101010.pl is one of the many independent Mastodon servers you can use to participate in the fediverse.
101010.pl, the oldest Polish Mastodon server. Posts can be up to 2048 characters long.


#rootless

wiulinu
minix z100 + podman - #podman #podman_compose #docker #container #n100 #minix #z100 #rootless #fedoraserver #server #searxng
https://log.wiuwiu.org/minix-z100-podman

Luca Di Maio
Hi! In case you missed it, my #FOSDEM talk about creating a #rootless #container manager from scratch is available!

We'll talk about the basic principles to build your own container manager, using #lilipod as an example project:
https://fosdem.org/2025/schedule/event/fosdem-2025-5022-implementing-a-rootless-container-manager-from-scratch/

#opensource #linux #container #distrobox

𝘋𝘪𝘳𝘬
@jwildeboer @forgejo Can confirm using #Portainer and #Docker (also using the #rootless #container). No issue at all during or after #update.

Well, I have now deleted all the DNS entries with subdomains and left only two wildcards, one for what is exposed and one for what is internal.

For the exposed side I route it through npm (I don't like that it has no WAF or more security options), and for the internal side traefik, driven by the container labels.

Along the way I deleted all the Cloudflare tunnels.

Next step: create all the users and set up the containers by topic under isolated users.

I had created a new #podman #rootless storage directory under /var/lib/containers/user/<name>, and _until now_ this worked without issue. Which was sheer luck it seems.

Now tried to start a container that uses musl, and it failed hard with

Error relocating /lib/ld-musl-x86_64.so.1: RELRO protection failed: No error

Some googling pointed me to #selinux again... adding the right context to the directories helps :D


So

(block traefik
(blockinherit container)
(allow process user_tmp_t ( sock_file ( write )))
(allow process container_runtime_t ( unix_stream_socket ( connectto )))
(allow process http_port_t ( tcp_socket ( name_bind )))
(allow process node_t ( tcp_socket ( node_bind )))
(allow process self ( tcp_socket ( listen )))
)

allows both access to the socket, and access to port 80/443.
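An added example, not the poster's code and not part of podman or udica, that puts the CIL block above to work end to end: a POSIX shell script that writes the module, checks it is well formed, loads it with semodule and prints the matching podman run line. The module name traefik, the Traefik image and the host ports are assumptions; the socket path is the default for the systemd --user podman.socket unit. On the question in this thread of why sock_file write is needed: connect() on a Unix domain socket requires write access to the socket file, so the sock_file write rule goes hand in hand with unix_stream_socket connectto.

```shell
#!/bin/sh
# Added example: build, check and load an SELinux CIL module for a rootless
# Traefik container, then show the podman invocation that uses it.
# Assumptions: module name "traefik", Traefik image, host ports 80/443.
set -eu

MODULE_NAME="traefik"

# Emit the CIL module. The rules are the ones quoted in the thread; the
# comments (CIL uses ';') explain what each one unlocks.
gen_cil() {
    cat <<EOF
(block $MODULE_NAME
    (blockinherit container)
    ; rootless podman.sock lives under \$XDG_RUNTIME_DIR and is labelled
    ; user_tmp_t; connect() needs write on the socket file itself
    (allow process user_tmp_t ( sock_file ( write )))
    ; the peer on the other end of the socket is the podman service
    (allow process container_runtime_t ( unix_stream_socket ( connectto )))
    ; bind the web ports (80/443 carry the http_port_t label)
    (allow process http_port_t ( tcp_socket ( name_bind )))
    (allow process node_t ( tcp_socket ( node_bind )))
    (allow process self ( tcp_socket ( listen )))
)
EOF
}

# Cheap sanity check before handing the file to semodule: every "(" must
# have a matching ")". Returns 0 when balanced.
cil_balanced() {
    opens=$(printf '%s' "$1" | tr -cd '(' | wc -c | tr -d ' ')
    closes=$(printf '%s' "$1" | tr -cd ')' | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# The podman invocation for the labelled container. A udica-style block
# named X yields the domain X.process. The socket is mounted without :Z,
# because relabelling it would strip the user_tmp_t type the policy expects.
podman_cmd() {
    sock="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}/podman/podman.sock"
    printf 'podman run -d --name %s --security-opt label=type:%s.process -p 80:80 -p 443:443 -v %s:/var/run/docker.sock docker.io/library/traefik\n' \
        "$MODULE_NAME" "$MODULE_NAME" "$sock"
}

# Only load the module when explicitly asked ("apply"); generating and
# checking the module is safe to run anywhere.
if [ "${1:-}" = "apply" ]; then
    gen_cil > "$MODULE_NAME.cil"
    cil_balanced "$(cat "$MODULE_NAME.cil")"
    sudo semodule -i "$MODULE_NAME.cil"   # installs the CIL module
    podman_cmd
fi
```

Run it as `sh policy.sh apply` on the host. The name_bind rule covers only the SELinux side of ports 80 and 443; a rootless container still cannot bind them unless net.ipv4.ip_unprivileged_port_start is lowered (or the host maps higher ports instead), and the rootless socket must exist, which `systemctl --user enable --now podman.socket` takes care of.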


Also, allowing a #rootless #podman #container to access the rootless #podman.sock file was fairly easy.

The following #selinux policy seems to allow that:

(block podman-socket
(blockinherit container)
(allow process user_tmp_t ( sock_file ( write )))
(allow process container_runtime_t ( unix_stream_socket ( connectto )))
)

Still half wondering why it needs write?

A little tip if you’re running in a rootless container on an immutable OS (like Fedora Silverblue) and have a tool (say Helix Editor – command: hx) installed in your “user” account but want to do, e.g.,

sudo hx /etc/hostname

Which would result in:

sudo: hx: command not found

Instead do:

(Fish) > sudo (which hx) /etc/hostname
(Bash) > sudo `which hx` /etc/hostname

Enjoy! :)