Linux

A Few Shell Surprises

Apr 22, 2025 · 3 min read · Linux Shell ·

Share on:

Shell scripts are infamous for security issues and surprising behavior. So when possible, it's better to avoid using shell. For instance, we built a container platform using the Bottlerocket OS and we didn't even install shell. If someone needs to run shell, the shell must be run inside a container. That said, shell is …

x509: certificate signed by unknown authority? Maybe the cert pool is empty

Apr 15, 2025 · 6 min read · Linux Container SELinux Bottlerocket ·

Share on:

I recently worked on getting amazon-ssm-agent to run inside containers on Bottlerocket. During that process, I ran into a TLS issue connecting to amazonaws.com. The root cause turned out be interesting and we'll walk through it in this post. Running amazon-ssm-agent in a container: why and how? To enable sessions …

GPG is still in use to verify downloads

Feb 23, 2025 · 2 min read · Linux Cryptography ·

Share on:

This week, I needed to install the Amazon SSM Agent and was surprised to find that GPG (GNU Privacy Guard) was the only way to verify the download. I had assumed that software downloads verification had largely transitioned to PKI (Public Key Infrastructure). This short post is a refresh on GPG. OpenPGP is an open …

Why does GOMEMLIMIT take up significant physical memory for unused virtual memory?

Jan 19, 2025 · 4 min read · Go Linux ·

Share on:

While debugging memory bloat in a Go application recently, I found that removing the GOMEMLIMIT soft memory limit and disabling transparent huge pages partially mitigated the issue. However, I couldn't fully explain why these changes worked. So I thought why not ask the internet about it. A simplified memory bloat …

AL2023 vs. AL2: less disk space with ext4?

Nov 17, 2024 · 7 min read · Linux ·

Share on:

We started migrating from Amazon Linux 2 (AL2) to Amazon Linux 2023 (AL2023) a month ago. While testing workloads on AL2023 in the pre-production environment, I noticed slightly higher disk usage compared to the same workload on AL2. In this post, I'll share my investigation. AL2023 has less free disk space with ext4, …

Missing Container Disk I/O Stats with cgroup v1 on Kernel 6.1

Nov 9, 2024 · 4 min read · Linux Container ·

Share on:

As the Amazon Linux 2 (AL2) approaches its End of Life on 2025-06-30, we have started migrating our container platform from AL2 to Amazon Linux 2023 (AL2023). The migration encountered a few speed bumps. In this post, we'll look at one of them: missing container disk I/O stats. Why are container I/O dashboards blank? …

Mind ordering cycles in systemd: how systemd breaks them can brick the server start up

Oct 16, 2024 · 3 min read · Linux ·

Share on:

I've been building a service for a month and the day finally arrived when I had the artifact - an EC2 AMI. The AMI passed my "rigourous" manual tests, and I felt confident on a Ruby Tuesday, so I launched 100 EC2 instances using the AMI. Surprise! around 28 instances failed to launch. What is going on? All …