.
>>
>>
>> This one returns A records:
>
> Looks like they host DNS on both cloudflare and akamai, but zone contents
> are different on the two platforms:
>
>  bjorn@miraculix:~$ for s in $(dig +short ns authorize.net|sort); do echo -n "$s: ";dig +short login.authorize.net @$s|xargs; done
>  a10-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
>  a1-190.akam.net.: login.authorize.net.cdn.cloudflare.net.
>  a2-65.akam.net.: login.authorize.net.cdn.cloudflare.net.
>  a9-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
>  ns0090.secondary.cloudflare.com.: 104.18.8.127 104.18.9.127
>  ns0210.secondary.cloudflare.com.: 104.18.9.127 104.18.8.127

Doh! I should know better.  Sorry, ignore that.  Don't ask for A records
if you want to see CNAMEs..


Bjørn


Re: login.authorize.net has A and CNAME records

2021-04-07 Thread Bjørn Mork
Seth Mattinen  writes:
> On 4/6/21 11:35 AM, Arne Jensen wrote:
>> login.authorize.net. is a CNAME, but does not have any A records itself.
>
>
> This one returns A records:

Looks like they host DNS on both cloudflare and akamai, but zone contents
are different on the two platforms:

 bjorn@miraculix:~$ for s in $(dig +short ns authorize.net|sort); do echo -n "$s: ";dig +short login.authorize.net @$s|xargs; done
 a10-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
 a1-190.akam.net.: login.authorize.net.cdn.cloudflare.net.
 a2-65.akam.net.: login.authorize.net.cdn.cloudflare.net.
 a9-64.akam.net.: login.authorize.net.cdn.cloudflare.net.
 ns0090.secondary.cloudflare.com.: 104.18.8.127 104.18.9.127
 ns0210.secondary.cloudflare.com.: 104.18.9.127 104.18.8.127

Interestingly enough the serial number is consistent though:

 bjorn@miraculix:~$ for s in $(dig +short ns authorize.net|sort); do echo -n "$s: ";dig +short soa authorize.net @$s; done
 a10-64.akam.net.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300
 a1-190.akam.net.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300
 a2-65.akam.net.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300
 a9-64.akam.net.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300
 ns0090.secondary.cloudflare.com.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300
 ns0210.secondary.cloudflare.com.: ns1.dnsvisa.com. premiumdns.support.neustar. 2019103361 600 300 1209600 300


I wish I could say that this is surprising



Bjørn