今日已更新 412 条资讯 | 累计 19972 条内容
关于我们

标签:#linux

找到 87 篇相关文章

AI 资讯

linux lab

Lab 1 – Linux Navigation & Files (20 points) Task 1 Create the following structure. /home/student/ ├── project │ ├── logs │ ├── scripts │ └── backup Requirements create all directories create app.log error.log install.sh inside correct folders. Task 2 Move app.log into backup Task 3 Delete error.log Task 4 Find install.sh using only one command. Lab 2 – Permissions (20 points) Create secret.txt Requirements Owner read/write Group read Others no access Verify permissions. Create a new user developer Switch to that user. Can the user read secret.txt Explain why. Lab 3 – Processes (20 points) Start a process Example sleep 500 Questions Find PID Kill the process Verify it stopped. Bonus Find the top five processes using the most memory. Lab 4 – Disk Space (20 points) Create a directory practice Generate a file about 100 MB. Questions How much disk space is used? How much free disk space remains? Which command shows directory size? Lab 5 – Networking (30 points) Find Your hostname private IP default gateway DNS server Ping 8.8.8.8 Questions Did it work? Ping google.com If this fails but 8.8.8.8 works, what is the problem? Display All listening ports. What service is listening on port 22? Lab 6 – Troubleshooting (40 points) Scenario 1 A user says "Internet is not working." Show the commands you would run. Expected ideas ip addr ping 8.8.8.8 ping google.com ip route cat /etc/resolv.conf Explain each step. Scenario 2 A website is down. Questions How do you verify server is running? nginx is running? port 80 is listening? firewall issue? logs? Commands should include systemctl status nginx journalctl -u nginx ss -tuln curl localhost systemctl restart nginx Scenario 3 SSH stopped working. How would you troubleshoot? Expected ping server ssh localhost systemctl status ssh ss -tulpn journalctl -xe systemctl restart ssh Lab 7 – Mixed Practical (Best Assessment) Tell students: You are the new Junior DevOps Engineer. The manager asks you to prepare a server. Complete all tasks. Ta

2026-06-26 原文 →
AI 资讯

From Root CA to User Authorization in nginx+apache. Part 2: Certificate Revocation, CRL and OCSP

A follow-up to Part 1 ( EN on LinkedIn · RU on Habr ), where we stood up a two-tier PKI: a Root CA and three intermediate CAs — Person, Server and Code. At the end of Part 1 I promised we'd learn to revoke certificates and run OCSP. That's what we'll do here. Like Part 1, this article is meant as a hands-on manual : for every command and extension we touch, there's an extended reference of the parameters you can actually use — with syntax, allowed values, defaults and gotchas. If you don't need a given option right now, just skim past the table; it's there so you don't have to dig through man later. Each section has the same shape: first the working commands for the common case, then the full parameter reference. Tested on versions. Flag names, defaults and extension syntax were verified against the official documentation of OpenSSL master , plus nginx and Apache mod_ssl. OpenSSL evolves per branch: anything marked "OpenSSL 4.0 / master" (for example the nonss qualifier on authorityKeyIdentifier ) is not yet available in the stable 3.x line. If you're on OpenSSL 3.0–3.6, double-check the disputed options with openssl <cmd> --help or your version's man before copy-pasting config. The numeric openssl verify error codes above 40 also shifted between branches — confirm them against your version's header. In this part: How a revoked certificate differs from an expired one, and why we need two mechanisms — CRL and OCSP. Adding the distribution points (CDP) and AIA to the config so issued certificates "tell" verifiers where to check them. Revoking a certificate and working with the CA database. Generating a CRL and inspecting it with openssl crl . Checking revocation with openssl verify . Running an OCSP responder: issuing its certificate, starting the daemon, querying status. Publishing the CRL and OCSP over HTTP (nginx), configuring OCSP stapling and revocation checking on the web server. All paths, file names and config sections are the same as in Part 1. Where you name

2026-06-25 原文 →
开源项目

Fixing RPM Database Desynchronization on RHEL

Recently, we encountered a case on a RHEL 9 machine where an RPM query did not show any information about installed package even though the package files were present in the filesystem. Although RPM reported that the package was not installed, I was still able to run tcpdumpcommand and use it without any issues. The binary was present there in the filesystem and I was able to run it successfully. Fixing RPM Database Desynchronization on RHEL - bidhankhatri.com.np Recently, we encountered a case on a RHEL 9 machine where an RPM query did not show any information about installed package even though the package files were present in the filesystem. bidhankhatri.com.np

2026-06-25 原文 →
AI 资讯

You Don't Need Kubernetes to Monitor 20 Linux VMs

If you've ever tried to set up Prometheus by following the official getting-started path, you're likely to find a path that does not follow your infrastructure model. Out of the gate, page one mentions kube-prometheus-stack. Page two wants you to install a Helm chart, and page three assumes you already have a cluster running. The documentation for monitoring plain Linux servers is in there somewhere, but you have to dig for it. When you do find it, the tone suggests you are doing something slightly old-fashioned. If that sounds like your setup, the tooling is making this harder than it actually is. Monitoring a fleet of Linux VMs is fairly simple and has been for years. It is just obscured behind documentation that would prefer to sell you something bigger. Modern infrastructure tooling has quietly decided everyone runs Kubernetes. If you don't, the assumption is that you eventually will. Meanwhile, most real-world infrastructure still runs on VMs. TL;DR: Modern observability documentation often assumes you're running Kubernetes. Most small teams aren't. If you're managing a fleet of Linux VMs, node_exporter plus Prometheus gives you everything you need for infrastructure monitoring with a single lightweight agent and a straightforward deployment model. No cluster required. VMs are often the answer For most small businesses, running VMs instead of Kubernetes does not mean you failed to evolve. Most workloads under a certain scale perform better on VMs: One process per box, predictable resource limits, and the ability to ssh in and look at what's happening, which makes it easier to keep track of the infrastructure as a whole. They're cheaper, both financially and in the mental overhead of running them. Backups and snapshots are straightforward in a way stateful Kubernetes still isn't. There's no control plane that itself needs monitoring and upgrades and care. Kubernetes solves problems that mostly pertain to companies with dozens of engineers and hundreds of service

2026-06-23 原文 →
AI 资讯

Why Your Ubuntu Laptop Lags, and How to Fix It for Free

My main work laptop is a Dell from 2017 with 8 GB of RAM. For weeks it had been crawling, freezing for whole seconds while I worked, and every so often it would simply switch itself off in the middle of a task. If you have ever lost unsaved work to a laptop that powers down on its own, you know exactly how frustrating that is. So I sat down and fixed it properly. The first thing I learned is worth saying up front: a slow, crashing laptop is usually two different problems wearing the same costume . Treat them as one and you will chase your tail. Separate them, and both become fixable. Everything below is free and copy-paste ready. It was tested on Ubuntu 24.04 LTS, and it applies to almost any older Linux machine. The honest disclaimer: Nobody can promise an old laptop will never lag. Software cannot add cores or memory that are not physically there. But you can absolutely stop the freezes and shutdowns completely and make everyday work feel smooth. That is the realistic, achievable goal. 0. Diagnose first, do not guess The biggest mistake is blindly applying "speed up Ubuntu" tweaks before knowing what is actually wrong. Spend five minutes measuring. Your lag has one of four common causes: heat, memory, disk, or a dying battery . Check temperature (the usual cause of random shutdowns): sudo apt install lm-sensors -y sudo sensors-detect --auto sensors Watch the Core temperatures while you work. If they spike past 90 to 100 °C right before a crash, you have a thermal problem, not a software one. Check memory (the usual cause of freezing): free -h sudo apt install htop -y htop In htop , watch the Mem and Swp bars during normal use. If memory pins near your limit and swap fills up, that thrashing is your freeze. Check disk space (a quiet killer): df -h / A root partition above 90% full makes Linux lag and turn unstable. Small SSDs fill up fast. Read the crash logs and battery health: # What went wrong during the previous (crashed) session journalctl -b -1 -p err --no-pa

2026-06-23 原文 →
AI 资讯

A Cron Job Took Our Server to Load 41 by Attacking Itself

A */1 rsync took our staging box to a load average of 41 one afternoon, and it took me longer than I want to admit to work out why. The sync normally finished in about twenty seconds. That day the backup target's NFS mount went sluggish, the sync started taking ninety seconds, and cron — which does not know or care whether the last run is still going — launched a fresh copy every single minute on top of it. Inside ten minutes there were a half-dozen rsyncs all reading the same tree off the same slow disk, each one making the disk slower, each new minute adding another. The box wasn't under attack. It was attacking itself, one polite copy at a time. The thing that stung was that nothing was broken — every individual rsync was correct, the disk eventually recovered on its own, and the only reason it became an outage is that cron has no concept of "the last one is still running." That's the trap with scheduled jobs: a command that's perfectly fine when you run it by hand can take down a server the first time it runs longer than its interval with nobody watching. The fix everyone reaches for first is the wrong one The instinct is a PID file: write $$ to /var/run/job.pid on start, check whether that file exists on the next run, bail if it does. It almost works. Then one run gets kill -9 'd, or the box reboots mid-job, and the PID file is left behind pointing at a process that died on Tuesday. Now every future run sees a "lock" owned by a PID that no longer exists, and the job never runs again — the opposite failure, just as silent. There's also a race between the check and the write, and the times you most need the lock to be clean are exactly the times cleanup didn't happen, because the process died before it could clean up. flock has none of that. The lock isn't a file you create and delete — it's a lock the kernel holds on an open file descriptor , and the kernel releases it automatically the instant that descriptor closes. The process exiting closes it. So does crash

2026-06-23 原文 →
AI 资讯

Meet mytuis: A Sleek Terminal Application Manager Built with Bash and Gum

Having spent over 25 years in software development and managing countless Linux environments, I've accumulated a vast collection of custom bash scripts, containers, and CLI tools. Remembering their exact paths and managing them efficiently directly from the terminal is a common challenge. To solve this, I built mytuis . mytuis is a small, attractive terminal UI for managing a personal catalogue of applications. It is built with gum and plain bash, with persistent storage in a human-readable YAML file. GITHUB REPO : https://github.com/horaciod/mytuis Why mytuis? I wanted a tool that didn't require heavy dependencies or a complex setup, but still looked great and provided a smooth user experience. Here is what mytuis brings to the terminal: CRUD operations: You can create, read, update, and delete application entries from a single menu. Quick launch: Pick an app from the filterable list and it is launched immediately. It replaces the manager process via exec, meaning no extra shell window is left behind. Smart path handling: It accepts absolute paths (like /usr/bin/firefox), relative paths (./scripts/myscript.sh), tilde paths (~/bin/foo), or plain command names looked up in your $PATH (firefox). Persistent metadata: Every entry stores its name, description, absolute path, creation date, and last-used date. Friendly TUI: You get clear menus, color-coded messages, and clean borders, all powered by gum. Under the Hood: Plain Text and Standard Utils Simplicity and standard compliance were key goals. mytuis requires bash ≥ 4 and standard Unix utilities like awk, sed, grep, date, and tput. Your catalogue is stored at ~/.mytuis.yaml. Because it is a standard YAML file, it can be inspected, edited, or backed up with any text editor. It is also completely safe to sync with a dotfiles repository or version-control. To ensure data integrity, all file operations are performed atomically by rewriting the YAML file from scratch on every change, so there is no risk of leaving the fi

2026-06-21 原文 →
AI 资讯

100 Days of DevOps, Day 1: Linux User Management and AWS Key Pairs

Doing the work and being able to explain the work are two different skills. I've had the first one for 8 years. I'm building the second one now. I'm a Cloud Platform Engineer. AWS, Kubernetes, Terraform, Linux. Regulated environments, healthcare, production systems. Real experience. Almost zero public documentation of it. That's the gap I'm closing, starting from Day 1. The platform is KodeKloud. Each session gives you tasks across multiple tools. I'm posting the Linux and AWS tasks here. Here's what I built and what actually matters about each one. Task 1 (Linux): Create a User with a Non-Interactive Shell The task was to create a system user that can own processes but cannot log in interactively. This is what you do for service accounts. bash ssh user@hostname sudo su - useradd username -s /sbin/nologin cat /etc/passwd | grep username The /sbin/nologin shell is the important part. The user exists in the system, can own files and run processes, but cannot open a shell session. You verify by checking /etc/passwd because the last field in each line is the assigned shell. I've been doing this in production environments for years. I still verify every time. Not because I'm unsure. Because in a regulated environment, you don't assume, you confirm. Task 2 (AWS): Create an EC2 Key Pair via CLI aws ec2 create-key-pair \ --key-name my-key-pair \ --key-type rsa \ --key-format pem \ --query "KeyMaterial" \ --output text > my-key-pair.pem aws ec2 describe-key-pairs --key-names my-key-pair The private key is returned exactly once at creation. AWS does not store it. If you lose it, you generate a new one and replace it everywhere it was used. I've seen this cause real problems in production environments where the key wasn't backed up properly. Always run chmod 400 my-key-pair.pem after saving it. SSH will refuse to use a key file with open permissions. It won't tell you that's the reason straight away. What Day 1 Taught Me That 8 Years Didn't Nothing here was technically new to

2026-06-21 原文 →
AI 资讯

Cử chỉ Trackpad trong Workflow Code: ROG Zephyrus G14 hay MSI Creator 16 AI?

Đối với một developer, trackpad không chỉ là thiết bị điều hướng mà còn là công cụ tối ưu hóa workflow. Khi làm việc với các IDE nặng như VS Code hay IntelliJ, khả năng phản hồi của trackpad quyết định tốc độ xử lý tác vụ. Trong bài so sánh giữa ROG Zephyrus G14 GA403 hay MSI Creator 16 AI? Đâu là lựa chọn cho sáng tạo chuyên nghiệp? , trải nghiệm trackpad là một điểm nhấn quan trọng. Trải nghiệm cử chỉ và độ chính xác trong lập trình Khi làm việc với code, các cử chỉ như chuyển đổi desktop ảo (Virtual Desktops) là cực kỳ quan trọng để tách biệt môi trường chạy Docker, trình duyệt và editor. Vuốt 3-4 ngón: Cả hai dòng máy đều hỗ trợ tốt, nhưng trên MSI Creator 16 với diện tích lớn hơn, việc nhận diện cử chỉ vuốt ngang giữa các workspace mượt mà hơn đáng kể. Độ chính xác chọn văn bản: Với một developer, việc bôi đen một đoạn code dài hoặc chọn chính xác một ký tự nhỏ là yếu tố sống còn. Trackpad trên G14 có độ nhạy cao nhờ kích thước gọn nhẹ, trong khi Creator 16 cho cảm giác vững chãi, ít bị trượt hơn khi thao tác nhanh. Độ trễ (Latency): Cả hai đều đạt chuẩn cao, tuy nhiên trên Windows, trải nghiệm đôi khi không mượt bằng macOS. Để khắc phục, việc sử dụng driver tùy chỉnh là cần thiết. So sánh hệ điều hành và mẹo cấu hình cho Developer Trải nghiệm trackpad thay đổi rõ rệt giữa Windows và Linux : Windows: Hỗ trợ tốt Precision Drivers. Bạn nên vào Settings > Bluetooth & devices > Touchpad để tinh chỉnh độ nhạy.\n- Linux: Nếu bạn dùng Ubuntu hay Fedora, hãy cài đặt libinput . Để tối ưu hóa cho workflow code, bạn có thể cấu hình file .wslconfig nếu chạy môi trường Windows Subsystem for Linux nhằm đảm bảo tài nguyên không bị nghẽn khi thao tác giao diện.\n Thông số kỹ thuật tóm tắt: ROG Zephyrus G14 GA403: Ryzen 9 8945HS, RTX 4070, 32GB LPDDR5X, OLED 14" 120Hz, nặng 1,5 kg. MSI Creator 16 AI Studio: Core Ultra 9 185H, RTX 4080/4090, lên đến 64GB DDR5, Mini LED 16" 120Hz, nặng 2,1-2,5 kg. Bài viết này là bản tóm tắt kỹ thuật. Xem chi tiết tại bài gốc.

2026-06-20 原文 →
开发者

Memory Profiling: Valgrind & Heaptrack trên WSL2 vs Native Linux

Là một developer thường xuyên đối mặt với các lỗi memory leak trong hệ thống C++/Rust, việc chọn môi trường profiling là yếu tố sống còn. Nếu bạn đang cân nhắc giữa việc chạy Valgrind hay Heaptrack trên WSL2 so với Native Linux (hoặc máy trạm có RAM SO-DIMM nâng cấp được), đây là những trải nghiệm thực tế từ quá trình debugging. Hiệu năng Valgrind và Heaptrack: Sự khác biệt rõ rệt Khi sử dụng valgrind --tool=memcheck , tốc độ thực thi thường giảm xuống còn 10-50 lần so với bình thường. Trên Native Linux , việc quản lý bộ nhớ diễn ra trực tiếp trên kernel, giúp các công cụ này hoạt động ổn định nhất. Ngược lại, trên WSL2 , do lớp ảo hóa và cơ chế quản lý memory của Microsoft, bạn sẽ thấy overhead đáng kể hơn. Đặc biệt là khi tạo Heaptrack flame graph , việc phân tích bộ nhớ lớn có thể khiến WSL2 bị giới hạn bởi file .wslconfig nếu không cấu hình đủ RAM.\n Lệnh thực thi nhanh: # Chạy Valgrind trên hệ thống của bạn valgrind --leak-check = full --show-leak-kinds = all ./your_app # Sử dụng Heaptrack để lấy flame graph chi tiết hơn heaptrack ./your_app WSL2 Overhead và bài toán phần cứng (Onboard vs SO-DIMM) Một vấn đề thực tế là khi profiling các ứng dụng nặng, bộ nhớ hệ thống bị chiếm dụng cực nhanh. Nếu bạn đang dùng laptop với RAM onboard 16GB , việc chạy đồng thời Docker + IDE + Valgrind trên WSL2 dễ dàng dẫn đến tình trạng swap liên tục do giới hạn cứng của phần cứng. Từ kinh nghiệm thực tế, nếu công việc yêu cầu profiling chuyên sâu thường xuyên, một chiếc máy có RAM SO-DIMM cho phép nâng cấp lên 32GB hoặc 64GB sẽ là cứu cánh tuyệt vời. Bạn có thể tham khảo thêm về sự khác biệt giữa ReviewLaptop để hiểu rõ tại sao việc chọn đúng loại RAM lại quan trọng cho workflow của một developer. Bảng so sánh nhanh: | Đặc điểm | Native Linux | WSL2 (Ubuntu) | --- | --- | --- | | Speed Overhead | Thấp hơn (Direct Kernel) | Memory Management | Trực tiếp, ổn định | Có lớp ảo hóa, dễ bị giới hạn bởi .wslconfig | | Flame Graph Rendering | Mượt mà | Đôi khi chậm do I/O file qua hệ th

2026-06-19 原文 →
AI 资讯

Most AI dev tools assume you have a repo. Ops engineers have a broken node and a 3am page.

Most AI coding tools assume you're sitting in front of a repo. There's a working directory, some source files, tests, maybe a CI pipeline. The AI reads your code, suggests changes, ru****ns tests. Great model — if you're a developer writing code on a Tuesday afternoon. Now picture the other scenario. It's 2am. PagerDuty fires. You SSH into a box you haven't touched in three months. Something is broken, you're not sure what, and the runbook was last updated by someone who left the company in 2022. You're not thinking about repos. You're thinking: what OS is this thing running? What just failed? Is it safe to restart that service or will I make it worse? These are two fundamentally different workflows. But almost every AI terminal tool I've seen is built for the first one. The 30 minutes nobody builds for There's a ton of tooling for the world before you log into the box: Prometheus, Grafana, PagerDuty, incident.io, runbooks, dashboards. All useful. No complaints. But there's this practical 30-minute window after you SSH in where you're basically doing archaeology with journalctl and grep. You check systemd. You look at disk. You read logs that were clearly written by someone who hated future-you. You copy-paste terminal output into Slack so your teammate can squint at it from a different timezone. This is where I think AI could actually help. Not by replacing Grafana. Not by building another dashboard. Just by being present in the shell while you're debugging. Please, for the love of uptime, don't replace my shell I've seen a few AI terminal projects that basically build an entire new terminal experience from scratch. New keybindings, new UI, new everything. Here's the thing: ops people have muscle memory. We have aliases we wrote in 2019 and forgot about. We have tmux configs we'd defend with our lives. We SSH through jump hosts with key forwarding chains that barely work but have worked for years so nobody touches them. If your AI tool requires me to abandon all of

2026-06-19 原文 →
AI 资讯

Linux 7.1, tRPC's Query Overhaul, and Biome 2.0 Beta: What Developers Need to Know

This week's tooling landscape is quieter on the AI-native side but dense with infrastructure moves that affect how AI-driven workloads actually run in production. Cloudflare's Workflows scaling overhaul is the clearest signal: agent-triggered execution is now an assumed pattern, not a novelty, and platforms are rearchitecting accordingly. The rest of the week rounds out with a kernel maintenance drop, a meaningful abstraction removal in tRPC, and a Biome beta that's finally making ESLint replacement feel plausible. Linux 7.1 Released with Driver and Networking Fixes 7.1 is a maintenance release. No architectural changes, no new subsystems—just patches you should care about if you're running affected hardware or kernel-adjacent tooling. The two fixes worth flagging are heap overflows in the USB serial io_ti driver ( get_manuf_info() and build_i2c_fw_hdr() ), plus memory leak corrections scattered across drivers and networking subsystems. Trace tooling also gets updates, which matters if you're doing kernel-level performance analysis on production systems. One operational note: Torvalds is traveling, so merge window latency may be irregular. If you're tracking pull request timelines for custom kernel builds, plan for slippage. Verdict: Ship — if you're on 7.0 and running USB serial hardware or affected networking paths, upgrade on your normal kernel cycle. No breaking changes, no new dependencies, nothing to validate beyond your existing regression suite. tRPC Drops Abstraction Layer for React Query This is the kind of change that looks small in a changelog and feels large in daily development. The new tRPC client exposes native TanStack Query interfaces— QueryOptions and MutationOptions —directly, rather than wrapping them in tRPC-specific hooks. The practical effect: if you're already using TanStack Query elsewhere in your app, you stop context-switching between two similar-but-different mental models. You call .queryOptions() and .mutationOptions() factories and pa

2026-06-19 原文 →
AI 资讯

Use the Telegram Bot API in OpenClaw via Cloudflare WARP (1.1.1.1)

You run a Telegram bot through OpenClaw on your own Linux server. One day it goes quiet. The bot can't send or receive. But the server itself is fine — SSH works, apt works, other sites load. The reason: your server can't reach api.telegram.org . Some networks block or throttle it, so every call times out while everything else is fine. The clean fix: route only OpenClaw's Telegram traffic through Cloudflare WARP (1.1.1.1) . Everything else on the box stays direct and fast — including your SSH login. Here is the full setup, step by step. First, confirm it's a Telegram-only problem curl --max-time 8 https://api.telegram.org/ # hangs / times out curl --max-time 8 https://www.google.com/ # works instantly If Telegram times out but other sites are quick, this guide is for you. How it works We chain three small tools: OpenClaw ──▶ iptables ──▶ redsocks ──▶ WARP (SOCKS5) ──▶ Cloudflare ──▶ api.telegram.org WARP gives us a local proxy that exits through Cloudflare's network (which can reach Telegram). redsocks turns normal connections into proxy connections (so the app needs no proxy support — OpenClaw has none). iptables picks only OpenClaw's Telegram traffic and sends it to redsocks. The trick is in that last step. We match by the app's user and Telegram's IP ranges, so nothing else is touched. Step 1: Install WARP in proxy mode # Add Cloudflare's package repo curl -fsSL https://pkg.cloudflareclient.com/pubkey.gpg \ | gpg --yes --dearmor -o /usr/share/keyrings/cloudflare-warp-archive-keyring.gpg echo "deb [signed-by=/usr/share/keyrings/cloudflare-warp-archive-keyring.gpg] \ https://pkg.cloudflareclient.com/ $( lsb_release -cs ) main" \ > /etc/apt/sources.list.d/cloudflare-client.list apt-get update && apt-get install -y cloudflare-warp # Sign up (free) and switch to proxy mode warp-cli --accept-tos registration new warp-cli --accept-tos mode proxy # opens a SOCKS5 proxy on 127.0.0.1:40000 warp-cli --accept-tos connect Now check that WARP can reach Telegram: curl --socks5-

2026-06-17 原文 →
AI 资讯

The Hidden Linux Routing Issue That Broke My Deployment

The deployment should have taken a few minutes. The application was running, DNS was configured correctly, and the domain was already pointing to the server's public IP. Caddy was configured as a reverse proxy and was listening on ports 80 and 443. Every item on my deployment checklist appeared healthy. Yet every Let's Encrypt validation attempt kept failing. The error looked simple enough: authorization failed timeout during connect likely firewall problem At first, I believed it. I checked DNS resolution, verified firewall rules, confirmed that Caddy was listening on the expected ports, and made sure the application itself was reachable. Every check came back clean. That was the first clue that the problem might not be where the logs were pointing. The Obvious Things The first assumption was DNS. I verified that the domain resolved to the correct public IP. dig +short my-domain.com Everything looked correct. Next came the firewall. sudo ufw status Ports 80 and 443 were open. There were no unexpected deny rules, and nothing suggested inbound traffic was being blocked. Then I checked whether Caddy was actually listening. sudo ss -tulpn | grep -E ':80|:443' Again, everything looked normal. The application itself was healthy too. curl http://localhost:3001 returned a valid response. At this point I had checked most of the things engineers typically check when certificate validation fails. DNS looked good, the firewall looked good, the reverse proxy was healthy, and the application was running. Yet the validation errors continued. The Part That Sent Me In The Wrong Direction The error messages kept mentioning connectivity problems and possible firewall issues. That wording influenced my thinking more than it should have. I spent time investigating firewall rules, reverse proxy configuration, TLS settings, and domain configuration. Every new hypothesis felt reasonable, but none of them explained why local tests consistently succeeded while external validation continued

2026-06-17 原文 →
AI 资讯

How to Use Claude to Troubleshoot Linux Servers

Claude is genuinely useful for production Linux troubleshooting — when you use it right. Here's the workflow that works, after a year of using it on real incidents across Ubuntu, RHEL, and Rocky. The mental model: Claude is a senior pair, not an oracle The mistake most engineers make on day one: they paste a 5-line error message and expect a fix. Claude can do better than that — but only if you give it the same context you'd give a senior engineer joining your incident bridge. A senior engineer would want: What OS and version? What does this server do? What changed recently? What's the actual symptom? What command output have you already gathered? Give Claude that, and the quality of analysis changes completely. The workflow Step 1: Establish context with a system prompt Use our Linux Server Troubleshooting Prompt as your system prompt, or paraphrase: "You are a senior Linux sysadmin. Rank root-cause hypotheses by probability. Recommend safe diagnostics first. Label destructive commands as DANGEROUS." Step 2: Paste structured context, not noise Good: OS: Ubuntu 22.04, kernel 5.15 Role: production MySQL replica, 64GB RAM, 16 cores Recent changes: kernel upgrade 6 hours ago Symptom: server load average 40+, MySQL replication lag growing, queries timing out $ uptime 14:22:01 up 6:02, 4 users, load average: 41.23, 38.51, 35.04 $ free -h total used free shared buff/cache available Mem: 62Gi 58Gi 1.2Gi 128Mi 3.1Gi 1.8Gi $ iostat -xz 2 3 [...] Bad: my server is slow can you help Step 3: Let it ask follow-up questions The good prompts in our library tell Claude to ask for missing data before guessing. When it asks "can you share dmesg | tail -50 and vmstat 1 5 ?" — that's a feature, not a flaw. Give it the data. Step 4: Validate suggested commands before running Claude will sometimes suggest a command with subtly wrong syntax, a destructive flag, or a path that doesn't exist on your distro. Read every suggestion before running. Never paste straight into a root shell. Step 5

2026-06-15 原文 →
AI 资讯

From Mint to NixOS: Why a Long-Time Linux User Made the Switch

Background I started daily driving Linux back in 2019. The start of that journey was rough, and I still deeply appreciate the help I received in those early days from the old guard who kept me moving forward. Early on, I quickly found my home with Linux Mint and its Cinnamon desktop. As the saying goes, "You don't choose a Linux desktop; the desktop chooses you." Built on top of a stable foundation with a rich package infrastructure, Cinnamon provided a familiar experience that bridged the gap from Windows. It also afforded me excellent customization options right out of the box, such as configuring custom keyboard shortcuts or setting up auto-login startup scripts, while always getting out of my way. No adverts, no pop-ups, just a fast and efficient desktop environment. I won't lie, though: I distro-hopped multiple times just to see if the grass was greener. Through those escapades, I quickly realized I am definitely not a GNOME person; I do not like polyfilling my desktop experience with a suite of extensions. And as much as I appreciate KDE Plasma, I learned that with great customization comes great responsibility because it was far too easy for me to break my environment with just a few theme toggles. This is not a dig at those desktop environments; it just means I am not wired for that kind of experience. As I continued my Linux journey, my priorities shifted. I wanted a predictable operating system that could act as a trusted companion, both for my daily life as a software developer and as a casual user wanting to watch Netflix on the weekends. This is what made me appreciate Linux Mint even more. It featured a predictable release cycle, a stable package base built on Ubuntu LTS, and Timeshift to guard against system breakage during upgrades. However, two major friction points always bothered me: Stable but Stale Packages: Linux Mint's software is incredibly stable, but it is rarely fresh. For example, the okular package is consistently several versions behind

2026-06-15 原文 →
AI 资讯

The Only Productivity Hack That Actually Worked for Me

The Only Productivity Hack That Actually Worked for Me I've tried every website blocker in existence. They all have the same flaw: one click and they're off. That settings toggle might as well not exist when the urge to procrastinate hits. I needed something I couldn't override. So I built the opposite. The Problem Every blocker follows the same pattern: it blocks, you unblock, you procrastinate. The issue isn't discipline — it's that your future self and your present self want different things. And that future self will happily undo anything you set up. What I needed was a system where both selves agreed on the rules upfront and then neither could break them. The Solution kblocker is a Linux kernel module that hooks into netfilter and drops TCP connections to whatever sites I configure. The key feature isn't the blocking — it's how you turn it off. When blocking is enabled, kblocker generates a 128-bit key. With PGP mode, it automatically encrypts that key to people I trust and then erases it from kernel memory. The raw key no longer exists anywhere on my system. To disable the blocker, one of those people has to decrypt it and send it back to me. I outsourced my willpower. When I want to focus, I run: sudo kblockerctl enable 120 Two hours of blocked distractions. If I feel the urge to procrastinate, I can't — I'd have to text a friend, explain why, wait for them to decrypt it, and paste the result. By then the urge is gone. The Result I've gone from losing entire afternoons to YouTube to actually finishing things. The blocker has caught me mid-reflex to type youtube.com more times than I can count. It's free if anyone wants it: github.com/Dan-J-D/kblocker If you keep breaking your own focus tools, this is for you.

2026-06-14 原文 →