I actually ran into a scenario where I wanted HDR on a Linux desktop only days after writing this. It was a stupid comment
I actually ran into a scenario where I wanted HDR on a Linux desktop only days after writing this. It was a stupid comment
If you don’t like snaps, don’t use the distribution by the company who tries to establish them.
PathPrefix no longer being regex stood out
Sharing the network space with another container is the way to go IMHO. I use podman and just run the main application in one container, and then another VPN-enabling container in the same pod, which is essentially what you’re achieving with with the network_mode: container:foo
directive.
Ideally, exposing ports on the host node is not part of your design, so don’t have any --port
directives at all. Your host should allow routing to the hosted containers and, thus, their exposed ports. If you run your workloads in a dedicated network, like 10.0.1.0/24
, then those addresses assigned to your containers need to be addressable. Then you just reach all of their exposed ports directly. Ultimately, you then want to control port exposure through services like firewalld, but that can usually be delayed. Just remember that port forwarding is not a security mechanism, it’s a convenience mechanism.
If you want DLNA, forget about running that workload in a “proper” container. For DLNA, you need the ability to open random UDP ports for communication with consuming devices on the LAN. This will always require host networking.
Your DLNA-enabled workloads, like Plex, or Jellyfin, need a host networking container. Your services that require internet privacy, like qBittorrent, need their own, dedicated pod, on a dedicated network, with another container that controls their networking plane to redirect communication to the VPN. Ideally, all your manual configuration then ends up with a directive in the Wireguard config like:
PostUp = ip route add 192.168.1.0/24 via 192.168.19.1 dev eth0
Wireguard will likely, by default, route all traffic through the wg0
device. You just then tell it that the LAN CIDR is reachable through eth0
directly. This enables your communication path to the VPN-secured container after the VPN is up.
I prefer having a convenient pull mechanism that I can trigger from a workstation in the lab network. I maintain the setup with Ansible