Categories

Jacar categories — explore the topics A rocket whose eyes follow your cursor.
Technology

Falco: Runtime Threat Detection with eBPF

Falco is a graduated CNCF project that hooks the Linux kernel via eBPF and detects syscall anomalies in real time without instrumenting applications. Deployed as a DaemonSet on Kubernetes, it emits JSON events and requires a triage process to deliver value. In production, alert fatigue is the most common operational pitfall.

Methodologies

Practical DevSecOps with Sigstore and cosign

Signing images and artifacts with Sigstore has stopped being a rare experiment: projects like Kubernetes already use it. The keyless model in cosign, Fulcio, and Rekor removes private-key management, but it only protects you if deployment verifies who signed, not just whether a signature exists.

How to Install

How to Install Docker on Debian 12 Step by Step

Installing Docker on Debian 12 means replacing the Debian docker.io package with the official repository: import the GPG key into /etc/apt/keyrings, install the five packages docker-ce, docker-ce-cli, containerd.io, docker-buildx-plugin and docker-compose-plugin, then set log rotation and live-restore in daemon.json before exposing the server to production.

Technology

Zero Trust: Principles to Stop Trusting the Network

Zero Trust is not a product but a security architecture. It discards the assumption that the internal network is trusted and verifies every access explicitly, with least privilege, assuming breach is already active. The five principles: verify explicitly, least privilege, assume compromise, validate the device, and continuous visibility.

Architecture

containerd: The Runtime Underpinning Kubernetes

containerd is the runtime that runs containers in most modern Kubernetes clusters, and almost nobody notices. It manages the full container lifecycle: pulling the image, starting it, networking, and mounting the filesystem. It became the default runtime after Kubernetes 1.24 removed dockershim in May 2022.

Software Development

WASI 0.2: The New Standard Interface for WebAssembly

WASI Preview 2 redefines how WebAssembly interacts with the operating system. It introduces the Component Model with typed WIT interfaces and granular capabilities, enabling modules written in different languages to compose without manual serialisation. The full standard arrives in 2024 with direct impact on edge functions, plugins, and serverless.

Architecture

eBPF: Kernel Observability Without Recompiling

eBPF is a Linux kernel technology that lets you load and run verified, high-performance programs without recompiling the kernel or rebooting the system. It runs safely inside a virtual machine in the kernel and underpins tools such as Cilium, Pixie, Falco, and Tetragon for real-time tracing, networking, and security.

Industry 4.0

Digital Twins: When the Factory Has a Software Replica

A digital twin is a software replica of a physical asset (machine, production line, or whole plant) synchronised in real time with IoT sensors. It enables failure prediction, energy optimisation, and operator training without risk. It returns real value when the asset is critical, the data is reliable, and the team can maintain the model long-term.

Architecture

PostgreSQL 16: Changes That Affect Day-to-Day Work

PostgreSQL 16, released in September 2023, adds logical replication from a standby, the pg_stat_io view for breaking down I/O by operation type and context, and parallel FULL OUTER JOIN support. Upgrading from 15 is straightforward; 13 loses support in November 2025, so plan the update soon.

Software Development

Rust in the Linux Kernel: First Steps and Controversies

Rust has been in the Linux kernel since version 6.1, though adoption is measured and deliberate. The Apple AGX GPU driver for Asahi Linux is the most prominent real upstream example. The goal is to eliminate an entire class of memory-safety bugs in new drivers without rewriting existing C code.

Technology

Terraform’s License Change and Its Implications

On 10 August 2023, HashiCorp changed Terraform from MPL 2.0 to Business Source License v1.1, which prohibits building competing products. For 95% of teams using Terraform internally, the practical impact is nil. Teams building SaaS products on top of Terraform need to review their situation or consider OpenTofu.

Technology

OpenTofu: The Open Response to Terraform’s License Change

OpenTofu is the community fork of Terraform, born in 2023 after HashiCorp switched to the Business Source License. With full file compatibility and Linux Foundation governance, it is the legally safe alternative for organisations with strict open-source policies or for those building products on Terraform.

Technology

Trivy and Grype: Container Image Scanning in CI

Trivy and Grype are the two leading open-source tools for container image scanning in CI/CD pipelines. Both detect CVEs in OS packages and language dependencies with less than 5% coverage difference. Trivy stands out for IaC scanning; Grype natively integrates the SBOM workflow with Syft.

Architecture

Kubernetes 1.27: The Changes That Matter to Operators

Kubernetes 1.27 ("Chill Vibes"), released in April 2023, makes SeccompDefault stable so pods get safer syscall defaults automatically, moves KMS v2 to beta with rotatable encryption keys for etcd secrets, and stabilises scheduling gates. It also removes PodSecurityPolicy for good: without migrating to Pod Security Admission first, the upgrade is blocked entirely.

Technology

Supply-Chain Attacks: Lessons from 2023

In 2023, software supply chains became attackers' favourite target: MOVEit exposed data from hundreds of organisations through a zero-day flaw, 3CX shipped a trojanised installer to millions of users, and npm and PyPI kept receiving malicious typosquatted packages. The practical defence combines SBOM, artefact signing with Sigstore, SLSA maturity levels, and continuous dependency scanning.

Technology

The Grafana Stack: Loki, Tempo, and Mimir for Open Observability

The Grafana stack combines three open source projects: Loki for logs, Tempo for traces, and Mimir for metrics. All three keep data in object storage (S3/GCS) with a minimal index instead of indexing everything like Elasticsearch, which cuts cost sharply at high volume and lets you correlate metric, log, and trace from a single Grafana panel.

Architecture

OpenTelemetry: Unifying Logs, Metrics, and Traces

OpenTelemetry is the CNCF project, graduated in May 2026, that unifies logs, metrics, and traces under one SDK and the OTLP protocol, without locking you into a single backend. Traces have been stable since 2021 and metrics since 2023; logs are still maturing, but already worth adopting on new projects.

Software Development

WebAssembly: The Component Model as the Next Frontier

WebAssembly is moving beyond the browser through WASI, the standard system interface, and the component model, which defines declarative WIT interfaces so modules written in different languages can compose with each other. Cold start lands around 1 ms versus roughly 500 ms for a container, a key difference for serverless and edge computing teams.

Architecture

Cilium and the Future of Container Networking with eBPF

Cilium replaces iptables with eBPF programs loaded directly into the Linux kernel, substituting O(n) linear chains with O(1) hash lookups. Documented benchmarks show up to 50% lower p95 latency, 2-3x more throughput, and 70% less kernel CPU in large Kubernetes clusters.

Artificial Intelligence

LLaMA 2 and the New Wave of Open Language Models

Meta released LLaMA 2 on July 18, 2023 with a royalty-free commercial licence, in three sizes (7B, 13B, 70B parameters). The 70B model matches or beats GPT-3.5 on standard benchmarks. For 99.9% of organisations the licence allows download, modification, and production use with full data privacy and no fine-tuning restrictions.

Technology

nerdctl: A Lightweight Docker Alternative Over containerd

nerdctl is a Docker-compatible CLI that talks directly to containerd, the standard Kubernetes runtime since dockershim was removed in 2022. It adds rootless support by default, encrypted images with ocicrypt, lazy-pulling, and native CNI. It fits best where containerd already runs, though Docker Engine still wins on advanced Compose and Swarm.