Yes

K3s (and k8s for that matter) expect you to build a hierarchy of yaml configs, mostly because spinning up docker instances will be done in groups with certains traits applying to whole organization, certain ones applying only to most groups, but not all, and certain configs being special for certain services (http nodes added when demand is higher than x threshold).

But I wonder why you want to cluster navidrome or pihole? Navidrome would require a significant load before service load balancing is required (and non-trivial to implement), and pihole can be put behind a round-robin DNS forwarder, and also be weird to implement behind load balancing.

I don’t think anyone here disagrees that port scanning is bad, nor that you even filed an aws ticket. And congrats on your live service.

But your answers to comments are weird, like this is not only your first server or vps experience with a public interface, but your first time exposing anything to the public web. And even if that’s true, there’s a first time for everyone.

But man, doubling down and insisting that “port scanning is unauthorized traffic” betrays a certain naivete about how tcpip works.

What you are seeing is not only normal, but AWS can’t do anything about it because that’s how IP source and destination sockets work.

Oh, OK. I moved to mikrotik 8 years ago and haven’t looked back.

OpenWRT on a 5009? Why? You’ll lose the switch/cpu integration and a whole lot of speed, not to mention features…

Port scanning is not authorized traffic.

Lol what

I think you should read the terms of your AWS contract. How do you think aws moves instances if not for agents gathering metrics?

And this case is Mandiant, so you’re fine.

Are you sure you’re ready for AWS?

Umm…

You know how that works, right? Like, if you don’t want to expose ports, just… don’t expose them. But you can’t prevent port scanning.

I would love to see the support request from AWS for this.

Edit: also, I think “script kiddy” is a bit of a stretch here.

deleted by creator

And poettering is an absolute good guy here.

You obviously weren’t actually around when he was granted mini-king status and acted like a jackass to literally anyone who objected to pulse or systemd. As a result, redhat, canonical, and Debian had to eat criticism over pushing these before they were ready… because of “superstar” poettering.

Poettering is a disrespectful clown.

At the time, canonical was throwing its weight around and essentially bullying Debian upstream repos. Around this time, there was a mass exodus of the Debian leadership over this kind of thing.

The old guard of Debian wasn’t as… enthusiastic about systemd either, but look what they use now.

It’s true, and it was a huge pain in the ass:

https://answers.launchpad.net/ubuntu/+question/223855

I think so. I lost count of the little things, it really was death by a thousand paper cuts.

I was a pretty rabid fan of Ubuntu, still have an x86 and ppc CD of 5.04 somewhere.

But by the time snaps started appearing, and then Ubuntu pro, Ubuntu decided to revert some of my customized configs in /etc after an upgrade, I had had enough. When snaps were reinstalled after an upgrade in 2021, I just flipped over to Debian, which has come a long way in being usable out of the box.

I was at this point until about 3 years ago. Switched to debian, wont look back.

Or mir, or pulseaudio before it was ready, or deprecating ffmpeg for half a year… Etc etc

Agree. The person who wrote the article is Avery Pennarun, co-creator of tailscale. I’ve heard him in interview ; he’s very smart, both technically, and in high picture thinking.

But… Missing the point that VC money is cursed because they don’t care if your product is good, successful or a boon to others, is a bit naive.

Docker runs fine nested in lxc with uid/gid mapping.

The difficulties of running docker in lxc are particular to proxmox, I ran docker in lxc on proxmox for years, but I’m glad I moved incus; much more sensible approach.

Oh, dammit. Thank you.

I’m also 90% done migrating to jellyfin. I’ve had the instance running for 6 months now, the cultural change to watch jellyfin is complete, except for my wife’s iPad.

Heck, I should just retire Plex. That will force the change.

These are the thoughts of a cold and calloused sysadmin. Didn’t get the email about the change? Too bad.

You say this as though security is naturally a consideration for most docker images.

Man, we really need to make “The Church Cathedral and the Bazaar” required reading.

You clearly have missed the entire point of Linux, which is the freedom to do with your machine as you like. The endless number of choices for specific tastes is the result of people having the choice to write their own thing.

When consolidation happens, when people say “make my choice for me, I can’t make decisions” we end up with super constrained setups like MacOS, Windows 11 and stupid Gnome the way it is now; no choice, do it our way or not at all.

And the answer is still freedom. It’s obvious in the plugins and addons for gnome that get it to do basic customizing you find in, say xfce as a toggle in the settings. You find it in the myriad of softwares written for windows and mac that let the user do what they want to do.

And I will likely not be the first to point out to you Linux doesn’t “aim for desktops”, linux isn’t an organization the way ms and apple are. And it likely never will be.

Newbies will be scared and confused no matter what’s in front of them.