1. 3

    CentOS 6? That’s EOL already…

    1. 2

      At the bottom, it says the roadmap was derived from a Reddit comment which was posted… 7 years ago

      1. 1

        I thought this looked familiar, I recall seeing this on Reddit many years ago

        1. 1

          Yes, on r/sysadmin and r/homelab!

    1. 6

      It seems to me that if one is going to go that far off the beaten path (i.e. not just running “docker build”), then it would also be worth looking into Buildah, a flexible image build tool from the same group as Podman. Have you looked into Buildah yet? I haven’t yet used it in anger, but it looks interesting.

      1. 6

        +1000 for Buildah.

        No more dind crap in your CI.

        Lets you export your image in OCI format for, among other useful purposes, security scanning before pushing, etc.

        Overall much better than Docker’s build. Highly recommend you try it.

        1. 3

          Added looking into it to my todo list, thanks for the suggestion @mwcampbell and @ricardbejarano.

          1. 2

            I’m intrigued, what do you use for security scanning the image?

            1. 4

              My (GitLab) CI for building container images is as follows:

              • Stage 1: lint Dockerfile with Hadolint.
              • Stage 2: perform static Dockerfile analysis with Trivy (in config mode) and TerraScan.
              • Stage 3: build with Buildah, export to a directory in the OCI format (buildah push myimage oci:./build, last time I checked, you can’t do this with the Docker CLI), pass that as an artifact for the following stages.
              • Stage 4a: look for known vulns within the contents of the image using Trivy (this time in image mode) and Grype.
              • Stage 4b: I also use Syft to generate the list of software in the image, along with their version numbers. This has been useful more times than I can remember, for filing bug reports, comparing a working and a broken image, etc.
              • Stage 5: if all the above passed, grab the image back into Buildah (buildah pull oci:./build, can’t do this with Docker’s CLI either) and push it to a couple of registries.

              The tools in stage 2 pick up most of the “security bad practices”. The tools in stage 4 give me the list of known vulnerabilities in the image’s contents, along with their CVE, severity and whether there’s a fix in a newer release or not.

              Having two tools in both stages is useful because it increases coverage, as some tools pick up vulns that others don’t.

              Scanning before pushing lets me decide whether I want the new, surely vulnerable image over the old (which may or may not be vulnerable as well). I only perform this manual intervention on severities high and critical, though.
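              The five-stage pipeline described above, written out as an added example `.gitlab-ci.yml` (not the commenter’s own configuration). Assumptions: the container images and `entrypoint` overrides for each tool, the flags used for severity thresholds, that the installed Trivy accepts an OCI layout directory via `--input`, that `buildah pull oci:./build` restores the original image name, and the placeholder names `myimage` and `registry.example.com`.

```yaml
# Added example, not the commenter's pipeline. Tool images, flags and the
# registry are assumptions; "myimage" and registry.example.com are placeholders.
stages: [lint, static-analysis, build, scan, push]

variables:
  IMAGE: myimage
  OCI_DIR: build          # OCI layout directory handed between stages as an artifact

# Stage 1: lint the Dockerfile
hadolint:
  stage: lint
  image: hadolint/hadolint:latest-debian   # variant with a shell for GitLab's runner
  script:
    - hadolint Dockerfile

# Stage 2: static Dockerfile analysis; two tools for better coverage
trivy-config:
  stage: static-analysis
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  script:
    - trivy config --exit-code 1 --severity HIGH,CRITICAL .

terrascan:
  stage: static-analysis
  image: { name: tenable/terrascan:latest, entrypoint: [""] }
  script:
    - terrascan scan -i docker -f Dockerfile

# Stage 3: daemonless build, exported as an OCI layout directory (no dind)
build:
  stage: build
  image: quay.io/buildah/stable:latest
  script:
    - buildah bud -t "$IMAGE" .
    - buildah push "$IMAGE" "oci:./$OCI_DIR"
  artifacts:
    paths: [build]

# Stage 4a: known vulnerabilities in the image contents, again with two tools
trivy-image:
  stage: scan
  image: { name: aquasec/trivy:latest, entrypoint: [""] }
  script:
    # --input on an OCI layout directory is assumed to be supported by this version
    - trivy image --exit-code 1 --severity HIGH,CRITICAL --input "./$OCI_DIR"

grype:
  stage: scan
  image: { name: anchore/grype:latest, entrypoint: [""] }
  script:
    - grype "oci-dir:./$OCI_DIR" --fail-on high

# Stage 4b: software inventory (SBOM) for bug reports and diffing images
syft:
  stage: scan
  image: { name: anchore/syft:latest, entrypoint: [""] }
  script:
    - syft "oci-dir:./$OCI_DIR" -o spdx-json > sbom.spdx.json
  artifacts:
    paths: [sbom.spdx.json]

# Stage 5: only reached when every earlier job passed
push:
  stage: push
  image: quay.io/buildah/stable:latest
  script:
    - buildah pull "oci:./$OCI_DIR"   # assumed to restore the image under $IMAGE
    - buildah push "$IMAGE" "docker://registry.example.com/$IMAGE:$CI_COMMIT_SHORT_SHA"
```

Because the scan jobs fail the pipeline on high and critical findings, the push stage never runs for such an image unless someone deliberately overrides the threshold, which matches the manual-intervention policy described in the comment.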

              1. 1

                Thanks for the response. What are your thoughts on https://github.com/quay/clair which seems to replace both Grype and Trivy?

                1. 1

                  I haven’t used it, can’t judge.

                  Thanks for showing it to me.

            2. 1

              I’ve never used dind, but have only used Jenkins and GitHub Actions. Is that a common thing?

              1. 1

                IIRC GitHub Actions already has a Docker daemon accessible from within the CI container. So you’re already using Docker in Whatever on your builds.

                There are many problems with running the Docker daemon within the build container, and IMO it’s not “correct”.

                A container image is just a filesystem bundle. There’s no reason you need a daemon for building one.

            3. 4

              I have not looked at it, but my understanding is that Podman’s podman build is a wrapper around Buildah. So as a first pass I assume podman build has similar features. It does actually have at least one feature that docker build doesn’t, namely volume mounts during builds.

              1. 2

                If I remember correctly, the Buildah documents specify that while yes - podman build is basically a wrapper around Buildah - it doesn’t expose the full functionality of Buildah, trying to be more of a simple wrapper for people coming from Docker. I can’t recall what specific functionality was hidden from the user, but it was listed in the docs.

            1. 10

              This is a great article, with very valid points and well researched decisions. That said:

              Cloud Agnostic

              This is cheating. Just because you switched from hosted Kubernetes (GKE) to self-managed Nomad doesn’t mean you can’t have self-managed K8s.

              Everything else is fine, I liked the article.

              1. 1

                That’s useful, well done. Thanks!

                1. 23

                  I just bought a domain and use it. It also allows me to set up TLS via Let’s Encrypt without needing to add a root cert everywhere. IMHO a perfect solution, and not that expensive or troublesome. I also have a 100% guarantee that there will be no conflicts.

                  1. 3

                    The only drawback some people may raise is the risk of domain name enumeration, where a would-be attacker could enumerate all devices and services on your network just by looking at public DNS.

                    That said, I don’t think that’s really a problem.

                    1. 12

                      Only drawback some people may raise is the risk of domain name enumeration, where a would-be attacker could enumerate all devices and services on your network just by looking at public DNS.

                      How? Just do local DNS resolution on the network using that domain. For example, you might have a public DNS entry for foobar.com, but you might have DNS for me.foobar.com, bazz.foobar.com, etc. on your local network. So requests for those on your local network are serviced by your local network, and you have no mention of them in the public DNS. Am I missing something?

                      1. 3

                        That requires you to have a split-horizon DNS configuration. It’s pretty easy if you’re running your own DNS resolver but most ISP-provided consumer routers don’t support it and so you’ll also need to be running your own DHCP server. You might be able to put an SOA record in that points to a LAN IP but that will only work for devices running their own caching resolver.

                        1. 2

                          I have to have that anyway because my modem/router does not support connecting to the WAN IP from the LAN. I can specify the DNS server I want to use through the modem, which I have avoided up to now because I’ve had trouble with dnsmasq (and/or the wifi drivers for the EEEPC laptop server it’s running from), especially from the iPhone, but sporadically from the rest of the network too. I’ve actively intended to fix that soon for about a year now.

                          1. 1

                            I use a combination of split-horizon and hidden-primary DNS. No need for private IP ranges to be public.

                          2. 2

                            The context here is let’s encrypt TLS. If you don’t resolve the name externally, how do you pass ACME validation? Plus there’s the certificate transparency log.

                            1. 1

                              You can do ACME validation via DNS as well, so you get the ease of using an externally valid SSL cert but can restrict internal domains with split-horizon DNS.

                              https://letsencrypt.org/docs/challenge-types/

                              1. 1

                                But that just moves the enumeration from foo.bar to _acme-challenge.foo.bar, right? Or am I missing something?

                                1. 1

                                  No, thinking about it more I think you’re correct, you’d be subject to DNS enumeration either from your DNS provider or the certificate transparency logs, at least for the existence of the domains themselves. The information about which IPs are pointing to which domain would remain within the internal network though.

                                  The exception here could be to use a wildcard certificate, which Let’s Encrypt just started supporting last year.

                      1. 5

                        Welcome to lobsters! A couple of community etiquette notes:

                        • You don’t need to tell us you’re the author, it says “authored by” under the link 🙂
                        • New users (accounts under 90 days) can’t use the ask tag. This case is a little fuzzy because you’re also submitting a story, but that story is basically an ask, so I think it falls slightly under the “wait until you’re past 90 days before doing” bin.

                        1. 4

                          For as long as people respond in comments here (instead of private email only OP can see) I think this can spark an insightful conversation. So I vote to keep it.

                          1. 2

                            I’m new here too. Is there anywhere I can see a full list of things like “you can use the ask tag after 90 days”?

                            1. 1

                              The only way I know of is to look through the source code.

                              1. 1

                                Thanks, found the relevant code: looks like I need 50 karma to invite other people https://github.com/lobsters/lobsters/blob/6faa5d37d2fdf8e4d1accbdcd4ffbe28c1db7088/app/models/user.rb#L137

                            2. 1

                              You don’t need to tell us you’re the author, it says “authored by” under the link 🙂

                              Oh, I wasn’t aware of the meaning of authored vs via. I’m pretty new here, and wasn’t paying attention to it before.

                              so I think it falls slightly under the “wait until you’re past 90 days before doing” bin.

                              Oh, OK, fair enough. Do I delete it? Or it just gets removed?

                            1. 3

                              This is an excellent article. Thanks for sharing!

                              1. 4

                                Just to offer an alternative, I use “Dark Reader” [1] for Chrome which tries to automatically apply a dark theme to websites. It’s not great for most websites (so I keep it as an opt-in per site), but does a really good job with simple sites like lobsters.

                                [1] https://chrome.google.com/webstore/detail/dark-reader/eimadpbcbfnmbkopoojfekhnkhdbieeh?hl=en-US

                                1. 2

                                  Just be aware that these kind of extensions get full access to all you see and do on your browser, because they need it in order to function.

                                  Is dark mode a reasonable tradeoff? That’s for you to decide.

                                  1. 3

                                    For this specific extension, Dark Reader is recommended by Mozilla on AMO. This means it has passed an additional level of security / privacy review beyond what a typical extension receives.

                                    Of course your point is still valid. But if you are a Firefox user who trusts Mozilla more than the Dark Reader dev(s), this may sway your decision.

                                    1. 2

                                      A workable (IMO) middle ground is to just grab (and ideally audit) the source and then load the unpacked extension on individual devices. This dodges the “I made an extension with justifiably broad permissions and am selling it to a party that will do Bad Things with those permissions for a shitload of money” threat.

                                      1. 2

                                        Yup, but not many people do that.

                                        I know how to do it but I didn’t. Used to use 2-3 extensions with this kind of access. Now I no longer use them, and simply accept that the web is not as comfortable as I’d like it to be.

                                    2. 1

                                      Dark reader also lets you apply custom styling. So you can take the CSS in this post and copy it in the Dev Tools panel in Dark reader to use it.

                                    1. 2

                                      Thanks OP for posting, I’m interviewing people at work these weeks and this is a great way of getting insight into what people expect, like, feel uncomfortable with…

                                      Personally I’ve only had/given around 20 interviews, and I don’t remember anyone in particular, so I guess I haven’t had a “wow” one yet.

                                      1. 8

                                        I’d love to work with this guy

                                        1. 7

                                          I’ve been lucky enough to have and highly recommend it if you get the chance!

                                        1. 4

                                          Has anyone seen it in the wild? Other than Apple?

                                          1. 3

                                            Many people. Check the HN thread.

                                            1. 3

                                              I’m guessing not, because their goal is a lower level “building blocks” interface

                                              FoundationDB (FDB) [5] was created in 2009 and gets its name from the focus on providing what we saw as the foundational set of building blocks required to build higher-level distributed systems. It is an ordered, transactional, key-value store natively supporting multi-key strictly serializable transactions across its entire key-space. Unlike most databases, which bundle together a storage engine, data model, and query language, forcing users to choose all three or none, FDB takes a modular approach: it provides a highly scalable, transactional storage engine with a minimal yet carefully chosen set of features. It provides no structured semantics, no query language, data model or schema management, secondary indices or many other features one normally finds in a transactional database. Offering these would benefit some applications but others that do not require them (or do so in a slightly different form) would need to work around. Instead, the NoSQL model leaves application developers with great flexibility. While FDB defaults to strictly serializable transactions, it allows relaxing these semantics for applications that don’t require them with flexible, fine-grained controls over conflicts.

                                            1. 28

                                              I have no side project. No real hobby. I’m bored out of my mind. I feel burned out. Empty. I have no idea what I am doing this weekend and the worst part is that I don’t even feel like doing anything.

                                              Have a good weekend everyone.

                                              1. 9

                                                So what? It’s okay to “do nothing”.

                                                The best ideas I’ve had always came from seemingly wasting time. Or even if nothing comes out of it. You rested. That’s the reason we have weekends!

                                                Take a walk. Call someone you haven’t talked to for a long while. Write a custom Hugo theme for your website. Binge/rewatch some show.

                                                Have a nice weekend!

                                                1. 2

                                                  I know that doing nothing is OK. But, I believe I am addicted to being busy. I believe many of us are. Maybe it is the stress. Or maybe it’s the hormone response of it. Maybe my mind and body are so used to being overloaded that when they aren’t, that excess energy is just flooding over. Maybe it’s the fact that having too much to do makes it easy to not do the things that I don’t want to do. I can always prioritise other, more important, things. Whatever it is, I am addicted to it. But it’s over. For now. 12 years of stress and being overworked is coming to an end and this weekend seems to be the very first days of getting clean.

                                                2. 5

                                                  Have you considered sleeping in?

                                                  1. 4

                                                    Let’s trade goods. I got some Swedish licorice from a guy I met through work, he works in Vasteras. Can’t find that good stuff here in the US. Before he left I gave him some locally made mustard, lol.

                                                    1. 3

                                                      This hit home a little more than I thought it would.

                                                      I hope you get a chance to relax, regardless.

                                                    1. 1

                                                      I remember doing something waaay simpler on a PIC18F4550 for a uni project.

                                                      As cool as it may be, I found it one of the most frustrating projects I’ve ever built.

                                                      1. 1

                                                        Was that in assembly?

                                                        All these bank selections a PIC needs seem to be not very convenient for both humans and compilers…

                                                        1. 1

                                                          Yes it was.

                                                          Inconvenient indeed.

                                                      1. 2

                                                        Thanks for the library and the exporter :-)

                                                        1. 1

                                                          Thank you! Feel free to drop feedback on issues!

                                                        1. 3

                                                          I like the idea of this page. It’d be great to have one for DNS or HTTP.

                                                          1. 8

                                                            “The DNS protocol has a field in the header called ‘Number of Questions’.”

                                                            Yeah.

                                                            “So that would imply you can ask multiple questions in one request.”

                                                            Makes sense to me.

                                                            “Here’s a packet with multiple questions.”

                                                            DNS format error: too many questions.

                                                            1. 2

                                                              This is not what you’re asking for, but I found this site to explain DNS for non-geeks pretty well: https://howdns.works/

                                                            1. 19

                                                              Automatically closing stale issues is a useful signal that the project follows the CADT development model. https://www.jwz.org/doc/cadt.html

                                                              1. 12

                                                                That seems a bit harsh. People posting random non-issues can be a genuine issue for larger projects. People posting on long-since solved issues is also an issue, which tends to be >95% generic support or outright nonsense, and <5% useful.

                                                                I don’t care much for auto-close bots, but I understand why people use them. Managing all of this requires a significant amount of time.

                                                                I bet Angular had this exact problem; JavaScript tends to attract a lot of beginners and you’re forever cluttering the bug list with non-bugs unless you’re really diligent about maintaining this, and I can’t blame the maintainers on wanting to focus on actually maintaining the Angular project instead of guiding the endless stream of new users unfamiliar with Angular, JavaScript, etiquette, etc. It’s essentially the “Eternal September” problem.

                                                                1. 4

                                                                  Can’t both of those issues be solved by, well, closing the issues manually?

                                                                  I’d assume long-since solved issues should be closed because solved. For “junk” issues, generic support and whatnot, is it really better to just let them sit open for a week or two (or however long the bot takes) rather than just manually marking them as “offtopic/support/wtfisgoingonhere” and closing them?

                                                                  1. 11

                                                                    I’d assume long-since solved issues should be closed because solved.

                                                                    Yeah but people will comment on them. With this I meant the “lock bots” that lock issues after being closed for n days which prevents adding new comments.

                                                                    As for manual closing/locking, sure, but that’s not “free” time-wise, and it can be emotionally draining. I don’t really want to tell people to ask their question somewhere else or that they’re making zero sense, but I also don’t necessarily want to provide mentoring to random newcomers as I’ve got a life to lead and stuff to do. People can also get angry or even abusive about it, no matter how nicely and gently you phrase it (I’ve had that even with random strangers emailing me out of the blue because they saw me on Lobsters, Stack Overflow, GitHub, or wherever). It’s not super-common, but it sucks when it happens.

                                                                    A bot just makes all of this easier and avoids the emotional drain. Is it the “chicken way out”? I suppose it is, like I said I don’t use it myself and generally just manually lock old issues and such if they attract a lot of comments, but I also never maintained a project the size of Angular, and I can see the reasons why people would use it.

                                                                    I think the “emotional cost” of maintaining larger open source projects is often underestimated. Everyone is different and some people struggle with this more than others, but personally I find it hard. I want to be helpful, but that’s just not feasible or realistic beyond a certain scale so there’s some amount of (internal) tension there. It also leads to situations where you feel obligated to do things that you don’t really want to do, and this is how maintainers burn out.

                                                                    In Bristol there are many homeless people asking you for money; walking to the city centre or Tesco’s (~2km) can easily mean you’ll be asked 3 or 4 times. Sitting out on the harbourside for dinner or a drink will net you about one homeless person every 30 mins or so on average. Before I lived there I never hesitated to give some change if I had any, because these kind of things are a fairly rare event in Eindhoven. But if you’re asked multiple times every day it just becomes unrealistic. I found it difficult, because I don’t want to say “no”, but I also can’t say “yes” all the time. One of the many reasons I was happy to leave that place.

                                                                2. 2

                                                                  I’m curious, which projects do you maintain?

                                                                  1. 1

                                                                    I see this in the ops world too. Not just devs.

                                                                  1. 5

                                                                    Writing a conference talk that I’m supposed to give next week.

                                                                    I, uhhh, procrastinated a bit. :(

                                                                    1. 2

                                                                      Good luck :)

                                                                      1. 1

                                                                        Thanks!

                                                                      2. 2

                                                                        You’re starting one week ahead? That’s like crazy early! :o)

                                                                        (I’m notorious for pulling all nighters to get them ready in time)

                                                                        1. 3

                                                                          Don’t we all?

                                                                          1. 2

                                                                            It takes a while to make some sick memes with pictures I can 100% say I either own or are totally free for use. ;)

                                                                            1. 2

                                                                              Can confirm I still was finishing up slides and rehearsing an hour before. ;)

                                                                          1. 1

                                                                            Any thoughts on Exoscale vs Vultr vs others?

                                                                            1. 2

                                                                              Exoscale is cheap and yet it’s perfect. The only drawback is they’re available only in Europe and I live in Québec so I have some unavoidable latency crossing the ocean.

                                                                              Vultr is quite good. I recently set up some BGP with them (https://www.vultr.com/features/bgp/) and while the support was reactive on a Friday evening (which I didn’t expect because I pay less than 10$/month) the work was far from perfect. Other than that I think they’re a pretty good deal.

                                                                              But I mostly picked both because they officially support OpenBSD. While OpenBSD works fine on KVM virtualization, I don’t want to deal with the support blaming the OS for something unrelated, just because they don’t officially support the OS.

                                                                              1. 3

                                                                                There’s no such thing as perfect until you try Hetzner Cloud.

                                                                                Trust me, never looking back.

                                                                                1. 1

                                                                                  I assume for BGP you have an IPv6 prefix? Curious what it was like getting one for yourself. As far as I’ve read it’s quite expensive and annoying to do it personally now.

                                                                                  1. 1

                                                                                    Yes my ASN is IPv6 only. I plan to write about that in my next article, but it may be a few weeks/months until I publish it!

                                                                                    1. 1

                                                                                      Good to know, I look forward to reading it!

                                                                              1. 12

                                                                                I grew tired of always looking up the magic invocation to add, remove, upgrade dependencies, so I assembled all the concepts you need to know to use Go modules effectively on a single page. Hopefully it’s helpful to others.

                                                                                1. 3

                                                                                  You did a great job at keeping it brief while still being usable.

                                                                                  Thanks!