Ivan Velichko
@iximiuz.bsky.social
Software Engineer. Educator. Entrepreneur. Bootstrapping labs.iximiuz.com - a learning platform to help you master Linux, Containers, and Kubernetes 🚀
Kubernetes "native" sidecars are slated for GA in 1.33, so it's a good time to brush up on how (and why) to use them.

Solve this practical challenge by reworking a flawed pod, making it use a native sidecar:

> Kubernetes Pod With a Faulty Init Sequence

labs.iximiuz.com/challenges/k...
February 18, 2025 at 11:55 AM
Works for me 🙈
February 9, 2025 at 8:21 PM
It's very easy to start a Docker container:

docker run nginx ☑️

But can you explain what actually happens when you run this command?

I prepared a Docker 101 challenge that helps you explore the internals of Linux containers - check it out: labs.iximiuz.com/challenges/s...
February 5, 2025 at 1:11 PM
How do you containerize a Python app the right way? 🤔

Building small and secure images for Python projects is surprisingly hard:

- Which base image to choose?
- How to manage dependencies?
- How to structure the Dockerfile?

Learn more (with solutions): labs.iximiuz.com/challenges/d...
February 1, 2025 at 6:24 PM
Container images to avoid in production - part II:

python:3

Yes, it's a Docker Official Image, and it's a good image to build your app, but:

- It has TWO pythons inside 🐍 x 2 = 🤯
- It brings 800MB+ of dev/build packages.

What to use instead in production 👉 python:3-slim
January 27, 2025 at 2:28 PM
SSH Tunnels: An age-old trick that's still widely used

- Expose a local service to the Internet
- Map a remote service to a local port
- Query an AWS RDS database with a local GUI client
- Access a server in your private VPC from a dev machine

...and a lot more. Visual memo 👇
January 24, 2025 at 5:33 PM
What's Inside Distroless Container Images: Taking a Closer Look 🧐

Distroless images come in many flavors, and it might not be obvious which one (if any!) is the best fit for your application.

Here is my attempt to explain the difference and use cases on a single diagram:
January 23, 2025 at 5:52 PM
Pulling and Pushing Container Images 🔽

Did you know that the below commands:

docker pull nginx
docker pull nginx:latest
docker pull library/nginx:latest
docker pull docker.io/library/nginx:latest

...pull exactly the same Docker Hub image?

Learn more 👉 labs.iximiuz.com/skill-paths/...
January 19, 2025 at 8:28 PM
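
Added example (not part of the original post): a POSIX shell function that expands a short image reference to its fully qualified form, which is what an allow-list or audit check should compare. The function name `normalize_ref` and its simplified rules (no validation, no legacy `index.docker.io` alias) are assumptions.

```shell
# Added example: expand a short image reference to registry/namespace/name:tag.
# Simplified rules (assumption): no syntax validation, no legacy registry aliases.
normalize_ref() {
    ref=$1
    first=${ref%%/*}
    # The first path component names a registry only if it contains '.' or ':'
    # or is exactly "localhost"; otherwise Docker Hub (docker.io) is implied.
    case $ref in
        */*)
            case $first in
                *.*|*:*|localhost) host=$first; path=${ref#*/} ;;
                *) host=docker.io; path=$ref ;;
            esac ;;
        *) host=docker.io; path=$ref ;;
    esac
    # Single-component names on Docker Hub live under the implicit "library/" namespace.
    if [ "$host" = docker.io ]; then
        case $path in
            */*) ;;
            *) path=library/$path ;;
        esac
    fi
    # A tag or digest, if present, sits in the last path component.
    last=${path##*/}
    case $last in
        *@*|*:*) ;;                 # already pinned to a tag or digest
        *) path=$path:latest ;;     # implicit default tag
    esac
    printf '%s/%s\n' "$host" "$path"
}

# The four references from the post all expand to the same name.
for r in nginx nginx:latest library/nginx:latest docker.io/library/nginx:latest; do
    printf '%-32s -> %s\n' "$r" "$(normalize_ref "$r")"
done
```
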
How To Build a Production-Ready Container Image For a Go App 🔽

Is "FROM scratch" good enough for you? Check out these hands-on challenges to learn about the most typical Go container pitfalls:

- static linking labs.iximiuz.com/challenges/d...
- dynamic linking labs.iximiuz.com/challenges/d...
January 10, 2025 at 5:11 PM
6/6: Port publishing and dNAT (optional ingress)

Port publishing is a form of traditional Port Forwarding implemented with iptables (kernel).

When the host receives a packet on a "published" port, its destination address (i.e., the host's IP) is replaced with the container's IP.
January 10, 2025 at 12:23 PM
5/6: Routing and sNAT (egress)

An IP address is assigned to the bridge device, and each container connected to this bridge gets a Default Gateway route with this IP.

For outgoing (from containers) packets, the source IPs get replaced ("translated") with the bridge IP (via iptables).
January 10, 2025 at 12:23 PM
4/6: Virtual switch (bridge device)

The host's ends of the veth pairs are connected to a virtual switch (a.k.a. bridge) device.

One bridge forms one container network, where containers can intercommunicate on L2/L3 (Ethernet/IP).
January 10, 2025 at 12:23 PM
3/6: Container addressing (IP)

An IP address is assigned to the container's end of the veth pair. For the container, it creates a route table record to access its network.

However, the host's ends of the veth pairs remain without addresses to avoid introducing routing conflicts.
January 10, 2025 at 12:23 PM
2/6: Virtual Ethernet Devices (veth)

A pair of connected virtual network devices is used to access an otherwise isolated container.

One end of the veth pair is moved to the container's network namespace, and the other end remains in the host's network context.
January 10, 2025 at 12:23 PM
How Container Networking Works 🧵

1/6: Network namespaces (netns)

A separate network namespace gives a Linux container its own virtualized (and fully isolated from the host) network "context" - a loopback device, a route table, netfilter/iptables rules, etc.
January 10, 2025 at 12:23 PM
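
Added example (not part of the original thread): the six steps above written out as iproute2/iptables commands, in thread order 1/6 to 6/6. The namespace name `c1`, bridge `br0`, the 172.18.0.0/16 addresses and the 8080-to-80 port mapping are assumptions; by default the function only prints the plan, and `DRY_RUN=0` executes it (root required).

```shell
# Added example: one container network built by hand, following steps 1/6..6/6.
# All names, addresses and ports below are assumed values for illustration.
# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it (needs root).
run() { if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

container_net_plan() {
    ns=c1 br=br0 br_ip=172.18.0.1 c_ip=172.18.0.10 net=172.18.0.0/16
    # 1/6: a separate network namespace for the container
    run ip netns add "$ns"
    # 2/6: a veth pair; one end is moved into the namespace
    run ip link add veth0 type veth peer name ceth0
    run ip link set ceth0 netns "$ns"
    # 3/6: only the container's end gets an IP address
    run ip netns exec "$ns" ip addr add "$c_ip/16" dev ceth0
    run ip netns exec "$ns" ip link set ceth0 up
    run ip netns exec "$ns" ip link set lo up
    # 4/6: the host's end is attached to a bridge (virtual switch)
    run ip link add "$br" type bridge
    run ip link set "$br" up
    run ip link set veth0 master "$br"
    run ip link set veth0 up
    # 5/6: the bridge IP becomes the default gateway; egress is source-NATed
    run ip addr add "$br_ip/16" dev "$br"
    run ip netns exec "$ns" ip route add default via "$br_ip"
    run sysctl -w net.ipv4.ip_forward=1
    run iptables -t nat -A POSTROUTING -s "$net" ! -o "$br" -j MASQUERADE
    # 6/6: a published host port has its destination rewritten to the container
    run iptables -t nat -A PREROUTING -p tcp --dport 8080 ! -i "$br" \
        -j DNAT --to-destination "$c_ip:80"
}

# Print the plan unless the caller asked for execution.
container_net_plan
```
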
Computer Networking 101: Forward Ports Like a Pro 🧙‍♂️

The only way to mastery is through practice. Can you map one port to another using:

- socat labs.iximiuz.com/challenges/p...
- netcat labs.iximiuz.com/challenges/p...
- iptables labs.iximiuz.com/challenges/p...

Happy hacking!
January 8, 2025 at 9:53 AM
If you want to practice some Linux & Networking, I've got two "classic" sysadmin problems for you:

- Which Port Is a Service Listening On? labs.iximiuz.com/challenges/l...

- Which Process Is Listening on a Port? labs.iximiuz.com/challenges/l...

How fast can you solve them?
December 30, 2024 at 7:44 PM
Containers Pro Tip: You can inspect the rootfs on any container image, including viewing textual files, by simply opening a URL like:

ima.ge.cx/docker.io/library/nginx
December 29, 2024 at 8:53 PM
A huge quality of life improvement for folks creating playgrounds or authoring content on iximiuz Labs:

Tasks Dev Tools 🚀

Inspect the status, duration, stdout, stderr, and other attributes of the init and regular tasks in a slick new UI.

Start here 👉 labs.iximiuz.com/playgrounds/...
December 28, 2024 at 3:14 PM
The best Christmas/New Year gift for a software engineer? Fun education! 😎

Treat yourself with a bunch of endorphin injections by cracking interactive Linux, networking, Docker, and Kubernetes puzzles and dive into quality long reads on the same topics: labs.iximiuz.com/premium
December 27, 2024 at 2:48 PM
Why Set GOMEMLIMIT for Go Apps in Containers/Kubernetes Pods? 🔽

- Linux containers isolate network and fs but share host CPU cores/RAM.
- cgroup memory limits aren’t considered by the Go runtime.
- The Go GC assumes the host’s total memory.
- Ignoring cgroup limits risks terminations by OOM Killer.
December 22, 2024 at 5:55 PM
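
Added example (not part of the original post): a container entrypoint helper that reads the cgroup memory limit and derives a GOMEMLIMIT value from it. The cgroup v2 path `/sys/fs/cgroup/memory.max`, the 90% headroom and the binary path `/app/server` are assumptions.

```shell
# Added example: derive GOMEMLIMIT (bytes) from the container's cgroup v2 limit.
# Arguments (both optional, assumed defaults): limit file, percentage to use.
gomemlimit_from_cgroup() {
    file=${1:-/sys/fs/cgroup/memory.max}
    pct=${2:-90}
    [ -r "$file" ] || return 1
    limit=
    # read fails on a missing trailing newline but still fills the variable
    read -r limit < "$file" || [ -n "$limit" ] || return 1
    case $limit in
        max|''|*[!0-9]*) return 1 ;;   # "max" means no cgroup limit is set
    esac
    # GOMEMLIMIT is a soft limit for the Go GC: keep it below the hard cgroup
    # limit so the runtime collects harder before the OOM killer steps in.
    echo $(( limit / 100 * pct ))
}

# Usage in an entrypoint script (binary path is an assumed placeholder):
#   if v=$(gomemlimit_from_cgroup); then export GOMEMLIMIT=$v; fi
#   exec /app/server
```
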
Did you know you can explore your Kubernetes clusters visually on iximiuz Labs? 🧐

Every Kubernetes playground comes equipped with k'exp - an exploration-tailored Kubernetes UI that I wrote some time ago.

Here is me poking around in the K3s playground labs.iximiuz.com/playgrounds/... 👇
December 11, 2024 at 2:57 PM
Grasp Docker Commands Without Memorizing 🔽

Why do some commands mimic process management while others resemble file operations? 🤔

Understanding the dual nature of containers is the key. Dive deeper: labs.iximiuz.com/tutorials/do...
December 9, 2024 at 7:18 PM
😎 Pro Tip: If you use iximiuz Labs playgrounds from a more eastern location, try switching the region on the home page. It may significantly improve your terminal latency.

The "Asia" server is located in India (Mumbai), and it's a big one 🚀
December 9, 2024 at 12:47 PM
iximiuz Labs is coming to Mumbai! 🚀

capacity++ && latency--

$300/mo for this beauty 🙈 But now I can afford it - thanks to everyone who supported the platform this week and got the premium membership!
December 1, 2024 at 8:32 PM