I'm a developer that uses Kubernetes in production purely because I want to be able to use the same Docker images that I use in development.
I am not a Kubernetes advocate, but what else is there that handles all of the issues faced when deploying containers, such as scaling, deployment, configuration, etc.?
There are alternatives such as Hashicorp's Nomad, but I don't see how this is any better/worse than K8s.
I'm aware of these products, but they do not fit my use case.
I need to run some services on premises and have set up a self hosted Kubernetes instance on a physical server in a rack.
It could be overkill and maybe I could use something like Docker Swarm. Apart from this I am unsure what I can use that isn't K8s to orchestrate my containers on site.
Nomad is a lot easier to get into, all the while it provides almost the same functionality as k8s, including a lot of the edge cases like orchestrating VMs, LXC, Firecracker and of course workloads on Windows and FreeBSD too. The weakest point of Nomad compared to k8s IMO is the size of the community.
It is fascinating. People often disregard the book because its main thesis, the identity of a mole within MI5, appears to be misguided in light of post-Cold War knowledge. But there's more to the book than Wright's speculations -- it's his direct experiences with things like analyzing The Thing that make the book worth reading.
"The Ministry of Ungentlemanly Warfare: Churchill's Mavericks" by Giles Milton describes a lot of the equipment that SOE developed - e.g. the original limpet mine depending on condoms and boiled sweets and, of course, developed in someone's shed and tested at the local swimming pool.
Seconded. It really emphasises how far things have come in a relatively short time, with the technology not so long ago being very basic compared to what we read about from, for example, Snowden.
Another frustrating tactic they have started to use is bait positions with attractive "specifications". They use these to draw you into communicating with them and start offering subpar positions than those initially mentioned in the first communication. The classic bait and switch.
I'm fed up getting messages on LinkedIn along the lines of:
Hi LeBowen
You are exactly what TheWorldsBestCompany are looking for, is it OK for us to have a phone call to discuss?
Of course when you try to obtain any information about the position, you're met with vague details about it, but they have this other position you might be interested in.
I get these all the time and I simply don't respond to them anymore.
The initial email needs to hook me somehow, and show that you've at least put some amount of effort into personalizing your pitch to me, specifically (you know, show that you've actually read my profile and explain why I'd be a great fit for your client).
Oh yeah, plenty of advertised functional programming positions are really run-of-the-mill Java positions, but recruiters have found that no one answers true ads, so it's a total bait-and-switch: “do this Java for a few years and they might one day think about Clojure...” Spoiler: they won't.
A few years ago I also found a serious bug in a debt collection agency's web software. I ordered a phone and neglected to pay import tax and was chased by the agency. I found their website and saw that they developed their management software in-house and made it available for purchase by other agencies.
They offered a demo which I used to navigate around; in the demo was a reporting tool which essentially allowed you to send raw SQL queries to an AJAX endpoint. Something along the lines of:
I switched out the demo software domain name for the live version and it worked: not only could I query the database, there was no authentication preventing me from hitting this endpoint.
At this point I was left with a dilemma, do I "erase" my debt, do I disclose the bug and pay the debt, or simply pay the debt and move on. I chose to pay the debt and move on due to fear of any recriminations. However it has left me uneasy ever since knowing that this company have such bad security and any debtors they are chasing for payments potentially will have all of their personal data leaked.
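The comment above describes two defects stacked on top of each other: a reporting endpoint that executes client-supplied SQL, and no authentication in front of it. The following is an added illustration, not the commenter's code or the agency's software, of what a hardened reporting endpoint looks like next to that anti-pattern. It uses an in-memory SQLite database with constructed sample rows, and plain Python functions stand in for the HTTP handlers; the session and request dictionaries are assumed shapes, not any real framework's API.

```python
import sqlite3
from typing import Any, Dict, List, Optional

# Constructed sample data standing in for a debtor database (not a real schema).
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE debtors (id INTEGER PRIMARY KEY, name TEXT, balance REAL, status TEXT)"
    )
    conn.executemany(
        "INSERT INTO debtors (name, balance, status) VALUES (?, ?, ?)",
        [
            ("Alice Example", 120.0, "open"),
            ("Bob Example", 0.0, "closed"),
            ("Carol Example", 310.5, "open"),
        ],
    )
    conn.commit()
    return conn


# The anti-pattern from the comment: whatever SQL the client sends is executed,
# and nothing checks who is asking. Shown only to contrast with the hardened version.
def vulnerable_report(conn: sqlite3.Connection, request: Dict[str, Any]) -> List[tuple]:
    return conn.execute(request["sql"]).fetchall()


class ReportError(Exception):
    """Raised when a report request is rejected before touching the database."""


# Allow-list of reports. The SQL text is fixed server-side; the client only supplies
# values for the named parameters, which are bound with placeholders, never concatenated.
REPORTS = {
    "open_balances": (
        "SELECT name, balance FROM debtors "
        "WHERE status = 'open' AND balance >= ? ORDER BY balance DESC",
        ("min_balance",),
    ),
    "count_by_status": (
        "SELECT COUNT(*) FROM debtors WHERE status = ?",
        ("status",),
    ),
}


def hardened_report(
    conn: sqlite3.Connection, request: Dict[str, Any], session: Optional[Dict[str, Any]]
) -> List[tuple]:
    # 1. Authentication and authorisation come first: no session, no query.
    if not session or not session.get("authenticated"):
        raise ReportError("unauthenticated")
    if "reports:read" not in session.get("roles", ()):
        raise ReportError("not authorised for reporting")

    # 2. The client picks a report by name; arbitrary SQL never reaches the database.
    name = request.get("report")
    if name not in REPORTS:
        raise ReportError("unknown report")
    sql, param_names = REPORTS[name]

    # 3. Only the declared parameters are accepted, and all must be present.
    supplied = request.get("params", {})
    params = tuple(supplied.get(p) for p in param_names)
    if any(p is None for p in params):
        raise ReportError("missing parameter")

    # 4. Reporting is read-only; SQLite's query_only pragma refuses writes even if a
    #    future allow-listed query were mis-written.
    conn.execute("PRAGMA query_only = 1")
    return conn.execute(sql, params).fetchall()


def rejects(conn: sqlite3.Connection, request: Dict[str, Any], session: Optional[Dict[str, Any]]) -> bool:
    """Helper for checks: True if the hardened endpoint refuses the request."""
    try:
        hardened_report(conn, request, session)
    except ReportError:
        return True
    return False


if __name__ == "__main__":
    db = build_demo_db()
    staff = {"authenticated": True, "roles": ("reports:read",)}
    print(hardened_report(db, {"report": "open_balances", "params": {"min_balance": 100}}, staff))
    print(rejects(db, {"report": "DELETE FROM debtors", "params": {}}, staff))
```

The design point is that the hardened handler has no code path in which client input becomes SQL text: the report name is a dictionary key, the values are bound parameters, and an unauthenticated caller is refused before either is looked at. Any request log showing a `report` value that is not one of the allow-listed names is a cheap detection signal for someone probing the endpoint.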
> you open up Tor browser and drop the entire database
Apart from being a federal crime (CFAA), it would be rather obvious by the logs that a user was testing SQL injection on the demo system minutes before the production system was vandalised.
A better option would be to pay the debt, and then let them know you found a potential issue on their demo system. Let them connect the dots between demo system and production system. If they can't make the logical leap, then they deserve whatever someone else does.
Well obviously if you do that you wouldn't be testing the SQL injection for your main connection to begin with.
I'm not arguing against paying the debt - I would pay it in either case. However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).
> However leaving such a vulnerability exposed is so bad they deserve to get their entire database dropped (and in this case I hope they don't have backups).
I understand the feeling here, but no, they don't deserve to get their assets destroyed because of a lack of care.
Well the issue is that there are no penalties. Only free money for lawyers and nothing for the people who got their PII stolen.
Dropping the DB means there's no more PII to leak, makes a pretty good financial penalty for the company and doesn't make millions for useless lawyers. That sounds like an acceptable solution by my standards.
Better to pay your debt, wait till your PII has been removed, then issue a public disclosure of the bug.
Public disclosure because everybody should know about something like this that may impact them. Not because some random vigilante will see it and drop their DB for which they probably have no backups.
Such companies are usually extremely shady and unethical, I would not consider it evil at all to delete all of their recorded debts via tor or something.
Also, it is worth considering that debt collection agencies are very good at finding people, and very bad at upholding ethical standards. Going to prison is not the worst case scenario.
If you think you can't get caught because you use Tor, I know of a few people who can testify otherwise. See, e.g., Ross Ulbricht and Christopher Grief, to name a few.
I personally would have said to them "Would you like a fair trade? I've discovered a huge problem in your software that could allow anyone to remotely wipe their debt without you really knowing about it. I'll give that information in exchange for elimination of my debt. The money you'd lose from me is utterly dwarfed by the money you'd save by locking down this security issue, an issue which many bad actors would pay millions for. It makes financial sense and you'd be covering yourself security-wise. Win-win for all involved!"
I just wish someone would build a decent CMS on top of silex/symfony/laravel, rather than implement their own framework to drive their CMS, such as in this case (Lime?!).
I want all the extensibility of a fully tested framework but with some batteries included. Pagekit looks as though this could cover my needs.
Cockpit is about simplicity. I like it to be lightweight and with a minimum of overhead ... but I also understand your arguments. It's all a matter of taste :)
Even if there were an overhead, I'd rather have the stability of a fully tested framework than relying on an implementation with no tests.
What you have essentially done is created a framework, which in order for me to extend your CMS, I am going to have to learn. I also would lose the added benefit of not being able to use existing packages for (insert widely used fw here).
I can't really understand why you aren't using composer as well, it seems as though you are managing your own dependencies in the vendor/ folder?
Look, I have respect for you going out and creating your own cms. But I seem to get constantly disappointed when I dig into the nuts and bolts, and unfortunately this one is no different.