Author: Paul Bastide

  • 🔥 Boost Your VS Code Workflow with a Custom Hotkey

    Sometimes, the smallest automation can make a big difference in your coding flow. If you frequently type . // >—maybe as part of a comment convention, markdown formatting, or a custom syntax—you can streamline your workflow by creating a hotkey in Visual Studio Code to insert it instantly.

    Here’s how to do it without installing any extensions.


    ✅ Step 1: Create a Keybinding to Trigger the Snippet

    While VS Code doesn’t allow direct keybinding to a named snippet, you can work around this by using the built-in editor.action.insertSnippet command with an inline snippet.

    🔧 How to Set It Up:

    1. Open the Command Palette:Ctrl+Shift+P (or Cmd+Shift+P on macOS)
    2. Type and select:Preferences: Open Keyboard Shortcuts (JSON)
    3. Add the following entry to your keybindings.json file:

    JSON

    [

    {

    “key”: “ctrl+shift+q”,

    “command”: “editor.action.insertSnippet”,

    “args”: {

    “snippet”: “. // >”

    },

    “when”: “editorTextFocus”

    }

    ]

    💡 You can change "ctrl+shift+q" to any key combination that suits your workflow.


    ✅ Step 2: Test It

    Now, whenever you’re focused in a text editor in VS Code and press Ctrl+Shift+Q, it will instantly insert:

    . // >
    

    No extensions. No fuss. Just a clean, efficient shortcut.


    🧠 Bonus Tip

    Want to scope this to specific file types like Markdown or Python? You can add a condition to the "when" clause, such as:

    JSON

    “when”: “editorTextFocus && editorLangId == ‘markdown’”

  • Aside: Developing Applications Using Python Packages on IBM Power

    Janani Janakiraman posted Developing Applications Using Python Packages on IBM Power

    Are you an independent software vendor (ISV) or a customer looking to develop Python applications on the IBM Power platform? Then this blog is for you! It walks you through examples of using IBM’s Open Source Edge (OSE) and optimized, prebuilt Python wheels to accelerate development on IBM Power.


    IBM Power-optimized Python wheels are available via a DevPi repository, offering performance and compatibility benefits for AI/ML workloads. For best results, use Python versions 3.10–3.12 and set up a virtual environment with --prefer-binary and --extra-index-url to install packages from the IBM wheel repository.


    The OSE tool helps evaluate package availability and encourages community contributions to build scripts. Practical workflows are available in the pyeco GitHub repository, and troubleshooting tips for native libraries like libopenblas.so and libgfortran.so are included. Pinning package versions in requirements.txt ensures reproducibility and stability across environments.


    Community feedback is welcome—suggest packages, report issues, or contribute via GitHub to help grow the ecosystem!

    Please use these great resources.

  • Securing OpenShift UPI: Hardening DNS, HTTP, NFS, and SSL

    OpenShift UPI (User-Provisioned Infrastructure) offers flexibility and control, but with that comes the responsibility of securing the underlying services. In this post, we’ll walk through practical steps to lock down common services—DNS, HTTP, NFS, and SSL—to mitigate known vulnerabilities and improve your cluster’s security posture.


    🔐 DNS Server Hardening

    DNS is often overlooked, but it can be a rich source of information leakage and attack vectors. Here are four common DNS-related vulnerabilities and how to mitigate them:

    1. Cache Snooping – Remote Information Disclosure

    Attackers can infer what domains have been queried by your server.

    2. Recursive Query – Cache Poisoning Weakness

    Unrestricted recursion can allow attackers to poison your DNS cache.

    3. Spoofed Request – Amplification DDoS

    Open DNS resolvers can be abused for DDoS amplification attacks.

    4. Zone Transfer – Information Disclosure (AXFR)

    Misconfigured zone transfers can leak internal DNS data.

    ✅ Mitigation Script

    Use the following script to lock down named (BIND) and restrict access to trusted nodes only:

    # Backup
    cp /etc/named.conf /etc/named.conf-$(date +%s)
    
    # Remove bad includes
    if [[ $(grep -c "include /" /etc/named.conf) -eq 1 ]]; then
      grep -v -F -e "include /" /etc/named.conf > /etc/named.conf-temp
      cat /etc/named.conf-temp > /etc/named.conf
    fi
    
    # Add trusted include if missing
    if [[ $(grep -c 'include "/etc/named-trusted.conf";' /etc/named.conf) -eq 0 ]]; then
      echo 'include "/etc/named-trusted.conf";' >> /etc/named.conf
    fi
    
    # Build trusted ACL
    echo 'acl "trusted" {' > /etc/named-trusted.conf
    export KUBECONFIG=/root/openstack-upi/auth/kubeconfig
    for IP in $(oc get nodes -o wide --no-headers | awk '{print $6}'); do
      echo "  ${IP}/32;" >> /etc/named-trusted.conf
    done
    echo "  localhost;" >> /etc/named-trusted.conf
    echo "  localnets;" >> /etc/named-trusted.conf
    echo "};" >> /etc/named-trusted.conf
    

    🔧 Insert into named.conf after recursion yes;:

    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    request-ixfr no;
    allow-transfer { none; };
    

    Then restart named to apply changes.


    🚫 HTTP TRACE / TRACK Methods

    TRACE and TRACK methods are legacy HTTP features that can be exploited for cross-site tracing (XST) attacks.

    ✅ Disable TRACE / TRACK

    Create /etc/httpd/conf.d/disable-track-trace.conf:

    RewriteEngine on
    RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
    RewriteRule .* - [F]
    

    Restart Apache:

    systemctl restart httpd
    
    
    
    

    📁 NFS Shares – World Readable Risk

    Exposing NFS shares to the world can lead to unauthorized access and data leakage.

    ✅ Lock NFS to Cluster Nodes

    echo "[NFS Exports Lock Down Started]"
    export KUBECONFIG=/root/openstack-upi/auth/kubeconfig
    cp /etc/exports /etc/exports-$(date +%s)
    echo "" > /etc/exports
    for IP in $(oc get nodes -o wide --no-headers | awk '{print $6}'); do
      echo "/export ${IP}(rw,sync,no_root_squash,no_all_squash)" >> /etc/exports
    done
    echo "/export 127.0.0.1(rw,sync,no_root_squash,no_all_squash)" >> /etc/exports
    exportfs -r
    

    🔐 SSL Certificates – CLI Access Challenges

    Managing SSL certificates for CLI access can be tricky, especially during updates.

    ✅ Recommendations

    • Use the Ingress Node Firewall Operator to restrict access to sensitive ports.
    • Monitor and rotate certificates regularly.
    • Validate CLI certificate chains and ensure proper trust anchors are configured.

    Final Thoughts

    Security in OpenShift UPI is not just about firewalls and RBAC—it’s about hardening every layer of the stack. By locking down DNS, HTTP, NFS, and SSL, you reduce your attack surface and protect your infrastructure from common threats.

  • Security Profiles Operator on OpenShift Container Platform on IBM Power

    :alert:*Security Profiles Operator (SPO)*:alert: simplifies security policy management for namespaced workloads and integrates seamlessly with OpenShift Container Platform’s compliance tooling. SPO manages *seccomp* and *SELinux* profiles as custom resources to keep workloads secure and compliant. The SPO features include:

    • *Creation and distribution* of seccomp and SELinux profiles
    • *Binding policies* to pods for fine-grained security control
    • *Recording workloads* to generate tailored profiles
    • *Synchronizing profiles* across worker nodes
    • *Advanced configuration*: log enrichment, webhook setup, metrics, and namespace restrictions

    You can install right from Operator Hub and use it on your OpenShift Container Platform on IBM Power. See https://docs.redhat.com/en/documentation/openshift_container_platform/4.19/html/security_and_compliance/security-profiles-operator#spo-overview for detailed install instructions

  • Dynamic GOMAXPROCS

    Go 1.25 add container-ware GOMAXPROCS. Instead of assuming it has all available processors, go respects the cgroupv2 specified CPU limits. This feature ensures resources aren’t incorrectly used or killed for trying to access or use too much CPU.

    You can disable this feature using containermaxprocs=0 or tweaking it as you need (for instance only specifying 1 CPU when you have 2 or 8 threads available).

    Thanks to Karthik for the heads up….

    Go 1.25 Release Notes

  • FYI: Announcing watsonx.data on IBM Power Tech Demo Availability

    Power clients who are running solutions on the platform for business-critical data such as Oracle, Db2®, Db2 for i, and SAP HANA, and who want to remain on Power for their AI and analytics solutions, can do exactly that with watsonx.data on Power. That is why today we are announcing the availability of a Tech Demo of watsonx.data on IBM Power Virtual Server. You can register here or contact your IBM sales representative or IBM Business Partner to access watsonx.data on Power with Presto or Spark engines to execute SQL queries or build machine learning models using sample data stored in IBM Cloud Object Storage. IBM is committed to making watsonx.data available on-prem on Power processor-based servers by the end of the year to unify, govern, and active enterprise data at scale for AI and analytics.    

    You can learn more at the ibm site.

  • 🚀 Builds for OpenShift 1.5 is now GA!

    Now available on OpenShift 4.16–4.19, this release brings powerful new features for building container images natively on your cluster—including support for ppc64le!

    🔧 Highlights:

    • NodeSelector & Scheduler support via shp CLI
    • Shallow Git cloning for faster builds

    💡 Built on Shipwright, Builds 1.5 simplifies image creation with Kubernetes-native APIs, Buildah/S2I strategies, and full CLI + web console integration.

    Perfect for teams running on IBM Power Systems or running Multi-Architecture Compute clusters. Start building smarter, faster, and more consistently across all the architectures in your cluster.

    📘 Learn more: https://docs.redhat.com/en/documentation/builds_for_red_hat_openshift/1.5/html/release_notes/ob-release-notes

  • Great News… IBM has Open Source Wheel Packages for Linux on Power

    Priya Seth posted about Open Source Wheel Packages for Linux on Power:

    IBM provides a dedicated repository of Python wheel packages optimized for the Linux on Power (ppc64le) architecture. These pre-built binaries simplify Python development on Power systems by eliminating the need to compile packages from source—saving time and reducing complexity.

    Wheel files (.whl) are the standard for distributing pre-compiled Python packages. For developers working on Power architecture, having access to architecture-specific wheels ensures compatibility and speeds up development.

    IBM hosts a curated collection of open-source Python wheels for the ppc64le platform listed at https://open-source-edge.developerfirst.ibm.com/

    Use pip to download the package without installing it:

    pip download <package_name>==<version> --prefer-binary --index-url=https://wheels.developerfirst.ibm.com/ppc64le/linux --verbose --no-deps
    

    Replace <package_name> and <version> with the desired values.

    Whether you’re building AI models, data pipelines, or enterprise applications, this repository helps accelerate your Python development on Power.

    You can also refer to https://community.ibm.com/community/user/blogs/nikhil-kalbande/2025/08/01/install-wheels-from-ibm-python-wheel-repository

  • Optimizing Workloads with NUMA-Aware CPU Distribution in Kubernetes

    DRAFT This is not a complete article. I haven’t yet fully tested and vetted the steps I built. I will come back and hopefully update.

    Kubernetes 1.30 introduces a powerful enhancement to CPU resource management: the ability to distribute CPUs across NUMA nodes using a new CPUManager policy. This feature, part of KEP-2902, enables better performance and resource utilization on multi-NUMA systems by spreading workloads instead of concentrating them on a single node.

    Non-Uniform Memory Access (NUMA) is a memory design used in modern multi-socket systems where each CPU socket has its own local memory. Accessing local memory is faster than accessing memory attached to another CPU. Therefore, NUMA-aware scheduling is crucial for performance-sensitive workloads.

    Traditionally, Kubernetes’ CPUManager used a “packed” policy, allocating CPUs from a single NUMA node to reduce latency. However, this can lead to resource contention and underutilization in systems with multiple NUMA nodes.

    • High-throughput applications like databases or analytics engines
    • Multi-threaded workloads that benefit from parallelism
    • NUMA-aware applications that manage memory locality explicitly

    The new “distributed” policy spreads CPU allocations across NUMA nodes, improving parallelism and overall system throughput.

    To enable the distributed CPUManager Policy, here is a step-by-step guide to enable and use this feature on Kubernetes v1.30+:

    1. Label the nodes you want to be enabled with cpumanager and the distributed policy.
    oc label node worker-0 custom-kubelet=cpumanager-enabled
    
    1. Create a custom KubeletConfig to allow the CPUManager to use distributed cpuManagerPolicy.
    cat << EOF | oc apply -f -
    apiVersion: machineconfiguration.openshift.io/v1
    kind: KubeletConfig
    metadata:
      name: cpumanager-enabled
    spec:
      machineConfigPoolSelector:
        matchLabels:
          custom-kubelet: cpumanager-enabled
      kubeletConfig:
         cpuManagerPolicy: distributed 
         cpuManagerReconcilePeriod: 5s 
    EOF
    
    1. Wait for the Node to restart the Kubelet
    2. Create a Pod to request Guaranteed QoS by specifying equal CPU requests and limits:
    apiVersion: v1
    kind: Pod
    metadata:
      name: numa-aware-pod
    spec:
      containers:
      - name: workload
        image: your-image
        resources:
          requests:
            cpu: "4"
          limits:
            cpu: "4"
    

    Kubernetes will now distribute the 4 CPUs across NUMA nodes instead of packing them on one.

    To visualize the difference, here’s a conceptual graphic to illustrate the difference between the two policies:

    Packed Policy:

    NUMA Node 0: [CPU0, CPU1, CPU2, CPU3, CPU4, CPU5, CPU6, CPU7] ← All assigned here
    NUMA Node 1: [CPU0 ]
    

    Distributed Policy:

    NUMA Node 0: [CPU0, CPU1, CPU2, CPU3]
    NUMA Node 1: [CPU0, CPU1, CPU2, CPU3] ← Balanced across nodes
    

    This balance reduces memory contention and improves cache locality for distributed workloads.

    This enhancement gives Kubernetes administrators more control over CPU topology, enabling better performance tuning for complex workloads. It’s a great step forward in making Kubernetes more NUMA-aware and suitable for high-performance computing environments.b

  • 🚀 In-Place Pod Resize in Kubernetes: What You Need to Know

    DRAFT This is not a complete article. I haven’t yet fully tested and vetted the steps I built. I will come back and hopefully update.

    In Kubernetes v1.33, In-Place Pod Resize has entered Beta. This feature allows you to resize the CPU and memory resources of containers in a running Pod without needing to restart them. This feature is fairly nice for Power customers who scale their systems vertically. You would need to also restart the kubelet.

    One no longer has to change the resource requests or limits of a pod in Kubernetes and restart the Pod. This restart was disruptive for long-running workloads.

    With in-place pod resize, autoscaling workloads, improving stateful applications is a real win.

    1. Enable the InPlacePodVerticalScaling featuregate in a kind config called kind-cluster-config.yaml
    kind: Cluster
    apiVersion: kind.x-k8s.io/v1alpha4
    featureGates:
      InPlacePodVerticalScaling: true
    nodes:
    - role: control-plane
      kubeadmConfigPatches:
      - |
        kind: ClusterConfiguration
        apiServer:
            extraArgs:
              v: "1"
        scheduler:
            extraArgs:
              v: "1"
        controllerManager:
            extraArgs:
              v: "1"
      - |
        kind: InitConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            v: "1"
    - role: worker
      kubeadmConfigPatches:
      - |
        kind: JoinConfiguration
        nodeRegistration:
          kubeletExtraArgs:
            v: "1"
    
    1. Download kind
    mkdir -p dev-cache
    GOBIN=$(PWD)/dev-cache/ go install sigs.k8s.io/kind@v0.29.0
    
    1. Start the kind cluster
    KIND_EXPERIMENTAL_PROVIDER=podman dev-cache/kind create cluster \
    		--image quay.io/powercloud/kind-node:v1.33.1 \
    		--name test \
    		--config kind-cluster-config.yaml\
    		--wait 5m
    
    1. Create a namespace
    apiVersion: v1
    kind: Namespace
    metadata:
      labels:
        kubernetes.io/metadata.name: resize-test
        pod-security.kubernetes.io/audit: restricted
        pod-security.kubernetes.io/audit-version: v1.24
        pod-security.kubernetes.io/enforce: restricted
        pod-security.kubernetes.io/warn: restricted
        pod-security.kubernetes.io/warn-version: v1.24
      name: resize-test
    
    1. Create a Pod
    apiVersion: v1
    kind: Pod
    metadata:
      name: resize-test
    spec:
      containers:
      - name: resize-test
        image: registry.access.redhat.com/ubi9/ubi
        resizePolicy:
        - resourceName: cpu
          restartPolicy: NotRequired
        - resourceName: memory
          restartPolicy: NotRequired
        resources:
          limits:
            memory: "200Mi"
            cpu: "1"
          requests:
            memory: "200Mi"
            cpu: "1"
    
    1. Edit kubectl edit pod/test -n resize-test
    2. Check kubectl describe pod/test -n resize-test
    3. Check oc rsh pod/test and run lscpu to see the size changed

    You’ve seen how this feature functions with Kubernetes and can resize your Pod without a restart.

    References

    1. Kubernetes v1.33: In-Place Pod Resize Graduated to Beta
    2. Resize CPU and Memory Resources assigned to Containers