Hello 👋

Ivan's here with a monthly roundup of all things Linux, networking, containers, and Kubernetes.

What I was working on

April was a busy and fruitful month.

The Hands-On Docker Roadmap 2.0

After several weeks of thinking about it, I couldn't help but revamp the Docker roadmap. A plain SVG worked fine when the roadmap had only a few dozen links, but now it points to over 100 challenges and tutorials, so a more structured UX was very much needed. And it can now ping you, so you don't break the streak.

Check out the recording - this time it's easier to show than tell:

​

New Playgrounds: Kubernetes 1.36, Ubuntu 26.04, Fedora 44

Keeping iximiuz Labs playgrounds up to date is one of my key priorities. This month's upgrade includes:

• The Kubernetes "Omni" Playground moved to the 1.36 release (which was announced just about a week ago). The release has a few tasty features like user namespaces going GA or the ability to mount OCI images as volumes, so I do recommend spending some time playing with it.
• A new Ubuntu 26.04 Playground, which I expect to soon make it into the Top-3, taking over the current leader, Ubuntu 24.04 (since 26.04 is the new LTS version).

New Playground Features: Nested Virtualization and 24h Uptime

A quick recap of the playground features released earlier this month.

iximiuz Labs has finally received support for nested virtualization via the new Cloud Hypervisor-powered microVM backend. You can activate it either in the UI (on every playground's front page) or using the labctl playground start --backend cloud-hypervisor flag.

Why is it a big deal? Because now you can experiment with all the shiny sandbox solutions without polluting your local system - Firecracker, Docker's sbx, Kata Containers, and many more can now run in iximiuz Labs playgrounds.

All paid-tier playgrounds had their memory limit increased from 8GB to 10GB (hopefully enabling some local LLM use cases), and it is now also possible to set a max playground uptime of up to 24 hours.

Last but not least, building kernel modules and experimenting with software that requires kernel headers installed has become way easier - thanks to the new "dev" kernel variants that include the headers for the custom kernel versions iximiuz Labs uses.

New LabCTL Features

Connecting to Kubernetes clusters running in playgrounds is now easier with the new labctl kube-proxy command. The command forwards the Kubernetes API port to your local machine, downloads and patches the kubeconfig, and makes your local kubectl talk to the remote cluster. Check out the docs to learn more, or follow this Kubernetes MCP Server recipe to practice both LLM-assisted cluster management and the new labctl command.

It has also become possible to securely expose TCP services running on your local machine to the playground VM using the labctl port-forward -R command - a simplified equivalent of the standard ssh -R (a.k.a. remote port forwarding).

Remote port forwarding comes in handy when you need to make a service running on your local machine (on the intranet) accessible for services running in the remote playground. For example, you can use it to expose Chrome's debugging port (9222) to a coding agent running in the sandbox VM.

Lastly, even though it's not a key use case for iximiuz Labs playgrounds, you can now expose HTTP(S) services running on your local machine to the internet with labctl expose local:

New Linux, Sandbox, and Docker Learning Materials

While shipping all these features, I also managed to prepare a bunch of learning materials 🤯

Not listing all of them here, but the last 15-ish Challenges in the Official Collection were added in April. And I also started working on a Firecracker course (thanks to the nested virtualization support), sharing my experience from 3 years of running iximiuz Labs. Here is the first lesson, and I'll definitely have a dedicated newsletter issue about it, too.

iximiuz Labs community update

The community has also been busy!

​Nick Taylor published a tutorial on Pomerium - an open source identity-aware access proxy that lets you put identity-aware access control in front of any SSH server (with no tunnels or custom clients, which is slick). The tutorial walks you through a complete setup with a self-hosted authentication service and a GitHub OAuth app as the identity provider, running entirely in Docker.

​Teodor Podobnik continued methodically covering eBPF network programming topics - and each of his tutorials is a unique gem (despite somewhat look-alike titles 🙈):

• ​Accelerating Transparent Ingress Proxy with eBPF and Envoy​
• ​Building an eBPF/XDP NAT-Based Least Connection Load Balancer from Scratch​
• ​Building an eBPF/XDP NAT-Based Round Robin Load Balancer from Scratch​

​Kaloyan Preslavski, our debuting author, prepared four Kubernetes challenges, and I particularly like how crisp they are - to the point, and yet there is enough guidance and learning opportunities on the way:

• ​Kubernetes - Build and Deploy a Production-Ready Container Image​
• ​Kubernetes - Proxy Outbound Traffic with an Ambassador Container​
• ​Kubernetes - Normalize Application Output with an Adapter Container​
• ​Kubernetes Ingress: Expose Multiple HTTP Backends the Imperative Way​

Last but not least, Omkar Shelke crashed it again with another portion of CKA/CKAD/CKS-styled Kubernetes challenges 👏

• ​Configure a Memory-Backed emptyDir Volume with a Size Limit​
• ​Create an OpenEBS StorageClass and Set It as the Default​
• ​Secure ServiceAccount Token Mounting Using Projected Volumes​
• ​Resolve Service and External DNS Using a Temporary Pod​
• ​Copy a File into a Running Pod to Serve a Custom NGINX Page​
• ​Control Cross-Namespace Traffic Using NetworkPolicy​
• ​Schedule Pods Using Taints, Tolerations, and NodeSelector with Host Namespaces​
• ​Create a Redis StatefulSet with Stable Pod Identities and Persistent Storage​
• ​Grant Read-Only Access to a Developer Using RBAC Role and RoleBinding​
• ​Configure Selective Pod-to-Pod Communication Using NetworkPolicies Under Default-Deny​
• ​Enforce a NetworkPolicy to Block All Traffic Except DNS​
• ​Configure Ingress Routing with Traefik for a Multi-Service Shop Application​
• ​Why LimitRange Is Not Injecting Default Requests and Limits into Running Pods​
• ​Expose Internal Services Using NGINX Kubernetes Gateway API​
• ​Resolve a Container Port Conflict and Expose Multiple Ports Through a Single Service​
• ​Mount Specific ConfigMap Keys as Files into a Node.js Deployment​

What I was reading

​The invisible engineering behind Lambda's network by Werner Vogels - a pretty dense read, full of networking terms, that tells the story of the AWS Lambda cold start latency optimization. Interestingly enough, the better part of it sounds way too familiar - iximiuz Labs (obviously) isn't as optimized as Lambda, but it does use the same set of technologies under the hood (microVMs, network namespaces, veth pairs, iptables for NAT and traffic isolation, etc.), and it also started with all of these resources created on the hot path and gradually moving to warm pooling. By the way, solving iximiuz Labs networking challenges (veth, netns, NAT) would help you understand this post at least, or perhaps even apply for a network engineer position at AWS.

​Ubuntu 26.04 can install APT packages from GitHub Container Registry by Akihiro Suda - Everything has blended - container registries can now be used to distribute OS packages. The title of the post is a bit too narrow. What has actually just become possible is to oras push then apt install . In other words, if you distribute APT packages, you don't need to maintain your own package repository anymore - just put your package into a container image and push it to any OCI-compatible registry (any modern registry). Of course, GHCR comes to mind first as it's still fully free to use. And here is the funniest part: you can install an OS package distributed as a container image while building a container image that will then be pushed to the same or another registry. Did I already mention that everything has blended into one big ball of… OCI manifests?

​Kubernetes 1.36: VolumeSource: OCI Artifact and/or Image is also GA - …and Kubernetes can now mount OCI images as volumes. At that pace, container images will soon become a more popular technology than containers themselves (especially since containers are in direct competition with more isolated runtimes like microVMs). By the way, if you want to learn how OCI images work, I've got a deep dive for you.

​Kubernetes v1.36: User Namespaces in Kubernetes are finally GA - That's it, that's the post. It took Kubernetes (well, more like Linux kernel and the container ecosystem) 10 years to come to this point. But that's an important milestone.

​A field guide to sandboxes for AI - A solid piece on sandboxing tech. I particularly liked how systematic the author is. They classify the available solutions into containers, userspace kernel (e.g., gVisor), microVM, and embedded sandboxes (e.g., Wasm), and then go over the strengths and weaknesses of each type. Plus, they also differentiate between "isolation boundaries" and "policies" - because even the strongest boundaries may not prevent a breakout if the right policies aren't in place.

​What every dev should know about AI sandboxes - A complementary to the above post. It's more shallow, and the opening part can feel like a rehash of the first post (which may or may not be the case). But it is helpful both as a quick recap and also because it expands on higher-level topics like agent observability, agent-to-agent communication, and the changing threat model.

​How will AI change operating systems? Part 1: Ubuntu and Linux - The Pragmatic Engineer - This is actually an interesting one. Windows and macOS are "obvious" options for AI adoption on the OS level. Cannot say I'm looking forward to Apple Intelligence taking over control of my devices, but sooner or later, they will force it on us. And it's a relief to hear that Linux distros seem to be taking a more pragmatic route. For instance, in the case of Ubuntu, AI adoption boils down to better hardware support (via improved drivers), focus on local inference, and OS-native agent sandboxing. OS-native agentic workflows are on the radar, but it's still in the research and experimentation phase.

Wrapping up

That's it for April! Hope you find something useful in this update 🙌

Ah, and before we go, the pricing pilot is still live. I'm testing lower price points (40% off original prices + regional PPP discount) for all plans to better understand what makes iximiuz Labs sustainable while allowing as many learners as possible to use the platform.

The pilot prices are temporary and may change once the test ends, but subscriptions started during the pilot will keep their lower prices indefinitely. If you wanted to upgrade your membership, now is a good time.

Cheers

Ivan