Adding an IP address to a Bridge

OpenShift requires a load balancer for providing access to the hosted applications. Although I can run a three node cluster, I need a fourth location to provide a load balancer that can then provide access to the cluster.

For my home lab set up, this means I want to run one on my bastion host….but it is already running HTTP and (FreeIPA) Red Hat IdM. I don’t want to break that. So, I want to add a second IP address to the bastion host, and have all of the existing services make use of the existing IP address. Only the new HA Proxy instance will use the new IP address.

This would be trivial for a simple Ethernet port, but I am using a Bridge, which makes it a touch trickier, but not terribly so.

Continue reading

DHCP Lease Design

The key piece of persisted data in an DHCP server is the lease. A lease is a the mapping between a MAC address and an IP address, limited in time. A Lease typically has a start time and an end time, but can be renewed. Because I am still living in an IPV4 world, I have to deal with arbitrarily small pools of IP addresses. Thus, the design needs to strike the balance between static and dynamic: a machine should generally get back the same IP address each time. However, if addresses get tight, address reuse should be aggressive.

Continue reading

Extract Function Refactoring using inline functions.

The Extract Function refactoring is the starting point for much of my code clean up. Once a “Main” function gets sufficiently complicated, I pull pieces of it out into their own functions, often with an eye to making them methods of the involved classes.

While working with some rust code, I encountered an opportunity to execute this refactoring on some logging code. Here’s how I executed it.

Continue reading

Network Policy to Explicitly Allow access from all Namespaces

The Default network policy in OpenShift allows all access from all pods in all namespaces via the cluster IP. However, once you start enforcing policy on a project, all policy decision need to be made explicit. If you want to still allow access from all projects, you can use the following policy file.

kind: NetworkPolicy
  name: allow-all-namespaces
  - from:
    - namespaceSelector: {}

Deploying a Minimalistic Flask Application to OpenShift

Some colleagues and I were discussing the network access policy of OpenShift. I realized it would be very helpful to have a trivial app that I could deploy to OpenShift that would then try to make a call to another service. So I wrote it using Python3 and Flask. Now that I have it working, I want to deploy it in OpenShift, again, in a trivial manner.

I would not deploy a Flask App into production without a Web server to front it. But that is what I am going to do for this test app.

Continue reading

Injecting a Host Entry in podman-run

How does an application find its database? For all but the most embedded of solutions, the database exposes a port on a network. In a containerized development process, one container needs to find another container’s network address. But podman only exposes the IP address of a pod, not the hostname. How can we avoid hardcoding IP addresses of remote services into our containers?

Continue reading