About me and this blog

Hi! 👋 My name is Andrea Manzini. I’m a Unix System Administrator and a developer. As you can see, I enjoy minimalism and pragmatic solutions to problems. I am focused on delivery, curious, and enjoy learning new things. If you are interested, you can find my resume following this link or contact me using social links on this page. If you appreciate my work, you can buy me a book from my Amazon Wishlist. Thanks!

How much code are you testing ? (4)

🧭 Where we left off Welcome back to our ongoing series on measuring test coverage for binary programs! In part 1 we used Go’s built-in -cover flag — clean and accurate, but only works if you own the source and can recompile. In part 2 we used valgrind and gdb to trace gzip without touching its source. In part 3 we explored Intel PIN, a proper dynamic binary instrumentation framework — powerful, but it came with a ~100MB proprietary C++ SDK and was limited to x86_64. ...

May 13, 2026 · Andrea Manzini

Flatpak: unboxing the sandbox

📦 That new package smell We’ve all been there: you see a shiny new app on GitHub and you want to “unwrap” it immediately. But in the traditional Linux world, opening a package often feels like opening a box of glitter in your living room—before you know it, dependencies are scattered everywhere, and you’re still finding weird library versions in /usr/lib three months later. This is why I’ve started reaching for the Flatpak. It’s like an unboxing experience where the box stays a box. You get all the “goodies” inside, but the mess stays contained. Let’s see what happens when we tear off the shrink-wrap. ...

May 3, 2026 · Andrea Manzini

Landlock idiomatic sandboxing in Nim

👋 Intro If you have ever spent time hardening Linux applications, you probably know the frustration of the all-or-nothing permission model. In the standard Linux environment, once a process starts running, it usually has far more filesystem access than it actually needs. While we have tools like seccomp, chroot, or heavy-duty modules like SELinux and AppArmor, they often feel too complex for simple, application-level sandboxing. Landlock changes this. Since its merge into the Linux kernel in version 5.13, it has become a game-changer for developers. It allows a process to restrict itself without requiring root privileges, moving security away from global system policies and directly into your application code. ...

April 9, 2026 · Andrea Manzini

Rootless Podman as a Salt Lab Environment

🧂 Salt without the sudo Following up on the previous post, today we are going to put our systemd-managed containers to work and use them for some useful tasks. The idea is to set up an environment to learn how the configuration management tool Salt works, and play/hack around with it, without even needing root or sudo rights. After all, in the infra-world, the Salt must flow! So we will set up two containers, one as a salt server and the other as a salt “minion” (representing the machine that will be configured via salt). ...

March 18, 2026 · Andrea Manzini