Starting podman containers on boot with systemd

Podman is pretty cool, and I have been playing around with it a bit recently.

Podman is essentially Docker but without a daemon, so it runs in userspace. It is developed by Red Hat, so it has nice things like Ansible integration, and it is the driver behind Fedora’s Toolbox, a tool for Fedora Silverblue.

The Podman blog says that you can start containers by creating an entry in /etc/systemd/system for every container that you want to start, with the following example for Redis:

[Unit]
Description=Redis Podman container
Wants=syslog.service
[Service]
Restart=always
ExecStart=/usr/bin/podman start -a redis
ExecStop=/usr/bin/podman stop -t 10 redis
[Install]
WantedBy=multi-user.target

However, when I looked at Wireguard’s systemd service file as an example, I found a neater way to do it.

  • Create a new file /etc/systemd/system/podman@.service (the @ is the important part – be sure not to leave that out)
  • Add the following to the file:
[Unit]
Description=podman %I container

[Service]
Restart=always
ExecStart=/usr/bin/podman start -a %i
ExecStop=/usr/bin/podman stop -t 2 %i

[Install]
WantedBy=multi-user.target
  • Stop (don’t rm) the container you want to run, and take note of its container name, eg: bitwarden_bitwarden_1
  • Start and enable the service with systemctl enable --now podman@container_name

I hope this helps someone out there 😀

The minimalist guide to digital minimalism

I was recently inspired by Matt D’Avella on YouTube to try and minimalise my digital life. This guide will teach you to be minimalist without having to use Apple products.

1. Install Ubuntu.

Click here for a guide to installing Ubuntu.

It is safe to say that Windows 10 is an incredibly messy OS, cluttered with unnecessary programs, some of which are surprisingly difficult to remove.

Yes, there are plenty of distributions which are more minimalistic than Ubuntu, but the time you put into installing and maintaining the distribution, as well as the fact that there is far more software and support available for Ubuntu make Ubuntu the best option. Debian is also a good choice.

When you are installing Ubuntu, be sure to check the “Minimal Installation” box. This makes sure that only the essential programs are installed.

2. Don’t keep duplicates.

NOTE: This does not apply to backups of your data. Keep as many duplicate backups of your data as you can.

I find that for whatever reason I have 2 copies of the same file in different folders, or maybe two different web browsers for absolutely no reason.

Try, for a week, to stick to just one web browser. I recommend Brave Browser (as long as you turn off Brave Rewards) as it is pretty simple to install unlike Ungoogled Chromium, and tries to respect your privacy, unlike Google Chrome. Firefox-based browsers can be difficult to use exclusively as some websites are designed to only work in Google Chrome.

3. Organise your files.

I cannot emphasise this enough.

Create sub-directories of your Documents, Pictures, Downloads and Music folders. Create sub-directories for your sub-directories. Set your browser to ask where you want to save files. Make your screenshot tool autosave to a specific directory. AVOID CLUTTER!

Clutter leads to frustration.

Also remember your hidden dot files. Try to use the XDG specification to keep these organised and avoid cluttering your $HOME.

4. Keep away from distractions.

One nice looking way to do this on Android is to install a simplistic launcher. I recommend Light Android Launcher from F-Droid, because it has a simple list layout without app icons, and you can pin the applications which are essential.

Quit social media.

Quit as many social media sites as you can. The obvious ones such as Twitter, Facebook, Instagram, Reddit, Snapchat and TikTok have endless scrolling features which I am guilty of spending hours and hours on. A bonus to this is you will have more privacy in your day-to-day life.

You have reached the end of my blogpost. Thank you for putting up with my rambling.

Pine64’s PinePhone – Testing a few OSs

Disclaimer – The development on the PinePhone is very rapid and it is more than likely that by the time you are reading this, most of the issues I describe are fixed. I will try to update this blogpost as I test different OS images on the phone.

Last Thursday (2020-02-12) I received my Braveheart PinePhone all the way from Hong Kong. I had to pay £11.81 customs fees when I went to collect it, as I live in the UK. The box contained the phone, a note from Pine64, and a red USB-C to USB-A cable. When I took the phone out of the box and pressed the power button, it hesitated for about 5 seconds, then lurched into the factory test image based on PostmarketOS. It had a few tests such as for the vibration motor and the modem (which will automatically fail without the SIM inserted. If yours fails, don’t worry! Just insert a SIM card).

UBPorts

The first image I tried on the PinePhone was UBPorts. This is the most complete of the images available as of writing this blogpost. With a few scripts and commands you can get it to make phone calls, make the audio work on the speakers and make it pick up FM radio stations. Keep in mind that these do not work without running the scripts, and the scripts do not persist across reboots, so you will have to re-run the scripts every boot.

At this point in time, the battery life is pretty bad, as the necessary optimizations have not been added to the image. The phone gets very warm, and the battery lasts for a few hours, but will not last the whole day. If you plan to bring your PinePhone around with you, remember to bring a power bank!

PostMarketOS

PostMarketOS is probably my favourite of the OSs currently available, as it runs all the full desktop programs natively. That being said, more things seem broken on PMOS than on UBPorts and the DEs available are still in pretty early development.

Plasma Mobile on PostmarketOS

Plasma mobile is the DE I am most excited for. It is very fast paced in terms of development and it looks really awesome.

Phosh on PostmarketOS

Phosh, short for ‘Phone Shell’ is a shell based on Gnome created by Purism intended for use on their Librem 5 phone. It seems to work quite nicely, but I found that in some apps the keys were mapped incorrectly, and often the apps would not fit on the screen. A simple workaround for this is to rotate the screen to landscape mode.

Debian

The last Debian image which I tried, loaded with Phosh, seemed to work slightly better than Phosh on PostmarketOS. The battery drain is still an issue and the UI crashed a lot, but more apps seemed to fit the screen in portrait mode and I found myself switching to Landscape mode much less often. The Debian image seemed to have the modem working nicely and I was able to receive and send phone calls without running any scripts which was a nice thing to see. As far as I can tell, SMS doesn’t seem to work at all.

Fedora

The Fedora experience was very similar to Debian, as they were both running Phosh and must have had similar patches.

In conclusion, the PinePhone seems to be coming along quite nicely and I suspect that in 3 or 4 months I will have my SIM card in it and carry it around every day. That is, if we are out of lockdown by then.

-Joe.

PostmarketOS on the Mozilla Flame (t2m-flame)

One of my friends was fortunate enough to get his hands on two Mozilla Flame devices some years ago and gifted one to me just recently. These were devices originally intended for developers and early adopters of the now obsolete Firefox OS (codenamed b2g, or boot to gecko), an operating system using base Android tools such as ADB and Fastboot, but instead of booting to Android, booted to an interface on top of Gecko, Firefox’s web engine. Although Firefox OS has been discontinued, the source code lives on in the emerging KaiOS, which is an OS for non-touchscreen mobile phones aimed at providing internet and mobile phone access to millions of people who wouldn’t otherwise have it.

PostmarketOS is an Alpine Linux based operating system for phones which aims to achieve a whopping 10 years of updates to every phone it supports once it is stable (at the time of writing it is in pre-alpha). As luck has it, the Mozilla Flame is supported by PostmarketOS! However, as I found out, it is not as straightforward as that. The port for the Flame is quite old, from before PmOS supported Armv7, so it is designed around ArmHF. The problem with this is that modern interfaces like KDE’s Plasma Mobile and Purism’s Phosh don’t support ArmHF, so I had to make some modifications to the port. As this is a tutorial, I will show you how to set up the environment and make these changes, although I will warn you that most things don’t work and all it does is boot and allow SSH access in its current state. Please refer to https://wiki.postmarketos.org/wiki/Mozilla_Flame_(t2m-flame) as well, as there is a lot of useful information there.

What you’ll need

  • Root access to a GNU/Linux machine
  • A MicroSD card larger than 4GB
  • A Mozilla Flame
  • Fastboot installed on your computer

How to do it

The first thing you’ll want to do is grab the source code of pmbootstrap, PostmarketOS’s bootstrap tool.

git clone https://gitlab.com/postmarketos/pmbootstrap
cd pmbootstrap

Now you’ll want to run the init script, just to download the device configs and stuff

./pmbootstrap.py init

However, once it asks you to select a device exit it by pressing ctrl+c, because we don’t want it to set everything up with armhf instead of armv7.

Now what we want to do is edit some files to tell the build scripts to compile for armv7 instead of armhf.

nano aports/device/device-t2m-flame/APKBUILD

This will open a text editor (nano) which will allow you to edit the APKBUILD instructions for the device. What you’ll want to do is change line 6 from arch="armhf" to arch="armv7". Next we will change the device info.

nano aports/device/device-t2m-flame/deviceinfo

Navigate your way to line number 16, and change deviceinfo_arch="armhf" to deviceinfo_arch="armv7". We are not done yet though, as we still have to change the APKBUILDs for the kernel and the firmware.

nano aports/device/linux-t2m-flame/APKBUILD

On line 25, once again change arch="armhf" to arch="armv7"

nano aports/firmware/firmware-t2m-flame/APKBUILD

And on line 6, change arch="armhf" to arch="armv7"
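
The four edits above as one script, matching the arch assignment itself rather than a line number, since the line numbers only hold for the version of the port used here. This is an added example, not part of the original post or of pmbootstrap; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: retarget the t2m-flame port from armhf to armv7 by matching
# the assignment lines themselves, so it still works if line numbers drift.

# The four files named in the steps above, relative to the pmbootstrap checkout.
FLAME_FILES='aports/device/device-t2m-flame/APKBUILD
aports/device/device-t2m-flame/deviceinfo
aports/device/linux-t2m-flame/APKBUILD
aports/firmware/firmware-t2m-flame/APKBUILD'

# retarget_flame ROOT
# Returns 0 only if every file ends up with exactly one armv7 arch assignment.
retarget_flame() {
    root=$1
    status=0
    pat='^(deviceinfo_)?arch="armv7"$'
    for rel in $FLAME_FILES; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "missing: $rel" >&2
            status=1
            continue
        fi
        tmp=$(mktemp) || return 1
        # Whole-line matches only: comments that mention armhf are untouched.
        sed -e 's/^arch="armhf"$/arch="armv7"/' \
            -e 's/^deviceinfo_arch="armhf"$/deviceinfo_arch="armv7"/' \
            "$f" > "$tmp" && cat "$tmp" > "$f"
        rm -f "$tmp"
        count=$(grep -Ec "$pat" "$f" || true)
        if [ "$count" -eq 1 ]; then
            echo "ok: $rel line $(grep -En "$pat" "$f" | cut -d: -f1)"
        else
            # Nothing matched (or too much did): the port has changed, edit by hand.
            echo "check by hand: $rel has $count armv7 arch lines" >&2
            status=1
        fi
    done
    return "$status"
}

# make_sample_tree ROOT
# Constructed stand-ins for the real aports files, with the arch line
# deliberately not on the line numbers quoted in the steps above.
make_sample_tree() {
    for rel in $FLAME_FILES; do
        mkdir -p "$1/${rel%/*}"
        case $rel in
            */deviceinfo) key=deviceinfo_arch ;;
            *) key=arch ;;
        esac
        printf '# constructed sample, was armhf-only\npkgname=sample\n%s="armhf"\n' \
            "$key" > "$1/$rel"
    done
}

# Demo on a throwaway tree; in a real checkout run: retarget_flame .
demo=$(mktemp -d)
make_sample_tree "$demo"
retarget_flame "$demo"
rm -rf "$demo"
```

A non-zero exit means at least one file did not contain the expected assignment and should be inspected before running pmbootstrap init again.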

Now we’ve finished all the changes we need to make, we can run pmbootstrap init once again, but for real this time. I would recommend not choosing to include the WiFi firmware during this, as I have had problems with it before.

Now we build the image, and flash it on to your SD card. Insert your SD into your computer and type in:

./pmbootstrap.py install --sdcard /dev/mmcblkX

but replacing the mmcblkX with the path of your sdcard. You can list the paths by typing sudo fdisk -l and looking for your SD card.

To get the phone to boot our image, we first need to flash on the postmarketos kernel we just built. Boot the device to fastboot (by holding down vol - and power at the same time) and use this command:

./pmbootstrap.py flasher flash_kernel

Now insert your SD card into your phone, reboot and you’re off. Have fun!

Managing your privacy on later Android versions

A while back, I used to use an Xposed module called XPrivacyLUA to let me precisely control (and fake) permissions to apps, which helped in cases of apps which I didn’t particularly trust (eg: Steam Chat, Instagram etc) which required permissions and had access to things on my phone I didn’t want to give them access to.

So, when I upgraded my device to LineageOS 16 (based on Android 9.0) I was quite displeased to be met with a screen on the Xposed Installer app that stated that my Android version was not supported yet — and over a year and a half later still isn’t supported so I would have to take things into my own hands and try something else.

I am rooted with Magisk, which has modules itself a bit like Xposed, but there didn’t seem to be support for XPrivacyLUA.

Then I came across TaiChi, which claims to be a replacement to Xposed, and there is a module to get it working right in the Magisk repos. Upon further looking into this, I found that there is a modified version of XPrivacyLUA in their module repository on their website, and so I installed it right away.

One thing to note is that right away, TaiChi seems to default to non-system-wide mode where it cannot interact with other apps the way Xposed does, but this can be changed (as long as you have the TaiChi Magisk module) in the settings section of the TaiChi app. Also, you will have to press the button in TaiChi to enable it in the “manage modules” section, then reboot.

Now, you will be able to open the XPrivacyLUA app you installed from the TaiChi repos, and tap on apps you want to restrict the permissions of (although beware that it does not seem to be able to fake storage access so you may want to leave this part to Android’s built in permissions manager and put up with apps pestering you for it).

Avoiding Google

It is a well known fact that Google has the ability to track your every move. From recognizing your daily work commute to collecting your DNA and selling information about your genetic diseases to life insurance companies who will in turn raise your health insurance price, there is a lot to fear, even if you have nothing to hide. In this post I will share my knowledge of small things and big things that you can do to avoid the google botnet.

Using alternative services

This is probably one of the first things that comes to mind when you think of how you can avoid google – and probably the most effective.

Gmail

Some people may have a hard time switching over to, say, ProtonMail or a self hosted email from a google service such as gmail because their gmail address is how many people may contact them, and they might find it too much effort to distribute their new email address to everyone in their contacts. One solution to this is to set up a forwarding service to forward your gmail inbox to a more privacy centered provider. You can see Google’s official page on how to do this on this link: https://support.google.com/mail/answer/10957?hl=en or avoid going to the google website and view the archived link here: http://archive.is/cXmIs.

A smaller way to ‘avoid’ gmail is to stop using the official app and instead use another email app that can connect to gmail through the standard IMAP and SMTP protocols, such as K-9 Mail. This might sound confusing but K-9 should configure this for you and you should be good to go. One thing to note is that in some cases you might be required to enable ‘less secure services’ on your google account, but do not fret! This is just one of google’s many tactics to tie you in to using their apps. IMAP and SMTP are standard, secure protocols used by almost every email provider on the planet.

YouTube

This is one of the harder ones to avoid, seeing as most creators upload to YouTube and only YouTube so competitors are often lacking in content, and most competitors fail after a few years because hosting is very expensive and not much money can be made, even if you plague the site with advertisements (see http://vid.me and http://vanillo.co, and a news article detailing YouTube’s net loss).

– Invidio.us

invidio.us is a private, ad-free way of watching YouTube. It is open source under AGPL and does not require JavaScript to view the site. There have been other attempts at achieving this before, most notably HookTube; however, HookTube relied heavily on YouTube’s API, and the API states in its terms and conditions that you cannot use it to create YouTube alternatives. This caused HookTube to essentially shut down and now it just embeds the YouTube content, meaning Google can still track you. Invidio.us gets around this by directly crawling YouTube, which does not require use of their API, but it does mean that sometimes videos fail to load. There is also an instance of invidio.us on Tor, which allows for extra privacy: http://qklhadlycap4cnod.onion/.

– Floatplane

Floatplane is a video hosting site from the popular creator Linus Tech Tips. I believe this will not fail like many others as it is backed by Linus Media Group and already has many creators on the site. They have a sustainable business model because the viewers pay a monthly subscription to see exclusive videos from creators. Because of this, it is not a complete alternative to YouTube because many YouTube users would not be willing to pay.

Search

This is arguably the easiest service to replace. Many alternative search engines exist; DuckDuckGo is a very prominent alternative and claims to respect your privacy, however the creator of DuckDuckGo was previously involved in a data analytics company so personally I don’t trust him. It is up to you to decide if he’s changed his ways. They have been caught using a notorious tracking method ‘Tracking Pixels‘. It is also in US jurisdiction and does not have a warrant canary so I assume that they are being forced to share information with the US government.

Some good search engines to use are: Qwant, a search engine in French jurisdiction which claims not to track you; and StartPage, a search engine that returns Google search results without compromising privacy. StartPage are in EU jurisdiction.

Google Chrome

Chrome is the dominating web browser, with 65% market share. Like many other Google products they track your every move. Chrome’s tactics can be explained in the infographic below

Obviously, Firefox looks to be a good alternative at first glance, but when you look into Mozilla they don’t appear to be much better than Google. More details can be found here: https://spyware.neocities.org/articles/firefox.html and here https://digdeeper.neocities.org/ghost/mozilla.html.

Personally I use GNU IceCat, which is a fork of Firefox ESR but with spyware disabled and some privacy-enabling addons, although I do recommend disabling the ‘Third Party Request Blocker’ and ‘LibreJS’ extensions as they tend to break most websites. Another option is to use LibreFox which is a set of files you put in Firefox’s installation directory which disables Mozilla’s spying, and because it is not a fork you can keep Firefox up to date, meaning you will always get the latest bug-fixes and security mitigations.

Installing Haiku

Back in the 90’s there was a company called Be Inc, who created a relatively small operating system known as BeOS. The operating system was partially POSIX compliant, in that it had support for Bash and a few UNIX programs could be ported. BeOS was known for its error messages written in haikus, which added a quirky humanness to the OS that many other popular operating systems at the time lacked. In 2001, however, Be Inc went out of business and the development of BeOS was discontinued. This is where Haiku comes in: Haiku was created by a bunch of developers that wanted to re-implement BeOS in an entirely open source operating system. It had been in alpha (early, unstable development) up until November of 2018 when they released the first beta (more stable and could be used as a daily use OS), so I decided to give Haiku a shot.

Getting the images

Haiku OS is available from their website over at https://haiku-os.org. Download the 64 bit image (unless you have a 32 bit computer, which chances are you don’t) and extract it using your archive manager of choice.

Downloading…
the tar.gz file open in Ark

Creating the Live USB

USB in my ThinkPad

You can burn the image to a USB in a multitude of different ways. There are easy ways such as etcher, and more lightweight, efficient options such as dd. It is entirely up to you how you do it so I went with dd.

installing Haiku to a USB using dd

Once you are done, boot to your freshly burned USB!

Testing out Haiku OS

Using Haiku is relatively straight forward. You can install it using the user-friendly ‘installer’ program, you can install programs using the package manager ‘HaikuDepot’, and you can browse the internet using Haiku’s exclusive lightweight web browser ‘WebPositive’, although be aware that this browser does not have an adblocker so you may want to install a more advanced browser such as Otter Browser (which has a Haiku port). Have fun!

My website open on WebPositive on Haiku

Ricing (customising) Haiku

Using Haiku’s built-in theme engine, I was able to take control of how Haiku looks. Unfortunately, the theme engine is not as robust as something like XFCE or Plasma, however I was able to cobble together a makeshift dark theme and make it feel slightly more modern. I did notice, however, that changing the colours updates the theme for Qt applications, but I was not able to install any pre-existing Qt themes.

Haiku running my makeshift dark theme

The File System

Strangely, Haiku doesn’t follow the file system scheme that Mac, the BSDs and GNU/Linux all have in common. These operating systems tend to have (with a little variation between distros) /usr, /home, /var, /etc and so on… Haiku does things differently by having some of the same folders (namely /bin, /etc and /var) but most of the files are in a folder that does not exist on unix-like OSes: /system.

/system contains a folder called ‘apps’ where the applications you install will go (kind of like /usr/share, or /Applications on a Macintosh). It also contains your home folder, and because Haiku is single-user only, it is the only home folder, so your home folder is literally just /boot/home (originally written here as /system/home/; corrected by a commenter). Other things /system includes are: the kernel (which is not Linux), preferences (instead of them clogging up your home folder with dotfiles) and sources (Haiku keeps a copy of its source code for licensing purposes, but this is not present in nightly builds).

Necessary Tweaks

Haiku does come with some strange settings which make it harder to transfer to from most other OSes, for instance all the keyboard shortcuts are different.

To change the keyboard shortcuts back to what is familiar, go to the menu (the feather icon) -> Preferences -> Keymap -> Switch shortcut keys to Windows/Linux mode (notice how that mistook Linux, which is a kernel, for GNU/Linux, which is an OS). Now your shortcuts should be easier and things like Alt+Tab work. Alt+F4 doesn’t seem to work though, maybe this will be fixed in a future release.

Haiku Keyboard Settings

Refurbishing Old ThinkPads (T43 and T23)

A couple of weeks ago, I managed to win an auction of two ThinkPads, the T43 and T23 for the humble price of £36.

A friend offered to buy the T23 from me so we could restore them and install some lightweight OS such as Haiku or ReactOS.

Part One: Replacing the CMOS batteries

The first thing we did was power on the ThinkPads, to which we were greeted with a screen telling us that the time and date were wrong, on both of them! This could only mean one thing – the CMOS battery was dead.

At the time we did not have any laptop CMOS batteries at hand, so we set off to Waitrose to buy some CR2032 coin cell batteries. The problem is, the coin cells needed to be wrapped in shrink wrap to connect the pins that connect to the connector.

Luckily, my friend had some shrink wrap and a lighter, all we needed to do was heat the wrap to fit around the new battery – couldn’t be too hard, right?

Yeah, no. We accidentally melted the connector on the end of the wire just enough to prevent it from fitting in to the motherboard. fuck.

Fortunately for us, eBay has our ass covered and I was able to order new CMOS batteries.

Part Two: Solving Thermal Issue

It is a well known fact that you must replace thermal paste every 2-3 years to prevent overheating. From what I could see from opening the ThinkPads, it had not been replaced once. In over fifteen years. Because of this, turning them on resulted in them attempting to take off on the next unmanned mission in to orbit.

After repasting them and blowing out the T43’s fans (it was VERY dusty and was probably kept in a cupboard for the majority of its previous life, poor thing) the thermal issues were pretty much solved.

Part Three: Installing a Modern OS with a Lightweight Footprint

I have not done this yet as I am waiting for my power supply, but I intend to install Haiku OS 32 bit on my ThinkPad T43, as it seems to run some applications and is still updated.