The latest tag in container images might seem convenient, but it is a recipe for trouble in production: the tag points to whatever image is newest, so an update can silently introduce unexpected behavior or bugs.
For reliable and predictable deployments, use specific version tags. These tags represent tested, stable images, and knowing the exact version that is running simplifies troubleshooting and makes rolling back to a previous version straightforward when needed.
After choosing a stable version tag, consider verifying the image integrity using checksums such as SHA-256 or MD5. These checksums act like fingerprints, ensuring the downloaded image matches the one expected. Most container registries publish these checksums alongside the image tags.
By adhering to these principles and practices, you can deploy with confidence and avoid production headaches!
Seriously, you need to stop using the latest tag in production!
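As an added example (not code from the original post), the check below classifies image references the way the post recommends: a missing tag or an explicit latest tag is floating, a version tag is explicit but still mutable, and only a reference carrying a sha256 digest is truly pinned to one image. The sample references are constructed for the example.

```python
import re

# Constructed sample image references, as they might appear in a manifest or
# Dockerfile. They are examples for this snippet, not images from the post.
SAMPLE_IMAGES = [
    "nginx",
    "nginx:latest",
    "registry.example.com:5000/team/app:latest",
    "nginx:1.25.3",
    "nginx@sha256:" + "a" * 64,
    "nginx:1.25.3@sha256:" + "b" * 64,
]

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def split_reference(ref):
    """Split an image reference into (name, tag, digest).

    A registry host may carry a port (host:5000/...), so the tag is only a
    ':'-suffix that comes after the last '/' of the reference.
    """
    digest = None
    m = DIGEST_RE.search(ref)
    if m:
        digest = m.group(0)[1:]          # "sha256:<hex>"
        ref = ref[: m.start()]
    name, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def classify(ref):
    """Return 'pinned', 'versioned' or 'floating' for one reference."""
    name, tag, digest = split_reference(ref)
    if digest:
        return "pinned"      # content-addressed: the bytes cannot change
    if tag is None or tag == "latest":
        return "floating"    # no tag means ':latest' implicitly
    return "versioned"       # explicit, but the tag can still be re-pushed


def floating_images(refs):
    """List the references that would silently change on the next pull."""
    return [r for r in refs if classify(r) == "floating"]
```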
➜ tlschecker -h jpbd.dev expired.badssl.com
--------------------------------------
Issued domain: sni.cloudflaressl.com
Subject Name :
Country or Region: US
State or Province: California
Locality: San Francisco
Organizational Unit: None
Organization: Cloudflare, Inc.
Common Name: sni.cloudflaressl.com
Issuer Name:
Country or Region: US
Organization: Cloudflare, Inc.
Common Name: Cloudflare Inc ECC CA-3
Valid from: Aug 2 00:00:00 2021 GMT
Valid to: Aug 1 23:59:59 2022 GMT
Days left: 263
Expired: false
Certificate version: 2
Certificate algorithm: ecdsa-with-SHA256
Certificate S/N: 2345778240388436345227316531320586380
Subject Alternative Names:
DNS Name: sni.cloudflaressl.com
DNS Name: *.jpbd.dev
DNS Name: jpbd.dev
--------------------------------------
Issued domain: *.badssl.com
Subject Name :
Country or Region: None
State or Province: None
Locality: None
Organizational Unit: Domain Control Validated
Organization: None
Common Name: *.badssl.com
Issuer Name:
Country or Region: GB
Organization: COMODO CA Limited
Common Name: COMODO RSA Domain Validation Secure Server CA
Valid from: Apr 9 00:00:00 2015 GMT
Valid to: Apr 12 23:59:59 2015 GMT
Days left: -2404
Expired: true
Certificate version: 2
Certificate algorithm: sha256WithRSAEncryption
Certificate S/N: 99565320202650452861752791156765321481
Subject Alternative Names:
DNS Name: *.badssl.com
DNS Name: badssl.com
➜ tlschecker --json -h jpbd.dev
{
  "subject": {
    "country_or_region": "US",
    "state_or_province": "California",
    "locality": "San Francisco",
    "organization_unit": "None",
    "organization": "Cloudflare, Inc.",
    "common_name": "sni.cloudflaressl.com"
  },
  "issued": {
    "country_or_region": "US",
    "organization": "Cloudflare, Inc.",
    "common_name": "Cloudflare Inc ECC CA-3"
  },
  "valid_from": "Aug 2 00:00:00 2021 GMT",
  "valid_to": "Aug 1 23:59:59 2022 GMT",
  "validity_days": 263,
  "is_expired": false,
  "cert_sn": "2345778240388436345227316531320586380",
  "cert_ver": "2",
  "cert_alg": "ecdsa-with-SHA256",
  "sans": ["sni.cloudflaressl.com", "*.jpbd.dev", "jpbd.dev"]
}
You can check out the source code on GitHub.
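As an added example (not part of tlschecker or the original post), this turns the tool's JSON output into monitoring findings: expiry, a configurable warning window on validity_days, and whether the queried host is actually covered by a SAN, with wildcard matching limited to one label as browsers apply it. The embedded records are abridged from the two outputs shown above.

```python
import json

# Abridged copies of the two tlschecker records shown above, embedded so the
# example runs offline. "validity_days" is the tool's "Days left" field.
SAMPLE_JSON = """[
 {"subject": {"common_name": "sni.cloudflaressl.com"},
  "valid_to": "Aug 1 23:59:59 2022 GMT", "validity_days": 263,
  "is_expired": false,
  "sans": ["sni.cloudflaressl.com", "*.jpbd.dev", "jpbd.dev"]},
 {"subject": {"common_name": "*.badssl.com"},
  "valid_to": "Apr 12 23:59:59 2015 GMT", "validity_days": -2404,
  "is_expired": true,
  "sans": ["*.badssl.com", "badssl.com"]}
]"""


def load_reports(text=SAMPLE_JSON):
    """Parse tlschecker --json output (one record per checked host)."""
    return json.loads(text)


def hostname_matches(host, san):
    """Match a hostname against one SAN entry.

    A wildcard covers exactly one leftmost label: *.jpbd.dev matches
    www.jpbd.dev but neither jpbd.dev itself nor a.b.jpbd.dev.
    """
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]                       # ".jpbd.dev"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]            # the part the '*' must cover
    return bool(left) and "." not in left


def check_cert(report, host, warn_days=30):
    """Return a list of findings for `host` based on one tlschecker record."""
    findings = []
    if report["is_expired"]:
        findings.append("expired")
    elif report["validity_days"] < warn_days:
        findings.append("expires in %d days" % report["validity_days"])
    if not any(hostname_matches(host, s) for s in report.get("sans", [])):
        findings.append("no SAN matches %s" % host)
    return findings
```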
Terminate a sidecar container in Kubernetes
kubectl apply -f great-job.yaml
➜ ~ kubectl get pods
NAME READY STATUS RESTARTS AGE
great-job-1575331260-mjl68 0/2 Completed 0 2m28s
great-job-1575331320-p6srg 0/2 Completed 0 88s
great-job-1575331380-xqk49 0/2 Completed 0 28s
➜ ~ kubectl logs -f great-job-1575331380-xqk49 -c count-log
0: Tue Dec 3 00:03:12 UTC 2019
1: Tue Dec 3 00:03:13 UTC 2019
2: Tue Dec 3 00:03:14 UTC 2019
3: Tue Dec 3 00:03:15 UTC 2019
4: Tue Dec 3 00:03:16 UTC 2019
5: Tue Dec 3 00:03:17 UTC 2019
6: Tue Dec 3 00:03:18 UTC 2019
7: Tue Dec 3 00:03:19 UTC 2019
8: Tue Dec 3 00:03:20 UTC 2019
9: Tue Dec 3 00:03:21 UTC 2019
Killed 7 because the main container terminated.
Based on a Medium post by Koji Nishikiori.
You can download the Gist.
Three years ago, I started a personal project related to my favorite GNU/Linux distribution, Slackware. This distribution was created in 1993 by Patrick Volkerding. Originally based on SLS Linux, Slackware is the oldest GNU/Linux distribution still in maintenance. Its main philosophy is based on principles such as KISS (Keep It Simple, Stupid), or keep it simple and stable, from a design point of view rather than meaning easy to use. Its init scripts are BSD-style scripts, which allows them to be created or changed in a transparent and simple way, unlike System V. The package system is also minimalist; it has dependency managers such as slackpkg and slapt-get. Some of these tools determine dependencies by analyzing the installed packages, determining which libraries are needed, and then discovering which packages are available. This automatic process is very similar to Debian's APT and generally produces satisfactory results.
Slackware is a distribution that does not focus on having the latest versions of programs; its focus is on having a stable system. New packages are tested and are not delivered until they are stable (which does not imply that they are the latest available version of the program); for example, the Linux 2.6 kernel was not included until 2007, although version 2.6.0 had been released in 2003. When a package receives an update for bugs or security fixes, it is incorporated into the Slackware packages and announced through a mailing list for those updates and in the change log found on the website. Slackware includes, in the /extra directory of the installation CD, the slackpkg program, which helps keep the system updated.
To keep up to date with new security updates, I created a bot called Slackawaresa. This bot reads the change list (ChangeLog) and posts the messages to the SlackwareSecAdv Twitter account. Please feel free to follow SlackwareSecAdv on Twitter to get the latest security advisories.
It's been a while, and my commitment continues.
Let's Encrypt is a Certificate Authority (CA) that provides free SSL/TLS certificates to enable HTTPS connections on our websites. It is very simple to implement and integrate with nginx: you just have to generate the certificate with the certbot script and add it to the server configuration. I am currently running Slackware 14; to run certbot, I need to install the following Python packages with easy_install:
Now, running this command will obtain a certificate:
certbot certonly -a webroot --webroot-path=/usr/share/nginx/html -d mydomain.cl
After obtaining the certificate, you will have the following PEM-encoded files:
You can check that the files exist by running:
ls -l /etc/letsencrypt/live/mydomain.cl
Within this file, we just need to set:
The nginx.conf should look like this:
# HTTPS server
#
server {
    listen 443 ssl;
    server_name mydomain.cl;

    # certbot writes cert.pem (the leaf certificate only) and fullchain.pem
    # (leaf plus intermediates); nginx should normally serve fullchain.pem so
    # that clients receive the complete chain.
    ssl_certificate /etc/letsencrypt/live/mydomain.cl/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.cl/privkey.pem;

    # Session cache and timeout, and a cipher list that excludes anonymous
    # suites and MD5-based suites.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /var/www/nginx/public;
        index index.html index.htm;
    }
    ...
}
Currently I'm running Slackware Linux 14.2 on a VPS with kernel 4.9.50-x86_64 provided by Linode.com. The main specifications are 2 GB RAM, 1 CPU core (Intel(R) Xeon(R) CPU E5-2680 v2 @ 2.80GHz), 30 GB SSD storage, 2 TB transfer, 40 Gbps network in and 1000 Mbps network out, enough to be a happy user!
At the moment, I'm running a few services: nginx stable version 1.12.2 with HTTP/2 as the HTTP server, Jekyll for the static website, and Let's Encrypt as the Certificate Authority for free SSL/TLS support. I will soon install the Postfix mail server,