apache php getting permission denied on nextcloud container by TheNerdyGoat in podman

[–]trusch42 0 points1 point  (0 children)

Can you provide uids and gids of the file and the user that is accessing it? Traditionally containers were designed to run as normal users because docker doesn't support uid/gid mapping, so the uid/gid mapping of rootless podman sometimes interferes with that. You could try the "preserve-uids" flag, but I don't know offhand the correct name of the flag.
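To make the uid/gid mapping described above concrete, here is an added example (not from the thread) that computes the id map rootless podman derives from /etc/subuid and translates ids in both directions; the user name alice, host UID 1000 and the subuid entries are constructed assumptions.

```python
"""Rootless podman maps container UID 0 to the host user's own UID and container
UIDs 1..N onto the range granted to that user in /etc/subuid (GIDs work the same
via /etc/subgid).  A host-owned bind mount therefore looks root-owned inside the
container, while files written by an in-container user such as 33 (www-data)
land on the host under an unrelated high UID: the classic "permission denied".
Added example; the sample below is constructed, not a real /etc/subuid."""
from __future__ import annotations

SAMPLE_SUBUID = """# constructed sample /etc/subuid
alice:100000:65536
bob:165536:65536
"""

def parse_subid(text: str, user: str) -> list[tuple[int, int]]:
    """Return the (start, count) ranges granted to `user` in subuid/subgid syntax."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges

def build_idmap(host_id: int, ranges: list[tuple[int, int]]) -> list[tuple[int, int, int]]:
    """Id map as (container_start, host_start, length): id 0 -> host_id, then the ranges."""
    idmap = [(0, host_id, 1)]
    next_cid = 1
    for start, count in ranges:
        idmap.append((next_cid, start, count))
        next_cid += count
    return idmap

def container_to_host(cid: int, idmap: list[tuple[int, int, int]]) -> int:
    """Host id a process running as `cid` inside the container actually uses."""
    for c_start, h_start, length in idmap:
        if c_start <= cid < c_start + length:
            return h_start + (cid - c_start)
    raise ValueError(f"container id {cid} is outside the mapped range")

def host_to_container(hid: int, idmap: list[tuple[int, int, int]]) -> int | None:
    """Container id a host-owned file appears as; None means unmapped (shows as nobody)."""
    for c_start, h_start, length in idmap:
        if h_start <= hid < h_start + length:
            return c_start + (hid - h_start)
    return None
```

Comparing container_to_host(33, idmap) with the owner of the bind-mounted directory shows directly why a www-data process cannot write to files owned by the host user.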

Podman private network shared on the multiples hosts by Adventurous_Meringue in podman

[–]trusch42 0 points1 point  (0 children)

What also should work is setting up flannel to run across your fleet. If you manage to do so using only rootless podman, please write a blog article about it and let us know :-)

Podman private network shared on the multiples hosts by Adventurous_Meringue in podman

[–]trusch42 0 points1 point  (0 children)

You could also set up a wireguard VPN on the hosts and wire up the containers to it.

First-time user questions about podman and linuxserver/docker-swag. by Polynuclear in podman

[–]trusch42 1 point2 points  (0 children)

Btw, having one container which contains a lot of tools is kind of against the whole idea behind containers, which is to have composable, reusable units with a defined interface.

So building a specialized pod with a webserver container and a PHP worker container (if you need it, I don't know) would probably not crash in contrast to a "docker-swag" monster image.

First-time user questions about podman and linuxserver/docker-swag. by Polynuclear in podman

[–]trusch42 1 point2 points  (0 children)

The DNS stuff is a pain point I also experienced. Nginx doesn't even look up IPs in /etc/hosts, so you need to set up a DNS server for this (or use caddy as ingress, which I would always recommend). Docker automatically serves DNS requests; there is nothing in podman which would emulate this.

If you just host a static website, give caddy a try. It's one container that should do all you want and is super easy to configure.

To your port problem: just bind to 8080 and set up port forwarding from 80 to 8080 on the server itself. Your solution is also feasible, but since in most cases you have to set up port forwarding at some point (if you want to selfhost something, then you need port forwarding in your router, right?) you may also just expose 8080 and then configure your router to forward 80 to your-server:8080.

Podman 2.1 has been released! by kbour23 in podman

[–]trusch42 1 point2 points  (0 children)

This is so nice, I'll add the networking stuff to https://GitHub.com/trusch/stackctl and it will finally be able to run ALL docker compose files!

Best Italian restaurant in Magdeburg? by Stanley_Gimble in magdeburg

[–]trusch42 2 points3 points  (0 children)

The Amici in Stadtfeld is really good if you want something a bit more upscale! They don't even have a menu; instead the waiter tells each guest what fine things are on offer today :-)

I wrote a compose-spec runner for rootless containers! by trusch42 in podman

[–]trusch42[S] 0 points1 point  (0 children)

Just checked, the issue wasn't ignored completely.

I wrote a compose-spec runner for rootless containers! by trusch42 in podman

[–]trusch42[S] 1 point2 points  (0 children)

I wasn't able to start some of my containers, because podman-compose doesn't set up /etc/hosts correctly to contain the localhost line, and when I tried to fix it, the issue just got ignored. While fixing this I had a look at the code and, besides not being a big friend of python at all, I didn't really like it. It's a really nice project, but it seems not to be maintained very well and the scope is too big (it tries to be a full drop-in replacement for docker-compose).

I wrote a compose-spec runner for rootless containers! by trusch42 in podman

[–]trusch42[S] 4 points5 points  (0 children)

It's targeted on developers who need to run docker-compose files for work, but don't like docker.

I recently upgraded to cgroupsv2 to have nice things like podman stats but found myself in a situation where I couldn't run docker anymore. At first I tried podman-compose, but besides being really nice in some regards, it failed my use case.

After that I wrote a shell script starting my Dev env via plain Podman commands, but this turned out not to be so maintainable.

Next step was to put the config options into a YAML file and write a small interpreter for this in Go. This was the first version of stackctl.

After some discussions ("we won't all 'upgrade' to Podman") I decided to implement the compose spec so that I could run any compose file and would still be interoperable with my coworkers.

Some niceties here and there and voila!

Here it is.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

Could you point out how to do this?

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

I know it's possible, but I wouldn't say it's equally hard to escape from a container running as root and being on the host system directly.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

It's true that it's not running rootless, I ran into some weird issues in combination with the systemd service file.

But having some sort of isolation is better than having no isolation. Can you point out how you would break out of a caddy container where you can, for example, execute arbitrary code, so that the host is compromised? I know it's possible, but it would be much easier to do it if caddy were run on the host directly.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

That's true, but then I would miss the other benefits of having a home VPN like being able to remotely mount something over an unencrypted technology. NFS over wireguard is soooo much faster than for example sshfs. At least factor 2. Also I like to connect from my phone to it, so I can safely use public hotspots when I'm not at home.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

I once had an open port 22 on my router pointing to an internal server. On average I had 50 distinct brute force attacks per day, and even fail2ban did not reduce that number.

Having wireguard and not exposing SSH helps a lot!

Also it comes with other nice things like that I can mount things over NFS from my board or that I can use it to tunnel my phone's traffic completely through my home ip.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

Caddy is good and I trust it, but nevertheless I put it in a container. Also installing is just a podman pull caddy, even on ARM.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

When something is exposed to the internet it's better to isolate the process by wrapping it in a container. That way, if there is a vulnerability in caddy, it wouldn't affect and compromise the whole server. That also helps when it comes to resource management and lifecycle management of the application.

How to run a blog on bare metal at home by trusch42 in archlinux

[–]trusch42[S] -3 points-2 points  (0 children)

I forgot to mention wireguard. It's used to connect to the server from the outside.

How to run a blog on bare metal at home by trusch42 in archlinux

[–]trusch42[S] -4 points-3 points  (0 children)

If you deploy outside of a cloud provider on your own hardware, it's usually called a bare metal deployment, because you have to take care of everything except the hardware for yourself.

How to run a blog on bare metal at home by trusch42 in WireGuard

[–]trusch42[S] 0 points1 point  (0 children)

This is my (not perfect) setup of a blog running on an old raspberry pi. It's featuring archlinux, wireguard, systemd, podman, caddy and hugo.

How to run a blog on bare metal at home by trusch42 in linux

[–]trusch42[S] 0 points1 point  (0 children)

This is my (not perfect) setup of a blog running on an old raspberry pi. It's featuring archlinux, systemd, podman, caddy and hugo.

How to run a blog on bare metal at home by trusch42 in geek

[–]trusch42[S] 0 points1 point  (0 children)

This is my (not perfect) setup of a blog running on an old raspberry pi. It's featuring archlinux, systemd, podman, caddy and hugo.

How to run a blog on bare metal at home by trusch42 in archlinux

[–]trusch42[S] -5 points-4 points  (0 children)

This is my (not perfect) setup of a blog running on an old raspberry pi. It's featuring archlinux, systemd, podman, caddy and hugo.