Forem: Sudhakar Daggubati The latest articles on Forem by Sudhakar Daggubati (@mrdaggubati). https://forem.com/mrdaggubati https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F162572%2F271b03fa-08e7-489c-a608-e97df992151d.jpg Forem: Sudhakar Daggubati https://forem.com/mrdaggubati en PCI GPU passthrough Sudhakar Daggubati Wed, 13 May 2026 09:33:37 +0000 https://forem.com/mrdaggubati/pci-gpu-passthrough-1m6h https://forem.com/mrdaggubati/pci-gpu-passthrough-1m6h <p>Little snippet to prepare the host for GPU passthrough<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c">#!/usr/bin/env bash</span> <span class="nb">set</span> <span class="nt">-euo</span> pipefail <span class="nb">echo</span> <span class="s2">" This enables vfio passthroug on ubuntu 24+ "</span> <span class="c"># =========================</span> <span class="c"># CONFIG</span> <span class="c"># =========================</span> <span class="nv">GPU_PCI</span><span class="o">=</span><span class="s2">"0000:01:00.0"</span> <span class="nv">GPU_AUDIO_PCI</span><span class="o">=</span><span class="s2">"0000:01:00.1"</span> <span class="nv">GPU_IDS</span><span class="o">=</span><span class="s2">"10de:2820,10de:22bd"</span> <span class="nv">GRUB</span><span class="o">=</span><span class="s2">"/etc/default/grub"</span> <span class="nv">VFIO_CONF</span><span class="o">=</span><span class="s2">"/etc/modprobe.d/vfio.conf"</span> <span class="nv">BLACKLIST</span><span class="o">=</span><span class="s2">"/etc/modprobe.d/blacklist-nvidia.conf"</span> <span class="nv">RECOVERY_FLAG</span><span class="o">=</span><span class="s2">"/boot/vfio_last_state"</span> <span class="nv">SAFE_ENTRY_FILE</span><span class="o">=</span><span class="s2">"/etc/grub.d/40_vfio_safe_mode"</span> <span class="c"># ⚠️ IMPORTANT: replace once with `blkid`</span> <span class="nv">ROOT_UUID</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>findmnt <span class="nt">-no</span> UUID /<span class="si">)</span><span class="s2">"</span> <span class="nv">ROOT_FSTYPE</span><span class="o">=</span><span class="s2">"</span><span class="si">$(</span>findmnt <span class="nt">-no</span> FSTYPE /<span class="si">)</span><span class="s2">"</span> <span class="c"># SAFETY CHECK: Ensure UUID was actually captured</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$ROOT_UUID</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[!] ERROR: Could not determine ROOT_UUID."</span> <span class="nb">echo</span> <span class="s2">" Check if findmnt is installed or if you have sufficient permissions."</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># 2. Check for Filesystem Compatibility</span> <span class="k">if</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$ROOT_FSTYPE</span><span class="s2">"</span> <span class="o">!=</span> ext<span class="k">*</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"===================================================="</span> <span class="nb">echo</span> <span class="s2">" [!] WARNING: NON-EXT FILESYSTEM DETECTED (</span><span class="nv">$ROOT_FSTYPE</span><span class="s2">)"</span> <span class="nb">echo</span> <span class="s2">"===================================================="</span> <span class="nb">echo</span> <span class="s2">" Your Safe Mode GRUB entry is currently hardcoded for 'insmod ext2'."</span> <span class="nb">echo</span> <span class="s2">" To ensure recovery works, you should update the 'insmod' line"</span> <span class="nb">echo</span> <span class="s2">" in the ensure_safe_mode_entry function to 'insmod </span><span class="nv">$ROOT_FSTYPE</span><span class="s2">'."</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"Continue anyway? (y/n): "</span> confirm <span class="o">[[</span> <span class="s2">"</span><span class="nv">$confirm</span><span class="s2">"</span> <span class="o">!=</span> <span class="s2">"y"</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nb">exit </span>1 <span class="k">fi</span> <span class="c"># =========================</span> <span class="c"># BANNER</span> <span class="c"># =========================</span> show_recovery_banner<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"===================================================="</span> <span class="nb">echo</span> <span class="s2">" VFIO SAFE CONTROLLER"</span> <span class="nb">echo</span> <span class="s2">"===================================================="</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"RECOVERY OPTIONS:"</span> <span class="nb">echo</span> <span class="s2">" → GRUB: 'Ubuntu (SAFE MODE - iGPU only)'"</span> <span class="nb">echo</span> <span class="s2">" → OR 'Advanced options'"</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="nb">echo</span> <span class="s2">"SAFE MODE = NO VFIO, NO NVIDIA, iGPU ONLY"</span> <span class="nb">echo</span> <span class="s2">"===================================================="</span> <span class="nb">echo</span> <span class="s2">""</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># VM SAFETY CHECK</span> <span class="c"># =========================</span> check_vms<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[*] Checking running VMs..."</span> <span class="nv">RUNNING</span><span class="o">=</span><span class="si">$(</span>virsh list <span class="nt">--state-running</span> 2&gt;/dev/null | <span class="nb">awk</span> <span class="s1">'NR&gt;2 {print $2}'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="k">${</span><span class="nv">RUNNING</span><span class="p">// </span><span class="k">}</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">RUNNING</span><span class="o">=</span><span class="si">$(</span>virsh list 2&gt;/dev/null | <span class="nb">awk</span> <span class="s1">'NR&gt;2 &amp;&amp; $3=="running" {print $2}'</span><span class="si">)</span> <span class="k">fi if</span> <span class="o">[[</span> <span class="nt">-n</span> <span class="s2">"</span><span class="nv">$RUNNING</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[!] Running VMs detected:"</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$RUNNING</span><span class="s2">"</span> <span class="k">return </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"[✓] No running VMs"</span> <span class="k">return </span>0 <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># PREFLIGHT</span> <span class="c"># =========================</span> preflight<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[*] Preflight check..."</span> <span class="nb">local </span><span class="nv">blocked</span><span class="o">=</span>0 <span class="nb">local </span>running_vms <span class="nv">running_vms</span><span class="o">=</span><span class="si">$(</span>virsh list <span class="nt">--name</span> 2&gt;/dev/null | <span class="nb">sed</span> <span class="s1">'/^$/d'</span><span class="si">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="nt">-z</span> <span class="s2">"</span><span class="nv">$running_vms</span><span class="s2">"</span> <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[✓] No running VMs"</span> <span class="nb">echo</span> <span class="s2">"[✓] Preflight OK"</span> <span class="k">return </span>0 <span class="k">fi for </span>vm <span class="k">in</span> <span class="nv">$running_vms</span><span class="p">;</span> <span class="k">do if </span>virsh dumpxml <span class="s2">"</span><span class="nv">$vm</span><span class="s2">"</span> 2&gt;/dev/null | <span class="nb">grep</span> <span class="nt">-qE</span> <span class="s2">"</span><span class="nv">$GPU_PCI</span><span class="s2">|</span><span class="nv">$GPU_AUDIO_PCI</span><span class="s2">"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[!] Running VM '</span><span class="nv">$vm</span><span class="s2">' is using configured GPU passthrough devices"</span> <span class="nv">blocked</span><span class="o">=</span>1 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"[i] Running VM '</span><span class="nv">$vm</span><span class="s2">' does not use passthrough GPU"</span> <span class="k">fi done if</span> <span class="o">[[</span> <span class="nv">$blocked</span> <span class="nt">-eq</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[!] Stop affected VM(s) before changing VFIO state"</span> <span class="k">return </span>1 <span class="k">fi </span><span class="nb">echo</span> <span class="s2">"[✓] No running VM currently uses the dGPU"</span> <span class="nb">echo</span> <span class="s2">"[✓] Preflight OK"</span> <span class="k">return </span>0 <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># STATUS</span> <span class="c"># =========================</span> status<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"===================="</span> <span class="nb">echo</span> <span class="s2">" SYSTEM STATUS"</span> <span class="nb">echo</span> <span class="s2">"===================="</span> virsh list 2&gt;/dev/null <span class="o">||</span> <span class="nb">true echo</span> <span class="s2">""</span> lspci <span class="nt">-nnk</span> <span class="nt">-s</span> <span class="k">${</span><span class="nv">GPU_PCI</span>:5:7<span class="k">}</span> <span class="o">||</span> <span class="nb">true</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># SAFE MODE GRUB ENTRY</span> <span class="c"># =========================</span> ensure_safe_mode_entry<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[*] Ensuring SAFE MODE GRUB entry for </span><span class="nv">$ROOT_FSTYPE</span><span class="s2">..."</span> <span class="nb">local </span><span class="nv">grub_mod</span><span class="o">=</span><span class="s2">"</span><span class="nv">$ROOT_FSTYPE</span><span class="s2">"</span> <span class="o">[[</span> <span class="s2">"</span><span class="nv">$ROOT_FSTYPE</span><span class="s2">"</span> <span class="o">==</span> ext<span class="k">*</span> <span class="o">]]</span> <span class="o">&amp;&amp;</span> <span class="nv">grub_mod</span><span class="o">=</span><span class="s2">"ext2"</span> <span class="nb">sudo tee</span> <span class="s2">"</span><span class="nv">$SAFE_ENTRY_FILE</span><span class="s2">"</span> <span class="o">&gt;</span>/dev/null <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> #!/bin/sh exec tail -n +3 </span><span class="se">\$</span><span class="sh">0 menuentry "Ubuntu (SAFE MODE - iGPU only, NO VFIO)" { insmod part_gpt insmod </span><span class="nv">$grub_mod</span><span class="sh"> search --no-floppy --fs-uuid --set=root </span><span class="nv">$ROOT_UUID</span><span class="sh"> linux /boot/vmlinuz root=UUID=</span><span class="nv">$ROOT_UUID</span><span class="sh"> ro quiet splash intel_iommu=off modprobe.blacklist=vfio_pci,vfio,vfio_iommu_type1,nvidia,nvidia_drm,nvidia_modeset initrd /boot/initrd.img } </span><span class="no">EOF </span> <span class="nb">sudo chmod</span> +x <span class="s2">"</span><span class="nv">$SAFE_ENTRY_FILE</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># GRUB APPLY VFIO</span> <span class="c"># =========================</span> apply_vfio_grub<span class="o">()</span> <span class="o">{</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">.bak.</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/vfio-pci.ids=[^ ]*//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/intel_iommu=on//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/iommu=pt//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="c">#sudo sed -i "s/^GRUB_CMDLINE_LINUX_DEFAULT=\"/GRUB_CMDLINE_LINUX_DEFAULT=\"quiet splash intel_iommu=on iommu=pt vfio-pci.ids=$GPU_IDS /" "$GRUB"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash intel_iommu=on iommu=pt vfio-pci.ids='</span><span class="s2">"</span><span class="nv">$GPU_IDS</span><span class="s2">"</span><span class="s1">' rd.driver.pre=vfio-pci"/'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="o">}</span> verify_vfio_binding<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[*] Checking GPU driver binding..."</span> <span class="k">if </span>lspci <span class="nt">-nnk</span> <span class="nt">-s</span> <span class="k">${</span><span class="nv">GPU_PCI</span>:5:7<span class="k">}</span> | <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"vfio-pci"</span><span class="p">;</span> <span class="k">then </span><span class="nb">echo</span> <span class="s2">"[✓] GPU correctly bound to VFIO"</span> <span class="k">return </span>0 <span class="k">else </span><span class="nb">echo</span> <span class="s2">"[!] VFIO FAILED — GPU still not isolated"</span> <span class="nb">echo</span> <span class="s2">" Do NOT launch VM"</span> <span class="k">return </span>1 <span class="k">fi</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># GRUB RESTORE (iGPU)</span> <span class="c"># =========================</span> restore_igpu_grub<span class="o">()</span> <span class="o">{</span> <span class="nb">sudo cp</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">.bak.</span><span class="si">$(</span><span class="nb">date</span> +%s<span class="si">)</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/vfio-pci.ids=[^ ]*//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/intel_iommu=on//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/iommu=pt//g'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="nb">sudo sed</span> <span class="nt">-i</span> <span class="s1">'s/^GRUB_CMDLINE_LINUX_DEFAULT=.*/GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"/'</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># ENABLE VFIO</span> <span class="c"># =========================</span> enable_flow<span class="o">()</span> <span class="o">{</span> show_recovery_banner preflight <span class="o">||</span> <span class="nb">exit </span>1 <span class="nb">echo</span> <span class="s2">"[*] Enabling VFIO..."</span> <span class="nb">cat</span> <span class="o">&lt;&lt;</span><span class="no">EOF</span><span class="sh"> | sudo tee "</span><span class="nv">$BLACKLIST</span><span class="sh">" &gt;/dev/null blacklist nvidia blacklist nvidia_drm blacklist nvidia_modeset blacklist nvidia_uvm blacklist nvidia_nouveau </span><span class="no">EOF </span> <span class="nb">printf</span> <span class="s1">'%s\n'</span> <span class="se">\</span> <span class="s2">"options vfio-pci ids=</span><span class="nv">$GPU_IDS</span><span class="s2"> disable_vga=1"</span> <span class="se">\</span> <span class="s2">"softdep nvidia pre: vfio-pci"</span> <span class="se">\</span> <span class="s2">"softdep nvidia_drm pre: vfio-pci"</span> <span class="se">\</span> <span class="s2">"softdep nvidia_modeset pre: vfio-pci"</span> <span class="se">\</span> <span class="s2">"softdep nvidia_uvm pre: vfio-pci"</span> <span class="se">\</span> | <span class="nb">sudo tee</span> <span class="s2">"</span><span class="nv">$VFIO_CONF</span><span class="s2">"</span> <span class="o">&gt;</span>/dev/null <span class="c"># Block udev from loading nvidia modules</span> <span class="nb">sudo tee</span> /etc/udev/rules.d/71-nvidia.rules <span class="o">&gt;</span>/dev/null <span class="o">&lt;&lt;</span> <span class="sh">'</span><span class="no">EOF</span><span class="sh">' # VFIO override — block nvidia module loading via udev ACTION=="add", DEVPATH=="/bus/pci/drivers/nvidia", RUN+="/bin/false" </span><span class="no">EOF </span> <span class="nb">sudo </span>systemctl disable <span class="nt">--now</span> nvidia-persistenced.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl disable <span class="nt">--now</span> nvidia-powerd.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl disable <span class="nt">--now</span> nvidia-cdi-refresh.path 2&gt;/dev/null <span class="o">||</span> <span class="nb">true </span>apply_vfio_grub ensure_safe_mode_entry <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$GPU_IDS</span><span class="s2">"</span> | <span class="nb">sudo tee</span> <span class="s2">"</span><span class="nv">$RECOVERY_FLAG</span><span class="s2">"</span> <span class="o">&gt;</span>/dev/null <span class="nb">sudo </span>update-initramfs <span class="nt">-u</span> <span class="nb">sudo </span>update-grub <span class="nb">echo</span> <span class="s2">"[*] Verifying GRUB configuration..."</span> <span class="nb">grep</span> <span class="nt">-q</span> <span class="s2">"vfio-pci.ids=</span><span class="nv">$GPU_IDS</span><span class="s2">"</span> <span class="s2">"</span><span class="nv">$GRUB</span><span class="s2">"</span> <span class="o">||</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[!] GRUB injection failed"</span> <span class="nb">exit </span>1 <span class="o">}</span> <span class="nb">echo</span> <span class="s2">"[✓] VFIO enabled safely"</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># DISABLE VFIO</span> <span class="c"># =========================</span> disable_flow<span class="o">()</span> <span class="o">{</span> show_recovery_banner <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$VFIO_CONF</span><span class="s2">"</span> <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$BLACKLIST</span><span class="s2">"</span> <span class="nb">sudo rm</span> <span class="nt">-f</span> /etc/udev/rules.d/71-nvidia.rules <span class="nb">sudo </span>udevadm control <span class="nt">--reload-rules</span> restore_igpu_grub ensure_safe_mode_entry <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$RECOVERY_FLAG</span><span class="s2">"</span> <span class="c"># Re-enable nvidia services</span> <span class="nb">sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-persistenced.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-powerd.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-cdi-refresh.path 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>update-initramfs <span class="nt">-u</span> <span class="nb">sudo </span>update-grub <span class="nb">echo</span> <span class="s2">"[✓] VFIO disabled"</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># RECOVERY MODE</span> <span class="c"># =========================</span> recover_flow<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"[!] RECOVERY MODE ACTIVATED"</span> restore_igpu_grub <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$VFIO_CONF</span><span class="s2">"</span> <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$BLACKLIST</span><span class="s2">"</span> <span class="nb">sudo rm</span> <span class="nt">-f</span> <span class="s2">"</span><span class="nv">$RECOVERY_FLAG</span><span class="s2">"</span> <span class="nb">sudo rm</span> <span class="nt">-f</span> /etc/udev/rules.d/71-nvidia.rules <span class="nb">sudo </span>udevadm control <span class="nt">--reload-rules</span> ensure_safe_mode_entry <span class="c"># Re-enable nvidia services</span> <span class="nb">sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-persistenced.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-powerd.service 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>systemctl <span class="nb">enable</span> <span class="nt">--now</span> nvidia-cdi-refresh.path 2&gt;/dev/null <span class="o">||</span> <span class="nb">true sudo </span>update-initramfs <span class="nt">-u</span> <span class="nb">sudo </span>update-grub <span class="nb">echo</span> <span class="s2">"[✓] System restored to iGPU SAFE MODE"</span> <span class="o">}</span> <span class="c"># =========================</span> <span class="c"># MAIN CONTROLLER</span> <span class="c"># =========================</span> main<span class="o">()</span> <span class="o">{</span> show_recovery_banner <span class="k">case</span> <span class="s2">"</span><span class="k">${</span><span class="nv">1</span><span class="k">:-}</span><span class="s2">"</span> <span class="k">in </span>status<span class="p">)</span> status <span class="p">;;</span> preflight<span class="p">)</span> preflight <span class="p">;;</span> <span class="nb">enable</span><span class="p">)</span> enable_flow <span class="p">;;</span> disable<span class="p">)</span> disable_flow <span class="p">;;</span> recover<span class="p">)</span> recover_flow <span class="p">;;</span> verify<span class="p">)</span> verify_vfio_binding <span class="o">||</span> <span class="nb">exit </span>1 <span class="p">;;</span> <span class="k">*</span><span class="p">)</span> <span class="nb">echo</span> <span class="s2">"Usage: </span><span class="nv">$0</span><span class="s2"> {status|preflight|enable|disable|recover|verify}"</span> <span class="p">;;</span> <span class="k">esac</span> <span class="o">}</span> main <span class="s2">"</span><span class="nv">$@</span><span class="s2">"</span> </code></pre> </div> automation linux tutorial ubuntu open-source API gateway solutions and their managed offerings. Sudhakar Daggubati Fri, 27 Sep 2024 14:48:14 +0000 https://forem.com/mrdaggubati/api-management-gateways-4h0f https://forem.com/mrdaggubati/api-management-gateways-4h0f <p><a href="https://konghq.com/" rel="noopener noreferrer">Kong</a> and <a href="https://apisix.apache.org/" rel="noopener noreferrer">APISIX</a>, two popular open-source #APIGateway solutions. #kong looks versatile Unified Gateway but how it fares against #APISIX backed by a similar enterprise <a href="https://api7.ai" rel="noopener noreferrer">API7</a> offering. </p> <p>Key Features:</p> <ul> <li>API Gateway and API Management</li> <li>Plugin architecture</li> <li>NGINX-based</li> <li>Config management</li> <li>Seamless Kubernetes integration</li> <li>Security</li> </ul> <p>Differentiation:</p> <ul> <li> <strong>AI Gateway:</strong> Only Kong offers an AI gateway, leveraging AI for tasks like traffic management and anomaly detection.</li> <li> <strong>Performance:</strong> API7 claims superior performance, but real-world benchmarks may vary.</li> <li> <strong>Cost:</strong> Self-hosting Kong can be cost-effective, SaaS offering pricing are complex, its better to check the fine print and usage patterns <a href="![Image%20description](https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i4tm0nrch9vmd9tkjfpp.png)"> Pricing Models </a> </li> <li> <strong>Service Mesh:</strong> Kong uses Envoy, while API7 uses Istio (which also uses Envoy).</li> <li> <strong>Cloud Costs:</strong> Running AI and API gateways at scale in the cloud can be expensive, Network design, workload pattern and application architecture going to play a critical role in how costly its going to be.</li> </ul> <p>Choosing the Right API Gateway:</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F35qrxqt1rocvduv7rpx5.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F35qrxqt1rocvduv7rpx5.png" alt="Image description" width="800" height="436"></a></p> <p><strong>APISIX(API7):</strong> If performance and native service mesh capabilities are your primary concerns, then API7 might be a good choice. While #APISIX is a top #CNCF project and cloud-native with its out-of-the-box plugins, API7's focus on performance and service mesh integration is a compelling factor.</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F347jlck0bso6wjomq4zm.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F347jlck0bso6wjomq4zm.png" alt="Image description" width="800" height="424"></a></p> <p><strong>Kong:</strong> if that #AIGateway is exiting, in-house team is capable and priority is for long standing community support and self management then considering kong is advisable; you could self mange or opt for enterprise option.<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4tm0nrch9vmd9tkjfpp.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fi4tm0nrch9vmd9tkjfpp.png" alt="Image description" width="800" height="450"></a></p> <p>The best choice between Kong and APISIX depends on organizational inclinations and specific requirements, including the need for AI integration, performance demands, and budget constraints. Carefully evaluate your needs and consider the strengths and weaknesses of each platform to make an informed decision.</p> <p>Considering both are open source in nature/base and a big community driving the adoption, over a period of time, feature coverage would eventually catch-up, so better to be cost &amp; performance conscious when choosing the gateway. Watch out those pricing models; getting on is easy but not getting off :-)</p> <h1> PlatformEngineering </h1> apigateway kubernetes Automating DNS with Confidence: Terraform + DNScontrol Sudhakar Daggubati Mon, 23 Sep 2024 15:09:55 +0000 https://forem.com/mrdaggubati/automating-dns-with-confidence-terraform-dnscontrol-566m https://forem.com/mrdaggubati/automating-dns-with-confidence-terraform-dnscontrol-566m <p>A split origin DNS setup with multi origin and multi subscription creating route via a gateway subnet is complex</p> <p>Its even more challenging to keep it running smoothly and not to break things inadvertently; it's not a joke when people say <code>its all DNS</code> :-)</p> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvtnp3vh4hsl8skeq58u.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fmvtnp3vh4hsl8skeq58u.png" alt="Image description" width="" height=""></a></p> <p>Terraform can automate most of this infra at scale but one aspect that it lacks is management of DNS in a complex setup in which one often need additional capabilities to test and validate before plan is applied.</p> <p>There are multiple scenarios in which lack of this capability makes it hard to customize DNS and do not get into troubles. </p> <h1> Temporary zone and validate before apply </h1> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjh2dktf3z5qzm3msi740.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fjh2dktf3z5qzm3msi740.png" alt="Image description" width="" height=""></a></p> <ul> <li>Use terraform to create temporary DNS zone</li> <li>Use curl or <a href="https://httpie.io/" rel="noopener noreferrer">https://httpie.io/</a> to validate the DNS entries</li> <li>this setup ensures DNS changes are tested and impact is known <ul> <li>Each provider has their own SDK, format that they support and API; for example terraform has no zone file import while azure does besides integration tests are non exist and complex to craft, mostly simple nslookup validation.</li> </ul> </li> </ul> <h1> Combination of native DNS mgmt + Terraform </h1> <p><a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F12btgxy6je7mn0khbp2a.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2F12btgxy6je7mn0khbp2a.png" alt="Image description" width="" height=""></a></p> <p>DNScontrol and Terraform are both powerful tools for managing DNS records, but they have different capabilities and use cases. Let's use them together to make a DNS management predictable and fault proof.</p> <ul> <li>Designed specifically for DNS: DNScontrol is tailored for DNS management, offering features and integrations that are optimized for DNS-related tasks.</li> <li>Flexibility: It provides a high level of flexibility, allowing you to define DNS records using various formats (e.g., YAML, JSON) and supports a wide range of DNS providers.</li> </ul> <p>You could leave whole DNS management to DNSControl or use it for complex validations and DNS records mgmt and use AZ CLI to export and import in a CI/CD task with necessary approval flows +/- terraform.</p> azure terraform dns kyverno-json; to extend kyverno policy rules framework beyond K8S resources Sudhakar Daggubati Wed, 14 Aug 2024 11:06:57 +0000 https://forem.com/mrdaggubati/kyverno-json-to-extend-kyverno-policy-rules-framework-beyons-k8s-resources-5b2d https://forem.com/mrdaggubati/kyverno-json-to-extend-kyverno-policy-rules-framework-beyons-k8s-resources-5b2d <p><a href="https://kyverno.io/" rel="noopener noreferrer"><strong>kyverno</strong></a> is a powerful policy engine for #Kubernetes artifacts governance, What if you need to extend same capabilities beyond Kubernetes resources?<br> <a href="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqi45aol0bc51c3tujped.png" class="article-body-image-wrapper"><img src="https://media.dev.to/cdn-cgi/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Farticles%2Fqi45aol0bc51c3tujped.png" alt="Image description" width="800" height="413"></a></p> <p>Check <a href="https://kyverno.github.io/kyverno-json/latest/" rel="noopener noreferrer">kyverno-json</a>, it is natural extension when one already having #kyverno as policy engine for #k8s governance.</p> <p>Exploring as we got a config driven PaaS infra setup,by extending existing policy coverage to other configuration items and at plan stage itself and as a pipeline, we hope to minimize config induced errors.</p> <p><strong>Kyverno-json</strong> bridges the gap by allowing you to apply Kyverno policies to validate any JSON or YAML data. This opens doors to validating:</p> <ul> <li><p><strong>Terraform files</strong>: Ensure your infrastructure configurations adhere to best practices and security guidelines.</p></li> <li><p><strong>Dockerfiles</strong>: Validate image builds for compliance and prevent potential vulnerabilities.</p></li> <li><p>Cloud configurations: Maintain consistency and avoid errors across your cloud infrastructure.</p></li> <li><p><strong>Authorization</strong> requests: Enforce granular access control at the request level.</p></li> </ul> <p><strong>Beyond Deployment-Time Validation:</strong></p> <p>With kyverno-json, validation extends beyond deployment time:</p> <p><strong>DevOps Pipelines</strong>: Integrate seamlessly into your DevOps pipelines for continuous validation.<br> <strong>Pre-commit hooks</strong>: Enforce validation before code commits, catching errors early in the development cycle.<br> <strong>Atlantis</strong> (Terraform PR Automation): Enhance your Terraform pull request automation with robust validation capabilities., atlantis also doubles up as self service tool for developers.<br> <strong>Makefiles</strong>: Utilize kyverno-json in your makefiles for streamlined validation as part of your build process.</p> <p>Terraform plan can be validated taking its JSON output and passing to CLI when complex validation is required.</p> <p>Terraform input validation is limited, kyverno-json covers a lot more with <a href="https://jmespath.org/" rel="noopener noreferrer">JMESPath </a>; a query language for JSON.</p>