Technology Short Take 185

Welcome to Technology Short Take #185, the first of 2025! I’m excited for the opportunity to continue to bring readers articles and links of interest across data center- and cloud-related technologies (along with some original content along the way). I had originally intended for this post to be my last post of 2024, but personal challenges got in the way. Enough of that, though—on to the content!

Networking

• Rasika Nayanajith has a detailed overview of Wi-Fi 7.
• Just before the end of 2024, John Howard (whose blog I only recently discovered—lots of great content there!) posted a write-up on using Vault to provision TLS certificates onto a network appliance.
• Federico Paolinelli shared information on running Podman pods as systemd units in the context of an architecture to terminate EVPN inside Kubernetes nodes. Federico’s blog is another one I only recently discovered; there’s lots of great networking content here.
• Julio Perez has a nice write-up on Codespaces for network engineers and educators. (Hat tip to Ivan Pepelnjak for pointing me to Julio’s site.)

Servers/Hardware

• Bryan Cantrill shares some thoughts on why Gelsinger was wrong for Intel.

Security

• Brian Krebs’ article on the operations of a prolific voice phishing crew was both enlightening and frightening.
• ESET has an article with information on Bootkitty, which they label as “the first UEFI bootkit designed for Linux systems.”

Cloud Computing/Cloud Management

• I haven’t personally used mirrord, but this article on port forwarding with mirrord piqued my interest. I might have to give this a try soon.
• Rory McCune asks the question, “When is read-only not read-only?” (This is in the context of a Kubernetes RBAC and, in Rory’s words, “a possible sharp corner”.)
• Frederic Branczyk with Polar Signals discusses kubezonnet, a tool for identifying and measuring cross-zone pod network traffic in Kubernetes clusters.
• This article is a good write-up on troubleshooting/identifying a memory leak that wasn’t actually there.
• Dan Slimmon reviews the metrics that are relevant to latency- and throughput-optimized clusters.

Operating Systems/Applications

• This article from Edward Zitron is a scathing indictment of generative AI, but I can’t really disagree with any of it. My hope—and the hope of others I’ve talked to that share the same perspective—is that the fall of GenAI doesn’t mean the fall of the entire tech economy.
• Matthew Sanabria shares a list of tools worth changing to in 2025. None of these tools are new to me, but it’s nice to hear about another user’s direct experience. I will say that I have thus far dismissed LLMs—see my thoughts about generative AI in the previous bullet—but I may reconsider local use of an LLM via Ollama. I don’t have a GPU to throw at it, so the experience may be subpar.

Virtualization

• William Lam kicks off his 2025 blogging content with an article on an easier way to simulate custom ESXi SMBIOS hardware strings.

Career/Soft Skills

• Does social media count as a soft skill? I’m going to say “Yes” so that I can put Virginia Craft’s article on how to quit mainstream social media and join Mastodon in this section. Twitter/X is the only “mainstream social media” platform I use, and—if I’m honest—I’m using it less these days in favor of Mastodon and Bluesky.
• Something Tom Hollingsworth said in his recent post looking back at 2024 really stuck with me: “I want to make sure I’m bringing you the kind of content that you want to read instead of just posting because I need to create something.” That really resonated with me. I know my blogging frequency has gone down in recent years, but I don’t want to sacrifice blogging quality just for the sake of posting more often. Thanks, Tom—it’s nice to know that other writers have the same struggles I do.

That’s all for now. If you have any feedback, or if you just want to reach out and say hello, you can find me online in a variety of places. My email address isn’t too hard to find, so you’re welcome to drop me an email message if that’s your preference. Otherwise, find me on Bluesky, on Mastodon, on Twitter, and in a variety of Slack communities. I’d love to hear from you!

Using Multiple AWS Regions with Pulumi and S3 Backend

For a while now, I’ve been using Direnv to manage environment variables when I enter or leave certain directories. Since I have to work with more than one AWS account, one of the use cases for me has been populating AWS-specific environment variables, like AWS_REGION or AWS_PROFILE. This generally works really well for me, but recently I ran into a bit of a corner case involving multiple AWS regions, Pulumi, and using S3 as the Pulumi backend. In this post, I’ll share the workaround that allows this configuration to work as expected.

I describe this as a “bit of a corner case” because it only affects specific configurations (which included my configuration):

• You must be setting the AWS_REGION environment variable and not setting the aws:region configuration value used by the Pulumi AWS provider.
• You must be using S3 as the backend for Pulumi, and using an S3 URL of s3://bucket-name.
• You want to deploy resources into an AWS region that is different than the AWS region where the backend state bucket resides.

In my specific situation, my backend state bucket resides in the AWS us-west-2 (Oregon) region, as this offers the lowest latencies from my home office in Colorado. I control this via the PULUMI_BACKEND_URL environment variable using the s3://bucket-name syntax. I needed to deploy resources into the us-east-2 (Ohio) region, so I set the AWS_REGION environment variable accordingly. Because I used AWS_REGION, I did not set the aws:region Pulumi provider configuration value.

When I ran pulumi stack init to create a Pulumi stack for the Ohio resources, I got an error message containing the text “incorrect region, the bucket is not in ‘us-east-2’ region at endpoint ‘’, bucket is in ‘us-west-2’ region”.

After a bit of Googling, I realized the problem: Pulumi was looking for the backend state bucket in the region specified by AWS_REGION. How, then, does one deploy to one AWS region when needing to use a backend state bucket in a different region?

The answer sits buried in this section of the Pulumi documentation; specifically, in this callout (emphasis mine):

As of Pulumi CLI v3.33.1, instead of specifying the AWS Profile, add awssdk=v2 along with the region and profile to the query string.

Ah ha! All that’s required is to amend the PULUMI_BACKEND_URL setting to look something more like this:

s3://bucket-name?region=us-west-2&awssdk=v2&profile=aws-profile

That worked perfectly—Pulumi now knew to look for the backend state bucket in the us-west-2 (Oregon) region while deploying resources to the region specified by the AWS_REGION environment variable. In theory, since I didn’t need to use different AWS profiles for the backend state bucket versus where resources live, it might be possible to remove &profile=aws-profile from the S3 URL. I haven’t tested that yet.

There you have it—to use different AWS regions for your S3 backend state bucket and the resources you’re deploying, make sure your PULUMI_BACKEND_URL setting properly includes the region in the URL as described above.

I hope this helps someone else out there! Hit me up on Twitter, on Mastodon, or on Bluesky if you have any feedback or any questions.

Technology Short Take 184

Welcome to Technology Short Take #184! This Tech Short Take is a bit shorter than the usual ones, but then again this week—at least in the US—is a bit shorter than most weeks due to the Thanksgiving holiday. Even so, I hope that I’ve managed to include some information that folks find useful. Also, thanks to some feedback from readers, I’ve tried hard to ensure that links are more descriptive and informative than they’ve sometimes been in the past; let me know how I did. Now, on to the content!

Networking

• I love reading geeky blog posts like this one that combines Linux network namespaces with WireGuard for VPN split tunneling. Neat stuff.
• Scott Laird shares his experience using Pulumi to connect UniFi and Netbox together in his home network.

Security

• Ofek Itach and Yakir Kadkoda discuss a security vulnerability in AWS CDK that could—under the right conditions—allow an attacker to gain administrative access to an AWS account.
• Carlos Mora reviews a (now-patched) confused deputy vulnerability in Amazon DataZone.

Cloud Computing/Cloud Management

• Luc van Donkersgoed explains how he optimized caching for his AWS News site to improve performance.
• Rory McCune takes a moment to explain the many IP addresses of Kubernetes (like node addresses, pod addresses, and service addresses).
• SkyScalpel is an open source tool that “obfuscates, deobfuscates, and detects obfuscated JSON documents”. It makes perfect sense now, but before reading about SkyScalpel I hadn’t considered the idea of obfuscating JSON documents in policy statements (such as an AWS IAM policy) to hide the policy’s true intent. Sneaky hackers!
• Adriana Villela reviews troubleshooting an issue with GitHub Codespaces and KinD (Kubernetes-in-Docker).
• The AWS open source newsletter is always a great source of information; check out issue #204.
• Similarly, the AWS Cloud Security weekly newsletter is another great source of information. Here’s a link to issue 71.

Operating Systems/Applications

• Soatok provides some guidance on what to use instead of PGP.
• Announced recently at KubeCon North America, the eBPF community has recently released an eBPF Security Threat Model and an eBPF verifier code audit. More details are available in this blog post from the eBPF Foundation.
• This blog post lays out a slightly different reason for choosing Linux as your primary operating system.
• Chainguard recently released kernel-independent FIPS images.
• I like kustomize but it seems like the functionality the tool offers—as well as the syntax behind the YAML files it uses—is constantly changing. Here’s a case in point: Nick Janetakis describes the replacement functionality for commonLabels, patchesJson6902, and patchesStrategicMerge. I genuinely believe that one of the reasons kustomize hasn’t seen greater adoption is that users are having a hard time keeping up with all the changes required to use it.

Storage

• Stephen Foskett discusses how to migrate from Docker Volumes to external storage.

Career/Soft Skills

• Bluesky has been taking off recently as an alternative/replacement for X/Twitter; you can even find yours truly on Bluesky. Bret Fisher has a good “introduction”-type post on Bluesky, and this treatise is helpful if you’re concerned/wondering about Bluesky and decentralization.
• Tom Hollingsworth extols the virtues of being flexible by invoking Gumby, that lovable childhood toy.

That’s all for this week! To my readers in the US, I hope that you have a safe and enjoyable Thanksgiving holiday. In spite of whatever may be happening in the world, there are many things for which to be thankful! For my readers outside the US, I hope that you have an enjoyable rest of the week. Be thankful for the decrease in email from your US-based colleagues! Finally, feel free to follow me or interact with me on social media; I’m available on Twitter, on the Fediverse (via Mastodon), and on Bluesky. I’d love to hear from you!

EKS, Bottlerocket, and Cilium with Pulumi

In late 2023, I added some Go code for use with Pulumi to stand up an Amazon Elastic Kubernetes Service (EKS) cluster “from scratch,” meaning without using any prebuilt Pulumi components (like the AWSX VPC component or the EKS component). The code is largely illustrative for newer users, written to show how to stitch together all the components needed for an EKS cluster. In this post, I’ll show you how to modify that code to use Bottlerocket OS as the node OS for your EKS cluster—and share some information on installing Cilium into (onto?) the cluster.

The example code can be found in the pulumi/eks-from-scratch folder in my “learning-tools” GitHub repository. As I mentioned, it’s written in Go, and the associated README file has full instructions for how to use that code in your own environment. Since the code was intended to be illustrative, I have tried to provide enough comments in the code for readers to be able to decode what’s happening without too much difficulty.

To use Bottlerocket OS on the EKS nodes in your cluster, you’ll have to modify the main.go file. Specifically, changes are needed in the section of code that creates a node group (starting on line 62):

// Create a node group for the EKS cluster
_, err := eks.NewNodeGroup(ctx, "node-group", &eks.NodeGroupArgs{
    ClusterName: testCluster.Name,
    // Additional code omitted for brevity
})

Amazon EKS node groups support specifying an AMI type. You’ll leverage this functionality to provide a value (found on this page in the Amazon EKS documentation) that instructs EKS to use Bottlerocket OS. You’ll supply this value via the amiType argument to Pulumi’s node group resource (described in more detail on this page in the Pulumi documentation).

If you modify main.go to add the amiType to the node group definition, then it should look something like this:

// Create a node group for the EKS cluster
_, err := eks.NewNodeGroup(ctx, "node-group", &eks.NodeGroupArgs{
    amiType: pulumi.String("BOTTLEROCKET_x86_64") // Or BOTTLEROCKET_ARM_64
    ClusterName: testCluster.Name,
    // Additional code omitted for brevity
})

Optionally, you could also include the instanceTypes argument to the node group definition, which would allow you to control the specific instance types that Amazon EKS would use in the node group.

Once you make that change, just run pulumi up and watch Pulumi do its magic. When it’s all said and done (it’ll take a little bit of time, so go grab coffee or tea while you wait), you’ll have an Amazon EKS cluster with nodes running Bottlerocket OS. If you’re at all unsure why that’s a (generally) good thing, then I encourage you to check out the Bottlerocket OS web site for more details on Bottlerocket OS and its advantages over a traditional general purpose OS.

(I’m also working on how to use Flatcar Container Linux on EKS nodes, but that’s proving to be a tad more difficult.)

Once the cluster is up and running, then installing Cilium is a matter of following the instructions, found on this page in the Cilium documentation. However, if I know in advance that I’m planning to deploy Cilium on the cluster, then there are a few additional changes I make to my Pulumi code.

Put these changes in your main.go file, starting on line 47 where the EKS cluster itself is defined:

// Create an EKS cluster
testCluster, err := eks.NewCluster(ctx, "test-cluster", &eks.ClusterArgs{
    DefaultAddonsToRemoves: pulumi.StringArray{ // This line is new
        pulumi.String("vpc-cni") // Prevents default CNI from being installed
        pulumi.String("kube-proxy") // If using Cilium kube-proxy replacement
    },
    Name: pulumi.String("testcluster"),
    // Additional code omitted for brevity
})

These additional lines (the DefaultAddonsToRemoves argument and its parameters) prevent Amazon EKS from installing certain default add-ons. In this example, the AWS VPC CNI and kube-proxy are not installed. This allows you to more easily install Cilium in ENI mode with kube-proxy replacement functionality (you can skip a couple of steps related to cleaning up configurations from these components), but the drawback is that the Pulumi program takes far longer to run since the EKS nodes never go into a ready state. For me, the tradeoff is worth it; however, you’ll need to decide for yourself which approach works best in your environment and for your situation.

That’s all I have to share this time around! While I didn’t share anything revolutionary or incredibly insightful, I hope that sharing this information in the context of example code has been useful. If you have any questions, I’d certainly love to hear from you; feel free to reach out to me on Twitter, on the Fediverse, in the Cilium Slack instance, or via e-mail. Thanks for reading!

Technology Short Take 183

Welcome to Technology Short Take #183! Fall is in the air; the nights and mornings are cooler and the leaves are turning (or have already turned in some areas!). I’ve got a slightly smaller collection of links for you this time around, but I do hope that you’ll find something shared here useful. Enjoy!

Networking

• Network World provides some coverage of the recent 2024 eBPF Summit, discussing why eBPF is critical and how it’s getting better.
• I first learned of Kmesh via this article by Jimmy Song. There’s no doubt eBPF is impacting lots of different areas of networking; this is just one more example.
• ARM-based architectures continue to see expanded usage in lots of different areas; here’s just one more example.

Security

• This article is a fascinating look into a series of misconfigurations and security flaws that culminates with full cluster admin privileges and access to internal software repositories. Wow! Remember, kids: outbound sidecars are not secure enforcement points.
• A group of individuals being able to accidentally become the admins of a top-level domain (TLD) underscores just how fragile many parts of the Internet are today.
• Ricky Mondello (who works on Apple’s new Passwords app) advises people to consider slowing down when switching password managers.
• James Sheard discusses a (now patched) security flaw in AWS Transit Gateway Peering Attachments.
• This article discusses a security vulnerability in the Arc browser; more specifically, in the Arc browser’s companion online services.
• A botnet of up to a quarter million devices?

Cloud Computing/Cloud Management

• Spurred on by a comment from a colleague that in turn pointed me to a random GitHub issue, I’ve learned about CEL (Common Expression Language). You can learn more about CEL via the CEL web site. Why does this matter? This is notable for its inclusion in Kubernetes, and the use of CEL in Validating Admission Policies (which are GA as of Kubernetes 1.30). I do wonder about the future of other tools used for admission control (top of mind for me is OPA/Gatekeeper) and how CEL will affect them.
• In the event you aren’t familiar with the structure of a Kubeconfig file (for connecting to a Kubernetes cluster), this article is somewhat helpful.

Operating Systems/Applications

• Minderbinder is a tool that injects failures into running processes via eBPF. I could be reading this wrong, but it looks like Minderbinder is (currently) focused around injecting network-centric failures.
• I haven’t tried this out yet, but it looks interesting/useful.
• Thinking of trying Arch Linux? Here’s a walkthrough of setting it up on a laptop.
• I am absolutely in love with kubecolor.

Programming/Development

• Here’s a good article on rate limiting, cells, and GCRA.

Virtualization

• Gina Minks mourns the loss of the vCommunity after attending VMware Explore (formerly VMworld) in Las Vegas. While we might disagree whether the Broadcom acquisition was a good thing or not, and while we might disagree about the future of VMware, I think we can agree that the VMware Community of days past is on its way out (some might say it’s already gone). Gina rightfully calls out just how unique the VMware community was during its heyday—I am thankful to have been a small part of it.
• Eric Sloof recently shared a link to a set of performance best practices for vSphere 8.0 Update 3, if that’s what you’re using.

That’s all for now, folks! Thanks for reading; I appreciate the opportunity to share information with you. If you have any feedback for me—or if you just want to say hi—feel free to reach out to me on Twitter, on the Fediverse, in one of the Slack communities I frequent, or by dropping me an e-mail (my address isn’t hard to find). I’d love to hear from you!

Technology Short Take 182

Welcome to Technology Short Take #182! I have a slightly bulkier list of links for you today, bolstered by some recent additions to my RSS feeds and supplemented by some articles I found through social media. There should be enough here to keep folks entertained this weekend—enjoy!

Preloading Extra Images with Kubernetes Image Builder

The Image Builder project is a set of tools aimed at automating the creation of Kubernetes disk images—such as VM templates or Amazon Machine Images (AMIs). (Interesting side note: Image Builder is the evolution of a much older Heptio project where I was a minor contributor.) I recently had a need to build a custom AMI with some extra container images preloaded, and in this post I’ll share with you how to configure Image Builder to preload additional container images.

Storing Pulumi State in the Project Directory

Pulumi, like Terraform and OpenTofu, has the ability to store its state in a supported backend. You can store the state in one of the blob/object storage services offered by the major cloud providers, via Pulumi’s SaaS offering (called Pulumi Cloud), or even locally. It’s this last option I’ll explore a little bit in this post, where I’ll show you how to configure Pulumi to store the state in the project directory instead of somewhere else.

Review: Lenovo ThinkPad X1 Carbon Gen11

I’ve recently had the opportunity to start using a Lenovo ThinkPad X1 Carbon (X1C) Gen11 as my primary work system. Since I am not a Windows person—I don’t think I’ve used Windows as a daily driver since before the turn of the century—I’m running Linux on the X1C Gen11. Now that I’ve had a few weeks of regular use, in this post I’ll provide my review of this laptop.

Technology Short Take 181

Welcome to Technology Short Take #181! The summer of 2024 is nearly over, and Labor Day rapidly approaches. Take heart, though; here is some reading material for your weekend. From networking to security and from hardware to the cloud, there’s something in here for just about everyone. Enjoy!

Using SOPS with Pulumi

I was first introduced to SOPS at a platform engineering event hosted in Denver last year. SOPS, which is an acronym for Secrets OPerationS, describes itself as “an editor of encrypted files that supports YAML, JSON, ENV, INI and BINARY formats and encrypts with AWS KMS, GCP KMS, Azure Key Vault, age, and PGP” (taken directly from the project’s GitHub repository). In this post, I’ll explore using Pulumi with SOPS—and I’ll also touch upon whether this combination of tools offers value or users or not.

Bootstrapping Talos Linux over SSH

For those that aren’t aware, Talos Linux is a purpose-built Linux distribution designed for running Kubernetes. Bootstrapping a Talos Linux cluster is normally done via the Talos API, but this requires direct network access to the Talos Linux nodes. What happens if you don’t have direct network access to the nodes? In this post, I’ll share with you how to bootstrap a Talos Linux cluster over SSH.

Using Vale to Improve my Writing

Back in March of this year, I talked about how I started using markdownlint-cli to perform linting against the Markdown source files that are used by Hugo to generate this site. At the same time, I also started exploring the use of similar tools to check (or lint, if you will) my writing itself. In this post, I’ll share with you how I started using Vale to perform some checks against my writing.

Technology Short Take 180

Welcome to Technology Short Take #180! It’s hard to believe that July is almost over, and that 2024 is flying past us. It’s probably time that you, my readers, took some time to slow down and read more technical blogs. To help with that, I just happen to have a little collection of links to share. Enjoy!

Using a Git Commit Template

Although I’m sure that I’d seen or read about Git commit templates previously, the idea of using a Git commit template was brought to the forefront recently with the release of version 11 of Tower for Mac. When I’m using macOS, Tower is my graphical Git client of choice. However, most of my Git operations are via the terminal, and I’m not always using macOS (I also spend a fair amount of time using Linux). For that reason, I wanted to implement a more “platform-neutral” solution to Git commit templates. In this post, I’ll share with you what I learned about using a Git commit template.

Technology Short Take 179

Welcome to Technology Short Take #179! I’m back with another set of links to articles on various data center- and IT-related topics. In the interest of full transparency, I’d like to give credit to Russ White for his “Weekend Reads” series of posts, which are similar in nature to my Technology Short Takes. If you aren’t reading Russ’ “Weekend Reads” posts, you’re missing out on a good source of useful information. Several of the links included below are taken from recent posts by Russ. Thanks, Russ—and to all the other content creators and content curators referenced here—for your great work! Now, on to the content.

Technology Short Take 178

Welcome to Technology Short Take #178! This one is notably shorter than many of the Technology Short Takes I publish; I’m still trying to fine-tune my collection of RSS feeds (such a useful technology that seems to have fallen out of favor), removing inactive feeds and looking for new feeds to replace them. Regardless, I have managed to collect a few links for your reading pleasure this weekend. Enjoy!

Endpoint Selectors and Kubernetes Namespaces in CiliumNetworkPolicies

While performing some testing with CiliumNetworkPolicies, I came across a behavior that was unintuitive and unexpected to me. The behavior centers around how an endpoint selector behaves in a CiliumNetworkPolicies when Kubernetes namespaces are involved. (If you didn’t understand a bit of what I just said, I’ll provide some additional explanation shortly—stay with me!) After chatting through the behavior with a few folks, I realized the behavior is essentially “correct” and expected. However, if I was confused by the behavior then there’s a good chance others might be confused by the behavior as well, so I thought a quick blog post might be a good idea. Keep reading to get more details on the interaction between endpoint selectors and Kubernetes namespaces in CiliumNetworkPolicies.

Getting Barrier Working Between Arch Linux and Ubuntu

I recently had a need to get Barrier—an open source project aimed at enabling mouse/keyboard sharing across multiple computers, aka a “software KVM”—running between Arch Linux and Ubuntu 22.04. Unfortunately, the process for getting Barrier working isn’t as intuitive as it should be, so I’m posting this information in the hopes it will prove useful to others who find themselves in a similar situation. Below, I’ll share how I got Barrier working between an Arch Linux system and an Ubuntu system.

Technology Short Take 177

Welcome to Technology Short Take #177! Wow, is it the middle of May already? The year seems to be flying by—much in the same way that all these technical articles keep flying by my Inbox, occasionally getting caught and included here! In this Technology Short Take, I have links on things ranging from physical network designs to running retro operating systems as virtual machines. Surely there will be something useful in here for you!

• Tracking EC2 Instances used by EKS with AWS CLI 17 Apr 2024
• Tracking ENIs used by EKS with AWS CLI 15 Apr 2024
• Technology Short Take 176 15 Mar 2024
• Linting your Markdown Files 1 Mar 2024
• Technology Short Take 175 23 Feb 2024
• Technology Short Take 174 9 Feb 2024
• Using NAT Instances on AWS with Pulumi 5 Feb 2024
• Using SSH with the Pulumi Docker Provider 22 Jan 2024
• Technology Short Take 173 19 Jan 2024
• Technology Short Take 172 5 Jan 2024
• Selectively Replacing Resources with Pulumi 3 Jan 2024
• Dynamically Enabling the Azure CLI with Direnv 18 Dec 2023
• Conditional Git Configuration 15 Dec 2023
• Automatically Transforming Git URLs 11 Dec 2023
• Technology Short Take 171 8 Dec 2023
• Saying Goodbye to the Full Stack Journey 17 Nov 2023
• Guest Post: Moving Secrets Where They Belong 12 Oct 2023
• Assigning Tags by Default on AWS with Pulumi 11 Sep 2023
• Technology Short Take 170 8 Sep 2023
• Mac, iPad, or Both? 28 Aug 2023
• Technology Short Take 169 11 Aug 2023
• Spousetivities Returns to VMware Explore 2023 7 Aug 2023
• Technology Short Take 168 12 May 2023
• Technology Short Take 167 7 Apr 2023
• Creating a Talos Linux Cluster on Azure with Pulumi 31 Mar 2023
• Technology Short Take 166 10 Mar 2023
• Creating a Talos Linux Cluster on AWS with Pulumi 24 Feb 2023
• Technology Short Take 165 17 Feb 2023
• Stage Manager is Incomplete 9 Feb 2023
• Installing the Prerelease Pulumi Provider for Talos 8 Feb 2023