bigdickdonkey

joined 2 months ago
[–] bigdickdonkey@lemmy.ca 2 points 6 days ago* (last edited 6 days ago) (1 children)

Yeah the remote ip is always local. This comes from a podman configuration, not a caddy one. Setting the podman network mode to pasta or slirp4netns will show the proper remote ips

 

I have rootless podman containers all connected a network with caddy that proxies them by their hostname. It seems that the default networking mode doesn't preserve the source ip and instead shows all traffic coming internally from 10.89.1.98. Preserving that ip requires pasta/slirp4netns which is incompatible with adding the container to a network. I've found a few solutions but I'm having trouble deciding what is the right way to move forward.

Using the host network or running caddy with host loopback abilites

Would require exposing all the ports on all my containers which means I would lost the ability to access containers by the DNS inside the podman network. I have a lot of containers and manually managing ports is not something I want to do again.

socket activation + libsdsock with caddy

Socket forwarding done using systemd. I've tested it and it works but it requires systemd on the container, and caddy is built on alpine which uses a different boot system. There are ways to get the systemd libs on alpine but it would be quite hacky.

socket activation + libsdsock with another os

Caddy provides ways to build with extensions on debian but it seems tricky to do in a Containerfile because systemd init issues.

Has anyone experienced this issue before? What direction did you take?

[–] bigdickdonkey@lemmy.ca 2 points 1 week ago (1 children)

I’m using this right now but I’m switching to having all my services under one domain and blocking non internal ips. Technically someone can access your site by providing the host manually, althought it’s unlikely since they would need to know it

[–] bigdickdonkey@lemmy.ca 12 points 1 week ago

I use ddclient but in a docker container. Works great with minimal config

[–] bigdickdonkey@lemmy.ca 3 points 2 weeks ago

This was the fix! Thank you so much

[–] bigdickdonkey@lemmy.ca 1 points 2 weeks ago

It seems like those posts are about freezing or crashes. This is more of a degradation I would say.

[–] bigdickdonkey@lemmy.ca 1 points 2 weeks ago (3 children)

I've got 565.77 so I think it can't be that

 

I play a few native games and ones using proton. After playing for about 30 minutes in any of them suddenly my frame times skyrocket from 6ms to ~60ms. Restarting the game always fixes this. Any ideas what to look for? nvtop seems to show normal usage and I don't see anything abnormal in journald.

Some info about my setup: Arch/endeavourOS, KDE wayland, nvidia 3060ti with proprietary drivers, 3 monitors (1440 165hz, 1080 165hz, 1080 75hz). Games I play are CS2, Marvel Rivals, Overwatch 2, Lethal Company.

[–] bigdickdonkey@lemmy.ca 3 points 4 weeks ago

I just bind mount volumes I want to keep and use duplicati to backup the contents of my containers folder. Another idea if you are committed to docker volumes, is to also mount them to your backup solution.

[–] bigdickdonkey@lemmy.ca 3 points 1 month ago (2 children)

Interesting my ip shows up with a plex logo and a port that I've never opened. I have never used any plex services

 

I noticed nothing I have setup shows up in shodan by ip or domain. I'm not complaining, I'd rather not have it show up but I'm curious why. Could it be because of hosting behind a reverse proxy?

[–] bigdickdonkey@lemmy.ca 4 points 1 month ago

keep up the good work boys

[–] bigdickdonkey@lemmy.ca 2 points 1 month ago

Thanks for sharing this! It also took me a while to understand the difference between the Expose dockerfile command and the --publish cli command

[–] bigdickdonkey@lemmy.ca 1 points 1 month ago

Do you run anything like fail2ban with that compatibility?

[–] bigdickdonkey@lemmy.ca 1 points 1 month ago* (last edited 1 month ago) (1 children)

Can you expand on why you chose uCore? I was considering CoreOS until just now ~~and the idea of setting up ignition config serving seems overkill for running only one server at home.~~ ignition is still required the same way as CoreOS

 

I’m moving to a new machine soon and want to re-evaluate some security practices while I’m doing it. My current server is debian with all apps containerized in docker with root. I’d like to harden some stuff, especially vaultwarden but I’m concerned about transitioning to podman while using complex docker setups like nextcloud-aio. Do you have experience hardening your containers by switching? Is it worth it? How long is a piece of string?

 

Nothing on the vinnie site. IIRC it has one or two sister sites?

view more: next ›