The importance of a network namespace

Docker/Podman/Containers have the ability to put your network interfaces into a "network namespace" that hides them from the outside world, so instead of a container user seeing you have a wlan0 and an enp5s0, they'd see a loopback and a single eth0 fake device that routes to something like 10.0.2.3, which routes to a real gateway interface via a containerized network bridge. Very cool stuff, and generally recommended.

EXCEPT when you are running Caddy, or another webserver, on, oh let's say

A public AWS Lightsail instance...

Why do you ask? Oh, nothing, it's not like I had, for example, a public AWS Lightsail instance taken offline by a bot DDOS attempt or anything - no. Of course not...

When you use the network namespace in this case, all the IP addresses in your logs look like 10.0.2.3, instead of the correct X.Y.Z.A that you would generally want them to be. The reason this is of chief importance, is because nice tools like crowdsec and fail2ban rely on these client_ip addresses being valid to block repeat offenders. By using the network namespace that comes by default in a container, you are missing this information, and thus your important network security is effectively bypassed!

Keep all your other containers in a network namespace, but remember to run your reverse proxy entry point container on the host stack so that it can preserve IP address information for logging and reporting! And remember to test your security by using a VPN to make yourself appear as an attacker. Attempt to break into your own services!

Stay tuned

========================
Follow pyamsoft around the Web for updates and announcements about the newest applications!
Like what I do?

Send me an email at: pyam.soft@gmail.com
Or find me online at: https://pyamsoft.blogspot.com

Follow my Facebook Page
Check out my code on GitHub
=========================

Flatpak and You

Flatpak is cool. It seems to be positioning itself as the future of packaging on desktop Linux. But, as with all cool things, there are a few top-of-mind points that you should be aware of, even if nobody actively talks about them.

Your decision tree, when installing a flatpak should be as follows, where failing to answer any step with an emphatic "YES" would stop you from continuing down the chain of application installation.

1. Is this a verified flatpak?

2. Is this verified flatpak published by the developer or a trusted developing community member?

3. Is the project still alive, does the flatpak run on the latest runtime, or have a very good reason for why it's not?

4. Does the flatpak ship with a minimal number of extra libraries outside of the runtime?

If you've answered yes to all the above, then it's safe to install the flatpak via the flathub-verified subset, life is good! This is generally the hardest step, as a poorly maintained flatpak can lack security updates or be too open by default. Generally you'll want to pick projects which official publish builds under flatpak, ideally as the "only" distribution channel, to ensure that they are always maintained to the best of the developer's ability.

If you've answered no, then your decision tree splits under the following:

1. Is the package in my distro's official repositories?

2. Is the package maintained by a reliable third party in the AUR, can I vouch for their ability to script a build and maintain it with reasonable turnaround time?

If you've answered yes, then great, install the package. As far as getting the "flatpak sandbox" style experience, you need to remember that flatpak is not a SECURITY sandbox, it's chiefly a "hide my user-homedir from other apps" kind of sandbox. This kind of low-security/high-convenience sandbox can easily be replicated using "raw" bwrap or things like distrobox if you are so inclined. This option is always second to installing an official flatpak, as flatpak handles all of the security and seperation bits for us and we just need to much around in little override files, as opposed to understanding the intricacies of bwrap itself. Nevertheless, bwrap jailing is better than not jailing at all.

Finally, if bwrap is not a viable solution for your program, you can prevent as much "user-homedir" access as possible by running the app as a second user and setting up a kind of "user-jumphost" script.

--

For general reference, I run almost all of my "daily" applications via verified flatpaks with restrictive overrides. 

For apps that have no officially verified flatpak, like Android Studio and Webstorm, I run them as bwrap restricted jails via packages from either the distro repositories, or the AUR, which at least allow me to namespace UTS, PID, USERNS, and shadow directories like /var/, /proc, /run, and /tmp. I use my own jail script, that gives me access to X11, Wayland, and Pipewire by default, so that "general desktop usage" is seamless. Sharing files in and out of the jail just requires me to copy or move a file into the jail-home first, which is minimal effort.

And finally, for apps like Steam, which I like to run using gamescope which requires root access to the /tmp/.X11-unix socket location and thus cannot be jailed, I run as a delegated user that has minimal privileges, no sudo access, and is only able to be interacted with to run that specific command. Generally this delegated user is reserved only for very special apps, like gamescope, which create their own nested display servers. Basically every other "normal" app can be bwrap jailed with some configuration.

With a bit of extra configuration and some files in the right places, you can have a system which is nicely compartmentalized! If I need to uninstall or reset a flatpak, I delete it's folder in ~/.var/app. If I need to uninstall or reset a bwrap jailed program, I delete it's folder in ~/.local/etc/jails. And if I need to reset a delegated user style application, I delete it's user and all their related home files. Keeps things nicely separated and running with minimal permission where possible.

Stay tuned!

========================
Follow pyamsoft around the Web for updates and announcements about the newest applications!
Like what I do?

Send me an email at: pyam.soft@gmail.com
Or find me online at: https://pyamsoft.blogspot.com

Follow my Facebook Page
Check out my code on GitHub
=========================

TetherFi Is Stubborn

Some devices run into a weird unexplained problem when trying to launch the TetherFi hotspot - the Broadcast starts up fine but the Proxy hits a random unexplainable "Invalid argument" error and fails to start.

According to the internet and the ktor source code in examples, the proper way to handle this, is to not handle it, ignore it, and try again. So okay, fine. TetherFi now has support for an optional mode called "Stubborn Proxy" which, when it sees this "Invalid Argument" error, will ignore it and simply try again. If it fails to start 10 times in a row, then we consider it truly a problem and stop, but for devices which just have single time random failures, this change should allow them to launch the proxy.

Various bugfixes in bound for the first release of 2024, version 40! It will enter Alpha on the store in a few days time and hopefully hit a wide public release sometime later this week.

Stay tuned!

========================
Follow pyamsoft around the Web for updates and announcements about the newest applications!
Like what I do?

Send me an email at: pyam.soft@gmail.com
Or find me online at: https://pyamsoft.blogspot.com

Follow my Facebook Page
Check out my code on GitHub
=========================

Trickle Just Never Catches a Break

Trickle is sadly dead dead this time around :(

It's a long and technical explanation so brace yourself - but the tl;dr of it all is:

Trickle will sadly be unable to function reliably enough on Android 14 and beyond. As such, I do not feel comfortable continuing to publish it as I do not believe it upholds the high standard of performance and reliability that I have set for myself. As of today Trickle is unpublished from the Play Store and is no longer maintained or supported. Sorry!

Android 14 changes various bits and pieces of how the system works - but the war on "background work" continues. Google has this time around changed things so that

1. Any process that runs in the background that expects a "reliable" level of regular activity needs to declare itself a Foreground Service.

2. Declaration of an FGS requires you to fill out a Google Play Store policy document for your service (this was, for example, done for TetherFi, which was able to get approval because it fit into a pre-defined Google category for "allowed Foreground Services", but Trickle does not).

The two problems with this were that - Trickle would never be approved for FGS policy, and running the service as a foreground priority would actually end up using more battery than the service saved - so from day 1, using Trickle as a long-running foreground service was a "no-go" solution.

Back in July, some changes were made to how the Trickle service was used that allowed it to run reliably in the background without needing to declare itself a Foreground Service. At the time, I thought this would be a long term solution, and that would be the end of the worries about future version compatibility.

In October, Android 14 released and with it came one important implementation change regarding cached processes. To avoid a long technical talk, on Android 14+, when your app is NOT a foreground service, and your UI is not open, the operating system "suspends" your app and all of its services until you re-open the UI again. This "suspend" window is generally unfixed, but can be anywhere between 30 seconds and 10 minutes. Basically, after 30 seconds of not being an open UI on screen, Trickle would stop receiving the system screen-off and screen-on events, and would therefore not be reliable any longer. Any potential solutions to this problem would generally use more battery than they saved, and thusly, it is infeasible to continue Trickle development further given that the future direction of Android seems to only be continuing to lock itself down regarding these "background service" style applications.

A sad day, but a day I had known would come eventually, and it seems like despite my initial excitement for it back in July, the reality of the October release brought back my original fear.

Trickle is sadly gone, and probably for good this time. Unless the big G decides to publish an API specifically for apps like these, there are no reasonable alternatives. A sad day.

TetherFi continues to be fully supported and the next release (40) will even include some performance improvements and hopefully improve compatibility with various devices, particularly those running on Android 14.

Stay tuned!

========================
Follow pyamsoft around the Web for updates and announcements about the newest applications!
Like what I do?

Send me an email at: pyam.soft@gmail.com
Or find me online at: https://pyamsoft.blogspot.com

Follow my Facebook Page
Check out my code on GitHub
=========================