[13:09] <punkgeek> I want to upload a shell script file into the running VM on qemu. Is there any way other than using ssh access? libvirtguestfs was a good method but it requires turning VM off. I'm using VMware tools on the VMware infrastructure which gives me an option to login into the VM by user and password. What can I do on qemu virtualization?
[13:58] <tomreyn> punkgeek: spice offers some kind of file sharing or transfer, i think
[13:59] <tomreyn> or you could mount another storage (with just the script in it) to the VM, or set up some other network based disk access on the vm (nfs, samba, nbd, ...)
[14:33] <punkgeek> tomreyn: Thank you but I want to run it after uploading
[16:24] <JanC> what's wrong with using SSH and/or SPICE?
[16:45] <punkgeek> JanC: the vm doesn't have network
[16:45] <JanC> so what _does_ it have enabled?
[16:48] <JanC> how do you interact with it normally?
[18:27] <patdk-lap> normally if there is no network, I'll just use paste into the vm console
[18:47] <TheGuestMovie> Is there any point in using ESXi on a home server now that there's Docker/LXC/containers? If all you're running is Linux systems, then VMs are just extra overhead for nothing, right?
[19:26] <patdk-lap> depends
[19:28] <TheGuestMovie> patdk-lap: lay it on me
[19:29] <TheGuestMovie> I've used ESXi before, before I learned Docker. Last week I started using Docker and it seems way superior, if only because of very low RAM usage, and shared storage filesystem.
[19:54] <patdk-lap> I use esxi + docker + k8s + lxc
[19:54] <patdk-lap> basically gave up on lxc and moved it to docker, lxc is much more vm like than docker
[19:55] <patdk-lap> but some things just don' twork in docker, or is just way too annoying to bother in docker
[19:55] <patdk-lap> I do run esxi clusters and k8s clusters side by side
[20:03] <TheGuestMovie> bearing in mind I'm a home user just running random independent self-hosted apps and hoping to minimize required hardware. I dont need "corporate" features (and ESXi doesnt really have those either)
[20:04] <TheGuestMovie> what doesnt work in Docker?
[20:04] <TheGuestMovie> I know snaps dont 
[20:10] <patdk-lap> for me, just doing network management has been a huge pain to do in docker
[20:23] <tomreyn> the main difference between virtualization and containers would be the strength of isolation, and whether you can run cross-platform code.
[20:24] <TheGuestMovie> tomreyn: right. So for someone who's only running Linux services, and who considers Docker "isolated enough", it's a no-brainer, Docker wins right?
[20:26] <tomreyn> if you can live with its network + storage management, and the design which is more targetted at development rather than long term operation, yes.
[20:27] <TheGuestMovie> I mean I have a Ubuntu 20.04 container I'm using to run my backup jobs on my NAS, and it's just using 20MB of RAM and a tiny amount of disk space. 
[20:27] <tomreyn> or lxc/lxd, which is the better design, just ubuntu sadly made it a snap, which makes it pretty useless.
[20:27] <TheGuestMovie> why isn't it good for long term operation? 
[20:27] <TheGuestMovie> eh, I already learned Docker, dont feel like learning something else
[20:27] <TheGuestMovie> (My NAS only supports Docker anyway)
[20:29] <tomreyn> i'd say don't run complex / live services where your backups are (which is often on a NAS)
[20:30] <tomreyn> i didn't say docker isn't good for long-term operation, just saying it's primarily designed for the use case where you create minimalistic images, deploy them, run them for a while, then replace them by a new image. you can do long term operation that way, as long as you keep building new images.
[20:31] <tomreyn> you can also break out of this original design and just run those guests long-term, it's just not how it's meant to be used.
[20:33] <TheGuestMovie> yeah I get that. I'm using --volume to have the data dir be on the host filesystem. As long as the updated image doesnt break anything (and because I'm not using "latest" tag, it shouldnt), I'll be OK
[20:33] <tomreyn> "long term operation" is probably not the best way to describe it. i was comparing to the general home system which you install at some point, then just keep installed and run release upgrades on over the years (at least that's a common pattern)
[20:35] <TheGuestMovie> so from what I'm picking up here, a power user who knows they're using Linux ,and who will use --volume mappings to keep data outside the container, Docker is a superior replacement to ESXi due to far smaller resource usage, and simpler management 
[20:35] <TheGuestMovie> *who knows they're using Linux exclusively
[20:36] <patdk-lap> for me, setting up and doing autoupdates in a vm is *simpler* mostly
[20:36] <patdk-lap> backing that up might be more complex for a home user
[20:36] <patdk-lap> docker is simple to backup, but updating images can be a pain
[20:36] <patdk-lap> if the source you use updates good nice, and just have to watch for breaking changes
[20:36] <patdk-lap> then it's just the images you build yourself
[20:37] <TheGuestMovie> why would updating the OS/image be more of a challenge on Docker than a VM?
[20:38] <patdk-lap> well letys just say there is something called debian/ubuntu that already made that auotupdate work and they test the updates
[20:38] <patdk-lap> docker images, not so much
[20:38] <patdk-lap> some do, and they are good, most are kindof crap
[20:38] <patdk-lap> and the more specific you get your docker image, the more crap you tend to run into
[20:39] <TheGuestMovie> but they're the ones publishing the docker images. eg https://hub.docker.com/layers/ubuntu/library/ubuntu/focal/images/sha256-3555f4996aea6be945ae1532fa377c88f4b3b9e6d93531f47af5d78a7d5e3761?context=explore
[20:39] <patdk-lap> yes, and that is a base
[20:39] <patdk-lap> but that doesn't do anything in itself
[20:39] <patdk-lap> you would have to build a docker image that installs apache or whatever it is you want to do
[20:39] <patdk-lap> now it's not so much autoupdate anymore
[20:39] <TheGuestMovie> right, the Dockerfile. I wrote that one myself
[20:40] <TheGuestMovie> I see what you mean
[20:40] <patdk-lap> it's not a huge deal, but your going have to update and re publish it and move over to it
[20:40] <TheGuestMovie> I'm good until 2025 though. 
[20:41] <patdk-lap> ya, but it is nicer to use someone elses apache made containers
[20:41] <patdk-lap> like say, use nginx, and not worry about it, and let it update itself in docker
[20:41] <patdk-lap> you just have to watch for breaking changes, and if they continue to update it
[20:41] <patdk-lap> nginx your not likely to have an issue
[20:41] <TheGuestMovie> OK, I get what you mean
[20:42] <patdk-lap> but like I said, the more specific you get, the more issue, like nextcloud
[20:42] <TheGuestMovie> oh? tell me about Nextcloud. I was planning to run that at home soon.
[20:42] <patdk-lap> I put it on a manual pile
[20:43] <patdk-lap> it's always having conflicts when going between major versions, kindof expected, and sql issues you need to resolve manually
[20:43] <patdk-lap> but they made that upgrade process really manually attended :(
[20:43] <patdk-lap> it can work ok most of the time, but you really need to check it each time and cannot just leave it to upgrade at will
[20:44] <TheGuestMovie> that makes sense though. Even if they claimed upgrades are fully tested I'd still never run a "latest" image of ANYTHING that saved data.
[20:44] <TheGuestMovie> cause you're one developer bug away from losing stuff. I know, I know, backups.
[20:48] <TheGuestMovie> do you advise a casual user with some Linux experience, but zero experience in hosting stuff on the public internet, in running a Nextcloud on the Internet? Can I just stay on their major Docker image (v22 right now), recreate it periodically for updates, and update the image when v23 is out, and not get hacked?
[20:48] <TheGuestMovie> only the Nextcloud port (443) would be open on the firewall
[20:49] <patdk-lap> well, install otp and set it up for your accounts
[20:50] <TheGuestMovie> 2fa? I'm not worried about being brute-forced, I'd pick a complex password created by my password manager. It's more about flaws in Nextcloud or the webserver software. I've never used any of that.
[20:50] <TheGuestMovie> And I presume Nextcloud has some sort of "ban IP on too many login failures" setting
[20:50] <patdk-lap> it's easy to protect from brute force
[20:50] <patdk-lap> that isn't what 2fa is protecting against
[20:51] <patdk-lap> well, there is no way around flaws
[20:51] <patdk-lap> the idea about flaws is to use something popular enough that flaws are found quickly
[20:51] <patdk-lap> or if it isn't and is attacked, someone else will report the attack and it will be fixed before you are attacked
[20:52] <patdk-lap> or can apply protection for that attack
[20:52] <TheGuestMovie> so nothing wrong with hosting Nextcloud on the internet despite lack of experience
[20:52] <TheGuestMovie> as long as I make sure the container image is updated periodically
[20:52] <patdk-lap> na, normally experience just has to do with how quickly you respond to issues
[20:52] <TheGuestMovie> (to pull the latest v22 with the patches)
[20:53] <TheGuestMovie> tbh I was hoping to simply let it run in autopilot and never look at it again :/
[20:53] <patdk-lap> I put a docker-notify thing so when a new image is released I'm notified and can check the release changlog
[20:53] <patdk-lap> for things that don't have their own security mailing list
[20:54] <patdk-lap> nextcloud does have a build in email security thing if you add yourself to the admin group
[20:54] <TheGuestMovie> nice, I'll save this
[20:54] <patdk-lap> love docker-notify
[20:54] <patdk-lap> mostly cause cloudflared doesn't have any release notifications :(
[20:57] <TheGuestMovie> I set up Radarr, Sonarr, Calibre-web, etc at home with Docker. honestly I love how convenient Docker made this, it's become AppImage for Linux backend daemons. 
[20:58] <TheGuestMovie> better than AppImage, since AppImage is still contending with Flatpak and Snap
[20:58] <TheGuestMovie> while Docker images are supported in most container systems (correct me if I'm wrong)
[20:59] <patdk-lap> well, a docker image is just a filesystem
[21:00] <patdk-lap> just a collection of tar.gz files in basic terms
[21:00] <patdk-lap> and some metadata added
[21:01] <TheGuestMovie> imagine if desktop apps had a similar "ship all dependencies" mentality. I think Debian (and therefore Ubuntu) is still shackled by restraints from 20 years ago, by forcing the split of dynamic libraries.
[21:01] <patdk-lap> no, that would be insane
[21:02] <patdk-lap> dynamic libraries allows you to contain security to limited set of things
[21:02] <patdk-lap> if everything installed whatever version of everything it wanted
[21:02] <patdk-lap> it would be insane to patch
[21:03] <patdk-lap> like right now, if openssl has an issue
[21:03] <TheGuestMovie> and yet , we ended up either running old obsolete software, or AppImage and Snap and Flatpak which have the same issue, but are fragmenting the choice of a single format
[21:03] <patdk-lap> it's simple to patch that
[21:03] <patdk-lap> in docker, you have to wait for every docker image to update openssl then download those images and run them
[21:04] <patdk-lap> snap resolves it, by keeping the dependencies as seperate snaps
[21:04] <patdk-lap> I don't know anything about the others and I'm not fond of snap at all
[21:04] <TheGuestMovie> so snap has eg Qt 5.1, 5.2, ... 5.15, 6.0, all as separate snaps that remain in the snap database?
[21:04] <patdk-lap> yes, unless you remove them, and as long as some other snap it using it
[21:05] <TheGuestMovie> so there's a list of base dependency snaps? Who maintains those, Canonical? 
[21:05] <patdk-lap> whoever made that snap
[21:06] <patdk-lap> canonical made many
[21:06] <patdk-lap> changing lxc to only be a snap is what finally killed lxc for me
[21:06] <TheGuestMovie> I didnt actually know this, I havent used Snap. the one time I needed it, when I ran the app, it didnt work (required a webservice) and the dev said the snap was too old.  I just find the odd AppImage sometimes online.
[21:07] <TheGuestMovie> (to be clear the webservice was the website the snap app was a client for, not Ubuntu's fault)
[21:07] <TheGuestMovie> AppImage is "here's everything, it WILL work"
[21:10] <TheGuestMovie> About OpenOTP which you recommended earlier...the latest Nextcloud version posted here is 15: https://apps.nextcloud.com/apps/twofactor_rcdevsopenotp/releases   Nextcloud is at v22 now
[21:11] <TheGuestMovie> will it still work? Do you use it?
[21:11] <patdk-lap> dunno about openotp
[21:12] <TheGuestMovie> ok, nm, there's many more 2FA apps on Nextcloud under Security. I just mentioned OpenOTP cause you did.
[21:13] <patdk-lap> Two-Factor TOTP and Two_Factor U2F
[21:13] <patdk-lap> I mentioned OTP
[21:13] <patdk-lap> I didn't specify the type of otp
[21:14] <TheGuestMovie> my bad, you did
[21:14] <patdk-lap> just use my yubikey in u2f mode
[21:14] <patdk-lap> and totp for if I don'y have my yubi on me
[21:16] <TheGuestMovie> Thanks for all the advice. I'm looking forward to setting up Nextcloud...even though I have a feeling I wont use it much
[21:17] <patdk-lap> I have all my backups get copied offsite using it
[21:17] <patdk-lap> and phones all get backedup to it
[21:17] <TheGuestMovie> via the Nextcloud mobile apps? 
[21:17] <punkgeek>  can I excute system command such as virt-customize through python libvirt conenction?  conn = libvirt.openAuth('qemu+ssh://root@ip', auth, 0)
[21:18] <patdk-lap> yes
[21:18] <patdk-lap> also desktop
[21:18] <patdk-lap> my wife gets her pictures synced from phone to her desktop and backup in nextcloud now, she happy
[21:18] <patdk-lap> icloud won't sync it to the desktop
=== amurray_ is now known as amurray