[{"content":"Ubuntu on Snapdragon X devices has been a long way coming. Getting it working on my Dell Inspiron 14 Plus (7441) was a fairly easy task. Thanks to improvements like Stubble, Secure Boot works as well. Here are the basics on getting Ubuntu 26.04 installed. Be sure to read through the whole guide before proceeding.\nBefore Installation Before installing Ubuntu, you\u0026rsquo;ll need to perform a couple tasks within Windows.\nUsing Disk Management shrink your Windows partition to make room for Ubuntu Create a tar file of C:\\Windows\\system32\\DriverStore\\FileRepository and transfer to a USB stick or network share. From Ubuntu, you\u0026rsquo;ll extract the firmware needed for Video, Audio, etc. Make sure you have a copy of your Bitlocker Recovery Key handy. You may be prompted for it the first couple times you boot back into Windows. Installation Insert the USB stick containing the installer image Spam F12, until you get a boot menu option. Pick the USB stick. Go through the setup wizard. Don\u0026rsquo;t wipe the disk. Once the install has finished, boot into Ubuntu. Transfer the tar of FileRepository to your system. Then, extract it. Install the firmware tool, sudo apt install qcom-firmware-extract Extract the firmware, sudo qcom-firmware-extract -d /full/path/to/FileRepository Reboot. Once the system comes back up, the following should be working:\nBattery indicator Fan shouldn\u0026rsquo;t be screaming Sound Webcam Graphics should perform better Issues GRUB generates a lockdown error for devicetree. This is a non-issue, other than a need to hit the Enter key. The Resources app shows the wrong number of CPU cores /proc/cpuinfo shows a bogus value for BogoMIPS Hibernate doesn\u0026rsquo;t work. ","permalink":"https://publicmx.com/posts/2026-06-13-ubuntu-2604-dell-inspiron-14-plus-7441/","summary":"\u003cp\u003eUbuntu on Snapdragon X devices has been a long way coming. Getting it working on my Dell Inspiron 14 Plus (7441) was a fairly easy task. 
Thanks to improvements like \u003cstrong\u003eStubble\u003c/strong\u003e, Secure Boot works as well. Here are the basics on getting Ubuntu 26.04 installed. Be sure to read through the whole guide before proceeding.\u003c/p\u003e\n\u003ch2 id=\"before-installation\"\u003eBefore Installation\u003c/h2\u003e\n\u003cp\u003eBefore installing Ubuntu, you\u0026rsquo;ll need to perform a couple tasks within Windows.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eUsing \u003cstrong\u003eDisk Management\u003c/strong\u003e shrink your Windows partition to make room for Ubuntu\u003c/li\u003e\n\u003cli\u003eCreate a tar file of \u003ccode\u003eC:\\Windows\\system32\\DriverStore\\FileRepository\u003c/code\u003e and transfer to a USB stick or network share. From Ubuntu, you\u0026rsquo;ll extract the firmware needed for Video, Audio, etc.\u003c/li\u003e\n\u003cli\u003eMake sure you have a copy of your Bitlocker Recovery Key handy. You may be prompted for it the first couple times you boot back into Windows.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch2 id=\"installation\"\u003eInstallation\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eInsert the USB stick containing the installer image\u003c/li\u003e\n\u003cli\u003eSpam F12, until you get a boot menu option. Pick the USB stick.\u003c/li\u003e\n\u003cli\u003eGo through the setup wizard. Don\u0026rsquo;t wipe the disk.\u003c/li\u003e\n\u003cli\u003eOnce the install has finished, boot into Ubuntu.\u003c/li\u003e\n\u003cli\u003eTransfer the tar of FileRepository to your system. 
Then, extract it.\u003c/li\u003e\n\u003cli\u003eInstall the firmware tool, \u003ccode\u003esudo apt install qcom-firmware-extract\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eExtract the firmware, \u003ccode\u003esudo qcom-firmware-extract -d /full/path/to/FileRepository\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eReboot.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp\u003eOnce the system comes back up, the following should be working:\u003c/p\u003e","title":"Ubuntu 26.04 on Dell Inspiron 14 Plus 7441 (Snapdragon)"},{"content":"This guide assumes you want to install Ubuntu 24.04, the server has a pair of NVME disks, and is set to boot using legacy mode. We also assume that the system has already been booted into the rescue system.\nWipe Disks Assuming the disks are NVME. We\u0026rsquo;ll wipe the partition information from them, before proceeding.\nwipefs -fa /dev/nvme*n1 Install Ubuntu using installimage Hetzner provides an operating system installation tool, installimage. We\u0026rsquo;ll use this to partition, install the OS, and perform network configuration. The install configuration should look like the following:\n# # Hetzner Online GmbH - installimage # # This file contains the configuration used to install this # system via installimage script. Comments have been removed. # # More information about the installimage script and # automatic installations can be found in our wiki: # # https://docs.hetzner.com/robot/dedicated-server/operating-systems/installimage/ # DRIVE1 /dev/nvme0n1 SWRAID 0 SWRAIDLEVEL 1 HOSTNAME fsn01 USE_KERNEL_MODE_SETTING no PART btrfs.1 btrfs all SUBVOL btrfs.1 @ / SUBVOL btrfs.1 @home /home IMAGE /root/.oldroot/nfs/install/../images/Ubuntu-2404-noble-amd64-base.tar.gz Add second disk The installimage process doesn\u0026rsquo;t support multiple disk btrfs configurations. 
So, we have to manually add the second disk, and install the bootloader.\nCopy partition tables Assuming both disks are identical, we can simply copy the partition configuration from the first disk to the second.\nsfdisk -d /dev/nvme0n1 | sfdisk --force /dev/nvme1n1 Mount to /mnt mount /dev/nvme0n1p1 /mnt Add nvme1n1p1 This will add the second disk to the file system. We need to use the force flag, so btrfs will ignore any file system signatures it finds.\nbtrfs device add -f /dev/nvme1n1p1 /mnt Convert to RAID1 (balance) Currently all data and metadata is stored on the initial disk. The balance process will duplicate everything across both disks, and configure the file system to do this for any future data.\nbtrfs balance start -dconvert=raid1 -mconvert=raid1 /mnt Reboot into new system reboot Install GRUB to both disks The installer only puts the boot loader on the first disk. Installing the boot loader on to both disks will enable the system to boot, should either disk fail.\nupdate-grub grub-install /dev/nvme0n1 grub-install /dev/nvme1n1 Install Hardware Enablement Stack With btrfs constantly evolving, it\u0026rsquo;s best to be using the latest supported kernels.\napt install --install-recommends linux-generic-hwe-24.04 Install btrfsmaintenance Ubuntu offers a package that performs automatic scrubs and other maintenance tasks. We\u0026rsquo;ll configure it to perform automatic scrubs.\napt install btrfsmaintenance systemctl enable btrfs-scrub.timer References Installimage Using The btrfs Filesystem (With RAID1) With Ubuntu 12.10 On A Hetzner Server Ubuntu - btrfs hetzner dedicated server with btrfs ","permalink":"https://publicmx.com/posts/2026-02-07-btrfs-on-hetzner-dedicated-server/","summary":"\u003cp\u003eThis guide assumes you want to install Ubuntu 24.04, the server has a pair of NVME disks, and is set to boot using legacy mode. 
We also assume that the system has already been booted into the rescue system.\u003c/p\u003e\n\u003ch1 id=\"wipe-disks\"\u003eWipe Disks\u003c/h1\u003e\n\u003cp\u003eAssuming the disks are NVME. We\u0026rsquo;ll wipe the partition information from them, before proceeding.\u003c/p\u003e\n\u003cdiv class=\"highlight\"\u003e\u003cpre tabindex=\"0\" style=\"color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;\"\u003e\u003ccode class=\"language-bash\" data-lang=\"bash\"\u003e\u003cspan style=\"display:flex;\"\u003e\u003cspan\u003ewipefs -fa /dev/nvme*n1\n\u003c/span\u003e\u003c/span\u003e\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\u003ch1 id=\"install-ubuntu-using-installimage\"\u003eInstall Ubuntu using \u003ccode\u003einstallimage\u003c/code\u003e\u003c/h1\u003e\n\u003cp\u003eHetzner provides an operating system installation tool, \u003ccode\u003einstallimage\u003c/code\u003e. We\u0026rsquo;ll use this to partition, install the OS, and perform network configuration. The install configuration should look like the following:\u003c/p\u003e","title":"Btrfs on a Hetzner Dedicated Server"},{"content":"While Claude Code is designed to be used with Anthropic\u0026rsquo;s service, you can in fact use it with third-party services, and even local models. To get started using it with a local model, you\u0026rsquo;ll need a few things (I\u0026rsquo;m assuming you\u0026rsquo;re using a Linux system):\nDocker NVIDIA Container Toolkit (If using some other GPU, you\u0026rsquo;ll need to adapt the Docker compose file) VS Code with Claude Code extension And, of course, a local model Personally, I like to use Docker to containerize my models. Using a container, you can easily try out different runtimes, proxies, etc. For this, I\u0026rsquo;m using Docker to run gpt-oss-120b under llama.cpp. 
In order to adapt the API of llama.cpp to what Claude Code expects, we\u0026rsquo;re using LiteLLM.\nCreate a directory to store your Docker compose file, LiteLLM config, etc. mkdir local-claude-code Create the LiteLLM config, call it litellm_config.yaml model_list: - model_name: \u0026#34;anthropic/*\u0026#34; litellm_params: model: \u0026#34;openai/gpt-oss-120b-mxfp4-00001-of-00003.gguf\u0026#34; api_base: \u0026#34;http://llamacpp:8080/v1\u0026#34; api_key: \u0026#34;llamacpp\u0026#34; max_tokens: 32768 temperature: 1.0 top_k: 0 top_p: 1.0 min_p: 0.01 Create your Docker compose file. You\u0026rsquo;ll need to adjust the parameters to fit your computer\u0026rsquo;s capabilities. Name the file docker-compose.yaml services: llamacpp: image: ghcr.io/ggml-org/llama.cpp:full-cuda container_name: llamacpp command: - \u0026#39;--server\u0026#39; environment: - LLAMA_ARG_HOST=0.0.0.0 - LLAMA_ARG_MODEL=/models/gpt-oss-120b-mxfp4-00001-of-00003.gguf - LLAMA_ARG_N_CPU_MOE=32 - LLAMA_ARG_CTX_SIZE=32768 - LLAMA_ARG_JINJA=1 ports: - \u0026#34;8080:8080\u0026#34; volumes: - /opt/models:/models deploy: resources: reservations: devices: - driver: nvidia count: all capabilities: [gpu] litellm: image: docker.litellm.ai/berriai/litellm:main-latest container_name: litellm command: - \u0026#39;--config=/app/config.yaml\u0026#39; ports: - \u0026#34;4000:4000\u0026#34; volumes: - ./litellm_config.yaml:/app/config.yaml To make it easy to change model settings in Claude Code, I like to use a script to set the environment variables, and start it up. Name it what you want, I use code.sh #!/usr/bin/bash export ANTHROPIC_BASE_URL=\u0026#34;http://127.0.0.1:4000\u0026#34; export ANTHROPIC_AUTH_TOKEN=\u0026#34;llamacpp\u0026#34; code Once everything is set up, you can use docker compose up -d to start the containers. Once everything is running, use code.sh to launch VS Code. 
","permalink":"https://publicmx.com/posts/2026-02-02-using-claude-code-with-local-models/","summary":"\u003cp\u003eWhile \u003ca href=\"https://marketplace.visualstudio.com/items?itemName=anthropic.claude-code\"\u003eClaude Code\u003c/a\u003e is designed to be used with \u003ca href=\"https://www.anthropic.com/\"\u003eAnthropic\u0026rsquo;s\u003c/a\u003e service. You can in fact use it with third-party services, and even local models. To get started using it with a local model, you\u0026rsquo;ll need a few things (I\u0026rsquo;m assuming you\u0026rsquo;re using a Linux systems):\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\u003ca href=\"https://www.docker.com/\"\u003eDocker\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/index.html\"\u003eNVIDIA Container Toolkit\u003c/a\u003e (If using some other GPU, you\u0026rsquo;ll need to adapte the Docker compose file)\u003c/li\u003e\n\u003cli\u003eVS Code with Claude Code extension\u003c/li\u003e\n\u003cli\u003eAnd, of course, a local model\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003ePersonally, I like to use Docker to containerize my models. Using a container, you can easily try out different runtimes, proxies, etc. For this, I\u0026rsquo;m using Docker to run gpt-oss-120b under \u003ca href=\"https://github.com/ggml-org/llama.cpp\"\u003ellama.cpp\u003c/a\u003e. In order to adapt the API of llama.cpp to what Claude Code expects, we\u0026rsquo;re using \u003ca href=\"https://docs.litellm.ai/docs/\"\u003eLiteLLM\u003c/a\u003e.\u003c/p\u003e","title":"Using Claude Code With Local Models"},{"content":"When I moved to self-hosting everything, my production and development environments were merged. My on-prem hosting capacity is limited, and even more so now that component pricing has gone insane. I have opted to migrate my production services that aren\u0026rsquo;t located behind a VPN to a dedicated server with Hetzner. 
This has also given me an opportunity to play with new configurations like security options and file systems. For example, I have gone with btrfs in a RAID1 configuration. Over time, I plan to share more about how that deployment was done, and any lessons learned afterward.\n","permalink":"https://publicmx.com/posts/2026-01-24-splitting-production-from-dev/","summary":"\u003cp\u003eWhen I moved to self-hosting everything, my production and development environments were merged. My on-prem hosting capacity is limited, and even more so now that component pricing has gone insane. I have opted to migrate my production services that aren\u0026rsquo;t located behind a VPN to a dedicated server with \u003ca href=\"https://www.hetzner.com/\"\u003eHetzner\u003c/a\u003e. This has also given me an opportunity to play with new configurations like security options and file systems. For example, I have gone with \u003ca href=\"https://docs.kernel.org/filesystems/btrfs.html\"\u003ebtrfs\u003c/a\u003e in a RAID1 configuration. Over time, I plan to share more about how that deployment was done, and any lessons learned afterward.\u003c/p\u003e","title":"Splitting Production From Dev"},{"content":"For a long time, I have relied on VPS or VM hosting services to host my sites and applications. While that could be considered self hosting, as I managed the VPS myself, it\u0026rsquo;s not fully self hosting. Recently, I picked up a mini PC, with an Intel N150 CPU. Installed Proxmox, created VMs, etc. Just like before, I\u0026rsquo;m still using Ansible for system configuration. To handle the multiple web applications, and a desire to avoid custom ports, I am using Cloudflare\u0026rsquo;s tunnel service. This makes it easy to map hostnames to my services, avoid the need for dynamic DNS, and no need for port forwarding. 
As for what the future holds, perhaps I will move the blog to Cloudflare\u0026rsquo;s Workers at some point (they appear to be deprecating their much simpler Pages service).\n","permalink":"https://publicmx.com/posts/2025-08-10-back-to-self-hosting/","summary":"\u003cp\u003eFor a long time, I have relied on VPS or VM hosting services to host my sites and applications. While that could be considered self hosting, as I managed the VPS myself, it\u0026rsquo;s not fully self hosting. Recently, I picked up a mini PC, with an Intel N150 CPU. Installed Proxmox, created VMs, etc. Just like before, I\u0026rsquo;m still using Ansible for system configuration. To handle the multiple web applications, and a desire to avoid custom ports, I am using Cloudflare\u0026rsquo;s tunnel service. This makes it easy to map hostnames to my services, avoid the need for dynamic DNS, and no need for port forwarding. As for what the future holds, perhaps I will move the blog to Cloudflare\u0026rsquo;s Workers at some point (they appear to be deprecating their much simpler Pages service).\u003c/p\u003e","title":"Back to Self Hosting"},{"content":"Until recently, I have been hosting my blog and other services on ColoCrossing. Unfortunately, their VPS service has been hacked. They are claiming that services were taken offline to prevent further issues, however, others have posted screenshots from the hackers indicating they may have deleted some customer data.\nSo, in the interest of getting things back online, I opted to move everything to a new host. It\u0026rsquo;s a bit more expensive than what I was paying (I had been on a holiday special plan), but the performance is much better.\n","permalink":"https://publicmx.com/posts/2025-05-25-moved-to-a-new-host/","summary":"\u003cp\u003eUntil recently, I have been hosting my blog and other services on ColoCrossing. 
Unfortunately, their VPS service has \u003ca href=\"https://lowendtalk.com/discussion/205968/colocrossing-database-breach\"\u003ebeen hacked\u003c/a\u003e. They are claiming that services were taken offline to prevent further issues, however, others have posted screenshots from the hackers indicating they may have deleted some customer data.\u003c/p\u003e\n\u003cp\u003eSo, in the interest of getting things back online, I opted to move everything to a new host. It\u0026rsquo;s a bit more expensive than what I was paying (I had been on a holiday special plan), but the performance is much better.\u003c/p\u003e","title":"Moved to a New Host"},{"content":"The shop is coming along. Installed heat some weeks back, just a simple 18K BTU diesel fuel heater. It\u0026rsquo;s not perfect, but it does take the chill off. More recently, set up an old computer to make it easier to look up documentation, part specs, etc. I had been using my laptop on occasion, but didn\u0026rsquo;t want to get greasy fingerprints on it.\nAs for the roadster project, it\u0026rsquo;s going slowly, but it is moving along. The suspension, brakes, and steering are assembled. Though, some need to be set to final torque. Currently working on pedals and steering column. Then back to sheet metal work. Should be ordering tires and remaining engine parts soon, though I do have an oil pan on the way.\n","permalink":"https://publicmx.com/posts/2024-01-06-shop-and-roadster-update/","summary":"\u003cp\u003eThe shop is coming along. Installed heat some weeks back, just a simple 18K BTU diesel fuel heater. It\u0026rsquo;s not perfect, but it does take the chill off. More recently, set up an old computer to make it easier to look up documentation, part specs, etc. I had been using my laptop on occasion, but didn\u0026rsquo;t want to get greasy fingerprints on it.\u003c/p\u003e\n\u003cp\u003eAs for the roadster project, it\u0026rsquo;s going slowly, but it is moving along. 
The suspension, brakes, and steering are assembled. Though, some need to be set to final torque. Currently working on pedals and steering column. Then back to sheet metal work. Should be ordering tires and remaining engine parts soon, though I do have an oil pan on the way.\u003c/p\u003e","title":"Shop and Roadster Update"},{"content":"Along with the switch back to CF Pages, I am making the switch to using Front Matter for content management. Hopefully the switch will make things easier, and improve the rate at which I post stuff.\n","permalink":"https://publicmx.com/posts/2023-11-23-front-matter-cms/","summary":"\u003cp\u003eAlong with the switch back to CF Pages, I am making the switch to using Front Matter for content management. Hopefully the switch will make things easier, and improve the rate at which I post stuff.\u003c/p\u003e","title":"Front Matter CMS"},{"content":"It\u0026rsquo;s true! The new garage is almost finished. It\u0026rsquo;s taken over a year to get to this point. The main delay was permitting related, both on the city side and the contractor side. The initial design proposal didn\u0026rsquo;t meet code requirements, and some negotiating was required. From there, we had delays due to employees being out sick (understandable), and general site plan issues. Once those were sorted, the project picked up speed. Now, we\u0026rsquo;re simply waiting on the door and gutters to be installed. That, and I\u0026rsquo;ve got to finish painting. But, that\u0026rsquo;s a relatively quick task with a sprayer.\n","permalink":"https://publicmx.com/posts/2022-11-11-new-garage-is-almost-done/","summary":"\u003cp\u003eIt\u0026rsquo;s true! The new garage is almost finished. It\u0026rsquo;s taken over a year to get to this point. The main delay was permitting related, both on the city side and the contractor side. The initial design proposal didn\u0026rsquo;t meet code requirements, and some negotiating was required. 
From there, we had delays due to employees being out sick (understandable), and general site plan issues. Once those were sorted, the project picked up speed. Now, we\u0026rsquo;re simply waiting on the door and gutters to be installed. That, and I\u0026rsquo;ve got to finish painting. But, that\u0026rsquo;s a relatively quick task with a sprayer.\u003c/p\u003e","title":"New Garage Is Almost Done"},{"content":"It wasn\u0026rsquo;t long ago that I moved my blog to IPFS. However, we\u0026rsquo;re back to a traditional setup. The change wasn\u0026rsquo;t due to some issue with IPFS, pinning service, etc. It was simply a change of requirements. I had a need for a VM to run some server-side logic for another project, so I chose to roll everything into one system. Here\u0026rsquo;s what my current setup is:\nRegistrar / DNS: Cloudflare VM Hosting: OVHcloud Email: Mailbox.org On the VM side of things, I\u0026rsquo;m running:\nUbuntu 20.04 Caddy (been meaning to try this) Shiny Server (been meaning to play with this for some time) As for VM specs, nothing fancy. Just 2 vCPU, 4GB RAM, and 80GB disk.\n","permalink":"https://publicmx.com/posts/2021-05-06-hosting-infrastructure-change/","summary":"\u003cp\u003eIt wasn\u0026rsquo;t long ago that I moved my blog to IPFS. However, we\u0026rsquo;re back to a traditional setup. The change wasn\u0026rsquo;t due to some issue with IPFS, pinning service, etc. It was simply a change of requirements. I had a need for a VM to run some server-side logic for another project, so I chose to roll everything into one system. 
Here\u0026rsquo;s what my current setup is:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eRegistrar / DNS: Cloudflare\u003c/li\u003e\n\u003cli\u003eVM Hosting: OVHcloud\u003c/li\u003e\n\u003cli\u003eEmail: Mailbox.org\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOn the VM side of things, I\u0026rsquo;m running:\u003c/p\u003e","title":"Hosting Infrastructure Change"},{"content":"I recently moved my blog from a normal web host, to being hosted via IPFS. IPFS is the decentralized web, essentially the web equivalent to Bittorrent. And, thanks to the power of HTTP to IPFS gateways, users without IPFS capable devices or software can still access content hosted on the distributed web. With IPFS, content can be hosted from anywhere, even your home computer. However, you can also choose to use commercial pinning services to keep your content online and distributed at all times. For my blog, I chose to use Pinata to host the content, and took advantage of Cloudflare\u0026rsquo;s IPFS gateway to enable normal browsers to access the site.\nIf you want to start accessing the distributed web, you\u0026rsquo;ll need a couple things:\nIPFS Desktop IPFS Companion This combination will enable you to share content via the distributed web, and easily access content directly from your browser. If the Companion extension detects that a site is reachable via IPFS, it\u0026rsquo;ll automatically redirect you to the IPFS version.\n","permalink":"https://publicmx.com/posts/2021-02-14-hosted-on-ipfs/","summary":"\u003cp\u003eI recently moved my blog from a normal web host, to being hosted via \u003ca href=\"https://ipfs.io/\"\u003eIPFS\u003c/a\u003e. IPFS is the decentralized web, essentially the web equivalent to Bittorrent. And, thanks to the power of HTTP to IPFS gateways, users without IPFS capable devices or software can still access content hosted on the distributed web. With IPFS, content can be hosted from anywhere, even your home computer. 
However, you can also choose to use commercial pinning services to keep your content online and distributed at all times. For my blog, I chose to use \u003ca href=\"https://pinata.cloud/\"\u003ePinata\u003c/a\u003e to host the content, and took advantage of \u003ca href=\"https://cloudflare-ipfs.com/\"\u003eCloudflare\u0026rsquo;s IPFS gateway\u003c/a\u003e to enable normal browsers to access the site.\u003c/p\u003e","title":"Hosted on IPFS"},{"content":"SystemD is loved by some, hated by others. It offers a wide range of features, beyond that of a simple init system. And, today I want to talk about service sandboxing. Now, I know what you\u0026rsquo;re going to say, why not use containers. Containers aren\u0026rsquo;t always an option, such as trying to improve security in an existing application deployment. With SystemD, sandboxing is a relatively simple process, just a simple text file defining what capabilities, system calls, and file system paths the service can write to. You can even go further, and run the service under a dynamically generated user account.\nBelow is an example of a sandbox configuration for Apache on Ubuntu 18.04. You\u0026rsquo;ll notice several entries under SystemCallFilter. If you are running a newer distro, check your systemd man pages. It may offer more system call groups, making this configuration a bit simpler.\n[Service] CapabilityBoundingSet=~CAP_SYS_ADMIN ProtectSystem=strict ProtectHome=yes ReadWritePaths=/run /var/log /var/www /var/cache /tmp /var/tmp PrivateDevices=yes ProtectClock=yes ProtectKernelTunables=yes ProtectKernelModules=yes ProtectKernelLogs=yes ProtectControlGroups=yes LockPersonality=yes SystemCallFilter=~@clock @cpu-emulation @debug @obsolete @module @mount @raw-io @reboot @swap SystemCallErrorNumber=EPERM How do we go from sandbox config, to actual sandboxed service? Easy, just drop the config file into /etc/systemd/system/SOMESERVICE.service.d/sandbox.conf. 
You could use a different file name, but that seems most logical. Then, just use systemctl to reload, and then restart the service.\nDisclaimer: The above is not the most secure configuration you could use. Or, it may be too secure for your environment. Adjust as needed.\n","permalink":"https://publicmx.com/posts/2021-02-14-systemd-service-sandboxing/","summary":"\u003cp\u003eSystemD is loved by some, hated by others. It offers a wide range of features, beyond that of a simple init system. And, today I want to talk about service sandboxing. Now, I know what you\u0026rsquo;re going to say, why not use containers. Containers aren\u0026rsquo;t always an option, such as trying to improve security in an existing application deployment. With SystemD, sandboxing is a relatively simple process, just a simple text file defining what capabilities, system calls, and file system paths the service can write to. You can even go further, and run the service under a dynamically generated user account.\u003c/p\u003e","title":"SystemD Service Sandboxing"},{"content":"Over the past 6 months, I\u0026rsquo;ve been reading C.J. Cherryh\u0026rsquo;s Foreigner series of books. In other words, I read through all 21 books, and look forward to the next one.\nQuick run down on the series\u0026hellip;.\nA human colony ship has a navigational error, and ends up losing track of where home is. Colonists after some disagreement with their administration, descend upon an inhabited alien world. Not surprisingly, war breaks out, and the humans lose the war. A treaty is signed, granting humans safe haven on the planet, in exchange for the transfer of their knowledge and technology. The natives create an office to be occupied by a single human, whose role is the translation and negotiation of technology transfer. After 200 years, that role is assigned to Bren Cameron.\nThat\u0026rsquo;s the back story. 
The series itself largely follows the life of Bren Cameron, whose role evolves from simply handling technology transfer. His life, and ultimately the lives of everyone else on the planet are turned upside down, by the return of the colony ship, encounters with another alien race, etc.\nIMO, it\u0026rsquo;s a great series. It has everything from politics, complex relationships, to open conflict.\n","permalink":"https://publicmx.com/posts/2021-01-30-foreigner-series/","summary":"\u003cp\u003eOver the past 6 months, I\u0026rsquo;ve been reading C.J. Cherryh\u0026rsquo;s Foreigner series of books. In other words, I read through all 21 books, and look forward to the next one.\u003c/p\u003e\n\u003cp\u003eQuick run down on the series\u0026hellip;.\u003c/p\u003e\n\u003cp\u003eA human colony ship has a navigational error, and ends up losing track of where home is. Colonists after some disagreement with their administration, descend upon an inhabited alien world. Not surprisingly, war breaks out, and the humans lose the war. A treaty is signed, granting humans safe haven on the planet, in exchange for the transfer of their knowledge and technology. The natives create an office to be occupied by a single human, whose role is the translation and negotiation of technology transfer. After 200 years, that role is assigned to Bren Cameron.\u003c/p\u003e","title":"Foreigner Series"},{"content":"It\u0026rsquo;s been a year since I made the switch. I mean, switching from a metric adventure bike to a Harley-Davidson. It\u0026rsquo;s quite the switch, so how did I get here?\nFor several years I owned a Suzuki V-Strom 650. I rode the bike all over the place, visiting several states, and even Canada. I rode from sunny coastlines, to snowy mountain passes. But, after several years, I felt the need for more power, and a bit of change. 
For one thing, I wanted something a bit lower to the ground, a bit more relaxing for those times stuck in traffic.\nShopping for a new bike, is a bit like shopping for a car. There are a ton of choices, all with their own pros and cons. I visited several dealers, and looked at bikes from BMW, Honda, Ducati, etc. Some bikes, you can tell right away, it\u0026rsquo;s just not going to be comfortable. Others, you\u0026rsquo;ve got to feel them out. It\u0026rsquo;s more than just the seat, overall position of all the controls will impact rider comfort.\nAfter all that, I found myself wanting to try out a Harley-Davidson Low Rider. This is a bike with a low seat height, mid mounted controls, and a bit of old school style. Admittedly, at first I wasn\u0026rsquo;t 100% comfortable. The bike needed a bit more meat in the seat, and a windshield for those long rides. Since I was planning to ditch the saddle bags approach to luggage, I added a luggage rack. Finally, I rounded things out with a mustache bar to give some leg stretching room, and a bit of protection for the bike, should I manage to drop it.\nDuring this past year, the bike has done great. As with all the previous bikes I\u0026rsquo;ve owned, I did all my own maintenance. Big twin Harleys are a bit different than most bikes, since they have separate primary, transmission, and engine lubrication. But, it\u0026rsquo;s only a bit more work, since the primary and transmission oil are changed infrequently. From a riding standpoint, I\u0026rsquo;m pretty pleased. The limited suspension travel does mean a bit more road feel, but it\u0026rsquo;s not harsh like some older cruiser style bikes. And, being an air cooled twin, it does get a bit warm on hot days. But, the oil cooler seems to do the job, and the engine hasn\u0026rsquo;t had to turn off the rear cylinder when stuck at a stop.\nDue to the current pandemic, I haven\u0026rsquo;t been able to do a multi-state motorcycle trip this year. 
However, I\u0026rsquo;m hoping to do one next year, and visit some places I\u0026rsquo;ve never been. Perhaps ride across BC, drop back down into the Dakotas, and go from there.\n","permalink":"https://publicmx.com/posts/2020-09-07-riding-a-hog/","summary":"\u003cp\u003eIt\u0026rsquo;s been a year since I made the switch. I mean, switching from a metric adventure bike to a Harley-Davidson. It\u0026rsquo;s quite the switch, so how did I get here?\u003c/p\u003e\n\u003cp\u003eFor several years I owned a Suzuki V-Strom 650. I rode the bike all over the place, visiting several states, and even Canada. I rode from sunny coastlines, to snowy mountain passes. But, after several years, I felt the need for more power, and a bit of change. For one thing, I wanted something a bit lower to the ground, a bit more relaxing for those times stuck in traffic.\u003c/p\u003e","title":"Riding a Hog"},{"content":"There are many ways to enjoy classic console and computer video games. For most, that is done with software emulation, or in some cases, vintage hardware. A somewhat recent trend is the use of FPGA to build a kind of hardware implementation of those classic systems. If it isn\u0026rsquo;t obvious from the title, this post is about the MiSTer project.\nSo, what is MiSTer? It\u0026rsquo;s an open source FPGA implementation of several classic computer, console, and arcade systems. It\u0026rsquo;s built around a commercially available FPGA development board, with open source hardware addons for things like analog controllers, USB, audio, etc.\nI recently put together a MiSTer system, and found myself enjoying several games for classic consoles like SNES, and TurboGrafx-16. And, in proper retro gaming fashion, I had to play them on a CRT, for that old school scanline look. There are several ways to go about building a MiSTer, depending on your desires. I wasn\u0026rsquo;t interested in using original controllers, nor did I need digital audio output. 
So, here\u0026rsquo;s what I selected for mine:\nTerasic DE10-Nano (the core component) 128MB SDRAM USB Hub HDMI to VGA with Audio Fan Plate with PCB bottom plate Retro-Bit Saturn Controller (USB) Samsung 64GB microSD Card The above components were purchased from several vendors, including MiSTer Addons, Gator Cable, Best Buy, and Amazon.\nOn the display and audio front, I went somewhat old school. Purchased a used Dell P991 19\u0026quot; CRT off Craigslist. It\u0026rsquo;s a beautiful display, after all it\u0026rsquo;s just a rebranded Sony Trinitron. And, for audio I\u0026rsquo;m a headphones kind of guy, so I used my trusty Audio Technica ATH-M50, along with a FX-Audio PH-A1 headphone amplifier that I purchased from Parts Express.\nDuring the build, I learned a few lessons. Not all HDMI to VGA adapters are created equal. I purchased several models from different vendors, many of which either didn\u0026rsquo;t work, or worked intermittently. I suspect due to the high demand from people working at home, that quality control on display adapters has dropped. That said, the Gator Cable adapter works great, although it doesn\u0026rsquo;t support MiSTer\u0026rsquo;s optional Direct Video mode. Controller wise, I initially used an older Logitech gamepad I had, but found it didn\u0026rsquo;t quite have the feel I wanted. So, after reading reviews I purchased the Retro-Bit, which works great for platform type games.\nSo, what\u0026rsquo;s next for me? I haven\u0026rsquo;t spent any time using the classic computer cores. I\u0026rsquo;d like to fire up the Apple II core, for some classics like the original Oregon Trail. As well as check out the Amiga, which was a system I\u0026rsquo;ve never used, but still has quite the cult following.\n","permalink":"https://publicmx.com/posts/2020-09-05-retro-gaming-with-mister/","summary":"\u003cp\u003eThere are many ways to enjoy classic console and computer video games. 
For most, that is done with software emulation, or in some cases, vintage hardware. A somewhat recent trend is the use of FPGA to build a kind of hardware implementation of those classic systems. If it isn\u0026rsquo;t obvious from the title, this post is about the \u003ca href=\"https://github.com/MiSTer-devel/Main_MiSTer/wiki\"\u003eMiSTer\u003c/a\u003e project.\u003c/p\u003e\n\u003cp\u003eSo, what is MiSTer? It\u0026rsquo;s an open source FPGA implementation of several classic computer, console, and arcade systems. It\u0026rsquo;s built around a commercially available FPGA development board, with open source hardware addons for things like analog controllers, USB, audio, etc.\u003c/p\u003e","title":"Retro Gaming with MiSTer"},{"content":"It\u0026rsquo;s been 6 months since I purchased my ThinkPad X395, and I felt it was time to make an update on the experience. Specs:\nAMD Ryzen 5 Pro 3500U 8GB DDR4 256GB NVME 1920x1080 IPS (non-touch) Intel 9260 Wireless Fingerprint Reader I\u0026rsquo;ve been running Fedora on the laptop since the day I received it. Initially the fingerprint reader didn\u0026rsquo;t work with Linux. However, after a few months the Linux fingerprint library gained support for the reader (with the help of Lenovo and Synaptics). Overall the experience has been quite good.\nAs for battery life, I\u0026rsquo;m not really sure. I\u0026rsquo;ve never run out of battery, even after using it for several hours. The estimated battery life as reported by GNOME, seems to be a bit inaccurate.\nSo, what doesn\u0026rsquo;t work? I haven\u0026rsquo;t tried the TPM chip. But, the kernel does detect it, so it probably works.\n","permalink":"https://publicmx.com/posts/2020-08-31-thinkpad-x395-update/","summary":"\u003cp\u003eIt\u0026rsquo;s been 6 months since I purchased my ThinkPad X395, and I felt it was time to make an update on the experience. 
Specs:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAMD Ryzen 5 Pro 3500U\u003c/li\u003e\n\u003cli\u003e8GB DDR4\u003c/li\u003e\n\u003cli\u003e256GB NVME\u003c/li\u003e\n\u003cli\u003e1920x1080 IPS (non-touch)\u003c/li\u003e\n\u003cli\u003eIntel 9260 Wireless\u003c/li\u003e\n\u003cli\u003eFingerprint Reader\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eI\u0026rsquo;ve been running Fedora on the laptop since the day I received it. Initially the fingerprint reader didn\u0026rsquo;t work with Linux. However, after a few months the Linux fingerprint library gained support for the reader (with the help of Lenovo and Synaptics). Overall the experience has been quite good.\u003c/p\u003e","title":"ThinkPad X395 Update"},{"content":"OK, so not really joyful. I\u0026rsquo;ve got an HP Proliant ML10 V2 as my home VM host. Recently I redid the system, and reset the BIOS. While setting things up, I noticed it was unusually slow. The only changes from the previous setup were the OS (it\u0026rsquo;s now running Windows Server 2019 Standard, had been running OpenBSD 6.7), and the BIOS being reset. OK, so that\u0026rsquo;s a lot of changes.\nRan through the basics. Checked CPU usage, it was nice and low. Checked the drives to make sure they weren\u0026rsquo;t failing, S.M.A.R.T. said all is well. Made sure drivers were all up to date, along with firmware. Then, I went back to having Performance Monitor and Task Manager open while doing basic administrative tasks, and noticed it\u0026hellip; the CPU clock speed was reported as 0.11 GHz, and wasn\u0026rsquo;t fluctuating at all. Checked Windows power management profiles, and they were set correctly. Went into iLO, and checked power management, and saw it was set to \u0026ldquo;Dynamic Power Saving\u0026rdquo;. Switched it to \u0026ldquo;OS\u0026rdquo;, and rebooted\u0026hellip;.\nPOST takes forever on this machine. But, once it finished, in a couple blinks I was staring at the Windows logon screen. 
Performance was back, and CPU clock speed fluctuated as system load changed.\n","permalink":"https://publicmx.com/posts/2020-08-28-the-joys-of-power-management/","summary":"\u003cp\u003eOK, so not really joyful. I\u0026rsquo;ve got an HP Proliant ML10 V2 as my home VM host. Recently I redid the system, and reset the BIOS. While setting things up, I noticed it was unusually slow. The only changes from the previous setup were the OS (it\u0026rsquo;s now running Windows Server 2019 Standard, had been running OpenBSD 6.7), and the BIOS being reset. OK, so that\u0026rsquo;s a lot of changes.\u003c/p\u003e\n\u003cp\u003eRan through the basics. Checked CPU usage, it was nice and low. Checked the drives to make sure they weren\u0026rsquo;t failing, S.M.A.R.T. said all is well. Made sure drivers were all up to date, along with firmware. Then, I went back to having Performance Monitor and Task Manager open while doing basic administrative tasks, and noticed it\u0026hellip; the CPU clock speed was reported as 0.11 GHz, and wasn\u0026rsquo;t fluctuating at all. Checked Windows power management profiles, and they were set correctly. Went into iLO, and checked power management, and saw it was set to \u0026ldquo;Dynamic Power Saving\u0026rdquo;. Switched it to \u0026ldquo;OS\u0026rdquo;, and rebooted\u0026hellip;.\u003c/p\u003e","title":"The Joys of Power Management"},{"content":"Recently found myself wanting to \u0026ldquo;relearn\u0026rdquo; C++. And, with that I needed the ability to store data. Instead of tying myself to a particular storage format, or database engine, I opted to use ODBC. After reviewing several options for ODBC abstractions, I ended up selecting OTL (ODBC Template Library).\nFrom a tools standpoint, I\u0026rsquo;m using Emacs + Eglot + clangd. To keep my code looking \u0026ldquo;consistent\u0026rdquo;, I\u0026rsquo;m using clang-format. 
With all development work being done under Linux, currently Fedora.\n","permalink":"https://publicmx.com/posts/2020-07-24-c-odbc-oh-my/","summary":"\u003cp\u003eRecently found myself wanting to \u0026ldquo;relearn\u0026rdquo; C++. And, with that I needed the ability to store data. Instead of tying myself to a particular storage format, or database engine, I opted to use ODBC. After reviewing several options for ODBC abstractions, I ended up selecting \u003ca href=\"http://otl.sourceforge.net/\"\u003eOTL\u003c/a\u003e (ODBC Template Library).\u003c/p\u003e\n\u003cp\u003eFrom a tools standpoint, I\u0026rsquo;m using Emacs + \u003ca href=\"https://github.com/joaotavora/eglot\"\u003eEglot\u003c/a\u003e + clangd. To keep my code looking \u0026ldquo;consistent\u0026rdquo;, I\u0026rsquo;m using clang-format. With all development work being done under Linux, currently Fedora.\u003c/p\u003e","title":"C++, ODBC, Oh My...."}]