posts
- Leaving Google
Today is my last day as a Google employee. After nearly 10 years working on the Google Cloud Developer Relations team, I’ve decided to step away and pursue other challenges. Before Google: Joining Google in January 2015 seemed like a natural career progression. My first exposure to Google Cloud came in the summer of 2008 when I attended Google Developer Day. Google App Engine for Python was just released and it felt pretty special. It supported Python only, which was unusual at the time and this was a boon for the Python community in Japan. I attended a workshop to...
- Understanding GitHub Artifact Attestations
GitHub recently introduced Artifact Attestations, a beta feature that enhances the security of Open Source software supply chains. By linking artifacts to their source code repositories and GitHub Actions, it ensures that artifacts are not built with malicious or unknown code or on potentially compromised devices. GitHub’s blog post and documentation provide a comprehensive explanation of how Artifact Attestations work. However, some questions remain unanswered, such as the specific security measures implemented by the verification process, the reasons behind achieving SLSA Build Level 2 instead of L3, and potential avenues for further improvement. I’ll try to shed some light on...
- Code Signing is not Enough
Code signing is often used as a method for ensuring that software artifacts like binaries, drivers, and software packages haven’t been modified by a third party before they are used. Many folks may be familiar with packages that were GPG-signed and distributed with an ASCII-armored (.asc) signature file. Code signing is a great step towards securing the software supply chain above simply providing software as-is, but has a number of downsides that can be addressed with other methods like software provenance. Signing Code: Code signing is the name given to cryptographically signing release artifacts with a cryptographic key. In...
- Four Tips for Writing Better Go APIs
Go is a really powerful programming language that allows you to write concurrent code that is still easy to understand. But designing APIs can be hard, even for seasoned Go programmers. When designing APIs for libraries and applications in Go it’s important to keep in mind the strengths of the language to make your APIs easier to use and avoid pitfalls like goroutine leaks. With that in mind, here are a few common issues I see often with Go APIs and some tips for how to make them better. Don’t Take APIs Out of Context: The context package is a...
- Container Runtimes Part 4: Kubernetes Container Runtimes & CRI
This is the fourth and last part in a four-part series on container runtimes. It’s been a while since part 1, but in that post I gave an overview of container runtimes and discussed the differences between low-level and high-level runtimes. In part 2 I went into detail on low-level container runtimes and built a simple low-level runtime. In part 3 I went up the stack and wrote about high-level container runtimes. Kubernetes runtimes are high-level container runtimes that support the Container Runtime Interface (CRI). CRI was introduced in Kubernetes 1.5 and acts as a bridge between the kubelet...
- Container Runtimes Part 3: High-Level Runtimes
This is the third part in a four-part series on container runtimes. It’s been a while since part 1, but in that post I gave an overview of container runtimes and discussed the differences between low-level and high-level runtimes. In part 2 I went into detail on low-level container runtimes and built a simple low-level runtime. High-level runtimes are higher up the stack than low-level runtimes. While low-level runtimes are responsible for the mechanics of actually running a container, high-level runtimes are responsible for transport and management of container images, unpacking the image, and passing off to the low-level runtime...
- Container Runtimes Part 2: Anatomy of a Low-Level Container Runtime
This is the second in a four-part series on container runtimes. In part 1, I gave an overview of container runtimes and discussed the differences between low-level and high-level runtimes. In this post I will go into detail on low-level container runtimes. Low-level runtimes have a limited feature set and typically perform the low-level tasks for running a container. Most developers shouldn’t use them for their day-to-day work. Low-level runtimes are usually implemented as simple tools or libraries that developers of higher-level runtimes and tools can use for the low-level features. While most developers won’t use low-level runtimes directly,...
- Container Runtimes Part 1: An Introduction to Container Runtimes
One of the terms you hear a lot when dealing with containers is “container runtime”. “Container runtime” can have different meanings to different people so it’s no wonder that it’s such a confusing and vaguely understood term, even within the container community. This post is the first in a series that will be in four parts: Part 1: Intro to Container Runtimes: why are they so confusing?; Part 2: Deep Dive into Low-Level Runtimes; Part 3: Deep Dive into High-Level Runtimes; Part 4: Kubernetes Runtimes and the CRI. This post will explain what container runtimes are and why there is...
- The Almighty Pause Container
When checking out the nodes of your Kubernetes cluster, you may have noticed some containers called “pause” running when you do a docker ps on the node.
    $ docker ps
    CONTAINER ID   IMAGE                                       COMMAND   ...
    ...
    3b45e983c859   gcr.io/google_containers/pause-amd64:3.0   "/pause"  ...
    ...
    dbfc35b00062   gcr.io/google_containers/pause-amd64:3.0   "/pause"  ...
    ...
    c4e998ec4d5d   gcr.io/google_containers/pause-amd64:3.0   "/pause"  ...
    ...
    508102acf1e7   gcr.io/google_containers/pause-amd64:3.0   "/pause"  ...
What are these “pause” containers and why are there so many of them? What’s going on? In order to answer these questions, we need to take a step back and look at how pods in Kubernetes are implemented, particularly with the Docker/containerd runtime. If you...
- Blue/Green Deployments on Kubernetes
For those that want to dive right in, I have put up a tutorial and some sample manifests on GitHub. Check it out at https://github.com/IanLewis/kubernetes-bluegreen-deployment-tutorial Kubernetes has a really awesome built-in feature called Deployments. Deployments come with the ability to do rolling updates of containers when you update your application to a new version. Rolling updates are a great way to update applications because your app uses about the same amount of resources during an update as it does when not updating, all with minimal impact to performance and availability. However, there are many legacy applications out there that don’t...