A new issue of the CatOps Digest is here!

https://newsletter.catops.dev/p/catops-digest-2026-05-09

Happy Europe Day! 🇪🇺

#digest #newsletter

​​For today’s Donations Monday, I would like to remind you about one of the smaller fundraisers from the recent digest.

- Radio-electronic equipment for the 25th Brigade.

It’s more than 80% complete, and I’m sure that with your help, we can close it this week.

#donations #Ukraine

​​Enabling horizontal autoscaling with co-operative distributed rate limiting is an old article from Monzo that describes, how they built their internal distributed rate limiting solution.

The interesting part is the reasoning about whether a system works in an adversary environment (public facing) or not (internal system). The main question here: can you trust a client? The answer to this question influences the design a lot!

#system_design

Consistent Hashing in 1 diagram and 198 words is a nice primer on the consistent hashing technique. Obviously, it doesn't go deep on the implementation or examples.

That Substack has some other nice primers as well. Some are good, others are not so much, but all of them could be a good start for a new topic.

#programming #primer

A (now) regular Thursday security advisory rubric.

"Fragnesia" is a newly discovered local privilege escalation kernel CVE from the same family of CopyFail and DirtyFrag.

It looks like the Dirty Frag mitigation (disabling the kernel modules esp4, esp6, and rxrpc) should help here as well.

#security

Continuing with security advisory.

NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945.

~
NGINX Plus and NGINX Open Source have a vulnerability in the *ngx_http_rewrite_module* module. This vulnerability exists when the *rewrite* directive is followed by a *rewrite*, *if*, or *set* directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?). An unauthenticated attacker along with conditions beyond its control can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible. (CVE-2026-42945)

Don't confuse the F5's NGINX Ingress Controller with the community-led ingress-nginx, that is deprecated now.

In any case, though, if you're using the ngx_http_rewrite_module (and it's widely used!), you are likely vulnerable.


#security

An interesting point of view on reliability through the prism of everyday work and experience from other industries.

The normal work of creating reliability is an article by Lorin Hochstein, that asks: what instead of thinking of how an incident could have been prevented, we ask: what do we do daily to avoid having incidents constantly.

P.S. "Invert, always invert" - Carl Jacobi

#sre #reliability #culture

​​What’s the difference between picking up litter after yourself and donating to the AFU's pickup trucks?

You're right — donating is easier, as you don't need to spend energy producing waste beforehand!

So, here's the link: ​​https://send.monobank.ua/jar/3U1hBa5WPp

More info: https://www.instagram.com/p/DXpgaaWgH00

#donations #Ukraine

A nice article about chaos engineering that was shared in our chat.

The author uses some overly fluffy sentences, but the core of the article holds strong: in many cases, you don't need chaos engineering, and there are things that have better ROI, unless you have them already.

Personally, I'd also like to add that chaos engineering is not simply about breaking things - it's about experimentation. You don't just randomly switch off things, you build hypotheses and validate them. This is the boring, yet crucial part, that many oversee.

#chaos

​​Today CatOps became 9 years old 🎉

You can send us a birthday present by donating to our current fundraiser!

https://send.monobank.ua/jar/3U1hBa5WPp

​​For today’s Donations Monday, let’s finally close the fundraiser for two trucks that’s been going on for some time already.

​​​​https://send.monobank.ua/jar/3U1hBa5WPp

More info: https://www.instagram.com/p/DXpgaaWgH00

#donations #Ukraine

Finding zombies in our systems: A real-world story of CPU bottlenecks is an interesting debugging story for those, who like technical detective tales.

P.S. I find Pinterest's technical blog quite interesting. It has many interesting articles out there.

#debug #aws #performance #kubernetes

I Don’t Care if AI Wrote the Code. You Own It. is a reminder that you cannot call AI an idiot, if something goes wrong - you still bear the responsibility of what it does.

This short article just reiterates this statement, and points out that in this day an age, tests and validations are more important as ever before.

#ai #sre

A new issue of the CatOps Digest is here!

https://newsletter.catops.dev/p/catops-digest-2026-05-29

#newsletter #digest

Unless you're super diligent with deprecation, you may be in a situation right now, when you need to migrate away from NGINX ingress.

Here's a great article that explains new Kubernetes API objects related to the GatewayAPI project that is here to replace Ingress.

Ingress API is not deprecated itself, but it won't be further developed either.

This article confuses the names for the community-led Ingress Nginx and the F5 NGINX ingress controller, but so do many of us: there are way too many nginx's in this world.

#kubernetes #networking #nginx

​​A case study from Amazon, how science solves actual engineering problems that later translate in money savings (likely millions on the Amazon scale).

How a Slack shout-out, a dusted-off academic theory, and a spaghetti monster led an AWS team to crack an elusive code—and deliver greater reliability and performance for customers is a story about AWS realigning their network around the random graph theory.

P.S. I always feel excited about the networking stories, because I studied them in the university. Even though I haven’t worked closely with them since many years ago, and forgot almost everything about them.

#aws #networking

​​How Do You Fit a Trillion-Parameter Model Into a Kubernetes Cluster? is an interesting article about how one should change their perspective when reasoning about running LLMs in Kubernetes compared to usual web apps.

It’s an interesting read, especially, if you don’t work with this stuff every day. The biggest takeaway here is that in the case of models, a “replica” doesn’t mean a pod in most of the cases, it’s a distributed system on its own that should behave as one. This article also explains, how exactly things are distributed within a replica, and what are the low level system parameters to pay attention to.

#kubernetes #ai #llm

​​For today's Donations Monday, I'd like to share with you requisites of a friend of mine, who volunteers for AFU since the beginning of the full-scale invasion.

Here's a page with all the possible ways to donate. You can also find links to the current goals, and reports for previous fundraises there.

Here's their Monobank jar that supports Apple Pay, if you'd better have a direct link:

https://send.monobank.ua/jar/BQjWbpver

#donations #Ukraine

An explainer for the Backend-for-Frontend pattern. The article provides some high-level overview of what it is, and when to use it.

#architecture #design

​​How much do amd64 microarchitecture levels help in Go? is a benchmarking article that shows the compute time improvements you can get if you'd build your apps for modern x64 processors only. You likely use modern processors already and do not plan to run your apps on the decade old hardware.

Still, it's important to remember that while such articles are nice; your real applications probably don't just calculate bit vectors all day. It's much more likely your real performance bottleneck is I/O and not the fact that your apps are built with the support for old hardware. Still, you can get some easy wins here by just adding a compilation flag, if you're using Go.

#performance #go #programming