Nextcloud in container user IDs The nextcloud process running in the container runs as the www-data user which in fact is the user id 82: $ podman exec -it nextcloud-app /bin/sh /var/www/html # ps auxww | grep php-fpm 1 root 0:10 php-fpm: master process (/usr/local/etc/php-fpm.conf) 74 www-data 0:16 php-fpm: pool www 75 www-data 0:15 php-fpm: pool www 76 www-data 0:07 php-fpm: pool www 84 root 0:00 grep php-fpm /var/www/html # grep www-data /etc/passwd www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin NFS and user IDs NFS exports can be configured to have a forced uid/gid using the anonuid, anongid and all_squash parameters.…

Introducing bunkerized-nginx I heard about bunkerized-nginx a while ago and I thought it would be nice to use it as a reverse proxy so I can expose my internal services to the internet ‘safely’. A non-exhaustive list of features (copy & paste from the README): HTTPS support with transparent Let’s Encrypt automation State-of-the-art web security : HTTP security headers, prevent leaks, TLS hardening, … Integrated ModSecurity WAF with the OWASP Core Rule Set Automatic ban of strange behaviors with fail2ban Antibot challenge through cookie, javascript, captcha or recaptcha v3 Block TOR, proxies, bad user-agents, countries, … Block known bad IP with DNSBL and CrowdSec Prevent bruteforce attacks with rate limiting Detect bad files with ClamAV Easy to configure with environment variables or web UI Automatic configuration with container labels A must have for me was having support for Let’s Encrypt and having an easy way to configure it.…

podman play kube One of the cool things about podman is that is not just a docker replacement, it can do so much more! The feature I’m talking about is being able to run Kubernetes YAML pod definitions! How cool is that? You can read more about this feature in the podman-play-kube man, but essentially, you just need a proper pod yaml definition and podman play kube /path/to/my/pod.yaml will run it for you.…

Introduction Inspektor Gadget is a collection of tools (or gadgets) to debug and inspect Kubernetes applications. Inspektor Gadget is deployed to each node as a privileged DaemonSet. It uses in-kernel BPF helper programs to monitor events mainly related to syscalls from userspace programs in a pod. The BPF programs are run by the kernel and gather the log data. Inspektor Gadget’s userspace utilities fetch the log data from ring buffers and display it.…

Preparation Ensure your workers have the virtualization flag enabled: for node in $(oc get nodes -o name | grep kni1-worker); do oc debug ${node} -- grep -c -E 'vmx|svm' /host/proc/cpuinfo done That snippet should return the number of cpu cores with virtualization enabled (it should be all of them). Subscription cat <<EOF | oc apply -f - apiVersion: v1 kind: Namespace metadata: name: openshift-cnv --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: name: kubevirt-hyperconverged-group namespace: openshift-cnv spec: targetNamespaces: - openshift-cnv --- apiVersion: operators.…

Preparation Label the nodes you want to use for OCS, in my case: for node in $(oc get nodes -o name | grep kni1-worker); do oc label ${node} cluster.ocs.openshift.io/openshift-storage='' done Local storage operator Deploy the local storage operator cat <<EOF | oc apply -f - apiVersion: v1 kind: Namespace metadata: name: local-storage spec: {} --- apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: annotations: olm.providedAPIs: LocalVolume.v1.local.storage.openshift.io name: local-storage namespace: local-storage spec: targetNamespaces: - local-storage --- apiVersion: operators.…

SCCs There are tons of information out there about SCCs, but in this post we will be focused on how to create and use a custom SCC only. See the OpenShift official documentation on Managing Security Context Constraints for more details. Custom SCC In the event of requiring a custom SCC, there are a few steps that need to be done to be able to use the SCC properly. Minimal capabilities The best way to create a custom SCC would be to build it based on the most restricted one (hint: its name is restricted) and then start adding capabilities and permissions depending on the application requisites.…

I wanted to easily switch between my regular desktop configuration: All the external displays: To a single external display: Or just the laptop screen: This usually required to open gnome-control-center, then click displays, etc. So I thought it would be nice to look for a extension in the Gnome Extensions site… but I couldn’t find any that worked as I wanted… so let’s try to do our own method! :)…

Quick howto to make podman rootless containers work in RHEL7: sudo yum clean all sudo yum update -y sudo yum install slirp4netns podman -y echo "user.max_user_namespaces=28633" | sudo tee -a /etc/sysctl.d/userns.conf sudo sysctl -p /etc/sysctl.d/userns.conf sudo usermod --add-subuids 200000-300000 --add-subgids 200000-300000 $(whoami) podman system migrate Then, logout and log-in again. Easy peasy!…

Introduction NetApp filers can be used to provide dynamic storage to OCP4/k8s using NetApp’s Trident storage orchestrator. In order to be able to use it, you need to have a real NetApp hardware to play with. It is also true that NetApp offers a simulator to play with. NOTE: The Simulator is not publicly available and you can only access to it if you are a customer or partner. It is required for you to have a proper NFS license.…