Articles

Pokemon Emerald in WebAssembly (https://github.com/tripplyons/pokeemerald-wasm)

GitHub

- wxt: Next-gen Web Extension Framework
- Skills for threat modeling, scanning, triage, patching, plus an autonomous scanning harness you can /customize
- A curated list of awesome 3D printing resources
- hermes-agent: It’s the only agent with a built-in learning loop - it creates skills from experience, improves them during use, nudges itself to persist knowledge, searches its own past conversations, and builds a deepening model of who you are across sessions. Run it on a $5 VPS, a GPU cluster, or serverless infrastructure that costs nearly nothing when idle. It’s not tied to your laptop - talk to it from Telegram while it works on a cloud VM.
- loupe: A privacy-focused iOS app that raises awareness about what native apps can see (https://apps.apple.com/cn/app/loupe-app%E8%83%BD%E7%9C%8B%E5%88%B0%E4%BB%80%E4%B9%88/id6766152470)
- LaunchNext: Bring your Launchpad back in macOS 26+, highly customizable, powerful, free.
- endlessh: SSH tarpit that slowly sends an endless banner
- iptables-tracer: Trace packets as they go through iptables chains
- serverless-dns: The RethinkDNS resolver that deploys to Cloudflare Workers, Deno Deploy, Fastly, and Fly.io
- ouch: stands for Obvious Unified Compression Helper. It’s a CLI tool for compressing and decompressing various formats. (https://github.com/ouch-org/ouch#supported-formats)
- shpool: shpool is a service that enables session persistence by allowing the creation of named shell sessions owned by shpool so that the session is not lost if the connection drops. shpool can be thought of as a lighter weight alternative to tmux or GNU screen. While tmux and screen take over the whole terminal and provide window splitting and tiling features, shpool only provides persistent sessions. The biggest advantage of this approach is that shpool does not break native scrollback or copy-paste.
- capslock: is a capability analysis CLI for Go packages that informs users of which privileged operations a given package can access. This works by classifying the capabilities of Go packages by following transitive calls to privileged standard library operations.
- unregistry: Push docker images directly to remote servers without an external registry
- NetNewsWire is a free and open-source feed reader for macOS and iOS. It supports RSS, Atom, JSON Feed, and RSS-in-JSON formats.
- K4YT3X’s Hardened & Optimized Linux Kernel Parameters
- Turso is an in-process SQL database, compatible with SQLite.
- zizmor is a static analysis tool for GitHub Actions.
- RustFS is a high-performance, distributed object storage system built in Rust.
- Usage: is a spec and CLI for defining CLI tools. Arguments, flags, environment variables, and config files can all be defined in a Usage spec. It can be thought of like OpenAPI (swagger) for CLIs.
- SurfSense: An open source, privacy focused alternative to NotebookLM for teams with no data limits.
- ICANN implementation of the Registry Data Access Protocol (RDAP)
- OpenRDAP is a command line RDAP client implementation in Go.

Article

- 1-Click GitHub Token Stealing via a VSCode Bug
- How do you recover after the permissions of chmod were accidentally changed to 000 on a Linux system?
- Laptops all have built-in security tokens these days
- Tailscale and RustDesk: Secure remote access to all your desktops
- Unexpected security footguns in Go’s parsers
- 君子慎讀 (A gentleman reads with care)
- What are the "讀音" (reading pronunciation) and "語音" (spoken pronunciation) marked in dictionaries?
- Please stop saying "我汗你"!

How do you recover after the permissions of chmod were accidentally changed to 000 on a Linux system?

```c
#include <sys/stat.h>

int main() {
    /* chmod(2) follows the symlink, so the mode is set on the target binary */
    chmod("/usr/bin/chmod", 0755);
    return 0;
}
```

```
ubuntu@ubuntu:~$ which chmod
/usr/bin/chmod
ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod
lrwxrwxrwx 1 root root 8 Sep 27 2025 /usr/bin/chmod -> gnuchmod
ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod
-rwxr-xr-x 1 root root 67K Jan 23 21:34 /usr/bin/gnuchmod
ubuntu@ubuntu:~$ sudo chmod 000 /usr/bin/chmod
ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod
lrwxrwxrwx 1 root root 8 Sep 27 2025 /usr/bin/chmod -> gnuchmod
ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod
---------- 1 root root 67K Jan 23 21:34 /usr/bin/gnuchmod
ubuntu@ubuntu:~$ cat main.c
#include <sys/stat.h>
int main() {
chmod("/usr/bin/chmod", 0755);
return 0;
}
ubuntu@ubuntu:~$ gcc ./main.c
ubuntu@ubuntu:~$ sudo ./a.out
ubuntu@ubuntu:~$ ls -lh /usr/bin/chmod
lrwxrwxrwx 1 root root 8 Sep 27 2025 /usr/bin/chmod -> gnuchmod
ubuntu@ubuntu:~$ ls -lh /usr/bin/gnuchmod
-rwxr-xr-x 1 root root 67K Jan 23 21:34 /usr/bin/gnuchmod
```

Laptops all have built-in security tokens these days

macOS

https://github.com/yubico/libfido2

Gluetun: route Docker containers through a VPN connection and cut them off when the network is down (usage tutorial)

Gluetun

OpenVPN

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /home/user/gluetun:/gluetun
    environment:
      # Fill these in from your VPN provider's OpenVPN configuration file
      - VPN_SERVICE_PROVIDER=protonvpn
      - VPN_TYPE=openvpn
      - OPENVPN_USER= # OpenVPN username
      - OPENVPN_PASSWORD= # OpenVPN password
      - SERVER_COUNTRIES=United Kingdom # countries of the servers to use, comma-separated
    networks: # (optional) pin the Gluetun container's IP
      network:
        ipv4_address: 172.27.0.5

networks: # (optional) pin the Gluetun container's IP
  network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/16
          gateway: 172.27.0.1 # changed from 172.27.0.5: the gateway must differ from the container's ipv4_address
```

WireGuard

```yaml
services:
  gluetun:
    image: qmcgaw/gluetun
    container_name: gluetun
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun:/dev/net/tun
    ports:
      - 8888:8888/tcp # HTTP proxy
      - 8388:8388/tcp # Shadowsocks
      - 8388:8388/udp # Shadowsocks
    volumes:
      - /home/user/gluetun:/gluetun
    environment:
      - VPN_SERVICE_PROVIDER=protonvpn # fill these in from your VPN provider's WireGuard configuration file
      - VPN_TYPE=wireguard
      - WIREGUARD_PRESHARED_KEY= # preshared key
      - WIREGUARD_PRIVATE_KEY= # private key
      - WIREGUARD_ADDRESSES= # IPv4 and IPv6 addresses, comma-separated
      - SERVER_COUNTRIES=United Kingdom # countries of the servers to use, comma-separated
    networks: # (optional) pin the Gluetun container's IP
      network:
        ipv4_address: 172.27.0.5

networks: # (optional) pin the Gluetun container's IP
  network:
    driver: bridge
    ipam:
      config:
        - subnet: 172.27.0.0/16
          gateway: 172.27.0.1 # changed from 172.27.0.5: the gateway must differ from the container's ipv4_address
```

Routing a container through Gluetun's VPN connection

1. If the container's service is defined in the same docker-compose file as Gluetun: add the network mode network_mode: "service:gluetun"
2. If the container is not defined in the same docker-compose file as Gluetun: add network_mode: "container:gluetun"
3. Open Gluetun's docker-compose file and add back the ports the service uses (e.g. 8080)
4. Start Gluetun first, then the services that go through Gluetun's VPN connection
5. The container's public IP should match the VPN server you selected

Docker Introduction

Docker Concept

VM vs Container

- VM - Based on OS
- Container - Based on Application (Linux Kernel: Namespace and Cgroup)

Client to Server

- Docker daemon - containerd, docker-containerd-shim, docker-runc
- Docker client - cli command
- docker cli -> docker daemon -> containerd -> runc -> namespace & cgroup

Image

- Snapshots

Container

- Read-Only processes on image

Hub / Registry

- Store images

References

- Docker —— 從入門到實踐 (Docker: From Beginner to Practice)
- docker docs

Docker commands

Dockerfile

```dockerfile
ARG dist="/tmp/password"
ARG projectDir="/password"

FROM golang:1.16-alpine3.14 AS builder
RUN apk add build-base upx
ARG dist
ARG projectDir
WORKDIR ${projectDir}
COPY . .
RUN go build -trimpath -o main cmd/main.go
RUN upx -9 -o ${dist} main

FROM scratch
ARG dist
ENV TZ=Asia/Taipei
COPY --from=builder ${dist} /usr/local/bin/password
```

Dockerfile1

```dockerfile
FROM alpine
CMD ["nc","-l","12345"]
```

Dockerfile2

```dockerfile
FROM alpine
CMD ["echo","DOCKER"]
```

docker build command

```bash
docker build . -t program
docker build . -f Dockerfile -t test_mysql
docker build . -t hello:v1.1 --build-arg dist=/tmp/hello --build-arg projectDir=/hello
```

docker build

```bash
# docker/status is sourced first; it is expected to define GREEN and RESET (file not shown on this page)
. docker/status
echo -e "${GREEN}Before build${RESET}"
docker image ls
docker build . -f docker/Dockerfile1 -t test1
docker build . -f docker/Dockerfile2 -t test2
```

docker image

```bash
. docker/status
echo -e "${GREEN}After build${RESET}"
docker image ls
```

docker run AND rm

```bash
. docker/status
echo -e "${GREEN}Run container1${RESET}"
docker run -d --name container1 test1
echo -e "${GREEN}Run container2${RESET}"
docker run -d --name container2 test2
echo -e "${GREEN}List alive containers${RESET}"
docker ps
echo -e "${GREEN}List all containers${RESET}"
docker ps -a
echo -e "${GREEN}Remove alive container${RESET}"
docker rm -f container1
echo -e "${GREEN}List all containers${RESET}"
docker ps -a
echo -e "${GREEN}Remove exit container${RESET}"
docker rm container2
echo -e "${GREEN}List all containers${RESET}"
docker ps -a
```

docker pull AND rmi

```bash
. docker/status
echo -e "${GREEN}List all image${RESET}"
docker image ls
echo -e "${GREEN}Pull alpine image${RESET}"
docker pull alpine
echo -e "${GREEN}List all image${RESET}"
docker image ls
```

docker rmi

```bash
. docker/status
echo -e "${GREEN}Remove alpine image${RESET}"
docker rmi alpine
echo -e "${GREEN}List all image${RESET}"
docker image ls
```

prune

```bash
docker system prune -f --volumes
```

docker history

```bash
. docker/status
echo -e "${GREEN}History of test1${RESET}"
docker history test1
echo -e "${GREEN}History of mysql:8${RESET}"
docker history mysql:8
```

Docker remote

Edit service file

```ini
# /lib/systemd/system/docker.service
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
```

Restart service

```bash
systemctl daemon-reload
systemctl restart docker
```

Specify DOCKER_HOST

```bash
. docker/status
echo -e "${GREEN}List images on 192.168.185.9${RESET}"
DOCKER_HOST=192.168.185.9:2375 docker images
```

Docker-compose

```yaml
version: "3"
services:
  svn:
    image: zeyanlin/svn
    environment:
      - LDAP_HOSTS=${LDAP_HOSTS}
      - LDAP_BASE_DN=${LDAP_BASE_DN}
      - LDAP_BIND_DN=${LDAP_BIND_DN}
      - LDAP_ADMIN_PASS=${LDAP_ADMIN_PASS}
    ports:
      - 8000:80
      - 3690:3690
    depends_on:
      - ldap
  ldap:
    image: zeyanlin/openldap
    environment:
      - LDAP_DOMAIN=${LDAP_DOMAIN}
      - LDAP_ADMIN_PASS=${LDAP_ADMIN_PASS}
    ports:
      - 389:389
      - 636:636
  php:
    image: zeyanlin/phpldapadmin
    environment:
      - LDAP_HOSTS=${LDAP_HOSTS}
    ports:
      - 80:80
    depends_on:
      - ldap
```

Env

```
LDAP_HOSTS=ldap
LDAP_DOMAIN="knowhow.fun"
LDAP_BASE_DN="dc=knowhow,dc=fun"
LDAP_BIND_DN="cn=admin"
LDAP_ADMIN_PASS="123qwe"
```
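
The "Docker remote" service-file edit makes dockerd listen on tcp://0.0.0.0:2375 without TLS, so any host that can reach the port gets full control of the daemon. The following is an added example, not code from the original post: a shell function that audits a docker.service file for TCP listeners started without --tlsverify. The function name, the sample unit files and the certificate paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every dockerd TCP listener found in a systemd unit file.
#   CRITICAL = TCP on a non-loopback address without --tlsverify
#   WARN     = TCP on loopback without --tlsverify
#   OK       = TCP with --tlsverify (clients must present a trusted certificate)
# Returns non-zero if any CRITICAL or WARN finding was printed.
# Only the "-H URL", "--host URL" and "--host=URL" spellings are recognised.
audit_dockerd_unit() {
    awk '
        BEGIN { bad = 0 }
        /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }  # join continuation lines
        { line = buf $0; buf = "" }
        line !~ /^ExecStart=/ { next }
        {
            tls = (line ~ /(^|[ \t])--tlsverify(=true)?([ \t]|$)/)
            n = split(line, arg, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                host = ""
                if ((arg[i] == "-H" || arg[i] == "--host") && i < n) host = arg[i + 1]
                else if (arg[i] ~ /^--host=/) host = substr(arg[i], 8)
                if (host !~ /^tcp:\/\//) continue
                if (tls) { print "OK " host; continue }
                bad = 1
                if (host ~ /^tcp:\/\/(127\.|localhost|\[::1\])/) print "WARN " host
                else print "CRITICAL " host
            }
        }
        END { exit bad }
    ' "$1"
}

# Constructed samples: the ExecStart line from this page, and a TLS-protected variant.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/exposed.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock -H tcp://0.0.0.0:2375
EOF
cat > "$demo_dir/tls.service" <<'EOF'
[Service]
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock \
    --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem \
    --tlskey=/etc/docker/server-key.pem -H tcp://0.0.0.0:2376
EOF
audit_dockerd_unit "$demo_dir/exposed.service" || echo "-> enable TLS or remove the TCP listener"
audit_dockerd_unit "$demo_dir/tls.service"
```

With --tlsverify on the daemon, a client also needs matching certificates, for example via DOCKER_TLS_VERIFY and DOCKER_CERT_PATH alongside DOCKER_HOST.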