
moonpiedumplings

@moonpiedumplings@programming.dev


moonpiedumplings , to Technology in Outlook (new)

Edge WebView2

I'm like 90% sure this requires edge to be installed, even though the EU mandated that they make edge uninstallable. So that might be their game here.

moonpiedumplings , to Selfhosted in PSA: Docker nukes your firewall rules and replaces them with its own.

Docker's manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of two of the worst footguns in docker in one.

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

moonpiedumplings , to Selfhosted in PSA: Docker nukes your firewall rules and replaces them with its own.

Probably not an issue, but you should check. If the port opened is something like 127.0.0.1:portnumber, then it's only bound to localhost, and only that local machine can access it. If no address is specified, then anyone with access to the server can access that service.

An easy way to see containers running is: docker ps, where you can look at forwarded ports.

Alternatively, you can use the nmap tool to scan your own server for exposed ports. nmap -A serverip does the slowest, but most in-depth scan.

moonpiedumplings , to Selfhosted in PSA: Docker nukes your firewall rules and replaces them with its own.

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.
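As an added example (not code from the thread, from linuxserver or from Docker), a small Python audit that checks a compose file for the two footguns discussed above: ports published without a host address, which Docker opens on every interface through its own iptables/nftables rules, and a mounted /var/run/docker.sock. The sample compose is the webtop snippet quoted above; the line-based parser and the 127.0.0.1 rewrite are assumptions that only cover the short list syntax shown there.

```python
"""Added example: audit a compose file for the two footguns named above: a port
entry with no host address is published on every interface (Docker writes that
rule itself, so ufw/firewalld never see it), and a mounted docker.sock hands the
container the host's Docker daemon. Line-based parser, short list syntax only."""
import re

# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO]
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\d+\.\d+\.\d+\.\d+|\[[0-9a-fA-F:]*\]):)?"
    r"(?:(?P<host>[\d-]+):)?(?P<container>[\d-]+)(?P<proto>/(?:tcp|udp))?$"
)

def classify_port(spec: str) -> dict:
    """Report the host address a port entry binds to; no address means 0.0.0.0."""
    spec = spec.strip().strip("\"'")
    m = _PORT_RE.match(spec)
    if not m:
        return {"spec": spec, "bind": None, "valid": False, "all_interfaces": False}
    ip = m.group("ip") or "0.0.0.0"
    return {"spec": spec, "bind": ip, "valid": True,
            "all_interfaces": ip in ("0.0.0.0", "[::]")}

def harden_port(spec: str) -> str:
    """Rewrite a wildcard entry to loopback only; other entries pass through unchanged."""
    info = classify_port(spec)
    if not info["valid"] or not info["all_interfaces"]:
        return spec
    m = _PORT_RE.match(info["spec"])
    host = m.group("host") or ""  # empty host port keeps Docker's ephemeral form
    return f"127.0.0.1:{host}:{m.group('container')}{m.group('proto') or ''}"

def audit_compose(text: str) -> list:
    """One finding per all-interface port and per docker.sock mount, in file order."""
    findings, section = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.endswith(":") and not stripped.startswith("- "):
            section = stripped[:-1]  # "ports", "volumes", "environment", ...
            continue
        if not stripped.startswith("- "):
            continue
        item = stripped[2:].split("#", 1)[0].strip()  # drop trailing "#optional"
        if section == "ports" and classify_port(item)["all_interfaces"]:
            findings.append({"kind": "public_port", "value": item, "fix": harden_port(item)})
        elif section == "volumes" and item.startswith("/var/run/docker.sock:"):
            findings.append({"kind": "docker_socket", "value": item, "fix": "remove the mount"})
    return findings

# Constructed sample: the webtop snippet quoted in the comment above, trimmed.
WEBTOP_COMPOSE = """\
services:
  webtop:
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
"""
```

Binding to 127.0.0.1 keeps the port reachable from a reverse proxy on the same host while keeping it off the public interface; the socket mount has no safe rewrite and is simply removed.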

moonpiedumplings , to Selfhosted in Cloudflare Alternative

If you need public access:

https://github.com/anderspitman/awesome-tunneling

From this list, I use rathole. One rathole container runs on my vps, and another runs on my home server, and it exposes my reverse proxy (caddy), to the public.

moonpiedumplings , to Free and Open Source Software in zoom alternatives

I recently noticed that it's now integrated into Canvas, a FOSS online learning management software which my college (and my high school, and my middle school) have used.

Too bad no one bothers with it, forcing everyone to use zoom instead. Which sucks, because the first day of online classes, zoom permissions weren't set up properly, meaning no one could join the meeting. Probably wouldn't have happened with BigBlueButton.

moonpiedumplings , to Technology in Ubicloud wants to build an open source alternative to AWS | TechCrunch

Provision Management Software

Openstack skyline/horizon

Compute

Openstack nova

And so on. Openstack is also many, many components that can be pieced together for your own cloud computing platform.

Although it won't have the sheer number of services AWS has, many of them are redundant.

The core services I expect to see done first: compute, networking, storage (+ image storage), and a web UI/API

Next: S3 storage, Kubernetes as a service, and then either Databases as a service or containers as a service.

But you are right, many of the services that AWS offers are highly specialized (robotics, space communication), and people get locked in, and I don't really expect to see those.

moonpiedumplings , to Technology in Ubicloud wants to build an open source alternative to AWS | TechCrunch

AWS is software. Just not something you can self host.

There already exist alternatives to AWS, like localstack, a local AWS for testing purposes, or the more mature openstack, which is designed for essentially running your own AWS at scale.

moonpiedumplings , to Selfhosted in Broadcom yanks ESXi Free version, effective immediately

Nothing that is more questionable than lxd, which now requires a contributor license agreement, allowing canonical to not open source their hosted versions, despite lxd being agpl.

Thankfully, it's been forked as incus, and debian is encouraging users to migrate.

But yeah. They haven't said what makes proxmox's license questionable.

moonpiedumplings , to Selfhosted in Tunnelling a port from a separate computer

Someone recommended ssh, which is good, but it can't do udp connections.

https://github.com/anderspitman/awesome-tunneling

From this list, I selected rathole since they claimed to be more performant than frp, the most popular solution.

moonpiedumplings , (edited) to Selfhosted in Creating First Server with Inspiron 3421

Don’t do unattended upgrades. Neither host nor containers. Do blind or automated updates if you want but check up on them and be ready to roll back if something is wrong.

Those issues are only common on rolling releases. On stable distros, they put tape between breaking changes, test that tape, and then roll out updates.

Debian, and many other distros support it officially: https://wiki.debian.org/UnattendedUpgrades. It's not just a cronjob running "apt install", but an actual process, including automated checks. You can configure it to not upgrade specific packages, or stick to security updates.

As for containers, it is trivial to rollback versions, which is why unattended upgrades are ok. Although, if data or configuration is corrupted by a bug, then you probably would have to restore from backup (probably something I should have suggested in my initial reply).

It should be noted that unattended upgrade doesn't always mean "upgrade to the latest version". For docker/podman containers, you can pin them to a stable release, and then it will do unattended upgrades within that release, preventing any major breaking changes.

Similarly, on many distros, you can configure them to only do the minimum security updates, while leaving other packages untouched.

People should use what distro they know best. A rolling distro they know how to handle is much better than a non-rolling one they don’t.

I don't really feel like reinstalling the bootloader over ssh, to a machine that doesn't have a monitor, but you do you. There are real significant differences between stable and rolling release distros, that make a stable release more suited for a server, especially one you don't want to baby remotely.

I use arch. But the only reason I can afford to baby a rolling release distro is because I have two laptops (both running arch). I can feel confident that if one breaks, I can use the other. All my data is replicated to each laptop, and backed up to a remote server running syncthing, so I can even reinstall and not lose anything. But I still panicked when I saw that message suggesting that I should reinstall grub.

That remote server? Ubuntu with unattended upgrades, by the way. Most VPS providers will give you a linux distro image with unattended security upgrades enabled because it removes a footgun from the customer. On Contabo with Rocky 9, it even seems to do automatic reboots. This ensures that their customers don't have insecure, outdated binaries or libraries.

Docker doesn’t “bypass” the firewall. It manages rules so the ports that you pass to host will work. Because there’s no point in mapping blocked ports. You want to add and remove firewall rules by hand every time a container starts or stops, and look up container interfaces yourself? Be my guest.

Docker is a way for me to run services on my server. Literally every other service application respects the firewall. Sometimes I want services to be exposed on my home network, but not on a public wifi, something docker isn't capable of doing, but the firewall is. Sometimes I may want to configure a service while keeping it running. Or maybe I want to test it locally. Or maybe I want to use it locally.

It's only docker where you have to deal with something like this:

---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker "bypasses" the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that's better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren't exposed to the internet, and docker throws that out the window.

moonpiedumplings , to Selfhosted in Creating First Server with Inspiron 3421

A tip I have is to move away from manjaro.

When you use a rolling release, you lose one of the main features of stable release distros: Automatic, unattended upgrades. AFAIK, every stable release distro has those, and none of the rolling releases do (except maybe opensuse's new slowroll and centos rolling, but I wouldn't recommend or use them).

Manjaro has other issues too, but that's the big one.

Although I use arch on my laptop, I run debian on my server because I don't want to have to baby it, especially since I primarily access it remotely. Automatic upgrades are one less complication removed, allowing me to focus on my server itself.

As for application deployment itself, I recommend using application containers, either via docker or podman. There are many premade containers for those platforms, for apps like jellyfin, or the various music streaming apps people use to replace spotify (I can't remember any off the top of my head, but I know you have lots of options).

However, there are two caveats to docker (not podman) people should know:

  • Docker containers don't auto update. Although you can use something like watchtower to automatically update them. As for podman, podman has an auto update command you can probably configure to run regularly.
  • Docker bypasses your firewall. If you forward port 80, docker will go around the firewall and publish it. The reason for this is that most linux firewalls work by using iptables or nftables behind the hood, but docker also edits those directly... this has security implications, I've seen many container services people didn't intend to put on the public internet, on there.

Podman, however, respects your firewall rules. Podman isn't perfect though, there are some apps that won't run in podman containers, although my use case is a little more niche (greenbone service and vulnerability scanner).

As for where to start, projects like linuxserver provide podman/docker containers, which you can use to deploy many apps fairly easily, once you learn how to launch apps with the compose file. Check out this nextcloud dockerized they provide. Nextcloud is a google drive alternative, although sometimes people complain about it being slow. I don't know about the quality of linuxserver's nextcloud, so you'd have to do some research for that, and find a good docker container.

moonpiedumplings , to Privacy in Mozilla says Apple’s new browser rules are “as painful as possible” for Firefox

Because much of mozilla's funding is from a deal with google, that's why.

US$300 million annually. Approximately 90% of Mozilla's royalties revenue for 2014 was derived from this contract

From https://en.wikipedia.org/wiki/Mozilla_Foundation

A lot of money, but not enough to actually do a lot. They keep cutting features their "customers" like. Why?

Because development is expensive.

Google props mozilla up to pretend they don't have a monopoly on the internet. Just enough money to barely keep up, not enough to truly stay competitive.

Mozilla wants to not rely on google money, so they are trying to expand their products. AI is overhyped, but still useful, and something worth investing in.

moonpiedumplings , to Privacy in Mozilla says Apple’s new browser rules are “as painful as possible” for Firefox

Mozilla: ignores years of customer complaints and requests

Are these customers donating, or purchasing mozilla products or services so that mozilla doesn't have to rely on google's donations?

Mozilla: creates new product nobody asked for

https://github.com/Mozilla-Ocho

Nearly 10k and 400 stars on those respective repos.

A way to run a large language model on any operating system, in any OS, in a simple, local, and privacy respecting manner?

For linux we have docker, but Windows users were starving for a good way to do this, and even on linux, removing the step of configuring docker (or other container runtimes) to work with nvidia, is nice.

And it's still FOSS stuff they aren't being paid for, currently. But there are plenty of ways to monetize this.

Here's an easy one: tie in the vpn service they have to allow you to access the web ui of the computer running the llamafile remotely. Configure something like end to end encryption or nat traversal (so not even mozilla can sniff the traffic), and you end up with a private LLM you can access remotely.

With this, maybe they can afford some actual development on firefox, without having to rely on google money.

moonpiedumplings , (edited) to linuxmemes in Ansible casually administering hundreds or thousands of devices

It appeals to me for management of a windows machine for a few things:

  • Lots of machines at once, over winrm. Although ssh is the default, as ansible is linux first.
  • I don't have to learn powershell - the shared language means the windows teams and the linux team don't have to learn each other's language. In ansible, it's very easy to avoid the footguns that come with something like bash, especially after you install the red hat linter, ansible-lint, which warns of ansible's own footguns.
  • easy to version control it
  • premade stuff: the official "modules" are massive and do a lot. There are also community packages: https://galaxy.ansible.com - of course, you should probably check any stuff you run first. But ansible is very easy to read.
  • built in secret management. Encrypt secrets, but still be able to use them smoothly with the automation framework.

For just one machine? Task scheduler is probably good enough. 2-3 machines, managed remotely? Ansible is at least worth looking at.

Edit: also, really good docs. Like, check out this active directory module with examples: https://docs.ansible.com/ansible/latest/collections/microsoft/ad/object_info_module.html#ansible-collections-microsoft-ad-object-info-module

The examples are very helpful, with things like getting a list of ad users. I used that to create an ansible script to shuffle all ad user passwords - while being a linux lover who hates windows and has literally never touched ad before this.

https://github.com/CSUN-CCDC/CCDC-2023/blob/main/windows/ansible/testing/users.yml

https://github.com/CSUN-CCDC/CCDC-2023/blob/main/windows/ansible/roles/domain/tasks/main.yml
