moonpiedumplings @ moonpiedumplings @programming.dev

Posts

18

Comments

433

Joined

2 yr. ago

Have you tried running a vpn to your phone while tethering?

https://moonpiedumplings.github.io/guides/unrestricted-tethering/

I experimented with it a little bit, but it didn't go anywhere when I discovered my phone already proxies/NATs all my traffic.

No, Android Go still supports ADB.

On an XDA review of an android go phone, they managed to connect to it via ADB

It doesn't need root, but it is shady as fuck. Thankfully, there's been no reports of malware from the official lucky patcher project... although that link doesn't look official, given the ads and popups, I got that link from my copy of the app.

I briefly looked into the revanced project to see if they had any relevant patches, as I would rather recommend FOSS solutions first, and revanced is shaping up to be lucky patcher, but FOSS, but they didn't have anything,

I use this too, and it should be noted that this does not require wireguard or any VPN solution. Rathole can be served publicly, allowing a machine behind a NAT or firewall to connect.

What made it better?

Upstart was better, but even Ubuntu, who was by the creators of upstart (Canonical) decided to switch to systemd after using upstart for a bit?

https://www.die.lu/

https://github.com/Katana-Official/SPatch-Update

Might not work, but at least it's updated.

You could also look into https://www.luckypatchers.com/. There might be patches for what you want to do.

No, it is lock in. If apple allowed for multiple app stores other than their own, then users could pay for an app on one app store, and then not have to pay again on another, potentially even on non-apple devices.

I encountered this when I first purchased minecraft bedrock edition on the amazon kindle. Rather than repurchasing it on the google play store when on a non-amazon, I simply tracked down the Amazon app store for non-amazon devices, and redownloaded it from there. No lock in to Amazon or other android devices, both ways.

Now, the Apple app store would still probably not work on androids... but now they would actually have to compete for users on the app store, by offering something potentially better than transferable purchases across ecosystems.

I suspect the upcoming Epic store for iOS and android may be like that... pay for a game/app on one OS, get it available for all platforms where you have the Epic store. But the only reason the Epic store is even coming to iOS is because Apple has been forced to open up their ecosystem.

It's a shame the price you pay for that is no crossplatform support.

If you have a little bit of server management know-how, you can set up https://geysermc.org/, which allows for crossplay between bedrock and java on a java server.

LXD/Incus. It's truly free/open

Please stop saying this about lxd. You know it isn't true, ever since they started requiring a CLA.

LXD is literally less free than proxmox, looking at those terms, since Canonical isn't required to open source any custom lxd versions they host.

Also, I've literally brought this up to you before, and you acknowledged it. But you continue to spread this despite the fact that you should know better.

Anyway, Incus currently isn't packaged in debian bookworm, only trixie.

The version of lxd debian packages is before the license change so that's still free. But for people on other distros, it's better to clarify that incus is the truly FOSS option.

Also switched here. OBS on wayland has some new features, that I'm excited to take advantage of, but I still cannot find a way to share some windows, but not an entire monitor.

OBS has another feature: "virtual monitor". It does what it sounds like, and creates a virtual monitor, which you can then treat like a real monitor, like extending to, or unifying outputs, etc.

It also has a feature to share the entire workspace, but it doesn't work like I expect, and instead uses all monitors (not workspaces) as a single input source. I suspect that's a bug tbh, because this behavior is useless considering you can just add monitors as a source side by side.

Edge WebView2

I'm like 90% sure this requires edge to be installed, even though the EU mandated that they make edge uninstallable. So that might be their game here.

I remember this being brought up with an acquaintance, but basically there's a bug where the newest fedora kernel isn't compatible with VMWare.

So yeah. Either wait for a kernel patch, or wait for VMWare to fix their stuff. But they might not, other users have mentioned that they've gone downhill after being bought by Broadcom.

If you want 3d acceleration on virtualized Linux guests, other than vmware, you have two options:

• GPU passthrough
• Virtual gpu (virgl/virtualgl/egl-headless)

The latter is basically only going to work on a Linux host, virtualizing Linux guests (although it is possible on windows, with caveats).

The other downside is that no matter which option you pick, it's all going to end up being a bit more tinkering (either a little — assign a vm a gpu, or a lot, install unsigned windows drivers), compared to VMWare's "just works"/one click 3d acceleration setup.

Dockers manipulation of nftables is pretty well defined in their documentation

Documentation people don't read. People expect, that, like most other services, docker binds to ports/addresses behind the firewall. Literally no other container runtime/engine does this, including, notably, podman.

As to the usage of the docker socket that is widely advised against unless you really know what you’re doing.

Too bad people don't read that advice. They just deploy the webtop docker compose, without understanding what any of it is. I like (hate?) linuxserver's webtop, because it's an example of the two of the worst footguns in docker in one

To include the rest of my comment that I linked to:

Do any of those poor saps on zoomeye expect that I can pwn them by literally opening a webpage?

No. They expect their firewall to protect them by not allowing remote traffic to those ports. You can argue semantics all you want, but not informing people of this gives them another footgun to shoot themselves with. Hence, docker “bypasses” the firewall.

On the other hand, podman respects your firewall rules. Yes, you have to edit the rules yourself. But that’s better than a footgun. The literal point of a firewall is to ensure that any services you accidentally have running aren’t exposed to the internet, and docker throws that out the window.

You originally stated:

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

And I'm trying to say that even if that was true, it would still be better than a footgun where people expose stuff that's not supposed to be exposed.

But that isn't the case for podman. A quick look through the github issues for podman, and I don't see it inundated with newbies asking "how to expose services?" because they assume the firewall port needs to be opened, probably. Instead, there are bug reports in the opposite direction, like this one, where services are being exposed despite the firewall being up.

(I don't have anything against you, I just really hate the way docker does things.)

Probably not an issue, but you should check. If the port opened is something like 127.0.0.1:portnumber, then it's only bound to localhost, and only that local machine can access it. If no address is specified, then anyone with access to the server can access that service.

An easy way to see containers running is: docker ps, where you can look at forwarded ports.

Alternatively, you can use the nmap tool to scan your own server for exposed ports. nmap -A serverip does the slowest, but most indepth scan.

Yes it is a security risk, but if you don’t have all ports forwarded, someone would still have to breach your internal network IIRC, so you would have many many more problems than docker.

I think from the dev’s point of view (not that it is right or wrong), this is intended behavior simply because if docker didn’t do this, they would get 1,000 issues opened per day of people saying containers don’t work when they forgot to add a firewall rules for a new container.

My problem with this, is that when running a public facing server, this ends up with people exposing containers that really, really shouldn't be exposed.

Excerpt from another comment of mine:

It’s only docker where you have to deal with something like this:

    
---
services:
  webtop:
    image: lscr.io/linuxserver/webtop:latest
    container_name: webtop
    security_opt:
      - seccomp:unconfined #optional
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - SUBFOLDER=/ #optional
      - TITLE=Webtop #optional
    volumes:
      - /path/to/data:/config
      - /var/run/docker.sock:/var/run/docker.sock #optional
    ports:
      - 3000:3000
      - 3001:3001
    restart: unless-stopped

  

Originally from here, edited for brevity.

Resulting in exposed services. Feel free to look at shodan or zoomeye, internet connected search engines, for exposed versions of this service. This service is highly dangerous to expose, as it gives people an in to your system via the docker socket.

If you need public access:

https://github.com/anderspitman/awesome-tunneling

From this list, I use rathole. One rathole container runs on my vps, and another runs on my home server, and it exposes my reverse proxy (caddy), to the public.

https://nixlang.wiki/en/tricks/distrobox

https://distrobox.it/

Not the nix way, but when you really need something to work, you can create containers of other distros.

From what I've heard, true multiseat is very to configure. You probably also want to investigate using GPU accelerated containers, because it's legitimately easier to share the same GPU across multiple containers as opposed to multiple seats.

Wezterm. I started out on konsole, and was happy with it, but then I started using zellij as my terminal multiplexer. Although zellij allows you to configure what command copies and pastes text, copy/paste on wayland and windows only works by default with wezterm. It gives me consistency across multiple DEs/OSes, with minimal configuration, which is good because I was setting up development environments for many people, with many configurations