the one thing I cannot figure out is how the rfuck k8s in the tayool 2022 still doesn't support swap (ok I just looked and it's an alpha feature)

# Dec 10, 2021 08:55

# Apr 20, 2024 02:01

I have no idea how they have convinced people that their product, which totally dumps decades of investment and research in memory management, is ready for prime time, and I say this as someone who runs k8s in production

# Dec 10, 2021 09:00
|
Nomnom Cookie posted:
> it’s because linux is poo poo at managing swap so you are better off not having swap, eating the OOMs, and moving pods off the overloaded node to another one. distributed systems are designed around fail-stop and swap turns fail-stop into fail-slow. it doesn’t help for the scenarios k8s is deployed into. that’s why k8s didn’t support swap originally. idk why it’s starting to—demand from people like you maybe? I won’t be enabling it

I don't think it's a matter of fail-stop vs fail-slow, not having swap is strictly worse in low-memory conditions. you're going to be paging to disk no matter what, you probably want it to be the memory a bunch of programs allocated at startup and never used again rather than hot items in the page cache or the executable sections of your programs

if you don't want your programs to be able to overcommit memory, that's your choice. but my understanding is that in v2 cgroups the accounting is going to (correctly) include things outside of anonymous memory like pages and kernel allocations, so your users might try to allocate less than whatever their limit is and things will either be killed or "slow down" because you've reduced the number of pages they're allowed to have in the cache

# Dec 11, 2021 02:34
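The "killed or slowed down" split in the post above comes straight out of how cgroup v2 charges memory: `memory.current` counts anonymous pages, file cache and kernel allocations together against `memory.max`, and only the clean file cache is something reclaim can drop before the OOM killer gets involved. The following is an added illustration, not code from Kubernetes or the kernel. It parses a constructed `memory.stat` sample (a subset of the real keys, values in bytes) and classifies a hypothetical further allocation as fitting, forcing cache reclaim (the "slow down" case), or unavoidable OOM. `read_own_cgroup_memory()` reads the live files for the calling process's own cgroup when it runs on a cgroup v2 host.

```python
"""Split a cgroup v2 memory charge into what reclaim can and cannot take."""
import os

# Constructed sample of a cgroup v2 memory.stat (subset of the real keys),
# for a workload that allocated little but read a lot of files.
SAMPLE_MEMORY_STAT = """\
anon 262144000
file 838860800
kernel 33554432
kernel_stack 1048576
slab 25165824
sock 0
shmem 0
file_mapped 104857600
file_dirty 8388608
file_writeback 0
"""
SAMPLE_MEMORY_CURRENT = 1134559232   # anon + file + kernel from the sample
SAMPLE_MEMORY_MAX = 2147483648       # a 2 GiB limit (constructed)


def parse_memory_stat(text):
    """Parse the 'key value' lines of memory.stat into a dict of ints."""
    stats = {}
    for line in text.splitlines():
        if line.strip():
            key, value = line.split()
            stats[key] = int(value)
    return stats


def memory_budget(stats, limit):
    """Classify the charge against memory.max.

    pinned    - anon, kernel, shmem and dirty/writeback file pages: reclaim
                cannot drop these (without swap, anon has nowhere to go)
    droppable - clean file cache that reclaim evicts under pressure
    headroom  - limit minus pinned: what can still be allocated before the
                OOM killer is the only option left
    """
    anon = stats.get("anon", 0)
    file = stats.get("file", 0)              # includes shmem in cgroup v2
    kernel = stats.get("kernel", 0)
    shmem = stats.get("shmem", 0)
    unclean = stats.get("file_dirty", 0) + stats.get("file_writeback", 0)
    pinned = anon + kernel + shmem + unclean
    droppable = max(file - shmem - unclean, 0)
    return {"pinned": pinned, "droppable": droppable, "headroom": limit - pinned}


def allocation_outcome(stats, current, limit, extra):
    """What happens if the cgroup tries to allocate `extra` more bytes.

    'fits'           - current + extra stays under the limit
    'reclaims_cache' - over the limit, but dropping clean cache makes room,
                       so the workload gets slower rather than killed
    'oom'            - even with all cache gone the charge exceeds the limit
    """
    if limit is None or current + extra <= limit:
        return "fits"
    if memory_budget(stats, limit)["pinned"] + extra <= limit:
        return "reclaims_cache"
    return "oom"


def read_own_cgroup_memory(cgroup_root="/sys/fs/cgroup"):
    """Read memory.stat/current/max for this process's cgroup (v2 only).
    Returns (stats, current, limit_or_None) or None if unavailable."""
    try:
        with open("/proc/self/cgroup") as f:
            path = next(l for l in f if l.startswith("0::")).strip()[3:]
        base = os.path.join(cgroup_root, path.lstrip("/"))
        with open(os.path.join(base, "memory.stat")) as f:
            stats = parse_memory_stat(f.read())
        with open(os.path.join(base, "memory.current")) as f:
            current = int(f.read())
        with open(os.path.join(base, "memory.max")) as f:
            raw = f.read().strip()
        return stats, current, (None if raw == "max" else int(raw))
    except (OSError, StopIteration, ValueError):
        return None


if __name__ == "__main__":
    stats = parse_memory_stat(SAMPLE_MEMORY_STAT)
    print(memory_budget(stats, SAMPLE_MEMORY_MAX))
    for extra in (500 << 20, 1536 << 20, 2048 << 20):
        print(extra, allocation_outcome(stats, SAMPLE_MEMORY_CURRENT, SAMPLE_MEMORY_MAX, extra))
```

The practical point: a pod whose `memory.current` sits near `memory.max` is not necessarily about to be killed, but if most of that charge is pinned rather than droppable cache, shrinking the limit or allocating more will go straight to OOM rather than "slow down".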
|
for VMs you can also use zram for the swap partition

# Dec 11, 2021 10:48
|
SYSV Fanfic posted:
> I've had to explain this to teenagers who are impressed that I use emacs by default when I do something quick. There are better ways now, don't waste ur life.

as a computing professional you're going to want to learn some shortcuts for navigating around your code. you can choose to have those shortcuts exist on every machine and editor you'll ever use or not.

# Jan 4, 2022 14:30
|
it's a little endearing when someone is using vscode or sublime or notepad++. like watching an ant struggle to pull something 10x its size

# Jan 16, 2022 07:54
|
"awww, they're doing full text search on 'def pooFunction(' to find where the function is defined"

# Jan 16, 2022 07:55
|
mystes posted:
> Are you just complaining about your idea of what you imagine vscode is like without having actually used it?

kind of, yes. this is what my coworkers who use vscode do when we are working together

# Jan 17, 2022 00:54
|
The_Franz posted:
> that's a case of people not knowing how to use their tools vs the tools being inadequate

okay, does vscode provide "find implementation" for python code then?

# Jan 17, 2022 00:58
|
The_Franz posted:
> oh python? apparently not (yet)

no, we give out intellij licenses like candy, but the vscode/sublime users don't think they need it

# Jan 17, 2022 01:54
|
Cybernetic Vermin posted:
> ebpf everything is the future.

I can see the appeal, but I really don't understand how you're supposed to debug when things go wrong with your bytecode programs other than very carefully. For tracing and profiling it's a godsend of course, but xdp and such seems nuts to me

# Jan 27, 2022 01:04
|
mystes posted:
> You're a very generous grader

# Feb 1, 2022 11:38
|
The Wisest Moron posted:
> I want to browse the internet while pretending I'm elite hacker-man, what OS should I use for that?

lynx in a tiling window manager on arch, op

# Feb 3, 2022 03:44
|
zfs on Linux is embarrassingly slow and bad, don’t use it

# Mar 4, 2022 09:38
|
yummycheese posted:
> Debian - hard core stallmanism that prevents users from doing obvious tasks

this is why Ubuntu server is the best of the pos

# Mar 24, 2022 00:39
|
A Bad King posted:
> Tinkering and distro hopping can be its own fun hobby on a spare machine, though.

love too fight with my computer as a hobby

# Mar 24, 2022 00:40
|
most of the oh-my-zsh themes are awful, but if you use a simple one you can still get the vi key bindings and all the nice autocomplete plugins and not have a bunch of irrelevant garbage on your screen

# Mar 25, 2022 13:19
|
That loving Sned posted:
> It was posted before, but you can find ISOs of Debian that come with non-free drivers, a modern installer and a desktop environment that are pretty much perfect for me.

yes, we all know about ubuntu, op

# Mar 30, 2022 01:07
|
why the gently caress did they build a dns server into it

# Apr 7, 2022 12:55
|
Lysidas posted:

what the gently caress is your server like?

# Apr 8, 2022 14:06
|
Lady Radia posted:
> well yes, sshing to containers is explicitly because you're debugging something went wrong, that's the whole point????

are you ... actually sshing to the container? as in it is running ssh? if you live in a normal world you exec into the container, either from the host it’s running on or preferably remotely using kubectl

# Apr 11, 2022 00:24
|
carry on then posted:
> this is some "beep boop i am incapable of nuance or parsing context" level posting

lmao I’m a goon and a yosposter, what do you expect. but also I’ve seen this before on more than one occasion

# Apr 11, 2022 00:57
|
well yes, doing so requires root privileges

# Apr 11, 2022 14:00
|
I'm not sure I'm completely following you, but in 2022 Linux containers can be run by unprivileged users and thus "container escape" could only ever give you unprivileged access. but it also seems kind of beside the point, because if you are able to escape a container you're already exploiting the kernel

# Apr 11, 2022 14:23
|
Cybernetic Vermin posted:
> in what way exactly is the container a container at the point where things casually stroll out of it? given how much you seem to care about the security of the setup i do now imagine that the "unprivileged" level after container escape will be able to mess with everything of actual relevance on the machine, being precluded perhaps from changing the system clock.

yeah, but what you’re describing is not the case if you’re holding it correctly. admittedly people are mostly not doing that, but don’t blame Linux!

BlankSystemDaemon posted:
> In the year 2022 you don't ever see a box rooted with a single exploit, though.

look, I think a problem here is that containers is an imprecise term. largely you’re talking about some nice api on top of cgroups and namespaces, but there are also Linux container runtimes available that intercept and emulate system calls or use the in-kernel kvm machinery to run the process in what is essentially its own individual vm

to your point, I agree that the primary container runtime that initially got traction on Linux, which was docker, traded usability for security in its initial implementation where required. they knew operators were going to run all their containers as root even though they explicitly said “do not do this!” and predictably users do exactly that and run root containers all day long.

but! the major primitives docker relies on, namespaces and cgroups, are very much designed for strong isolation guarantees. as I mentioned, since 3.8, root is not required at all to use these tools, not even suid. and they’re pretty powerful, you can start a container within which a process is running as “root” with full capabilities, but that root will actually just map to the unprivileged user that started the container.

as for why so many of these exploits pop up on Linux as opposed to FreeBSD, I’d imagine it’s because Linux has users

# Apr 12, 2022 01:44
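The "root that maps to the unprivileged user" claim in the post above is the user-namespace primitive that rootless podman and docker are built on, and it is easy to see directly. The block below is an added illustration, not code from any container runtime: it forks, has the child call `unshare(CLONE_NEWUSER)` through ctypes, writes the `/proc/self/{setgroups,uid_map,gid_map}` triple that an unprivileged process is permitted to write (a single entry mapping uid 0 inside to the caller's own uid outside), and reports back the child's effective uid, its `CapEff` mask and the map. `translate_id()` is the arithmetic the kernel applies when that "root" touches a file on the host. On a kernel that refuses unprivileged user namespaces the demo returns `None` rather than failing; the map parsing and translation work anywhere.

```python
"""Rootless 'root': uid 0 in a user namespace that is an ordinary uid outside."""
import ctypes
import errno
import json
import os
import sys

CLONE_NEWUSER = 0x10000000  # from <linux/sched.h>


def parse_id_map(text):
    """Parse uid_map/gid_map lines: '<inside_start> <outside_start> <count>'."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            inside, outside, count = (int(x) for x in line.split())
            rows.append((inside, outside, count))
    return rows


def translate_id(inside_id, id_map):
    """Host-side id behind an id seen inside the namespace, or None when it is
    unmapped (the kernel then shows the overflow id, 65534 by default, which
    owns nothing on the host)."""
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def _child_in_new_userns(write_fd, host_uid, host_gid):
    """Runs in the forked child: enter a fresh user namespace and map
    container uid/gid 0 onto the unprivileged caller. Never returns."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER) != 0:
        err = ctypes.get_errno()
        os.write(write_fd, json.dumps({"error": errno.errorcode.get(err, str(err))}).encode())
        os._exit(0)
    # Without CAP_SETGID in the parent namespace, gid_map may only be written
    # once setgroups() has been disabled for the namespace.
    with open("/proc/self/setgroups", "w") as f:
        f.write("deny")
    with open("/proc/self/uid_map", "w") as f:
        f.write(f"0 {host_uid} 1\n")
    with open("/proc/self/gid_map", "w") as f:
        f.write(f"0 {host_gid} 1\n")
    cap_eff = None
    with open("/proc/self/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                cap_eff = line.split()[1]   # full set inside, meaningless outside
    with open("/proc/self/uid_map") as f:
        uid_map = f.read()
    result = {"inside_euid": os.geteuid(), "cap_eff": cap_eff, "uid_map": uid_map}
    os.write(write_fd, json.dumps(result).encode())
    os._exit(0)


def demo_rootless_root():
    """Fork, enter a user namespace in the child, report what 'root' there is.
    Returns None where the kernel refuses unprivileged user namespaces."""
    if not sys.platform.startswith("linux"):
        return None
    host_uid, host_gid = os.getuid(), os.getgid()
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        try:
            os.close(r)
            _child_in_new_userns(w, host_uid, host_gid)
        except BaseException as exc:  # never let the child fall back into the caller
            os.write(w, json.dumps({"error": repr(exc)}).encode())
        finally:
            os._exit(0)
    os.close(w)
    chunks = []
    while True:
        data = os.read(r, 4096)
        if not data:
            break
        chunks.append(data)
    os.close(r)
    os.waitpid(pid, 0)
    if not chunks:
        return None
    result = json.loads(b"".join(chunks))
    if "error" in result:
        return None
    result["host_uid"] = host_uid
    result["host_uid_of_inside_root"] = translate_id(0, parse_id_map(result["uid_map"]))
    return result


if __name__ == "__main__":
    print(demo_rootless_root())
```

Inside the child, `geteuid()` is 0 and `CapEff` is the full mask, but every capability is scoped to the new namespace and `uid_map` says that uid 0 is really the invoking user. That is why a process that "escapes" a rootless container lands as that user, and why the wider `1 100000 65536` style ranges that rootless runtimes configure through `newuidmap` are what make multi-user images work at all.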
|
nbsd come back, you are missed

# Apr 23, 2022 07:25
|
disallowing universe makes a lot of sense though. trying to make all of your poo poo work on system-provided python or java is a very bad idea imo, regardless of distribution. core just needs to provide enough to run basic system services and get a container runtime up

# Apr 23, 2022 07:30
|
is there a point to having a separate htpc when plex exists and you can run plex server on your main PC?

# Apr 25, 2022 04:24
|
I'm a little dim, is Nix just distribution-agnostic package isolation for non-containerized environments?

# Apr 26, 2022 11:27
|
why do I want my app in Nix instead of docker?

# Apr 26, 2022 11:27
|
this is the correct behavior, op.

# Apr 28, 2022 23:25
|
pseudorandom name posted:
> inventing a third configuration language that compiles to either NetworkManager or systemd-networkd seems pretty idiotic

yeah, that one is definitely redacted, but that's been there since bionic

# Apr 29, 2022 09:18
|
BlankSystemDaemon posted:
> does docker run on windows and macos, or does windows and macos provide a hypervisor that can run linux as a virtual guest, which then runs docker?

on windows it can run native, on osx it runs under hypervisor

# May 2, 2022 11:46
|
i barely know 'er!

# May 2, 2022 11:56
|
does windows server or whatever have wsl? it’s almost compelling as a platform if you can run both windows and Linux binaries natively

# May 2, 2022 15:26
|
answering my own question, holy poo poo it does. that’s awesome, except for the main system being windows. maybe we can get a LSW

# May 2, 2022 15:31
|
mystes posted:
> You realize that if you want a linux server you can just run linux, right?

yeah, I do, but I can’t run the lovely third-party windows apps I need on them. would be nice to only have to janitor one kind of server

# May 2, 2022 15:56
|
nudgenudgetilt posted:
> https://github.com/Jeeaaasus/youtube-dl/blob/master/Dockerfile#L43

you should always use an init, you need something to reap zombies and handle signal propagation correctly and that poo poo does not belong in your app

# May 11, 2022 00:33
|
nudgenudgetilt posted:
> docker has provided a reaping init via --init for the better part of a decade.

so you agree whenever your app actually runs, there needs to be an init and it should not be your application, that’s good. believe it or not, if your deployable unit is a container, there are legitimate use cases for needing more than one OS process inside of it. it’s why the deployable unit of orchestrators is explicitly not containers, but something higher level like pods

# May 11, 2022 04:05
|
nudgenudgetilt posted:
> I'm saying all processes that spawn children should reap their children, but having --init is useful for when you're dealing with incompetently built applications

lol do people really refer to systemd as s6, jesus christ

anyway, I wouldn’t recommend running systemd in a container either, that’d be redacted. the point I’m trying to convey to you is sometimes a “service” may be composed of multiple OS processes working cooperatively and it’s not exactly uncommon. a trivial example is an application with something running alongside it that’s polling or listening for changes from an external system, writing to a file, and sending the application a sighup when that happens. the application itself should only have to know about what to do when it gets a sighup and how to serve farts

so you need something there (I really like remco for this pattern specifically, but there are others) to monitor the processes and if they go down either restart them and keep going or kill itself so the container will die. and it should reap zombies as well, they appear much more easily than you seem to think

# May 11, 2022 11:42
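The three posts above argue for a real PID 1 inside the container for two reasons: orphaned processes get reparented to PID 1 and stay zombies unless it reaps them, and PID 1 has no default signal disposition, so `docker stop` sends a SIGTERM that a naive application never forwards to its helpers. The block below is an added example of the minimum such init needs to do; it is not code from tini, dumb-init, s6 or remco. `supervise_once()` reproduces the zombie case outside a container by making the current process a subreaper with `prctl(PR_SET_CHILD_SUBREAPER)` (what PID 1 gets for free), then spawning a child that double-forks like a daemonizing helper and exits, leaving an orphan; with the subreaper role the init collects both processes, without it the orphan becomes somebody else's zombie. `run_as_init()` is the same logic as a usable entrypoint. Linux only.

```python
"""A minimal PID 1 for a container: reap orphans, forward signals, report
the supervised service's exit status."""
import ctypes
import os
import signal
import sys
import time

PR_SET_CHILD_SUBREAPER = 36  # <linux/prctl.h>


def become_subreaper(enable=True):
    """Have orphaned descendants reparented to us instead of PID 1.
    PID 1 has this role automatically; a supervisor that is not PID 1 needs it."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.prctl(PR_SET_CHILD_SUBREAPER, int(bool(enable)), 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "prctl(PR_SET_CHILD_SUBREAPER) failed")


def reap_children():
    """Collect every already-exited child without blocking. Returns [(pid, status)]."""
    reaped = []
    while True:
        try:
            pid, status = os.waitpid(-1, os.WNOHANG)
        except ChildProcessError:   # no children at all
            break
        if pid == 0:                # children exist but none has exited yet
            break
        reaped.append((pid, status))
    return reaped


def forward_signal(children, signum):
    """Relay a termination signal to the supervised children. PID 1 ignores
    signals it has no handler for, so without this `docker stop` just waits
    out its timeout and SIGKILLs everything."""
    delivered = []
    for pid in children:
        try:
            os.kill(pid, signum)
            delivered.append(pid)
        except ProcessLookupError:
            pass
    return delivered


def spawn_leaky_service():
    """Child that double-forks (like a daemonizing helper) and exits at once,
    leaving a grandchild whose parent is gone. Returns the child's pid."""
    pid = os.fork()
    if pid == 0:
        try:
            if os.fork() == 0:
                time.sleep(0.2)     # grandchild outlives its parent
        finally:
            os._exit(0)
    return pid


def supervise_once(subreaper):
    """Spawn the leaky service and wait until we have no children left.
    Returns how many processes we reaped: 2 as a subreaper (child plus its
    orphan), 1 otherwise (the orphan is reparented elsewhere, and stays a
    zombie if that PID 1 never calls wait)."""
    become_subreaper(subreaper)
    spawn_leaky_service()
    count = 0
    while True:
        try:
            os.waitpid(-1, 0)       # block until some child exits
        except ChildProcessError:
            break
        count += 1
    become_subreaper(False)
    return count


def run_as_init(argv):
    """Init loop: exec argv as the service, forward TERM/INT to it, reap every
    orphan, and return the service's exit code once it is gone."""
    become_subreaper(True)
    service = os.fork()
    if service == 0:
        os.execvp(argv[0], argv)
    for sig in (signal.SIGTERM, signal.SIGINT):
        signal.signal(sig, lambda s, _f: forward_signal([service], s))
    exit_code = 0
    while True:
        try:
            pid, status = os.waitpid(-1, 0)   # EINTR is retried after the handler runs
        except ChildProcessError:
            break
        if pid == service:
            exit_code = os.waitstatus_to_exitcode(status)
            forward_signal([p for p, _ in reap_children()], signal.SIGTERM)
    return exit_code


if __name__ == "__main__" and len(sys.argv) > 1:
    sys.exit(run_as_init(sys.argv[1:]))
```

Run as `python3 init.py your-service --flags` (assumed file name) to see the behaviour with a real workload; the process-group handling, restart policy and file-watcher pattern the post describes sit on top of these primitives rather than replacing them.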