
#lxc


Apple just made #WSL a legacy technology.

news.itsfoss.com/macos-meets-l

Happy to recommend #macOS for container development. If performance and memory consumption against #Linux is negligible, then it will be my top recommendation for sure.

It's FOSS News · macOS Meets Linux with Open Source Containerization: Apple’s new open source Containerization project brings native Linux container support to macOS.

I think the next thing I plan to tackle is #HomeAssistant - most of my smart devices are now communicating on WiFi, and controlled using multiple proprietary apps.

I plan to deploy HA using #Docker (so it's portable and easy to contain) - either on a #RaspberryPi, or on my #Proxmox #homelab server (perhaps on an #LXC container, assuming that's possible).

I also plan to replace some of these smart (WiFi) devices with #Zigbee devices - I'm a commmmmpleeeeete noob when it comes to #SmartHome stuffs, but I think that's the recommended way of doing things...? There's a lot of talk about #Matter too from my search, no idea really what this jargon means.

Anyway, I just wanna grasp the concept first - assuming I deploy HA as planned i.e. on Pi 4 or LXC container (or VM), what is it that I need to purchase to make it work (i.e. be able to add these Zigbee or Matter-compatible home devices/appliances)? cos I assume the platform I'm hosting HA on would need some sort of hardware to be compatible with any of them that aren't communicating merely through WiFi/LAN?


what’s funny is that after using docker for a while, i hate it.

it’s a huge resource hog on any computer/server i’ve set it up on. but what irks me is that it was created by MS-dependent techbros to mimic linux containers.

so when the fuckers said, "oops! docker is now kinda sorta proprietary", i just said dahellwidat.

so taught myself to use LXD/LXC. as with everything #linux, THE UI/UX SUX cuz there’s none, but it’s FLOSS and it works.

so: YAY #LXC! boooooooooooo #docker!

Bruh, I might've wasted my time learning how to pass through a GPU to an #LXC container on #Proxmox (as well as mount a SMB/CIFS share) and write up a guide (haven't been able to test yet, cept with the latter) - all by doing some seemingly magic #Linux fu with some user/group mappings and custom configs, if it turns out that you could actually achieve the same result just as easily graphically using a standard wizard on PVE.

It's 4am, I'll prolly try to find time later during the day, or rather evening (open house to attend at noon), and try using the wizard to 1) Add a device passthrough on an LXC container for my #AMD iGPU (until my #Intel #ArcA380 GPU arrives) and see if the root user + service user on the container could access it/use it for transcoding on #Jellyfin/#ErsatzTV, and 2) Add a SMB/CIFS storage on the Proxmox Datacenter, tho my #NAS is also just a Proxmox VM in the same cluster (not sure if this is a bad idea?) and see if I could mount that storage to the LXC container that way.

#Homelab folks who have done this, feel free to give some tips or wtv if you've done this before!

After taking the nickel tour of #Qubes, my hasty conclusion is that it is anti-#KISS; there are seemingly many moving parts under the surface, and many scripts to grok to comprehend what is going on.

I plan to give it some more time, if only to unwrap how it launches programs in a VM and shares them with dom0's X server and audio and all that; perhaps it's easier than I think.

I also think #Xen is a bit overkill, as the claim is that it has a smaller kernel and therefore smaller attack surface than the seemingly superior alternative, #KVM. Doing some rudimentary searching out of identified / known VM escapes, there seem to be many more that impact Xen than KVM, in the first place.

Sure, the #Linux kernel may be considerably larger than the Xen kernel, but it does not need to be (a lot can be trimmed from the Linux kernel if you want a more secure hypervisor), and the Linux kernel is arguably more heavily audited than the Xen kernel.

My primary concern is compartmentalization of 'the web', which is the single greatest threat to my system's security, and while #firejail is a great solution, I have run into issues keeping my qutebrowser.local and firefox.local files tuned to work well, and it's not the simplest of solutions.

Qubes offers great solutions to the compartmentalization of data and so on, and for that, I really like it, but I think it's overkill, even for people that desire and benefit from its potential security model, given what the threats are against modern workstations, regardless of threat actor -- most people (I HOPE) don't have numerous vulnerable services listening on random ports waiting to be compromised by a remote threat.

So I am working to refine my own security model, with the lessons I'm learning from Qubes.

Up to this point, my way of using a system is a bit different than most. I have 2 non-root users, neither has sudo access, so I do the criminal thing and use root directly in a virtual terminal.

One user is my admin user that has ssh keys to various other systems, and on those systems, that user has sudo access. My normal user has access to some hosts, but not all, and has no elevated privileges at all.

Both users occasionally need to use the web. When I first learned about javascript, years and years ago, it was a very benevolent tool. It could alter the web page a bit, and make popups and other "useful" things.

At some point, #javascript became a beast, a monster, something that was capable of scooping up your password database and your ssh keys, and probing your local networks with port scans.

In the name of convenience.

As a result, we have to take browser security more seriously, if we want to avoid compromise.

The path I'm exploring at the moment is to run a VM or two as a normal user, using KVM, and then use SSH X forwarding to run firefox from the VM, which I can more easily firewall, and which ensures that if someone escapes my browser or abuses JS in a new and unique way, no credentials are accessible, unless they are also capable of breaking out of the VM.

What else might I want to consider? I 'like' the concept of dom0 having zero network access, but I don't really see the threat actor that that is stopping. Sure, if someone breaks out of my VM, they can then call out to the internet, get a reverse shell, download some payloads or build tools, etc.

But if someone breaks out of a Qubes VM, they can basically do the same thing, right? Because they theoretically 'own' the hypervisor, and can restore network access to dom0 trivially, or otherwise get data onto it. Or am I mistaken?

Also, what would the #LXC / #LXD approach look like for something like this? What's its security record like, and would it provide an equivalent challenge to someone breaking out of a web browser (or other program I might use but am not thinking of at the moment)?


@kde@floss.social @kde@lemmy.kde.social

Can you tell us what happens on the "sandbox all the things" goal?

I think this is a pretty crucial step forward, even though #sandbox technologies (most often through user namespaces) are more problematic than I initially thought.

(Basically, user #namespaces open up #privesc dangers to the monolithic #kernel, which is incredible. #Android and #ChromeOS use #LXC, mounts and #SELinux for #sandboxing)
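A host check for the user-namespace concern raised in this reply, added here as an example and not taken from the thread: it classifies a Linux host's unprivileged user-namespace posture from three sysctl values. The sysctl names are real kernel/distribution knobs, but which of them exist is distribution-specific (the Debian and Ubuntu ones are assumed), so a missing knob is treated as "not present" rather than as a value.

```shell
#!/bin/sh
# Added example (not from any post above). Classifies how freely an
# unprivileged user may create user namespaces, from three sysctls:
#   user.max_user_namespaces                     (mainline; 0 = no user ns at all)
#   kernel.unprivileged_userns_clone             (Debian patch; 0 = root only)
#   kernel.apparmor_restrict_unprivileged_userns (Ubuntu; 1 = AppArmor-gated)
# Which knobs exist depends on the kernel build: an absent one is passed as "".

# classify_userns MAX_USER_NS UNPRIV_CLONE APPARMOR_RESTRICT
# Prints one of: disabled, restricted, unrestricted
classify_userns() {
    max_ns=$1; unpriv_clone=$2; aa_restrict=$3
    if [ "${max_ns:-1}" -eq 0 ]; then
        echo disabled; return 0
    fi
    if [ -n "$unpriv_clone" ] && [ "$unpriv_clone" -eq 0 ]; then
        echo disabled; return 0
    fi
    if [ -n "$aa_restrict" ] && [ "$aa_restrict" -eq 1 ]; then
        echo restricted; return 0
    fi
    echo unrestricted
}

# read_sysctl NAME -> prints the value, or nothing when the knob is absent.
# Always returns 0 so a missing knob never aborts a `set -e` caller.
read_sysctl() {
    path=/proc/sys/$(printf '%s' "$1" | tr . /)
    if [ -r "$path" ]; then cat "$path"; fi
}

# audit_host -> classification for the machine the script runs on
audit_host() {
    classify_userns "$(read_sysctl user.max_user_namespaces)" \
                    "$(read_sysctl kernel.unprivileged_userns_clone)" \
                    "$(read_sysctl kernel.apparmor_restrict_unprivileged_userns)"
}

audit_host
```

"unrestricted" is the posture in which a sandbox built on user namespaces exposes the namespace-creation code paths of the kernel to every unprivileged process, which is the trade-off the reply is pointing at.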

NAH. am good
bleepingcomputer.com/news/soft

it's because of #VMWare that i finally learned to set up and use #LXD #LXC. you made me learn about #Linux containers, you can go pound sand now.

Broadcom bought a business built on digital sharecropping of "freeware" and then went out of their way to tell the users who made that product viable, fuck you got mine.

nah, Broadcom can go fuck themselves with their new and improved baitware.