SLOP
I don’t remember him in The Wire, RIP.
An informative YT channel I found. I’m sure many people here might already know, but I found it helpful and it makes the comm a good resource for newer folks looking to get a handle on what all these tools do and how they will use them in their selfhosting.
Cgroups is not really a security feature (from what I understand). It is about controlling process priority, hierarchy, and resource limiting (among other things).
With respect, I think you misunderstand what gvisor does and containerization in general. cgroups2 is the isolation mechanism used by most modern Linux containers, including docker and lxc both. It is similar to the jail concept in BSD, and loosely to chroot. It limits child process access to files, devices, memory, and is the basis for how subprocesses are secured against accessing host resources without the permission to do so.
Gvisor adds more layers of control over this system by adding a syscall control plane to prevent a container from accessing functions in the host’s kernel that might not be protected by cgroups2 policy. This lessens the security risk of the host running a cutting-edge or custom kernel with more predictable results, but it comes with caveats.
Gvisor is not a universally “better” option, especially for homelab, where environment workloads vary a lot. Gvisor comes with an IO performance penalty, incompatibility with selinux, and its very strength can prevent containers from accessing newer syscalls on a cutting edge host kernel.
My original comment was that ultimately, there is no blanket answer for “how secure is my virtualization stack”, because such a decision should be made on a case-by-case basis. And any choice made by a homelabber or anyone else should involve some understanding of the differences between each type.
Yes, I understand what GVisor does. Cgroups2 are for isolation of system resources, but aren't even the main sandbox feature used for isolation by Docker. I am pretty sure namespaces are significantly more important for these containers’ security.
GVisor helps with one of the main risks in a container setup, which is the kernel shared by host and guests. I understand it comes with a performance penalty (and I didn't know it was incompatible with SELinux), but that doesn't change my original point that GVisor is a security improvement over default Docker. I understand there is more nuance; even when I wrote my original comment I understood (just like any other security feature) it can't be used in every scenario. I was being intentionally general, and in my second comment I was pretty specific about what it protects against: kernel vulnerabilities and privilege escalation.
I researched cgroups2 more and I still don't understand why you brought it up in the first place. Cgroups2 and gvisor provide very different security benefits. Cgroups help to keep a system available (lessening the risk of DoS attacks) by controlling access to some system resources (io, devices, cpu, memory) and grouping processes of a similar type. It seems rather optimized to solve resource control on a container host. I mentioned gvisor because it is mostly just a drop-in replacement container runtime which doesn't need setup to be used.
Now for a different container runtime which provides significantly more features (than gvisor) with fewer downsides (if configured correctly for a specific workload): Sydbox provides syd-oci, which is an application kernel runtime that uses a permission config file to create a sandbox, isolating using namespaces, seccomp, landlock, and more. It can sandbox in many different categories (oftentimes leveraging multiple features to provide a multilayer sandbox); you can see the categories in the syd manpage. The biggest downside is that you must really understand what your container application needs, otherwise it will prevent it from running. It is a “secure-by-default” sandbox which can be softened through config.
I’mma shrink the sun so I can steal it for my personal use xD
(Also no, vitamin D supplements do not work as well as sunlight)
Some dudes in the 1940’s were working on some Gadget that would do that.
They never managed to get a sustained reaction, but I hear some good work’s being done in China on that front…
Take vitamin d.
A domain name I was interested in expired in January this year. It was previously registered at Squarespace.com.
Why is it still unavailable to purchase despite being more than a month since its expiry?
Not sure if relevant but I checked the expiry date at: whatsmydns.net/domain-expiration
If it’s not a cooldown period as that other guy said, you may contact the scammer new owner, he will ask for a billion dollars and it’s up to you whether that domain was important enough. Consider finding a new one right now if you can.
Basically many domain providers will hold onto domains for a little while after it expires.
Some, like namecheap, also advertise the domain names to middleman companies that will somehow buy temporary access to the domain after your extortion recall window expires.
To continue the namecheap example, when your namecheap domain expires, it gives you a lapse window where you can pay like double the cost of the domain renewal to reclaim it. If you don’t reclaim it during that window they give it to a middleman who will somehow buy a 2 or 3 month domain lease for it. They will put it on a “site for sale” broker page and will charge you easily 100x what you paid for the domain if you wanted it back.
This is wild and a rather unfortunate situation… Ty for sharing.
This is great thank you for this since the next step on my journey is the ARR stack!
Best of luck, hit me up if you have any questions regarding it 😊
A blog post that chronicles what I’ve been up to this month: from attending FOSDEM in Brussels to creating an easy-to-follow self-hosting guide for newbies…
I recently configured forward auth with Authentik and Envoy Gateway and found the process troublesome enough to warrant a post. If you’ve been thinking about doing the same then maybe this post will save some time.
Here are some cool examples I was looking at:
https://github.com/zardoy/minecraft-web-client — Minecraft in your browser, complete with connections to servers.
https://github.com/inolen/quakejs — quake 3 in your browser, has multiplayer as well.
Any other good examples? Or good lists?
Probably also self-hosted.
Here is a link to self-hosting it: https://github.com/TeamHypersomnia/Hypersomnia/blob/master/README_SERVER.md#docker-setup