ContainersWorkspace/README.md

# Containers-Workspace
Various useful and useless Dockerfiles, often experimental and work in progress

## toolbox

Fedora based container wih preinstalled many usefull tools for various debug and problem searching purposes
run help-toolbox to show what can you do in there

Typical container run options that allows for host data access:
```bash
podman run --rm -it --privileged \
    --network host --pid host --ipc host --no-hosts --ulimit host \
    --userns host \
        --name toolbox toolbox
```

## cloud-toolbox

Sounds huge, but it is just set of tools for cloud-based stuff,
like openstack-cli, rclone, openshift cli, etc...

Also contains `fzf` and bash-completion. Mount your bash_history for
best experience.

```bash
podman run --rm -it \
    -v "$HOME/.bash_history:/root/.bash_history" \
    --security-opt label:disable \
        cloud-toolbox:latest
```

## gui-container

gui-container is an experiment for apps with GUI

how to run with default, permissive options:

```bash
podman run --privileged -it \
    -e XDG_RUNTIME_DIR=/runtime_dir \
    -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \
    -e DISPLAY="$DISPLAY" \
    -v /tmp/.X11-unix:/tmp/.X11-unix:rw \
    -v $HOME/.Xauthority:/root/.Xauthority:ro \
    -v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \
    --entrypoint bash \
    --name "gui_container" \
        gui-container:latest
```

Minimal(?)permissions example (for wayland)(you could also select single sockets from XDG_RUNTIME_DIR)
```bash
podman run -it --security-opt label:disable \
    -e XDG_RUNTIME_DIR=/runtime_dir\
    -e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \
    -v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \
    --entrypoint bash --name "gui_container" \
        gui-container:latest
```

starting dbus:

```bash
export $(dbus-launch)
```

allowing podman to connect to X display as "non-network local connections"

```bash
xhost +"local:podman@"
```

unsetting `WAYLAD_DISPLAY` or `DISPLAY` can force apps to use the other one

```bash
unset DISPLAY
# or
unset WAYLAD_DISPLAY
```

to mage Qt-based apps work:

```bash
export QT_QPA_PLATFORM=wayland
```

## rathole

Compiled from source [rathole](https://github.com/rapiz1/rathole) image.

## snowflake

Compiled from source [torproject snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake) image.

## Tor relay/bridge node

```bash
# prepare
cd tor/;
podman build -t tornode .;
chmod 777 ./data ./logs;

# run (network host for easy port bind on ipv6)
podman run -d --read-only --network host \
    -v "/home/user/torrc.conf:/torrc:rw,Z" \
    -v "/home/user/tor/logs:/var/log:Z,rw" \
    -v "/home/user/tor/data:/var/lib/tor:Z,rw" \
    --name tornode tornode:latest

# prepare systemd service for reboot persistence
podman generate systemd --new --name tornode > /etc/systemd/system/tornode.service;
restorecon -v /etc/systemd/system/tornode.service;
systemctl daemon-reload;
systemctl enable --now tornode.service;

# view nyx dashboard
podman exec -it tornode nyx
```

## Wireguard

Simple container that will setup wireguard interface according to
`/data/wg0.conf` and then replace process with pid 1 to `sleep infinity`.
MASQUERADE required for accessing external networks is done by nftables, so
it should work with nftables kernel modules, iptables-only modules can
be missing.

Before seting up the wg interface, entrypoint will execute files in
`/setup.d/` if any.

`PostUp` and `PostDown` in network interface config should look like this:

```bash
PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet nat postrouting oifname "eth*" masquerade
PostDown = nft delete table inet filter
```

Example run (requires root and privileged for nftables setup)

```bash
podman run --privileged --name wireguard -d \
    -v './config:/data:ro' \
    -v './setup:/setup.d:ro' \
    -wireguard:latest
```
Initial commit 2023-03-17 19:19:29 +00:00			`# Containers-Workspace`
			`Various useful and useless Dockerfiles, often experimental and work in progress`
add gui-container, rathole, snowflake 2023-03-18 18:14:16 +00:00
version upgrades, toolbox WIP 2023-04-23 18:20:41 +00:00			`## toolbox`

			`Fedora based container wih preinstalled many usefull tools for various debug and problem searching purposes`
			`run help-toolbox to show what can you do in there`

			`Typical container run options that allows for host data access:`
			```bash
			`podman run --rm -it --privileged \`
			`--network host --pid host --ipc host --no-hosts --ulimit host \`
			`--userns host \`
			`--name toolbox toolbox`
			```

Initial cloud-toolbox, add util-linux to toolbox 2023-07-18 17:19:10 +00:00			`## cloud-toolbox`

			`Sounds huge, but it is just set of tools for cloud-based stuff,`
			`like openstack-cli, rclone, openshift cli, etc...`

			Also contains `fzf` and bash-completion. Mount your bash_history for
			`best experience.`

			```bash
Fix selinux labeling for cloud-toolbox 2023-07-19 09:10:03 +00:00			`podman run --rm -it \`
			`-v "$HOME/.bash_history:/root/.bash_history" \`
			`--security-opt label:disable \`
			`cloud-toolbox:latest`
Initial cloud-toolbox, add util-linux to toolbox 2023-07-18 17:19:10 +00:00			```
version upgrades, toolbox WIP 2023-04-23 18:20:41 +00:00
add gui-container, rathole, snowflake 2023-03-18 18:14:16 +00:00			`## gui-container`

			`gui-container is an experiment for apps with GUI`

			`how to run with default, permissive options:`

			```bash
			`podman run --privileged -it \`
			`-e XDG_RUNTIME_DIR=/runtime_dir \`
			`-e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \`
			`-e DISPLAY="$DISPLAY" \`
			`-v /tmp/.X11-unix:/tmp/.X11-unix:rw \`
			`-v $HOME/.Xauthority:/root/.Xauthority:ro \`
			`-v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \`
			`--entrypoint bash \`
			`--name "gui_container" \`
			`gui-container:latest`
			```

Update README.md with minimal gui-container command 2023-07-22 19:11:50 +00:00			`Minimal(?)permissions example (for wayland)(you could also select single sockets from XDG_RUNTIME_DIR)`
			```bash
			`podman run -it --security-opt label:disable \`
			`-e XDG_RUNTIME_DIR=/runtime_dir\`
			`-e WAYLAND_DISPLAY="$WAYLAND_DISPLAY" \`
			`-v "$XDG_RUNTIME_DIR:/runtime_dir:rw" \`
			`--entrypoint bash --name "gui_container" \`
			`gui-container:latest`
			```

add gui-container, rathole, snowflake 2023-03-18 18:14:16 +00:00			`starting dbus:`

			```bash
			`export $(dbus-launch)`
			```

Add instruction for X connections from gui container 2023-07-25 16:46:52 +00:00			`allowing podman to connect to X display as "non-network local connections"`

			```bash
			`xhost +"local:podman@"`
			```

add gui-container, rathole, snowflake 2023-03-18 18:14:16 +00:00			unsetting `WAYLAD_DISPLAY` or `DISPLAY` can force apps to use the other one

			```bash
			`unset DISPLAY`
			`# or`
			`unset WAYLAD_DISPLAY`
			```

			`to mage Qt-based apps work:`

			```bash
			`export QT_QPA_PLATFORM=wayland`
			```

			`## rathole`

			`Compiled from source [rathole](https://github.com/rapiz1/rathole) image.`

			`## snowflake`

			`Compiled from source [torproject snowflake](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake) image.`
add tor relay/bridge 2023-03-26 15:16:56 +00:00
			`## Tor relay/bridge node`

			```bash
			`# prepare`
			`cd tor/;`
			`podman build -t tornode .;`
			`chmod 777 ./data ./logs;`

tor config updates 2023-03-26 18:02:57 +00:00			`# run (network host for easy port bind on ipv6)`
			`podman run -d --read-only --network host \`
add tor relay/bridge 2023-03-26 15:16:56 +00:00			`-v "/home/user/torrc.conf:/torrc:rw,Z" \`
			`-v "/home/user/tor/logs:/var/log:Z,rw" \`
			`-v "/home/user/tor/data:/var/lib/tor:Z,rw" \`
tor config updates 2023-03-26 18:02:57 +00:00			`--name tornode tornode:latest`
add tor relay/bridge 2023-03-26 15:16:56 +00:00
			`# prepare systemd service for reboot persistence`
			`podman generate systemd --new --name tornode > /etc/systemd/system/tornode.service;`
			`restorecon -v /etc/systemd/system/tornode.service;`
			`systemctl daemon-reload;`
			`systemctl enable --now tornode.service;`

			`# view nyx dashboard`
			`podman exec -it tornode nyx`
			```
Wireguard initial setup 2023-08-01 14:28:44 +00:00
			`## Wireguard`

			`Simple container that will setup wireguard interface according to`
			`/data/wg0.conf` and then replace process with pid 1 to `sleep infinity`.
			`MASQUERADE required for accessing external networks is done by nftables, so`
			`it should work with nftables kernel modules, iptables-only modules can`
			`be missing.`

Wireguard: add setup scripts directory 2023-08-01 15:01:01 +00:00			`Before seting up the wg interface, entrypoint will execute files in`
			`/setup.d/` if any.

			`PostUp` and `PostDown` in network interface config should look like this:

			```bash
			`PostUp = nft add table inet filter; nft add chain inet filter forward { type filter hook forward priority 0 \; }; nft add rule inet filter forward iifname "%i" accept; nft add rule inet filter forward oifname "%i" accept; nft add table inet nat; nft add chain inet nat postrouting { type nat hook postrouting priority 100 \; }; nft add rule inet nat postrouting oifname "eth*" masquerade`
			`PostDown = nft delete table inet filter`
			```

Wireguard initial setup 2023-08-01 14:28:44 +00:00			`Example run (requires root and privileged for nftables setup)`

			```bash
Wireguard: add setup scripts directory 2023-08-01 15:01:01 +00:00			`podman run --privileged --name wireguard -d \`
			`-v './config:/data:ro' \`
			`-v './setup:/setup.d:ro' \`
			`-wireguard:latest`
Wireguard initial setup 2023-08-01 14:28:44 +00:00			```