In incus, I had the same setup of an LCX container with a Docker container inside of it. I passed 1000/1000 to the LXC container but the LXC container’s default root user has a an ID set of 0/0. So I had to pass 0/0 to the Docker container, not 1000/1000 to get the read/write permissions working.

That may fix your issue as it’s basically the same tech, just different automated things implementing the LXC container!

Good to know Proxmox’s bad updates are more pervasive than the latest bad update.

I have been able to install Docker in the LXC containers and pull images in with the normal commands. I do that container-in-container to get effectively rootless docker containers for stuff that I couldn’t figure out how to run rootless. So you don’t even lose out on docker if you’re determined! And as you said incus goes on any OS, you can docker just fine on the base OS of your choice and use incus for specific things!

Try a diff email if you do want one, a friend recently got one via email signup and wait a few weeks. But I do abs agree it fuckin sucks you have to do any of this effort to get one, it is just enabling scalpers

I do use it to hold internet-exposed things in LXC containers to sidestep having to figure out how to not run things as Docker root.

You do not need it for everything, but since it’s not an OS that makes it your everything, that’s ok! Run Docker containers as you need, put internet-exposed ones in an LXC container, put home assistant in a VM because it’s special.

Ah, I was wondering which one you updated and it made your containers inaccessible!

You have to sign up for the in stock notifications, annoying but it works in a delayed fashion. Sad it does enable scalpers.

Incus or Proxmox (e.g., should I shift to Incus LTS or something?)

Incus is way easier to work with than Proxmox, and it sits on your OS of choice instead of being the OS you must use. For home use it’s way easier to use with the web ui, it even has clustering if you want to go hard.

So you can install Incus when you want a VM/LXC container and not have to commit to a VM/LXC container OS from the start.

Also Proxmox free just had a bad update that björked some stuff if you updated when it was live. Proxmox free is rolling and apparently lacks basic sanity checks for updates.

Your budget is really near a https://store.ui.com/us/en/collections/unifi-dream-router/products/udr Unifi dream router. Your family is gonna be way happier with you (0 downtime) and it’ll give you extender options if you ever need it. Unifi is good enough and they update regularly, just disable cloud access stuff and you’re good.

Otherwise you want Opnsense instead of Openwrt. The upgrade process for Openwrt is not automatic, while Opnsense is. Worth it not to have to dote on your router.

And you should get an access point (Unifi something or Tplink Omsomething), wifi is problematic with openwrt and I’m not sure if opensense even lets you do it (haven’t tried).

And you’ll need a switch, dumb or managed, up to you if you want VLANs. The Opnsense box will have just one LAN port, so it requires a switch if you want to plug more than one thing into it. A switch with PoE+ can power the access point directly.

Opnsense needs x64 arch (Intel or AMD CPUs), get a small thin client like a Dell Wyse 5070 extended or HP T730 or that mentioned Fujitsu Futro S720 (its CPU is old tho, you can do better). There may be newer thinclients, you just want a mini PCIe slot to install some Intel gigabit card from eBay with 2 ports. Google power efficient gigabit mini PCIe card - there’s an older model that sucks power and a newer one that doesn’t suck; if you go more than gigabit skip 2.5 on Intel unless you google hard and expect extra power draw. Very limited point to 4 port cards, just go higher gigabit speeds don’t think about multiplexing ports or whatever it is called; and switches switch better than the router can and remove CPU overhead for more actual routing work - 2 port card is the way.

Slap Incus (superior but newer, less guides, LXD is previous name if googling stuff) or Proxmox (good enough, more guides for this) on it, make a VM and pass through the 2 ports of the PCIe cards, slap Opnsense in the VM. Make an LXC container and slap Debian on it and spin up the Unifi controller for your AP. Another container for adguard home or pi hole and you’ve got a box that does the basic nets all in one. The built-in port on the thin client is how you will access the underlying OS, it gets plugged into the switch you’ll have to get. If you got something with 2 gigs of RAM and an AMD Geode/GX or aged Intel Atom CPU I’d just only do Opnsense no hypervisor stuff.

Sorry for the info dump but there’s a lot of angles!

But really, the Unifi dream router is much easier and solves it all-in-one. You need 3 pieces (router, wifi access point, Ethernet switch) for a good experience otherwise.

It looks like regular PSUs are isolated from the mains ground with a transformer. That means that two PSUs’ DC grounds will not be connected. That will likely cause problems for you, as they’ll have to back flow current in places that do NOT expect back flow current to account for the voltage differences between the two ground potentials. Hence it might damage the GPU which is going be the mediator between these two PSUs - and maybe the mobo if everything goes to shit.

Now I am not saying this will be safe, but you may avoid that issue by tying the grounds of the two PSUs together. You still have the issue where if, say, PSU1’s 12V voltage plane meets PSU2’s 12V voltage plane and they’re inevitably not the same exact voltage, you’ll have back flowing current again which is bad because again nothing is designed for that situation. Kind of like if you pair lithium batteries in parallel that aren’t matched, the higher voltage one will back charge the other and they’ll explode.

Old AMD cards can be flashed with any BIOS that says anything. Maybe the card was used for a scam and flashed to say it’s an RTX 2070, it should have a switch to go to its 2nd BIOS near the top left (when slotted in). And if it doesn’t, you can just get its original BIOS off of Techpowerup’s database and flash it with atiflash, also from Techpowerup.

Picture stolen from some Reddit help thread for a red dragon RX 580.

This is assuming that Linux is reading what the card claims it is correctly. Which seems likely, since reading device IDs is a really important feature that probably works nearly perfectly.

Thank you for the in-depth explanation!! I’ll keep this in mind as I try to club my way through podman!

I have tried pre-making the network in podman directly beforehand, but because I want a second docker image binding to port 53 I was under the impression that I had to use macvlans

Huh you’d think macvlans would have an error telling me to kick rocks for trying to use it in a rootless state. I guess that’s why it can’t see anything?

Weird though, like why can’t I make the macvlans network interface as root and then let rootless containers connect to it? If I sudo make the macvlans network thing it lives in the sudo podman zone. Hm

Love the idea, but theoretically with this “macvlan” it will have its own IP address and thus have free reign of all of its ports and not have any conflicts

I’ve made it so the host OS doesn’t require root, are you saying I’d need to make the image also do that?

I see, I’ll check that out and also check out how to ascertain that lol

Does that “similar security” still count if the image is hacked? Since the capability for “real” root is there.

I am reasonably pleased with my TV UI approximation. It’s an old Skylake-era CPU running Windows 10 Enterprise IoT LTSC which lasts until 2032.

I chose windows because Linux is often limited to 720p browser streaming. And I got tired of overcoming hurdles to make the thing work well, forget what they were but damn they sucked and took a lot of time. Burned through a ton of my self-allotted time fixing stuff till I just ripcorded Win 10 Ent IoT LTSC; Linux might go better for you!

Anyway, it’s at 150% desktop scale and I have the task bar auto hide. I have icons for all streaming sites, Freetube, and Jellyfin on the desktop arranged in a grid. It looks reasonably good, they open in Firefox or in their apps. I close the whole window when I’m done (I don’t use the browser’s tabs), which helps with the “TV box” feel of usage.

I have a remote that has some IR functions to turn the TV on and off and change inputs along with gyro mouse control. It’s hella China, just buy one on your relevant China source (Amazon, alibaba, etc.) - there are tons of clones. The light up feature on it makes an audible hum, so that sucks, but I don’t use it and don’t seem to miss it.

Best bonus is it blocks ads on all the streaming services I have (uBlock origin mostly, also AdGuard but I think uBlock Origin does the heavy lifting). And can turn on WireGuard for modern account sharing, going to automate it soon for certain streaming services.

GPU encoding uses (relatively) simpler fixed function encoders that do it much faster than the CPU which uses its general purpose transistors to run an encoding algorithm. End result is GPU encoding is speedy at the cost of visual quality per bitrate; the file size is bigger for same visual quality as a CPU encode. Importantly for storing your videos - CPU encoding, while much slower, will get your file size smaller at the same visual quality threshold you desire, so you can save more videos per drive!

I did a wireshark packet capture and found the wake-up packet is on UDP 987. I can only capture broadcasts, not specific stuff it looks like. Source: 10.0.69.69(iOS device IP) Destination: 10.0.69.255 Protocol: UDP Length: 105 Info 57477(or 62764, 62335, 60311 as source ports) -> 987 Len=63

Note the IP of the PS4 is 10.0.69.150

I’m not sure what to do with this, though. Nothing I tried worked (e.g., jamming 987 into the IP tables iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A PREROUTING -p udp --dport 987 -j DNAT --to-destination 10.0.69.150:987; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE; iptables -t nat -A POSTROUTING -p udp -d 10.0.69.150 --dport 987 -j SNAT --to-source 10.0.66.10:987 based on https://serverfault.com/questions/586486/how-to-do-the-port-forwarding-from-one-ip-to-another-ip-in-same-network).

Additionally setting the Wireguard mask to 10.0.66.1/16 makes the WG connection not route successfully, and setting the mask in OpnsenseRouter->Interfaces->[LAN]->(under Static IPv4 configuration section) to 16 did nothing. Oh well, this seems beyond me