The blog
Long-form notes on platform engineering, cloud-native infrastructure, the Linux kernel and the messy reality of running AI workloads. Written in the open, occasionally opinionated.

Containers Are Not Automatically Secure
Containers changed how we package and ship software, but they did not rewrite the basic security rules. Trust boundaries, privilege, and attack surface are all still there. That was probably the main thing I learned while digging into container security, partly from Liz Rice's Container Security and partly from spending time with the Linux pieces underneath.

A Tour of eBPF in the Linux Kernel: Observability, Security and Networking
eBPF lets you run small, verified programs inside the Linux kernel, enabling fast observability, security, and networking without changing application code. This practical tour explains why eBPF matters now, how programs are compiled, verified, JITed, and attached to events, and how maps and ring buffers move data between kernel and user space. You'll leave with simple demos and a clear mental model to start experimenting.

Kubernetes Networking from Packets to Pods
Kubernetes networking doesn't have to be a black box. This guide breaks it down, starting from the fundamentals of Linux networking and container isolation. We then dive into the complete Kubernetes model, explaining everything from Pod IPs and CNI plugins to Services, NetworkPolicy, and Ingress, providing a clear end-to-end map of how connectivity works in your cluster.

A Quick Journey Into the Linux Kernel
I recently took a deep dive into the Linux kernel to understand how it handles processes, scheduling, memory, and more. While I had some OS knowledge from school, it always felt too abstract - so I wanted to see how things actually work. This post covers what I learned, from system calls to interrupts, and how kernel development differs from userspace.

I'm on the KubeFM Podcast Talking About "Linux Containers From Scratch"
KubeFM recently invited me to talk about my project "barco: Linux Containers From Scratch in C". In this episode, I talk about why Linux containers don't exist, how to use cgroups and namespaces to isolate a process, how to secure the container with seccomp and capabilities, and how to make the right syscall from C to build your own container engine. Thank you, KubeFM, for having me!

Crafting a Clean, Maintainable, and Understandable Makefile for a C Project.
Discover how a well-planned Makefile can make building C projects easier. By using clear variables, wildcards, automatic variables, and phony targets, see how the Makefile for the gnaro project is easy to understand and use, serving as a simple guide for other developers.

barco: Linux Containers From Scratch in C.
A straightforward C implementation of a container runtime, built from the ground up to explore containers and the Linux Kernel.
lucavallin