
TCB13 OP , (edited ) to linux in Debian 12 + LXD/LXC security.idmap.isolated fails

Apparently this is by design a feature of newer kernels. Here is a good explanation by Stéphane Graber, maintainer of LXC:

Prior to VFS idmap being available, we needed to work around file ownership by having LXD manually rewrite the owner of every single file on disk. That’s what you’re showing here on an older kernel.

On newer kernels, this is no longer needed as we can have the kernel keep the permissions on-disk unshifted and just shift in-kernel so the ownership looks correct inside of the container.

What you’re showing above looks like a perfectly working setup on a kernel that does support VFS idmap.

I could indeed config this on the host machine:


    root@vm-debian-12-cli:~# lxc info | grep 'shift|idmap'
    - storage_shifted
        idmapped_mounts: "true"
        shiftfs: "false"
        idmapped_mounts_v2: "true"

And inside containers the root mount point also shows as idmapped (last line):


    root@debian:~# cat /proc/self/uid_map
             0     231072      65536

    root@debian:~# cat /proc/self/gid_map
             0     231072      65536

    root@debian:~# cat /proc/self/mountinfo
    490 460 0:24 /@rootfs/mnt/NVME1/lxd/containers/debian/rootfs / rw,relatime,idmapped shared:251 master:1 - btrfs /dev/sda1 rw,space_cache=v2,user_subvol_rm_allowed,subvolid=259,subvol=/@rootfs/mnt/NVME1/lxd/containers/debian

To disable this one might:

There is an environment variable that can be passed to LXD by adding an override in its systemd unit. LXD_IDMAPPED_MOUNTS_DISABLE=1

However, and according to Mr. Graber we shouldn’t do that:

Okay, so your system is operating perfectly normally and with the lowest overhead possible right now, nothing to be worried about.

The old pre-start shifting method was very slow and very risky as a crash or failure to shift a particular bit of metadata (ACL, xattr, …) could allow for a security issue with the container. It was also horrible for CoW filesystems as it effectively made it look like every single file in the container had been modified, potentially duplicating GBs of data.

shiftfs (which was an Ubuntu-specific hack) and now the proper VFS idmap shifting, simply have the kernel apply the reverse uidmap/gidmap on any filesystem operation to a mount that’s marked as idmapped. It’s an extremely trivial operation to perform, allows for dynamic changes to the container maps (very useful for isolated), allows for sharing data between containers and properly supports everything that can hold a uid/gid (ioctl, xattr, acl, …) so doing away with the risk of having missed something.
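The two container-side views quoted above (`/proc/self/uid_map` and the `idmapped` flag on the root mount) are enough to verify the setup without touching the host. The following is an added example, not code from the thread or from LXD: it parses both files in their kernel formats, confirms that `/` is served through a VFS idmapped mount, and translates a container uid to the host uid it lands on. The sample data is copied from the post; the `\040` space-escape handling and the host-root overlap check are this example's own additions.

```python
# Added example: read the container's uid_map and mountinfo and report how
# the root filesystem is being id-shifted. Sample text copied from the post.

UID_MAP = "         0     231072      65536\n"
MOUNTINFO = (
    "490 460 0:24 /@rootfs/mnt/NVME1/lxd/containers/debian/rootfs / "
    "rw,relatime,idmapped shared:251 master:1 - btrfs /dev/sda1 "
    "rw,space_cache=v2,user_subvol_rm_allowed,subvolid=259,"
    "subvol=/@rootfs/mnt/NVME1/lxd/containers/debian\n"
)


def parse_id_map(text):
    """/proc/<pid>/uid_map lines are 'inside_start outside_start count'."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        entries.append(tuple(int(p) for p in parts))
    return entries


def map_to_host(id_map, inside_id):
    """Host-side id for a container id, or None when the id is unmapped
    (an unmapped id appears as the overflow id, usually 65534/nobody)."""
    for inside, outside, count in id_map:
        if inside <= inside_id < inside + count:
            return outside + (inside_id - inside)
    return None


def maps_to_host_root(id_map):
    """True if any range covers host id 0, i.e. the container is not
    unprivileged with respect to the host's root user."""
    return any(outside <= 0 < outside + count for _, outside, count in id_map)


def parse_mountinfo(text):
    """Index /proc/self/mountinfo by mount point. Field layout:
    id parent major:minor root mountpoint opts [optional...] - fstype source superopts.
    Paths escape spaces as \\040."""
    mounts = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or "-" not in fields:
            continue
        sep = fields.index("-")
        unescape = lambda s: s.replace("\\040", " ")
        mounts[unescape(fields[4])] = {
            "root": unescape(fields[3]),
            "opts": fields[5].split(","),
            "optional": fields[6:sep],
            "fstype": fields[sep + 1],
            "source": unescape(fields[sep + 2]),
        }
    return mounts


def rootfs_is_idmapped(mountinfo_text):
    """The kernel adds 'idmapped' to the per-mount options when the mount
    carries a VFS idmapping, which is what the post's last line shows."""
    root = parse_mountinfo(mountinfo_text).get("/")
    return root is not None and "idmapped" in root["opts"]


if __name__ == "__main__":
    id_map = parse_id_map(UID_MAP)
    print("root mount idmapped:", rootfs_is_idmapped(MOUNTINFO))
    print("container uid 0 -> host uid", map_to_host(id_map, 0))
    print("container uid 1000 -> host uid", map_to_host(id_map, 1000))
    print("overlaps host root:", maps_to_host_root(id_map))
```

Run it inside a container against the real files (`open("/proc/self/uid_map").read()` and so on) to get the same three answers for that container; an `idmapped` root mount together with a uid_map that does not cover host id 0 is the expected picture on a kernel with VFS idmap, and matches the post.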

TCB13 , to linux in linux laptop

When I talked about EM shielding I wasn’t strictly talking about shielding metal plates inside your computer. Although certain components might be shielded with metallic plates most components are tested for EM compatibility with other devices (they have to by law) and there are different possible levels of EM interference resistance and hardening. What I’ve noticed with cheap brands is that their components usually tend to be cheaply built and very susceptible to EM interferences. This doesn’t happen in brands like HP or Asus, they take a lot of attention to that detail. And yes, that typical copper heat shielding sometimes doubles as EM shielding.

TCB13 OP , to selfhosted in Replicate Player / Self Host / Offline Usage

Doesn’t cut it. Their player mixes it randomly and has a ton of adjustments.

TCB13 , to selfhosted in How terrible is double NAT? really?

Can you tell us what ISP is, and what’s the router brand and model? Even better add pictures? Seems like some Altice owned ISP.

TCB13 , to selfhosted in How terrible is double NAT? really?

Yes.

TCB13 , to selfhosted in Network overview / documentation

excalidraw.com seems like a nice tool for a home job.

TCB13 , to linux in SystemD not installing on manjaro (xfce)?

Time to Debian XD

TCB13 , to selfhosted in What do you prefer for a self hosted calendar?

I plan to someday look at the Baikal code seriously and fix the invite mess. It seems it simply isn’t evaluating every change well and not sending the appropriate invites.

My experience with NextCloud is mostly JS errors and… lemmy.world/comment/346174 I can’t recommend it to anyone.

TCB13 , to selfhosted in What do you prefer for a self hosted calendar?

+1 on Baikal, way better than Nextcloud except for invites. There are some details that don’t work as expected with inviting people and changing invites afterwards.

TCB13 , (edited ) to selfhosted in Thinking of a local mail storage with anti spam

Dovecot + Postfix + Rspamd can do it. Instead of pulling emails you can simply forward those providers to your homeserver account. You may also set up Postfix in a way that would allow you to use your @gmail @hotmail addresses as “from” addresses / aliases to your local account and it will automatically submit the email through the provider SMTP server when you send something.

If you really want to pull email instead of setting up forwards (have your server offline more time and whatnot) there are a few options:

To route the outgoing email through the right provider / external SMTP server based on the “from” address you may configure it like this:

main.cf:


    smtp_sasl_auth_enable = yes
    smtp_sender_dependent_authentication = yes
    smtp_sasl_password_maps = mysql:/etc/postfix/virtual/mysql-external-alias-credentials.cf
    sender_dependent_relayhost_maps = mysql:/etc/postfix/virtual/mysql-external-alias-relay-hosts.cf
    smtp_sasl_security_options = noanonymous

mysql-external-alias-credentials.cf:


    user = XXXXX
    password = XXXXXX
    hosts = 127.0.0.1
    dbname = mailserver
    query = SELECT concat(relay_user, ':', relay_passwd) AS credential FROM `Virtual_Alias_External` WHERE alias='%s' AND active = 1;

mysql-external-alias-relay-hosts.cf:


    user = XXXXX
    password = XXXXXX
    hosts = 127.0.0.1
    dbname = mailserver
    query = SELECT relay_host AS transport FROM `Virtual_Alias_External` WHERE alias='%s' AND active = 1;

MySQL table structure:


    CREATE TABLE `Virtual_Alias_External` (
      `id` int(10) unsigned NOT NULL AUTO_INCREMENT,
      `alias` varchar(70) NOT NULL,
      `owner` varchar(255) CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci NOT NULL,
      `active` tinyint(1) NOT NULL DEFAULT 0,
      `relay_host` varchar(70) NOT NULL DEFAULT '',
      `relay_user` varchar(70) NOT NULL,
      `relay_passwd` varchar(70) NOT NULL,
      PRIMARY KEY (`id`) USING BTREE
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_general_ci ROW_FORMAT=COMPACT;

Create an entry like this:


    alias: [email protected]
    owner: [email protected]
    active: 1
    relay_host: [smtp.gmail.com]:587
    relay_user:  [email protected]
    relay_passwd: your-gmail-password-or-app-password

Now when you send an email and the From is set as [email protected] Postfix will route the email through Gmail’s SMTP server with the credentials stored in that table. If done correctly (smtpd_sasl_authenticated_header = no) no references to [email protected] will show up on the email headers.
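To see what the two `mysql:` maps above actually resolve for a given sender, here is an added example that is not the poster's code or part of Postfix: it loads the post's table layout into an in-memory SQLite database, runs the same two queries (with SQLite's `||` standing in for MySQL's `concat()` and a bound parameter standing in for Postfix's `%s`), and splits the resulting next-hop the way Postfix reads `[host]:port`. The rows, addresses and passwords are constructed placeholders. It performs only the full-address lookup the post's query supports; Postfix itself also tries other keys such as the `@domain` form.

```python
# Added example: simulate Postfix's sender-dependent relayhost and SASL
# credential lookups against the post's Virtual_Alias_External table.
import sqlite3

# Schema mirrors the post's MySQL table with SQLite column types.
SCHEMA = """
CREATE TABLE Virtual_Alias_External (
  id           INTEGER PRIMARY KEY AUTOINCREMENT,
  alias        TEXT    NOT NULL,
  owner        TEXT    NOT NULL,
  active       INTEGER NOT NULL DEFAULT 0,
  relay_host   TEXT    NOT NULL DEFAULT '',
  relay_user   TEXT    NOT NULL,
  relay_passwd TEXT    NOT NULL
);
"""

# Constructed rows: hypothetical addresses, placeholder passwords.
SAMPLE_ROWS = [
    ("alice@gmail.example", "alice@home.example", 1,
     "[smtp.gmail.example]:587", "alice@gmail.example", "PLACEHOLDER-APP-PASSWORD"),
    ("alice@hotmail.example", "alice@home.example", 0,      # active = 0: ignored
     "[smtp.office365.example]:587", "alice@hotmail.example", "PLACEHOLDER"),
]

# The post's two queries; '?' replaces %s, '||' replaces concat().
CREDENTIAL_QUERY = ("SELECT relay_user || ':' || relay_passwd AS credential "
                    "FROM Virtual_Alias_External WHERE alias = ? AND active = 1")
RELAY_QUERY = ("SELECT relay_host AS transport "
               "FROM Virtual_Alias_External WHERE alias = ? AND active = 1")


def build_db(rows=SAMPLE_ROWS):
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO Virtual_Alias_External "
        "(alias, owner, active, relay_host, relay_user, relay_passwd) "
        "VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def resolve_sender(conn, sender):
    """(transport, 'user:password') for an envelope sender, or None when no
    active alias matches; in that case Postfix falls back to its default
    relayhost or direct delivery and sends no SASL credential."""
    transport = conn.execute(RELAY_QUERY, (sender,)).fetchone()
    credential = conn.execute(CREDENTIAL_QUERY, (sender,)).fetchone()
    if transport is None or credential is None:
        return None
    return transport[0], credential[0]


def parse_transport(transport):
    """Split a next-hop such as '[smtp.gmail.example]:587' into
    (host, port, mx_lookup). Square brackets tell Postfix to connect to
    the named host directly instead of resolving its MX records.
    Only numeric ports are handled here; Postfix also accepts service names."""
    host, _, port = transport.rpartition(":")
    if not port.isdigit():
        host, port = transport, "25"
    mx_lookup = not (host.startswith("[") and host.endswith("]"))
    return host.strip("[]"), int(port), mx_lookup


if __name__ == "__main__":
    db = build_db()
    for sender in ("alice@gmail.example", "alice@hotmail.example", "bob@home.example"):
        hit = resolve_sender(db, sender)
        if hit is None:
            print(f"{sender}: no sender-dependent relay, default delivery")
        else:
            host, port, mx = parse_transport(hit[0])
            print(f"{sender}: relay via {host}:{port} (MX lookup: {mx}) as {hit[1].split(':')[0]}")
```

Two practitioner checks that follow from the table itself: the `.cf` files hold the database password and, through the query, every relay password in cleartext, so keep them readable only by root and the postfix group (Postfix's own mysql_table documentation recommends restricting these files); and because `smtp_sasl_security_options = noanonymous` alone still permits plaintext SASL mechanisms, the credentials only stay private on the wire if the outbound `smtp` client is also required to use TLS (`smtp_tls_security_level`), which the posted snippet does not show.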

TCB13 , (edited ) to selfhosted in Home Assistant, Nextcloud and paperless ngx on a Pi 4

Well partial sync is the only thing you can say that is an advantage… but frankly you can emulate it in Syncthing with exclusion patterns. I “hate” Nextcloud because it eventually failed in all deploys I made with it. They don’t even get right a simple WYSIWYG editor. As I said before I re-try Nextcloud from time to time, and I would love very much to see it succeed and replace all the other tools I use, but it doesn’t deliver on the promise. At least not for the number of users I have.

What logic does it have to advertise your solution as an alternative to MS365 / Google Workspace if they can’t even deliver a properly working and useful webmail? The WYSIWYG is broken, you can’t resize the window to make it bigger and some other annoying details. And then there are always constant complaints of others about losing all data on upgrades (I haven’t experienced this but still).

TCB13 , to linux in Running NixOS from any Linux Distro in systemd-nspawn Containers

LXC is way more resource intensive and actually systemd had containers for a very long time… not to forget that if you use those you don’t need to install one more thing :)

TCB13 , to selfhosted in Home Assistant, Nextcloud and paperless ngx on a Pi 4

I tried bare metal and docker, it’s shit and I’m not the only one complaining so I’ll assume you’ve been lucky so far. Either way you can’t deny that the UI is a piece of crap and my “personal favorite” is the webmail UI that can’t even WYSIWYG properly.

TCB13 , to selfhosted in Home Assistant, Nextcloud and paperless ngx on a Pi 4

That’s normal

Ahaha. The current state of software development and what people accept as normal is just mind-boggling. And no, it’s not “normal” nor “ok”, it slows down things and the UI sometimes crashes with more data.