Don’t Block ICMP

“Don’t ping my server!” is a common sentiment among sysadmins, and it usually leads to blocking ICMP outright. That is a terrible idea. Here’s why.

The (painful) Enterprise Way to the Cloud

Use the cloud, they said. It will be great, they said. Why is it so painful, then?

Forwarding IP traffic through a VPN

You have two servers and want traffic arriving at an IP address on one of them to be served by the other?

Getting started with Docker for the Inquisitive Mind

There are a million Docker tutorials out on the Internet, but few explain what’s actually going on behind the scenes when you issue your first commands. So let’s take a look!

The danger of monocultures

Monocultures have already killed off one strain of banana. What can we learn from that in IT?

Immutable Infrastructure in Practice — Part 2

After setting up the server as a Docker baseline, we now venture into building a Docker infrastructure.

Immutable Infrastructure in Practice — Part 1

Recently I rebuilt the infrastructure that hosts this website following the principles of immutable infrastructure. Let’s see how that works!

Gentoo as a Docker build system?

Gentoo compiles everything from source, which sounds like it might not be useful for Docker. Yet it can be made to build a sub-100 MB image for PHP…

Why people want Kubernetes?

I’ve previously argued that running Kubernetes is hard. Why do people still want it? Let’s look past the hype train and take a gander through the valuable things k8s provides.

Monitoring: Basics

Monitoring your application is critical. But how do you do it? What are the important things you need to watch out for?

Immutable Infrastructure?

Immutability is an important concept I have talked about before. But how do we apply it to infrastructure?

Host everything yourself!

Often when a big service provider messes up, there is an inevitable slew of people who tout the advantages of self-hosting everything. But is it really efficient?

Fundamentals: The Address Resolution Protocol

How does a computer know what MAC address belongs to an IP? How does ARP work?

Fundamentals: The Internet Protocol

How do you scale a network to global proportions? The answer is the Internet Protocol. Let’s dive into it.

What can we learn from Kubernetes' first major security hole?

Kubernetes’ first major security hole is out… does this mean Kubernetes is not secure? What can we learn from it?

Kubernetes is hard

Kubernetes won the container wars… allegedly. However, Kubernetes is still hard and causes a lot of grief.

Fundamentals: VLANs explained

How do you run multiple networks over the same physical network? How do virtual LANs work?

Fundamentals: Ethernet explained

Ethernet is one of the most fundamental protocols underpinning today’s internet. It is so fundamental that we often take it for granted and don’t even think about it.

Make AWS less painful with Lambda functions

Amazon Web Services can sometimes be a royal pain in the backside, especially because a lot of their services are not entirely feature complete. A lot of these gaps can, however, be filled with AWS Lambda.


Build environments and server setups should be reproducible, even six months down the line. How does this work?

LXC vs Docker

LXC is the older of the two, but how do they compare? What’s the difference? Which one should you choose for your next project?

Building your own CDN for Fun and Profit

Fresh from the hold-my-beer department, why don’t we build our own little CDN? Oh, and it actually makes sense.

Docker 101: Linux Anatomy

Docker is (mostly) used to run Linux, but in order to successfully create a Docker image, we must first understand how Linux works.

Under the hood of Docker

Container runtimes such as runc (which Docker uses) and rkt power today’s containers. But what powers the container runtimes? Read on for a deeper look into containerization technology.

Why Docker matters and why you should care

Have you ever wondered what all the fuss is about with this Docker thing? Are you having a hard time convincing your colleagues to take it seriously? Well then, read on, I’m going to lay it all out for you.

Intercontinental Docker Swarm

Docker is the new hotness. Swarm is an even newer, even hotter thing. The question is: will it blend? Can it run spanning multiple continents?

Interplanetary Filesystem

Quite by accident, I’ve stumbled upon a rather interesting technology called IPFS. It promises to replace HTTP as a transport protocol for websites and to scale to interplanetary levels. Even though the claims sound just a tiny bit far-fetched, the technology behind it got me quite excited.

What is the CAP theorem?

The CAP theorem is one of the most fundamental principles of distributed system design. Yet, it is often misunderstood or outright disregarded.

Filtering spam with Exim and Spamassassin (properly)

SpamAssassin is a frequently used companion for Exim. However, most people set it up in a synchronous manner: spam is checked directly while the SMTP session is open. While this is certainly a valid technique, it has its drawbacks. It leaves the server vulnerable to DoS attacks, because spam filtering is a big resource hog. Trusting X-Spam-* headers that arrive with the mail from remote servers is also a problem: Exim’s $h_X-Spam-* variables simply read the message headers, so they will reflect whatever the sender put there.

Fixing RDNS_NONE with Spamassassin

When dealing with SpamAssassin and Exim, one may often encounter a mysterious RDNS_NONE

Setting up Apache with PHP-FPM

Nowadays nginx seems to be experiencing serious growth in terms of numbers when looking at HTTP server software. Almost all articles about PHP-FPM describe the setup with nginx; very few talk about the good old Apache HTTPd. Admittedly, it’s a little harder to set up due to the myriad hacks layered in its internals. It has one major advantage, however: it handles .htaccess files, which lets customers configure their own little corner of the webserver without poking the admin or endangering the server’s stability.

Don't use FTP — Here's why

FTP has been around since the early days of the internet. Even though it’s old and cranky, a lot of sysadmins, especially those just getting into managing a server, still don’t know anything else. FTP is outdated, has a lot of problems and can sometimes be outright dangerous; however, its widespread acceptance as an easy way of transferring files makes it hard to switch to alternative protocols. If you have a choice, don’t use it. I’ll show you why.

Filtering spam with Exim only

Defense against spam has always been a hassle. Statistical filters only get you so far, and they consume a LOT of resources. For exactly that reason I like to apply basic policy checks before accepting e-mail at all. These policies have gotten me pretty far, and my false positive rate is pretty low.

Logging PHP errors to syslog-ng

Every so often I get to set up hosts for running PHP. When running a load-balanced solution you have more hosts, reading logs gets complicated and development gets tedious. What helps is a central logging server. This is pretty easy to set up with syslog-ng; however, PHP has an annoying habit of logging everything to syslog with the NOTICE level.

Debugging applications with strace

There are times when we get an application and need to find out what it does, fast. We don’t have the time to read the source code. Fortunately there are multiple tools to our rescue, one of which is the strace Linux utility. strace stands for system call trace: it shows us every system call the application makes, such as opening or reading a file or writing data to a network socket. It’s not a magic pill and won’t show the internal workings of the application, but it’s still very useful for finding out what it does externally (I/O operations and the like).
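As an added example (not code from the article above), here is a small POSIX shell helper that turns an strace log into the two things a practitioner usually wants first from an unknown binary: which files it tried to open (and whether it succeeded) and which remote endpoints it connected to. The log embedded in the script is a constructed sample in the format `strace -f -e trace=openat,connect` produces; the paths, address and program it describes are hypothetical.

```shell
#!/bin/sh
# Added example: summarise an strace log offline.
# Capture a real one with, e.g.:
#   strace -f -o trace.log -e trace=openat,connect ./suspicious-binary
# The sample below is constructed for this example, not real program output.
SAMPLE_TRACE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/etc/app/config.ini", O_RDONLY) = 3
openat(AT_FDCWD, "/root/.ssh/id_rsa", O_RDONLY) = -1 ENOENT (No such file or directory)
socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
connect(4, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
connect(5, {sa_family=AF_UNIX, sun_path="/var/run/nscd/socket"}, 110) = -1 ENOENT (No such file or directory)'

# Every path passed to openat(), one per line, prefixed with "ok" when the
# call returned a file descriptor and "FAIL" when it returned -1.
trace_opens() {
    printf '%s\n' "$1" |
    sed -n 's/^openat([^,]*, "\([^"]*\)".*= \(-\{0,1\}[0-9]*\).*/\1 \2/p' |
    awk '{ s = ($2 < 0) ? "FAIL" : "ok"; print s, $1 }'
}

# Remote IPv4 endpoints (ip:port) the program tried to connect() to.
# Unix-domain sockets are deliberately not listed here.
trace_connects() {
    printf '%s\n' "$1" |
    sed -n 's/.*sin_port=htons(\([0-9]*\)), sin_addr=inet_addr("\([^"]*\)").*/\2:\1/p'
}

# Failed opens are often the most telling part of a trace: a program probing
# for keys or credentials it has no business reading shows up here.
trace_failed_opens() {
    trace_opens "$1" | awk '$1 == "FAIL" { print $2 }'
}

# Stand-alone demonstration on the constructed sample.
echo "opened files:";      trace_opens "$SAMPLE_TRACE"
echo "connections:";       trace_connects "$SAMPLE_TRACE"
echo "failed opens:";      trace_failed_opens "$SAMPLE_TRACE"
```

Run against a real `trace.log` with `trace_opens "$(cat trace.log)"`; with `-f` the lines carry a leading PID, so drop it first with `sed 's/^[0-9]* *//'` before feeding them in.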

The Big Exim Tutorial

In September 2009 I created the big Exim tutorial, consisting of 5 parts, on the Hungarian Unix Portal. In January 2010 I transferred it to my Hungarian site. Now I’m translating it to English.