Slow and Steady Builds a Server

Good Morning from my Robotics Lab! This is Shadow_8472 and today I am continuing the grind on my Rocky Linux server running on my ButtonMash workstation. Let’s get started!

Quality of Life

I’ve had a single-focus mindset of getting Bitwarden/Vaultwarden working, but I’ve overlooked an important aspect of running a reliable server. One evening, any new connections to ButtonMash were failing. When I investigated the next day, the system was on and the network was connected, but when I logged in to console and pulled up the address with ip a, I found the router had incremented the IP by 1.

The task of setting up static IPs is not alien to me. On some systems, I’ve even edited config files by hand. Cockpit has a Networking tab, though. From there, I was able to quickly worm my way into the correct network interface and configure a static IPv4 address back to where it belongs. Cockpit tried to reestablish its connection with the new configuration and predictably failed. I had to make the change permanent with a follow-up prompt.

Container Isolation

One of the draws of Podman over Docker is rootless containers. In the unlikely event someone hacks into Vaultwarden’s container and breaks out into the host system, he won’t be able to do as much damage if he finds himself in a non-root account, and even less if that account has no sudo privileges.

With that, I added a dedicated user for running Vaultwarden with sudo useradd vaultwardenUsr and locked it with sudo usermod -L vaultwardenUsr to block any normal login attempts. sudo su vaultwardenUsr will still let me Substitute User into the account. And of course, the tools to do all that are also under Cockpit’s Accounts tab.
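As an added example (not code from the original post), here is a check that the dedicated account really ended up the way the paragraph above wants it: password-locked and outside any sudo-granting group. It relies on the fact that usermod -L works by prefixing the account’s hash in /etc/shadow with “!”, so that prefix is what it looks for. The shadow and group lines are constructed samples with placeholder hashes; on a real host you would read /etc/shadow (as root) and /etc/group instead. Which groups count as administrative (wheel on Rocky, sudo on Debian) is an assumption you would adjust for your system.

```python
"""Verify a locked, non-admin service account from /etc/shadow and /etc/group data.

Added example, not from the original post.  usermod -L prefixes the shadow
password field with "!", and a freshly created account with no password
carries "!!"; both mean no password login is possible.
"""
from typing import Dict, List

# Assumption: the groups that grant sudo on the host (wheel on Rocky, sudo on Debian).
ADMIN_GROUPS = {"wheel", "sudo"}

# Constructed sample of /etc/shadow; the hashes are placeholders, not real ones.
SAMPLE_SHADOW = """\
root:$6$PLACEHOLDER:19000:0:99999:7:::
shadow8472:$6$PLACEHOLDER:19000:0:99999:7:::
vaultwardenUsr:!:19000:0:99999:7:::
nopass:!!:19000:0:99999:7:::
"""

# Constructed sample of /etc/group.
SAMPLE_GROUP = """\
root:x:0:
wheel:x:10:shadow8472
vaultwardenUsr:x:1001:
"""


def password_locked(name: str, shadow_text: str) -> bool:
    """True if the account's shadow password field starts with "!" (locked or never set)."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == name:
            return fields[1].startswith("!")
    raise KeyError(f"no shadow entry for {name}")


def admin_groups_of(name: str, group_text: str) -> List[str]:
    """Admin groups that list the account as a supplementary member.

    Note: this only looks at /etc/group membership lists; a primary group set in
    /etc/passwd is not checked, so keep the service account's primary group private.
    """
    hits: List[str] = []
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        if fields[0] in ADMIN_GROUPS and name in members:
            hits.append(fields[0])
    return hits


def service_account_report(name: str, shadow_text: str, group_text: str) -> Dict[str, object]:
    """Summarise the two properties the post cares about for a service account."""
    return {
        "password_locked": password_locked(name, shadow_text),
        "admin_groups": admin_groups_of(name, group_text),
    }


if __name__ == "__main__":
    for user in ("vaultwardenUsr", "shadow8472"):
        print(user, service_account_report(user, SAMPLE_SHADOW, SAMPLE_GROUP))
```

Run against the real files with something like `sudo cat /etc/shadow` piped into the function; the report for the Vaultwarden account should come back locked with an empty admin-group list, while your own login shows the opposite.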

From within my dedicated Vaultwarden container user, I looked for the two containers listed by the plugin, but found nothing. From my background research, I should have put together that containers are owned by users like any normal file. The two images the plugin listed with the owner “system” were actually owned and operated by root, as confirmed by a test where I stepped back from Administrative access and downloaded a new container image. Novel as it is, the plugin won’t be of much help for my use case unless Cockpit lets me access it without a password.

Bringing Vaultwarden Online

```shell
podman run -d --name vaultwarden -v /home/vaultwardenUsr/vw-data/:/data/:Z -p 44300:443 vaultwarden/server:latest
```

This is a long, complex command that took me a while to puzzle into working order.

podman run

This is the base command. I used it to go from a container image to a running container.

-d

“Detach” runs containers in the background.

--name vaultwarden

By default, containers are given random pronounceable names. You can just spin up multiple copies of the same image without needing to give it much thought. Here, it’s best to have something descriptive.

-v /home/[username]/vw-data/:/data/:Z

“Volume” mounts a directory from the host into a directory in the container. This is where I deviate farthest from most Vaultwarden guides. First of all, the Docker installation assumes you’ll be mounting the directory /vw-data/ directly from the root of your file system. However, that location is off limits without elevated privileges, so the data needs a place in the user’s home directory, and the flag needs the full path to it.

The other issue I solved involves the :Z at the end. At one point, I seemingly had everything else sorted, but when I ran **podman ps** to list running containers, it kept coming back empty. My online searches for Podman and Vaultwarden kept sending me back to last week’s progress report of a post, but I eventually located a discussion on Vaultwarden’s GitHub. I didn’t do much follow-up research after I got it working, but it appears to be related to SELinux (Security-Enhanced Linux), a kernel-level security module.

-p 44300:443

“Port” forwards ports from the host machine to individual containers: host on the left and container on the right. The recommended behavior (with Docker in mind) is to forward port 80 (HTTP), but I’d rather use HTTPS on port 443. Additionally, ports 0-1023 are reserved for system use, so I added a couple of zeros on the host end.

vaultwarden/server:latest

With all the flags out of the way, this is the image the container is created from.
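The three things the flag walkthrough above had to sort out (a data directory under the user’s home rather than at the root of the filesystem, the :Z relabel option for SELinux, and a host port above the privileged range) are exactly the things that silently break a rootless podman run. As an added example that is not part of the original post, here is a small linter that checks a command line for those three pitfalls before you run it. It assumes the home directory and the unprivileged port floor are passed in as parameters (1024 is the Linux default, net.ipv4.ip_unprivileged_port_start), so it runs on any machine; the list of options that take a value is partial and is my own assumption, sized for the command in the post.

```python
"""Lint a rootless `podman run` command line for the pitfalls described above.

Added example, not from the original post.  Checks:
  * a bind-mounted host path must sit under the running user's home;
  * each volume needs an SELinux relabel option (:Z or :z);
  * the host side of -p must be at or above the unprivileged port floor.
"""
import shlex
from typing import List

# Assumption: options that consume the following argument.  Anything else
# starting with "-" is treated as a bare flag such as -d.  Partial list.
VALUE_OPTIONS = {"--name", "-e", "--env", "--network", "--net", "-u", "--user",
                 "-h", "--hostname", "-w", "--workdir", "--entrypoint"}


def lint_rootless_podman_run(cmd: str, home: str,
                             unprivileged_port_start: int = 1024) -> List[str]:
    """Return human-readable findings for a `podman run` command; [] means clean."""
    argv = shlex.split(cmd)
    if argv[:2] != ["podman", "run"]:
        return ["not a `podman run` command line"]
    home = home.rstrip("/") + "/"
    findings: List[str] = []
    i = 2
    while i < len(argv):
        arg = argv[i]
        if arg in ("-v", "--volume"):
            spec = argv[i + 1]
            i += 2
            parts = spec.split(":")          # host:container[:options]
            host_path = parts[0]
            options = parts[2].split(",") if len(parts) > 2 else []
            if host_path.startswith("/") and not host_path.startswith(home):
                findings.append(f"volume {host_path!r} is outside {home!r}: "
                                "a rootless container user normally cannot write there")
            if not ({"Z", "z"} & set(options)):
                findings.append(f"volume {spec!r} has no :Z/:z relabel option: "
                                "on an SELinux-enforcing host the container may not be able to use it")
        elif arg in ("-p", "--publish"):
            spec = argv[i + 1]
            i += 2
            parts = spec.split(":")          # cport | hport:cport | ip:hport:cport
            host_port = parts[-2] if len(parts) >= 2 else None
            if host_port and host_port.isdigit() and int(host_port) < unprivileged_port_start:
                findings.append(f"host port {host_port} is below {unprivileged_port_start}: "
                                "an unprivileged user cannot bind it")
        elif arg in VALUE_OPTIONS:
            i += 2                           # skip the option and its value
        elif arg.startswith("-"):
            i += 1                           # bare flag (-d) or --opt=value
        else:
            break                            # first non-option argument is the image
    return findings


if __name__ == "__main__":
    good = ("podman run -d --name vaultwarden -v /home/vaultwardenUsr/vw-data/:/data/:Z "
            "-p 44300:443 vaultwarden/server:latest")
    bad = ("podman run -d --name vaultwarden -v /vw-data/:/data/ "
           "-p 443:443 vaultwarden/server:latest")
    for cmd in (good, bad):
        print(cmd)
        for finding in lint_rootless_podman_run(cmd, "/home/vaultwardenUsr") or ["ok"]:
            print("  -", finding)
```

The command from the post comes back clean, while the “obvious” Docker-style version (root-level /vw-data, no :Z, host port 443) produces one finding per pitfall, which is a quicker way to find out than an empty `podman ps`.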

With the container running, all I had to do was punch a hole in the firewall, and I can now have Firefox laugh at me for a failed secure connection. During assembly, I was able to make a non-secure HTTP connection with -p 8000:80 and bring up a Bitwarden login.

The next step is to obtain a security certificate, but that’s a topic for another week…

Side Project

When I walked my father through installing Debian/LXDE on his computer, he was left with a few specialty keys on the keyboard going unresponsive, particularly the volume up, down, and mute keys. The system is usable without them, but it would be nice if these keys worked. Originally, I assumed the problem would be somewhere in Debian itself, but when I tried a search targeting LXDE instead, I knew from the search results that I had today’s side project.

As we researched, I started building a system flow chart from key press to volume adjustment. The keyboard transmits its key events to a USB receiver. The receiver communicates with some sort of keyboard driver, whether a separate module or one compiled into the Linux kernel. The kernel then passes key events to the Xorg server. From here, we used xev (X EVent) to confirm that volume key events were all making it that far.

At some point, PulseAudio takes over and tells the Linux kernel what to push to the speakers and how loud to play it. While testing, we cut off a song with pulseaudio --stop / --start and had to refresh the webpage to get it back.

I personally think we’ll find the problem either within Xorg or on a direct link between Xorg and PulseAudio. In the meantime, the search continues.
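The xev step in the chain above is easy to misread by eye when events scroll past, so here is an added example (not from the original post) that parses a saved xev capture and reports which of the volume keysyms actually produced a KeyPress. The capture below is constructed to resemble xev’s KeyPress/KeyRelease records; the keysym numbers for the XF86Audio* keys are the standard X keysym values. It assumes xev was run in the foreground with its output redirected to a file (xev > keys.log), and that the keys were pressed while the xev window had focus, since xev only sees events delivered to its own window.

```python
"""Parse xev output and report which volume keysyms reached the X server.

Added example, not from the original post.  A volume key listed as missing
never produced a KeyPress in the xev window, which places the fault before
Xorg (keyboard, receiver, kernel driver, or keymap); a key that is present
pushes the search onward to the desktop's key bindings and PulseAudio.
"""
import re
from typing import List, Tuple

# Constructed sample of xev output: three key presses and one release.
SAMPLE_XEV = """\
KeyPress event, serial 37, synthetic NO, window 0x4600001,
    root 0x2ad, subw 0x0, time 12345678, (45,67), root:(100,200),
    state 0x0, keycode 123 (keysym 0x1008ff13, XF86AudioRaiseVolume), same_screen YES,
    XLookupString gives 0 bytes:
    XFilterEvent returns: False

KeyRelease event, serial 37, synthetic NO, window 0x4600001,
    root 0x2ad, subw 0x0, time 12345778, (45,67), root:(100,200),
    state 0x0, keycode 123 (keysym 0x1008ff13, XF86AudioRaiseVolume), same_screen YES,
    XLookupString gives 0 bytes:
    XFilterEvent returns: False

KeyPress event, serial 37, synthetic NO, window 0x4600001,
    root 0x2ad, subw 0x0, time 12346000, (45,67), root:(100,200),
    state 0x0, keycode 122 (keysym 0x1008ff11, XF86AudioLowerVolume), same_screen YES,
    XLookupString gives 0 bytes:
    XFilterEvent returns: False

KeyPress event, serial 37, synthetic NO, window 0x4600001,
    root 0x2ad, subw 0x0, time 12346500, (45,67), root:(100,200),
    state 0x0, keycode 38 (keysym 0x61, a), same_screen YES,
    XLookupString gives 1 bytes: (61) "a"
    XFilterEvent returns: False
"""

# The three keysyms the side project is chasing.
VOLUME_KEYSYMS = {"XF86AudioRaiseVolume", "XF86AudioLowerVolume", "XF86AudioMute"}

HEADER = re.compile(r"^(KeyPress|KeyRelease) event")
KEYSYM = re.compile(r"keycode (\d+) \(keysym 0x[0-9a-fA-F]+, ([^)]+)\)")


def parse_key_events(xev_output: str) -> List[Tuple[str, int, str]]:
    """Return (event type, keycode, keysym name) for every Key event in the capture.

    xev separates records with a blank line, so the capture is split on those
    and non-key records (Expose, FocusIn, ...) are skipped.
    """
    events: List[Tuple[str, int, str]] = []
    for record in xev_output.strip().split("\n\n"):
        head = HEADER.match(record)
        body = KEYSYM.search(record)
        if head and body:
            events.append((head.group(1), int(body.group(1)), body.group(2)))
    return events


def volume_keys_seen(xev_output: str) -> List[str]:
    """Volume keysyms that produced a KeyPress, in order of first appearance."""
    seen: List[str] = []
    for kind, _keycode, sym in parse_key_events(xev_output):
        if kind == "KeyPress" and sym in VOLUME_KEYSYMS and sym not in seen:
            seen.append(sym)
    return seen


def missing_volume_keys(xev_output: str) -> List[str]:
    """Volume keysyms that never reached the xev window during the capture."""
    return sorted(VOLUME_KEYSYMS - set(volume_keys_seen(xev_output)))


if __name__ == "__main__":
    print("seen:   ", volume_keys_seen(SAMPLE_XEV))
    print("missing:", missing_volume_keys(SAMPLE_XEV))
```

In the constructed capture only raise and lower were pressed, so mute shows up as missing; with a real capture where all three keys were pressed, an empty missing list is the evidence that the keys are making it as far as Xorg.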

Takeaway

For both of these projects, there are ready-made solutions out there we could just copy, paste, and hope for the best, but we’re trying to learn the innards of Linux, so it’s okay to take extra time.

Final Question

Have you ever had to program your keyboard events by hand?
