webratz.de

Random notes about random cloud and photo stuff

Privilege Escalation in Build Pipelines

2019-11-24
I recently gave a talk at O’Reilly Velocity Conference in Berlin. My initial plan was to create a blog version of it as well, but I didn’t have enough time. Luckily there is a recording and the slides are available! Here’s the abstract: CI/CD systems are usually tightly coupled, and the CD part inherits a lot of administrative privileges combined with network access to production systems. We tend to believe that we only execute trusted software within those systems, but it quickly becomes clear that code from a huge variety of sources that isn’t under your control is loaded and executed in that system.

ECS / Docker NFS Issue hunt down

2018-10-10
This post appeared initially on the Scout24 Engineering Blog. Who doesn’t know this situation: sometimes something weird is going on in your setup, but everything is so vague that you don’t know where to start. This is a story about a bug we experienced in a production setup and how we found out what the root cause was. The problem: imagine an ECS cluster with multiple tasks running with an NFS (EFS in this case) backed persistent root volume.