<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Security Archives - OVHcloud Blog</title>
	<atom:link href="https://blog.ovhcloud.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>https://blog.ovhcloud.com/tag/security/</link>
	<description>Innovation for Freedom</description>
	<lastBuildDate>Thu, 02 Jul 2026 15:04:27 +0000</lastBuildDate>
	<language>en-GB</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=7.0</generator>

<image>
	<url>https://blog.ovhcloud.com/wp-content/uploads/2019/07/cropped-cropped-nouveau-logo-ovh-rebranding-32x32.gif</url>
	<title>Security Archives - OVHcloud Blog</title>
	<link>https://blog.ovhcloud.com/tag/security/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>How AI cybersecurity training and OVHcloud are helping to prepare the next generation of SecDevOps engineers</title>
		<link>https://blog.ovhcloud.com/ai-cybersecurity-training-secdevops/</link>
		
		<dc:creator><![CDATA[Elena Luoto&nbsp;and&nbsp;Charles Denechere]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 13:42:19 +0000</pubDate>
				<category><![CDATA[Education]]></category>
		<category><![CDATA[OVHcloud]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=32662</guid>

					<description><![CDATA[As both the cyberattack cause and cure, ever-expanding AI has been transforming cybersecurity from both sides of the battlefield. Organizations [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fai-cybersecurity-training-secdevops%2F&amp;action_name=How%20AI%20cybersecurity%20training%20and%20OVHcloud%20are%20helping%20to%20prepare%20the%20next%20generation%20of%20SecDevOps%20engineers&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-full"><img fetchpriority="high" decoding="async" width="948" height="533" src="https://blog.ovhcloud.com/wp-content/uploads/2026/07/ovhcloud-epita-secdevops-hackathon.jpeg" alt="Students collaborate during the OVHcloud x EPITA Rennes SecDevOps hackathon." class="wp-image-32664" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/07/ovhcloud-epita-secdevops-hackathon.jpeg 948w, https://blog.ovhcloud.com/wp-content/uploads/2026/07/ovhcloud-epita-secdevops-hackathon-300x169.jpeg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/07/ovhcloud-epita-secdevops-hackathon-768x432.jpeg 768w" sizes="(max-width: 948px) 100vw, 948px" /></figure>



<p class="wp-block-paragraph">As both the cyberattack cause and cure, ever-expanding AI has been transforming cybersecurity from both sides of the battlefield. Organizations increasingly use AI to detect threats and automate security operations, but just as rapidly, attackers are also adopting AI to generate malware, accelerate phishing campaigns, and probe systems at scale.</p>



<p class="wp-block-paragraph"><em>As cyber threa</em><em>ts evolve, cybersecurity education must evolve with them. Accordingly, future security engineers need more than theoretical knowledge — they need hands-on experience building and defending modern cloud environments against increasingly intelligent attacks.</em></p>



<p class="wp-block-paragraph">This was the exact goal of the recent OVHcloud x EPITA Rennes SecDevOps Hackathon. Students spent three days developing cloud-native security solutions designed for an AI-driven threat landscape, helping train the next generation of tech talent.</p>



<h2 class="wp-block-heading">Why AI is changing cybersecurity education</h2>



<p class="wp-block-paragraph">Traditional cybersecurity education often focuses on known attack patterns or defensive tools in isolation. But today&#8217;s security teams are operating in a very different reality.</p>



<p class="wp-block-paragraph">Analysts now work across AI-assisted detection systems, cloud-native infrastructure, threat intelligence platforms, and automated incident response workflows. At the same time, attackers are using AI to automate reconnaissance, generate convincing phishing content, and adapt their techniques faster.</p>



<p class="wp-block-paragraph">Preparing students for this environment means moving beyond classroom theory. They need realistic infrastructure, collaborative development, and hands-on security engineering under real technical constraints.</p>



<p class="wp-block-paragraph">That is where hackathons can make the difference: they push students to solve practical cybersecurity problems in conditions much closer to the ones they will face in the field.</p>



<h2 class="wp-block-heading">Building cloud-native security solutions</h2>



<p class="wp-block-paragraph">As part of the OVHcloud Education program, students from EPITA Rennes&#8217; SecDevOps major were given access to OVHcloud Public Cloud infrastructure alongside AI credits and development resources. Working in teams, they designed, tested, and deployed solutions capable of addressing emerging cybersecurity challenges while operating in production-like cloud environments. Rather than focusing on theoretical concepts, every project tackled practical problems security teams increasingly encounter today.</p>



<h2 class="wp-block-heading">Rethinking cyberdefense in the age of AI</h2>



<p class="wp-block-paragraph"><em>Several projects reflected how defensive security is evolving alongside AI:</em></p>



<h3 class="wp-block-heading">MIR[AI]GE: turning AI attackers against themselves</h3>



<p class="wp-block-paragraph">Awarded Best Technical Project, MIR[AI]GE explored a proactive approach to defending against autonomous AI attacks.</p>



<p class="wp-block-paragraph">Instead of simply blocking malicious activity, the platform detects offensive AI agents and redirects them into isolated honeypot containers filled with realistic — but entirely fake — data.</p>



<p class="wp-block-paragraph">The objective is not only to stop the attack but also to waste the attacker&#8217;s computing resources while gathering valuable behavioral information.</p>



<p class="wp-block-paragraph">As AI-generated attacks become more sophisticated, deception technologies like honeypots are becoming increasingly valuable components of modern cyberdefense strategies.</p>



<p class="wp-block-paragraph">Find out more:<a href="https://miraige.vercel.app/" type="link" id="https://miraige.vercel.app/" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer"> <a href="https://miraige.vercel.app/" type="link" id="https://miraige.vercel.app/">miraige.vercel.app</a></a></p>



<h3 class="wp-block-heading">Honeymind: threat intelligence from attacker behavior</h3>



<p class="wp-block-paragraph">Winner of the Best Presentation Award, Honeymind focused on generating actionable threat intelligence.</p>



<p class="wp-block-paragraph">The team developed an internet-facing honeypot capable of analyzing attacker requests before enriching the collected data with AI, improving deception techniques and producing insights that security operations teams could use during incident response.</p>



<p class="wp-block-paragraph">Projects like this demonstrate how AI can support defenders — not only by automating analysis but by making security systems themselves more adaptive.</p>



<p class="wp-block-paragraph">Discover the repository: <a href="https://github.com/al2al85/HoneyMind" type="link" id="https://github.com/al2al85/HoneyMind" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">github.com/al2al85/</a><a href="https://github.com/al2al85/HoneyMind" type="link" id="https://github.com/al2al85/HoneyMind" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">HoneyMind</a></p>



<h3 class="wp-block-heading">Other innovative approaches</h3>



<p class="wp-block-paragraph"><em>Other teams explored complementary security challenges:</em></p>



<p class="wp-block-paragraph">Winnie developed a bounce honeypot that guides attackers through AI-generated environments inspired by the MITRE ATT&amp;CK framework.</p>



<p class="wp-block-paragraph">Meanwhile, SRE-squad created an assistant designed for SOC analysts, helping correlate logs with operational runbooks and prioritize alerts in environments increasingly flooded with AI-generated attack traffic.</p>



<p class="wp-block-paragraph">Together, these projects illustrate how future security professionals are beginning to combine cloud infrastructure, automation, and AI into practical defensive workflows.</p>



<h2 class="wp-block-heading">What organizations can learn</h2>



<p class="wp-block-paragraph">While the hackathon centered on students, the technologies they explored mirror challenges many organizations already face.</p>



<p class="wp-block-paragraph">Modern cybersecurity increasingly relies on:</p>



<ul class="wp-block-list">
<li>Cloud-native security architectures</li>



<li>Threat intelligence pipelines</li>



<li>AI-assisted analysis</li>



<li>Deception technologies such as honeypots</li>



<li>Automated security operations</li>
</ul>



<p class="wp-block-paragraph">As these capabilities become mainstream, organizations will need engineers who understand both software development and security engineering — the core principles behind SecDevOps.</p>



<p class="wp-block-paragraph">Providing students with opportunities to build these systems today helps the next generation of cybersecurity professionals prepare for tomorrow&#8217;s threats.</p>



<h2 class="wp-block-heading">Supporting the next generation of security engineers</h2>



<p class="wp-block-paragraph">The OVHcloud Education program aims to bridge academic learning with real-world cloud engineering by giving students access to production-grade infrastructure and practical technical challenges.</p>



<p class="wp-block-paragraph">The hackathon also offered members of the winning teams a fast-track interview with OVHcloud&#8217;s technical recruitment teams for their end-of-studies internships.</p>



<p class="wp-block-paragraph"><em>A special thank you goes to Gabin, Lucas, and Magali, whose mentorship and expertise helped make this year&#8217;s event a success.</em></p>



<p class="wp-block-paragraph"><strong>If you&#8217;re ready to turn AI cybersecurity training into a career, explore opportunities on the <a href="https://careers.ovhcloud.com/en/" type="link" id="https://careers.ovhcloud.com/en/" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">OVHcloud Careers site.</a> And if your institution would like to organize a hackathon with the OVHcloud Education program, we&#8217;d love to hear from you.</strong></p>



<p class="wp-block-paragraph"></p>
<img decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fai-cybersecurity-training-secdevops%2F&amp;action_name=How%20AI%20cybersecurity%20training%20and%20OVHcloud%20are%20helping%20to%20prepare%20the%20next%20generation%20of%20SecDevOps%20engineers&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Secure Image Signing with Cosign and OVHcloud KMS</title>
		<link>https://blog.ovhcloud.com/secure-image-signing-cosign-ovhcloud-kms/</link>
		
		<dc:creator><![CDATA[Aurélie Vache]]></dc:creator>
		<pubDate>Mon, 22 Jun 2026 06:52:50 +0000</pubDate>
				<category><![CDATA[OVHcloud Engineering]]></category>
		<category><![CDATA[Cosign OVHcloud KMS]]></category>
		<category><![CDATA[Open Source]]></category>
		<category><![CDATA[OVHcloud]]></category>
		<category><![CDATA[Public Cloud]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31702</guid>

					<description><![CDATA[Software supply chains have become more complex and increasingly targeted, making container image security a fundamental requirement for building trust [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fsecure-image-signing-cosign-ovhcloud-kms%2F&amp;action_name=Secure%20Image%20Signing%20with%20Cosign%20and%20OVHcloud%20KMS&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image aligncenter size-large is-resized"><img decoding="async" width="1018" height="1024" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-1018x1024.png" alt="" class="wp-image-31768" style="aspect-ratio:0.9941455602881566;width:456px;height:auto" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-1018x1024.png 1018w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-298x300.png 298w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-150x150.png 150w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-768x772.png 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759-70x70.png 70w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Gribouillis-2026-05-07-14.00.13.759.png 1244w" sizes="(max-width: 1018px) 100vw, 1018px" /></figure>



<p class="wp-block-paragraph">Software supply chains have become more complex and increasingly targeted, making container image security a fundamental requirement for building trust in modern delivery pipelines.</p>



<p class="wp-block-paragraph">By signing images with Cosign and protecting signing keys in OVHcloud KMS, teams can keep cryptographic material out of local environments and CI/CD variables, all while making image signing easier to control, audit and integrate into delivery pipelines.</p>



<p class="wp-block-paragraph">In this blog post, you will learn how to use the OVHcloud KMS plugin for Cosign to generate a key, sign a container image with this key and verify that the OCI image has been correctly signed.</p>



<h3 class="wp-block-heading">Cosign</h3>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="399" height="126" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-5.png" alt="" class="wp-image-31741" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-5.png 399w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-5-300x95.png 300w" sizes="auto, (max-width: 399px) 100vw, 399px" /></figure>



<p class="wp-block-paragraph"><a href="https://github.com/sigstore/cosign" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">Cosign</a> is a tool from the <strong>Sigstore</strong> project used to <strong>sign, verify, and attest</strong> OCI container images and software artifacts.</p>



<p class="wp-block-paragraph">Cosign supports several signing modes, including <strong>keyless</strong> signing through Sigstore, where short-lived certificates are generated at signing time based on your identity (via GitHub, Google or another OIDC provider), as well as ephemeral key generation, hardware and <strong>KMS</strong>-backed signing and custom PKI integration.</p>



<p class="wp-block-paragraph"><code>Cosign</code> supports <a href="https://docs.sigstore.dev/cosign/key_management/overview/" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">multiple KMS providers</a> to generate and sign keys. Several external KMS providers are supported, including HashiCorp Vault, AWS KMS, GCP KMS and Azure Key Vault.<br>Cosign can now also be integrated with OVHcloud KMS through the <a href="https://github.com/ovh/sigstore-kms-ovhcloud" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">Sigstore Cosign OVHcloud KMS plugin</a> 💪.</p>



<h3 class="wp-block-heading">OVHcloud Key Management Service (KMS)</h3>



<figure class="wp-block-image aligncenter size-full"><img loading="lazy" decoding="async" width="100" height="101" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/Key-Management-Service-KMS@2x.png" alt="" class="wp-image-31711" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/Key-Management-Service-KMS@2x.png 100w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/Key-Management-Service-KMS@2x-70x70.png 70w" sizes="auto, (max-width: 100px) 100vw, 100px" /></figure>



<p class="wp-block-paragraph"><a href="https://www.ovhcloud.com/en/identity-security-operations/key-management-service/" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">OVHcloud KMS</a>, often called <strong>OKMS</strong>, is a managed service that centralizes the creation, storage, and management of encryption keys. Its main goal is to help businesses secure data and control cryptographic operations from a single platform.</p>



<p class="wp-block-paragraph">Each KMS is associated with a region, so the keys stored in that region are guaranteed to stay in that region. You can order multiple KMSs, either in different regions or in the same region.</p>



<h3 class="wp-block-heading">Prerequisites</h3>



<p class="wp-block-paragraph">To be able to use the Sigstore KMS OVHcloud provider, you need to follow some prerequisites:</p>



<ul class="wp-block-list">
<li>Have an OVHcloud account</li>



<li>Have created an <a href="https://www.ovhcloud.com/en/identity-security-operations/key-management-service/" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">OKMS</a> domain (“<em><code class="">305db938-1234-5678-9012-3a0a29291661</code></em>” for example in this blog post)</li>



<li><a href="https://github.com/ovh/public-cloud-examples/tree/main/iam/create-user-and-generate-pat-token-with-cli" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">Have created an IAM local user</a> (“<em>cosign-</em><code class="">305db938-1234-5678-9012-3a0a29291661</code>” for example in this blog post)</li>



<li>Have installed the <a href="https://github.com/ovh/ovhcloud-cli/?tab=readme-ov-file#installation" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">OVHcloud CLI</a></li>



<li>Have <a href="https://man7.org/linux/man-pages/man1/uuidgen.1.html" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">uuidgen</a> CLI installed</li>
</ul>



<p class="wp-block-paragraph">💡The cosign OVHcloud plugin supports both <code>token</code> and <code>mTLS</code> authentication. For the purposes of this blog post, we will use the token authentication mode. Please follow the <a href="https://external-secrets.io/latest/provider/ovhcloud/" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">Sigstore Cosign KMS plugin for OVHcloud</a> guide if you wish to use mTLS authentication mode.</p>



<h4 class="wp-block-heading">Generate a PAT token (for token authentication only)</h4>



<p class="wp-block-paragraph">List the OKMS domains:</p>



<pre class="wp-block-code"><code class="">$ ovhcloud okms list<br>┌──────────────────────────────────────┬─────────────┐<br>│                  id                  │   region    │<br>├──────────────────────────────────────┼─────────────┤<br>│ 305db938-1234-5678-9012-3a0a29291661 │ eu-west-par │<br>│ xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx │ eu-west-par │<br>└──────────────────────────────────────┴─────────────┘</code></pre>



<p class="wp-block-paragraph">Save the OKMS ID in an environment variable:</p>



<pre class="wp-block-code"><code class="">export KMS_RESTAPI_OKMSID="305db938-1234-5678-9012-3a0a29291661"</code></pre>



<p class="wp-block-paragraph">The cosign OVHcloud plugin needs the permission to create and fetch keys from the OVHcloud KMS.</p>



<p class="wp-block-paragraph">If you want to use token autentication, you’ll need a token (PAT). You can use the <strong>ovhcloud CLI </strong>to do that:</p>



<pre class="wp-block-code"><code class="">PAT_TOKEN=$(ovhcloud iam user token create &lt;iam-local-user-name&gt; --name pat-&lt;iam-local-user-name&gt; --description "PAT cosign for domain $KMS_RESTAPI_OKMSID" -o json  | jq .details.token |  tr -d '"')<br><br>echo $PAT_TOKEN</code></pre>



<p class="wp-block-paragraph">You should have a result like this:</p>



<pre class="wp-block-code"><code class="">$ PAT_TOKEN=$(ovhcloud iam user token create cosign-305db938-1234-5678-9012-3a0a29291661 --name pat-cosign-305db938-1234-5678-9012-3a0a29291661 --description "PAT cosign for domain 305db938-1234-5678-9012-3a0a29291661" -o json  | jq .details.token |  tr -d '"')<br>2026/05/07 08:48:34 Final parameters:<br>{<br> "description": "PAT cosign for domain 305db938-1234-5678-9012-3a0a29291661",<br> "name": "pat-cosign-305db938-1234-5678-9012-3a0a29291661"<br>}<br><br>$ echo $PAT_TOKEN<br>eyJhbGciOiJFZE...ASgXy55_DDFHdy4Z5uSq8lww-Bw</code></pre>



<h4 class="wp-block-heading">Save the KMS information</h4>



<p class="wp-block-paragraph">Save the KMS information in environment variables. For example:</p>



<pre class="wp-block-code"><code class="">export KMS_RESTAPI_ENDPOINT=$(ovhcloud okms get $KMS_RESTAPI_OKMSID -o json | jq .restEndpoint | xargs)<br>export KMS_RESTAPI_TYPE="token"<br>export KMS_RESTAPI_TOKEN=$PAT_TOKEN</code></pre>



<p class="wp-block-paragraph">Display the saved information:</p>



<pre class="wp-block-code"><code class="">$ echo $KMS_RESTAPI_ENDPOINT<br>https://eu-west-par.okms.ovh.net<br><br>$ echo $KMS_RESTAPI_OKMSID<br>305db938-1234-5678-9012-3a0a29291661<br><br>$ echo $KMS_RESTAPI_TYPE<br>token<br><br>$ echo $KMS_RESTAPI_TOKEN<br>eyJ...BIoHCA</code></pre>



<h4 class="wp-block-heading">Cosign KMS plugin installation</h4>



<p class="wp-block-paragraph">Install the plugin locally:</p>



<pre class="wp-block-code"><code class="">curl -fsSL https://raw.githubusercontent.com/ovh/sigstore-kms-ovhcloud/main/install.sh | sh</code></pre>



<p class="wp-block-paragraph">⚠️ The binary is installed in <code>$HOME/.local/bin</code> by default (created if it does not exist). Make sure this directory is in your <code>PATH</code>.</p>



<p class="wp-block-paragraph">Or follow the other <a href="https://github.com/ovh/sigstore-kms-ovhcloud#installation" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">installation methods.</a></p>



<p class="wp-block-paragraph">Now you can use the OVHcloud KMS plugin directly in the cosign command 🎉.</p>



<h3 class="wp-block-heading">Let&#8217;s use Cosign with the OVHcloud KMS!</h3>



<h4 class="wp-block-heading">Generate a key</h4>



<p class="wp-block-paragraph">First, to sign an image, we need to generate a key pair. To do that we need to generate a UUID and use it in the <code>cosign generate-key-pair</code> command.</p>



<pre class="wp-block-code"><code class="">export KEY_ID=$(uuidgen)<br>cosign generate-key-pair --kms ovhcloud://$KEY_ID</code></pre>



<p class="wp-block-paragraph">The signing key is created in OVHcloud KMS, and the public key is written locally.</p>



<p class="wp-block-paragraph">You should see an output like this:</p>



<pre class="wp-block-code"><code class="">$ export KEY_ID=$(uuidgen)<br>$ cosign generate-key-pair --kms ovhcloud://$KEY_ID<br><br>Public key written to cosign.pub</code></pre>



<p class="wp-block-paragraph">The command generates a key pair using the ECDSA algorithm and writes the public key to <code>cosign.pub</code>.</p>



<p class="wp-block-paragraph">Check the keys have been created:</p>



<pre class="wp-block-code"><code class="">$ ls -l cosign.pub<br>-rw-------  1 avache  staff  178 18 juin  16:06 cosign.pub<br><br>$ cat cosign.pub<br><br>-----BEGIN PUBLIC KEY-----<br>MFkw...QgwA==<br>-----END PUBLIC KEY-----<br></code></pre>



<p class="wp-block-paragraph"><br>Once the key pair has been generated, use the corresponding OVHcloud KMS key ID in the <code>ovhcloud://$KEY_ID</code> URI when signing and verifying images.</p>



<h4 class="wp-block-heading">Or get an existing public key (optional)</h4>



<p class="wp-block-paragraph">Instead of creating a new public key, you can retrieve an existing one with the following command:</p>



<pre class="wp-block-code"><code class="">cosign public-key --key ovhcloud://$KEY_ID --outfile cosign-ovhcloud.pub</code></pre>



<h4 class="wp-block-heading">Sign an image</h4>



<p class="wp-block-paragraph">Replace the <code>$IMAGE@sha256:$HASH</code> parameter with the URI to your image and the hash to your image and execute this command:</p>



<pre class="wp-block-code"><code class="">cosign sign --key ovhcloud://$KEY_ID $IMAGE@sha256:$HASH</code></pre>



<p class="wp-block-paragraph">You should see an output like this:</p>



<pre class="wp-block-code"><code class="">$ cosign sign --key ovhcloud://$KEY_ID 12345678.c1.de1.container-registry.ovh.net/my-project/my-image@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx</code></pre>



<figure class="wp-block-image aligncenter size-full is-resized"><img loading="lazy" decoding="async" width="278" height="282" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-6.png" alt="" class="wp-image-31773" style="width:114px;height:auto" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-6.png 278w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/image-6-70x70.png 70w" sizes="auto, (max-width: 278px) 100vw, 278px" /></figure>



<h4 class="wp-block-heading">Verify the image has been signed</h4>



<pre class="wp-block-code"><code class="">cosign verify --key ovhcloud://$KEY_ID $IMAGE@sha256:$HASH</code></pre>



<p class="wp-block-paragraph">You should see an output like this:</p>



<pre class="wp-block-code"><code class="">$ cosign verify --key ovhcloud://$KEY_ID 12345678.c1.de1.container-registry.ovh.net/my-project/my-image@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<br><br>Verification for 12345678.c1.de1.container-registry.ovh.net/my-project/my-image@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx --<br>The following checks were performed on each of these signatures:<br>  - The cosign claims were validated<br>  - Existence of the claims in the transparency log was verified offline<br>  - The signatures were verified against the specified public key<br><br>[{"critical":{"identity":{"docker-reference":"12345678.c1.de1.container-registry.ovh.net/my-project/my-image@sha256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"},"image":{"docker-manifest-digest":"sha256:b1202...2334e2"},"type":"https://sigstore.dev/cosign/sign/v1"},"optional":{}}]</code></pre>



<h3 class="wp-block-heading">Conclusion</h3>



<p class="wp-block-paragraph">In this blog post, we have shown how to use Cosign with the OVHcloud KMS plugin to generate a key pair, sign a container image and verify its signature.</p>



<p class="wp-block-paragraph">By keeping signing keys in a managed KMS, teams can reduce secret sprawl, protect sensitive cryptographic material and make image signing easier to integrate into secure CI/CD workflows.</p>



<p class="wp-block-paragraph">Feel free to take a look at our <a href="https://github.com/orgs/ovh/projects/16" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">Cloud Roadmap &amp; Changelog</a> to follow the latest features coming to OVHcloud Public Cloud products.</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fsecure-image-signing-cosign-ovhcloud-kms%2F&amp;action_name=Secure%20Image%20Signing%20with%20Cosign%20and%20OVHcloud%20KMS&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Développement à distance #3 &#8211; Industrialisation et automatisation</title>
		<link>https://blog.ovhcloud.com/developpement-distance-3-industrialisation-automatisation/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Wed, 13 May 2026 08:06:26 +0000</pubDate>
				<category><![CDATA[OVHcloud en Français]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31558</guid>

					<description><![CDATA[Après avoir configuré votre serveur manuellement, pas à pas, il est temps d’automatiser tout le processus. L’idée est simple&#160;: décrire [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-3-industrialisation-automatisation%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%233%20%26%238211%3B%20Industrialisation%20et%20automatisation&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1536" height="1024" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-1024x683.jpg" alt="" class="wp-image-31559" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3.jpg 1536w" sizes="auto, (max-width: 1536px) 100vw, 1536px" /></figure>



<p class="wp-block-paragraph">Après avoir <a href="https://blog.ovhcloud.com/developpement-distance-2-securisation-performance/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">configuré votre serveur manuellement</a>, pas à pas, il est temps d’automatiser tout le processus.</p>



<p class="wp-block-paragraph">L’idée est simple&nbsp;: décrire votre infrastructure dans des fichiers de configuration et laisser <strong>Terraform</strong> s’occuper de commander les ressources chez <strong>OVHcloud</strong>.<br><br>Voici un guide d’introduction à Terraform, avec de nombreuses informations utiles&nbsp;: <a href="https://support.us.ovhcloud.com/hc/en-us/articles/22648864003219-Using-Terraform-with-OVHcloud" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://support.us.ovhcloud.com/hc/en-us/articles/22648864003219-Using-Terraform-with-OVHcloud</a>.<br>Ainsi que le lien vers le fournisseur officiel Terraform d’OVHcloud&nbsp;: <a href="https://registry.terraform.io/providers/ovh/ovh/latest" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://registry.terraform.io/providers/ovh/ovh/latest</a><br><br>Il existe deux étapes à l’automatisation du déploiement&nbsp;:</p>



<ul class="wp-block-list">
<li>déploiement de l’instance Public Cloud&nbsp;;</li>



<li>déploiement de la partie applicative (vscode-server) et sa configuration.</li>
</ul>



<h2 class="wp-block-heading">1. Le cœur de l’automatisation&nbsp;: le script Cloud-init</h2>



<p class="wp-block-paragraph">Avant de parler de Terraform, il est nécessaire de comprendre comment le serveur s’auto-configure lors de son initialisation.<br>Pour cela, utilisez <code>cloud-init</code>, un standard qui permet d’exécuter des scripts dès le premier démarrage de l’instance.</p>



<p class="wp-block-paragraph"><strong>Ce que vous allez automatiser dans ce script&nbsp;:</strong></p>



<ul class="wp-block-list">
<li>la mise à jour du système (<code>apt update/upgrade</code>)&nbsp;;</li>



<li>l’installation de <code>code-server</code> via le script officiel&nbsp;;</li>



<li>l’installation et la configuration de <strong>Caddy</strong> (pour le SSL automatique)&nbsp;;</li>



<li>la configuration du pare-feu <strong>UFW</strong>.</li>
</ul>



<p class="wp-block-paragraph">Ce type de fichier possède une syntaxe bien particulière, le cloud-config.yaml sera à disposition plus bas.</p>



<p class="wp-block-paragraph">Toutefois, l’important à retenir est&nbsp;: pourquoi utiliser ce format&nbsp;?</p>



<ul class="wp-block-list">
<li><strong>Idempotence&nbsp;:</strong> le <code>cloud-init</code> s’assure que tout est prêt dès le premier boot.</li>



<li><strong>Sécurité dès la naissance&nbsp;:</strong> le pare-feu <code>ufw</code> est activé immédiatement, réduisant la fenêtre d’exposition.</li>



<li><strong>Intégration Terraform&nbsp;:</strong> une seule ligne est nécessaire pour l’inclure&nbsp;: <code>user_data = file("cloud-config.yaml")</code></li>
</ul>



<h2 class="wp-block-heading">2. Utilisation de Terraform pour le déploiement</h2>



<p class="wp-block-paragraph">Terraform permet d’obtenir un démarrage de l’instance bien plus aisé et rapide.<br>Sa configuration, quant à elle, comporte plusieurs avantages&nbsp;:</p>



<ul class="wp-block-list">
<li><strong>persistance des données.</strong> Un <code>terraform destroy</code> de l’instance pourra conserver le volume de données (but fixé dans le chapitre 2)&nbsp;;</li>



<li><strong>évolutivité.</strong> Si le projet grossit, la taille du volume et/ou la flavor peuvent être modulées&nbsp;;</li>



<li><strong>portabilité.</strong> Le volume de données peut être démonté et remonté sur une autre machine.</li>
</ul>



<p class="wp-block-paragraph">Pour garder ce billet court, pas de copier-coller de code, mais un lien vers un repository GitHub avec tout le nécessaire pour déployer ceci en quelques minutes&nbsp;:<br><a href="https://github.com/RemyAtOVH/blogpost-dev-server" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://github.com/RemyAtOVH/blogpost-dev-server</a></p>



<p class="wp-block-paragraph">Son utilisation&nbsp;:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>ubuntu@vscode-server:~$ source openrc.production.sh<br>ubuntu@vscode-server:~$ terraform init<br>ubuntu@vscode-server:~$ terraform plan<br>ubuntu@vscode-server:~$ terraform apply<br>[…]<br>Apply complete! Resources: 4 added, 0 changed, 0 destroyed.<br>Outputs:instance_ip = &#8220;XXX.XXX.XXX.XXX&#8221;</strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Avant l’application du cloud-init (ou sans), on constate bien un volume secondaire <strong>/dev/sdb</strong>, de taille correspondant aux spécifications de Terraform&nbsp;:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong><strong>ubuntu@vscode-server-automated:~$ lsblk</strong></strong><br><strong><strong>NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS<br>[&#8230;]<br>sda       8:0    0   25G  0 disk <br>[&#8230;]<br>sdb       8:16   0   10G  0 disk </strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">C’est lui qui assurera la persistance des données.</p>



<p class="wp-block-paragraph">Vous pourriez tout à fait effectuer manuellement la suppression de l’instance et des autres composants, sans toutefois le supprimer lui.<br>Pour éviter toute suppression en cas de «&nbsp;terraform destroy&nbsp;», un paramètre a été ajouté&nbsp;:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>lifecycle { prevent_destroy = true }</strong><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Lors du premier démarrage, les différents scripts d’installation pouvant prendre du temps, vous pouvez en vérifier les étapes d’un simple <em>tail&nbsp;</em>:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>ubuntu@vscode-server-automated:<strong>~</strong>$ tail -f /var/log/cloud-init-output.log</strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Une fois le cloud-init exécuté automatiquement, tout ce qui a pu être mis en place manuellement dans les chapitres précédents a été fait. Et ce, de façon automatique et reproductible&nbsp;!</p>



<p class="wp-block-paragraph">Il sera donc possible, sous réserve de quelques minutes d’exécution, de déployer cet environnement de développement distant personnalisé si besoin et potentiellement le supprimer après quelques heures ou jours d’utilisation.</p>



<p class="wp-block-paragraph">Dans cette série de chapitres, nous avons transformé une simple idée, disposer de son VS Code partout, en une infrastructure de niveau professionnel, automatisée et résiliente.<br>Retrouvez ci-dessous les étapes et le chemin parcouru.</p>



<ul class="wp-block-list">
<li><strong><a href="https://blog.ovhcloud.com/developpement-distance-1-premier-deploiement/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">Chapitre 1</a>&nbsp;:</strong> premiers pas en installation manuelle pour comprendre la mécanique de&nbsp;<code>code-server</code>.</li>



<li><strong><a href="https://blog.ovhcloud.com/developpement-distance-2-securisation-performance/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">Chapitre 2</a>&nbsp;:</strong> sécurisation, avec utilisation d’un Reverse Proxy (Caddy) et d’un pare-feu (UFW) pour naviguer sereinement en HTTPS.</li>



<li><strong>Chapitre 3&nbsp;:</strong> cet article, utilisant Terraform et OpenStack, pour une meilleure reproductibilité.</li>
</ul>



<p class="wp-block-paragraph">L’automatisation que nous avons mise en place avec un déploiement chez OVHcloud en utilisant Public Cloud reposant sur OpenStack, constitue une base solide.</p>



<p class="wp-block-paragraph">À partir d’ici, il est possible d’aller encore plus loin&nbsp;: ajouter une sauvegarde automatique de vos volumes (snapshotting), coupler cela à un pipeline CI/CD ou même explorer le déploiement de cet environnement via docker-compose, ou même Kubernetes.</p>



<p class="wp-block-paragraph">Retrouvez prochainement une version vidéo de ces billets de blog, étape par étape, sur notre <a href="https://www.youtube.com/@ovhgroup" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">chaîne YouTube</a>. Restez à l’écoute&nbsp;!</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-3-industrialisation-automatisation%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%233%20%26%238211%3B%20Industrialisation%20et%20automatisation&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Remote development #3 &#8211; Industrialisation and Automation</title>
		<link>https://blog.ovhcloud.com/remote-development-3-industrialisation-automation/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Wed, 13 May 2026 08:05:05 +0000</pubDate>
				<category><![CDATA[OVHcloud Engineering]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31565</guid>

					<description><![CDATA[After manually configuring your server step by step, it’s time to automate the entire process. The idea is simple: describe [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-3-industrialisation-automation%2F&amp;action_name=Remote%20development%20%233%20%26%238211%3B%20Industrialisation%20and%20Automation&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1536" height="1024" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-1024x683.jpg" alt="" class="wp-image-31559" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/3.jpg 1536w" sizes="auto, (max-width: 1536px) 100vw, 1536px" /></figure>



<p class="wp-block-paragraph">After <a href="https://blog.ovhcloud.com/remote-development-2-security-performance/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">manually configuring your server</a> step by step, it’s time to automate the entire process.</p>



<p class="wp-block-paragraph">The idea is simple: describe your infrastructure in configuration files and let <strong>Terraform</strong> take care of managing the resources at <strong>OVHcloud</strong>.<br><br>Here is an introductory guide to Terraform, with plenty of useful information: <a href="https://support.us.ovhcloud.com/hc/en-us/articles/22648864003219-Using-Terraform-with-OVHcloud" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://support.us.ovhcloud.com/hc/en-us/articles/22648864003219-Using-Terraform-with-OVHcloud</a>.<br>As well as the link to OVHcloud’s official Terraform provider: <a href="https://registry.terraform.io/providers/ovh/ovh/latest" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://registry.terraform.io/providers/ovh/ovh/latest</a><br><br>There are two steps to automating the deployment:</p>



<ul class="wp-block-list">
<li>Deployment of the Public Cloud instance</li>



<li>Deployment of the application part (vscode-server) and its configuration</li>
</ul>



<h2 class="wp-block-heading">1. The heart of the automation: the Cloud-init script</h2>



<p class="wp-block-paragraph">Before we move onto Terraform, we need to understand how the server self-configures during its initialisation.<br>To do this, use <code>cloud-init</code>, a standard that allows scripts to be executed from the first boot of the instance.</p>



<p class="wp-block-paragraph"><strong>What you will automate in this script:</strong></p>



<ul class="wp-block-list">
<li>The system update (<code>apt update/upgrade</code>)</li>



<li>The installation of <code>code-server</code> via the official script</li>



<li>The installation and configuration of <strong>Caddy</strong> (for automatic SSL)</li>



<li>The configuration of the Uncomplicated Firewall (<strong>UFW</strong>)</li>
</ul>



<p class="wp-block-paragraph">This type of file has a very particular syntax; the cloud-config.yaml will be available further down.</p>



<p class="wp-block-paragraph">However, the important point to remember is: why use this format?</p>



<ul class="wp-block-list">
<li><strong>Idempotence:</strong> <code>cloud-init</code> ensures that everything is ready from the first boot.</li>



<li><strong>Security from the outset:</strong> the <code>UFW</code> is activated immediately, reducing the exposure window.</li>



<li><strong>Terraform Integration:</strong> a single line is required to include this: <code>user_data = file("cloud-config.yaml")</code></li>
</ul>



<h2 class="wp-block-heading">2. Using Terraform for deployment</h2>



<p class="wp-block-paragraph">Terraform allows for a much easier and quicker instance startup.<br>Its configuration also has several advantages:</p>



<ul class="wp-block-list">
<li><strong>Persistent data:</strong> a <code>terraform destroy</code> of the instance can retain the data volume (goal set in chapter 2)</li>



<li><strong>Scalability:</strong> if the project grows, the size of the volume and/or the flavour can be adjusted</li>



<li><strong>Portability:</strong> the data volume can be unmounted and remounted on another machine.</li>
</ul>



<p class="wp-block-paragraph">To keep this post brief we won’t copy-paste the code here, but this link to a GitHub repository contains everything needed to deploy this in a few minutes:<br><a href="https://github.com/RemyAtOVH/blogpost-dev-server" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://github.com/RemyAtOVH/blogpost-dev-server</a></p>



<p class="wp-block-paragraph">Its usage:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>u</strong><code><strong>ubuntu@vscode-server:~$ source openrc.production.sh<br>ubuntu@vscode-server:~$ terraform init<br>ubuntu@vscode-server:~$ terraform plan<br>ubuntu@vscode-server:~$ terraform apply<br>[...]<br>Apply complete! Resources: 4 added, 0 changed, 0 destroyed.</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Before applying cloud-init (or without it), there is a secondary volume <strong>/dev/sdb</strong>, sized according to Terraform specifications:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>ubuntu@vscode-server-automated:~$ lsblk</strong><br><strong>NAME    MAJ:MIN RM  SIZE RO TYPE MOUNTPOINTS<br>[&#8230;]<br>sda       8:0    0   25G  0 disk <br>[&#8230;]<br>sdb       8:16   0   10G  0 disk </strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">This is what will ensure data persistence.</p>



<p class="wp-block-paragraph">You could manually delete the instance and other components, without deleting it.<br>To prevent any deletion in the event of “terraform destroy”, a parameter has been added:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong>lifecycle { prevent_destroy = true }</strong><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">During the first startup, the various installation scripts may take time. You can check their steps with a simple tail:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong><strong>ubuntu@vscode-server-automated:<strong>~</strong>$ tail -f /var/log/cloud-init-output.log</strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Once cloud-init has been executed automatically, everything that could have been set up manually in the previous chapters has been done automatically, in a way that can be reproduced!</p>



<p class="wp-block-paragraph">It will therefore be possible to deploy this customised remote development environment if needed (with a few minutes of execution) and potentially delete it after a few hours or days of use.</p>



<p class="wp-block-paragraph">In this series of chapters, we have transformed a simple idea – having access to VS Code wherever you are – into a professional-grade, automated and resilient infrastructure.<br>Below are the steps involved and the progress so far.</p>



<ul class="wp-block-list">
<li><strong><a href="https://blog.ovhcloud.com/remote-development-1-first-deployment/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">Chapter 1</a>:</strong> first steps in manual installation to understand the mechanics of <code>code-server</code>.</li>



<li><strong><a href="https://blog.ovhcloud.com/remote-development-2-security-performance/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">Chapter 2</a>:</strong> making it secure, using a Reverse Proxy (Caddy) and a firewall (UFW) to navigate smoothly in HTTPS.</li>



<li><strong>Chapter 3:</strong> this article, in which we’ll use Terraform and OpenStack for better reproducibility.</li>
</ul>



<p class="wp-block-paragraph">The automation we have implemented with an OVHcloud deployment using an OpenStack-based Public Cloud provides a solid foundation.</p>



<p class="wp-block-paragraph">From here, you can go even further: add automatic backups of your volumes (snapshotting), couple this with a CI/CD pipeline, or even explore deploying this environment via docker-compose or even Kubernetes.</p>



<p class="wp-block-paragraph">A step-by-step video version of these blog posts will soon be available on our <a href="https://youtube.com/@ovhgroup" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">YouTube channel</a>. Stay tuned!</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-3-industrialisation-automation%2F&amp;action_name=Remote%20development%20%233%20%26%238211%3B%20Industrialisation%20and%20Automation&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Remote development #2 &#8211; Security and Performance</title>
		<link>https://blog.ovhcloud.com/remote-development-2-security-performance/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Mon, 11 May 2026 16:00:02 +0000</pubDate>
				<category><![CDATA[OVHcloud Engineering]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31546</guid>

					<description><![CDATA[In the previous chapter, we started the VSCode Server on a remote instance. That’s a win. However, as it stands, [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-2-security-performance%2F&amp;action_name=Remote%20development%20%232%20%26%238211%3B%20Security%20and%20Performance&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1-1024x683.jpg" alt="" class="wp-image-31555" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1.jpg 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">In the <a href="https://blog.ovhcloud.com/remote-development-1-first-deployment/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">previous chapter</a>, we started the VSCode Server on a remote instance.</p>



<p class="wp-block-paragraph">That’s a win. However, as it stands, your installation is vulnerable, or at least not optimally secured. Traffic is being sent in clear (HTTP) and port 8080 is exposed to anyone scanning our IP address.</p>



<p class="wp-block-paragraph">To transform this prototype into a daily working tool, we need to set up a Reverse Proxy.<br>Its role is simple: to intercept secure connections (HTTPS) on the standard port 443 and redirect them locally to our service.</p>



<h2 class="wp-block-heading">1. Prerequisites: securing the network part</h2>



<p class="wp-block-paragraph">First and foremost, we need to instruct code-server to no longer listen for connections from outside, but only to those coming from the machine itself (the proxy).</p>



<p class="wp-block-paragraph">Modify your configuration file: nano ~/.config/code-server/config.yaml</p>



<p class="wp-block-paragraph">Change the line &#8220;bind-addr&#8221; as follows:&nbsp;</p>



<p class="wp-block-paragraph"><code>bind-addr: 127.0.0.1:8080</code></p>



<p class="wp-block-paragraph">Then restart the service.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl restart code-server@$USER</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">This will ensure that vscode-server will indeed only “listen” locally and cannot be contacted directly from outside.</p>



<h2 class="wp-block-heading">2. Implement the reverse proxy</h2>



<p class="wp-block-paragraph">Here, you have two choices:</p>



<ul class="wp-block-list">
<li>NGINX, which has been the standard choice for many years</li>



<li>Caddy, which has a more simplistic (but comprehensive) and newer approach.</li>
</ul>



<p class="wp-block-paragraph">For this blog post, we have selected Caddy for the example and to familiarise ourselves if we have not already!</p>



<p class="wp-block-paragraph">Caddy natively manages SSL certificate renewal – which can be done through OVHcloud!</p>



<p class="wp-block-paragraph"><strong>Installation (Debian/Ubuntu)</strong></p>



<p class="wp-block-paragraph">You will find more comprehensive documentation for other systems or installation methods in the official documentation: <a href="https://caddyserver.com/docs/install" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://caddyserver.com/docs/install</a>.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https</strong></code><br><code><strong>ubuntu@vscode-server:~$ curl -1sLf </strong></code><strong>&#8216;https://dl.cloudsmith.io/public/caddy/stable/gpg.key&#8217;</strong><code><strong>| sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg</strong></code><br><code><strong>ubuntu@vscode-server:~$ curl -1sLf </strong></code><strong>&#8216;https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt&#8217;</strong><code><strong>| sudo tee /etc/apt/sources.list.d/caddy-stable.list</strong></code><br><code><strong>ubuntu@vscode-server:~$ sudo apt update &amp;&amp; sudo apt install caddy -y</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph"><strong>Configuration: </strong>modify the file <code>/etc/caddy/Caddyfile</code> (clear it and replace it with this):</p>



<p class="wp-block-paragraph"><em>Replace “<strong>dev.your-domain.uk</strong>” with your own domain name, with the subdomain of your choice pointing to the IP of the instance.</em></p>



<ul class="wp-block-list">
<li>Simple configuration only on HTTP port (80)</li>
</ul>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><strong><strong>dev.your-domain.uk {<br>    reverse_proxy 127.0.0.1:8080<br>}</strong></strong></td></tr></tbody></table></figure>



<ul class="wp-block-list">
<li>Recommended configuration on HTTPS port (443), using a domain hosted with OVHcloud.</li>
</ul>



<p class="wp-block-paragraph">For creating OVHcloud API tokens, you can refer to this page: <a href="https://eu.api.ovh.com/createToken/" target="_blank" rel="noreferrer noopener" data-wpel-link="exclude">https://eu.api.ovh.com/createToken/</a>.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>dev.your-domain.uk </strong></code><strong>{<br>&nbsp; &nbsp; tls {<br>&nbsp; &nbsp; &nbsp; &nbsp; dns ovh {<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; endpoint &#8220;ovh-eu&#8221;<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; application_key {$OVH_APPLICATION_KEY}<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; application_secret {$OVH_APPLICATION_SECRET}<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; consumer_key {$OVH_CONSUMER_KEY}<br>&nbsp; &nbsp; &nbsp; &nbsp; }<br>&nbsp; &nbsp; }<br>&nbsp;&nbsp;&nbsp; reverse_proxy&nbsp;<code>127.0.0.1:8080</code><br>}</strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph"><em>For further details regarding SSL certificate management, consult the official Caddy documentation.<br>Application:</em></p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl reload caddy</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">If you have opted for the recommended configuration in HTTPS, your environment is now protected by robust SSL encryption.</p>



<p class="wp-block-paragraph">You are no longer at risk of having your password intercepted on public Wi-Fi, which is a considerable step towards our goal.</p>



<h2 class="wp-block-heading">3. Network and firewall</h2>



<p class="wp-block-paragraph">Now that the access point is unique via the HTTPS URL configured just above, the rest of the ports, except for SSH, can be closed.</p>



<p class="wp-block-paragraph">Now, implement the basic rules in the firewall. On Ubuntu, the standard tool is <strong>UFW</strong> (Uncomplicated Firewall).</p>



<p class="wp-block-paragraph">Start by opening the ports related to the functional services.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw allow ssh<br>ubuntu@vscode-server:~$ sudo ufw allow http<br>ubuntu@vscode-server:~$ sudo ufw allow https</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Activate the firewall:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw enable</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Check the implementation of the rules.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw status<br>Status: active</strong></code><br><code><strong>To &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Action &nbsp; &nbsp; &nbsp;From<br>-- &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ------ &nbsp; &nbsp; &nbsp;----<br>22/tcp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>80/tcp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>443 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>45876 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>22/tcp (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>80/tcp (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>443 (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>45876 (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">You can also add stricter rules to explicitly reject anything unauthorised in incoming traffic while generally authorising outgoing traffic.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw default deny incoming<br>ubuntu@vscode-server:~$ sudo ufw default allow outgoing</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">From now on, if someone attempts to access the IP on port <code>8080</code>, the connection will be outright rejected.</p>



<p class="wp-block-paragraph">Only the domain name in HTTPS is the legitimate entry point.<br>This handy little development server now feels more like a fortress.&nbsp;<br><br>But what happens if you decide to delete this instance to move to a more powerful one and/or stop it for an indefinite period, as your project is on hold?</p>



<p class="wp-block-paragraph">This is what you will find out in the next part: how to <strong>isolate your data and configurations</strong> on a persistent storage volume to make your environment completely interchangeable, but also how to <strong>automate the deploymen</strong> of this development environment!</p>



<p class="wp-block-paragraph">The ultimate goal is for a simple <code>terraform apply</code> command to to be enough to generate a development environment that’s ready to use in under two minutes.</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-2-security-performance%2F&amp;action_name=Remote%20development%20%232%20%26%238211%3B%20Security%20and%20Performance&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Développement à distance #2 &#8211; Sécurisation et performance</title>
		<link>https://blog.ovhcloud.com/developpement-distance-2-securisation-performance/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Mon, 11 May 2026 15:58:04 +0000</pubDate>
				<category><![CDATA[OVHcloud en Français]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31371</guid>

					<description><![CDATA[Dans le chapitre précédent, nous avons démarré VSCode Server sur une instance distante. C’est une victoire. Mais en l’état, votre [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-2-securisation-performance%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%232%20%26%238211%3B%20S%C3%A9curisation%20et%20performance&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1024x683.jpg" alt="" class="wp-image-31554" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/2.jpg 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Dans le <a href="https://blog.ovhcloud.com/developpement-distance-1-premier-deploiement/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">chapitre précédent</a>, nous avons démarré VSCode Server sur une instance distante.</p>



<p class="wp-block-paragraph">C’est une victoire. Mais en l’état, votre installation est vulnérable, ou du moins non sécurisée de façon optimale. Le trafic circule donc en clair (HTTP) et le port 8080 est exposé à quiconque scanne notre adresse IP.</p>



<p class="wp-block-paragraph">Pour transformer ce prototype en un outil de travail quotidien, il est indispensable de mettre en place un Reverse Proxy.</p>



<p class="wp-block-paragraph">Son rôle est simple : intercepter les connexions sécurisées (HTTPS) sur le port standard 443 et les rediriger localement vers notre service.</p>



<h2 class="wp-block-heading">1. Prérequis&nbsp;: verrouiller la partie réseau</h2>



<p class="wp-block-paragraph">Avant toute chose, il est nécessaire de demander à code-server de ne plus écouter les connexions venant de l’extérieur, mais uniquement celles venant de la machine elle-même (le proxy).</p>



<p class="wp-block-paragraph">Modifiez votre fichier de configuration : nano ~/.config/code-server/config.yaml</p>



<p class="wp-block-paragraph">Modifiez la ligne « bind-addr » comme suit :</p>



<p class="wp-block-paragraph"><code>bind-addr: 127.0.0.1:8080</code></p>



<p class="wp-block-paragraph">Puis redémarrez le service.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl restart code-server@$USER</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Ceci aura pour effet d’avoir la certitude que vscode-server «&nbsp;écoutera&nbsp;» bien uniquement en local et ne pourra pas être contacté directement de l’extérieur</p>



<h2 class="wp-block-heading">2. Implémenter le reverse proxy</h2>



<p class="wp-block-paragraph">Ici, vous avez deux choix&nbsp;:</p>



<ul class="wp-block-list">
<li>nginx constitue le choix standard depuis de nombreuses années&nbsp;;</li>



<li>Caddy, avec une approche plus simpliste (mais complète) et récente.</li>
</ul>



<p class="wp-block-paragraph">Pour ce billet de blog, nous avons sélectionné Caddy pour l’exemple et se familiariser si ce n’est pas déjà le cas !</p>



<p class="wp-block-paragraph">Caddy sait nativement gérer l’implémentation du renouvellement de certificats SSL. Le tout, avec OVHcloud !</p>



<p class="wp-block-paragraph"><strong>Installation (Debian/Ubuntu</strong></p>



<p class="wp-block-paragraph">Vous pourrez trouver une documentation plus complète pour d’autres systèmes, ou méthodes d’installation dans la documentation officielle : <a href="https://caddyserver.com/docs/install" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://caddyserver.com/docs/install</a>.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo apt install -y debian-keyring debian-archive-keyring apt-transport-https</strong></code><br><code><strong>ubuntu@vscode-server:~$ curl -1sLf </strong></code><strong>&#8216;https://dl.cloudsmith.io/public/caddy/stable/gpg.key&#8217;</strong><code><strong>| sudo gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg</strong></code><br><code><strong>ubuntu@vscode-server:~$ curl -1sLf </strong></code><strong>&#8216;https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt&#8217;</strong><code><strong>| sudo tee /etc/apt/sources.list.d/caddy-stable.list</strong></code><br><code><strong>ubuntu@vscode-server:~$ sudo apt update &amp;&amp; sudo apt install caddy -y</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph"><strong>Configuration :</strong> modifiez le fichier <code>/etc/caddy/Caddyfile</code> (videz-le et remplacez par ceci)&nbsp;:</p>



<p class="wp-block-paragraph"><em>Remplacez «&nbsp;<strong>dev.votre-domaine.fr</strong>&nbsp;» par votre propre nom de domaine avec le sous-domaine de votre choix pointant vers l’IP de l’instance.</em></p>



<ul class="wp-block-list">
<li>Configuration simple uniquement sur le port HTTP (80)</li>
</ul>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>dev.your-domain.uk {</strong></code><code><strong>&nbsp;&nbsp;&nbsp; reverse_proxy 127.0.0.1:8080</strong></code><code><strong>}</strong></code><strong></strong></td></tr></tbody></table></figure>



<ul class="wp-block-list">
<li>Configuration recommandée sur le port HTTPS (443), en utilisant un domaine hébergé chez OVHcloud.</li>
</ul>



<p class="wp-block-paragraph">Pour la création des tokens API OVHcloud, vous pouvez vous référer à cette page : <a href="https://eu.api.ovh.com/createToken/" target="_blank" rel="noreferrer noopener" data-wpel-link="exclude">https://eu.api.ovh.com/createToken/</a>.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong><code><strong>dev.your-domain.fr </strong></code><strong>{<br>&nbsp; &nbsp; tls {<br>&nbsp; &nbsp; &nbsp; &nbsp; dns ovh {<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; endpoint "ovh-eu"<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; application_key {$OVH_APPLICATION_KEY}<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; application_secret {$OVH_APPLICATION_SECRET}<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; consumer_key {$OVH_CONSUMER_KEY}<br>&nbsp; &nbsp; &nbsp; &nbsp; }<br>&nbsp; &nbsp; }<br>&nbsp;&nbsp;&nbsp; reverse_proxy&nbsp;<code>127.0.0.1:8080</code><br>}</strong></strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph"><em>Pour davantage de détails concernant la gestion des certificats SSL, vous pouvez consulter la documentation officielle de Caddy.<br>Application</em>:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl reload caddy</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Désormais, si vous avez opté pour la configuration recommandée en HTTPS, votre environnement est protégé par un chiffrement SSL robuste.</p>



<p class="wp-block-paragraph">Vous ne risquez plus de voir votre mot de passe intercepté sur un Wi-Fi public, ce qui est un pas en avant non négligeable vers notre but.</p>



<h2 class="wp-block-heading">3. Réseau et pare-feu</h2>



<p class="wp-block-paragraph">Maintenant que le point d’accès est unique via l’URL en HTTPS configuré juste au-dessus, le reste des ports, sauf le SSH, évidemment, peut être coupé.</p>



<p class="wp-block-paragraph">Implémentez maintenant les règles basiques, dans le pare-feu. Sur Ubuntu, l’outil standard est <strong>UFW </strong>(Uncomplicated Firewall).</p>



<p class="wp-block-paragraph">Commencez par ouvrir les ports relatifs aux services fonctionnels.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw allow ssh<br>ubuntu@vscode-server:~$ sudo ufw allow http<br>ubuntu@vscode-server:~$ sudo ufw allow https</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Activez le firewall&nbsp;:</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw enable</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Vérification de la prise en compte des règles.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw status<br>Status: active</strong></code><br><code><strong>To &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; Action &nbsp; &nbsp; &nbsp;From<br>-- &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ------ &nbsp; &nbsp; &nbsp;----<br>22/tcp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>80/tcp &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>443 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>45876 &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere<br>22/tcp (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>80/tcp (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>443 (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)<br>45876 (v6) &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; ALLOW &nbsp; &nbsp; &nbsp; Anywhere (v6)</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Vous pouvez également ajouter des règles plus strictes pour rejeter explicitement tout ce qui n’est pas autorisé en entrée et laisser la sortie globalement autorisée.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo ufw default deny incoming<br>ubuntu@vscode-server:~$ sudo ufw default allow outgoing</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Désormais, si quelqu’un tente d’accéder à l’IP sur le port&nbsp;<code>8080</code>, la connexion sera purement et simplement rejetée.</p>



<p class="wp-block-paragraph">Seul le nom de domaine en HTTPS constitue la porte d’entrée légitime.<br>Ce petit serveur de développement, bien pratique, ressemble désormais davantage à une forteresse.&nbsp;</p>



<p class="wp-block-paragraph">Mais que se passe-t-il si vous décidez de supprimer cette instance pour en prendre une plus puissante et/ou la stopper pour une durée indéterminée, car votre projet est en pause&nbsp;?</p>



<p class="wp-block-paragraph">C’est ce que vous découvrirez dans la prochaine partie&nbsp;: comment <strong>isoler vos données et vos configurations</strong> sur un volume de stockage persistant pour rendre votre environnement totalement interchangeable, mais également comment <strong>automatiser le déploiement</strong> de cet environnement de développement&nbsp;!</p>



<p class="wp-block-paragraph">L’objectif final&nbsp;: qu’une simple commande <code>terraform apply</code> suffise à faire surgir un environnement de développement, prêt à l’emploi en moins de deux minutes.</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-2-securisation-performance%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%232%20%26%238211%3B%20S%C3%A9curisation%20et%20performance&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Développement à distance #1 &#8211; Premier déploiement</title>
		<link>https://blog.ovhcloud.com/developpement-distance-1-premier-deploiement/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Mon, 11 May 2026 15:24:02 +0000</pubDate>
				<category><![CDATA[OVHcloud en Français]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31679</guid>

					<description><![CDATA[Un environnement de développement est indispensable au quotidien, mais il peut vite devenir complexe à gérer. Nous allons voir ensemble, [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-1-premier-deploiement%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%231%20%26%238211%3B%20Premier%20d%C3%A9ploiement&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image aligncenter size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-1024x683.jpg" alt="" class="wp-image-31613" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1.jpg 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">Un environnement de développement est indispensable au quotidien, mais il peut vite devenir complexe à gérer. Nous allons voir ensemble, dans un billet de blog en 3 parties, comment améliorer son confort et sa productivité !</p>



<p class="wp-block-paragraph">Réunions incessantes, environnements Docker différant légèrement sur chaque machine, mises à jour système intempestives : garder un poste de développement fiable et cohérent devient vite un combat quotidien.</p>



<p class="wp-block-paragraph">À chaque nouveau projet, il faut ré-installer les mêmes outils, les mêmes CLI, reconfigurer les mêmes SDK ou frameworks. Et surtout, espérer que la machine locale tienne la charge quand les tests, le linter et la base de données fonctionnent en même temps. Le tout, avec des situations de télétravail ou de mobilité dans lesquelles les personnes se retrouvent à développer depuis un ordinateur portable parfois proche de l’obsolescence, derrière un VPN capricieux.</p>



<p class="wp-block-paragraph">Dans cette série d’articles, l’objectif est de transformer cette réalité en s’appuyant sur un environnement de développement complet hébergé dans le cloud et accessible depuis n’importe quel navigateur grâce à VS Code Server.</p>



<p class="wp-block-paragraph">L’idée est de disposer d’une « station de travail » distante, puissante et, si besoin, reproductible et indépendante.</p>



<p class="wp-block-paragraph">Ce premier chapitre montre comment déployer simplement et manuellement une instance Public Cloud et y installer VS Code Server. Les chapitres suivants traiteront de sa sécurisation et de son automatisation. &nbsp;</p>



<h2 class="wp-block-heading"><strong>1. Déploiement de l’instance</strong></h2>



<p class="wp-block-paragraph">Pour les premiers tests, afin de prendre en main l’environnement et de le tester, il peut s’avérer judicieux d’opter pour une instance assez modeste, de type Discovery. Une instance d2-2 sera ici utilisée. 1vCPU et 2&nbsp;Go de RAM peuvent être suffisants.</p>



<h2 class="wp-block-heading"><strong>2. Installation de la partie applicative</strong></h2>



<p class="wp-block-paragraph">La source de vérité pour les étapes suivantes est le GitHub du projet vscode-server : <a href="https://github.com/coder/code-server" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://github.com/coder/code-server</a></p>



<p class="wp-block-paragraph">Plusieurs possibilités existent pour l’installation. Dans ce chapitre, pour simplifier le déploiement et pour les personnes peu habituées à Docker, l’installation se fera via le script d’installation «&nbsp;natif&nbsp;», sans utiliser de conteneurs.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo apt update &amp;&amp; sudo apt upgrade<br>ubuntu@vscode-server:~$ curl -fsSL&nbsp;</strong></code><a href="https://code-server.dev/install.sh" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer"><strong>https://code-server.dev/install.sh</strong></a><code><strong> | sh</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Cette étape suffit à installer le nécessaire. Activez maintenant le service et vérifiez son bon fonctionnement.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl enable --now code-server@$USER<br>ubuntu@vscode-server:~$ sudo systemctl status code-server@$USER<br></strong>● </code><strong>code-server@ubuntu.servic</strong><code><strong>e</strong> -<strong> code-server<br>&nbsp; &nbsp; &nbsp;Loaded: loaded (/usr/lib/systemd/system/code-server@.service; enabled; preset: enabled)<br>&nbsp; &nbsp; &nbsp;Active: active (running) since Wed 2025-12-03 14:55:37 UTC; 15min ago<br>&nbsp;Invocation: 1b393d84bebe415cbb770a17a0c8d399<br>&nbsp; &nbsp;Main PID: 893 (node)<br>&nbsp; &nbsp; &nbsp; Tasks: 22 (limit: 4532)<br>&nbsp; &nbsp; &nbsp;Memory: 95.1M (peak: 112.1M)<br>&nbsp; &nbsp; &nbsp; &nbsp; CPU: 1.868s<br>&nbsp; &nbsp; &nbsp;CGroup: /system.slice/system-code\x2dserver.slice/code-server@ubuntu.service<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;├─ 893 /usr/lib/code-server/lib/node /usr/lib/code-server<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;└─1130 /usr/lib/code-server/lib/node /usr/lib/code-server/out/node/entry</strong></code></td></tr></tbody></table></figure>



<h2 class="wp-block-heading"><strong>3. Validation de la configuration</strong></h2>



<p class="wp-block-paragraph">À ce stade, le service est opérationnel, il reste à en finaliser la configuration, notamment la création du dossier qui contiendra le code ainsi que l’authentification.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ mkdir workspace </strong></code><strong><br></strong><code><strong>ubuntu@vscode-server:~$&nbsp;cat ~/.config/code-server/config.yaml<br>bind-addr: 127.0.0.1:8080<br>auth: password<br>password:&lt;secure_password&gt;<br>cert: false</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Il est ici nécessaire de placer un mot de passe sécurisé et de vérifier que la <code>bind-addr</code> correspond à la configuration souhaitée.</p>



<p class="wp-block-paragraph">Si vous souhaitez tester directement le service en l’état, utilisez <code>0.0.0.0:8080</code>. Relancez ensuite le service et accédez à l’interface via <code>http://&lt;IP_PUBLIQUE&gt;:8080</code>.</p>



<p class="wp-block-paragraph">Après avoir fourni dans la fenêtre d’authentification le mot de passe présent dans le <code>config.yaml</code>,&nbsp;vous accédez directement à VS Code dans le navigateur.</p>



<p class="wp-block-paragraph">Partant de ce déploiement, vous pouvez donc ici répondre, partiellement en l’état, à la problématique d’un environnement de développement stable.</p>



<p class="wp-block-paragraph">À ce stade, il est possible de cloner directement vos repositories GitHub ou d’utiliser le dossier <code>workspace</code> pour les cloner.</p>



<p class="wp-block-paragraph">C’est d’ailleurs ce qui est recommandé pour davantage de pérennité, comme vous pourrez le voir dans le second chapitre.</p>



<p class="wp-block-paragraph">Pour réaliser un commit de test via l’interface vscode-server, vous devez configurer git en local (juste une fois) pour que l’authentification du remote repository s’effectue correctement.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ git config user.email </strong></code><strong>&#8220;mail@foo.bar&#8221;</strong><br><code><strong>ubuntu@vscode-server:~$ git config --global </strong></code><strong>user.name</strong><code><strong>"John Doe"</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">Dès cette étape, vous pouvez utiliser l’environnement de développement distant avec vscode-server. Et ce, en profitant de quasiment toutes les fonctionnalités dont vous pourriez disposer en local, mais avec les avantages d’un environnement dédié à cet usage.</p>



<p class="wp-block-paragraph">⚠️ Rappel&nbsp;: en l’état, le déploiement fait ici n’est pas en statut «&nbsp;production ready&nbsp;»&nbsp;!</p>



<p class="wp-block-paragraph">Le but de ce premier chapitre est de découvrir le service, les manipulations vous étant proposées pour vous permettre de vous familiariser avec l’environnement. Ainsi, veillez à ne pas opérer le service tel que déployé ici plus que quelques heures&nbsp;!</p>



<p class="wp-block-paragraph">Il sera nécessaire de sécuriser l’environnement, puisqu’il est exposé directement sur Internet. C’est l’objet des <a href="https://blog.ovhcloud.com/developpement-distance-2-securisation-performance/" type="link" id="https://blog.ovhcloud.com/chapter-2-security-and-performance" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">chapitres suivants</a>.</p>



<p class="wp-block-paragraph">Ce premier chapitre se termine avec un environnement de développement opérationnel, déjà capable de supporter un vrai projet applicatif&nbsp;!</p>



<p class="wp-block-paragraph">L’instance est en ligne, VS Code Server répond dans le navigateur, l’espace de travail est prêt et le premier dépôt a été cloné et ouvert comme sur un poste local. Cette base montre qu’il est possible de s’abstraire du matériel pour gagner en portabilité et partager plus facilement une configuration commune au sein d’une équipe ou d’un poste de développement nomade.</p>



<p class="wp-block-paragraph">Dans les prochains chapitres, cet environnement au minimum viable sera progressivement renforcé avec du stockage persistant, des mécanismes de sauvegarde ainsi qu’un accès sécurisé en HTTPS. Il sera ensuite entièrement automatisé via de l’Infrastructure as Code, afin de passer d’un simple test technique à une véritable plateforme de développement prête pour la production interne.</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fdeveloppement-distance-1-premier-deploiement%2F&amp;action_name=D%C3%A9veloppement%20%C3%A0%20distance%20%231%20%26%238211%3B%20Premier%20d%C3%A9ploiement&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Remote development #1 &#8211; First Deployment</title>
		<link>https://blog.ovhcloud.com/remote-development-1-first-deployment/</link>
		
		<dc:creator><![CDATA[Rémy Vandepoel]]></dc:creator>
		<pubDate>Thu, 07 May 2026 16:00:42 +0000</pubDate>
				<category><![CDATA[OVHcloud Engineering]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31612</guid>

					<description><![CDATA[A development environment is an essential day-to-day system, but it can quickly become complex to manage. In this three-part blog [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-1-first-deployment%2F&amp;action_name=Remote%20development%20%231%20%26%238211%3B%20First%20Deployment&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image size-large"><img loading="lazy" decoding="async" width="1024" height="683" src="https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-1024x683.jpg" alt="" class="wp-image-31613" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-1024x683.jpg 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-300x200.jpg 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1-768x512.jpg 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/05/1.jpg 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">A development environment is an essential day-to-day system, but it can quickly become complex to manage. In this three-part blog post, we will explore how to become more comfortable and productive with it!</p>



<p class="wp-block-paragraph">Endless meetings, slightly differing Docker environments on each machine, and untimely system updates: maintaining a reliable and consistent development workstation can quickly become a daily struggle.</p>



<p class="wp-block-paragraph">With each new project, you have to reinstall the same tools, the same CLIs, and reconfigure the same SDKs or frameworks. And above all, hope that the local machine can handle the load when tests, the linter, and the database are all running simultaneously. Meanwhile, with remote work or working while travelling, individuals find themselves developing with a temperamental VPN, from a laptop that is sometimes close to obsolescence.</p>



<p class="wp-block-paragraph">In this series of articles, we aim to transform this reality by building on a complete development environment hosted in the cloud and accessible from any browser via VS Code Server.</p>



<p class="wp-block-paragraph"><strong>The idea is to have a remote, powerful, and, if necessary, reproducible and independent “workstation”.</strong></p>



<p class="wp-block-paragraph">This first chapter demonstrates how to easily deploy a Public Cloud instance manually and install VS Code Server on it. The following chapters will improve its security and automation. &nbsp;</p>



<h2 class="wp-block-heading"><strong>1. Deploying the instance</strong></h2>



<p class="wp-block-paragraph">For the initial tests it may be wise to opt for a smaller, Discovery-type instance so that you can familiarise yourself with the environment and test it. A d2-2 instance will be used here. 1 vCPU and 2 GB of RAM should be enough.</p>



<h2 class="wp-block-heading"><strong>2. Installing the application element</strong></h2>



<p class="wp-block-paragraph">The fountain of knowledge for the following steps is the GitHub for the vscode-server project: <a href="https://github.com/coder/code-server" target="_blank" rel="noreferrer noopener nofollow external" data-wpel-link="external">https://github.com/coder/code-server</a></p>



<p class="wp-block-paragraph">There are several options for the installation. In this chapter, to simplify the deployment and for those who are not very familiar with Docker, the installation will be done via the “native” installation script, without using containers.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo apt update &amp;&amp; sudo apt upgrade<br>ubuntu@vscode-server:~$ curl -fsSL&nbsp;</strong></code><a href="https://code-server.dev/install.sh" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer"><strong>https://code-server.dev/install.sh</strong></a> <code><strong>| sh</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">This step is enough to install the essentials. Activate the service now and check that it is running correctly.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ sudo systemctl enable --now code-server@$USER<br>ubuntu@vscode-server:~$ sudo systemctl status code-server@$USER<br>● </strong></code><a href="mailto:code-server@ubuntu.servic"><strong>code-server@ubuntu.servic</strong></a><code><strong>e - code-server<br>&nbsp; &nbsp; &nbsp;Loaded: loaded (/usr/lib/systemd/system/code-server@.service; enabled; preset: enabled)<br>&nbsp; &nbsp; &nbsp;Active: active (running) since Wed 2025-12-03 14:55:37 UTC; 15min ago<br>&nbsp;Invocation: 1b393d84bebe415cbb770a17a0c8d399<br>&nbsp; &nbsp;Main PID: 893 (node)<br>&nbsp; &nbsp; &nbsp; Tasks: 22 (limit: 4532)<br>&nbsp; &nbsp; &nbsp;Memory: 95.1M (peak: 112.1M)<br>&nbsp; &nbsp; &nbsp; &nbsp; CPU: 1.868s<br>&nbsp; &nbsp; &nbsp;CGroup: /system.slice/system-code\x2dserver.slice/code-server@ubuntu.service<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;├─ 893 /usr/lib/code-server/lib/node /usr/lib/code-server<br>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;└─1130 /usr/lib/code-server/lib/node /usr/lib/code-server/out/node/entry</strong></code><strong></strong></td></tr></tbody></table></figure>



<h2 class="wp-block-heading"><strong>3. Validate the configuration</strong></h2>



<p class="wp-block-paragraph">At this stage, the service is operational; the configuration still needs to be finalised, particularly creating the folder that will contain the code as well as the authentication.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ mkdir workspace </strong></code><strong><br></strong><code><strong>ubuntu@vscode-server:~$ cat ~/.config/code-server/config.yaml<br>bind-addr: 127.0.0.1:8080<br>auth: password<br>password:&lt;secure_password&gt;<br>cert: false</strong></code><strong></strong></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">You need to set a secure password here and verify that the <code>bind-addr</code> corresponds to your desired configuration.</p>



<p class="wp-block-paragraph">If you wish to directly test the service in its current state, use <code>0.0.0.0:8080</code>. Then restart the service and access the interface via <code>http://&lt;IP_PUBLIQUE&gt;:8080</code>.</p>



<p class="wp-block-paragraph">After providing the password found in the <code>config.yaml</code> in the authentication window, you will gain direct access to VS Code in the browser.</p>



<p class="wp-block-paragraph">From this deployment, you can then partially address the issue of getting a stable development environment.</p>



<p class="wp-block-paragraph">At this stage, it is possible to directly clone your GitHub repositories or to use the <code>workspace</code> folder to clone them.<br>This is recommended for greater longevity, as you will see in the second chapter.</p>



<p class="wp-block-paragraph">To perform a test commit via the vscode-server interface, you must configure git locally (just once) so that the authentication of the remote repository runs correctly.</p>



<figure class="wp-block-table"><table class="has-fixed-layout"><tbody><tr><td><code><strong>ubuntu@vscode-server:~$ git config user.email </strong></code><strong>&#8220;mail@foo.bar&#8221;</strong><br><code><strong>ubuntu@vscode-server:~$ git config --global </strong></code><a href="http://user.name" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer"><strong>user.name</strong></a><code><strong>"John Doe"</strong></code></td></tr></tbody></table></figure>



<p class="wp-block-paragraph">From this step onwards, you can use the remote development environment with vscode-server, while enjoying nearly all the features you might have locally, but with the advantages of having an environment dedicated to this use.</p>



<p class="wp-block-paragraph">⚠️ <strong>Reminder: in its current state, the deployment made here is not “production ready”!</strong></p>



<p class="wp-block-paragraph">The aim of this first chapter is to introduce the service, with the instructions here to help you familiarize yourself with the environment. Therefore, please ensure that you do not operate the service as deployed here for more than a few hours!</p>



<p class="wp-block-paragraph">The environment will need to be secured, as it is directly exposed on the Internet. We’ll talk about this in the <a href="https://blog.ovhcloud.com/remote-development-2-security-performance/" target="_blank" rel="noreferrer noopener" data-wpel-link="internal">following chapters</a>.</p>



<p class="wp-block-paragraph">By now, you have an operational development environment that is already capable of supporting a real application project!</p>



<p class="wp-block-paragraph">The instance is online, VS Code Server is responding in the browser, the workspace is ready, and the first repository has been cloned and opened as if on a local machine. This foundation demonstrates that it is possible to abstract from the hardware to gain portability and more easily share a common configuration within a team or a remote development workstation.</p>



<p class="wp-block-paragraph"><strong>In the upcoming chapters</strong>, this minimum viable environment will be gradually enhanced with persistent storage, backup mechanisms, and secure access via HTTPS. It will then be fully automated through Infrastructure as Code, in order to transition from a simple technical test to a genuine development platform ready for internal production.</p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fremote-development-1-first-deployment%2F&amp;action_name=Remote%20development%20%231%20%26%238211%3B%20First%20Deployment&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Copy.Fail (CVE-2026-31431): How to Rapidly Protect OVHcloud MKS Clusters from the Linux Kernel Zero-Day</title>
		<link>https://blog.ovhcloud.com/copy-fail-cve-2026-31431-how-to-rapidly-protect-ovhcloud-mks-clusters-from-the-linux-kernel-zero-day/</link>
		
		<dc:creator><![CDATA[Aurélie Vache]]></dc:creator>
		<pubDate>Thu, 30 Apr 2026 13:42:17 +0000</pubDate>
				<category><![CDATA[OVHcloud Engineering]]></category>
		<category><![CDATA[Tranches de Tech & Co — Tech bites]]></category>
		<category><![CDATA[OVHcloud]]></category>
		<category><![CDATA[Security]]></category>
		<guid isPermaLink="false">https://blog.ovhcloud.com/?p=31485</guid>

					<description><![CDATA[A newly disclosed Linux kernel zero-day, CVE-2026-31431, &#8220;Copy.Fail&#8221;, is one of the most serious privilege-escalation vulnerabilities in recent years. Discovered [&#8230;]<img src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fcopy-fail-cve-2026-31431-how-to-rapidly-protect-ovhcloud-mks-clusters-from-the-linux-kernel-zero-day%2F&amp;action_name=Copy.Fail%20%28CVE-2026-31431%29%3A%20How%20to%20Rapidly%20Protect%20OVHcloud%20MKS%20Clusters%20from%20the%20Linux%20Kernel%20Zero-Day&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></description>
										<content:encoded><![CDATA[
<figure class="wp-block-image aligncenter size-large is-resized"><img loading="lazy" decoding="async" width="1024" height="683" src="https://blog.ovhcloud.com/wp-content/uploads/2026/04/ChatGPT-Image-30-avr.-2026-15_38_36-1024x683.png" alt="" class="wp-image-31492" style="aspect-ratio:1.4992503748125936;width:406px;height:auto" srcset="https://blog.ovhcloud.com/wp-content/uploads/2026/04/ChatGPT-Image-30-avr.-2026-15_38_36-1024x683.png 1024w, https://blog.ovhcloud.com/wp-content/uploads/2026/04/ChatGPT-Image-30-avr.-2026-15_38_36-300x200.png 300w, https://blog.ovhcloud.com/wp-content/uploads/2026/04/ChatGPT-Image-30-avr.-2026-15_38_36-768x512.png 768w, https://blog.ovhcloud.com/wp-content/uploads/2026/04/ChatGPT-Image-30-avr.-2026-15_38_36.png 1536w" sizes="auto, (max-width: 1024px) 100vw, 1024px" /></figure>



<p class="wp-block-paragraph">A newly disclosed Linux kernel zero-day, <a href="https://app.opencve.io/cve/CVE-2026-31431" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">CVE-2026-31431</a>, &#8220;<strong>Copy.Fail&#8221;,</strong> is one of the most serious privilege-escalation vulnerabilities in recent years.</p>



<p class="wp-block-paragraph">Discovered by Theori and publicly disclosed on April 29, 2026, <a href="https://copy.fail/" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">Copy.Fail</a> is a Linux kernel zero-day that roots every distribution since 2017. Unlike many local privilege-escalation flaws that depend on race conditions, kernel address leaks, or distribution-specific behavior, Copy.Fail is alarmingly reliable: it works consistently across mainstream Linux distributions with only a standard user account.</p>



<h3 class="wp-block-heading">Why the CVE-2026-31431 is dangerous?</h3>



<p class="wp-block-paragraph">Copy.Fail abuses a logic flaw in the Linux kernel’s<strong> <code>algif_aead</code></strong> crypto module, introduced through a 2017 optimization. By manipulating the kernel’s AF_ALG crypto interface, an attacker can write controlled data into the Linux page cache (the in-memory representation of trusted system binaries).</p>



<p class="wp-block-paragraph">This allows attackers to temporarily hijack binaries like <code>/usr/bin/su</code> <strong>without modifying the file on disk</strong>.</p>



<p class="wp-block-paragraph">In practical terms:</p>



<ul class="wp-block-list">
<li>A normal user can become root</li>



<li>A compromised container can escape to the host</li>



<li>A malicious CI job can root its runner</li>



<li>Shared infrastructure becomes vulnerable across tenants</li>



<li>Disk forensics may show no file tampering because only RAM is altered</li>
</ul>



<p class="wp-block-paragraph">This makes Copy.Fail especially dangerous for:</p>



<ul class="wp-block-list">
<li>Kubernetes clusters</li>



<li>CI/CD systems</li>



<li>Shared development environments</li>



<li>Cloud notebook platforms</li>



<li>Multi-tenant container infrastructure</li>
</ul>



<h3 class="wp-block-heading">How to patch it easily in your MKS clusters?</h3>



<p class="wp-block-paragraph">OVHcloud is preparing patched MKS versions including the upstream kernel fix. Patched versions are expected to be available <strong>30 April 2026</strong>, at <strong>16:00 UTC+2</strong>.</p>



<p class="wp-block-paragraph">While waiting for the next MKS release, here is a <strong>DaemonSet</strong> manifest that you can apply in your MKS clusters in order to mitigate the vulnerability.</p>



<p class="wp-block-paragraph">Create a <strong>patch-copy-fail-cve </strong>file with the following content:</p>



<pre class="wp-block-code"><code class="">apiVersion: apps/v1<br>kind: DaemonSet<br>metadata:<br>  name: patch-copy-fail-cve<br>  labels:<br>    app: patch-copy-fail-cve<br>  namespace: default<br>spec:<br>  selector:<br>    matchLabels:<br>      app: patch-copy-fail-cve<br>  updateStrategy:<br>    type: RollingUpdate<br>    rollingUpdate:<br>      maxSurge: 0<br>      maxUnavailable: 100%<br>  template:<br>    metadata:<br>      labels:<br>        app: patch-copy-fail-cve<br>    spec:<br>      hostPID: true<br>      priorityClassName: system-node-critical<br>      volumes:<br>        - name: root-mount<br>          hostPath:<br>            path: /<br>            type: Directory<br>      initContainers:<br>        - image: mks.kubernatine.ovh/docker.io/library/busybox:1.36.1<br>          name: patch-copy-fail-cve<br>          command: ["/bin/bash", "-c"]<br>          args:<br>            - |<br>              tee /etc/modprobe.d/disable-algif-aead.conf &lt;&lt;&lt;'install algif_aead /bin/false'<br>              rmmod algif_aead 2&gt;/dev/null<br>              update-initramfs -u<br>          securityContext:<br>            privileged: true<br>            runAsUser: 0<br>          volumeMounts:<br>            - name: root-mount<br>              mountPath: /<br>      containers:<br>        - image: "mks.kubernatine.ovh/registry.k8s.io/pause:3.10.1"<br>          name: pause     </code></pre>



<p class="wp-block-paragraph">Apply it:</p>



<pre class="wp-block-code"><code class="">kubectl apply -f patch-copy-fail-cve.yaml</code></pre>



<p class="wp-block-paragraph">⚠️ This mitigation has been tested on OVHcloud internal test clusters. Applying it to your own service remains under your responsibility.</p>



<p class="wp-block-paragraph">If the vulnerability has already been exploited on your cluster, this mitigation will not remediate any pre-existing compromise.<br>The recommended remediation remains the official security release, which will be made available as soon as possible.</p>



<p class="wp-block-paragraph">Read more about the mitigation: <a href="https://github.com/rootsecdev/cve_2026_31431#mitigation" data-wpel-link="external" target="_blank" rel="nofollow external noopener noreferrer">https://github.com/rootsecdev/cve_2026_31431#mitigation</a></p>



<p class="wp-block-paragraph"></p>



<p class="wp-block-paragraph"></p>
<img loading="lazy" decoding="async" src="//blog.ovhcloud.com/wp-content/plugins/matomo/app/matomo.php?idsite=1&amp;rec=1&amp;url=https%3A%2F%2Fblog.ovhcloud.com%2Fcopy-fail-cve-2026-31431-how-to-rapidly-protect-ovhcloud-mks-clusters-from-the-linux-kernel-zero-day%2F&amp;action_name=Copy.Fail%20%28CVE-2026-31431%29%3A%20How%20to%20Rapidly%20Protect%20OVHcloud%20MKS%20Clusters%20from%20the%20Linux%20Kernel%20Zero-Day&amp;urlref=https%3A%2F%2Fblog.ovhcloud.com%2Ffeed%2F" style="border:0;width:0;height:0" width="0" height="0" alt="" />]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
