Search Results

Loki runs as a single binary on its own VM, storing log streams on local disk with a generous retention window. It's reached over the private network on port 3100. A deliberate simplification: Loki here runs with authentication disabled, because it's only ever...

The agent (Promtail) runs on every host, and what it ships — and how it's labelled — is what makes the logs useful. A label is how you slice the haystack later. Across the fleet, Promtail ships and labels: host shipped streams ...

Ship logs from day one. Bake the agent into the VM template so every host reports from birth; retrofitting later is painful. Pick tools that fit your scale. Loki indexing labels (not full text) is what keeps it light enough for a lab. Labels are the product. ...

The CI runner builds images; they have to live somewhere the cluster can pull them. You could push to a public registry, but a self-hosted one keeps the whole artifact flow inside the lab — and it's a great thing to understand, because a registry is conceptual...

Two containers, run with Docker Compose, plus a sprinkle of auth: Registry-Server (10.100.100.6) registry (registry:2) :5000 - the registry API registry-ui (joxit UI) :8080 - a browser front-end auth: htpasswd (user <REDAC...

Registries accumulate cruft. Delete an image tag and the underlying data blobs don't vanish — they linger until a garbage collection sweep removes anything no longer referenced. Run that sweep carelessly, though, and you can race a push that's happening at the...

Self-hosting closes the supply chain. Everything the cluster runs was built and stored by you. It's an API + a blob store + auth + TLS. Each piece is simple; the value is in assembling them safely. Push to the TLS name, not a plain-HTTP address. Saves per-cli...

The other books are how. This one is why — the handful of principles that shaped every decision in the lab, and the mistakes that taught them. If you're new to infrastructure work, this is the page I wish someone had handed me: not the commands, but the judgem...

The single most repeated decision in this lab: give each thing the narrowest access that lets it do its job. Every app gets its own database, user, and password, scoped to just its data. No app ever connects as the database admin. A compromised app can hurt o...

Two things in this lab are deliberately funnelled through a single chokepoint each: All HTTPS terminates at one edge proxy with one wildcard certificate. Nothing behind it touches a certificate. All inbound SSH lands on one bastion. No internal box is reachab...

Every VM was sized by doing the math first, against the one resource that actually runs out here: memory. CPU overcommits gracefully; disk is plentiful; RAM is the hard wall, especially with no swap on the host (the right call for a hypervisor, but it removes...

Three habits that show up in every corner of the lab: Reproducible. Every VM is a clone of one golden image, configured by cloud-init. Even these docs were built through an API. The goal is that nothing important exists only as a thing someone once clicked in...

The lab didn't go in a straight line. The detours taught the most, so here they are, plainly: Worker joins timed out on :6443. I blamed the workers; it was the host firewall on the control plane, plus ufw's default-DROP forwarding policy silently breaking pod...

A closing note, since teaching newcomers is half of why this lab exists. You don't learn infrastructure by reading; you learn it by building something real and then having to keep it working. A home lab like this — a host, some VMs, a cluster, the supporting s...

This guide installs Proxmox by hand on a clean Debian base, on a bare-metal dedicated server. A few of those choices are worth saying out loud, because the alternatives are tempting and usually wrong here. Why a dedicated root server, not managed virtualisati...

The things that bite, collected so they bite you less: Use the rescue system + installimage; don't fight a pre-installed OS. Starting from a clean, known base is faster and far more supportable than trying to bend whatever image came on the disk. Public netwo...

The whole reason this book exists comes down to one upstream rule: the network only forwards traffic for MAC addresses it has been told about. Bridge a VM with an arbitrary MAC straight onto the public interface and its packets are silently dropped. So you can...

The single-MAC rule is the gotcha that catches everyone. A VM that "has no network" on a public IP is, nine times out of ten, a VM whose MAC was never reserved upstream. The symptom looks like a broken VM; the cause is the provider dropping unknown-MAC frames...