Hacker News: paulfurtado

New comment by paulfurtado in "AWS Adds support for nested virtualization"

paulfurtado — Fri, 13 Feb 2026 01:19:04 +0000

It is great for isolation. There are so many VM based containerization solutions at this point, like Kata Containers, gvisor, and Firecracker. With kata, your kubernetes pods run in isolated VMs. It also opens the door for live migration of apps between ec2 instances, making some kinds of maintenance easier when you have persistent workloads. Even if not for security, there are so many ways a workload can break a machine such that you need to reboot or replace (like detaching an ebs volume with a mounted xfs filesystem at the wrong moment).

The place I've probably wanted it the most though is in CI/CD systems: it's always been annoying to build and test system images in EC2 in a generic way.

It also allows for running other third party appliances unmodified in EC2.

But also, almost every other execution environment offers this: GCP, VMWare, KVM, etc, so it's frustrating that EC2 has only offered it on their bare metal instance types. When ec2 was using xen 10+ years ago, it made sense, but they've been on kvm since the inception of nitro.

New comment by paulfurtado in "Xiaomi Home Integration for Home Assistant"

paulfurtado — Tue, 17 Dec 2024 00:06:02 +0000

The benefit of docker for home assistant is the packaging of it, rather than isolation. You can always run a container with host network mode and privileged mode so that it can access everything it needs to the same as if it were running directly on the host.

New comment by paulfurtado in "Deploying fiber in the home"

paulfurtado — Mon, 04 Mar 2024 21:01:44 +0000

You don't need a fiber splicer for this. You can order a pre-terminated fiber cable online.

On fs.com you can order fiber in custom lengths. An armored pre-terminated 350ft OS2 duplex cable costs $128: https://www.fs.com/products/20720.html Non-armored would be as cheap as $40: https://www.fs.com/products/50147.html?attribute=58053&id=17...

If you don't have a conduit, you can buy direct-burial cable. Two strands at 350 feet would be $590: https://www.lanshack.com/2-Strand-CustomLine-Corning-ALTOS-O... 6 strands at 350 feet would be $687: https://www.lanshack.com/6-Strand-CustomLine-Corning-ALTOS-O...

If you have some extra length, just coil it somewhere in the wall and don't bother splicing or re-terminating it. You can also use keystone jacks or couplers at both ends too so you have flexibility later without re-running it through the conduit.

New comment by paulfurtado in "Deploying fiber in the home"

paulfurtado — Mon, 04 Mar 2024 18:02:41 +0000

I used the VLAN "trick" for connecting my cable modem to my router for a few years in an old multi-floor apartment with pre-wired ethernet, but it's not ideal because the router is then not able to detect the link state of the modem. For example, if you unplug a cable modem and plug it back in, normally the link would go down on the router and then come back up, and when the link returns the router will attempt to fetch a new DHCP lease.

If you have a static IP, it should be fine, but this became an annoyance the couple of times the IP changed when I was living there.

New comment by paulfurtado in "Reaching the Unix philosophy's logical extreme with WebAssembly"

paulfurtado — Tue, 29 Aug 2023 03:04:43 +0000

This is of course not the purpose of your post, but since you're interested in this topic, I wanted to mention that you can now create memory-backed files on linux using the memfd_create syscall without using any filesystem (nor unlink) and you can also execute them without the /proc/self/fd trick by using the execveat syscall. In glibc, there is fexecve which uses execveat or falls back to the /proc trick on older kernels.

New comment by paulfurtado in "Unbounded memory usage by Linux TCP for receive buffers, and how we fixed it"

paulfurtado — Tue, 30 May 2023 02:57:50 +0000

Do you have any references to specific bugs here? We depend pretty heavily on containers and I'd love to look into these and see if we are impacted and whether we should carry these patches

New comment by paulfurtado in "I replaced grub with systemd-boot"

paulfurtado — Thu, 16 Feb 2023 21:38:01 +0000

FWIW on AWS, all nitro instance types can boot as UEFI if the AMI has itself set to use UEFI and all arm64 instances only support UEFI. So if you stick to modern instance types, you can happily use UEFI in AWS.

GCP looks like it does UEFI too. And Azure Gen2 instances use UEFI too.

New comment by paulfurtado in "Can I exec a new process without an executable file? (2015)"

paulfurtado — Fri, 04 Nov 2022 23:18:01 +0000

memfd is a tmpfs file descriptor, but does not use any mounted tmpfs filesystem. It works no matter what filesystems are mounted or access you have.

It's truly great for situations where APIs refuse to take anything other than files and you don't worry about cleanup. Ex: loading certs from memory into a python openssl context.

New comment by paulfurtado in "Show HN: SadServers – Test your Linux troubleshooting skills"

paulfurtado — Wed, 26 Oct 2022 23:21:51 +0000

If the goal of the test is to debug a sad linux server, containers are going to severely limit what ways the server can be sad in, isn't it?

New comment by paulfurtado in "Show HN: SadServers – Test your Linux troubleshooting skills"

paulfurtado — Wed, 26 Oct 2022 23:19:06 +0000

User namespaces have resulted in multiple new container breakout CVEs in the last year. Some guides actually recommend disabling user namespaces because they are still somewhat new and perilous.

New comment by paulfurtado in "Kubernetes Hardening Guidance [pdf]"

paulfurtado — Wed, 05 Oct 2022 23:56:02 +0000

If you use cri-o as the runtime along with an openshift container registry, it will actually verify signatures at the runtime layer. In addition to crio, podman and anything based on containers/image supports this too.

Really that just means a registry that sends back a header indicating it supports signatures and serves up the right signature endpoints. It's shocking this isn't more common.

But if you just want to check signatures at the cluster's point of entry, you can use an admission controller to block the pods from being created with unsigned images.

New comment by paulfurtado in "When Every Ketchup but One Went Extinct"

paulfurtado — Fri, 09 Sep 2022 07:19:46 +0000

Are you from the US or another country? Heinz uses different ketchup recipes in different countries and I personally think there is a huge difference. In the US, it is by far the best ketchup, but I hate the heinz in Canada.

https://www.livingabroadincanada.com/2009/05/13/why-does-ket...

New comment by paulfurtado in "Why Xen Wasn't Hit by RETBleed on Intel CPUs"

paulfurtado — Sat, 27 Aug 2022 05:20:25 +0000

Since 2017, all new aws instance types have been "nitro", which is based on kvm https://www.brendangregg.com/blog/2017-11-29/aws-ec2-virtual...

AWS does continue to support older instance types, however, but only legacy workloads are using them. They actually now even run the XEN based legacy instance types on nitro. https://perspectives.mvdirona.com/2021/11/xen-on-nitro-aws-n...

New comment by paulfurtado in "How Discord supercharges network disks for extreme low latency"

paulfurtado — Tue, 16 Aug 2022 13:49:32 +0000

When standard filesystems like ext4 and xfs hit enough io errors,they unmount the filesystem. I find that this happens pretty reliably in AWS at least and I can't imagine the filesystem possibly continuing to do very much when 100% of the underlying data has disappeared.

That said, from further reading of the GCP docs, it does sound like if they detect a disk failure they will reboot the VM as part of the not-so-live migration.

New comment by paulfurtado in "How Discord supercharges network disks for extreme low latency"

paulfurtado — Tue, 16 Aug 2022 05:05:52 +0000

Yes, under a graceful live migration with no hardware failure, the data is seamlessly moved to a new machine. The problem of moving local data is ultimately no different that live migrating the actual RAM in the machine. The performance does degrade briefly during the migration, but typically this is a very short time window.

You can read more about GCP live migrations here: https://cloud.google.com/compute/docs/instances/live-migrati...

New comment by paulfurtado in "Scaling Kubernetes to Thousands of CRDs"

paulfurtado — Tue, 16 Aug 2022 04:49:00 +0000

I can actually say that not supporting this really does hinder crossplane adoption. At work we operate large shared kubernetes clusters. A team attempted to use crossplane and we immediately had to remove it from our clusters immediately because it made kubectl and a variety of other tools completely unusable due to all the rate limiting and how frequently it refreshes cached discovery data. They wanted to use crossplane for like 10-20 of its supported object types. Instead, they had to actually run crossplane inside of a vcluster because there is no option to filter the number of CRDs it creates.

So while I can get behind this sentiment philosophically, until something changes upstream in kubernetes, this makes it really difficult to use crossplane in a cluster used for anything else and it probably makes sense to offer a workaround until then. Also, in practice, any security conscious users running crossplane in production are probably going to give it AWS credentials scoped to only the resources they want to allow it to manage, so even if you do install all of the CRDs in the cluster, 90% of them won't work due to their AWS credentials anyway.

New comment by paulfurtado in "My network home setup v3.0"

paulfurtado — Tue, 16 Aug 2022 04:38:27 +0000

It's not exactly normal, but it's probably a common enough experience in the US with 120v circuits and 15A breakers. Especially if in an old building with imperfect wiring causing excess resistance.

Many devices also operate less efficiently in high heat. If the AC unit is on a circuit with other devices, it is possible that the influx current when starting the AC unit trips the breaker. One might even be able to get away with 2 AC units on a 15A breaker as long as both compressors never start at the exact same time, but cause a trip when then kick in together.

New comment by paulfurtado in "How Discord supercharges network disks for extreme low latency"

paulfurtado — Tue, 16 Aug 2022 04:11:00 +0000

The disks are physically attached to the host. The VM running on that host moves from one host to another. GCP live-migrates every single VM running on GCP roughly once per week, so live migration is definitely seamless. Standard OSS hypervisors support live migration.

When hardware fails, the instance is migrated to another machine and behaves like the power cord was ripped out. It's possible they go down this path for failed disks too, but it's feasible that it is implemented as the disk magically starting to work again but being empty.

You can read more about GCP live migrations here: https://cloud.google.com/compute/docs/instances/live-migrati...

New comment by paulfurtado in "How Discord supercharges network disks for extreme low latency"

paulfurtado — Tue, 16 Aug 2022 04:06:33 +0000

When a local disk fails in an instance, you end up with an empty disk upon live migration. The disk won't disappear, but you'll get IO errors, and then the IO errors will go away once the migration completes but your disk will be empty.

New comment by paulfurtado in "How Discord supercharges network disks for extreme low latency"

paulfurtado — Tue, 16 Aug 2022 04:01:51 +0000

Both GCP and AWS provide super fast and cheap, but fallible local storage. If running an HA database, the solution is to mitigate disk failures by clustering at the database level. I've never operated scylladb before, but it claims to support high-availability and various consistency levels so the normal way to deal with this problem is to use 3 servers with fast local storage and replace an entire server when the disk fails.