How Containers Differ from VMs

A virtual machine runs a full guest operating system on top of a hypervisor. Each VM has its own kernel, its own memory allocation, and its own virtual hardware — which is why VMs take minutes to boot and consume gigabytes of RAM even before your application starts. Containers take a different approach: they share the host OS kernel and use Linux kernel features (namespaces for isolation, cgroups for resource limits) to create isolated process environments. A container starts in seconds and consumes only the memory your application actually needs.

The isolation a container provides is less complete than a VM’s — a kernel vulnerability could theoretically allow container escape. But for most workloads, the trade-off is worth it. The operational benefits — fast startup, small image sizes, easy replication, portable images that run the same everywhere — have made containers the dominant packaging format for modern applications. From a sysadmin perspective, think of containers as very lightweight, portable, and reproducible application packages.

The Dockerfile: Your Repeatable Build

A Dockerfile is a script that defines how to build a container image. It starts from a base image (typically an official image from Docker Hub — things like ubuntu:22.04, python:3.12-slim, or nginx:alpine), then layers on commands that install dependencies, copy application code, set environment variables, and configure the entry point. Each command in a Dockerfile creates a new layer in the image, and Docker caches these layers — only layers that change need to be rebuilt.

Image hygiene matters for security. Use minimal base images (Alpine or distroless images where possible), avoid running processes as root inside the container, use multi-stage builds to keep build tooling out of production images, and regularly rebuild images to pick up upstream security patches. A multi-stage Dockerfile compiles code in one stage and copies only the compiled artifact into a slim final stage, keeping the production image lean and attack-surface-minimal.

# Multi-stage Dockerfile for a Go application
# Stage 1: build
FROM golang:1.22-alpine AS builder
WORKDIR /app
COPY go.mod go.sum ./
RUN go mod download
COPY . .
RUN CGO_ENABLED=0 GOOS=linux go build -o /bin/server ./cmd/server

# Stage 2: minimal runtime image
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /bin/server /server
USER 65532:65532
EXPOSE 8080
ENTRYPOINT ["/server"]

Docker Compose for Multi-Container Apps

Real applications rarely consist of a single container. A typical web stack might include an application container, a database, a cache (Redis), and a reverse proxy. Docker Compose lets you define and manage all of these as a single unit with a YAML file. With one command (docker compose up -d), Compose creates all containers, the networks between them, and any required volumes. It’s ideal for local development environments and small-scale production deployments.

Compose handles service dependencies (start the database before the app), environment variable injection, log aggregation, and scaling (spin up multiple app replicas behind a load balancer). For local development, Compose can bind-mount your source code directory into the container, so code changes are reflected immediately without rebuilding the image. This eliminates the “works on my machine” problem — everyone on the team uses the exact same environment defined in the Compose file.

# docker-compose.yml — Web app with PostgreSQL and Redis
services:
  app:
    build: .
    ports:
      - "8080:8080"
    environment:
      DATABASE_URL: postgres://appuser:secret@db:5432/appdb
      REDIS_URL: redis://cache:6379
    depends_on:
      db:
        condition: service_healthy
    restart: unless-stopped

  db:
    image: postgres:16-alpine
    environment:
      POSTGRES_USER: appuser
      POSTGRES_PASSWORD: secret
      POSTGRES_DB: appdb
    volumes:
      - pgdata:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U appuser -d appdb"]
      interval: 10s
      timeout: 5s
      retries: 5

  cache:
    image: redis:7-alpine
    volumes:
      - redisdata:/data

volumes:
  pgdata:
  redisdata:

Data Persistence with Volumes

Containers are ephemeral by default — when a container is removed, any data written inside it is lost. For stateful applications like databases, you need Docker volumes. Named volumes are managed by Docker and stored in a Docker-managed directory on the host. They survive container removal, can be backed up, and can be shared between containers. Named volumes are the recommended approach for production data.

Bind mounts map a specific path on the host filesystem directly into the container. They’re extremely useful during development (mount your source code in, see changes immediately) but less ideal for production because they create tight coupling between the container and the host filesystem layout. For production databases and stateful services, always use named volumes. For secrets and configuration, consider Docker secrets or environment variable injection rather than bind-mounting sensitive files from the host.

The post Docker for SysAdmins: Containers Without the Complexity appeared first on InfoTech Ninja.

No Agents, No Drama: The Ansible Model

Ansible’s architecture is deliberately simple. The control node (your workstation, a bastion host, or a CI/CD runner) connects to managed nodes over SSH (or WinRM for Windows), executes tasks, and disconnects. There’s no agent process running on managed nodes consuming resources or requiring updates. The only requirement on managed nodes is Python (which is present on virtually every Linux system) and a user account with appropriate sudo privileges.

Idempotency is Ansible’s most important design principle. Every built-in module is designed so that running a task multiple times produces the same result as running it once. If nginx is already installed and running, the package and service modules report “OK” rather than reinstalling or restarting. This means you can run your playbooks safely at any time — to enforce desired state, to verify compliance, or to bring a drifted system back in line — without worrying about destructive side effects.

Your Inventory File

Ansible’s inventory defines the hosts and groups your playbooks target. The simplest format is an INI-style text file. You can also use YAML format or dynamic inventory plugins that query cloud provider APIs (AWS EC2, Azure VMs, GCP instances) to build the inventory automatically from your actual running infrastructure — no manual list maintenance required.

Groups make targeting flexible. You might have a [webservers] group, a [dbservers] group, and a [production] group containing hosts from both. Group variables (stored in group_vars/ directories) let you define different settings per group — staging might use a self-signed certificate while production uses a real one, but the same playbook handles both.

# inventory/hosts.ini — Sample inventory file
[webservers]
web01.example.com ansible_user=ubuntu
web02.example.com ansible_user=ubuntu

[dbservers]
db01.example.com ansible_user=ubuntu ansible_port=2222

[production:children]
webservers
dbservers

[production:vars]
env=production
nginx_worker_processes=4

# Test connectivity to all hosts:
# ansible all -i inventory/hosts.ini -m ping

Writing Your First Playbook

A playbook is a YAML file containing one or more plays. Each play targets a group of hosts and defines a list of tasks to execute in order. Tasks use modules — the unit of work in Ansible. There are thousands of built-in modules covering package management, file operations, service management, cloud resources, network devices, and more. The module name is self-documenting: ansible.builtin.apt, ansible.builtin.copy, ansible.builtin.systemd.

The playbook below installs nginx, deploys a custom configuration, and ensures the service is running and enabled. Run it with ansible-playbook -i inventory/hosts.ini playbooks/nginx.yml. Add --check for a dry run that shows what would change without making any changes.

# playbooks/nginx.yml — Install and configure nginx
---
- name: Configure web servers
  hosts: webservers
  become: true

  vars:
    nginx_port: 80
    server_name: "{{ inventory_hostname }}"

  tasks:
    - name: Ensure nginx is installed
      ansible.builtin.package:
        name: nginx
        state: present

    - name: Deploy nginx configuration
      ansible.builtin.template:
        src: templates/nginx.conf.j2
        dest: /etc/nginx/sites-available/default
        owner: root
        group: root
        mode: "0644"
      notify: Reload nginx

    - name: Ensure nginx is started and enabled
      ansible.builtin.systemd:
        name: nginx
        state: started
        enabled: true

  handlers:
    - name: Reload nginx
      ansible.builtin.systemd:
        name: nginx
        state: reloaded

Variables, Templates, and Handlers

Variables in Ansible can be defined at multiple levels — in the playbook itself, in separate variable files, in the inventory, or passed on the command line with -e. Jinja2 templates (files ending in .j2) use double-brace syntax ({{ variable_name }}) to interpolate variables into configuration files. This is how one nginx template can produce correctly configured files for dozens of different servers, each with the right hostname, port, and SSL certificate path.

Handlers are tasks that only run when notified by another task. The classic use case: a task that updates a configuration file notifies the “Reload nginx” handler. If the configuration file didn’t change (because it was already correct), the handler never fires and nginx isn’t unnecessarily reloaded. If multiple tasks in a play all notify the same handler, the handler runs only once at the end of the play. This prevents redundant service restarts and makes your playbooks more efficient.

The post Getting Started with Ansible: Write Your First Playbook in 30 Minutes appeared first on InfoTech Ninja.

Variables, Input, and Output

Bash variables are untyped strings by default. Assign without spaces around the equals sign, and reference with a dollar sign prefix. Double-quote your variable references to prevent word splitting on values that contain spaces. Use $(command) syntax (command substitution) to capture command output into a variable. The readonly keyword makes a variable immutable — useful for constants in your scripts.

The read builtin captures user input interactively. For scripts that shouldn’t be interactive, pass values via positional parameters ($1, $2, etc.) or environment variables. Always validate input: check that required arguments were provided, that file paths exist before operating on them, and that numeric values are actually numeric. Failing fast with a clear error message is far better than letting a script proceed with bad input and silently corrupt data.

#!/usr/bin/env bash
# Variables and I/O basics
set -euo pipefail   # exit on error, undefined vars, pipe failures

# Variables
SCRIPT_NAME="$(basename "$0")"
LOG_DIR="/var/log/myscripts"
DATESTAMP="$(date +%Y%m%d_%H%M%S)"
readonly LOG_DIR

# Positional arguments with default
TARGET_HOST="${1:-localhost}"
PORT="${2:-80}"

# Validate numeric
if ! [[ "$PORT" =~ ^[0-9]+$ ]]; then
    echo "ERROR: PORT must be a number, got: $PORT" >&2
    exit 1
fi

# Read from user interactively
read -rp "Enter backup label: " LABEL
echo "Backing up $TARGET_HOST:$PORT labeled '$LABEL' at $DATESTAMP"

Conditionals and File Tests

Bash conditionals use the test command or its synonym [[ ]] (prefer the double-bracket form — it handles empty strings and special characters more safely). File tests are especially useful in sysadmin scripts: -f tests for a regular file, -d for a directory, -r for readable, -w for writable, -x for executable, and -s for non-empty. Combining tests with && and || inside [[ ]] avoids spawning subshells for each test.

Always check for file existence before operating on it, check for required commands before assuming they’re available, and check return codes after operations that can fail. The command -v pattern checks whether a command exists in PATH without executing it. Exit codes matter: 0 is success, anything else is failure. Functions should return meaningful exit codes so callers can react appropriately.

#!/usr/bin/env bash
# Conditionals and file tests

config_file="/etc/myapp/config.yaml"
backup_dir="/backup/$(date +%Y%m%d)"

# Check file exists and is readable
if [[ -f "$config_file" && -r "$config_file" ]]; then
    echo "Config found: $config_file"
elif [[ -e "$config_file" ]]; then
    echo "ERROR: Config exists but is not readable" >&2; exit 1
else
    echo "ERROR: Config not found at $config_file" >&2; exit 1
fi

# Create backup dir if missing
[[ -d "$backup_dir" ]] || mkdir -p "$backup_dir"

# Check required command exists
if ! command -v rsync &>/dev/null; then
    echo "ERROR: rsync not installed" >&2; exit 1
fi

# Numeric comparison
disk_used=$(df / | awk 'NR==2 {print $5}' | tr -d '%')
if (( disk_used > 90 )); then
    echo "WARNING: Root partition ${disk_used}% full"
fi

Loops: for, while, until

Bash provides three loop constructs. The for loop iterates over a list or glob expansion — invaluable for processing multiple files, hosts, or values. The while loop continues as long as a condition is true, commonly used with read to process file contents line by line. The until loop is the inverse: it continues until a condition becomes true, useful for polling until a service becomes available or a file appears.

Avoid the common pitfall of for file in $(ls /path/) — it breaks on filenames with spaces. Use glob expansion directly: for file in /path/*.log. When reading files line by line, use the while IFS= read -r line pattern — the IFS= prevents leading/trailing whitespace from being stripped, and -r prevents backslash interpretation. These small details matter when your scripts need to handle real-world filenames and content.

#!/usr/bin/env bash
# Loop examples

# for loop — process multiple servers
servers=("web01" "web02" "db01" "db02")
for server in "${servers[@]}"; do
    echo "Checking $server..."
    if ping -c1 -W2 "$server" &>/dev/null; then
        echo "  $server: ONLINE"
    else
        echo "  $server: OFFLINE" >&2
    fi
done

# Process log file line by line
while IFS= read -r line; do
    if [[ "$line" == *"ERROR"* ]]; then
        echo "Found error: $line"
    fi
done < /var/log/app/app.log

# until loop — wait for a service to respond
port=5432
until nc -z localhost "$port" 2>/dev/null; do
    echo "Waiting for port $port to open..."
    sleep 3
done
echo "Service on port $port is ready."

Building a Disk Monitoring Script

Putting the pieces together: a complete disk monitoring script that checks disk usage across specified mount points, logs warnings when thresholds are exceeded, and sends an email alert when a critical threshold is hit. Schedule it with cron to run every 15 minutes: */15 * * * * /usr/local/bin/disk-monitor.sh.

#!/usr/bin/env bash
# disk-monitor.sh — Check disk usage and alert on threshold breach
set -euo pipefail

# Configuration
WARN_THRESHOLD=80
CRIT_THRESHOLD=90
ALERT_EMAIL="admin@example.com"
LOG_FILE="/var/log/disk-monitor.log"
MOUNT_POINTS=("/" "/var" "/home" "/data")
HOSTNAME="$(hostname -f)"
TIMESTAMP="$(date '+%Y-%m-%d %H:%M:%S')"

# Function: log a message
log() { echo "[$TIMESTAMP] $*" | tee -a "$LOG_FILE"; }

# Function: send alert email
send_alert() {
    local mount="$1" used="$2"
    echo "CRITICAL: Disk usage on $HOSTNAME:$mount is at ${used}%" | \
        mail -s "[DISK ALERT] $HOSTNAME $mount at ${used}%" "$ALERT_EMAIL"
    log "ALERT sent for $mount at ${used}%"
}

alert_needed=false

for mp in "${MOUNT_POINTS[@]}"; do
    [[ -d "$mp" ]] || { log "SKIP: $mp not found"; continue; }
    used=$(df "$mp" | awk 'NR==2 {print $5}' | tr -d '%')

    if (( used >= CRIT_THRESHOLD )); then
        log "CRITICAL: $mp is at ${used}%"
        send_alert "$mp" "$used"
        alert_needed=true
    elif (( used >= WARN_THRESHOLD )); then
        log "WARNING: $mp is at ${used}%"
    else
        log "OK: $mp is at ${used}%"
    fi
done

$alert_needed && exit 2
exit 0

The post Bash Scripting for Linux SysAdmins: From Beginner to Dangerous appeared first on InfoTech Ninja.