Sunday, July 31, 2022

The Home Automation Rabbit-Hole

So, I was fortunate enough to find myself in possession of a used Raspberry Pi 4 Model B (the 4GB model) last week, completely at random. I've had Raspberry Pis before, of course; some of my previous posts on this blog were about how I used them to run a local ad-blocking recursive DNS server using Pi-Hole. That is a great use case, because they can keep running and be useful by blocking ads in your house. And this is where my Pi 3 has been for years; I've mostly forgotten about it other than updating the block lists from time to time.

Enter the Pi 4. Something I've been wanting to test is running my home automation on a Raspberry Pi. There are a few different open source projects for home automation, with the main contenders being Home Assistant and OpenHAB. For me, OpenHAB being based on Java was reason enough to steer clear. It turns out that Home Assistant is awesome and very easy to set up and customize through a full web interface! Really, I'm quite impressed with the ecosystem of app integrations and add-on functionality that Home Assistant provides. Kudos to the team maintaining this project. They also offer a cloud service that simplifies the integration into the cloud, the aptly named Home Assistant Cloud, provided by their partner Nabu Casa. What excites me, though, is that they have full guides on building your own integration using the Amazon Alexa developer APIs and AWS Lambda functions, which has me very interested. Hopefully there will be some more blog posts where I share my experiences as I dive into those guides.

In the process of setting up Home Assistant, I've stumbled across several new open-source projects that have really just blown my mind. One of them is Node-RED, which is an amazing visual development tool for programming event- and API-based automations. Node-RED has an entire community of integrations that you can use to configure complex flows.

Another gem that has turned up is Tailscale, which is an ingenious solution to the problem of setting up and configuring WireGuard among a larger set of devices. I've always been cobbling together VPNs, and this is the cleanest implementation of a mesh VPN that I've ever seen. It also seems to be pretty secure, in that the private keys never leave the devices and you get MFA through Google or Apple login integration. I'm still learning here, but I hope to have yet another blog post about Tailscale in the future.

Let me know in the comments about your experiences and lessons learned with home automation.

Cheers!

Friday, July 13, 2018

Enabling DNSSEC on Cloudflare and Godaddy

In my previous post, I talked about how you can set up a local DNS resolver using a Raspberry Pi and how that device can use DNSSEC to validate the integrity of domain records as they pass across the internet. In this post, I would like to share my experience configuring randomhack.com's DNS provider and registrar to support the feature.

As you can see from the short video, the process is relatively straightforward. Cloudflare.com does a pretty good job of making the setup easy. If I have time over the weekend I'll run through the same process on my Google Cloud DNS to compare.

Thursday, July 5, 2018

Secure your DNS with DNS over HTTPS and CloudFlare

So I recently set up a spare Raspberry Pi at my house to act as a local DNS server which blocks requests based on ad-lists and rules. The software that does this is called, appropriately, Pi-Hole and is fully open source. This has been great because it works across all devices on the network without having to install ad-blockers on each device.

After running this setup for a while with the standard Google Public DNS servers at 8.8.8.8, I found an article about a new public DNS service hosted by Cloudflare on 1.1.1.1, which is a much faster server. Instead of responses in the 30-50ms range, the Cloudflare DNS server typically resolves hosts in around 11-20ms, or almost twice as fast!

In addition to changing the Pi-Hole software to use this DNS resolver, I read that the Cloudflare DNS server also offers DNS over HTTPS. (Google also offers this service.) This is great because normal DNS queries are sent unencrypted, meaning anyone on the network between you and the resolver can eavesdrop on your requests and log which sites and services you are visiting with minimal effort. In addition, some Internet Service Providers have even gone so far as to modify the DNS responses for some sites in order to inject ads into your browsing experience!! (pure evil, IMHO)

In order to protect against this type of hijacking and eavesdropping, you can encrypt your DNS requests and send them over HTTPS, the same protocol that protects secure websites like your bank's from being intercepted and read while they travel over the internet.

The guide that I used for configuring the DNS over HTTPS proxy can be found here:

https://bendews.com/posts/implement-dns-over-https/

Another benefit of using Pi-Hole is that it supports DNSSEC, which everyone should be using. DNSSEC adds signature verification so that records tampered with in transit are detected and rejected. It's an extra layer of protection on top of DNS over HTTPS (DoH encrypts the path to the resolver; DNSSEC verifies the records themselves), and it's supported by Pi-Hole. (Just make sure to turn it on, as it's off by default!)
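To make the two ideas above concrete, here is a small added example of my own (not code from the bendews.com guide or from Pi-Hole): it builds a DNS query in the RFC 8484 GET form that a DoH client sends over HTTPS, and it reads the AD (Authenticated Data) flag from a response header, which is how you can confirm that your resolver really is validating DNSSEC once you've turned it on. The Cloudflare endpoint URL is the public one; the two sample responses are constructed headers, not captured traffic.

```python
import base64
import struct

# Builds a minimal DNS wire-format query (one question, class IN, RD set),
# exactly what a stub resolver hands to the transport, DoH or plain UDP.
def build_query(name, qtype=1, txid=0x1234):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

# RFC 8484 GET form: the raw query, base64url-encoded with padding stripped,
# travels in the "dns" parameter of an HTTPS request, so on the wire an
# observer sees only TLS to the resolver, not the name being looked up.
def doh_get_url(query, endpoint="https://cloudflare-dns.com/dns-query"):
    param = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={param}"

# Decodes the header flags of a DNS response. A validating resolver sets AD
# only when the DNSSEC chain for the answer checked out.
def parse_flags(response):
    txid, flags = struct.unpack("!HH", response[:4])
    return {
        "id": txid,
        "qr": bool((flags >> 15) & 1),
        "ra": bool((flags >> 7) & 1),
        "ad": bool((flags >> 5) & 1),
        "rcode": flags & 0xF,
    }

# True only for a successful answer the resolver marked as authenticated.
def dnssec_validated(response):
    f = parse_flags(response)
    return f["qr"] and f["rcode"] == 0 and f["ad"]

# Constructed sample response headers (flags are all we need to inspect):
# 0x81A0 = QR, RD, RA, AD set -> the resolver validated the answer.
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
# 0x8180 = QR, RD, RA, no AD -> answered, but DNSSEC validation is off.
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
```

Against a real resolver the same check is `dig +dnssec randomhack.com` and looking for `ad` in the flags line; an answer with no AD bit from your Pi-Hole means validation is still disabled.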

Thursday, May 24, 2018

OpenStack Summit 2018 - Encrypt your Volumes with Barbican

Sorry for the lack of updates!

I had the privilege today to present at the 2018 OpenStack Summit in Vancouver. Thanks to everyone who was able to make it out to see the session, and thanks to all the folks who made it possible.

Here is the slide deck on SlideShare, and the recording of the talk can be found here:  https://www.openstack.org/videos/vancouver-2018/encrypt-your-volumes-with-barbican

Also, the videos I created for setting up your own OpenStack Queens PoC with Barbican can be found here:

Part 1: (Deploying PackStack All-In-One OpenStack Controller)
Part 2: (Deploying the Barbican API)

Monday, May 8, 2017

OpenStack Summit 2017 - Monday Keynotes

Remotely Managed Clouds
  • About 30 public cloud providers running OpenStack
PaaS Tools Running Today
  1. Kubernetes (45%)
  2. Openshift (17%)
  3. Cloudfoundry (17%)
GE Healthcare Enterprise Applications
Keys to cloud success
  • Everyone must be at the table 
  • No is not an option (problem solvers)
  • Target the impossible

200+ controls supporting security & compliance since 2015

Remotely Managed Requirements
  • need to access internal applications
  • Secure platform to host private or sensitive data
  • Reuse automation for compliance and cost

Private CaaS Benefits
  • Reuse enabled our speed to implement and manage environment
  • Seamless interaction with our provider
  • OpenStack allows us to tailor solution
  • Open source = no vendor lock-in

Edge Computing

Use Cases:
  • Oil Rigs
  • Manufacturing
  • Self-Driving Cars

Verizon
  • Unified management across the network
  • Ability to move workloads between edge and core
  • Seamless customer experience
  • Flexible toolset delivers new services quickly
  • Vendor release coordination

Built Hosted Network Service Platform - Cloud in a box
 (impressive demo)

US Army Cyber School
  • Trains 500 students annually in problem solving within the Cyber domain
  • Using GitHub flow, changed deployment time from 12-18 months to 12-18 hours

IaaS: Broadband Handrail (BB-H)
  • Global, secure access for individual skills training
  • Courseware updated on demand by instructors
  • IaaS + Automation + CM + DevOps + Everything-as-code

(demo of CI pipeline)

Mirantis
(fun comic book video)

  • Managed Open Cloud must be built following the vertical design pattern of public clouds
  • Must be maintained on a continuous, synchronized cycle with all components (vertically)
  • Must be delivered as-a-service to force the focus on solving the right customer problems

Announcement:  New global partnership with Fujitsu

DirecTV & AT&T Entertainment Group
(violence, your way) -dstaffel
  • Some confusing slides for Next Gen Video Platform (photo)
Using OpenStack (Mitaka) for:
  • Content Processing
    • Encode
    • Encryption
  • Business Applications
  • Content Ingest

Today:
  • Using Heat Templates for CI/CD
  • K8S / Docker
  • Microservices
  • Hybrid Cloud

Future:
  • Containers / Bare metal
  • Function as a Service
  • Serverless Computing
  • More K8S
  • Seamless Hybrid Clouds

(application demo) - on Apple TV

Containers

eBay (multicloud)

Cloud Stats (as of Q1-2017)
  • 167k VMs
  • 13PB Storage
  • 68k managed bare-metal servers (BMs)
  • 95% traffic on cloud
  • 4k applications
  • 100B URLs per day

Why Kubernetes?
  • App centric
  • open source
  • container support
  • model driven
  • declarative
  • active community
  • sophisticated scheduling
  • geo federation (multi-datacenter)

Kubernetes today at eBay:
  • 22k cores
  • 6 availability zones
  • 178 apps
  • 4.2k pods
  • Support for bare metal, GPUs, VMs
  • Powered by OpenStack

Some workloads:
  • AI Platform
  • Elastic Search
  • Edge Services Stack
  • Kafka
  • Network Automation
  • Distributed NoSQL

Some challenges:
  • Multi Tenancy
  • Logging & Monitoring Integration
  • Application LCM
  • Application Security
  • High Availability
  • App CMDB Model
  • OpenStack, Compute, Storage, Network Integration
  • Security Standards
  • Container Registry

Introducing: TessMaster
  • Full lifecycle management of Kubernetes clusters across multiple providers (on OpenStack)
    • Model Driven
    • Declarative
    • Built on the Same Principles as K8s
    • Closed Loop
    • State Aware
    • Self Healing
    • Drift Proof


(tess.io live demo)

  • Designed to be Multi Provider
  • Currently implemented for VirtualBox and OpenStack
  • Open source in the next few months

Q&A with Jim Whitehurst (CEO, Red Hat)
  • Before Red Hat he was COO at Delta Airlines
  • Much more open culture at Red Hat
  • Originally Red Hat was a Xen developer, but Xen fragmented into many flavors
  • Switched to KVM because it has a single open upstream community

Red Hat

Data from the OpenStack User Survey:
  • 66% of OpenStack deployments are in production

Top 3 reasons orgs use OpenStack:
  1. Avoid Vendor Lock In
  2. Accelerate Innovation
  3. Increase Operational Efficiency


Neutron: ML2 plugin for OVS with OVN edge agents
Production Deployment: TripleO and Heat

Daniela Rus
Director of the Computer Science and AI Laboratory

Friday, December 2, 2016

New Official Plex Plugin for Kodi Available

Plex announced a few days ago that they are releasing a fully supported plugin for Kodi. This is great and also kind of funny, because they both spawned from the same open source roots. Over 10 years ago now, those of us with modded Xbox consoles were happy to use Xbox Media Center (XBMC) as an app to turn our game consoles into very powerful media players. The project became so popular that XBMC was ported to Linux and other operating systems. They actually kept the XBMC name for a while, until recently changing the name to Kodi.

Kodi has become more popular in the past few years for nefarious reasons, as it is also a popular platform for streaming pirated content from the internet. In addition to Kodi's many features as a media player, Kodi can provide a pretty front end for many advanced add-ons written in Python. Many people have written specialized add-ons that scrape internet sources for file-sharing sites that host copies of pirated television and movies. These sites are often filled with malware and ads and are dangerous to use directly. The add-on developers have basically done all of the dirty work for you so that you can easily search and stream from these online sources. That's all well and good, but anyone who has used these add-ons will tell you that the scraping process is extremely slow and many of the streams are sub-par quality, with subtitles in other languages often burned into your videos.

Why would you want to run Plex within Kodi? Isn't that superfluous, since they are both basically media players? One reason is to use Kodi's built-in AirPlay server to stream content from your Apple devices while watching a movie in Plex. Another is the vast array of customization that Kodi allows within its interface. You also might be a Python developer and want the ability to program your own custom add-ons. Now you don't have to close Kodi in order to run Plex. It's definitely a welcome change, and I would consider it a win-win for both Plex and Kodi users.

Friday, November 18, 2016

Cheap and Free DNS Hosting (updated)

Google Cloud DNS

So a few months ago I decided to stop paying over $25 a year for DNS hosting from my old provider, DynDNS, and move to something a little cheaper. The first place I chose to look was Google hosted DNS. This Google Cloud DNS service runs on Google Compute Engine and was immensely cheap at $0.60 per month.

Update: Google Cloud DNS is also well positioned to handle DDoS attacks with their massive infrastructure. Depending on the size of the attack (number of queries), you may be charged a bit extra for absorbing all of that traffic. Although, judging from these very low costs per BILLION hits, I don't think it would be much of a worry. Also, for the security-conscious administrators out there, Cloud DNS has Alpha support for DNSSEC, signed with the industry-standard RSA algorithm. You can sign up for the Alpha here: https://groups.google.com/d/msg/cloud-dns-discuss/WXNHtB9W0bg/5xf6RXLdCQAJ


Cloudflare Managed DNS

Then this week I found out about Cloudflare. I've heard of them and seen in the news how they can protect websites from DDoS attacks. I thought it was just a gateway of some sort. Now that I have visited their site I am a little more informed. Not only are they a managed DNS provider, but they are a global CDN with many security and optimization features. Best of all, they have a free tier that includes managed DNS and a handful of their most popular services. I really dig the fact that I was given a free, auto-renewing wildcard SSL certificate for my site. Check them out if you're looking for a free and feature-packed option.

Update: Cloudflare also supports DNSSEC using ECDSA and NSEC "white lies". I hear through the grapevine that this works most of the time, but some resolvers might not support this method. It should definitely be taken into consideration before rolling DNSSEC into production.

I also dug a little deeper into the limitations of the free DDoS protection for your website. They are a little vague as to the specifics, saying "Basic DDoS protection is limited in our Free and Pro plans, and based on the attack's disturbance to our network." So who knows what the limit is!