<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Posts on MLog</title><link>http://blog.ghanmi.me/posts/</link><description>Recent content in Posts on MLog</description><generator>Hugo -- gohugo.io</generator><language>en-us</language><atom:link href="http://blog.ghanmi.me/posts/index.xml" rel="self" type="application/rss+xml"/><item><title>2 Nodes k8s Cluster with Terraform, Libvirt, and Ansible</title><link>http://blog.ghanmi.me/posts/2-nodes-k8s-cluster-with-terraform-libvirt-and-ansible/</link><pubDate>Sun, 02 Feb 2025 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/2-nodes-k8s-cluster-with-terraform-libvirt-and-ansible/</guid><description>What we are building Prerequisites The KVM host needs the following packages installed. Commands are for Debian/Ubuntu.
# Virtualization stack
sudo apt-get update
sudo apt-get install -y \
  qemu-kvm libvirt-daemon-system libvirt-clients \
  bridge-utils virtinst virt-manager
# Terraform (via HashiCorp APT repo)
wget -O- https://apt.releases.hashicorp.com/gpg | \
  sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.</description></item><item><title>Single-Node Kubernetes Cluster with Terraform, Libvirt, and Ansible</title><link>http://blog.ghanmi.me/posts/single-node-k8s-terraform-libvirt-ansible/</link><pubDate>Mon, 14 Oct 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/single-node-k8s-terraform-libvirt-ansible/</guid><description>Why This Stack? Running Kubernetes locally or in a homelab doesn&amp;rsquo;t require a cloud account. If you have a Linux host with KVM support, you can provision virtual machines with Terraform&amp;rsquo;s dmacvicar/libvirt provider, configure them with Ansible, and end up with a reproducible, single-node cluster that mirrors how you&amp;rsquo;d build real infrastructure, minus the cloud bill.
This guide walks through every layer: host prerequisites, Terraform configuration, cloud-init bootstrapping, Ansible playbooks for kubeadm, and post-install verification.</description></item><item><title>a simple k8s Network Plugin with eBPF</title><link>http://blog.ghanmi.me/posts/building-k8s-cni-plugin-with-ebpf/</link><pubDate>Tue, 03 Sep 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/building-k8s-cni-plugin-with-ebpf/</guid><description>Prerequisites A working Kubernetes cluster for testing (a single-node kind or kubeadm cluster works perfectly) clang/llvm for compiling eBPF programs, bpftool What We&amp;rsquo;re Building Our plugin will handle a single, well-defined scope: pod-to-pod connectivity on a single node. That means every pod gets an IP address, and any pod can reach any other pod on the same machine. We won&amp;rsquo;t handle multi-node routing, services, or network policy; each of those is a project unto itself.</description></item><item><title>Tracing Tool with eBPF</title><link>http://blog.ghanmi.me/posts/building-an-ebpf-tracing-tool/</link><pubDate>Mon, 12 Aug 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/building-an-ebpf-tracing-tool/</guid><description>What Is eBPF, and Why Should You Care? eBPF (extended Berkeley Packet Filter) started life as a packet filtering mechanism, but it has evolved into a general-purpose in-kernel virtual machine. The key properties that make it so powerful:
Safety. eBPF programs are verified before they run. The kernel&amp;rsquo;s built-in verifier performs static analysis to guarantee your program terminates, doesn&amp;rsquo;t access out-of-bounds memory, and doesn&amp;rsquo;t crash the kernel. You get kernel-level access with userspace-level safety guarantees.</description></item><item><title>Local IaC with Terraform &amp; KVM</title><link>http://blog.ghanmi.me/posts/local-iac-with-terraform-kvm/</link><pubDate>Tue, 30 Jul 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/local-iac-with-terraform-kvm/</guid><description>Phase 1: Host Preparation 1. Install KVM and Libvirt tools (Commands for Ubuntu/Debian)
sudo apt update
sudo apt install -y qemu-kvm libvirt-daemon-system libvirt-clients bridge-utils virtinst libvirt-daemon virt-manager
2. Install ISO generation utility
Terraform uses this to generate the Cloud-Init ISO that injects your SSH keys.
sudo apt install -y genisoimage
3. Permissions
Add your user to the libvirt and kvm groups so Terraform can run without sudo.</description></item><item><title>Understanding TShark</title><link>http://blog.ghanmi.me/posts/understanding-tshark/</link><pubDate>Fri, 21 Jun 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/understanding-tshark/</guid><description>Basic Usage
tshark -i &amp;lt;interface&amp;gt; # Capture on interface (e.g., eth0)
tshark -r &amp;lt;file.pcap&amp;gt; # Read from capture file
tshark -w &amp;lt;file.pcap&amp;gt; # Write capture to file
tshark -c &amp;lt;num&amp;gt; # Stop after capturing &amp;lt;num&amp;gt; packets
tshark -f &amp;#34;&amp;lt;capture filter&amp;gt;&amp;#34; # Use a capture filter (tcp, udp, port 80, etc.)
tshark -Y &amp;#34;&amp;lt;display filter&amp;gt;&amp;#34; # Use a display filter (http, ip.addr==1.2.3.4, etc.)
Common Options
Option: Description
-i: Interface to capture from
-w: Write packets to file
-r: Read packets from file
-c: Capture packets then stop
-f: Capture filter (BPF syntax)
-Y: Display filter (Wireshark syntax)
-T fields: Output specific fields
-e: Specify field to output (with -T fields)
-E: Output formatting (e.</description></item><item><title>Understanding PYC: Python Compiled Files</title><link>http://blog.ghanmi.me/posts/understanding-pyc-python-compiled-files/</link><pubDate>Wed, 01 May 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/understanding-pyc-python-compiled-files/</guid><description>Python Compiled Files (.pyc) are binary files generated by Python when a script is executed. These files contain the compiled bytecode, which helps Python run programs faster by skipping the compilation step on subsequent runs. When you import a module, Python automatically creates a .pyc file in the __pycache__ directory, storing the bytecode for future use.
What is a PYC File? A .pyc file is the result of compiling a Python source file (.</description></item><item><title>Building a Firewall with iptables</title><link>http://blog.ghanmi.me/posts/building-a-firewall-with-iptables/</link><pubDate>Wed, 10 Apr 2024 00:00:00 +0000</pubDate><guid>http://blog.ghanmi.me/posts/building-a-firewall-with-iptables/</guid><description>Phase 1 1. View Current Rules Check if you already have firewall rules running.
sudo iptables -L -v -n
2. If you want a clean slate, flush the existing rules. Note: If the default policy is currently set to DROP, running this will lock you out immediately. Only run this if the policy is ACCEPT.
sudo iptables -P INPUT ACCEPT
sudo iptables -P FORWARD ACCEPT
sudo iptables -P OUTPUT ACCEPT
# flush all rules
sudo iptables -F
Phase 2: Building the &amp;ldquo;Allow&amp;rdquo; List A good firewall follows the principle of &amp;ldquo;Default Deny&amp;rdquo;.</description></item></channel></rss>