今日已更新 80 条资讯 | 累计 20052 条内容
关于我们

标签:#linux

找到 87 篇相关文章

AI 资讯

OS Architecture, Kernel, Shell & File System

🐧 Linux for DevOps — Session 2: Understanding the Kernel, Shell, OS Architecture & File System 📓 Learning in public — These are my personal notes from my Linux for DevOps & Cloud journey. I'm sharing them in a way that's easy to revisit later and hopefully useful for anyone else starting out. In the previous session, I got comfortable with Linux basics and terminal access. This session focused on understanding what actually happens behind the scenes when we run commands , how Linux is structured internally, and how files are organized on the system. These concepts might sound theoretical at first, but they're the foundation of everything you'll do in DevOps—from managing EC2 instances and Docker containers to troubleshooting production servers. The Linux Kernel: The Heart of the Operating System The kernel is the most important component of Linux. Think of it as a translator sitting between software and hardware. Applications can't directly talk to the CPU, RAM, disks, or network interfaces. Instead, every request goes through the kernel. When you run a command, open a browser, start a Docker container, or deploy an application, the kernel is responsible for making it happen. Its main responsibilities include: Responsibility Purpose Resource Management Decides which process gets CPU time Memory Management Allocates and releases RAM Process Management Creates, schedules, and terminates processes Device Management Communicates with hardware through drivers Without the kernel, Linux would simply be a collection of files with no way to interact with hardware. Types of Kernels Not every operating system uses the same kernel design. Monolithic Kernel (Linux) keeps most operating system services inside a single kernel space. This approach is extremely fast because components communicate directly. Microkernel keeps only essential functionality in kernel space and moves other services outside. This improves isolation and stability but introduces additional overhead. Hybrid K

2026-06-13 原文 →
AI 资讯

Rebuilding the Hull at Sea

The box that ran everything started dying in April. Not dramatically. Machines almost never die dramatically. It started with instability... the kind you explain away once, side-eye twice, and start losing sleep over the third time production goes down while you're in the middle of something else. The host under my entire stack... public site, analytics, security tooling, the AI crew's memory layer... was getting flaky. And flaky hardware only trends one direction. Here's the thing about a homelab that lives in a 40ft fifth wheel: there is no second team. No vendor escalation. No change advisory board. No maintenance window negotiated three weeks out. There's me, a crew of governed AI instances, and a reclaimed Dell T3600 about to get the biggest promotion of its second life. So we didn't try to heal the sick box. We built a new hull alongside it and started moving the ship... plank by plank... while it was still sailing. One ground rule, set day one: the old host stays untouched and keeps serving production until the new hull is proven. Not "mostly proven." Proven. Hold that thought, it matters at the end. Moving containers is the easy part. Docker made that boring years ago, and boring is a compliment in infrastructure. What's never boring is the inventory of everything you assumed and never wrote down. A migration doesn't test your stack. It tests your assumptions. Here's what mine were hiding. 01: The umbilical nobody documented Security stack went first. Suricata, Zeek, Wazuh, CrowdSec, Falco, the whole alphabet, up clean on the new hull. Then the MCP server, the piece that gives the AI crew its hands, refused to come up right. It was hard-wired over HTTP to the crew's memory backend. A live dependency, in production for months, documented exactly nowhere. The crew that documents every f*cking thing had never documented its own umbilical cord. Fix was trivial once we could see it: deploy the brain before the hands. Reorder, redeploy, done. But the lesson isn't

2026-06-13 原文 →
AI 资讯

Stop Hand-Editing Fragile APT Lines: Practical deb822 `.sources` Files for Debian and Ubuntu

If you still manage APT repositories as long one-line deb ... entries, you are working with a format APT now explicitly marks as deprecated. It still works, but it is harder to read, harder to automate safely, and easier to get wrong when you add options like arch= or signed-by= . The better option is deb822 style .sources files. This post shows how to: read the structure of a .sources file migrate a legacy .list entry safely use Signed-By without falling back to apt-key disable a repository cleanly without deleting it verify that APT accepts the new configuration I am focusing on practical host administration, not packaging theory. Why move to deb822 now? The sources.list(5) man page now says the traditional one-line .list format is deprecated and may eventually be removed, though not before 2029. More importantly, deb822 solves real operational annoyances: fields are explicit instead of positional one stanza can describe multiple suites or types Enabled: no is cleaner than commenting lines in and out machine parsing is much easier Signed-By is clearer and safer in structured form On a current Debian host, you may already be using it without noticing: find /etc/apt/sources.list.d -maxdepth 1 -type f -name '*.sources' On my test system, the default Debian repository is already stored as /etc/apt/sources.list.d/debian.sources . The old format vs the new format A traditional one-line entry looks like this: deb [arch=amd64 signed-by=/etc/apt/keyrings/example.gpg] https://packages.example.com/apt stable main The same source in deb822 format becomes: Types: deb URIs: https://packages.example.com/apt Suites: stable Components: main Architectures: amd64 Signed-By: /etc/apt/keyrings/example.gpg That is the core win. Instead of cramming everything into one line and hoping spacing stays correct, each field says exactly what it means. Example 1, a clean Debian .sources file Here is a practical example for Debian using separate stanzas for the main archive and the security arch

2026-06-12 原文 →
AI 资讯

Nix Series: Basic Nix Language

Pada series sebelumnya, kita sudah melakukan instalasi nix di VirtualBox dan setup SSH agar dapat diakses diluar VirtualBox. Sebelum kita lanjut untuk melakukan konfigurasi system lagi, kita butuh mengetahui bagaimana syntax dalam menulis program Nix dan di artikel ini kita akan mempelajari dasar syntax-nya. Nix Language Nix adalah purely functional language yang lazy-evaluated , digunakan untuk mengkonfigurasi Nix package manager dan NixOS. Karakteristik utama: Purely functional : sebuah function hanya bisa mengembalikan nilai berdasarkan inputnya, tidak bisa mengubah variabel di luar scope-nya (no side effects), dan tidak ada variabel yang bisa diubah setelah didefinisikan (no mutation). Kalau kamu familiar dengan const di beberapa bahasa pemrograman, semua variabel di Nix berperilaku seperti itu. Lazy evaluation : Nix tidak menghitung nilai suatu ekspresi sampai nilai itu benar-benar dibutuhkan. Ini artinya kamu bisa mendefinisikan ribuan package di nixpkgs tanpa semuanya dievaluasi sekaligus. Hanya yang kamu gunakan saja yang akan diproses. Semua adalah expression : tidak ada statement di Nix, setiap baris kode selalu menghasilkan sebuah nilai. if/else bukan statement seperti di bahasa pemrograman pada umumnya, melainkan expression yang harus mengembalikan nilai dari kedua cabangnya. Tidak ada loops : karena variabel tidak bisa diubah, loop seperti for atau while tidak ada artinya di Nix. Sebagai gantinya, kamu menggunakan fungsi seperti map dan filter , atau rekursi untuk mengolah kumpulan data. 1. Basic Data Type Konsep JavaScript Nix String "hello" "hello" Number 42 , 3.14 42 , 3.14 Boolean true , false true , false Null null null List [1, 2, 3] [ 1 2 3 ] Object { a: 1 } { a = 1; } ⚠️ Perbedaan Penting List di Nix menggunakan spasi sebagai pemisah, bukan koma Attribute set menggunakan = bukan : , dan setiap entry diakhiri dengan ; Nix let name = "Alice" ; age = 30 ; scores = [ 10 20 30 ]; person = { name = "Bob" ; age = 25 ; }; in person Javascript const name

2026-06-12 原文 →
AI 资讯

I Built a Git Sync Tool for My Obsidian Vault

I Built a Git Sync Tool for My Obsidian Vault You write notes, you save them, you forget to push to GitHub. Then your laptop dies, and your notes are gone. I built a single Bash script that automates the entire sync workflow, and it works with any Git repo. If you use Obsidian (or any plain-text note-taking system) and sync via Git, you know the drill: write notes, stage changes, commit, fetch, check status, pull, push. Every time. It's 6 repetitive commands that you will inevitably skip until disaster strikes. I got tired of this and built git-sync , a single Bash script that does everything in one go. What It Does git-sync is a terminal-based Git sync tool that: Auto-commits all changes with a timestamp Fetches remote state Detects divergence (ahead/behind) Shows you only the relevant sync options Executes your choice with safety guard rails How It Works Run it from inside any Git repo: ./git-sync Phase 1 - Auto-commit: Staged or unstaged changes are committed automatically with a message like "Last Sync: Jun-12 (Arch)" . The device name is configurable. Phase 2 - Fetch & Detect: It fetches from remote, counts how many commits ahead and behind you are, and categorises the state: ahead, behind, diverged, or in-sync. Phase 3 - Smart Menu: Only relevant options are shown: State Options Ahead only Upload, Sync, Force push, Cancel Behind only Download, Sync, Hard reset, Cancel Diverged All six options Phase 4 - Execute: The chosen action runs with a spinner and status messages. Destructive operations (force push, hard reset) require explicit confirmation. Why It's Useful for Notes Syncing Obsidian + Git is a powerful combo. Your notes are plain markdown, version-controlled, accessible from any device. The friction is the sync ritual. git-sync removes it. Multi-device workflows: I run this on my Arch desktop (DEVICE_NAME="Arch") and my work laptop (DEVICE_NAME="Laptop"). The auto-commit message tells me exactly which machine made each sync, so I can trace conflicts back

2026-06-12 原文 →
AI 资讯

Recovering data from a failed RAID array with ddrescue: a practical walkthrough

When a RAID array fails, the worst thing you can do is panic and start poking at it immediately. I've seen too many cases where an impatient rebuild attempt overwrote the only good copy of data. This walkthrough covers how to safely approach a degraded or failed RAID — with ddrescue as your best friend. Step 0: Stop. Don't touch the array yet. Before running mdadm --assemble , before doing anything, clone your physical disks . A RAID 5 with one failed drive can lose everything the moment a second drive throws a read error during rebuild. This isn't hypothetical — it's how most total RAID losses happen. The golden rule: image first, recover second . Step 1: Assess the damage # Check current RAID state cat /proc/mdstat # More detail mdadm --detail /dev/md0 Look for: [UUU_] — one drive failed (underscore = missing) [UU__] — two drives failed (catastrophic for RAID 5) State: degraded , recovering , or failed Do NOT run mdadm --manage /dev/md0 --add /dev/sdX yet. Stop the array instead: mdadm --stop /dev/md0 Step 2: Clone each disk with ddrescue ddrescue is the right tool because it handles read errors gracefully: it maps bad sectors, retries them, and lets you resume interrupted sessions. Never use dd for a failing disk. Install it: # Debian/Ubuntu sudo apt install gddrescue # RHEL/CentOS sudo dnf install ddrescue Clone each RAID member to a separate image file (you need enough storage — same total size as all disks combined): # First pass: copy everything readable, skip bad sectors fast sudo ddrescue -d -r0 /dev/sda /mnt/backup/sda.img /mnt/backup/sda.log # Second pass: retry bad sectors up to 3 times sudo ddrescue -d -r3 /dev/sda /mnt/backup/sda.img /mnt/backup/sda.log Key flags: -d — direct disk access (bypass kernel cache) -r0 / -r3 — retry bad sectors 0 or 3 times The .log mapfile is critical: it lets you resume if the clone is interrupted Repeat for every disk in the array ( sdb , sdc , etc.). Step 3: Work from the images Once you have image files, assemble a soft

2026-06-11 原文 →
AI 资讯

Learning DevOps from First Principles: What an EC2 Instance Actually Is

One of the first cloud concepts many people encounter while learning AWS is EC2 . The name sounds technical. The documentation is extensive. And the number of configuration options can make it feel like something fundamentally different from a regular computer. But while trying to understand cloud computing, I found myself repeatedly coming back to a simple thought: At the end of the day, an EC2 instance is just another computer. That realization helped me understand cloud infrastructure much more clearly. The Intimidation Factor When people first open the AWS console, they encounter terms such as: EC2 VPC Security Groups Elastic IPs Auto Scaling It is easy to feel that cloud computing is an entirely different world. But before diving into those concepts, it helps to ask a simpler question: What is an EC2 instance actually providing? Starting with the Name EC2 stands for: Elastic Compute Cloud The important word here is: Compute AWS is essentially renting computing resources. When you launch an EC2 instance, AWS allocates: CPU Memory (RAM) Storage Networking to a virtual machine that you can access. In other words: You are renting a computer that lives inside AWS's infrastructure. Comparing It to a Personal Computer Consider a typical laptop. It contains: A processor RAM Storage An operating system Network connectivity Now consider an EC2 instance. It also contains: Virtual CPUs RAM Storage An operating system Network connectivity The location is different. The concepts are the same. The Main Difference: Ownership The biggest difference is not technical. It is operational. With a personal computer: You own the hardware. The machine sits near you. You maintain it. With EC2: AWS owns the hardware. The machine runs in a data center. AWS manages the physical infrastructure. You only manage the virtual machine running on top of it. Why Linux Knowledge Transfers This was one of the most interesting observations during my learning. If an EC2 instance runs Linux, many of th

2026-06-08 原文 →
AI 资讯

Same Hardware, Different Experience: Why Linux Feels Faster

A few weeks after switching from Windows to Linux, I noticed something interesting. The hardware had not changed. The processor was the same. The RAM was the same. The SSD was the same. And yet, the laptop felt noticeably faster. Not necessarily because applications were completing tasks dramatically quicker, but because the entire system felt more responsive. Keyboard input felt immediate. Windows opened faster. Terminal commands appeared instantly. The desktop experience felt smoother. This raised a question: How can the same hardware feel different simply because the operating system changed? While I'm still learning, this is the mental model I've built so far. The Hardware Didn't Change Consider a laptop with: AMD Ryzen processor 16 GB DDR5 RAM NVMe SSD Modern integrated graphics When switching operating systems, none of these components change. The CPU does not suddenly become faster. The RAM does not magically increase. The SSD remains identical. From a hardware perspective: ```text id="u3m9xd" Before → Same Hardware After → Same Hardware So the difference must come from somewhere else. --- ## An Operating System Is Not Just a User Interface Many people think of an operating system primarily as the desktop they see. But an operating system does far more than display windows and icons. It manages: * Memory * CPU scheduling * Processes * Storage * Networking * Device drivers * Background services In other words: > The operating system decides how hardware resources are used. Two operating systems can therefore create very different experiences using the same hardware. --- ## Perceived Performance vs Raw Performance One thing I have learned is that performance is not always about benchmarks. A system can have excellent benchmark scores and still feel sluggish. Why? Because users experience responsiveness, not benchmark numbers. Examples include: * How quickly a window opens * How fast a menu appears * How responsive typing feels * How quickly applications launch

2026-06-08 原文 →
AI 资讯

Learning DevOps from First Principles: MAC Addresses vs IP Addresses — The Difference Finally Clicked

One of the first networking concepts that confused me was this: Why does a computer need both a MAC address and an IP address? At first glance, they seem to solve the same problem. Both appear to identify a device. Both show up in networking tools. Both appear in packet captures. So why do we need two different addresses? While exploring Linux networking tools and Wireshark, the distinction finally started making sense. This article summarizes the mental model that helped me understand the difference. Looking Inside the Machine Before discussing addresses, it helps to understand where they come from. If you open a typical laptop, you will usually find components such as: Battery RAM Storage Processor Cooling system Network interfaces One of those network interfaces is typically: A Wi-Fi card An Ethernet controller These components are responsible for network communication. They are the parts of the machine that actually send and receive data across a network. Every Network Interface Has an Identity A network interface needs a way to identify itself. This is where the MAC address comes in. A MAC address is associated with a network interface card (NIC). Example: ```text id="q3d9nm" 2C:9C:58:8B:2D:7B Think of it as the identity of the network interface itself. Not the operating system. Not the browser. Not the application. The network hardware. --- ## What Is a MAC Address? MAC stands for: **Media Access Control** A MAC address operates at the **Data Link Layer** of the OSI model. Its primary purpose is to help devices communicate within a local network. Examples include: * Laptop to router * Router to switch * Switch to printer In other words: > MAC addresses help devices find each other on the same local network. --- ## What Is an IP Address? An IP address serves a different purpose. Example: ```text id="g8x4tc" 192.168.1.20 or ```text id="v6u7mz" 2405:201:8000::1 IP addresses operate at the **Network Layer**. Their job is to identify where a device exists within a

2026-06-08 原文 →
AI 资讯

Run Gemma-4 12B on WSL2 with llama.cpp

1. update WSL environment sudo apt update && sudo apt upgrade -y 2. install dependencies If you don't use -hf option, you don't need to install libssl-dev in this step. sudo apt install build-essential cmake git libssl-dev -y If nvidia-smi shows a GPU/GPUs on your terminal, you will need to install the tooklit. This will take some time. sudo apt install nvidia-cuda-toolkit -y 3. clone the repo Build llama-cli and llama-server. This step also will take some time. If you don't plan to use -hf option, you don't need to use -DLLAMA_OPENSSL=ON . git clone https://github.com/ggerganov/llama.cpp cd llama.cpp cmake -B build -DGGML_CUDA = ON -DLLAMA_OPENSSL = ON cmake --build build --config Release # no GPU git clone https://github.com/ggerganov/llama.cpp cd llama.cpp cmake -B build cmake --build build --config Release 4. run the model Run gemma-4-12b-it with cli and server. unsloth/gemma-4-12b-it-GGUF · Hugging Face We’re on a journey to advance and democratize artificial intelligence through open source and open science. huggingface.co ./build/bin/llama-cli -hf unsloth/gemma-4-12b-it-GGUF:UD-Q4_K_XL > hello [ Start thinking] The user said "hello" . The user is initiating a conversation. Respond politely and offer assistance. * "Hello! How can I help you today?" * "Hi there! What's on your mind?" * "Hello! Is there anything I can assist you with?" [ End thinking] Hello! How can I help you today? [ Prompt: 19.5 t/s | Generation: 11.8 t/s ] or run web-ui ./build/bin/llama-server -hf unsloth/gemma-4-12b-it-GGUF:UD-Q4_K_XL --port 8080 optional download model from huggingface mkdir -p models wget -O models/gemma-4-12b-it-UD-Q4_K_XL.gguf https://huggingface.co/unsloth/gemma-4-12b-it-GGUF/resolve/main/gemma-4-12b-it-UD-Q4_K_XL.gguf

2026-06-06 原文 →
AI 资讯

Install PHP 8.5 with ASDF on Arch Linux

This quick tutorial shows how to install ASDF Version Manager on Arch Linux and use it to install PHP 8.5. Install Required Dependencies First, install the required packages and build dependencies: yay -S base-devel libpng postgresql-libs re2c gd oniguruma libzip libsodium You may also want to install additional common dependencies: yay -S curl git openssl zlib libxml2 sqlite Install ASDF Clone the ASDF repository: git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch v0.18.0 Add ASDF to your shell configuration. Bash echo '. "$HOME/.asdf/asdf.sh"' >> ~/.bashrc echo '. "$HOME/.asdf/completions/asdf.bash"' >> ~/.bashrc source ~/.bashrc ZSH echo '. "$HOME/.asdf/asdf.sh"' >> ~/.zshrc echo '. "$HOME/.asdf/completions/asdf.bash"' >> ~/.zshrc source ~/.zshrc Verify installation: asdf --version Add the PHP Plugin Install the PHP plugin for ASDF: asdf plugin add php https://github.com/asdf-community/asdf-php.git Install PHP 8.5 List available PHP versions: asdf list all php Install PHP 8.5: asdf install php 8.5.0 Set PHP 8.5 as the global default: asdf global php 8.5.0 Reload your shell: exec $SHELL Verify the installation: php -v Expected output: PHP 8.5.x ( cli ) Useful ASDF Commands List installed PHP versions: asdf list php Install another PHP version: asdf install php 8.4.0 Switch globally: asdf global php 8.4.0 Switch locally for a project: asdf local php 8.5.0 Optional: Install Composer After installing PHP, install Composer globally: php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" php composer-setup.php sudo mv composer.phar /usr/local/bin/composer rm composer-setup.php Verify: composer --version

2026-06-05 原文 →
AI 资讯

Docker on Proxmox LXC: What Actually Works (and Why Unprivileged Doesn't)

The Setup I run a Proxmox 9 homelab (pve-manager/9.0.5, kernel 6.14.8-2-pve) and I needed to run Docker inside an LXC container — not a VM — to test a customer-style "bring-your-own-VPS" deployment path for a PaaS I'm building. The container had to act like a standard Ubuntu cloud VM: Docker, systemd, the works. LXC over a full VM gets me near-bare-metal performance, a fraction of the RAM overhead, and instant boots. The catch: the "Docker on LXC" recipes you'll find on most blog posts and Proxmox forum threads are out of date . They assume kernel 5.x and runc 1.1.x. On a modern Proxmox (kernel 6.14 + runc 1.2+ shipped with Docker 29) those recipes fail in two new and confusing ways before you even reach the workarounds we used to know about. This article walks through exactly what fails, why it fails, and the config that actually works in 2026 — plus an honest look at the security tradeoffs, because spoiler: the working config is privileged , and that matters. The Goal A Proxmox LXC container that can: Run docker run hello-world cleanly Pull and build complex images (multi-stage builds, overlay2 storage driver) Run nested containers with their own systemd Use systemd --user for per-service lingering processes Attempt 1: Unprivileged LXC (the path you "should" take) Conventional wisdom says: use unprivileged LXC. The container's root is mapped to an unprivileged UID on the host (typically 100000 ), so even a full container compromise can't escape to host root. Modern Proxmox makes this the default and recommended mode. I started with an unprivileged Ubuntu 25.04 container, added the now-standard features: pct set <vmid> -features nesting = 1,keyctl = 1,fuse = 1 Then inside the container, installed Docker from the official download.docker.com repo and ran: docker run --rm hello-world Here's what happened: docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start

2026-06-03 原文 →
开发者

WSL 2: Die wichtigsten Befehle für deinen Entwickler-Alltag (Cheatsheet)

Wer täglich in anspruchsvollen Agenturprojekten arbeitet und zwischen Windows-Host und Linux-Umgebung wechselt, weiß: WSL 2 ist ein Gamechanger. Doch selbst wenn man das perfekte Setup einmal konfiguriert hat, kommt unweigerlich der Moment, in dem eine Distribution hängt, RAM freigegeben werden muss oder man ein Backup ziehen will. Anstatt jedes Mal Stack Overflow zu durchsuchen, habe ich mir angewöhnt, die essenziellen Konsolen-Befehle immer griffbereit zu haben. Hier sind die 5 WSL-Befehle, die ich in meinem Setup am häufigsten brauche: Wer täglich in anspruchsvollen Agenturprojekten arbeitet und zwischen Windows-Host und Linux-Umgebung wechselt, weiß: WSL 2 ist ein Gamechanger. Doch selbst wenn man das perfekte Setup einmal konfiguriert hat, kommt unweigerlich der Moment, in dem eine Distribution hängt, RAM freigegeben werden muss oder man ein Backup ziehen will. Anstatt jedes Mal Stack Overflow zu durchsuchen, habe ich mir angewöhnt, die essenziellen Konsolen-Befehle immer griffbereit zu haben. Hier sind die 5 WSL-Befehle, die ich in meinem Setup am häufigsten brauche: 1. Den Status aller Distributionen prüfen Der absolute Standard-Befehl, um zu sehen, welche Linux-Instanzen laufen und welche WSL-Version sie nutzen. wsl --list --verbose # oder kurz: wsl -l -v 2. Der Notaus-Schalter (RAM freigeben) Wenn Docker oder ein Node-Prozess im Hintergrund den gesamten Arbeitsspeicher blockieren, fährt dieser Befehl alle WSL 2 Instanzen sauber herunter. wsl --shutdown 3. Eine bestimmte Distribution als Standard setzen Wichtig, wenn man beispielsweise neben Ubuntu noch Debian installiert hat und festlegen will, was sich beim reinen Befehl wsl öffnet. wsl --set-default <Distributionsname> 4. Die WSL-Umgebung neustarten Es gibt keinen direkten "Restart"-Befehl. Die sauberste Lösung ist das Beenden (Terminate) der spezifischen Instanz. Beim nächsten Aufruf startet sie frisch. wsl --terminate <Distributionsname> 5. IP-Adresse der WSL-Instanz herausfinden Extrem hilfreich für be

2026-06-03 原文 →
AI 资讯

Creating Robust systemd Services for Embedded Applications

There is a moment every embedded Linux developer hits eventually. You have spent days building something that works beautifully — a sensor pipeline, a streaming server, an MQTT client — and then you reboot the device and everything is silent. Nothing started. You SSH in, manually run your script, and it all comes back to life. The hardware is fine. Your code is fine. You just have no way of automatically running it. That is the gap systemd fills. It is the init system on virtually every modern Linux distribution, and on embedded Linux systems like the Raspberry Pi it is what decides what runs at boot, what gets restarted if it crashes, and where all the logs go. Once you understand how to write a service file, your applications stop being fragile scripts you need to babysit and start being first-class system services that survive reboots, network drops, and unexpected crashes. This tutorial builds up from the simplest possible service file to a production-ready configuration, explaining every line along the way. By the end you will have a service running your own Python application, logging to the system journal, and automatically restarting itself after failures. See Complete Tutorial in Github: Systemd Services Tutorial What systemd Actually Does Before writing any configuration, it helps to understand what problem systemd is solving, because the design of service files makes much more sense once you see the underlying model. When your Raspberry Pi boots, the Linux kernel starts and immediately hands control to process ID 1 — the very first user-space process. On modern systems, that process is systemd . Everything that happens next — mounting filesystems, bringing up the network, starting your application — is orchestrated by systemd. It reads configuration files called unit files that describe what should be started, when, in what order, and what to do if something goes wrong. A service file is just one type of unit file (there are also unit files for timers, so

2026-06-03 原文 →
AI 资讯

CIFSwitch - CVE-2026-46243

Just released an open-source bash checker for CIFSwitch (CVE-2026-46243) — the 19-year-old Linux kernel LPE disclosed last week that lets any unprivileged local user get root by abusing the CIFS/SPNEGO upcall path. The script runs on bare-metal, VMs, and inside containers, and is CI/CD-friendly with JSON output and clean exit codes. It checks: ✅ Kernel version against patched thresholds (6.18.22 / 6.19.12 / 7.0+) ✅ cifs-utils presence and exploitable version ✅ CIFS kernel module load state and blacklist status ✅ Unprivileged user namespace sysctl (the pivot point for the exploit) ✅ Active request-key cifs.spnego rules ✅ SELinux / AppArmor enforcement ✅ Container capabilities (CAP_SYS_ADMIN) ✅ Kernel symbol verification for the fix commit Outputs human-readable or JSON for SIEM ingestion. Exit 0 = safe, exit 1 = action needed — drop it straight into a pipeline. CIFSwitch is the fourth Linux LPE in under six weeks (after Copy Fail, Dirty Frag, and Fragnesia). If you're running multi-tenant Linux, CI runners, or container build farms, now is a good time to audit. I have also updated the cve_checks.conf in my my K8s-container_escape_audit toolkit to detect this issue.

2026-06-03 原文 →
AI 资讯

How I Wrote a SOC-Grade Endpoint Investigation Playbook Without Being a Security Engineer

My father worked in IT for over thirty years, and growing up around that shaped how I thought about computers. The earliest memory I have is sitting in my father's lap as he does something on his computer. One of the oldest photos I have is of me sitting on a chair in front of a computer. I grew up idolizing him. I switched to Linux when I was 12, by myself. I taught myself scripting, picked up programming basics, and spent more time in a terminal than most adults I knew. I have memories of sitting on the roof at 13 with my laptop, trying to crack my neighbor's WiFi with aircrack-ng (they were aware of my endeavors). However, growing up in a politically volatile neighborhood (Lyari) also made me politically aware and literate from a young age. With that, I developed an interest in political science and philosophy. I sat my A levels in economics and sociology, and I did not look back. For the next few years, the technical side of my life became just a habit rather than a professional direction. Then I realized I do not have to choose one or the other. I can carry on doing both. Today, I am an academic and technical editor. The social sciences gave me the writing skills: reading long blocks of dense theory, explaining abstract concepts in plain language, writing long analytical essays. And I understand technical concepts well enough to work with them seriously. I thought of synthesizing both. When I started building a technical writing portfolio, cybersecurity documentation felt like a natural place to go. Not because I had operational experience, but because I had grown up adjacent to that world. I understood the culture, the tooling, and the mindset, even if I had never worked a SOC shift. I knew I wanted to cover security documentation. Security teams produce some of the most consequential written work in any organization, and most of it is poorly structured, inconsistently formatted, or written for the person who already knows the answer rather than the person who

2026-06-03 原文 →
AI 资讯

Scaling User Management on Linux: Moving Beyond the Manual Script

The Scenario: The Help Desk Bottleneck From 2019 to 2021, while serving as Lead Backend Software Engineer at a fast-growing company, I occasionally support our Linux System Administration tasks. When the DevOps team encountered a critical bottleneck during an initiative to scale dozens of new server deployments, I stepped in to streamline the infrastructure processes. The DevOps team was being hampered by constant, fragmented requests from the help desk to manually create new Linux accounts for recruits testing the latest application. These interruptions were not only time-consuming but were directly preventing the team from focusing on the high-priority infrastructure deployments that define their core responsibilities. I realized that we weren't just struggling with a task; we were struggling with a scaling bottleneck. To regain the team's focus and ensure we hit our project deadlines, I decided to automate this workflow. The First Step: The Interactive Script My first objective was to develop a robust, automated shell script to efficiently create new Linux user accounts. I started with an interactive Bash script (create-user-interactive.sh) that prompted for input. This was a good educational exercise for learning the fundamentals of Bash—like useradd, passwd, and shell variables. However, I quickly learned that while interactive scripts are great for learning, they are rarely used in professional DevOps environments. Why Manual Scripts Don’t Scale As I transitioned into a more infrastructure-focused role, I realized that manual scripts fail for three key reasons: Lack of Automation: DevOps is about "Infrastructure as Code" (IaC). Asking an engineer to sit at a terminal and type prompts is slow, error-prone, and destroys the ability to automate. Lack of Centralization: In a real team, we aren't creating users on individual local machines. We manage identity across hundreds of servers. Security Risks: Hardcoding passwords or piping them through echo is a major red

2026-06-02 原文 →
AI 资讯

chroma-vs-qdrant-vs-weaviate-2026

This article was originally published on aifoss.dev --- title: 'Chroma vs Qdrant vs Weaviate 2026: RAG Database Compared' description: 'Compare Chroma, Qdrant, and Weaviate for local RAG in 2026: version snapshots, filtering tradeoffs, hybrid search, quantization, and a clear pick by use case.' pubDate: 'May 27 2026' tags: ["vectordb", "ai", "rag", "python", "opensource"] The three most commonly recommended open-source vector databases for RAG — Chroma, Qdrant, and Weaviate — are not interchangeable. Chroma is a prototyping tool that grew into a real product. Qdrant is a production workhorse written in Rust with the best filtering performance of the three. Weaviate is an enterprise-grade platform with hybrid search and the most built-in integrations. Using Weaviate when you need Chroma adds unnecessary ops overhead. Using Chroma when you need Qdrant means migrating under pressure when your collection outgrows it. Versions covered: ChromaDB v1.5.9 (May 2026), Qdrant v1.17.1 (March 2026), Weaviate v1.37 (May 2026). The quick answer Situation Best choice Local prototyping, notebooks, under 100K vectors Chroma Embedded in a Python process — no separate service Chroma Production RAG with filtering-heavy queries Qdrant Multi-user deployment, concurrent queries Qdrant Memory-constrained deployment at millions of vectors Qdrant Hybrid search (BM25 + vector in one query) Weaviate Multi-modal retrieval (text + images + audio) Weaviate Built-in re-ranking or generative AI modules Weaviate Kubernetes, team-operated, agentic MCP workflows Weaviate Getting from zero to working RAG in 10 minutes Chroma What each tool actually is ChromaDB (Apache 2.0, chroma-core/chroma ) started as a pure-Python embedded database and was rebuilt in Rust for the v1.0 release. The Rust core eliminates Python's GIL bottlenecks and delivers roughly 4× faster writes and queries compared to the pre-1.0 implementation — write throughput went from ~10K to ~40K+ vectors/second in server mode. Chroma's des

2026-06-02 原文 →