FAUN.dev's DevOps Weekly Newsletter
 
 
DevOpsLinks
 
#DevOps #SRE #PlatformEngineering
 
 
📝 A Few Words
 
 
Most engineers think about deploying, few think about rolling back.
MinIO just proved that rollback isn't just for code.

Across hundreds of engineers I've trained, one pattern keeps repeating. When I ask:

"You're building a production deployment platform. What are the most important things to put in place?"

The answers are predictable: "CI/CD, DevSecOps security scanning, signatures, automated post-deploy tests, monitoring, alerting, and on-call rotations".

No one says: "We need a rollback mechanism."

But rollback is the difference between confidence and paralysis.

You can have the most beautiful deployment pipeline in the world. If something goes wrong and you cannot revert quickly, you're blocked.

I usually use this example to explain "Production wisdom" during my training sessions. The goal is to explain why production wisdom is not about automation, but about optionality.

In reality, this wisdom applies far beyond deployments to platforms: If you adopt a storage platform, a CI system, a SaaS tool, or an AI vendor, and you don't think about an exit strategy before deployment, you are repeating the same mistake.

This week, MinIO officially marked its open source repository as "no longer maintained" and redirected users toward its commercial AIStor platform. Companies without an exit strategy are now scrambling to find alternatives.

(You can read more about the situation here.)

This is a textbook example of why you need to design for exit at all levels of your system.

The 12-Factor App still matters.

Factor IV says: "Treat backing services as attached resources". This is a fundamental principle of software design: your app should not care whether the database is local MySQL or Amazon RDS. When you need to change, you should be able to swap out the database without changing your app code.

But that idea is bigger than databases & SMTP servers. It should become a principle for every critical decision in your architecture.

Again, production wisdom is not about automation. It's about optionality.

Side note: If you're interested in building resilient cloud native systems, you need to check out my course "Cloud-Native Microservices With Kubernetes". There's a running discount of 20% off for the next days!

Have a great week,
Aymen
 
 
🔍 Inside this Issue
 
 
Security and automation are having a messy, fascinating moment: agents want root, crawlers want your bandwidth, and container images want to be both minimal and provable. If you have to ship fast without lighting up your threat model, these links will give you sharper tools and better instincts.

🛡️ Building a Least-Privilege AI Agent Gateway for Infrastructure Automation with MCP, OPA, and Ephemeral Runners
🕵️ Chinese Vulnerability Database: CNVD vs CNNVD Analysis
🪶 OpenClaw Lightweight Alternative Launches: A 10MB AI Assistant That Runs on $10 Hardware
😤 Please stop externalizing your costs directly into my face
📦 The hunt for truly zero-CVE container images
🧱 The Only Claude Skill Every DevOps Engineer Needs
🧬 VillageSQL Launches: A Drop-In MySQL Fork Bringing Extensions and AI to the Core

Steal the ideas, dodge the footguns, ship the thing.

Take care!
FAUN.dev() Team
 
 
⭐ Patrons
 
docs.google.com
 
Call for Presenters: IaCConf 2026 | Real-World Infrastructure as Code & Platform Engineering Talks
 
 
If you’ve managed Infrastructure as Code in production, scaled platforms under pressure, or built guardrails that held up at speed, we want to hear from you. IaCConf 2026 is seeking practitioners to present 40-min sessions on May 14 (virtual). Submit your proposal by April 7.
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
ℹ️ News, Updates & Announcements
 
faun.dev
 
OpenClaw Lightweight Alternative Launches: A 10MB AI Assistant That Runs on $10 Hardware
 
 
PicoClaw, written in Go, shrinks an AI assistant to under 10MB RAM. Boots in ~1s on a 0.6GHz CPU across RISC-V, ARM, and x86.

Agents generated 95% of the core code. It produces a single portable binary with no runtime deps, a sandboxed workspace, and safety guards. Supports Telegram, Discord, CLI, scheduled tasks via a heartbeat, local JSON config, and multiple LLM providers. MIT-licensed on GitHub.
 
 
faun.dev
 
VillageSQL Launches: A Drop-In MySQL Fork Bringing Extensions and AI to the Core
 
 
VillageSQL drops as a tracking fork of MySQL, but with brains: it bakes in an extension framework for custom data types, functions, and (soon) indexes.

The alpha already speaks fluent plugin, via external or dynamic libraries. That means things like UUIDs, IP types, crypto helpers, and even AI-flavored SQL show up without hacking the core.
 
 
👉 Enjoyed this? Read more news on FAUN.dev/news
 
⭐ Sponsors
 
faun.dev
 
Three Events. One Week. The Heart of SoCal Tech.
 
 
This March, Pasadena becomes a rare convergence point for security, open source, and DevOps practitioners. As a media partner, FAUN.dev() is proud to support three community-driven events that are deeply practitioner-focused and unapologetically real.

👉 SCALE anchors the week as North America's largest community-run open source conference, spanning 4 days of hands-on sessions across open source, cloud native, DevOps, and security.

👉 DevOpsDayLA closes the loop with a focus on DevOps in an AI world, grounded in real stories from the uniquely diverse Southern California tech ecosystem.

👉 SunSecCon brings together application, infrastructure, cloud, and corporate security professionals to break silos and focus on how defense actually works in practice.

What these events share is simple: they are built by practitioners, for practitioners. You don't just consume talks. You learn from real implementations, share hard-earned lessons, and connect with people facing the same constraints and trade-offs you are.

If you'll be anywhere near Southern California in early March, this is a week worth planning around.


If you care about how systems are really built, secured, and operated, you'll want to be there.
 
 
👉 Spread the word and help developers find you by promoting your projects on FAUN. Get in touch for more information.
 
🔗 Stories, Tutorials & Articles
 
drewdevault.com
 
Please stop externalizing your costs directly into my face
 
 
SourceHut spent 20–100% of weekly time mitigating hyper‑aggressive LLM crawlers. That work caused dozens of short outages and delayed core projects.

The crawlers ignore robots.txt. They hit costly endpoints like git blame. They scan full git logs and commits. They rotate random User‑Agents and thousands of residential IPs to blend in and evade mitigations.

Trend to watch: Large LLM crawlers that disregard robots.txt and mimic user traffic are shifting scraping tactics. That shift piles ongoing costs onto small forges.
 
 
infoq.com
 
Building a Least-Privilege AI Agent Gateway for Infrastructure Automation with MCP, OPA, and Ephemeral Runners
 
 
Introduces an AI Agent Gateway. It mediates agent requests, validates intent, enforces policy-as-code, and isolates execution in ephemeral runners.

Agents discover tools via MCP. They submit JSON-RPC calls and receive OPA decisions. Jobs queue and run in short-lived namespaces. Each run carries plan hashes, traces, and SLOs.
 
 
thenewstack.io
 
The hunt for truly zero-CVE container images
 
 
Chainguard's Factory 2.0 and DriftlessAF rebuild images from source on upstream changes. They produce 2,000+ minimal zero‑CVE images. Each image includes an SBOM and a cryptographic signature.

Docker's DHI builds on Debian and Alpine. It mirrors Debian's no‑DSA triage into VEX. It also suppresses real CVEs until Debian patches and rebuilds.
 
 
awsfundamentals.com
 
The Only Claude Skill Every DevOps Engineer Needs
 
 
The Terraform Claude Skill turns Claude Code into a Terraform expert. It enforces modularity, strict naming, and consistent tagging. It treats the state file as the single source of truth.

It wires in external tools: linting, security checks, and cost estimates. It forces real-doc validation and blocks insecure IAM policies and monolithic Terraform files.
 
 
bitsight.com
 
Chinese Vulnerability Database: CNVD vs CNNVD Analysis
 
 
The investigation profiles how CNNVD and CNVD echo CVE. It reveals manual errors and poor machine-readability in both databases.

China’s July 2021 RMSV mandates 48-hour reporting and bans pre-patch disclosure. Mapping gaps exist. The databases published about 1.4k entries ahead of CVE, with lead times measured in months.
 
 

👉 Got something to share? Create your FAUN Page and start publishing your blog posts, tools, and updates. Grow your audience, and get discovered by the developer community.

 
⚙️ Tools, Apps & Software
 
github.com
 
JamesWoolfenden/pike
 
 
Pike is a tool for determining the permissions or policy required for IAC code
 
 
github.com
 
zeroclaw-labs/zeroclaw
 
 
Fast, small, and fully autonomous AI assistant infrastructure — deploy anywhere, swap anything
 
 
github.com
 
twilligon/git-lfs-s3-proxy
 
 
Store Git LFS files on any service with an S3 API
 
 
github.com
 
hexagonal-sun/moss-kernel
 
 
Rust Linux-compatible kernel
 
 
github.com
 
standardagents/dmux
 
 
A dev agent multiplexer for git worktrees and claude code (or other agents).
 
 

👉 Spread the word and help developers find and follow your Open Source project by promoting it on FAUN. Get in touch for more information.

 
🤔 Did you know?
 
 
Did you know that running kubectl delete pod does not guarantee the container stops immediately? Kubernetes is a desired-state system - the kubelet on the node sends a SIGTERM signal and waits up to 30 seconds before force-killing with SIGKILL, but if the node is unreachable, the kubelet never receives the delete signal and the workload keeps running. This is why SREs doing incident containment rely on node-level controls like cloud security groups or CNI network policies rather than treating kubectl delete as an instant kill switch.
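As an added example (not from the newsletter or any linked article), here is a Kubernetes NetworkPolicy that quarantines a suspect pod by label, the kind of CNI-level control the note above refers to. The `quarantine` label key and the `default` namespace are assumptions made for the example.

```yaml
# Added example: isolate a suspect pod at the network layer instead of relying
# on `kubectl delete pod` as a kill switch. NetworkPolicy is enforced by the
# CNI plugin on each node rather than by the kubelet's delete handling.
# Assumptions: the namespace "default" and the label key "quarantine" are
# made up for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: quarantine-deny-all
  namespace: default
spec:
  # Only pods carrying the quarantine label are selected; every other pod in
  # the namespace keeps whatever policies already apply to it. Apply with:
  #   kubectl label pod <pod-name> -n default quarantine=true
  podSelector:
    matchLabels:
      quarantine: "true"
  # Declaring both policy types with no ingress or egress rules denies all
  # traffic in both directions, including DNS and calls to the API server.
  policyTypes:
    - Ingress
    - Egress
```

Two caveats: the cluster's CNI must actually enforce NetworkPolicy (the API object is accepted but ignored otherwise), and the CNI agent on the pod's node learns about this policy from the same API server the kubelet does, so when that node is fully partitioned from the control plane, enforcement outside the node (a cloud security group, or ingress policies on the peers the pod talks to) is what holds.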
 
 
🤖 Once, SenseiOne Said
 
 
"In cloud and SRE, the more you automate away your decisions, the more your defaults become your architecture. When the pager goes off, you don't debug code, you debug the assumptions you stopped noticing."
— SenseiOne
 

(*) SenseiOne is FAUN.dev’s work-in-progress AI agent

 
⚡Growth Notes
 
 
In incident follow-ups, write and merge the smallest durable guardrail: a runbook step, an SLO and alert bound to user impact, or a safe automation with a rollback, never an essay. Treat reproducibility as a requirement by capturing exact commands, inputs, and expected outputs in the ticket so anyone can rerun the failure path months later without asking you.
 
Each week, we share a practical move to grow faster and work smarter.
 
😂 Meme of the week
 
 
 
 
❤️ Thanks for reading
 
 
👋 Keep in touch and follow us on social media:
- 💼LinkedIn
- 📝Medium
- 🐦Twitter
- 👥Facebook
- 📰Reddit
- 📸Instagram

👌 Was this newsletter helpful?
We'd really appreciate it if you could forward it to your friends!

🙏 Never miss an issue!
To receive our future emails in your inbox, don't forget to add community@faun.dev to your contacts.

🤩 Want to sponsor our newsletter?
Reach out to us at sponsors@faun.dev and we'll get back to you as soon as possible.
 

DevOpsLinks #517: The Only Claude Skill Every DevOps Engineer Needs
Legend: ✅ = Editor's Choice / ♻️ = Old but Gold / ⭐ = Promoted / 🔰 = Beginner Friendly

You received this email because you are subscribed to FAUN.dev.
We (🐾) help developers (👣) learn and grow by keeping them up with what matters.

You can manage your subscription options here (recommended) or use the old way here (legacy). If you have any problem, read this or reply to this email.