DevOps on Antonio Cortés (DrZippie)

Analizando el aislamiento de filesystems en contenedores para cargas multi-tenant

Fri, 13 Feb 2026 00:00:00 +0000

Recientemente me encontré con un análisis técnico excepcionalmente denso sobre seguridad de contenedores que merece la pena ser compartido. El autor empezó con una hipótesis simple: el aislamiento de filesystems de los contenedores debería ser suficiente para cargas de trabajo multi-tenant sin necesidad de máquinas virtuales, si se entiende suficientemente bien qué está pasando a nivel de syscall.

Después de una investigación exhaustiva, la conclusión es más incómoda de lo que esperaba: los valores por defecto te protegen bien, pero en el momento que empiezas a usar características “avanzadas” como la propagación de montajes bidireccional o el reetiquetado de SELinux, estás a un paso de entregarle las llaves de tu host a un atacante.

Analyzing Container Filesystem Isolation for Multi-Tenant Workloads

Fri, 13 Feb 2026 00:00:00 +0000

I recently came across an exceptionally dense technical analysis about container security that’s worth sharing. The author started with a simple hypothesis: container filesystem isolation should be sufficient for multi-tenant workloads without virtual machines, if you sufficiently understand what’s happening at the syscall level.

After thorough investigation, the conclusion is more uncomfortable than expected: the defaults protect you well, but the moment you reach for “advanced” features like bidirectional mount propagation or SELinux relabeling, you’re one misconfiguration away from handing an attacker the keys to your host.

Vercel Sandbox: ¿Ejecutar código PHP, Node y Go de forma segura?

Mon, 02 Feb 2026 00:00:00 +0000

Vercel ha anunciado la disponibilidad general de Vercel Sandbox, una capa de ejecución diseñada específicamente para agentes de IA. Pero más allá del hype de los agentes, hay una pregunta interesante: ¿puede servirnos para ejecutar código de forma segura en diferentes lenguajes como PHP, Node o Go?

¿Qué es Vercel Sandbox?

Vercel Sandbox proporciona microVMs Linux bajo demanda. Cada sandbox está aislado, con su propio sistema de archivos, red y espacio de procesos. Obtienes acceso sudo, gestores de paquetes y la capacidad de ejecutar los mismos comandos que ejecutarías en una máquina Linux.

Vercel Sandbox: Running PHP, Node and Go Code Safely?

Mon, 02 Feb 2026 00:00:00 +0000

Vercel has announced the general availability of Vercel Sandbox, an execution layer designed specifically for AI agents. But beyond the AI agent hype, there’s an interesting question: can it be useful for running code safely in different languages like PHP, Node, or Go?

What is Vercel Sandbox?

Vercel Sandbox provides on-demand Linux microVMs. Each sandbox is isolated, with its own filesystem, network, and process space. You get sudo access, package managers, and the ability to run the same commands you’d run on a Linux machine.

Moley: el tool que hace que Cloudflare Tunnels sea finalmente usable (y por qué lo necesitábamos)

Thu, 03 Jul 2025 00:00:00 +0000

El problema que todos tenemos (pero solucionamos mal)

Como DevOps Manager, paso más tiempo del que debería configurando formas para que el equipo pueda mostrar su trabajo en desarrollo. Demos para clientes, webhooks para testing, APIs temporales para integraciones… siempre necesitamos exponer localhost al mundo.

Las opciones tradicionales son un dolor:

ngrok: Funciona, pero URLs feas, límites en el plan gratuito, y cada reinicio genera una URL nueva
localtunnel: Inestable, URLs que expiran, y a menudo bloqueado por firewalls corporativos
SSH tunneling: Requiere servidores propios, configuración manual, y conocimiento de redes
Cloudflare Tunnels manuales: Potente pero… Dios, la configuración manual es infernal

Y entonces descubrí Moley.

Moley: The Tool That Makes Cloudflare Tunnels Finally Usable (and Why We Needed It)

Thu, 03 Jul 2025 00:00:00 +0000

The Problem We All Have (But Solve Poorly)

As a DevOps Manager, I spend more time than I should configuring ways for the team to show their development work. Client demos, webhooks for testing, temporary APIs for integrations… we always need to expose localhost to the world.

Traditional options are a pain:

ngrok: Works, but ugly URLs, limits on free plan, and every restart generates a new URL
localtunnel: Unstable, URLs that expire, and often blocked by corporate firewalls
SSH tunneling: Requires your own servers, manual configuration, and networking knowledge
Manual Cloudflare Tunnels: Powerful but… God, the manual configuration is hellish

And then I discovered Moley.

Why I'm Fascinated by Distributed Sorting (and Why You Should Be Too)

Tue, 01 Jul 2025 00:00:00 +0000

A Revelation in Algorithm Form

Thanks to an article from System Design Academy that came my way this week, I’ve been reflecting on something I find curious and simple at the same time: how to sort massive datasets in a distributed manner. And you know what? These patterns are so elegant that they can be applied to so many other problems we face day to day.

As a developer who has gone from JavaScript to PHP, then Python, and is now fully immersed in Golang, I’m struck by how certain patterns transcend languages and frameworks. Distributed sorting is one of those cases where architecture matters more than implementation.

Migration to Netlify

Mon, 13 May 2019 10:35:41 +0200

In a new phase of this website, and as a PoC, it has been migrated to Netlify and the repo has been updated for Hugo 0.5.5, removing the theme as an external element.

This means that we may have some errors or temporary issues with visualization, certificates, or similar.

Certbot and nginx - renewal and setup without service downtime

Fri, 29 Jun 2018 00:00:00 +0000

When installing/renewing let’s encrypt on a web server with nginx, we have to decide whether to do it with a temporary server, which means we must temporarily stop the web service, or indicate what the DocumentRoot of the web server is for the domain.

The latter implies that the website or service has a “public” DocumentRoot, and that’s not always easy when we’re using, for example, a Python, Java, or Go application and nginx as a proxy.

Getting back to the blog

Wed, 28 Jun 2017 00:00:00 +0000

Daily life has kept me from doing many things, including keeping this blog updated, but there’s no time for everything, and in the end fatigue forces me to reorganize priorities.

In recent months, I’ve been working on implementing RedHat CloudForms, Ansible Tower, and more, so I’ve had to work much more with Ansible. It was already a habit, but lately it’s been much more intensive.

So I’ve earned a few RedHat “certifications”: