Anyone running #PaperlessNGX #rootless using #Podman and #PodmanCompose under #Debian12? The volumes I'm mapping to the host always get chowned to 100999:100999, and that's with USERMAP_UID=1000 and USERMAP_GID=1000 in docker-compose.env.
Playing around with PODMAN_USERNS mainly leads to the container not starting at all (in at least one case because it can't install packages).
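The 100999 in the post above is what rootless Podman's default user namespace produces: container ID 0 becomes the invoking user's own ID, and container IDs 1, 2, ... are laid over the ranges granted to that user in /etc/subuid and /etc/subgid, so with a range starting at 100000 the container's UID 1000 lands on host UID 100000 + 999. The script below is an added illustration of that arithmetic, not code from Podman or from the poster; the subuid lines, the user names and the own-UID value are constructed.

```python
"""Map container UIDs/GIDs to host IDs the way rootless Podman's default
user namespace does, and back again.

Added illustration, not Podman's own code. The /etc/subuid sample and the
user names below are constructed; /etc/subgid has the same layout.
"""
from typing import List, Tuple

# Constructed sample of /etc/subuid (user:start:count, ranges in file order).
SAMPLE_SUBUID = """\
# user:start:count
alice:100000:65536
bob:165536:65536
"""


def parse_subid(text: str, user: str) -> List[Tuple[int, int]]:
    """Return the (start, count) ranges granted to `user`, in file order."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def container_to_host(cid: int, own_id: int, ranges: List[Tuple[int, int]]) -> int:
    """Host ID that files owned by container ID `cid` are written with."""
    if cid == 0:
        return own_id            # container root is the rootless user itself
    offset = cid - 1             # container ID 1 is the first sub-ID
    for start, count in ranges:  # ranges are consumed in file order
        if offset < count:
            return start + offset
        offset -= count
    raise ValueError(f"container id {cid} is outside the mapped range")


def host_to_container(hid: int, own_id: int, ranges: List[Tuple[int, int]]) -> int:
    """Inverse mapping: which container ID a host-side owner corresponds to."""
    if hid == own_id:
        return 0
    base = 1
    for start, count in ranges:
        if start <= hid < start + count:
            return base + (hid - start)
        base += count
    raise ValueError(f"host id {hid} is not mapped into this user namespace")


if __name__ == "__main__":
    # Constructed scenario: host user 'alice' has UID 1000 and the range above.
    ranges = parse_subid(SAMPLE_SUBUID, "alice")
    print("container 1000 ->", container_to_host(1000, 1000, ranges))
    print("host 100999   ->", host_to_container(100999, 1000, ranges))
```

On a real host, `podman unshare cat /proc/self/uid_map` prints the mapping Podman actually applied, which is the thing to compare against. If the goal is for container UID 1000 to appear as host UID 1000 on the bind-mounted volume, that is what `--userns=keep-id:uid=1000,gid=1000` on the Podman CLI (the `userns_mode` key in a compose file) is for, rather than changing the ID the application switches to inside the container.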
Did you miss the Podman Community Cabal meeting this week? No worries, the video is now up on YouTube! We talked about data production appliances and backups, encapsulation, and a bit more. #opensource #podman https://youtu.be/aLKET_3loWw
I, again, am thinking about combining Silverblue as my base system with a more complex Nix setup to replace toolbox (which is effectively a separate whole Linux to maintain or throw away regularly, or build a CI for to create new images, etc. -- nah).
Now, Nix works fine, but it needs to store things under /nix because most binaries are prefix dependent and not portable in their location. But what if I download the nix store to $HOME/.nix instead and then launch a light-weight throw-away container/namespace that simply maps $HOME/.nix to /nix but keeps everything else identical?
Would that work? Did someone already build that stuff?
What is a good base image for building my own container image for a #rustlang project? Currently using docker.io/library/rust:slim-bookworm right now. My project is running on Rust nightly though. Idk if it's gonna work.
Currently waiting for the build to finish... #docker #podman
The next Podman Community Cabal meeting is this Tuesday, April 16, 2024, at 11:00am EDT (UTC-5). At the moment we only have a topic about backup appliances and would love to have another topic or two! Agenda with video link: https://hackmd.io/gQCfskDuRLm7iOsWgH2yrg?both #podman #opensource
TIL #Distrobox and #Podman are both pre-installed on the #SteamDeck since the last #SteamOS 3.5 update - never seen that mentioned in the changelog or any news of said update before, so that's cool!
The video is up from yesterday's Podman Community meeting. We had a demo/update on new Podman Desktop features, a demo on LLM and Podman, a demo on artifact support in the podman manifest command, a Podman v5.01 update, and more! #podman #opensource https://youtu.be/-8l3vGcT3fo
I have just posted a patch updating #podman (to 5.0.0) and #buildah in #guix. It involves somewhat large changes to the build process, so if there are any Guix users of podman and/or buildah here, it would be cool if you could test that it works fine for you.
There's a huge backdoor (#CVE-2024-3094) allowing remote SSH access (as far as I can tell at this moment) caused by a util called #xz affecting a ton of systems (#Linux and #macOS, well not really) and it's causing quite a huge panic. I honestly don't know much about it just yet, but just sharing some pieces to read about the huge vulnerability.
The person who had maliciously planted this vulnerability into xz-utils, Jia Tan, has made at least 750 contributions to the project over the past 2 years. They even have direct push access to the code repo, allowing them to have pushed commits with forged authors. Being "free" from this vulnerability is not as simple as reverting to a previous version due to just how much and how long they've contributed to the project, and people are rightfully suspicious that this person might have hidden other backdoors in xz.
Unlike most other vulnerabilities, it's a lot harder to pinpoint the versions affected by this, but the most likely case is that most systems out there that have xz installed are impacted - which at this moment, the info being thrown around is any version past 5.3.1, 5.4.6, or 5.6.0 (latest is 5.6.1).
As far as I can tell, you're only impacted by this vulnerability if:
Your distro sources/packages xz from their release tarballs rather than through the Git source directly.
The payload was only included for the #RPM or #DEB packaging, so unless your distro uses these - you're probably safe.
As far as I can tell, it also only affects x86 systems so #ARM based systems should be fine.
As far as I can tell, your system needs to be running #systemd to be impacted by this, so #Docker/#Podman #containers should mostly if not entirely be fine....? maybe.
In other news, people are currently investigating and evaluating other projects also actively contributed by the compromised developer, Jia Tan, including #libarchive.
People are also analysing the dev's commit history to deduce their background from their activity lol. They've been found to push commits during office hours Mon-Fri, every other Saturday, presumably public holidays that seem to align with China's PH, and seem to be in the GMT+8 time zone.
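A first-pass inventory check for the thread above, added here and not part of the post: the CVE-2024-3094 record names xz-utils 5.6.0 and 5.6.1 as the affected releases, so the quickest triage on a fleet is to parse `xz --version` and flag those two. The two sample outputs embedded below are constructed, not captured from a real host; the function names are this example's own.

```python
"""Triage helper for CVE-2024-3094: parse `xz --version` output and flag
the releases named by the CVE record (xz-utils 5.6.0 and 5.6.1).

Added example, not from the post or from the xz project. The sample
outputs are constructed.
"""
import re
import subprocess
from typing import Dict, Optional, Tuple

# Releases named by the CVE-2024-3094 record.
AFFECTED_VERSIONS = {(5, 6, 0), (5, 6, 1)}

# Constructed samples of `xz --version` output (first line is the xz tool,
# second line is the linked liblzma, which is the library sshd's chain loads).
SAMPLE_OUTPUT_BAD = "xz (XZ Utils) 5.6.1\nliblzma 5.6.1\n"
SAMPLE_OUTPUT_OK = "xz (XZ Utils) 5.4.6\nliblzma 5.4.6\n"

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

Version = Tuple[int, int, int]


def parse_version(line: str) -> Optional[Version]:
    """Extract the first X.Y.Z triple from a line, or None if there is none."""
    m = VERSION_RE.search(line)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def classify(output: str) -> Dict[str, object]:
    """Return the xz and liblzma versions found plus an 'affected' verdict.

    liblzma is checked separately from the xz binary because the backdoor
    lives in the library; a mismatched pair is itself worth a second look.
    """
    result: Dict[str, object] = {"xz": None, "liblzma": None}
    for line in output.splitlines():
        if line.startswith("xz "):
            result["xz"] = parse_version(line)
        elif line.startswith("liblzma"):
            result["liblzma"] = parse_version(line)
    found = [v for v in (result["xz"], result["liblzma"]) if v is not None]
    result["affected"] = any(v in AFFECTED_VERSIONS for v in found)
    return result


def check_local_xz() -> Dict[str, object]:
    """Run the installed xz binary and classify it; absent xz is reported, not raised."""
    try:
        proc = subprocess.run(["xz", "--version"], capture_output=True,
                              text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        return {"xz": None, "liblzma": None, "affected": False, "error": str(exc)}
    return classify(proc.stdout)


if __name__ == "__main__":
    print("sample (bad):", classify(SAMPLE_OUTPUT_BAD))
    print("sample (ok): ", classify(SAMPLE_OUTPUT_OK))
    print("this host:   ", check_local_xz())
```

The version string is only a first pass: distributions that reverted to an older upstream tarball kept a package version that still reads as 5.6.x in their own package metadata, so the distro advisory and the package changelog, not the bare version triple, decide whether a given build carries the reverted sources.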
The video from the Podman Community Cabal meeting is now up. It was a short meeting as 2 of the 3 speakers could not make it at the last moment. We talked a bit about reverse dependency tests, rootless population of IPs, and V5.0. https://www.youtube.com/watch?v=XW43y97V6kU&t=194s #opensource #podman