diff --git a/categories/index.html b/categories/index.html index 0517747..8181a17 100644 --- a/categories/index.html +++ b/categories/index.html @@ -1 +1,2 @@ -Categories · Zentria Blog

Categories

\ No newline at end of file +Categories · Zentria Blog +

Categories

\ No newline at end of file diff --git a/categories/index.xml b/categories/index.xml index c094ed4..a354468 100644 --- a/categories/index.xml +++ b/categories/index.xml @@ -1 +1 @@ -Categories on Zentria Bloghttps://blog.zentria.company/categories/Recent content in Categories on Zentria BlogHugo -- gohugo.ioen-us \ No newline at end of file +Categories on Zentria Bloghttps://blog.zentria.company/categories/Recent content in Categories on Zentria BlogHugoen-us \ No newline at end of file diff --git a/categories/page/1/index.html b/categories/page/1/index.html index b232a24..0acaa95 100644 --- a/categories/page/1/index.html +++ b/categories/page/1/index.html @@ -1 +1,2 @@ -https://blog.zentria.company/categories/ \ No newline at end of file +https://blog.zentria.company/categories/ + \ No newline at end of file diff --git a/css/style.css b/css/style.css index cf4abca..fbfff52 100644 --- a/css/style.css +++ b/css/style.css @@ -1 +1 @@ -*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;line-height:1.5}html,body{color:#555;background-color:#fff;margin:0;padding:0}html{font-family:"Libre Baskerville","Times New Roman",Times,serif;font-size:14px;overflow-y:scroll}@media (min-width: 600px){html{font-size:16px}}body{-webkit-text-size-adjust:100%}h1,h2,h3,h4,h5,h6{color:#353535;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;line-height:normal}a{color:#4a9ae1;text-decoration:none}blockquote{border-left:0.25rem solid #e5e5e5;color:#979797;margin:.8rem 0;padding:.5rem 1rem}blockquote p:last-child{margin-bottom:0}@media (min-width: 600px){blockquote{padding:0 5rem 0 1.25rem}}img{display:block;margin:0 0 1rem;max-width:100%}td{vertical-align:top}pre,code{font-family:Menlo,Monaco,monospace}code{background-color:#f9f9f9;border-radius:3px;color:#bf616a;font-size:85%;padding:.25em .5em;white-space:pre-wrap}pre{margin:0 0 1rem}pre code{background-color:transparent;color:inherit;font-size:100%;padding:0}.highlight{background-color:#f9f9f9;border-radius:3px;line-height:1.4;margin:0 0 1rem;padding:1rem}.highlight pre{margin-bottom:0;overflow-x:auto}.highlight .lineno{color:#aaa;display:inline-block;padding:0 .75rem 0 .25rem;-webkit-user-select:none;-moz-user-select:none;user-select:none}.post{padding:3rem 0}.post-info{color:#aaa;font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;letter-spacing:0.5px;text-align:center}.post-info span{font-style:italic}.post-title{color:#353535;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:4rem;margin:1rem 0;text-align:center}.post-line{border-top:0.4rem solid #353535;display:block;margin:0 auto 3rem;width:4rem}.post p{margin:0 0 1rem;text-align:justify}.post a:hover{text-decoration:underline}.post img{margin:0 auto 0.5rem}.post img+em{color:#aaa;display:block;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:0.9rem;font-style:normal;text-align:center}.post img.emoji{display:inline-block;left:0;transform:none;width:1rem;height:1rem;vertical-align:text-top;padding:0;margin:0}.highlight .hll{background-color:#ffc}.highlight .c{color:#999}.highlight .err{color:#a00;background-color:#faa}.highlight .k{color:#069}.highlight .o{color:#555}.highlight .cm{color:#09f;font-style:italic}.highlight .cp{color:#099}.highlight .c1{color:#999}.highlight .cs{color:#999}.highlight .gd{background-color:#fcc;border:1px solid #c00}.highlight .ge{font-style:italic}.highlight .gr{color:#f00}.highlight .gh{color:#030}.highlight .gi{background-color:#cfc;border:1px solid #0c0}.highlight .go{color:#aaa}.highlight .gp{color:#009}.highlight .gu{color:#030}.highlight .gt{color:#9c6}.highlight .kc{color:#069}.highlight .kd{color:#069}.highlight .kn{color:#069}.highlight .kp{color:#069}.highlight .kr{color:#069}.highlight .kt{color:#078}.highlight .m{color:#f60}.highlight .s{color:#d44950}.highlight .na{color:#4f9fcf}.highlight .nb{color:#366}.highlight .nc{color:#0a8}.highlight .no{color:#360}.highlight .nd{color:#99f}.highlight .ni{color:#999}.highlight .ne{color:#c00}.highlight .nf{color:#c0f}.highlight .nl{color:#99f}.highlight .nn{color:#0cf}.highlight .nt{color:#2f6f9f}.highlight .nv{color:#033}.highlight .ow{color:#000}.highlight .w{color:#bbb}.highlight .mf{color:#f60}.highlight .mh{color:#f60}.highlight .mi{color:#f60}.highlight .mo{color:#f60}.highlight .sb{color:#c30}.highlight .sc{color:#c30}.highlight .sd{color:#c30;font-style:italic}.highlight .s2{color:#c30}.highlight .se{color:#c30}.highlight .sh{color:#c30}.highlight .si{color:#a00}.highlight .sx{color:#c30}.highlight .sr{color:#3aa}.highlight .s1{color:#c30}.highlight .ss{color:#fc3}.highlight .bp{color:#366}.highlight .vc{color:#033}.highlight .vg{color:#033}.highlight .vi{color:#033}.highlight .il{color:#f60}.css .o,.css .o+.nt,.css .nt+.nt{color:#999}.container{margin:0 auto;max-width:800px;width:80%}main,footer,.nav-container{display:block;margin:0 auto;max-width:800px;width:80%}.nav{box-shadow:0 2px 2px -2px rgba(0,0,0,0.2);overflow:auto}.nav-container{margin:1rem auto;position:relative;text-align:center}.nav-title{-webkit-transition:all 0.2s ease-out;-moz-transition:all 0.2s ease-out;transition:all 0.2s ease-out;color:#555;display:inline-block;margin:0;padding-right:.2rem}.nav-title:hover,.nav-title:focus{opacity:.6}.nav ul{list-style-type:none;margin:1rem 0 0;padding:0;text-align:center}.nav li{-webkit-transition:all 0.2s ease-out;-moz-transition:all 0.2s ease-out;transition:all 0.2s ease-out;color:#555;display:inline-block;opacity:.6;padding:0 2rem 0 0}.nav li:last-child{padding-right:0}.nav li:hover,.nav li:focus{opacity:1}.nav a{color:#555;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif}@media (min-width: 600px){.nav-container{text-align:left}.nav ul{bottom:0;position:absolute;right:0}}footer{font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;padding:2rem 0;text-align:center}footer span{color:#555;font-size:.8rem}.pagination{border-top:0.5px solid #e5e5e5;font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;padding-top:2rem;position:relative;text-align:center}.pagination span{color:#353535;font-size:1.1rem}.pagination .top{-webkit-transition:all 0.3s ease-out;-moz-transition:all 0.3s ease-out;transition:all 0.3s ease-out;color:#555;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:1.1rem;opacity:.6}.pagination .top:hover{opacity:1}.pagination .arrow{-webkit-transition:all 0.3s ease-out;-moz-transition:all 0.3s ease-out;transition:all 0.3s ease-out;color:#555;position:absolute}.pagination .arrow:hover,.pagination .arrow:focus{opacity:.6;text-decoration:none}.pagination .left{left:0}.pagination .right{right:0}.catalogue-item{border-bottom:1px solid #e5e5e5;color:#555;display:block;padding:2rem 0}.catalogue-item:hover .catalogue-line,.catalogue-item:focus .catalogue-line{width:5rem}.catalogue-item:last-child{border:0}.catalogue-time{color:#aaa;font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;letter-spacing:.5px}.catalogue-title{color:#353535;display:block;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:2rem;font-weight:700;margin:.5rem 0}.catalogue-line{-webkit-transition:all 0.3s ease-out;-moz-transition:all 0.3s ease-out;transition:all 0.3s ease-out;border-top:0.2rem solid #353535;display:block;width:2rem} +:root:not(.dark){--default-color: #555;--background-color: #fff;--default-shade: #353535;--default-tint: #aaa;--grey-1: #979797;--grey-2: #e5e5e5;--grey-3: #f0f0f0;--grey-4: #f9f9f9;--white: #fff;--blue: #4a9ae1;--shadow-color: rgba(0, 0, 0, .2);--code-color: #bf616a;--code-filter: }:root.dark{--default-color: #888;--background-color: #000;--default-shade: #989898;--default-tint: #555;--grey-1: #606060;--grey-2: #404040;--grey-3: #202020;--grey-4: #181818;--white: #fff;--blue: #1d6baf;--shadow-color: rgba(0, 0, 0, .2);--code-color: #a3434c;--code-filter: contrast(0.4) brightness(0.9)}*{-webkit-box-sizing:border-box;-moz-box-sizing:border-box;box-sizing:border-box;line-height:1.5}html,body{color:var(--default-color);background-color:var(--background-color);margin:0;padding:0}html{font-family:"Libre Baskerville","Times New Roman",Times,serif;font-size:14px;overflow-y:scroll}@media (min-width: 600px){html{font-size:16px}}body{-webkit-text-size-adjust:100%}h1,h2,h3,h4,h5,h6{color:var(--default-shade);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;line-height:normal}a{color:var(--blue);text-decoration:none}blockquote{border-left:0.25rem solid var(--grey-2);color:var(--grey-1);margin:.8rem 0;padding:.5rem 1rem}blockquote p:last-child{margin-bottom:0}@media (min-width: 600px){blockquote{padding:0 5rem 0 1.25rem}}img{display:block;margin:0 0 1rem;max-width:100%}td{vertical-align:top}pre,code{font-family:Menlo,Monaco,monospace}code{background-color:var(--grey-4);border-radius:3px;color:var(--code-color);font-size:85%;padding:.25em .5em;white-space:pre-wrap}pre{margin:0 0 1rem}pre code{background-color:transparent;color:inherit;font-size:100%;padding:0}pre code>span{filter:var(--code-filter)}.highlight{background-color:var(--grey-4);border-radius:3px;line-height:1.4;margin:0 0 1rem;padding:1rem}.highlight pre{margin-bottom:0;overflow-x:auto}.highlight .lineno{color:var(--default-tint);display:inline-block;padding:0 .75rem 0 .25rem;-webkit-user-select:none;-moz-user-select:none;user-select:none}.post{padding:3rem 0}.post-info{color:var(--default-tint);font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;letter-spacing:0.5px;text-align:center}.post-info span{font-style:italic}.post-title{color:var(--default-shade);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:4rem;margin:1rem 0;text-align:center}.post-line{border-top:0.4rem solid var(--default-shade);display:block;margin:0 auto 3rem;width:4rem}.post p{margin:0 0 1rem;text-align:justify}.post a:hover{text-decoration:underline}.post img{margin:0 auto 0.5rem}.post img+em{color:var(--default-tint);display:block;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:0.9rem;font-style:normal;text-align:center}.post img.emoji{display:inline-block;left:0;transform:none;width:1rem;height:1rem;vertical-align:text-top;padding:0;margin:0}.post-read-time{text-align:center}.highlight .hll{background-color:#ffc}.highlight .c{color:#999}.highlight .err{color:#a00;background-color:#faa}.highlight .k{color:#069}.highlight .o{color:#555}.highlight .cm{color:#09f;font-style:italic}.highlight .cp{color:#099}.highlight .c1{color:#999}.highlight .cs{color:#999}.highlight .gd{background-color:#fcc;border:1px solid #c00}.highlight .ge{font-style:italic}.highlight .gr{color:#f00}.highlight .gh{color:#030}.highlight .gi{background-color:#cfc;border:1px solid #0c0}.highlight .go{color:#aaa}.highlight .gp{color:#009}.highlight .gu{color:#030}.highlight .gt{color:#9c6}.highlight .kc{color:#069}.highlight .kd{color:#069}.highlight .kn{color:#069}.highlight .kp{color:#069}.highlight .kr{color:#069}.highlight .kt{color:#078}.highlight .m{color:#f60}.highlight .s{color:#d44950}.highlight .na{color:#4f9fcf}.highlight .nb{color:#366}.highlight .nc{color:#0a8}.highlight .no{color:#360}.highlight .nd{color:#99f}.highlight .ni{color:#999}.highlight .ne{color:#c00}.highlight .nf{color:#c0f}.highlight .nl{color:#99f}.highlight .nn{color:#0cf}.highlight .nt{color:#2f6f9f}.highlight .nv{color:#033}.highlight .ow{color:#000}.highlight .w{color:#bbb}.highlight .mf{color:#f60}.highlight .mh{color:#f60}.highlight .mi{color:#f60}.highlight .mo{color:#f60}.highlight .sb{color:#c30}.highlight .sc{color:#c30}.highlight .sd{color:#c30;font-style:italic}.highlight .s2{color:#c30}.highlight .se{color:#c30}.highlight .sh{color:#c30}.highlight .si{color:#a00}.highlight .sx{color:#c30}.highlight .sr{color:#3aa}.highlight .s1{color:#c30}.highlight .ss{color:#fc3}.highlight .bp{color:#366}.highlight .vc{color:#033}.highlight .vg{color:#033}.highlight .vi{color:#033}.highlight .il{color:#f60}.css .o,.css .o+.nt,.css .nt+.nt{color:#999}.container{margin:0 auto;max-width:800px;width:80%}main>*,footer,.nav-container{display:block;margin:0 auto;max-width:800px;width:80%}.nav{box-shadow:0 2px 2px -2px var(--shadow-color);overflow:auto}.nav-container{margin:1rem auto;position:relative;text-align:center}.nav-title{color:var(--default-color);display:inline-block;margin:0;padding-right:.2rem}.nav-title:hover,.nav-title:focus{opacity:.6}.nav ul{list-style-type:none;margin:1rem 0 0;padding:0;text-align:center}.nav li{color:var(--default-color);display:inline-block;opacity:.6;padding:0 2rem 0 0}.nav li:last-child{padding-right:0}.nav li:hover,.nav li:focus{opacity:1}.nav a{color:var(--default-color);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif}@media (min-width: 600px){.nav-container{text-align:left}.nav ul{bottom:0;position:absolute;right:0}}footer{font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;padding:2rem 0;text-align:center}footer span{color:var(--default-color);font-size:.8rem}aside.toc{position:sticky;top:0;max-width:30%;float:left;height:0;overflow:display;z-index:1}#tocTitle{width:fit-content}#tocContainer:hover{width:calc(2rem + var(--measured-expanded-width))}#tocContainer:hover div#tocCollapsible{height:var(--measured-height);width:var(--measured-expanded-width)}#tocContainer{background-color:var(--grey-3);border-radius:1rem;margin:2rem;padding:1rem;display:flex;flex-direction:column;overflow:hidden;width:calc(2rem + var(--measured-title-width));--measured-title-width: 2.4rem;-webkit-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.1s ease-out,height 0.1s ease-out;-moz-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.1s ease-out,height 0.1s ease-out;transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.1s ease-out,height 0.1s ease-out}#tocContainer>div{border-left:0.4rem solid var(--default-shade);padding-left:1rem}#tocContainer div#tocCollapsible{height:0;width:var(--measured-expanded-width);-webkit-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,height 0.1s ease-out;-moz-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,height 0.1s ease-out;transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,height 0.1s ease-out}nav#TableOfContents ul{list-style-type:none;padding-inline-start:1rem}nav#TableOfContents>ul{padding-inline-start:0}nav#TableOfContents li{margin-top:0.4rem}.pagination{border-top:0.5px solid var(--grey-2);font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;padding-top:2rem;position:relative;text-align:center}.pagination span{color:var(--default-shade);font-size:1.1rem}.pagination .top{-webkit-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;-moz-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;color:var(--default-color);font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:1.1rem;opacity:.6}.pagination .top:hover{opacity:1}.pagination .arrow{-webkit-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;-moz-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,opacity 0.3s ease-out;color:var(--default-color);position:absolute}.pagination .arrow:hover,.pagination .arrow:focus{opacity:.6;text-decoration:none}.pagination .left{left:0}.pagination .right{right:0}.catalogue-item{border-bottom:1px solid var(--grey-2);color:var(--default-color);display:block;padding:2rem 0}.catalogue-item:hover .catalogue-line,.catalogue-item:focus .catalogue-line{width:5rem}.catalogue-item:last-child{border:0}.catalogue-time{color:var(--default-tint);font-family:Palatino,"Palatino LT STD","Palatino Linotype","Book Antiqua","Georgia",serif;letter-spacing:.5px}.catalogue-title{color:var(--default-shade);display:block;font-family:"Helvetica Neue","Segoe UI",Helvetica,Arial,sans-serif;font-size:2rem;font-weight:700;margin:.5rem 0}.catalogue-line{-webkit-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.3s ease-out;-moz-transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.3s ease-out;transition:background-color 0.4s ease-out,color 0.4s ease-out,border-color 0.4s ease-out,box-shadow 0.4s ease-out,width 0.3s ease-out;border-top:0.2rem solid var(--default-shade);display:block;width:2rem}.article-discussion{margin:0} diff --git a/favicon.png b/favicon.png new file mode 100644 index 0000000..171d2de Binary files /dev/null and b/favicon.png differ diff --git a/index.html b/index.html index c5c5b74..8ee6c53 100644 --- a/index.html +++ b/index.html @@ -1,17 +1,10 @@ -Zentria Blog
+Zentria Blog +
🕒 2 minutes

It's 2022: nftables kind of integrates now

This is a follow up to the It’s 2021: nftables still does not integrate. -The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now. -libvirt Everything works. Seems to implicitly use compatibility layer very likely (assuming from libvirt Network Filters). -Docker Everything works out of the box, without having to write own rules or handle wiring with own Docker event handler.

+The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now.

🕒 1 minutes

Flakes and little convenient impurity escape hatch

Started using flakes recently? But then you found that: -You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don’t want to publish them. Your configuration is against your usual quality standards, so it’d be shame to show them to the world. Here’s one solution to that - works similarly to how current NixOS deployments are still done. -flake.nix { inputs = { impure-local.url = "path:./impure-local"; impure-local.flake = false; }; outputs = { nixpkgs, impure-local }: { nixosConfigurations.

-🕒 5 minutes

Container bind mount pitfalls: DNS

It's not DNS. There's no way it's DNS. It was DNS. Story time? Story time. I had this very old deployment of Clojure app around, orchestrating quite many Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1 -It also bound whole /var/run into the container to access Docker API socket (it’s still sitting at /var/run/docker.

+You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don’t want to publish them. Your configuration is against your usual quality standards, so it’d be shame to show them to the world. Here’s one solution to that - works similarly to how current NixOS deployments are still done.

+🕒 5 minutes

Container bind mount pitfalls: DNS

It’s not DNS. There’s no way it’s DNS. It was DNS.

🕒 2 minutes

It's 2021: nftables still does not integrate

You probably have seen it around somewhere already, for example Debian trying hard to replace iptables with it. -Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc. -(nftables is quite promising, don’t get me wrong - I quite like it, because how much easier it is to use and integrate. This is rather a rant towards other projects.) -HOWEVER, integrating it into existing solutions turns out to be VERY painful:

-🕒 6 minutes

An adventure of getting Docker on NixOS running only with cgroups v2

After discovering Linux’s wonderful Pressure Stall Information (PSI for short) subsystem, I’ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it’s Minecraft). -Since I monitor pretty much everything using Prometheus, then finding Cloudflare’s psi_exporter project made my life a lot easier - I didn’t have to write an exporter myself. -Why do cgroups v2 matter?

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc.

+🕒 6 minutes

An adventure of getting Docker on NixOS running only with cgroups v2

After discovering Linux’s wonderful Pressure Stall Information (PSI for short) subsystem, I’ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it’s Minecraft).

\ No newline at end of file diff --git a/index.xml b/index.xml index 9a073a4..17ec572 100644 --- a/index.xml +++ b/index.xml @@ -1,12 +1,11 @@ -Zentria Bloghttps://blog.zentria.company/Recent content on Zentria BlogHugo -- gohugo.ioen-usSat, 03 Sep 2022 22:38:50 +0300It's 2022: nftables kind of integrates nowhttps://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/Sat, 03 Sep 2022 22:38:50 +0300https://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/This is a follow up to the It&rsquo;s 2021: nftables still does not integrate. -The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now. -libvirt Everything works. Seems to implicitly use compatibility layer very likely (assuming from libvirt Network Filters). -Docker Everything works out of the box, without having to write own rules or handle wiring with own Docker event handler.Flakes and little convenient impurity escape hatchhttps://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Sun, 20 Mar 2022 23:20:00 +0200https://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Started using flakes recently? But then you found that: -You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don&rsquo;t want to publish them. Your configuration is against your usual quality standards, so it&rsquo;d be shame to show them to the world. Here&rsquo;s one solution to that - works similarly to how current NixOS deployments are still done. -flake.nix { inputs = { impure-local.url = &#34;path:./impure-local&#34;; impure-local.flake = false; }; outputs = { nixpkgs, impure-local }: { nixosConfigurations.Container bind mount pitfalls: DNShttps://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/Sun, 06 Jun 2021 19:56:22 +0300https://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/It&#39;s not DNS. There&#39;s no way it&#39;s DNS. It was DNS. Story time? Story time. I had this very old deployment of Clojure app around, orchestrating quite many Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1 -It also bound whole /var/run into the container to access Docker API socket (it&rsquo;s still sitting at /var/run/docker.It's 2021: nftables still does not integratehttps://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/Sat, 29 May 2021 19:25:17 +0300https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/You probably have seen it around somewhere already, for example Debian trying hard to replace iptables with it. -Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc. -(nftables is quite promising, don&rsquo;t get me wrong - I quite like it, because how much easier it is to use and integrate. This is rather a rant towards other projects.) -HOWEVER, integrating it into existing solutions turns out to be VERY painful:An adventure of getting Docker on NixOS running only with cgroups v2https://blog.zentria.company/posts/nixos-cgroupsv2/Sat, 24 Oct 2020 14:46:00 +0300https://blog.zentria.company/posts/nixos-cgroupsv2/After discovering Linux&rsquo;s wonderful Pressure Stall Information (PSI for short) subsystem, I&rsquo;ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it&rsquo;s Minecraft). -Since I monitor pretty much everything using Prometheus, then finding Cloudflare&rsquo;s psi_exporter project made my life a lot easier - I didn&rsquo;t have to write an exporter myself. -Why do cgroups v2 matter? \ No newline at end of file +Zentria Bloghttps://blog.zentria.company/Recent content on Zentria BlogHugoen-usSat, 03 Sep 2022 22:38:50 +0300It's 2022: nftables kind of integrates nowhttps://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/Sat, 03 Sep 2022 22:38:50 +0300https://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/<p>This is a follow up to the <a href="https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/">It&rsquo;s 2021: nftables still does not integrate</a>.</p> +<h1 id="the-good-what-works-compared-to-2021">The good: What works compared to 2021?</h1> +<p>Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so +things seem to work just fine now.</p>Flakes and little convenient impurity escape hatchhttps://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Sun, 20 Mar 2022 23:20:00 +0200https://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/<p>Started using flakes recently? But then you found that:</p> +<ol> +<li>You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don&rsquo;t want to publish them.</li> +<li>Your configuration is against your usual quality standards, so it&rsquo;d be shame to show them to the world.</li> +</ol> +<p>Here&rsquo;s one solution to that - works similarly to how current NixOS deployments are still done.</p>Container bind mount pitfalls: DNShttps://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/Sun, 06 Jun 2021 19:56:22 +0300https://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/<em>It&rsquo;s not DNS. There&rsquo;s no way it&rsquo;s DNS. It was DNS.</em>It's 2021: nftables still does not integratehttps://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/Sat, 29 May 2021 19:25:17 +0300https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/<p>You probably have <a href="https://wiki.nftables.org/">seen it around</a> somewhere already, for example <a href="https://archive.is/Xeyqv">Debian trying hard to replace iptables</a> with it.<br> +Debian 10 (buster) shipped with it already, <a href="https://wiki.archlinux.org/title/nftables">Arch Linux wiki</a> provided (usable) examples for the adventurous back in 2014 etc.</p>An adventure of getting Docker on NixOS running only with cgroups v2https://blog.zentria.company/posts/nixos-cgroupsv2/Sat, 24 Oct 2020 14:46:00 +0300https://blog.zentria.company/posts/nixos-cgroupsv2/<p>After discovering Linux&rsquo;s wonderful <a href="https://www.kernel.org/doc/html/latest/accounting/psi.html">Pressure Stall Information</a> (PSI for short) subsystem, I&rsquo;ve been trying to set up monitoring on +Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it&rsquo;s <a href="https://minecraft.net">Minecraft</a>).</p> \ No newline at end of file diff --git a/page/1/index.html b/page/1/index.html index c3d8cac..6fbb0c1 100644 --- a/page/1/index.html +++ b/page/1/index.html @@ -1 +1,2 @@ -https://blog.zentria.company/ \ No newline at end of file +https://blog.zentria.company/ + \ No newline at end of file diff --git a/posts/container-bind-mount-pitfalls-dns/index.html b/posts/container-bind-mount-pitfalls-dns/index.html index da4ce9d..83eb156 100644 --- a/posts/container-bind-mount-pitfalls-dns/index.html +++ b/posts/container-bind-mount-pitfalls-dns/index.html @@ -1,5 +1,5 @@ -Container bind mount pitfalls: DNS · Zentria Blog
Written by +Container bind mount pitfalls: DNS · Zentria Blog +
Written by Mark V.
on 

Container bind mount pitfalls: DNS

🕒 5 minutes

DNS Haiku

It's not DNS. There's no way it's DNS. It was DNS.

Story time? Story time.

I had this very old deployment of Clojure app around, orchestrating quite many Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1

It also bound whole /var/run into the container to access Docker API socket (it’s still sitting at /var/run/docker.sock at the time of writing). @@ -16,9 +16,9 @@ #include <arpa/inet.h> #include <netdb.h> -main(int argc, char **argv) { - struct hostent *lh = gethostbyname(argv[1]); - printf("res: %s\n", (lh ? inet_ntoa(*((struct in_addr*) lh->h_addr_list[0])) : "(failed)")); +main(int argc, char **argv) { + struct hostent *lh = gethostbyname(argv[1]); + printf("res: %s\n", (lh ? inet_ntoa(*((struct in_addr*) lh->h_addr_list[0])) : "(failed)")); }

…and the one-liner copypasteable version:

echo -e '#include<stdio.h>\n#include<arpa/inet.h>\n#include<netdb.h>\nmain(int argc,char **argv){struct hostent *lh=gethostbyname(argv[1]); printf("res: %s\\n",(lh?inet_ntoa(*((struct in_addr*)lh->h_addr_list[0])):"(failed)"));}' | gcc -x c - -o /dns

Compiled and ran it on Ubuntu container, I saw this: 2

stat("/etc/resolv.conf", {st_mode=S_IFREG|0444, st_size=36, ...}) = 0
@@ -57,4 +57,4 @@
 /var/lib/zentria into the container.
Option 2: mount tmpfs over /var/run/nscd
That’s rather a temporary solution.
Option 3: mount /var/run somewhere else, like /host/var/run
That’ll work too, but you’ll also very likely expose unwanted files into the container. Less access the better it is.
You should consider picking Option 1 instead.
Option 4: access Docker API over TCP+TLS
That’s the most secure way, as this allows more fine grained control. Besides PKI based auth, you are able
 to set up an authorization plugin to apply limits to the API - making Docker API access less equal to root access on host ;)
TL;DR
Linux DNS is not broken. Do not mount /var/run into container’s /var/run blindly - especially if you have nscd running on host.
  1. I think Docker on Linux still does not have this host.docker.internal DNS address set up. ↩︎
  2. Well this strace output is from my current NixOS installation. Only had poor quality pictures around from the real environment. ↩︎
\ No newline at end of file +Top \ No newline at end of file diff --git a/posts/flakes-and-little-convenient-impurity-escape-hatch/index.html b/posts/flakes-and-little-convenient-impurity-escape-hatch/index.html index a8aa5a4..fba160c 100644 --- a/posts/flakes-and-little-convenient-impurity-escape-hatch/index.html +++ b/posts/flakes-and-little-convenient-impurity-escape-hatch/index.html @@ -1,6 +1,7 @@ -Flakes and little convenient impurity escape hatch · Zentria Blog
Written by +Flakes and little convenient impurity escape hatch · Zentria Blog +
Written by Mark V.
on 

Flakes and little convenient impurity escape hatch

🕒 1 minutes

Started using flakes recently? But then you found that:

  1. You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don’t want to publish them.
  2. Your configuration is against your usual quality standards, so it’d be shame to show them to the world.

Here’s one solution to that - works similarly to how current NixOS deployments are still done.

flake.nix

{
   inputs = {
     impure-local.url = "path:./impure-local";
@@ -29,4 +30,4 @@
 error: getting status of '/nix/store/pjc26z765hj1gqhs2cac81g58fk5gvgr-source/default.nix': No such file or directory

Pros

  • Impure - restores /etc/nixos/configuration.nix-like solution, allows to be lazy.
    • However you cannot reference configurations outside the override path (good)
    • e.g /etc/nixos/default.nix imports ./foo.nix => this works
    • e.g /etc/nixos/default.nix imports /home/mark/foo.nix => this will not, Nix will require --impure flag (to access files outside the store)
  • You can experiment with system changes more easily, and then refactor them into your flake
  • Don’t have to deal with encrypting configuration when publishing flake publicly
  • Per-machine configuration (firewall rules etc.)

Cons

  • Impure, since configuration is machine-local, then deploying same flake to new machine wouldn’t yield same end result (duh).
  • Whole configuration is copied into the store, secrets will be world-readable (if you declare them there)

Example configurations using this

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Top
\ No newline at end of file diff --git a/posts/index.html b/posts/index.html index a3d4caf..6f549d2 100644 --- a/posts/index.html +++ b/posts/index.html @@ -1,17 +1,10 @@ -Posts · Zentria Blog
+Posts · Zentria Blog +
🕒 2 minutes

It's 2022: nftables kind of integrates now

This is a follow up to the It’s 2021: nftables still does not integrate. -The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now. -libvirt Everything works. Seems to implicitly use compatibility layer very likely (assuming from libvirt Network Filters). -Docker Everything works out of the box, without having to write own rules or handle wiring with own Docker event handler.

+The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now.

🕒 1 minutes

Flakes and little convenient impurity escape hatch

Started using flakes recently? But then you found that: -You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don’t want to publish them. Your configuration is against your usual quality standards, so it’d be shame to show them to the world. Here’s one solution to that - works similarly to how current NixOS deployments are still done. -flake.nix { inputs = { impure-local.url = "path:./impure-local"; impure-local.flake = false; }; outputs = { nixpkgs, impure-local }: { nixosConfigurations.

-🕒 5 minutes

Container bind mount pitfalls: DNS

It's not DNS. There's no way it's DNS. It was DNS. Story time? Story time. I had this very old deployment of Clojure app around, orchestrating quite many Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1 -It also bound whole /var/run into the container to access Docker API socket (it’s still sitting at /var/run/docker.

+You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don’t want to publish them. Your configuration is against your usual quality standards, so it’d be shame to show them to the world. Here’s one solution to that - works similarly to how current NixOS deployments are still done.

+🕒 5 minutes

Container bind mount pitfalls: DNS

It’s not DNS. There’s no way it’s DNS. It was DNS.

🕒 2 minutes

It's 2021: nftables still does not integrate

You probably have seen it around somewhere already, for example Debian trying hard to replace iptables with it. -Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc. -(nftables is quite promising, don’t get me wrong - I quite like it, because how much easier it is to use and integrate. This is rather a rant towards other projects.) -HOWEVER, integrating it into existing solutions turns out to be VERY painful:

-🕒 6 minutes

An adventure of getting Docker on NixOS running only with cgroups v2

After discovering Linux’s wonderful Pressure Stall Information (PSI for short) subsystem, I’ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it’s Minecraft). -Since I monitor pretty much everything using Prometheus, then finding Cloudflare’s psi_exporter project made my life a lot easier - I didn’t have to write an exporter myself. -Why do cgroups v2 matter?

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc.

+🕒 6 minutes

An adventure of getting Docker on NixOS running only with cgroups v2

After discovering Linux’s wonderful Pressure Stall Information (PSI for short) subsystem, I’ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it’s Minecraft).

\ No newline at end of file diff --git a/posts/index.xml b/posts/index.xml index 67883da..126c792 100644 --- a/posts/index.xml +++ b/posts/index.xml @@ -1,12 +1,11 @@ -Posts on Zentria Bloghttps://blog.zentria.company/posts/Recent content in Posts on Zentria BlogHugo -- gohugo.ioen-usSat, 03 Sep 2022 22:38:50 +0300It's 2022: nftables kind of integrates nowhttps://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/Sat, 03 Sep 2022 22:38:50 +0300https://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/This is a follow up to the It&rsquo;s 2021: nftables still does not integrate. -The good: What works compared to 2021? Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now. -libvirt Everything works. Seems to implicitly use compatibility layer very likely (assuming from libvirt Network Filters). -Docker Everything works out of the box, without having to write own rules or handle wiring with own Docker event handler.Flakes and little convenient impurity escape hatchhttps://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Sun, 20 Mar 2022 23:20:00 +0200https://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Started using flakes recently? But then you found that: -You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don&rsquo;t want to publish them. Your configuration is against your usual quality standards, so it&rsquo;d be shame to show them to the world. Here&rsquo;s one solution to that - works similarly to how current NixOS deployments are still done. -flake.nix { inputs = { impure-local.url = &#34;path:./impure-local&#34;; impure-local.flake = false; }; outputs = { nixpkgs, impure-local }: { nixosConfigurations.Container bind mount pitfalls: DNShttps://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/Sun, 06 Jun 2021 19:56:22 +0300https://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/It&#39;s not DNS. There&#39;s no way it&#39;s DNS. It was DNS. Story time? Story time. I had this very old deployment of Clojure app around, orchestrating quite many Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1 -It also bound whole /var/run into the container to access Docker API socket (it&rsquo;s still sitting at /var/run/docker.It's 2021: nftables still does not integratehttps://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/Sat, 29 May 2021 19:25:17 +0300https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/You probably have seen it around somewhere already, for example Debian trying hard to replace iptables with it. -Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc. -(nftables is quite promising, don&rsquo;t get me wrong - I quite like it, because how much easier it is to use and integrate. This is rather a rant towards other projects.) -HOWEVER, integrating it into existing solutions turns out to be VERY painful:An adventure of getting Docker on NixOS running only with cgroups v2https://blog.zentria.company/posts/nixos-cgroupsv2/Sat, 24 Oct 2020 14:46:00 +0300https://blog.zentria.company/posts/nixos-cgroupsv2/After discovering Linux&rsquo;s wonderful Pressure Stall Information (PSI for short) subsystem, I&rsquo;ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it&rsquo;s Minecraft). -Since I monitor pretty much everything using Prometheus, then finding Cloudflare&rsquo;s psi_exporter project made my life a lot easier - I didn&rsquo;t have to write an exporter myself. -Why do cgroups v2 matter? \ No newline at end of file +Posts on Zentria Bloghttps://blog.zentria.company/posts/Recent content in Posts on Zentria BlogHugoen-usSat, 03 Sep 2022 22:38:50 +0300It's 2022: nftables kind of integrates nowhttps://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/Sat, 03 Sep 2022 22:38:50 +0300https://blog.zentria.company/posts/its-2022-nftables-kind-of-integrates-now/<p>This is a follow up to the <a href="https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/">It&rsquo;s 2021: nftables still does not integrate</a>.</p> +<h1 id="the-good-what-works-compared-to-2021">The good: What works compared to 2021?</h1> +<p>Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so +things seem to work just fine now.</p>Flakes and little convenient impurity escape hatchhttps://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/Sun, 20 Mar 2022 23:20:00 +0200https://blog.zentria.company/posts/flakes-and-little-convenient-impurity-escape-hatch/<p>Started using flakes recently? But then you found that:</p> +<ol> +<li>You need per-machine configuration for experimentation/secrets (well, e.g firewall config), but don&rsquo;t want to publish them.</li> +<li>Your configuration is against your usual quality standards, so it&rsquo;d be shame to show them to the world.</li> +</ol> +<p>Here&rsquo;s one solution to that - works similarly to how current NixOS deployments are still done.</p>Container bind mount pitfalls: DNShttps://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/Sun, 06 Jun 2021 19:56:22 +0300https://blog.zentria.company/posts/container-bind-mount-pitfalls-dns/<em>It&rsquo;s not DNS. There&rsquo;s no way it&rsquo;s DNS. It was DNS.</em>It's 2021: nftables still does not integratehttps://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/Sat, 29 May 2021 19:25:17 +0300https://blog.zentria.company/posts/its-2021-nftables-still-does-not-integrate/<p>You probably have <a href="https://wiki.nftables.org/">seen it around</a> somewhere already, for example <a href="https://archive.is/Xeyqv">Debian trying hard to replace iptables</a> with it.<br> +Debian 10 (buster) shipped with it already, <a href="https://wiki.archlinux.org/title/nftables">Arch Linux wiki</a> provided (usable) examples for the adventurous back in 2014 etc.</p>An adventure of getting Docker on NixOS running only with cgroups v2https://blog.zentria.company/posts/nixos-cgroupsv2/Sat, 24 Oct 2020 14:46:00 +0300https://blog.zentria.company/posts/nixos-cgroupsv2/<p>After discovering Linux&rsquo;s wonderful <a href="https://www.kernel.org/doc/html/latest/accounting/psi.html">Pressure Stall Information</a> (PSI for short) subsystem, I&rsquo;ve been trying to set up monitoring on +Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it&rsquo;s <a href="https://minecraft.net">Minecraft</a>).</p> \ No newline at end of file diff --git a/posts/its-2021-nftables-still-does-not-integrate/index.html b/posts/its-2021-nftables-still-does-not-integrate/index.html index ea40f6f..4756c1a 100644 --- a/posts/its-2021-nftables-still-does-not-integrate/index.html +++ b/posts/its-2021-nftables-still-does-not-integrate/index.html @@ -1,7 +1,7 @@ -It's 2021: nftables still does not integrate · Zentria Blog
Written by +It's 2021: nftables still does not integrate · Zentria Blog +
Written by Mark V.
on 

It's 2021: nftables still does not integrate

🕒 2 minutes

You probably have seen it around somewhere already, for example Debian trying hard to replace iptables with it.
Debian 10 (buster) shipped with it already, Arch Linux wiki provided (usable) examples for the adventurous back in 2014 etc.

(nftables is quite promising, don’t get me wrong - I quite like it, because how much easier it is to use and integrate. This is rather a rant towards other projects.)

HOWEVER, integrating it into existing solutions turns out to be VERY painful:

  1. Docker does not support it - issue is still open
  2. Kubernetes does not seem to support it. 1
  3. CNI does not support it yet (https://github.com/containernetworking/plugins/issues/519)
  4. Unofficial CNI plugins for nftables are poor quality at best. 2
  5. libvirt does not support nftables (directly)

iptables-nft compatibility layer problems

iptables-nft does not support all features what legacy iptables does. Few examples:

libvirt:

Error starting network 'default': internal error: Failed to apply firewall rules /usr/bin/iptables -w --table filter --insert LIBVIRT_INP --in-interface virbr0 --protocol tcp --destination-port 67 --jump ACCEPT:
 iptables v1.8.7 (nf_tables): unknown option "--destination-port"
@@ -10,4 +10,4 @@

Workarounds

Libvirt:

Use firewalld perhaps? I could not get it working with default network though (NAT, 192.168.122.0/24 - see compatibility layer problems section).

Docker:

There are few solutions around, like https://archive.is/MHBu3 and https://archive.is/bqKHl, but this involves disabling Docker’s iptables integration, making use of managed networks (docker network create <name>) painful.

Technically could work this around by writing a events listener for Docker or using a plugin (probably?)

Note that using firewalld won’t save you with Docker - it wants to insert custom rules via the --direct interface

In conclusion

nftables works, but integrating it into existing solutions is still painful / impossible. Let’s revisit this topic in 2022 perhaps?

  1. I’m not entirely sure. It isn’t like written into stone or something, but there are discussions around the internet which imply that it does not:

     ↩︎

  2. Inserting identical jump rule multiple times. See this gist ↩︎

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Top
\ No newline at end of file diff --git a/posts/its-2022-nftables-kind-of-integrates-now/index.html b/posts/its-2022-nftables-kind-of-integrates-now/index.html index 4dba06b..27ab5aa 100644 --- a/posts/its-2022-nftables-kind-of-integrates-now/index.html +++ b/posts/its-2022-nftables-kind-of-integrates-now/index.html @@ -1,7 +1,7 @@ -It's 2022: nftables kind of integrates now · Zentria Blog
Written by +It's 2022: nftables kind of integrates now · Zentria Blog +
Written by Mark V.
on 

It's 2022: nftables kind of integrates now

🕒 2 minutes

This is a follow up to the It’s 2021: nftables still does not integrate.

The good: What works compared to 2021?

Pretty much everything is still revolving around the iptables-nft compatibility layer, but it has improved a lot so things seem to work just fine now.

libvirt

Everything works. Seems to implicitly use compatibility layer very likely (assuming from libvirt Network Filters).

Docker

Everything works out of the box, without having to write own rules or handle wiring with own Docker event handler. Implicitly uses compatibility layer.

CNI firewall plugin

Also uses compatibility layer. This was worth mentioning because podman, Kubernetes, containerd etc. rely on CNI.

The bad

Scripting/firewall management by shelling out to iptables

Pretty much all open & popular solutions mentioning firewall management on Linux simply shell out to iptables commands.

I’ve seen one edge case with iptables-nft - if you try to list rules in nonexistent chain, it fails with unrelated error:

$ iptables-nft -t filter -X SWDFW-INPUT || true
 $ iptables-nft -t filter -S SWDFW-INPUT 1
@@ -13,4 +13,4 @@
 ip6tables -A INPUT -p icmpv6 --icmpv6-type 139 -j DROP

Get Extension icmpv6 revision 0 not supported, missing kernel module?, why?

modinfo ip6_tables shows alias: ip6t_icmp6, loading it gets it working, therefore icmpv6 filtering is provided by that, even though nftables support icmp natively…

Legacy iptables is using /proc/net/ip_tables_names for table names, but that’s unsurprisingly empty on a system which doesn’t use legacy framework.

Future

RHEL 9 deprecated ipset & iptables-nft
OpenWRT 22.03.0 is using nftables for its firewall management. It’s doing rule templating instead of using JSON though.

I hope legacy iptables and its compatibility layer is going to be replaced on other distributions as well in next following years.

Until then, enjoy iptables and its compatibility cruft.

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Top
\ No newline at end of file diff --git a/posts/nixos-cgroupsv2/index.html b/posts/nixos-cgroupsv2/index.html index 87f2830..9d22276 100644 --- a/posts/nixos-cgroupsv2/index.html +++ b/posts/nixos-cgroupsv2/index.html @@ -1,6 +1,5 @@ -An adventure of getting Docker on NixOS running only with cgroups v2 · Zentria Blog
Written by +An adventure of getting Docker on NixOS running only with cgroups v2 · Zentria Blog +
Written by Mark V.
on 

An adventure of getting Docker on NixOS running only with cgroups v2

🕒 6 minutes

After discovering Linux’s wonderful Pressure Stall Information (PSI for short) subsystem, I’ve been trying to set up monitoring on Docker containers where I run very memory, CPU and I/O hungry game servers (not hard to guess - it’s Minecraft).

Since I monitor pretty much everything using Prometheus, then finding Cloudflare’s psi_exporter project made my life a lot easier - I didn’t have to write an exporter myself.

Why do cgroups v2 matter? Why isn’t v1 sufficient?

But wait, hold up. Docker v19.03.13 does not support cgroups v2 yet, and only uses cgroups v1 to do its things! @@ -103,4 +102,4 @@ some avg10=0.00 avg60=0.00 avg300=0.00 total=0 full avg10=0.00 avg60=0.00 avg300=0.00 total=0

That’s all for today.

© . Made with Hugo using the Tale theme.
\ No newline at end of file +Top
\ No newline at end of file diff --git a/posts/page/1/index.html b/posts/page/1/index.html index 466ccc0..ee13d77 100644 --- a/posts/page/1/index.html +++ b/posts/page/1/index.html @@ -1 +1,2 @@ -https://blog.zentria.company/posts/ \ No newline at end of file +https://blog.zentria.company/posts/ + \ No newline at end of file diff --git a/tags/index.html b/tags/index.html index 7fb1730..8cc0d89 100644 --- a/tags/index.html +++ b/tags/index.html @@ -1 +1,2 @@ -Tags · Zentria Blog

Tags

\ No newline at end of file +Tags · Zentria Blog +

Tags

\ No newline at end of file diff --git a/tags/index.xml b/tags/index.xml index c8d6cd9..bf3a2df 100644 --- a/tags/index.xml +++ b/tags/index.xml @@ -1 +1 @@ -Tags on Zentria Bloghttps://blog.zentria.company/tags/Recent content in Tags on Zentria BlogHugo -- gohugo.ioen-us \ No newline at end of file +Tags on Zentria Bloghttps://blog.zentria.company/tags/Recent content in Tags on Zentria BlogHugoen-us \ No newline at end of file diff --git a/tags/page/1/index.html b/tags/page/1/index.html index 438a5d1..b14c9b1 100644 --- a/tags/page/1/index.html +++ b/tags/page/1/index.html @@ -1 +1,2 @@ -https://blog.zentria.company/tags/ \ No newline at end of file +https://blog.zentria.company/tags/ + \ No newline at end of file