If you’re here, you’re probably looking for a way to store secrets securely. This post isn’t about Kubernetes or managing cluster secrets — it’s about keeping stuff safe locally on your own machine. User-focused.

On a regular mutable system, setting up tools like SOPS and AGE is pretty straightforward. But on atomic/immutable systems (like Fedora Silverblue or openSUSE MicroOS), things get trickier. That’s what I’m tackling here.

Foreword 🔗

For the past few years I’ve been using CryFS to keep my secrets safe: keys, tokens, backups of my password manager — basically anything private. It worked great, but it started feeling like time to move to something more modern and future-proof.

My talk took place at openSUSE.Asia Virtual Summit 2021 August 08, 2021. During this talk I was sharing some information as how we at OpenStorage.io are utilizing GitlabCI, Ansible and MicroOS to achive some DevOpsie automation to make our life a lot easier. Enjoy! (click pic)

Note: The pipeline has a bug cause I mixed zypper and apt, but it is fixed in the slides in my Github repo

Podman Checkpoint/Restore in Userspace 🔗

Recently I was migrating our entire Podman infra to a new, bigger server, roughly ~180 container. Most of our things are running in pods which are fairly easy to migrate, just podman generate kube --filename xyz.yml xyz-pod, clean up the yml a bit and on the new server I just play it with podman play xyz.yml. Done, pod migrated. On the other hand we have a few containers that are running outside of pods and was interested how lazy I can get with those using Podman. Fairly quickly ran into Podman Checkpoints/Restore in Userspace (CRIU). With CRIU Podman is able to checkpoint and restore containers in their current state. Migration is just one use-case, another would be to restore a container after a host reboot exactly the way it was prior the restart. This is exactly what I needed, scripts back in the box, in the new and shiny stuff comes.

What is Podman 🔗

Podman is a a daemonless, open-source tool to manage, deploy and build application containers. Podman is using Open Containers Initiative (OCI) Containers and container images, which means that containers crated with/for Docker or CRI-o will work with Podman as well and vice versa. It is coming with a command line interface (CLI) which offers pretty much the same commands like Docker does. How similar are Podman commands to Docker’s? Let’s put it this way: many Podman users just alias docker to podman. Like other runtimes, Podman also relies on an OCI compliant container runtime to interface with the operating system. Podamn also has a RESTful API to manage containers, offers automatic updates of containers and has a fantastic systemd integration.

Getting started 🔗

By now you’re probably familiar with git. Git is a popular distributed version control system with which people can collaborate on pretty much anything that you can/want to version control and collaborate on. This can be source code, documentation, automation scripts, anything really. To work on a project with others, one would generally create a fork of the main repository where the code, it’s branches and issues are being stored at. This short article explains what to do when the upstream project pulls too far ahead that it leaves your fork out-of-date creating potential issues during a pull request (PR) which would have to be resolved by the person who the PR is assigned to.

Purpose 🔗

First of all this a GNU/Linux - and mostly openSUSE - focused technical blog with a bunch of know-how, tools, personal recommendations. Recently had this realization that the content I’m keeping in my QOwnNotes would be a little bit more valuable if…

• ..it would be available publicly,
• ..it would be DDG/Google searchable,
• ..I could just link to it when I’m helping others AkA “laziness”.

Being active in different communities, I run into a lot of repeated questions. How to do this, how to do that, what would be an ideal setup for xyz. So instead of searching for the answer in QOwnNotes or in the messaging history I could just send a link to the corresponding entry here.