Common Server issues – FAQs and answers from those in the know
Calico default Pod CIDR 192.168.0.0/16 vs VirtualBox VM network 192.168.56.0/24 (kubeadm) — safe or must change?
23 December 2025 @ 12:29 pm
I’m building a Kubernetes homelab in VirtualBox using kubeadm (1 control-plane + 2 workers) and Calico as the CNI. Each VM has two NICs:
NIC1: NAT (DHCP) for internet access
NIC2: Host-Only (static IPs) for node-to-node traffic
The Host-Only network is 192.168.56.0/24. Calico’s default IPPool CIDR in custom-resources.yaml is 192.168.0.0/16. Since 192.168.0.0/16 includes 192.168.56.0/24, the Pod network overlaps the VM/node network.
Example configuration:
VirtualBox Host-Only network: 192.168.56.0/24
VirtualBox NAT network: 10.0.2.0/24 (DHCP)
Nodes (Host-Only NIC / static IPs):
k8s-cp1: 192.168.56.21
k8s-w1: 192.168.56.22
k8s-w2: 192.168.56.23
Pod CIDR options:
Calico default IPPool: 192.168.0.0/16 (possible overlap)
Alternative Pod CIDR: 10.244.0.0/16 (non-overlapping example)
kubeadm init command options:
Option A (keep Cal
How to assess the trustworthiness of cloud browser automation platforms before trusting them with cookies/tokens/accounts and running scraping
23 December 2025 @ 12:11 pm
I’m doing browser automation for data extraction and partially for user-like scenarios such as logging in, filling out forms, and exporting data from a personal account area. I want to use a third-party cloud browser automation platform so I don’t have to maintain my own servers.
The problem is that I need to understand how much I can trust such platforms, because in the process I will have:
cookies / session tokens,
sometimes a login/password (or one-time codes),
proxies,
page results that may contain sensitive information.
At the same time, anti-bot checks and CAPTCHAs pop up almost everywhere (often reCAPTCHA/Turnstile). This kind of scenario doesn’t really qualify as “clean traffic”, so I’ll be integrating a third-party bypass/solver solution.
Questions:
By what practical signs/criteria should I evaluate the trustworthiness of these platforms (without “marketing”): what must I ask/check (logging, data storage, sess
Lxc: missing cgroup in container
23 December 2025 @ 3:07 am
On a libvirt unprivileged container the lxc cgroup is active.
find /sys/ -name '*cpuse*' 2> /dev/null | wc -l
465
On a classic (lxc-start) unprivileged container it is not. Why?
find /sys/ -name '*cpuse*' 2> /dev/null | wc -l
0
This is the config file
# Distribution configuration
lxc.include = /usr/share/lxc/config/common.conf
lxc.include = /usr/share/lxc/config/userns.conf
lxc.arch = linux64
# Container specific configuration
lxc.include = /etc/lxc/default.conf
lxc.idmap = u 0 165536 65536
lxc.idmap = g 0 165536 65536
lxc.cgroup.devices.allow = a
lxc.mount.auto = proc:rw sys:rw cgroup:rw:force
lxc.apparmor.profile = unconfined
lxc.apparmor.allow_nesting = 1
lxc.rootfs.path = dir:/var/lxcunpriv/.local/share/lxc/node5/rootfs
lxc.uts.name = node5
What am I missing?
Postfix: multiple different sender_relay_restrictions
22 December 2025 @ 8:09 pm
I am looking to restrict which client can send mail to which domain (i.e., use my postfix server as a relay), and am struggling to figure it out. This needs to work on multiple OS and postfix versions (all modern, 3.5 or higher, on EL8 and Ubuntu 22.04 or later).
My clients are identified by either host name (or corresponding IP address, of course), or by subdomain.
Here is, simplified, what I'd like to accomplish:
host1.example.com 192.168.10.5
host2.example.com 172.18.5.18
192.168.12.0/24
--> can send emails anywhere.
host3.example.com 192.168.10.6
host4.example.com 172.18.5.19
*.printers.example.com
--> can send emails only to @example.com
Bonus (I can live without this for now, but anticipate a future need):
host5.example.com 192.168.10.7
host6.example.com 172.18.5.20
--> can send emails only to @example.net
Anything not listed --> cannot use this server to relay em
DDoS from almost all internet IP range
22 December 2025 @ 6:53 pm
I'm having a high volume of traffic blocking my Apache web server due to reaching the MaxRequest limit of the MPM.
In the access log I found a huge number of requests, 90% of which come from unique IPs in the range 34.0.0.0 to 223.255.255.255. Each request is received from an IP in each subnet of that range.
I tried to find a pattern, a user agent or something else to trigger a fail2ban filter, but without success. I can't block all the IP ranges because legitimate IPs are also inside this big range.
Any suggestion on how to handle this type of attack?
Anyone know why the libvirt-lxc command lxc-enter-namespace works badly?
22 December 2025 @ 4:53 pm
The command lxc-enter-namespace doesn't work.
Distribution: Debian 13
Type of container: unprivileged (same error if run privileged)
Run with: libvirt
As root
virsh -c lxc:///system lxc-enter-namespace node3 --noseclabel --cmd ls
libvirt: Cgroup error : Unable to write to '/sys/fs/cgroup/machine.slice/machine-lxc\x2d84518\x2dnode3.scope/cgroup.procs': Device or resource busy
error: internal error: Child process (310154) unexpected exit status 125
As unprivileged user (same who run container)
virsh -c lxc:///system lxc-enter-namespace node3 --noseclabel --cmd ls
libvirt: Cgroup error : Unable to write to '/sys/fs/cgroup/machine.slice/machine-lxc\x2d84518\x2dnode3.scope/cgroup.procs': Permission denied
error: internal error: Child process (310299) unexpected exit status 125
Any idea about those errors?
Technical differences between type1/2 hypervisors in the way trap-and-emulate work [closed]
22 December 2025 @ 4:40 pm
I know the commonly used type1 vs type2 definition, and I also know that this definition is not clear-cut, and that the relevance of that definition is disputed by some.
Still, I have some technical questions about the actual differences in how the internals work (mostly the trap-and-emulate mechanism) between the most common definitions of "hosted" and "bare-metal" hypervisors:
From my experience, the most common definition is something that sounds like this:
Type 1 "interacts directly with the hardware" (whatever it means) "manages the hardware directly"
Type 2 negotiates with the OS to obtain the underlying resources.
Let's not consider hardware-assisted virtualization for this question.
Both type 1 and type 2 run unprivileged instructions of the guest OS on the CPU without any form of emulation in between¹. In both cases, Guests aren't run
What’s the best NGINX “redirect” solution from the following options?
22 December 2025 @ 4:36 pm
NGINX doesn’t do Apache-style redirects. We want to replace these three URL queries "/grid/grid.html", "grid/grid.html", "grid.html" with just "/grid/".
We have separate domain-specific config files inside "/etc/nginx/sites-available", and use CertBot for SSL.
The RegEx in the examples below captures all the URL variations listed above. But which of these two is best practice:
a location block inside the existing server block:
server {
    ...
    location ~ ^(((/?)grid/)?grid.html) {
        return 301 $scheme://grid/;
        # OR https://grid/;
    }
    ...
}
add a rewrite block inside the existing server block, using the site root:
server {
    ...
    rewrite ^(((/?)grid/)?grid.html) /grid/ last;
    return 403;
    ...
}
When updating the cert, Certbot writes to the existing
Limiting connection to Docker with whitelist on iptables
22 December 2025 @ 10:09 am
I'm trying to limit the access of IPs to my Docker service with iptables.
Let's say my public IP is 1.2.3.4
and the range of IPs that I want to allow is 5.6.7.224/28. I don't want any other range accessing the service.
My hostname is hello.com
DOCKER-USER iptables:
sudo iptables -L DOCKER-USER --line-numbers
Chain DOCKER-USER (1 references)
num target prot opt source destination
1 ACCEPT tcp -- hello.com/28 anywhere tcp dpt:8008
2 DROP tcp -- anywhere anywhere tcp dpt:8008
Docker container info
758e3dac5b23 vshiny "shiny run --host 0.…" 3 days ago Up 3 days 8008/tcp, 1.2.3.4:8008->8000/tcp
This configuration prevents any IP from being allowed to enter the service, even the ones which are in the range I specified to be allowed (5.6.7.224/28
Parsec setup for remote access to Mac Studio and Windows PC from a silent client - Questions about free tier and performance
22 December 2025 @ 1:41 am
I'm planning to move my work machines (a Mac Studio and a Windows PC) from my studio to a rack room to reduce noise in my workspace. The idea is to use a silent client (fanless or similar) next to the monitor, speakers, keyboard, and mouse, and access the machines via remote desktop software.
I'm considering Parsec and have some specific questions, especially about the free version:
For daily intensive use with AutoCAD, is the free version sufficient or is the paid license required? I'd like to avoid software that behaves like some programs (e.g., Supremo Control) which stop working after a trial period.
With two monitors connected to the host PC, does the free version block access or simply not project one of the displays? Same question for a MacBook Air M1 (2020) with an additional external monitor.
Is it true that the free version limits color depth, making professional Photoshop work difficult?
With a graphics tablet sensitive to pr