The meteoric rise of containerization and microservices has been necessary to meet the growing demand for applications, but getting it right means overcoming some critical network orchestration challenges. Out of the complexities that developers of cloud-native applications face, strategically utilizing Kubernetes ingress controllers is among the most difficult components to understand—and among the most important.

Before diving into ingress controllers, you need to understand why networking is so important to developer workflows.

It is common for development teams to create backend API services to enable connectivity for external applications and users. In early development phases, teams often use implementations of container environments on local development machines, which more simply rely on direct container invocations through Docker Compose or similar local orchestrators for access.

However, when the time comes to shift to a shared development or staging environment and match the configuration that will be used in production, these direct-access stopgaps are no longer sufficient. The access patterns often assume trusted access, which can't be assumed in production, or they rely on static values that are likely to change in a cloud infrastructure.

• Celebrate Sysadmin Appreciation Day today

  Happy Sysadmin Appreciation Day, and thank you for all you do. When email is flowing, databases just work as they should, and the network is screaming (in a good way), you can focus on more challenging things, like how to automate tasks to make your sysadmin life easier.

  But when things break, and we know they will, it's all hands on deck to fix the problem and find the root cause, so it doesn't happen again. Sometimes, you'll find that elusive answer, and sometimes you put your hands up and move on to the next fire.

  Here at Enable Sysadmin, we're building a great community of authors who want to share their stories, their expertise, and learn from each other. In May 2020, we officially launched our Sudoers program to recognize our core contributors, and we invite you to check it out and join us.

• Celebrate Sys Admin Appreciation Day with Special Free Issue from ADMIN Magazine

  System Administrator Appreciation Day is a special day dedicated to system administrators around the world. This year, FOSSlife and ADMIN Network & Security are partnering to provide another installment of the ADMIN "Terrific Tools" series, dedicated to the tireless professionals who keep our networks alive and well.

  Celebrate System Administrator Appreciation Day with this collection of articles on free tools for IT professionals. This special digital issue includes useful utilities that will help you search out rootkits, monitor network traffic, generate easy-to-use passwords, and much more. Bonus articles explore hidden command-line tools and describe how to find resource bottlenecks with eBPF.

• July 31, 2020: Celebrate “System Administrator Appreciation Day” Today

  Ted Kekatos, a System Administrator by profession got inspired by an Advertisement in Hewlett-Packard Magazine where an Administrator is greeted in the form of flowers and fruit-baskets by thankful co-workers for their new printer installed.

  Kekatos idea was further recognized and promoted by lots of IT organizations and professional including the ‘League of Professional System Administrator‘, SAGE/USENIX, etc.

  The first System Administrator Appreciation Day was celebrated on July 28, 2000. And since then celebrating System Administrator Appreciation Day every year gets a worldly recognition and today we reached the figure 21st.

• What sysadmins wish their co-workers knew about their jobs

  You have a problem, and reach out to the help desk or your friendly neighborhood admin. It's a quick fix, you're sure, but ugh they want you to file a ticket! What a pain, right? It might sound like they're giving you the cold shoulder but that's (usually) not the case. Admins want users to file tickets for a number of reasons.

  First of all, it helps them manage their time. It's hard to focus on longer projects when you are pelted with "this will just take five minutes" requests all day. Also, other people have been waiting for their ticket to be handled.

  Secondly, admins may need to account for their work and demonstrate that they are -- in fact -- busy and not just playing Doom Eternal all afternoon.

  Also, it helps keep track of problems that crop up frequently and assists with institutional memory. A well-kept ticketing system with a good search tool can help admins identify long-term problems that need fixing, and reduce the time to fix problems in the future by documenting how they were fixed today.

• The sysadmin's journey: A series of unexpected events

  As part of the 21st annual System Administrator Appreciation Day celebration, I want to share these four pillars to help you improve your skills, just as they did with me.

• Security updates for Thursday

  Security updates have been issued by Arch Linux (webkit2gtk), CentOS (GNOME, grub2, and kernel), Debian (firefox-esr, grub2, json-c, kdepim-runtime, libapache2-mod-auth-openidc, net-snmp, and xrdp), Gentoo (chromium and firefox), Mageia (podofo), openSUSE (knot and tomcat), Oracle (grub2, kernel, postgresql-jdbc, and python-pillow), Red Hat (firefox, grub2, kernel, and kernel-rt), SUSE (grub2), and Ubuntu (firefox, grub2, grub2-signed, and librsvg).

• Grub2 updates for Red Hat systems are making some unbootable

  As reported in the comments on the Grub2 secure-boot vulnerabilities report, the updates for grub2 for RHEL 8 and CentOS 8 are making some systems unbootable. The boot problems are seemingly unrelated to whether the system has secure boot enabled. It may be worth waiting a bit for that to shake out.

• Servers at risk from “BootHole” bug – what you need to know

  That’s our tongue-in-cheek name for a cybersecurity vulnerability that not only gets assigned an identifier like CVE-2020-10713, but also acquires an impressive name plus a jaunty logo (and even, in one intriguing case, a theme tune).

  This month’s bug with an impressive name (see what we did there?) is called BootHole, and its logo rather cheekily shows a boot with a worm sticking out of a hole in the toecap.

  The bad news is that this bug affects the integrity of bootup process itself, meaning that it provides a way for attackers to insert code that will run next time you restart your device, but during the insecure period after you turn on the power but before the operating system starts up.

  The good news for most of us is that it relies on a bug in a bootloader program known as GRUB, short for Grand Unified Boot Loader, which is rarely found on Windows or Mac computers.

• Why the GRUB2 Secure Boot Flaw Doesn’t Affect Purism Computers

  To understand why this flaw does not affect Purism computers, it helps to understand why UEFI Secure Boot exists to begin with, and how it and the security exploit works. Attacks on the boot process are particularly nasty as they occur before the system’s kernel gets loaded. Attackers who have this ability can then compromise the kernel before it runs, allowing their attack to persist through reboots while also hiding from detection. UEFI Secure Boot is a technology that aims to protect against these kinds of attacks by signing boot loaders like GRUB2 with private keys controlled ultimately by Microsoft. UEFI Firmware on the computer contains the public certificate counterparts for those private keys. At boot time UEFI Secure Boot checks the signatures of the current GRUB2 executable and if they don’t match, it won’t allow the executable to run.

  If you’d like to understand the GRUB2 vulnerability in more detail, security journalist Dan Goodin has a great write-up at Ars Technica. In summary, an attacker can trigger a buffer overflow in GRUB2 as it parses the grub.cfg configuration file (this file contains settings for the GRUB2 menu including which kernels to load and what kernel options to use). This buffer overflow allows the attacker to modify GRUB2 code in memory and execute malicious code of their choice, bypassing the protection UEFI Secure Boot normally would have to prevent such an attack.

  Unfortunately, UEFI Secure Boot doesn’t extend its signature checks into configuration files like grub.cfg. This means you can change grub.cfg without triggering Secure Boot and the attack exploited that limitation to modify grub.cfg in a way that would then exploit the running GRUB2 binary after it had passed the signature check.

  Further complicating the response to this vulnerability is the fact that it’s not enough to patch GRUB2. Because the vulnerable GRUB2 binaries have already been signed by Microsoft’s certificate, an attacker could simply replace a patched GRUB2 with the previous, vulnerable version. Patching against this vulnerability means updating your UEFI firmware (typically using reflashing tools and firmware provided by your vendor) so that it can add the vulnerable GRUB2 binary signatures to its overall list of revoked signatures.

• Music and math: the Kubernetes 1.17 release interview

  Every time the Kubernetes release train stops at the station, we like to ask the release lead to take a moment to reflect on their experience. That takes the form of an interview on the weekly Kubernetes Podcast from Google that I co-host with Craig Box. If you're not familiar with the show, every week we summarise the new in the Cloud Native ecosystem, and have an insightful discussion with an interesting guest from the broader Kubernetes community.

  At the time of the 1.17 release in December, we talked to release team lead Guinevere Saenger. We have shared the transcripts of previous interviews on the Kubernetes blog, and we're very happy to share another today.

  Next week we will bring you up to date with the story of Kubernetes 1.18, as we gear up for the release of 1.19 next month. Subscribe to the show wherever you get your podcasts to make sure you don't miss that chat!

• New default: tmpfs on /tmp

  We made an important change for our Container Host OS openSUSE MicroOS, which our Kubernetes platform openSUSE Kubic will inherit since it is based on openSUSE MiceroOS: we use now tmpfs for /tmp.

  tmpfs is a temporary filesystem that resides in memory. Mounting directories as tmpfs can be an effective way of speeding up accesses to their files and to ensure that their contents are automatically cleared upon reboot.

  A fresh installation will use tmpfs for /tmp by default. Old installations needs to be converted to this manually, but it is still possible to switch back to use disk space for /tmp. This is especially useful and important, if big files are stored in /tmp.

• TiddlyWiki, 12 Use-cases and 5 Tips for New Users.

  I have been using TiddlyWiki for years, mainly as personal memo, to-do organizer and encrypted data reserve (to keep track about some of my patients, or while learning). I always recommend this amazing project to my friends, colleagues doctors and developers alike, because I believe the value it gives is far so great than its minimal size and humble look.

  As a self-learner, TiddlyWiki was my main choice and companion to record what I learn, links I collect, code snippets, medical cases and algorithms. It's the only tool I am still using for more than decade.

  I consider a TiddlyWiki is a masterpiece, not in coding but its simplicity and flexibility, needless to say its rich features list.

• WordPress 5.5 Beta 4

  WordPress 5.5 Beta 4 is now available!

  This software is still in development, so it’s not recommended to run this version on a production site. Consider setting up a test site to play with the new version.

  [...]

  WordPress 5.5 is slated for release on August 11th, 2020, and we need your help to get there!

  Thank you to all of the contributors who tested the beta 3 development release and gave feedback. Testing for bugs is a critical part of polishing every release and a great way to contribute to WordPress.