Readit News
eriksjolund commented on Replacing Kubernetes with systemd (2024)   blog.yaakov.online/replac... · Posted by u/birdculture
chaz6 · 4 months ago
I really like rootless podman, but there is one quirk in that if you want to preserve the original source IP address (e.g. for web server logs), you have to use a workaround which has a performance penalty.

https://github.com/containers/podman/issues/10884

https://github.com/containers/podman/pull/9052

https://github.com/containers/podman/pull/11177

eriksjolund · 4 months ago
That workaround is not needed if the web server container supports socket activation. Due to the fork-exec architecture of Podman, the socket-activated socket is inherited by the container process. Network traffic sent over this socket-activated socket has native performance. https://github.com/containers/podman/blob/main/docs/tutorial...
eriksjolund commented on Getting forked by Microsoft   philiplaine.com/posts/get... · Posted by u/phillebaba
talkingtab · 4 months ago
My personal thought is that we need a new kind of license: community open source. No corporations, just community.

The problem this addresses is not that Microsoft forked this project. The problem is that when a corporation like Microsoft does this, they harm our community[0]. Open source thrives because a bunch of individuals and groups collaborate.

Microsoft is built around the concept of profit for stock owners at any cost. They may collaborate as long as their interest in profit is served, but otherwise, it is back to "Embrace, Extend, Extinguish" [1].

This lack of community ethic is endemic in corporations. It is also an existential threat to our community. Profit at any cost is not collaboration. It is predatory.

And yes, I know, corpies and other greedists will vote this down, blah, blah, blah.

[0] https://en.wikipedia.org/wiki/United_States_v._Microsoft_Cor...

[1] https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...

[edit clarity]

eriksjolund · 4 months ago
The license would no longer be open source if you limited use to the community only.

See "6. No Discrimination Against Fields of Endeavor" in The Open Source Definition https://opensource.org/osd

eriksjolund commented on Podman Quadlets with Podman Desktop   podman-desktop.io/blog/po... · Posted by u/teleforce
rendaw · 4 months ago
What's the use case for that? Multitenant server web hosting where customers provide containers and you want to lock them down I guess? Mostly SaaS/PaaS?
eriksjolund · 4 months ago
I did it out of pure interest, just to explore ways of locking down a web server.
eriksjolund commented on Podman Quadlets with Podman Desktop   podman-desktop.io/blog/po... · Posted by u/teleforce
ratorx · 4 months ago
> the security aspect

It’s not a systemd-specific thing, but systemd makes it relatively easy to drop privileges (like network in this case), whilst also allowing socket-activated services to be configured easily. You can probably achieve the same thing with inetd + network namespaces (I think this is what systemd uses under the hood).

eriksjolund · 4 months ago
You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=`

I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access

Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

eriksjolund commented on Podman Quadlets with Podman Desktop   podman-desktop.io/blog/po... · Posted by u/teleforce
orthoxerox · 4 months ago
What is the killer feature that will make me want to switch from Docker Compose to Podman Quadlets?
eriksjolund · 4 months ago
Podman Quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (`--network=none`). If the server were compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for a preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.

eriksjolund commented on Quadlet: Running Podman containers under systemd   mo8it.com/blog/quadlet/... · Posted by u/gjvc
eriksjolund · 5 months ago
Socket activation can be used with quadlets but not with docker-compose. That is a big advantage.

https://github.com/containers/podman/blob/main/docs/tutorial...
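
The following is an added example, not code from the Podman tutorial linked above, from the Red Hat blog post, or from eriksjolund. It shows the setup that the socket-activation comments in this thread and in the "Replacing Kubernetes with systemd" and "Podman Quadlets with Podman Desktop" threads describe: a systemd user `.socket` unit owns the listening socket, and a Quadlet `.container` file runs the server with `Network=none` and `RestrictAddressFamilies=` so that the container process inherits the socket (and sees the real client address) while neither the container nor Podman itself can open IP sockets. Names are assumptions: the unit pair is called `echo`, the image `localhost/socket-activated-echo` is assumed to be in local storage already (Podman cannot pull under this restriction) and to contain a server that accepts the inherited listening socket (fd 3, advertised through `LISTEN_FDS`). The address-family list is the one I have seen work for a network-less container; confirm it on your Podman version with `journalctl --user -u echo.service`.

```shell
#!/bin/sh
# Added example: socket-activated, network-less rootless container via Quadlet.
# Assumed names: units "echo", image localhost/socket-activated-echo (pre-pulled,
# and its server must use the inherited listening fd 3 / LISTEN_FDS).
set -eu

# write_units UNIT_DIR QUADLET_DIR IMAGE
# Writes echo.socket into UNIT_DIR and echo.container into QUADLET_DIR.
write_units() {
    unit_dir=$1
    quadlet_dir=$2
    image=$3
    mkdir -p "$unit_dir" "$quadlet_dir"

    # systemd owns the listening socket. The container is started on the first
    # connection and inherits this fd, so the server sees the real client
    # source address: no port forwarding, no rootlessport/pasta hop.
    cat > "$unit_dir/echo.socket" <<'EOF'
[Unit]
Description=Socket-activated listener handed to the echo container

[Socket]
ListenStream=0.0.0.0:3000

[Install]
WantedBy=sockets.target
EOF

    # Quadlet generates echo.service from this file (name must match the
    # socket unit). Network=none gives the container no network at all, and
    # RestrictAddressFamilies= denies Podman itself IP sockets, so no image
    # pull can happen from this unit: the image must already be present.
    cat > "$quadlet_dir/echo.container" <<EOF
[Unit]
Description=Echo server, reachable only through echo.socket
Requires=echo.socket
After=echo.socket

[Container]
Image=$image
Network=none

[Service]
# Assumed minimal set: AF_UNIX for Podman/conmon IPC, AF_NETLINK for namespace setup.
RestrictAddressFamilies=AF_UNIX AF_NETLINK
EOF
}

# unit_has FILE DIRECTIVE : exit 0 if the exact "Key=Value" line is present.
unit_has() {
    grep -qx "$2" "$1"
}

# Interactive use: ./socket_activated_echo.sh install
if [ "${1:-}" = install ]; then
    write_units "$HOME/.config/systemd/user" "$HOME/.config/containers/systemd" \
        localhost/socket-activated-echo
    systemctl --user daemon-reload             # Quadlet now generates echo.service
    systemctl --user enable --now echo.socket  # listen; the container starts on demand
    # Check from another shell:
    #   printf 'hello\n' | nc 127.0.0.1 3000
    #   journalctl --user -u echo.service      # server logs the real client address
fi
```

Start the `.socket` unit, not the service: the container only runs once a client connects, and `systemctl --user stop echo.socket` closes the listener without touching the image or storage.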

eriksjolund commented on Learning about Bootc   sean.thrailkill.cloud/pos... · Posted by u/nikodunk
eriksjolund · 5 months ago
If you want to know why bootc is needed, check this list of goals: https://containers.github.io/bootable/

I found that URL by following the link in "bootc is the key component in a broader mission of bootable containers."

(https://bootc-dev.github.io/bootc/intro.html)

eriksjolund commented on Httptap: View HTTP/HTTPS requests made by any Linux program   github.com/monasticacadem... · Posted by u/alexflint
eriksjolund · 7 months ago
Another tool that can be used by an unprivileged user for analysing network traffic is rootless Podman with Pasta.

Just add the podman run option

`--network=pasta:--pcap,myfile.pcap`

Pasta then records the network traffic into a PCAP file that could later be analysed.

I wrote a simple example where I used tshark to analyse the recorded PCAP file https://github.com/eriksjolund/podman-networking-docs?tab=re...

eriksjolund commented on Zoomable Circles, a Svelte component for hierarchical data   npmjs.com/package/svelte-... · Posted by u/whb101
dchuk · a year ago
This is fantastic, really cool looking library.

Has anyone built something like this, or possibly a normal rectangular tree map, where the actual nodes in each subsection include images? I’d love to build an interactive thing like this but have it include graphical nodes with some data attributes (let’s say name, price, etc.) once zoomed in.

eriksjolund · a year ago
How to display circles on top of zoomable images without getting flickering is an interesting problem. (This comment does not refer specifically to displaying a tree map)

I noticed that painting the circles on top of an overlay with OpenSeadragon caused flickering [1]. However, when painting circles on top of the pyramid image tiles that OpenSeadragon loaded, there was no flickering.

This was my conclusion in 2016 when I created a web viewer that showed circles on top of a microscope photo [2]. Architecture: single file format containing an index, pyramid image tiles and measurement data for circles. To make this work, I intercepted the function call that OpenSeadragon usually uses to download an image tile. Instead, I provided OpenSeadragon with an image tile that already had the circle painted on it.

[1] https://openseadragon.github.io/examples/ui-overlays/

[2] demo: https://eriksjolund.github.io/osd-spot-viewer-webpack-build/... (The demo only worked on Linux. I'm not sure if it still works.) Source code: https://github.com/eriksjolund/osd-spot-viewer

u/eriksjolund · karma 123 · cake day August 15, 2016