tomviner

The Iranians called his bluff. It’s just a fact that denial of commercial transit is far, far easier than securing navigation. It cannot be done without disarming Iran. This little episode reinforces Iranian control of Hormuz. There was also ‘a threat that leaves something to chance’ in his stratagem. He was daring the Iranians to run the risk of war to enforce their control of Hormuz. The Iranians did not flinch. Where does this episode leave us? First, Hormuz will not reopen until at least a preliminary deal is reached with Iran. And that still requires lifting the blockade and ordering the Israelis to stand down in Lebanon. Second, he tried this cheap trick because the fundamental reality is that the US is out of real alternatives to actual two-sided negotiations. Frozen conflict with Hormuz closed continuously tightens the noose around his neck. Going back to war will not only run down the US magazine, likely lead to the closure of the Red Sea as well, and cause massive destruction in UAE and Israel at least. It also runs the risk of further unrecoverable losses for the US military itself, including the destruction of the surviving bases. Even if he is prepared to pay the full price, as the hasbara commissars are demanding, it is highly improbable that the US can defeat Iran, since the only way to defeat Iran is to disarm it, and by now it is beyond reasonable doubt that the US does not have the capability to do that. No one said losing the empire was going to be cake walk. It’s humiliating. It requires a fundamental reconsideration of the picture of the world in their heads. It’s going to be a drawn-out, violent process. But gaps between discourse and reality can only close in one direction.

unpopular dockerfile takes (that actually work) 1 - stop using alpine — yes, it's tiny. but musl libc ≠ glibc. your python/node app will rebuild native deps from scratch or just... silently be slower. use -slim (debian-slim) instead. same size win, zero grief. 2 - layer order is your cache strategy. COPY your lockfile first, run install, then copy source. invalidating the install layer on every code change is a skill issue ngl 3 - multi-stage builds aren't just "best practice" — they're the actual reason your prod image doesn't ship gcc and 400mb of build tools. builder stage = bloat zone. final stage = lean mean container. 4 - COPY . . is fine actually — if your .dockerignore is correct. most pain here is from forgetting to ignore node_modules/, .git, *.log. fix the ignore file, not the COPY. 5 - one process per container is a vibe, not a law. if your app needs nginx + app server and you're not at k8s scale — just use supervisord. the "one process" dogma costs more complexity than it saves sometimes. 6 - pin your base image by digest, not tag. node:20 today ≠ node:20 in 6 months. prod broke because of a tag? that's a you problem tbh. 7 - BuildKit cache mounts (--mount=type=cache) will change your life. pip/apt/cargo cache between builds without it ending up in the final layer. nobody talks about this enough fr there's no "best practice" in a vacuum. alpine is great for Go binaries. slim is great for Python. scratch is great for static bins. know your workload, then choose. btw if you want something to catch all this stuff automatically - check out dockerfile-roast — a linter written in Rust that literally roasts your Dockerfile. 63 rules, brutally honest output (but it can also provide just dry facts, no roast), runs on any OS or as a docker container https://t.co/NVYpe8iD65 #docker #devops #kubernetes #backend #linux #rust #sre #containers