Posts

Intro I’m running a local Gitea instance to, amongst other things, make use of their !Github Actions and build some docker images for my own consumption. To enable this, I run their rootless DIND actions runner container. After upgrading my host machine from Ubuntu Jammy (22.04) to Noble (24.04) I found that the container was in a fun crash loop and couldn’t immediately identify why. Bloody Security Improvements In 23.10, Ubuntu helpfully restricted unprivileged user namespaces. Rootlesskit needs unprivileged user namespaces, and indeed bundles an apparmor profile that allows them, but for some reason they weren’t working for Docker-in-Docker (DIND). I could see apparmor audit events that seemed to suggest it should be working already: ...

“The whole internet loves ChatGPT, a lovely chatbot that gives plausible-sounding answers to your questions” 5 seconds later “We regret to inform you that ChatGPT is stealing all your content” AI Scraper Bots Everyone and their mum is on the AI hype train right now, and that means they’re all desperate for training data. They don’t care whose data, they just need it, and that’s why they’ve all got bots scraping every corner of the internet. The good news is that most of them are at least pretending to be good internet citizens by obeying robots.txt. The TL;DR is that robots.txt gives instructions to bots about which bits of your site they are and aren’t allowed to scrape. The problem is, how do you know which bots to exclude, without tanking your search visibility or accidentally blocking the Internet Archive from accessing your site? ...

Introduction The Spamhaus Don’t Route Or Peer (DROP) Lists consist of netblocks that are leased or stolen by professional spam or cyber-crime operations, and used for dissemination of malware, trojan downloaders, botnet controllers, or other kinds of malicious activity. i.e. stuff you really don’t want to interact with. I used to consume the DROP list many years ago when my home firewall was Microsoft ISA/TMG (yes, really), but then completely forgot it existed until fairly recently. Having been reminded about it, I looked at options for ingesting it into my Unifi USG firewall and found that there basically aren’t any, which means it’s once again time to write something horrible. ...

Doing Who On What Now? Playwright is a Web Testing and Automation framework developed by Microsoft, it’s similar to Selenium or Puppeteer. The core project is written in nodejs and there are sub-projects offering the same framework in Python, .NET, and Java. It’s the Python project that I was specifically interested in due to its use in the changedetection.io container that I maintain for Linuxserver.io. The problem is that the container uses an Alpine base image whereas Microsoft only publish wheels for glibc, and they don’t publish the source to Pypi for pip to build, which means you can’t just do pip install playwright because it won’t be able to find a muslc wheel to install from. ...

Long ago, in the long-distant mists of time, I ran my blog on Wordpress. When I moved off it to Ghost a few years back it was frankly way too much effort to try and bring all the posts with me and maintain their URLs so I just left the old site up. However, as you may have seen, it looks like Automattic are going to start selling user data to AI companies for training their models on an opt-OUT basis and, even though I’m self-hosting, as I’m using plugins like Jetpack I don’t trust them not to harvest everything I’ve written to sell for their own benefit. ...

An updated guide to configuring Traefik with Docker, with explanations of why to do each step as well as how.

Intro I’ve not really used qemu much before but I found myself needing it last week for a particular project and discovered - to my shock and amazement - that the documentation (official and 3rd party) surrounding it is almost universally terrible. A mixture of overly-complex, out of date, incredibly niche, and just straight up poorly-written. I’ll be honest, I wasn’t after much, I had a single qemu VM and I wanted it to be routable on my LAN. For various reasons, PCI pass-through wasn’t an option (not that the docs there are any better) but I did have a NIC that wasn’t being used for anything else that I was hoping could be put to use here. ...

Introduction Did you know there are all kinds of interesting options that Docker supports but doesn’t necessarily expose, or document, very well? Most of them are very simple to configure and can have substantial benefits so it’s well worth investigating. Daemons All of these options are configured via the Docker daemon. You can pass arguments to dockerd via the systemd service file or, preferably, use a config file, which defaults to /etc/docker/daemon.json. Depending on the settings changed, editing the file will require a Reload or a Restart of the daemon to take effect. ...

A Further Update Since writing this post I’ve now moved from using the Traefik Crowdsec Bouncer container to using a plugin-based bouncer as it performs better and is actively maintained. Update To The Update The issue with upstream proxies and the Traefik bouncer has been resolved by the maintainer. I’ll leave my fork up in case I get some more free time to work on it. I got impatient waiting for the bug with the Traefik bouncer to get fixed so I forked it and fixed it myself, as well as added a couple of extra features. I’m a Go n00b so don’t expect rapid development but it works properly with Cloudflare et al. ...

As you may be aware, I’m part of linuxserver.io where I maintain a number of Docker containers such as grav and syslog-ng but there are times when I need a container that isn’t a suitable linuxserver candidate for any number of reasons so I just publish it myself. It occurred to me that I should probably make an effort to promote them given how difficult docker discovery is on places like Docker Hub where there are hundreds of containers for any given thing, almost all of which had one image push 3 years ago and haven’t been touched since. So, without further ado… ...