Exiled in France since 1986, Mahmoud Moradkhani is a doctor and an opponent of the Iranian regime. The nephew of Iran's ayatollah tells Euronews that the security crackdown will not end the demonstrations.
Exiled in France since 1986, Mahmoud Moradkhani is a doctor and an opponent of the Iranian regime. The nephew of Iran's ayatollah tells Euronews that the security crackdown will not end the demonstrations.
Horoscope Today News: The moon is in the fourth Tithi, part of Shukla Paksha, and is further along in the waxing crescent phase today. This period is particularly supportiv.
Horoscope Today News: The moon is in the fourth Tithi, part of Shukla Paksha, and is further along in the waxing crescent phase today. This period is particularly supportiv.
L'incidenza della spesa privata delle famiglie per la sanità sui bilanci familiari si è più che raddoppiata, dalla nascita del Ssn nel 1978 ad oggi, raggiungendo in media il 4,3%, e toccando il 6,8% per le famiglie meno istruite, ed il prezzo più alt…
"L'Europa preferisce il dialogo e le soluzioni, ma siamo pienamente preparati ad agire, se necessario, con unità, urgenza e determinazione. Al di là di questo, abbiamo bisogno di un nostro approccio strategico. (ANSA)
L'incidenza della spesa privata delle famiglie per la sanità sui bilanci familiari si è più che raddoppiata, dalla nascita del Ssn nel 1978 ad oggi, raggiungendo in media il 4,3%, e toccando il 6,8% per le famiglie meno istruite, ed il prezzo più alt…
La presidente della Commissione Ue Ursula von der Leyen, contrariamente a quanto ventilato nei giorni scorsi, dopo il suo intervento alla Plenaria a Strasburgo sta rientrando a Bruxelles e non tornerà a Davos, dove Donald Trump atterrerà nelle prossi…
Proseguire la terapia endocrina adiuvante oltre i cinque anni standard nelle pazienti in premenopausa con carcinoma mammario dimezza il rischio di metastasi a distanza e riduce di circa il 40% quello di recidive. (ANSA)
Proseguire la terapia endocrina adiuvante oltre i cinque anni standard nelle pazienti in premenopausa con carcinoma mammario dimezza il rischio di metastasi a distanza e riduce di circa il 40% quello di recidive. (ANSA)
E' stato trovato a Milano, in buone condizioni, Diego Baroni, il 14enne di San Giovanni Lupatoto di cui si erano perse le tracce il 12 gennaio. Lo ha riferito il sindaco della città veronese, Attilio Gastaldello. (ANSA)
L'inviato statunitense Steve Witkoff ha dichiarato che domani incontrerà il presidente russo Vladimir Putin. Lo ha detto Witkoff in un'intervista alla Cnbc, come riporta Reuters sul sito. (ANSA)
Entführung Maduros: Chinas stille, harte Antwort auf Washington de.rt.com/international/267700… China reagiert auf die Entführung des venezolanischen Präsidenten Maduro nicht mit Worten, sondern mit Macht: Finanz-, Energie- und Lieferketten werden binnen Stunden neu justiert. Der Schlag trifft die USA wirtschaftlich – und markiert einen Wendepunkt auf dem Weg zur multipolaren Weltordnung. #news #press
Frustpost: Alle mit einem Onlineshop tröten ja immer davon, was deren #Bestseller sind. Ich glaube ich muss heute mal vom Gegenteil erzählen, dass unsere beiden BUNTEN Modelle noch nie bestellt wurden🫤 . Wäre das nicht ein schönes Mitbringsel für Ostern? Der Feger kostet aktuell nur 2,87 €!
(Heute ist der Post nur für mich... bitte um Verzeihung ... denn ich kann meine zwei bunten Handfeger auch erst kaufen, wenn diese produziert werden - und nur wegen mir wird der nicht hergestellt 🥹)
Keine Info nur am Rand, ehe ich in den Feierabend gehe - es sind tatsächlich vier Bestellungen eingegangen und dafür möchte ich euch ganz ❤️lich danken! Die Handfeger wird es jetzt also wirklich geben und nicht nur in der Vitrine als "Muster". Bald also auf Lager und dann innerhalb von 3-4 Tagen lieferbar! Und ... ich kann meine dann auch bestellen 😀 Viele liebe Grüße an alle die mitgeholfen haben ... ist echt sowas wie Crowdfunding, oder? 😅
Ich habe auch gerade zwei bestellt. 😉 Und Ihr habt Kehrschaufeln aus Metall statt Kunststoff! 💖 Aber eine Bitte für die Zukunft: GLS als einzigen Logistiker? Das hab ich jetzt nur für das Feger-Crowd-Ordering gemacht, Leute! Bitte, bitte DHL, ich zahl auch dafür, aber nehmt einen zuverlässigen Versender.
@Linkshaender Lieber Armin, ich kann Dich gut verstehen. Bisher lief hier alles nur über Spedition und der Shop generiert jetzt die ersten Pakete - wenn die Stückzahlen wachsen, nehmen wir sicher auch noch DHL dazu, aber die kommen nicht wenn wir "vielleicht" ein Paket am Tag haben, das ist das Problem dabei. Über 90% sehen nur auf den Preis, so sehr ich das auch lieber geändert hätte. Viele Grüße auch an Chicco ❤️ 😉
@Linkshaender Ich bin auch gern bereit ne Woche (oder zwei) zu warten, bis genügend DHL-Päckchen zusammen sind, damit die das holen kommen. Aber Armin hat schon recht, GLS ist einfach ne mittelprächtige Katastrophe.
Meine Konfetti-Bestellung kommt btw auch noch, aber ich wollte in Ruhe am PC gucken, was man noch so gebrauchen kann, aktuell häng ich krank im Bett und ich hasse Handyshopping. :'D
@ashyda @Linkshaender Omg, dann wünsche ich Dir erstmal gute Besserung 💐 ja DHL ist leider nicht so flexibel. Die wünschen sich mindestens jeden Tag ein paar Pakete, sonst kommen sie nicht - also garnicht. WIr liebäugeln derzeit noch mit DPD ... mal sehen, aber in nächster Zeit wohl nicht. Wobei ... ich hätte auch nicht gedacht, dass das Posting von gestern solche Veränderungen hier mit sich gebracht hätte 🍀
Ich stimme @ashyda zu, lieber warte ich bis ihr einmal in der Woche für den „DHL-Tag“ genug beisammen habt als GLS oder DPD zu nehmen. Das kostet mich nämlich trotz eurem schnellen Versand mehr Zeit, weil die Typen an uns vorbeifahren und dann eine „Du warst ned da“-Mail schreiben. Dann kann ich zu irgendeiner Filiale fahren zu Zeiten, in denen ich auch arbeiten muss…. 😆🤪😝
Eure Preise sind eh unschlagbar günstig! Ob GLS oder DHL ist mir erstmal egal, bei mir haben alle eine Abstellerlaubnis und das klappt auch gut. Ich freue mich jedenfalls auf die Lieferung und zukünftige Bestellungen sind euch sicher 😀 @Linkshaender
@jwildeboer @Linkshaender Danke Jan, das freut mich sehr. Und wenn man als Unternehmen etwas kleiner ist, kann man ja vielleicht auch noch etwas besser kalkulieren ❤️
@jwildeboer Congrats zu Deiner Arbeit hier: mittlerweile habt ihr über 850 Leute, die es bunt und sauber lieben! 👍🏼💖 Das ist gekonntes und trotzdem unaufdringliches Marketing.
@Linkshaender @jwildeboer Danke mein Lieber ❤️ Ich habe schon etwas Angst, sollte es mal eine 1000 werden ... hier landen schon Vorschläge, was ich dann veranstalten soll 😅
konfetti: Handfeger, 285 mm, "Konfetti", PET - Farbmix, unlackiert - Saalbesen, 400 mm, "Konfetti", PET-Farbmix, Universalstielhalter mit Überwurfmutter Ø 24 mm
@Impertinenzija @padeluun wenn @buersten jetzt noch das Mastodon-Profil auf ihrer homepage verlinken...dann drücke ich sofort auf "bestellen&bezahlen". faebook, instragram und linkedin sind so oldschool ;)
@mc @Impertinenzija @padeluun Hallo und guten Morgen 😀 Mastodon ist tatsächlich schon verlinkt ❤️ allerdings mit dem Bild von Twitter hihi - ich hab noch ein Ticket beim Shopservice offen und die wollen kein extra Logo machen. Darum hab ich erstmal so verlinkt und tausche das sobald ich mal kann (muss mich da erst reinfuchsen) aus 😅
@MonaApp ive been getting 'Failed to translate. Tap to try again DeepL bad response: 403 forbidden' - my api keys and usage are fine, ive changed api keys also but no luck
Der US-Konzern OpenAI führt eine KI-basierte Altersschätzung für ChatGPT ein. Minderjährige sollen so künftig vor schädlichen Inhalten geschützt werden.
Der US-Konzern OpenAI führt eine KI-basierte Altersschätzung für ChatGPT ein. Minderjährige sollen so künftig vor schädlichen Inhalten geschützt werden.
I need some help if anyone could take the time and has the knowledge:
I'm basically new to podman and namespaces, relatively new to linux and a noob at networking. So figuring this out and getting it to work took many more hours than I would like to admit, but I still have a few problems. I have all my current Quadlets below in the spoiler (seperated by "---", assume user123 = UID 1000). I am on Bazzite, rootless Podman, which probably makes this even harder.
::: spoiler Spoiler with the Quadlets
[Unit]
Description=Arr-stack pod
[Pod]
PodName=arr-stack
# Network
# Network=vpn-only
# User mapping / I don't fully understand this yet, but the pod does not work without this (maps user id to specified ID inside the containers? So the containers have UID:GID 1000:1000?)
UserNS=keep-id:uid=1000,gid=1000
#
# Homepage Port Mapping
PublishPort=3000:3000
# Jellyfin Port Mapping
PublishPort=8096:8096/tcp
# qBittorrent Port Mapping
PublishPort=8080:8080
\#PublishPort=6881:6881
\#PublishPort=6881:6881/udp
# Prowlarr Port Mapping
PublishPort=9696:9696
# Flaresolverr Port Mapping
PublishPort=8191:8191
# Radarr Port Mapping
PublishPort=7878:7878
# Sonarr Port Mapping
PublishPort=8989:8989
# Jellyseerr Port Mapping
\#PublishPort=8055:5055
\#[Install]
# WantedBy=default.target
---
[Unit]
Description=Gluetun Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
[Container]
ContainerName=gluetun
Pod=arr-stack.pod
Image=docker.io/qmcgaw/gluetun:v3
AutoUpdate=registry
# Network
# Network=vpn-only
# UID/GID permissions / root + privileged for networking?
PodmanArgs=--privileged
User=0
Group=0
# Equivalent to cap_add: - NET_ADMIN # one wrong?
AddCapability=NET_ADMIN
AddCapability=CAP_NET_ADMIN
# Required for Gluetun to delete the bridge's default route, but does not work
AddCapability=NET_RAW
AddCapability=CAP_NET_RAW
# Equivalent to "devices: - /dev/net/tun:/dev/net/tun"
AddDevice=/dev/net/tun:/dev/net/tun
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=gluetun.env
# Environment=FIREWALL_OUTBOUND_SUBNETS=10.90.0.0/24 / test from a specific podman network
Environment=FIREWALL_INPUT_PORTS=8080
#
Environment=VPN_SERVICE_PROVIDER= <123>
Environment=VPN_TYPE=wireguard
Environment=WIREGUARD_PRIVATE_KEY= <key>
Environment=SERVER_COUNTRIES= <country>
# for now:
Environment=VPN_PORT_FORWARDING=off
\#Secret=openvpn_user,type=env,target=OPENVPN_USER
\#Secret=openvpn_password,type=env,target=OPENVPN_PASSWORD
\#Volume
Volume=/var/home/user123/.config/arr-configs/gluetun:/gluetun:Z
# SecurityLabel=disable
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=qBittorrent Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=qbittorrent
Pod=arr-stack.pod
Image=lscr.io/linuxserver/qbittorrent:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=qbittorrent.env
Environment=WEBUI_PORT=8080
# Environtment=TORRENTING_PORT=6881
# Volume :Z (> :z) probably works as well and is saver for configs?
Volume=/var/home/user123/.config/arr-configs/qbittorrent:/config:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
# Volume=/var/home/user123/Videos/Downloads/completed:/downloads:z,U
# Volume=/var/home/user123/Videos/Downloads/incomplete:/incomplete:z,U
# Volume=/var/home/user123/Videos/Downloads/torrents:/torrents:z,U
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Prowlarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=prowlarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/prowlarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=prowlarr.env
Environment=WEBUI_PORT=9696
# Volume
Volume=/var/home/user123/.config/arr-configs/prowlarr:/config:z,U
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Sonarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=sonarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/sonarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=sonarr.env
Environment=WEBUI_PORT=8989
# Volume / Disable SecurityLabels due to SMB share, need to look this up
SecurityLabelDisable=true
Volume=/var/home/user123/.config/arr-configs/sonarr:/config:z
Volume=/var/home/user123/Videos/Shows:/tv:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Radarr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=radarr
Pod=arr-stack.pod
Image=lscr.io/linuxserver/radarr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / linuxserver images require UID:GID 0:0 at the start; they won't start without it
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=radarr.env
Environment=WEBUI_PORT=7878
# Volume / Disable SecurityLabels due to SMB share
SecurityLabelDisable=true
Volume=/var/home/user123/.config/arr-configs/radarr:/config:z
Volume=/var/home/user123/Videos/Movies:/movies:z
Volume=/var/home/user123/Videos/Downloads:/downloads:z
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Flaresolverr Container
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=flaresolverr
Pod=arr-stack.pod
Image=ghcr.io/flaresolverr/flaresolverr:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=flaresolverr.env
Environment=WEBUI_PORT=8191
Environment=LOG_LEVEL=info
Environment=LOG_HTML=false
Environment=CAPTCHA_SOLVER=none
# Volume=flaresolverr:/app/
[Service]
Restart=always
\#[Install]
\#WantedBy=default.target
---
[Unit]
Description=Podman - Jellyfin
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
[Container]
ContainerName=jellyfin
Pod=arr-stack.pod
Image=ghcr.io/jellyfin/jellyfin
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions / 1000:1000 might work?
User=0
Group=0
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvironmentFile=jellyfin.env
Environment=WEBUI_PORT=8096:8096/tcp
\#PublishPort=8096:8096/tcp
\#PublishPort=8920:8920
\#PublishPort=7359:7359/udp
\#PublishPort=1900:1900/udp
# Volume
Volume=/var/home/user123/.config/arr-configs/jellyfin:/config:z
Volume=/var/home/user123/Videos/jellyfin-cache:/cache:z
Volume=/var/home/user123/Videos/Movies:/data/movies:z
Volume=/var/home/user123/Videos/Shows:/data/shows:z
[Service]
# Inform systemd of additional exit status
# SuccessExitStatus=0 143a
Restart=always
TimeoutStartSec=900
\#[Install]
# Start by default on boot
\#WantedBy=default.target
---
[Unit]
Description=Homepage Dashboard
# Dependencies
# pod
Wants=arr-stack-pod.service
After=arr-stack-pod.service
Requires=arr-stack-pod.service
PartOf=arr-stack-pod.service
# .pod is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=arr-stack.pod
After=arr-stack.pod
Requires=arr-stack.pod
PartOf=arr-stack.pod
# gluetun
Wants=gluetun.service
After=gluetun.service
Requires=gluetun.service
BindsTo=gluetun.service
# .container is probably not quite what I want, but it works and I might as well keep it, in case they change the syntax
Wants=gluetun.container
After=gluetun.container
Requires=gluetun.container
BindsTo=gluetun.container
# idk about this?:
After=network-online.target
Wants=network-online.target
# Socket
Wants=podman.socket
After=podman.socket
Requires=podman.socket
[Container]
ContainerName=homepage
Pod=arr-stack.pod
Image=ghcr.io/gethomepage/homepage:latest
AutoUpdate=registry
# Network
Network=container:gluetun
# UID/GID permissions
User=1000
Group=1000
Environment=PUID=1000
Environment=PGID=1000
# EnvironmentFile=global.env
Timezone=UTC
Environment=TZ=Etc/UTC
# EnvirontmentFile=homepage.env
\#Environment=LOG_LEVEL=debug
Environment=HOMEPAGE_ALLOWED_HOSTS=gethomepage.dev
\#PublishPort=3000:3000
# Podman socket (recommended on Bazzite)
Volume=%t/podman/podman.sock:/var/run/docker.sock:ro
\#Volume=/var/run/docker.sock:/run/user/1000/podman/podman.sock:ro
\#Volume=/%t/podman/podman.sock:/run/user/1000/podman/podman.sock:ro
# Volume / Config directory
SecurityLabelDisable=true
Volume=%h/apps/homepage:/app/config:Z
Volume=%h/apps/homepage/icons:/app/public/icons:Z
[Service]
Restart=on-failure
TimeoutStartSec=300
\#[Install]
\#WantedBy=default.target
:::
Questions: - 1. If I use "podman exec ip route" (on e.g. qbittorrent) the default route goes through my actual network interface (actual ip adress) which I very much do not want (or through my killswitch dummy network from my VPN if on, which is better but still not ideal). Is there a way to completely remove my actual network from a container's eyes? "podman exec ip addr" shows 1 lo (local), 2 my actual network, 4 tun0 from gluetun. The traffic does go through gluetun correctly, but I don't trust it 100%. Having the containers separated and NOT inside a pod gives the same result, since the containers share the network namespaces from the gluetun container when I do "Network=container:gluetun" (same as just having them in a pod as far as I understand). I tried to also create a podman network without a default gateway, but then gluetun cannot connect to the VPN in the first place.
EDIT: A few notes: I thought gluetun was supposed to set the default route (but it seems it either doesn’t or can’t). My goal was to only have gluetun see my computer’s network and have the containers only see local network and gluetun’s tun0 network (with default routing through tun0). AFAIK pods share network namespaces, though, so that might not be possible? (even without pods?)
My setup works but is quite convoluted and probably has many unnecessary lines, so please give me any improvements you see
Is User=1000, Group=1000, even sensible? For example in the homepage container those lines result in the container showing User "1000:1000" (from podman inspect). Would User=0, Group=0 (or no lines since I use UserNS=keep-id in the pod?), which shows as User=root (podman inspect) mean that it has actual root access or just that it is root INSIDE the container?
Thank you in advance for the answers, in case I don't reply to your comment specifically.
I don't know much about ip routing, but userns=keep-id id determined based on what podman is run as. For example, I run podman as user 1000 on the host, so if I do keep-id the user in the container will map to the same id. This often messes with things as the container require it is root inside it's own context. It seems you are running podman as root, meaning that keep-id will map the container user to the actual root id, givintthe container essentially root access. Normally the container user is mapped to a random id on the host, like 653477, not 0. It's unsafe to map the containers id to root as they would be unbounded if they managed to escape. I would recommend doing systemctl cat on the different services to see what the .container file expands to.
When it comes to the networking I think that you need to create a podman network with internal set to true. I believe that this restricts internet access. Then you would need to only let these services communicate with gluetun.
I don't know if this was any help, but it's all I've managed to learn from doing it myself.
remember that: cats are always right. Signs can be wrong. don't trust a sign. and if someone trusts every sign please tell me so i can make a sign that says they have to give me headpats.
Quem disse que Linux não é para gamers? O universo dos jogos no pinguim está maior do que nunca! Reunimos 12 dicas incríveis para você aproveitar ao máximo seu sistema e se divertir com títulos imperdíveis. Pronto para jogar?
A consent driven live stream of indie music videos and animation from artists across the Fediverse. See Now Playing info at https://mastodon.social/@tibtvnowplayingbot - Fediwall at https://shorturl.
voyeur
in reply to kim 🏳️🌈 • • •kim 🏳️🌈
in reply to voyeur • • •