Kernel exploits. Containers logically isolate resources but they’re still effectively running as processes on the same kernel sharing the same hardware. There was one of those just last year: blog.aquasec.com/cve-2022-0185-linux-kernel-conta…
Virtual machines are a whole other beast because the isolation is enforced at the hardware level, so you have to exploit hardware vulnerabilities like Spectre or a virtual device like a couple years ago some people found a breakout bug in the old floppy emulation driver that still gets assigned to VMs by default in QEMU.
Security comes in layers, so if you’re serious about security you do in fact plan for things like that. You always want to limit the blast radius if your security measures fail. And most of the big cloud providers do that for their container/kubernetes offerings.
If you run portainer for example and that one gets breached, that’s essentially free container escape because you can trick Docker into mounting and exposing what you need from the host to escape. It’s not uncommon for people to sometimes give more permissions than the container really needs.
It’s not like making a VM dedicated to running your containers cost anything. It’s basically free. I don’t do it all the time, but if it’s exposed to the Internet and there’s other stuff on the box I want to be hard to get into, like if it runs on my home server or desktop, then it definitely gets a VM.
Otherwise, why even bother putting your apps in containers? You could also just make the apps themselves fully secure and unbreachable. Why do we need a container for isolation? One should assume the app’s security measures are working, right?
If they can find a kernel exploit they might find a hardware exploit too. There’s no rational reason to assume containers are more likely to fail than VMs, just bias.
Oh and you can fix a kernel exploit with an update, good luck fixing a hardware exploit.
Now you’re probably going to tell me how a hardware exploit is so unlikely but since we’re playing make believe I can make it as likely it suits my argument, right?
If you don’t want a clevo/tongfang laptop with a custom logo on the lid, look at Framework, Starlabs, Purism, Dell or Lenovo, though the last two don’t offer Linux on most models.
If you don’t really care about the OEM, but still want a “guaranteed” good Linux experience, then System76, Tuxedo or Slimbook should fit your needs. Just consider that Slimbook and Tuxedo are from Europe so you could get duties if you’re in the US
I don't have any experience with Tuxedo or Framework, so I can't really comment on those 😅
I have definitely heard Lenovo ThinkPads are great though, and I'm currently rocking a Lenovo Legion Slim 7 which has been fantastic so far (albeit I JUST got it and I'm rolling Windows on it with WSL2 Debian, so not exactly a pure Linux experience).
Hell yeah I am. I’ve been using linux since 2019. I bought a dell laptop and installed manjaro.
I recently discovered GNU Guix and decided to install it onto an old desktop (built in 2009) I had laying around. I used a system crafters custom installer and the accompanying video to do a non-libre kernel install. I’ve been liking Guix and I think I’m going to install it onto my laptop and make it my daily driver.
Me - Yes. I use Debian 12. No intention any time to go back because of how much I love using Debian. May fire up a VM of Arch so I can run some specific AUR packages I am curious to try out, but we’ll see. I am cautious to go on another distor hopping bender between Debian and Arch as they are my 2 favorite distros and I am easily led to do that.
Work - No and that is fine me. I have no control over that and I’m still productive with Windows/Microsoft products.
Family - I am the tech support person of the household. I prefer for people to use what they are comfortable with because that’s less on me to maintain.
it always fascinates me when somebody tells about something they do and ppl first of any other reaction spits out how they should do instead. Not interesting at all and often annoying if it isn’t at least preceded by a “I find it interesting you did choose this approach, mind to share thenwhy and more details?” :D
I have a NVDIA GPU and no idea what could be the problem here, unfortunately. The only thing that comes to mind is that when you bake textures you need to disconnect the metallic node or turn it to 0, otherwise the bake will be completely black. No idea if this is related but it looks like it might be a problem with reflection?
You tried to uninstall and reinstall the GPU drivers? Are there different versions of the drivers (for NVDIA there are) that you could try?
build the image properly, or use good images. This means limit dependencies as much as possible, as minimal images as possible (less updates due to CVEs, less tooling).
do not mount host volumes, if you really have to, use a dedicated subpath owned by the user of the container. Do not use homedirs etc.
do not run in host namespaces, like host network etc. Use port mapping to send traffic to the container.
If you want to go hardcore:
analyze your application, and if feasible, build and use a more restrictive seccomp profile compared to the default. This might limit additional syscalls that might be used during an exploitation but that your app doesn’t need.
run falco on the node. Even with the default set of rules (nothing custom), many exploitation or posts-exploitation steps would be caught, such as “shell spawned” etc.
It’s the de-facto standard for runtime container security (sysdig is based on it). The only competitor afaik is aqua security’s tracee, which is way less mature. It is very well supporter, there are tons of rules maintained by the community and it is a CNCF project used by enterprise solutions (I.e., shouldn’t disappear overnight).
Why bother with Windows? Mostly the same reasons moving from Windows to a Mac can be a pain, however on macOS you get better professional software support and less reasons to virtualize Windows from time to time. To be fair, what’s the point of using X operating system if some of the tools you need require a virtual machine or you’ve to use alternatives that are sub-par, will make you waste time and have a worse experience. Again even under macOS with Microsoft’s own MS Office for Mac things sometimes aren’t as compatible as they should be.
Linux desktop is great, I love it but I don’t sugar coat it nor I’m delusional like most posting about it. Here is a list of cases that aren’t easy to deal in Linux:
People who need the real MS Office because once you have to collaborate with others Open/Libre/OnlyOffice won’t cut it;
Designers who use Adobe apps that won’t run properly without having a dedicated GPU, passthrough and a some hacky way to get the image back into your main system that will cause noticeable delays;
People that run old software / games because not even those will run properly on Wine;
Electrical engineers: Circuit Design Suite (Multisim and Ultiboard) are primarily designed for Windows. Alternatives such as KiCad and EasyEDA may work in some cases but they aren’t great if you’ve to collaborate with others who use Circuit Design Suite;
Labs that require data acquisition from specialized hardware because companies making that hardware won’t make drivers and software for Linux;
Architects: AutoCAD isn’t available (not even the limited web version works) and Libre/FreeCAD don’t cut it if you’ve to collaborate with AutoCAD users;
Developers and sysadmins, because not everyone is using Docker and Github actions to deploy applications to some proprietary cloud solution. Finding a properly working FTP/SFTP/FTPS desktop client (similar WinSCP or Cyberduck) is an impossible task as the ones that exist fail even at basic tasks like dragging and dropping a file.
If one lives in a bubble and doesn’t to collaborate with others then native Linux apps might work and might even deliver a decent workflow. Once collaboration with Windows/Mac users is required then it’s game over – the “alternatives” aren’t just up to it.
Windows licenses are cheap and things work out of the box. Software runs fine, all vendors support whatever you’re trying to do and you’re productive from day zero. Sure, there are annoyances from time to time, but they’re way fewer and simpler to deal with than the hoops you’ve to go through to get a minimal and viable/productive Linux desktop experience. It all comes down to a question of how much time (days? months?) you want to spend fixing things on Linux that simply work out of the box under Windows for a minimal fee. Buy a Windows license and spend the time you would’ve spent dealing with Linux issues doing your actual job and you’ll, most likely, get a better ROI.
Also, the guys take on “what you go for it’s entirely your choice” when it comes to DE is total BS. What usually happens is that you’ll eventually find out while you can use any DE in fact GNOME will provide a better experience because most applications on Linux are design / depend on its components and installing them on KDE will simply give you small issues here and there, windows that don’t pick on your theme or simply create a frankenstein of a system composed by KDE + a bunch of GTK components.
Im curious about your WINE comment, because you can go into the dialog that selects which version of Windows it “emulates”. The drop down has what looks like every release of windows back to DOS.
As for can’t collaborate, that depends on the industry. Teamcenter PLM and Siemens NX CAD work on both RHEL and SUSE desktop. When W10 came out it made those programs less performant so I switched to OpenSUSE and installed the NX CAD to get performance back.
WINE comment, because you can go into the dialog that selects which version of Windows it “emulates”.
Until the emulation fails at some basic Window API feature like window tabs with multiple rows that any Windows version from 95 does just fine. Or… until you try to get MS Office 2016 working and it requires dozens of hacks to end up with something very slow to startup and have graphical glitches… or 2019 also not working, or not being able to install 2021. Or… until you find out that Wine is still unable to just tell applications the screen size fucking up everything that depends on it. Wine is far from perfect and it isn’t that good.
As for can’t collaborate, that depends on the industry
Yes, you are lucky you got NX CAD for Linux, because for most people that’s not the case. Adobe products are a no go, AutoCAD is a no go, same goes for Multisim / Ultiboard.
WINE doesn’t emulate it translates the code so that it can run natively, so any problem you have is because you haven’t installed the windows dependencies of the program you are trying to run which you can do trough winetricks. And wine comes with a configuration tool called winecfg, and on there you can edit the window scaling, wine can in fact tell apps to screensize up
It sounds like you have Windows in one disk and Ubuntu in another disk. Confirm this before proceeding.
Now if that’s true, and what you said about dedicated windows ssd on a boot loop, it sounds like MRB needs fixing. I suggest you make yourself a windows 10 USB disk or disc. Run that and when it asks to install, you look for recovery. And try to run the fix boot and recover MRB.
You are correct. Thank you for giving some options for processing on this path. I’m still deciding whether I want to continue trying the dual boot route, figuring out how to get VMX running, or just maining Linux and dealing with the learning curve. I do feel that my end plan, however long that would be, is to be using Linux as my primary OS anyway and there’s no time like the present, but for all I know after sleeping on it I may decide that I still want a functional Windows in my laptop.
It’s probably like the Bixby button on my Samsung phone: all it does is complain I haven’t set it up yet when I accidentally push it while changing the volume.
Completely tangential tip, but in the very-limited video editing I’ve done recently: I’ve used Davinci Resolve, rendered as .mov, and then used ffmpeg to render to my actual desired format. e.g. h264 w/ aac audio so I can upload to Youtube:
I do think that finding the right flags to pass to ffmpeg is a cursed art. Do I need to specify the video profile and the pix_fmt? I don’t know; I thought I did when I adventured to collect these flags. Though maybe it’s just a reflection of the video-codec horrors lurking within all video rendering pipelines.
edit: there may also be nvidia-accelerated encoders, like h264_nvenc, see ffmpeg -codecs 2>/dev/null | grep -i ‘h.264’. I’m not sure if the profile:v and pix_fmt options apply to other encoders or just libopenh264.
using openh264… well that’s a choice. I would recommend to everyone that they use x264 whenever possible, and make sure to specify output crf and likely preset when you fo
A couple other things, you generally want to do pixel format conversion before the codec, is specified. You should be able to get satisfactory results with ffmpeg -i input.mpv -pix_fmt yuv420p -c:v libx264 -preset medium -crf 24 -c:a aac output.mp4 Play with preset a bit since that is where your Quality/Compression : Speed ratio comes in, CRF is the quality it handles. So you set CRF for a ballpark quality you want, then change the preset, slower = higher compression, faster = lower compression.
haha, yeah figuring out those ffmpeg flags is an absolute nightmare. My problem there isn’t so much the output format from Resolve, but source format I’m using. My camera only has the option to record in H.264/H.265 (consumer grade, what can you expect?) which Resolve can’t properly import on Linux. I could take the time to transcode them with ffmpeg before editing, but I’m usually working with ~2 hours worth of video per project and I don’t really want to wait all day for a transcode job to finish before I can even begin editing. On top of that my camera (rather neatly) generates its own proxy files while recording, and I’ve found leveraging these is necessary for getting good timeline performance on my aging rig. Now I could let Resolve generate its own proxy clips like I have in the past, but that’s more time waiting around before editing. I was SUPER stoked to see Kdenlive can natively utilize the proxy clips my camera generates.
Can I be ridiculous here and say that a nook e-reader or kobo e-reader, and a steamdeck would suffice?
Maybe just a kobo?
I know it’s not Linux and that’s what you asked for, but at the end of 2022 when I looked into this I had a hard time finding Linux tablet with a good UX.
E-reader sounds like good advice though, unless they really need colour (e.g. are planning to mainly read comics). MEGA sync probably won’t work, but Pocket might be good enough?
Kobo’s are basically Linux, and have quite a few customisation options.
I had reasoning for the steam deck when I wrote that but I’m struggling to recall why. There was some niche with Linux for it since it has good support for Linux applications but I can’t remember how I thought it would fit
You are lucky. Last night both Linus Torvalds and Bill Gates broke in my house and held me at gunpoint until I made my choice. (Tim Cook would have been there too, but apparently he was guided down the wrong street.)
while I was writing this comment I came across this: LinVAM which sounds like exactly what you are looking for. But, if that doesn’t work out for you here’s what I was originally writing:
Voice Attack may fit your needs.
BUT
it’s not Linux native.
It’s not free.
However, my research does suggest that it works in Linux via proton/wine, and so it may serve your needs since what you’ve described is basically exactly that software’s whole purpose. It’s popular for adding voice control to games by mapping voice commands to game controls.
i am sure LinVAM works great but i am on wayland so will have to give it a miss, also voice attack is a goto but i am unable to find how to use it in linux, theres a reddit post but deleted
It’s available on Steam, so you could get it there and run it through Proton. I don’t know how well it works there like that, but if it doesn’t work you could refund it.
Do you know what those dependencies are? They may be installable using protontricks, or manually via wine into the prefix if that doesn’t work. I have had some luck doing that for other software in the past that required dependencies that weren’t satisfied.
linux
Active
This magazine is from a federated server and may be incomplete. Browse more on the original instance.