Hacker News: eriksjolund

New comment by eriksjolund in "I ditched Docker for Podman"

eriksjolund — Sat, 06 Sep 2025 06:46:11 +0000

Sometimes it's possible to not use the Podman API at all. Convert the compose file to quadlet files with the command-line tool podlet and start the container with "systemctl --user start myapp.service". Due to the fork/exec architecture of podman, the container can then be started without using the Podman API.

New comment by eriksjolund in "Replacing Kubernetes with systemd (2024)"

eriksjolund — Tue, 06 May 2025 17:35:12 +0000

That workaround is not needed if the web server container supports socket activation. Due to the fork-exec architecture of Podman, the socket-activated socket is inherited by the container process. Network traffic sent over this socket-activated socket has native performance. https://github.com/containers/podman/blob/main/docs/tutorial...

New comment by eriksjolund in "Getting forked by Microsoft"

eriksjolund — Mon, 21 Apr 2025 12:51:19 +0000

The license would no longer be open source if you limit use to only community.

See "6. No Discrimination Against Fields of Endeavor" in The Open Source Definition https://opensource.org/osd

New comment by eriksjolund in "Podman Quadlets with Podman Desktop"

eriksjolund — Tue, 15 Apr 2025 12:36:56 +0000

I did it out of pure interest, just to explore ways of locking down a web server.

New comment by eriksjolund in "Podman Quadlets with Podman Desktop"

eriksjolund — Tue, 15 Apr 2025 07:41:57 +0000

You can use the podman option `--network=none` together with the systemd directive `RestrictAddressFamilies=`

I wrote a demo: https://www.redhat.com/en/blog/podman-systemd-limit-access

Podman will then not have the privilege to pull the container image, but a web server container can still serve the internet with socket activation.

New comment by eriksjolund in "Podman Quadlets with Podman Desktop"

eriksjolund — Mon, 14 Apr 2025 20:32:35 +0000

Podman quadlet supports "Socket activation of containers" https://github.com/containers/podman/blob/main/docs/tutorial... This allows you to run a network server with `Network=none` (--network=none). If the server would be compromised, the intruder would not have the privileges to use the compromised server as a spam bot. There are other advantages, such as support for preserved source IP address and better performance when running a container with rootless Podman + Pasta in a custom network.

New comment by eriksjolund in "Quadlet: Running Podman containers under systemd"

eriksjolund — Mon, 24 Mar 2025 10:32:59 +0000

Socket activation can be used with quadlets but not with docker-compose. That is a big advantage.

https://github.com/containers/podman/blob/main/docs/tutorial...

New comment by eriksjolund in "Learning about Bootc"

eriksjolund — Mon, 24 Mar 2025 09:20:40 +0000

If you want to know why bootc is needed check this list of goals: https://containers.github.io/bootable/

I found that URL by following the link in "bootc is the key component in a broader mission of bootable containers."

(https://bootc-dev.github.io/bootc/intro.html)

New comment by eriksjolund in "Httptap: View HTTP/HTTPS requests made by any Linux program"

eriksjolund — Mon, 03 Feb 2025 19:25:29 +0000

Another tool that can be used by an unprivileged user for analysing network traffic is rootless Podman with Pasta.

Just add the podman run option

--network=pasta:--pcap,myfile.pcap

Pasta then records the network traffic into a PCAP file that could later be analysed.

I wrote a simple example where I used tshark to analyse the recorded PCAP file https://github.com/eriksjolund/podman-networking-docs?tab=re...

New comment by eriksjolund in "Zoomable Circles, a Svelte component for hierarchical data"

eriksjolund — Sun, 31 Mar 2024 18:12:49 +0000

How to display circles on top of zoomable images without getting flickering is an interesting problem. (This comment does not refer specifically to displaying a tree map)

I noticed that painting the circles on top of an overlay with OpenSeadragon caused flickering [1]. However, when painting circles on top of the pyramid image tiles that OpenSeadragon loaded, there was no flickering.

This was my conclusion in 2016 when I created a web viewer that showed circles on top of a microscope photo [2]. Architecture: single file format containing an index, pyramid image tiles and measurement data for circles. To make this work, I intercepted the function call that OpenSeadragon usually uses to download an image tile. Instead, I provided OpenSeadragon with an image tile that already had the circle painted on it.

[1] https://openseadragon.github.io/examples/ui-overlays/ [2] demo: https://eriksjolund.github.io/osd-spot-viewer-webpack-build/... (The demo only worked on Linux. I'm not sure if it still works) source code: https://github.com/eriksjolund/osd-spot-viewer

New comment by eriksjolund in "Show HN: Obligator – An OpenID Connect server for self-hosters"

eriksjolund — Thu, 12 Oct 2023 21:29:16 +0000

Here are some documentation and demos from me and others if you're interested:

https://github.com/eriksjolund/podman-networking-docs https://github.com/eriksjolund/podman-nginx-socket-activatio... https://github.com/eriksjolund/socket-activate-httpd https://github.com/eriksjolund/mariadb-podman-socket-activat... https://github.com/PhracturedBlue/podman-socket-activated-se...

New comment by eriksjolund in "Show HN: Obligator – An OpenID Connect server for self-hosters"

eriksjolund — Thu, 12 Oct 2023 20:14:32 +0000

Rootless Podman uses slirp4netns by default. The default will soon change to pasta. Pasta has better performance than slirp4netns. For best performance if your container supports it, use systemd socket activation because the traffic over the activated socket will have native network performance.

New comment by eriksjolund in "Podman Desktop 1.2 Released: Compose and Kubernetes Support"

eriksjolund — Fri, 14 Jul 2023 17:21:12 +0000

Podman can run a socket-activated network server (such as docker.io/library/nginx) with the "--network=none" option. This improves security.

New comment by eriksjolund in "I can't recommend serious use of an all-in-one local Grafana Loki setup"

eriksjolund — Fri, 28 Apr 2023 15:42:35 +0000

It seems Red Hat believes in Loki

Red Hat logging product manager says: "We made the decision to move to Loki and Vector" https://www.youtube.com/watch?v=QZ4Hv85lEJ0&t=938s

New comment by eriksjolund in "How to use Podman inside of a container (2021)"

eriksjolund — Wed, 26 Apr 2023 19:37:23 +0000

I just tried this out. The new systemd directive OpenFile= opens up the possibility to pass the file descriptor of a file from the host to a container running in a container. (using rootless Podman running rootless Podman)

sudo systemd-run --property User=test --property OpenFile=/etc/secretfile.txt --collect --pipe --wait --quiet podman run --security-opt label=disable --user podman --device /dev/fuse quay.io/podman/stable podman run -q alpine sh -c "cat <&3"

New comment by eriksjolund in "Podman vs. Docker: Comparing the two containerization tools"

eriksjolund — Thu, 09 Feb 2023 18:29:26 +0000

I wrote a mini tutorial (as a Reddit comment) about how to deal with UID/GID mappings when you run rootless podman and you want a specific container user to write to a bind-mounted directory:

https://www.reddit.com/r/podman/comments/103ut7z/comment/j31...

Short summary: My best tip is to see if either "--user $uid:$gid" or "--user 0:0" works together with this command:

podman run --rm --user $uid:$gid --volume ./dir:/dir:Z --userns keep-id:uid=$uid,gid=$gid IMAGE

(requires podman > 4.3.0)

New comment by eriksjolund in "Show HN: Run Nginx with Podman and socket activation"

eriksjolund — Thu, 17 Nov 2022 13:07:06 +0000

Podman has a feature that Docker does not yet have: Socket activation of containers. I created a proof-of-concept demo of how to run an nginx container with rootless Podman and socket activation.

Using socket activation has some security and performance advantages:

- Native network performance over the socket-activated socket

- Possibility to restrict the network in the container

- Possibility to at the same time restrict the network in Podman and the OCI runtime

- The source IP address is preserved

- Podman installation size can be reduced

Show HN: Run Nginx with Podman and socket activation

eriksjolund — Thu, 17 Nov 2022 13:06:22 +0000

Article URL: https://github.com/eriksjolund/podman-nginx-socket-activation

Comments URL: https://news.ycombinator.com/item?id=33638326

Points: 4

# Comments: 1

New comment by eriksjolund in "Podman 4.2.0"

eriksjolund — Sun, 14 Aug 2022 09:03:11 +0000

Ok, I understand your concern about Slirp.

Regarding the other idea: I've now tested it and verified that it works. The remote address is available when running a socket-activated container with rootless Podman.

New comment by eriksjolund in "Podman 4.2.0"

eriksjolund — Sun, 14 Aug 2022 08:57:46 +0000

The remote address is available when running a socket-activated container with rootless Podman. I verified it in a test.