🚀 Infinito.Nexus is the infrastructure framework for #ITDienstleister & #SoftwareAgenturen:
✅ On-premise deployment in 90 minutes
✅ #LDAP & #OIDC SPOT for #IAM
✅ Integrated: #Nextcloud #Confluence #Jira #Moodle #BigBlueButton & more
✅ Easily integrate your own apps via #Docker
#InfinitoNexus #OpenSource #InfrastructureAsCode #SelfHosted
CLEAR is hiring Senior Frontend Engineer
🔧 #javascript #typescript #react #node #aws #docker #kubernetes #seniorengineer
🌎 New York City, New York
⏰ Full-time
🏢 CLEAR
Job details https://jobsfordevelopers.com/jobs/senior-frontend-engineer-at-clearme-com-jul-8-2025-6eca80?utm_source=mastodon.world&utm_medium=social&utm_campaign=posting
#jobalert #jobsearch #hiring
A Complete Guide to Install Docker in Rootful Mode in Debian 13 Trixie. Set up Docker like a pro!
Read full guide here: https://ostechnix.com/install-docker-debian-rootful-mode/
#Docker #DockerEngine #DockerCompose #DevOps #Debian13 #DebianTrixie #Oslevelvirtualization #Paas #Linux
Summary of the key information and findings
Article image (locally hosted) – Source: linuxnews.de

🚀 Take control of your AI usage! With LiteLLM + OpenWebUI you can unify cloud & local models, set real budgets, and never get surprise bills. Perfect for home labs and small teams. 🧑💻💡
#LiteLLM #OpenWebUI #Docker #AItools #HomeLab #LocalLLMs #APIGateway #AIbudget #TechBlog #SmallBusinessAI
https://victornava.dev/2025/09/02/litellm-at-home-one-endpoint-real-budgets-zero-surprises/
The system on my #Raspberry 4 is badly outdated. It is still running an old Bullseye. #Pihole in #Docker is also hopelessly outdated and probably not cleanly configured either, because of a lot of tinkering with it.
The best thing will be to set it up fresh once.
Pihole should run on it again. Additionally:
#Homeassistant or #ioBroker (not yet decided)
Also an #ADSB receiver and #FR24 feeder.
Open question: with or without Docker? Probably without, because updates are simpler.
A new forum post: https://linux-nerds.org/topic/1774/opencloud-release-3.4.0 #opencloud #docker #linux
✨ Curious about efficient download management? Discover how easily you can set up Aria2c via Docker! 🚀 Read the full article and follow @lars@dasnetzundich.de in the Fediverse for more tech tips. Reblog of the article: ⬇️ https://dasnetzundich.de/aria2c-einrichten-per-docker/ #TechTalk #Docker #Aria2c
A Docker Desktop zero-day allows container escape on Windows & macOS—malicious containers can access the Docker Engine API, mount host drives & escalate to host compromise. Linux unaffected.
Update to Docker Desktop 4.44.3 now!
#Docker #Security #DevSecOps
🌗 WinBoat: seamlessly integrate and run Windows applications on Linux
➤ Experience the wonder of Windows applications on the Linux desktop
✤ https://github.com/TibixDev/winboat
WinBoat is an open-source project that aims to let users run Windows applications in a Linux environment with a seamless integration experience similar to a native Linux desktop. The project uses Docker for containerization and FreeRDP for the remote desktop connection, so that Windows applications are displayed as independent windows on the Linux desktop, with support for filesystem integration and other advanced features.
+ This project sounds great; I can finally use the Windows software I'm used to on Linux!
+ Thanks to the developers for their efforts! Looking forward to WinBoat's future development, especially stability and support for more applications.
#Linux #Windows #虛擬化 #Docker #RDP
Paperless-ngx 2.18 with PDF editor
https://linuxnews.de/paperless-ngx-2-18-mit-pdf-editor/ #paperless_ngx #pdf #docker #opensource #linuxnews
A grumpy ItSec guy walks through the office when he overhears an exchange of words.
devops0: These k8s security SaaS prices are wild.
devops1: Image scanning, policy engines, "enterprise tiers"... why are we paying so much?
ItSec (walking by): You pay for updates & support, probably, but you can do some of this yourselves with a bit of k8s hacking.
devops0: How, exactly?
Disclaimer: this is a PoC for learning, not a production-ready solution.
Kubernetes can ask an external webhook whether a given image should be allowed via Admission Controller, in this case ImagePolicyWebhook [1]. The webhook receives an ImageReview payload [2], initiates a scan, and returns "allowed: true/false".
We will write a Flask endpoint that invokes Trivy [3] for each image and denies pod creation if HIGH or CRITICAL vulns appear.
Below is a minimal Flask service.
from flask import Flask, request, jsonify
import subprocess, json, re

app = Flask(__name__)


def is_valid_image_format(image: str) -> bool:
    # Whitelist the image-reference charset and reject anything that could be parsed as a flag.
    if not re.fullmatch(r"[A-Za-z0-9/_:.@+-]{1,300}", image):
        return False
    if image.startswith("-"):
        return False
    return True


def scan_with_trivy(image: str):
    # Argument-list form: no shell is involved, so the image needs no quoting.
    # --severity and --format are options of the "image" subcommand, so they go after it.
    cmd = [
        "trivy", "--quiet",
        "image", "--severity", "HIGH,CRITICAL",
        "--format", "json",
        image
    ]
    r = subprocess.run(cmd, capture_output=True, text=True)
    if r.returncode != 0:
        # Trivy failed (e.g. image not found): report an error, not "no findings".
        return None
    try:
        data = json.loads(r.stdout or "{}")
        results = data.get("Results", [])
        vulns = []
        for res in results:
            for v in res.get("Vulnerabilities", []) or []:
                if v.get("Severity") in ("HIGH", "CRITICAL"):
                    vulns.append(v)
        return vulns
    except json.JSONDecodeError:
        return None


@app.route("/scan", methods=["POST"])
def scan():
    body = request.get_json(force=True, silent=True) or {}
    containers = body.get("spec", {}).get("containers", [])
    if not containers:
        return jsonify({
            "apiVersion": "imagepolicy.k8s.io/v1alpha1",
            "kind": "ImageReview",
            "status": {"allowed": False, "reason": "No containers provided"}
        })
    results = []
    decision = True
    for c in containers:
        image = c.get("image", "")
        if not is_valid_image_format(image):
            results.append({"image": image, "allowed": False, "reason": "Invalid image format"})
            decision = False
            continue
        vulns = scan_with_trivy(image)
        if vulns is None:
            # Scanner error: fail closed rather than admit an unscanned image.
            results.append({"image": image, "allowed": False, "reason": "Scanner error"})
            decision = False
            continue
        if vulns:
            results.append({"image": image, "allowed": False, "reason": "HIGH/CRITICAL vulnerabilities detected"})
            decision = False
        else:
            results.append({"image": image, "allowed": True})
    return jsonify({
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {"allowed": decision, "results": results}
    })


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)
Run the service wherever Trivy is available. Tip: warm up the Trivy vulnerability DB once so the first request will not time out.
trivy image alpine:3.22 #warm up
gunicorn -w 4 -b 0.0.0.0:5000 app:app
Test it with an ImageReview-like request. Replace the URL and images as you wish/need.
curl -s -X POST http://127.0.0.1:5000/scan -H "Content-Type: application/json" -d '{
  "apiVersion": "imagepolicy.k8s.io/v1alpha1",
  "kind": "ImageReview",
  "spec": {
    "containers": [
      {"image": "alpine:3.22"},
      {"image": "nginx:latest"}
    ]
  }
}' | jq .
Tell the API server to use ImagePolicyWebhook. The AdmissionConfiguration points at a kubeconfig for the webhook endpoint (/etc/kubernetes/admission-control-config.yaml).
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        kubeConfigFile: /etc/kubernetes/webhook-kubeconfig.yaml
        allowTTL: 50
        denyTTL: 50
        retryBackoff: 500
        defaultAllow: false
The webhook kubeconfig targets your scanner's HTTP endpoint (/etc/kubernetes/webhook-kubeconfig.yaml). Edit the "server" value for your case.
apiVersion: v1
kind: Config
clusters:
  - name: webhook
    cluster:
      server: http://192.168.108.48:5000/scan
contexts:
  - name: webhook
    context:
      cluster: webhook
      user: ""
current-context: webhook
Mount the AdmissionConfiguration and enable the plugin in the API server manifest. Add the following flags and mount the config file; adjust paths and IPs to your environment (kube-apiserver.yaml):
---
apiVersion: v1
[...]
    containers:
    - command:
      - kube-apiserver
      [...]
      - --admission-control-config-file=/etc/kubernetes/admission-control-config.yaml
      - --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
      [...]
      volumeMounts:
      [...]
      - mountPath: /etc/kubernetes/admission-control-config.yaml
        name: admission-control-config
        readOnly: true
      - mountPath: /etc/kubernetes/webhook-kubeconfig.yaml
        name: webhook-kubeconfig
        readOnly: true
    volumes:
    [...]
        path: /etc/kubernetes/admission-control-config.yaml
        type: FileOrCreate
    - name: webhook-kubeconfig
      hostPath:
        path: /etc/kubernetes/webhook-kubeconfig.yaml
        type: FileOrCreate
After the API server restarts, the cluster will begin asking the app about images during pod creation. A quick check shows an allowed image and a blocked one:
kubectl run ok --image=docker.io/alpine:3.22
pod/ok created
kubectl run nope --image=docker.io/nginx:latest
Error from server (Forbidden): pods "nope" is forbidden: one or more images rejected by webhook backend
That's the whole trick. Kubernetes asks our Flask app. The app calls Trivy. If HIGH or CRITICAL vulnerabilities are present, the admission decision is deny, and the pod never starts. It's not fancy and, as I wrote before, it's not meant for production, but it illustrates exactly how admission can enforce image hygiene without buying an external SaaS.
[1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#imagepolicywebhook
[2] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#request-payloads
[3] https://github.com/aquasecurity/trivy
For more grumpy stories visit:
1) https://infosec.exchange/@reynardsec/115093791930794699
2) https://infosec.exchange/@reynardsec/115048607028444198
3) https://infosec.exchange/@reynardsec/115014440095793678
4) https://infosec.exchange/@reynardsec/114912792051851956
#appsec #devops #kubernetes #programming #webdev #docker #containers #k8s #cybersecurity #infosec #cloud #hacking #sysadmin #sysops
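The post above wires Trivy straight into the request handler, which makes the admission decision hard to test without a running scanner. The following is an added example, not the post's code: it keeps the same rules (image-reference whitelist, deny on HIGH/CRITICAL, deny on scanner error, deny on an empty request) but separates the decision from the subprocess, so it can be exercised offline and its fail-closed behaviour checked. It also emits the `status.reason` and `status.auditAnnotations` fields the ImageReview response supports, so a denial is explained in the API error and in the audit log. The scanner is injected as a callable returning a Trivy-style JSON report (or `None` on failure); the sample reports and the `CVE-0000-000x` identifiers are constructed placeholders, not real scan output.

```python
"""Testable admission decision for an ImagePolicyWebhook backend.

Added example, not the post's own code. Assumes a scanner callable
`scan(image) -> dict | None` that returns a Trivy-style JSON report
(dict) or None when the scan failed.
"""
import json
import re
from typing import Callable, Optional

IMAGE_RE = re.compile(r"[A-Za-z0-9/_:.@+-]{1,300}")
BLOCKING = ("HIGH", "CRITICAL")


def is_valid_image_ref(image: str) -> bool:
    """Same whitelist as the post: safe charset, and no leading dash that a CLI could read as a flag."""
    return bool(IMAGE_RE.fullmatch(image)) and not image.startswith("-")


def blocking_vulns(report: dict) -> list:
    """Collect HIGH/CRITICAL findings from a Trivy-style JSON report (Results[].Vulnerabilities[])."""
    found = []
    for res in report.get("Results") or []:
        for v in res.get("Vulnerabilities") or []:
            if v.get("Severity") in BLOCKING:
                found.append(v)
    return found


def review(image_review: dict, scan: Callable[[str], Optional[dict]]) -> dict:
    """Build the ImageReview response for an ImageReview request.

    status.allowed and status.reason are what ImagePolicyWebhook acts on;
    status.auditAnnotations are copied into the API server audit event.
    Every failure path (bad reference, scanner error, empty spec) is a deny:
    an admission check that fails open protects nothing.
    """
    containers = (image_review.get("spec") or {}).get("containers") or []
    reasons = []
    scanned, blocked = [], []
    for c in containers:
        image = c.get("image", "")
        if not is_valid_image_ref(image):
            reasons.append(f"{image!r}: invalid image reference")
            continue
        report = scan(image)
        if report is None:
            reasons.append(f"{image}: scanner error")
            continue
        scanned.append(image)
        found = blocking_vulns(report)
        if found:
            blocked.append(image)
            ids = sorted({v.get("VulnerabilityID", "?") for v in found})
            reasons.append(f"{image}: {', '.join(ids)}")
    if not containers:
        reasons.append("no containers in request")
    return {
        "apiVersion": "imagepolicy.k8s.io/v1alpha1",
        "kind": "ImageReview",
        "status": {
            "allowed": not reasons,
            "reason": "; ".join(reasons),
            "auditAnnotations": {
                "scanned-images": ",".join(scanned),
                "blocked-images": ",".join(blocked),
            },
        },
    }


# Constructed sample reports in Trivy's JSON shape (not real scan output);
# the CVE identifiers are placeholders.
SAMPLE_REPORTS = {
    "docker.io/alpine:3.22": {"Results": [{"Target": "alpine", "Vulnerabilities": []}]},
    "docker.io/nginx:latest": {"Results": [{"Target": "nginx", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "CRITICAL"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "LOW"},
    ]}]},
}


def sample_scanner(image: str) -> Optional[dict]:
    """Stand-in for `trivy image --format json`; an unknown image models a scanner failure."""
    return SAMPLE_REPORTS.get(image)


if __name__ == "__main__":
    req = {"spec": {"containers": [{"image": "docker.io/alpine:3.22"},
                                   {"image": "docker.io/nginx:latest"}]}}
    print(json.dumps(review(req, sample_scanner), indent=2))
```

In the Flask handler, `scan` would be a thin wrapper around the Trivy subprocess that returns `None` on a non-zero exit code, a timeout or unparsable output; everything else stays as above and can be covered by unit tests that never touch the network.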
