Technology Short Take 189

Welcome to Technology Short Take #189, Halloween Edition! OK, you caught me—this Tech Short Take is not scary. I’ll try harder next year. In the meantime, enjoy this collection of links about data center-related technologies. Although this installation is lighter on content than I would prefer, I am publishing anyway in the hopes of trying to get back to a somewhat-regular cadence. Here’s hoping you find something useful and informative!

Networking

• Kevin Myers dissects EVPN/VXLAN interoperability with MicroTik and IP Infusion.
• Ivan Pepelnjak has a new project: open source EVPN/VXLAN labs. I plan to tackle these myself in the near future!

Servers/Hardware

• Kevin Houston takes a look at the availability of Xeon 6 CPUs across blade server vendors.

Security

• Security researchers recently published some research on a new microarchitectural exploit called “VMScape.” The TL;DR on VMScape is that it allows hypervisor information to leak from a malicious VM. Oops! Olivier Lambert has a write-up that explains why the Xen hypervisor is not affected by this exploit. (Side note: be sure to read the comments—Olivier shares some useful information there.)
• The leaking of source code for F5 appliances by a “nation-state affiliated cyber threat actor” has lead the CISA to call on all federal agencies to mitigate vulnerabilities in F5 appliances due to “an imminent threat to federal networks using F5 devices and software.” That’s not good.
• In early October of this year, Red Hat confirmed the breach of one of its GitLab instances, leading to the theft of nearly 570GB of data across 28,000 repositories. Oof.

Cloud Computing/Cloud Management

• Iain Smart reviews some common exploit paths when trying to build multi-tenant Kubernetes clusters. As Iain says, multi-tenancy is hard.
• Digital Society discusses their migration off AWS and Digital Ocean to Hetzner.
• Just this past week I learned of Pulumi’s resource hooks, a feature made available back in June of this year.
• Hrittik Roy discusses vCluster Standalone, a multi-tenancy solution for Kubernetes that now no longer requires an underlying host cluster.
• Mattis Fjellström discusses Terraform-related options for managing tags in AWS.

Operating Systems/Applications

• Do you, like Cory Doctorow, believe an AI economic apocalypse is near?
• I recently published a post on Git pre-commit hooks. The next day I wake up to an email from Ivan Pepelnjak, who has—not surprisingly—already explored Git pre-commit hooks and found a framework for making them easier to work with. Ivan uses this framework to perform a variety of checks against his blog posts. Now he has inspired me to go even farther with my pre-commit script!
• Anthropic, along with the UK AI Institute and the Alan Turing Institute, have found that as few as 250 malicious documents can produce a “backdoor” vulnerability in a large language model (LLM). You can get more details, as well as a link to the paper published from their research, by reading the associated Anthropic blog post.
• Here is a handy tool to generate a Mermaid diagram from your Terraform configuration.
• Familiar with pwru? If not, read this guide to getting started with pwru.

That’s it for this time around. As always, I welcome your feedback—I’d love to hear from you! Feel free to reach me on Twitter/X, Mastodon, or Bluesky. Or email me, that is fine too (my address is here on the site, it is not too hard to find). I truly do enjoy hearing from readers. You can also find me in a variety of Slack communities, so feel free to DM me there if you would prefer. Thanks for reading!

Posts from the Past, October 2025

Every now and then, I publish one of these “Posts from the Past” articles that looks back on content I’ve created and posted over the life of this site. This year marks 20 years of content—I can hardly believe it! Don’t worry, though; you won’t have to go through 20 years of past posts. Here is a selection of posts from mid- to late October over the last decade or so. I hope you find something useful, informative, or at least entertaining!

October 2024

Last year I shared information on how to use Pulumi to stand up an Amazon Elastic Kubernetes Service (EKS) cluster with Bottlerocket OS on the Kubernetes nodes—without using any higher-level Pulumi components.

October 2022

In 2022, after getting irritated with what I felt was a poor user experience when accessing Azure Kubernetes Service (AKS) clusters created with Pulumi, I published this post on how to change the Kubeconfig file for a more streamlined user experience.

October 2021

Cluster API is the name of the game for multiple posts in October 2021. First I wrote this article on kustomize transformer configurations for Cluster API v1beta1 (so that you can use kustomize to manipulate Cluster API manifests), followed up later that month with an article on influencing Cluster API AMI selection.

I also touched upon using the external (out of tree) cloud provider for AWS that month, a topic I am revisiting soon as I explore integrating Talos Linux with AWS.

October 2020

More Cluster API content—this time discussing IaC considerations for Cluster API (think things like integrating workload clusters with existing AWS workloads or services).

October 2019

In October 2019 I explored using jk to programmatically create Kubernetes manifests, and discussed how to use kustomize with kubeadm configuration files.

October 2018

Plenty of articles discuss the use of kubeadm to bootstrap Kubernetes clusters (including a few I wrote!), but what of talking about using kubeadm to stand up an etcd cluster? I’ve got you covered!

October 2017

Let’s get recursive: check out this “Posts from the Past” article from October 2017!

October 2016

Amid a bunch of content related to Vagrant, I found this gem on using Ansible to manage your AWS infrastructure.

October 2015

Flashing back an entire decade, the OpenStack Summit was happening in Tokyo, Japan, and I was liveblogging sessions. Among the sessions I attended and liveblogged was a session on Carina, a containers-as-a-service offering. Read my liveblog of the Carina session.

Interested in finding more posts from the past? Feel free to browse the site archives, which have a link to every single post I’ve ever published. If you find something interesting, share it on social media and tag me! I’m on Twitter/X, Mastodon, and Bluesky.

Thanks for reading!

Using Git Pre-Commit Hooks

A while ago I wrote an article about linting Markdown files with markdownlint. In that article, I presented the use case of linting the Markdown source files for this site. While manually running linting checks is fine—there are times and situations when this is appropriate and necessary—this is the sort of task that is ideally suited for a Git pre-commit hook. In this post, I’ll discuss Git pre-commit hooks in the context of using them to run linting checks.

Before moving on, a disclaimer: I am not an expert on Git hooks. This post shares my limited experience and provides an example based on what I use for this site. I have no doubt that my current implementation will improve over time as my knowledge and experience grow.

What is a Git Hook?

As this page explains, a hook is a program “you can place in a hooks directory to trigger actions at certain points in git’s execution.” Generally, a hook is a script of some sort. Git supports different hooks that get invoked in response to specific actions in Git; in this particular instance, I’m focusing on the pre-commit hook. This hook gets invoked by git-commit (i.e., the user running a git commit command) and allows users to perform a series of checks or tests before actually making a commit. If the pre-commit script exits with a non-zero status, then Git aborts the commit.

Using a Pre-Commit Hook to Lint Markdown

For my use case, I wanted to run Markdownlint to lint the Markdown files (as described in the previous article on linting Markdown) before the commit. To do that, I came up with the following script:

#!/usr/bin/env bash

MDLINT="/usr/local/bin/markdownlint"

for file in $(git diff --cached --name-only --diff-filter=ACM | grep "\.md"); do
    if ! $MDLINT "$file"; then
        echo "Lint check failed on file '$file'."
        echo "Run markdownlint to identify the errors and try again."
        exit 1
    fi
done

To make this script active as a pre-commit hook, you must name it pre-commit, you must place it into Git’s hook directory (which defaults to .git/hooks in the current repository), and you must make it executable.

This script is readable enough for most folks to understand what it is doing, but there are a couple of things that might be helpful to point out:

• The git diff --cached --name-only command will return a list of the files staged for commit using git add. This list of files is what will Markdownlint will check.
• The --diff-filter=ACM parameter tells git diff to return only Added, Copied, and Modified files. This prevents git diff from returning the filename of a deleted file, which would then generate an error from Markdownlint.
• Using grep here further restricts the list of files to include only Markdown files.
• The exit 1 command is critical; without returning a non-zero exit code, Git wouldn’t know to abort the commit.

With the script in the right place and marked as executable, it’s automatically invoked by Git when I try commit any Markdown files. If the check succeeds, the commit proceeds as normal (my editor opens for me to edit the commit message); if the check fails, then I see an error message and the commit aborts. Exactly what I needed!

Additional Resources

I found the following articles useful when I was learning about pre-commit hooks and how to use them:

How to use git pre-commit hooks, the hard way and the easy way

Git Pre-Commit Hook: A Practical Guide (with Examples)

I hope you’ve found this post helpful in some fashion. As I previously mentioned, I don’t pretend to be an expert on this topic. If you spot an error or mistake in this post, then please reach out and let me know. You can reach me on Twitter, on the Fediverse, or in a variety of Slack communities. Positive feedback is also welcome—thanks for reading!

Technology Short Take 188

Welcome to Technology Short Take #188! I’m back once again with a small collection of articles and links related to a variety of data center-related technologies. I hope you find something useful!

Networking

• Scott Hogg discusses using dual-stack network configurations on your DNS name servers as part of an overall IPv6 deployment plan.
• Leon Adato explains why knowing what’s under the hood helps when it comes to networking telemetry.
• Via Ivan Pepelnjak, I found Suresh Vina’s article on using netlab to build network labs.

Security

• The use of malicious software packages continues to be a vector for attacks; here’s the latest discovery of malicious Go and npm packages.
• James Kettle explains why HTTP/1.1 must die.
• Gary Marcus and Nathan Hamiel discuss why the combination of LLMs plus coding agents has the potential to result in a security nightmare.
• Weaponized RAR files are delivering a backdoor to Linux systems using only a filename—more details in the linked article.
• WhatsApp patches a zero-click exploit targeting iOS and macOS devices. I don’t use WhatsApp, but I know lots of folks that do (it’s especially popular among my international friends). If you’re a WhatsApp user, be sure to update.
• More software supply chain attacks, this time targeting CrowdStrike’s npm packages, have been observed as part of a larger campaign known as “Shai-Hulud.”

Cloud Computing/Cloud Management

• Mike Roberts explains why you probably don’t want to use AWS’ new GitHub Actions Lambda Deployment action.
• What would you do if AWS deleted your account and all your data?
• AWS has finally released universal macOS installers for the AWS CLI.

Operating Systems/Applications

• Adam Thompson shares how to improve Logitech MX Master 3 mouse support on Arch Linux.
• Mitchell Hashimoto shares some lessons learned when they rewrote the Ghostty GTK application.
• Some of the creators of Open Policy Agent (OPA) are joining Apple. Interesting.
• Simon Späti shares details on their journey from macOS to Arch Linux with Omarchy.
• Here is a useful post on systemd service hardening.
• The details of this post on Apple’s new Memory Integrity Enforcement (MIE) are a bit beyond me, I’ll be honest. I’m of two minds on the new technology. On one hand, it’s nice to see progress at fixing memory safety-related bugs and exploits. On the other hand, this progress could only be achieved, as the article states, through combining “the unique strengths of Apple silicon hardware with our advanced operating system security.” In other words, more tightly coupling the hardware and the OS.

Programming/Development

• Go has changed the way the language handles GOMAXPROCS in the 1.25 release.

Virtualization

• In advance of VMware Explore 2025—which apparently is/was this week in Las Vegas—William Lam shares an update on the nested ESXi 8.0 and ESXi 9.0 virtual appliance.

Career/Soft Skills

• Ashley Willis talks about the value and importance of the quiet season. I particularly found this sentence applicable to my own life: “So yes, I’m writing again. And maybe I’m less ’everywhere’ than I used to be. But I’d rather show up less often and have something worth saying than burn myself out trying to convince the world I’m still here.” Well said, IMO.
• All too true.
• I don’t know if I would go so far as to say I am an AI hater, but I am most definitely opposed to AI in its current form. (I don’t even like calling it “AI” when it’s really nothing more than a statistical model for putting words together. But that’s another discussion for another day…) As the author says, being a hater is a “kind of integrity” all its own—so I say, if you’re an AI hater, don’t be afraid to say so.

It’s time to wrap up now—but don’t be sad, I’ll be back soon with more content. In the meantime, if you’d like to reach out to me to provide some feedback on this article or any article, I’d love to hear from you! Feel free to contact me via Bluesky, via Mastodon, via X/Twitter, via Slack (I frequent a number of different communities, including the Kubernetes Slack instance) or even via email. Thanks for reading!

Creating a Talos Linux Cluster on AWS with Pulumi, 2025 Edition

A little over two years ago, I wrote a post on creating a Talos Linux cluster on AWS using Pulumi. At the time of that post, the Pulumi provider for Talos was still a prerelease version. Since then, the Talos provider has undergone some notable changes necessitating an update to the example code I have on GitHub. For your reading pleasure, therefore, I present you with the 2025 edition of a tutorial for using Pulumi to create a Talos Linux cluster on AWS.

The updated Pulumi code can be found in this GitHub repository. Note that I’ve tagged the original version from the 2023 blog post with the “2023-post” tag, in the event you’d like to see the original code. While I chose to write my Pulumi code in Go, note that Pulumi supports a number of different languages (such as JavaScript/TypeScript, Python, one of the .NET languages, Java, or even YAML). I leave it as an exercise for the reader to re-implement this functionality in a different language. This Pulumi program is based on the Talos documentation for standing up a cluster on AWS.

The Pulumi program has four major sections:

1. First, it creates the underlying base infrastructure needed for a Talos Linux cluster to run. This includes a VPC (and all the assorted other pieces, like subnets, gateways, routes, and route tables) and a load balancer. The load balancer is needed for the Kubernetes control plane, which we will bootstrap later in the program. This portion also creates the EC2 instances for the control plane.
2. Next, it uses the Talos Pulumi provider to generate the Talos configuration that will be applied to the instances after they are created. This configuration needs information from step 1; specifically, it needs the DNS name of the load balancer and the IP addresses of the control plane nodes.
3. Third, it applies the correct configuration to the control plane nodes, and launches some EC2 instances to serve as worker nodes in the Kubernetes cluster. The program then takes the Talos configuration from step 2 and applies it to the worker nodes.
4. The fourth and final step is to bootstrap the cluster.

For those who need a “TL;DR”: you can clone the associated repository, run pulumi up, and have a working Talos Linux cluster in a few minutes.

For those who want a bit more detail, read on.

Creating the AWS Infrastructure

The first part of the Pulumi program (running through about line 270) creates the necessary AWS infrastructure. The program leverages Crosswalk for AWS to simplify the creation of the underlying VPC and associated components. Most of the code involves creating security groups and security group rules.

This part of the program also creates the load balancer that will be used for the Kubernetes API.

Finally, the program launches three EC2 instances using one of the official Talos AMIs. In the original version of the code, you had to supply the AMI ID as a configuration value; this version looks up the AMI when it runs. The IDs and the private IP addresses for these EC2 instances are stored in two different arrays; we’ll need this information later.

Creating the Talos Configuration

The next part of the Pulumi program builds the Talos configuration, using the Pulumi provider and information (outputs) from the resources created earlier. Specifically, the Talos configuration uses the DNS name of the load balancer created earlier, and the IP addresses of the EC2 instances (which will become the control plane nodes for the Kubernetes cluster).

There are three parts to the configuration:

1. A client configuration file, which the talosctl command-line utility uses to connect to the Talos Linux nodes
2. Machine configuration for the control plane nodes
3. Machine configuration for the worker nodes

Configuring the Nodes

Once the Talos provider builds the correct machine configurations, the program then applies the configuration to each of the control plane nodes (worker nodes are handled later). The most efficient way would be to range over the array with the instance IP addresses and apply the configuration to each instance. However, in this particular case we need to build a dependency on applying the machine configuration, so the program does it “manually.”

Once the machine configuration has been applied to the control plane nodes, three more EC2 instances are launched for worker nodes, and then the correct machine configuration is applied to those nodes (this time iterating through the array).

Bootstrapping the Cluster

Finally, it comes down to bootstrapping the cluster (see line 397), which—again using the Talos provider for Pulumi—is accomplished with calling machine.NewBootstrap against the first control plane node to be created. The Pulumi program will complete after this; it doesn’t wait for the bootstrap process to complete (which will take a few more minutes).

At this point, you can use pulumi stack output to retrieve a configuration file for the talosctl command-line utility, and then run talosctl health to watch the cluster bootstrap. Once the cluster is up and running, talosctl kubeconfig will get you a Kubeconfig file you can use to access the Kubernetes API via kubectl. Nice!

Additional Resources

The updated Pulumi code is available on GitHub in this repository. Please note that I tested the code and it works for me, but it is supplied “as-is”. Don’t use this for your production environment without performing your own testing and validation!

Thanks for reading! I hope this post is helpful. If you have questions, you’re welcome to open an issue in the GitHub repository, or you can contact me directly. If you have a potential enhancement to the code, you’re invited to open a pull request. For more in-depth discussions, it’s not hard to get in touch with me—you can find me on Twitter, on Mastodon, and on various Slack communities (including the Kubernetes and Pulumi Slack communities).

Technology Short Take 187

Welcome to Technology Short Take #187! In this Technology Short Take, I have a curated collection of links on topics ranging from BGP to blade server hardware to writing notes using a “zettelkasten”-style approach, along with a few other topics thrown in here and there for fun. I hope you find something useful!

Technology Short Take 186

Welcome to Technology Short Take #186! Yes, it’s been quite a while since I published a Technology Short Take; life has “gotten in the way,” so to speak, of gathering links to share with all of you. However, I think this crazy phase of my life is about to start settling down (I hope so, anyway), and I’m cautiously optimistic that I’ll be able to pick up the blogging pace once again. For now, though, here’s a collection of links I’ve gathered since the last Technology Short Take. I hope you find something useful here!

Bootstrapping Dual-Stack Kubernetes on Flatcar with Kubeadm

Recently I needed to be able to stand up a dual-stack (IPv4/IPv6) Kubernetes cluster on Flatcar Container Linux using kubeadm. At first glance, this seemed like it would be relatively straightforward, but as I dug deeper into it there were a few quirks that emerged. Given these quirks, it seemed like a worthwhile process to write up and publish here. In this post, you’ll see how to use Butane and kubeadm to bootstrap a dual-stack IPv4/IPv6 Kubernetes cluster on AWS.

Technology Short Take 185

Welcome to Technology Short Take #185, the first of 2025! I’m excited for the opportunity to continue to bring readers articles and links of interest across data center- and cloud-related technologies (along with some original content along the way). I had originally intended for this post to be my last post of 2024, but personal challenges got in the way. Enough of that, though—on to the content!

Using Multiple AWS Regions with Pulumi and S3 Backend

For a while now, I’ve been using Direnv to manage environment variables when I enter or leave certain directories. Since I have to work with more than one AWS account, one of the use cases for me has been populating AWS-specific environment variables, like AWS_REGION or AWS_PROFILE. This generally works really well for me, but recently I ran into a bit of a corner case involving multiple AWS regions, Pulumi, and using S3 as the Pulumi backend. In this post, I’ll share the workaround that allows this configuration to work as expected.

Technology Short Take 184

Welcome to Technology Short Take #184! This Tech Short Take is a bit shorter than the usual ones, but then again this week—at least in the US—is a bit shorter than most weeks due to the Thanksgiving holiday. Even so, I hope that I’ve managed to include some information that folks find useful. Also, thanks to some feedback from readers, I’ve tried hard to ensure that links are more descriptive and informative than they’ve sometimes been in the past; let me know how I did. Now, on to the content!

EKS, Bottlerocket, and Cilium with Pulumi

In late 2023, I added some Go code for use with Pulumi to stand up an Amazon Elastic Kubernetes Service (EKS) cluster “from scratch,” meaning without using any prebuilt Pulumi components (like the AWSX VPC component or the EKS component). The code is largely illustrative for newer users, written to show how to stitch together all the components needed for an EKS cluster. In this post, I’ll show you how to modify that code to use Bottlerocket OS as the node OS for your EKS cluster—and share some information on installing Cilium into (onto?) the cluster.

Technology Short Take 183

Welcome to Technology Short Take #183! Fall is in the air; the nights and mornings are cooler and the leaves are turning (or have already turned in some areas!). I’ve got a slightly smaller collection of links for you this time around, but I do hope that you’ll find something shared here useful. Enjoy!

Technology Short Take 182

Welcome to Technology Short Take #182! I have a slightly bulkier list of links for you today, bolstered by some recent additions to my RSS feeds and supplemented by some articles I found through social media. There should be enough here to keep folks entertained this weekend—enjoy!

Preloading Extra Images with Kubernetes Image Builder

The Image Builder project is a set of tools aimed at automating the creation of Kubernetes disk images—such as VM templates or Amazon Machine Images (AMIs). (Interesting side note: Image Builder is the evolution of a much older Heptio project where I was a minor contributor.) I recently had a need to build a custom AMI with some extra container images preloaded, and in this post I’ll share with you how to configure Image Builder to preload additional container images.

Storing Pulumi State in the Project Directory

Pulumi, like Terraform and OpenTofu, has the ability to store its state in a supported backend. You can store the state in one of the blob/object storage services offered by the major cloud providers, via Pulumi’s SaaS offering (called Pulumi Cloud), or even locally. It’s this last option I’ll explore a little bit in this post, where I’ll show you how to configure Pulumi to store the state in the project directory instead of somewhere else.

Review: Lenovo ThinkPad X1 Carbon Gen11

I’ve recently had the opportunity to start using a Lenovo ThinkPad X1 Carbon (X1C) Gen11 as my primary work system. Since I am not a Windows person—I don’t think I’ve used Windows as a daily driver since before the turn of the century—I’m running Linux on the X1C Gen11. Now that I’ve had a few weeks of regular use, in this post I’ll provide my review of this laptop.

Technology Short Take 181

Welcome to Technology Short Take #181! The summer of 2024 is nearly over, and Labor Day rapidly approaches. Take heart, though; here is some reading material for your weekend. From networking to security and from hardware to the cloud, there’s something in here for just about everyone. Enjoy!

Using SOPS with Pulumi

I was first introduced to SOPS at a platform engineering event hosted in Denver last year. SOPS, which is an acronym for Secrets OPerationS, describes itself as “an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP” (taken directly from the project’s GitHub repository). In this post, I’ll explore using Pulumi with SOPS—and I’ll also touch upon whether this combination of tools offers value or users or not.

Bootstrapping Talos Linux over SSH

For those that aren’t aware, Talos Linux is a purpose-built Linux distribution designed for running Kubernetes. Bootstrapping a Talos Linux cluster is normally done via the Talos API, but this requires direct network access to the Talos Linux nodes. What happens if you don’t have direct network access to the nodes? In this post, I’ll share with you how to bootstrap a Talos Linux cluster over SSH.

• Using Vale to Improve my Writing 29 Jul 2024
• Technology Short Take 180 26 Jul 2024
• Using a Git Commit Template 15 Jul 2024
• Technology Short Take 179 28 Jun 2024
• Technology Short Take 178 31 May 2024
• Endpoint Selectors and Kubernetes Namespaces in CiliumNetworkPolicies 30 May 2024
• Getting Barrier Working Between Arch Linux and Ubuntu 29 May 2024
• Technology Short Take 177 17 May 2024
• Tracking EC2 Instances used by EKS with AWS CLI 17 Apr 2024
• Tracking ENIs used by EKS with AWS CLI 15 Apr 2024
• Technology Short Take 176 15 Mar 2024
• Linting your Markdown Files 1 Mar 2024
• Technology Short Take 175 23 Feb 2024
• Technology Short Take 174 9 Feb 2024
• Using NAT Instances on AWS with Pulumi 5 Feb 2024
• Using SSH with the Pulumi Docker Provider 22 Jan 2024
• Technology Short Take 173 19 Jan 2024
• Technology Short Take 172 5 Jan 2024
• Selectively Replacing Resources with Pulumi 3 Jan 2024
• Dynamically Enabling the Azure CLI with Direnv 18 Dec 2023
• Conditional Git Configuration 15 Dec 2023
• Automatically Transforming Git URLs 11 Dec 2023
• Technology Short Take 171 8 Dec 2023
• Saying Goodbye to the Full Stack Journey 17 Nov 2023
• Guest Post: Moving Secrets Where They Belong 12 Oct 2023
• Assigning Tags by Default on AWS with Pulumi 11 Sep 2023
• Technology Short Take 170 8 Sep 2023
• Mac, iPad, or Both? 28 Aug 2023
• Technology Short Take 169 11 Aug 2023
• Spousetivities Returns to VMware Explore 2023 7 Aug 2023