Docker 和 Podman 中的 Linux Capabilities
在运行 Docker (或 Podman) 容器时,有时即使使用 root 用户或者使用了 sudo,也会出现 Operation not permitted 的错误信息。这是因为容器中的 root 并不具有完整的 root 权限。这种权限的控制是通过 Linux capabilities 实现的。本文将首先介绍 Linux capabilities 的概念,然后以 Docker 为例介绍如何调整容器的 capabilities,最后介绍 Docker 和 Podman 在默认 capabilities 上的差异,以为容器的开发者和用户提供参考。
Linux Capabilities in Docker and Podman
When running Docker (or Podman) containers, sometimes you may encounter Operation not permitted error messages even if you are using the root user or sudo. This is because the root in the container does not have full root permissions. This permission control is implemented through Linux capabilities. This article will first introduce the concept of Linux capabilities, then use Docker as an example to introduce how to adjust the Linux capabilities of containers, and finally introduce the differences between Docker and Podman in default capabilities, providing reference for container developers and users.
Generate Private Keys on YubiKey and Use them on Windows
Up until I wrote this blog post, the tutorials and documentation I have come across regarding the use of Yubikey PIV certificates with Windows all involved having a complete set of private and public keys (generated outside of Yubikey) to be installed on Windows and imported into Yubikey for use. However, Yubikey also provides a more secure option: generating the private key on the Yubikey itself. The advantage of this method is that the private key never leaves the Yubikey, making it impossible for it to be leaked. But in such a case, we don't have a private key to import into Windows, and Windows is unaware of our corresponding digital certificate, so it won't consider our certificate as an available one for signing.
This article will explain how to generate a private key on the Yubikey and associate it with the certificate on Windows, to enable code signing on Windows. Although the purpose of this article is code signing, the association method described in the article also applies to other scenarios that require the use of private keys generated on the Yubikey.
截止到我写这篇博客,我在网络上所看到的将 Yubikey PIV 证书与 Windows 一起使用的教程和文档都是已经有完整的私钥和公钥(在 Yubikey 外生成),将其安装在 Windows 和导入到 Yubikey 使用。但是,Yubikey 还提供了一种具有更高安全性的选项:在 Yubikey 上生成私钥,这种方法的好处是私钥不会离开 Yubikey,因此不可能被泄露。但是在这样的情况下,我们没有可以用于导入到 Windows 的私钥,Windows 并不知道我们具有相应数字证书的私钥,在签名时不会将我们的证书作为可用的证书。
本文将介绍如何在 Yubikey 上生成私钥,使 Windows 将证书与 Yubikey 上的私钥相关联,以便在 Windows 上进行代码签名。尽管本文的目的是进行代码签名,但是文中的关联方法也适用于其他需要使用在 Yubikey 上生成的私钥的场景。
Cloudflare WARP is a free VPN service provided by Cloudflare. As most service providers consider its exit IP as a reputable residential broadband IP, many people use it for accessing websites that have strict risk control policies, especially when their server’s IP address is not clean. However, when we use it on our own servers, we may encounter the following issues:
1.1.1.1 with WARP, blocks all inbound connections, which means that websites and services on servers cannot be accessed.Local Proxy mode does not have the problem of blocking inbound connections, the HTTPS/SOCKS5 proxy it provides cannot transmit UDP packets.This article will run the official WARP client in Docker to solve the above problem. The project is published on GitHub.
Cloudflare WARP 是 Cloudflare 提供的免费 VPN 服务,由于多数服务商都将其出口 IP 视作信誉良好的家宽 IP,许多人将其用于 IP 地址较脏的服务器,以便访问风控较严格的网站。然而当我们将它在自己的服务器上使用时,会遇到以下的问题:
1.1.1.1 with WARP 下会阻断所有入站连接,这意味着服务器上的网站和服务都无法被访问Local Proxy 模式下尽管没有阻断入站连接的问题,其提供的 HTTPS/SOCKS5 代理并不能传输 UDP 数据包本文将在 Docker 中运行官方 WARP 客户端,以解决上述问题。项目代码已经发布到 GitHub。
Use PowerShell to Revoke Permission from a Certain User to Azure API
We can't revoke permissions from a certain user to an Azure API in Azure portal, but we can do this in PowerShell。You need administrator rights on this API。
This is to revoke the user's permission given to the azure API, not to prohibit the user from using the API. The user can still authorize the API again.
用PowerShell删除特定用户对Azure API的授权
在 Azure 门户中我们无法删除特定用户对 Azure API 的授权,但我们可以通过 PowerShell 来完成。你需要对该 API 的管理员权限。
这是撤销用户对 Azure API 的授权,而非禁止该用户使用该 API 。该用户仍然可以再次授权。