• 27 Posts
Joined 4 years ago
Cake day: September 14th, 2021

• The only two important columns are “Local address: port” and “process”. The latter is which process is listening, while the former is the interface that process is listening on and the port.

So you see that I don’t have any process listening on any port other than 80 and 443 in the host and the regular ones.

That said, your containers will still listen on the ports you want but only on a virtual network interface.

Basically you only need to publish ports 80 and 443 on the container or pod you have your reverse proxy on. Other containers need to only be attached to the same network as you already did.

• It is good you have solved your initial issue. However, as you say, your rules are too permissive. You should not publish ports from containers to the host. Your container ports should only be accessible over the reverse-proxy network. Said otherwise, <my domain>:3000 should not resolve to anything.

This can be simply achieved by not publishing any port on your service containers.

    Here is an example of my VPS:

    Exposed ports:

    $ ss -ntlp
    State                Recv-Q               Send-Q                             Local Address:Port                             Peer Address:Port              Process                                                  
    LISTEN               0                    128                                                      *                  users:(("sshd",pid=4084094,fd=3))                       
    LISTEN               0                    4096                                                    *                  users:(("conmon",pid=3436659,fd=6))                     
    LISTEN               0                    4096                                                   *                  users:(("systemd-resolve",pid=723,fd=11))               
    LISTEN               0                    4096                                                     *                  users:(("conmon",pid=3436659,fd=5))                     
    LISTEN               0                    4096                                                  *                  users:(("systemd-resolve",pid=723,fd=19))               
    LISTEN               0                    4096                                               *                  users:(("systemd-resolve",pid=723,fd=17))  

    Redacted list of containers:

    $ podman container ls
    CONTAINER ID  IMAGE                                        COMMAND               CREATED        STATUS                 PORTS                                     NAMES
    docker.io/tootsuite/mastodon-streaming:v4.3  node ./streaming      2 months ago   Up 2 months (healthy)                                            social_streaming
    docker.io/eqalpha/keydb:alpine               keydb-server /etc...  2 months ago   Up 2 months (healthy)                                            cloud_cache
    localhost/podman-pause:4.4.1-1111111111                            2 months ago   Up 2 months  >80/tcp,>443/tcp  1111111111-infra
    docker.io/library/traefik:3.2                traefik               2 months ago   Up 2 months  >80/tcp,>443/tcp  traefik
    docker.io/library/nginx:1.27-alpine          nginx -g daemon o...  3 weeks ago    Up 3 weeks                                                       cloud_web
    docker.io/library/nginx:1.27-alpine          nginx -g daemon o...  3 weeks ago    Up 3 weeks                                                       social_front
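The check both comments above rely on (only sshd and the reverse proxy's 80/443 should be listening on non-loopback addresses) can be scripted over `ss -ntlp` output. This is an added example, not the commenter's code; the sample `ss` lines and the allowlist of 22, 80 and 443 are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original comments): audit the output of
# `ss -ntlp` and report listeners reachable from outside the host on ports
# other than an allowlist (here: ssh plus the reverse proxy's 80 and 443).
# If service containers do not publish ports, only the reverse proxy pod's
# 80/443 (and sshd) should appear on non-loopback addresses.

# audit_listeners "PORT PORT ..." reads ss -ntlp output on stdin.
# Prints one line per unexpected listener and returns 1 if any was found.
audit_listeners() {
    allowed="$1"
    rc=0
    while read -r state recvq sendq local peer proc; do
        # Skip the header line and anything that is not a listening socket.
        [ "$state" = "LISTEN" ] || continue
        port="${local##*:}"     # text after the last ':' is the port
        addr="${local%:*}"      # everything before it is the bound address
        # Loopback-only listeners (e.g. systemd-resolved on 127.0.0.53) are
        # not reachable from other hosts, so they are not "exposed".
        case "$addr" in
            127.*|"[::1]"*) continue ;;
        esac
        ok=0
        for p in $allowed; do
            [ "$p" = "$port" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "unexpected listener: $local $proc"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample in ss -ntlp format (not a real capture): a host where a
# service container still publishes port 3000, which the allowlist flags.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=1,fd=3))
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:* users:(("conmon",pid=2,fd=6))
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:* users:(("conmon",pid=2,fd=5))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=3,fd=11))
LISTEN 0 4096 0.0.0.0:3000 0.0.0.0:* users:(("conmon",pid=4,fd=6))'

demo() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners "22 80 443"
}

# Live use on the host: ss -ntlp | audit_listeners "22 80 443"
if demo; then
    echo "only allowlisted ports are exposed"
else
    echo "review the listeners above (unpublish the port; reach it over the proxy network instead)"
fi
```

On the constructed sample the script flags only the 0.0.0.0:3000 listener; the loopback resolver and the proxy's 80/443 pass.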

  • As @xmunk said, cleaning needs to be embedded in other tasks. If you cannot figure out how to embed a given task then you can set it for a fixed schedule. For example, you say that you clean your desk or office on Saturday morning and you have a given set of steps you accomplish.

Another trick I learned from the corporate world is to delegate the tasks. It is more manageable to follow up on someone doing it for you than you actually doing it. This can be someone else living with you, or someone you can hire to do it. For example, you can hire someone to clean the house every Sunday. This latter option could be expensive.

If you want to embed tasks and do it yourself, then you need to make them easy for you; for example, you can overstock cleaning products. Let’s say you have a kitchen microfiber towel that hangs nearby and a dedicated cleaning product at reach. You consider that a meal (lunch or dinner) equals fetching the ingredients, cooking, eating and cleaning dishes, putting away dishes, and finally cleaning them. If you don’t clean dishes then you consider you did not finish your dinner.

Same thing for the bathroom: you need cleaning tools at reach when you are in the bathroom, and don’t reuse kitchen stuff to clean the bathroom. Then when you shower, you clean the bathtub, the mirror, the sink, your underwear, wipe the floor, etc.