
Category: Devops
10 entries found

Analyzing Container Filesystem Isolation for Multi-Tenant Workloads
I recently came across an exceptionally dense technical analysis about container security that’s worth sharing. The author started with a simple hypothesis: container filesystem isolation should be sufficient for multi-tenant workloads without virtual machines, if you sufficiently understand what’s happening at the syscall level.
After thorough investigation, the conclusion is more uncomfortable than expected: the defaults protect you well, but the moment you reach for “advanced” features like bidirectional mount propagation or SELinux relabeling, you’re one misconfiguration away from handing an attacker the keys to your host.
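As an added example (not code from the analysis discussed above), the POSIX shell snippet below shows the "advanced feature" the excerpt warns about and a check for it. Docker's default bind propagation is `rprivate`; `--mount ...,bind-propagation=rshared` (or, in Kubernetes, `mountPropagation: Bidirectional`, which needs a privileged container) makes the mount shared, so mounts created inside the container propagate back into the host's mount namespace. The `shared_mounts` function reads text in `/proc/self/mountinfo` format and lists every mount point that carries a `shared:` peer-group tag; the sample mountinfo lines are constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example: detect bind mounts with shared (bidirectional) propagation
# from inside a container. Propagation is rprivate unless requested, e.g.
#   docker run --mount type=bind,source=/data,target=/data,bind-propagation=rshared ...
#   (Kubernetes: volumeMounts[].mountPropagation: Bidirectional, privileged pods only)

# Print the mount point ($5) of every mountinfo line whose optional fields carry
# a "shared:<peer group>" tag. mountinfo escapes spaces in paths as \040, so
# splitting on whitespace is safe. Reads mountinfo text from stdin.
shared_mounts() {
  awk '{
    # fields 1-6 are fixed; optional fields run from field 7 up to the "-" separator
    for (i = 7; i <= NF && $i != "-"; i++)
      if ($i ~ /^shared:/) { print $5; break }
  }'
}

# Exit 0 when no shared mount is present, 1 otherwise. Inside a container:
#   no_shared_mounts < /proc/self/mountinfo || echo "bidirectional propagation found"
no_shared_mounts() {
  [ -z "$(shared_mounts)" ]
}

# Constructed sample: /data and /host were bind-mounted with rshared;
# /tenant uses slave propagation (master: tag) and must not be flagged.
SAMPLE_MOUNTINFO='2345 2344 0:57 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A
2346 2345 0:58 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
2347 2345 8:1 /data /data rw,relatime shared:123 - ext4 /dev/sda1 rw
2348 2345 8:1 /tenant /tenant rw,relatime master:124 - ext4 /dev/sda1 rw
2349 2345 8:1 / /host rw,relatime shared:125 - ext4 /dev/sda1 rw'

# Constructed sample of the default (rprivate): nothing propagates back to the host.
CLEAN_MOUNTINFO='2345 2344 0:57 / / rw,relatime - overlay overlay rw
2347 2345 8:1 /data /data rw,relatime - ext4 /dev/sda1 rw'

printf '%s\n' "$SAMPLE_MOUNTINFO" | shared_mounts   # prints /data and /host
```

Run `no_shared_mounts < /proc/self/mountinfo` as a startup or admission check; a `master:` tag (slave propagation) only receives mounts from the host and is deliberately not flagged. The SELinux case from the excerpt follows the same pattern: a `:z` or `:Z` volume option asks Docker to relabel the host directory recursively, so pointing it at a system directory rewrites the host's own labels.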

Vercel Sandbox: Running PHP, Node and Go Code Safely?
Vercel has announced the general availability of Vercel Sandbox, an execution layer designed specifically for AI agents. But beyond the AI agent hype, there’s an interesting question: can it be useful for running code safely in different languages like PHP, Node, or Go?
What is Vercel Sandbox?
Vercel Sandbox provides on-demand Linux microVMs. Each sandbox is isolated, with its own filesystem, network, and process space. You get sudo access, package managers, and the ability to run the same commands you’d run on a Linux machine.

Moley: The Tool That Makes Cloudflare Tunnels Finally Usable (and Why We Needed It)
The Problem We All Have (But Solve Poorly)
As a DevOps Manager, I spend more time than I should configuring ways for the team to show their development work. Client demos, webhooks for testing, temporary APIs for integrations… we always need to expose localhost to the world.
Traditional options are a pain:
- ngrok: Works, but ugly URLs, limits on free plan, and every restart generates a new URL
- localtunnel: Unstable, URLs that expire, and often blocked by corporate firewalls
- SSH tunneling: Requires your own servers, manual configuration, and networking knowledge
- Manual Cloudflare Tunnels: Powerful but… God, the manual configuration is hellish
And then I discovered Moley.

Why I'm Fascinated by Distributed Sorting (and Why You Should Be Too)
A Revelation in Algorithm Form
Thanks to an article from System Design Academy that came my way this week, I’ve been reflecting on something I find curious and simple at the same time: how to sort massive datasets in a distributed manner. And you know what? These patterns are so elegant that they can be applied to so many other problems we face day to day.
As a developer who has gone from JavaScript to PHP, then Python, and is now fully immersed in Golang, I’m struck by how certain patterns transcend languages and frameworks. Distributed sorting is one of those cases where architecture matters more than implementation.

Migration to Netlify
In a new phase of this website, and as a PoC, it has been migrated to Netlify and the repo has been updated for Hugo 0.5.5, removing the theme as an external element.
This means that we may have some errors or temporary issues with visualization, certificates, or similar.

Certbot and nginx - renewal and setup without service downtime
When installing or renewing a Let's Encrypt certificate on a web server running nginx, we have to choose between certbot's standalone mode, which spins up a temporary server on port 80 and therefore requires stopping the web service for the duration, and its webroot mode, which requires telling certbot the DocumentRoot of the domain so the challenge files can be served from there.
The latter implies that the website or service has a "public" DocumentRoot, and that is not always the case when we are running, for example, a Python, Java, or Go application with nginx in front of it as a reverse proxy.
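The usual way out of that dilemma, added here as an example and not taken from the post, is certbot's webroot plugin paired with a dedicated challenge directory that nginx serves while it keeps proxying the application: no downtime, and the app itself never needs a public DocumentRoot. The domain, the webroot path and the upstream address are placeholders; `acme_server_block` renders the nginx configuration and `issue_cert` runs certbot with a deploy hook that reloads nginx only after a successful issuance.

```shell
#!/bin/sh
# Added example: Let's Encrypt via certbot --webroot behind an nginx reverse proxy.
# All three values are assumptions for illustration.
DOMAIN="${DOMAIN:-example.com}"
WEBROOT="${WEBROOT:-/var/www/letsencrypt}"
UPSTREAM="${UPSTREAM:-http://127.0.0.1:8080}"   # the Python/Java/Go app behind nginx

# Emit an HTTP server block: ACME challenges are served from the dedicated
# webroot, everything else is proxied to the application.
acme_server_block() {
  domain="$1" webroot="$2" upstream="$3"
  cat <<EOF
server {
    listen 80;
    server_name ${domain};

    # certbot --webroot writes tokens to ${webroot}/.well-known/acme-challenge/;
    # nginx's root directive appends the URI, so the file is found there.
    location ^~ /.well-known/acme-challenge/ {
        root ${webroot};
        default_type text/plain;
    }

    location / {
        proxy_pass ${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Issue (or renew) the certificate without stopping nginx. The deploy hook runs
# only when a new certificate was actually obtained. Not executed automatically
# here; call it from a root shell once the server block above is in place.
issue_cert() {
  domain="$1" webroot="$2"
  mkdir -p "${webroot}/.well-known/acme-challenge"
  certbot certonly --webroot -w "${webroot}" -d "${domain}" \
    --deploy-hook 'systemctl reload nginx'
}

acme_server_block "$DOMAIN" "$WEBROOT" "$UPSTREAM"
```

One caveat worth checking before the first run: the challenge location must live in the port-80 server block and must not be short-circuited by a server-level `return 301` to HTTPS, since server-level `return` runs before location matching and would redirect the ACME validator away from the token.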

Getting back to the blog
Daily life has kept me from doing many things, including keeping this blog updated, but there’s no time for everything, and in the end fatigue forces me to reorganize priorities.
In recent months, I’ve been working on implementing RedHat CloudForms, Ansible Tower, and more, so I’ve had to work much more with Ansible. It was already a habit, but lately it’s been much more intensive.
So I’ve earned a few RedHat “certifications”: