
@gc-ss
gc-ss / README.md
Created August 5, 2021 17:22 — forked from the-maldridge/README.md
Pomerium on Nomad with Traefik

Pomerium on Nomad - Forward Auth

Pomerium is one possible implementation of a BeyondCorp architecture, similar to ORY Oathkeeper or GCP IAP. This architecture is a newer security model than traditional VPNs: it lets you guard your internal services while still having them be directly internet facing. This makes both the individual-machine story and the BYOD story much easier.

Pomerium has several limitations that may make it unsuitable for your network.

  • In order to work with a Consul service mesh you are limited to forward-auth mode. This has only limited upstream support and can be fiddly to get working, because the documentation around it is questionable, both for the proxy implementations and for Pomerium itself.
  • Even though Pomerium isn't proxying the traffic, the policy you can create is limited by what Envoy (which is vendored into Pomerium as a binary artifact...) is capable of matching. This is why Pomerium has a static port attached to its consul service registratio
set -o pipefail
set -o errtrace
set -o nounset
set -o errexit
set -a
# Scratch mount is the device which will be mounted on /mnt
# and generally used for logs, core dumps etc.
# Test the pipeline directly; wrapping it in $(...) would execute grep's (empty) output instead
if ! mount | grep -q /mnt ; then
# Detect NVMe drives

Job Anti-Affinity in Action

Overview

This guide will walk you through creating and executing a job that demonstrates Nomad's job anti-affinity rules and, in clusters with memory-limited Nomad clients, filtering based on resource exhaustion.

Sample Environment

  • One Nomad Server Node
  • Three Nomad Client Nodes
    • 768 MB RAM total (providing 761 MB RAM in nomad node-status -self)
@gc-ss
gc-ss / docker.md
Created June 9, 2021 00:26 — forked from angrycub/docker.md
Enabling pre-Nomad 0.12 Docker mount behavior for dev agents

Create a configuration file and a sample job.

docker.hcl

plugin "docker" {
  config {
    volumes {
      enabled = true
    }
  }
}
@gc-ss
gc-ss / eventstream.py
Created June 9, 2021 00:25 — forked from angrycub/eventstream.py
Minimal Python Client for Nomad Event Stream
import json
import requests
import sys
URL_BASE = "http://127.0.0.1:4646"
URL_API_PATH = "/v1/event/stream"
URL_QUERY_STRING = ""
#URL_QUERY_STRING = "?topic=Node:*"
url = URL_BASE + URL_API_PATH + URL_QUERY_STRING
# The stream is a long-lived response of newline-delimited JSON; empty objects are heartbeats.
with requests.get(url, stream=True) as resp:
    for line in resp.iter_lines():
        event = json.loads(line) if line else {}
        if event:
            print(json.dumps(event), file=sys.stdout)
@gc-ss
gc-ss / consul-connect-p1.md
Created June 9, 2021 00:22 — forked from angrycub/consul-connect-p1.md
Consul Connect - Consul ACL Token Handling Part 1

Consul Connect / ACL Enforcement Flow

Nomad starts the JobEndpoint

At startup, the Nomad server creates a JobEndpoint using the NewJobEndpoints function.

Job is submitted

A job is submitted to the API (either directly or via the CLI).

The API sends a JobRegisterRequest to Register(). The Register() call is forwarded to the leader where execution continues.

@gc-ss
gc-ss / carl_hewitt_actor_model.md
Created May 12, 2021 06:43 — forked from rbishop/carl_hewitt_actor_model.md
Notes from Carl Hewitt on the Actor Model

Carl Hewitt on Actors

Actor - Fundamental unit of computation, a computation model - not just a form of concurrency

An Actor has three essential elements:

  • 1 - Processing - you have to get something done
  • 2 - Storage - you have to be able to remember things
  • 3 - Communication