moonpiedumplings
@moonpiedumplings@programming.dev
- Comment on Nextcloud appreciation post 1 month ago:
What was it? I’m planning to do a nextcloud deployment via helm soon.
- Comment on If hot air rises, why is it colder at the top of a mountain? 2 months ago:
- Comment on Ubuntu will manually review Snap Store after crypto wallet scams 2 months ago:
One of the downsides to hardcoding snap to only be able to use a single repo/store is probably added difficulty in creating testing infra for testing if uploads/CI/CD work.
lol, one of the first ones I click on: snapcraft.io/test-snapd-public (by Canonical)
A basic buildable snap that is expected to be published in public mode
Maybe if they didn’t insist on holding a monopoly over the store, they would be able to have an internal version of the store for testing, rather than cluttering the public one.
- Comment on We’re one step closer to a global cybersecurity standard for smart home devices 3 months ago:
“It’s a huge step forward to have a global consumer IoT security certification. It’s so much better than not having one,” Steve Hanna, Infineon
- Comment on PSA: Docker nukes your firewall rules, and replaces them with its own. 3 months ago:
Docker’s manipulation of nftables is pretty well defined in their documentation
Documentation people don’t read. People expect that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.
As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.
Too bad people don’t read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver’s webtop, because it’s an example of two of the worst footguns in docker in one.
To include the rest of my comment that I linked to:
Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?
No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.
On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.
Your original point was:
I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add firewall rules for a new container.
And I’m trying to say that even if that was true, it would still be better than a footgun where people expose stuff that’s not supposed to be exposed.
But that isn’t the case for podman. A quick look through the github issues for podman, and I don’t see it inundated with newbies asking “how to expose services?” because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.
- Comment on PSA: Docker nukes your firewall rules, and replaces them with its own. 3 months ago:
Probably not an issue, but you should check. If the port opened is something like 127.0.0.1:portnumber, then it’s only bound to localhost, and only that local machine can access it. If no address is specified, then anyone with access to the server can access that service. An easy way to see containers running is docker ps, where you can look at forwarded ports. Alternatively, you can use the nmap tool to scan your own server for exposed ports. nmap -A serverip does the slowest, but most in-depth scan.
- Comment on PSA: Docker nukes your firewall rules, and replaces them with its own. 3 months ago:
Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.
I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add firewall rules for a new container.
My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn’t be exposed.
Excerpt from another comment of mine:
It’s only docker where you have to deal with something like this:
---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped
Originally from here, edited for brevity.
Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.
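As an added check that is not part of the original comments, the following script scans a compose services mapping for the two footguns described in the two posts above: ports published with no host address (Docker binds them on every interface, past the host firewall) and a bind-mounted Docker socket. The webtop input is constructed from the fragment quoted above, not copied from linuxserver’s docs, and is passed as a dict so the script runs without PyYAML.

```python
"""Flag the two Docker footguns discussed above: published ports with no host
address (Docker binds them on every interface, past the host firewall) and a
bind-mounted Docker socket. The compose 'services' mapping is passed as a dict
so this runs without PyYAML."""
DOCKER_SOCK = "/var/run/docker.sock"
ANY_ADDR = (None, "0.0.0.0", "::")   # None: entry names no address, Docker binds 0.0.0.0

def parse_port(entry):
    """Split a compose short-syntax port entry into (host_ip, host_port, container_port).
    Handles "3000", "3000:3000", "127.0.0.1:3000:3000", "[::1]:80:8080" and a /tcp or /udp suffix."""
    spec = str(entry).split("/", 1)[0]
    host_ip = None
    if spec.startswith("["):                     # bracketed IPv6 host address
        host_ip, spec = spec[1:].split("]:", 1)
    parts = spec.split(":")
    if len(parts) == 3:                          # ip:host_port:container_port
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:                        # host_port:container_port
        host_port, container_port = parts
    else:                                        # container_port only (ephemeral host port)
        host_port, container_port = None, parts[0]
    return host_ip, host_port, container_port

def audit_service(name, service):
    """One finding per port reachable on all interfaces or Docker-socket mount."""
    findings = []
    for entry in service.get("ports", []):
        host_ip, _, cport = parse_port(entry)
        if host_ip in ANY_ADDR:
            findings.append(f"{name}: {entry} reachable on all interfaces (container port {cport})")
    for vol in service.get("volumes", []):
        if str(vol).split(":", 1)[0] == DOCKER_SOCK:
            findings.append(f"{name}: mounts {DOCKER_SOCK}; container can control the host")
    return findings

def audit(services):
    return [f for name, svc in services.items() for f in audit_service(name, svc)]

# Constructed inputs: the webtop service roughly as quoted above, then the same
# service bound to loopback only with the socket mount dropped.
WEBTOP_AS_POSTED = {"webtop": {
    "volumes": ["/path/to/data:/config", f"{DOCKER_SOCK}:{DOCKER_SOCK}"],
    "ports": ["3000:3000", "3001:3001"]}}
WEBTOP_LOOPBACK = {"webtop": {
    "volumes": ["/path/to/data:/config"],
    "ports": ["127.0.0.1:3000:3000", "127.0.0.1:3001:3001"]}}

if __name__ == "__main__":
    print("\n".join(audit(WEBTOP_AS_POSTED) or ["no findings"]))
```

Binding to 127.0.0.1 only keeps the service reachable from the host itself (for example behind a reverse proxy), which is the behaviour most people assume the firewall already gives them.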
- Comment on Cloudflare Alternative 3 months ago:
If you need public access:
github.com/anderspitman/awesome-tunneling
From this list, I use rathole. One rathole container runs on my vps, and another runs on my home server, and it exposes my reverse proxy (caddy), to the public.
- Comment on Ubicloud wants to build an open source alternative to AWS | TechCrunch 3 months ago:
Provision Management Software: Openstack skyline/horizon
Compute: Openstack nova
And so on. Openstack is also many, many components, that can be pieced together for your own cloud computing platform.
Although it won’t have the sheer number of services AWS has, many of them are redundant.
The core services I expect to see done first: compute, networking, storage (+ image storage), and a web UI/API
Next: S3 storage, Kubernetes as a service, and then either Databases as a service or containers as a service.
But you are right, many of the services that AWS offers are highly specialized (robotics, space communication), and people get locked in, and I don’t really expect to see those.
- Comment on Ubicloud wants to build an open source alternative to AWS | TechCrunch 3 months ago:
AWS is software. Just not something you can self host.
There already exist alternatives to AWS, like localstack, a local AWS for testing purposes, or the more mature openstack, which is designed for essentially running your own AWS at scale.
- Comment on Stacks for Simple Static Sites 4 months ago:
I use quarto.org
Pros: Markdown, easy to use. Docs are very good. Also, despite being a static site, it comes with fulltext site searching, all done locally, enabled by default:
quarto.org/docs/websites/website-search.html
Cons: No support for any kind of templating beyond simple variable replacement, as far as I know.
- Comment on I’d rather stay up anyway 4 months ago:
Such a pattern is common in Spain, called “Siesta”.
I used to do this before my days got busier, now I aim for one 6-8 hour block at night.
You can also look into “polyphasic sleep” - which doesn’t actually work unless you get enough sleep though.
Siesta, and what you do is “biphasic sleep” - two phases.
- Comment on Broadcom yanks ESXi Free version, effective immediately 4 months ago:
Nothing that is more questionable than lxd, which now requires a contributor license agreement, allowing canonical to not open source their hosted versions, despite lxd being agpl.
Thankfully, it’s been forked as incus, and debian is encouraging users to migrate.
But yeah. They haven’t said what makes proxmox’s license questionable.
- Comment on What if an SQL Statement Returned a Database? 4 months ago:
You forgot “squeal”
- Comment on Tunnelling a port from a separate computer 4 months ago:
Someone recommended ssh, which is good, but it can’t do udp connections.
github.com/anderspitman/awesome-tunneling
From this list, I selected rathole since they claimed to be more performant than frp, the most popular solution.
- Comment on FLOSS communities right now 4 months ago:
Around 95+ here (100 is max for non nitro users), and I’m noticing a significant delay when loading.
I use the browser version of discord in firefox.
- Comment on Does Harry Potter only know fifth grade math? 4 months ago:
pretty much the only character with real, proactive agency in this story is Quirrell
I stopped reading it halfway through, and was too lazy to figure out why.
This explains it.
- Comment on Should i host LinguaCafe or are there better alternatives? 5 months ago:
your typical manga/light novel weebo
No chinese support :(
I read a ton of web novels translated from Chinese, and reading the untranslated versions would be a fun way to learn a language. Or Korean.
I don’t really like the Japanese light novels as much.
- Comment on Recommendations on running GPTs on Asahi - M1 Ultra? 5 months ago:
The tldr as I understand it is that Mac M1/M2 devices are unique in that the vram (gpu ram) is the same as the normal ram. This sharing allows LLM models to run on the gpu of those chips, and in their “vram” as well.
Llama.cpp was the software that users use to do this. I can’t find the original guide/article I looked at, but here is a github gist, where the commenters have done benchmarks:
- Comment on Adding services to an existing Docker nginx container 5 months ago:
If I run two mysql containers, it won’t necessarily take twice the resources of a single mysql container
It’s complicated, but essentially, no.
Docker images are built in layers. Each layer is a step in the build process. Layers that are identical are shared between containers, to the point of it taking up the ram of only running the layer once.
Although, it should be noted that docker doesn’t load the whole container into memory, like a normal linux os. Unused stuff will just sit on your disk, just like normal. So rather, binaries or libraries loaded twice via two docker containers will only use up the ram of one instance. This is similar to how shared libraries reduce ram usage.
Docker only has these deduplication features if you are using overlayfs or aufs, but I think overlayfs is the default.
moonpiedumplings.github.io/…/setting-up-kasm/#tur…
Please just run two databases on your single mysql container. That is best practice, and probably best for your sanity.
- Comment on Why is Google allowed to remove purchases from our Play Store accounts without telling us? 5 months ago:
There exists stuff like this.
Virtualxposed. Sandvxposed.
The most popular one I heard about vmos, www.vmos.com
But that one was android 8 (I think?) closed source, and probably spyware inside and outside the thing.
Also, new changes by google may break these emulator type apps:
- Comment on Help with NGINX? so close... 5 months ago:
Nginx and nginx proxy manager are two different things, although nginx proxy manager uses nginx underneath the hood.
Nginx is a lightweight reverse proxy and http(s) server configured via config files.
Nginx proxy manager is a docker container that runs nginx, but also has a webui on top of it to make it much, much easier to configure.
Sometimes abbreviated as NPM.
That’s why people keep asking you for your nginx config since when you just say nginx, people are expecting that you are using just nginx, and configuring it through text files.
- Comment on [deleted] 6 months ago:
I run languagetool locally, and it’s actually really good, but the browser extension is closed source, so even though I can point it at a local server, I don’t know if it’s logging what I type.
But libreoffice has built in support, which is great.
- Comment on Yes 7 months ago:
No I swear, I was gonna do more than that.
Maybe like, a static site as well. And a backup server. Y’know, things you need openstack for.
looks away guiltily
- Submitted 7 months ago to selfhosted@lemmy.world | 0 comments
- Comment on What would you use to remotely support a computer with "LAN" access? 7 months ago:
I use meshcentral to manage a few (like 6) computers and do remote assistance. Best solution for your usecase imo.
- Comment on FOSS Deep Packet Inspection software? 7 months ago:
I heard obfsproxy
Yeah, tor obs4 bridges.
But somehow, my high school managed to block those. My high school was literally more locked down than the great firewall of China.
I set up: github.com/cognetwork-dev/Metallic
At first, then I eventually switched to github.com/v2ray/v2ray-core as metallic struggled on some things. Both v2ray and xray are built for the great firewall of China, and iirc, they use the same tech.
- Comment on There once was a programmer 8 months ago:
Sometimes whatever you are working with will have outdated or really poor docs, so an advanced internet info aggregator is useful in that sense.
I started learning nix before chatgpt and it was a nightmare. I had to continually ask for help on discord, of all places, for things that should really be in the docs.
Chatgpt makes nix easier, except not really because its info is outdated a lot of the time.
- Comment on [IDEA] automatic advertisement software 8 months ago:
Somewhat related, there is a site I follow called royalroad. Royalroad is a site for web serials, which are basically books uploaded to the internet chapter by chapter.
Although royalroad used to be only google ads, at some point they started accepting user submitted ads. (Also, ads on that site have always been unobtrusive).
I like these ads much better because they are more privacy respecting (literally an a image and a link).
Also, they are really funny. Users with no art skills will make memes, or doodle stick figures, and I clicked on that one anyways, and the story was soooo good.
- Comment on Linux Workspace for Browser 8 months ago:
You want webtop: docs.linuxserver.io/images/docker-webtop
But just like with kasm, not all software will work, although I think most will.
About kasm:
Not really. I don’t think the default kasm images come with sudo or a root password, so you can’t “sudo apt” or the like.
If you do create a software image with sudo, then yes, but only for a single session, if you keep it long running. Every time you destroy the session completely it will be reset.
Although, if you need software in your images, it’s better to just build your own docker images for use with kasm, that have everything you want.