Setting up VPC endpoint for Amazon S3

By default, accessing S3 resources from any instance or Kubernetes pod within a VPC sends outbound traffic through a NAT gateway or an internet gateway (IGW). Not only is this less efficient, it also incurs a service fee for that traffic. The cost can be significant if the traffic volume is large.

Setup

To keep the traffic within the VPC, create an S3 access point for the specific S3 resources and a VPC endpoint for S3, following the general AWS instructions.

After that, double-check the policies in two places.

1. Policy for IAM

Go to AWS Console → IAM → Users. The user is supposed to be a service account that has the following policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ReplicateObject",
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": "*"
        }
    ]
}

As a security best practice, DO NOT grant Allow to all actions, i.e. "Action": ["*"].

2. Policy for the endpoint

Go to AWS Console → VPC → Endpoints → the endpoint → Policy:

{
    "Version": "2012-10-17",
    "Id": "Policy1637977229005",
    "Statement": [
        {
            "Sid": "Stmt1637977226759",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "*"
        }
    ]
}

This endpoint policy is less constrained than the user policy, because we want the user policy to be the one that is specific.
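As an added example (not code from the original post), the following Python script reviews the two policies above for wildcard grants and rewrites the user policy's Resource "*" so that the same actions apply only to one bucket and its access point. The bucket name, access point name, region and account number in it are placeholders, and the find_wildcards and scope_user_policy function names are my own. The endpoint policy is reported too, even though the post keeps it deliberately broad, so you can see exactly which fields are wide open.

```python
"""Review the page's two policies for wildcard grants and emit a scoped
version of the IAM user policy (added example, not from the post)."""
import copy
import json

# Placeholders standing in for the real values; these are assumptions.
REGION = "ap-southeast-1"
ACCOUNT = "123456789012"
BUCKET = "example-bucket"
ACCESS_POINT = "example-bucket"  # the post names the access point after the bucket

# The IAM user policy as shown on the page.
USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": ["s3:ReplicateObject", "s3:PutObject", "s3:GetObject",
                   "s3:ListBucket", "s3:DeleteObject"],
        "Resource": "*",
    }],
}

# The VPC endpoint policy as shown on the page.
ENDPOINT_POLICY = {
    "Version": "2012-10-17",
    "Id": "Policy1637977229005",
    "Statement": [{
        "Sid": "Stmt1637977226759",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": "*",
    }],
}

# Actions that apply to the bucket itself rather than to objects in it.
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket"}


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_wildcard(item):
    return isinstance(item, str) and (item == "*" or item.endswith(":*"))


def find_wildcards(policy):
    """Return (Sid, field) for each Allow statement whose Action, Resource
    or Principal is a bare '*' or a 'service:*' wildcard."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for field in ("Action", "Resource", "Principal"):
            if any(_is_wildcard(item) for item in _as_list(stmt.get(field))):
                findings.append((stmt.get("Sid"), field))
    return findings


def scope_user_policy(policy):
    """Split each Resource '*' statement into a bucket-level statement and an
    object-level statement, each limited to one bucket and its access point."""
    bucket_arns = [
        f"arn:aws:s3:::{BUCKET}",
        f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ACCESS_POINT}",
    ]
    object_arns = [
        f"arn:aws:s3:::{BUCKET}/*",
        f"arn:aws:s3:{REGION}:{ACCOUNT}:accesspoint/{ACCESS_POINT}/object/*",
    ]
    statements = []
    for stmt in policy["Statement"]:
        if _as_list(stmt.get("Resource")) != ["*"]:
            statements.append(copy.deepcopy(stmt))
            continue
        actions = _as_list(stmt["Action"])
        bucket_actions = [a for a in actions if a in BUCKET_LEVEL_ACTIONS]
        object_actions = [a for a in actions if a not in BUCKET_LEVEL_ACTIONS]
        sid = stmt.get("Sid", "Scoped")
        if bucket_actions:
            statements.append({"Sid": sid + "Bucket", "Effect": "Allow",
                               "Action": bucket_actions, "Resource": bucket_arns})
        if object_actions:
            statements.append({"Sid": sid + "Objects", "Effect": "Allow",
                               "Action": object_actions, "Resource": object_arns})
    return {"Version": policy["Version"], "Statement": statements}


if __name__ == "__main__":
    print("user policy wildcards:    ", find_wildcards(USER_POLICY))
    print("endpoint policy wildcards:", find_wildcards(ENDPOINT_POLICY))
    print(json.dumps(scope_user_policy(USER_POLICY), indent=4))
```

Run it directly to print the findings and the scoped policy as JSON. Bucket-level actions such as s3:ListBucket are placed on the bucket and access point ARNs, object-level actions on the /* and /object/* forms, which is how IAM distinguishes the two resource types.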

Finally, run traceroute s3.ap-southeast-1.amazonaws.com from any of the instances within the VPC to verify.

  • The following output shows it is successful:
$ traceroute s3.ap-southeast-1.amazonaws.com
traceroute to s3.ap-southeast-1.amazonaws.com (52.219.129.42), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
    ...
28  * * *
29  * * *
30  * * *
  • The following output shows traffic is still going through the NAT/IGW:
$ traceroute s3.ap-southeast-1.amazonaws.com
traceroute to s3.ap-southeast-1.amazonaws.com (52.219.40.74), 30 hops max, 60 byte packets
 1  ec2-175-41-128-191.ap-southeast-1.compute.amazonaws.com (175.41.128.191)  42.290 ms ec2-175-41-128-195.ap-southeast-1.compute.amazonaws.com (175.41.128.195)  3.103 ms ec2-18-141-171-23.ap-southeast-1.compute.amazonaws.com (18.141.171.23)  36.088 ms
 2  100.65.32.176 (100.65.32.176)  1.149 ms 100.65.32.160 (100.65.32.160)  1.132 ms 100.65.33.144 (100.65.33.144)  4.671 ms
 3  100.66.16.248 (100.66.16.248)  3.400 ms 100.66.16.26 (100.66.16.26)  8.787 ms 100.66.16.244 (100.66.16.244)  4.695 ms
 4  100.66.19.122 (100.66.19.122)  3.511 ms 100.66.19.204 (100.66.19.204)  17.491 ms 100.66.18.104 (100.66.18.104)  18.193 ms
 5  100.66.3.241 (100.66.3.241)  15.377 ms 100.66.3.137 (100.66.3.137)  154.101 ms 100.66.3.61 (100.66.3.61)  19.897 ms
 6  100.66.0.135 (100.66.0.135)  10.907 ms 100.66.0.165 (100.66.0.165)  9.064 ms 100.66.0.201 (100.66.0.201)  11.826 ms
 7  100.65.2.41 (100.65.2.41)  3.090 ms 100.65.3.41 (100.65.3.41)  2.821 ms 100.65.2.41 (100.65.2.41)  2.648 ms
 8  s3-ap-southeast-1.amazonaws.com (52.219.40.74)  0.518 ms  0.569 ms  0.578 ms
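Added example, not from the original post: a small Python parser for the two traceroute listings above that tells the all-timeouts case apart from the one that reaches the S3 front end through answering hops. The two sample outputs are reconstructed and shortened from the page; the function names are mine. All-timeouts is also what you see when ICMP time-exceeded replies are filtered, so treat it as consistent with the endpoint being used rather than as proof; the route in the VPC route table for the S3 prefix list pointing at the endpoint is the authoritative check.

```python
"""Classify traceroute output for the S3 endpoint check (added example)."""
import re

# Reconstructed (shortened) from the page's "successful" listing.
TRACE_ENDPOINT = """\
traceroute to s3.ap-southeast-1.amazonaws.com (52.219.129.42), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
28  * * *
29  * * *
30  * * *
"""

# Reconstructed (shortened) from the page's "still going through NAT/IGW" listing.
TRACE_NAT = """\
traceroute to s3.ap-southeast-1.amazonaws.com (52.219.40.74), 30 hops max, 60 byte packets
 1  ec2-175-41-128-191.ap-southeast-1.compute.amazonaws.com (175.41.128.191)  42.290 ms ec2-175-41-128-195.ap-southeast-1.compute.amazonaws.com (175.41.128.195)  3.103 ms
 2  100.65.32.176 (100.65.32.176)  1.149 ms 100.65.32.160 (100.65.32.160)  1.132 ms
 8  s3-ap-southeast-1.amazonaws.com (52.219.40.74)  0.518 ms  0.569 ms  0.578 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
# One probe answer: "<hostname-or-ip> (<ipv4>)"; "* * *" yields no matches.
PROBE_RE = re.compile(r"(\S+)\s+\((\d+\.\d+\.\d+\.\d+)\)")


def parse_hops(text):
    """Return [(hop_number, [(host, ip), ...]), ...]; a timed-out hop has []."""
    hops = []
    for line in text.splitlines()[1:]:  # skip the "traceroute to ..." header
        m = HOP_RE.match(line)
        if not m:
            continue
        hops.append((int(m.group(1)), PROBE_RE.findall(m.group(2))))
    return hops


def classify(text):
    """'no-visible-path': every hop timed out (what the page shows once the
    endpoint is in use). 'public-path': the trace reaches the S3 front end
    through hops that answer, i.e. NAT/IGW. 'partial': some hops answer but
    S3 is never reached; inspect by hand."""
    hops = parse_hops(text)
    answering = [h for h in hops if h[1]]
    if not answering:
        return "no-visible-path"
    last_hosts = [host for host, _ in answering[-1][1]]
    if any(h.startswith("s3") and h.endswith("amazonaws.com") for h in last_hosts):
        return "public-path"
    return "partial"


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else TRACE_NAT
    print(classify(text))
```

Pipe a real traceroute into it (traceroute s3.ap-southeast-1.amazonaws.com | python3 classify_trace.py, with the file name being whatever you save it as); with no input on stdin it classifies the embedded NAT sample.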

Follow the troubleshooting steps if anything does not work.

Usage

Now we have both the S3 access point and the VPC endpoint for S3 set up.

To access the S3 resource within VPC, instead of using s3://<bucket name> directly, use

s3://arn:aws:s3:ap-southeast-1:<account number>:accesspoint/<bucket name>

Some third-party libraries built for AWS S3 might not recognize the S3 access point URL and throw an exception like

Caused by: java.lang.NullPointerException: null uri host.
        at java.util.Objects.requireNonNull(Objects.java:228)
        at org.apache.hadoop.fs.s3native.S3xLoginHelper.buildFSURI(S3xLoginHelper.java:71)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.setUri(S3AFileSystem.java:486)
        at org.apache.hadoop.fs.s3a.S3AFileSystem.initialize(S3AFileSystem.java:246)
        at org.apache.flink.fs.s3.common.AbstractS3FileSystemFactory.create(AbstractS3FileSystemFactory.java:123)
        ... 24 more

In that case, the S3 access point alias can be used instead. It can be found under S3 → Bucket → Access Points, and looks something like

s3://<bucket name>-1ks47nsk5hyxi845kebsen1nyf11caps1b-s3alias

Clean unused firewall rules using PowerShell

In Windows, firewall rules easily accumulate over time. Every time a new application is launched, the user is prompted to create a new firewall rule for the app. However, when applications get uninstalled, most of them do not remove the firewall rule they created.

Once there are more than just a few unused firewall rules, the system becomes less secure because of the protocols and ports they leave exposed. A malicious program placed at the exact same file path inherits the existing rule's allowances and makes the system vulnerable.

Unused firewall rules can be cleaned up with just 3 lines of PowerShell, run from an elevated PowerShell session:

# Application filters whose program path no longer exists on disk
# ("Any" and "System" are not file paths, so they are skipped)
$unusedFilters = Get-NetFirewallApplicationFilter | Where-Object {$_.Program -notin ("Any", "System")} | Where-Object {-not (Test-Path ([System.Environment]::ExpandEnvironmentVariables($_.Program)))}

# The rules that own those filters (a rule's Name equals its filter's InstanceId)
$unusedRules = Get-NetFirewallRule | Where-Object {$_.Name -in $unusedFilters.InstanceId}

# Remove them, printing each rule as it goes
$unusedRules | Remove-NetFirewallRule -Verbose

PSPrompt customized using oh-my-posh

Running docker on Nexus 5

My Raspberry Pi 3 died. It was used for running Plex server. It was running inside docker before the Pi died. I was looking for replacement. I looked into my basement and I found two Google_Nexus_5_(lg-hammerhead) phones. Then the story began…

Prerequisites

  • you are fairly familiar with how flashing works, e.g. fastboot stuff.
  • you already have postmarketOS running on your phone
  • you know what docker is
  • you know that you are probably gonna remove all the fancy UIs from your phone, and switch to postmarketos-ui-fbkeyboard or some console only mode
  • you’d better have a LAN connection on your phone rather than wifi

Steps

I can only prove this is working on my phones for now.

1. Edit kernel config

NOTE: before you make any change to the kernel, always back up ~/.local/var/pmbootstrap/cache_git/pmaports/main/linux-postmarketos-qcom-msm8974/config-postmarketos-qcom-msm8974.armv7

Run

pmbootstrap kconfig edit postmarketos-qcom-msm8974

where qcom-msm8974 is for my Nexus 5. You need to figure out what’s for your phone.

You have 2 options to learn what to set when configuring the kernel:

You can see the changes I made to my kernel config at https://gitlab.com/tigerinus/pmaports/-/commit/d4c1ad862f5485fd9a7577e59b95e97da1b988ae

BTW – I’ve got a Ugreen USB 2.0 network adapter hooked, so I took the chance and selected

Device Drivers => Network device support => <*> USB Network Adapters => <*> ASIX AX88xxx Based USB 2.0 Ethernet Adapters 

2. Build the kernel

pmbootstrap build linux-postmarketos-qcom-msm8974 --force

I had to add --force, otherwise it wouldn’t build.

If everything is successful, you should find something like below

~/.local/var/pmbootstrap/packages/edge/armv7/linux-postmarketos-qcom-msm8974-5.9.0_rc4-r0.apk

3. Install the kernel

Get the linux-postmarketos-qcom-msm8974-5.9.0_rc4-r0.apk copied onto your phone and do

sudo apk add -u linux-postmarketos-qcom-msm8974-5.9.0_rc4-r0.apk

Just in case, I also copied /boot/boot.img-postmarketos-qcom-msm8974 to my local machine as boot.img, booted to the bootloader and did

fastboot flash boot boot.img

Reboot the phone and run check-config.sh again to see if anything is missing. My experience is you don’t need everything enabled.
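Added example (not from the post, and not Docker's own check-config.sh): a Python checker that reads a kernel config file such as the config-postmarketos-qcom-msm8974.armv7 you backed up in step 1, or the running kernel's /proc/config.gz, and lists the container-related options that are not enabled. The option list is the "generally necessary" subset that Docker's check-config.sh reports, plus the cgroup v2 BPF options; the embedded SAMPLE_CONFIG is constructed, and the function names are mine.

```python
"""List kernel config options containers need that are missing (added example)."""
import gzip
import sys

# "Generally necessary" options as reported by Docker's check-config.sh.
GENERALLY_NECESSARY = [
    "NAMESPACES", "NET_NS", "PID_NS", "IPC_NS", "UTS_NS",
    "CGROUPS", "CGROUP_CPUACCT", "CGROUP_DEVICE", "CGROUP_FREEZER",
    "CGROUP_SCHED", "CPUSETS", "MEMCG", "KEYS", "VETH", "BRIDGE",
    "BRIDGE_NETFILTER", "IP_NF_FILTER", "IP_NF_TARGET_MASQUERADE",
    "NETFILTER_XT_MATCH_ADDRTYPE", "NETFILTER_XT_MATCH_CONNTRACK",
    "NETFILTER_XT_MATCH_IPVS", "NETFILTER_XT_MARK", "IP_NF_NAT", "NF_NAT",
    "POSIX_MQUEUE",
]
# Needed on a cgroup v2 host, where device access control is done with BPF.
CGROUP_V2 = ["CGROUP_BPF", "BPF_SYSCALL"]

# Constructed sample, not the page's real config: one option explicitly
# disabled and the two cgroup v2 options absent altogether.
SAMPLE_CONFIG = """\
# constructed sample config
CONFIG_NAMESPACES=y
CONFIG_NET_NS=y
CONFIG_PID_NS=y
CONFIG_IPC_NS=y
CONFIG_UTS_NS=y
CONFIG_CGROUPS=y
CONFIG_CGROUP_CPUACCT=y
CONFIG_CGROUP_DEVICE=y
CONFIG_CGROUP_FREEZER=y
CONFIG_CGROUP_SCHED=y
CONFIG_CPUSETS=y
CONFIG_MEMCG=y
CONFIG_KEYS=y
CONFIG_VETH=m
CONFIG_BRIDGE=m
CONFIG_BRIDGE_NETFILTER=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_NETFILTER_XT_MATCH_ADDRTYPE=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
# CONFIG_NETFILTER_XT_MATCH_IPVS is not set
CONFIG_NETFILTER_XT_MARK=m
CONFIG_IP_NF_NAT=m
CONFIG_NF_NAT=m
CONFIG_POSIX_MQUEUE=y
"""


def parse_kconfig(text):
    """Map option name (without CONFIG_) to its value; '# ... is not set' -> 'n'."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CONFIG_") and "=" in line:
            key, value = line.split("=", 1)
            config[key[len("CONFIG_"):]] = value.strip('"')
        elif line.startswith("# CONFIG_") and line.endswith(" is not set"):
            config[line[len("# CONFIG_"):-len(" is not set")]] = "n"
    return config


def check_container_support(config):
    """Return the required options that are neither built in (y) nor a module (m)."""
    return [opt for opt in GENERALLY_NECESSARY + CGROUP_V2
            if config.get(opt) not in ("y", "m")]


def load_config(path):
    """Read a plain config file or a gzip-compressed one such as /proc/config.gz."""
    opener = gzip.open if str(path).endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_kconfig(fh.read())


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/config.gz"
    for opt in check_container_support(load_config(path)):
        print(f"CONFIG_{opt}: missing")
```

Point it at the backed-up .armv7 file before building, then at /proc/config.gz on the phone after flashing, to confirm the options you set actually made it into the running kernel.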

4. Install docker

Boot the phone and, assuming you have a decent internet connection, do

sudo apk add docker

This installs not only docker but also an important service, containerd.

5. Get docker daemon running

Run

sudo service docker start

We are not there yet. This first start is for creating the files, directories and group it needs. The docker command won’t work yet because of a couple of things that have to happen at boot time, described below.

DO NOT make docker start on boot, or you will get the error “can’t load program: function not implemented: unknown.”

BTW – if you hate typing sudo docker... every time, you can optionally add yourself to the docker group by editing /etc/group:

sudo vi /etc/group

Now reboot so that at least the containerd service takes effect, in particular mounting cgroup2 at /sys/fs/cgroup automatically.

sudo reboot

After reboot, do

sudo service docker start

You should see something like

[Screenshot: output of sudo service docker start]

which you won’t see if you tried to start docker service before the reboot.

6. Verify things are good

[Screenshot: docker info (health check)]
[Screenshot: docker run hello-world]
[Screenshot: docker run fedora]

What’s next?

It’d be fun to have kubernetes running on this little device. Not sure if I should go with k3s or microk8s.


The recent Windows 10 lock screen wallpapers are all great

By the way, here is a command to find these images from WSL:

$ for asset in `file -i $(wslpath $(cmd.exe /c "<nul set /p=%UserProfile%" 2>/dev/null))/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/* | grep png | awk -F':' '{print $1}'`; do echo cp $asset /tmp$asset.png; done

The output is a bunch of cp commands; if you want to actually run them, just remove the echo.

cp /mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/04f9bd3de104a427ca557d53f05747c382a62bc3efb2422a0ba9bbe8aa21e757 /tmp/mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/04f9bd3de104a427ca557d53f05747c382a62bc3efb2422a0ba9bbe8aa21e757.png
cp /mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/1181ec5a0c631705dcaded34f58a171b842ed6783274b4bc7122e66eaa498a67 /tmp/mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/1181ec5a0c631705dcaded34f58a171b842ed6783274b4bc7122e66eaa498a67.png
cp /mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/ffadc5cae56e18df849d64d219b374745eb3f046a01a7ff3316c0ce4eb5d3c64 /tmp/mnt/c/Users/xiaoh/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets/ffadc5cae56e18df849d64d219b374745eb3f046a01a7ff3316c0ce4eb5d3c64.png
...
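Added example (not from the original post): the same idea in Python, identifying the extensionless files in the Assets folder by their magic bytes instead of with file -i, and copying them out with the right extension. It goes a little beyond the one-liner by recognising JPEG as well as PNG and by skipping the small tile images. The sample files built in demo() are constructed; the paths and function names are mine.

```python
"""Copy lock screen images out of the Assets folder by magic bytes (added example)."""
import shutil
import sys
import tempfile
from pathlib import Path

# File signatures -> extension; the files in Assets have no extension at all.
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": ".png",
    b"\xff\xd8\xff": ".jpg",
}


def sniff_extension(head):
    """Return the extension for a recognised signature in the first bytes, else None."""
    for magic, ext in SIGNATURES.items():
        if head.startswith(magic):
            return ext
    return None


def collect_images(src_dir, dst_dir, min_bytes=100_000):
    """Copy each recognised image in src_dir into dst_dir as <name><ext>.
    Files under min_bytes are skipped; the folder also holds small tiles."""
    src, dst = Path(src_dir), Path(dst_dir)
    dst.mkdir(parents=True, exist_ok=True)
    copied = []
    for entry in sorted(src.iterdir()):
        if not entry.is_file() or entry.stat().st_size < min_bytes:
            continue
        with entry.open("rb") as fh:
            ext = sniff_extension(fh.read(8))
        if ext is None:
            continue
        target = dst / (entry.name + ext)
        shutil.copyfile(entry, target)
        copied.append(target)
    return copied


def demo():
    """Build a constructed Assets folder in a temp dir and run the copy."""
    root = Path(tempfile.mkdtemp())
    assets = root / "Assets"
    assets.mkdir()
    (assets / "aaa").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 200_000)  # large PNG
    (assets / "bbb").write_bytes(b"\xff\xd8\xff\xe0" + b"\0" * 200_000)   # large JPEG
    (assets / "ccc").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\0" * 10)       # small tile
    (assets / "ddd").write_bytes(b"not an image" * 20_000)                # other data
    return sorted(p.name for p in collect_images(assets, root / "out"))


if __name__ == "__main__":
    # Usage: python3 collect_images.py <Assets folder> <output folder>
    if len(sys.argv) == 3:
        for path in collect_images(sys.argv[1], sys.argv[2]):
            print(path)
    else:
        print(demo())
```

Under WSL the Assets folder is the /mnt/c/Users/<you>/AppData/Local/Packages/Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy/LocalState/Assets path the one-liner resolves; pass it as the first argument and a writable directory as the second.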

Lamb Skewer Night

Alright, I'll be the one to write this recap.

Ever since Yuanyuan noted on his blog, still holding a grudge, that I had used writing my thesis as an excuse to skip the bun party at Xuan's place, I've felt wronged. Actions speak louder than words, so after the library closed I stopped by the office to grab a handful of knives, forks, plates and bowls and hurried over to his place for this so-called not-quite-authentic Xinjiang lamb skewer event. Legend has it this event had been planned for half a quarter; Xuan had bought 100 "sea-calming black iron" magic skewers well in advance, and everything was ready except for Brother Guang. Sure enough, Guang once again single-handedly put his Xinjiang craft on full display, grilling lamb skewers like a real pro. Not only that, this noble Lei Feng spirit carried over into the later Puzzle Fighter matches, where he kept handing points to his opponents. Following the story of Comrade Lei Feng carrying an old lady across the river, Yuanyuan, as Guang's opponent, earned the title "Old Lady". Unfortunately Guang later went on a sudden rampage and, under the name of "Lei Feng", KO'd a number of the masses including the "Old Lady", to everyone's astonishment. Shishi and Cancan even fanned the flames from the sidelines and had a great time doing it.

After the feast, Cancan once again proposed an even more decadent plan, going to the office to play pool, which everyone present solemnly vetoed and passed on the spot. Then, in less than an hour, the whole gang had descended on the office building 2 miles away and slipped, with practised ease, up to the floor with the pool table. Unfortunately, Yuanyuan and Xuan, both sharpshooters in Halo, proved quite hopeless with a cue, and Shishi and Cancan took forever over every shot. If it weren't for a certain deity repeatedly sinking the black along with the white by accident, this rabble would have had no leg to stand on. It all wrapped up amid the continuous yawns of Cancan, who had started the whole thing. Before long, this mutton-scented bunch of lunatics scattered in a rush, putting an ellipsis-slash-full-stop on an evening of laughter.

On the way home it was green lights all the way, which put me in an especially good mood. I opened the laptop, saw the thesis defense schedule the professor had sent, and felt at peace. As the saying goes, drink today while there's wine; eat tonight while there's food. When the sun rises tomorrow, it will be another day that spurs one on. +U!

A heads-up

We had already reached the season when spring warms, flowers bloom and little birds lay eggs, yet who would have guessed another light snow would fall. Snowflakes pattered against the front of the car, blocking my view of the way home. My long-delayed plan to bike to work was put off yet again by this endless cold. In this eventful season, is there not even one piece of good news? Just now, on the long march from the bedroom to the living room, I kicked the sharp corner of the futon, and while grimacing I let out a "hiss" rather like the very cool one the Korean heartthrob Rain makes in concert. April Fools' Day is approaching; everyone, be careful out there.

Guy Kawasaki and Ballmer

When it comes to talking big, both are people I rather admire. The former, that cocky venture capitalist roaming Silicon Valley, I mentioned once before: Guy's classic talk on "The Art of the Start" at TiECon 2006. The latter, the old guy called Steve, who is my boss's boss's ... boss, also gave a talk in 2006, not long after Guy's, on "People Ready", which was likewise a model of a speech. Guy's talk was aimed at personal development, while Steve's was aimed at corporate progress. Although such talks can only be called high-level grand bluffing, it must be said that to make it in this world, eloquence matters a great deal. Below is the conversation between the two at MIX'08 a few days ago:

Watch Steve Ballmer and Guy Kawasaki Keynote

Compared with before, Guy appeared this time in the role of interviewer, and I found him a lot more polite. After all, this was Microsoft's turf, or perhaps it also has to do with the fact that he has been dealing with Microsoft over the past while. I quite agree with his description of today's "new Microsoft". In his experience, the people at this company are friendly to deal with and efficient to communicate with. A company that has gone so deep and wide into the IT field can hardly guarantee full marks in every area, but the main thing is to keep learning from experience and improving products and services. Later he asked why the company keeps expanding into new areas. Steve answered that there is no choice. Exploring and advancing is human nature, and the same goes for a company. A company can't live on a single product for 100 years; that would be boring. (Is he talking about Coca-Cola?)

To be honest, Ballmer's thinking is fairly quick. For the questions thrown at him, some of which I suspect even the askers didn't know what answer they wanted, the old guy could still give a complete reply grounded in context. He knows very well what he is talking about, he knows the company's products and services like the back of his hand, and his remarks on future direction are never ambiguous. The old fellow has an MBA background, but in the last 20 minutes, when some people asked fairly technical questions, such as how a PHP-based platform can integrate with existing Windows, he could still give answers people could accept. And at the end he still brought out his usual energy and hollered a couple of times; after all, as Guy said, in a company whose main force is still employees in their twenties and thirties, the leader has to put on something of a youthful air. Imagine a tottering CEO sitting in an armchair running the company without even opening his eyes; that business would be hanging by a thread.

Finally, I just hope the boss's rather sour bit of fiddling with the MacBook Air doesn't get picked up by the fruit company's ad department as material for the new season of "I'm a Mac. I'm a PC.", LOL!