Thomas Ptacek
By Thomas Ptacek
39 min Read

API Tokens: A Tedious Survey

This is not really a post about Fly.io, though I'll talk about us a little up front to set the scene. The last several weeks of my life have been about API security. I'm working on a new permissions system for Fly.io, and did a bunch of resea...

By Thomas Ptacek
20 min Read

Hooking Up Fly Metrics

We’ve written a bit, for a general audience, about how Fly collects and manages metrics. If you’re just sort of generally interested in metrics and observability, go read that first. Meanwhile, if you’re a Fly user, or considering becoming such a...

By Thomas Ptacek
19 min Read

Fly's Prometheus Metrics

We should talk a bit about metrics and measurement and stuff, because they’re how we all know what’s going on. There’s two reasons we’ve written this post. The first is just that we think this stuff is interesting, and that the world can always us...

By Thomas Ptacek
23 min Read

Docker without Docker

Even though most of our users deliver software to us as Docker containers, we don’t use Docker to run them. Docker is great, but we’re high-density multitenant, and despite strides, Docker’s isolation isn’t strong enough for that. So, instead, we...

By Thomas Ptacek
16 min Read

SSH and User-mode IP WireGuard

But Fly is kind of an odd duck. We run hardware in data centers around the world, connected to the Internet via Anycast and to each other with a WireGuard mesh. We take Docker-type containers from users and transmogrify them into Firecracker micro...

By Thomas Ptacek
26 min Read

You should know about Server-Side Request Forgery

This is a post about the most dangerous vulnerability most web applications face, one step that we took at Fly to mitigate it, and how you can do the same. Server-side request forgery (SSRF) is application security jargon for “attackers can get ...

By Thomas Ptacek
28 min Read

Building clusters with serf, my new favorite thing

Assume for a second we’d like to see what happens when a web page loads in a browser in Singapore. Easy enough; Fly.io will take a container image you throw at it, transform it into a Firecracker VM, and run it in Singapore. Getting Up And Runnin...

By Thomas Ptacek
16 min Read

IPv6 WireGuard Peering

They say that when you’re starting a product company, it’s a better plan to chase down something a bunch of people will really love a lot than it is to try to build something that everyone will just like a little bit. So when Fly.io launched, it h...

By Thomas Ptacek
15 min Read

Incoming! 6PN Private Networks

More often than not, modern applications are really ensembles of cooperating services, running independently and transacting with each other over the network. At Fly.io, we’d like it to be not just possible to express these kinds of applications, ...

By Thomas Ptacek
20 min Read

BPF, XDP, Packet Filters and UDP

Imagine for a moment that you run a content distribution network for Docker containers. You take arbitrary applications, unmodified, and get them to run on servers close to their users around the world, knitting those servers together with WireGua...

By Thomas Ptacek
25 min Read

Sandboxing and Workload Isolation

Workload isolation makes it harder for a vulnerability in one service to compromise every other part of the platform. It has a long history going back to 1990s qmail, and we generally agree that it’s a good, useful thing. Despite a plethora of iso...

By Thomas Ptacek
18 min Read

How CDNs Generate Certificates

It’s been a hectic first couple of weeks at Fly, and I’m writing things up as I go along, because if I have to learn, so do you. This is going to be a bit of a meander; you’ll have to deal. Let’s start with “what’s Fly?” Briefly: Fly is a content ...
