  • glizzyguzzler@lemmy.blahaj.zone to Selfhosted@lemmy.world: Podman or rootless docker?
    Hey bigdickdonkey, I recently tried and wasn’t able to shit my way through podman, there just wasn’t enough chatter and guides about it. I plan to revisit it when Debian 13 comes out, which will include podman quadlets. I also tried to get podman quadlets to work on Ubuntu 24 and got closer, but still didn’t manage and Ubuntu is squicky.

    I read about true user rootless Docker and decided that was too finicky to keep up to date. It needs some annoying stuff to update, from what I could tell. I was planning on many users having their own containers, and that would have gotten annoying to manage. Maybe a single user would be an OK burden.

    The podman people make a good argument for running podman as root and using userns to divvy out UIDs to achieve rootless https://www.redhat.com/en/blog/rootless-podman-user-namespace-modes but since podman is on the back burner till there’s more community and Debian 13, I applied that idea to Docker.

    So I went with root Docker with the goals of:

    • read only
    • set user to different UID:GID for each container
    • silo containers in individual Docker networks
    • nothing gets /var/run/docker.sock
    • cap_drop: all
    • security-opt=no-new-privileges
    • volumes all get tagged with :rw,noexec,nosuid,nodev,Z

    Basically it’s the security best practices from this list https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html

    This still has risk of the Docker daemon being hacked from the container itself somehow, which podman eliminates, but it’s as close to the podman ideal I can get within my knowledge now.

    Most things will run as rootless+read-only+cap_drop with minor messing. Automatic ripping machine would not, but that project is a wild ride of required permissions. Everything else has succumbed, but I’ve needed to sometimes have a “pre launch container” to do permission changes or make somewhere like /opt writable.

    I would transition one app stack at a time to the best security practices, and it’s easier since you don’t need to change container managers. Hope this helps!

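Below, as an added example and not anything the commenter posted, is a docker-compose service that applies the bullet list in the comment above: read-only root filesystem, a dedicated unprivileged UID:GID, an isolated per-stack network, all capabilities dropped, no-new-privileges, and noexec,nosuid,nodev on the data mount. The image name, UID:GID, network name and host path are placeholders; the mount flags are passed through the local volume driver's options, which is one way Docker accepts them for a bind, and the SELinux Z relabel from the comment is left out of this form.

```yaml
# Added example (placeholders throughout); hardened single-service stack.
services:
  app:
    image: example/app:latest          # placeholder image
    read_only: true                    # root filesystem is immutable
    user: "10001:10001"                # dedicated unprivileged UID:GID for this container
    cap_drop:
      - ALL                            # drop every Linux capability
    security_opt:
      - no-new-privileges:true         # setuid/setgid binaries cannot raise privileges
    networks:
      - app_net                        # siloed network, not the default bridge
    tmpfs:
      - /tmp:rw,noexec,nosuid,nodev,size=64m   # scratch space, since / is read-only
    volumes:
      - app_data:/data                 # persistent data, flags set on the volume below
    # /var/run/docker.sock is deliberately never mounted into the container

networks:
  app_net:
    driver: bridge                     # one network per stack keeps containers apart

volumes:
  app_data:
    driver: local
    driver_opts:
      type: none
      o: bind,rw,noexec,nosuid,nodev   # mount options applied to the bind
      device: /srv/app/data            # placeholder host path
```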

  • It’s confusing because you’re advocating for not voting in the US election while not having the ability to vote in the US election. You’re literally doing foreign interference by not being straightforward with your non-US citizen background. State that so people understand the context you’re speaking from, we have a fuckton of foreign election interference from Russia and Israel and more already.

    I have interacted with so many people from outside the US who really want to advocate for our election yet don’t understand the shitass limited choices we have to make to try to make the future better.

    I lay out that ethically anyone who supports ending the genocide should vote to reduce harm elsewhere since both options continue the genocide. Not voting dem is also sacrificing trans people and Hispanic people and women which is ethically wrong. Sucks ass, but voting anything other than dem is way worse. So the small effort to tick the box is easily worth that effort.

    Be ready for your next UK election, you may need to choose Labour instead of Green in a tight race so that Tory or Reform doesn’t take your local seat. Sucks ass, but one less conservative is one more not conservative. With so many parties I can’t believe yous don’t have ranked choice.

    Again the only ethical thing is to enable harm reduction. Because voting isn’t a direct extension of your values, but a tiny push for not-fascism. The media may make it a 24/7 thing, but it’s really a 20 minute trip once every 6-12 months if you’re nudging for local change. Once every 4 years if you can’t be arsed to vote local for some reason.


  • This is a very confusing stance, you’re advocating for not voting while not being a US citizen so you can’t vote??

    And you completely misunderstand first past the post voting. You have it in the UK too. It’s how Labour got elected, your far right party split the conservative vote. The risk here is that due to the US’ electoral college system a select few states (incl. TX, NC, GA, FL, VA, NV, ME not just the rust belt strip) will decide the election. Thus for those states, someone who could vote must vote for the Dems.

    Any possible vote not for the Dems will help the Repubs get closer to clinching those close states, whether it’s no-vote or one of the virtue-signaling 3rd party candidates. (Yes, they only split the vote and are worthless for reducing harm, build 3rd party from local up)

    Only one of two candidates will win thanks to FPTP. Both candidates will continue to enable genocide. But one candidate - Trump - will target trans people and will target women and will target minorities at home. So if you are a US citizen who can vote, you do the proper ethical thing: you vote for harm reduction via voting for the Democrats.

    A vote is not an endorsement, you don’t have to feel tied to it; it’s an infinitesimal push to a better atmosphere to advocate for the end of the genocide. If Trump is in power left-leaning people will be split putting out fires: trying to keep trans people alive, trying to get women proper healthcare, trying to keep minorities from being rounded up. There will be less bandwidth for stopping the genocide, much less pushing for more progressive change.

    In short, the only ethical move is to vote if you’re a US citizen to mitigate harm and improve the progressive landscape to be able to maximize effort towards ending the genocide. The only ethical move if you’re not a US citizen is to not advocate for not voting for the Democrats; might as well be a Russian bot at that point.


  • Here is a nice summary from https://www.reddit.com/r/firefox/comments/o28yi4/comment/h26mguk/?context=3 :

    Privacy Badger is also redundant. It’s useless at best and can do a disservice:

    Its local learning is disabled by default. Since they turned off the heuristic, PB just blocks third-party cookies from the yellowlist. Keeping a separate extension to block cookies from ≈800 domains makes no sense when you have uBlock Origin with tens of thousands of domains in filter lists. It’s detectable, that is, it adds extra info to your fingerprint. Even despite the disabled local learning, some of its methods of work are still detectable (function code: API tampering detected). And if you enable local learning, PB can become even more detectable.

    Also it sends Global Privacy Control and Do Not Track headers (which even one of its creators called “a failed experiment”) by default, which is useless and only gives extra bits for fingerprinting.

    Basically how Privacy Badger works is noticeable, but you can turn on local learning to get bespoke ad blocking at the cost of your device being much more easily identifiable. Maybe half-n-half and have Privacy Badger off on private browsing so you can shop in that mode without Amazon knowing your life’s history as easily.



  • Your budget is really near a https://store.ui.com/us/en/collections/unifi-dream-router/products/udr Unifi dream router. Your family is gonna be way happier with you (0 downtime) and it’ll give you extender options if you ever need it. Unifi is good enough and they update regularly, just disable cloud access stuff and you’re good.

    Otherwise you want Opnsense instead of Openwrt. The upgrade process for Openwrt is not automatic, while Opnsense is. Worth it not to have to dote on your router.

    And you should get an access point (Unifi something or TP-Link Omsomething), wifi is problematic with OpenWrt and I’m not sure if Opnsense even lets you do it (haven’t tried).

    And you’ll need a switch, dumb or managed, up to you if you want VLANs. The Opnsense box will have just one LAN port, so it requires a switch if you want to plug more than one thing into it. A switch with PoE+ can power the access point directly.

    Opnsense needs x64 arch (Intel or AMD CPUs), get a small thin client like a Dell Wyse 5070 extended or HP T730 or that mentioned Fujitsu Futro S720 (its CPU is old tho, you can do better). There may be newer thin clients, you just want a mini PCIe slot to install some Intel gigabit card from eBay with 2 ports. Google power efficient gigabit mini PCIe card - there’s an older model that sucks power and a newer one that doesn’t suck; if you go more than gigabit skip 2.5 on Intel unless you google hard and expect extra power draw. Very limited point to 4 port cards, just go higher gigabit speeds, don’t think about multiplexing ports or whatever it is called; and switches switch better than the router can and remove CPU overhead for more actual routing work - 2 port card is the way.

    Slap Incus (superior but newer, less guides, LXD is previous name if googling stuff) or Proxmox (good enough, more guides for this) on it, make a VM and pass through the 2 ports of the PCIe cards, slap Opnsense in the VM. Make an LXC container and slap Debian on it and spin up the Unifi controller for your AP. Another container for adguard home or pi hole and you’ve got a box that does the basic nets all in one. The built-in port on the thin client is how you will access the underlying OS, it gets plugged into the switch you’ll have to get. If you got something with 2 gigs of RAM and an AMD Geode/GX or aged Intel Atom CPU I’d just only do Opnsense no hypervisor stuff.

    Sorry for the info dump but there’s a lot of angles!

    But really, the Unifi dream router is much easier and solves it all-in-one. You need 3 pieces (router, wifi access point, Ethernet switch) for a good experience otherwise.