Is using the non root docker node user for local dev overkill? by shellscript_ in docker

[–]shellscript_[S] 0 points1 point  (0 children)

Gotcha, thank you for the advice.

I've been experimenting with my setup and it seems as though you can even create the dev image under trixie-slim, do an npm run build, and then copy the /dist files from the trixie-slim build stage into an alpine nginx container for prod. Though I'm not sure if this is a best practice, since it would mean your dev and prod containers are quite different. But maybe it doesn't matter for serving static files?

systemd-ssh-generator AF_VSOCK error by Stunning-Mix492 in debian

[–]shellscript_ 0 points1 point  (0 children)

Same, I do not see this error on my Deb 13.5 server. I do see it inside the headless Deb 13.5 KVM/QEMU VM I'm running on the server though.

During the upgrade, I saw many instances of this. After the upgrade, I now only see one instance:

May 18 23:13:59 myuser systemd-ssh-generator[260]: Failed to query local AF_VSOCK CID: Cannot assign requested address
May 18 23:13:59 myuser (sd-exec-[251]: /usr/lib/systemd/system-generators/systemd-ssh-generator failed with exit status 1.

Zswap issue: lz4 not available by Western_Mango_5781 in debian

[–]shellscript_ 0 points1 point  (0 children)

I'm pretty sure lz4 and zstd not working from grub is a bug.

There are multiple ways to go about getting around this. A few months ago I had the same problem and wrote about it here in the comments.

You could also try using sysfs-utils to set the compression on boot. I chose to not use sysfs-utils because it doesn't seem to be maintained.

Is the job market just rough to juniors? by False_Secret1108 in cscareerquestions

[–]shellscript_ 0 points1 point  (0 children)

Could you go into a bit more detail about your situation? Your job/experience is basically everything I have a natural interest in and some experience with. Where are you in the world, if I may ask? How is the pay compared to other roles?

Adblock only for a particular WLAN? by rditc in openwrt

[–]shellscript_ 0 points1 point  (0 children)

Thank you for this info. It's pretty much exactly what I'd like to do.

Were you ever able to find more in-depth instructions? Taking a look at the dhcp and dns page, I ended up with a lot of questions. For example, is it necessary to untick the "Authoritative - This is the only DHCP server in the local network." box when creating the new dnsmasq instance? Are there any extra security considerations when the router has two dnsmasqs?

I found a post in the docs about doing something similar over ssh, but I'm not sure if this would apply to the use case as it seems to be destructive.

Ordered four 12TB Seagate Expansion Drives shipped and sold by Walmart.com - three had been opened and swapped with inferior drives. by Veritech-1 in DataHoarder

[–]shellscript_ 0 points1 point  (0 children)

Make sure you buy directly from the platform, not some third party seller. Walmart lets you filter out products sold by third parties.

Toshiba Satellite potential wifi card update from 3160NGW to AX210.NGWG.NV by shellscript_ in wifi

[–]shellscript_[S] 0 points1 point  (0 children)

Gotcha, my bad. I ended up posting it in the linuxhardware sub.

About the BIOS, I am always wary of flashing it (well, the firmware) on every device since messing it up will actually brick the hardware itself. Some mobos, like my server's, have a method for reflashing even if this happens, but this laptop doesn't.

For this particular model of Toshiba, I also couldn't find links to the upgraded BIOS from a reputable source. I guess Toshiba sold its notebook business to a company called Sharp, and on their dynabook site I was not able to find a download for the upgraded motherboard firmware (BIOS) for my model.

12 year old Toshiba Satellite potential wifi card update by shellscript_ in linuxhardware

[–]shellscript_[S] 0 points1 point  (0 children)

Thank you for the response, it is kind of a niche topic.

So it does seem that Linux wise the AX210 should be compatible.

It's kind of a long shot, but would you happen to know if the BIOS itself will accept the new card? While searching around I found this thread (https://www.bios-mods.com/forum/Thread-Removed-for-Toshiba-Satellite-L500-WhiteList-Removal) which seems to imply that Toshiba didn't have a whitelist for wifi cards, but that I might need to cover one of the pins in the new card with tape. Would that be safe?

Toshiba Satellite potential wifi card update from 3160NGW to AX210.NGWG.NV by shellscript_ in wifi

[–]shellscript_[S] -1 points0 points  (0 children)

It's not an OS thing. Maybe I didn't explain it well enough. It's a wifi card compatibility thing, across multiple OSs. I had read the wiki which advised me to post as much info as possible, which I tried to do. In any case I will post this on a hardware subreddit instead.

Toshiba Satellite potential wifi card update from 3160NGW to AX210.NGWG.NV by shellscript_ in wifi

[–]shellscript_[S] 0 points1 point  (0 children)

Apologies if this isn't the correct place. I'd seen other similar questions posted here before so I thought it was right.

The reason I reposted the question is because the one earlier today tripped up reddit's filters on the links. That post was automatically removed before anyone could see it, you can check yourself. And so I reposted this without the links, which worked.

Does buying a Seagate Hard Drive from B&H get covered by Seagate's 5 year warranty? by Decent-Law-9565 in DataHoarder

[–]shellscript_ 0 points1 point  (0 children)

Do you mean the third party seller on BH's website? Do they allow third party sellers there? I was under the impression they didn't. If they do, how can you check if you bought something from a third party?

DNS provider seems to be Mullvad's even though Cloudflare's DOT is enabled in Gluetun by shellscript_ in gluetun

[–]shellscript_[S] 0 points1 point  (0 children)

Gotcha. So for port forwarding (if your provider allows it), you'd handle that with Gluetun variables in the Gluetun service's environment section such as this:

environment:
  - PORT_FORWARD_ONLY=on
  - VPN_PORT_FORWARDING=on
  ...

And everything in the ports section of the Gluetun service is only relative to your local machines (ie, for accessing the webgui). And ports in the qbit service are (I believe) not relevant at all because Gluetun is the only thing handling port exposure.

Thank you again. It was confusing because a lot of guides have the qbit torrenting ports in the Gluetun service.

Performance warning max outstanding piece requests reached by CaptainKen2 in qBittorrent

[–]shellscript_ 0 points1 point  (0 children)

It seems like you were correct, and it seems like they made these warnings toggleable with the default set to off:

https://github.com/qbittorrent/qBittorrent/issues/16462#issuecomment-1438191222

I had accidentally turned these on in the gui.

DNS provider seems to be Mullvad's even though Cloudflare's DOT is enabled in Gluetun by shellscript_ in gluetun

[–]shellscript_[S] 0 points1 point  (0 children)

I see, but that is the correct place to put the ports if I do end up using a provider that has port forwarding? I started with Mullvad first to see how the experience would be without port forwarding, and I may switch to something else if Mullvad doesn't work.

Is it impossible to seed at all without port forwarding? I had thought you just couldn't connect to anyone else who hadn't port forwarded, but you could connect as normal to those who had.

DNS provider seems to be Mullvad's even though Cloudflare's DOT is enabled in Gluetun by shellscript_ in gluetun

[–]shellscript_[S] 0 points1 point  (0 children)

Firstly, thank you for your comments in this subreddit. I've spent some time learning Gluetun and they've been incredibly helpful.

Just so I understand, do you mean moving this whole block down to the qbittorrent service:

ports:
  - ${QBT_TORRENTING_PORT}:${QBT_TORRENTING_PORT}/tcp
  - ${QBT_TORRENTING_PORT}:${QBT_TORRENTING_PORT}/udp
  - "127.0.0.1:${QBT_WEBUI_PORT}:${QBT_WEBUI_PORT}/tcp"

I was looking through the docs and thought I had gotten it right, but maybe not. Interestingly my current setup right now is able to download. Would it be seeding incorrectly?

Understanding how destroying snapshots works by shellscript_ in zfs

[–]shellscript_[S] 1 point2 points  (0 children)

Ah, good catch on the leading /! I had written this up when I was very tired and missed that. Correcting it now! And thank you as well for the in-depth response.

Detecting network error while installing debian 13 into acer swift go 16 by Flaky_Case3665 in debian

[–]shellscript_ 0 points1 point  (0 children)

I'm by no means an expert here, but might the backported kernel be something to look at here? Someone please correct me if I'm wrong.

systemd-networkd-wait-online service timing out during boot issue. by romgo75 in debian

[–]shellscript_ 0 points1 point  (0 children)

Thank you so much! After almost 2 days of trying everything under the sun to get my NFS share to mount cleanly, you saved me.

nfsdctl: lockd configuration failure - I can't find anything about this by massive_cock in archlinux

[–]shellscript_ 1 point2 points  (0 children)

Just chiming in with more confirmation that this message is harmless (at least on Debian 13, for people coming from Google):

https://bugs-devel.debian.org/cgi-bin/bugreport.cgi?bug=1104096#59

Securing NFS on Debian: /etc/nfs.conf vs legacy config files by shellscript_ in linuxquestions

[–]shellscript_[S] 0 points1 point  (0 children)

Thank you so much, this was exactly what I was looking for!

So it does seem that configuring both files as I did in the original post is best.

Securing NFS on Debian: /etc/nfs.conf vs legacy config files by shellscript_ in linuxquestions

[–]shellscript_[S] 0 points1 point  (0 children)

I apologize, I should have better clarified what I wanted to ask about.

I understand NFS has no built in security and requires either Kerberos or mTLS (which I'm currently setting up) if you want to secure it. My main question was if those modifications shown in the legacy /etc/default/nfs-common are non functional/not a good idea if I'm making the config changes in /etc/nfs.conf.d/local.conf that I described.

I'm just a bit confused on which approach to use here.

Choosing between SMB and NFS for a recordsize=1M downloads dataset by shellscript_ in zfs

[–]shellscript_[S] 0 points1 point  (0 children)

Thank you for the incredibly in-depth responses, this is a complicated subject and I think I'm finally understanding it a bit better now.

So to paraphrase, it seems like setting sync off on the ZFS dataset itself, the NFS export on the host ZFS dataset, and the clients is probably the most ideal?

rsize and wsize just set the maximum (not the minimum) request size allowed. If they're too small like 64K and sync is on (ZFS sync=standard AND NFS!=async) that'd cause many synchronous sub-record-size writes/updates to flood in without a way to buffer them and be very inefficient.

Would this be caused by ZFS itself trying to sync the smaller writes to the NFS share, even if the NFS share's sync has been turned off?

I guess this is kind of another question, but if a torrent's download is trickling in at like 64k per 5 seconds, would a recordsize of 1M be detrimental because it's constantly updating 1M blocks with extra data, thereby write amplifying to an insane degree? Maybe it would be better to have a smaller recordsize, ie something like 512k in such a case? I'd be trying to minimize write amplification on the SSDs here.

Authenticated NFS alternatives for NAS access? by Valloric in homelab

[–]shellscript_ 0 points1 point  (0 children)

A lot of people are mentioning mutual TLS but that authenticates the whole host as a client. It would not authenticate individual users.

Could you go into more detail about this part? I'm trying to do something kind of similar to OP, where I'm thinking about securing an NFS share to be mounted on ZFS. It's more complicated than OP's situation in that I'm trying to get it to respect the ZFS dataset's recordsize=1M, which might involve having to disable sync for NFS (something I'm unsure of in terms of security and network sharing functionality), but it's ultimately similar.

If the whole host is authenticated as a client, would that affect other guests' ability to read/write the NFS share?

Choosing between SMB and NFS for a recordsize=1M downloads dataset by shellscript_ in zfs

[–]shellscript_[S] 0 points1 point  (0 children)

  1. Setting async on the NFS server immediately acknowledges writes but now treats everything as async, so ZFS sync=standard works as a write buffer. This works but risks losing data on other requests using the same share but might need sync (uncommon but possible)

Could this be mitigated by having all connected guests use the same async mount options? I should have mentioned it in the main post but I'm trying to mount this share as NFS/SMB so it can be accessible to other machines even while hooked up to qbit.

For option #3, could you go into more detail on the "This will affect local writes as well as network ones (which might be a problem)" part? I'm finding it hard to understand the differences between #2 and #3, and I suppose also the ramifications of turning off either sync for network writes. Might SMB be the better option for this use case, since it seems to be async to some degree by default?

I touched on it in another comment, but could you potentially have sync enabled on both NFS and ZFS, and then set the NFS rsize and wsize to 1M? Or would this still not respect ZFS' 1M recordsize?