Daniel Messer dmesser

@dmesser
dmesser / ubi-micro-openssl.md
Last active November 6, 2025 22:01
Building security scanner-friendly UBI micro-based container images with FIPS-140 compliant OpenSSL

If you want to use Red Hat Universal Base Image (UBI) micro variants to package your software with dependencies available as Red Hat RPMs, and you need Red Hat's OpenSSL to support FIPS-140, the following approach installs the correct OpenSSL module and keeps the RPM database accurate, so that vulnerability scanners (which depend on this database) grade your image correctly:

  1. Use a multi-stage Dockerfile / Containerfile
  2. In the first stage, build your software with any RPM-based build time dependencies using regular UBI or builder images
  3. In the second stage, copy your software artifacts into a UBI micro image using COPY --from=...
  4. In the third stage, to install any RPM-based runtime dependencies using a regular UBI image, copy the root filesystem of the second stage into a directory like /mnt/rootfs and then install any needed RPMs using `dnf --installroot=/
@dmesser
dmesser / clusterserviceversion.yaml
Created February 26, 2020 17:11
A loose spec for structured visual metadata of Operators
/* cSpell:disable */
---
apiVersion: operators.coreos.com/v1alpha1
kind: ClusterServiceVersion
metadata:
  annotations:
  name: mongodb-enterprise.v1.4.2
  namespace: placeholder
spec:
  description:

Warning

The below currently does not work on Raspbian Buster Lite (Debian 10). The kernel has been compiled without CONFIG_CFS_BANDWIDTH and pods will fail to spawn due to runc trying to write into cpu.cfs_period_us in the cgroup of the pod. This file does not exist and trying to create it yields permission denied.

Example:

open /sys/fs/cgroup/cpu,cpuacct/kubepods.slice/kubepods-besteffort.slice/kubepods-besteffort-pod3a1fe9eafc113856b2d4d409800ef99f.slice/crio-211c0bcc45f43e085415cff3736e38a552ee92657d879d4235f02a7d4dee097f.scope/cpu.cfs_period_us: permission denied

What is this about?

@dmesser
dmesser / standalone-kubelet-fc31.md
Last active March 5, 2023 13:10
Standalone Kubelet on Fedora 31

What is this about?

This gist describes how to set up standalone kubelet + CRI-O + CNI on Fedora Core 31. The goal is to place a Kubernetes Pod manifest on a single node and access the application from the network. This guide has been tested on x86-64 and armv7 deployments.

Prepare the system

Make sure the system is up to date:

dnf -y update

@dmesser
dmesser / hosts
Created January 11, 2018 23:20
openshift-ansible inventory file
[OSEv3:children]
masters
nodes
[OSEv3:vars]
deployment_type=openshift-enterprise
containerized=true
openshift_image_tag=v3.7.14
openshift_master_identity_providers=[{'name': 'htpasswd', 'login': 'true', 'challenge': 'true', 'kind': 'HTPasswdPasswordIdentityProvider', 'filename': '/etc/origin/master/htpasswd'}]
openshift_master_htpasswd_users={'developer': '$apr1$bKWroIXS$/xjq07zVg9XtH6/VKuh6r/','operator': '$apr1$bKWroIXS$/xjq07zVg9XtH6/VKuh6r/'}