Hello 👋

Ivan's here, with a slightly overdue roundup of all things Server Side for August.

What I was working on

The hands-on Docker Roadmap has remained my key priority. This time, the focus is on all things container storage. And it's a surprisingly tricky topic!

I've yet to find a clear explanation of how exactly mount namespaces are used in containers, and most "reproduce a Docker container using only shell commands" examples I've examined oversimplify the rootfs creation and pivot_root parts too much. And I'm not even talking about mounting host folders into containers or using volumes. So, keep an eye on your inbox in the coming weeks - I've got a couple of deep dives coming up.

To warm you up, here are a couple of fresh challenges that touch upon the storage and container state topics:

• ​Docker: Stop and Restart Containers​
• ​Linux: Mount an Existing Directory at a New Location (bind mount)​

As always, the challenges include helpful hints, a bit of theory, and complete step-by-step solutions. By the way, the Docker Roadmap already has 40 of such challenges - definitely enough to keep one busy for a few weeks, so if you haven't started yet, now is the best time.

What community was working on

Despite the holiday season, August was a fruitful month!

Adam Leskis recorded a 🎬 3-Tier WebApp speedrun (accompanied by a blog post) that demonstrates how to set up the most typical combo of an API server, a database, and a frontend application. This simple yet powerful architecture can take you a very long way. Add a reverse proxy for ingress and background jobs for long-running tasks, and you'll cover the requirements of 90% of the apps out there. Adam does a great job fitting a complete 3-tier webapp example setup in just 12 minutes of the video, and you can also find all the commands he typed in the blog post and a couple of satellite GitHub repos. If you're just getting started with dev, ops, or both, I recommend following the video's instructions to set up your own 3-tier webapp playground (or a few).

Dr. Constanze Roedig continued her mission of documenting the content authoring workflow while working on her Discover eBPF - By using it course. Check out the video if you want to get started with technical content publishing on iximiuz Labs:

​

​

Last but not least, Márk Sági-Kazár published two practical and well-illustrated Kubernetes tutorials:

• ​Kubernetes: Admission Control​
• ​Kubernetes: Runtime Class​

By the way, these Kubernetes and eBPF materials will be used in the upcoming hands-on training by Márk and Constanze that will be held on January 20-22, 2026, in Vienna. Don't miss your chance if you're located nearby and want to get started with Kubernetes and Cloud Native tech.

Disclaimer: The above is not a sponsored promo, but I'm obviously an interested party because the training materials will be hosted on iximiuz Labs.

What I was reading

Catching up on my reading list. Brace yourself 🙈

​How to connect Docker containers across multiple hosts with WireGuard by Pasha Sviderski, the guy behind Uncloud - A quality write-up (with reproducible instructions and nicely looking diagrams) on how to connect multiple disjoint servers, potentially running all over the world, into an "overlay Docker bridge network" using site-to-site VPN. Setups like that aren’t uncommon! For instance, iximiuz Labs runs on ad-hoc servers in Germany, Finland, and India, allowing me to pick the most optimal infra provider and often cut the costs by x10. So, I find not just this particular networking idea but the overall philosophy of Uncloud (open-source) very relatable.

​Kubernetes 1.34 is out - The release contains many features and improvements, but it's no revolutionary, which is rather a good thing for an enterprise-grade software, IMO. You can already play with it on iximiuz Labs.

​Kubernetes v1.34: Finer-Grained Control Over Container Restarts a.k.a. KEP-5307: Container Restart Rules - The restartPolicy attribute continues its expansion: first, it was only supported on the Pod level, then init containers gained an optional restartPolicy: Always attribute, introducing “Kubernetes-native sidecars”, and finally the feature is getting even more generalized with full support of restartPolicy on both regular and init containers and a new restartPolicyRules setting. It’s just an alpha at the moment, but I’m hopeful. The blog post also features a few real-world examples where the new feature may come in handy.

​Critical CVE-2025-9074 in Docker Desktop on macOS and Windows - This is pretty wild. The Docker API was accessible w/o authentication from any container on some internal (to the host) address. In other words, any container could send the standard POST /containers/create and POST /containers/ID/start requests to http://192.168.65.7:2375 and launch a (privileged too?) container with the entire host filesystem mounted as a volume. Good that it was fixed promptly. Vulnerabilities like this happen more often than you think, so this is your periodic reminder that running dev tools (including Docker itself or Docker containers) on your primary system is becoming more and more risky, and you should consider using a dedicated VM per project, limiting the blast (and leak) radius. And always keep your software up to date!

​Offensive Container Security: Techniques, Misconfigurations, and Attack Paths - Speaking of container breakouts, this is a good summary of things you should be aware of at least and avoid at best when dealing with Docker and Kubernetes workloads. It’s a long list of things to keep you up at night 😉

​Trying to break out of the Python REPL sandbox in a Kubernetes environment: a practical journey - An unsuccessful but nevertheless enlightening example of what anyone with access to a Python REPL (or probably any other REPL) can do. The author managed to get full command execution in the Kubernetes Pod where this REPL was running, but fortunately, the Pod itself was sufficiently isolated (no elevated privileges, properly restricted Kubernetes Service Account tokens, no host mounts, etc.), and no unattended ports were discovered. Layered defence at its best.

​SystemD Service Hardening - TIL systemd-analyze security, and its output is a scary read! Turns out, systemd is optimized for success [of services] out of the box and not necessarily for security. Luckily, systemd units allow tightening service isolation by a lot (and the available knobs suspiciously resemble containers - restricting filesystem and device access, revoking capabilities, etc.). However, hardening every single systemd service on a typical Linux host doesn't sound realistic - there are too many options to tweak, and services rarely come with good docs explaining the minimal required capabilities and access. So, systemd-analyze security is a great tool to have in your belt, but you probably want to apply it only to externally facing and/or most sensitive services.

​Go 1.25 is out - As it usually happens with Go releases, no(t much) breaking changes were introduced. The most noticeable (at least for me) changes were the container-aware GOMAXPROCS (honestly, setting it by default to the number of host cores for containerized apps didn't make much sense) and a new encoding/json/v2 package. The official release notes are a bit dry, so I recommend taking this interactive Go 1.25 tour and checking this deep dive on JSON encoding in Go instead. Both masterpieces are by Anton Zhiyanov - kudos to the author!

​Bitnami deprecation - Bitnami free container images is no more. Rory McCune summarized it well: "Bitnami are moving from freely available images under the Docker Hub Username bitnami to a split of commercially maintained images under bitnamisecure and unmaintained legacy images under bitnamilegacy" Sigh… I didn't use them in my projects, but there will be a wave of broken pipelines, including in the most resource-deprived projects like OSS or non-profit organizations that traditionally relied on free offerings.

​From Linux Primitives to Kubernetes Security Contexts - A true masterpiece that starts at the lowest level (Linux syscalls, cgroups, namespaces, etc.), and moves up the stack through Docker containers to the implementation of the Security Contexts in Kubernetes. A huge shoutout to LearnKube (previously known as LearnK8s) in general and Dave Altena (the author) in particular. Truly well done!

​Introducing Headlamp AI Assistant - Kubernetes Blog - Someone should point this Headlamp AI Assistant at iximiuz Labs Kubernetes challenges and see how it miserably fails. I would love to do it myself if I had even a tiny bit of spare time. After each release of a SOTA model, I ask it to rewrite a Dockerfile for one of my container image building challenges (Python, Node.js, Go) - with no success so far, either directly or via existing specialized Dockerfile writing agents (DockerShrink, dockerfile-optimizer, etc).

​Predictive CI: Why Smart Teams Are Already Making the Switch - This may sound like a clever idea, and (quite) a few companies are trying to build agentic CI/CD solutions around it, but if you ask me, it’s a flawed vision. The problem presumably stems from coding agents that lack a deep understanding of our codebases and end goals generating more code than human developers can review and comprehend. But solving it by putting more agents into CI/CD (that generate tests, check code quality, etc.) will be prone to the same fundamental issue - these agents will lack a deep understanding of the codebase and what constitutes a correct change. Instead, we should be looking for 1) ways to make coding agents better understand our goals and subtle design principles a particular codebase follows; 2) building tools and developing techniques that allow engineers to grasp (and edit/reject) the generated code faster.

​The Summer of Johann: prompt injections as far as the eye can see - Some tools are so vulnerable by design that they probably shouldn't have been even built. Or, at the very least, not popularized as something people should be running unconfined and trusting with their data. Every time someone, especially with a large internet following, claims publicly that they run coding agents locally and haven't observed any security issues, I get cold sweats. At the very least, you should put your coding agents into non-privileged containers, but using an ephemeral VM per project is an even better approach. New Apple containers sounds like a good option because they start each container in a dedicated microVM, but if you're not on a (fresh enough) Mac, iximiuz Labs "coding agent base" playground remains my recommended way of using tools like Claude Code, Gemini CLI, or OpenHands.

​Agentic Browser Security: Indirect Prompt Injection in Perplexity Comet by Simon Willison again (who's definitely becoming my favorite "AI reporter") - Quoting because I particularly like the truck part: "The security team from Brave took a look at Comet, the LLM-powered "agentic browser" extension from Perplexity, and unsurprisingly found security holes you can drive a truck through." But the problem is not with Perplexity (or any other agent). The fundamental flaw of all LLMs is that they don't distinguish between instructions and other input. The moment you ask an agent to summarize a web page, you're appending a bunch of untrusted content to your prompt, risking the agent being hijacked by the attacker to perform arbitrary actions on your system and data. So far, no one has come up with a fix or a reliable-enough mitigation for this de facto critical vulnerability.

​If You Want to Learn, Do by Naval Ravikant - I may have found a reasonable explanation of why "make it a project" has always been the most efficient way to acquire new skills and knowledge for me and so many other people: "[…] doing leads to the desire to learn and therefore to learning […] whereas if you're purely learning for learning's sake, it gets empty after a little while. The motivation isn't the same." Naval follows up: "If you’re not doing, then all the learning you’re picking up is too general and too abstract. […] You don’t know what applies where and when."

​Beauty Is Objective - The most frequently asked question about my work is what software I use to create my diagrams. It's likely coming from people who want to start producing well-looking tech diagrams, which is totally understandable. However, there is a chance that the key component is not the software, but the principles I subconsciously follow. I'm yet to figure out how to put them into words, but this piece on design is very close to what I'd probably want to write on producing appealing visuals. "Hierarchy guides the eye. Symmetry creates balance. Composition gives shape to thought. Spacing makes room for meaning."

Wrapping up

That's it for August. Before we adjourn, I wanted to clarify a few things about my recent announcement of the upcoming premium plans change. The current "all-inclusive premium access" is not going away - anyone who purchased it for a lifetime or has an active subscription will stay on this plan indefinitely (hence, will have full access to all iximiuz Labs features and content). A deal is a deal, and I'll be forever grateful for my early-day supporters! 🙏

However, the sales of new all-inclusive premium memberships will stop by the end of the year, and a new set of plans will be released as a more fine-grained (and hopefully also more affordable) replacement. Hope it summarizes the upcoming change well.

Thank you for supporting my work 🤗

Happy learning!

Ivan