2024 is going to be the year of frenzied elections with no preparation
(Justin)
Tech nerd from Sweden
I’m using IPv6 on Kubernetes and it’s amazing. Every Pod has its own global IP address. There is no NAT and no giant ARP routing table slowing down the other computers on my network. Each of my nodes announces a /112 for itself to my router, allowing it to give addresses to over 65k pods. There is no feasible limit to the number of IP addresses I could assign to my containers and load balancers, and no routing overhead. I have no need for port forwarding on my router or worrying about dynamic IPs, since I just have a /80 block with no firewall that I assign to my public-facing load balancers.
Of course, I only have around 300 pods on my cluster, and realistically, it’s not really possible for there to be over 1 million containers in current kubernetes clusters, due to other limitations. But it is still a huge upgrade in reducing overhead and complexity, and increasing scale.
I haven’t really looked into it, but it doesn’t seem like it.
Here’s the documentation about having multiple CIDR pools in one cluster with the Cilium network driver, and it seems to imply that each Pod only gets one IP.
https://docs.cilium.io/en/stable/network/concepts/ipam/multi-pool/
There’s something called Multus that I haven’t looked into, but even then it looks like that is for multiple interfaces per Pod, not multiple IPs per interface.
https://github.com/k8snetworkplumbingwg/multus-cni
Containers are just network namespaces on Linux, and all the routing is done in iptables or ebpf, so it’s theoretically possible to have multiple IP addresses, but doesn’t look like anybody has started implementing it. There’s actually a lot of Kubernetes clusters that just use stateful IPv6 NAT for the internal Pod network, unfortunately.
They block IPv6 tunnels too.
Yeah, I wonder if there are any proposals to allow for multiple IPv6 addresses in Kubernetes; it would be a much better solution than NAT.
As far as I know, it’s currently not possible. Every container/Pod receives a single IPv4 and/or IPv6 address on creation from the networking driver.
I’ve been using sudo-rs as a drop-in replacement for sudo, it works well. The codebase is like 1/5 of the size, it drops some of the crazier features of sudo, has extremely minimal dependencies, and it’s all written in memory-safe Rust. NixOS also has an option for setting the sudo binary to be executable by wheel only, so the attack surface is very small.
https://www.memorysafety.org/initiative/sudo-su/
https://github.com/memorysafety/sudo-rs
https://search.nixos.org/options?channel=24.05&size=50&sort=relevance&type=packages&query=sudo-rs
I have static IPs for my Kubernetes nodes, and I actually use DHCPv6 for dynamic DNS so I can reach any device with a hostname, even though most of my devices don’t have static IPs.
The issue is those static IPs are tied to my current ISP, preventing me from changing ISPs without deleting my entire Kubernetes cluster.
Hurricane Electric gives me a /48.
Site-local IPv6 would work here as well, true. But then my containers wouldn’t have internet access. Kubernetes containers use IPAM with a single subnet; they can’t use SLAAC.
1:1 stateless NAT is useful for static IPs. Since all your addresses are otherwise global, if you need to switch providers or give up your /64, then you’ll need to re-address your static addresses. Instead, you can give your machines static private IPs, and just translate the prefix when going through NAT. It’s a lot less horrible than IPv4 NAT since there’s no connection tracking needed.
This is something I probably should have done setting up my home Kubernetes cluster. My current IPv6 prefix is from Hurricane Electric, and if my ISP ever gives me a real IPv6 prefix, I will have to delete the entire cluster and recreate it with the new prefix.
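The stateless 1:1 NAT described two comments up is what RFC 6296 calls NPTv6: the prefix is rewritten and one 16-bit word is adjusted so the one's complement sum of the address, and hence every transport checksum that covers it, stays the same, which is why no connection tracking is needed. The following is an added example, not code from the thread: the ULA prefix fd00:abcd:1::/48 and the provider prefix 2001:db8:5::/48 are constructed, and it covers only equal-length prefixes of /48 or shorter.

```python
"""Stateless 1:1 IPv6 prefix translation (NPTv6, RFC 6296): rewrite the /48 and
adjust one 16-bit word so the one's complement sum of the address, and therefore
every TCP/UDP checksum covering it, is unchanged. No connection table is needed:
each direction is a pure function of the address. Added example with constructed
prefixes: fd00:abcd:1::/48 (a ULA) inside, 2001:db8:5::/48 as the provider prefix."""
import ipaddress

INTERNAL = ipaddress.ip_network("fd00:abcd:1::/48")  # constructed: stable ULA for the cluster
EXTERNAL = ipaddress.ip_network("2001:db8:5::/48")   # constructed: whatever the ISP hands out


def _ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def _ones_sum(words):
    total = 0
    for w in words:
        total = _ones_add(total, w)
    return total


def _words(addr):
    """Eight 16-bit words of an IPv6 address, most significant first."""
    n = int(addr)
    return [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]


def _from_words(words):
    n = 0
    for w in words:
        n = (n << 16) | w
    return ipaddress.IPv6Address(n)


def checksum_sum(addr):
    """One's complement sum over all eight words; equal before and after translation."""
    return _ones_sum(_words(ipaddress.IPv6Address(addr)))


def translate(addr, src_net, dst_net):
    """Map addr from src_net to dst_net. Handles equal-length prefixes that are a
    multiple of 16 bits and at most /48, so the adjustment always lands in word 3
    (bits 48-63, the subnet field) as in RFC 6296 section 3.1."""
    plen = src_net.prefixlen
    if plen != dst_net.prefixlen or plen % 16 or plen > 48:
        raise ValueError("example supports equal /16, /32 or /48 prefixes")
    addr = ipaddress.IPv6Address(addr)
    if addr not in src_net:
        raise ValueError(f"{addr} is not inside {src_net}")
    n = plen // 16
    w_in = _words(addr)
    if w_in[3] == 0xFFFF:
        # A subnet field of 0xFFFF is excluded from translation by RFC 6296.
        raise ValueError("subnet field 0xFFFF cannot be translated")
    w_out = _words(dst_net.network_address)[:n] + w_in[n:]
    # delta = sum(old prefix words) - sum(new prefix words), in one's complement
    delta = _ones_add(_ones_sum(w_in[:n]), 0xFFFF ^ _ones_sum(w_out[:n]))
    w_out[3] = _ones_add(w_in[3], delta)
    if w_out[3] == 0xFFFF:
        w_out[3] = 0  # 0xFFFF and 0x0000 are the same value in one's complement; normalise
    return _from_words(w_out)


if __name__ == "__main__":
    inside = "fd00:abcd:1:7::10"
    outside = translate(inside, INTERNAL, EXTERNAL)
    back = translate(outside, EXTERNAL, INTERNAL)
    print(f"{inside} -> {outside} -> {back}")
    print("checksum-neutral:", checksum_sum(inside) == checksum_sum(outside))
```

Note that the subnet field changes on the outside (here 7 becomes 7b18), so external DNS records must carry the translated addresses; swapping providers then means changing EXTERNAL and the DNS, not re-addressing the cluster.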
I’m pretty sure Swedish engineers have studied this extensively. There’s plenty of streets in the cities that ban studded tires, and there’s harsh fines if you use studded tires outside of winter.
Entire Floridian cities will be lost this hurricane season.
It is illegal in Europe, but not widely enforced.
These days the machines used to etch chips (flash light onto the chips to carve them out) are mostly made by ASML. The most modern machines are the ASML Twinscan NXE and Twinscan EXE. The raw silicon is coated with different chemicals that react to light, and when the light patterns are flashed onto the silicon, it carves physical arrangements of atoms on the silicon that form complex electrical circuits.
CPUs were literally drawn by hand, and then the drawing was shrunk down with a magnifying glass back in the day. Programs could be written into electrical memory with physical switches (think 100 light switches), punch cards, or electric typewriters. You could pause the computer so that it would wait for you to type in the next program for it to run. By the time we had kernels, we already had large memory banks in the kilobytes that could store the OS between program runs. So you’d type in the OS once when you turned on the computer, and it would keep it in memory until you turned the computer off again.
The internet is different computers connected together. This website is just data sitting on a server somewhere, and your computer connects to the server over the internet and asks for the data.
Everything is built on the shoulders of giants. There is plenty to learn, but there will always be something you don’t know.
There’s tons of information online if you know where to look. There’s also some good courses out there to understand more specific things like cpu design, networking, programming, etc. In university these sorts of questions fall into the field of Computer Engineering, if you’re looking for a university program to get into.
With regards to the limits of programming: Making websites is already challenging enough, but the cutting edge can be rewarding too :) Software Engineering is a massive field with infinite opportunities. Start small and work your way towards more complex projects with larger teams.
Here’s a good 20 minute video about the history of making microchips: https://youtu.be/Pt9NEnWmyMo
No shit. These machines are as advanced as a nuclear power plant, they’re gonna have a bit more proprietary software and security protocols than you’d think. Not as simple as just pressing “start” with these machines.
I wonder if asianometry will do a video about the software on ASML machines sometime.
Definitely! If your VPN keeps logs, is in a surveillance-friendly jurisdiction, etc, then details of your internet traffic can be revealed by your VPN. I recommend Mullvad, paid with cash, for the most security. It can also help to pick VPN servers outside of the most egregious jurisdictions, like picking EU servers over US or HK servers.
DoH is meant to hide your internet activity from your ISP/cell-provider since DNS is otherwise unencrypted. If you trust your VPN, then you can trust unencrypted DNS.
The first step in security is to answer who you’re defending against. Someone stealing your phone? A cop with a STINGRAY device? All the security decisions you make are based on your initial threat model.
Generally, home internet, wifi, and cellular data are considered safe against passers-by (assuming your wifi password is strong). However, they are also assumed to be eavesdropped on by your ISP and government. Details of your internet traffic can then also be revealed by your ISP to other people during legal action, such as if you’re being investigated for piracy.
There are ways to further protect your internet traffic from being snooped on, even from your ISP and government, by using things like HTTPS, DNS over HTTPS, and of course, VPNs.
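The comments above turn on one fact: a classic DNS query goes out in cleartext, so whoever sits on the path (ISP, hotspot, cell provider) reads the hostname directly, and DoH only hides it by wrapping the same message in TLS. As an added example, not from the thread, here is a parser for the DNS wire format that recovers exactly what such an observer sees; both sample messages are constructed in the code rather than captured.

```python
"""Parse a wire-format DNS message and recover the queried name, i.e. exactly
what an ISP or hotspot operator sees when DNS is not wrapped in DoH/DoT.
Added example; both packets below are constructed here, not captured traffic."""
import struct

QTYPE_NAMES = {1: "A", 28: "AAAA"}


def build_query(qname, qtype=1, txid=0x1234):
    """Build a minimal recursive query with one question (sample input only)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    name = b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split("."))
    return header + name + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed message whose question name uses a compression pointer:
# "www" then a pointer (0xC016) to offset 22 where "example.net" is stored.
COMPRESSED_SAMPLE = (
    struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0)
    + b"\x03www\xc0\x16" + struct.pack("!HH", 28, 1)
    + b"\x07example\x03net\x00"
)


def parse_question(packet):
    """Return (txid, qname, qtype) for the first question.
    Follows RFC 1035 compression pointers with a hop limit so a crafted
    packet with a pointer loop cannot spin the parser forever."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, _flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount == 0:
        raise ValueError("no question section")
    labels, offset, hops, after_name = [], 12, 0, None
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if (length & 0xC0) == 0xC0:              # 11xxxxxx: compression pointer
            if offset + 2 > len(packet):
                raise ValueError("truncated pointer")
            if after_name is None:               # question continues after the pointer
                after_name = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        if length > 63:
            raise ValueError("label too long")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    if after_name is None:
        after_name = offset
    if after_name + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", packet[after_name:after_name + 4])
    return txid, ".".join(labels), qtype


if __name__ == "__main__":
    for pkt in (build_query("lemmy.world"), COMPRESSED_SAMPLE):
        txid, name, qtype = parse_question(pkt)
        print(f"txid=0x{txid:04x} {name} {QTYPE_NAMES.get(qtype, qtype)}")
```

Point the parser at the UDP payload of any port-53 capture and the names fall out without a key; with DoH or DoT the observer gets a TLS session to a resolver and nothing else, which is the entire difference the comments describe.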
RCV will end the two-party system. France uses runoffs and they have more than two parties.
That said, I’m partial to the systems in Sweden and Germany, plenty of options to choose from.