Did it sound cold? Because I didn’t mean that, I just meant to actually answer the question from my PoV. Just for the record, I also did not down vote you.

So yeah, use whatever footgun you prefer, I don’t judge :)

Yeah ultimately every container has it’s own veth interface, so you can do shaping using tc on those.

Edit: I had a look at docker-tc. It does what you want, BUT. Unless your use case is complex, I would really think twice about running a tool written in bash which has access to the docker socket (I.e. trivial node escape) and runs with NET_ADMIN capability.

That’s a lot of power to do something you can also do with a few lines of code executed after you start the container. Again, provided that your use case is not complex.

Cgroups have the ability to limit TCP and total network bandwidth. I don’t know from the top of my mind whether this can be configured at runtime (I.e. via docker run), but you can specifcy at runtime the cgroup parent to use. This means you can pre-create the cgroup, set the limits and start the container with that parent cgroup.

You can also run some hook script after launch that adds the PID to a cgroup every time the container is launched, or possibly use tc.

I am not aware of the ability to only limit uplink bandwidth, but I have not researched this.

I think k8s is a different beast, that requires way more domain specific knowledge besides server/Linux basic administration. I do run it, but it’s an evolution of a need, specifically when you want to manage a fleet of machines running containers.

Because the lxc way is inherently different from the docker/podman way. It’s aimed at running full systems, rather than mono process containers. It has it’s use cases, but they are not as common IMHO.

Docker can run rootless too, see https://docs.docker.com/engine/security/rootless/

I would say Docker. There is no substantial benefit in running podman, while docker is a widely adopted tool (which means more tooling in the ecosystem, easier to find answers to questions etc.). The difference is not huge tbh, and some time ago the biggest advantage for podman was being able to run rootless, while docker was stuck with a root daemon. This is not the case anymore (docker can run rootless), so I would say unless you have some specific argument to use podman, stick with docker.

I personally package the files in a scratch or distroless image and use https://github.com/static-web-server/static-web-server, which is a rust server, quite tiny. This is very similar to nginx or httpd, but the static nature of the binary removes clutter, reduces attack surface (because you can use smaller images) and reduces the size of the image.

I don’t think this is needed to implement censorship. It’s Italy, I know better than thinking something is done out of malice, when it can be the result of incompetence. I completely believe this is some idiotic implementation of what football an TV economic powers wanted. Either way, this idea that everything bad is because “old white men” is bs. We don’t even need meloni, we can use the dear iron lady as an example…class and economic positions count way more than age and gender, ultimately.

This whole thing happened while a young woman is in power. This has to do with submission to economic power, not with gender and age.

Our starting point for design is longevity, which means making our devices more repairable, a very different approach to the electronics industry standard. To support maximum longevity and because of the IP rating, Fairphone 4 does not feature a headphone jack. In the end, it comes down to how we make a product that lasts for at least five years. We needed to eliminate as many vulnerabilities as possible, and the headphone jack is subject to dust and water ingress over time.

Again, you might disagree, you might know better, I don’t know. But this is their motivation when it comes to longevity and hence sustainability. To me, it seems a reasonable idea: if the jack helps reducing the consumption of batteries in headphones but decreases the lifespan of the phones, it seems a bad tradeoff.

They have literally an explanation for this on their website. You might disagree, but saying “it makes no sense”…makes no sense.

Also, they discontinued the earbuds and still no jack on FP5, so the idea that “they wanted to sell their own buds” doesn’t seem to be likely.