🕒 2 minutes

It's 2022: nftables kind of integrates now

This is a follow-up to It's 2021: nftables still does not integrate. The good: what works compared to 2021? Pretty much everything still revolves around the iptables-nft compatibility layer, but it has improved a lot, so things seem to work just fine now. libvirt: everything works. It very likely uses the compatibility layer implicitly (judging from libvirt Network Filters). Docker: everything works out of the box, without having to write your own rules or handle wiring with your own Docker event handler.

🕒 1 minute

Flakes and little convenient impurity escape hatch

Started using flakes recently? But then you found that: you need per-machine configuration for experimentation/secrets (e.g. firewall config), but don't want to publish it. Your configuration is below your usual quality standards, so it'd be a shame to show it to the world. Here's one solution to that; it works similarly to how current NixOS deployments are still done. flake.nix { inputs = { impure-local.url = "path:./impure-local"; impure-local.flake = false; }; outputs = { nixpkgs, impure-local }: { nixosConfigurations.

🕒 5 minutes

Container bind mount pitfalls: DNS

It's not DNS. There's no way it's DNS. It was DNS. Story time? Story time. I had this very old deployment of a Clojure app around, orchestrating quite a few Docker containers and their data volumes. It was set up to connect to a PostgreSQL database and Redis running on the container host, implying no magical DNS solutions nor any convenience at all (manual /24 subnet configuration and firewalling). 1 It also bind-mounted the whole of /var/run into the container to access the Docker API socket (it's still sitting at /var/run/docker.

🕒 2 minutes

It's 2021: nftables still does not integrate

You have probably seen it around somewhere already, for example Debian trying hard to replace iptables with it. Debian 10 (buster) already shipped with it, the Arch Linux wiki provided (usable) examples for the adventurous back in 2014, etc. (nftables is quite promising, don't get me wrong; I quite like it because of how much easier it is to use and integrate. This is rather a rant towards other projects.) HOWEVER, integrating it into existing solutions turns out to be VERY painful:

🕒 6 minutes

An adventure of getting Docker on NixOS running only with cgroups v2

After discovering Linux's wonderful Pressure Stall Information (PSI for short) subsystem, I've been trying to set up monitoring on Docker containers where I run very memory-, CPU- and I/O-hungry game servers (not hard to guess: it's Minecraft). Since I monitor pretty much everything using Prometheus, finding Cloudflare's psi_exporter project made my life a lot easier; I didn't have to write an exporter myself. Why do cgroups v2 matter?