Lingolol

0 posts0 participants0 posts today

stfn :raspberrypi: :python:New blog post!In which I talk in detail how I deployed Nextcloud locally in my homelab using LXD and NextcloudPi.I go through the whole process of setting up LXD, importing the NCP image, installing, configuring, and scheduling backups for my own personal cloud.<a href="https://stfn.pl/blog/67-deploying-nextcloud-locally-with-lxd/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://stfn.pl/blog/67-deploying-nextcloud-locally-with-lxd/</a><a href="https://fosstodon.org/tags/blog" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#blog</a> <a href="https://fosstodon.org/tags/HomeLab" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#HomeLab</a> <a href="https://fosstodon.org/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a> <a href="https://fosstodon.org/tags/Nextcloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Nextcloud</a> <a href="https://fosstodon.org/tags/virtualization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#virtualization</a> <a href="https://fosstodon.org/tags/Degoogle" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Degoogle</a>

Pope Bob the UnsaneAfter taking the nickle tour of <a href="https://kolektiva.social/tags/Qubes" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Qubes</a>, my hasty conclusion is that it is anti-<a href="https://kolektiva.social/tags/KISS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KISS</a>; there are seemingly many moving parts under the surface, and many scripts to grok to comprehend what is going on.I plan to give it some more time, if only to unwrap how it launches programs in a VM and shares them with dom0's X server and audio and all that; perhaps it's easier than I think.I also think <a href="https://kolektiva.social/tags/Xen" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Xen</a> is a bit overkill, as the claim is that it has a smaller kernel and therefore smaller attack surface than the seemingly superior alternative, <a href="https://kolektiva.social/tags/KVM" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#KVM</a>. Doing some rudimentary searching out of identified / known VM escapes, there seem to be many more that impact Xen than KVM, in the first place.Sure, the <a href="https://kolektiva.social/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Linux</a> kernel may be considerably larger than the Xen kernel, but it does not need to be (a lot can be trimmed from the Linux kernel if you want a more secure hypervisor), and the Linux kernel is arguably more heavily audited than the Xen kernel.My primary concern is compartmentalization of 'the web', which is the single greatest threat to my system's security, and while <a href="https://kolektiva.social/tags/firejail" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#firejail</a> is a great soltion, I have run into issues maintaining my qutebrowser.local and firefox.local files tuned to work well, and it's not the simplest of solutions.Qubes offers great solutions to the compartmentalization of data and so on, and for that, I really like it, but I think it's over-kill, even for people that desire and benefit from its potential security model, given what the threats are against modern workstations, regardless of threat actor -- most people (I HOPE) don't have numerous vulnerable services listening on random ports waiting to be compromised by a remote threat.So I am working to refine my own security model, with the lessons I'm learning from Qubes.Up to this point, my way of using a system is a bit different than most. I have 2 non-root users, neither has sudo access, so I do the criminal thing and use root directly in a virtual terminal.One user is my admin user that has ssh keys to various other systems, and on those systems, that user has sudo access. My normal user has access to some hosts, but not all, and has no elevated privileges at all.Both users occasionally need to use the web. When I first learned about javascript, years and years ago, it was a very benevolent tool. It could alter the web page a bit, and make popups and other "useful" things.At some point, <a href="https://kolektiva.social/tags/javascript" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#javascript</a> became a beast, a monster, something that was capable of scooping up your password database, your ssh keys, and probe your local networks with port scans.In the name of convenience.As a result, we have to take browser security more seriously, if we want to avoid compromise.The path I'm exploring at the moment is to run a VM or two as a normal user, using KVM, and then using SSH X forwarding to run firefox from the VM which I can more easily firewall, and ensures if someone escapes my browser or abuses JS in a new and unique way, that no credentials are accessible, unless they are also capable of breaking out of the VM.What else might I want to consider? I 'like' the concept of dom0 having zero network access, but I don't really see the threat actor that is stopping. Sure, if someone breaks from my VM, they can then call out to the internet, get a reverse shell, download some payloads or build tools, etc.But if someone breaks out of a Qubes VM, they can basically do the same thing, right? Because they theoretically 'own' the hypervisor, and can restore network access to dom0 trivially, or otherwise get data onto it. Or am I mistaken?Also, what would the <a href="https://kolektiva.social/tags/LXC" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXC</a> / <a href="https://kolektiva.social/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> approach look like for something like this? What's its security record like, and would it provide an equivalent challenge to someone breaking out of a web browser (or other program I might use but am not thinking of at the moment)?

dmartukShowcasing some recent work here<a href="https://dribbble.com/shots/24622412-Lessons-Chapters-Streaks-and-User-Profiles" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://dribbble.com/shots/24622412-Lessons-Chapters-Streaks-and-User-Profiles</a><a href="https://mastodon.social/tags/ui" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ui</a> <a href="https://mastodon.social/tags/uiux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#uiux</a> <a href="https://mastodon.social/tags/productdesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#productdesign</a> <a href="https://mastodon.social/tags/app" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#app</a> <a href="https://mastodon.social/tags/appdesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#appdesign</a> <a href="https://mastodon.social/tags/figma" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#figma</a> <a href="https://mastodon.social/tags/edtech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#edtech</a> <a href="https://mastodon.social/tags/education" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#education</a> <a href="https://mastodon.social/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a> <a href="https://mastodon.social/tags/mobile" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mobile</a> <a href="https://mastodon.social/tags/creative" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#creative</a> <a href="https://mastodon.social/tags/inspiration" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#inspiration</a> <a href="https://mastodon.social/tags/ai" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ai</a> <a href="https://mastodon.social/tags/tech" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#tech</a> <a href="https://mastodon.social/tags/learningexperiencedesign" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#learningexperiencedesign</a>

Jon SeagerI wrote a blog about how I use <a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> and <a href="https://hachyderm.io/tags/Multipass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Multipass</a> during my every day workflows. A bit of a crossover between my work life at <a href="https://hachyderm.io/tags/Canonical" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Canonical</a>, and my personal interest in <a href="https://hachyderm.io/tags/nixos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#nixos</a> <a href="https://jnsgr.uk/2024/06/desktop-vms-lxd-multipass/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://jnsgr.uk/2024/06/desktop-vms-lxd-multipass/</a>

nullagent<a href="https://social.polotek.net/@polotek" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@polotek</a> Totally agree, super important tooling!I've been accomplishing this using LXD & cloud-init right now. It was fairly easy to write lxd profiles that deploy mastodon.I really should make an interactive setup script bc once you have your variables set stock mastodon deploys very well as a cloud-init.This repo is a little out of date but is a great starting point if you're wanting to run mastodon using LXD & cloud-init.<a href="https://github.com/datapartyjs/partyon-lxd" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/datapartyjs/partyon-lxd</a><a href="https://partyon.xyz/tags/mastodev" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastodev</a> <a href="https://partyon.xyz/tags/mastoadmin" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#mastoadmin</a> <a href="https://partyon.xyz/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a>

Stéphane GraberAnd so it begins... Canonical just merged a pull request into <a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> including 3 of my changes from <a href="https://hachyderm.io/tags/Incus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Incus</a> with me clearly listed as the author despite me having specifically declined to sign the CLA that's supposedly required for all contributions to their project... <a href="https://github.com/canonical/lxd/pull/12709" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://github.com/canonical/lxd/pull/12709</a>

Diogo ConstantinoThere are a few technologies that come from @ubuntu /@canonical that are really useful to me : <a href="https://masto.pt/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a>, and <a href="https://masto.pt/tags/Multipass" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Multipass</a> are two, but <a href="https://masto.pt/tags/uvtool" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#uvtool</a> is the one that "almost nobody" heard about.uvtool allows to create Ubuntu VM's (KVM via libvirt) based on the <a href="https://masto.pt/tags/Ubuntu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ubuntu</a> cloud image.

popeyAn unfortunate development in the <a href="https://ubuntu.social/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> / <a href="https://ubuntu.social/tags/Incus" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Incus</a> story. I do hope this friction can be smoothed out so users and developers of both projects are unaffected. <a href="https://discuss.linuxcontainers.org/t/important-notice-for-lxd-users-image-server/18479?u=popey" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://discuss.linuxcontainers.org/t/important-notice-for-lxd-users-image-server/18479?u=popey</a>

Stéphane GraberSo Canonical has now gone ahead and relicensed <a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> to AGPLv3 (kinda) and added a CLA! <a href="https://stgraber.org/2023/12/12/lxd-now-re-licensed-and-under-a-cla/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://stgraber.org/2023/12/12/lxd-now-re-licensed-and-under-a-cla/</a>

Jason NucciaroneGreat news for anyone who wants to do <a href="https://mast.hpc.social/tags/riscv" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#riscv</a> enablement for their packages/software!<a href="https://mast.hpc.social/tags/Ubuntu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ubuntu</a> Launchpad - after fixing some bugs in <a href="https://mast.hpc.social/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> and OpenStack's Nova - now has generally available riscv64 builders that you can use for both PPAs and snap remote builds. Here the full blog post! <a href="https://blog.launchpad.net/ppa/self-service-riscv64-builds" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://blog.launchpad.net/ppa/self-service-riscv64-builds</a>Now it's time to start enabling all the snaps I use on the daily to run on RISC-V! No more suffering with my underpowered riscv64 emulators 😅

Benjamin Carr, Ph.D. 👨🏻‍💻🧬<a href="https://hachyderm.io/tags/Canonical" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Canonical</a> intros <a href="https://hachyderm.io/tags/Microcloud" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Microcloud</a>: Simple, free, <a href="https://hachyderm.io/tags/onpremises" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#onpremises</a> <a href="https://hachyderm.io/tags/Linux" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Linux</a> clustering As <a href="https://hachyderm.io/tags/Ubuntu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ubuntu</a> approaches its 20th anniversary, some more of its pieces may be Snapping together It uses its own <a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> containervisor to manage nodes and workloads, <a href="https://hachyderm.io/tags/Ceph" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Ceph</a> for distributed storage, <a href="https://hachyderm.io/tags/OpenZFS" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OpenZFS</a> for local storage, and <a href="https://hachyderm.io/tags/OVN" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#OVN</a> to virtualize the cluster interconnect. All the tools are packaged as snaps. It supports both x86-64 and Arm64 nodes, including <a href="https://hachyderm.io/tags/RaspberryPi" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#RaspberryPi</a>, and you can mix architectures! <a href="https://www.theregister.com/2023/11/16/canonical_microcloud/" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://www.theregister.com/2023/11/16/canonical_microcloud/</a>

AmolithLXD: Containers for Human Beings <a href="https://secluded.site/lxd-containers-for-human-beings/" rel="nofollow noopener noreferrer" target="_blank">https://secluded.site/lxd-containers-for-human-beings/</a> This is a blog post version of a talk I presented at both Ubuntu Summit 2022 and SouthEast LinuxFest 2023. I cover why one might want to use VMs, application containers, or system containers, I talk specifics about VM hypervisor types, how application and system containers work, and when I think it's appropriate to use each technology. <a class="hashtag" href="https://nixnet.social/tag/sysadmin" rel="nofollow noopener noreferrer" target="_blank">#Sysadmin</a> <a class="hashtag" href="https://nixnet.social/tag/containers" rel="nofollow noopener noreferrer" target="_blank">#Containers</a> <a class="hashtag" href="https://nixnet.social/tag/vms" rel="nofollow noopener noreferrer" target="_blank">#VMs</a> <a class="hashtag" href="https://nixnet.social/tag/docker" rel="nofollow noopener noreferrer" target="_blank">#Docker</a> <a class="hashtag" href="https://nixnet.social/tag/lxd" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> <a class="hashtag" href="https://nixnet.social/tag/incus" rel="nofollow noopener noreferrer" target="_blank">#Incus</a>

ItzTrainWell Well Well!! I was wondering when this was going to happen and I'm glad it did!! Fork of <a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> on it's way... I'm hoping it attracts contributors from lxd to it. <a href="https://github.com/cyphar/incus" rel="nofollow noopener noreferrer" target="_blank">https://github.com/cyphar/incus</a><a href="https://hachyderm.io/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a> <a href="https://hachyderm.io/tags/homelab" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#homelab</a> <a href="https://hachyderm.io/tags/virtualization" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#virtualization</a> <a href="https://hachyderm.io/tags/selfhosted" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosted</a> <a href="https://hachyderm.io/tags/selfhosting" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#selfhosting</a>

GeneBeanYou called it <a href="https://techhub.social/@ironicbadger" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@ironicbadger</a> - <a href="https://fosstodon.org/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> has been forked. <a href="https://ubuntu.social/@popey" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@popey</a>

Christian Brauner 🦊🐺Apparently I'm not a maintainer of <a href="https://mastodon.social/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> anymore and neither is <a href="https://hachyderm.io/@stgraber" class="u-url mention" rel="nofollow noopener noreferrer" target="_blank">@stgraber</a>. So it seems from now on it's Canonical employees only.I'd like to point out that before Canonical moved LXD into github.com/canonical/lxd maintainership was completely independent of the company. If you went to work somewhere else you still were a maintainer. As it should be with any well-functioning OSS project.

James CuffIs it finally time to flip over to <a href="https://mastodon.mit.edu/tags/proxmox" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#proxmox</a> for the home lab, or continue to tough it out with trusty <a href="https://mastodon.mit.edu/tags/lxc" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxc</a> / <a href="https://mastodon.mit.edu/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a> on <a href="https://mastodon.mit.edu/tags/ubuntu" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#ubuntu</a> that’s worked for years? I fear I’m probably going to end up swearing at a UI, and then find myself back in the terminal but with a new set of weird “pve” commands to configure stuff. The HA and backup stuff really does look compelling though, and may even beat out my assorted artisanal and handcrafted snapshot.sh and rsync.sh scripts... 🤣

Benjamin Carr, Ph.D. 👨🏻‍💻🧬<a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> container-management system is no longer a part of the <a href="https://linuxcontainers.org/" rel="nofollow noopener noreferrer" target="_blank">https://linuxcontainers.org/</a> project:<a href="https://hachyderm.io/tags/Canonical" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#Canonical</a>, the creator and main contributor of the LXD project has decided that after over 8 years as part of the Linux Containers community, the project would now be better served directly under Canonical’s own set of projects. <a href="https://lwn.net/Articles/937369/" rel="nofollow noopener noreferrer" target="_blank">https://lwn.net/Articles/937369/</a>

omg! ubuntuCanonical Take Control of LXD – But Stress It Won't Become Snap-Only <a href="https://www.omgubuntu.co.uk/2023/07/canonical-takes-full-control-of-lxd" rel="nofollow noopener noreferrer" target="_blank">https://www.omgubuntu.co.uk/2023/07/canonical-takes-full-control-of-lxd</a> <a href="https://floss.social/tags/lxd" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#lxd</a> <a href="https://floss.social/tags/containers" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#containers</a>

Stéphane Graber<a href="https://hachyderm.io/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> is no longer part of the Linux Containers project. <a href="https://linuxcontainers.org/lxd/" rel="nofollow noopener noreferrer" target="_blank">https://linuxcontainers.org/lxd/</a>

Christian Brauner 🦊🐺As of yesterday, the <a href="https://mastodon.social/tags/LXD" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#LXD</a> project is no longer part of the Linux Containers project but can now instead be found directly under Canonical's control.Please read our official statement on: <a href="https://linuxcontainers.org/lxd" rel="nofollow noopener noreferrer" translate="no" target="_blank">https://linuxcontainers.org/lxd</a>I personally consider Canonical's move to be a hostile act and as far as I'm concerned the decision was unilateral. It may be legally sound but it leaves a very bad taste behind.I've been involved with this project independent of what company I moved to. To see this happening is sad.

Recent searches

Search options

Administered by:

Server stats:

#LXD