Arthur Attout's questions

I have a data folder at the root of my filesystem

arthur@debian:~$ ls -la /data
total 36
drwxr-xr-x  9 root   root            4096 Dec 13 09:45 .
drwxr-xr-x 21 root   root            4096 Dec 13 10:08 ..
drwxr-xr-x  2 root   root            4096 Jun 15  2020 500g2
drwxr-xr-x  6 root   root            4096 Nov 16 18:20 quad_1
drwxr-sr-x  5 arthur arthur          4096 Dec 13 13:29 tera_1
drwxrwxr-x  6 root   root            4096 Dec  7 00:00 tera_2
drwxr-xr-x  5 root   root            4096 Sep 18 21:32 tera_3
drwxr-xr-x  6 root   root            4096 May  5  2021 tera_4

I want to mount the entire directory as a docker volume, but the container must have readonly access. So I used :ro

sudo docker run -it --name testcontainer -v /data:/internal_data:ro --rm alpine:latest /bin/sh

When the shell spawns, I'm still able to write into the supposedly readonly container. Why is that ?

/ # touch /internal_data/test
touch: /internal_data/test: Read-only file system        # Ok, container prevented from writing
/ # touch /internal_data/tera_1/test                     # This worked
/ # touch /internal_data/tera_2/test                     # This worked
/ # touch /internal_data/500g2/test                      
touch: /internal_data/500g2/test: Read-only file system # Ok, container prevented from writing
/ #

This answer redirects to OpenXtra that suggests server rooms shouldn't run too cold. Google also suggests not going lower than 55°F, but doesn't go into details regarding why.

Given that:

• CPUs do work completely fine while in sub-zero temperatures.
• Hard drives will fail if going into uncommonly low temperatures (which won't be reached if living anywhere between northern Norway and southern Argentina).
• In general, electronics won't be ruined by cold, but by condensation and humidity.

Why would it be bad to run my server into an unheated basement as long as the temperatures aren't extremely low (-10°C to +15°C) and the air is reasonably dry?

Sometimes this kind of lines pop up in my access.log :

149.28.156.181 - - [13/Sep/2018:20:35:09 +0100] "GET /js/czjl.js HTTP/1.1" 301 184 "-" "Mozilla/5.0 ..."

The resource /js/czjl.js does not exist on my server. However, NGINX answered with 301 instead of 404. If I try the same request with Postman I get

192.168.1.67 - - [13/Sep/2018:21:09:34 +0100] "GET /js/czjl.js HTTP/1.1" 404 1140 "-" "PostmanRuntime/7.3.0"

which is the expected behavior.

Why is NGINX returning 301 instead of 404 if those resource aren't on my server ?

Here is my config

server {
    listen 80;

    server_name example.com www.example.com;

    location ~ /.well-known {
        allow all;
    }

    location / {
        limit_except GET {
            deny all;     
        }
        return 301 https://www.example.com$request_uri;
    }

    location ~ /\. { deny all;}

}

server{
    #FOR INTERNAL REQUESTS

    listen 8080;

    server_name 192.168.1.75;
    error_page 401 403 404 /404.html;
    location = /404.html {
            root /var/www/html/error/;
            internal;
    }

    location / {
        limit_except GET {
            deny all;     
        }
    }

    root /var/www/html;
    index index.html;
}

server {
    listen 443 ssl;

    server_name example.com www.example.com;

    location / {
        limit_except GET {
            deny all;     
        }
    }

    root /var/www/html;
    index index.html;
    error_page 401 403 404 /404.html;
    location = /404.html {
            root /var/www/html/error/;
            internal;
    }

    #SSL Config
    ...
}

I have been stuck with this status for the past 3 days, I can't figure out what I'm doing wrong.

I have this docker-mailserver, that can send mails to public SMTP hosts (outlook, gmail ..) but not to itself. When trying to send from [email protected] to [email protected], I get the following log :

May 18 21:48:55 mail postfix/smtp[9268]: 34C559BE: to=<[email protected]>, relay=none, delay=0.21, delays=0.02/0/0.18/0, dsn=5.4.6, status=bounced (mail for newproject.org loops back to myself)

here is the output of postconf -n

alias_database = ldap:/etc/postfix/ldap-users.cf
alias_maps = ldap:/etc/postfix/ldap-users.cf
append_dot_mydomain = no
biff = no
broken_sasl_auth_clients = yes
compatibility_level = 2
content_filter = smtp-amavis:[127.0.0.1]:10024
disable_vrfy_command = yes
dkim_milter = inet:localhost:8891
dmarc_milter = inet:localhost:8893
inet_interfaces = allinet_protocols = all
mailbox_size_limit = 0
milter_default_action = accept
milter_protocol = 6
mydestination = $myhostname, localhost.$mydomain, localhost
mydomain = newproject.org
myhostname = mail.newproject.org
mynetworks = 127.0.0.0/8 [::1]/128 [fe80::]/64 172.20.0.30/32
non_smtpd_milters = $dkim_milterpolicyd-spf_time_limit = 3600postscreen_bare_newline_action = enforce
postscreen_dnsbl_action = enforce
postscreen_dnsbl_sites = zen.spamhaus.org*3 bl.mailspike.net b.barracudacentral.org*2 bl.spameatingmonkey.net bl.spamcop.net dnsbl.sorbs.net psbl.surriel.com list.dnswl.org=127.0.[0..255].0*-2 list.dnswl.org=127.0.[0..255].1*-3 list.dnswl.org=127.0.[0..255].[2..3]*-4
postscreen_dnsbl_threshold = 3
postscreen_dnsbl_whitelist_threshold = -1
postscreen_greet_action = enforce
readme_directory = no
recipient_delimiter = +
relayhost =
sender_dependent_relayhost_maps = texthash:/etc/postfix/relayhost_map
smtp_header_checks = pcre:/etc/postfix/maps/sender_header_filter.pcre
smtp_sasl_auth_enable = yes
smtp_sasl_password_maps = texthash:/etc/postfix/sasl_passwd
smtp_sasl_security_options = noanonymous
smtp_sender_dependent_authentication = yes
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtp_tls_CApath = /etc/ssl/certs
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_security_level = encrypt
smtp_use_tls = yes
smtpd_banner = $myhostname ESMTP $mail_name (Debian)
smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unauth_destination, reject_unauth_pipelining
smtpd_delay_reject = yes
smtpd_helo_required = yes
smtpd_helo_restrictions = permit
smtpd_milters = $dkim_milter,$dmarc_milter
smtpd_recipient_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unauth_destination, check_policy_service unix:private/policyd-spf, reject_unauth_pipelining, reject_unknown_recipient_domain, reject_rbl_client zen.spamhaus.org,reject_rbl_client bl.spamcop.net
smtpd_relay_restrictions = permit_mynetworks permit_sasl_authenticated defer_unauth_destination
smtpd_sasl_auth_enable = yes
smtpd_sasl_local_domain = $myhostname
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_sasl_authenticated, permit_mynetworks, reject_unknown_sender_domain
smtpd_tls_CApath = /etc/ssl/certs
smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dhparams.pem
smtpd_tls_exclude_ciphers = aNULL, LOW, EXP, MEDIUM, ADH, AECDH, MD5, DSS, ECDSA, CAMELLIA128, 3DES, CAMELLIA256, RSA+AES, eNULL
smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
smtpd_tls_loglevel = 1
smtpd_tls_mandatory_ciphers = high
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_security_level = none
smtpd_use_tls = no
tls_high_cipherlist = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
tls_preempt_cipherlist = yes
tls_ssl_options = NO_COMPRESSION
virtual_alias_maps = ldap:/etc/postfix/ldap-aliases.cf, ldap:/etc/postfix/ldap-groups.cf
virtual_mailbox_domains = mail.newproject.org, /etc/postfix/vhost, ldap:/etc/postfix/ldap-domains.cf
virtual_mailbox_maps = ldap:/etc/postfix/ldap-users.cf
virtual_transport = lmtp:unix:/var/run/dovecot/lmtp

I have a MX record type for mail.newproject.org that points to the container (internal IP address).

What have I done that could cause the loop ?