Maël Valais

@maelvls

Joined on Nov 20, 2019

  • On June 2023, I've decided to abandon "desktop" Linux. I can't bear having to work around everything all the time, not even counting the tons of problems that occur whenever I do a major version upgrade (e.g., when I upgraded from 21.10 to 22.04, my PPAs obviously broke, and I also lost all the hacks I had made to /etc to work around problems). I am officially back to macOS starting 26 June 2023. I'll still use my Linux workstation remotely over Mosh, but not as a desktop environment. To smooth the transition, I use the following hacks on macOS: Linear Mouse since I can't stand macOS' mouse acceleration and also to fix my mouse wheel's direction. My config:
        Setting                          Value
        Pointer -> Pointer acceleration  0.5
        Pointer -> Pointer speed         0.1717
        Scrolling -> Scrolling mode      By Lines
        Scrolling -> Distance            2
    Magnet to be able to move windows around and move them to 1/2 of the display. AltTab to switch between windows instead of cmd+tab's application switching. Audio Switch to make sure my bluetooth headset's microphone never gets used (any wired mic close enough to the mouth is better than a bluetooth mic; the MacBook Pro's mics are good for that matter). MenuMeters to see the network activity in the top menu bar. Screenshot tweaks: defaults write com.apple.screencapture location ~/Downloads
  • Memory Limits When the Agent starts up it downloads and caches all the Kubernetes API resources which it has been configured to report. Depending on the combined size of these resources, the memory usage will briefly spike at startup and if the memory limit on the Agent Pod is set too low, the Agent may breach the memory limit and be OOM killed. To figure out whether it is being OOM killed: kubectl describe -n venafi pod -l app.kubernetes.io/name=venafi-kubernetes-agent Read more about scaling TLSPK components. Remove the Memory Limit Try removing the memory limit and measuring the peak memory usage.
  • Gateway API: cool, but why can't I configure TLS myself? Maël Valais, 21 May 2025 Why care about Gateway API? Gateway API = role-aware version of Ingress API + many more knobs and fewer annotations. Ingress API not well defined, e.g., one team may silently be claiming traffic from another team's hostname. nginx-ingress obsolescent: no new features, will be deprecated by 2026.
  • See thread on #sig-network-gateway-api (Slack). This document details why supporting ListenerSet in cert-manager will fix a problem raised by application developers: they are used to managing TLS using the Ingress API and are not able to manage TLS with Gateway API. This problem has been raised by the community in cert-manager#7473. Plan Step 1: Support the XGateway resource in cert-manager (not required, but good to have since users may want to use XGateway to keep using experimental features) -> #7647. Step 2: Add XListenerSet (see gep-1713) support to cert-manager, giving users a way to do what's described in cert-manager#7473. Step 3: Contribute to ingress2gateway to support the cert-manager annotations. Today: developers coming from Ingress can't configure cert-manager because they can't edit Gateway resources.
  • Good first issues: https://docs.google.com/spreadsheets/d/1zThfUB22HHdHAiRvS3ctbj4Da7j30imnUleURjxTYE0/edit For convenience we recommend that you use GitHub Codespace today. This should be well within the free allowance from GitHub (60 hours for the 2-core instance), but if not we do have some manual steps too. General We always use forks for development so it's a good idea to fork the project you are going to work on now. Assuming you have gh CLI installed:
  • The problem: When using cert-manager's Venafi built-in issuer or when running vcert enroll with TPP, people get "stuck" with an error like: 500 Certificate \VED\Policy\Test\foo.com has encountered an error while processing, Status: This certificate cannot be processed while it is in an error state. Fix any errors, and then click Retry., Stage: 700. This message occurs when a past enrollment has failed or an enrollment was still in progress for that certificate. The current workaround is to call POST /reset with Restart=False, and then re-run the command vcert enroll (or renew the certificate in cert-manager). Resolution Progress cert-manager
  • For the past few years, I have been using an Automator script that would compress PNGs using tinypng-cli that I could call from the Finder. I recently learned how TinyPNG compresses PNGs: it calls out to pngquant, which is an open-source program that you can download yourself. Not using TinyPNG means I no longer need to send my images to a third party, and I no longer need a network connection to compress images. To do that, you will first have to install pngquant: brew install pngquant Then, get the shortcut: https://www.icloud.com/shortcuts/a63b010001c547b196f89eaa6262e9ef It looks like this:
  • ⚠️ This is just meant to unblock you temporarily for things like finding out your actual latency. But remember that the VPN's MITM is there for a reason, so let your IT team know if having to work around the VPN is the only way to do your job! Fortunately, Global Protect will reset the routes after an hour or two, so the changes proposed in this page shouldn't be too concerning. IT might require an always-on VPN on your Mac. It is sometimes useful to disable it for a time, e.g., to check your real latency or to diagnose network issues. What the always-on VPN does is that it creates a catch-all route, and all traffic goes to the utun0 interface which gets routed to the VPN's gateway:
        $ netstat -rn | head
        Destination   Gateway        Flags   Netif
        default       10.220.43.57   UGScg   utun0   <- culprit
        default       192.168.1.1    UGScIg  en8
  • I've always liked the idea of being able to ssh into a running job to debug CI-specific things like firewall rules. In GitHub Actions, the solution is super simple. Just use the action owenthereal/action-upterm:
        name: CI
        jobs:
          build:
            runs-on: ubuntu-latest
            steps:
              - name: Setup upterm session
  • Table-driven tests in Go are a widespread way to structure unit tests, making it easier to spot missing cases and (somewhat) easier to maintain over time. However, they have a significant downside: when a test fails, identifying the exact failing case requires looking for the test name in the go test output, and searching for it in the test file. Take this example from undent_test.go:
        func Test_Undent(t *testing.T) {
            tests := []struct {
                name  string
                given string
  • Problem Go's errors.As works as expected with custom error types. You don't need to do anything special to make it work. But errors.Is is different: by default, it uses == to compare the error with the target (1). This is OK for simple custom types that don't have struct fields, and it is particularly well suited to what Go calls "sentinel errors". A sentinel error is a well-known error value that you can use to know what an error is. An example of a sentinel error is
  • I use GitLab CI scripts that rely on Docker images, and these images aren't multi-arch. The only platform available is linux/amd64. So, the first thing I need is to tell gitlab-ci-local to run the containers using the linux/amd64 platform: export DOCKER_DEFAULT_PLATFORM=linux/amd64 Then, I create a file named .gitlab-ci-local-variables.yml to set up the variables as they appear in the project's secret variables: $ cat .gitlab-ci-local-variables.yml GITHUB_DEPLOY_KEY: LS0tLS1CRUdJ...0VZLS0tLS0K Then, I run the job I want to debug:
  • If you are using Microsoft AD Certificate Services as a certificate authority, you may be looking for a way to configure the "acceptable" maximum path length for intermediate CAs (or "sub CAs") issued by your CA. By default, if you are using the "Subordinate Certificate Authority" certificate template, you will see that the basic constraints UI has two checkboxes. The second one is the one that interests us: • Do not allow subject to issue certificates to other CAs. When checked, the issued CA will have a max path len of 0. When unchecked, the issued CA will not have the max path len field configured.
  • Bug in ipp-usb I own an Epson ET-2850 printer. I often get prints that cancel themselves 1/3 through being printed. I thought that wifi might have been the issue. Unfortunately, the ET-2850 doesn't come with an ethernet port. The issue is hard to reproduce. I found that around 1/10 of the prints of photos made using AirPrint on iPhones get cancelled. ipp-usb is a project that allows you to turn any IPP-capable USB printer into an IPP network printer with capabilities such as mDNS, which makes the printer AirPrint-capable. I plugged my printer into a Raspberry Pi and installed ipp-usb, and configured it to listen on 0.0.0.0 rather than localhost so that I could use AirPrint from my iPhone. Unfortunately, ipp-usb doesn't work with my printer: when selecting the printer in AirPrint from my iPhone, it would immediately unselect itself. Also, the printer shows as "offline" in AirPrint. Fortunately, I can easily man-in-the-middle the IPP traffic to see what's going on. When running Wireshark from the Pi, I noticed that AirPrint does two consecutive requests using the method Get-Printer-Attributes: [Screenshot 2024-12-22 at 18.24.28]
  • This is a list of discrepancies I came across while trying to write cross-system compatible makefiles and Bash scripts. sed -i (in-place editing) can work without an argument with GNU sed, but won't work without an argument on BSD sed and on Busybox. On BSD sed and Busybox sed, you have to give an argument that corresponds to the suffix added to the file name when the backup file is created. The following works on BSD, GNU, and Busybox sed:
  • In this post, I explain why slashes should be avoided, and how to use them properly in case they make sense. Avoid Slashes A recurring issue I often notice in pull requests is the use of slashes when enumerating alternatives. Examples found in the cert-manager project: This diagram shows the lifecycle of a Certificate named cert-1 using an ACME / Let's Encrypt issuer. The username / password authentication is deprecated. Configure an Issuer / ClusterIssuer.
  • I've tested your changes manually and was happy to see that the "random" (or rather, unexpected) updates to the target configmaps no longer take place. I wrote this page as part of my review of the PR 380. This PR introduces a deterministic ordering to the CA bundle and aims to fix two things: On one hand, a feature that was requested: people want to be able to change the order of the sources in the sources array without having the configmaps updated. On the other hand, a serious bug that forces the target configmaps to be updated for no reason and seems to only occur when label selectors are used. Item (2) doesn't have a clear minimal working example, so I decided to reproduce it here. My hypotheses for item (2) are:
  • I've always been confused as to what purpose subPath serves. I've come across subPath whenever a configmap was mounted: it looked like it was used as a way to control which keys in a configmap or secret are projected... but I was never sure. In this page, I'll try to uncover what exactly is happening when using subPath and finally get some firm understanding. We will be using Kind to test things out. Let's create a kind cluster: kind create cluster We will need the tree utility too: docker exec kind-control-plane sh -c "apt update && apt install tree -y"
  • I created this tutorial to reproduce scenario (3) in the cert-manager issue #6150. Tested on macOS with Docker running on a VM created by limactl. It should also work on macOS with Docker Desktop, and also on Linux. The reason we run Vault in a container instead of locally is because it needs to be on the same VM as the kind cluster so that cert-manager can reach Vault, and Vault can reach kube-apiserver. # yq version 4 or above is required. Here, I use Vault 1.14.2. kind create cluster
  • package linux_cap

        import (
            "bufio"
            "bytes"
            "fmt"
            "io/fs"
            "log"
            "strings"
        )