How to (and how not to) maintain your system, GIT and packages

/en/linux/blog/ zero-trustsecurity
10/Gennaio/2026
autoreRentaro
Rentaro
Good admin and his server
Good admin and his server 1000x1000
good_admin_and_his_server_exw.jpg

Let’s consider a standard situation where you have a main work computer on which you have three different projects.
One project is on nodejs, the second is a production project on python, and the third is your personal “pet project”, also on python.
You also have personal and work email in the same system, and, say, a browser and home-banking.
And all this under your login.
Well, not under the root login, of course! ¯\_(ツ)_/¯
Everything is quite normal.

Many technically competent developers may have dozens of such projects.
And dozens of keys for SSH or GIT servers.


An example with the popular PyTorch framework


It’s quite ordinary: you write your code, commit it from time to time, and then a torchtriton update arrives in your cozy pet project.
And after that, the following data sets were transferred from your system, in accordance with the binary’s main function:

  • Get system information:
    • nameservers from /etc/resolv.conf
    • hostname from gethostname()
    • current username from getlogin()
    • current working directory name from getcwd()
    • environment variables
  • Read the following files:
    • /etc/hosts
    • /etc/passwd
    • The first 1,000 files in $HOME/*
    • $HOME/.gitconfig
    • $HOME/.ssh/*

The update arrived and the confidential data flew away.
It’s not just everything under your account (and possibly the system) has been compromised, but also, down the chain, everything you managed, committed to, and connected to.

How to (and...

Installing Major Python Versions on Debian Trixie

24/Dicembre/2025 pythontrixie

Very, very often you have to deal with the need to use a certain version of Python, for example, for torch, or for something specific.
Using conda or Docker with nvidia-container-toolkit and then setting up images like nvidia/cuda:13.0.1-runtime-ubuntu22.04 feels counterintuitive to me, even though I’ve done it many times.
And an additional packages have to be installed in the container.

It’s easier and more convenient to compile everything on the host system, but at the same time prevent contamination of the entire system with third-party libraries and executable files.

The following is an example of building multiple Python versions for the verpy group only, which is a bit more convenient than installing for just one user.

  • ai - an arbitrary user from whom the compilation is performed.
  • verpy - the group that will be allowed to use these versions.
1
2
3
4

apt install \
    build-essential libssl-dev zlib1g-dev libbz2-dev libreadline-dev libsqlite3-dev \
    wget curl llvm libncurses5-dev libncursesw5-dev xz-utils tk-dev libffi-dev \
    liblzma-dev libgdbm-dev libnsl-dev libgdbm-compat-dev

mkdir /opt/openssl
mkdir /opt/python
groupadd --gid 42398 verpy
usermod -aG verpy ai

Installing Major Python...

GitLab Agent Server Unauthorized error

25/Novembre/2025 kubernetesgitlabagentk

GitLab Agent Server: Unauthorized: Authorization header: expecting Bearer token 1400x350 kubernetes_gitlab_agent_error.png
GitLab Agent Server: Unauthorized: Authorization header: expecting Bearer token

Without going into detail about how exactly and why everything is organized, access is provided through the following chain:

1

Nginx stream ingress <> Main Nginx Frontend <> Nginx Backend inside GitLab instance.

The Main Frontend manages the gitlab subdomain, which is closed to external access via auth_basic authorization.

GitLab Agent Server...

Installing Kubernetes on LXC

21/Novembre/2025 kubernetesk8slxc

Kubernetes on LXC 1000x1040 kubernetes-on-lxc.png
Kubernetes on LXC

This example shows an installation over LXC, while for any more or less serious use this is completely unacceptable and requires using KVM with additional security measures.
And besides, installation on KVM will be much, much easier.
LXC does not provide adequate security because, for proper operation, it requires mounting the /sys and /proc partitions from the host, which are accessible to all LXC instances.
Furthermore, this example requires using a PRIVILEGED virtual machine.
However, LXC allows relatively easy setting up a testing infrastructure without the overhead associated with KVM.
So some aspects in this example will only be related to the setup in LXC.


On the HOST system

First, let’s make preparations on the host system.

nano /etc/modules

1
2
3
4
5
6
7
8
9
10
11

overlay
nf_nat
br_netfilter
xt_conntrack
rbd
fuse
ip_vs
ip_vs_rr
ip_vs_wrr
ip_vs_sh
iptable_nat

nano /etc/sysctl.d/35-lxc-kubernetes.conf

1
2
3
4
5
6
7
8
9
10
11

kernel.dmesg_restrict = 0
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.bridge.bridge-nf-call-iptables = 1
# --conntrack-max-per-core Default: 32768 * N
net.netfilter.nf_conntrack_max=131072
# net.bridge.bridge-nf-call-arptables
# kernel.pid_max=100000
# user.max_user_namespaces=15000
vm.compact_memory = 1
vm.overcommit_memory = 1
Installing Kubernetes on...

The root of all electronics problems

8/Novembre/2025 repairdyson

Dyson v12 turbine and main PCB 5504x3096 IMG_20251108_125522.jpg
Dyson v12 turbine and main PCB
The root of...
Pagina 1 di 11
1 2 3 4 5 Inoltrare