i guess @Not_Oles gonna one of these shortly!


Comments

  • Not_Oles (Hosting Provider, Content Writer)
    • Progress report:

    The server seems to be installed with Proxmox on Debian 10. The server seems, so far, to survive reboots. Updates and dist-upgrades seem to work. LXC containers seem to work. KVM virtual machines seem to work. Networking seems to work. Firewall seems to work. I may have figured out some prices.

    • To do:

    Configure and test local backup. A couple of security things.

    • Wondering about:

    I have this weird inclination to do everything via command line -- errr, at least everything that doesn't involve images. :) To me, it would be warm and nice to cd into /home, run ls, and see a list of my neighbors. So, as I have said a few times, maybe someday I want to try setting up a server so all the neighbors who wanted could run a traditional shell account plus administer their VPSes via command line.

    These days, however, it might seem a security nightmare to give neighbors shell accounts. So here is today's question: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?

    Thanks everyone! Greetings from Mexico! :) :) :)

    Thanked by (2)quangthang Asim
  • @Not_Oles said:
    These days, however, it might seem a security nightmare to give neighbors shell accounts. So here is today's question: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?

    I managed three servers in university.
    Graduate students get a shell account with ability to launch virtual machines with Vagrant. I have a spreadsheet telling everyone what port numbers they are allowed to bind to, but there's no technical means to enforce that.
    Undergraduate students get logins to two virtual machines, and a webpage with a reboot button. For some students it could be their first time using Linux command line, and it's too much to ask them to figure out Vagrant.
    I graduated in 2017 but the server is still there and still being managed in the same procedure.

    AlwaysData gives everyone a restricted shell account, but they only offer HTTP hosting and there's no virtual machine involved.

    You probably need something in between:

    • A restricted shell.
    • A client certificate in the home folder that authenticates the user to MetalVPS API.
    • A shell script that invokes the API.
    • iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.
    Thanked by (1)Not_Oles


  • Not_Oles (Hosting Provider, Content Writer)

    Thank you @yoursunny!

    @yoursunny said: AlwaysData

    I had heard of matomo but not about AlwaysData. I will take a careful look. Very interesting!

    @yoursunny said: restricted shell.

    Just now, for the very first time, I found out about rbash.

    API

    There are a few other things on my plate, so it will take a while, but I will work on the API. I already just started a little bit. I recently was watching the beginning of a very introductory video about APIs done by a Stripe engineer. The video introduces the Stripe API as an example.

    I got distracted by Stripe's enticing command line static Go binary, which seemed to work for me inside an LXC container, but -- despite that it seemed to work -- there had been an error message from apt on installation that I wanted to understand. Then JFrog announced they were closing Bintray, so my guess is that Stripe might change the way they distribute the binary.

    Then I found that one can use Stripe in a primitive way, without the API. So I set that up, and it seems to work.

    Sometime soon I will go back to the metalvps API, the shell script which will invoke it, and also the Stripe API.

    @yoursunny said: iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.

    Do you mean anything more than dropping traffic from a VPS which doesn't originate from the IP address assigned to the VPS?

    @yoursunny said: I graduated in 2017

    Time is passing. Makes me think of 不知老之將至 ("not realizing that old age is coming"). But I do not agree with this part: 猶不能不以之興懷 ("still one cannot help being moved by it"); I am happy! :)

  • @Not_Oles said:

    @mobile said:
    If this can take off on Tuesday/Wednesday I'll probably bite one. Really need a testing ground badly now, especially with a dedicated core.

    Hi @mobile! As always, lovely to see you!

    Good to see you again, sire.

    • How many slices?

    One slice.

    • What OS?

    Debian stable, latest
    (rest in peace, centos)

    • LXC or KVM?

    I have no idea. If the server is LXC, should I pick LXC too? As long as Podman works, I think LXC is fine.

    • Same public key or do you want to use a different one?

    A different one; I think that key was from my disposable one, so to be safe I'll use a new key.

    • What are one or two IP addresses from which you want administrative access?

    I'm sure I only need one IPv4; no need for IPv6 yet (well, because my use isn't exactly about its networking).

    • Can you burn the processor?

    Yes. You will regret asking this question.

    Thanked by (1)Not_Oles
  • vyas (OG, Retired)

    So what is on offer finally? I mean sometimes money gets uneasy sitting in the wallet?

    Thanked by (1)Not_Oles
  • Not_Oles (Hosting Provider, Content Writer)

    @mobile said: Podman inside LXD or LXC

    Google found me this seemingly good news that Podman might work with LXC or LXD: https://github.com/containers/podman/issues/4131#issuecomment-542357584

    I will do some more checking. If LXC works and you like it -- that's great. If not, we can try KVM. Or, if you wanna invest the time, you can take one of each for a while and see which you like better.

    IP addresses for administrative access

    Okay, one IPv4 address for your VPS, no IPv6, no problem. :)

    Proxmox has a web GUI through which you can start, shut down, stop, reboot, and reinstall your VPS. Also, in the web GUI you can monitor performance of both the host node and your VPS. The web GUI is firewalled, so, if you want access to the web GUI, I need to know one or two IP addresses from which to allow access.

    Maybe you could PM me your access addresses and your new public key? Or just post them here.

    you will regret it

    Hope so! :)

  • @Not_Oles said:

    @mobile said: Podman inside LXD or LXC

    Google found me this seemingly good news that Podman might work with LXC or LXD: https://github.com/containers/podman/issues/4131#issuecomment-542357584

    I will do some more checking. If LXC works and you like it -- that's great. If not, we can try KVM. Or, if you wanna invest the time, you can take one of each for a while and see which you like better.

    If that's the case, I will use LXC. There's a good chance we might learn something interesting from it. Well, my containers are indeed rootless, and they don't need any special permission like from CAP (capabilities).

    (...)

    Proxmox has a web GUI through which you can start, shut down, stop, reboot, and reinstall your VPS. Also, in the web GUI you can monitor performance of both the host node and your VPS. The web GUI is firewalled, so, if you want access to the web GUI, I need to know one or two IP addresses from which to allow access.

    Maybe you could PM me your access addresses and your new public key? Or just post them here.

    Ah, here is my new key:
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAy+3I31biDr2eG25kbTKxndq/EhpEN5lnGwTbvHgsX6 mobile@lowendspirit
    As for the address, can you set it up so it's only accessible from my localhost side? I mean, I will log in via SSH later and open a dynamic port, then I'll access the GUI just from that SOCKS5.

    Thanked by (1)Not_Oles
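    For the firewalled web GUI described above, here is an added example (not code from the thread, from metalvps, or from Proxmox) that renders a datacenter firewall file for /etc/pve/firewall/cluster.fw: the web GUI (tcp/8006) and SSH are reachable only from an IP set of admin addresses, and the default input policy drops everything else. The two admin addresses are made up for the example. Proxmox treats the IP set named management specially (hosts accept GUI, SSH, VNC and SPICE traffic from it), and the explicit rules are written out anyway so the intent is visible in the file.

```shell
#!/bin/sh
# Added example, not from the thread: render a Proxmox datacenter
# firewall file (/etc/pve/firewall/cluster.fw) that exposes the web GUI
# (tcp/8006) and SSH only to an IPSET of admin addresses.
# Assumptions: Proxmox VE node, admin addresses supplied by the caller.
set -eu

# render_cluster_fw NAME ADDR [ADDR...]
# Print the firewall file for an IPSET called NAME holding the given
# addresses. Nothing is written to /etc/pve here; redirect the output
# into the file on the node and run `pve-firewall restart`.
render_cluster_fw() {
    name=$1; shift
    printf '[OPTIONS]\n'
    printf 'enable: 1\n'
    printf 'policy_in: DROP\n'      # default for unmatched inbound traffic
    printf 'policy_out: ACCEPT\n\n'
    printf '[IPSET %s]\n' "$name"
    for a in "$@"; do
        printf '%s\n' "$a"
    done
    printf '\n[RULES]\n'
    # SSH first: without it the DROP policy locks the admin out as soon
    # as the firewall is enabled.
    printf 'IN ACCEPT -source +%s -p tcp -dport 22 -log nolog\n' "$name"
    # Web GUI (pveproxy) only from the same set.
    printf 'IN ACCEPT -source +%s -p tcp -dport 8006 -log nolog\n' "$name"
}

# Usage on the node (addresses are examples):
#   render_cluster_fw management 203.0.113.5 198.51.100.7 > /etc/pve/firewall/cluster.fw
#   pve-firewall restart
if [ $# -ge 1 ]; then
    render_cluster_fw "$@"
fi
```

    For the localhost-only variant @mobile asked for, leave 8006 out of the rules entirely and reach the GUI through SSH: `ssh -N -L 8006:127.0.0.1:8006 mobile@node`, then browse https://127.0.0.1:8006; or `ssh -D 1080 mobile@node` and point the browser's SOCKS5 proxy at 127.0.0.1:1080, so the connection to 8006 is made from the node's own loopback.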
  • @Not_Oles said:
    Just now, for the very first time, I found out about rbash.

    rbash is too restrictive: it limits what commands can be executed, based on command binary name.
    If user can compile and execute their own programs in the shell account, rbash cannot save you.

    It's better to impose restrictions using file ownership, capabilities, cgroups, etc.
    This allows more flexibility: user can compile or upload their programs, but they would not get around any restriction in place.

    Not every usage requires a virtual machine or container.
    The shell account itself is capable of running compute and networking workloads.

    @yoursunny said: iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.

    Do you mean anything more than dropping traffic from a VPS which doesn't originate from the IP address assigned to the VPS?

    Using iptables owner module, you can make traffic from the shell account originate from an IP address assigned to the user.


    @Not_Oles said: I got distracted by Stripe's enticing command line static go binary, which seemed to work for me inside an LXC container

    Go programs are statically linked and only depend on the kernel. They don't even need libc. Thus, the same binary can work everywhere.


    @Not_Oles said: JFrog announced they were closing Bintray, so my guess is that Stripe might change the way they distribute the binary.

    I have two blog posts that depend on Bintray. I'm in trouble now.

    Install OpenCV 3.2.0 on Raspberry Pi Zero W in 15 Minutes uses an APT repository.
    This can be self-hosted with reprepro.

    How to Flash C.H.I.P Offline uses a static file repository.
    This will be eliminated because another site has a copy already.

    Thanked by (1)Not_Oles

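    Putting yoursunny's two suggestions together (the per-user source address via the iptables owner match from the earlier post, and ownership/capabilities/cgroups rather than rbash from the reply above), here is an added provisioning script. It is not code from the thread or from metalvps; the user name alice, UID 1001, the address 203.0.113.10 (documentation range), the interface eth0 and the one-core / 4 GB ceilings are made up for the example, and it assumes a Debian host with systemd (cgroup v2 user slices), iptables with the owner match, and the extra IPv4 already routed to the node.

```shell
#!/bin/sh
# Added example, not code from the thread: provision a "neighbor" shell
# account on the host node using the controls yoursunny names (file
# ownership, a systemd/cgroup slice, an iptables owner-match SNAT)
# instead of rbash. Assumptions: Debian/Proxmox host with systemd and
# iptables, public NIC eth0, extra IPv4 already routed to this host.
# DRY_RUN=1 (the default) only prints the commands it would run.
set -eu

DRY_RUN=${DRY_RUN:-1}
NIC=${NIC:-eth0}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# valid_ipv4 ADDR: succeed only for a dotted quad with octets 0-255.
valid_ipv4() {
    case $1 in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr . ' ')
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# owner_snat_rules USER ADDR: packets generated by USER's processes leave
# with ADDR as their source instead of the host's primary address.
# -m owner only classifies locally generated packets, so this covers the
# shell account, not a KVM/LXC guest that has its own network stack.
owner_snat_rules() {
    valid_ipv4 "$2" || { echo "owner_snat_rules: bad IPv4 $2" >&2; return 1; }
    run ip addr add "$2/32" dev "$NIC"
    run iptables -t nat -A POSTROUTING -o "$NIC" -m owner --uid-owner "$1" \
        -j SNAT --to-source "$2"
}

# user_slice_limits UID CPU MEM: cap the user's cgroup via systemd.
# CPUQuota=100% is one full core; MemoryMax and TasksMax keep a fork bomb
# or memory hog from touching the neighbors.
user_slice_limits() {
    run systemctl set-property "user-$1.slice" "CPUQuota=$2" "MemoryMax=$3" TasksMax=512
}

# provision_neighbor USER ADDR UID: create the account with a normal
# shell. /home itself stays 0755, so `ls /home` still lists the
# neighbors, while each home directory is 0700 so its contents are private.
provision_neighbor() {
    run useradd --create-home --uid "$3" --shell /bin/bash "$1"
    run chmod 0700 "/home/$1"
    user_slice_limits "$3" 100% 4G
    owner_snat_rules "$1" "$2"
}

# Usage: DRY_RUN=0 ./provision.sh alice 203.0.113.10 1001
if [ $# -eq 3 ]; then
    provision_neighbor "$@"
fi
```

    With DRY_RUN=0 it runs the commands as root; with the default it prints them, which is how the example is exercised. Nothing here restricts which binaries the user may compile or execute, which is the point: the limits follow the UID, not the command name, so a user-built program inherits the same cgroup ceiling and the same source address as anything launched from the shell.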

  • Not_Oles (Hosting Provider, Content Writer)

    @vyas said:
    So what is on offer finally? I mean sometimes money gets uneasy sitting in the wallet?

    Okay, let's see if I can make a clear and concise preliminary statement of the offer as currently seems like it might be proposed. I need to do that for an ad, which I hope to put up soon.

    Each stackable slice gets:

    • 1 AMD Ryzen™ 9 5950X logical core (your choice of either one 100% dedicated core or four x 25% dedicated burstable to 100% fair share cores)

    • 4 GB ECC RAM

    • 100 GB NVMe RAID 1

    • 1 IPv4 plus 1 IPv6 (/128) if desired

    • 1 Gbps unlimited fair share

    • Access to Proxmox web GUI (start, shutdown, stop, reboot, backup, and reinstall your VPS. Also monitor performance of your VPS and the host node).

    • Maybe a shell account on the host node.

    • Pricing

      • One slice, $11.02 per month.

      • Two slices, but with only 1 IPv4, $19.40 per month.

      • No payment due until VPS is up, and client is 100% satisfied.

      • Payment via Paypal or Stripe.

    • Usual warnings about grumpy, incompetent, clueless, greedy, slow administrator; not for business use; no Service Level Agreement.

    Thanked by (2)cybertech vyas
  • @Not_Oles said: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?

    this is the way -> http://www.panix.com/shell/

    Thanked by (2)Not_Oles yoursunny


  • @uptime said:

    @Not_Oles said: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?

    this is the way -> http://www.panix.com/shell/

    Wow Panix - the home to some oldschool hackers.

    Thanked by (1)Not_Oles


  • Not_Oles (Hosting Provider, Content Writer)

    Hi @mobile! Your container is up. I sent you a PM with login info. Have fun! :) Tom

    Thanked by (1)mobile
  • @Not_Oles said: Time is passing. Makes me think of 不知老之將至。 But I do not agree with this part: 猶不能不以之興懷

    wow you know your Chinese!

    Thanked by (1)Not_Oles


  • Not_Oles (Hosting Provider, Content Writer)
    edited February 2021

    @terrorgen said:

    @Not_Oles said: Time is passing. Makes me think of 不知老之將至。 But I do not agree with this part: 猶不能不以之興懷

    wow you know your Chinese!

    不是 :) There is a Chinese to English translation in the above linked Wikipedia article. :)

    I am a terrible student. The worst!

    @terrorgen How is your wenyanwen and guwen? (Not joking. Serious question, as long as you do not mind my asking.)

    People say that the old poems sometimes rhyme when recited in modern Cantonese! I wonder how true that is. . . .

    You know about the four treasures, right? Well, my ink is light grey. I do not understand why. I grind and grind. It's still light grey. . . .

    You know about the butterfly dream, right? Inside my mind there is a dream that someday I would know Chinese. But perhaps there is no more reality in my dreams than in the dreams of the butterfly? "Name is the guest of reality." :)

    What I am writing here will sound completely crazy to many people. Nevertheless these are words from the heart. To the Chinese, what are "words from the heart?"

  • I am PMing you to not derail the discussion here =)

    Thanked by (1)Not_Oles


  • I am cancelling my account due to moral and legal reasons. 10/10 metalvps recommended service if you aren't doing illegal sh*t.

    Thank you for the party.

    Thanked by (1)Not_Oles