non_burglar
@non_burglar@lemmy.world
- Comment on Virtual Machines vs LXC vs Docker: What’s the Real Difference? 1 day ago:
> Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things).
With respect, I think you misunderstand what gvisor does and containerization in general. cgroups2 is the isolation mechanism used by most modern Linux containers, including docker and lxc both. It is similar to the jail concept in BSD, and loosely to chroot. It limits child process access to files, devices, memory, and is the basis for how subprocesses are secured against accessing host resources without the permission to do so.
Gvisor adds more layers of control over this system by adding a syscall control plane to prevent a container from accessing functions in the host’s kernel that might not be protected by cgroups2 policy. This lessens the security risk of the host running a cutting-edge or custom kernel with more predictable results, but it comes with caveats.
Gvisor is not a universally “better” option, especially for homelab, where environment workloads vary a lot. Gvisor comes with an IO performance penalty, incompatibility with selinux, and its very strength can prevent containers from accessing newer syscalls on a cutting edge host kernel.
My original comment was that ultimately, there is no blanket answer for “how secure is my virtualization stack”, because such a decision should be made on a case-by-case basis. And any choice made by a homelabber or anyone else should involve some understanding of the differences between each type.
- Comment on Virtual Machines vs LXC vs Docker: What’s the Real Difference? 2 days ago:
Subjective to security practice. There are more appropriate factors than blanket statements on a technology’s inherent “security” when deciding the format and shape of virtual software spaces.
> in a memory safe language
Ultimately, the implementation is more important than the underlying code when it comes to containers. cgroups2 works the same for gvisor as it does for LXC.
- Comment on (XMPP Setup Guide) Discord Was Never the End Game - TonyBTW 2 days ago:
I’ve tried it. It performs poorly.
- Comment on Raid Z2 help 2 days ago:
For context, I’ve also been using ZFS since Solaris.
I was wrong about compression on datasets vs pools, my apologies.
By “almost no impact” (for compression), I meant well under 1% penalty for zstd, and almost unmeasurable for lz4 fast, with compression efficiency being roughly the same for both lz4 and zstd. Here is some data on that.
Lz4 compression on modern (post-haswell) CPUs is actually so fast, that lz4 can beat non-compressed writes in some workloads (see this). And that is from 2015.
Today, there is no reason to turn off compression.
I will definitely look into the NFS integrations for ZFS, I use NFS (exports and mounts) extensively, I wonder what I’ve been missing.
Anyway, thanks for this.
- Comment on Raid Z2 help 3 days ago:
With respect, most of this comment is wrong.
- Both lz4 and zstd have almost no performance impact on modern hardware.
- compression acts on blocks in ZFS, therefore it is enabled at the pool level
- ZFS does indeed need to allocate some space at the front and end of a pool for slop, metaslab, and metadata. I think you are confusing filesystem and datasets.
> Also remember that many permissions like nfs export settings are done on a per filesystem basis
- I’m not sure what you’re trying to say about NFS and ZFS, here but this is completely false, even if you mean datasets.
- Comment on Network Security Audit 4 days ago:
OK, well it’s not harming anything, so if you’re game to learn, by all means.
When you look at traffic on a public interface, besides learning what to filter out as just normal (probes, crawls, etc. from legit sources), you will also run into badly-formed TCP traffic:
- Martian packets: en.wikipedia.org/wiki/Martian_packet
- IP spoofing: en.wikipedia.org/wiki/IP_address_spoofing (I used to have a better resource for this, I’ll try to find it)
- How RPC works: pentest.co.uk/…/researching-remote-procedure-call…
That should help clarify a lot of what you’ll see in traffic on your segment.
You may also want to briefly read about how CDNs work, you’ll see a lot of akamai and cloudflare traffic too.
- Comment on Network Security Audit 4 days ago:
Running suricata on your wan interface is just generating a ton of noise and will be really confusing for you if you haven’t reviewed packet inspection alerts before. Not a lot of value in it unless you have many users “phoning home”.
Just run it on the lan interface.
- Comment on Network Security Audit 4 days ago:
OP is running suricata.
- Comment on Readarr Forks/Replacements 4 days ago:
??
Calibre-web isn’t two separate applications, it’s a calibre-compatible database served via http. There is no desktop “calibre” involved.
There is integrated koreader sync, though.
- Comment on Raid Z2 help 5 days ago:
That’s still true, but performance has changed a lot since Jim Salter wrote that. There was a time when 2x mirrored vdevs (the equivalent to raid 10) would have been preferable to raidz2, but performance of both ZFS and disks themselves has improved enough that there wouldn’t be much of a difference in performance between these two in a home lab.
Personally, I agree with you in that mirrors are preferable, mostly because I don’t really need high availability as much as I want an easier time restoring if a disk fails.
- Comment on Mini PC to replace fiber modem and wifi router. How to proceed? 5 days ago:
Most fiber services register the sfp/sfp+ module. It is much cheaper, easier and usually not against the terms of service to just use the isp-provided sfp in your own routing device instead of messing with OLT settings and custom firmware on a $160 WAS.
- Comment on iDeck - yet another start/home page 6 days ago:
The logo is bad. “Dogshit” is appropriate here.
- Comment on Tailscale Services GA: App-aware connectivity with more control 1 week ago:
> Enshitification happens.
I don’t think that’s a given necessarily, I think it’s a common pattern under the vc funding -> IPO model.
But companies like Steam and Patagonia show that companies don’t all have to follow the same predictable enshittification arc.
- Comment on OpenWrt & fail2ban 1 week ago:
Wow, there’s a lot going on in there.
- Comment on Heaper, new tools to organize docs, photos [YouTube] 1 week ago:
Yes, that’s what I get from that as well.
I guess as long as users get some options for import/export/backup then it isn’t that bad. I’m reading over the docs again and I don’t think it’s as bad as I initially read into it.
This project would benefit from some documentation curation.
- Comment on Heaper, new tools to organize docs, photos [YouTube] 1 week ago:
Sigh…
That stupid way of explaining the license plan aside, are we again having to explain that we don’t want our data locked into yet another db format?
- Comment on I wrote a blog post on selfhostesd software to be more organzed 1 week ago:
So I just use it by authorizing my wife and kids to use fmd commands, which means I just tell my wife to send me a text with “fmd ring” and it will start ringing until I find and stop it.
Also, it will message my wife and kids if the phone gets below 5%
- Comment on I wrote a blog post on selfhostesd software to be more organzed 1 week ago:
Nice article, and a fresh practical take on FOSS.
FMD is great, I use it frequently.
- Comment on 1 week ago:
> Let them read the documentation so I don’t have to.
Exactly why the article promotes stupidity. Why in the world would you put those words down proudly?
- Comment on 1 week ago:
You do not need a VPS, proxy, or wireguard for letsencrypt.
- Comment on home system setup advice 2 weeks ago:
> Setting it up with zero experience with how it works or how ZFS works was quite intimidating for me.
But you got through it, and ZFS isn’t a walk in the park for most. I think you’re selling yourself short.
As someone else mentioned, leaving truenas on the asustor and using a container orchestrator or a hypervisor on the Xeon machine sounds like a good plan to me.
- Comment on In light of changes coming to discord: Sharkord 2 weeks ago:
I fully agree.
- Comment on In light of changes coming to discord: Sharkord 2 weeks ago:
> The whole reason everyone moved to Discord was because it was a centralized place and since Discord needed to pay for its servers, it had to find a way to finance that, and enshittification naturally happened.
No! Stop perpetuating this “they have bills to pay” bullshit. Discord has more than enough money to run itself and be profitable.
The enshitification happens in services like Discord when shareholders gain control of the product.
- Comment on How to use Radicale with iOS 2 weeks ago:
Yes.
- Comment on How to use Radicale with iOS 2 weeks ago:
That’s actually easier than on Android, where we need a caldav sync provider app.
- Comment on Simple utility to rename folders/files in a format Jellyfin expects 2 weeks ago:
I don’t have any specific recommendations for a discrete tool for this, but radarr and sonarr can do this automatically if you enable it.
- Comment on Question: Is there a Self Hosted Discord like app? 2 weeks ago:
I’ve always found the Discord ui on desktop and mobile to be really bad, just very busy and unintuitive.
- Comment on How to Use Local IP for Services when at Home? 2 weeks ago:
WG Tunnel. It does exactly this.
When I leave my WiFi, tunnel turns on. When I rejoin my WiFi, tunnel turns off.
- Comment on Am I doing this (networking) safely? 2 weeks ago:
Didn’t you say you have a whitelist of allowed ips? Why don’t you just drop any other inbound traffic?
- Comment on Am I doing this (networking) safely? 2 weeks ago:
This is a waste of time and your router’s CPU. You already have a whitelist and know your safe TCP sources, so just drop all wan traffic and only allow new input from the whitelist. Your chain input rule is just creating a pretty list of bots you’re dropping anyway.
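An added example, not code from any comment in this thread, of the ruleset shape the two “Am I doing this (networking) safely?” comments argue for, combined with the Martian-packet point from the “Network Security Audit” comments: a default-drop input chain on the WAN side, established connections allowed, spoofed/Martian sources dropped without logging, and only the whitelist allowed to open new connections. The interface names (`eth0` for WAN, `br-lan` for LAN), the admin ports, and the whitelist addresses (taken from the RFC 5737 documentation ranges) are constructed placeholders, not values from the thread.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the thread). Assumptions: WAN is eth0,
# LAN is br-lan, admin services listen on 22 and 443, and the whitelist
# below is a constructed placeholder that you replace with your real sources.
flush ruleset

table inet filter {
    # Constructed placeholder whitelist (RFC 5737 documentation ranges).
    set trusted_wan {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    # Source ranges that should never arrive on a public interface
    # (Martian sources: "this" network, RFC 1918 private space, loopback,
    # link-local, multicast and the reserved class E block).
    set martians {
        type ipv4_addr
        flags interval
        elements = { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16,
                     172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/4, 240.0.0.0/4 }
    }

    chain input {
        # Default drop: anything not explicitly accepted is silently discarded,
        # so there is no per-packet log entry for every scanner that knocks.
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Clients on the LAN may talk to the router itself.
        iifname "br-lan" accept

        # WAN: spoofed / Martian sources are dropped before anything else.
        iifname "eth0" ip saddr @martians drop

        # WAN: only the whitelist may open new connections to admin services.
        iifname "eth0" ip saddr @trusted_wan tcp dport { 22, 443 } ct state new accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # LAN clients may reach the internet; nothing new is forwarded inbound.
        iifname "br-lan" oifname "eth0" accept
    }
}
```

Load it with `nft -f` on the router and confirm with `nft list ruleset`. The point of the layout is that the drop policy does the work: there is no separate logging rule on the WAN input, because, as the comment says, that only builds a list of bots that were going to be dropped regardless. If you want visibility into whitelist activity rather than noise, add a `log` statement to the accept rule for `@trusted_wan` only.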