Garbage collection without races
Registries accumulate cruft. Delete an image tag and the underlying data blobs don't vanish — they linger until a garbage collection sweep removes anything no longer referenced. Run that sweep carelessly, though, and you can race a push that's happening at the...
Lessons on the registry
Self-hosting closes the supply chain. Everything the cluster runs was built and stored by you. It's an API + a blob store + auth + TLS. Each piece is simple; the value is in assembling them safely. Push to the TLS name, not a plain-HTTP address. Saves per-cli...
Read this one even if you skip the rest
The other books are how. This one is why — the handful of principles that shaped every decision in the lab, and the mistakes that taught them. If you're new to infrastructure work, this is the page I wish someone had handed me: not the commands, but the judgem...
Least privilege, everywhere
The single most repeated decision in this lab: give each thing the narrowest access that lets it do its job. Every app gets its own database, user, and password, scoped to just its data. No app ever connects as the database admin. A compromised app can hurt o...
One edge, one door
Two things in this lab are deliberately funnelled through a single chokepoint each: All HTTPS terminates at one edge proxy with one wildcard certificate. Nothing behind it touches a certificate. All inbound SSH lands on one bastion. No internal box is reachab...
Capacity is just arithmetic (done early)
Every VM was sized by doing the math first, against the one resource that actually runs out here: memory. CPU overcommits gracefully; disk is plentiful; RAM is the hard wall, especially with no swap on the host (the right call for a hypervisor, but it removes...
Reproducible, disposable, observable
Three habits that show up in every corner of the lab: Reproducible. Every VM is a clone of one golden image, configured by cloud-init. Even these docs were built through an API. The goal is that nothing important exists only as a thing someone once clicked in...
The mistakes (the honest part)
The lab didn't go in a straight line. The detours taught the most, so here they are, plainly: Worker joins timed out on :6443. I blamed the workers; it was the host firewall on the control plane, plus ufw's default-DROP forwarding policy silently breaking pod...
If you are new to this
A closing note, since teaching newcomers is half of why this lab exists. You don't learn infrastructure by reading; you learn it by building something real and then having to keep it working. A home lab like this — a host, some VMs, a cluster, the supporting s...
Why we build it this way
This guide installs Proxmox by hand on a clean Debian base, on a bare-metal dedicated server. A few of those choices are worth saying out loud, because the alternatives are tempting and usually wrong here. Why a dedicated root server, not managed virtualisati...
Lessons learned & gotchas
The things that bite, collected so they bite you less: Use the rescue system + installimage; don't fight a pre-installed OS. Starting from a clean, known base is faster and far more supportable than trying to bend whatever image came on the disk. Public netwo...
Why we do it this way
The whole reason this book exists comes down to one upstream rule: the network only forwards traffic for MAC addresses it has been told about. Bridge a VM with an arbitrary MAC straight onto the public interface and its packets are silently dropped. So you can...
Lessons learned & gotchas
The single-MAC rule is the gotcha that catches everyone. A VM that "has no network" on a public IP is, nine times out of ten, a VM whose MAC was never reserved upstream. The symptom looks like a broken VM; the cause is the provider dropping unknown-MAC frames...
Why we designed it this way
The cluster makes a few structural choices on purpose: Two vSwitches, not one. One private (cluster heartbeat plus VM east-west traffic), one public (inbound). Keeping the latency-sensitive cluster chatter on its own network means a busy public link can't dis...
Lessons learned & gotchas
MTU is the one that will haunt you. A vSwitch with VXLAN encapsulation adds overhead to every frame. Leave the VM/bridge MTU at the default 1500 and you get the classic, maddening symptom: ping works, but SSH hangs and TLS half-loads — small packets pass, lar...
Lesson: IP Addresses & How Machines Find Each Other
What you'll learn What an IP address actually is and why machines need one. The difference between a public and a private address. What "a network" means, and how a host knows whether a destination is local or remote. The role of the default gateway and DNS i...
Lesson: Subnetting & CIDR
What you'll learn What a subnet mask is and what the /24 in 10.100.100.0/24 means. How to split an address into its network part and host part. Why the network address and broadcast address can't be used for hosts. How to look at any two addresses and decide ...
Lesson: TCP, UDP & Ports
What you'll learn Why IP addresses alone aren't enough — and what a port adds. The difference between TCP and UDP, and when each is the right choice. What the TCP three-way handshake is and why "connection" means something specific. How to read ss/netstat out...