The server seems to be installed with Proxmox on Debian 10. The server seems, so far, to survive reboots. Updates and dist-upgrades seem to work. LXC containers seem to work. KVM virtual machines seem to work. Networking seems to work. Firewall seems to work. I may have figured out some prices.
To do:
Configure and test local backup. A couple of security things.
Wondering about:
I have this weird inclination to do everything via command line -- errr, at least everything that doesn't involve images. To me, it would be warm and nice to cd into /home, run ls, and see a list of my neighbors. So, as I have said a few times, maybe someday I want to try setting up a server so all the neighbors who wanted could run a traditional shell account plus administer their VPSes via command line.
These days, however, it might seem a security nightmare to give neighbors shell accounts. So here is today's question: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?
@Not_Oles said:
These days, however, it might seem a security nightmare to give neighbors shell accounts. So here is today's question: Would giving shell accounts to neighbors who wanted them be completely crazy in 2021?
I managed three servers in university.
Graduate students get a shell account with ability to launch virtual machines with Vagrant. I have a spreadsheet telling everyone what port numbers they are allowed to bind to, but there's no technical means to enforce that.
Undergraduate students get logins to two virtual machines, and a webpage with a reboot button. For some students it could be their first time using Linux command line, and it's too much to ask them to figure out Vagrant.
I graduated in 2017 but the server is still there and still being managed in the same procedure.
AlwaysData gives everyone a restricted shell account, but they only offer HTTP hosting and there's no virtual machine involved.
You probably need something in between:
A restricted shell.
A client certificate in the home folder that authenticates the user to MetalVPS API.
A shell script that invokes the API.
iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.
Just now, for the very first time, I found out about rbash.
API
There are a few other things on my plate, so it will take awhile, but I will work on the API. I already just started a little bit. I recently was watching the beginning of a very introductory video about APIs done by a Stripe engineer. The video introduces the Stripe API as an example.
I got distracted by Stripe's enticing command line static Go binary, which seemed to work for me inside an LXC container, but -- despite the fact that it seemed to work -- there had been an error message from apt on installation that I wanted to understand. Then JFrog announced they were closing Bintray, so my guess is that Stripe might change the way they distribute the binary.
Then I found that one can use Stripe in a primitive way, without the API. So I set that up, and it seems to work.
Sometime soon I will go back to the metalvps API, the shell script which will invoke it, and also the Stripe API.
@yoursunny said: iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.
Do you mean anything more than dropping traffic from a VPS which doesn't originate from the IP address assigned to the VPS?
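One concrete shape for the "client certificate in the home folder" plus "shell script that invokes the API" items from @yoursunny's list, and for the MetalVPS API sketched in the post above, as an added example that is not code from the thread or from MetalVPS. Everything about the API is assumed: the base URL in METALVPS_API, the /vps/<vmid>/<action> path layout, and the certificate path ~/.metalvps/client.pem. The script presents the user's client certificate with curl's --cert and refuses any action or vmid outside a fixed whitelist before it builds a URL, so the shell account cannot smuggle extra path segments into the request.

```sh
#!/bin/sh
# metalvps: hypothetical client for a per-user control API (added example).
# Assumptions: the API is reachable at $METALVPS_API, exposes
# /vps/<vmid>/<action>, and authenticates users by the client certificate
# the host administrator drops into ~/.metalvps/client.pem.
set -eu

API=${METALVPS_API:-https://api.example.invalid/v1}
CERT=${METALVPS_CERT:-${HOME:-}/.metalvps/client.pem}

usage() {
    echo "usage: metalvps <start|stop|shutdown|reboot|status> <vmid>" >&2
    exit 64
}

# Only a fixed set of actions and a purely numeric vmid reach the URL, so a
# caller cannot inject extra path segments or query strings.
build_url() {
    case $1 in start|stop|shutdown|reboot|status) ;; *) return 1 ;; esac
    case $2 in ''|*[!0-9]*) return 1 ;; esac
    printf '%s/vps/%s/%s\n' "$API" "$2" "$1"
}

# status only reads; every other action changes state, hence POST.
http_method() {
    if [ "$1" = status ]; then echo GET; else echo POST; fi
}

main() {
    [ $# -eq 2 ] || usage
    url=$(build_url "$1" "$2") || usage
    # The private key never leaves the user's home directory; curl presents
    # the certificate, and the API maps it to the user and decides which
    # vmids that user may touch.
    curl --fail --silent --show-error --cert "$CERT" \
        -X "$(http_method "$1")" "$url"
}

# Run only when invoked with arguments, so the functions can also be sourced.
[ $# -eq 0 ] || main "$@"
```

Invoked as `metalvps reboot 101`, the script sends `POST .../vps/101/reboot` with the certificate; the authorisation decision (which user owns vmid 101) belongs on the API side, not in this script, because anything the shell account can read it can also edit.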
I will do some more checking. If LXC works and you like it -- that's great. If not, we can try KVM. Or, if you wanna invest the time, you can take one of each for awhile and see which you like better.
IP addresses for administrative access
Okay, one IPv4 address for your VPS, no IPv6, no problem.
Proxmox has a web GUI to which you can have access to start, shutdown, stop, reboot, and reinstall, your VPS. Also, in the web GUI you can monitor performance of both the host node and your VPS. The web GUI is firewalled, so, if you want access to the web GUI, I need to know one or two IP addresses from which to allow access.
Maybe you could PM me your access addresses and your new public key? Or just post them here.
I will do some more checking. If LXC works and you like it -- that's great. If not, we can try KVM. Or, if you wanna spend invest the time, you can take one of each for awhile and see which you like better.
If that's the case, I will use LXC. There's a good chance we might learn something interesting from it. Well, my containers are indeed rootless, and they don't need any special permissions like capabilities (CAP).
(...)
Proxmox has a web GUI to which you can have access to start, shutdown, stop, reboot, and reinstall, your VPS. Also, in the web GUI you can monitor performance of both the host node and your VPS. The web GUI is firewalled, so, if you want access to the web GUI, I need to know one or two IP addresses from which to allow access.
Maybe you could PM me your access addresses and your new public key? Or just post them here.
Ah, here is my new key:
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAy+3I31biDr2eG25kbTKxndq/EhpEN5lnGwTbvHgsX6 mobile@lowendspirit
As for the address, can you set it up so it's only accessible from my localhost side? I mean, I will log in via SSH later and open a dynamic port, then I'll access the GUI just through that SOCKS5 proxy.
@Not_Oles said:
Just now, for the very first time, I found out about rbash.
rbash is too restrictive: it limits what commands can be executed, based on command binary name.
If user can compile and execute their own programs in the shell account, rbash cannot save you.
It's better to impose restrictions using file ownership, capabilities, cgroups, etc.
This allows more flexibility: user can compile or upload their programs, but they would not get around any restriction in place.
Not every usage requires a virtual machine or container.
The shell account itself is capable of running compute and networking workloads.
@yoursunny said: iptables rule to make user's traffic originate from an IP address assigned to them, instead of the server's IP address.
Do you mean anything more than dropping traffic from a VPS which doesn't originate from the IP address assigned to the VPS?
Using iptables owner module, you can make traffic from the shell account originate from an IP address assigned to the user.
I got distracted by Stripe's enticing command line static go binary, which seemed to work for me inside an LXC container
Go programs are statically linked and only depend on the kernel. They don't even need libc. Thus, the same binary can work everywhere.
JFrog announced they were closing Bintray, so my guess is that Stripe might change the way they distribute the binary.
I have two blog posts that depend on Bintray. I'm in trouble now.
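The "file ownership, capabilities, cgroups" plus iptables owner-module approach from the two @yoursunny posts above, as an added example that is not code from the thread, from @yoursunny, or from MetalVPS. Assumptions: the host runs systemd, so each login of a UID lands in user-<uid>.slice; the users' assigned addresses are configured as secondary addresses on eth0; and the USERS table is constructed sample data using documentation addresses. By default the script runs in dry-run mode and prints the commands it would execute, so it can be read and tested without root.

```sh
#!/bin/sh
# Added example: host-side limits for shell accounts. Not from the thread.
# Assumptions: systemd user slices (user-<uid>.slice), users' secondary IPs
# on $WAN_IF, and a constructed USERS table; DRY_RUN=1 prints instead of acts.
set -eu

WAN_IF=${WAN_IF:-eth0}
DRY_RUN=${DRY_RUN:-1}          # set DRY_RUN=0 and run as root to apply

# username uid assigned-ip   (constructed sample data)
USERS='alice 1001 203.0.113.10
bob 1002 203.0.113.11'

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# cgroup limits: every login of the UID lands in user-<uid>.slice, so the cap
# covers whatever the account runs, including binaries it compiled itself,
# which is what rbash cannot do.
limit_user() {                 # limit_user UID CPU MEM
    run systemctl set-property "user-$1.slice" "CPUQuota=$2" "MemoryMax=$3" TasksMax=512
}

# Make the account's own connections leave from its assigned address. The
# owner match only sees locally generated packets (OUTPUT, nat/POSTROUTING);
# traffic forwarded from the user's VPS needs its own rule on that interface.
map_user_source() {            # map_user_source UID IP
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -m owner --uid-owner "$1" \
        -j SNAT --to-source "$2"
}

apply_all() {
    run iptables -N USER_EGRESS          # fails if it already exists: flush first
    run iptables -A OUTPUT -o "$WAN_IF" -j USER_EGRESS
    printf '%s\n' "$USERS" | while read -r _user uid ip; do
        limit_user "$uid" 100% 4G
        map_user_source "$uid" "$ip"
        run iptables -A USER_EGRESS -m owner --uid-owner "$uid" -j RETURN
    done
    # Fail closed: an ordinary account missing from the table gets no egress
    # at all instead of silently using the host's own address.
    run iptables -A USER_EGRESS -m owner --uid-owner 1000-65535 -j REJECT
}

apply_all
```

Note the ordering: the SNAT in nat/POSTROUTING runs after filter/OUTPUT, so the USER_EGRESS chain decides whether a UID may send at all, and the nat rule then decides which address it sends from. The port-number spreadsheet from the university setup is not enforced here; the owner match cannot see inbound packets, so listening ports would need a separate mechanism.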
@vyas said:
So what is on offer finally? I mean sometimes money gets uneasy sitting in the wallet?
Okay, let's see if I can make a clear and concise preliminary statement of the offer as currently seems like it might be proposed. I need to do that for an ad, which I hope to put up soon.
Each stackable slice gets:
1 AMD Ryzen™ 9 5950X logical core (your choice of either one 100% dedicated core or four x 25% dedicated burstable to 100% fair share cores)
4 GB ECC RAM
100 GB NVMe RAID 1
1 IPv4 plus 1 IPv6 (/128) if desired
1 Gbps unlimited fair share
Access to Proxmox web GUI (start, shutdown, stop, reboot, backup, and reinstall, your VPS. Also monitor performance of your VPS and the host node).
Maybe a shell account on the host node.
Pricing
One slice, $11.02 per month.
Two slices, but with only 1 IPv4, $19.40 per month.
No payment due until VPS is up, and client is 100% satisfied.
Payment via Paypal or Stripe.
Usual warnings about grumpy, incompetent, clueless, greedy, slow administrator; not for business use; no Service Level Agreement.
@Not_Oles said: Time is passing. Makes me think of 不知老之將至 (not noticing that old age is about to arrive). But I do not agree with this part: 猶不能不以之興懷 (one still cannot help being stirred by it)
wow you know your Chinese!
不是 (No.) There is a Chinese to English translation in the Wikipedia article linked above.
I am a terrible student. The worst!
@terrorgen How is your wenyanwen and guwen? (Not joking. Serious question, as long as you do not mind my asking.)
People say that the old poems sometimes rhyme when recited in modern Cantonese! I wonder how true that is. . . .
You know about the four treasures, right? Well, my ink is light grey. I do not understand why. I grind and grind. It's still light grey. . . .
You know about the butterfly dream, right? Inside my mind there is a dream that someday I would know Chinese. But perhaps there is no more reality in my dreams than in the dreams of the butterfly? "Name is the guest of reality."
What I am writing here will sound completely crazy to many people. Nevertheless these are words from the heart. To the Chinese, what are "words from the heart?"
Comments
Thanks everyone! Greetings from Mexico!
Thank you @yoursunny!
I had heard of matomo but not about AlwaysData. I will take a careful look. Very interesting!
Time is passing. Makes me think of 不知老之將至 (not noticing that old age is about to arrive). But I do not agree with this part: 猶不能不以之興懷 (one still cannot help being stirred by it); I am happy!
Good to see you again, sire.
One slice.
Debian stable, latest.
(Rest in peace, CentOS.)
I have no idea. If the server is LXC, should I pick LXC too? As long as Podman works, I think LXC is fine.
A different one; I think that key was from my disposable one. So, to be safe, I'll use a new key.
I'm sure I only need one IPv4, no need for IPv6 yet (because my use isn't exactly about networking).
Yes. You will regret asking this question.
Google found me this seemingly good news that Podman might work with LXC or LXD: https://github.com/containers/podman/issues/4131#issuecomment-542357584
Hope so!
Install OpenCV 3.2.0 on Raspberry Pi Zero W in 15 Minutes uses an APT repository.
This can be self-hosted with reprepro.
How to Flash C.H.I.P Offline uses a static file repository.
This will be eliminated because another site has a copy already.
This is the way -> http://www.panix.com/shell/
Wow Panix - the home to some oldschool hackers.
Hi @mobile! Your container is up. I sent you a PM with login info. Have fun! Tom
I am PMing you to not derail the discussion here
I am cancelling my account for moral and legal reasons. 10/10, MetalVPS is a recommended service if you aren't doing illegal sh*t.
Thank you for the party.