Blog
Thoughts on engineering, design, and building great products.
seccomp-bpf: Classic BPF Filtering Syscalls in Every Container
Before eBPF there was cBPF — classic BPF, the thing tcpdump uses. And it's still running: seccomp-bpf filters syscalls with cBPF, the foundational sandbox layer of containers. This article distinguishes cBPF from eBPF, inspects real seccomp on the cluster (pause containers and CSI sidecars restricted, privileged pods not), then writes a cBPF filter that blocks mkdir with EPERM — eight instructions on struct seccomp_data, installed with prctl, blocking for real while printf still runs.
What Is Kubernetes and Why Orchestration
Series opener: from a single container to running dozens of containers across multiple machines — the problem Kubernetes was built to solve. Why 'orchestration' and 'desired state' are the two most important ideas, what minikube is, and the roadmap for the whole series.
What Docker Is and Why You Should Use It
Series opener: what problem Docker solves, how it differs from a virtual machine, the core concepts (image, container, registry), and the learning path from the basics to Docker Swarm.
Installing Docker and Running Your First Container
Install Docker for your OS, then run your first container and master the full lifecycle: run, ps, logs, exec, stop, rm. With a container state diagram and a cleanup section.