Radio Cloud Native – Week of March 16, 2022

Nick Chase & Eric Gregory - March 16, 2022

Every Wednesday, Nick Chase and Eric Gregory from Mirantis go over the week’s cloud native and industry news.

This week they discussed:

You can watch the full replay here.

To join Nick and Eric next Wednesday, March 23, at 1:00pm EST/10:00am PST, register here.

Cloud Ecosystem

Azure passes AWS

Eric Gregory: The cloud provider olympics reached a milestone this week with Azure seemingly surpassing AWS in enterprise cloud adoption. According to a survey by Flexera, 80% of surveyed enterprises are using Azure compared to 77% using AWS. This, of course, means an awful lot are using both, and the report bears that out, with 89% reporting that they use a multicloud strategy and 80% reporting that they are taking a hybrid cloud approach.

Intriguingly, the report finds AWS ahead with small business users, suggesting some bifurcation in the market. It will be interesting to see whether Azure’s ascendent trajectory continues, and across which segments of customers, and this will depend, in part, on how cloud needs evolve. At the moment, according to Flexera, the most commonly used cloud services for enterprises are data warehousing, relational databases-as-a-service, and containers-as-a-service.

Source: In an evolving cloud world, Azure passes AWS | InfoWorld

Google Cloud pricing changes

Left holding the bronze medal, of course, is Google Cloud. Last week we talked about acquisitions and restructuring at Google Cloud in pursuit of profitability; this week sees more changes at the cloud provider, with the announcement of price changes to take effect in October.

Google positions this as a customer-friendly restructuring of costs that will save some users money and create easier apples-to-apples comparisons with competitors’ services. Users will have new options for low-compute archival tasks in the latter part of this year with the addition of new archival snapshots that will be cheaper than other persistent disk options.

Of course, depending on what you use, you could see significant price increases as well, and this is where folks managing Google Cloud accounts will want to be mindful. Several services that were previously free will now be charged for, such as Network Topology, the processing of outbound data by Google Cloud’s load balancer, and data reads to Google Cloud services from multi-region buckets. One area of interesting increase is price per operation for Coldline storage, which is analogous to AWS’ Glacier cold storage offering. Depending on the tier you’re using, prices have jumped as much as 400% – for example, Coldline Storage Class A operations in multi-regions and dual-regions are increasing from $0.10 per 10,000 operations to $0.40 per 10,000 operations.

Source: Unlock more choice with updates to Google Cloud’s infrastructure capabilities and pricing | Google

in-toto accepted into CNCF Incubator

In the cloud native tooling world, the CNCF accepted In-toto as a project in incubation. in-toto is a tool aimed at providing ongoing visibility into everything that happens in a software supply chain and ensuring that it is happening according to a predefined set of policies. Project sponsor Justin Cormack says, “A typical software supply chain is composed of multiple steps ‘chained’ together, including writing, testing, packaging, and distributing software. More steps mean more places an organization can be vulnerable. in-toto addresses this issue by providing secure and trustworthy ways to represent and attest all the operations within the cloud native pipeline. We are seeing strong community support for this.”

Source: Supply chain security project in-toto moves to the CNCF Incubator | CNCF

k8ssandra gets an operator

Meanwhile, DataStax announced an update for k8ssandra, its open source cloud native implementation of Apache Cassandra. The NoSQL database that runs on Kubernetes is now supported by an operator that facilitates multi-cluster deployments, so users with stateful apps that need to be highly available across clusters and across regions have another tool for consideration.

Source: DataStax Announces New K8ssandra Operator | Datanami

Chips and Hardware

Intel invests in European chip fab

Yesterday, Intel announced large-scale plans to develop centers for, “the entire semiconductor value chain” in the EU, including a 17 billion euro foundry “mega-site” in Magdeburg, Germany, an R&D center in France, and other research and foundry sites in Ireland, Italy, Poland, and Spain.

Supported by the EU’s Chips Act, the move underlines Intel’s recent efforts to own more of the chain of production and supply. Intel CEO Pat Gelsinger framed the investment as addressing the “global need for a more balanced and resilient supply chain.”

The mega-site in Germany is planned to produce Intel chips as well as non-Intel chips, and Intel expects it to be operational by 2027.

So what does this mean? We’re seeing a really robust effort to upend the status quo when it comes to semiconductors, and less constrained supply means more space for applied innovation. In a bit of, let’s say, audience-specific hype, European Commission president Ursula von der Leyen made a guest appearance on Intel’s announcement webcast where she anticipated that European chip centers would “[break] the three-nanometer node barrier, [create] energy efficient chips and also [develop] new technologies, new products and applications that our minds can’t even conceive today.”

Source: Intel Announces Initial Investment of Over €33 Billion for R&D and Manufacturing in EU | Intel

Neon gas supply faces disruptions due to Russia’s war on Ukraine

Now, a big part of the reason Intel wants a globally balanced and resilient chip ecosystem is to avoid the kind of supply chain disruptions we’ve seen over the past few years, and Russia’s war on Ukraine has created the prospect of another such disruption. One essential ingredient for chip fabrication is neon gas, and Reuters reports that about 50% of the world’s neon gas supply comes from two Ukrainian companies, Ingas and Cryoin, each of which have ceased operations during the war.

While it seems that companies like Intel and TSMC have reserve stocks of neon, analysts estimate that those reserves could be depleted within about two months, and activating new sources of neon could take nine months or more. Ingas and Cryoin are based in Mariupol and Odessa respectively; for the companies’ employees and everyone else in Ukraine, I just want to say that our thoughts and hopes remain with you.

Source: Ukraine war and neon gas supply disruption for chip manufacturing | EDN

Layoffs at Arm

In other sad news from the chip ecosystem, Arm announced plans to lay off 12 to 15 percent of its staff. This comes in the wake of a collapsed deal that would have seen Nvidia acquire Arm, which was ultimately stymied by regulatory bodies.

With ARM reportedly eyeing an IPO in the near future, some commentators such as The Register’s Simon Sharwood see the layoffs at the company as an effort to curate a balance book more appealing to investors by shedding less technical staff. If this is the strategy, it will be interesting to see whether these moves have wider ripple effects, since technical staff are highly in demand at a time of major market reorientation. In any case, we wish the best for everyone affected by this.

Source: Arm to drop up to 15 percent of staff – about 1,000 people | The Register

The first RISC-V portable computer is now available

Moving to something a little more fun, you can now buy, for the first time, a portable computer that uses a RISC-V processor. And for a certain kind of open source hobby nerd like myself, this thing is just catnip. Called the DevTerm R-01, it looks like an homage to 1983’s BASIC-running TRS-100, and I don’t know how I’m going to resist buying one.

If you’re not familiar with RISC-V, it’s notable for being a chip architecture provided under an open source license—and a pretty direct competitor to Arm’s licensed architecture—meaning this story has more to do with the last one than it might appear at first glance. Indeed, there are already DevTerm models running on Arm chips. Now, Arm’s probably not sweating the open source ’80s pastiche tinkerer scene for its own sake, but this is a bit of a preview of things to come.

Source: DevTerm Kit R-01 | clockwork

Cryptocurrency Order

Nick Chase: Last week we talked about the fact that the Chinese government was trying to make cryptocurrency illegal. The US government is … well, not quite doing the opposite, though you could make a case for that. Here’s what happened.

Last Wednesday President Joe Biden signed an executive order regarding the regulation of cryptocurrency in the United States. Basically they’re trying to do a few different things.

First, and most obviously, the order directs the Department of the Treasury and other agencies to start looking into what they are going to need to do to “address the implications of the growing digital asset sector” to “protect US Consumers, Investors and Business”, which I’m pretty sure is code for “regulate this thing.”

It also talks explicitly about protecting U.S. and Global Financial Stability and Mitigating Systemic Risk by “encouraging the Financial Stability Oversight Council to identify and mitigate economy-wide (that is, systemic) financial risks posed by digital assets and to develop appropriate policy recommendations to address any regulatory gaps.” You know, in case you didn’t get “regulate this thing” from the first category.

It also explicitly talks about curbing the use of crypto for illicit financial transactions and national security risks, as well as promoting US leadership in the technology, including looking into potentially creating a digital US currency, and finally, to give them credit, looking into doing all this without burning the planet to ashes.

So what does this all mean? Naturally in today’s political climate, depending who you ask, he’s either making the world safe for cryptocurrency or destroying all hope of innovation. But if we look at actual hard facts, cryptocurrencies were up after the announcement, as were crypto-related stocks, and that’s not hard to understand, as the fact that the government is even talking about this means that it’s had to acknowledge the fact that these currencies even exist.

On the other end of the spectrum, American Banker magazine reports that “by and large, the crypto order set off a positive reaction from the banking corners of Washington. The Bank Policy Institute lauded the ‘clarity’ more federal action of crypto would bring, and applauded the idea of bringing crypto and fintech startups into a regulatory scheme.” The trade group noted that “regulated financial institutions have been stuck on the sidelines waiting for further regulatory action before expanding their digital offerings.”

Another reason this is important is, as Coindesk explains, “one of the main goals is to do away with the state/federal bifurcation of crypto regulation … crypto exchanges are by and large regulated at the state level as money services businesses/money transmitters, while derivatives and tokens that might be seen as securities are regulated at the federal level.”

And of course it’s unlikely that this has nothing to do with what’s going on in Europe, with talk about Russia trying to use ransomware payments to get around sanctions. Deputy national security and economic adviser to President Biden Daleep Singh told CNN that “crypto’s really not a workaround for our sanctions.”

I’m not sure exactly how they’re going to avoid that, but last week Coinbase did suspend about 25,000 cryptocurrency wallets belonging to Russians suspected of illegal activity.

On the other hand, even without the war, crypto has been coming to a law enforcement head for some time. The European parliament is voting on the Markets in Cryptocurrency Act (or MiCA), which, in addition to setting up a framework for uniform regulation of cryptocurrencies throughout the EU, targets illicit activity, and we reported on explicit cryptocurrency crime a couple of weeks ago with millions of dollars in illicit cryptocurrency being seized and arrests being made.

But there are also other, more regulatory issues happening. For example, there is the issue of stablecoins, which are cryptocurrencies that are pegged to a traditional, or fiat currency, that may not be appropriately capitalized, such as Tether, which was accused of not having enough US dollars on hand to cover the amount of existing Tether in the market, though I should say that they do claim that this is not an issue, and that some of their capitalization is just not in cash, but rather short term debt.

Sources:

Security

Escaping containers

Eric Gregory: In the world of security, we saw the disclosure of a new Linux kernel vulnerability, CVE-2022-0492, allowing for container escape through the use of cgroups. This is one of those very contingent vulnerabilities that doesn’t work under the most common configurations, but can cause a world of hurt if the stars align.

Specifically, two layers of defense in Docker have to be disabled for this to work: the seccomp filter and the AppArmor policy. Now, this is important because one of these layers of defense gets disabled by default when you’re using Docker with Kubernetes.

If you’re working with Docker and Kubernetes, there are a few things you can do to ensure that you’ve hardened your environment as much as possible. First, you can enable seccomp at the workload level, though that could get a little tedious or impractical depending on your workloads. Second, you can enable seccomp at the cluster level with mutating admission controllers like OPA Gatekeeper. No matter what, you should make sure your hosts are patched, and as always, don’t run containers as root unless you don’t have any choice.

Source: New Linux Kernel Vulnerability: Escaping Containers by Abusing Cgroups | Aqua Blog
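As an added example (not code from the Radio Cloud Native post or from Aqua’s write-up), here is a small static audit that checks pod manifests for the hardening the segment above recommends: a seccomp profile actually applied to every container (Kubernetes leaves seccomp unconfined unless a profile is set or the kubelet is configured with a default), no explicitly unconfined AppArmor annotation, and no container running as root. The two manifests are constructed inline as Python dicts so the script runs offline; on a real cluster you would feed it the JSON from `kubectl get pods -o json` instead. The annotation key used for AppArmor is the pre-1.30 annotation form; everything else is plain pod-spec fields.

```python
# Added example: audit pod manifests for the seccomp / AppArmor / non-root
# hardening discussed above. Not part of the original post.

APPARMOR_PREFIX = "container.apparmor.security.beta.kubernetes.io/"  # annotation form (pre-1.30)
GOOD_SECCOMP = {"RuntimeDefault", "Localhost"}


def _seccomp_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")


def audit_pod(pod):
    """Return a list of findings; an empty list means the checks here all pass."""
    findings = []
    spec = pod.get("spec", {})
    pod_ctx = spec.get("securityContext") or {}
    annotations = pod.get("metadata", {}).get("annotations") or {}
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        name = c.get("name", "<unnamed>")
        ctx = c.get("securityContext") or {}

        # Container-level seccomp overrides pod-level; when neither is set the
        # container runs Unconfined, so Docker's default filter does not help.
        seccomp = _seccomp_type(ctx) or _seccomp_type(pod_ctx)
        if seccomp not in GOOD_SECCOMP:
            findings.append(f"{name}: seccomp profile is {seccomp or 'unset (Unconfined)'}")

        # The second layer from the write-up: an explicitly unconfined AppArmor profile.
        if annotations.get(APPARMOR_PREFIX + name) == "unconfined":
            findings.append(f"{name}: AppArmor explicitly unconfined")

        # Root check: container-level values override pod-level ones.
        run_as_non_root = ctx.get("runAsNonRoot", pod_ctx.get("runAsNonRoot"))
        run_as_user = ctx.get("runAsUser", pod_ctx.get("runAsUser"))
        if not run_as_non_root and run_as_user in (None, 0):
            findings.append(
                f"{name}: may run as root (runAsNonRoot not set, runAsUser={run_as_user})"
            )

        if ctx.get("privileged"):
            findings.append(f"{name}: privileged container")
    return findings


# Constructed sample manifests (not from any real cluster).
WEAK_POD = {
    "metadata": {"name": "web-weak"},
    "spec": {"containers": [{"name": "web", "image": "nginx"}]},
}

HARDENED_POD = {
    "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {
            "seccompProfile": {"type": "RuntimeDefault"},
            "runAsNonRoot": True,
            "runAsUser": 10001,
        },
        "containers": [
            {
                "name": "web",
                "image": "nginx",
                "securityContext": {"allowPrivilegeEscalation": False},
            }
        ],
    },
}

if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "->", audit_pod(pod) or "OK")
```

The same three conditions are what an admission policy (OPA Gatekeeper, as the segment mentions) would enforce before a pod is ever scheduled; running the audit over existing pods tells you how much of the cluster is already outside that policy.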

Unfortunately, the cgroup-based container escape vulnerability is far from the only Linux kernel vulnerability to watch out for at the moment. Much online conversation has centered on the Dirty Pipeline exploit first identified last October, and now wreaking havoc by allowing overwrite of the password field for root. From there, of course, an attacker can do no end of damage, including but not limited to overwriting files in container images, which in turn can lead to all kinds of software supply chain shenanigans.

The good news is that the vulnerability has been patched in the latest Linux kernel releases. The bad news is that, at the time of our news prep this week, these changes haven’t trickled down to all of the major Linux distributions, including some big ones like Red Hat Enterprise Linux. With no simple mitigation available, the best you can do is monitor for signs of unusual activity and, uh, pray to the Linux gods.

Source: Dirty Pipeline Is an Awful Linux Mess | The New Stack

Cybersecurity in Ukraine & Russia

A major question mark and topic of concern in the cybersecurity landscape remains the ongoing war in Ukraine, and how this gets characterized really depends on who you talk to. On one hand, a managed service provider tells The Register that they’ve seen an 800% increase in cyberattacks. We likewise see a lot of headlines about efforts from and conflicts between hacktivists, and just today many Russian court webpages were overwritten with anti-war messages.

But military analysts continue to downplay the cyberwar initiatives that have been identified so far, tending to describe them as smaller-scale and less dramatic than experts predicted. A headline from the Twin Cities Pioneer described the cyber conflict as a “free for all but no crippling cyberattacks,” and cyberwarfare experts appear to concur with this assessment.

Meanwhile, independent hackers continue to align their efforts with one side or the other, with volunteers self-describing as an IT Army for Ukraine having an estimated 230,000 Telegram followers.

At Computer Weekly, Security Editor Alex Scroxton speaks with several security experts who advise independent actors to refrain from getting involved, arguing that independent hacking efforts run the risk of unintended consequences, such as attacking assets on the side one means to support or complicating negotiations between state actors.

Sources:

Solo.io and Service mesh

Nick Chase: This week we got news that Brian Gracely, senior director of product strategy for all Red Hat Open Hybrid Cloud, is no longer senior director of product strategy for all Red Hat Open Hybrid Cloud, but is now the vice president of product strategy at Solo.io. Solo.io is the company behind Gloo Mesh Enterprise, which is aimed at making the Istio Service Mesh easier for companies to use.

Now to me, the fact that he’s “defected” to a “Service Mesh Upstart”, as TechTarget phrased it, is less important than the reason why he’s done this.

Basically what he’s saying is that he feels like service mesh now is where Kubernetes was a few years ago.

Sources:

Russia

Internet

Russia has already blocked Facebook and Twitter, and as of Sunday Russians can no longer get access to Instagram. This comes after Russia’s Investigative Committee deemed Meta, the parent company of both Facebook and Instagram an “extremist organization.” Whether you feel that way or not, it’s interesting to look at their public justification for this move.

What it boils down to is a clarification on March 11 of a change to Instagram’s policy on inciting violence. Nick Clegg, President of Global Affairs for Meta wrote that the company was temporarily suspending its restrictions preventing speech that promotes violence, but only within Ukraine, and only in the sense that they didn’t want to suppress Ukrainians’ calls for action against the Russian army. They explicitly said that they would not allow a sort of general Russophobia, and they also clarified a couple of days later that you still couldn’t call for Vladimir Putin’s head on a platter, because whatever else he is, he’s still a head of state, and apparently that’s a line you just don’t cross.

Meanwhile, the information war goes on. Internet provider Lumen has turned off its access to Russia, but Cloudflare and Akamai have decided not to do the same, pointing out that removing internet access would make it even harder for ordinary Russians to get information not provided by the state.

Unfortunately, that battle may already have been lost. At the very least, Russians who used Virtual Private Networks to get around Russian censorship can’t pay for those VPNs because Visa and Mastercard no longer work in-country, and then there are those rumors.

You know the ones.

The rumors that Russia is about to disconnect itself from the internet entirely.

Is that going to happen? Well, damned if anybody on this side of the world knows, but let’s look at why people are saying it. First, and most obviously, the Russian government wants to control the news and information received by the Russian people, because how else can you turn a war in which you bomb hospitals and take hundreds of people hostage into a “special military operation”. (Breathe, Nick, breathe.)

But, on the less conspiratorial and more realistic side, Russia actually does have a program called RuNet that theoretically enables it to create its own splinternet much like what you see in North Korea, in which everything in or out goes through government control and can be turned on at will.

The government is also issuing its own TLS certificates to enable websites to continue using the more secure HTTPS protocol in the event that foreign certificate authorities go offline. For example, Digicert has announced that, “In response to the evolving geopolitical situation in Ukraine, DigiCert is pausing issuance and reissuance of all certificate types affiliated with Russia and Belarus. This includes suspending issuance and reissuance of certificates to TLDs related to Russia and Belarus, as well as to organizations with addresses in Russia or Belarus.”

But what really kicked off all of this speculation is that, as The Observatorial reports, “Russian newspaper Kommersant leaked some emails signed by the Deputy Minister of Digital Development, Andréi Chernenko, in which he urged state websites and services to change [to] the Russian domain name system before March 11. For its part, the Kremlin denied that it planned to isolate Russian cyberspace from the rest of the world. However, she did not deny that she is going to do it with government websites.”

The advice that was given was that companies within Russia should do three things: move from foreign hosting services to hosts in-country, ensure that their domains were hosted by DNS in-country, and remove any Javascript libraries downloaded from outside the country, which seems a little excessive to me, but I’m not the Deputy Minister of Digital anything, so what do I know.

Of course in this climate, all of these things could simply be good cybersecurity advice. I mean, if you’re a Ukrainian company, you certainly don’t want your web host in Russia, and we already know that volunteers are attacking the hell out of Russian systems.

But there’s really no way for us to know. As fast as things have been changing, the Russian internet could have gone offline since we started this show.

That said, Financial Times quoted Alena Epifanova, a cybersecurity expert at the German Council on Foreign Relations, reminding us that “the entire Russian economy is based on the global internet. If they were to go offline, a major collapse of the Russian economy could be expected.”

Sources:

Ukraine

Meanwhile, on the other side of the line of contact, Ukraine has been invited to join the NATO-affiliated Cooperative Cyber Defence Centre of Excellence (CCDCOE), and at that point I’m not sure it’s worth even abbreviating it. This does not mean that if Ukraine experiences a cyberattack all of the other NATO countries will be obliged to cyberattack Russia. InfoSecurity reports that they’re actually joining as a “contributing participant,” which apparently is a thing, alongside other non-NATO member countries, including Sweden, Finland, South Korea and Switzerland.

In addition to getting support, of course Ukraine has lots of experience with attacks that could be useful for the Cooperative Cyber Defence Centre of Excellence to know about.

Then finally, the last bit of Ukraine news is something that I myself am a little ambivalent about. Just as many western businesses are pulling out of Russia, many others are offering their assistance to Ukraine. For example, Reuters reports that Canadian satellite company MDA Ltd. is providing Ukraine with near real-time satellite images to track Russian troop movements. Reuters also reports that Clearview AI, the company that provides facial recognition to law enforcement based on 10 billion images it’s scraped from various social media sites, is now offering its services to Ukraine as well. In this case, it’s being used to identify dead Russian soldiers, which I can support, as well as to potentially reunite refugees who have been separated from their families, which I can also get behind, but also to identify people at checkpoints, which I have to say kind of makes my skin crawl a little. OK, it makes my skin crawl a lot. Critics point out that the software is far from perfect, and just as it has led to mistaken arrests in countries like the United States, it could potentially lead an innocent Ukrainian to be identified as a Russian agent. Is it important to find people who aren’t who they claim to be? Yes. Is this a terrifyingly slippery slope? Absolutely.

Sources:

China

Meanwhile China is acting a little weird this week, though that’s probably not too unusual. First, they claim that they have captured an NSA cyber spying tool, NOPEN, which is used to basically take over Unix and Linux systems and steal files. Now, this would be hugely embarrassing for the US if it weren’t for the fact that the tool they claim to have “captured” has actually been making the rounds since it was leaked by a group called the Shadow Brokers way back in 2016.

The Chinese government is also claiming to have seen “continuous attacks on the Chinese internet and computers in the nation by people who used the resources to also target Russia, Belarus, and Ukraine.” The Register claims to have investigated the IP addresses and confirmed that they do belong to US resources and colocation providers, though they also point out that there’s no proof that those systems hadn’t been commandeered by bad actors.

Sources:

Quantum

Fairly big news in Quantum Computing in the last week. Actually most weeks there’s something, though not enough to have an eternal Quantum Corner.

We start out with some fairly pedestrian news, which is that Germany’s Federal Ministry of Education and Research has provided the equivalent of just under $85 million over five years to bankroll the creation of QSolid, a consortium of 25 German companies and research institutions. Their goal is to create more stable qubits, which are the foundation of quantum computers. They figure that by embarking on this research, they’re not just helping to move the technology along, they’re potentially able to set some of the standards.

But the really big quantum news of the week is that Microsoft’s Azure Quantum has made a huge discovery in the field that could potentially enable them to make a huge leap. They’ve announced that they have “engineered devices that allow them to induce a topological phase of matter bookended by a pair of Majorana zero modes.”

Sources:
