A newly disclosed Linux kernel zero-day, CVE-2026-31431, “Copy.Fail”, is one of the most serious privilege-escalation vulnerabilities in recent years.

Discovered by Theori and publicly disclosed on April 29, 2026, Copy.Fail is a Linux kernel zero-day that roots every distribution since 2017. Unlike many local privilege-escalation flaws that depend on race conditions, kernel address leaks, or distribution-specific behavior, Copy.Fail is alarmingly reliable: it works consistently across mainstream Linux distributions with only a standard user account.

Why the CVE-2026-31431 is dangerous?

Copy.Fail abuses a logic flaw in the Linux kernel’s algif_aead crypto module, introduced through a 2017 optimization. By manipulating the kernel’s AF_ALG crypto interface, an attacker can write controlled data into the Linux page cache (the in-memory representation of trusted system binaries).

This allows attackers to temporarily hijack binaries like /usr/bin/su without modifying the file on disk.

In practical terms:

• A normal user can become root
• A compromised container can escape to the host
• A malicious CI job can root its runner
• Shared infrastructure becomes vulnerable across tenants
• Disk forensics may show no file tampering because only RAM is altered

This makes Copy.Fail especially dangerous for:

• Kubernetes clusters
• CI/CD systems
• Shared development environments
• Cloud notebook platforms
• Multi-tenant container infrastructure

How to patch it easily in your MKS clusters?

OVHcloud is preparing patched MKS versions including the upstream kernel fix. Patched versions are expected to be available 30 April 2026, at 16:00 UTC+2.

While waiting for the next MKS release, here is a DaemonSet manifest that you can apply in your MKS clusters in order to mitigate the vulnerability.

Create a patch-copy-fail-cve file with the following content:

apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: patch-copy-fail-cve
  labels:
    app: patch-copy-fail-cve
  namespace: default
spec:
  selector:
    matchLabels:
      app: patch-copy-fail-cve
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 100%
  template:
    metadata:
      labels:
        app: patch-copy-fail-cve
    spec:
      hostPID: true
      priorityClassName: system-node-critical
      volumes:
        - name: root-mount
          hostPath:
            path: /
            type: Directory
      initContainers:
        - image: mks.kubernatine.ovh/docker.io/library/busybox:1.36.1
          name: patch-copy-fail-cve
          command: ["/bin/bash", "-c"]
          args:
            - |
              tee /etc/modprobe.d/disable-algif-aead.conf <<<'install algif_aead /bin/false'
              rmmod algif_aead 2>/dev/null
              update-initramfs -u
          securityContext:
            privileged: true
            runAsUser: 0
          volumeMounts:
            - name: root-mount
              mountPath: /
      containers:
        - image: "mks.kubernatine.ovh/registry.k8s.io/pause:3.10.1"
          name: pause     

Apply it:

kubectl apply -f patch-copy-fail-cve.yaml

⚠️ This mitigation has been tested on OVHcloud internal test clusters. Applying it to your own service remains under your responsibility.

If the vulnerability has already been exploited on your cluster, this mitigation will not remediate any pre-existing compromise.
The recommended remediation remains the official security release, which will be made available as soon as possible.

Read more about the mitigation: https://github.com/rootsecdev/cve_2026_31431#mitigation

Every month, the OVHcloud Developer Advocate team creates content, shares knowledge, and connects with the tech community. Here’s a look at what we did in April 2026. 🚀

🎙️ “Tranches de Tech” – Our monthly podcast

A new episode of our French-language podcast Tranches de Tech 🥑 just dropped!

🎧 Episode 27: Tranches de Tech 26 – Poppy au service des autres

This episode of Tranches de Tech features Annabelle Koster, who shares her journey from tech recruiter to community ambassador, highlighting how she overcame impostor syndrome by actively learning and engaging with developers. She emphasizes the importance of community, conferences, and volunteering in building meaningful connections and personal growth. The discussion also explores the evolving role of AI as a productivity tool in her daily work. Ultimately, the episode underlines that, despite technological advances, human interaction, sharing, and mutual support remain at the heart of the tech ecosystem.

📺 Live on Twitch

We streamed live on Twitch this month! Here’s what we covered:
🎥 Rémy Vandepoel discussed with Antonin Anchisi and Aurélie Vache about our Manages Kubernetes Service (MKS) and some feedbacks about the KubeCon Europe 2026.
Catch the replay on YouTube ▶️.

🎤 Conference Talks

The team hit the road (and the stage) at several conferences this month:

🇫🇷 MiXiT – Lyon, France 🇫🇷

Aurélie Vache gave a talk: Comprendre Kubernetes de manière visuelle

Stéphane Philippart gave a workshop: Développer avec l’IA : et si c’était aussi simple qu’ajouter une librairie ?

🇫🇷 Devoxx France – Paris, France 🇫🇷

Aurélie Vache gave a talk: Question pour un cluster Kubernetes : Quiz sur Kubernetes & ses concepts

Stéphane Philippart gave a talk and a workshop (with Mathieu Busquet):
– 🤖 Apprendre à notre IA à … apprendre 🧠
– Développer avec l’IA : et si c’était aussi simple qu’ajouter une librairie ?

📝 Our latest blog posts

Here are the articles our team published on the OVHcloud Blog this month.

📝 Extract Text from Images with OCR using Python and OVHcloud AI Endpoints — by Stéphane Philippart

This blog post explains how to perform OCR (Optical Character Recognition) using a vision-capable language model via AI Endpoints and Python. It shows that, instead of traditional OCR tools, developers can send images directly to a multimodal model using the OpenAI-compatible API to extract text while preserving layout. The tutorial walks through a simple Python script, including environment setup, image encoding in base64, and API calls. Overall, it highlights how modern vision LLMs simplify OCR workflows, making text extraction more flexible and easier to implement.

📝 Discover the External Secret Operator (ESO) OVHcloud Provider to manage your Kubernetes secrets 🎉 – by Aurélie Vache

This blog post introduces a new provider for the External Secrets Operator (ESO) that integrates directly with OVHcloud Secret Manager, simplifying how secrets are handled in Kubernetes. It explains how ESO works by synchronizing secrets from external systems into Kubernetes and automatically updating them when changes occur. The tutorial walks through the full setup, including creating a secret in OVHcloud, configuring authentication, and deploying resources like ClusterSecretStore and ExternalSecret. Overall, the article highlights how this new provider streamlines secret management and improves integration between OVHcloud services and Kubernetes environments.

📝 KubeCon + CloudNativeCon Europe 2026 in Amsterdam: feedback and highlights by Aurélie Vache and Rémy Vandepoel

The post highlights KubeCon + CloudNativeCon Europe 2026 as strongly shaped by the rise of AI, pushing cloud-native toward an “AI-native” paradigm. OVHcloud emphasizes sovereign cloud principles, focusing on openness, reversibility, and performance. The event featured rich technical discussions, demos, and exchanges around Kubernetes and demanding workloads. It also underscored the importance of open-source collaboration within the CNCF ecosystem. Finally, OVHcloud’s booth and activities aimed to make these topics more accessible and tangible.

🗓️ Coming up next

Here’s a sneak peek at what’s coming next.

🗓️ – May, 6 & 7 – Devoxx UK, in London

🎤 Stéphane Philippart is giving one talk (Wednesday the 6th at 6PM): 🧰 Dev Containers: the ultimate toolbox for developers?

🗓️ – May, 13 – 1h PM CET – Very Tech Talk Twitch about Human Resources

📺 OVHcloud Twitch channel

🗓️ – May, 19 & 20 – Kubernetes Community Days in Helsinki

🎤 Aurélie Vache is giving one talk (Wednesday the 20th at 2h30 PM): The Ultimate Kubernetes Challenge: An Interactive Trivia Game on concepts, components, usage…

🗓️ – May, 21 & 22 – Devops days in Geneva

🎤 Stéphane Philippart is giving one workshop (Thursday the 21th at 2h55 PM): Développer avec l’IA : et si c’était aussi simple qu’ajouter une librairie ?

🗓️ New “Tranches de Tech” podcast episode

🎧 All episodes are available on Ausha and all your favorite podcast applications!

💬 Stay in Touch

Want to chat with us, share your thoughts, or just say hi? Here’s how to get in touch with the Developer Advocate team:

• 🟣 Discord: OVHcloud Discord server
• 🐦 X / Twitter: @OVHcloud
• 💼 LinkedIn: OVHcloud LinkedIn
• 🐙 GitHub: github.com/ovh

See you next month! 👋

Aurélie Vache and Rémy Vandepoel attended alongside 26 other OVHcloud employees. In this blog, they share their thoughts about this second KubeCon set in the land of tulips.

KubeCon Europe 2026: the maturity milestone

Back from Amsterdam, the buzz of the RAI halls still echoes in our ears. This 2026 edition of KubeCon + CloudNativeCon Europe wasn’t just another Kubernetes conference. It marked a turning point for this event: the point of maturity. And this is evident just by looking at the numbers: 13,500 attendees for this edition! The largest attendance ever recorded!

While previous years were about exploration and expansion, 2026 was the year of massive industrialization, with one non-negotiable pre-requirement: digital sovereignty.

Key figures from the 2026 edition:

• 13,500+ attendees (46% first-time attendees)
• 100 countries represented
• 3,474 unique organizations/companies
• 891 sessions
• 230 projects in the CNCF landscape with 19.9 million contributors

CNCF Contributors by Geography (Last 12 Months)

• Europe: 38.8% of contributions (ahead of the United States)
• United States: 36.29%
• Germany: 9.82% (leading in Europe)
• France: 4.68%
• Switzerland: 2.49%
• Strong signals for digital sovereignty, a key theme of this year’s keynotes 💪

Colocated events

KubeCon + CloudNativeCon Europe 2026 traditionally kicks off with a full day dedicated to co-located events. This year was no exception, with an impressive lineup of 16 events, including well-known favorites such as ArgoCon, BackstageCon, CiliumCon, Platform Engineering Day, Kubernetes on Edge Day, and Observability Day.

Among the newcomer events, Open Sovereign Cloud Day was a stand out, as it highlighted the growing importance of cloud sovereignty in Europe.

During CiliumCon, we were proud to see the spotlight on our MKS Standard offer 🚀.

OVHcloud Presence

OVHcloud had a strong presence at the event, with two different booths serving two different purposes.

One was located in the Activation Zone, designed as an interactive space to engage with attendees through a video game “Gaming Camp: Beat Cloud Villains!”, described as “Join the fight against the villains of the cloud. Take on Hidden Cost, Jailor Stack, and Autonomous Zero, and prove yourself as a true Guardian of the Cloud.”

Players were welcomed to step into a two-player fighting game inspired by the style of Street Fighter, where strategy and skill are your best weapons. Winners won exclusive t-shirts.

The second booth had a more corporate focus, highlighting OVHcloud’s broader portfolio, strategic positioning, and enterprise offerings. It provided a space for deeper conversations around demos, use cases, and cloud strategies.

The opportunity was too good to pass up, so we took the chance to interview key players in the ecosystem, as well as customers of our solutions.

We conducted five interviews and had many discussions, and we can’t wait to share them with you soon!

Here’s a sneak peek featuring Sudeep Goswami, CEO of Traefik Labs:

These interviews will soon be available on YouTube, so stay tuned!

Aurélie Vache’s talk

Getting accepted to KubeCon is not easy, and Aurélie, our Developer Advocate and CNCF Ambassador, rose to the challenge by once again presenting a new talk.

“The Ultimate Kubernetes Challenge: An Interactive Trivia Game”:

“Kubernetes has become the de facto standard for deploying and operating containerized applications. We use it, as well as its ecosystem, on a daily basis, but do we know them as well as we think we do?

With a mix of quiz and live demos, come learn and/or improve your knowledge. You will discover (or rediscover) the key concepts of Kubernetes (pods, secrets, services…), internal components but also best practices.

In this fun and dynamic talk, come compete throughout the quiz and explore the wonderful world of Kubernetes.

Icing on the cake: the first will win some swags.“

During this talk, attendees tested their Kubernetes knowledge through an interactive quiz, with results presented via illustrated slides and live, hands-on demos.

Giving a talk at 5 p.m., during the final session of the second day, was an ambitious way to finish up. But thanks to the interactive format of her talk, attendees were able to enjoy testing their knowledge while discovering tips about Kubernetes and its concepts and features.

Three OVHcloud MKS clusters were created especially for the occasion, one with 3 nodes, one with zero nodes, and one with 3 nodes across 3 Availability Zones:

Watch the talk here:

Keynotes: Toward “Agent-Based” and Autonomous AI

Plenary sessions at the event were dominated by a convergence of Kubernetes and Artificial Intelligence. This term, already ubiquitous in tech news, was bound to be a major focus here. Jonathan Bryce, the Executive Director of Cloud & Infrastructure at the Linux Foundation and an iconic figure in the ecosystem, made a strong point by reminding the audience that while Kubernetes is everywhere (82% adoption rate), AI in production remains a major challenge.

In November, during the latest KubeCon + CoudNativeCon NA at Atlanta, the CNCF launched the “Certified Kubernetes AI Conformance Program to Standardize AI Workloads on Kubernetes“.  5 months later, several companies including the OVHcloud Managed Kubernetes Services (MKS) platform, succeeded this new program with their own certified Kubernetes AI platform.

During the keynotes we even saw a real plane!

And to top it off, seeing Michelin present the Top End User Award to SNCF was a real highlight for us. Cocoricoooo! 🇫🇷

Key Trends

Find below the most frequently discussed technical pillars that will remain prominent in the coming months and years:

* Agent-based AI: The focus is shifting from training to inference. The announcement of Dapr Agents 1.0 shows that Kubernetes will now orchestrate agents capable of making real-time decisions on the infrastructure.

* GPU Standardization (DRA): Thanks to NVIDIA’s widespread adoption of Dynamic Resource Allocation (DRA) drivers, GPU scheduling is becoming as simple and granular as CPU scheduling. A boon for cost optimization.

* Sovereignty: Sovereignty is no longer a legal concept; it is an architecture. We have seen a rise in encryption tools for data in transit and at rest (Confidential Computing) natively integrated into CNIs such as Cilium.

* FinOps 2.0: With 67% of AI compute dedicated to inference by the end of 2026, precise monitoring of GPU consumption via projects like Kepler has become essential for the economic viability of projects.

The Gateway API is becoming the standard

As we announced in our blog post “Moving Beyond Ingress: Why should OVHcloud Managed Kubernetes Service (MKS) users start looking at the Gateway API?”, the ingress-nginx controller, the most widely used ingress controller, has now been archived.

Now, after 8 years of development, 275 released versions, and nearly 20k GitHub stars, the maintainers of the Kubernetes Gateway API introduced ingress2gateway v1.0, a tool designed to simplify migration. It automatically converts Ingress resources including annotations into Gateway API resources. The recommended approach remains pragmatic: first migrate the controller while keeping existing Ingress objects, then gradually transition to the Gateway API. Attempting a full migration in a single step is considered risky and unnecessary.

Additionally, Gateway API version 1.5 represents a major milestone: five features have moved from experimental status to the Standard channel in a single release.

Amongst them:

• ListenerSet: delegates TLS listener management outside of the Gateway 
• TLSRoute: SNI-based routing in either termination or passthrough mode
• Client certificate validation for mTLS at the ingress layer
• Native CORS filter for HTTPRoute

The Kubernetes Gateway API is now establishing itself as much more than just a successor to Ingress: it is evolving into Kubernetes’ unified network control plane.

Favorite talk

As usual, Aurélie wasn’t able to attend many talks, but among the 2-3 she did see, there was one that really had a “wow” effect on her:

« An immersive and visual journey into kubernetes networking ».

Benoit, a DevSecOps engineer at Feesh in Switzerland with extensive expertise in Kubernetes networking, created a video game using Godot with four levels: “pod-to-pod basics”, “pod-to-pod advanced”, “service mesh sidecar”, and “service mesh with ambient mode”.

Across these four levels, he explains Kubernetes networking in a vanilla setup, then with Cilium and Istio, all from the perspective of a TCP packet, represented as a fish.

Networking and I don’t exactly get along, and I’ll admit I’ve always struggled with it. Even now, although I’ve had no choice but to work with Kubernetes and service mesh, I still find it challenging. But seeing the fish swim from frontend to backend, enter a building underwater (the node), interact with an eBPF program… it really makes things more visual and intuitive.

On Thursday morning, after the keynote, the room with 2000 seats was packed!

Explaining networking by building a 3D game from scratch specifically for the occasion: hats off to you!

Benoit had an issue on stage, because he had built the game in 4K and it didn’t display properly on the projection screen. Luckily, about 30 seconds before showtime, the production team and he managed to fix it. He went on stage without showing any of that stress 💪.

Replay:

KubeCon in 45 seconds

To keep memories of these 3-4 amazing days, we created a “KubeCon Europe 2026 in 45 seconds movie:

Conclusion

KubeCon Amsterdam proved once again that the strength of open source lies in its community.

From the halls of the RAI to the technical sessions, the excitement was palpable. We’re leaving with our heads full of ideas, but above all with the certainty that collaboration remains the key to solving the complex challenges of modern IT. This was particularly evident in the packed conference rooms and the crowded aisles of the exhibition hall.

One thing is certain: the future of Cloud Native is being written together, and we at OVHcloud look forward to contributing to it with you by helping you get the most out of Kubernetes through our managed platform. Because we’re convinced that for businesses in 2026, the challenge will no longer be how to run Kubernetes, but how to use it to innovate faster and better than the competition.

With the OVHcloud Startup Program, you can enhance your cloud expertise and accelerate your growth. How?

The Startup Program provides you with access to dedicated cloud resources, including technical consultation sessions with our engineers. These sessions can help you navigate the complexities of cloud infrastructure and optimize your cloud strategy.

Now you can also get access to dedicated cloud training. As a Startup Program member, you can obtain cloud solutions certifications which will make you stand out from the crowd and, also, be better prepared to navigate your cloud strategy.

We’ve opted for a flexible training model because we trust our customers. This means that you can train independently through e-learning, whenever you want, choosing the courses that are relevant to your business and the people who need to be trained, according to their role. This saves you time and money and, thanks to the expertise you’ll gain through training, you’ll be able to deploy more cost-effective and efficient cloud solutions.

Our training courses and certifications give you a more qualified workforce.

In addition to validating your technical skills, our certifications can help you develop your expertise. Plus, you can demonstrate this with our certification badges, which help you gain recognition.

Finally, OVHcloud offers a wide range of solutions. Our training courses will help you discover the scope of these solutions and when and how to use them. Each course is designed to help you deliver a great experience for your customers. Simply by having the right knowledge to effectively identify the best solution to meet their needs.

Once trained, you are also likely to have ideas for new projects.

Get certified and give your expertise a headstart.

Discover our Training Portal’s catalog to boost your expertise.

https://startup.ovhcloud.com/Get started with the OVHcloud Startup Program and accelerate your growth today. Apply now and discover how our program can help you achieve your goals: https://startup.ovhcloud.com/

Mia Experts is a new generation medical software platform designed by a physician, for physicians. From the very beginning, the product was built to integrate artificial intelligence in a way that is useful, secure, and aligned with the realities of medical practice.

Today, many doctors spend a significant part of their day dealing with administrative tasks rather than focusing on patient care and clinical decision-making. Existing medical software is often outdated, poorly designed, and disconnected from how physicians actually work.

Mia Experts aims to change that. By leveraging artificial intelligence, the platform automates repetitive tasks and structures medical data in a meaningful and usable way. The goal is simple: give physicians back their time.

The solution primarily targets private practitioners, particularly in general medicine and surgical specialties, where efficient data management, reliability, and time savings are critical.

Built from Real Medical Experience

The idea behind Mia Experts originated from the daily experience of Vincent Salabi, a surgeon who repeatedly encountered the same issue: medical software that was slow, repetitive, and time-consuming.

Instead of helping doctors, these tools often added friction to their workflow.

At the same time, a major technological shift was occurring: artificial intelligence was becoming accessible in a way that could be deployed securely and within a sovereign regulatory framework.

Mia Experts was born from the collaboration of three co-founders with complementary expertise — medical, technical, and entrepreneurial — united by a shared ambition: to fundamentally rethink the physician’s digital workspace.

Early Milestones and Key Achievements

From the earliest stages, several key milestones helped shape the development of Mia Experts.

One of the first successes was designing the software architecture. The team built a simple, modular, and scalable architecture capable of intelligently interacting with both patient and physician data.

The objective was clear: eliminate unnecessary repetition, ensure every piece of data has meaning, and enable reliable data usage — whether for prescription generation or reducing medical errors.

Operating in the highly regulated healthcare sector also required building an infrastructure compliant with Health Data Hosting (HDS) regulations. Mia Experts chose OVHcloud, ensuring health data sovereignty and providing a robust and secure cloud foundation.

Infrastructure management is handled in partnership with Lecpac Consulting, allowing the team to meet regulatory requirements while focusing on product development and innovation.

Another major milestone came through early presentations at medical conferences, particularly in orthopedic and urological surgery. The response from physicians was extremely positive. The software’s usability and clinical logic quickly generated word-of-mouth interest — even among doctors who had not been directly approached.

Mia Experts also achieved several regulatory and technological milestones:

• LAP certification for prescription software, obtained in collaboration with healthtech company Posos
• INSi compliance, enabling integration with national health identity standards

Even before official product launch, the startup received around 50 pre-orders purely through demonstrations and conference discussions.

The platform is now entering its beta testing phase, with the first deployments planned soon.

Core Values Driving the Product

The development of Mia Experts is guided by a set of strong principles:

• Simplicity – intuitive interfaces designed for real medical workflows
• Pragmatism – AI must deliver measurable time savings
• Data sovereignty – full control over hosting and infrastructure
• Health data security – non-negotiable protection standards
• Intelligent data structuring – ensuring reliable and actionable medical information

Business, Technical and Regulatory Complexity

Building a medical software platform involves navigating a unique combination of business, technological, and regulatory challenges.

From a business perspective, the first hurdle was securing funding while preserving technological independence. Mia Experts achieved this through an initial funding round involving physician investors, complemented by support from Bpifrance and the French Tech Grant program.

On the technical side, the strict healthcare regulatory environment posed significant challenges. Compliance with HDS standards required implementing strong guarantees around security, traceability, service availability, and access governance from the very beginning.

Another critical challenge involved health data interoperability. Medical data must follow standardized national frameworks and coding systems. Mia Experts needed to structure and transform this data so it could interact seamlessly with national health services such as secure messaging systems and health data platforms.

Yet the biggest challenge was balancing all these constraints with a smooth user experience.

The ambition was never to create software that was simply compliant but difficult to use. Instead, the goal was to design a platform that remains intuitive, efficient, and truly supportive of physicians’ daily work.

Why Mia Experts Chose the Cloud

Cloud infrastructure quickly became a natural choice for the project.

First, artificial intelligence requires scalable computing resources. Running AI endpoints, fine-tuning models, and processing medical voice data demand infrastructure that can scale dynamically while protecting sensitive data.

Second, the cloud offers strong advantages for security and regulatory compliance. As a medical software publisher, Mia Experts needed an infrastructure capable of guaranteeing both data sovereignty and regulatory compliance within the European framework.

Finally, the cloud enables a much more agile product strategy. Unlike traditional locally installed medical software, cloud-based architecture allows centralized updates and continuous product improvement without disrupting physicians’ workflows.

For a fast-growing startup, this flexibility is essential.

Leveraging OVHcloud to Build a Sovereign Health Infrastructure

Choosing OVHcloud was a strategic decision for Mia Experts, especially in a context where health data sovereignty is a critical issue.

Many solutions rely on non-European cloud providers. OVHcloud allowed the startup to build its infrastructure on a secure, sovereign European cloud, fully compliant with French and EU regulations.

This has become a strong differentiator — both from a regulatory standpoint and in terms of trust with physicians.

The OVHcloud Startup Program also played a key role during the early development phase by helping offset the high technical costs associated with innovation.

Mia Experts relies heavily on speech-to-text and AI models for generating medical reports. Fine-tuning these models to understand medical vocabulary requires substantial computing power. The program allowed the team to train and test these models without immediate financial pressure.

The Infrastructure Behind Mia Experts

Today, the platform runs on a robust cloud architecture built on OVHcloud services, including:

• Managed Kubernetes for Dev, Pre-production, and Production environments
• S3-compatible object storage for medical documents and AI models
• GPU instances supporting real-time medical speech transcription
• AI Endpoints for LLMs such as Mistral, Llama, and GPT-OSS
• Dedicated Public Cloud instances hosting GitHub CI/CD runners

All infrastructure is hosted in France, ensuring compliance with GDPR and HDS requirements.

One major advantage of OVHcloud AI endpoints is transparency: customer data is not used to train external models, a key concern in healthcare environments.

Tangible Results and Impact

The collaboration with OVHcloud has enabled several concrete achievements.

First, Mia Experts successfully deployed an infrastructure fully compliant with HDS health data hosting standards, guaranteeing high levels of security, availability, and traceability.

Second, the startup has been able to build and control its own AI capabilities, particularly around speech recognition and medical text generation. The voice recognition system has already been adapted to medical vocabulary, delivering strong accuracy in clinical contexts.

Another key outcome is AI sovereignty. By hosting AI inference within a controlled European environment, Mia Experts retains full control over its data, models, and algorithms.

Finally, the cloud infrastructure provides significant operational agility. The team can deploy updates quickly, iterate on AI models, and continuously improve application performance.

Accelerating Product Adoption

These technological choices have significantly strengthened Mia Experts’ positioning within the medical software ecosystem.

The cloud infrastructure makes the solution eligible for Ségur V2 standards, a key regulatory benchmark for healthcare software interoperability in France.

This strengthens credibility with physicians and facilitates integration into the national digital health ecosystem.

By maintaining full control over its AI pipeline — from hosting to model fine-tuning — Mia Experts can guarantee both data confidentiality and high-quality performance tailored to medical language.

What’s Next for Mia Experts

The next step is the progressive onboarding of the first users, with around 50 pre-registrations already secured before the official launch.

In the medium term, the startup aims to reach:

• 300 users within two years
• 500 users within three years

At the same time, Mia Experts plans to expand beyond surgical specialties with the launch of Mia Experts for General Practice, followed by extensions into additional medical disciplines.

The long-term vision is to build a modular medical platform adaptable to multiple specialties while sharing a unified technological foundation.

Advice for Other Startups

For startups building AI-driven products, the Mia Experts team highlights three key lessons.

First, anticipate your data strategy early. AI models are only as good as the data used to train them. Structuring and preparing datasets before accessing cloud resources can provide a major competitive advantage.

Second, do not underestimate regulatory complexity, especially in sectors like healthcare. Partnering with an experienced infrastructure manager can significantly accelerate deployment.

Finally, think of the cloud not only as hosting infrastructure but as a strategic platform for innovation and scalability.

Conclusion

The journey of Mia Experts shows that innovation in healthcare requires a careful balance between technological ambition, regulatory rigor, and practical usability.

By building on a sovereign and compliant cloud infrastructure from the outset, the startup has laid strong foundations for developing a medical platform that genuinely supports physicians.

The collaboration with OVHcloud has enabled Mia Experts to deploy a secure, scalable, and AI-ready infrastructure, ensuring full control over both health data and AI models.

For startups operating in highly regulated sectors, choosing the right cloud ecosystem can make all the difference — enabling innovation, accelerating growth, and building trust from day one.

Don’t let infrastructure costs limit your growth. We strongly urge other startups to join the OVHcloud Startup Program. Contact their team to build your own foundation for sustainable success.

If you’re a startup looking to transform your business, we encourage you to join the OVHcloud Startup Program or contact OVHcloud to discover how our solutions can support your journey!

You never see it, but without the DNS, no website would be accessible, no email could be delivered, and no online service would work correctly.

At the heart of this system are DNS records, which structure how services are exposed on the Internet. These records evolve alongside modern web architectures, and at OVHcloud, this has resulted in support for SVCB and HTTPS records.

To better understand these innovations, let’s look at the main types of DNS records and their roles.

The DNS in a few words

The Domain Name System (DNS) translates a domain name into an IP address that is understandable by machines. When a user enters a web address (such as “www.example.com”), a request is sent to identify the corresponding server.

This phase, known as DNS resolution, uses different types of records that each fulfil a specific role.

The most common DNS records

Some records are essential when configuring a domain. Here are the main types present in a DNS zone.

A and AAAA: make a website accessible

For a website to be reachable, its domain name must be associated with an IP address. This is where A (IPv4) and AAAA (IPv6) records come in.

They form the basis of DNS resolution and allow browsers to reach the server hosting the site.

CNAME: creates an alias between two domain names

A CNAME record allows one domain name to point to another, without directly associating it with an IP address. For example, “blog.example.com” can link to “example.com”, which avoids duplicating the configuration.

⚠️ Note: a CNAME cannot be configured at the root of a domain (e.g. “example.com”). It is only used on subdomains, such as “blog.example.com”.

MX: manages the receipt of emails

MX (Mail Exchange) records indicate which servers should handle emails being sent to a domain. They play a central role in distributing messages and in the reliability of messaging.

TXT: verifies a domain and enhances security

TXT records allow additional information to be linked to a domain. They are particularly used to prove ownership to external services and to secure emails.

Mechanisms such as SPF, DKIM, or DMARC rely on TXT records to limit identity theft and spam.

SVCB and HTTPS: what are these new DNS records for?

During DNS resolution, the browser obtains the information needed to contact a server.

SVCB (Service Binding) and HTTPS records enrich this step by indicating more precisely how to access the service.

They may mention the supported protocols (HTTP/2 or HTTP/3), the preferred server, or certain technical parameters intended to optimise the connection.

By transmitting this information during the resolution, they limit certain intermediate exchanges between the browser and the server. This mechanism helps to improve the performance and loading speed of websites.

A key use case: the alias at the root of the domain

As mentioned, a CNAME record cannot be configured at the root of a domain (such as “example.com”). This constraint of the DNS required the use of alternative solutions when it was necessary to point a main domain to an external service.

HTTPS and SVCB records remove this limitation. They offer the option to indicate that a web service located at the root of the domain is provided by another name, similar to a CNAME, while adhering to DNS rules.

Here’s an example: a company broadcasts its site via a CDN accessible at the address “example.cdn-provider.net”, while retaining “example.com” as the access point. Thanks to a HTTPS record, the browser can be directed to the CDN service without a visible redirection for the user or a complex DNS configuration.

⚠️ However, these mechanisms rely on newer features, so their support may vary depending on the browsers and operating systems, particularly in older environments.

What benefits do these new records offer?

By enriching the DNS resolution phase, SVCB and HTTPS records can direct clients more accurately towards suitable services.

This helps to reduce latency, improve perceived performance, and strengthen consistency across browsers, protocols, and infrastructures.

These records also provide greater flexibility in DNS configuration, particularly for environments integrating CDNs, external platforms, or distributed cloud architectures.

How can I configure my SVCB and HTTPS records with OVHcloud?

SVCB and HTTPS records are available from your OVHcloud control panel.

To configure them:

1. Go to the “Domain Names” section
2. Select the relevant domain
3. Access the “DNS Zone” tab
4. Add a new SVCB or HTTPS record

Depending on your situation, you may need to adjust the associated settings (priority, target, service-specific options). For detailed information on managing DNS records, please consult our dedicated guide.

In summary: a more flexible and effective DNS

The DNS remains an essential pillar of the internet and continues to evolve to adapt to newer architectures.

With SVCB and HTTPS records, it is now possible to optimise service exposure, simplify certain configurations (particularly at the root of the domain), and improve performance from the resolution stage.This is a discreet yet strategic technical development in response to the growing demands for speed, security, and flexibility.

On ne le voit jamais. Pourtant, sans le DNS, aucun site web ne serait accessible, aucun e-mail ne pourrait être distribué, aucun service en ligne ne fonctionnerait correctement.

Au cœur de ce système se trouvent les enregistrements DNS, qui structurent la manière dont les services sont exposés sur Internet. Ils évoluent avec les architectures web modernes. Chez OVHcloud, cela se traduit notamment par la prise en charge des enregistrements SVCB et HTTPS.

Pour mieux comprendre ces nouveautés, revenons sur les principaux enregistrements DNS et leur rôle.

Le DNS en quelques mots

Le Domain Name System (DNS) traduit un nom de domaine en adresse IP compréhensible par les machines. Lorsqu’un internaute saisit une adresse web (telle que « www.exemple.com »), une requête est ainsi envoyée pour identifier le serveur correspondant.

Cette phase, appelée résolution DNS, s’appuie sur différents types d’enregistrements, chacun remplissant un rôle précis.

Les enregistrements DNS les plus courants

Certains enregistrements sont incontournables dans la configuration d’un domaine. Voici les principaux types présents dans une zone DNS.

A et AAAA : rendre un site accessible

Pour qu’un site soit joignable, son nom de domaine doit être associé à une adresse IP. C’est le rôle des enregistrements A (IPv4) et AAAA (IPv6).

Ils constituent la base de la résolution DNS et permettent aux navigateurs d’atteindre le serveur qui héberge le site.

CNAME : créer un alias entre deux noms de domaine

Un enregistrement CNAME permet de faire pointer un nom de domaine vers un autre, sans l’associer directement à une adresse IP. Par exemple, « blog.exemple.com » peut renvoyer vers « exemple.com », ce qui évite de dupliquer la configuration.

⚠️ À noter : un CNAME ne peut pas être configuré à la racine d’un domaine (« exemple.com »). Il ne s’utilise que sur des sous-domaines, comme « blog.exemple.com ».

MX : gérer la réception des e-mails

Les enregistrements MX (Mail Exchange) indiquent quels serveurs doivent traiter les e-mails destinés à un domaine. Ils jouent un rôle central dans la distribution des messages et dans la fiabilité de la messagerie.

TXT : vérifier un domaine et renforcer la sécurité

Les enregistrements TXT permettent d’associer des informations supplémentaires à un domaine. Ils sont notamment utilisés pour prouver sa propriété auprès de services externes et pour sécuriser les e-mails.

Des mécanismes comme SPF, DKIM ou DMARC reposent sur des enregistrements TXT afin de limiter l’usurpation d’identité et le spam.

SVCB et HTTPS : à quoi servent ces nouveaux enregistrements DNS ?

Lors de la résolution DNS, le navigateur obtient les informations nécessaires pour contacter un serveur.

Les enregistrements SVCB (Service Binding) et HTTPS enrichissent cette étape en indiquant plus précisément comment accéder au service.

Ils peuvent notamment mentionner les protocoles pris en charge (HTTP/2 ou HTTP/3), le serveur à privilégier ou encore certains paramètres techniques destinés à optimiser la connexion.

En transmettant ces informations dès la résolution, ils limitent certains échanges intermédiaires entre le navigateur et le serveur. Ce mécanisme contribue à améliorer la performance et la rapidité de chargement des sites web.

Un cas d’usage clé : l’alias à la racine du domaine

Comme vu précédemment, un enregistrement CNAME ne peut pas être configuré à la racine d’un domaine (comme « exemple.com »). Cette contrainte historique du DNS obligeait à utiliser des solutions alternatives lorsqu’il fallait faire pointer un domaine principal vers un service externe.

Les enregistrements HTTPS et SVCB permettent de lever cette limitation. Ils offrent la possibilité d’indiquer qu’un service web situé à la racine du domaine est fourni par un autre nom, de manière similaire à un CNAME, tout en respectant les règles du DNS.

Prenons un exemple : une entreprise diffuse son site via un CDN accessible à l’adresse « exemple.cdn-provider.net », en conservant « exemple.com » comme point d’accès. Grâce à un enregistrement HTTPS, le navigateur peut être orienté vers le service du CDN sans redirection visible pour l’internaute ni configuration DNS complexe.

⚠️ Ces mécanismes reposent toutefois sur des fonctionnalités récentes. Leur prise en charge peut donc varier selon les navigateurs et les systèmes d’exploitation, en particulier dans des environnements plus anciens.

Quels bénéfices pour ces nouveaux enregistrements ?

En enrichissant la phase de résolution DNS, les enregistrements SVCB et HTTPS permettent une orientation plus précise des clients vers les services adaptés.

Ils contribuent ainsi à réduire la latence, à améliorer la performance perçue, ainsi qu’à renforcer la cohérence entre navigateurs, protocoles et infrastructures.

Ils offrent également davantage de souplesse dans la configuration DNS, notamment pour les environnements intégrant des CDN, des plateformes externes ou des architectures cloud distribuées.

Comment les configurer chez OVHcloud ?

Les enregistrements SVCB et HTTPS sont disponibles depuis votre espace client.

Pour les configurer :

1. rendez-vous dans la section « Noms de domaine » ;
2. sélectionnez le domaine concerné ;
3. accédez à l’onglet « Zone DNS » ;
4. ajoutez un nouvel enregistrement de type SVCB ou HTTPS.

Selon votre situation, il peut être nécessaire d’adapter les paramètres associés (priorité, cible, options spécifiques au service). Pour des informations détaillées sur la gestion des enregistrements DNS, consultez notre guide dédié.

En résumé : un DNS plus flexible et performant

Le DNS reste un pilier essentiel d’Internet et continue d’évoluer pour s’adapter aux architectures récentes.

Avec les enregistrements SVCB et HTTPS, il devient possible d’optimiser l’exposition des services, de simplifier certaines configurations (notamment à la racine du domaine) et d’améliorer la performance dès la phase de résolution.Il s’agit d’une évolution technique discrète, mais stratégique, face aux exigences croissantes de rapidité, de sécurité et de flexibilité.

Several months ago, we released the Beta version of the OVHcloud Secret Manager and we guided you how to manage your secrets thanks to the existing External Secret Operator (ESO) Hashicorp Vault provider.

As our Secret Manager is now in General Availability, our teams worked on the development of an OVHcloud ESO Provider now available in the ESO v2.3.0 new release 🎉.

In this blog post, you will learn how to create a new secret in the OVHcloud Secret Manager and how to manage it within your Kubernetes clusters through the OVHcloud ESO provider.

External Secrets Operator (ESO)

The External Secrets Operator (ESO), a CNCF sanbox project since 2022, is a Kubernetes operator that integrates external secret management systems.

The operator reads the information from an external APIs and automatically injects the values into a Kubernetes Secret. If the secret changes in the external API, the operator updates the secret in the Kubernetes cluster.

The ESO connects to an external Secret Manager, such as OVHcloud, Vault, AWS, or GCP, via a provider configured in a (Cluster)SecretStore. An ExternalSecret resource then specifies which secrets to retrieve. ESO fetches those values and creates a corresponding Kubernetes Secret within the cluster.

For more details, read the ESO official documentation.

Prerequisites

To be able to use the ESO OVHcloud provider, you need to follow some prerequisites:

• Have an OVHcloud account
• Created an OKMS domain (“305db938-331f-454d-83a7-3a0a29291661” for example in this blog post)
• Created an IAM local user (“secretmanager-305db938-331f-454d-83a7-3a0a29291661” for example in this blog post)
• Installed the OVHcloud CLI
• Have a Kubernetes cluster

The ESO OVH provider supports both token and mTLS authentication. In this blog post, we will use the token authentication mode. Please follow the OVHcloud ESO provider guide if you wish to use mTLS authentication mode.

Generate a PAT token (For token authentication only)

The ESO (Cluster)SecretStore needs the permission to fetch secrets from Secret Manager.

If you want to use token autentication, you’ll need a token (PAT). You can use the ovhcloud CLI to do that:

PAT_TOKEN=$(ovhcloud iam user token create <iam-local-user-name> --name pat-<iam-local-user-name> --description "PAT secret manager for domain <okms-id>" -o json  | jq .details.token |  tr -d '"')

echo $PAT_TOKEN
<your-token>

You should have a result like this:

$ PAT_TOKEN=$(ovhcloud iam user token create secretmanager-305db938-331f-454d-83a7-3a0a29291661 --name pat-secretmanager-305db938-331f-454d-83a7-3a0a29291661 --description "PAT secret manager for domain 305db938-331f-454d-83a7-3a0a29291661" -o json  | jq .details.token |  tr -d '"')
2026/04/07 14:07:45 Final parameters:
{
 "description": "PAT secret manager for domain 305db938-331f-454d-83a7-3a0a29291661",
 "name": "pat-secretmanager-305db938-331f-454d-83a7-3a0a29291661"
}

$ echo $PAT_TOKEN
eyJhbGciOiJFZERTQSIsImtpZCI6IjgzMkFGNUE5ODg3MzFCMDNGM0EzMTRFMDJFRUJFRjBGNDE5MUY0Q0YiLCJraW5kIjoicGF0IiwidHlwIjoiSldUIn0.eyJ0b2tlbiI6InBBSFh1WE5JdVNHYVpmV3F2OUFzVmJrU3UwR2UySTJrdFU0OGdTZkwyZ1k9In0.-VDbiUf4vNm1KB9qSv7i4sGMCvxs_EuZFAETB-eaOFf3IX8-9m7akN800--ASgXy55_DDFHdy4Z5uSq8lww-Bw

Encode the PAT token in base 64 and save it in an environment variable:

export PAT_TOKEN_B64=$(echo -n $PAT_TOKEN | base64)
echo $PAT_TOKEN_B64

Retrieve and save the KMS information

List the OKMS domains:

$ ovhcloud okms list
┌──────────────────────────────────────┬─────────────┐
│                  id                  │   region    │
├──────────────────────────────────────┼─────────────┤
│ 305db938-331f-454d-83a7-3a0a29291661 │ eu-west-par │
│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │
└──────────────────────────────────────┴─────────────┘

Save the KMS endpoint and the OKMS ID in two environment variables. For example:

export OKMS_ID="305db938-331f-454d-83a7-3a0a29291661"
export KMS_ENDPOINT=$(ovhcloud okms get 305db938-331f-454d-83a7-3a0a29291661 -o json | jq .restEndpoint | xargs)

Create a secret in the Secret Manager

In the OVHcloud Control Panel (UI), go to ‘Secret Manager’ section and click on the Create a secret button.

Then in order to create a secret ‘prod/eu-west-par/dockerconfigjson’, in the Europe region (France – Paris) eu-west-par, choose this region:

Then, choose the OKMS domain and create”prod/eu-west-par/dockerconfigjson” in the path and fill the content:

Finally, click on the Create button to finalise the creation of the new secret.

Install or update the ESO

If you’d never installed ESO in your Kubernetes cluster, you can install it via Helm:

helm repo add external-secrets https://charts.external-secrets.io
helm repo update

helm install external-secrets \
   external-secrets/external-secrets \
    -n external-secrets \
    --create-namespace \
    --set installCRDs=true

If you already installed it, now you should update it in order to use this new provider:

helm upgrade external-secrets external-secrets/external-secrets -n external-secrets

⚠️ In order to use the OVHcloud provider, you need to have a running instance of ESO equals to version 2.3.0 or more.

$ helm list -n external-secrets

NAME            	NAMESPACE       	REVISION	UPDATED                              	STATUS  	CHART                 	APP VERSION
external-secrets	external-secrets	1       	2026-04-13 13:56:29.071329 +0200 CEST	deployed	external-secrets-2.3.0	v2.3.0

Let’s deploy a Secret in Kubernetes using the ESO provider!

Deploy a ClusterSecretStore to connect ESO to Secret Manager

Set up a ClusterSecretStore to manage synchronization with Secret Manager.
It will use the OVHcloud provider with token authorization mode, and the OKMS endpoint as the backend.

Create a clustersecretstore.yaml.template file with the content below:

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: secret-store-ovh
spec:
  provider:
    ovh:
      server: "$KMS_ENDPOINT" # for example: "https://eu-west-rbx.okms.ovh.net"
      okmsid: "$OKMS_ID" # for example: "734b9b45-8b1a-469c-b140-b10bd6540017"
      auth:
        token:
          tokenSecretRef:
            name: ovh-token
            namespace: external-secrets
            key: token
---
apiVersion: v1
kind: Secret
metadata:
  name: ovh-token
  namespace: external-secrets
data:
  token: $PAT_TOKEN_B64

Generate the clustersecretstore.yaml file from the environment variables you defined:

envsubst < clustersecretstore.yaml.template > clustersecretstore.yaml

You should obtain a file filled with the OVHcloud KMS information:

apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
  name: secret-store-ovh
spec:
  provider:
    ovh:
      server: "https://eu-west-par.okms.ovh.net" # for example: "https://eu-west-rbx.okms.ovh.net"
      okmsid: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # for example: "734b9b45-8b1a-469c-b140-b10bd6540017"
      auth:
        token:
          tokenSecretRef:
            name: ovh-token
            namespace: external-secrets
            key: token
---
apiVersion: v1
kind: Secret
metadata:
  name: ovh-token
  namespace: external-secrets
data:
  token: ZXlK...UJ3

Apply it in your Kubernetes cluster:

kubectl apply -f clustersecretstore.yaml

Check:

$ kubectl get clustersecretstore.external-secrets.io/secret-store-ovh

NAME               AGE   STATUS   CAPABILITIES   READY
secret-store-ovh   7s    Valid    ReadWrite      True

Create an ExternalSecret

Create an externalsecret.yaml file with the content below:

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: docker-config-secret
  namespace: external-secrets
spec:
  refreshInterval: 30m
  secretStoreRef:
    name: secret-store-ovh
    kind: ClusterSecretStore
  target:
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: "{{ .mysecret | toString }}"
    name: ovhregistrycred
    creationPolicy: Owner
  data:
  - secretKey: ovhregistrycred
    remoteRef:
      key: prod/eu-west-par/dockerconfigjson

Apply it:

$ kubectl apply -f externalsecret.yaml

externalsecret.external-secrets.io/docker-config-secret created

Check:

$ kubectl get externalsecret.external-secrets.io/docker-config-secret -n external-secrets 

NAME                   STORETYPE            STORE              REFRESH INTERVAL   STATUS         READY   LAST SYNC
docker-config-secret   ClusterSecretStore   secret-store-ovh   30m                SecretSynced   True    4s

After applying this command, it will create a Kubernetes Secret object.

$ kubectl get secret ovhregistrycred -n external-secrets

NAME              TYPE                             DATA   AGE
ovhregistrycred   kubernetes.io/dockerconfigjson   1      49s

The Kubernetes Secret have been created 🎉

We created a Secret directly from the key, but the OVHcloud ESO provider allows you to fetch the original secret from different parameters (fetch the whole secret, fetch nested values, fetch multiple secrets…), according to your needs.

Conclusion

In this blog, we’ve explained how to create secrets in the OVHcloud Secret Manager and then integrate them directly in your Kubernetes clusters using the new ESO OVHcloud provider.

With this brand new OVHcloud provider, you will have a smoother integration between the Secret Manager and your Kubernetes clusters with ESO.

Our team are working on several other integrations, so stay tuned, and please share your thoughts with us!

As Linux Sys Admins, we are sometimes faced with dilemmas regarding what we can or cannot allow on machines.

Some functionalities are very important to users for their daily tasks and overall better use of their devices, but they sometimes also come with security concerns.
We came up with a way to still allow most of these functionalities, while having more control over them, but also their outcome.

While the Linux user community is technical, their missions are still quite heterogeneous. They can range from developers, sysadmins, network engineers and more…
And they all work with very different workflows (from front-end web to the low-level driver). Sometimes on the laptop, on a docker, on a local VM or remotely on a development VM. Some may even need to hook up via a specific hardware.

Which leaves us users who are very much used to having access to every aspect of their personal computers rather frustrated when they are too limited.

Combining Usability and Security

Wrappers are usually used for abstraction and convenience; they often are relied on to simplify command-line workflows, enforce consistent parameters, or adapt legacy tools to modern environments.
In the case at hand, they are used a bit more like “guardrails.”

Take, as example, package management. Tools like apt are powerful but inherently risky when misused (or maliciously used), and capable of altering a system’s status by removing critical dependencies, etc…
Instead of exposing these tools directly (or completely removing access to them), our team provides a wrapped version that preserves essential functionality, while explicitly blocking operations that could compromise the system’s integrity.

Why would our user base need access to apt? Why not just completely remove that option?

Since our user base is rather technical, and knows their operating system rather well in general, they should be able to install authorized packages, or to update or remove them whenever they like (even though we also have a daily, automatic updates running too).
Plus, if they encounter any basic dpkg/apt issue, it makes sense for them to be able to resolve them autonomously.

Here is the list of options we made available:

Usage:
ovh-apt <install|reinstall|remove|purge> [OPTIONS] <package|package=version> [package...]
ovh-apt <update|autoclean|clean>
ovh-apt <fix> (this executes apt-get install -f)
ovh-apt <fix-dpkg> (this executes dpkg --configure -a)
Examples:
ovh-apt update
ovh-apt install vim
ovh-apt install vim=2:8.1.2269-1ubuntu5.17
ovh-apt install --only-upgrade bash
ovh-apt fix

We also have a list of protected packages, to avoid having very useful ones deleted; firewall configuration, systemd, sudo, etc…
Basically, this includes everything that could have an impact on security or system integrity. As well, this wrapper in specific is non-interactive – in order to make sure a root shell is never offered – as can be the case natively with dpkg.

How to prevent specific packages from being uninstalled?

We have a .txt file containing a bunch of package names (one per line).
In our ovh-apt script, we look into that file, and if we find a corresponding package, we exit the script.

re="^(Purg|Remv) ([^ ]+) "
IFS="
"
protected="$(cat /etc/ovh/ovh-apt/protected.txt)"
apt_output=$(cat nohup.out)
for line in $apt_output ; do
if [[ "$line" =~ $re ]]; then
package="${BASH_REMATCH[2]}"
if [[ " ${protected[*]} " =~ [[:space:]]${package}[[:space:]] ]]; then
echo "Error: Package $package is protected, won't do."
cancel=1
fi
fi
done
unset IFS

There is more

By default, you would need root access on unix systems to be able to change the keyboard layout. We decided to make a wrapper to allow for some users to set the layout of their choice.
This implementation was also heavily requested by Linux users, and very understandably so.

Here’s how it works:

Usage: ovh-keyboard <command> [options]
Commands:
show -> Show current keyboard configuration.
set <layout> -> Update keyboard configuration.
Valid options: fr, us, gb, ca, es, it, de, pt

Just for funsies, here is the list of other wrappers we use:

ovh_backlightctl Allows user to control the backlight options of their monitors.
ovh_snap Allows users to manage a list of snap packages on their device protected
ovh_swapclean Obviously.
ovh-systemctl Allows specific and unharmful systemctl commands.
nmcli_wrapper Blocks the –show-secrets options with nmcli. ‘Cause we don’t want secrets to be seen (that’s why they’re secret).

We definitely will keep on using wrappers, whether it is for user or security needs, when the use case allows it. We find this way of handling the accessibility / security compromise fits quite well with how we manage the Linux parc so far.

1) We are introducing three new Web Hosting ranges

Our offers will be organized into three distinct ranges, each designed to match different needs and usage profiles. Whether you are launching a simple website, running a growing business, or managing multiple client projects, you can now more easily find the plan that fits your situation.

Eco range: affordable and straightforward hosting

This range is designed for professionals looking for a cost-effective solution. It focuses on essential features to get a website online quickly and easily, without unnecessary complexity. All plans include the core services: disk space, email accounts, a domain name, and built-in security.

It is ideal for simple websites, first projects, portfolios, or small business sites that need to be reliable and easy to manage from day one. You get everything you need to launch and run your site, at a price that stays accessible over time.

In short, we provide a straightforward, dependable hosting solution that covers the essentials, so you can focus on your project, not on technical setup.

If you already own a domain name with OVHcloud, you can activate your free hosting right away. Every domain includes 100 MB of hosting, so you can get your first web pages online at no additional cost. This free plan comes with one email account, the performance of our infrastructure, and the same high level of security as all our other products.

Business range: performance and flexibility

The Business range is built for professionals who need more performance, flexibility, and resources to support their growth.

As your website evolves, so do your requirements: more traffic, more content, more integrations. This range provides faster loading times, more generous resources (databases, storage, email accounts), and additional technical capabilities to adapt your environment to your needs.

Whether you are running a business website, an e-commerce platform, or multiple projects, you benefit from a hosting solution designed to keep up with your growth while giving you more control.

For more demanding use cases, our Pro and Performance plans provide higher CPU and RAM allocations designed to handle traffic spikes smoothly, ensuring your websites remain responsive even during peak activity.

In short, this is the right balance between performance, flexibility, and cost-efficiency for growing projects.

Agencies range: built for managing multiple clients efficiently

The Agencies range is designed for professionals managing several websites across multiple clients.

When you operate multiple projects, efficiency becomes key. This range allows you to host, manage, and scale multiple websites within a single environment, helping you centralize operations and reduce costs.

It is particularly suited for agencies, freelancers, and service providers who need to deploy, maintain, and monitor many sites while keeping their workflow simple and scalable.

In short: a solution built to help you manage more projects and clients, more efficiently, while saving both time and costs, without multiplying hosting plans.

2) More capacity to grow your projects

After a full renewal of our compute infrastructure in 2025, our Web Hosting plans are now up to 3x faster, with 2x more compute power allocated.

In 2026, we are upgrading our storage technology. All our Web Hosting plans are progressively moving to SSD storage to ensure faster access times and better resilience during incidents or maintenance operations. The result: improved service quality and higher availability for your websites.

In addition, we are increasing both the number of databases and the storage capacity per database included in our Web Hosting plans.

What’s changing

Many customers begin with a single website, then expand to additional projects such as blogs, landing pages, test environments, or client websites. Because our Web Hosting plans are designed to be multi-site, you can host multiple projects within a single plan. As your projects grow, database requirements naturally increase due to additional content, users, plugins, and data.

Our goal is simple: instead of requiring an immediate upgrade to a higher plan, we are including additional resources directly in your existing plan. This allows you to group multiple websites under the same hosting account, each with its own database. In practice, this reduces costs, simplifies management, and gives you the flexibility to scale your projects without unnecessary complexity.

What this means for you

Run multiple websites without additional hosting plans
You can create and manage several websites under the same account, each with its own database, without needing to upgrade immediately.

Install multiple CMS environments easily
Whether you use WordPress, Joomla!, PrestaShop, or another CMS, you can deploy separate projects independently, without database limitations.

Create staging and test environments
You can duplicate websites to safely test updates, themes, or plugins before deploying them to production.

Support long-term website growth
As your traffic and content increase, larger databases provide additional capacity without the risk of quickly reaching storage limits.

By expanding both database capacity and quantity, we are providing more room for your projects to grow without requiring an immediate plan upgrade.

3) Pricing update: lower entry price and long-term savings

As part of this evolution, our pricing structure is also changing. It has been designed with two clear objectives: maintain a very accessible entry price for new projects and deliver stronger overall value for customers choosing longer durations.

A highly competitive first year for new subscriptions

For any new subscription, the first-year price is intentionally kept very low.

For example, the Pro plan now starts at €1.99/month for the first year.

This approach makes it easier to launch a new idea, test a concept, or start a business without significant upfront costs. Customers launching new projects benefit from one of the most competitive entry prices available.

All core hosting features remain included: generous email accounts, a domain name included during the first year, multi-site capability, expanded database resources, and enhanced support services. In short, you keep everything that makes your hosting complete, with additional resources and improved assistance.

Better pricing with longer durations

We are introducing 24- and 48-month prepaid plans to help you secure the best possible rate! Most websites are long-term projects that grow in visibility, traffic, and business value, and we want your hosting plan to support that long-term development.

By selecting a longer duration, you can benefit from significant savings:

• Choosing 24 months can represent savings equivalent to 5 to 6 months compared to annual renewals.
• Choosing 48 months can represent savings equivalent to 16 to 18 months compared to annual renewals.

This approach is simple: the longer your duration, the lower your monthly price and the more predictable your hosting budget becomes.

4) Renew now and keep your current price

If you are already a customer, we want to ensure your loyalty continues to be rewarded. Many of you have trusted us to host your projects for years, and we want to give you the opportunity to maintain your current pricing conditions.

If you wish to retain your existing pricing, you can renew your hosting plan before 1st June 2026. This allows you to secure your current rate while continuing to benefit from all plan improvements. Renewal can be completed in just a few clicks from your Control Panel.

By renewing in advance, you can:

• Lock in your current rate for the duration you choose
• Extend your subscription for up to 4 additional years
• Continue benefiting from upgraded features, including additional databases and improved support

For long-term projects, renewing now provides cost stability and better visibility on future hosting expenses.

5) A redesigned and strengthened support experience

For many of you, running a website is more than a hobby. It can generate revenue, support clients, or represent your business online. When an issue occurs, you do not want to simply open a ticket. You expect clear guidance and fast resolution. We have listened to this feedback and are strengthening our support services to be easier to reach, faster to respond, and more helpful when you need expert advice.

Here is how your day-to-day support experience will evolve:

Support whenever you need it
We are progressively rolling out 24/7 availability, with expanded contact channels so you can reach us at any time, whether you are launching a new site, managing an urgent issue, or looking for guidance.

Faster responses
An improved live chat experience will allow you to connect quickly with our teams and receive clear answers with reduced waiting times.

Simplified human interaction
You will be able to call us directly from your browser and request a callback from one of our agents, allowing you to receive assistance in the way that suits you best.

Stronger guidance and follow-up
We are adopting a more proactive support approach, focused not only on resolving issues but also on advising you and helping you move your projects forward with confidence.

Our objective is straightforward: make it easier and faster for you to get help when you need it. Whether you are launching a new website, managing updates, or troubleshooting an issue, we are continuously investing to deliver a smoother customer experience.

These improvements reflect our commitment to supporting both beginners and advanced users with reliable and accessible assistance. They are currently being prepared and will be progressively deployed to ensure quality and stability.

6) Dedicated offers for Partners and Agencies (coming soon)

Some customers go beyond managing their own websites. They design, deploy, and resell complete web environments for their clients, including hosting, domain names, email services, and other solutions, sometimes under their own brand. Resellers and agencies often operate across the entire OVHcloud ecosystem and require solutions adapted to multi-client and multi-service environments.

Managing a Web Cloud portfolio typically involves:

• Coordinating updates across multiple customer environments
• Ensuring availability and performance across all hosted projects
• Responding quickly when customer services are impacted
• Optimizing costs and margins across service portfolios

We are preparing a dedicated offer designed specifically for these use cases.
This upcoming partner offering will include:

• Premium and prioritized support with clearer escalation paths for business-critical situations
• Preferential pricing tailored to multi-product portfolios
• Management tools designed for agencies to simplify deployment, monitoring, and maintenance across multiple services for your multiple customers. 

More details will be shared soon. We look forward to developing this offer in collaboration with our partner ecosystem.

7) New features

We are continuously improving our Web Hosting platform, and several major enhancements are already underway.

We have recently completed a full renewal of our compute infrastructure to deliver improved performance and reliability across all hosted websites. Read more about it on our dedicated blog article.

We are also currently replacing our storage infrastructure with the same objective: delivering improved performance, resilience, and long-term data reliability.

These infrastructure upgrades are part of a broader and transparent product roadmap. We openly share our development priorities so you can track ongoing and upcoming improvements.

Beyond infrastructure, upcoming enhancements include:

• Simplified WordPress management through Managed Hosting for WordPress (currently available in beta), providing increased automation and easier daily administration.
• Our new video hosting solution designed to deliver media content without relying on third-party platforms. Discover the Video Center!
• New AI-powered features to help manage, optimize, and secure your websites

Our commitment to you

Whether you are running a personal website, launching a business, or managing multiple projects, our objective remains unchanged: deliver a powerful, reliable, and cost-efficient platform that supports your growth over time and continuously improve your hosting experience with practical features that simplify daily management while strengthening performance and reliability.