CloudProfs Issue 8: Learn your ABCs… Azure, Ballerina and Codespaces!

Welcome! This is the eighth edition of CloudProfs, sent to subscribers on September 17. See the email in-browser here.

If you enjoyed this newsletter, why not sign up to receive it in your inbox every week? Or if you have any feedback, email the editor.


What’s Been Said and Done in Cloud This Week

Microsoft has addressed a series of critical vulnerabilities in OMI (Open Management Infrastructure), a vital but lesser-known software agent deployed on a large number of Linux VMs in Azure. The vulns were found by Wiz, who called them OMIGOD. Three of the vulns are privilege escalations, while the other is an unauthenticated remote code execution as root.

A Wiz survey found that approximately two thirds of sampled Azure customers could be affected and were unknowingly at risk. This was for two reasons: the ‘secret’ agent is undocumented within Azure, and it is open source and therefore widely used.

Microsoft has released the patched OMI 1.6.8-1, but customers are advised to update OMI manually. You can see the remediation steps here. Wiz also recommends limiting network access to ports 5985, 5986 and 1270 if you have OMI listening enabled.
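As an added example (not from the newsletter, Microsoft or Wiz), here is a POSIX shell script a Linux admin could run on an Azure VM to verify the two recommendations above: whether the installed OMI package is older than the patched 1.6.8-1, and whether anything is listening on TCP 5985, 5986 or 1270. The package name omi, the dpkg/rpm query formats and the sample ss -lnt output embedded for the self-check are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the newsletter, Microsoft or Wiz): check a Linux host
# for an outdated OMI agent and for OMI listeners, so the update and the
# network restriction recommended in the text can be verified.

# The patched release named in the text.
PATCHED_OMI_VERSION="1.6.8-1"

# omi_version_lt A B: true (exit 0) when version A is older than version B.
# Fields are split on '.' and '-' and compared numerically; trailing non-digit
# text in a field (e.g. "1ubuntu1") is ignored and a missing field counts as 0,
# so "1.6.8" sorts before "1.6.8-1". Variables are prefixed with '_' because
# POSIX sh has no 'local'.
omi_version_lt() {
    _a=$1; _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%[.-]*}; _y=${_b%%[.-]*}
        _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}
        [ -z "$_x" ] && _x=0
        [ -z "$_y" ] && _y=0
        [ "$_x" -lt "$_y" ] && return 0
        [ "$_x" -gt "$_y" ] && return 1
        case $_a in *[.-]*) _a=${_a#*[.-]} ;; *) _a= ;; esac
        case $_b in *[.-]*) _b=${_b#*[.-]} ;; *) _b= ;; esac
    done
    return 1   # versions are equal
}

# installed_omi_version: print the installed OMI package version from the dpkg
# or rpm database and exit 0, or exit 1 when the package is absent. "omi" as
# the package name is an assumption for this example.
installed_omi_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        _v=$(dpkg-query -W -f '${Version}' omi 2>/dev/null) && { printf '%s\n' "$_v"; return 0; }
    fi
    if command -v rpm >/dev/null 2>&1; then
        _v=$(rpm -q --qf '%{VERSION}-%{RELEASE}' omi 2>/dev/null) && { printf '%s\n' "$_v"; return 0; }
    fi
    return 1
}

# omi_listening_ports SS_OUTPUT: given the output of `ss -lnt`, print each of
# the OMI ports 5985, 5986 and 1270 that has a TCP listener.
omi_listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)     # strip the address part
            if (port == "5985" || port == "5986" || port == "1270") print port
        }'
}

# Constructed sample of `ss -lnt` output for the self-check (not captured from a real host).
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    *:5986              *:*
LISTEN 0      128    [::]:1270           [::]:*'

# omi_report: one verdict per check, run against this host.
omi_report() {
    if _v=$(installed_omi_version); then
        if omi_version_lt "$_v" "$PATCHED_OMI_VERSION"; then
            echo "OMI $_v installed: older than $PATCHED_OMI_VERSION, update required"
        else
            echo "OMI $_v installed: at or above $PATCHED_OMI_VERSION"
        fi
    else
        echo "OMI package not installed"
    fi
    _ports=$(omi_listening_ports "$(ss -lnt 2>/dev/null)" | tr '\n' ' ')
    [ -n "$_ports" ] && echo "OMI-related listeners on ports: $_ports" \
                     || echo "No listeners on 5985, 5986 or 1270"
}

omi_report
```

A host that reports an old version or an open listener is exactly the case the remediation steps and the port restriction are meant for; the version comparison is deliberately lenient about distribution suffixes so it does not fail on vendor-packaged builds.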

Previous CloudProfs readers will recall a vuln in Cosmos DB, reported in issue 5, which was described by Wiz as ‘the worst you can imagine.’

Wells Fargo has signposted its multi-cloud path, signing up to both Microsoft and Google Cloud. The financial services provider has chosen Azure as its primary public cloud provider, while Google will be utilised for ‘additional business-critical public cloud services.’ The latter will entail ‘advanced workloads’, as well as hinting at artificial intelligence.

Microsoft and Google’s clouds will be combined with private cloud and traditional hosting services, though the company added that its longer-term strategy will ‘rely predominantly on public cloud.’ Source

IDC forecasts global ‘whole cloud’ spending to hit $1.3 trillion US by 2025. The analyst firm puts this year’s figure at $706.6bn for comparison. The big question is, what does ‘whole cloud’ mean? Almost two thirds (64.1%) of the total figure relates to ‘as-a-service’ – SaaS, IaaS, PaaS and their various flavours, as well as dedicated cloud services. The key area which is not ‘aaS’ is what IDC calls cloud buildout, which covers the compute and storage infrastructure products that cloud infrastructure itself is built from. TL;DR: if you’re struggling with this word salad, there are two key takeaways: for cloud infrastructure providers, IDC says the development of specialised capabilities will become more important than generalised solutions, while enterprises will focus more on ‘outcomes’ in their cloud selection process. Source

IBM Security released its 2021 X-Force Cloud Threat Landscape Report this week. The report had several alarming findings. Almost half of the more than 2,500 disclosed vulnerabilities in cloud-deployed applications recorded to date were disclosed in the last 18 months, while ‘thousands’ of cloud accounts and resources were spotted for sale on the dark web. In 71% of such cases, threat actors offered remote desktop protocol (RDP) access to cloud resources, giving buyers direct access to the environment. You can read the full report here (no signup required).


Introducing… Ballerina Swan Lake

At the beginning of June, a press release from WSO2 hit the wires announcing the beta release of a programming language which promised to ‘lower the barriers to delivering cloud-native applications.’ The Swan Lake beta release of Ballerina was trumpeted as a ‘radical simplification’ of how developers built and deployed cloud-native applications, through an intuitive syntax for developing services and APIs, seamless JSON support, and built-in concurrency control.

Ballerina itself has been going since 2016 and is designed for the cloud, with various features supporting it. These include constructs that map seamlessly to services and network resources, among other network programming concepts, as well as built-in language support for deploying apps using Docker and Kubernetes.

“Ballerina provides a unique developer experience to move from code to cloud,” the company notes. “The compiler can be extended to read the source code and generate artifacts to deploy your code into different clouds.” These can be Dockerfiles or Docker images, Kubernetes YAML files, or serverless functions.

An example can be seen here of how Ballerina functions can be deployed to Azure, by annotating a Ballerina function with @azure_functions:Function (the module is imported as af below):

import ballerinax/azure_functions as af;

// HTTP request/response with no authentication
@af:Function
public function hello(@af:HTTPTrigger { authLevel: "anonymous" } string payload)
                      returns @af:HTTPOutput string|error {
    return "Hello, " + payload + "!";
}

Likewise for AWS Lambda, a Ballerina function is annotated with @awslambda:Function and should have the signature function (awslambda:Context, json) returns json|error:

import ballerinax/awslambda;

// The `@awslambda:Function` annotation marks a function to
// generate an AWS Lambda function
@awslambda:Function
public function echo(awslambda:Context ctx, json input) returns json {
    return input;
}

The Swan Lake release focuses on several features that help developers build and deploy enterprise-class, cloud-native applications. Concurrency control, as previously mentioned, is an inherent feature of Ballerina; with the concurrency control features added in Swan Lake, Ballerina automatically determines when it is safe to run an application’s concurrent components in parallel. The ability to automatically create deployments for Kubernetes and Docker is included, further simplifying the development and deployment of Ballerina code to the cloud.

An article from InfoQ, written by Dakshitha Ratnayake of WSO2, outlines 10 compelling language characteristics of Ballerina for cloud-native programming.

The first, and clearest, is its positioning in between a scripting and application language. A scripting language, for instance, does not typically have visual components. Ballerina is intrinsically graphical; it is “the only language where the diagram is the code, and the code is the diagram,” in the words of the Swan Lake release. “Abstractions and syntax for concurrency and network interaction are included in the language to closely correspond with sequence diagrams, which enables a bidirectional mapping for any Ballerina source code between its textual representation and its graphical representation as a sequence diagram.”

This sitting between stools can also be seen in Ballerina’s type system. Application languages have traditional static types, as in C++ or Java, while scripting languages are dynamically typed. Ratnayake describes Ballerina as a scripting language with a static type system. That static type system, however, is more flexible than in application languages: it is primarily structural, with added support for nominal typing, per the documentation. Type compatibility is determined by the structure of the value rather than by the name of its type, as it is in Java, C++ and C#.

The latest version of Ballerina is Swan Lake Beta2, which dropped in early July.

Packt is publishing Cloud-Native Applications With Ballerina, by Dhanushka Madushan, in October. Find out more or pre-order your copy here.


MD-100: Windows 10 Role-Based Certification – Exam Study Guide

By Shabaz Darr

This article is aimed at helping people prepare for the Microsoft role-based certification, MD-100: Windows 10. In this article I will share my experience of preparing for the exam, what topics you need to cover if you are planning on studying for this exam, the resources I used when preparing and some key exam tips.

The MD-100 exam is the first of two you need to complete to gain the ‘Modern Desktop Associate Administrator’ qualification. The following table shows a breakdown of the skills measured and the percentage of the exam each accounts for:

Skill measured                        Percentage
Deploy Windows                        15-20%
Manage devices and data               25-30%
Configure storage and connectivity    15-20%
Maintain Windows                      30-35%

You can find a further breakdown of each of these skillsets here.

This exam focuses on the Windows 10 operating system, including upgrading methods from older operating systems, the different ways in which you can keep it updated and also the security that Windows 10 brings with it.

Study resources

There are a few different ways you can go about studying for an exam, either a tutor-led course or self-paced learning. For this specific exam I decided to go for the self-paced learning approach and the best way I found to get started was the Microsoft Learning resources which are free and can be done at your own pace. To get started on my MD-100 journey I worked through the following course from the learning site: https://docs.microsoft.com/en-us/learn/paths/m365-getmodern/

The second resource I found really helpful, and which is also free from Microsoft, was this. This last link is via the Microsoft Partner site, and I found that it was a very informative and helpful course. It is also much more interactive than the Microsoft Learn path, as it includes labs as well as activities you can complete, and is actually quite fun. Another positive element of these resources is that each module has a set of questions that you are graded on, and at the end of the full course you have a final test which is marked. This will give you a great indication of how your preparation is going.

Topics you need to cover

The link shared earlier in this article breaks down the main topics of this exam that need to be covered. These include deploying Windows 10, managing devices, configuring connectivity and maintaining Windows. From my own experience taking this exam, I would recommend covering the following topics in greater detail:

•    NTFS permissions
•    Windows permissions
•    Group Policy
•    PowerShell cmdlets
•    Autopilot
•    BitLocker

These are the topics I found were covered most in the exam, and I would recommend understanding not only the theory but also the practical elements before taking your exam.

Exam tips

The Microsoft role-based exam format covers a few different question types, with your standard multiple choice, scenario based, use cases, and finally practical labs. With this particular exam however I did not get any labs.

The exam was 45 questions, 40 of which were multiple choice and 5 were based on one big scenario. Not all exams have the same number of questions, so please note that yours may vary. I do not think there is anything new I can tell you about the multiple choice questions that you do not already know; however, with the scenario-based questions I was not too bothered about reading the full scenario in too much detail, as you can always refer back to it. Once I had skim-read it, I looked at the question, found the relevant part in the scenario, which I read in detail, and then looked at the possible answers. I found this saved a lot of time and needless reading of information that is not really relevant to the questions.

One thing to note is that I had over 2 hours to complete the 45 questions, which means you can take your time and even go back and review your answers before finally submitting them.


Cory Wilkerson, GitHub: On Codespaces and the future of development in the cloud

Cory Wilkerson, senior director of engineering at GitHub, spoke with the Changelog podcast in an episode released earlier this week on how GitHub Codespaces came into being, and what it means for cloud development longer-term.

Last month, GitHub began a broader rollout of Codespaces – previously a cloud-hosted-but-browser-based coding environment – to Team and Enterprise plans. The company also revealed it was using Codespaces as the default development environment for GitHub.com.

In a separate article on JAXenter published earlier this month, Wilkerson noted that GitHub engineers can now bootstrap their dev environments in the cloud in less than 10 seconds, rather than up to 45 minutes. Speaking to Changelog, Wilkerson noted that the ‘raw ingredients’ of in-the-cloud development are all now here, and the mentality has shifted. “Scepticism around cloud-based workflows is basically non-existent at this point,” he said.

“We’re moving more and more precious workloads to the cloud on a daily basis,” Wilkerson added. “There’s no reason we can’t do that with our development environments today, which are kind of single-track. We looked at the idea that containers are everywhere, we have VS Code, this really powerful tool that we work closely with, and we’ve got the fact that the industry now has almost exclusively adopted the cloud. It felt like we had the raw materials in place to go pursue this.”

Wilkerson told the story of a colleague who was won over by Codespaces. Her local dev environment broke, so she switched – and shipped her task before her local environment rebuilt. These were the use cases which enabled Codespaces usage within GitHub – and aided wider understanding of the business case outside of it.

Part of the understanding of cloud-based development is synchronisation, as well as a more comfortable experience on the developer’s machine. As co-host Jerod Santo put it: “I’m used to my laptop being on fire while I’m developing.” “Docker is not running on my desktop; it is running out on a cloud. It’s just a really cool moment and experience,” added Wilkerson.

“You used to run your server in a grey tower underneath your desk, right?” said Wilkerson. “Those days are gone. This is the next wave – we’re now moving development environments out into the cloud. It just feels to me like two years from now, we’re going to see some incredible adoption in this space.”

But that should not be the only use case. “I don’t want you just to recreate your laptop in the cloud – I think we discourage that model,” said Wilkerson. “You don’t want to go curate this bespoke laptop replacement in the cloud. You want to think about a thousand, an infinite number of laptops in the cloud that you can provision on-demand for the task at hand. We think about these as task-based; you work on a branch for a week, or something, and with it your codespace. At the end of that, you retire that codespace and spin up a new one for your next set of work.”


Hidden Gems and Secret Knowledge

A cool selection of recent (or recently updated) cloud repositories and tools across vendors and languages. Got a tip or are you working on a project you want the world to know about? Email the editor today!

100DaysOfCloud: John Breth is documenting his learning journey on how to design, configure, and manage cloud environments. Currently on day 2 at time of print so bookmark this for future reference.

devops-exercises: More than 1700 interview questions on various DevOps and DevOps-related topics, including Docker, Jenkins, Prometheus and Terraform. Primary language: Python (83.3%)

kubeone: Automates cluster operations on all cloud, on-prem, edge and IoT environments. Latest release: v1.3.0 (Sep 15). Primary language: Go (97.4%)

minecraft-ondemand: An ‘almost free’ serverless on-demand Minecraft server in AWS. Useful as a teaching resource. Primary language: Shell (88.6%)

pleco: Automatically removes cloud-managed services and Kubernetes resources based on tags with TTL. Latest release: v0.8.8 (Sep 16). Primary language: Go (97.9%)

BONUS: Watch this 15 minute session from the IEEE Cloud Computing Conference earlier this month on Theta-Scan: Leveraging Behavior-Driven Forecasting for Vertical Auto-Scaling in Container Cloud (IBM/Barcelona Supercomputing Center). For advanced users only! (Link goes direct to mp4 session)
