Security updates for Friday
Security updates have been issued by Debian (redis and valkey), Fedora (docker-buildkit, ibus-bamboo, pgadmin4, webkitgtk, and wordpress), Mageia (kernel-linus, kmod-virtualbox & kmod-xtables-addons, and microcode), Oracle (compat-libtiff3 and udisks2), Red Hat (rsync), Slackware (python3), SUSE (chromium, cJSON, digger-cli, glow, go1.24, go1.25, go1.25-openssl, grafana, libexslt0, libruby3_4-3_4, pgadmin4, python311-python-socketio, and squid), and Ubuntu (dpdk, libhtp, v … ⌘ Read more

Security updates for Thursday
Security updates have been issued by AlmaLinux (perl-JSON-XS), Debian (chromium and openssl), Fedora (bird, dnsdist, firefox, mapserver, ntpd-rs, python-nh3, rust-ammonia, skopeo, sqlite, thunderbird, and xen), Oracle (perl-JSON-XS), Red Hat (kernel, kernel-rt, and libvpx), SUSE (afterburn, cairo, docker-stable, firefox, nginx, python-Django, snpguest, and warewulf4), and Ubuntu (libmspack, libxslt, linux, linux-aws, linux-aws-5.15, linux-gcp, linux-gcp-5.15, linux-gkeop, linu … ⌘ Read more

Security updates for Wednesday
Security updates have been issued by AlmaLinux (git, krb5, perl-CPAN, and rsync), Debian (tcpdf), Fedora (libmodsecurity, lua-http, microcode_ctl, and nextcloud), Red Hat (osbuild-composer), SUSE (389-ds, avahi, ca-certificates-mozilla, docker, expat, freetype2, glib2, gnuplot, gnutls, golang-github-teddysun-v2ray-plugin, golang-github-v2fly-v2ray-core, govulncheck-vulndb, helm, iperf, kernel, kernel-livepatch-MICRO-6-0_Update_2, kernel-livepatch-MICRO-6-0_Update_4, krb5, libarc … ⌘ Read more

Security updates for Friday
Security updates have been issued by AlmaLinux (.NET 8.0, .NET 9.0, firefox, ghostscript, gstreamer1-plugins-bad-free, libsoup3, mingw-freetype, perl, ruby, sqlite, thunderbird, unbound, valkey, and xz), Debian (chromium, firefox-esr, libavif, linux-6.1, modsecurity-apache, mydumper, systemd, and thunderbird), Fedora (coreutils, dnsdist, docker-buildx, maturin, mingw-python-flask, mingw-python-flit-core, ruff, rust-hashlink, rust-rusqlite, and thunderbird), Red Hat (pcs), SUSE (augeas, … ⌘ Read more

@lyse@lyse.isobeef.org that’s alright haha! i don’t expect anyone to listen/watch in full or with full attention bc it’s so long lmao

the thing with PHP for me is that i… feel like it hits a kind of simplicity that i can understand? it’s so plain but can be very powerful. i quite like that. as much as i can learn something infinitely more powerful, PHP hits a comfortable thing where i can handle things like backend sqlite DBs AND how a page is rendered, without requiring a complex frontend with its own quirks (like ruby on rails, which as much as i know and love it, can be heavy).

but i totally get you! PHP security is very scary. i’m always worried that i’m messing something up. it’s why the PHP application i’m working on i have dockerized by default for a small but extra layer of protection

i’ll try to not get discouraged tysm for your advice

Golang 業務邏輯 WASM 化實踐指南
爲什麼選擇 WASM 邊緣計算？在物聯網和 5G 加速普及的當下，邊緣計算對低延遲和離線能力的需求暴增。傳統容器方案（如 Docker）在邊緣設備上面臨三大痛點：資源消耗大：x86 容器鏡像通常超過 100MB，ARM 設備運行效率低下 冷啓動慢：Node.js/Python 等解釋型語言啓動時間超過 500ms 安全風險：系統級隔離存在逃逸風險 WebAssembly（WASM ⌘ Read more

Golang 業務邏輯 WASM 化實踐指南
爲什麼選擇 WASM 邊緣計算？在物聯網和 5G 加速普及的當下，邊緣計算對低延遲和離線能力的需求暴增。傳統容器方案（如 Docker）在邊緣設備上面臨三大痛點：資源消耗大：x86 容器鏡像通常超過 100MB，ARM 設備運行效率低下 冷啓動慢：Node.js/Python 等解釋型語言啓動時間超過 500ms 安全風險：系統級隔離存在逃逸風險 WebAssembly（WASM ⌘ Read more

ALPHA-One Leverages RISC-V StarPro64 for Compact Local LLM Deployment
PINE64 has shared early details of the ALPHA-One, a compact generative AI agent powered by the RISC-V-based StarPro64 SBC. Priced at $329.99, the device is aimed at developers and testers, and comes preloaded with a 7 billion parameter LLM running in a Docker container. The ALPHA-One is built on the StarPro64 SBC, which features the […] ⌘ Read more

@bender@twtxt.net kinda sorta, it’s in a docker container so not a VM but like VM-ish?

Security updates for Friday
Security updates have been issued by Debian (chromium, nodejs, openjdk-17, and thunderbird), Fedora (firefox, golang-github-nvidia-container-toolkit, and thunderbird), Mageia (kernel), Oracle (ghostscript, glibc, kernel, libxslt, php:8.1, and thunderbird), SUSE (cmctl, firefox-esr, govulncheck-vulndb, java-21-openjdk, libxml2, poppler, python-h11, and redis), and Ubuntu (docker.io, ghostscript, linux-xilinx-zynqmp, and micropython). ⌘ Read more

I decided to use Imagor to optimise and transform the images into a stream. I am very happy with the results!
It is written in Go and is easy to run in Docker.
https://github.com/cshum/imagor
#selfhost

@kat@yarn.girlonthemoon.xyz At the core, you need an ngircd.conf like this:

[Global]
    Name = your.irc.server.com
    Password = yourfancypassword
    Listen = 0.0.0.0
    Ports = 6667

    AdminInfo1 = Well, me.
    AdminInfo2 = Over here!
    AdminEMail = forget.it@example.invalid

[Options]
    Ident = no
    PAM = no

[SSL]
    CertFile = /etc/ssl/acme/your.irc.server.com.fullchain.pem
    KeyFile = /etc/ssl/acme/private/your.irc.server.com.key
    DHFile = /etc/ngircd/dhparam.pem
    Ports = 6669

Start it and then you can connect on port 6667. (The SSL cert/key must be managed by an external tool, probably something like certbot or acme-client.)

I’m assuming OpenBSD here. Haven’t tried it on Linux lately, let alone Docker. 😅

i am writing a quick little guide on deploying soju/gamja all in docker. because i am bored

@prologic@twtxt.net oooh this looks interesting!!! maybe i could play around with it in docker and see how to integrate it with caddy layer4 for TLS + my existing web client and bouncer!!

hey everyone i’ve spent my whole day trying to set up soju + gamja in docker and now i am down a rabbit hole of building caddy with layer4 support and trying to get TLS for my IRC server and NOTHING IS WORKING

Security updates for Friday
Security updates have been issued by Debian (graphicsmagick and libapache2-mod-auth-openidc), Fedora (giflib, mod_auth_openidc, mysql8.0, perl, perl-Devel-Cover, perl-PAR-Packer, perl-String-Compare-ConstantTime, rust-openssl, rust-openssl-sys, trunk, and workrave), Mageia (chromium-browser-stable and rust), Oracle (java-1.8.0-openjdk, java-17-openjdk, java-21-openjdk, kernel, libreoffice, and webkit2gtk3), Red Hat (gvisor-tap-vsock), SUSE (containerd, docker, docker-stable, forge … ⌘ Read more

@bender@twtxt.net awww thank you :‘))) you all are too nice!!! i really wanted to share how i did this because i think i’m the first person to publicly attempt a production instance of dreamwidth code in docker, so i’m glad i did a good job at documenting it!!!!!!!

7k words of docs on deploying a livejournal folk. you absolutely want to read 7 thousand words of me forcing dreamwidth into production shape in docker https://stash.4-walls.net/selfhostdw/

We invent docker, we invent kubernetes, we invent portainer, why we still not invent solution to migrate data volumes between hosts? :(

Add support for skipping backup if data is unchagned · 0cf9514e9e - backup-docker-volumes - Mills 👈 I just discovered today, when running backups, that this commit is why my backups stopped working for the last 4 months. It wasn’t that I was forgetting to do them every month, I broke the fucking tool 🤣 Fuck 🤦‍♂️

Security updates for Thursday
Security updates have been issued by AlmaLinux (tomcat and webkit2gtk3), Debian (chromium), Fedora (ghostscript), Mageia (atop, docker-containerd, and xz), Red Hat (go-toolset:rhel8), SUSE (apache2-mod_auth_openidc, apparmor, etcd, expat, firefox, kernel, libmozjs-128-0, and libpoppler-cpp2), and Ubuntu (dino-im, linux, linux-aws, linux-aws-hwe, linux-azure, linux-azure-4.15, linux-gcp,
linux-gcp-4.15, linux-hwe, linux-kvm, linux-oracle, linux, linux-aws, linux-kvm, linux-l … ⌘ Read more

@prologic@twtxt.net been there done that with several of my docker volumes to the point of me just not doing docker volumes anymore and manually mounting folders now LMAO

So I re-write this shell alias that I used all the time alias dkv="docker rm" to be a much safer shell function:

dkv() {
  if [[ "$1" == "rm" && -n "$2" ]]; then
    read -r -p "Are you sure you want to delete volume '$2'? [Y/n] " confirm
    confirm=${confirm:-Y}
    if [[ "$confirm" =~ ^[Yy]$ ]]; then
      # Disable history
      set +o history

      # Delete the volume
      docker volume rm "$2"

      # Re-enable history
      set -o history
    else
      echo "Aborted."
    fi
  else
    docker volume "$@"
  fi
}

Security updates for Wednesday
Security updates have been issued by Debian (firefox-esr, jetty9, openjpeg2, and tomcat9), Fedora (dokuwiki, firefox, php-kissifrot-php-ixr, php-phpseclib3, and rust-zincati), Red Hat (kernel and pki-core), Slackware (mozilla), SUSE (apparmor, atop, docker, docker-stable, firefox, govulncheck-vulndb, libmodsecurity3, openvpn, upx, and warewulf4), and Ubuntu (inspircd, linux, linux-aws, linux-gcp, linux-gke, linux-gkeop, linux-ibm,
linux-lowlatency, linux-lowlatency-hwe-6.8, linu … ⌘ Read more

Security updates for Monday
Security updates have been issued by Debian (amd64-microcode, flatpak, intel-microcode, libdata-entropy-perl, librabbitmq, and vim), Fedora (augeas, containerd, crosswords-puzzle-sets-xword-dl, libssh2, libxml2, nodejs-nodemon, and webkitgtk), Red Hat (libreoffice and python-jinja2), SUSE (389-ds, apparmor, corosync, docker, docker-stable, erlang26, exim, ffmpeg-4, govulncheck-vulndb, istioctl, matrix-synapse, mercurial, openvpn, python3, rke2, and skopeo), and Ubuntu (ansible, linux, l … ⌘ Read more

Interesting.. so running into an issue where queries only return a partal set of rows if i run in a docker image built from scratch. i have to add the debian root image for it to work. I wonder what file is missing that the root has?

Security updates for Thursday
Security updates have been issued by Arch Linux (exim), Debian (exim4, ghostscript, and libcap2), Red Hat (container-tools:rhel8), SUSE (apache-commons-vfs2, argocd-cli, azure-cli-core, buildah, chromedriver, docker-stable, ed25519-java, kernel, kubernetes1.29-apiserver, kubernetes1.30-apiserver, kubernetes1.32-apiserver, libmbedcrypto7, microcode_ctl, php7, podman, proftpd, tomcat10, and webkit2gtk3), and Ubuntu (containerd, exim4, mariadb, opensaml, and org-mode). ⌘ Read more

Security updates for Tuesday
Security updates have been issued by Debian (ruby-rack), Fedora (chromium, golang-github-openprinting-ipp-usb, OpenIPMI, and python-jinja2), Mageia (kernel, kernel-linus, and wpa_supplicant, hostapd), Red Hat (fence-agents, kernel, kernel-rt, libxml2, libxslt, and pcs), SUSE (cadvisor, docker, freetype2, nodejs-electron, php8, rsync, u-boot, warewulf4, webkit2gtk3, and zvbi), and Ubuntu (elfutils, python3.5, python3.8, ruby-rack, smartdns, and zvbi). ⌘ Read more

New article: “E2E Testing with TestCafe on Docker.”
I’ll show you how to get started with TestCafe, a framework for performing E2E tests.
https://programadorwebvalencia.com/pruebas-e2e-con-testcafe-sobre-docker/
#docker #testcafe #e2e #testing #javascript #webdev

I’m sharing a short tutorial, in Spanish, for self-hosting #twtxt with Docker:
https://programadorwebvalencia.com/twtxt-desplegar-tu-feed-con-docker/

Testing the limits of our new 5G internet connection at home with pushing 1.5GB docker images into the cloud a bunch of times day…

I’m not a huge fan of docker. Sorry for the poor screen grab quality, but this is the funniest analogy for “no docker” vs “docker” I’ve come across: https://lyse.isobeef.org/tmp/no-docker-vs-docker-analogy.png :-D

Starting a couple of new projects (geez where do I find the time?!):

HomeTunnel:

HomeTunnel is a self-hosted solution that combines secure tunneling, proxying, and automation to create your own private cloud. Utilizing Wireguard for VPN, Caddy for reverse proxying, and Traefik for service routing, HomeTunnel allows you to securely expose your home network services (such as Gitea, Poste.io, etc.) to the Internet. With seamless automation and on-demand TLS, HomeTunnel gives you the power to manage your own cloud-like environment with the control and privacy of self-hosting.

CraneOps:

craneops is an open-source operator framework, written in Go, that allows self-hosters to automate the deployment and management of infrastructure and applications. Inspired by Kubernetes operators, CraneOps uses declarative YAML Custom Resource Definitions (CRDs) to manage Docker Swarm deployments on Proxmox VE clusters.

@prologic@twtxt.net Good to know. I must admit I’ve never actually used a Docker instance, probably as I just assumed the overhead might be a bit much for my usual very modest servers.

@bender@twtxt.net Is it so maxed out you couldn’t fit a pretty small program like Headscale on it? Headscale by itself and only personal home type use as far as amount of peers go, it really isn’t noticeable I don’t think resource-wise. The Docker version I guess could be a different story.

@xuu@txt.sour.is I have a theory as to why your pod was misbehaving too. I think because of the way you were building it docker build without any --build-arg VERSION= or --build-arg COMMIT= there was no version information in the built binary and bundled assets. Therefore cache busting would not work as expected. When introducing htmx and hyperscript to create a UI/UX SPA-like experience, this is when things fell apart a bit for you. I think….

萬字長文：Go 語言現代命令行框架 Cobra 詳解
Cobra 是一個 Go 語言開發的命令行（CLI）框架，它提供了簡潔、靈活且強大的方式來創建命令行程序。它包含一個用於創建命令行程序的庫（Cobra 庫），以及一個用於快速生成基於 Cobra 庫的命令行程序工具（Cobra 命令）。Cobra 是由 Go 團隊成員 spf13 爲 Hugo 項目創建的，並已被許多流行的 Go 項目所採用，如 Kubernetes、Helm、Docker (di ⌘ Read more

不可思議的快！加速 Docker 中構建 Golang 應用
這些天我在工作中正在進行一個 GoLang 項目。這與我們通常使用的 Java 和 Spring Boot 應用程序有很大不同, 感覺很不錯:)。和我們所有的其他組件一樣, 這個 GoLang 項目也需要被封裝在一個容器中, 才能在 Kubernetes 集羣中執行。所以我編寫了一個 Dockerfile:構建階段FROM golang:1.22.1-alpine AS buildWORKDIR ⌘ Read more

@mckinley@twtxt.net for me:

• a wall mount 6U rack which has:
  
  • 1U patch panel
    
  • 1U switch
    
  • 2U UPS
    
  • 1U server, intel atom 4G ram, debian (used to be main. now just has prometheus)
    
• a mini ryzon 16 core 64G ram, fedora (new main)
  
  • multiple docker services hosted.
    
• synology nas with 4 2TB drives
  
• turris omnia WRT router -> fiber uplink
  

network is a mix of wireguard, zerotier.

• wireguard to my external vms hosted in various global regions.
  
  • this allows me ingress since my ISP has me behind CG-NAT
    
• zerotier is more for devices for transparent vpn into my network
  

i use ssh and remote desktop to get in and about. typically via zerotier vpn. I have one of my VMs with ssh on a backup port for break glass to get back into the network if needed.

everything has ipv6 though my ISP does not provide it. I have to tunnel it in from my VMs.

QOTD: What do you host on your home server? How do you host it? Are you using containers? VMs? Did you install any management interface or do you just SSH in? What OS does it run?

Mine runs Arch (btw) and hosts a handful of things using Docker. Adguard Home, http://mckinley2nxomherwpsff5w37zrl6fqetvlfayk2qjnenifxmw5i4wyd.onion/, and some other things. NFS, Flexo, and Wireguard (peer and bounce server in my personal network) are outside Docker. I have a hotkey in my window manager that spawns a terminal on my server using SSH. It makes things very easy and I highly recommend it.

I am thinking about replacing Docker with Podman because the Common Wisdom seems to say it’s better. I don’t really know if it is or isn’t.

Also, how much of your personal infrastructure is on IPv6? I think all the software I use supports both, but I’ve mostly been using IPv4 because it’s easier to remember the addresses. I’ve been working for the last couple days on making it IPv6-only.

i am wondering if maybe i need a better heap like a btree backed one instead of just list sort on Dequeue.

I found a bug where i didnt include an open/closed list that seemed to shave off a little. right now it runs in about 70 seconds on my machine.. it takes over the 300s limit when it runs on the testrunner on the same box.. docker must be restricting resources for it.

I might come back to it after i work through improving my code for day 23. Its similar but looking for the longest path instead of shortest.

將 go 代碼打包成 docker 鏡像
概述–在本教程中，你將生成一個容器映像。該映像包括運行應用程序所需的一切：編譯的應用程序二進制文件、運行時、庫以及應用程序所需的所有其他資源。前置條件—-若要完成本教程，需要滿足以下條件：golang 1.19+ 本地安裝了 docker Git 客戶端 程序–該應用程序提供兩個 HTTP endpoint：/ 返回符號 < 3 /health 返回 {“Statu ⌘ Read more

Go 項目的簡單部署
概述–在上一篇筆記記錄了 Gin 實現簡單的註冊登錄和狀態管理。這一篇筆記來分享一下如何將上面的項目打包鏡像和部署，筆記分成三部分，分別是 Web 後端項目 Docker 鏡像的構建、使用 Docker 運行、使用 Docker Compose 和 k8s 部署容器。使用 Ingress 路由規則和 Web 前端的部署運行在下一篇筆記中記錄。構建 Docker 鏡像————概述構 ⌘ Read more

Run MacOS VM’s in Docker on Windows & Linux with Docker-OSX
If you use Docker and virtual machines often, you may be happy to know that you can run MacOS VM’s in Docker, at near native performance atop Windows or Linux, thanks to an open source project called Docker-OSX. Yes, that means you can run MacOS on a PC, whether that PC is running Windows or … Read More ⌘ Read more

Native MacOS Docker Containers are Now Possible
Have you ever wished you could run native macOS Docker containers on macOS? Well, now you can, thanks to a great free project called macOS Containers. If you’re in the developer world at nearly any level, you likely have experience with Docker containers, which are wildly popular because of their utility. Offering a lightweight and … Read More ⌘ Read more

Native MacOS Docker Containers are Now Possible
Have you ever wished you could run native macOS Docker containers on macOS? Well, now you can, thanks to a great free project called macOS Containers. If you’re in the developer world at nearly any level, you likely have experience with Docker containers, which are wildly popular because of their utility. Offering a lightweight and … Read More ⌘ Read more

fractalnetworksco/selfhosted-gateway: Route HTTPS traffic to local Docker containers through a cloud VPS over WireGuard. Ideal for self-hosting behind CGNAT.

Glad I got my test server that I can play around with. Been messing with docker today, and got nextcloud all set up the way I want, so now I can do the same on my VPS. Getting the hang of this now.

I have a fanless pc, with intel I7 (if I remember correct). Today Ill get it installed with latest alma linux, set up the things I want with docker (I usually do not use docker I just do not like it), but I see how useful it can be, so Im going to force my self to use it. Then when all services are running Ill use wireguard to hook it up to my VPS. I think this will be a great setup.

GoCN 每日新闻 (2021-12-31)

1. 快速了解 “小字端” 和 “大字端” 及 Go 语言中的使用https://developer.51cto.com/art/202112/697505.htm
   
2. Golang 与非对称加密https://www.ssgeek.com/post/golang-yu-fei-dui-cheng-jia-mi
   
3. 一文搞懂 Docker、Containerd、RunC 间的联系和区别https://mp.weixin.qq.com/s/kVh_EXGeMy_UI6qIgbmsGQ
   
4. Golang 项目的配置管理——Viper 简易入门配置[https://www.cnblogs.com/Mrxuexi/p/15750455.html](https://www.cnblogs.com … ⌘ Read more

Secure Docker Compose stacks with CrowdSec - The open-source & collaborative IPS
Testing this at the moment, quite happy with the results for one of my VPS running Funkwhale that came from a mix of Wordpress / Ampache, wordpress was being heavily probed for vulnerabilities, login attemps etc .. ⌘ Read more

GoCN 每日新闻 (2021-12-09)

1. Hugo v0.90.0 发布https://github.com/gohugoio/hugo/releases/tag/v0.90.0
   
2. Docker 容器中使用 GPUhttps://segmentfault.com/a/1190000041090167
   
3. 我好像发现了一个 Go 的 Bug？ https://www.cnblogs.com/zhuochongdashi/p/15660936.html
   
4. Go modules 基础精进，六大核心概念全解析� … ⌘ Read more

Safeguard your containers with new container signing capability in GitHub Actions
GitHub has partnered with the OpenSSF and Project Sigstore to add container image signing to our default “Publish Docker Container” workflow. ⌘ Read more

The Nice Way To Use Docker With VSCode | by Yash Prakash | ⌘ Read more…

@prologic@twtxt.net I am trying to cut costs, so I deleted all my Digital Ocean droplets. For a month I will be using a free s390x VPS, so I needed to adapt some of my Docker images, scripts and configurations for that architecture. Also took another chance with Traefik Proxy, I ditched it long ago for nginx-proxy, but this time I made it work. #h5nn5tq

@prologic@twtxt.net I am trying to cut costs, so I deleted all my Digital Ocean droplets. For a month I will be using a free s390x VPS, so I needed to adapt some of my Docker images, scripts and configurations for that architecture. Also took another chance with Traefik Proxy, I ditched it long ago for nginx-proxy, but this time I made it work. #h5nn5tq

Something in my main server, running Ubuntu 16.0.4 at Digital Ocean, broke the network for Docker. After a few hours of futzing around, editing configuration files and doing tests, bit the bullet and spun out a fresh Ubuntu-based Docker-ready droplet from the app Marketplace.

Something in my main server, running Ubuntu 16.0.4 at Digital Ocean, broke the network for Docker. After a few hours of futzing around, editing configuration files and doing tests, bit the bullet and spun out a fresh Ubuntu-based Docker-ready droplet from the app Marketplace.

ctop - Top-like Interface for Monitoring Docker Containers ⌘ https://www.tecmint.com/ctop-monitor-docker-containers/

Building docker image with name and tag …

Basic Docker Setup for HTTP Server (using docker-compose) ⌘ Read more…

Docker Considered Harmful http://catern.com/posts/docker.html