Container Networking Conflicts: Subnet Overlaps, Port Collisions, and DNS Failures on Linux
Container runtimes claim IP ranges, manipulate routing tables, and override DNS configuration without announcing it. When those decisions conflict with your existing infrastructure the symptoms are maddening -- a VPN that drops the moment Compose starts, a service that resolves hostnames intermittently, a port collision that persists after every container is stopped. This guide covers every major conflict category with kernel-level precision: daemon.json address pool mechanics, the userland-proxy CPU trap and the hidden route_localnet sysctl it sets, Docker Engine 28's raw-PREROUTING unpublished-port fix, MTU mismatches on cloud hosts, the default-gateway rerouting trap when connecting a container to a second network, the ndots and glibc three-nameserver ceiling edge cases, and why internal: true networks do not isolate containers from the Docker host itself.
Understanding systemd: A Comprehensive Guide to Modern Linux Init Systems
From unit files to timers, targets to journal logging -- everything you need to master the init system that runs your servers. Service management, dependency resolution, and advanced patterns for production environments.
Docker's iptables Compatibility Layer: How Container Networking Actually Touches Netfilter
When Docker publishes a port it quietly rewrites firewall rules before your own take effect. This guide covers every chain Docker creates, why DOCKER-USER is the only safe place for custom filtering, how iptables-nft silently translates those rules into nftables on modern distros, and what changes when you switch to Docker 29's experimental native nftables backend.
Docker Bypassing nftables Rules: Why Your Firewall Is Not Filtering Container Traffic
Your nftables drop rule is syntactically correct, logically sound, and completely ineffective against Docker-published ports. This guide explains exactly why -- DNAT rewrites packet headers before your forward-hook chain evaluates them -- and provides four tested solutions: priority -200 chains that preempt Docker, conntrack original-destination matching that references pre-DNAT ports, firewall mark integration with --bridge-accept-fwmark, and a complete default-drop ruleset that coexists with Docker's networking.
Configuring nftables with Docker
Docker Engine 29 introduced experimental native nftables support, replacing the long-standing iptables dependency. This guide covers enabling the nftables backend, understanding how Docker creates and owns its tables, migrating DOCKER-USER rules, managing chain priorities, and writing custom firewall rules that coexist with Docker's networking without breaking container connectivity.
Ansible Roles That Actually Scale
Patterns for writing reusable, testable Ansible roles. Includes molecule testing, variable precedence traps, and handler strategies.