
12 posts tagged with "Open Source"


How to Prevent Path Traversal Attacks with OpenZiti BrowZer

· 6 min read

The web has transformed how the world operates, enabling everything from banking and shopping to social media and everyday business transactions. As with every technological advance, malicious actors quickly found ways to exploit it for fraud. The relative anonymity of the internet let criminals deceive both users and service providers, leading to significant financial losses. In response, SSL/TLS and the public trust infrastructure behind it were developed so that users can verify the servers they talk to and transact with more confidence. Those measures do not address a different class of problem: software is written by people, people make mistakes, and a web application can be flawed even when the connection to it is properly authenticated and encrypted.

Announcing OpenZiti v1.0

· 5 min read
Dave Hart
Author

We created OpenZiti so that anyone can implement distributed applications over the Internet, incorporating the principles of zero-trust networking for free into almost anything and for any use case.

We started the OpenZiti GitHub org back in May 2020. One of the most common questions we get today is, "Why haven't you bumped the version to 1.0 yet?" It's a fair question. OpenZiti boasts a robust feature set and sees widespread use in mission-critical applications, including Fortune 50 environments, with billions of sessions annually.

So, why the long wait? Well, making secure connectivity simple at scale is non-trivial, and we’ve held ourselves to a high standard.

We’ve proved, and our users have proved, that OpenZiti stands up to large-scale production use. But one of the most important things we wanted to do before flipping to v1.0 was show off OpenZiti in action in its most potent use case: as a foundation for what we call “ziti-native apps.” These are applications built from the ground up with security, privacy, and resilience designed in.

Got 5 Minutes? Secure Your Python Website with Zero Trust.

· 8 min read

I have a website I built using Django; it's just a personal site meant to be used by friends and family. This makes it a perfect fit for zero trust, as I can hide it from the world and hand out specific access to the friends and family I want to allow to use it. The site has all sorts of tools to keep track of things as a family. We have the "Tool Pool" so each friend or family member can see who has what special tools so they can borrow them instead of buying their own, and it keeps track of who borrowed what. There's another called "Packer Tracker" which keeps track of what you bring on a camping trip (personal or shared trip) so you can review what was missing or isn't needed for future trips and see what other people are bringing on a shared trip. There are many others, but, in any case, this site is just a personal site to be used on an invite-only basis, so I don't need the world to have access to it, but I do want it publicly available for those using it. So, I spun up an Oracle cloud instance (totally free "forever") and hosted it there. Currently, I create an account and send a link to anyone who wants to use it. The problem is it's still publicly accessible and prone to security issues from unwanted guests and/or web crawlers. I already have an OpenZiti zero trust network running in another Oracle cloud instance where I've secured my NAS, CCTV, and HomeAssistant access with zero trust, so why not just add this?

Announcing the zrok Public Beta!

· 3 min read

zrok is officially in public beta. Feel free to download the latest release of zrok and invite yourself to the public instance using the zrok invite command (there is no longer an invite token requirement):

$ zrok invite

enter and confirm your email address...

> michael.quigley@netfoundry.io
> michael.quigley@netfoundry.io

[_Submit_]

invitation sent to 'michael.quigley@netfoundry.io'!

Commercial Open Source and Ethical (and practical) Community Engagement

· 5 min read

I’m a big fan of commercially supported open source. I’m biased, of course, in that it’s how I get my paycheck. However, having worked on OSS without getting paid to do so, I think there are better outcomes for everyone when a project has financial backing.

A few jobs ago, when I was still working on my degree, I wrote a workflow engine for my capstone project. I was able to open-source it and used it at my work. I felt comfortable making improvements that were relevant to work on my paid time, but any community support or maintenance fell on my free time. When I moved to a new company, the project slowly bit-rotted into uselessness. I tried to find a new maintainer and I moved it to GitHub from code.google.com, to keep it on life support, but it’s functionally dead. If someone tried to adopt it today, I wouldn’t have the time to support them.

Compare that to my current project. If I got hit by a bus tomorrow, the project would carry on. Not only do I get to work on OSS, but I have time to spend with my family. In addition to writing code, I’m not just allowed, but expected to write docs, ensure we have a solid build process, respond to user questions and, in general, engage with the community to make sure users are successful and improve the project based on user needs. It feels like a sustainable approach to developing open-source software, at least for large projects.

Commercial backing does complicate community engagement somewhat. As soon as there's a profit motive involved, people look at what you're offering them with some suspicion. I would argue that when you're engaging with the community, it's not only ethical but also more effective to follow a few simple rules.

  1. Be honest

  2. Respect people’s time

  3. Be nice

Connecting to Local Development Environment from Cloud Hosts with zrok

· 4 min read
Jens Alm
Author

All developers have at some point used cloud-provided compute hosts. It's very easy, it's very convenient, and it's relatively cheap. One problem that you frequently run into is how to use these hosts in local development.

At work, we use cloud-provided hosts extensively and I often need the hosts to connect back to my local environment to read data. One such example is when we use the Salt stack to manage software on the hosts.

Using eBPF-TC to securely mangle packets in the kernel, and pass them to my secure networking application

· 13 min read

Introduction

eBPF enables you to safely run sandboxed programs for functions like security and networking inside the OS kernel, without changing kernel source code or loading kernel modules. Programs attached at the TC (traffic control) hook, usually called eBPF-TC, can read and rewrite ("mangle") packet headers on both the ingress and egress paths, with the verifier enforcing that every packet access is bounds-checked before the program is loaded, and at high performance because the packet never leaves the kernel.
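The two things a TC program has to get right when it mangles a packet are the bounds checks the verifier insists on and the checksum fix-ups that follow any header rewrite. The following is an added example, written in plain userspace C and not code from the OpenZiti project or from this post: it models a TC program that steers a matching IPv4/TCP flow to a local listener by rewriting the destination address and port, and patches the IPv4 header checksum and the TCP checksum incrementally with the same RFC 1624 arithmetic the kernel helpers bpf_l3_csum_replace() and bpf_l4_csum_replace() implement. The sample frame, the addresses 10.0.0.1, 203.0.113.10 and 127.0.0.1, and the port choices are constructed for the example.

```c
/* Userspace model of what an eBPF TC program does when it mangles a packet:
 * parse Ethernet/IPv4/TCP with explicit bounds checks (the verifier rejects
 * any access not guarded against data_end), rewrite dst address and port,
 * and patch the IPv4 and TCP checksums incrementally, as the kernel helpers
 * bpf_l3_csum_replace()/bpf_l4_csum_replace() do. Added example code; not
 * from the OpenZiti project or the post it illustrates. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_HLEN    14
#define ETH_P_IP    0x0800
#define IPPROTO_TCP 6

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) { return ((uint32_t)rd16(p) << 16) | rd16(p + 2); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)(v >> 16)); wr16(p + 2, (uint16_t)v); }

/* One's-complement fold of a 32-bit accumulator into 16 bits. */
static uint16_t fold(uint32_t s) { while (s >> 16) s = (s & 0xffff) + (s >> 16); return (uint16_t)s; }

/* Accumulate a byte range as big-endian 16-bit words (odd tail padded with 0). */
static uint32_t sum_bytes(const uint8_t *p, size_t len, uint32_t s)
{
    for (; len > 1; len -= 2, p += 2) s += rd16(p);
    return len ? s + ((uint32_t)p[0] << 8) : s;
}

/* RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for a 16-bit and a 32-bit field. */
static uint16_t csum_replace16(uint16_t c, uint16_t from, uint16_t to)
{
    return (uint16_t)~fold((uint16_t)~c + (uint16_t)~from + to);
}
static uint16_t csum_replace32(uint16_t c, uint32_t from, uint32_t to)
{
    uint32_t s = (uint16_t)~c;
    s += (~from >> 16) + (~from & 0xffff) + (to >> 16) + (to & 0xffff);
    return (uint16_t)~fold(s);
}

/* Receiver-side checks: the sum over the covered bytes, checksum field included,
 * must fold to 0xffff. The TCP pseudo-header adds src, dst, proto and TCP length. */
static int ipv4_csum_ok(const uint8_t *ip, size_t ihl) { return fold(sum_bytes(ip, ihl, 0)) == 0xffff; }
static int tcp_csum_ok(const uint8_t *ip, const uint8_t *tcp, size_t tlen)
{
    uint32_t pseudo = sum_bytes(ip + 12, 8, 0) + IPPROTO_TCP + (uint32_t)tlen;
    return fold(sum_bytes(tcp, tlen, pseudo)) == 0xffff;
}

/* Constructed sample frame: Ethernet + IPv4 + TCP SYN + 4 payload bytes,
 * 10.0.0.1:40000 -> 203.0.113.10:443; checksums filled in by full computation. */
size_t build_sample(uint8_t *buf)
{
    static const uint8_t frame[] = {
        0x02,0,0,0,0,2, 0x02,0,0,0,0,1, 0x08,0x00,                          /* Ethernet II */
        0x45,0x00, 0x00,0x2c, 0x1c,0x46, 0x40,0x00, 0x40,0x06, 0x00,0x00,   /* IPv4, csum 0 */
        10,0,0,1, 203,0,113,10,
        0x9c,0x40, 0x01,0xbb, 0,0,0,1, 0,0,0,0, 0x50,0x02,                 /* TCP SYN */
        0xff,0xff, 0x00,0x00, 0x00,0x00,                                   /* win, csum 0, urg */
        'z','i','t','i',
    };
    memcpy(buf, frame, sizeof frame);
    uint8_t *ip = buf + ETH_HLEN, *tcp = ip + 20;
    wr16(ip + 10, (uint16_t)~fold(sum_bytes(ip, 20, 0)));
    uint32_t pseudo = sum_bytes(ip + 12, 8, 0) + IPPROTO_TCP + 24;
    wr16(tcp + 16, (uint16_t)~fold(sum_bytes(tcp, 24, pseudo)));
    return sizeof frame;   /* 58 bytes */
}

/* Rewrite dst address/port of a matching IPv4/TCP frame in place. Returns 1 if
 * mangled, 0 if left alone (not IPv4/TCP, truncated, or addressed elsewhere).
 * Every `... > len` test is the equivalent of an eBPF `ptr + n > data_end` check. */
int dnat_ipv4_tcp(uint8_t *pkt, size_t len, uint32_t match_dst, uint16_t match_port,
                  uint32_t new_dst, uint16_t new_port)
{
    if (len < ETH_HLEN + 20 || rd16(pkt + 12) != ETH_P_IP) return 0;
    uint8_t *ip = pkt + ETH_HLEN;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tot = rd16(ip + 2);
    if ((ip[0] >> 4) != 4 || ihl < 20 || ip[9] != IPPROTO_TCP) return 0;
    if (tot < ihl + 20 || ETH_HLEN + tot > len) return 0;   /* whole TCP header present? */
    uint8_t *tcp = ip + ihl;
    if (rd32(ip + 16) != match_dst || rd16(tcp + 2) != match_port) return 0;

    wr32(ip + 16, new_dst);
    wr16(ip + 10, csum_replace32(rd16(ip + 10), match_dst, new_dst));
    /* The TCP checksum covers the pseudo-header, so the address change hits it
     * too (BPF_F_PSEUDO_HDR in a real program); then the port change on top. */
    uint16_t tc = csum_replace32(rd16(tcp + 16), match_dst, new_dst);
    wr16(tcp + 2, new_port);
    wr16(tcp + 16, csum_replace16(tc, match_port, new_port));
    return 1;
}

/* Runs the constructed frame through the rewrite. Returns a bitmask: 1 checksums
 * valid before, 2 non-matching dst untouched, 4 matching dst rewritten, 8 new
 * dst/port in place, 16 checksums valid after, 32 truncated copy rejected. */
int demo(void)
{
    uint8_t pkt[128];
    size_t len = build_sample(pkt);
    uint8_t *ip = pkt + ETH_HLEN, *tcp = ip + 20;
    int r = 0;
    if (ipv4_csum_ok(ip, 20) && tcp_csum_ok(ip, tcp, 24)) r |= 1;
    if (!dnat_ipv4_tcp(pkt, len, 0x0a000001u, 443, 0x7f000001u, 8443)) r |= 2;
    if (dnat_ipv4_tcp(pkt, len, 0xcb00710au, 443, 0x7f000001u, 8443)) r |= 4;
    if (rd32(ip + 16) == 0x7f000001u && rd16(tcp + 2) == 8443) r |= 8;
    if (ipv4_csum_ok(ip, 20) && tcp_csum_ok(ip, tcp, 24)) r |= 16;
    if (!dnat_ipv4_tcp(pkt, ETH_HLEN + 30, 0x7f000001u, 8443, 0xcb00710au, 443)) r |= 32;
    return r;   /* 0x3f when everything behaves */
}
```

In a real TC program the same length tests are written against `data_end` on the `__sk_buff`, and the two checksum functions are replaced by the helper calls; what carries over unchanged is the discipline. A rewrite of any L3 field that appears in the pseudo-header (addresses, protocol, length) must be mirrored into the L4 checksum, or the receiving stack silently drops the segment and the TC program looks like it "works" while nothing arrives at the application.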

Setting Up Oracle Cloud To Host OpenZiti

· 11 min read

For a long time, I've been concerned about relying on a company's focus on security. I generally expect the least focus on security, as many companies just want to be first to market. Yikes, that sounds bad, but many companies indeed focus too little on security. I do not expose my internal network to the world by opening ports on my firewall. While I'd like access to a few things like my security camera system, network storage device, home assistant, etc., I am very concerned that some bad actor will somehow find my hosted service and find a way in because of some CVE that hasn't been patched. Now that I've drawn a severely dark picture, let's bring some light in, haha.