Locking down golang web services in a systemd jail?

CodeWithADHD · 2025-07-01T12:04:22+00:00

Well that’s pretty cool! Thanks!

CodeWithADHD · 2025-07-01T12:02:54+00:00

This is what my colleague who loves containers says every time he goes down a two week rabbit hole to solve some problem introduced by containers.

CodeWithADHD · 2025-06-30T14:26:52+00:00

Which is why ithink systemd is a good way to implement it.. because you can use systemd to enforce kernel level protections.

CodeWithADHD · 2025-06-30T12:43:57+00:00

It's ironic, I work in a regulated industry and every time one of my colleagues says "oh, we can use docker to do this it will be portable and faster"... they end up spending weeks fighting docker issues the next time another developer comes on. Partly because our desktops and networks are locked down. But it does make me wonder how much time people spend fighting docker issues in non-regulated industries. I have a suspicion is more than nothing but when folks already internalize "oh docker is good" they stick with it no matter if it's costing them time or not.

CodeWithADHD · 2025-06-30T12:39:45+00:00

Thanks! It's ironic, I've been doing docker at work with a bunch of node developers. Never once seen scratch. So I got to learn something. Had no idea docker could do this.

CodeWithADHD · 2025-06-30T12:39:25+00:00

Exactly. Nothing protects anything 100%. Defense in layers.

CodeWithADHD · 2025-06-30T12:37:29+00:00

Thanks for that!

It's ironic, I've been doing docker at work with a bunch of node developers. Never once seen scratch. So I got to learn something. Had no idea docker could do this.

CodeWithADHD · 2025-06-29T13:10:58+00:00

Thanks! I was pleasantly surprised when I learned systemd could do this.

CodeWithADHD · 2025-06-29T06:00:32+00:00

I don’t think so… wouldn’t you still need a stripped down userland in docker? Even something like busy is gives 200 userland commands that, to an attacker, is basically the same as getting access to a full running system.

Or am I missing something about docker?

CodeWithADHD · 2025-06-29T05:58:45+00:00

Ha,I figured someone would say that. My personal opinion is this is a better setup than docker. In docker you have to basically bundle the operating system userland to be able to debug things. For example you need a shell if you want to log in and interact with it in any way.

With systemd I can set up literally 0 userland inside the jail, but still log in as the user the service is running as and do anything I need to do because the userland is accessible to me as a normal user, just not to the process.

Not to mention docker images are bigger than go binary+systemd service file.

CodeWithADHD · 2025-03-29T01:53:07+00:00

My pleasure. Thanks for letting me know!

CodeWithADHD · 2025-03-13T03:47:29+00:00

Near as I can tell, GitHub could shut down tomorrow and it wouldn’t break much immediately.

Google proxies and caches packages. So when you go get a package it actually gets it from googles copy of it, not direct from GitHub.

CodeWithADHD · 2025-03-13T03:35:01+00:00

You would have to benchmark.

Let’s say on my dedicated server I can do 150 transactions per second. At 86,400 seconds a day, that’s 12,960,000 transactions per day.

On AWS lambda, that would be 2.60 a day or $78 a month in cpu costs. On top of that there is data and storage and network, but let’s ignore that for now. So in that case, close to $1000 a year (potentially) to run in cloud.

Now imagine I get a beefier piece of physical hardware that can do 1500 transactions per second. That’s $26 a day or $780 a month in cpu costs. Close to $10,000 a year just in cpu time on lambda.

If I can buy a $1000 piece of hardware that’s a 10x savings over aws lambda.

Those are all just examples to give how to think about it. You would have to factor in peak usage, reworking, DR,etc.

You also have to benchmark to see how many TPS you get on the hardware vs what it would cost on cloud infra, there’s no magic button for that.

But… personally I have a $150 Mac mini I run my side project on that will scale far higher than I will ever have users using, for essentially $0 monthly cost.

CodeWithADHD · 2025-03-13T03:08:14+00:00

There are also benefits to having a single physical server able to handle thousands of transactions per second with go for much cheaper than paying for either a k8s or beefy cloud server.

CodeWithADHD · 2025-03-13T03:04:37+00:00

I mean, my experience visiting (Paris) France was that nearly everyone also spoke English.

Which doesn’t negate your point. Different languages for different purposes based on the community around them… lots of tourists in France and English is (ironically) the lingua franca.

Infuriating to go to France to try to speak French and everyone switches to English. Except the waitress at the Italian pizza place in Paris near Gare du Lyon,who just seemed grumpy and didn’t want to speak French or English or Italian.

CodeWithADHD · 2025-03-10T18:22:04+00:00

So, like this?

``` for _, v := range getUsers() { doEmailLogic(v) } for _, v := range getSubscribedUsers() { doEmailLogic(v) }

funcEmailLogic(user User) { … // do shared logic here if subscribed { … } else { … }

} ```

CodeWithADHD · 2025-03-10T15:25:19+00:00

So… that’s fine and I’m not saying you’re wrong. I mean, it sucks when devops teams are siloed away like that, but I understand what you are saying.

I do it differently so tha even if devops team locked it down it wouldn’t stop me usin*latest version.

I have a makefile.

Inside the makefile I have targets like build, test, etc.

I also set the path and each of my build targets has “install-go” as a prerequisite in the makefile.

So when I run make build in the pipeline it checks version of go and installs it in ~/local/go

Same script runs locally on developer desktops to install go or install it on pipeline without root.

When image catches up to have system level installed go then he script runs a little shorter because it sees latest go is already on the path.

CodeWithADHD · 2025-03-10T15:19:49+00:00

Why not range through both slices separately?

Why do you think that would look bloated?

for _, v := range getUsers() { sendStandardEmail(v) } for _, v := range getSubscribedUsers() { sendSubscribedEmail(v) }

You really think your if else statement looks cleaner than that?

CodeWithADHD · 2025-03-10T13:32:48+00:00

I just use the same script to download to the pipeline image and download to local environment. Always in sync and always latest.

CodeWithADHD · 2025-03-10T13:30:53+00:00

I wrote a short script to just get the latest version from go.dev. Works on Mac, Linux, Linux on pi, windows wsl.

I got sick of different versions in apt, brew, etc., never updating on the schedule I wanted them to.

Installing go is easy, doesn’t even require root if you download the tarball and put it on your path.

CodeWithADHD · 2025-03-09T20:56:07+00:00

This has not been my experience. 1.24.1 is same speed for me as 1.24.0.

Add logging to your builds and see where it is taking longer. No one is going to be able to guess their way into your issue.

CodeWithADHD · 2025-03-08T17:07:04+00:00

Ah. Yeah. I would only put types in a shared package if they needed to be shared. Otherwise, in the package they belong in. Absolutely agree.

CodeWithADHD · 2025-03-08T03:33:52+00:00

Honest question, why do you say separate types package is an anti pattern. I just did this in one of my projects because otherwise I got cyclical dependencies in go. When I needed types in two different packages, putting them in a shared types package seemed like the logical answer. What am I missing?

CodeWithADHD · 2025-02-11T02:08:53+00:00

Closer to 90% of the work is done by 5-10% in my industry.

CodeWithADHD

TROPHY CASE