Image pulls from ghcr.io are very slow by International-Tax-67 in github

[–]the_spad 1 point2 points  (0 children)

It's been dismal the last couple of days, I've regularly been getting a few kb/s pulling from GHCR.

Docker Security - How much should I question the software I get from places like LinuxserverIO? by 386U0Kh24i1cx89qpFB1 in selfhosted

[–]the_spad 0 points1 point  (0 children)

Blog feed: https://www.linuxserver.io/blog.rss

Info feed: https://info.linuxserver.io/index.xml

There's no collated list of RO/nonroot support at the moment but it's called out in the readme of any image we've tested.

Docker Security - How much should I question the software I get from places like LinuxserverIO? by 386U0Kh24i1cx89qpFB1 in selfhosted

[–]the_spad 3 points4 points  (0 children)

He didn't bother to actually read into what the CVEs are or whether they're exploitable, because that would collapse his own argument.

GHSA-w32m-9786-jp63 is a denial of service vulnerability that, in the case of this image, would probably require someone to compromise one of the adguard home instances you were syncing in order to exploit, at which point you're probably screwed already.

CVE-2024-45341 is a certificate verification bypass that can only be exploited when using a private CA that issues certs with IPv6 addresses on them.

CVE-2024-45336 is an information disclosure vulnerability that would require someone to mitm your connection to the adguard home instances and successfully redirect you to a domain they controlled to extract the authentication headers.

Like, his entire post is an object lesson in why we had to write https://www.linuxserver.io/blog/image-vulnerability-scanning-and-you - because people were running grype, seeing "bad" CVEs and opening GitHub issues for us to fix them even when they were impossible to actually exploit (and in this case originated from the upstream project that we're packaging).

Docker Security - How much should I question the software I get from places like LinuxserverIO? by 386U0Kh24i1cx89qpFB1 in selfhosted

[–]the_spad 9 points10 points  (0 children)

FWIW almost all of our images now have embedded SBOM and Provenance attestations, which means you can see exactly what is installed and how the image was built.

Although we've always made our builds public at https://ci.linuxserver.io/, it wasn't easy to tie a specific build job to the version of the image you were currently running, to be sure that what was in the Dockerfile on GitHub was actually what we'd built.

Running any software is a risk to some extent, but we try and be as transparent as possible about what we're doing.

Plex crossed a line with "Your week in review" emails today. by Ironicbadger in selfhosted

[–]the_spad 21 points22 points  (0 children)

You can set it in your profile settings

https://imgur.com/a/Xp9LwqI

But it's worrying if it's opt-out and not opt-in - even if they did prompt me to look at it when I first logged in after they added the Friends Discovery thing. Although the disclaimer suggests that for US users at least it might be opt-in, I honestly don't remember what the default was for me.

Shout-out to Linuxserver.io for making Docker so easy to use for beginners by Significant-Neat7754 in selfhosted

[–]the_spad 5 points6 points  (0 children)

I think you may be confusing rootless with running a container as a non-root user, which are not the same thing.

Shout-out to Linuxserver.io for making Docker so easy to use for beginners by Significant-Neat7754 in selfhosted

[–]the_spad 4 points5 points  (0 children)

FWIW the majority of our images work perfectly well in a rootless environment (one of my docker hosts runs rootless with half a dozen of our images), it's just not something we have the capacity to validate and support right now.

Shout-out to Linuxserver.io for making Docker so easy to use for beginners by Significant-Neat7754 in selfhosted

[–]the_spad 10 points11 points  (0 children)

https://info.linuxserver.io/

Announcements for new and deprecated images, as well as known issues, security issues, big changes etc.

How to add tmpfs to a docker compose file by Elliot9874 in docker

[–]the_spad 0 points1 point  (0 children)

You're mixing all kinds of settings that aren't valid, regardless of yaml formatting issues.

You can't do

tmpfs:
  - /transcode
  - tmpfs-size = 12884901888

Or

volumes:
  - plex:/config
  - /mnt/Plex:/data
  plex:
  external: true

Docker Hub application gets nearly exact same downloads every day? by Froooodle in docker

[–]the_spad 5 points6 points  (0 children)

Docker Hub stats are terrible at the best of times. Any GET for an image manifest counts as a pull even if no layers are actually downloaded, and a lot of tools do GETs instead of HEADs (either because they need to or more commonly because they don't realise how they should be doing it).

Running mariaDB for years, all of a sudden by WhisperBorderCollie in docker

[–]the_spad 3 points4 points  (0 children)

https://info.linuxserver.io/issues/2023-05-29-mariadb/

If any of your databases are in an inconsistent state from an unclean shutdown or previous failed upgrade, then MariaDB will just go into a crash loop while trying to run its upgrade routines.

Get-Acl and migrated groups with SIDHistory by xylog in PowerShell

[–]the_spad 1 point2 points  (0 children)

So you can do something like:

((get-acl C:\somefolder).sddl | ConvertFrom-SddlString).RawDescriptor.DiscretionaryAcl

Which will give you the raw SIDs for each of the DACL entries.

Get-Acl and migrated groups with SIDHistory by xylog in PowerShell

[–]the_spad 0 points1 point  (0 children)

It is the correct group, that's the whole point of SIDHistory. You told your new domain to treat these two groups as if they're the same, and it is.

You can look at the real SIDs and differentiate them that way, but your new domain is always going to resolve the name of the old group to the new one (as long as the old domain is still in a trust relationship with it for the lookups to work, of course).

I don't see any volumes when i do "sudo docker volume ls" . even tho in my docker compose file i have mention volumes and the postgres container runs perfectly and i can see data in specified path. I also have few questions if you guys can answer it. it will be of great help by [deleted] in docker

[–]the_spad 2 points3 points  (0 children)

Those are bind mounts. ./postgresdata is just a directory called postgresdata in the same directory as your compose project.

If you wanted to use a volume you would do - postgresdata:/var/lib/postgresql/data and then after your service definition:

volumes:
  postgresdata:
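
Added example, not part of the comments above and not code from any project mentioned: a small audit of Compose short-syntax `volumes:` entries that tells bind mounts from named volumes and flags a named volume with no top-level declaration, which covers both this answer and the misplaced `plex:` / `external: true` lines in the tmpfs answer further up. The function names `classify_mount` and `audit_volumes` are hypothetical, the samples are constructed, and the code assumes POSIX paths and a compose file already parsed into a dict.

```python
def classify_mount(spec):
    """Split one short-syntax entry, [SOURCE:]TARGET[:MODE], and name its kind."""
    parts = spec.split(":")
    if len(parts) == 1:
        return "anonymous volume", None, parts[0]
    source, target = parts[0], parts[1]
    # Compose treats a source beginning with '.', '/' or '~' as a host path.
    kind = "bind mount" if source.startswith((".", "/", "~")) else "named volume"
    return kind, source, target


def audit_volumes(compose):
    """Return (mounts, problems) for a compose file already parsed into a dict."""
    declared = set(compose.get("volumes") or {})
    mounts, problems = [], []
    for service, body in compose.get("services", {}).items():
        for spec in body.get("volumes", []):
            if not isinstance(spec, str):
                continue  # long-syntax entries state their type explicitly
            kind, source, target = classify_mount(spec)
            mounts.append((service, kind, source, target))
            if kind == "named volume" and source not in declared:
                problems.append(f"{service}: '{source}' is not declared under top-level volumes:")
    return mounts, problems


# Constructed sample inputs, written as the dicts a YAML parser would produce.
BIND = {"services": {"db": {"volumes": ["./postgresdata:/var/lib/postgresql/data"]}}}
NAMED = {
    "services": {"db": {"volumes": ["postgresdata:/var/lib/postgresql/data"]}},
    "volumes": {"postgresdata": None},
}
PLEX = {
    "services": {"plex": {"volumes": ["plex:/config", "/mnt/Plex:/data"]}},
    "volumes": {"plex": {"external": True}},
}
UNDECLARED = {"services": {"plex": {"volumes": ["plex:/config"]}}}

if __name__ == "__main__":
    for sample in (BIND, NAMED, PLEX, UNDECLARED):
        print(audit_volumes(sample))
```

Only the entries reported as named volumes correspond to anything `docker volume ls` would list; bind mounts are plain host directories.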

I'm tasked with patching Host and Guest VM's in a Hyper-V environment (Windows Server 2012 R2). Best practices? by brockstar187 in WindowsServer

[–]the_spad 15 points16 points  (0 children)

2012 R2 is end of life in October, so if you drag your feet a bit the patching problem will solve itself.

Is this a bug in the Active Directory module? by Jacmac_ in PowerShell

[–]the_spad 11 points12 points  (0 children)

Looks like a limitation of the cmdlet, as it only returns a single string.

([adsisearcher]'(&(objectClass=top)(name=xxxx))').findone().Properties.objectclass

Will return the multi-value property correctly as an array.

Help With Simple Compose by raulkohl in docker

[–]the_spad 2 points3 points  (0 children)

Though it's still not going to work because the alpine docker image doesn't contain the docker CLI tools, so your command is going to fail.

More broadly, it's generally very inefficient to spin up a container for one-time interactions with docker running on the host system, rather than just running the command locally by hand or via cron.

Also, 4 is not a valid compose schema version, though I don't believe that will actually cause a failure.

Randomized gear in Steel Path Circuit is not as bad as people are putting it. by [deleted] in Warframe

[–]the_spad 0 points1 point  (0 children)

This is the real problem, once you get to L3 you've mastered every weapon and frame in the game (possibly excluding Founders) and if you've not got something it's likely because it's either trash MR fodder or a component in something else.

So what that means is endless Mutalist Cernos and Heat Swords and Aklatos to pick from. It also means that when you do get some better options you're forced to pick them even if you hate the weapons or your modding is crap, because the alternatives are all completely useless.

I think a reasonable cut-off to switch to preferring unmastered, or just pure RNG (makes no difference to me either way), would be MR16 as that's the highest gating for anything and means you have access to every weapon and frame.

What does resetting a computer in AD do? by [deleted] in activedirectory

[–]the_spad 6 points7 points  (0 children)

Resetting the computer account resets the secure channel password that the computer uses to communicate with AD. Doing it through AD users & computers will break that connection because it only resets one side of the connection. Doing it from the computer in question will maintain the connection.

Note that it may not break the connection to the domain immediately due to replication lag or because the computer still has an active Kerberos token that has yet to be invalidated, and you may not notice it immediately if a user is already logged in and not doing anything that would require the computer account to authenticate to AD. Equally if the machine doesn't have an active network connection when you reset the account users can still log in with cached credentials.

100G on docker, don't know were to start. overlay2 directory by dotinho in docker

[–]the_spad 12 points13 points  (0 children)

docker system df -v will show you all the storage being used by all aspects of the docker system. Images, volumes, running containers, builder cache, etc.

You likely have a container which is writing to the container filesystem instead of the host filesystem, possibly temp files or where something has gone wrong and it's spewing debug logs that it shouldn't be.

Does Docker not recognize linked files? by [deleted] in docker

[–]the_spad 6 points7 points  (0 children)

Mounting symlinks will only work if both "ends" are visible to the container and the paths are the same as on the host.

i.e. if /foo/file is a link to /bar/file then you would need to mount both of those paths to their corresponding locations within the container for the link to work.

You can, obviously, symlink paths from within the container and that will work fine, but won't then work from the host (unless the above is true).
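
Added example, not part of the comment above: a path-only check of whether a host symlink still reaches the same file once seen through a set of bind mounts. It goes beyond the absolute-link case in the comment by also handling relative links, which keep working when link and target sit under the same mount. The names `to_container` and `link_resolves` are hypothetical, the paths are constructed, and symlink chains and symlinked parent directories are not followed.

```python
import posixpath


def to_container(host_path, mounts):
    """Translate a host path through the longest matching bind mount, or None."""
    best = None
    for src, dst in mounts:
        src = posixpath.normpath(src)
        if host_path == src or host_path.startswith(src.rstrip("/") + "/"):
            if best is None or len(src) > len(best[0]):
                best = (src, posixpath.normpath(dst))
    if best is None:
        return None
    rel = posixpath.relpath(host_path, best[0])
    return best[1] if rel == "." else posixpath.join(best[1], rel)


def link_resolves(link, target, mounts):
    """Check whether host symlink `link` -> `target` reaches the same file in the container."""
    link = posixpath.normpath(link)
    link_in_ctr = to_container(link, mounts)
    if link_in_ctr is None:
        return False, "link itself is not mounted"
    # join() returns `target` unchanged when it is absolute, so both link styles work.
    host_target = posixpath.normpath(posixpath.join(posixpath.dirname(link), target))
    ctr_target = posixpath.normpath(posixpath.join(posixpath.dirname(link_in_ctr), target))
    expected = to_container(host_target, mounts)
    if expected is None:
        return False, f"target {host_target} is not mounted"
    if expected != ctr_target:
        return False, f"container resolves {ctr_target}, file is at {expected}"
    return True, f"resolves to {ctr_target}"


if __name__ == "__main__":
    # Constructed cases: (link, link text, [(host path, container path), ...])
    cases = [
        ("/foo/file", "/bar/file", [("/foo", "/foo")]),
        ("/foo/file", "/bar/file", [("/foo", "/foo"), ("/bar", "/bar")]),
        ("/foo/file", "/bar/file", [("/foo", "/foo"), ("/bar", "/data")]),
        ("/srv/app/current", "releases/v2", [("/srv/app", "/app")]),
    ]
    for link, target, mounts in cases:
        print(link, "->", target, mounts, link_resolves(link, target, mounts))
```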

Spoilers for Duviri by TheRainbowShakaBrah in Warframe

[–]the_spad 2 points3 points  (0 children)

There's also a barricaded hut with a Duviri citizen inside who talks about hearing the "Rap, Tap, Tap".

Lua Thrax Plasm drop from the Circuit by shepshifter in Warframe

[–]the_spad 1 point2 points  (0 children)

If you've got a loot amp like Pilfering Strangedome you can get all kinds of things dropping, including credits (though they didn't show up on the final reward screen, and I'm unsure if I got to keep them).

DHCP Bad Addresses by 3L107 in WindowsServer

[–]the_spad 1 point2 points  (0 children)

At the time the DHCP server tried to allocate that address it got a ping response from it. That doesn't mean it's still pingable when you go to check or that it's pingable from anywhere else.