Systemd Service Hardening: The Options That Actually Reduce Attack Surface
ProtectSystem, PrivateTmp, NoNewPrivileges, CapabilityBoundingSet — which options meaningfully constrain a service and which are theater for the audit report.
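As an added illustration (not a unit file from the original post), here is a service unit before and after applying the four directives named above, with a comment on what each one actually constrains. The service name `example-api`, its user and group, the binary path and the `ReadWritePaths=` entry are assumptions chosen for the example:

```ini
# Added example, not from the original post. Two versions of the same unit,
# /etc/systemd/system/example-api.service; names and paths are assumptions.

# --- before: runs as root with the full capability set and a shared /tmp ---
[Unit]
Description=example-api (unhardened)

[Service]
ExecStart=/usr/local/bin/example-api
User=root

[Install]
WantedBy=multi-user.target

# --- after: same binary, constrained ---
[Unit]
Description=example-api (hardened)

[Service]
ExecStart=/usr/local/bin/example-api
User=example-api
Group=example-api

# ProtectSystem=strict mounts the whole filesystem read-only for this service
# (only /dev, /proc and /sys stay writable), so every path the service must
# write has to be listed in ReadWritePaths=. "full" would protect only
# /usr, /boot, /efi and /etc.
ProtectSystem=strict
ReadWritePaths=/var/lib/example-api
ProtectHome=yes

# PrivateTmp=yes gives the service its own /tmp and /var/tmp in a mount
# namespace: it cannot read, race or symlink-attack other processes' temp files.
PrivateTmp=yes

# NoNewPrivileges=yes sets PR_SET_NO_NEW_PRIVS, so setuid/setgid binaries and
# file capabilities cannot raise privileges for the service or its children.
NoNewPrivileges=yes

# CapabilityBoundingSet= removes every capability not listed, even if the
# process later runs a setuid binary. For a non-root User= the capability
# must also be granted via AmbientCapabilities= or the service starts without it.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemd-analyze security example-api.service` reports which sandboxing directives the unit sets, and `systemctl show -p CapabilityBoundingSet -p NoNewPrivileges example-api.service` confirms the values systemd actually applied rather than what the file says.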
Linux system administration, network programming, server management, and DevOps practices
DPDK bypasses the Linux network stack and can push tens of millions of packets per second from userspace. The NIC pinning, hugepage configuration, and CPU isolation it requires are not trivial.
The CIS benchmark for SSH is a solid starting point. Several of its recommendations create operational problems that outweigh the security benefit in specific architectures.
A missing ip_forward sysctl in a nested network namespace wasted an afternoon. A systematic checklist for namespaced routing failures.
Separating IoT devices, lab equipment, and personal computers onto different VLANs costs $60 in hardware and an afternoon of configuration. The firewall rules that make it meaningful.
Default Linux TCP buffer sizes were designed for 100 Mbps LANs. On 10G links with high concurrency, the defaults leave performance on the table. The parameters that matter.
Writing a character device driver for a custom PCIe card exposed every assumption I had about kernel locking. A walkthrough of the mistakes and the fixes.