Deep dives into DevOps and Server Side topics where theory blends with hands-on examples. You can try out commands from each tutorial in the attached remote playground, either from the browser or via SSH access from your local terminal — no extra setup required.
Begin with the basics to understand Docker and Kubernetes networking: learn how to create and interconnect Linux network namespaces using only command-line tools.
Learn how Linux containers are built from the ground up. Starting with the mount namespace and a root filesystem, see why PID, cgroup, UTS, and network namespaces naturally follow - and how this foundation makes concepts like bind mounts, volumes, and persistence in Docker or Kubernetes much easier to grasp.
How Virtual Machines were used to deploy services. What old problems containers solve and what new problems create. How Kubernetes used containers to recreate Virtual Machines in a better way?
Learn how to limit process resources using Linux cgroups - from the most basic and labour-intensive cgroupfs manipulation to the handiest systemd-run command.
A practical deep dive into container image internals that will help you build a clear mental model of how images are composed, identified, stored, and distributed across registries.
Learn how to build smaller, more secure Docker container images using Multi-Stage Builds. This guide explains common sources of image bloat, best practices for slimming down production images, and practical examples for Node.js, Go, Rust, and other application stacks. Start optimizing your containers today!
Can a Kubernetes Pod be created with plain Docker commands? Learn the difference between Containers and Pods by exploring how they are implemented under the hood.
Understand the "native" sidecar containers, learn their difference from regular and init containers and discover their advantages in this focused and highly practical tutorial.
Dive into the internals of the Docker run, attach, and exec commands by following this highly visual and hands-on tutorial.
When you are new to Docker, the number of commands to study might be truly overwhelming. This tutorial shows a way to internalize the most important Docker commands without the brute-force memorization.
How to explore the filesystem of a container image using nothing but the standard Docker means (and without running any containers).
Choosing the right base image for your Node.js application can drastically affect its security, size, and performance. This post breaks down popular options - from slim and distroless to full-sized images - helping you navigate the trade-offs and pick the best fit for your development, build, and production needs.
While "FROM scratch" containers may seem functional, they often lack essential components that programs expect to find in their execution environment. Discover the most common pitfalls of building container images "FROM scratch" and learn how to avoid them.
What are these distroless images, really? Why are they needed? What's the difference between a container image built from a distroless base and a container image built from scratch? Let's take a deeper look.
What is Tetragon, how it works, and how to use it to detect and react to security-significant events in your Kubernetes, Docker, or plain Linux environment.
This lab shows how to use eBPF to transparently redirect inbound traffic through an Envoy proxy on the server side, without modifying the application or client. You’ll learn how eBPF can intercept and restore connections so the service remains unaware of the proxy in the network path.
This lab teaches you how to use eBPF to transparently intercept and redirect a client's outgoing traffic to an Envoy proxy without requiring any changes to the application code. You will build a system that recovers original connection metadata via socket-level hooks and uses SO_MARK to prevent infinite routing loops, replacing traditional, complex iptables rules with a high-performance eBPF alternative.
In this tutorial you will learn different ways to implement loops in eBPF, explaining how iteration evolved from manual loop unrolling to modern mechanisms like bounded loops, helper functions, and open-coded iterators. It walks through the limitations, kernel version requirements, and practical examples for each approach so you can choose the most appropriate looping method for your eBPF programs.
In this tutorial, you’ll learn how eBPF applications send kernel events into user space using perf buffer and ring buffer, exploring their design, trade-offs, and performance implications. You’ll also learn how moderns solutions like Jibril handle high-throughput event delivery.
In this tutorial, you will learn how to build a IPIP DSR load balancer using eBPF/XDP, where backends from arbitrary networks send responses directly back to clients bypassing the load balancer.
Exploit a Kubernetes RBAC authorization bypass where nodes/proxy GET permissions allow command execution in any Pod.
In this tutorial, you will learn how to build an Layer 2 DSR load balancer using eBPF/XDP, where backends send responses directly back to clients bypassing the load balancer.
Learn what a unikernel is and how it compares to a Linux container. Build and run your first unikernel inside a playground box.
Learn how an eBPF/XDP-based NAT Layer 4 load balancer works by building one from scratch. We implement simple connection tracking, deterministic hashing, and IP/MAC rewriting with a small, easy-to-follow example.
Learn how to build an eBPF/XDP firewall that filters packets by IP ranges using BPF_MAP_TYPE_LPM_TRIE and longest-prefix matching.
Learn how to create and manage a multi-machine Uncloud cluster from scratch. This hands-on tutorial walks you through initializing a cluster, adding machines, managing contexts, and deploying your first containerized service.
In this tutorial, you’ll learn the fundamentals of eBPF and XDP through example code that parses packets across different protocol layers, demonstrates how XDP actions work, and shows how these building blocks form the foundation for high-performance networking applications.
Learn how to implement a basic per-client ICMPv6 packet rate limiter using eBPF/XDP. This tutorial shows how to track client activity with eBPF maps and enforce limits directly in the kernel—without any user-space interaction.
In this tutorial, we look at why eBPF programs can fail across kernel versions due to changes in structs, tracepoints, and function layouts. We look at examples of how these differences cause portability issues and how BPF CO-RE, BTF and vmlinux.h address them.
In this tutorial, you’ll learn how to make your eBPF programs portable across kernels that lack built-in BTF support.
In this tutorial, we’ll look at how different eBPF tracing mechanisms work in practice by focusing on a single use case: capturing execve system call events. We’ll start with tracepoints, move on to raw tracepoints, and then cover kprobes and fprobes, showing how each attaches to the kernel and what data they expose. Along the way, we’ll compare their trade-offs in terms of stability, performance, and portability.
In this tutorial, you’ll learn why it is safe to run eBPF code in the kernel, some of its advantages compared to kernel modules, and why the verifier is the most crucial component of eBPF.
In this tutorial, you’ll learn how to inspect eBPF programs and maps loaded into the kernel with bpftool, gaining deeper visibility into how your eBPF application runs. We’ll also explore bpftop, a top-like interface that lets you monitor eBPF program activity in real time.
In this tutorial, you’ll learn how to store and update data inside the kernel, turning a simple eBPF Hello World program into one that tracks useful state. We’ll also briefly learn a few basics of bpftool, a handy CLI tool that will allow us to list and inspect our eBPF map.
In this first tutorial, you’ll run a pre-coded eBPF program and see it in action without writing any code yourself. We’ll walk through the important parts of the program so you understand how eBPF hooks and runs in the kernel. The goal is to get familiar with the workflow and core concepts before you start writing your own eBPF programs.
Learn how to configure and use Kubernetes Runtime Classes to specify different container runtimes for your workloads. Explore different OCI runtimes and their scheduling constraints.
OpenScience Demo content: How to capture a massive piece of high-performance compute (HPC) code named Kaiju and Gamera in a Container
Dive deep into Kubernetes admission control with hands-on examples. Learn how admission controllers influence cluster behavior, apply default configurations, and enforce policies for consistency and compliance.
Learn how to set up a Kubernetes cluster from scratch using kubeadm.
Learn how to auto-unseal works by using OpenBao'/Vault's builtin mechanism.
Learn how to get started with OpenBao/Vault by walking through the basics of initialization, unsealing, authentication, and secret management.
In this tutorial, we'll dive into the world of Docker Security, look at the attack surface of a Docker installation and show some straightforward container breakouts
Learn how to integrate Dagger into your existing CI pipelines on GitHub Actions.
Learn how to test, package and release Helm charts using Dagger.
In this brief tutorial we'll explore the idea that Docker containers are just processes, from the perspective of the operating system. Based on this Securitylabs blog post https://securitylabs.datadoghq.com/articles/container-security-fundamentals-part-1/
Learn how to run any database on Kubernetes with KubeBlocks!
Learn how to run any database on Kubernetes with KubeBlocks!
Learn how to run any database on Kubernetes with KubeBlocks!
Learn how to run any database on Kubernetes with KubeBlocks!
Learn how to run any database on Kubernetes with KubeBlocks!
