Blog
Practical writing on AI engineering, infrastructure, backend systems, and production lessons learned.
Network Protocols: Service Interface, Peer Interface, and the Hourglass Model
2 min read • Systems & Networking
A protocol defines two interfaces: a service interface (how local objects use the protocol) and a peer interface (how the protocol talks to its counterpart on a remote host). The internet's hourglass architecture places IP at the narrow waist: any link technology can carry IP, and any transport or application protocol can run over it, so the layers above and below the waist evolve independently.
Tags: networking, protocols, osi-model

OS Timer Internals: Clock Ticks, Min-Heaps, and Timer Coalescing
1 min read • Systems & Networking
OS timers are driven by a periodic hardware clock interrupt (typically 100 to 1000 Hz) that supplies the base tick. Pending timers sit in a structure ordered by expiration time, a min-heap in most runtimes (Linux itself uses a timing wheel for regular timers and a red-black tree for hrtimers). On each tick the kernel only peeks at the earliest expiration, O(1), and pops timers when they come due. Modern kernels coalesce timers whose expirations fall within their tolerated slack so that one wakeup serves several of them, which is what saves power on idle CPUs. Go, Java, and Python runtimes all build their own timer heaps on top of this OS infrastructure.
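An added example (not code from the post above) of the two ideas in that summary: a min-heap of timers where the per-tick check is a single peek at the minimum, and slack-based coalescing that picks one wakeup for several timers. The timer names, deadlines and slack values are constructed for the demo.

```python
import heapq
import itertools


class TimerQueue:
    """Pending timers in a min-heap keyed by expiration tick, plus the
    slack-based coalescing that tickless kernels use to batch wakeups."""

    def __init__(self):
        self._heap = []                 # entries: (deadline, seq, name, slack)
        self._seq = itertools.count()   # tie-breaker keeps equal deadlines FIFO

    def add(self, deadline, name, slack=0):
        """Arm a timer that must fire somewhere in [deadline, deadline + slack]."""
        heapq.heappush(self._heap, (deadline, next(self._seq), name, slack))

    def peek(self):
        """O(1): the per-tick check only looks at the heap minimum."""
        return self._heap[0][0] if self._heap else None

    def fire_due(self, now):
        """Pop and return every timer whose deadline has arrived, in order."""
        fired = []
        while self._heap and self._heap[0][0] <= now:
            _, _, name, _ = heapq.heappop(self._heap)
            fired.append(name)
        return fired

    def naive_wakeups(self):
        """Without coalescing the CPU wakes once per distinct deadline."""
        return sorted({d for d, _, _, _ in self._heap})

    def coalesced_wakeup(self):
        """Latest tick the CPU may sleep to without any timer overrunning its
        slack: min(deadline + slack). Every timer whose deadline has arrived
        by then fires in that single wakeup. Linear scan for clarity; a
        kernel keeps deferrable timers in their own structure."""
        if not self._heap:
            return None
        return min(d + s for d, _, _, s in self._heap)


def coalescing_demo():
    """Three constructed timers close together, two tolerant of lateness."""
    q = TimerQueue()
    q.add(100, "tcp-keepalive", slack=20)   # may fire anywhere in [100, 120]
    q.add(105, "gc-cycle", slack=50)        # [105, 155]
    q.add(112, "watchdog", slack=0)         # hard deadline, exactly 112
    naive = q.naive_wakeups()               # [100, 105, 112]: three wakeups
    wake = q.coalesced_wakeup()             # 112: one wakeup serves all three
    return naive, wake, q.fire_due(wake), q.peek()


if __name__ == "__main__":
    print(coalescing_demo())
```

The watchdog's zero slack is what pins the wakeup at 112; without it the kernel could sleep until 120 and still honour both remaining timers.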
Tags: operating-systems, scheduling

Coroutines, Threads, and Goroutines: Concurrency Without the OS Overhead
4 min read • Systems & Networking
Coroutines yield control voluntarily. Threads get preempted. That one distinction explains the performance characteristics, failure modes, and appropriate use cases for each.
Tags: operating-systems, concurrency, goroutines, async

I/O Models: Blocking, Non-Blocking, Multiplexing, and Async
2 min read • Systems & Networking
UNIX has five I/O models: blocking (wait until data is ready), non-blocking (return immediately with EAGAIN), I/O multiplexing (select/poll/epoll wait on many descriptors at once), signal-driven (SIGIO when data is ready), and asynchronous (aio_read: the kernel copies the data and then notifies). Node.js and nginx are built on epoll-based multiplexing. Go's runtime parks goroutines on its netpoller (epoll, kqueue, or IOCP depending on the platform) over non-blocking descriptors, so goroutine code reads as blocking while the OS thread never blocks.
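An added example, not from the post, showing two of the five models on real descriptors: a non-blocking read coming back with EAGAIN, and one multiplexed wait over several sockets (Python's selectors module picks epoll on Linux). The socket pairs and the payloads written to them are constructed inline.

```python
import errno
import selectors
import socket


def nonblocking_read_returns_eagain():
    """Non-blocking model: recv() on an empty socket does not park the
    thread; the kernel answers EAGAIN/EWOULDBLOCK, which Python surfaces
    as BlockingIOError."""
    ours, peer = socket.socketpair()
    try:
        ours.setblocking(False)
        try:
            ours.recv(16)
        except BlockingIOError as e:
            return e.errno in (errno.EAGAIN, errno.EWOULDBLOCK)
        return False
    finally:
        ours.close()
        peer.close()


def multiplexed_read(messages, n_sockets=3):
    """I/O multiplexing: one select()-style wait over several descriptors.
    `messages` is constructed input mapping socket index -> bytes the peer
    writes; only sockets the kernel reports readable are touched."""
    sel = selectors.DefaultSelector()          # EpollSelector on Linux
    pairs = [socket.socketpair() for _ in range(n_sockets)]
    got = {}
    try:
        for i, (ours, _) in enumerate(pairs):
            ours.setblocking(False)
            sel.register(ours, selectors.EVENT_READ, data=i)
        for i, payload in messages.items():
            pairs[i][1].sendall(payload)
        # One kernel call covers every registered fd; idle ones cost nothing.
        for key, _events in sel.select(timeout=1.0):
            got[key.data] = key.fileobj.recv(1024)
        return got
    finally:
        sel.close()
        for ours, peer in pairs:
            ours.close()
            peer.close()


if __name__ == "__main__":
    print(nonblocking_read_returns_eagain())
    print(multiplexed_read({0: b"ping", 2: b"pong"}))
```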
Tags: io, operating-systems, linux, epoll

Threads at the OS Level: Kernel Threads, User Threads, and Scheduling
2 min read • Systems & Networking
A kernel thread is the OS scheduling unit: it receives CPU time directly. A user thread is managed by a runtime library and must be mapped onto a kernel thread to run. M:N threading (Go goroutines, Java virtual threads) multiplexes M user threads onto N kernel threads, making switches cheap because they stay in user space. Kernel scheduling is preemptive: the OS can interrupt any thread when its quantum expires or a higher-priority thread becomes runnable.
Tags: operating-systems, thread, concurrency

Linux Kernel Macros: SYSCALL_DEFINE, IS_ERR, and Why Macros Beat Functions Here
2 min read • Systems & Networking
The Linux kernel leans on macros for system call definitions, error-pointer checks, and container_of lookups. SYSCALL_DEFINE3 expands to the platform-specific syscall wrapper plus the audit and tracing hooks. IS_ERR/PTR_ERR rely on the top 4 KB of the kernel address space (MAX_ERRNO is 4095) never holding a valid object, so an errno can be encoded in the pointer itself; those checks are small inline helpers, while SYSCALL_DEFINE and container_of need the preprocessor because they paste identifiers and compute offsets from type and member names, which no ordinary function can do.
Tags: operating-systems, questions

curl: HTTP Requests, Headers, Auth, and Debugging TLS
1 min read • Systems & Networking
curl sends HTTP requests from the command line. Key flags: -X for the method, -H for headers, -d for the request body, -o for the output file, -v for verbose output (request and response headers plus the TLS handshake, including the certificate chain and negotiated cipher), and -k to skip certificate verification. -k is for reproducing a failing handshake, never for scripts that ship, since it lets any on-path attacker pose as the server. curl is essential for testing APIs, debugging proxies, and understanding HTTP without a browser.
Tags: shell, http, tls, security

Shell Scripting: Process Substitution, PIPESTATUS, and Test Expressions
1 min read • Systems & Networking
Process substitution (<(cmd)) presents command output as a file, so commands that insist on file arguments can consume a stream. PIPESTATUS (bash-specific; POSIX sh has no equivalent) captures the exit code of every stage of a pipeline, where $? only reports the last stage. The test command ([ ]) supports file, string, and arithmetic comparisons in shell conditionals; it is an ordinary command, so quote its operands or empty and space-containing values break the expression.
Tags: shell, process, operating-systems

ln: Hard Links vs Symbolic Links, and Avoiding Circular Symlinks
1 min read • Systems & Networking
A hard link is a second directory entry for the same inode: deleting either name leaves the data reachable through the other. A symbolic link stores a path string naming its target. Circular symlinks arise when a relative target resolves to the link itself: ln -s test static/test stores the literal target "test", and relative targets resolve against the link's own directory, so static/test points at static/test rather than at the test file in the current directory. ln -s ../test static/test (or an absolute target) is what was intended.
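An added example (not from the post) that reproduces the circular `ln -s test static/test` in a scratch directory and shows what the kernel does with it, beside the intended relative target and a hard link that survives deleting the original name. The tree layout and file contents are constructed for the demo.

```python
import errno
import os
import shutil
import tempfile


def link_demo():
    """Build a scratch tree, reproduce `ln -s test static/test`, then show the
    relative target that was meant and a hard link outliving the original name."""
    root = tempfile.mkdtemp()
    try:
        real = os.path.join(root, "test")
        os.mkdir(os.path.join(root, "static"))
        with open(real, "w") as f:
            f.write("real file\n")

        # ln -s test static/test: stored target is the string "test", resolved
        # relative to the link's own directory (static/), so it names itself.
        circular = os.path.join(root, "static", "test")
        os.symlink("test", circular)

        # ln -s ../test static/test2: climbs out of static/ to the intended file.
        intended = os.path.join(root, "static", "test2")
        os.symlink("../test", intended)

        # ln test test.hard: a second name for the same inode, no path involved.
        hard = os.path.join(root, "test.hard")
        os.link(real, hard)

        def read(path):
            try:
                with open(path) as f:
                    return f.read().strip()
            except OSError as e:
                return errno.errorcode[e.errno]   # e.g. "ELOOP", "ENOENT"

        result = {
            "circular_target": os.readlink(circular),   # "test"
            "circular_read": read(circular),            # "ELOOP": resolves to itself
            "intended_target": os.readlink(intended),   # "../test"
            "intended_read": read(intended),            # "real file"
        }
        os.remove(real)   # unlink the original name; the inode still has one link
        result["hard_read_after_unlink"] = read(hard)          # "real file"
        result["intended_read_after_unlink"] = read(intended)  # "ENOENT": now dangling
        return result
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for k, v in link_demo().items():
        print(f"{k}: {v}")
```

The two reads after the unlink are the practical difference between the link types: the hard link still opens the data, while the symlink, which only ever held a path, now points at nothing.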
Tags: shell, symlink, filesystem

SSH: Remote Commands, ssh-keyscan, and Key-Based Auth
1 min read • Systems & Networking
SSH runs a remote command when one is passed after the host argument. ssh-keyscan fetches a server's public host key without authenticating; CI/CD pipelines use it to pre-populate known_hosts so the "authenticity of host" prompt does not block automation. Run inside the pipeline, though, it only records whatever answered the DNS name at that moment, which is trust-on-first-use against an attacker as much as against the real host: compare the fetched key's fingerprint with one pinned from a trusted source before writing it. Key-based auth replaces password prompts with public/private key cryptography.
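An added example, not from the post, of the pinning step: parse an ssh-keyscan line, compute the same SHA256 fingerprint that `ssh-keygen -lf` prints, and only emit a known_hosts entry when it matches a fingerprint pinned in the pipeline's configuration. The hostname ci.example.internal and the ed25519 key bytes are constructed, not a real server's key.

```python
import base64
import hashlib
import hmac
import struct


def ssh_string(data):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample: a syntactically valid ssh-ed25519 host key whose 32-byte
# public point is a fixed byte pattern, not any real server's key.
SAMPLE_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
SAMPLE_KEYSCAN_LINE = (
    "ci.example.internal ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode()
)


def fingerprint(blob):
    """Same value ssh-keygen -lf prints: SHA256 over the raw key blob,
    base64 without padding, prefixed with the hash name."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan_line(line):
    """ssh-keyscan prints '<host> <keytype> <base64 blob>'; the blob's leading
    SSH string must repeat the key type or the line has been tampered with."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64, validate=True)
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode():
        raise ValueError("key type inside blob does not match the line")
    return host, keytype, blob


def pinned_known_hosts_entry(line, pinned_fp):
    """Accept the scanned key only when its fingerprint equals the one pinned
    from a trusted source; return the known_hosts line, or None on mismatch."""
    host, keytype, blob = parse_keyscan_line(line)
    if not hmac.compare_digest(fingerprint(blob), pinned_fp):
        return None
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


if __name__ == "__main__":
    pinned = fingerprint(SAMPLE_BLOB)   # in practice: a value stored with the pipeline config
    print(pinned)
    print(pinned_known_hosts_entry(SAMPLE_KEYSCAN_LINE, pinned))
```

The pinned fingerprint is obtained once, out of band (for example by running `ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub` on the host itself), and every pipeline run re-checks the live key against it instead of trusting the first answer.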
Tags: shell, ssh, security

grep: Pattern Matching, Exit Codes, and Pipeline Pitfalls
1 min read • Systems & Networking
grep searches files or stdin for lines matching a regex and prints the matches. Exit codes: 0 when at least one line matched, 1 when none did, 2 on error. In CI scripts running under set -e, a grep that finds nothing exits 1 and aborts the script, and set -o pipefail makes that happen even when grep is not the last command in the pipeline. Append || true when no match is acceptable, or inspect PIPESTATUS to distinguish no match (1) from a real error (2). grep -c counts matches, grep -l lists matching filenames, and grep -v inverts the selection.
Tags: shell, text-processing

CSRF: Why Cookies Are the Vulnerability and How to Eliminate It
4 min read • Web Development
CSRF exploits the browser's automatic cookie attachment. Understanding the attack mechanism explains why SameSite cookies largely solve it, and why APIs authenticated with Bearer tokens are immune by default, provided the token travels only in an Authorization header set by page script and is never also stored in a cookie.
Tags: security, csrf, cookies, authentication

TLS: How the Handshake Works and What Goes Wrong in Production
3 min read • Web Development
TLS 1.3 cut the handshake to one round trip and made forward secrecy mandatory. Understanding the mechanics (certificate chains, cipher negotiation, OCSP stapling) turns certificate errors from mysterious into diagnosable.
Tags: security, tls, https, certificates

File Upload Size Limits: nginx, PHP, API Gateway, and S3 Workarounds
1 min read • Web Development
File upload limits exist independently at several layers: nginx client_max_body_size, PHP upload_max_filesize and post_max_size, AWS API Gateway (10 MB request payload), and Lambda (6 MB synchronous invocation payload). The tightest limit in the chain sets the actual maximum. For uploads above API Gateway's 10 MB, presigned S3 URLs move the upload path out of the request chain entirely.
Tags: file-upload, aws, s3, api-gateway

OAuth Callback URLs: Redirect URIs, Authorization Code Flow, and Security
1 min read • Web Development
An OAuth callback URL (redirect_uri) is where the authorization server sends the user after they grant or deny access. The authorization code arrives as a query parameter; the client must exchange it for a token over a back-channel request, so tokens themselves never appear in a URL. Callback URLs must be pre-registered with the provider and matched exactly, otherwise an attacker can have the code redirected to a host they control.
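An added example (not the post's code) of the redirect_uri check an authorization server performs, with the exact-match rule beside two weaker matchers that real deployments have shipped, run against constructed attacker-supplied URIs. The registered callback https://app.example.com/oauth/callback is an assumed registration.

```python
from urllib.parse import urlsplit

# Assumed client registration (hypothetical value).
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}


def redirect_uri_allowed(requested, registered=REGISTERED_REDIRECT_URIS):
    """Exact string comparison against the registered set, performed before
    the server redirects with the authorization code."""
    return requested in registered


def prefix_match(requested, registered=REGISTERED_REDIRECT_URIS):
    """Weak baseline: accepts anything that starts with a registered URI."""
    return any(requested.startswith(r) for r in registered)


def host_suffix_match(requested, registered=REGISTERED_REDIRECT_URIS):
    """Weak baseline: accepts any host whose name ends with the registered host."""
    wanted = {urlsplit(r).hostname for r in registered}
    host = urlsplit(requested).hostname or ""
    return any(host.endswith(w) for w in wanted)


# Constructed attacker-supplied redirect_uri values.
ATTACKS = [
    # path traversal into an open redirect on the same host
    "https://app.example.com/oauth/callback/../open-redirect?to=https://evil.test",
    # extra query parameter that a downstream redirector might honour
    "https://app.example.com/oauth/callback?next=https://evil.test",
    # attacker-registered host that merely ends with the legitimate name
    "https://notapp.example.com/oauth/callback",
    # legitimate name used as a subdomain of the attacker's domain
    "https://app.example.com.evil.test/oauth/callback",
]


def evaluate(uris=ATTACKS):
    """For each URI: (exact match, prefix match, host-suffix match)."""
    return {u: (redirect_uri_allowed(u), prefix_match(u), host_suffix_match(u))
            for u in uris}


if __name__ == "__main__":
    for uri, verdicts in evaluate().items():
        print(verdicts, uri)
```

Only the exact comparison rejects every case; the prefix matcher lets the first two through and the suffix matcher the first three. If a client genuinely needs several callbacks, register each one in full rather than loosening the comparison.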
Tags: oauth, authentication

JWT: What It Solves, Where It Hurts, and How to Use It Safely
3 min read • Web Development
A practical guide to JSON Web Tokens, including token structure, signing, refresh patterns, and the tradeoffs teams often miss.
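An added example, not from the post, of the structure and signing the summary lists: a minimal HS256 mint-and-verify pair with the two checks a safe verifier must do (pin the algorithm server-side, compare the tag in constant time) and the alg=none forgery it defeats. Key, claims and timestamps are constructed; no JWT library is used so the bytes on the wire are visible.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(claims, key, ttl=300, now=None):
    """Mint an HS256 token with iat/exp; a short ttl is what makes a
    separate refresh token worthwhile."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl)
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, payload)
    )
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def verify(token, key, now=None):
    """Return the claims or raise ValueError. The algorithm is pinned by the
    verifier, never taken from the token: honouring header["alg"] is how
    alg=none and RS256/HS256 key-confusion bypasses happen."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):   # constant time
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def forge_alg_none(token):
    """Attacker's move: keep the payload, drop the signature, relabel alg."""
    _, p, _ = token.split(".")
    return b64url(b'{"alg":"none","typ":"JWT"}') + "." + p + "."


if __name__ == "__main__":
    key = b"constructed-demo-key-0123456789ab"   # assumed secret, demo only
    token = sign({"sub": "alice", "role": "user"}, key, ttl=60, now=1_000)
    print(token)
    print(verify(token, key, now=1_030))
    try:
        verify(forge_alg_none(token), key, now=1_030)
    except ValueError as e:
        print("rejected:", e)
```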
Tags: web-development, frontend-techs, authentication-and-authorization, JWT, security, oauth

Session-Based Authentication: Why It Still Works and When It Is the Better Choice
3 min read • Web Development
A practical guide to server-side sessions, including cookies, session stores, hijacking risks, and where session auth is stronger than token-heavy designs.
Tags: web-development, frontend-techs, authentication-and-authorization, session, security, cookies

HTTP Cookies: Attributes, Storage Comparison, and XSS/CSRF Defenses
1 min read • Web Development
Cookies are key-value pairs stored by the browser and sent automatically with every matching request. Security attributes: HttpOnly (no JavaScript access), Secure (HTTPS only), SameSite (limits cross-site sending, the CSRF defense). Cookies, localStorage, and sessionStorage differ in persistence, scope, and whether they ride along with requests automatically. A JWT in an HttpOnly cookie cannot be read by injected script, unlike one in localStorage, but it then inherits the cookie's CSRF exposure and needs SameSite or a CSRF token.
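An added example serving both the CSRF post and this cookie summary (it is not code from either): a small model of the rules a browser applies before attaching a cookie, used to show which forged cross-site requests still arrive authenticated under each SameSite setting, why a Bearer token in an Authorization header is not forgeable the same way, and what HttpOnly changes for XSS. The Cookie and Request types and the scenarios are constructed for the demo.

```python
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str = "Lax"      # "Strict", "Lax" or "None"
    secure: bool = False
    http_only: bool = False


@dataclass(frozen=True)
class Request:
    method: str
    https: bool
    cross_site: bool            # initiating site differs from the target site
    top_level_navigation: bool  # link click / form submit, as opposed to fetch or <img>


def browser_attaches_cookie(cookie, req):
    """Model of the rules a browser applies before sending a cookie. Note that
    the page that initiated the request never enters into it: only the target
    URL and the cookie's attributes matter, which is why CSRF exists at all."""
    if cookie.secure and not req.https:
        return False
    if not req.cross_site:
        return True
    if cookie.same_site == "Strict":
        return False
    if cookie.same_site == "Lax":
        return req.top_level_navigation and req.method in SAFE_METHODS
    # SameSite=None: sent cross-site, but browsers reject it without Secure.
    return cookie.secure


def forged_request_authenticated(credential, req, cookie=None):
    """Does a request the attacker's page forges carry the victim's credential?
    'cookie': the browser decides (above). 'bearer': the token lives in script
    memory on the victim's origin, which the attacker's page cannot read, so
    the Authorization header is simply absent from anything it sends."""
    if credential == "bearer":
        return not req.cross_site
    return browser_attaches_cookie(cookie, req)


def readable_by_injected_script(cookie):
    """XSS exposure: document.cookie reveals anything not marked HttpOnly."""
    return not cookie.http_only


if __name__ == "__main__":
    forged_fetch_post = Request("POST", https=True, cross_site=True, top_level_navigation=False)
    forged_form_post = Request("POST", https=True, cross_site=True, top_level_navigation=True)
    forged_link_get = Request("GET", https=True, cross_site=True, top_level_navigation=True)
    for c in (Cookie("sid", "None", secure=True), Cookie("sid", "Lax", secure=True, http_only=True),
              Cookie("sid", "Strict", secure=True, http_only=True)):
        print(c.same_site, [forged_request_authenticated("cookie", r, c)
                            for r in (forged_fetch_post, forged_form_post, forged_link_get)])
    print("bearer", forged_request_authenticated("bearer", forged_fetch_post))
```

The Lax row is the practical caveat behind "largely solves it": a cross-site top-level GET still carries the cookie, so any state change reachable by GET remains forgeable. Setting the attribute explicitly also avoids relying on browser defaults, which (in Chromium) briefly treat freshly set attribute-less cookies as Lax-allowing-unsafe for top-level POSTs.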
Tags: http, cookies, csrf, security

CORS: What the Browser Enforces and What It Does Not
3 min read • Web Development
CORS is a browser policy, not a server security control. Understanding the Same-Origin Policy, preflight requests, and credential handling prevents both configuration mistakes and false security assumptions.
Tags: security, cors, http, browser

System Design Alex Xu
32 min read • Book Notes
Notes from the book "System Design Interview" by Alex Xu.
Tags: system-design, book-notes

Kubernetes Manifest Structure: apiVersion, kind, metadata, and spec
1 min read • Cloud Infrastructure
Every Kubernetes resource is defined by four top-level fields: apiVersion, kind, metadata, and spec. apiVersion selects the API group and version that handles the resource. kind names the resource type. metadata carries the name, namespace, labels, and annotations. spec describes the desired state. Getting any of these wrong produces obscure "no matches for kind" or validation errors.
Tags: kubernetes, eks

Docker Compose Networking: How Service Name DNS Resolution Works
1 min read • Cloud Infrastructure
Docker Compose creates a project-scoped user-defined bridge network in which each service name is registered as a DNS hostname (Docker's built-in bridge network offers no such name resolution). Containers reach each other by service name, not by IP or localhost. Understanding how Docker's embedded DNS works, and when it does not, prevents the most common Docker Compose connectivity bugs.
Tags: docker, containers, dns

Makefile Layered Dependencies: Avoiding Unnecessary Rebuilds
1 min read • Systems & Networking
Makefile rebuild decisions use file timestamps. When a target is an output file, make compares the target's mtime against its prerequisites and skips the recipe if the target is newer. When a target is a phony name with no output file, make always runs the recipe. Layered dependencies chain file targets together so change detection stays accurate.
Tags: makefile, dependency, build

Nginx Reverse Proxy and Load Balancing: upstream, Algorithms, and Health Checks
1 min read • Web Development
nginx upstream blocks define backend server pools, and proxy_pass routes traffic to them. Load balancing algorithms: round-robin (default), least_conn (best for long-lived connections), ip_hash (session affinity), plus per-server weights on any of them. keepalive in the upstream block avoids a TCP handshake per request. Open-source nginx only does passive health checks by default (max_fails and fail_timeout on each server entry); active probing requires NGINX Plus or a third-party module.
Tags: nginx, reverse-proxy, load-balancing