Michael Neale's questions

I am happily running systemd inside a docker container, however, it requires CAP_SYS_ADMIN in order to dynamically create private tmp mounts.

I have attempted to disable the PrivateTmp, PrivateNetwork and PrivateDevices - but to no avail, when I startup the container I see:

Failed to mount tmpfs at /run: Operation not permitted

However, nowhere in /usr or /etc is there a service with PrivateTmp=yes (and others). Basing on: https://bugzilla.redhat.com/show_bug.cgi?id=1033604#c14 - I thought these would be all that causes systemd to dynamically create a mount - but there must be more. Any advice appreciated.

I am trying to see if I can run systemd inside a docker container (which is running arch linux in the container).

I start docker with all capabilities, and bind mount in cgroups:

docker run -it --rm --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:ro ..

however, if I try to run the systemd binary:

Trying to run as user instance, but the system has not been booted with systemd.

Trying to find out how to init things correctly to systemd starts.

I can see in the lxc repo README there is a trivial example:

lxc.seccomp = /var/lib/lxc/q1/seccomp.full

whith some commands to fill up a file with a whitelist which (it is claimed) allows everything.

Is there any documentation of what you can do with that seccomp config (specifically with LXC in this case). There seems to be no visible documentation on seccomp and LXC that I can find.

I am trying to use error_page like the following, to trap errors, and then read content from an external url, and send that to the client:

    error_page 404    =404      @err404;                                                                                                                                                               
    location @err404 {                                                                                                                                                                                  
             proxy_pass     http://www.myserver.com;                                                                                                                                                     
    }

This is in the "server" directive. I want any 404 to be caught by this (it is) - and then the content from http://www.myserver.com read - and returned as the body of the 404 returned to the client.

This almost works - but when I try to access http://myserver/somenonexistingURL, proxies through to http://www.myserver.com/somenonexistingURL - which seems unhelpful - is there a way to have it just proxy the content of exactly what I typed? Not proxy the entire request?

If I put

error_page 404 http://backend

Then I get a 30X redirect (as per the docs) - which is not what I want either.

Any ideas?

Docs: http://wiki.nginx.org/HttpCoreModule#error_page and http://nginx.org/en/docs/http/ngx_http_core_module.html#error_page

I am using http://wiki.nginx.org/HttpProxyModule for proxying.

Are there any tools that can give me statistics/connection data per server entry?

With FUSE it is possible to mount many things purely as a non privileged user. However, it seems that for webdav davfs2 is the preferred project, which appears to be a filesystem driver and uses the standard mount/umount which requires privileges.

Is there a way to use this (or another library) to mount webdav only as a user via fuse ? (i.e. so each user could mount a different webdav on a different server, without needing to configure anything in fstab etc).

As a happy user of runit - I am curious if it is possible to send a signal to the main process (or similar) telling it to look now at the service directory? the current behaviour is < 5 seconds (seems much faster most of the time) between scans for new services - but I thought it would be nice if I could also tell it (in cases where the 5 second worst case is annoying - rare - but annoying).

I need to support the realtek rtl8139 network card - is this included in modern (> 3.0) linux kernels? do I have to load any modules or install anything?

When reloading config (specifically for proxy_pass) - occasionally this will be seen: nginx: [emerg] host not found in upstream

However - the upstream server's name WILL resolve in the os (linux) - only nginx seems to have this problem.

This seems to be a recent regression - as it didn't seem to happen previous to 1.0.10 versions.

Has anyone noticed this recently?

Trying to narrow down places to search.

Is it possible to have a path appended (like the requirep below) but on a per server basis ? I can't see how it is possible in 1.3 or 1.4. There is redir, but redir does a HTTP redirect, not what I need.

backend something.abc.com 
    ...
  reqirep ^([^\ \t])(.*)[\ \t]/(.*) \1\2\ /businessGov/pad/businessgov.html\3
  server node1 someserver1:80 cookie node1  check
  server node1 someserver2:80 cookie node2  check

Is there a way for a running instance, via the meta-data facility to find out the ec2 account name that the instance is running under?

Looking up the meta-data service yields the following items we can query:

ami-id
ami-launch-index
ami-manifest-path
hostname
instance-id
local-ipv4
public-keys/
reservation-id
security-groups

None of which satisfy this - any ideas?

In EC2 EBS, when I attach a device via UI or api, I specify the device name (eg /dev/sdf through sdp). That drive letter is consistent between reboots ? It seems implied that it is (otherwise why would they let me set it).

And obviously I am meaning practically - is it dozens, or hundreds?

When using HAProxy for virtual hosting, I can see how to use the Host from the header at the front end to decide what backend to route to. However, is it possible to make the back end be a URL which includes a path (not unlike what you would do with apache or nginx when setting up virtual hosting).

http://www.techrawr.com/tag/haproxy/ - shows most of it. But what if the back ends were on the one server but with backend1 and backend2 as the servers?

If I have a master DNS that is not bind - can bind still slave to it? (ie does it use the DNS protocol or something else?).

Kind of related - but do people still do this or do they use some other form of data replication to keep DNS records in sync to the slaves (ie file/database copying)? I would like to have the slaves refreshed as fast as possible so I am thinking normal slaving with is expiry/poll based might not be optimal?

I would like to make them store data in a encrypted location.

I am also interested in Thunderbird, postbox etc...