DevOps

DevOps integrates and automates the work of software development (Dev) and IT operations (Ops) as a means for improving and shortening the systems development life cycle.

Icon base by Lorc under CC BY 3.0 with modifications to add a gradient

founded 2 years ago
1
 
 

TLDR; If you're looking for great engineering and best-practices... you should move away now. I'm creating a solution to a problem that nobody (including myself) has. I'm working with module federation between multiple cloud-providers to create an app that can use interoperable modules from multiple sources.


I have a webapp that I deploy with aws-cdk. It's a static webapp that I have on S3.

AWS-cdk works as expected, but now I would like to investigate a multicloud deployment, using something like pulumi or terraform (but not limited to those).

Most vendors have something like S3 and so I would like to have something that can deploy to multiple cloud vendors simultaneously.

In that approach, I would like an exhaustive number of vendor providers. I don't just want the top vendors like aws, gcloud, azure... But I'm looking for something that can also handle providers overseas like Alibaba cloud, Kamatera and I'm sure many I haven't heard of.

My project only needs something like S3 (static server) so I don't expect that being exhaustive in providers would be too expensive.

I'm looking for something like terraform or pulumi, but I haven't used either enough to settle on one. When deploying to the S3 equivalent, I don't want it to deploy to either GCloud or Azure... I want it to be able to deploy to both.

(aws-cdk is handling things like the TLD so I think I'll have to stick with that setup.)


To provide more context about what I'm trying to do, I created a webapp that uses webpack module federation. (see my profile for more details)

The aim is for a resilient infrastructure. S3 is not expected to fail, but in a multicloud approach, if any cloud provider has issues, I want there to already be multiple redundancies in place.

I deploy the same app on gh-pages and aws-s3. It's set up in a way that it can interoperate with statics from aws-s3 or gh-pages. It works as expected.

https://positive-intentions.com/blog/statics-as-a-chat-app-infrastructure#module-federation-in-action

I'd like to scale that up further, so the next level after that is to have something that can deploy to multiple cloud providers.


(Unrelated but worth mentioning: I will also be adding SRI on those imported static files to make sure they have a content-hash that matches expectations. I won't have to "trust" that the providers are serving the correct statics.)

2
 
 

Hi guys, I wanted to share a project I’ve been working on called xSpa. It's an implementation of Single Packet Authorization that works at the XDP level.

I built this because I wanted something faster and more DDoS-resilient than traditional port-knocking or SPA tools that rely on userspace processing or iptables. Here, the "drop-all" logic happens right at the driver level.

Key bits:

L1 verification (SipHash) in kernel space.

L2 (ChaCha20-Poly1305) in Go userspace.

It uses the eBPF ring buffer for communication.

This is my first Go project and my first shot at Open Source. I’m still a bit of a noob when it comes to kernel-level programming, so I’d love to get some feedback on the architecture and security. If anyone has time to check the code, I’d love to hear your thoughts on how to make it better.

3
 
 

Compiled the curl tricks I use for debugging production issues. The two biggest time savers:

  1. The -w flag for detailed timing (DNS, connect, TLS, first byte, total) — instantly shows where latency lives
  2. --resolve for bypassing DNS and hitting specific IPs with correct Host headers — essential for testing deployments before DNS propagation

Also covers retry with backoff, file uploads, .curlrc defaults, and JSON workflows.

4
 
 

Wrote up the 5 steps I run on every new server before doing anything else. Nothing novel for experienced admins, but useful as a checklist:

  1. ed25519 key auth
  2. Disable PasswordAuthentication
  3. Non-standard port (kills 99% of brute force noise)
  4. fail2ban (3 attempts, 1h ban)
  5. AllowUsers + MaxAuthTries limits

Full commands and sshd_config snippets in the article. What would you add?

5
 
 

PVS-Studio announces a webinar on how to effectively integrate SAST into DevSecOps.

The host: Anton Tretyakov, an experienced DevOps engineer at PVS-Studio.

Whether you're modernizing your security practices or optimizing existing processes, this session will provide actionable insights to help you build secure code—faster.

Date: March 19, 2:00 PM UTC+1

6
 
 

When setting resources on Kubernetes pods, I'm finding it very difficult to achieve good memory efficiency.

I'm using the "no CPU limits, set memory=limits" philosophy that I hear heavily recommended on the internet.

The problem is that many pods will have random memory spikes. In order for them not to be OOM Killed, you have to set the memory requests for them above their highest spike, which means most of the time they're only using like 25% or so of their memory allocation.

I've been trying to optimize this one cluster, and on average I'm only getting 33% of the total memory requested for all the pods in the cluster actually being used. Whenever I try decreasing some pod's memory requests, I eventually get OOMs. I was hoping I could reach closer to 50%, considering that this particular cluster has a stable workload.

I'm sure that I could optimize it a bit better, but not by much.

Is this a shared experience in Kubernetes? That you ultimately have to sacrifice a lot of memory efficiency.

7
 
 

The number of questions on Stack Overflow fell by 78 percent in December 2025 compared to a year earlier. Developers are switching en masse to AI tools in their IDEs, making the popular developer forum increasingly irrelevant.

8
9
10
 
 

I’ve been working on a "Linux Inside Out" series and wrote a post that might interest folks here who like low(ish)-level / OS internals.

The idea is to dissect the components of a Linux OS, layer by layer, and build a mental model of how everything fits together through experiments.

The first part is about the kernel. In the post I:

  • take the same kernel image my distro boots from /boot
  • boot it directly with QEMU (no distro, no init system)
  • watch it panic
  • write a tiny Go program and use it as PID 1
  • build a minimal initramfs around it so the kernel can actually start our process

The goal isn’t to build a real distro, just to give a concrete mental model of:

  • that the Linux kernel is just a compressed file, you can boot it without anything else
  • what the kernel actually does at boot
  • how it hands control to userspace
  • what PID 1 / init is in practice
  • what is kernel space vs user space

Link: https://serversfor.dev/linux-inside-out/the-linux-kernel-is-just-a-program/

I’m the author, would be happy to hear from other devs whether this way of explaining things makes sense, and what you’d add or change for future posts in the series.

Hope you find it useful.

11
12
13
 
 

Hi all,

I'm on a team right now that is converting a lot of apps that are running on ec2 over to eks, and we're starting with apps that make the most sense for eks. Apps like LGTM stack which have lots of distributed components, Airflow, etc.

We're setting up flux and renovate which really streamlines maintenance, and I like it so much that I'm wondering about converting apps that aren't particularly well suited for kubernetes over to eks just to use the same toolset.

We have some apps on ec2 that are essentially just a single docker container, they can be run in parallel but they don't have to talk to each other.

Some of these apps don't require many resources, so the $70 / month control plane cost of EKS is significant, which I imagine is the biggest reason we wouldn't convert over.

Just curious what thoughts are on this.

14
15
16
17
 
 

cross-posted from: https://feddit.nl/post/43404968

How-to: Cloudnative PG serving MongoDB with Automated Recovery from Continuous Backups

First post on my personal blog!

18
 
 

cross-posted from: https://lemmy.ml/post/35239632

Maak: The infinitely extensible command runner, control plane and project automator à la Make (written in Guile Scheme - Lisp)

https://codeberg.org/jjba23/maak

Free yourself of repetitive, lacking, weird and arcane Makefiles. After some weeks working on this project, I am upstreaming it to Guix so soon you all can enjoy.

https://codeberg.org/guix/guix/pulls/2132

Also, see here an advanced example of a Maak file: https://codeberg.org/jjba23/sss/src/branch/trunk/maak.scm

With the full power of Scheme (Guile) directly in your command runner/control plane, easily define functions, data, lists, loop through them, macros, etc.

Maak has as its core mission being your control center or command plane, and acting as a command runner, not necessarily a build system, so it avoids much of Make's complexity. No need for .PHONY recipes here.

Maak replaces the arcane syntax of Make with the power and elegance of a full-featured programming language: GNU Guile Scheme λ.

Instead of learning a limited DSL, you can leverage your existing Lisp skills to define tasks, manage data, and automate your workflows with ease. Define functions, manipulate lists, use conditionals, create macros—the entire language is at your disposal.

You can also easily call external shell commands and integrate with your existing scripts and tools.

19
20
 
 

I recently completed a project that involved a lot of deep diving into some newer k8s-related tools. I'd like to document my findings so that they may help others, but I don't know where to put them. Years ago, Medium seemed like an option, but it sucks now with all the monetization. Substack supports nazis, so not there either. Where do I post?

21
 
 

@devops is this lemmy now?

22
 
 

Hi DevOps, what do you think your ideal programming language would look like? I mean a language in which you would write pipeline logic, like Python or Bash, not define pipeline steps itself, like YAML.

I think for me it would have:

  • very clean and readable syntax
  • immutable state by default
  • strong typing
  • strong tooling and IDE support
  • focus on things DevOps needs, like JSON and file manipulation
  • absence of dangerous things like pointers
23
24
 
 

What are your preferred strategies when a MySQL/MariaDB database server grows to have too much traffic for a single host to handle, i.e. scaling CPU/RAM or using regular replication is not an option anymore? Do you deploy ProxySQL to start splitting the traffic according to some rule to two different hosts?

Has anyone migrated to TiDB? In that case, what was the strategy to detect if the SQL your app uses is fully compatible with TiDB?

25