今日已更新 386 条资讯 | 累计 20358 条内容
关于我们

标签:#devops

找到 359 篇相关文章

开发者

Great Stack to Doesn't Work #2 — Kafka: "Where Did My Messages Go?"

A survival guide for when everything goes wrong in production. There's a moment every engineer who works with Kafka experiences. You check the producer. Messages are sending. You check the consumer. Nothing. The consumer group shows zero lag because there's nothing to lag behind — as far as the consumer knows, the topic is empty. But it's not empty. The messages are there. Somewhere. In some partition, at some offset, behind some configuration you set six months ago and forgot about. Kafka doesn't lose messages. But it's very good at hiding them from you. Consumer Lag: The Number Everyone Watches Wrong Consumer lag is the difference between the latest offset in a partition and the offset your consumer group has committed. Simple concept. Dangerous in practice. The mistake: treating lag as a single number. Lag is per-partition. If you have 30 partitions and one consumer is stuck on partition 17 while the others are healthy, the total lag looks manageable. But partition 17's data is hours behind, and whatever downstream system depends on that data is serving stale results. Monitor lag per partition. Tools like Burrow, Kafka Exporter for Prometheus, or even kafka-consumer-groups.sh --describe break it down. If one partition's lag is growing while others are stable, you have a stuck consumer, a hot partition, or a poison message. A poison message is a record your consumer can't process — malformed data, unexpected schema, null where it shouldn't be null. The consumer throws an exception, the offset doesn't commit, and it retries the same message forever. Lag grows. The consumer looks "alive" because it's processing — just not making progress. The fix: dead letter queues. After N retries, move the message to a separate topic, commit the offset, and move on. Alert on the dead letter topic. Investigate later. Don't let one bad record block millions of good ones. Rebalance Storms: The Silent Killer Consumer rebalancing is Kafka's mechanism for redistributing partitions acro

2026-05-31 原文 →
AI 资讯

[Imposter syndrome] Back to the beginning (DevSecOps path)

I’ve been writing my project - Python port scanner for 9 months now. You might be wondering, “Why is it taking so long?” Most of the time was spent figuring out how raw sockets work, how to write a function for manually assembling a packet, calculating the checksum, packing the IP packet bytes, the TCP header, the pseudo-header using struct.pack, sending the packet, and how SYN scanning works. Why did I decide to take such a complicated route instead of just using Scapy? I’m a principled person and have a very exhausting yet useful skill—understanding everything. That’s how I got acquainted with big-endian, or “network byte order.” I won’t go into the details of big-endian logic, to be honest, I’m already mentally exhausted It took several evenings and nights to analyze and understand the principles—watching videos, reading RFCs, and looking at GitHub code (which I didn’t understand)—but what bothered me most was that I had to ask gemini for an explanation. As I mentioned above, I’m very principled; I can’t just copy code without understanding it, so I ask gemini for a prompt like this: “Don’t write the code for me. If I end up asking you for an example because I’m tired, explain it line by line.” Yesterday I realized I don’t fully understand Python (basics)—I don’t remember REPL—so I went to ask Gemini for advice; I don’t have anyone competent who could help me with advice. I’m not very sociable, and the only thing that’s interested me for the last four years is IT. I used to make music. Lately, something strange has been going on with my health, the day before yesterday I woke up because of a nosebleed; this has happened before, but on a larger scale. I stopped working on the scanner yesterday and decided to try writing a backup script in Python. I found an article and jotted down in Obsidian what the project should and shouldn’t do. Previously, the project used Docker, Prometheus, and Grafana. My questions: Am I a good developer, and am I even one at all? Should

2026-05-31 原文 →
AI 资讯

Run Aider on Ollama, Bedrock, or Any LLM Provider — One Gateway, Every Model

Aider is the best terminal AI coding tool I've used. But by default it sends every diff through your OpenAI or Anthropic key, which gets expensive fast on real refactors — a single 100-file repo map can torch a few dollars before Aider even reads your prompt. This post shows how to run Aider against any LLM provider — Ollama for free local runs, OpenRouter for mixed-provider routing, AWS Bedrock for the enterprise plate — through a single OpenAI-compatible endpoint. I'll use Lynkr , the self-hosted gateway I maintain, but the pattern works with any OpenAI-compatible proxy. Full disclosure: I build Lynkr. I'll point out where it loses to LiteLLM and OpenRouter further down so you can make an honest call. The setup in three commands # 1. Start the gateway npx lynkr@latest # 2. Point Aider at it export OPENAI_API_BASE = http://localhost:8081/v1 export OPENAI_API_KEY = any-value # 3. Run Aider with any model name Lynkr knows about aider --model openai/gpt-4o That's it. Aider speaks the OpenAI Chat Completions protocol; Lynkr speaks it back and quietly translates the call to whichever upstream provider you've configured (Ollama, Bedrock, Anthropic, Azure, OpenRouter, Databricks, llama.cpp, LM Studio, ...). Aider has no idea it's talking to a router. Why bother? The cost math Aider's own leaderboard shows GPT-4o and Claude 3.5 Sonnet at the top — but you don't need a $3-per-million-tokens model to rename a variable. You need it for the architecture decisions. Lynkr's tier routing splits the work: Aider call type Routes to Cost Repo map summarization qwen2.5-coder:7b (Ollama, local) $0 File edits, single-function diffs gemini-flash-1.5 (OpenRouter) ~$0.075/M Architecture / multi-file refactors claude-3.5-sonnet (Anthropic) $3/M On a typical 4-hour Aider session, 80–90% of the calls are repo-map and small-diff calls. Routing those to local + cheap models while keeping Claude Sonnet for the hard reasoning has cut my own Aider spend by roughly 70%. Your mileage will vary base

2026-05-30 原文 →
AI 资讯

Stop Paying a Streaming Bus to Carry Bytes That Live for Ninety Seconds

How a shared filesystem became the cheapest, fastest outbox I've ever built — and why FSx for OpenZFS is the version of that idea that finally scales I was staring at an AWS bill last quarter where a single Kinesis Data Streams line item was costing more than the entire S3 footprint sitting behind it. The events on that stream had a useful lifetime of about ninety seconds. They were written by one service, read by another, processed, and dropped. We were paying full streaming-bus price for bytes that barely outlived a TCP timeout. That bill is what got me thinking about transitional data as a category that deserves its own architecture, and about why every "use the right tool" instinct I had — Kinesis, Kafka, MSK — was the wrong tool for this particular shape of work. The right tool, it turns out, is a filesystem. Specifically, AWS FSx for OpenZFS, used as an outbox between producers and consumers, with only a tiny pointer message traveling through whatever messaging bus you already have. This article is the case for that pattern. It's also the design, the failure modes, the code, the cost math, and the honest list of when not to do it. I'll walk you through the architecture from first principles, show you the safe-write protocol that makes it correct under crashes and concurrent retries, compare the cost against Kinesis, MSK and EFS at a realistic petabyte-class workload, and explain why the recent addition of FSx Intelligent-Tiering changes the cost story in a way that makes the pattern attractive even for teams that don't ingest petabytes. If you've ever felt the queasy sensation of paying twice for the same bytes — once to land on a stream, again to land in storage — this is for you. What "transitional data" actually means Most data falls into one of two cleanly shaped buckets. Durable data is the stuff you keep — user records, orders, financial events, audit trails. It needs to live for years; you pay storage costs for those years and you get value over those y

2026-05-30 原文 →
AI 资讯

I Tested Every Web Scraping Tool Against Lazada — Here's What Actually Works (May 2026)

I came across Scrapling through a recommendation on X and decided to put it through its paces — not against a demo page, but against Lazada Singapore, a production site with Google reCAPTCHA and a custom slider verification. The setup: a single 4GB VPS, no residential proxies, no credits, just open-source tools. Here's the full journey: installation pitfalls, wiring it into an AI agent, choosing the right browser for the job, and the real-world benchmarks that followed. What Is Scrapling? Scrapling is an adaptive web scraping framework for Python (BSD-3, v0.4.8). It handles everything from single HTTP requests to full-scale concurrent crawls. What sets it apart from the BeautifulSoup/Scrapy world: Adaptive element tracking — saves fingerprints of targeted elements and relocates them after site redesigns using similarity scoring. Your scrapers survive CSS changes without maintenance. Three fetchers, one API — HTTP ( Fetcher , curl_cffi), browser ( DynamicFetcher , Playwright Chromium), and stealth ( StealthyFetcher , Chromium + anti-bot patches). Swap with one line. Spider framework — Scrapy-like API with async, concurrent crawling, Ctrl+C pause/resume via checkpoint persistence, multi-session support. MCP server — 14 tools exposed natively for AI coding agents. Your agent can call mcp_scrapling_get , mcp_scrapling_fetch , mcp_scrapling_stealthy_fetch directly. It's open source, pip-installable, and designed to be the backbone of a scraping stack — not just another tool in the toolbox. Installation on a 4GB VPS This is where the real story starts. The VPS has 4GB RAM, 2 vCPUs, 77GB disk, and runs an AI agent gateway (615MB baseline). Every browser installation decision matters. What we installed pip install scrapling[fetchers,ai] # HTTP + Chromium + MCP server scrapling install # Downloads Playwright browsers This pulls in Playwright Chromium, Firefox, and WebKit (~1.3GB disk), plus curl_cffi for HTTP requests and patchright (Playwright fork) for browser automation.

2026-05-30 原文 →
AI 资讯

AI Code Drift in the Wild: A Scarab Diagnostic Repair Pass

Scarab Field Test: Repairing an AI-Generated App Without Guessing Its Intended Baseline I’ve been building Scarab Diagnostic Suite around a problem I keep seeing in AI-assisted development: the app may look close, the code may be mostly there, and some checks may even pass — but the repo still isn’t in a trustworthy state. So I tested Scarab against a public GitHub repo that was explicitly asking for help with an AI-generated web app. The app had been created through a generated/vibe-coded workflow and the owner was looking for help cleaning it up, fixing broken behavior, and making it more stable. The interesting part wasn’t just “can the code be fixed?” The interesting part was: what does fixed mean for this repo? Scarab’s repair pass surfaced that there were actually two valid repair postures: TypeScript intended — treat npm run typecheck as a real acceptance gate. Build/lint only — treat the app as a generated JavaScript React export, where build + lint are the intended acceptance boundary. That distinction matters because a diagnostic suite should not blindly impose a standard the repo never chose. Sometimes the repair is not just technical. Sometimes the repair is clarifying the repo’s actual operating baseline. Both repaired versions now: build successfully lint successfully run locally in the browser render the app correctly include saved runtime evidence/screenshots pass browser smoke checks across key routes One of the more useful findings was that static checks were not enough. A governance/static pass could look clean while the browser runtime still revealed real problems: stray generated stub text, React not mounting meaningful app content, and missing local Base44 helper behavior outside the hosted runtime. That is exactly the kind of failure I’m interested in. Not just “does the code pass a command?” But: does the app actually render? does the local runtime behave? did the repair preserve the app’s intent? did the repo become more coherent afterward?

2026-05-30 原文 →
AI 资讯

Stop Running psql Commands by Hand — Build a REST API for PostgreSQL User Management

If you manage PostgreSQL databases across multiple environments, you've probably done this: SSH to the DB host (or connect via psql ) Run CREATE USER jsmith CONNECTION LIMIT 20 PASSWORD '...' Slack the password to the developer Forget to log it anywhere Repeat for every environment, every onboarding, every access request It's tedious, error-prone, and leaves zero audit trail. Here's a better way. What I Built pg-user-api is a lightweight Flask REST API that wraps PostgreSQL user provisioning in clean HTTP endpoints. You register your databases once in a SQLite inventory, then any tooling — CI pipelines, internal portals, Ansible playbooks, or a plain curl — can create and manage users across environments without ever touching psql . GitHub: pcraavi/PostgreSQL-user-creation-API The Problem It Solves In teams that span dev, QA, UAT, and prod, you end up with different patterns of users: App service accounts — named after the host/port combo ( web01_8080 ) Kubernetes workload accounts — named after env prefix + farm ( dv_gearservice ) Individual dev/QA accounts — low connection limits, scoped to non-prod Read-only analyst accounts — prod only, no DDL DBA accounts — CREATEDB CREATEROLE LOGIN , rarely provisioned Each type has different CONNECTION LIMIT values, privilege levels, and naming conventions. Encoding these patterns in an API means the rules are consistent, repeatable, and auditable. Architecture The project is intentionally small — five Python files and a requirements list: pg_user_api/ ├── app.py # Flask app — all endpoints ├── auth.py # HTTP Basic Auth (constant-time compare) ├── database.py # SQLite registry + audit log ├── notifications.py # Notification stubs (Webex / Slack / Email) ├── seed_db.py # One-time setup: creates DB + sample records └── requirements.txt Two credential pairs, clearly separated: PG_API_USER / PG_API_PASS — who can call this API (your team/tooling) PG_ADMIN_USER / PG_ADMIN_PASS — the PostgreSQL DBA role that executes DDL The DBA cr

2026-05-30 原文 →
AI 资讯

Renovate & Dependabot: The New Malware Delivery System

Supply chain attacks every other morning Unless you've lived under a rock for the last few months, you probably noticed that software supply chain attacks are getting trendy among threat actor groups. Over the last 12 months, we've seen more of those than ever before, to name only a few of them: tj-actions/changed-files : In March 2025, a popular reusable GitHub application workflow was compromised to dump secrets from CI/CD pipelines. Salesloft Drift : In August 2025, threat actors stole OAuth credentials from the compromised Drift chatbot application. Shai-Hulud : In September and November 2025, a wormed attack propagated through npm packages and collected secrets. The common thread among those incidents is that they all revolved around secrets, one way or another. Some used secrets as an initial access vector, and others were focused on collecting secrets from victim environments. March 2026 did not change the state of things, with two new severe attacks added to our dreadful collection: trivy-action & LiteLLM campaign by Team PCP. The most popular Axios package compromise. Both those attacks followed a now-classical pattern, spreading through compromised open-source dependencies to maximise the impact in the shortest possible time. Your all-time classic, now with added internal threats Open-source supply chain attacks are not new. Ever since we started using centralized open-source package registries, the risk has existed. Threat actors understood this and started exploiting it. What has changed since 2015 is how we have improved software development productivity through automation. And now, this very same automation that lets you test and build your projects without typing a single command is amplifying the supply-chain threat and the velocity of attacks. Let's see how. Keeping your malware up to date A very concerning pattern we've observed in the trivy-action and Axios campaigns is that automation can become the source of your compromise. One thing no develop

2026-05-29 原文 →
AI 资讯

Git Rebase vs Reset vs Revert | When to use What ?

The Scenario: "Oops, I Made a Messy Commit History" Imagine you're working on a feature branch called feature/login-page . You’ve made a few commits, but now : One of the commits has a bug . Another commit has a wrong commit message . Your commit history looks like a jumbled mess compared to main . Time to clean it up! But… should you rebase , reset , or revert ? First, Let’s Understand the Core Idea of Each: Command What it Does Safe for Shared Branches? rebase Rewrites commit history to make it linear and clean No , unless used carefully reset Moves the HEAD and branch pointer to a different commit No , dangerous on shared branches revert Creates a new commit that undoes a previous commit Yes , safe to fix public history 1. Git Rebase : "Let’s Rewrite History Neatly" What is it? git rebase allows you to move or "replay" your commits onto another branch or rearrange them to make a clean, linear history. When to Use? You want to clean up messy commit history before merging. You want to squash commits . You want to change commit messages . Example: You have these commits in feature/login-page : A — B — C — D (feature/login-page) ↑ Buggy commit (C) You want to fix commit C and clean up the message in D . Solution: Interactive Rebase git rebase -i HEAD~3 You’ll see something like this: pick abc123 B pick def456 C pick ghi789 D You can now: Change "pick" to "edit" for C to fix the bug. Change "pick" to "reword" for D to fix the commit message. Squash commits if needed. Important: This rewrites commit hashes. If your branch is pushed and shared , rebasing can mess up others' history. Use with care! 2. Git Reset : "Let’s Go Back in Time (Dangerously Powerful)" What is it? git reset moves your branch pointer ( HEAD ) to a previous commit. It can unstage files , remove commits , or even delete code changes . Types of Reset: Command What happens? git reset --soft Keeps your changes staged. git reset --mixed Unstages changes but keeps them in the working directory. git reset

2026-05-29 原文 →
AI 资讯

I Deployed My Go Backend to a Real VPS. Here's Exactly What Happened.

In Part 14 , I finished HMAC webhook signing. The backend was complete — JWT auth, PostgreSQL, Redis caching, rate limiting, circuit breaker, worker pool, webhook delivery, migrations, Docker. All running locally. But "runs on my machine" isn't a portfolio project. It's a homework assignment. Time to ship it. The Stack Being Deployed Go backend — ~15MB Docker image (multi-stage build, CGO_ENABLED=0) PostgreSQL 16 — with golang-migrate running schema migrations on startup Redis — for caching, rate limiting, and refresh token storage Oracle Cloud Free Tier — 1GB RAM, 45GB disk, already provisioned Everything wired together with docker-compose.yml . One command to start the entire stack. Step 1: The VM Was Fine, Actually I was worried about the free tier specs. Turned out the "1GB" in the tier name refers to RAM, not disk. The actual disk is 45GB — plenty. free -h # 954MB RAM, 552MB available df -h # 45GB disk, 41GB free The real constraint: no swap . Go's compiler is memory-hungry. Without swap, building the Docker image on the VM would exhaust RAM and kill the process. More on this in a moment. Step 2: Install Docker curl -fsSL https://get.docker.com | sudo sh sudo usermod -aG docker ubuntu newgrp docker The official install script handles everything — Docker Engine, containerd, Docker Compose plugin. One command, done. Step 3: Clone the Repo The repo is private. Created a fine-grained GitHub personal access token with Contents: Read-only permission. Used it to clone: git clone https://TOKEN@github.com/absep98/Go_learn.git Security note: never paste tokens in chat, email, or anywhere visible. Type them directly into the terminal. Tokens in chat history are compromised tokens. Step 4: Create the .env File The .env from my local machine needed two changes for Docker: # LOCAL (wrong for Docker): DB_HOST = localhost REDIS_HOST = localhost # DOCKER (correct): DB_HOST = postgres # ← service name in docker-compose.yml REDIS_HOST = redis # ← service name in docker-compose.ym

2026-05-29 原文 →
AI 资讯

The problem with security scanners isn't the scanning

At a previous job I worked at as a Dev we had someone who ran Semgrep on our codebase for the first time. It came back with 180 findings. We had no security engineer. The developer who ran it looked at the output, closed the terminal, and we never ran it again. That's not a story about a careless team. That's a story about a tool that produced output most teams in small companies with no expertise knew what to do with. I've seen this exact moment happen more times than I can count working with small dev teams. And it's the reason I spent the last year building SecOpsium. But before I get to that let me explain the actual problem, because I think it's misunderstood. The problem isn't the scanning Semgrep and Gitleaks are excellent tools. They're free, actively maintained, and genuinely powerful. If you're not using them you should be. The problem is what happens 10 minutes after you run them. You get 200 findings. Some are critical. Some are test files. Some are commented-out code from 2021. Some are legitimate secrets. Some are variable names that pattern match against a rule but contain nothing sensitive. They all look the same in the output. Now you're a developer who also does DevOps, also reviews PRs, also handles incidents, and you're staring at 200 items with no clear indication of which three actually matter this week. So you close the terminal. Or you create a Jira ticket labeled "security findings" that lives in the backlog forever. Or you spend two days triaging manually and burn out before you fix anything. This is the real problem. The scanning was never the hard part. Why rule based scanners produce so much noise It helps to understand technically why this happens. Semgrep and Gitleaks are rule-based. They match patterns. A variable named api_key_example in a test file flags the same way as a live Stripe key in an active production config. Gitleaks scans for entropy and known credential patterns but can't distinguish between a key that was rotated and r

2026-05-29 原文 →
开发者

Appendix: Live System Output

Appendix: Live System Output — Real Pipeline in Production All output below was captured live from the running pipeline on 2026-03-08. These are not mock outputs — they come from actual AWS infrastructure and Kubernetes clusters. ArgoCD — All 50 Applications Across 6 Clusters The following is the live output of argocd app list from the hub cluster ( myapp-production-use1 ). Every component of the pipeline is represented — security, logging, monitoring, backups, and the application itself. $ argocd app list --output wide NAME CLUSTER NAMESPACE PROJECT STATUS HEALTH argocd/argo-rollouts-myapp-production-use1 myapp-production-use1 argo-rollouts production Synced Healthy argocd/argo-rollouts-myapp-production-usw2 myapp-production-usw2 argo-rollouts production Synced Healthy argocd/aws-lbc-myapp-production-use1 myapp-production-use1 kube-system production Synced Healthy argocd/eso-myapp-production-use1 myapp-production-use1 external-secrets production OutOfSync Healthy ← known false positive argocd/eso-myapp-production-usw2 myapp-production-usw2 external-secrets production OutOfSync Healthy ← known false positive argocd/falco-myapp-dev-use1 myapp-dev-use1 falco production Synced Healthy argocd/falco-myapp-dev-usw2 myapp-dev-usw2 falco production Synced Healthy argocd/falco-myapp-production-use1 myapp-production-use1 falco production Synced Healthy argocd/falco-myapp-production-usw2 myapp-production-usw2 falco production Synced Healthy argocd/falco-myapp-staging-use1 myapp-staging-use1 falco production Synced Healthy argocd/falco-myapp-staging-usw2 myapp-staging-usw2 falco production Synced Healthy argocd/fluent-bit-myapp-dev-use1 myapp-dev-use1 logging production Synced Healthy argocd/fluent-bit-myapp-dev-usw2 myapp-dev-usw2 logging production Synced Healthy argocd/fluent-bit-myapp-production-use1 myapp-production-use1 logging production Synced Healthy argocd/fluent-bit-myapp-production-usw2 myapp-production-usw2 logging production Synced Healthy argocd/fluent-bit-myapp-

2026-05-29 原文 →
AI 资讯

Production DevSecOps Pipeline — The Complete Day-2 Operations Runbook

DevSecOps Pipeline — Completion Runbook All code is written and pushed to GitHub. This runbook covers the remaining operational steps: Terraform applies, GitOps ARN updates, and ArgoCD deployment. Prerequisites Install these tools if not already present: # AWS CLI v2 winget install Amazon.AWSCLI # Terraform 1.6+ winget install HashiCorp.Terraform # Terragrunt # Download from https://github.com/gruntwork-io/terragrunt/releases # Place in C:\Windows\System32\ or add to PATH # kubectl winget install Kubernetes.kubectl # ArgoCD CLI winget install argoproj.argocd AWS Profile Setup The root terragrunt.hcl uses profiles named myapp-{env}-{region_alias} . Configure them in ~/.aws/config : [profile myapp-production-use1] region = us-east-1 role_arn = arn:aws:iam::591120834781:role/AdministratorAccess source_profile = default [profile myapp-production-usw2] region = us-west-2 role_arn = arn:aws:iam::591120834781:role/AdministratorAccess source_profile = default [profile myapp-staging-use1] region = us-east-1 role_arn = arn:aws:iam::690687753178:role/AdministratorAccess source_profile = default [profile myapp-staging-usw2] region = us-west-2 role_arn = arn:aws:iam::690687753178:role/AdministratorAccess source_profile = default [profile myapp-dev-use1] region = us-east-1 role_arn = arn:aws:iam::557702566877:role/AdministratorAccess source_profile = default [profile myapp-dev-usw2] region = us-west-2 role_arn = arn:aws:iam::557702566877:role/AdministratorAccess source_profile = default PHASE 1 — Terraform Applies Work from the myapp-infra/ directory. Run in the order shown — capture outputs for updating GitOps files in Phase 2. 1.1 WAF (production + staging) # Production us-east-1 terragrunt apply --terragrunt-working-dir live/production/us-east-1/waf # Output → webacl_arn (copy this value) # Production us-west-2 terragrunt apply --terragrunt-working-dir live/production/us-west-2/waf # Output → webacl_arn (copy this value) # Staging (no GitOps ARN needed, but good to have) terra

2026-05-29 原文 →
AI 资讯

Leaked Kubernetes Secrets: Impact Assessment and Mitigation Strategies

Threat-intel reports from recent years document campaigns in which attackers obtain AWS IAM credentials from developer workstations, use them to enumerate cloud accounts and access Kubernetes clusters. From there, attackers deploy poisoned container images to move laterally and harvest secrets. The MITRE ATT&CK chain maps to: T1552.001 ( Credentials in Files ) → T1078.004 ( Valid Accounts: Cloud Accounts ) → T1610 ( Deploy Container ) → T1496 ( Resource Hijacking ). This is not an isolated case. The Shai-Hulud supply chain attack harvested Kubernetes credentials from CI and developer workstations, feeding exactly this kind of attack chain. This research started with a short list of questions: What are Kubernetes secrets, exactly? What can an attacker do with them? How can defenders harden their clusters? So before we look at what we found in the wild, and how to harden clusters to mitigate impacts, let's define what Kubernetes secrets are. Three Surfaces, Three Secret Formats A simplified view of the cluster has three sides that matter for this post: A developer, or automation pipeline, talks to the Kubernetes API server with credentials. That is the canonical front door. On every node, the kubelet exposes its own HTTPS API. The same credentials can authenticate to it directly when it is reachable on the network. The cluster's nodes pull images from container registries (Docker Hub, GitHub Container Registry, ECR, Quay, GitLab, ACR…) using a second set of credentials. Kubernetes Architecture These are the attack surfaces where leaked secrets have the most impact, and three secret formats unlock them: TLS client certificates are used by humans through a kubeconfig file with the kubectl command to connect to a Kubernetes cluster. JSON Web Tokens, or Service Accounts, are non-human identities (NHI) used to automate cluster operations from CI/CD jobs, controllers, and integrations. By default, JWTs have no expiration date — which is why a JWT leaked years ago can still

2026-05-28 原文 →
AI 资讯

Article: Stragglers, Not Failures: How Adaptive Hedged Requests Reduce p99 Latency by 74 Percent

n fan-out microservice architectures, slow-but-completing requests accumulate across services and drive p99 latency far higher than per-service metrics suggest. This article presents an adaptive hedging mechanism that uses DDSketch for real-time quantile estimation, windowed rotation to handle distribution drift, and a token-bucket budget to prevent load amplification. By Prathamesh Bhope

2026-05-28 原文 →
AI 资讯

Azure Container Apps Express: The Agent-First Platform You've Been Waiting For

I've been running AI workloads on Azure Container Apps for over a year. Every time I spin up a new agent backend, the ritual is the same: create an environment, configure networking, set scaling rules, wire up health probes, then deploy the actual container. For a prototype agent that might live for a week, that's too much ceremony for what you get. ACA Express, which hit public preview in May 2026, kills most of that ceremony. And a separate but related announcement, Docker Compose for Agents, brings MCP gateways and model serving to standard ACA environments. They solve different problems and run on different infrastructure, but together they cover the full spectrum of agent deployment on Azure. Let me break down both. ACA Express: What It Actually Is Express is a new environment tier within Azure Container Apps. You bring a container image. Express handles provisioning, HTTPS, scaling (including scale-from-zero with subsecond cold starts), and resource allocation. No environment to manually provision through the portal. No networking to configure. No scaling rules to write. Under the hood, Express is built on ACA Sandboxes, a platform primitive that uses prewarmed pools to deliver that subsecond startup. This isn't the standard ACA cold-start experience with a fresh coat of paint. It's a different architecture. The tradeoffs are real. Express is HTTP workloads only, consumption CPU only. No GPU. No VNet integration. No Dapr. No service discovery between apps. No managed identity at runtime. No health probes. If you need any of those, standard ACA environments are still there. But for stateless HTTP agent backends, Express is dramatically faster to deploy and cheaper to run. Here's what it takes to get a container running: # Create an express environment az containerapp env create \ --name my-express-env \ --resource-group rg-my-agents \ --environment-mode express \ --logs-destination none # Deploy your app az containerapp create \ --name my-agent-api \ --resource

2026-05-28 原文 →
AI 资讯

NVIDIA CUTLASS: High-Performance CUDA Templates for AI Linear Algebra

If you've trained a transformer in the last three years, your GPU spent most of its wall-clock time inside a matrix multiplication. The kernels doing that work were probably written by cuBLAS, generated by a compiler stack like Triton, or hand-assembled on top of NVIDIA's CUTLASS templates. CUTLASS is the one most people don't see directly, but it sits underneath a surprising amount of modern AI infrastructure — from FlashAttention to vLLM to several internal kernels inside PyTorch. What CUTLASS actually is CUTLASS — CUDA Templates for Linear Algebra Subroutines — is a header-only C++ template library NVIDIA publishes on GitHub under Apache 2.0. It is not a drop-in replacement for cuBLAS. cuBLAS gives you a closed-source binary with a stable API: you call cublasGemmEx and you get a tuned kernel. CUTLASS gives you the building blocks to write your own kernel, with control over tile sizes, data layouts, epilogues, and how the kernel decomposes work across the GPU's memory hierarchy. That control is the point. If you're building a custom inference engine and your projection layer needs to fuse a GEMM with a SiLU activation and a residual add, cuBLAS can't fuse the epilogue for you — you'd launch the GEMM, then a separate elementwise kernel, paying twice for global memory traffic. With CUTLASS, the epilogue is a template parameter. You write the fusion once, instantiate the template, and the compiler emits a single kernel. This is why CUTLASS shows up wherever standard cuBLAS shapes don't fit — unusual data types like FP8, custom epilogues, sparse or grouped GEMMs, attention-shaped matrix products. Anywhere the stock library doesn't have what someone needs and the performance ceiling matters, you tend to find a CUTLASS kernel. CUTLASS is not a productivity library. It is a kernel-author's library. If you're writing PyTorch model code, you'll never import cutlass directly — you'll consume kernels that were built on top of it. The audience here is people who write the ker

2026-05-28 原文 →
AI 资讯

JaisCloud — A Free, Single-Binary AWS Emulator in Go

Why We Built JaisCloud — A Free, Single-Binary AWS Emulator in Go If you've ever tried to test AWS-dependent code locally, you've probably reached for LocalStack. It works — but it comes with baggage: Python runtime, Docker dependency, and the features most teams actually need locked behind a Pro subscription. JaisCloud is our answer to that problem. What is JaisCloud? JaisCloud is a free, open-source local AWS cloud emulator written entirely in Go. It implements the exact AWS wire protocols — Query/XML, JSON/Target, REST — so your existing SDK code points at JaisCloud and works unmodified. No shims, no proxy rewrites, no SDK patches. # Start it jaiscloud-aws start # Point your SDK at it export AWS_ENDPOINT_URL = http://localhost:4566 export AWS_ACCESS_KEY_ID = test export AWS_SECRET_ACCESS_KEY = test export AWS_REGION = us-east-1 # Your existing code works — no changes needed aws s3 mb s3://my-bucket aws sqs create-queue --queue-name my-queue The Problem With Existing Solutions JaisCloud LocalStack Community Moto Single static binary Yes No - Python + Docker No - Python library Zero runtime deps Yes No No Postgres persistence Yes Pro only No Real Spark/EMR execution Yes No No Apache Iceberg Yes No No Prometheus metrics Yes Pro only No State export / import Yes No No Deterministic time control Yes No No Written in Go Yes No No License Apache-2.0 Apache-2.0 Apache-2.0 Key Features Single Static Binary JaisCloud ships as a single Go binary per cloud. No Python, no Docker, no Node — just download and run. Works on laptop, CI runner, or Kubernetes pod. # Download and run — that is it ./jaiscloud-aws start # Or with Docker docker run --rm -p 4566:4566 rjaisval/jaiscloud-aws:latest Portable State Snapshots Export the complete emulator state — every resource, every account, every region to a single gzip tarball and restore it anywhere in milliseconds. # Capture a baseline jaiscloud-aws export -o baseline.tar.gz # Restore on a teammate's machine or CI runner jaiscloud-aws i

2026-05-28 原文 →