Location: Tbilisi, Georgia (UTC+4)

Remote: yes (working exclusively remotely for the past 20 years)

Willing to relocate: yes

Technologies: AWS, Kubernetes, Nomad, Docker, podman, Hashicorp Consul, Vault, Packer, Terraform, Ansible, Chef, Puppet, Grafana, Loki, Prometheus, ELK stack, Jenkins, GitHub Actions, Flux, GitLab, Postfix, HAProxy, MySQL, MariaDB, PostgreSQL, Ruby, Python, bash, C

Résumé/CV: https://alexeydemidov.com/cv

Email: in the resume

GitHub: https://github.com/AlexeyDemidov

LinkedIn: https://www.linkedin.com/in/alekseydemidov/

ServerFault: https://serverfault.com/users/23022/alexd

Codex for some reason sometimes runs Perl instead of Python to work with local files

Grype, Clair

More details here: https://www.stepsecurity.io/blog/trivy-compromised-a-second-...

Current GitHub discussion (the old discussion was removed by the attacker): https://github.com/aquasecurity/trivy/discussions/10420

There are some mistakes in these blog posts, especially the one about overcommit.

systemd allows setting cgroup memory limits.

Just tune the kernel watermarks - vm.min_free_kbytes and vm.watermark_scale_factor

I do wish I had documented what I tried better! There might be a magic combo that could have helped but I tried tweaking a lot of the vm settings.

One day I will probably see if I can still reproduce the original problem and be more methodical about it. More likely on list of things I might not ever get around to.

3. vm.oom_kill_allocating_task is a footgun. It kills the last task that asked for memory and it could be any random task in the system.

4. disabling overcommit is another footgun, it makes malloc fail long before the memory is exhausted. See for a detailed explanation https://unix.stackexchange.com/a/797888/1027

It seems to be a persistent myth. The Linux kernel explicitly excludes active VM_EXEC pages from reclaim.

Just discovered that Debian still has ifmail and binkd packages.