In-browser ad blocker...





.... well, defense in depth man ;-)

EDIT: NOT removing this post as it is still informative. As @oleksandr (thanks) pointed out it has Russian binding. So probably going back to the drawing board and finding something else for Chrome.

My original post:

“During the post “uBlock Origin era”, I’ve came into conclusion that overall AdGuard fits the bill best:

https://adguard.com/en/welcome.html”

https://www.reuters.com/world/europe/zelenskiy-cautious-after-putin-proposes-direct-peace-talks-with-ukraine-2025-05-11/

#fastmail does not have "envelope-to" or similar when configuring rules i.e., you have to go raw Sieve to reach that but I hope this will be sufficient workaround :-)

I also have had difficulties configuring some tools, such as vdirsyncer while trying to access Google contacts and calendar.

I used to have my inbox in one place, and calendar and contacts at Gmail. Not a political statement against Google, just nice to have all of this consolidated to single provider, when it comes to PIM :-)

Migrated to #fastmail for my personal email and @kernel.org. #email

this is what we build the product (Opinsys OS) on top of:

https://en.wikipedia.org/wiki/Puavo

@lkundrak @vegard sure \,,/

@vegard @lkundrak Yeah, not eagerly exploring on topic :-) Now I know enough to wrap a shitty build container with bash and unshare, which will cover at least the next 5+ years ;-)

@vegard @lkundrak TBH, I'm quite newbie with namespaces. I've just stuck before to VMs because they are so much easier. Now I actually needed a container for the first time ever (to substitute systemd-nspawn in a build).

@vegard @lkundrak OK yet another option I was not aware about, thanks :-)

@lkundrak @vegard And if I ever need to get away from Debootstrap I can probably just:

mknod /dev/null c 1 3
mknod /dev/zero c 1 5
mknod /dev/full c 1 7
mknod /dev/random c 1 8
mknod /dev/urandom c 1 9
mknod /dev/tty c 5 0

@lkundrak @vegard getting rid of /dev was at least dead easy:

+# Debootstrap populates `/dev/{null,zero,full,random,urandom,tty}`, meaning that
+# mounting devtmpfs to `/dev` is not required.
 sudo unshare \
   --mount \
   --uts \
   --root "$ROOTFS" \
   sh -c "
-    mkdir -p /proc
-    mkdir -p /sys
-    mkdir -p /dev
-    mount -t sysfs /sys /sys
     mount -t proc /proc /proc
-    mount -t devtmpfs /dev /dev
     mount -t devpts /dev /dev/pts
     hostname $MACHINE
# ...

I think I can iterate from this :-) E.g, proc-mount can be probably (I’d guess) made unprivileged with “–fork –pid” i.e., creating PID namespace.

@lkundrak @vegard As open-coded apparently "--map-user=0 --map-group=0". Great now I know at least what it does.

Probably "--map-auto" makes sense too for using uid/gid maps.

The goal here is to just substitute "systemd-nspawn" in a build with something that uses as little features as possible so that the build nests nicely with Github/Gitlab CI or anything. And do a home-baked container wrapper in order not to add dependencies ...

I need to check how systemd-nspawn and podman handle /dev etc. mappings from the implementation 🙂

@vegard,

Here’s an example:

sudo unshare \
  --mount \
  --uts \
  --root "$ROOTFS" \
  sh -c "
    mkdir -p /proc
    mkdir -p /sys
    mkdir -p /dev
    mount -t sysfs /sys /sys
    mount -t proc /proc /proc
    mount -t devtmpfs /dev /dev
    mount -t devpts /dev /dev/pts
    hostname $MACHINE
    su -c '$CMDLINE' $USER
  "

If I took sudo away, the mounts would fail on permission error, even with --map-root-user.

It’s even expected outcome, because if such tweak would work, it would be a privilege escalation i.e., a security vulnerability.

Still wondering what is the magic dust Podman uses here :-)

Check out our own Ryan Goodfellow’s fantastic InfoQ talk on how we're innovating rack-scale computing with P4! From programmable fabrics to debugging tools, Ry shares how to turn theory into production-ready systems. https://www.infoq.com/presentations/tofino-2/

@bartk there's really not whole a lot of options.

Web page might need some refresh :-)

https://himmelblau-idm.org/

Is #Himmelblau #SUSE project? Just seems something I might have some professional use.

#Azure #Intune

@vegard Right, "--map-root-user" was the thing I was probably looking for, thanks.