|
RFC2324 posted:Like the post above me said, it's fine for bash. It's superficially identical to a minimal install of the distro you are installing, the only differences are internal stuff. Some syscalls don't work, for instance, which breaks some tools (mtr doesn't work on the openSUSE implementation, for instance). Thanks, folks. I’m not completely turned on enough to declare Linux4Lyfe yet (I had a dual boot Ubuntu 12.xx a long time ago), but these minimal installs seem perfect. I didn’t really have the bandwidth to constantly dl new packages or programs’ patches, and got burned one time by dl’ing Ubuntu Kylin overnight and it installed like 3/4 of my metered connection before I realized it was in Chinese. I haven’t used it since then 🤪. I have heard that Linux is fine for gaming these days, and most of my software has Linux versions, so I thought to give it a fresh look! Thanks again!
|
# ? Mar 25, 2021 00:12 |
|
|
Furism posted:Not sure if that's the most appropriate thread for this but here goes. Does Docker have problems with applications escaping containers? I’m asking because I don’t know.
|
# ? Mar 25, 2021 00:14 |
|
I think most of the exploits revolve around running containers with too many privileges, but yes, it can happen. And even if they can't, if they exploit the service inside the container and turn it into part of a botnet or something, it doesn't really matter: you still got owned (and any persistent storage mounted in the container is too, so your server is effectively garbage now).
|
# ? Mar 25, 2021 00:24 |
|
RFC2324 posted:this is how I ended up getting paid as a computer toucher, so be careful Actions have consequences 🤩!
|
# ? Mar 25, 2021 01:05 |
|
Furism posted:Not sure if that's the most appropriate thread for this but here goes. Containers are not a magical tool; if anything they're a magical tool for shooting yourself in the foot. They're great when used properly, but if you don't know anything about them I wouldn't throw them on a public VPS unless you just don't give a poo poo about anything on it. You're probably better off just running everything off the host and using SELinux. For starters, containers are notorious for having out-of-date software: your host package manager makes it easy to keep up to date, but hiding everything in a container means you now have to have a plan for updating your containers' packages as well. Absolutely play around with them and absolutely figure out how to harden them, but don't make your first foray into them something open to the internet that you care about.
|
# ? Mar 25, 2021 02:31 |
Bob Morales posted:Does Docker have problems with applications escaping containers? I’m asking because I don’t know. Docker is for orchestration, not isolation. The creators readily point this out, but few people seem to have picked up on it. There are things which I've heard are supposed to add isolation, but I've yet to see any of them in production at scale, and conversely, whenever docker (or kubernetes) is run in production at scale, it's typically with KVM, Xen, ESXi or bhyve providing the isolation.
|
|
# ? Mar 25, 2021 02:45 |
|
Mr. Crow posted:Containers are not a magical tool, if anything they're a magical tool for shooting yourself in the foot. They're great when used properly but if you don't know anything about them I wouldn't throw them in a public VPS unless you just don't give a poo poo about anything on it. You're probably better off just running everything off the host and using SELinux. Oh I've played with Docker in the past, and I'm aware of the security concerns around containers - that's why I want an IPS in the first place. I also intend to use only official images because those are scanned for vulnerabilities on a regular basis.
|
# ? Mar 25, 2021 13:07 |
What's an IPS going to do to help isolate containers?
|
|
# ? Mar 25, 2021 13:28 |
|
BlankSystemDaemon posted:What's an IPS going to do to help isolate containers? Assuming it will detect and block malicious traffic?
|
# ? Mar 25, 2021 13:36 |
BlankSystemDaemon posted:Apparently my post was eaten, so I have to try again? What about Podman? As I understand it that supports rootless containers which should prevent them from escaping their containers I would think. And even if it didn't it would limit the potential damage to just that user's permissions.
|
|
# ? Mar 25, 2021 13:57 |
|
That's potentially still a fair bit of damage, though; most botnets just want your cpu time and bandwidth, not your files.
|
# ? Mar 25, 2021 16:04 |
Bob Morales posted:Assuming it will detect and block malicious traffic? Nitrousoxide posted:What about Podman? As I understand it that supports rootless containers which should prevent them from escaping their containers I would think. And even if it didn't it would limit the potential damage to just that user's permissions. As far as I know there are no instances where uid=0 is hardcoded as the only way to accomplish something (i.e. being in the wheel group on FreeBSD gives you access to su, by which you can substitute to a user with whatever privilege you want, assuming you have their password). EDIT: It sounds like rootless, in this context, means starting as root and dropping privileges, which is a standard feature of daemon(8), and ought to be a core functionality of any well-designed daemon. I'm talking about an isolation like the one offered by, for example, FreeBSD jails, which are designed explicitly to confine root, since it's the kernel that's enforcing the isolation. BlankSystemDaemon fucked around with this message at 16:17 on Mar 25, 2021 |
|
# ? Mar 25, 2021 16:12 |
|
BlankSystemDaemon posted:What's an IPS going to do to help isolate containers? An IPS is an Intrusion Prevention System that you put inline in front of network services (usually HTTP-based) that will scan incoming traffic for known vulnerabilities and block them so they are not forwarded to your vulnerable server. They are very common in production because sometimes you can't patch your server as quickly as you'd like, so you need to rely on a network device to protect you. It has nothing to do with container isolation. Anyway, I think I'll just use Suricata as a stand-alone IPS, there doesn't seem to be any nginx module for this.
|
# ? Mar 25, 2021 16:19 |
|
Rootless containers in podman are containers run by an unprivileged user with zero root privileges. These containers get their own namespace and podman does some magic to map any root-owned files/processes in the container to an unprivileged effective uid. This is a big change from docker, where you had to add users to the docker group, allowing them to control the docker daemon (which runs as root). The main justifications for this are to allow people to run containers without su/sudo and to prevent the host system from getting owned if the services inside the container are compromised. This does impose some limits on what you can do with the containers though; networking in particular (as you can't do things like set up network interfaces without root privileges).
|
# ? Mar 25, 2021 16:24 |
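The post above describes the uid mapping without showing it. The following is an added example, not code from the thread or from the podman project: a small model of the translation the kernel performs through /proc/&lt;pid&gt;/uid_map, the file whose lines read "&lt;id inside the namespace&gt; &lt;id outside&gt; &lt;length&gt;". Rootless podman writes that map (through the setuid newuidmap helper) from the caller's own uid, which becomes 0 inside, plus the range assigned to the user in /etc/subuid ("user:start:count"). The subuid entry, the caller uid and the uid_map text are constructed for the example, not read from a live host.

```python
"""Model of the uid translation behind rootless podman (added example)."""

from typing import List, Optional, Tuple

UidMap = List[Tuple[int, int, int]]  # (inside, outside, length), one tuple per uid_map line

OVERFLOW_UID = 65534  # kernel.overflowuid: how an unmapped id shows up (the "nobody" uid)

SUBUID_LINE = "furism:100000:65536"  # constructed /etc/subuid entry, not from a real host
CALLER_UID = 1000                     # constructed: the unprivileged user running podman


def build_uid_map(caller_uid: int, subuid_line: str) -> UidMap:
    """Lay the map out the way rootless podman does: the caller becomes uid 0
    inside, and the subuid range fills uids 1..count."""
    _user, start, count = subuid_line.split(":")
    return [(0, caller_uid, 1), (1, int(start), int(count))]


def parse_uid_map(text: str) -> UidMap:
    """Parse the contents of /proc/<pid>/uid_map (one 'inside outside length' line each)."""
    rows: UidMap = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, length = (int(x) for x in line.split())
            rows.append((inside, outside, length))
    return rows


def to_host_uid(ns_uid: int, uid_map: UidMap) -> int:
    """What a uid seen inside the container is on the host. Ids outside every
    range collapse to the overflow uid, so files they create belong to nobody."""
    for inside, outside, length in uid_map:
        if inside <= ns_uid < inside + length:
            return outside + (ns_uid - inside)
    return OVERFLOW_UID


def to_ns_uid(host_uid: int, uid_map: UidMap) -> Optional[int]:
    """What a host uid looks like from inside the container. None means the id
    is not mapped at all, which is the case for the host's real root."""
    for inside, outside, length in uid_map:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


if __name__ == "__main__":
    m = build_uid_map(CALLER_UID, SUBUID_LINE)
    for ns_uid in (0, 1, 65536, 65537):
        print(f"container uid {ns_uid:>6} -> host uid {to_host_uid(ns_uid, m)}")
    print(f"host root (uid 0) seen from inside the container -> {to_ns_uid(0, m)}")
```

The two results worth noticing: uid 0 inside the container is uid 1000 on the host, and the host's uid 0 does not appear in the map at all, so nothing the container does with uids alone reaches host root. What host uid 1000 itself can read and write is untouched by the mapping, which is the "still a fair bit of damage" caveat raised above.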
Furism posted:An IPS is an Intrusion Prevention System that you put inline in front of network services (usually HTTP-based) that will scan incoming traffic for known vulnerabilities and block them so they are not forwarded to your vulnerable server. They are very common in production because sometimes you can't patch your server as quickly as you'd like, so you need to rely on a network device to protect you. It has nothing to do with container isolation. In the almost quarter century I've worked as a network admin, it's possible I might've used an IPS a fair few times. xzzy posted:Rootless containers in podman are containers run by an unprivileged user with zero root privileges. These containers get their own namespace and podman does some magic to map any root owned files/processes in the container to an unprivileged effective uid. This is a big change from docker where you had to add users to the docker group, allowing them to control the docker daemon (which runs as root). So the major difference is that there's no controlling daemon running as root, and everything is configured to drop privileges.
|
|
# ? Mar 25, 2021 16:45 |
|
BlankSystemDaemon posted:Gotcha, it's relying on cgroup namespaces for isolation, which is what docker uses too - that's unfortunate, I thought there'd be something better. I'm fuzzy on the details of exactly how it works since it's still very much alpha/beta quality (the rootless side, anyway); but afaik it's not actually "dropping privileges", it's completely in the scope of the user process and namespaces. It's still using cgroups and namespaces because, well, that's what the linux kernel has; but the crux of it comes from https://github.com/rootless-containers/slirp4netns which piggybacks off the kernel to handle user networking. Last time I tried to use it (a year ago or so) it was still pretty limited and by necessity will never have a lot of networking related features you might expect, but it's still a pretty cool idea if it will fit within the scope of what you need it to do. FreeBSD question: Does FreshPorts or a similar site post build status of ports? I've set up poudriere to build my ports nightly and llvm has surprisingly been failing for a week or so and I want to just save myself the time troubleshooting if it's just failing upstream.
|
# ? Mar 25, 2021 17:35 |
|
It helps that podman sees itself as primarily a container development tool to help users create their images. Then they run a command that exports it as a kubernetes config and they ship it off to the production side. You can run it as a service as a feature-equal replacement to docker but I've seen some bugs in trying to do that that I haven't sorted out yet (every once in a while I get "filehandles are in use" errors when a container exits and I'm trying to restart it).
|
# ? Mar 25, 2021 17:44 |
Mr. Crow posted:I'm fuzzy on the details of exactly how it works since it's still very much alpha/beta quality (the rootless side, anyway); but afaik it's not actually "dropping privileges", it's completely in the scope of the user process and namespaces. It's still using cgroups and namespaces because, well, that's what the linux kernel has; but the crux of it come from https://github.com/rootless-containers/slirp4netns which piggy backs off the kernel to handle user networking. Last time I tried to use it (a year or ago or so) it was still pretty limited and by necessity will never have a lot of networking related features you might expect but still a pretty cool idea if it will fit within the scope of what you need it to do. The podman GUI that red hat is working on, cockpit, has built-in virtual networking controls to allow you to do a lot of what you would need to do with Docker for the virtual networks using the built-in kernel control of the networks. It's also supposed to be able to provide basic hypervisor control as well using the built-in kernel support for virtual machines. It's a cool project. I assume they built it in such a way that it's more secure than the docker implementation of it. But understanding how cockpit works is beyond my capabilities.
|
|
# ? Mar 25, 2021 19:00 |
|
cockpit is a fancy web frontend for managing a server. it also happens to have a plugin for podman. https://cockpit-project.org
|
# ? Mar 25, 2021 22:54 |
|
other people posted:cockpit is a fancy web frontend for managing a server. it also happens to have a plugin for podman. Can you add vhosts, automatically get Let's Encrypt certificates and stuff? Can I tell it "I want that Docker image behind this reverse proxy here, by the way configure this as the FQDN and use port xyz for the forwarding to the backend", that sort of things?
|
# ? Mar 26, 2021 11:57 |
|
Furism posted:Can you add vhosts, automatically get Let's Encrypt certificates and stuff? Can I tell it "I want that Docker image behind this reverse proxy here, by the way configure this as the FQDN and use port xyz for the forwarding to the backend", that sort of things? You can log into a terminal from it so yeah I guess you can do all that one way or another. I don't know if it has a docker plugin; it may be a podman only thing.
|
# ? Mar 26, 2021 12:51 |
|
I just installed it and, yeah, it's ridiculously easy. I installed it on my CentOS server at home, added my private key (the GUI read it from the /home/user/.ssh directory really), provided the password, and in literally one click I can now remotely connect to my VPS server. But it seems to be aimed mostly at monitoring, not so much configuration of services (you still need to use the terminal as you pointed out). And I must say the GUI is amazing and top-notch quality, very professional I love it!
|
# ? Mar 26, 2021 14:23 |
Furism posted:I just installed it and, yeah, it's ridiculously easy. I installed it on my CentOS server at home, added my private key (the GUI read it from the /home/user/.ssh directory really), provided the password, and in literally one click I can now remotely connect to my VPS server. But it seems to be aimed mostly at monitoring, not so much configuration of services (you still need to use the terminal as you pointed out). And I must say the GUI is amazing and top-notch quality, very professional I love it! Can't you do virtual networking in the "networking" tab and then point your containers to your vnetwork that you've created, which say NGINX is on and managing inside of a podman container?
|
|
# ? Mar 26, 2021 14:45 |
|
Furism posted:I just installed it and, yeah, it's ridiculously easy. I installed it on my CentOS server at home, added my private key (the GUI read it from the /home/user/.ssh directory really), provided the password, and in literally one click I can now remotely connect to my VPS server. But it seems to be aimed mostly at monitoring, not so much configuration of services (you still need to use the terminal as you pointed out). And I must say the GUI is amazing and top-notch quality, very professional I love it! I’m not too much of a Linux guy, but I’m getting there. Agreed that cockpit is really good and so is podman. You can install a podman-docker package that provides a cli just like docker, so you can run, ps, inspect, etc. Using the UI, you can grab images from a registry and start a container giving it most of the options you can in docker: set volumes, environment variables, expose ports, etc. it works great, but I still use cli often because it’s just easier. Haven’t tried more advanced networking like macvlan or other drivers yet, but it’s running deepstack and deepstack-ui images and they’re talking to each other and via the hosts network just fine. CentOS8 is the bare metal o/s, but the podman stuff is running inside a vm I imported running RHEL8.3. So two instances of cockpit lol It’s pretty slick so far
|
# ? Mar 26, 2021 15:14 |
|
Furism posted:Can you add vhosts, automatically get Let's Encrypt certificates and stuff? Can I tell it "I want that Docker image behind this reverse proxy here, by the way configure this as the FQDN and use port xyz for the forwarding to the backend", that sort of things? Have you looked into Traefik at all? It's what I use and I can reverse proxy based on labels. It even handles subdomain routing for me, and LE renewal/reloading. I just pointed a wildcard domain at my IP and Traefik/labels handle the rest.
|
# ? Mar 26, 2021 15:47 |
|
Podman v3 also supports the bits needed for docker-compose, and it's been working pretty well for me. There's also podman-compose which works alright for creating/starting containers but falls down pretty quickly for anything else, no reason to mess with it anymore. Opinions on traefik/nginx proxy manager/SWAG? I just need to handle a couple domains/subdomains for the handful of stuff I expose. I'd been using a caddy container because that was the easiest at the time a few years ago and I meant to replace it shortly thereafter but never did whoops
|
# ? Mar 26, 2021 16:17 |
|
I tried getting traefik to work for some web services in our OKD cluster and was unable to get it to do anything useful. It's very possible I am a giant idiot though. I got a static config file with nginx working in an hour.
|
# ? Mar 26, 2021 16:33 |
|
Well I got down the Dokku rabbit hole and it's an amazingly good project. Wordpress is giving me grief because when you turn HTTPS on, the dynamic pages are served over that but the static content (like the CSS and stuff) is served over HTTP so the browser blocks those because it considers them as "cross origin." I'm not mad at Firefox nor at Dokku, more at the Wordpress developer who hard-coded this bullshit. I have some .NET Core websites somewhere, I'll add a dockerfile to them and see how it goes. Dokku is pretty drat sweet, it uses nginx as a front-end and you don't have to configure anything really. Just add an "app" (a container) and it'll take care of the vhost, Let's Encrypt certs and all that! I used to do this the old way (manually or through a few bash scripts) but having this streamlined through Dokku just saves me time. When the web app is properly coded, that is.
|
# ? Mar 27, 2021 00:16 |
|
So I managed to gently caress up the GUI on a Centos 8 in an interesting way. I don’t know exactly what I did, but for some reason I cannot boot into either GNOME, KDE or XFCE despite graphical.target being set. The machine has two GPUs, one for the display and one for CUDA. I have removed and reinstalled NVIDIA drivers and the various desktops and whatever I do, I still boot into the CLI. If I run startx from the CLI, the screen goes black and then crashes back to CLI. Except if I do it from root. Interestingly, the VNC servers work great with GNOME and have no issues. For various reasons, I cannot just do a fresh install of Centos since there is some critical software on the machine. Or can I? Is there an easy way to start with default Centos GUI settings without breaking everything?
|
# ? Mar 27, 2021 18:38 |
|
There's nothing helpful in /var/log/Xorg.0.log ? Someone must know why it fails to start, even provide a simple twm.
|
# ? Mar 27, 2021 19:28 |
|
Cardiac posted:So I managed to gently caress up the GUI on a Centos 8 in an interesting way. I don’t know exactly what I did, but for some reason I cannot boot into either GNOME, KDE or XFCE despite graphical.target being set. A stupid question - have you tried with a different user? Just in case you goofed something local to your user. After that, it’s probably either rolling back driver versions or double checking that the Xorg conf file is sane.
|
# ? Mar 27, 2021 19:33 |
|
Cardiac posted:So I managed to gently caress up the GUI on a Centos 8 in an interesting way. I don’t know exactly what I did, but for some reason I cannot boot into either GNOME, KDE or XFCE despite graphical.target being set. You should check if you can get the logs of the login manager. gdm, probably. And perhaps remove the Nvidia garbage card and see if that helps. Comedy option: .Xauthority not owned by the user supposed to run X.
|
# ? Mar 27, 2021 20:01 |
|
xzzy posted:I tried getting traefik to work for some web services in our OKD cluster and was unable to get it to do anything useful. It's very possible I am a giant idiot though. traefik has (had?) a documentation problem where there was a ton of poorly labeled v1 docs littering up everywhere, and they did a lot of breaking changes to config for v2, so even if you were reading good-looking stuff you might have just been led astray of valid configs.
|
# ? Mar 28, 2021 06:45 |
|
I think I suck at git and I'm having a hard time wrapping my head around this. Googling for it is hard because everything assumes you're using Git{Hub,Lab}. So I have a repo whose origin is on GitLab. We'll say its git@gitlab.com:nobody/reallygreatproject.git. This is cloned to my server. Thing is I want to clone to my desktop and push directly to the server for the sake of swift deployment, essentially turning the GitLab origin into a mirror, so I am running git clone nobody@server:/srv/reallygreatproject When I then commit and push I get: code:
So basically, how the hell do I clone a clone and then push into it? What am I not understanding? e: So remote is receiving the new objects but they're showing as deleted/staged??? Nobody Interesting fucked around with this message at 07:13 on Mar 28, 2021 |
# ? Mar 28, 2021 06:58 |
|
It says right there in the message: you can't push to a non-bare repo. Typically what is hosted on GitHub etc. is the bare repo (just the .git folder). It's assumed this is what you're pushing to normally, as the complexity and room for error increase if you're trying to update somebody else's working tree. You can disable this behavior and get what you're trying to do via the config options in the message output. To be honest though, you're just giving yourself a hard time with .git; just rsync the folder if that's the workflow you want, git isn't doing anything for you in this situation. Edit: to be clear, the error is because you're trying to push to another cloned (non-bare) repo.
|
# ? Mar 28, 2021 08:17 |
|
I would keep using git instead of rsync, it sounds like the problem is simply that you created a repo on the server that isn't bare. Move or delete the repo on the server, make a new one with git init --bare and push to there. It should end with dot git.
|
# ? Mar 28, 2021 14:32 |
|
xtal posted:I would keep using git instead of rsync, it sounds like the problem is simply that you created a repo on the server that isn't bare. Move or delete the repo on the server, make a new one with git init --bare and push to there. It should end with dot git. I assumed he's using the server repo for *something* and needs the working tree, hence the theatrics. If you're just trying to have redundant mirrors then ya, do this.
|
# ? Mar 28, 2021 15:26 |
|
It's a super duper business critical (not really) Hugo website, so the point in git was to have a post-receive hook that rebuilds the site. THAT makes more sense though. I don't know why I was having such trouble comprehending what was right in front of me. So I guess the repo on the server needs to be re-initialised as bare and we go from there, probably. I'll see what happens, but at least I grasp the concept a bit better now. Thanks for holding my hand, I think I needed it.
|
# ? Mar 28, 2021 17:02 |
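The bare-repo advice two posts up and the post-receive rebuild described just above fit together into one small setup. The following is an added example, not code from the thread or from any of the projects mentioned: a Python script that creates the server-side bare repo, installs a post-receive hook that checks the pushed branch out into a separate deploy directory, then clones, commits and pushes to show the hook firing. The repository name, the branch (main) and the deploy path are assumptions, and the Hugo build step is left as a comment in the hook. The hook only deploys refs/heads/main, so a push to a scratch branch cannot overwrite the live site, and it checks out into its own work tree rather than touching the repository it received into.

```python
"""Bare repo + post-receive deploy hook, run end to end in a scratch dir (added example)."""
import os
import stat
import subprocess
import tempfile

BRANCH = "main"  # assumed deploy branch

# The hook is a plain sh script; git feeds it one "<old-sha> <new-sha> <refname>"
# line per updated ref on stdin. Only the deploy branch triggers a checkout.
HOOK = """#!/bin/sh
set -eu
while read -r old new ref; do
    [ "$ref" = "refs/heads/{branch}" ] || continue
    git --git-dir="{repo}" --work-tree="{deploy}" checkout -f {branch}
    # Site build would go here, e.g. hugo -s "{deploy}" (assumed, not run in the example).
done
"""


def git(*args: str, cwd: str = None) -> None:
    """Run one git command, failing loudly; output is captured to keep the demo quiet."""
    subprocess.run(["git", *args], cwd=cwd, check=True, capture_output=True)


def setup_bare_repo(repo: str, deploy: str) -> None:
    """Create the server-side bare repo and install the deploy hook into it."""
    os.makedirs(deploy, exist_ok=True)
    git("init", "--bare", "-q", repo)
    git("symbolic-ref", "HEAD", f"refs/heads/{BRANCH}", cwd=repo)
    hook = os.path.join(repo, "hooks", "post-receive")
    with open(hook, "w") as f:
        f.write(HOOK.format(branch=BRANCH, repo=repo, deploy=deploy))
    os.chmod(hook, os.stat(hook).st_mode | stat.S_IXUSR)  # hooks must be executable


def push_site(repo: str, work: str, content: str) -> None:
    """Clone the bare repo, commit one file and push, which fires post-receive."""
    git("clone", "-q", repo, work)
    git("symbolic-ref", "HEAD", f"refs/heads/{BRANCH}", cwd=work)  # unborn branch in an empty clone
    with open(os.path.join(work, "config.toml"), "w") as f:
        f.write(content)
    git("add", "config.toml", cwd=work)
    git("-c", "user.name=demo", "-c", "user.email=demo@example.invalid",
        "commit", "-q", "-m", "initial site", cwd=work)
    git("push", "-q", "origin", BRANCH, cwd=work)


def demo(root: str = None) -> str:
    """Run the whole flow under a scratch directory; returns the deployed file's content."""
    root = root or tempfile.mkdtemp()
    repo, deploy, work = (os.path.join(root, d) for d in ("site.git", "deploy", "work"))
    setup_bare_repo(repo, deploy)
    push_site(repo, work, 'title = "reallygreatproject"\n')
    with open(os.path.join(deploy, "config.toml")) as f:
        return f.read()


if __name__ == "__main__":
    print(demo(), end="")
```

On a real server the same hook runs as whatever account the SSH push lands on, so that account needs write access to the deploy directory and nothing more; keep the bare repo outside the web root so the served site never includes the .git contents.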
|
If you need to keep what’s on the remote, you could just clone it to a new folder and copy what you have locally into it and commit. Or do that and just delete what’s in the fresh clone first, that’s fewer steps than reinitializing or whatever
|
# ? Mar 28, 2021 22:13 |
|
|
It turns out Gitlab's webhooks feature is a better solution for what I want, but example scripts are sparse and I'm poo poo with python. Eventually I'll figure it out, just not today! There are plenty of example PHP webhooks, but enabling PHP in this container would defeat the point of using a static site generator.
|
# ? Mar 28, 2021 22:54 |
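Since the post above asks for a webhook receiver and notes the scarcity of Python examples, the following is an added example, not code from the thread or from GitLab: a minimal standard-library HTTP handler for a GitLab push webhook that triggers a site rebuild. It relies on GitLab sending the configured secret in the X-Gitlab-Token header, the event type in X-Gitlab-Event ("Push Hook" for pushes) and a JSON body with object_kind and ref; the listen address, the rebuild command and the site path are placeholders. The decision logic is a pure function so it can be exercised without a network.

```python
"""GitLab push-webhook receiver that rebuilds a static site (added example)."""
import hmac
import json
import os
import subprocess
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Mapping, Tuple

DEPLOY_BRANCH = "refs/heads/main"             # assumed deploy branch
SITE_DIR = "/srv/reallygreatproject"          # placeholder; repo name taken from the thread
REBUILD_CMD = ["git", "-C", SITE_DIR, "pull", "--ff-only"]  # assumed; a site build would follow
MAX_BODY = 1 << 20                            # cap on request size: the body is untrusted input


def check_push(headers: Mapping[str, str], body: bytes, expected_token: str) -> Tuple[int, str]:
    """Decide what to do with a request. Returns (HTTP status, reason).
    Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if not expected_token:
        # Refuse to run open: with an empty token, an empty header would "match".
        return 503, "no token configured"
    token = h.get("x-gitlab-token", "")
    # Constant-time compare; a plain == leaks how much of the token matched through timing.
    if not hmac.compare_digest(token.encode(), expected_token.encode()):
        return 403, "bad token"
    if h.get("x-gitlab-event") != "Push Hook":
        return 400, "not a push event"
    try:
        event = json.loads(body)
    except ValueError:
        return 400, "malformed json"
    if not isinstance(event, dict) or event.get("object_kind") != "push":
        return 400, "not a push event"
    if event.get("ref") != DEPLOY_BRANCH:
        return 200, "ignored branch"
    return 202, "rebuild"


class Hook(BaseHTTPRequestHandler):
    token = os.environ.get("GITLAB_WEBHOOK_TOKEN", "")  # assumed: secret comes from the environment

    def do_POST(self) -> None:
        length = int(self.headers.get("Content-Length", "0") or 0)
        body = self.rfile.read(min(length, MAX_BODY))
        status, reason = check_push(dict(self.headers.items()), body, self.token)
        if status == 202:
            subprocess.Popen(REBUILD_CMD)  # don't hold the webhook open for the build
        self.send_response(status)
        self.end_headers()
        self.wfile.write(reason.encode())


if __name__ == "__main__":
    # Bind to loopback and put the reverse proxy (with TLS) in front of it; the token is
    # the only authentication this receiver has.
    HTTPServer(("127.0.0.1", 8080), Hook).serve_forever()
```

Note that the rebuild does not use anything from the request body except the branch name: the hook decides whether to act, and what it runs is fixed in the script, so a forged payload can at worst cause a spurious pull of the same branch.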