#Infrastructure
300 posts
Docker in Practice #5: Pushing to Registries and Tag Strategy — The :latest Trap
Picking a registry (GHCR vs Docker Hub vs ECR) and tag strategy. Why :latest is dangerous in production, where semver and SHA tags belong, immutable tags, retention policies, and image size management — sorting out what comes after the push.
K8s Advanced #1: CNI in Depth — Calico / Cilium / eBPF
The first post in the K8s Advanced series. In [Intermediate #7](/en/posts/k8s-intermediate-7), one line was left while covering NetworkPolicy: "the manifest is K8s standard, but actually blocking traffic is the CNI plugin's job." This post unfolds that one line. What CNI is, how the same K8s manifest runs differently on Calico vs Cilium, and how eBPF redraws the data plane — all in one cycle.
RHEL Advanced #4: SELinux Advanced — Writing Policy and audit2allow
Going one level higher than the intermediate post: the structure of .te/.fc/.if policy files, the flow and limits of generating modules with audit2allow, the procedure to compile and install with checkmodule / semodule_package / semodule by hand, plus booleans and interfaces — all in one cycle. The goal is to follow an AVC denial all the way through to a permanent policy module.
AWS Advanced #4: API Gateway + Lambda
REST API vs HTTP API differences, Lambda integrations (proxy / non-proxy), routes / methods, authorization (IAM / Cognito / Lambda authorizer), stages / deployments / usage plans — the standard pattern for exposing Lambda over HTTP.
Docker in Practice #4: Building Images in CI — GitHub Actions and BuildKit Cache
The standard for building and pushing Docker images in GitHub Actions. docker/build-push-action, BuildKit GHA cache (type=gha), multi-arch (amd64+arm64) builds, build-time secrets, and build-time optimization — all in a single workflow.
K8s Intermediate #7: RBAC / NetworkPolicy / ResourceQuota — Security and Resource Policy
The final post in the K8s Intermediate series. Through [#6](/en/posts/k8s-intermediate-6) we covered the workload operations model — controllers, persistent data, external entry points, resource model, health checks, autoscaling. This post covers the three objects `RBAC`, `NetworkPolicy`, and `ResourceQuota` that fill the last gap of multi-tenant operation, where multiple teams and environments share one cluster. The three dimensions of who can create objects, what traffic flows, and how much can be made are all bundled as namespace-level policy, and the real value of Namespace briefly noted in [Basics #7](/en/posts/k8s-basics-7) is unfolded by these three objects. Since this is the last post in the series, a 7-post retrospective and a preview of the next track (K8s Advanced) are also included.
RHEL Advanced #3: Performance Analysis — sar, top/htop, iostat, vmstat, perf
Where to look first when a RHEL machine becomes slow. Get the first picture with top/htop, see CPU/memory/IO at once with vmstat, drill into disks with iostat, follow time with sar, and find CPU hotspots with perf — all framed by the USE (Utilization, Saturation, Errors) methodology in one cycle.
AWS Advanced #3: Lambda Basics
Where Lambda fits (vs ECS / EC2), runtime / handler / event / context, sync vs async invocation, cold start and Provisioned Concurrency, concurrency / limits, logging and monitoring — your first AWS serverless building block.
Docker in Practice #3: React/Next.js Build Containers — standalone Output and Where NEXT_PUBLIC Belongs
Wrapping a Next.js app into a container. The deps → build → runner three-stage pattern with standalone output, the build-time-baking issue with NEXT_PUBLIC env vars, the static-export option, and hosting a Vite SPA with nginx.
K8s Intermediate #6: Autoscaling — HPA / VPA / Cluster Autoscaler
The model covered through [#5](/en/posts/k8s-intermediate-5) was at the dimension of a single Pod's resources and health signals. But operational load swings with time, user patterns, and events, and having a person manually adjust `replicas` each time quickly hits a wall. This post walks through the three dimensions of autoscaling that fill that gap — `HPA` which auto-scales Pod count, `VPA` which auto-recommends and adjusts a Pod's resource requests/limits, and `Cluster Autoscaler` which auto-adds and removes nodes themselves — in one cycle. The metrics-server precondition, HPA's `autoscaling/v2` manifest and algorithm, the asymmetric `behavior` of scale up/down, custom metrics and KEDA, VPA's three components, HPA/VPA conflict, Karpenter — all included.
RHEL Advanced #2: Kernel Tuning — sysctl, tuned, kdump
Using sysctl to adjust kernel behavior at runtime, separating permanent settings into /etc/sysctl.d/, swapping workload profiles in one line with tuned, and capturing memory dumps at the moment of a kernel panic with kdump and analyzing them with crash — all in one cycle. Common keys like vm.swappiness and net.core.somaxconn, and the differences between tuned profiles, are covered together.
AWS Advanced #2: ECR — Image Registry
Amazon ECR private / public, IAM auth, docker push / pull, image scanning, lifecycle policies, multi-architecture (linux/amd64 + arm64) — where the images that ECS and Lambda will pull actually live.