Skip to main content

Nichi Yorozuya


Nick Cao
Golang / Arch Linux / Backend
An imperfect perfectionist
NOC of AS209297


Mail: [email protected]
GPG Key: 09CC69622E8D4EE343B4E8954D0BA456DF028C15


An independently operated research network
with an open peering policy, PoPs mainly in Asia-Pacific region
PeeringDB RIPEstat

Terraform with Fedora CoreOS

what if a reinstallation is required 此文为上文的一点补充。 As far as I understand the sole purpose of cloud-init or user-data scripts is to do early initialization of instances. From that perspective, it may not make sense to use it as a way to re-provision or re-configure instances since that’s what tools like Puppet, Chef, Ansiable and Salt are for. Terraform was thought out as a way of creating and destroying infrastructure resources, and resource immutability is all over the place. 然而Fedora CoreOS这样的immutable system的加入改变了这一现状,我们不再需要ansible/puppet或是其他的配置管理工具,而terraform,很遗憾,尚未对此作出相应的改变。我们所需求的特性

Fedora CoreOS

对于基础设施的管理,往往有两种approach,transactional与declarative。transactional描述动作,比如安装一个软件包,比如向文件中写入一行内容。而declarative描述结果,比如一个软件包已经被安装且满足特定version constraint,或是一个文件中存在某行内容。传统的手工操作是transactional的,负责任的运维可能会记录自己所运行的每一条

Container Escape

本文谨记一次container escape,文中出现的服务提供商名称为化名(估计他们还没修洞呢)TL;DR:container不是sandbox,运行不可信container最好增加安全措施。 前些时日找到了一个Kuberntes as a Service平台 - ekoott,为用户提供隔离的namespace运行任意manifest,这样的平台现在似乎还挺多的,不过这家给的quota比较多,我将大部分non