Attestable Immutable Nodes for Kubernetes
Rethinking the Trust Boundary of Kubernetes Nodes
Most Kubernetes security mechanisms implicitly assume that worker nodes are trustworthy. In practice, this assumption is weak. The operating systems running underneath Kubernetes are often mutable, difficult to audit, and only loosely tied to what was originally provisioned. Even when containers are well isolated and supply chains are secured, a compromised or drifted node OS undermines the entire stack. A more robust approach is to treat the node operating system as a security boundary, not just a runtime dependency. This is where immutable and attestable operating systems become relevant. By making the OS immutable and cryptographically verifiable, Kubernetes can rely on a foundation whose integrity is provable rather than assumed. ...
Exposing a local web server using Cloudflare Tunnels
Context
I often run into this problem: I have a local file on my computer that I want to share with a friend or colleague on the other side of the world. While I could upload it to a file sharing service, it can be very annoying to have to upload it somewhere first, especially if it's a one-off situation and if the file is big. Moreover, it's my data and I don't necessarily want to upload it to a Google or Dropbox server. Similarly, when I'm developing a web application on my local machine, I often want to show it to someone else for testing or feedback. Again, uploading it to a public server can be cumbersome and I don't want to start dealing with a deployment strategy if I just started prototyping. ...
Build an AI inference server on Ubuntu
Open source tools like Ollama and Open WebUI are convenient for building local LLM inference stacks that let you create a ChatGPT-like experience on your own infrastructure. Whether you are a hobbyist, someone concerned about privacy, or a business looking to deploy LLMs on-premises, these tools can help you achieve that.
Prerequisites
We assume here that you are running an LTS version of Ubuntu (NVIDIA and AMD tooling is best supported on LTS releases) and that you have a GPU installed on your machine (either NVIDIA or AMD). If you don't have a GPU, you can still follow this guide, but inference will be much slower as it will run on CPU. ...
Build an Ubuntu Desktop image with genesis
Intro
A few years ago I built a tool called genesis to build images of Ubuntu. The tool has a very basic CLI interface and is written in Python. I was asked recently if I had ever built desktop images of Ubuntu from scratch and had to admit that I had never tried. I decided to give it a go and found the process rather straightforward.
Steps
First, install genesis in a venv: ...
How I built an Ubuntu archive mirror using Cloudflare
For a while, I wanted to set up an Ubuntu archive mirror using Cloudflare. It felt like a natural idea: the archive is a set of static files that could be easily cached, and Cloudflare is very good at caching files close to users around the world.
What is an archive mirror?
If you have ever run apt update on Ubuntu, you have used the archive. It is a big collection of files: packages (.deb files) and index files (Packages.gz, Release, etc.) that tell apt what is available. ...
Architecture of a Linux system and boot process
Linux systems may seem complex, but at their core, they consist of two fundamental components: the kernel and a root filesystem. Understanding how these elements interact during the boot process can demystify Linux and provide insight into how your system comes to life each time you power it on.
The Two Main Components of a Linux Distribution
1. The Linux Kernel
The kernel is the heart of any Linux system. It's responsible for: ...
Practical Guide To Virtual Networking on Linux
Linux Networking: Bridged and Routed VM Networking
Scenario 1: Bridged Networking (Layer 2 Integration)
Goal: VMs/containers appear as full LAN peers, get IPs from the LAN's DHCP, and are reachable directly. Create a bridge interface (br0). Add the physical interface (e.g., eth0) to the bridge. Assign IP or DHCP to br0 only. eth0 should have no IP. Virtual interfaces (e.g., tap0) are also added to br0.
Key Commands:
sudo ip link add br0 type bridge
sudo ip link set eth0 master br0
sudo ip link set br0 up
sudo dhcpcd br0
No NAT, no subnetting. Full LAN access. ...
How to install NVIDIA drivers on Ubuntu
Make sure the system is up-to-date
This section is important to avoid pulling DKMS NVIDIA drivers during the installation. First make sure your server is up-to-date:
sudo apt update
sudo apt full-upgrade -y
If your system needs a reboot, reboot it before running:
sudo apt autoremove -y
Note: You can check if your system needs to be rebooted by checking if this file exists: /var/run/reboot-required. ...
Build an Ubuntu Server live image with mkosi
Basic Config
[Distribution]
Distribution=ubuntu

[Output]
Format=disk

[Content]
Packages=
        apt
        cloud-init
        dbus
        grub-efi-amd64-signed
        iproute2
        linux-virtual
        netplan.io
        openssh-server
        openssl
        shim-signed
        ssh-import-id
        sudo
        systemd
        systemd-resolved
        udev
        vim
Bootloader=grub
ShimBootloader=signed
BiosBootloader=none
Bootable=true
RootPassword=ubuntu
KernelCommandLine=console=ttyS0
Hostname=ubuntu
Then simply run mkosi.
Boot the image
Use this script (use --no-snapshot to make the changes persist):
./start-vm.sh ./image.raw
To go further
At the moment, mkosi only supports producing raw disk images. To convert the image to qcow2:
qemu-img convert -f raw -O qcow2 /tmp/image.raw /tmp/ubuntu.img
And to make it (virtually) bigger: ...
Boot Linux with coreboot without bootloader
Boot process - context
In general, the boot process looks like this:
ROM                                     | DISK
Pre-EFI initialization -> EFI firmware -|> shim -> grub -> Linux
The pre-EFI initialization is about initializing the CPU and devices. In particular, it is responsible for initializing the DRAM controller on the CPU. Before this step the system is in a very precarious state and can only use its cache as memory (aka Cache as RAM). ...