![](/static/66c60d9f/assets/icons/icon-96x96.png)
![](https://lemmy.world/pictrs/image/ca9b0de3-205f-47ca-a620-5fbddb680695.png)
I just use termux + the simple http server built into python
I just use termux + the simple http server built into python
Yeah, I read that manual but it didn’t answer my question.
The big problem is that the arch wiki describes a setup with nested subvolumes first (in a subvolume below @ or whatever your root subvolume is), but then suggests in a tip to use a subvolume directly below the top level subvolume. The limitations mentioned in that manual don’t seem to apply to either setup, as they would prevent swap from working, which is not the case. I have tested both setups and they work fine — or so it seems. I’m worried there is some hidden gotcha I’m missing.
in addition to that, some of those limitations simply don’t apply to my setup, as I only have a single device.
https://tryhackme.com/games/koth
There is also overthewire warzone, a private network simulating the entire ipv4 internet, where any device is fair game for hacking.
Xplore file browser
It’s trivial to replace the independent pieces of xplore, but it has so many features in one app that I just can’t let it go. It’s got dual pane file browsing, disk usage chart, smb, ftp, and many other cloud storage connections. It also handles many types of compression.
It’s become my main offline music player as well, because it has the simple ability to shuffle a folder of music, which is all I really need.
It can also view installed apps, export them to apk, and view and modify appdata (as non root!).
However, freshtomato is another router firmware, that isn’t as feature rich or well supported as opwnwrt, but is focused on supporting broadcom chipsets.
https://wiki.freshtomato.org/doku.php/hardware_compatibility
I flashed it to my netgear router with a broadcom chipset, it works wonderfully!
After Twitter went to shit, where else do customers have to go for customer support like this?
Admittedly, I didn’t read the article, but I have seen plenty of other cases woth cloudfare or other big providers where people have only been able to set things right by kicking up a fuss on social media — like that recent one with amazon aws.
When syncthing is configured to go both ways (the default), it also syncs any deletions. You can somewhat get around this by something like one way sync, but it’s not really a proper “backup” software.
Personally, I like to treat data synced by syncthing, even between multiple machines, as one copy of the data when I am following the 3-2-1 backup rule*, because syncthing won’t save me from a buggy program deleting all my files or user error, or anything like that.
*See wikipedia for info about the 3-2-1 backup rule.
Discord is adding ads soon. Currently, they don’t enforce the TOS violation of custom clients, but maybe after they add ads, they will begin to do so. I would be very careful with any of this.
Dockers manipulation of nftables is pretty well defined in their documentation
Documentation people don’t read. People expect, that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.
As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.
Too bad people don’t read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver’s webtop, because it’s an example of the two of the worst footguns in docker in one
To include the rest of my comment that I linked to:
Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?
No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.
On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.
You originally stated:
I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.
And I’m trying to say that even if that was true, it would still be better than a footgun where people expose stuff that’s not supposed to be exposed.
But that isn’t the case for podman. A quick look through the github issues for podman, and I don’t see it inundated with newbies asking “how to expose services?” because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.
(I don’t have anything against you, I just really hate the way docker does things.)
Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.
I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.
My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn’t be exposed.
Excerpt from another comment of mine:
It’s only docker where you have to deal with something like this:
---
services:
webtop:
image: lscr.io/linuxserver/webtop:latest
container_name: webtop
security_opt:
- seccomp:unconfined #optional
environment:
- PUID=1000
- PGID=1000
- TZ=Etc/UTC
- SUBFOLDER=/ #optional
- TITLE=Webtop #optional
volumes:
- /path/to/data:/config
- /var/run/docker.sock:/var/run/docker.sock #optional
ports:
- 3000:3000
- 3001:3001
restart: unless-stopped
Originally from here, edited for brevity.
Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.
https://rclone.org/drive/
https://rclone.org/crypt/
No way to protect emails, google chats, or many other things AFAIK. Yeah, I hate it too.