So oddly tier iii is just tier 2. Most places don’t have a tier 2.
1 years experience as sysadmin is great. Here’s the neat little trick no one tells you: what you say your job is on your resume should reflect WHAT YOU DO. Not the title of what you were hired for
Are you doing dev ops at a small outfit as a support engineer? Your resume should not say “support engineer.” It should say what your tasks reflect to the market. Not what some dude said your position is.
I’m sure the job postings will say, but many dev ops roles are looking for someone with senior experience. Like 8-10 years or the resume is ignored.
Id say the way to beat this is look for tier iii roles for folks that don’t know what they need is dev ops. Explain the value of what you want to do as a sysadmin to bring value. Then just write dev ops on your resume when you wind up doing dev ops.
Holy fucking pretentious douche, batman! Catch my block list.
100% building a home lab and being able to talk about it openly, from memory, in your own words, from experience, is invaluable for interviews.
I might update this. I might not. I have a lot to say but In out drinking.
All I will say now is save this list. You’ll look back at it in 5 years and wonder what half of those things are.
…
Okay a bit more from the bar:
If you want dev sec ops, grafana, elk, build dashboards, get your agents setup in your fleet, get it all secure locally. That alone will impress any interviewer who knows anything.
Dev ops specifically? Focus on building a local GitLab instance. Use grafana to monitor it. Run some app that has a busy db. Grafana dashboards on that. Oh my goodness, what a HOG you are GitLab! Tune it for your env. Purposely misconfigure something to watch, idk, the RAM keep growing because you didn’t setup redis or some shit.
The sea is vast. You’re hungry. Employers will see that once you land interviews.
If you want a ton of dev sec ops ideas, I am a good sounding board. Regular dev ops isn’t my daily grind so I know a bit less. What I do know is if you’re not ready to rebuild a multi node cluster some night after hours, you’re not quite a boss (doesn’t mean you’re not ready). So, emulate that nightmare.
Back to drinking 🍻
Edit: double check your *arr ideas bc afaik most of those were abandoned after a few major vulns were uncovered. That was months ago so that may be old hat.
Woah, soulseek
I haven’t used soulseek in literally 20 years… Is it still a relevant place to get music?
This is a crippling reality.
Whenever I explain anything I am constantly evaluating how in depth any given node must be expanded for my audience.
Came here to ask if this was some OCaml joke I didn’t get
My current uptime has survived 2 power outages that lasted about 10 minutes each.
Thanks! I hope it helped.
I’m actually literally in the process of reaching out to my old Computability and Complexity professor who is now cs chair and cyber security lead for my alma mater. Wanna pitch him some ideas for me doing an adjunct in a cyber warfare lab 🤓
If it’s a Linux box, everything over 1023 just needs root.
For Debian flavors,
/proc/sys/net/ipv4/ip_local_port_range
At least for those I use. Idk for rhel etc.
I can check my boxes with system ctl:
sysctl net.ipv4.ip_local_port_range
And tested on a VM, this wide s your ephemeral range:
sysctl -w net.ipv4.ip_local_port_range=“1024 65535”
Manage persistence in /etc/sysctl.conf
I’ll be honest here, I asked Claude for the windows equiv of that. I haven’t tested. Proceed with caution:
To check:
netsh int ipv4 show dynamicport tcp
To expand ephemeral range:
netsh int ipv4 set dynamicport tcp start=10000 num=55535
Syntax makes enough sense to me, but I repeat I have not vetted this.
HOWEVER,
all moot. You have 65k ports PER CONNECTION, holmes. Sorry I’m drunk now my tones changes and typos = more :)
So you at 10.0.0.1 connect to Google at 8.8.8.8 and cloudflare at 1.1.1.1, you can use 130k connections between the two. So this isn’t as useful as you may think you need it to be (idk what you’re doing lol, load balancer?)
If you’re churning through tons of short connections, you can “run out” of ports even though you have plenty… they’re all just cooling down.
net.ipv4.tcp_tw_reuse=1
lets the kernel grab them sooner.
Claude says Windows would be
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\TcpTimedWaitDelay
That’s a registry change. Proceed with extreme caution. Use a VM or throw away machine. I have absolutely not vetted the windows version here and registry edits are inherently dangerous. I usually yell at an AI that tells me to use regedit. Probably don’t do this unless the system is backed up and those backups are tested.
Hope this helps your crazy load balancer or whatever :)
Welcome to foggy’s IP, ports, and containers lesson, take a shot of espresso, we’re going in!
special IP addresses:
127.0.0.1 - “This same machine.” Talking to yourself. Also written as localhost.
192.168.x.x - private home network range. What your router hands out to your devices. Not routable on the internet. 10.x.x.x - another private range. Bigger, used by businesses and some routers. Same idea as 192.168.
172.16.x.x to 172.31.x.x - the third private range. Docker likes this one for its internal container networks.
0.0.0.0 - “all interfaces” or “any address.” When a service binds to this, it means “listen on every network this machine is connected to.” Also sometimes means “no specific address” depending on context.
255.255.255.255 - brosdcast. “Everyone on this network.” Rarely something you’ll type, but you’ll see it.
169.254.x.x - link-local. What your machine assigns itself when it wanted a DHCP address from the router but didn’t get one. If you see this, something’s wrong with your network.
Port talk:
Ports 0-1023: well-known ports. Reserved for standard services. On Linux you need root to bind to these. The ones you’ll actually see:
Ports 1024-49151: registered ports. Assigned to specific apps by convention. A sampling:
Nothing enforces these: they’re just conventions. You could run Jellyfin on port 7777 if you wanted.
Ports 49152–65535: ephemeral ports. A neato part:
When you connect to a servers port 443, for example, your machine connects to the server’s port 443, but it also needs a port on your end for the server to send replies back to. Your OS grabs a random unused port from this high range, uses it for that one connection, and releases it when done. Thus, ‘ephemeral’
Containers? Sure:
A container is a program packaged in a bubble. It’s basically a VM without the machine part. Let’s say you wanna run Jellyfin AND Plex. Let’s say tomorrow there’s a brand new video file format and Jellyfin supports it and Plex doesn’t. Jellyfin needs to use some new version of ffmpeg that Plex cannot use. The solution? Containers.
Each program is containered with what it needs to run happily. Nothing more. Your machine does the rest.
I didn’t have too much coffee, you had too much coffee.
IP address: a machine’s address on a network. Like a street address.
Port: a numbered door on that machine. The IP gets you to the building; the port gets you to the right room. Different programs listen on different ports.
DNS: the phonebook. Maps friendly names like example.com to IPs so you don’t have to memorize numbers.
Router: the doorman between your home and the internet. Stuff inside can reach out; nothing gets in unless you tell it to.
Container: a sandboxed mini-computer running on your machine. Isolated by default. You map a host port to a container port to let traffic in.
Reverse proxy: a switchboard. One program that takes all incoming traffic and routes it to the right service based on the hostname.
Ah sneaky. You added a question.
The answer to is there somewhere you can learn about this? Yes and no. You will ultimately learn by doing for this stuff.
Comptia network+ study guides will have all this knowledge and more.
If you’re all in, Hack The Box is a freemium platform (think codecademy but less hand-holdy) that isn’t designed to teach you this, but will absolutely teach you this in the process. It is a platform for offensive and defensive cybersecurity. These things are covered as afterthoughts in bigger pictures, but it will (at least for folks who learn by doing) force you to familiarize yourself with it implicitly.
Otherwise as far as IPs and ports and containers, I can tell you all you need to know, because it ain’t much. It feels confusing/overwhelming at first but everything individual slice of this stuff is pretty simple. It’s just an absurd amount of knowledge. Just take baby steps and learn what you need to know to get done what you seek.
To your first questions, well need to untangle a few thoughts wrapped into that.
Right now, http://your-server-ip:8096/ is plain HTTP. On your home network that’s usually fine. Over the internet, you’d want HTTPS so passwords and stream data aren’t sent in the clear.
Just opening a port on Docker only exposes it to your local network. It’s not on the public internet unless you also forward the port on your router. So by default, only devices on your network can reach it.
From there is it secure? That’s on Jellyfin. Using strong passwords and trusting Jellyfin is secure is as good as you can do here.
The reverse proxy is where you handle the https, and where you go from domain.com:8096 to jelly.domain.com
If using caddy for example, that looks like this somewhere in your caddyfile
reverse_proxy localhost:8096
}
Your reverse proxy sits in front of your containers and routes traffic by hostname. You tell it: “when someone visits jellyfin.yourdomain.com, send them to the Jellyfin container on port 8096.”
The other pieces you’ll need:
DNS pointing jellyfin.yourdomain.com at your server’s IP (public IP if accessing from outside, local IP if just at home) A TLS certificate so HTTPS works, Let’s Encrypt is free, and Caddy gets them automatically with zero config (Nginx and Traefik can too, just more setup).
Also rputer port forwarding on 80 and 443 to make it accessible outside the house.
The last part there is the actual risky part. When you put a service on the open internet, bots from everywhere will find it instantly and begin running scripts to try to find a way in. With only this setup, again, the insecurity is Jellyfin. When an exploit drops, you need to be updated ASAP to stay on top of your security.
There are tons of ways to make this more secure. The easiest way would be tailscale/(wireguard). You basically install tailscale on every device that will connect to your server instead of opening your routers port. It keeps your device off the open internet but allows devices all on its tailscale VPN connect to it with the domain you setup.
You can achieve something similar using cloudflare tunnels. Your server runs a daemon that reaches out to cloudflare and it’s served to the internet that way, friends access via normal URL, no extra download required.
Lastly the best but cost prohibitive option is to do it through a VPS. A virtual private server does what cloudflare does, basically, but you control it. If the money is not prohibitive, I strongly recommend this. When cloudflare goes down again (and it will go down again), you won’t be beholden to their infrastructure being online to access your server.
Happy to clarify anything here. I wrote this response in 3 parts and rereading it it feels a little disjointed lol
Docker containers are isolated by default… nothing on the outside can reach them unless you say so. You open the door with a port mapping
In your compose file:
ports:
- ‘8096:8096’
Read this as HOST:CONTAINER. It says: “when something hits my server on port 8096, forward it to port 8096 inside the Jellyfin container.”
So once it’s running, you go to http://your-server-ip:8096/ in a browser and you’re talking to Jellyfin. The container is still isolated you’ve just opened one specific door to access it.
I just found my todo list and half of it is irrelevant and half of it is done.
I even had a work todo list for my old job lol.
Yep.
It’s like they wanna get bought to compete with GitHub or something.
They’re moving fast and breaking things. And bloating their product in the process. In the last 24 months they paid over $1M to a single bug bounty hunter who basically took them to the cleaners.
But totally agree. It’s the best UX, best product for home lab or even small enterprise use if you’ve got someone to get it tuned appropriately.
While I agree, out of the box the configs ARE NOT for home lab use.
I mean if it describes what you do accurately then they won’t be able to say much other than yes.