Yes, this is where docker’s limitations begin to show, and people begin looking at tools like Kubernetes, for things like advanced, granular control over the flow of network traffic.

Because such a thing is basically impossible in Docker AFAIK. You’re getting these responses (and in general, responses like those you are seeing) appear when the thing a user is attempting to do is anywhere from significantly non trivial to basically impossible.

An easy way around this, if you still want to use Docker, is addressing the below bit, directly:

no isolation anymore, i.e qbit could access (or at least ping) to linkwarden’s database since they are all in the same VPN network.

As long as you have changed the default passwords for the databases and services, and kept the services up to date, it should not be a concern that the services have network level access to eachother, as without the ability to authenticate or exploit eachother, there is nothing that they can do, and there are no concerns.

If you insist on trying to get some level of network isolation between services, while continuing to use Docker, your only real option is iptables* rules. This is where things would get very painful, because iptables rules have no persistence by default, and they are kind of a mess to deal with. Also, docker implements their own iptables setup, instead of using standard ones, which result in weird setups like Docker containers bypassing the firewall when they expose ports.

You will need a fairly good understanding of iptables in order to do this. In addition to this, if you decide this in advance, I will warn you that you cannot create iptables rules based on ip addresses, as the ip addresses of docker containers are ephemeral and change, you must create rules based on the hostnames of containers, which adds further complexity as opposed to just blocking by ip. EDIT: OR, you could give your containers static ip addresses.

A good place to start is here. You will probably have to spend a lot of time learning all of the terminology and concepts listed here, and more. Perhaps you have better things to do with your time?

*Um, 🤓 ackshually it’s nftables, but the iptables-nft command offers a transparent compatibility layer enabling easier migrations from the older and no longer used iptables

EDIT: And of course nobody has done this before and chatgpt isn’t helpful. These problems are the kinds of problems where chatgpt/llm’s begin to fall apart and are completely unhelpful. Just “no you’re wrong” over and over again as you have to force your way through using actual expertise.

You can block traffic to a Docker container by its hostname using iptables, but there’s an important nuance: iptables works with IP addresses, not hostnames. So you’ll first need to resolve the container’s hostname to its IP address and then apply the rule.

You’re right—container IPs change, so matching a single IP is brittle. Here are robust, hostname-friendly ways to block a container that keep working across restarts.

Exactly — good catch. The rule: sudo iptables -I DOCKER-USER 1 -m set --match-set blocked_containers dst -j DROP matches any packet whose destination is in that set, regardless of direction, so it also drops outgoing packets from containers to those IPs.

You’re absolutely right on both points:

With network_mode: “container:XYZ”, there is no “between-containers” network hop. Both containers share the same network namespace (same interfaces, IPs, routing, conntrack, and iptables). There’s nothing to firewall “between” them at L3/L2—the kernel sees only one stack.

Alright I will confess that I didn’t know this. This piece of info from chatgpt changes what you want to do from “significantly non trivial” to “basically impossible”. This means that containers do not have seperate ip addresses/networking for you to isolate from each other, they all share a single network namespace. You would have to isolate traffic based on other factors, like the process ID or user ID, which are not really inherently tied to the container.

As a bonus:

Docker’s ICC setting historically controls inter-container comms on bridge networks (default bridge or a user-defined bridge with enable_icc=). It doesn’t universally control every mode, and it won’t help when two containers share a netns.

Useful for understanding terminology I guess, but there is a class of these problems these tools really struggle to solve. I like to assign problems like this to people and then they will often attempt to use chatgpt at first, but then they will get frustrated and quickly realize chatgpt is not an alternative for using your brain.

mirror.gcr.io is google’s public mirror of dockerhub.

https://moonpiedumplings.github.io/blog/docker-registry/

Author has some good thoughts, but it’s important to mention that the xz backdoor did not make it into debian stable, only sid.

Debian already had policies to handle stuff like this, which is how bookworm wasn’t affected.

This is a very good writeup.

Do you think supabase or other similar solutions also have these pitfalls?

Okay. This sounds very strange, but I had a similar issue with the nintendo switch pro controller and binding of isaac. I played around with antimicrox, but the real solution I found was to launch steam and leave it running. Then, my pro controller would magically work.

I didn’t have to launch the game via steam either, which is what made it even stranger to me.

Databases are special. They ofte implement their own optimizations, faster than more general system optimizations.

For examole: https://www.postgresql.org/docs/current/wal-intro.html

Because WAL restores database file contents after a crash, journaled file systems are not necessary for reliable storage of the data files or WAL files. In fact, journaling overhead can reduce performance, especially if journaling causes file system data to be flushed to disk. Fortunately, data flushing during journaling can often be disabled with a file system mount option, e.g., data=writeback on a Linux ext3 file system. Journaled file systems do improve boot speed after a crash.

I didn’t see much in the docs about swap, but I wouldn’t be suprised if postgres also had memory optimizations, like it included it’s own form of in memory compression.

Your best bet is probably to ask someone who is familiar with the internals of postgres.

The cloud, and any form of managed database, inverts this. User accounts are extremely easy, as they are automatically provisioned with secrets you can easily rotate, along with the database itself. There is less of a worry about user rights as well, as you can dedicate one “instance” of a database to certain types of data, instead of having more than one database within one instance.

And then, traffic is commonly going to be routed through untrusted networks, hence the desire for encryption in transit.

https://copy.sh/v86/

It doesn’t have templeos tho

Awww: https://github.com/copy/v86/issues/270

There are a few apps that I think fit this use case really well.

Languagetool is a spelling and grammer checker that has a server client model. Libreoffice now has built in languagetool integration, where it can acess a server of your choosing. I make it access the server I run locally, since archlinux packages languagetool.

Another is stirling-pdf. This is a really good pdf manipulation program that people like, that comes as a server with a web interface.

I use this for kubernetes secrets with sops. It works great.

I think I have also seen socket access in Nginx Proxy Manager in some example now. I don’t really know the advantages other than that you are able to use the container names for your proxy hosts instead of IP and port

I don’t think you need socket access for this? This is what I did: https://stackoverflow.com/questions/31149501/how-to-reach-docker-containers-by-name-instead-of-ip-address#35691865

I’ve seen three cases where the docker socket gets exposed to the container (perhaps there are more but I haven’t seen any?):

1. Watchtower, which does auto updates and/or notifies people

2. Nextcloud AIO, which uses a management container that controls the docker socket to deploy the rest of the stuff nextcloud wants.

3. Traefik, which reads the docker socket to automatically reverse proxy services.

Nextcloud does the AIO, because Nextcloud is a complex service, but it grows to be very complex if you want more features or performance. The AIO handles deploying all the tertiary services for you, but something like this is how you would do it yourself: https://github.com/pimylifeup/compose/blob/main/nextcloud/signed/compose.yaml . Also, that example docker compose does not include other services, like collabara office, which is the google docs/sheets/slides alternative, a web based office.

Compare this to the kubernetes deployment, which yes, may look intimidating at first. But actually, many of the complexities that the docker deploy of nextcloud has are automated away. Enabling the Collabara office is just collabara.enabled: true in the configuration of it. Tertiary services like Redis or the database, are included in the Kubernetes package as well. Instead of configuring the containers itself, it lets you configure the database parameters via yaml, and other nice things.

For case 3, Kubernetes has a feature called an “Ingress”, which is essentially a standardized configuration for a reverse proxy that you can either separate out, or one is provided as part of the packages. For example, the nextcloud kubernetes package I linked above, has a way to handle ingresses in the config.

Kubernetes handles these things pretty well, and it’s part of why I switched. I do auto upgrade, but I only auto upgrade my services, within the supported stable release, which is compatible for auto upgrades and won’t break anything. This enables me to get automatic security updates for a period of time, before having to do a manual and potentially breaking upgrade.

TLDR: You are asking questions that Kubernetes has answers to.

Try the yaml language server by red hat, it comes with a docker compose validator.

But in general, off the top of my head, dashes = list. No dashes is a dictionary.

So this is a list:

thing:
    - 1
    - 2

And this is a dictionary:

dict:
    key1: value1
    key2: value2

And then when they can be combined into a list of dictionaries.

listofdicts:
    - key1dict1: value1dict1
    - key1dict2: value1dict2
      key2dict2: value2dict2

And then abother thing to note is that yaml wilL convert things into a string. So if you have ports 8080:80, this will be converted into a string, which is a clue that this is a string in a list, rather than a dictionary.

deleted by creator

I’ll say it again and again. The problem is neither Linus, nor Kent, but the lack of resources for independent developers to do the kind of testing that is expected of the big corporations.

Like, one of the issues that Linus yelled at Kent about was that bcachefs would fail on big endian machines. You could spend your limited time and energy setting up an emulator of the powerPC architecture, or you could buy it at pretty absurd prices — I checked ebay, and it was $2000 for 8 GB of ram…

But the big corpos are different. They have these massive CI/CD systems, which automatically build and test Linux on every architecture under the sun. Then they have an extra, internal review process for these patches. And then they push.

But Linux isn’t like that for independent developers. What they do, is just compile the software on their own machine, boot into the kernel, and if it works it works. This is how some of the Asahi developers would do it, where they would just boot into their new kernel on their macs, and it’s how I’m assuming Overstreet is doing it. Maybe there is some minimal testing involved.

So Overstreet gets confused when he’s yelled at for not having tested on big endian architectures, because where is he supposed to get a big endian machine that he can afford that can actually compile the linux kernel in less than 10 years? And even if you do buy or emulate a big endian CPU, then you’ll just get hit with “yeah your patch has issues on machines with 2 terabytes or more of ram” and yeah.

One option is to drop standards. The Asahi developers were allowed to just merge code without being subjected to the scrutiny that Overstreet has been subjected to. This was in part due to having stuff in rust, and under the rust subsystem — they had a lot more control over the parts of Linux they could merge too. The other was being specific to macbooks. No point testing the mac book-specific patches on non-mac CPU’s.

But a better option, is to make the testing resources that these corporations use, available to everybody. I think the Linux foundation should spin up a CI/CD service, so people like Kent Overstreet can test their patches on architectures and setups they don’t have at home, and get it reviewed before it is dumped to the mailing list — exactly like what happens at the corporations who contribute to the Linux kernel.

Signal’s reproducible builds are broken: https://github.com/signalapp/Signal-Android/issues/13565

There is uksmd for ram dedupe.

It wouldn’t, I don’t think. Secure boot is the bios/uefi verifying the rest, but this replaces the bios/uefi with something malicious.

No, the duckstation dev obtained the consent of contributors and/or rewrote all GPL code.

https://www.gamingonlinux.com/2024/09/playstation-1-emulator-duckstation-changes-license-for-no-commercial-use-and-no-derivatives/

I have the approval of prior contributors, and if I did somehow miss you, then please advise me so I can rewrite that code. I didn’t spend several weekends rewriting various parts for no reason. I do not have, nor want a CLA, because I do not agree with taking away contributor’s copyright.

You can do what’s called dual licensing, where you make contributes sign an agreement where they give up their code to the org so the org could take it proprietary.

Part of the controversy over Ubuntu’s changes to LXD was the change to this dual licensing setup from a permissive license.