jacob

joined 1 year ago
[–] jacob@lemmy.dork.lol 3 points 1 year ago* (last edited 1 year ago) (2 children)

This is a consequence of user namespaces, which tripped me up until I read this article from Red Hat about running rootless containers as a non-root user. At that point I got that (the default options) map UID 0 in the container to my UID (i.e. 1000), but the other mappings were confusing.

The short version of the useful part (for me) of that article was podman unshare (man podman-unshare), which launches a shell in a user namespace, like when you start a container. You can run the following command to see how the UIDs are mapped inside of the namespace:

$ podman unshare cat /proc/self/uid_map
         0       1000          1
         1     100000      65536

This is read (for this purpose, see man user_namespaces for a more detailed explanation of this) as "inside this namespace, the UIDs in column 1 map to the UID in column 2 on the caller process, for (column 3) IDs". There is also gid_map which works the same way, but for groups.

The snippet above is from my machine, so in a podman container, UID 0 maps to UID 1000 on the "host", which is me, and this is "good" for only 1 user. Then, starting with UID 1, the container maps to UID 100000 in the container, and is good for 65536 UIDs. This is why when you set the PUID and GUID environment variables, on your filesystem you see the files are owned by 100999:100999 - you can use the mapping to figure the math out: 100000+1000-1=100999.

Since podman unshare puts you in a shell that has the same (? terminology might not be totally right here) user namesapce as your containers, you can use it for lots of stuff -- like in your comment you mentioned using chown to change the permissions to 100999:100999. Instead, you could have used podman unshare chown 1000:1000 which have correctly set the permissions for your volume mount, and on your filesystem outside the container, the permissions would be 100999:100999.

[–] jacob@lemmy.dork.lol 4 points 1 year ago

Maybe take a look into Cloudflare Tunnels, which sounds like will do what you want (maybe not VPN though).

The short version is you run a daemon on your local network that Cloudflare talks to. So, outside requests only see Cloudflare, and communication from your network only goes to Cloudflare. Your IP is not exposed to consumers. This is free! Though you are not supposed to send video/pictures though the tunnel and have them cache it without using one of their (paid) services, but it's simple to disable caching for a host. I do use their DNS, though I cannot recall if that's a requirement for Tunnels, though.

Keep in mind you should still set up some sort of firewall, as people can and do just scan the entire IPv4 address range looking for open ports.

[–] jacob@lemmy.dork.lol 2 points 1 year ago

I would probably not do what I do.

I have two machines that host everything I use, a Thinkpad x220 (i5-2540M, 8GB RAM) which lives on the floor near my router, and an RPI4 (4GB) which lives next to my router on the table. Which one does what usually is dictated by what machine I happen to SSH into. The RPI4 is attached to an 8TB Easystore I originally bought to shuck but didn't, and wears a NAS hat. Soon-ish I'll probably get some extra drives and set up a "proper" server which is less trepidatious.

I run almost everything I use in containers, and Podman is my container engine of choice. Originally it was because Fedora made me, but now I am a big Podman fan.

Logging and updates are not something I like to talk about because I handle both poorly, and normally just let her rip. I do updates weekly or so whenever I get around to it, but logs are a wasteland. I'd like to get a good monitoring system set up, but for me it feels like way more work than running the things I actually want and use, so I usually end up just letting them accumulate on the disk and grep them whenever I need to.