Blog
Notes from the journey. Things I've built, lessons learned and concepts that finally clicked.
Running AI models on your own hardware is more practical than it sounds. This covers why local inference is worth the setup, how Hugging Face fits into the picture, the security and cost arguments that actually hold up and how to get something running without spending a week on configuration.
What two days at DevOpsCon Amsterdam taught me about where I am in my DevOps journey, the talks that stuck, the tools I had never heard of and the knowledge gaps I am taking home to close.
How I created a timeline for myself to start visualising my DevOps journey.
The mental models that finally made containers click: layers, volumes and networking.
A visual breakdown of the four foundational building blocks every Kubernetes user needs to understand before going further.
A practical guide to the three core Service types. What they do, when to use each and how they layer on top of each other.
How K9s turns painful kubectl commands into a fast, interactive terminal dashboard and why it belongs in every Kubernetes workflow.
When the cluster state and the repository state start diverging quietly, nobody notices until something breaks in a way that is hard to explain. Argo CD keeps them in sync by treating Git as the single source of truth.
All three services run Kubernetes and expose the same API. The differences are in how deeply they integrate with their cloud, where they put the operational burden and how much they abstract away. Here is how to think about each one.
OpenShift takes Kubernetes as its foundation and adds everything upstream deliberately left out: a built-in registry, a container build system, opinionated networking and security defaults that are meaningfully stricter than a bare cluster. Here is what that looks like in practice.
A freshly created Kubernetes cluster will accept almost anything. RBAC is the mechanism that changes that. Here is how Roles, ClusterRoles, bindings and subjects compose into a permission model that keeps workloads and humans scoped to exactly what they need.
LoadBalancer Services get expensive fast. Ingress puts a single entry point in front of all your HTTP workloads, handles TLS in one place and routes by hostname and path without provisioning a separate load balancer for every Service.
Pod storage resets on every restart. PersistentVolumes, PersistentVolumeClaims and StorageClasses are how Kubernetes separates the concern of providing storage from the concern of requesting it, making stateful workloads possible without tying workloads to specific infrastructure.
A pod without a node assignment sits in Pending, waiting. The scheduler is what resolves that. It filters out nodes that cannot work, scores the ones that can and binds the pod to the best match. Understanding how it makes that decision explains most placement behaviour in a cluster.
Most pods go through the API server. Static pods skip all of that. They are defined by files on a node's filesystem and managed entirely by the kubelet. No scheduler. No controller. No API server required. This is how the control plane bootstraps itself.
Node affinity lets pods choose where they go. Taints let nodes decide what they will accept. A tainted node repels every pod that does not carry a matching toleration. It is how Kubernetes reserves node pools, handles node conditions and manages workload isolation without separate clusters.
The scheduler places pods on nodes with enough capacity. When the node itself matters, you need node affinity. It lets you express hard requirements and soft preferences using label matching operators that go well beyond what a simple nodeSelector can do.
In a shared cluster, nothing stops one namespace from consuming all available CPU and memory. ResourceQuota changes that by setting hard limits on what a namespace can request. One object, applied once, protects the rest of the cluster from runaway workloads.
Applications need configuration. ConfigMaps are how Kubernetes separates that configuration from the container image, making it possible to deploy the same image across environments with different settings. Here is how they work and where they fit.
Some workloads do not scale with load. They scale with nodes. Log collectors, metrics agents, network plugins and storage drivers all need to run exactly once on every machine in the cluster. DaemonSets are how Kubernetes handles that requirement automatically.
A cluster will accept almost anything you submit to it. Kyverno sits at the admission layer and changes that. Policies written as plain Kubernetes resources validate, mutate and generate objects before they are stored, keeping configuration drift from ever reaching etcd.
A practical breakdown of iptables. Tables, chains, targets and the default policy that ties it all together.
Background processes that run without a terminal, survive after you log out and power most of what Linux does. Here is what they actually are.
A practical guide to systemd. Units, targets, timers and the systemctl commands you will actually use when managing Linux services.
How to query the systemd journal effectively. Filtering by unit, time, priority and boot session so you find what you need fast.
Cron has been scheduling tasks on Unix systems since the 1970s. Here is how the daemon works, how to read and write crontab expressions and the pitfalls that catch everyone at least once.
Every program running on Linux exists as a numbered process with a state, a parent and a place in the process tree. Here is how to observe them, what their states mean and how signals let you communicate with them from the outside.
Every file on Linux belongs to an owner and a group. Nine permission bits decide who can read it, write to it or execute it. ACLs extend that model when three classes are not enough. Here is how all of it works.
Every process has an identity. Every file has an owner. Users and groups are the foundation that access control is built on. Here is how Linux stores them, how to manage them and why service accounts exist.
Every piece of software on a Linux server arrived through a package manager. Here is how apt and dnf work, how repositories are structured and what to reach for when something needs installing, updating or rolling back.
SSH is the protocol that makes remote Linux administration possible. Here is how key-based authentication works, how to manage keys across sessions with an agent, how to configure the client for jump hosts and tunnels and how to harden the server.
Containers are not a kernel feature. They are regular Linux processes that namespaces keep isolated and cgroups keep constrained. Here is how both mechanisms work and why understanding them makes container behaviour predictable.
What the seven layers actually mean, how data moves through them and why the model still matters when something on your network stops working.
What ping actually does, how ICMP works under the hood and what the output is really telling you when something on the network stops responding.
TCP and IP are two separate protocols with two separate jobs. Here is what each one does, how they fit together and why the distinction matters when something goes wrong.
Every web request uses HTTP. HTTPS wraps it in TLS. Here is what the request and response cycle actually looks like, how TLS secures the connection and what the certificate chain is really doing.
FTP has been moving files between machines since 1971 and it sends everything in plaintext. SFTP fixed that by being a completely different protocol. Here is what each one actually does and why the distinction matters.
SMTP sends your messages. POP3 downloads them to a device. IMAP keeps them on the server in sync across everything. Three separate protocols that most email setups use at once and most people never think about until something stops working.
Every connection on the internet starts with a name lookup. Here is how DNS resolves a hostname to an IP address, what the record types actually do and why changes take time to take effect.
Every device on a network needs an IP address before it can communicate. DHCP assigns one automatically through a four-message handshake, along with a gateway, DNS servers and a lease timer. Here is what that process actually looks like.
TLS secures most of the internet's traffic and nearly every protocol you interact with daily. Here is how the handshake works, what the certificate chain is actually checking and why the TLS version a server advertises still matters.
UDP skips the handshake, skips the acknowledgements and sends datagrams without waiting to see if they arrived. Here is why that is not a flaw, where it matters and what the eight-byte header is actually doing.
A forward proxy sits between clients and the internet. Requests go through it before they leave the network. Here is what that means in practice, how HTTPS tunnelling works and where forward proxies actually show up.
A reverse proxy sits in front of your backends and handles every inbound request before it reaches them. TLS termination, load balancing, caching and access control all happen here. Here is how it works and why almost every production service uses one.
A firewall sits in the path of network traffic and decides which packets are allowed to pass. Here is how rule evaluation works, what stateful inspection actually means and where firewalls fit in a layered security model.
A load balancer sits in front of a pool of servers and distributes incoming requests across them. Here is how distribution algorithms work, what health checks are doing and why session persistence is a tradeoff worth understanding.
When you have more than one backend service, clients need a single place to send requests. An API gateway provides that entry point and handles authentication, rate limiting, routing and observability in one layer so your services do not have to.
IPv4 has been running out of addresses for decades. IPv6 was designed to fix that permanently, along with several other problems along the way. Here is how the two protocols compare, what changed in the header, and how the transition between them actually works.
Static credentials stored in config files and environment variables are a liability waiting to surface. Vault replaces them with dynamic, short-lived secrets, centralised access control and a full audit trail of who touched what.
Prometheus collects numeric measurements from your infrastructure on a regular schedule, stores them efficiently and gives you a query language to ask questions about what those numbers are doing over time. Here is how the pieces fit together.
Metrics, logs and traces are only useful if you can look at them. Grafana sits in front of your data sources and turns raw numbers into dashboards you can actually read during an incident. Here is how the pieces fit together.
Every service writes logs. The challenge is finding the right lines across dozens of containers running on multiple nodes. Loki collects log streams from your infrastructure, stores them cheaply by indexing only labels and lets you query everything through LogQL.
Clicking through cloud consoles works once. By the third environment, nobody is sure what is running where. Terraform lets you describe infrastructure in configuration files, review changes before they happen and apply them consistently every time.
At some point, managing servers by hand stops being manageable. Ansible lets you describe the state a machine should be in and apply that description to as many hosts as you need, all at once, over plain SSH.