🌞
All that is gold does not glitter, Not all those who wander are lost

Victor Palade PI-Victor


Cryptographic Best Practices

Putting cryptographic primitives together is a lot like putting a jigsaw puzzle together, where all the pieces are cut exactly the same way, but there is only one correct solution. Thankfully, there are some projects out there that are working hard to make sure developers are getting it right.

The following advice comes from years of research from leading security researchers, developers, and cryptographers. This Gist was [forked from Thomas Ptacek's Gist][1] to be more readable. Additions have been added from

@PI-Victor
PI-Victor / gist:b0b7337836859d4e3103a7ff70c713ca
Created June 3, 2020 11:14
remove gnome shit shortcuts
for i in {1..9}; do gsettings set "org.gnome.shell.keybindings" "switch-to-application-$i" "[]"; done
Ubuntu:
docker run -v $(pwd):/app -w /app -ti ubuntu:19.04 /bin/bash
clone https://github.com/davatorium/rofi/releases
clone and install https://github.com/libcheck/check/releases
apt-get update && apt-get install -y wget gcc make bison flex libxkbcommon-dev gir1.2-glib-2.0 libglib2.0-dev libx11-xcb1 libxcb-xinerama0-dev libxcb-xinerama0-dev libxcb-util-dev libxcb-randr0 libxcb-randr0-dev libxcb-xrm-dev libxkbcommon-x11-dev libxcb-ewmh-dev libxcb-icccm4-dev libpango1.0-dev libstartup-notification0-dev librsvg2-dev librsvg2-dev
./configure
@PI-Victor
PI-Victor / gist:2129291db55a766a804f44e7ee31de10
Created October 16, 2019 12:48
disable docker iptables for internet exposed interface
iptables -N DOCKER-USER
iptables -I FORWARD -j DOCKER-USER
iptables -A DOCKER-USER -j RETURN
iptables -I DOCKER-USER -i br0 ! -s 192.168.1.1 -j DROP
@PI-Victor
PI-Victor / override.conf
Created July 27, 2019 10:36
Override cgroup docker driver
[Service]
ExecStart=
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --exec-opt native.cgroupdriver=systemd
@PI-Victor
PI-Victor / gist:189a0b3d52f96d64d3fdf7829d99ded0
Created July 15, 2019 12:38 — forked from Vince-Cercury/gist:43c7afc1a6b0f580b0cb6fb27e650042
How to monitor an external secure etcd cluster with Prometheus Operator
# How to monitor a secure external etcd service with Prometheus Operator
This guide will help you monitor an external etcd cluster, that is, when etcd is not hosted inside Kubernetes.
This is often the case with the Kubernetes setup. This has been tested with kube-aws, but the same principles will apply to other tools.
# Step 1 - Make the etcd certificates available to Prometheus pod
Prometheus Operator (and Prometheus) allow us to specify a tlsConfig. This is required because your etcd metrics endpoint is most likely secured.
## a - Create the secrets in the namespace
Prometheus Operator allows us to mount secrets in the pod. By loading the secrets as files, they can be made available inside the Prometheus pod.
@PI-Victor
PI-Victor / gist:590c924d6cbc1f0491a64d2b17f79773
Created March 5, 2019 13:07
gtk minimize titlebar headers
original https://unix.stackexchange.com/questions/257163/reduce-title-bar-height-in-gnome-3-gtk-3
After Gnome 3.20, .header-bar.default-decoration doesn't work.
You can put the following content into ~/.config/gtk-3.0/gtk.css:
/* shrink headerbars (don't forget semicolons after each property) */
headerbar {

Kafka 0.11.0.0 (Confluent 3.3.0) added support for manipulating the offsets of a consumer group via the kafka-consumer-groups CLI command.

  1. List the topics to which the group is subscribed
kafka-consumer-groups --bootstrap-server <kafkahost:port> --group <group_id> --describe

Note the values under "CURRENT-OFFSET" and "LOG-END-OFFSET". "CURRENT-OFFSET" is the offset where this consumer group is currently at in each of the partitions.

  2. Reset the consumer offset for a topic (preview)
@PI-Victor
PI-Victor / !readme.md
Created June 13, 2018 20:48 — forked from dougbtv/!readme.md
You had ONE JOB -- A Kubernetes job.

You had ONE JOB -- A Kubernetes job.

Let's take a look at how Kubernetes jobs are crafted. I had been jamming some kind of work-around shell scripts in the entrypoint* for some containers in the vnf-asterisk project that Leif and I have been working on. And that's not perfect when we can use Kubernetes jobs, or in their new parlance, "run to completion finite workloads" (I'll stick to calling them "jobs"). They're one-shot containers that do one thing, and then end (sort of like a "oneshot" of systemd units, at least how we'll use them today). I like the idea of using them to complete some service discovery for me when other pods are coming up. Today we'll fire up a pod, and spin up a job to discover that pod (by querying the API for info about it), and put info into etcd. Let's get the job done.

This post also exists as a [gist on github](https
