DEV Community: Jakson Tate

Deploy Supabase on Bare Metal: Secure Self-Hosted Firebase

Jakson Tate — Thu, 28 May 2026 12:26:41 +0000

Supabase is a magnificent open-source backend alternative providing a massive relational database, robust authentication, and real-time subscription capabilities. However, deploying this architecture securely requires profound engineering knowledge.

Countless online tutorials instruct developers to clone the repository and execute the start command blindly. This practice is extremely dangerous. The default configurations expose your raw database port directly to the public internet and misconfigure critical API routing endpoints. In this masterclass, we will deploy Supabase on a high-performance bare metal server, locking down every microservice with enterprise-grade security architectures.

Phase 1: Clone the Supabase Architecture

First, authenticate into your ServerMO bare metal machine via secure shell. We will clone only the latest release depth of the official repository to save bandwidth and initialize our configuration files perfectly.

# Clone the repository minimizing git history
git clone --depth 1 [https://github.com/supabase/supabase](https://github.com/supabase/supabase)
cd supabase/docker

# Duplicate the template environment file
cp .env.example .env

Phase 2: Generate Cryptographic Secrets

The most critical security failure developers make is ignoring the placeholder secrets. If you deploy using the default JSON Web Token (JWT) keys, anyone on the internet can forge an administrative token and commandeer your infrastructure. We must generate mathematically secure cryptographic keys immediately.

Critical Security Warning

Never reuse keys across different environments. The Service Role Key bypasses all database Row Level Security (RLS) policies automatically. Treat this string with the exact same reverence as your primary database password.

# Execute the official secret generation script
sh utils/generate-keys.sh

# Inject the newly minted asymmetric keys into your environment
sh utils/add-new-auth-keys.sh

After generating these keys, open your environment file and update the public domain parameters so authentication callbacks route correctly back to your users.

# Edit your environment configuration
nano .env

# Modify these specific lines matching your final production domain
SITE_URL=[https://supabase.yourdomain.com](https://supabase.yourdomain.com)
API_EXTERNAL_URL=[https://supabase.yourdomain.com](https://supabase.yourdomain.com)

Phase 3: Fix the Docker Firewall Bypass

Docker automatically alters Linux iptables networking rules to route traffic into containers. This means if you use a standard firewall (like UFW) to block port 5432, but the docker-compose.yml file exposes it globally, the port remains wide open to global attackers. You must explicitly instruct the service to bind these critical ports strictly to your local machine loopback interface.

# Open the main compose configuration
# nano docker-compose.yml

# Find the Kong API gateway service and modify the ports
  kong:
    ports:
      # SECURE: Bound exclusively to localhost
      - 127.0.0.1:${KONG_HTTP_PORT}:8000
      - 127.0.0.1:${KONG_HTTPS_PORT}:8443

# Find the Studio dashboard service and secure it
  studio:
    ports:
      - 127.0.0.1:${STUDIO_PORT}:3000

# Find the Database service and ensure it is not globally exposed
  db:
    ports:
      - 127.0.0.1:${POSTGRES_PORT}:5432

Phase 4: Initialize the Supabase Stack

With your cryptographic secrets secured and your container networking safely bound to localhost, you can now pull the massive microservice architecture. This stack includes the Realtime engine, GoTrue authentication, and the robust PostgREST server.

# Pull the latest container images from the registry
docker compose pull

# Execute the entire infrastructure stack in detached mode
docker compose up -d

# Verify all fifteen containers achieved a healthy operational state
docker compose ps

Phase 5: Configure Exact Nginx Routing

Since we securely locked all containers to localhost, external users cannot access your platform yet. We must deploy an Nginx reverse proxy to intercept public traffic.

Many amateur tutorials incorrectly route all API requests through an arbitrary sub-directory structure, causing instant 404 failures because the official client SDKs expect exact root-level endpoints. Furthermore, failing to inject WebSocket upgrade headers directly into the Kong gateway block will instantly murder your Realtime database connections.

# Install the web server and certificate provisioning tools
sudo apt install nginx certbot python3-certbot-nginx -y

# Create the proxy configuration file
sudo nano /etc/nginx/sites-available/supabase

Paste the following enterprise routing configuration, ensuring WebSockets upgrade properly and client IP addresses forward accurately for rate limiting.

server {
    listen 80;
    server_name supabase.yourdomain.com;

    # Route Studio Dashboard
    location / {
        proxy_pass [http://127.0.0.1:3000](http://127.0.0.1:3000);
        proxy_set_header Host $host;
    }

    # CRITICAL: Route exactly how the Client SDK expects utilizing regular expressions
    location ~ ^/(rest|auth|realtime|storage)/v1/ {
        proxy_pass [http://127.0.0.1:8000](http://127.0.0.1:8000);
        proxy_set_header Host $host;

        # Forward true client identity for secure rate limiting
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # CRITICAL: Prevent the Realtime WebSocket from dropping
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Maintain persistent idle connections for live database subscriptions
        proxy_read_timeout 86400;
    }
}

# Enable the configuration and acquire encrypted certificates
sudo ln -s /etc/nginx/sites-available/supabase /etc/nginx/sites-enabled/
sudo nginx -t && sudo systemctl reload nginx
sudo certbot --nginx -d supabase.yourdomain.com

Phase 6: Eradicating Bad Gateway Errors

Many developers complain about encountering sudden 502 Bad Gateway errors after deploying their infrastructure. They mistakenly blame their web server configuration.

The brutal reality is that this architecture requires immense hardware capabilities. When fifteen heavy containers compete for resources on a cheap, shared virtual server, the operating system runs out of memory. The Linux kernel's Out-Of-Memory (OOM) killer responds by silently assassinating the API gateway or database, generating massive connection drops. Furthermore, the Realtime subscription engine requires tremendous disk IOPS to broadcast database changes rapidly.

Technical Architecture Overview: Baseline vs. Enterprise SRE

Architectural Layer	Vulnerable Baseline Cloud Setup	Enterprise Bare Metal Standard (ServerMO)
Port Exposure	Exposing `5432` globally due to Docker `iptables` overrides.	Strict `127.0.0.1` binding for Postgres and Kong.
Authentication	Using default placeholder JWT keys from `.env.example`.	Generating cryptographically secure runtime secrets.
Proxy Routing	Arbitrary nested `/api/` paths causing SDK 404s.	Exact Regex root-level endpoints (`/rest/v1/`).
WebSockets	Standard HTTP forwarding (drops Realtime events).	Explicit `Upgrade` & `Connection` proxy headers.
Uptime Stability	502 Bad Gateway crashes due to shared VPS OOM killing.	Unthrottled memory & NVMe on Dedicated Bare Metal.

Secure Deployment FAQ

Why is my Supabase Postgres port exposed to the internet?
By default, Docker dynamically alters your Linux iptables to route network traffic, bypassing standard firewalls (like UFW) completely. If you map a port without specifying an IP address, it becomes globally accessible. You must explicitly bind the database to 127.0.0.1 in your compose file to secure it.

Why does my Supabase Realtime subscription drop instantly?
If your reverse proxy lacks WebSocket upgrade headers or implements a strict timeout limit, your Realtime connections will terminate abruptly. You must configure Nginx to forward HTTP upgrade requests to the Kong gateway and drastically extend the proxy read timeout limits (proxy_read_timeout 86400;).

Why am I getting 404 errors from my Supabase client SDK?
The official client libraries execute requests strictly to root-level endpoints like /rest/v1/ and /auth/v1/. If you configured your proxy to nest these endpoints under an arbitrary /api/ directory, the SDK cannot resolve the pathways, resulting in permanent 404 routing failures.

What causes the Supabase 502 Bad Gateway error?
A 502 error occurs when the Nginx proxy cannot reach the Supabase Kong gateway. This usually happens on underpowered virtual servers where the Linux Out-Of-Memory (OOM) killer terminates the Kong or Realtime containers due to RAM exhaustion.

The ServerMO Enterprise Advantage

You cannot run a heavy production database platform on throttled shared infrastructure. By hosting your stack on ServerMO Dedicated Servers, you gain exclusive access to enterprise Non-Volatile Memory Express (NVMe) storage arrays and unthrottled processor cores. This guarantees your backend scales flawlessly without ever triggering memory panics or gateway timeouts.

🔗 Deploy Your Dedicated Supabase Fleet at ServerMO: ServerMO Enterprise Bare Metal

How to Optimize MongoDB on Bare Metal Servers: SRE Playbook

Jakson Tate — Thu, 28 May 2026 11:20:58 +0000

The explosion of artificial intelligence retrieval applications has transformed the way enterprises deploy document databases. However, transitioning from managed cloud platforms to massive bare metal infrastructure introduces terrifying engineering complexities.

Most tutorials assume standard desktop environments, leading organizations into catastrophic production traps. Maintaining true enterprise performance requires overriding deep kernel parameters, mastering memory architecture, and exposing legacy security misconceptions.

Phase 1: Escaping the NUMA and AVX Hardware Traps

Before writing a single byte to the disk, infrastructure administrators must secure processor compatibility. The database engine utilizes highly optimized mathematics to execute complex aggregation pipelines. This architecture strictly requires a processor supporting Advanced Vector Extensions (AVX). Deploying on legacy silicon guarantees instant core dump crashes.

The Bare Metal NUMA Trap

Massive servers utilizing dual-socket AMD or Intel processors operate on Non-Uniform Memory Access (NUMA) architectures. If you launch the database natively, the engine exhausts the memory strictly assigned to a single processor socket, generating massive, sudden latency spikes. You must utilize an execution wrapper to interleave memory requests symmetrically across all available hardware pools.

Phase 2: Defusing the Transparent Huge Pages Timebomb

The Linux operating system attempts to optimize standard operations by enabling Transparent Huge Pages (THP), allocating system memory in massive 2MB blocks. This creates a catastrophic conflict with document stores.

The WiredTiger storage engine operates efficiently using extremely tiny, granular memory allocations. Forcing it to interact with massive kernel blocks causes severe memory bloat and rapid fragmentation. Eventually, the operating system and the database fight violently for allocation resources, causing the entire server to freeze permanently. You must defuse this timebomb immediately using a systemd initialization daemon.

# Create a persistent systemd service to disable the memory feature on boot
sudo nano /etc/systemd/system/disable-thp.service

[Unit]
Description=Disable Transparent Huge Pages
After=sysinit.target local-fs.target

[Service]
Type=oneshot
ExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'
ExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/defrag'

[Install]
WantedBy=basic.target

# Enable and execute the service permanently protecting your memory
sudo systemctl daemon-reload
sudo systemctl enable --now disable-thp.service

Phase 3: High-Speed NVMe File System Tuning

When an enterprise deployment suffers from extremely slow aggregation pipelines, the performance bottleneck usually resides directly within the disk layer. Standard Linux distributions format hardware storage utilizing the EXT4 protocol by default. The WiredTiger engine performs heavy internal checkpoints every 60 seconds, causing EXT4 to struggle violently and freeze active database operations under heavy write concurrency.

The absolute best operating system configuration requires formatting your enterprise NVMe storage utilizing the XFS file system, which provides the extreme sequential write tracking required.

# Format the drive using the XFS file system
sudo mkfs.xfs /dev/nvme1n1

# Mount the drive permanently disabling access time updates to reduce write fatigue
sudo mount -o noatime /dev/nvme1n1 /var/lib/mongodb

Phase 4: Future-Proof Daemon Architecture

High-performance database applications generate thousands of simultaneous network requests. By default, the operating system restricts running processes to exactly 1,000 open file connections. This causes catastrophic connection refused exceptions during peak read/write traffic. Furthermore, idle network connections drop silently, disrupting geographical replica sets.

We must intercept the native service controller, increasing connection descriptor allocation limits, dropping the kernel network timeout thresholds, and injecting the critical NUMA wrapper directly into the execution pathway.

# Install the memory management utility
sudo apt-get install numactl

# Create an override directory for the database daemon securely
sudo systemctl edit mongod

[Service]
# Overwrite the execution string injecting the NUMA interleave wrapper
ExecStart=
ExecStart=/usr/bin/numactl --interleave=all /usr/bin/mongod --config /etc/mongod.conf

# Grant the database an enterprise grade open files limit
LimitNOFILE=64000
LimitNPROC=64000

# Defeat firewall timeouts by reducing the network keepalive threshold to two minutes
echo "net.ipv4.tcp_keepalive_time = 120" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Phase 5: Exposing the Plaintext Security Lie

Optimizing raw input/output performance is completely meaningless if your infrastructure remains vulnerable to catastrophic extraction exploitation. Countless industry tutorials claim that utilizing a replication key file establishes a hardened zero-trust cluster environment. This is a massive engineering lie.

The Plaintext Network Trap

A cluster key file only acts as an identity badge between cluster nodes. It does not provide cryptographic network encryption. If you deploy a cluster relying solely on identity keys, your corporate document data and structural user passwords travel across the local network switches in highly vulnerable plaintext. True zero-trust architecture mandates activating Transport Layer Security (TLS) immediately.

# Edit the main configuration file enforcing strict transport encryption
net:
  port: 27017
  bindIp: 127.0.0.1,10.114.0.10
  tls:
    # Reject all unencrypted plaintext connections flawlessly
    mode: requireTLS
    certificateKeyFile: /etc/ssl/mongodb_secure.pem
    CAFile: /etc/ssl/ca_chain.pem

security:
  authorization: "enabled"
  # Utilize identity authentication alongside strong transport encryption
  keyFile: /var/lib/mongodb/secure_cluster_key.pem

Technical Architecture Overview: Baseline vs. Enterprise SRE

Layer / Feature	Vulnerable Baseline Cloud Setup	Enterprise Bare Metal Standard (ServerMO)
Processor Mapping	Single-socket mapping or localized CPU starvation	Strict `numactl --interleave=all` memory allocation
Kernel Block Size	Active Transparent Huge Pages (Causes 2MB fragmentation)	Explicitly disabled THP via systemd boot daemons
File System Layer	Default EXT4 format (Freezes during 60s checkpoints)	High-speed XFS partition mounted with `noatime` parameters
Connection Capacity	Restrictive 1,000 file descriptor ulimit thresholds	Enterprise-grade 64,000 `LimitNOFILE` thread ceiling
Cluster Network Wire	Plaintext node transport using replica key validation only	Strict Cryptographic `requireTLS` packet handling

Database Infrastructure FAQ

Why is my dual-socket bare metal server experiencing extreme latency spikes?
Modern enterprise processors utilize Non-Uniform Memory Access (NUMA). If you start the database normally, the engine traps its memory pool inside a single processor socket. You must use the numactl wrapper to interleave memory requests evenly across all available hardware.

Why does the Linux operating system freeze completely when MongoDB scales?
Linux enables Transparent Huge Pages by default, allocating memory in massive blocks. The database storage engine requires tiny allocations, causing severe memory bloating and fragmentation. You must disable this kernel feature permanently.

Does utilizing a replica key file encrypt my database traffic?
No. This is a massive security misconception. The key file only proves node identity. Without explicit transport layer security enabled, all your queries and sensitive user data travel across the network in highly vulnerable plaintext.

Why am I getting "too many open files" errors during peak traffic?
Default Linux limits restrict applications to 1,000 simultaneous open files or connections. High-performance databases require tens of thousands of descriptors. You must create a systemd override file granting the database an enterprise-grade connection limit.

The ServerMO Bare Metal Verdict

By migrating your heavy database workloads to ServerMO Dedicated MongoDB Servers and applying these intense bare-metal optimizations, you secure an unthrottled environment. Your memory interleaves flawlessly, your network descriptor queues remain active perpetually, and your internal network traffic operates under absolute cryptographic safety.

🔗 Deploy Your Dedicated Database Fleet at ServerMO: ServerMO Dedicated GPU & Database Bare Metal Cluster

How to Safely Manage Linux Servers via CtrlOps: SRE Playbook

Jakson Tate — Thu, 28 May 2026 10:53:07 +0000

Provisioning a powerful bare metal machine represents only the initial phase of deploying successful web infrastructure. Managing a decentralized fleet historically required installing heavy monitoring agents that consume local hardware resources.

CtrlOps solves this by operating as a fully local desktop application running an intelligent terminal. However, securing this environment requires understanding severe architectural realities regarding data leaks and the absolute danger of unauthorized network exposure.

Phase 1: Zero-Trust Artificial Intelligence Privacy

While the platform securely isolates your cryptographic access keys on your local hard drive, its default diagnostic engine often routes system logs to commercial cloud providers. To establish absolute data sovereignty, you must utilize a local language model like Ollama.

However, attempting to run an 8B parameter model perpetually on a standard corporate laptop will completely exhaust your system memory, causing severe thermal throttling. SREs solve this by deploying a dedicated internal Management Bastion Server to offload the computational burden entirely away from your personal workstation.

The Unauthenticated Hijack Trap

Local machine learning engines lack native password authentication. Modifying the system daemon to expose the service across all network interfaces (0.0.0.0) transforms your private infrastructure into a public, free intelligence endpoint for malicious exploitation. You must maintain the local binding and utilize secure shell (SSH) local port forwarding to establish an encrypted tunnel.

# 1. SSH into your dedicated Management Bastion Server
ssh admin@management_bastion_ip

# 2. Install the diagnostic engine securely (binds to localhost safely)
curl -fsSL [https://ollama.com/install.sh](https://ollama.com/install.sh) | sh

# 3. Pull a highly capable local intelligence model for private log analysis
ollama run llama3

# 4. Disconnect and establish a strict Zero-Trust encrypted tunnel from your laptop
ssh -N -L 11434:localhost:11434 admin@management_bastion_ip

With the tunnel active, your desktop application can now communicate flawlessly with the remote intelligence engine as if it were running natively on your personal device, preserving absolute security.

Phase 2: Secure Agentless Connection and Sudo Hardening

The most catastrophic mistake an administrator can make is connecting an intelligent terminal directly to the root user account. While the terminal requires explicit human approval before executing scripts, an exhausted engineer might accidentally approve a hallucinated command, instantly destroying the entire operating system.

You must enforce the Principle of Least Privilege by creating a restricted administrative user (ai_admin).

Resolving the Background Prompt Freeze

When an automated terminal executes administrative maintenance, the operating system triggers a background password request. Because the agentless engine operates without manual keyboard inputs, this prompt instantly freezes the deployment pipeline indefinitely. You must configure the system directory securely, granting password-free execution specifically to the exact binaries required.

# Create a restricted user on your target production server
sudo adduser --disabled-password --gecos "" ai_admin

# Prevent terminal freezes by granting password-free execution specifically for system services
echo 'ai_admin ALL=(ALL) NOPASSWD: /usr/bin/systemctl' | sudo tee /etc/sudoers.d/ai_admin_systemctl

# Generate a resilient cryptographic key pair on your local machine
ssh-keygen -t ed25519 -C "admin@your_workstation"

# Securely transmit the public token strictly to the restricted user account
ssh-copy-id -i ~/.ssh/id_ed25519.pub ai_admin@your_production_ip

Once completed, input your server address into the local desktop interface mapping it exclusively to your restricted identity. The software initializes a permanent encrypted tunnel, bypassing vulnerable password authentication entirely.

⚡ Phase 3: Automated Error Resolution

Application failures generate massive walls of confusing error text that can take hours to decipher manually. The true power of an intelligent terminal lies in bridging the gap between human intent and machine execution, perfectly translating natural language requests into exact remediation scripts.

A classic infrastructure failure occurs when an administrator attempts to launch Nginx, but the service crashes immediately due to an undetected background process illegally occupying port 80. The terminal analyzes the system controller outputs instantaneously, generating the optimal uninstallation framework:

# The AI terminal detects the failure automatically
systemctl status nginx
# Active: failed (Result: exit-code)

# The agent autonomously checks for conflicting services holding port eighty
lsof -i :80
# COMMAND   PID   USER   TYPE
# apache2   1847  root   IPv6 *:80

# The terminal generates the exact remediation script utilizing your password-free permissions
sudo systemctl stop apache2 && sudo systemctl start nginx

Phase 4: Preventing Configuration Drift

As your infrastructure grows, operational discipline becomes paramount. Integrating powerful diagnostic tools requires understanding engineering boundaries to prevent catastrophic fleet inconsistencies.

Unmasking the Configuration Drift Danger

Many review platforms erroneously market intelligent terminals as direct alternatives to advanced deployment frameworks like Ansible, Chef, or Terraform. This is a severe engineering misconception.

Infrastructure-as-Code (IaC) platforms operate on strict declarative logic, ensuring uniform states across hundreds of machines simultaneously. Utilizing an imperative terminal tool to execute widespread configuration changes manually across massive enterprise fleets will cause severe operational drift. You must restrict terminal intelligence strictly to isolated debugging, rapid file management, and localized log analysis.

📋 Technical Architecture Overview: Baseline vs. Enterprise SRE

Layer / Feature	Vulnerable Baseline Setup	Enterprise SRE Standard (ServerMO)
Connection Method	Direct `root` login over standard SSH connection.	Restricted `ai_admin` identity mapped exclusively via secure cryptographic keys.
AI Privacy Path	Leaking system diagnostic logs to public cloud endpoints (like OpenAI API).	Private local Ollama instance running securely on a dedicated Management Bastion.
Network Security	Exposing open Ollama network ports (`0.0.0.0`) globally without password protection.	Enforcing strict localhost binding coupled with encrypted SSH local port forwarding.
Automation Flow	Standard `sudo` layer that instantly freezes automated pipelines on background password prompts.	Hardened and targeted `NOPASSWD` binary whitelisting inside the system directory.
Fleet-Scale Role	Making manual, imperative structural adjustments across massive enterprise fleets (causes configuration drift).	Restricting terminal intelligence strictly to isolated debugging, rapid file edits, and localized log analysis.

AI Infrastructure FAQ

Why shouldn't I expose the Ollama network port publicly?
Local machine learning engines lack native password authentication. Exposing the port across all interfaces transforms your private infrastructure into a public, free intelligence endpoint allowing immediate exploitation. You must use secure shell local port forwarding to connect safely.

Why does the automated agent freeze when repairing background services?
Because the platform operates completely agentless, it functions without manual keyboard inputs. When the script executes restricted commands, the server triggers a background password prompt, causing the entire pipeline to freeze indefinitely. You must configure specific commands securely inside the sudoers directory preventing these background halts.

Is this artificial intelligence terminal a complete replacement for Ansible or Terraform?
No. While review sites often confuse the two, they serve entirely different purposes. AI terminals execute imperative commands perfect for rapid debugging. Ansible and Terraform utilize declarative code necessary to prevent massive configuration drift across large enterprise fleets.

Why is it dangerous to connect the terminal using the root user account?
While the terminal requires explicit human approval before executing any command, an exhausted engineer might accidentally approve a hallucinated or injected destructive script. Enforcing a limited user account provides a vital permission barrier preventing accidental server destruction.

The ServerMO SRE Verdict

Combining the raw, unshared processing power of dedicated hardware with the intuitive agentless management capabilities of modern intelligent terminals creates the ultimate deployment ecosystem. You secure complete system control over your applications without deploying resource-heavy web dashboards or sacrificing operational privacy.

Stop settling for underpowered virtual instances and sinking your corporate resources into rigid shared cloud architectures that freeze your development pipelines. Take total control over your system performance, memory layouts, and data sovereignty rules.

Explore ServerMO Bare Metal Dedicated Servers: ServerMO AI Infrastructure

Virtualize Game Development with NVIDIA RTX PRO 6000 Blackwell Servers

Jakson Tate — Thu, 21 May 2026 07:38:14 +0000

The game development ecosystem is scaling at an unprecedented rate. Modern studio teams are engineering massive, interconnected virtual worlds operating across highly complex asset pipelines, shifting rapidly toward heavily distributed remote workforces.

Despite these advanced structural transitions, a significant portion of global game studios continue to anchor their production infrastructure to fixed, desk-bound hardware workstations situated directly under local office tables.

This decentralized architecture creates severe operational inefficiencies. Million-dollar corporate graphics assets sit completely idle during overnight hours, while remote engineers across separate time zones suffer from severe processing bottlenecks. Resolving this friction mandates migrating away from desktop sprawl toward centralized server architectures.

However, deploying virtual workstations requires stripping away vendor marketing illusions and confronting brutal engineering realities regarding memory mathematics, licensing taxes, compute noise parameters, and physical distance limitations.

Corporate Intellectual Property Security Threat

Virtualizing game development requires strict network discipline. If your central server graphics provisioning interface connects directly to the public internet, malicious actors can hijack active rendering sessions—stealing unreleased game assets and proprietary engine source code directly from memory.

Site Reliability Engineers must enforce rigorous management network isolation, mandating secure tunneling protocols and multi-factor authentication (MFA) gateways before permitting remote developers to access the graphics environment.

The 48-User VRAM Marketing Illusion

Hardware vendors frequently market the 96GB NVIDIA RTX PRO 6000 Blackwell Server Edition as capable of supporting up to 48 concurrent virtual developers. For professional 3D game development, this calculation is an absolute technical fallacy.

Dividing 96GB across 48 users leaves precisely 2GB of video memory (VRAM) per session. Modern development platforms like Unreal Engine 5 require an absolute minimum of 12 to 16 Gigabytes merely to launch a blank project without triggering fatal out-of-memory software exceptions. Realistically, a single Blackwell rendering server optimally supports a maximum of 6 to 8 elite artists engineering massive, high-fidelity geometric scenes.

The Broadcom License Tax and Open Source Salvation

To centralize studio hardware resources safely, many traditional systems architects advocate for deploying proprietary virtualization stacks. While migrating away from public clouds successfully eliminates catastrophic data egress network charges, implementing corporate hypervisors introduces an equally hazardous financial trap: the massive Broadcom software subscription tax. Proprietary virtual desktop infrastructures (VDI) demand aggressive annual renewal fees per activated user profile, completely destroying your infrastructure return on investment (ROI) projections.

Modern enterprise SREs avoid this corporate tax trap by anchoring their graphics clusters entirely on open-source hypervisor architectures. Deploying your server using Proxmox VE (KVM) or integrating bare-metal clusters with Red Hat OpenShift (KubeVirt) delivers raw, uninhibited access to physical graphics compute paths. This open-source framework unlocks advanced graphics execution capabilities and coordinates user profiles flawlessly without forcing your business into expensive, multi-year software licensing dependencies.

The Unreal Engine Viewport Streaming Paradox

Another devastating error occurs when infrastructure engineers deploy consumer-grade open-source streaming software to transmit isolated user sessions over remote connections. Inside enterprise-level virtualization layouts, consumer applications encounter critical virtual monitor errors.

Because consumer tools are built entirely around physical display outputs and standard desktop driver architectures, they fail to map virtual layouts properly. This causes immediate display initialization exceptions and crashes the viewport editor environment instantly.

Elite architectures completely avoid consumer utilities, mandating the use of certified enterprise display protocols like HP Anyware (Teradici PCoIP) or Citrix HDX. These professional systems are engineered specifically to communicate with enterprise grid drivers, handling complex display allocations flawlessly. This infrastructure guarantees that remote digital artists experience absolute visual accuracy, exact peripheral input response, and perfect mouse precision directly within their virtual edit pipelines.

Defeating the "Noisy Neighbor" Shader Compilation Crisis

The most destructive obstacle within shared graphics infrastructure is compute noise management. Game rendering loops rely heavily on massive system memory speeds and multi-thread processor operations. When an individual software developer triggers a massive asset migration or initiates a 10,000-item shader compilation sequence, that specific action can instantly consume the entire host central processing cache.

Without rigorous orchestration isolation, this massive compute spike starves every adjacent slice on the physical hardware. Nearby designers experience immediate viewport decay, dropping from a fluid performance straight down to a lagging 5 frames per second interface.

To prevent this severe disruption, you must enforce strict NUMA node pinning and hard core-isolation protocols within the hypervisor layer, locking each development profile to dedicated, unshared processor silicon boundaries. Attempting this pinning routine on low-core budget processors causes massive CPU starvation because the server lacks the physical thread density required to separate concurrent multi-user workloads cleanly.

The Physical Distance Trap and Viewport Latency

Many infrastructure engineers fall into the technical trap of evaluating server virtualization setups purely based on network bandwidth capacity. Proclaimers brag about provisioning massive pipelines to transmit data allocations across global distances. In the engineering reality of real-time interactive streaming, this represents a critical misconception.

High-capacity network channels merely dictate data volume limits. Delivering responsive, low-latency viewports depends entirely on physical distance and network jitter control. If a software modeler situated in the United States attempts to interact with an active development workspace hosted inside an overseas datacenter, they will face a devastating 100ms round-trip latency anomaly. This physical delay generates immense input lag, rendering precise 3D positioning tasks completely unviable. Studio deployments must physically match hardware hosting hubs to the immediate regional location of their remote workforce footprints.

Studio Infrastructure Technical Matrix

Metric / Feature	Legacy Desktop Sprawl	Proprietary Cloud / VDI	ServerMO Open SRE Architecture
Hardware Efficiency	Low (Idle overnight)	High (Shared compute)	Maximum (Custom dedicated density)
Licensing Overhead	None	High (Broadcom/VDI tax)	Zero (Proxmox VE / KubeVirt)
Viewport Performance	Local raw speed	Variable latency / Egress costs	Low latency (Regionally matched hubs)
Compute Protection	Inherent isolation	Software boundaries	Strict NUMA Node Core Pinning
Streaming Protocol	Direct Display output	Variable / Consumer tools	HP Anyware / Teradici PCoIP

Bespoke Enterprise ServerMO Bare Metal Infrastructure

ServerMO completely eliminates rigid template limitations and regional latency barriers by offering a fully custom, scalable bare-metal provisioning pipeline. We understand that your multi-user graphics factory demands massive core density and localized positioning to guarantee smooth viewport performance.

Our expert distributed systems engineering team works hand-in-hand with your studio architecture staff to analyze your specific workforce distribution, compilation load, and concurrent user maps to build your hardware layout from the ground up inside your preferred target datacenter region.

Studio Infrastructure FAQ

Why can I not run 48 concurrent developers on a single 96GB Blackwell GPU?
Dividing 96GB across 48 users leaves precisely 2GB of video memory per session. Modern game engines require an absolute minimum of 12 to 16 Gigabytes merely to launch a blank project without triggering fatal out-of-memory exceptions. A single Blackwell card realistically supports a maximum of 6 to 8 elite developers.

Why should studios avoid proprietary hypervisors like VMware for graphics virtualization?
Proprietary virtualization stacks impose severe annual licensing inflation and corporate subscription taxes per user session. Deploying open-source platforms like Proxmox VE KVM or Red Hat OpenShift KubeVirt delivers identical raw performance and robust hardware access while completely eliminating expensive corporate licensing overhead.

Why does a high-bandwidth port fail to solve remote viewport input lag?
Bandwidth merely dictates data volume capacity while interactive viewport streaming relies entirely on network round-trip latency and physical distance. Connecting to an overseas data center introduces physical ping delays and jitter that cause severe input latency during 3D modeling. You must deploy servers in a region immediately adjacent to your remote design workforce.

Why is a budget low-core processor dangerous for multi-user game development servers?
Budget processors lacking high core density will suffer massive compute starvation when multiple developers execute parallel shader compilation pipelines simultaneously. Without adequate physical cores, you cannot implement strict NUMA node pinning, causing a single heavy task to freeze the active viewports of every adjacent developer on the server.

🔗 Connect with ServerMO Engineers to Build Your Bespoke Hardware Setup: ServerMO GPU Dedicated Servers Fleet

How to Safely Run Claude Code on Ubuntu 24.04: The SRE Playbook

Jakson Tate — Thu, 21 May 2026 07:09:41 +0000

Claude Code is an extraordinary terminal agent, but a massive industry misconception assumes it operates entirely free from commercial fees or acts like a fixed-price monthly subscription.

In reality, the agent utilizes external APIs to process intelligence dynamically. Because it operates autonomously, it repeatedly reads your entire project repository, continuously consuming millions of tokens based on repository size.

Before migrating your workspace to a ServerMO Dedicated Server for its massive compilation speed, you must address the financial risk. A rogue agent analyzing an unoptimized directory can exhaust hundreds of dollars rapidly. You must log into your developer console and establish hard billing limits to prevent catastrophic cloud shock invoices.

Phase 1: True API Economics and DBus-Safe Host Persistency

To build a secure remote environment, we utilize Rootless Podman, entirely abandoning dangerous root-level daemons. However, Linux kernels terminate rootless background services the exact moment you disconnect your SSH session.

You must enable user linger to ensure your artificial intelligence agent remains active continuously. Finally, you must avoid the DBus session trap by initiating a pure SSH connection.

# Establish a strictly isolated developer environment
sudo adduser --gecos "" ai_developer

# Grant the user persistent execution rights preventing SSH disconnect crashes
sudo loginctl enable-linger ai_developer

# Install Podman for daemonless rootless container execution
sudo apt-get update && sudo apt-get install -y podman

# DO NOT switch users locally (e.g., su ai_developer). This destroys the DBus session variables.
# Log out of your current session completely.

# Reconnect directly as the developer to initialize the DBus session perfectly
ssh ai_developer@your_server_ip
mkdir -p ~/claude_podman && cd ~/claude_podman

Phase 2: The Omni Toolchain Containerfile

Executing background containers without standard terminal input causes the shell to exit instantly, generating a dead zombie container. We utilize an infinite sleep loop to maintain continuous execution.

Crucially, we are building a dedicated development box which acts as an omni-toolchain container. We must embed all Model Context Protocol (MCP) dependencies, like the Python uv package manager, directly into the build eliminating "command not found" crashes seamlessly.

Create your Containerfile:

FROM docker.io/ubuntu:24.04

# Install prerequisite tools and certificates securely
RUN apt-get update && apt-get install -y git curl sudo ca-certificates

# Establish NodeSource repository for modern environment compatibility
RUN curl -fsSL [https://deb.nodesource.com/setup_22.x](https://deb.nodesource.com/setup_22.x) | bash - && \
    apt-get install -y nodejs

# Create Developer User directly
RUN useradd -m -s /bin/bash aideveloper

# Switch to the synchronized account mapping user-scoped NPM paths
USER aideveloper
RUN mkdir -p /home/aideveloper/.npm_global
ENV NPM_CONFIG_PREFIX=/home/aideveloper/.npm_global
ENV PATH="/home/aideveloper/.npm_global/bin:${PATH}"

# Embed the Python uv package manager permanently preventing MCP server crashes
RUN curl -LsSf [https://astral.sh/uv/install.sh](https://astral.sh/uv/install.sh) | sh
ENV PATH="/home/aideveloper/.local/bin:${PATH}"

# Install the agent securely preventing legacy permission crashes
RUN npm install -g @anthropic-ai/claude-code

WORKDIR /workspace

# Maintain continuous execution preventing zombie container termination
CMD ["sleep", "infinity"]

Compile the image safely within your standard user permissions:

podman build -t claude-secure-agent ~/claude_podman/

Phase 3: Pristine Quadlet Systemd Integration

Enterprise SRE teams utilize Quadlet to define containers as native Linux services. This automates volume mapping effortlessly resolving all complex permission issues.

However, many legacy guides hallucinate volume mount security flags intended for SELinux environments. Ubuntu utilizes AppArmor, making those specific security anomalies completely irrelevant. Our configuration remains pristine and mathematically accurate for Ubuntu deployments.

# Create the required Quadlet configuration directory
mkdir -p ~/.config/containers/systemd/

# Pre-create host directories avoiding permission drift
mkdir -p ~/my_project ~/.anthropic ~/.config/claude-code

Define the native container service file (~/.config/containers/systemd/claude-agent.container):

[Container]
Image=localhost/claude-secure-agent:latest

# Pure volume mapping executed safely for AppArmor
Volume=%h/my_project:/workspace
Volume=%h/.anthropic:/home/aideveloper/.anthropic
Volume=%h/.config/claude-code:/home/aideveloper/.config/claude-code
Terminal=true

[Install]
WantedBy=default.target

Phase 4: Zero-Amnesia Headless Authorization

With the Quadlet file positioned, you simply instruct the system daemon to recognize your new service. We then initiate the container and execute the headless authentication sequence across your secure shell connection.

# Reload the system daemon to recognize the Quadlet configuration flawlessly
systemctl --user daemon-reload

# Start the artificial intelligence container gracefully in the background
systemctl --user start claude-agent

# Enter the isolated environment securely to authenticate the agent
podman exec -it claude-agent claude login

The command-line interface will output a unique OAuth authorization URL. Carefully copy this exact link and paste it into the web browser on your personal laptop. After you verify your credentials, the remote terminal will instantly detect the successful handshake. Your tokens write flawlessly to the persistent host directory, maintaining absolute zero-amnesia status permanently.

Phase 5: Deploying MCP Integration Servers

A terminal agent isolated from current documentation inevitably hallucinates deprecated functions, destroying developer productivity. Elite architectures leverage Model Context Protocol (MCP) servers to grant the agent live operational intelligence. Execute these commands directly inside your running container.

# Integrate Context7 for real-time official documentation retrieval
claude mcp add context7 --scope user -- npx -y @upstash/context7-mcp@latest

# Integrate Serena utilizing the permanently embedded uv package manager
claude mcp add serena -- uvx --from git+[https://github.com/oraios/serena](https://github.com/oraios/serena) \
  serena start-mcp-server --context ide-assistant --project $(pwd)

By connecting Context7, the agent pulls live framework specifications directly into its memory buffer. Integrating Serena elevates the agent from simple text parsing to structural semantic comprehension, allowing it to navigate class hierarchies with absolute precision.

You have eliminated legacy operational flaws completely. By anchoring your deployment on ServerMO Dedicated Servers, combining Rootless Podman isolation with pristine Quadlet systemd architecture, your organization commands an absolute DevSecOps masterpiece ensuring unmatched compilation performance and uncompromising safety.

AI Infrastructure FAQ

Why does systemctl return a "failed to connect to bus" error?
If you switch users using basic commands (su), the Linux environment fails to initialize the DBus session variables required for user-level systemd services. You must establish a fresh SSH connection as the target user to initialize the execution environment flawlessly.

Why does my background container die immediately after starting?
If your container command is set to a standard shell like bash, it will exit instantly because systemd runs it in the background without keyboard input. You must use the sleep infinity command in your Containerfile to keep the process alive perpetually.

Why remove the security flags from the Quadlet configuration?
Many legacy guides hallucinate volume mount flags intended for SELinux environments on Red Hat systems. Ubuntu utilizes AppArmor, making those specific security flags irrelevant. A pristine configuration avoids these unnecessary anomalies.

Will running Claude Code locally eliminate commercial API costs?
No. The agent operates autonomously, reading massive repositories and routing intelligence through the commercial Anthropic API. Unlike fixed-price assistants, this generates dynamic pay-as-you-go costs. You must establish strict billing limits in your developer console to prevent cloud shock invoices.

🔗 Deploy your Enterprise AI Infrastructure today at: ServerMO.com

Acronis vs JetBackup: The Brutal SRE Infrastructure Review

Jakson Tate — Thu, 21 May 2026 06:27:54 +0000

The cybersecurity ecosystem has evolved drastically. In 2026, malicious actors utilize advanced large language models to generate polymorphic ransomware code that evades traditional signature-based antivirus software entirely.

Once a bare-metal server is breached, these intelligent scripts silently encrypt critical databases and systematically target your local backup agents before operations teams even trigger an alert.

Many engineering teams mistakenly believe routing daily archives to external cloud storage guarantees safety. This is a fatal assumption. If your backup software stores cloud API keys locally, the ransomware will simply authenticate to your remote bucket and permanently delete your offsite archives.

Comparing the two leading backup solutions for ServerMO Dedicated Servers requires stripping away marketing illusions and confronting brutal engineering realities.

The Active Directory Credential Trap

Never join your dedicated backup server to your primary Active Directory domain.

If malicious actors compromise your primary domain controller, they will instantly wipe your backup repositories using standard inherited administrative privileges. You must deploy your backup infrastructure in a completely isolated network segment, enforcing strict Multi-Factor Authentication (MFA) globally.

JetBackup: The Web Hosting Heavyweight

JetBackup is the undisputed champion within the web hosting industry, engineered primarily for multi-tenant control panels like cPanel, DirectAdmin, and Plesk. It operates on a file-level architecture, executing incremental synchronization flawlessly.

The Engineering Strengths: The primary advantage is granular account restoration. If a single web hosting client accidentally deletes their WordPress database, they can log into their interface and restore it independently without root administrator intervention.
The Bare Metal Recovery Illusion: Many legacy tutorials claim JetBackup provides bare metal restores. This is an engineering illusion. True bare metal recovery means restoring a sector-by-sector image instantaneously. JetBackup requires system administrators to manually reinstall the Linux OS, reconfigure the control panel, and then synchronize files over the network—causing massive operational downtime.

Acronis Cyber Protect: The Enterprise Reality

Acronis Cyber Protect abandons traditional file synchronization and operates entirely on a block-level architecture. It captures identical sector-by-sector images of your entire bare metal storage drive, including the bootloader, kernel modules, and filesystem states.

The Bandwidth Physics of Bare Metal Restores

Marketing materials frequently promise "instant" bare metal recoveries. Site Reliability Engineers know this violates the laws of physics.

While Acronis allows you to boot a rescue ISO directly, recovering 4 Terabytes of disk image data from an offsite cloud repository over a standard Gigabit connection will take several hours. ServerMO minimizes this latency by providing unmetered 10-Gigabit ports, but you must calculate your true Recovery Time Objective (RTO) based on sheer bandwidth reality.

The Zero-Day Ransomware Illusion

Acronis integrates advanced AI heuristics directly into the kernel-level agent to terminate malicious encryption processes. However, active heuristics merely mitigate your risk profile. Strict immutable storage vaults remain the only mathematical guarantee that your archives will survive an unprecedented attack.

The 3-2-1-1-0 Enterprise Architecture

Modern SRE dictates abandoning outdated methodologies and adopting the strict 3-2-1-1-0 framework to guarantee data survival:

Three Copies: Maintain 1 primary production copy and 2 secondary backups.
Two Media Types: Store copies across different storage protocols to prevent singular hardware failures.
One Offsite Location: Keep at least one copy in a geographically distant ServerMO facility.
One Immutable Vault: Ensure one backup resides in an air-gapped or mathematically immutable cloud repository that cannot be altered or deleted.
Zero Errors: Utilize automated boot verification to ensure zero restoration errors exist during a live disaster scenario.

SRE Technical Comparison Matrix

Comparing these two solutions directly is effectively analyzing apples and oranges regarding budget and scope. Here are the brutal engineering facts:

Metric	JetBackup Architecture	Acronis Cyber Protect
Backup Methodology	File-level incremental sync	Block-level bare metal imaging
Disaster Recovery	Slow (Requires manual OS install)	ISO restore bounded by bandwidth
Multi-Tenant Restore	Excellent native cPanel integration	Complex (Requires root execution)
Ransomware Defense	None (Relies on external software)	Active kernel heuristic termination
Cloud Immutability	Vulnerable if API keys are stolen	Native immutable cloud locking
Licensing Economics	Flat-rate budget utility	Usage-based enterprise pricing

The ServerMO Engineering Verdict

The ultimate architectural decision depends entirely on your workload classification.

If you operate a shared web hosting business managing thousands of individual WordPress websites, JetBackup is your absolute best choice. It empowers clients to restore their own files while maintaining predictable operational costs.

If you are deploying mission-critical databases, AI inference nodes, or handling sensitive financial data, Acronis Cyber Protect is practically mandatory. The ability to stream a block-level recovery and utilize active threat mitigation ensures corporate survival during an inevitable breach.

Secure your digital assets before a catastrophic incident occurs. Many elite system administrators deploy a hybrid architecture—using Acronis for daily bare metal disaster recovery and JetBackup for granular client-level restorations.

🔗 Consult with our deployment engineers at ServerMO: https://www.servermo.com/blogs/acronis-vs-jetbackup-bare-metal/

Self-Hosting DeepSeek V4 on Bare Metal: Stop Paying the API Tax

Jakson Tate — Thu, 21 May 2026 06:01:57 +0000

The introduction of the 1-million-token context window changed how we build AI applications. We can now inject entire codebases and database schemas directly into a single prompt.

But there is a catch: feeding millions of tokens through commercial endpoints generates catastrophic monthly invoices. We call this the API Tax.

By shifting that exact workload to a ServerMO Bare Metal GPU Server, your operational costs become significantly cheaper at scale, and you guarantee strict data sovereignty. Here is the SRE architecture blueprint to deploy DeepSeek V4 (Mixture-of-Experts) securely in production.

1. Hardware Sizing and Exact VRAM Math

Many outdated guides suggest using legacy A100 GPUs. Don't do this. The A100 lacks the Hopper Transformer Engine required for native FP8 mathematical acceleration.

DeepSeek V4 requires precise VRAM calculations encompassing both the model weights and the vast KV Cache memory footprint.

Memory Arithmetic (DeepSeek V4 Flash)

Component	VRAM Requirement	Notes
FP8 Weights	158 GB	Base parameters
KV Cache	10 GB	1M tokens (Batch Size 1)
Total Required	168 GB	Minimum for a single user

A ServerMO cluster of 4x NVIDIA L40S (48GB) provides 192 GB of VRAM, leaving perfect headroom.

OOM Warning: If 10 concurrent users request a 1M token context simultaneously, your KV Cache requirement balloons to 100GB. High concurrency requires horizontal scaling.

2. Bypassing the Storage Bottleneck

Downloading 158GB models onto the local disk of every GPU node is an engineering flaw. Standard network file systems (NFS) will also choke.

You must implement a high-performance Parallel File System like WekaFS. It utilizes RDMA to bypass the CPU, loading massive AI weights directly into GPU memory instantaneously across the cluster.

# Mount the Weka Parallel File System on every GPU node
sudo mkdir -p /mnt/shared_ai_storage
sudo mount -t wekafs backend01.internal/ai_models /mnt/shared_ai_storage

# Download the model exactly once to the shared volume
pip3 install huggingface_hub
huggingface-cli download deepseek-ai/DeepSeek-V4-Flash \
  --local-dir /mnt/shared_ai_storage/deepseek_v4_flash \
  --resume-download

3. vLLM and MoE Disaggregation

vLLM is the industry standard for production inference. Because DeepSeek relies on a sparse MoE architecture, you must activate both Tensor Parallelism and Expert Parallelism.

# Launch the inference server reading directly from shared storage
python3 -m vllm.entrypoints.openai.api_server \
  --model /mnt/shared_ai_storage/deepseek_v4_flash \
  --tensor-parallel-size 4 \
  --enable-expert-parallel \
  --dtype fp8 \
  --max-model-len 32768 \
  --gpu-memory-utilization 0.90 \
  --port 8080

When scaling further, you need vLLM prefill-decode disaggregation. ServerMO prevents ethernet bottlenecks here by providing 400G InfiniBand and RoCEv2 RDMA networking.

4. Kong API Gateway & Zero-Trust Security

Exposing the raw vLLM process directly to the internet is a massive security vulnerability. Deploy Kong API Gateway to enforce strict TLS and JWT validation.

# Deploy Kong Gateway enforcing strict TLS
sudo docker run -d --name kong_gateway \
  --network host \
  -e "KONG_DATABASE=off" \
  -e "KONG_DECLARATIVE_CONFIG=/kong/kong.yml" \
  -e "KONG_PROXY_LISTEN=0.0.0.0:443 ssl" \
  -e "KONG_SSL_CERT=/certs/fullchain.pem" \
  -e "KONG_SSL_CERT_KEY=/certs/privkey.pem" \
  -v /etc/kong/kong.yml:/kong/kong.yml \
  -v /etc/letsencrypt/live/[api.yourdomain.com/:/certs/](https://api.yourdomain.com/:/certs/) \
  kong:latest

The Drop-In Replacement

vLLM perfectly mimics the OpenAI spec. Migrating your app requires zero code rewrites—just swap the base URL.

from openai import OpenAI

client = OpenAI(
    base_url="[https://api.yourdomain.com/v1](https://api.yourdomain.com/v1)",
    api_key="YOUR_SECURE_JWT_TOKEN" 
)

response = client.chat.completions.create(
    model="deepseek_v4_flash",
    messages=[{"role": "user", "content": "Analyze our secure architecture."}]
)

Reclaim Your Infrastructure

Stop hosting intensive AI workloads on volatile cloud spot instances that destroy your SLA guarantees. Deploy directly on dedicated bare metal to secure unshared access to elite computational silicon.

🔗 Read the full SRE deployment playbook here: ServerMO - Self-Host DeepSeek V4 on Bare Metal GPUs

Migrating Redis to Valkey on Ubuntu 24.04: A FAANG-Level SRE Runbook

Jakson Tate — Fri, 08 May 2026 11:14:49 +0000

By ServerMO Engineering

With recent licensing changes, Site Reliability Engineers are rapidly migrating enterprise caching workloads from Redis to Valkey. While Valkey maintains high parity with the Redis OSS 7.2 core, assuming absolute compatibility without an audit is a catastrophic operational failure.

If your legacy instance relies on proprietary modules (such as RedisJSON or RedisBloom), Valkey will fail to ingest the data entirely.

Executing this migration on ServerMO Bare Metal NVMe infrastructure ensures your caching layer receives maximum memory bandwidth, completely bypassing the "noisy neighbor" latency common in public cloud VMs.

Here is the professional SRE blueprint.

Phase 1: Pre-Migration Backup & Module Audit

Before establishing any replication pipelines, you must secure the current state of your cache. Replication can fail catastrophically under heavy write loads due to backlog overflows.

Freeze AOF: Temporarily halt Append-Only File rewrites.
Manual RDB Snapshot: Trigger a manual snapshot and explicitly verify the file checksum.
Module Audit: Confirm no proprietary Redis modules are altering your RDB persistence structures.

Phase 2: Environment Prep & Safe Binding

Target servers running Ubuntu 24.04 LTS include Valkey natively within the primary repositories.

sudo apt update -y && sudo apt upgrade -y
sudo apt install -y valkey valkey-tools

Safe Binding

Binding exclusively to a single internal IP breaks local health checks and container probes. You must bind to both the loopback interface and your designated private subnet.

# /etc/valkey/valkey.conf
bind 127.0.0.1 10.0.0.8

Phase 3: Deep TLS Enforcement

Basic port configurations are insufficient for enterprise compliance. In-transit payloads must be cryptographically secured using rigorous TLS parameters at the application layer.

# Disable plaintext completely
port 0
tls-port 6380

# Enforce strict encryption protocols
tls-cert-file /etc/ssl/valkey/server.crt
tls-key-file /etc/ssl/valkey/server.key
tls-ca-cert-file /etc/ssl/valkey/ca.crt

tls-auth-clients yes
tls-protocols "TLSv1.2 TLSv1.3"
tls-prefer-server-ciphers yes
tls-replication yes

Phase 4: Active Replication & Failure Handling

Initiate Valkey as a replica of the legacy Redis primary utilizing explicit TLS flags.

valkey-cli -h 127.0.0.1 -p 6380 --tls

127.0.0.1:6380> REPLICAOF 10.0.0.5 6380

Critical SRE Warning

Do not rely solely on byte offset matching. You must verify that the master_last_io_seconds_ago metric remains minimal and confirm repl_backlog_active is stable before declaring synchronization successful.

Phase 5: Observability & Memory Tuning

Deploy the Prometheus Valkey exporter to stream metrics into Grafana. Monitoring p99 tail latency in real-time allows you to detect silent failures before they cascade.

Tuning Caution

While enabling active defragmentation cleans fragmented memory sectors, it forces the CPU to relocate keys dynamically. This process blocks the single-threaded execution loop, causing devastating tail latency spikes during heavy AOF rewrite scenarios.

maxmemory 5gb
maxmemory-policy volatile-lru

# Proceed with extreme caution on low-core environments
activedefrag no

Phase 6: The HAProxy Cutover Pattern

Modifying application configurations directly generates severe cache-miss spikes. Use reverse proxies like HAProxy or Envoy to shift traffic seamlessly at the network edge.

Write Quiesce

Execute a brief application write freeze to empty pending pipeline buffers completely.

Promote Valkey

Enter the CLI and execute the following command to sever replication safely:

REPLICAOF NO ONE

Shift Traffic

Update your HAProxy backend weights to route incoming requests exclusively to the new Valkey TLS endpoint.

Always maintain the legacy Redis instance concurrently for at least 24 hours as an emergency rollback path.

✅ Conclusion

By orchestrating this rigorous SRE protocol on ServerMO Unmetered Bare Metal, you ensure your caching layers operate with absolute resilience—completely isolated from proprietary licensing traps and cloud network jitter.

How to Install CyberPanel on Ubuntu 24.04 LTS: A Senior Architecture Guide

Jakson Tate — Fri, 08 May 2026 10:24:17 +0000

Many tutorials market CyberPanel as a magical, effortless replacement for cPanel that can run millions of requests on a tiny virtual server. We must establish engineering reality. CyberPanel is an outstanding platform for developers and digital agencies, but if you do not tune your database operations manually, heavy applications will crash under load.

Deploying on ServerMO NVMe Bare Metal grants you massive CPU performance and eliminates public cloud egress fees. However, you must implement robust OS hardening and offsite backups.

Here is the professional blueprint.

Phase 1: DNS Propagation & Infrastructure Reality

Do not skip this step. Log into your domain registrar and point your chosen hostname A record directly to your new server IP address. If you attempt to install the panel before global DNS propagation completes, the Let's Encrypt verification challenge will fail permanently.

Operating System: A fresh installation of Ubuntu 24.04 LTS.
Hardware Reality: Ignore guides claiming 1GB RAM is sufficient. For a stable stack running OpenLiteSpeed, MySQL, and PHP-FPM, you need an absolute minimum of 4GB RAM (8GB highly recommended).

Phase 2: System Preparation

Log into your server via SSH as the root user. Ensure your OS packages are entirely updated to prevent missing dependency errors during compilation.

apt update -y && apt upgrade -y
apt install -y curl wget lsb-release ufw fail2ban nano

Set your Fully Qualified Domain Name matching the exact domain you configured in your DNS registrar.

hostnamectl set-hostname panel.yourdomain.com

Phase 3: Executing the Installation Script

Running shell scripts blindly is a terrible security practice. Download the script first, inspect it, and then execute.

wget -O install.sh https://cyberpanel.net/install.sh
chmod +x install.sh
sh install.sh

Interactive Menu Choices for Max Stability:

Web Server: Select 1 for OpenLiteSpeed (extreme WordPress caching without enterprise costs).
Remote MySQL: Type N to install a local database instance.
PHP Extensions: Type Y to install Memcached and Redis.
Watchdog: Type Y to enable automated service recovery.

Phase 4: Strict Firewall and OS Hardening

A firewall alone is not enough. We will configure a strict UFW policy and then harden the SSH service.

# Standard HTTP/HTTPS
ufw allow 80/tcp
ufw allow 443/tcp

# CyberPanel Admin Interface
ufw allow 8090/tcp

# Enable Firewall
ufw enable
ufw reload

Enforcing SSH Key Authentication
Passwords can be guessed. Cryptographic keys cannot.

Critical Warning: Open a secondary terminal window and verify your SSH key login works before restarting the SSH service. Otherwise, you will lock yourself out!

nano /etc/ssh/sshd_config

Modify the following lines:

PermitRootLogin prohibit-password
PasswordAuthentication no

Restart SSH:

systemctl restart sshd

Phase 5: Secure Dashboard Access & 2FA

Navigate to https://YOUR_SERVER_IP:8090. Bypass the self-signed certificate warning (normal for the initial setup).

Immediately go to the Users section and enable Two-Factor Authentication (2FA). This prevents unauthorized panel access even if your password is compromised.

Phase 6: The Database Bottleneck Tuning

The control panel interface does not dictate how fast your website loads; the database engine does. Leaving MySQL on default configurations limits memory usage and causes severe disk I/O spikes.

Allocate roughly 60% of your available system RAM to the innodb_buffer_pool_size.

nano /etc/mysql/mariadb.conf.d/50-server.cnf

Example for an 8GB RAM ServerMO Bare Metal node:

innodb_buffer_pool_size = 4G
innodb_log_file_size = 1G

Restart MariaDB:

systemctl restart mariadb

Phase 7: Disaster Recovery

A server without offsite backups is a ticking time bomb.

Navigate to the Backups section in CyberPanel, select Remote Backups, and input your Amazon S3 or compatible API credentials. Schedule daily automated database dumps and weekly full-site archives.

Conclusion

You have successfully engineered a hardened, highly optimized web hosting architecture. To extract the absolute highest possible performance, deploy your applications natively on the ServerMO Unmetered Bare Metal Inventory.

10 Best UK Dedicated Server Providers in 2026: A Technical Deep Dive

Jakson Tate — Fri, 08 May 2026 09:45:01 +0000

In 2026, deploying infrastructure in the United Kingdom requires more than just picking a brand name. With strict UK GDPR laws demanding absolute data sovereignty and hyper-competitive markets requiring sub-15ms latency, choosing a local bare metal node is a technical necessity.

Whether you are targeting the London financial hubs or scaling a regional UK enterprise, here is the definitive deep dive into the top providers of 2026.

Executive Comparison: UK Bare Metal Leaders

ServerMO

UK Edge Hubs: 10+ Locations (Regional Supremacy)
Unmetered Bandwidth: Up to 100Gbps Available
Support Type: Both Managed and Unmanaged Options
Verdict: Most affordable enterprise tier with the best localized performance.

OVHcloud

UK Edge Hubs: London Only
Unmetered Bandwidth: Strict Limitations / Metered
Support Type: Unmanaged by Default
Verdict: Robust DDoS protection but lacks regional UK presence and hands-on support.

Hetzner

UK Edge Hubs: None (Physically Germany-based)
Unmetered Bandwidth: No
Support Type: Unmanaged
Verdict: Budget-focused for non-UK traffic, but fails UK GDPR and latency requirements for local users.

AWS (London)

UK Edge Hubs: London Availability Zones Only
Unmetered Bandwidth: No (Heavy Egress Fees)
Support Type: Paid Enterprise Support
Verdict: Premium pricing with astronomical bandwidth costs for high-traffic applications.

1. ServerMO (The Undisputed UK Champion)

Best For: Enterprise databases, high-frequency gaming servers, and intensive AI rendering workloads.

ServerMO secures the top spot by fundamentally changing how bare metal is delivered in the UK. While legacy providers crowd into a single London facility, ServerMO operates across 10+ distinct edge locations, including Edinburgh, Manchester, Glasgow, Birmingham, Slough, and Portsmouth.

Regional Edge Supremacy
Geographic proximity is the only true way to defeat network latency. By collocating servers across diverse regional hubs, ServerMO guarantees end-users experience local sub-15ms latency.

The Hardware Fleet
For developers, hardware flexibility is non-negotiable. ServerMO provides direct access to:

AI Accelerators: NVIDIA L4 24GB Tensor Cores, RTX A4000, and NVIDIA A100.
Network Backbone: Transit via premium carriers including NTT, Orange, BT, and Cogent.
Network Power: Unmetered 10Gbps to 100Gbps lines with Zero hidden egress fees.

2. OVHcloud

Best For: Massive scale unmanaged deployments.
OVH is respected for its proprietary VAC DDoS mitigation.

The Engineering Drawback: It is "Unmanaged" by design. If you hit a hardware fault or a complex routing issue, getting rapid human assistance requires an expensive premium support contract.

3. Hetzner

Best For: Hobbyists and non-production testing.

The Engineering Drawback: No UK Data Centers. Hosting with Hetzner means your data resides in Germany or Finland. This is a dealbreaker for businesses requiring strict UK GDPR compliance and local latency.

4. AWS (London Region)
Best For: Highly integrated cloud-native logic.

The Engineering Drawback: The Egress Trap. AWS charges astronomical fees for outbound data. For bandwidth-intensive applications like video streaming or high-traffic e-commerce, the monthly bandwidth bills can eclipse the cost of the computing hardware itself.

5. Liquid Web
Best For: Organizations needing fully managed "white-glove" assistance.

The Engineering Drawback: High premium pricing. You are paying for the support staff rather than securing cutting-edge hardware (often running older Xeon generations).

The Final Verdict: The Technical "Sweet Spot"

If you have an infinite budget and rely on cloud orchestration, AWS is powerful. If you are on a shoestring budget and don't care about data location, Hetzner is fine.

However, for production-grade enterprise infrastructure that demands localized UK performance and 100Gbps unmetered bandwidth, ServerMO is the undisputed engineering champion.

Install and Optimize ClickHouse on Ubuntu 26.04 Bare Metal

Jakson Tate — Fri, 01 May 2026 06:44:34 +0000

Achieve extreme analytics at scale. Master the 2026 production setup covering Tiered Storage, NVMe routing, Async Inserts, and Vector Search.

Executive Summary: The 2026 Analytical Standard

ClickHouse is an open-source columnar database management system that processes billions of rows in milliseconds. However, almost every tutorial on the internet uses outdated Ubuntu 20.04 or 22.04 commands that completely fail on modern systems. Furthermore, they treat ClickHouse like a basic application, ignoring its true potential on dedicated hardware.

In this advanced 2026 guide, we will install ClickHouse on the latest Ubuntu 26.04 (Resolute Raccoon). These modern security commands will also work perfectly on Ubuntu 24.04 and 22.04. We will then dive deep into ServerMO Bare Metal optimizations, replacing theoretical cloud setups with raw hardware configurations like Tiered Storage and ClickHouse Keeper.

Data Cluster Blueprint

Phase 1: Modern Repository Installation
Phase 2: Bare Metal Tiered Storage (NVMe and HDD)
Phase 3: Network Security Binding
Phase 4: Fixing the "Too Many Parts" Error
Phase 5: AI Vector Search Realities
Phase 6: Replacing ZooKeeper
Phase 7: Memory Limits and OOM Prevention

Phase 1: Modern Repository Setup

Old tutorials instruct you to use the apt-key command and Yandex repositories. That approach is a massive security failure and will throw immediate errors on Ubuntu 26.04. You must use the modern keyring method to securely fetch the official packages.

# Install core dependencies for secure repository management
sudo apt update
sudo apt install -y apt-transport-https ca-certificates curl gnupg

# Securely download the official GPG key into the correct keyring directory
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL 'https://packages.clickhouse.com/rpm/lts/repodata/repomd.xml.key' | sudo gpg --dearmor -o /etc/apt/keyrings/clickhouse.gpg

# Add the official repository enforcing the "signed-by" security check
echo "deb [signed-by=/etc/apt/keyrings/clickhouse.gpg arch=$(dpkg --print-architecture)] https://packages.clickhouse.com/deb stable main" | sudo tee /etc/apt/sources.list.d/clickhouse.list > /dev/null

# Update the package index and install the server and client
sudo apt update
sudo apt install -y clickhouse-server clickhouse-client

During the installation, you will be prompted to create a password for the default user. Ensure you store this securely. Once complete, start the service to verify the installation.

sudo systemctl enable clickhouse-server
sudo systemctl start clickhouse-server
clickhouse-client --password

Phase 2: Production Tiered Storage

This is where Bare Metal completely destroys public cloud pricing. If you rent cloud storage, you pay a flat, massive premium for fast disks. On a ServerMO dedicated server, you can architect a hybrid setup mixing ultra-fast NVMe drives with massive 18TB Enterprise HDDs.

We will configure a production-grade storage policy. It keeps the default system files on the boot drive, routes active analytical queries to the NVMe disk, and automatically moves merged data parts larger than 10GB to the cold HDD archive.

<clickhouse>
    <storage_configuration>
        <disks>
            <default>
                <path>/var/lib/clickhouse/</path>
            </default>
            <nvme_disk>
                <path>/mnt/nvme/clickhouse/</path>
            </nvme_disk>
            <hdd_disk>
                <path>/mnt/hdd/clickhouse/</path>
            </hdd_disk>
        </disks>
        <policies>
            <tiered_policy>
                <volumes>
                    <hot_volume>
                        <disk>nvme_disk</disk>
                        <max_data_part_size_bytes>10737418240</max_data_part_size_bytes>
                    </hot_volume>
                    <cold_volume>
                        <disk>hdd_disk</disk>
                    </cold_volume>
                </volumes>
                <move_factor>0.2</move_factor>
            </tiered_policy>
        </policies>
    </storage_configuration>
</clickhouse>

Phase 3: Network Security Binding

By default, ClickHouse listens on localhost, securing it from the outside world. However, many administrators modify the config.xml to listen on ::, which broadly exposes ports 8123 and 9000 to the entire public internet. This invites severe automated brute-force attacks.

If you are running a multi-node cluster or remote applications, you must bind the listener strictly to your internal VPC IP address and use the UFW firewall to whitelist specific communication nodes. Never leave the database ports completely open.

Phase 4: Fixing the "Too Many Parts" Error

The most common mistake new data engineers make is sending millions of individual insert statements per second. ClickHouse creates a physical file part on the disk for every insert. Doing this creates thousands of tiny files, crashing the background merge process, resulting in the dreaded "Too many parts" error.

The enterprise solution is to enable Async Inserts. This tells ClickHouse to hold all small incoming queries in RAM, buffer them together, and flush them to the disk as one large, highly compressed chunk.

<profiles>
    <default>
        <async_insert>1</async_insert>
        <wait_for_async_insert>1</wait_for_async_insert>
    </default>
</profiles>

Phase 5: AI Vector Search Realities

As we move deeper into 2026, the line between traditional data analytics and Artificial Intelligence is vanishing. ClickHouse now supports Vector Search via HNSW indexes, allowing you to store AI embeddings alongside relational data.

The Hardware Truth:
Beware of marketing myths suggesting you need GPU servers for ClickHouse. ClickHouse is fundamentally optimized for CPU processing. For vector search, it relies heavily on SIMD and AVX-512 instructions. To get maximum vector search performance, you should deploy your cluster on High-Frequency Bare Metal CPUs like Intel Xeon Scalable or AMD EPYC processors. GPUs should only be used externally for generating the embeddings.

-- Example 2026 Vector Index Table Creation
CREATE TABLE ai_documents(
    id UInt64,
    content String,
    embedding Array(Float32),
    INDEX vec_idx embedding TYPE vector_similarity('cosineDistance', 'f32')
) ENGINE = MergeTree
ORDER BY id;

Phase 6: Replacing ZooKeeper

For years, running a distributed cluster required installing Apache ZooKeeper. ZooKeeper is a heavy Java application that consumes enormous amounts of RAM and requires constant garbage collection tuning.

The modern approach is to install ClickHouse Keeper. It is a drop-in replacement written purely in C++, offering vastly superior performance and stability. When deploying a large-scale architecture across multiple bare metal nodes, you can install it seamlessly using the official package.

# Install the standalone native keeper on your dedicated management nodes
sudo apt install -y clickhouse-keeper
sudo systemctl enable clickhouse-keeper

Phase 7: Memory Limits and OOM Prevention

ClickHouse is brutally aggressive. By default, a single heavy analytical query will attempt to consume 100 percent of your physical RAM. On a shared node, this will trigger the Linux Out-of-Memory (OOM) Killer, resulting in a complete database crash.

To ensure production stability, you must enforce strict memory quotas in your users.xml configuration file.

<profiles>
    <default>
        <max_memory_usage>17179869184</max_memory_usage>

        <max_server_memory_usage_to_ram_ratio>0.9</max_server_memory_usage_to_ram_ratio>
    </default>
</profiles>

ClickHouse Production Setup FAQ

Why do older installation guides fail on Ubuntu 26.04?
Most older guides use the apt-key command to add the repository. This method is completely deprecated and disabled for security reasons in modern Ubuntu distributions. You must use the new gpg --dearmor and keyring directory method to install software securely.

Why am I getting the "Too many parts" error in ClickHouse?
ClickHouse is designed for massive bulk inserts. If your application sends thousands of tiny individual insert queries every second, it creates too many small data parts on the disk, crashing the merge process. You must enable async inserts in your configuration to batch these queries automatically in memory.

Do I still need ZooKeeper for a ClickHouse cluster?
No. In 2026, the industry standard is to use ClickHouse Keeper. It is a native C++ replacement that consumes significantly less RAM and CPU compared to the old Java-based ZooKeeper, ensuring a much faster and stable high-availability cluster.

Why is ClickHouse on Bare Metal better than AWS Redshift?
Public cloud platforms charge you massive fees based on the amount of data scanned per query and network egress. With a ServerMO bare metal server, you pay a flat, predictable rate while utilizing unthrottled NVMe drives to execute complex analytical queries significantly faster and cheaper.

Do I need a GPU server for ClickHouse Vector Search?
No. While Vector Databases often evoke GPU requirements, ClickHouse is heavily CPU-bound. Its vector search capabilities rely on AVX-512 and SIMD instructions. You should invest in ServerMO Bare Metal instances with high-frequency CPUs rather than expensive GPU nodes for the database tier.

Build a Production-Grade Live Streaming Origin Server

Jakson Tate — Fri, 01 May 2026 05:42:08 +0000

Escape the myths. Deploy a brutally honest self-hosted streaming engine using strict security and optimized GPU transcoding.

When it comes to video infrastructure, there is a massive engineering exaggeration often found in generic tutorials: the claim that you can build a global Twitch clone on a single server.

In reality, a single node, no matter how powerful, will bottleneck on network interface limits long before reaching ten thousand concurrent viewers. What you are actually building is a High-Performance Origin Server.

By deploying on ServerMO Dedicated Bare Metal Servers, you secure unmetered uplink ports, avoiding public cloud egress fees entirely. Your bare metal node handles the heavy ingest and encoding, while you offload the final viewer delivery to an edge caching layer (CDN) like Cloudflare.

Server Build Blueprint

Phase 1: The Cloud Tax and Scaling Reality
Phase 2: Compiling Nginx from Source
Phase 3: The Truth About GPU Limits
Phase 4: Optimized Filter Complex Transcoding
Phase 5: Smart Security and Strict CORS
Phase 6: The Low Latency HLS Reality

Phase 1: The Cloud Tax and Scaling Reality

In the public cloud, streaming is a financial nightmare. Every gigabyte sent to a viewer carries an "egress tax." For high-traffic streams, these costs scale exponentially.

Building on Bare Metal allows you to leverage raw hardware power without virtualization overhead. The goal is to maximize the throughput between the ingest point and the transcoding engine.

Phase 2: Compiling Nginx from Source

Do not trust default apt packages. While Ubuntu provides Nginx natively, it does not include the RTMP core by default. For production stability, you must compile Nginx manually from source to include the required modules.

sudo apt update
sudo apt install -y build-essential libpcre3-dev libssl-dev zlib1g-dev git ffmpeg

# Download source
wget http://nginx.org/download/nginx-1.25.3.tar.gz
git clone https://github.com/arut/nginx-rtmp-module.git
tar -xzf nginx-1.25.3.tar.gz
cd nginx-1.25.3

# Compile with secure modules
./configure \
  --with-http_ssl_module \
  --with-http_v2_module \
  --add-module=../nginx-rtmp-module

make -j$(nproc)
sudo make install

Phase 3: The Truth About GPU Limits

Consumer series cards like the RTX 4090 have a driver-enforced limit, typically allowing only around 8 concurrent NVENC sessions.

The Open Source Patch vs. Enterprise Hardware:
While community scripts exist to bypass this lock, running driver hacks in production is a massive risk. For stable, high-density workloads, you must provision Enterprise GPUs like the NVIDIA L4 or A100, which possess massive concurrency capabilities officially.

Phase 4: Optimized Filter Complex Transcoding

Common tutorials chain multiple video filters inefficiently. The professional approach utilizes the filter_complex directive. This splits the stream directly within the GPU memory, preventing expensive data copying between the CPU and GPU.

rtmp {
    server {
        listen 1935;
        chunk_size 4096;

        application live {
            live on;
            record off;

            # Optimized NVENC pipeline
            exec_push ffmpeg -hwaccel cuda -hwaccel_output_format cuda \
            -i rtmp://localhost/live/$name \
            -filter_complex "[0:v]split=3[v1][v2][v3]; \
            [v1]scale_cuda=1920:1080[v1out]; \
            [v2]scale_cuda=1280:720[v2out]; \
            [v3]scale_cuda=854:480[v3out]" \
            -map "[v1out]" -c:v:0 h264_nvenc -b:v:0 5M -preset p5 \
            -map "[v2out]" -c:v:1 h264_nvenc -b:v:1 3M -preset p5 \
            -map "[v3out]" -c:v:2 h264_nvenc -b:v:2 1M -preset p5 \
            -f flv rtmp://localhost/hls/$name;
        }
    }
}

Phase 5: Smart Security and Strict CORS

The Wildcard CORS Flaw:
Never use Access-Control-Allow-Origin: *. This allows any website to embed your player and steal your bandwidth. Always specify your exact approved domains.

server {
    listen 80;
    server_name origin.yourdomain.com;

    location /hls {
        root /var/www/html;
        add_header Cache-Control no-cache;

        # CORRECT SECURITY: Hardcode approved domains
        add_header Access-Control-Allow-Origin "https://www.yourdomain.com";
    }
}

Phase 6: The Low Latency HLS Reality

Tuning fragments to one second brings delay down to 4-8 seconds (LL-HLS). However, if your platform requires sub-second interaction (e.g., gambling/auctions), you must graduate to WebRTC.

Pro Tip: Use a RAM Disk
Writing live chunks directly to SSDs will kill them. Use tmpfs to store active segments in RAM for speed and zero hardware wear.

sudo mount -t tmpfs -o size=2G tmpfs /var/www/html/hls

Streaming Engineering FAQ

Can one server handle 10,000 viewers?
No. A single node cannot handle ten thousand viewers reliably. Use your bare metal server as the Origin and a CDN like Cloudflare for the Edge delivery.

Why is a wildcard CORS header dangerous?
It allows unauthorized "hotlinking," leading to massive bandwidth theft. You must explicitly define only your approved website domains.

Does Nginx-RTMP provide true real-time streaming?
No. Even when tuned for low latency, HLS has a 4-8 second delay. True real-time requires WebRTC.