<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Spencer Krum</title>
    <link>https://spencerkrum.com/</link>
    <description>Recent content on Spencer Krum</description>
    <generator>Hugo -- gohugo.io</generator>
    <language>en-us</language>
    <lastBuildDate>Wed, 27 Aug 2025 10:05:42 -0500</lastBuildDate><atom:link href="https://spencerkrum.com/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>It&#39;s time to take away the keys</title>
      <link>https://spencerkrum.com/posts/take_away_keys/</link>
      <pubDate>Wed, 27 Aug 2025 10:05:42 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/take_away_keys/</guid>
      <description>It&#39;s time to take away the keys
This is a call to action to all the infra/devops type people out there. It’s time to take the keys away from 99% of your developers. You need to cut off their access to production services and give them other ways to access the things they need.
I’ve received two concerning reports recently of coding agents such as Cursor and Claude Code taking surprisingly dangerous actions.</description>
    </item>
    
    <item>
      <title>Django OTP from Django Shell</title>
      <link>https://spencerkrum.com/posts/django_otp/</link>
      <pubDate>Tue, 21 Jan 2025 12:05:42 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/django_otp/</guid>
      <description>When securing Django apps with django_otp it can be confusing how to manage these from the django shell.
Some quick notes I could have used recently:
# Enter django shell python manage.py shell # Imports import django_otp # Get User user = User.objects.filter(id=100)[0] # Get Device device = django_otp.devices_for_user(user) This is an instance of django_otp.models.Device. Or possibly a queryset of several devices if the user has more than one device. I only tested with TOTPDevice.</description>
    </item>
    
    <item>
      <title>Delta wifi not working on Linux? Try stopping docker</title>
      <link>https://spencerkrum.com/posts/delta_wifi_docker/</link>
      <pubDate>Wed, 01 May 2024 15:05:42 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/delta_wifi_docker/</guid>
      <description>Delta&amp;rsquo;s current (2024) wifi uses the 172.19.0.0/23 section of the RFC 1918 space. This conflicts with default Linux+Docker which uses nearby space. To get networking working on Linux while using Delta wifi, simply turn off docker and remove any bridges it created.
On my current laptop I see one docker0 bridge and several other bridges, presumably created by docker for networking:
br-05708c866d2e: flags=4099&amp;lt;UP,BROADCAST,MULTICAST&amp;gt; mtu 1500 inet 172.19.0.1 netmask 255.255.0.0 broadcast 172.</description>
    </item>
    
    <item>
      <title>Least Privilege Deploys with GKE</title>
      <link>https://spencerkrum.com/posts/gke_least_priv/</link>
      <pubDate>Fri, 26 Apr 2024 18:10:22 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/gke_least_priv/</guid>
      <description>When deploying applications I try to separate the components by the frequency that they change. Low frequency items like kube clusters, ingress, databases etc will be handled by the infra pipeline and high frequency items like the app will be handled by the app pipeline.
In the app pipeline I want to use a credential with least privilege to perform the deployment.
The setup:
 Application on Google cloud (GCP) Deployed on Google Kubernetes Engine (GKE) Deployed via Github Actions  The simple (but less than ideal) way to do this is to set up github actions to use a gcp service account with the gcp permission of container.</description>
    </item>
    
    <item>
      <title>Using ssh-askpass with wayland</title>
      <link>https://spencerkrum.com/posts/ssh-askpass-wayland/</link>
      <pubDate>Mon, 20 Sep 2021 21:22:13 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/ssh-askpass-wayland/</guid>
      <description>Before moving to wayland, I always used an ssh-agent with ssh-add -c. This prompts me every time it wants to use my agent. This is a nice middle ground between security and convenience. However, since moving to wayland, I&amp;rsquo;ve been unable to get that working. Here are the hacks/learnings I have gained since sitting down to do this. This is a great writeup but it doesn&amp;rsquo;t cover getting it working in wayland.</description>
    </item>
    
    <item>
      <title>Docker Desktop</title>
      <link>https://spencerkrum.com/posts/docker-desktop/</link>
      <pubDate>Wed, 01 Sep 2021 08:30:07 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/docker-desktop/</guid>
      <description>Yesterday, Docker announced that they will start charging per-seat fees for Docker Desktop. Docker Desktop is the user friendly application for Mac and Windows that sets up a VM running Linux with docker so the developer can use docker &amp;ldquo;natively&amp;rdquo; and &amp;ldquo;seamlessly&amp;rdquo;. Linux desktop users are not impacted by this change.
How to avoid using docker desktop Docker has a client-server model. It&amp;rsquo;s possible and effective to run docker on any remote host.</description>
    </item>
    
    <item>
      <title>Using Centurylink gigabit fiber with Debian Linux</title>
      <link>https://spencerkrum.com/posts/pppoe/</link>
      <pubDate>Tue, 19 Jan 2021 15:31:36 -0600</pubDate>
      
      <guid>https://spencerkrum.com/posts/pppoe/</guid>
      <description>Introduction In my city I am able to get gigabit fiber from centurylink. It&amp;rsquo;s not the best service in the world but it&amp;rsquo;s decently priced and gigabit service is incredible compared to Comcast&amp;rsquo;s 100mbit with transfer limits.
CTL provides either paid, rented, or promotional routers to use with their service. I was set up with a C4000XG. In this post I&amp;rsquo;ll describe how to replace the C4000XG with a standard linux router.</description>
    </item>
    
    <item>
      <title>Cloud Init Trivia</title>
      <link>https://spencerkrum.com/posts/cloud-init-trivia/</link>
      <pubDate>Wed, 02 Dec 2020 22:46:23 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/cloud-init-trivia/</guid>
      <description>Cloud init is the ubiquitous first-run config software used by most cloud providers. Recently I was messing with it trying to get some configuration to work, it&amp;rsquo;s always been a tool that requires a lot of fiddling. I wanted to write down my tips for debugging cloud init.
First and foremost It says this on the website but the most common reasons the cloud-init user data isn&amp;rsquo;t working are these two reasons:</description>
    </item>
    
    <item>
      <title>Terraform Plugins</title>
      <link>https://spencerkrum.com/posts/terraform_plugins/</link>
      <pubDate>Wed, 18 Nov 2020 19:59:11 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/terraform_plugins/</guid>
      <description>Terraform now has an app store of sorts. The terraform registry is a web host for plugins and providers, and has tooling integration.
In attempting to use the IBM Cloud provider, I ran into the following errors:
$ terraform init Initializing the backend... Initializing provider plugins... - Finding latest version of hashicorp/ibm... Error: Failed to install provider Error while installing hashicorp/ibm: provider registry registry.terraform.io does not have a provider named registry.</description>
    </item>
    
    <item>
      <title>IBM VPC (gen2) Flavors</title>
      <link>https://spencerkrum.com/posts/ibm-vpc-flavors/</link>
      <pubDate>Thu, 29 Oct 2020 19:39:31 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/ibm-vpc-flavors/</guid>
      <description>Mapping EC2 Instance Types to IBM Cloud Instance Profiles
IBM&amp;rsquo;s new Generation 2 VM Service has new profiles (flavors). This table maps common EC2 types to a similar type in IBM Cloud.
 Note this is not official don&amp;rsquo;t sue me. This is for quick reference only, always check what you&amp;rsquo;re doing yourself.
    AWS EC2 IBM Equivalent vCPU(IBM) Memory(G)(IBM) Notes     m4.large bx2-2x8 2 8 &amp;ldquo;Balanced&amp;rdquo;   m4.</description>
    </item>
    
    <item>
      <title>Injecting latency into applications running in docker</title>
      <link>https://spencerkrum.com/posts/inject_latency_docker/</link>
      <pubDate>Thu, 10 Sep 2020 20:38:36 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/inject_latency_docker/</guid>
      <description>When building decoupled systems that communicate over the network it is valuable to test them under less than ideal network situations. In this post we&amp;rsquo;ll cover a very simple example: two docker hosts communicating over the network, with platform enforced latency between them.
tc The traffic control utility, tc(8), will be our workhorse here. It&amp;rsquo;s been around since at least 2001 and can manipulate network interfaces, adjusting bandwidth, latency, bustable latency and more.</description>
    </item>
    
    <item>
      <title>Cos Auth</title>
      <link>https://spencerkrum.com/posts/cos-auth/</link>
      <pubDate>Tue, 28 Apr 2020 19:39:41 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/cos-auth/</guid>
      <description>Authenticating to the IBM Cloud Object Storage service is a bit odd. I wrote a simple wrapper script to help with the authentication bits until a fix is pushed into the client itself.
I&amp;rsquo;ve put a copy of this script below but the authoritative copy will be in my misc scripts repository. Pull requests welcome if you have improvements.
#!/bin/bash # Apache 2.0 License # No warranty # This script is a helper to handle authentication to a cos instance cos_instance=$1 if [ -z &amp;quot;${1}&amp;quot; ]; then echo &amp;quot;Please provide the name of the cos instance you intend to auth to&amp;quot; exit 1 fi if [ !</description>
    </item>
    
    <item>
      <title>Upcoming Projects</title>
      <link>https://spencerkrum.com/posts/upcoming-projects/</link>
      <pubDate>Sat, 09 Nov 2019 20:36:08 -0600</pubDate>
      
      <guid>https://spencerkrum.com/posts/upcoming-projects/</guid>
      <description>It&amp;rsquo;s always risky to announce projects that aren&amp;rsquo;t complete yet. But I&amp;rsquo;m very excited about a few projects on the docket to work on next. I have a collection of weird gear in the pile that I can&amp;rsquo;t wait to restore, hack up, and repurpose. I don&amp;rsquo;t have a start or completion date for any of these projects and the exact details are still waiting to get figured out. The order in this list is random, the project I&amp;rsquo;m the most excited about is the PiDP-11.</description>
    </item>
    
    <item>
      <title>Creating an OBS source for serial devices</title>
      <link>https://spencerkrum.com/posts/serial-obs/</link>
      <pubDate>Fri, 08 Nov 2019 14:04:59 -0600</pubDate>
      
      <guid>https://spencerkrum.com/posts/serial-obs/</guid>
      <description>As part of my recent live streaming on twitch I&amp;rsquo;ve been working with a microcontroller connected over USB. Actual communication with the microcontroller is done over serial. The device presents itself as /dev/ttyACM0.
The developer loop is basically this:
 Wire up circuit Write up some code Change code Flash microcontroller Debug: Watch for LED blinks Read logs over serial GOTO: 1  It&amp;rsquo;s straightforward to read the serial device via screen:</description>
    </item>
    
    <item>
      <title>New Desktop</title>
      <link>https://spencerkrum.com/posts/new_desktop/</link>
      <pubDate>Tue, 01 Oct 2019 12:04:46 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/new_desktop/</guid>
      <description>Introduction I haven&amp;rsquo;t taken notes on a soup to nuts Linux reinstall in several years so I thought I&amp;rsquo;d put my notes on reinstallation here for myself and for posterity. It is interesting to me that despite being in a mainstream and quick moving Linux distribution, I had to do an incredible amount of configuration outside of the package manager.
There are a couple pieces here that make this easier. For one I&amp;rsquo;ve been keeping &amp;lsquo;the big list of packages&amp;rsquo; for about a year now checked in to git.</description>
    </item>
    
    <item>
      <title>References for Open Source in Streaming Talk</title>
      <link>https://spencerkrum.com/posts/open_source_streaming_references/</link>
      <pubDate>Tue, 20 Aug 2019 10:15:29 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/open_source_streaming_references/</guid>
      <description>Today I am giving a talk at Open Source in Gaming (OSIG). These are the references for that talk. I hope to put the core of the talk into a blog post soon.
Open Source Repositories:  Twitch Title Updater: https://github.com/BurnySc2/TwitchTitleUpdater Tensorflow w/ OBS https://github.com/sergeykalutsky/vsc Library for OBS sources: https://github.com/nodecg/nodecg SC2 Recent Games Status: https://github.com/nibalizer/obs-scripts-examples/blob/master/sc2client.py Chat Votes Camera: https://github.com/nibalizer/obs-scripts-examples/blob/master/chat-votes-camera.py StreamLink: https://github.com/streamlink/streamlink Twitch Chat Lib: https://docs.tmijs.org/v1.3.0/Commands.html#part OBS Text source for Shell: https://github.</description>
    </item>
    
    <item>
      <title>OpenShift and Falco</title>
      <link>https://spencerkrum.com/posts/openshift_falco/</link>
      <pubDate>Tue, 30 Jul 2019 15:52:00 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/openshift_falco/</guid>
      <description>In the process of getting Falco working on OpenShift on the IBM Cloud I had my first experience with OpenShift Security Context Constraints. These are limits you can use to secure your clusters and the applications that run within them. They go beyond Pod Security Policies and are unique to Red Hat OpenShift.
While installing Falco, I was getting messages like this when running kubectl describe ds falco-daemonset:</description>
    </item>
    
    <item>
      <title>Half lock your screen with xtrlock</title>
      <link>https://spencerkrum.com/posts/xtrlock/</link>
      <pubDate>Wed, 10 Jul 2019 13:44:57 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/xtrlock/</guid>
      <description>(Originally posted to dev.to)
Part of the devrel life is the booth. When I&amp;rsquo;m boothing, I like to have my laptop there and open to a cool project or demo. If I&amp;rsquo;m lucky, there will be a TV or monitor for me to connect to as well.
Folks will come up and talk to me and ask me questions. That&amp;rsquo;s great and literally what I am there for. But I get squeamish about being a step or two away from my unlocked computer.</description>
    </item>
    
    <item>
      <title>About</title>
      <link>https://spencerkrum.com/about/</link>
      <pubDate>Wed, 03 Jul 2019 01:12:55 -0500</pubDate>
      
      <guid>https://spencerkrum.com/about/</guid>
      <description>Spencer Krum is a developer and developer advocate working for IBM.
Spencer Krum is a Developer Advocate at IBM. He writes python (and recently go) applications to analyze esports and deploys them on kubernetes. Before that, he administered the development infrastructure for OpenStack and wrote a book on Puppet. He lives and works in Minneapolis. He likes cheeseburgers, tennis and StarCraft II.
This website contains source code samples, links to videos and public speaking, and occasional blog posting.</description>
    </item>
    
    <item>
      <title>My First Post</title>
      <link>https://spencerkrum.com/posts/my-first-post/</link>
      <pubDate>Wed, 03 Jul 2019 00:11:15 -0500</pubDate>
      
      <guid>https://spencerkrum.com/posts/my-first-post/</guid>
      <description>Hello World! This is my first post using the new blog system using Hugo.</description>
    </item>
    
    <item>
      <title>OBS Scripting in Python</title>
      <link>https://spencerkrum.com/posts/obs-python-scripting/</link>
      <pubDate>Tue, 23 Jan 2018 01:34:53 -0600</pubDate>
      
      <guid>https://spencerkrum.com/posts/obs-python-scripting/</guid>
      <description>OBS just released version 21.0.1. This release includes a new subsystem for python and lua scripts.
In order to use the scripting system, we have to recompile (for arch anyways).
Install prereqs(from pkgbuild):
# pacman -Sy cmake git libfdk-aac libxcomposite x264 jack vlc # pacman -Sy ffmpeg jansson libxinerama libxkbcommon-x11 qt5-x11extras curl gtk-update-icon-cache Even the pkgbuild from upstream git doesn&amp;rsquo;t have scripting, even though it has a high version.
volt% /usr/bin/obs --version OBS Studio - 21.</description>
    </item>
    
    <item>
      <title>Hodor v4</title>
      <link>https://spencerkrum.com/posts/hodorv4/</link>
      <pubDate>Mon, 22 Jan 2018 23:32:47 +0000</pubDate>
      
      <guid>https://spencerkrum.com/posts/hodorv4/</guid>
      <description>Several times in the past I&amp;rsquo;ve created a script called &amp;lsquo;hodor&amp;rsquo;. This week I created the fourth version of the script.
Hodor is a script to emit a test vm for me to do something with. Expected usage:
$ hodor herpderp Hodor! Making vm VM ready! ssh root@herpderp.hodor.nibz.science In past iterations, hodor was written against HP cloud in bash. Then written against HP cloud, IBM cloud, and vexxhost using the shade library in python.</description>
    </item>
    
    <item>
      <title>SSH HoneyPot Analysis</title>
      <link>https://spencerkrum.com/posts/ssh_honeypot_analysis/</link>
      <pubDate>Sun, 25 Jan 2015 21:41:41 -0700</pubDate>
      
      <guid>https://spencerkrum.com/posts/ssh_honeypot_analysis/</guid>
      <description>Last week we built an ssh honeypot out of the open source kippo project. Today we will analyze the results. This will be part two of a two part post. In the first post we will set up the service, in this second post we will analyze the logs that were generated.
Basic stats:
 Users who connected with the correct password: 136 Files downloaded with wget or curl: 11  Kippo stores the logs of the sessions that the user generated.</description>
    </item>
    
    <item>
      <title>SSH HoneyPot</title>
      <link>https://spencerkrum.com/posts/ssh_honeypot/</link>
      <pubDate>Sun, 18 Jan 2015 19:56:59 -0700</pubDate>
      
      <guid>https://spencerkrum.com/posts/ssh_honeypot/</guid>
      <description>Today we will build an ssh honeypot. An ssh honeypot is a program that pretends to be an ssh daemon, but when an attacker connects, it lets them in. It provides a safe but realistic fake environment to the attacker, and logs everything they do. This means we can see what the attackers do after they try to gain access to our system.
This will be part one of a two part post.</description>
    </item>
    
    <item>
      <title>SSH Log Analysis</title>
      <link>https://spencerkrum.com/posts/ssh_log_analysis/</link>
      <pubDate>Sun, 11 Jan 2015 20:47:28 -0700</pubDate>
      
      <guid>https://spencerkrum.com/posts/ssh_log_analysis/</guid>
      <description>Today we will analyze ssh logs on a server on the open internet. These connections generally fall into two categories, successful logins from legitimate users, and failed logins from attempted ssh brute force attacks. We will provide no information on the successful logins and will provide high level analysis of the unsuccessful logins.
Basic stats:
 First log event: Jan 11 03:53:39 Last log event: Jan 12 05:41:32 Total log lines: 44853 OS Version: Centos 6.</description>
    </item>
    
  </channel>
</rss>
