Posts

Key functions — rate, irate, increase, histogram_quantile, absent, absent_over_time, delta, predict_linear, age Aggregations — sum, count, topk, by/without, quantile_over_time, bool, offset Label manipulation — label_replace, label_join Useful queries — CPU %, pod restarts, error rate, SLO, memory, network by AZ, nodegroup, cardinality Relabeling tricks — drop metrics, series, labels Pre-commit validation — promtool, pint Architecture — agent mode, VictoriaMetrics, Thanos, Mimir Tools Key functions rate vs irate...

AWS quietly launched S3 Files - a way to mount an S3 bucket and work with it like a regular file system. No custom SDK, no aws s3 cp, just standard file operations on top of S3. How it works You mount the bucket via a managed endpoint and get a POSIX-compatible interface on EC2, Lambda, EKS, and ECS. Your existing tools and applications don’t need to know it’s S3 underneath....

Claude Code is a powerful local agent. By default it can read most files on your machine. Here is how to lock it down and extend it for your workflow. Block access to credential files Put this in your global Claude settings at ~/.claude/settings.json. Claude will refuse to read any of these paths — even if you accidentally ask it to. { "permissions": { "deny": [ "Read(~/.aws/**)", "Read(~/.config/gcloud/**)", "Read(~/.azure/**)", "Read(~/....

npm min-release-age Use npm ci, not npm install Hardening GitHub Actions Summary In late March 2026, compromised axios builds briefly appeared on the npm registry (for example 1.14.1 and 0.30.4 on affected release lines). Attackers added a malicious dependency and used lifecycle scripts so a npm install could pull down far more than an HTTP client — a pattern we have seen before in registry incidents, not a bug in axios’ normal code....

Click to enlarge GuardDuty screams about a phishing domain. The node looks fine — no malware, no stolen creds. Often the real story is simpler: your app looked up a URL someone pasted in a message, and that hostname is on a threat list. The alert is still “true” (DNS to a bad name happened), but it is not a hacked cluster. The uncomfortable part: if you resolve or fetch any user URL with no checks, you also open the door to SSRF — for example a link to 169....

If you’re running Ingress-NGINX in production, you’ve probably seen the writing on the wall. The retirement was announced back in November 2025, and as of March 2026, it’s happening. The Ingress API isn’t going away overnight, but active development on Ingress-NGINX is done. Time to move. The good news: SIG Network just shipped Ingress2Gateway 1.0, a migration tool that actually works now. What Changed in 1.0 Previous versions were barely usable — they supported only three Ingress-NGINX annotations....

One of the superpowers of containers is their isolated filesystem view — from inside a container it looks like a full Linux distro, often different from the host. Run docker run nginx, and Nginx lands in its familiar Debian userspace no matter what Linux flavor your host runs. But how is that illusion built? In this post, we’ll walk through how to assemble a tiny but realistic container using only stock Linux tools: unshare, mount, and pivot_root....

Martin Fowler published a fascinating report from a February 2026 retreat where senior engineering practitioners from major tech companies gathered to discuss how AI is reshaping software development. It’s dense, so here’s what stood out to me. Where Does the Rigor Go? The biggest question of the retreat: if AI writes the code, where does the engineering discipline move? The answer is — it doesn’t disappear, it migrates: Upstream to specs — Bad specs produce bad code at scale....

If you’re building AI systems in production — or just getting started — these repos are worth bookmarking. LLM Serving & Inference vLLM (66k+ stars) — The industry standard for high-throughput LLM serving. Continuous batching and maximum GPU utilization. If you’re serving LLMs in production, this is probably what you should be using. Ollama (162k+ stars) — The easiest way to run LLMs locally. Great for fast experimentation before you commit to a cloud setup....

SQS is cheap until it isn’t. Real example from the wild: $500k in a weekend — and Amazon reportedly asked the team not to delete everything at once in certain regions, as it could impact the service. The usual culprit isn’t message volume; it’s how often you call ReceiveMessage when the queue is empty. How SQS Billing Works You pay per request (SendMessage, ReceiveMessage, DeleteMessage, etc.), not per message. Standard queue: about $0....