Short version is this: Docker is offering official container images that are more locked down by default. Fewer packages, fewer attack surfaces, more secure defaults, and more focus on security overall out of the box.

These are not custom third party images. They are maintained by Docker and meant to be drop-in replacements for the images many of us are already using. Things like base OS images and popular runtimes.

A few things that stood out to me:

• Images are intentionally minimal. Less stuff is installed which means fewer vulnerabilities to worry about

• It also focuses on supply chain security, which is a big deal. Docker is clearly trying to make it easier to trust what you are pulling

• It is built for developers, not just security teams. You still get something usable without having to harden everything yourself

• It is designed to work with Docker Scout and vulnerability scanning workflows

From a home lab perspective this is great. A lot of us run containers exposed internally or even externally (hopefully not but sometimes it is needed), and we usually just grab the latest and move on. But having more secure base images by default helps to reduce the risk.

I also see this being useful for anyone publishing Compose stacks or example configs. If hardened images become common, it raises the baseline security level for everyone copying those examples.

This does not magically make containers secure in every way, but it does remove a bunch of low hanging fruit that normally gets ignored in terms of security.

Curious what others think. Would you switch your existing containers to hardened images? Do you care about this in a home lab, or only for production? Is this something Docker should have done a long time ago?

Here is a link to the official post from Docker: https://www.docker.com/blog/docker-hardened-images-for-every-developer/

A multilingual interface for global teams 

MSP Direct Connect simplifies remote management 

NAKIVO is also upgrading the experience for MSPs. There is a new Direct Connect feature that has been expanded so MSPs can use it to manage environments without the need to open ports on the firewall and other network hoops to jump through on client networks. This will also help to reduce the attack surface since firewall exceptions do not need to be made. Also, all communication between the MSP director solution and client transporters are encrypted. This will help to make sure security and compliance regulations can be met for audit purposes. 

The Direct Connect solutions supports Microsoft Hyper-V, VMware, Proxmox VE, and physical machines. All in all, this will be a good feature to give MSPs a way to manage different types of customer environments. 

Expanded backup capabilities for Proxmox VE 

Real-time replication for VMware environments

Granular backup options for physical servers

With the NAKIVO 11.1 release, physical server backups get an upgrade as well. You can now back up specific folders or volumes only if you choose. This can be on either Windows or Linux systems. So, no longer are you required to back up the entire server if you only need specific data. This will save a tremendous amount of time for the backup and storage space as well. 

Backups for physical servers can be stored in a local repository, in the cloud, or on deduplication appliances, and also tape. For ransomware protection, you get backup immutability, encryption and air-grapped storage. You can perform granular restores as well. You can target just specific SMB or NFS shares if you want. Smaller restores can also be sent through email or downloaded in a browser session.

Flexibility and performance

A worthy release for upgrade

The NAKIVO 11.1 release has some really good improvements underneath the hood. NAKIVO continues to evolve the functionality of the product with even more features that bring it on par with something like Veeam for lower cost. Proxmox support and features are continuing to get better with each release and that is great news for those that are looking for even more reasons to transition off VMware with the now much higher pricing under Broadcom.

The highlight of the release is the new Channel AI feature. It takes WiFi optimization to a whole new level. Let's face it, these are the types of tasks that we don't want to do by hand. AI is so much better at doing this kind of analysis and management by analyzing interference and automatically generating an efficient channel plan across your access points. Think about this possibility. Instead of you spending hours checking for overlap and tweaking settings, you can now visualize the RF environment, see neighboring APs, and let Channel AI apply optimizations. You can do all of this with a single click. What used to take days of testing can now be handled in minutes! That's pretty cool.

UniFi has also improved multicast handling and added service-forwarding controls. You can now assign specific services to specific APs. This will save airtime and improve performance in certain use cases. When you pair this with the new mDNS gateway settings, it will help to balance performance and compatibility across certain devices. These will include things like smart TVs, IoT sensors, and office equipment.

Another area that got attention in this 9.5 release is client roaming. The new version makes it faster and more stable when devices move between APs or switch frequency bands. Apple devices especially should see better reliability and fewer connection hiccups. These kinds of improvements will make noticeable differences end users.

On the wired side, there’s a new feature called Port Anomaly. It keeps an eye on your switch ports for flapping, loops, or other early signs of trouble and alerts you. It does this through the Alarm Manager. This proactive monitoring can help you identify issues before they cause downtime or performance problems. This will be a big win for maintaining your network, both in the enterprise and the home lab.

I think overall, UniFi Network 9.5 feels like a very strong release. It is applying AI in a way that will allow it to do the heavy lifting with configuration that has typically been complicated and time consuming to adjust when making channel adjustments.

You can read the full announcement and details on the official blog: https://blog.ui.com/article/releasing-unifi-network-9-5

What do you think about Channel AI and these new reliability tools? Have you already pulled the new Unifi Network 9.5 application container? Or are you planning to update soon?

This release updates the GNOME desktop experience, and refines moving to modern tech stacks. Under the hood, Ubuntu 25.10 ships with Linux kernel 6.11. It also has improved power efficiency for laptops and ARM-based systems, and better performance on Ryzen and Intel Core Ultra chips. Canonical has also been doing work with Snap updates to improve reliability and launch times.

One of the big quality-of-life updates with this release is improved Wayland session stability. Also it has enhanced support for NVIDIA and AMD GPUs. Many users who had to stick to Xorg for a long while will find Wayland much more usable now. This is the case even for multi-monitor and hybrid graphics setups. On the server side, Ubuntu 25.10 brings updated containers tools. These include with Podman, Docker, and LXD. All of these are getting the latest updates which will make it a great release for home labbers and those who are working with DevOps stacks.

The installer continues to change and evolve too. It now has a Flutter-based Ubuntu installer that is smoother and faster. It has better feedback during setup and Canonical seems like it is heads down on improving the user experience. These are improvements that have been a long while coming but are finally getting upgraded both in desktop and server builds.

For developers, Ubuntu 25.10 has updated Python 3.13, GCC 14, and OpenSSL 3.3 libraries. There are also newer base images for container builds. This makes it a good choice if you’re testing against the latest toolchains or building portable environments.

It’s also worth mentioning the Ubuntu flavors like Kubuntu, Xubuntu, and Ubuntu Server 25.10. These will all have their own updates, from Plasma 6 improvements in Kubuntu to newer desktop tweaks in Xubuntu.

If you’re on Ubuntu 24.04 LTS, there is definitely not a need to rush into upgrading. LTS versions will continue to receive updates and are still the best choice for production or long-term use in the home lab. But if you’re like me and enjoy experimenting and breaking things with the latest Linux builds, 25.10 looks to be a fun release to try out while we wait for 26.04 LTS next April.

You can check out the official release info and downloads here: https://ubuntu.com/download

The most obvious change you’ll notice is the new web admin interface. The old one always felt a bit dated and slow, but now it’s built on a modern React frontend and feels much smoother and more responsive. Navigation finally works as you would expect, and most of the CLI-only options we used to have to dig around for are now exposed directly in the UI. It’s one of those quality-of-life improvements that will save a lot of time managing the solution and cut down on mistakes.

The other big news is the expanded REST API. You can now automate far more of the VPN actions without having to script against the old sacli command. For those of us who want to automate our environments, this is a huge improvement. It makes it easier to integrate OpenVPN into automation pipelines. This could be with Ansible, Terraform, or your own in-house tools. OpenVPN even built in a way to test and document the API from the interface, which is a nice touch.

Security and identity management also got new improvements. The admin interface now supports SAML login and full SSO integration. This means you can tie admin access directly into providers like Azure AD or Okta. For the enterprise where centralized identity is a requirement, that’s a big improvement. Multi-factor authentication (MFA) is also easier to manage now. You can reset or enroll MFA for users directly from the UI instead of running obscure commands.

Another important update is the backend’s shift toward supporting nftables alongside iptables. It’s still listed as experimental, but this shows OpenVPN is preparing for the shift as more Linux distros move to nftables by default. There are also new optimizations under the hood that improve performance, compress assets, and make the whole system a bit leaner. They seem to be improving the backend as much as the frontend.

There’s a new “support report” feature built into the UI that lets you generate logs and diagnostic data to send to OpenVPN support. When you are troubleshooting production VPN issues, not having to manually collect a dozen files from different directories can save a ton of time.

Now, for the pros of the solution for IT admins.

• From an admin’s perspective, this update brings Access Server in line with modern expectations. Juggling web UI and CLI for basic configuration are mostly gone. The REST API support means it plays well with automation tools and can fit into infrastructure-as-code environments. And the move toward identity-based access for admins should make security teams breathe a little easier.

For home labbers, it is easier to get up and running.

• You can spin it up in a VM, Docker container, or cloud VM. And now you can manage almost everything without touching the terminal. The better UI and MFA integration make it more practical for personal or home lab setups. If you’ve avoided it before because it felt a little too “enterprisey,” 3.0 is I think the release that helps to fix that.

There are, of course, a few things to watch out for. This is a major overhaul, and like any "X.0" release, it’s bound to have some quirks. The patch to 3.0.1 already fixed a few early issues with SAML logins and API tokens, so I’d recommend testing it quite a bit in your lab environment before dropping it into production. I’d also be cautious with the nftables support until it’s out of experimental mode. The last thing you want is a firewall bug taking down your VPN.

Upgrading from an older version might not be totally seamless, especially if you’ve got custom firewall rules, clustering, or specific NATs. Make sure to back up everything and have a rollback plan in place before running the upgrade (snapshot your VM, etc). Also, the new interface may not expose every advanced option yet, so you might still need the CLI for a few things still yet.

In larger environments, I see the biggest win being around automation and identity. Since we are now able to tie VPN admin access into SSO and enforce MFA policies it will make compliance a lot easier. You can even start building self-service workflows where VPN accounts are provisioned and revoked automatically based on user status. For smaller environments or home labs, the benefit is really about simplicity. It will mean fewer steps, a cleaner UI, and less command-line pain.

The main trade-off with any major update with more APIs exposed is that you’re increasing the surface area. More APIs mean more things to secure. If you’re running Access Server exposed to the internet, it’s worth locking down those endpoints. I would carefully watch for updates as OpenVPN hardens the new version.

Overall, I think this is a great move for OpenVPN. It was starting to feel dated compared to some of the newer VPN and zero-trust solutions out there. I think this release has the promise to make it feel like a platform that can keep up at least for now. 

If anyone here has already upgraded to 3.0, I’d love to hear what your experience has been. Did the upgrade go smoothly, and how’s the new UI holding up under real-world use? I’m planning to test it next week in a small Docker deployment and see how it performs.

Read the full release notes from OpenVPN here: Access Server 3.0 Release Notes and Version Updates

This seems to be really just a natural progression of devices that they already have. Think about the devices in their lineup like their networking products, cameras, access control, and even EV chargers. Now they’re adding uninterruptible power to the mix. Most of us have been using third-party UPSs for years. I think the biggest draw here is that these new UPS units integrate directly into the UniFi Network application. This means you’ll be able to see power status, battery health, and runtime information. And this will be shown right along with your switches and access points.

There are two models launching out of the gate. The first is a rack-mounted UPS-2U, rated for 1.44 kVA. It has eight outlets, surge protection, and a field-replaceable 216 Wh battery. The second is a smaller UniFi UPS Tower. This is more of a desktop or compact unit meant for a single switch, access point, UniFi Dream Machine or your workstation. Both models will show up in the UniFi dashboard automatically and can pair with UniFi storage devices like the UNVR for coordinated shutdowns during power outages.

Ubiquiti also mentioned that these units will include built-in Network UPS Tools (NUT) server support. That means you can use them to send status data to other systems and not just UniFi gear. I think this is a nice touch for those running home labs, Linux servers, or NAS boxes outside of the UniFi ecosystem and who want to integrate with open-source tools they may already be running. According to the blog, this is just the beginning of a full lineup of UPS products. Higher-end models with pure sine wave output and lithium-ion batteries are in the worksa. These will be aimed at larger setups and enterprise environments.

The integration angle is what’s really interesting here. Most UPS units are standalone appliances with basic USB or SNMP monitoring. Having something that’s plug-and-play within the UniFi controller could be a big win for small business and home lab users who want visibility for their power protection. This will be possible without the complexity of managing separate power software, etc. You’ll be able to see which devices are running on backup, track remaining runtime, and monitor events like brownouts or surges in real time.

Of course, a few questions still remain in my mind. Runtime will depend heavily on the load and that 216 Wh battery doesn’t sound huge, so we’ll need to see a real-world test of the unit. It’s also not clear to me whether the output is pure sine or stepped approximation. This definitely makes a difference for sensitive equipment and much of our sensitive gear these days. 

Pricing for the units:

• UPS-2U: $279
• Unifi UPS Tower: $159

Still, it’s exciting to see Ubiquiti finally enter this space. Power protection is a natural fit for them. I think having a UPS that just “shows up” in UniFi Network could simplify things for ones running their gear in a rack or home lab setup. If they follow through with their roadmap for higher-capacity and lithium models, this could theoretically end up being one of their most useful new product lines.

You can read their official announcement that is now live on their blog here: https://blog.ui.com/article/introducing-uninterruptible-power

What do you all think? Is this something you’d add to your rack, or do you still prefer sticking with known UPS brands for now?

• 12 “prime” cores hitting 5 GHz boost
• 6 performance cores at 3.6 GHz

What Qualcomm is really hyping is performance per watt. They’re claiming up to 75% faster CPU perf at the same power vs competitors and over 2x perf/watt gains for the GPU compared to the last X Elite. In AI tests they’re saying it’s like 5.7x faster than Intel’s Core Ultra 9 285H. Whether that holds up in the real world we’ll see, but on paper this is looking like ARM is getting seriously competitive in high-end Windows laptops.

For the home lab side of things, this has me wondering if we’re going to see these chips filter down into mini PCs and maybe even server-style boards? They’ve already submitted Linux patches, so it’s not just Windows. If you could run Proxmox or even container-heavy workloads on something like this with crazy efficiency, it could be huge and really a paradigm shift in hardware configurations. Imagine an 18-core ARM box sipping power but handling AI inference, VMs, and containers with USB4 and PCIe Gen5 expansion.

It feels like we’re seeing the same kind of momentum Apple brought with M1/M2/M3, but now in the Windows/ARM world. If Qualcomm and Microsoft can keep software compatibility as a priority, this could finally push ARM as a real alternative. I am thinking it could be a game changer for both enterprise laptops and maybe even small lab servers. I’m pretty excited to see how the ecosystem reacts when first devices land in 2026.

Snapdragon X2 Elite | Qualcomm

Anyone else looking at these and thinking ARM is finally about to have its moment?

Helm is already the go-to tool for deploying apps into Kubernetes. But one of the biggest concerns has always been the security of the packages. With this update, Docker is providing charts that automatically reference their Hardened Images. That means you get secure, SLSA Level 3 builds, and quick CVE patching that is built right in. For enterprise environments that need to comply with regulatory requirements, this will help close some big gaps. For home labbers, it just means less worry about pulling sketchy charts or images from random repos on the Internet.

The timing is also pretty interesting to me given Broadcom’s changes to Bitnami. A lot of the free Bitnami charts and images are now locked behind commercial subscriptions (Like everything Broadcom is doing). This has left many folks scrambling for alternative sources. Docker is positioning this as a drop-in option. You can still use free Docker Official Images. But if you want the extra security and enterprise-grade compliance, the hardened images with Helm charts are there.

The beta is invite-only for now, but Docker says they want feedback from teams to help shape which charts get priority. If you are experimenting with Kubernetes in your lab, or if you are in the enterprise looking at migration paths post-Bitnami, this is worth checking out.

Full announcement here: https://www.docker.com/blog/docker-hardened-images-helm-charts-beta/

A few highlights that stood out to me:

• There’s a brand-new security advisory system (VSA) so you have one place to track vulnerabilities across the whole Vates stack. That is a big deal if you are running this in production or even just want to stay patched in the lab and I think this is pretty much a requirement these days for being serious about the enterprise

• XCP-ng 8.2 finally hit end of life, so if you are still on that you will want to move to 8.3 as soon as you can

• EasyVirt’s DC Scope and NetScope are now baked right into XO, which means you can deploy them straight from your appliance. That means you can do resource optimization and cost tracking without leaving the XO UI

• UI refinements and smoother backups are good quality of life improvements with this one

• The REST API keeps getting more love, which is good news for automation

On the enterprise side, Vates has also announced a partnership with Eviden. This partnership will mean they validate their big Bull Sequana SH server hardware with XCP-ng. This looks to have serious horsepower with up to 8 socket servers and up to 960 vCPUs. It shows they are going after the VMware exodus hard and heavy.

For home labbers, the neat part is that all these features land in the same product you can spin up at home. Better backups, better APIs, and easier integration with monitoring or optimization tools. This means a smoother lab environment. Also home labs benefit as well knowing when CVEs now drop, allowing you to be more proactive with patching.

Overall, 5.111 looks like another step forward both for the enterprise crowd, especially those dropping VMware. This gives Vates a much more serious solution for scale and compliance in the enterprise. And, for home lab folks who just want things to run reliably with modern features and use what they may be using in production.

Full details here: https://xen-orchestra.com/blog/xen-orchestra-5-111/

The big headline is Netdata AI. They’re calling it your “co-SRE” for troubleshooting. You can ask it plain English questions about your infra like “why are my pods crashing in us-east-1” and it will spit out a report with timelines and possible causes. You also get automated investigations and alert root cause analysis. You also have the ability to schedule reports like weekly health checks. Everyone gets a handful (10) of free AI sessions to play with.

Another nice addition is chart annotations. You can now drop notes right on the charts to mark deployments, incidents, or whatever else you want to have tracked. Makes it way easier when you’re collaborating or just trying to remember what happened at a certain spike.

They also added a quick data export option. Any chart or table can be exported out to CSV, PNG, or PDF. Perfect if you want to share stuff outside of Netdata.

For folks running more complex setups, there’s now an OpenTelemetry plugin (alpha) that ingests metrics via OTLP gRPC and maps them to Netdata charts.

Couple of solid improvements too:

• SNMP profiles are now stable and default with 15k entries for better device coverage

• Nodes show up as node name/IP by default which is super handy

• A bunch of stability fixes to squash crashes and memory issues

I already pulled the update in my lab and going to play around with the new AI features. Curious if anyone else here has kicked the tires on 2.7.0 yet? Let me know.