Linux on Dark Kernel

DIY Containers: Building a Lightweight Container System from Scratch on Linux

Wed, 23 Apr 2025 00:00:00 +0000

In today’s cloud-native world, containers have revolutionized how we deploy and manage applications. While Docker and Kubernetes dominate the landscape, understanding what’s happening under the hood can be valuable. This blog post will guide you through building a minimalist container system from scratch using Linux’s namespaces and other kernel features.

What Are Containers, Really?

At their core, containers are just processes running with isolation features provided by the Linux kernel. Unlike virtual machines, containers don’t need a separate OS kernel - they share the host’s kernel while maintaining isolation through several key technologies:

Namespaces: Provide isolation for system resources
Control Groups (cgroups): Limit and account for resource usage
Chroot: Change the root directory for a process
Mount Points: Control what filesystems are visible

Before we begin

Before jumping to the code, you need a filesystem for your container. You can create one from a base distribution:

# Create a directory for your rootfs
mkdir -p mycontainer/rootfs

# Use debootstrap to create a minimal Debian system
sudo debootstrap --variant=minbase bullseye containers/mycontainerr/rootfs

# OR Download the Arch Linux rootfs
curl -O https://mirrors.edge.kernel.org/archlinux/iso/latest/archlinux-bootstrap-x86_64.tar.zst
sudo tar xf archlinux-bootstrap-x86_64.tar.zst -C mycontainer/rootfs --strip-components=1 

# OR Alpine (Lightweight)
wget https://dl-cdn.alpinelinux.org/alpine/v3.14/releases/x86_64/alpine-minirootfs-3.14.0-x86_64.tar.gz
tar -xzf alpine-minirootfs-3.14.0-x86_64.tar.gz -C containers/mycontainerr/rootfs

The rootfs is a directory containing the root filesystem of our container. It contains the necessary files and directories to run a basic system.

Let’s begin

We’ll start with the necessary includes and definitions, yes we are doing it in c :)

#define _GNU_SOURCE
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/mount.h>
#include <sys/wait.h>
#include <string.h>
#include <signal.h>
#include <sys/types.h>
#include <sys/stat.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

char *child_args[] = { "/bin/sh", NULL };

These includes provide access to necessary system calls for creating our container. We also define a stack size for our container process and set up the default command to run inside our container (/bin/sh). If you know docker that last line should be familiar to you.

Creating the Container Process

Next, we need to define what happens inside our container. The child_main function will be executed inside the container namespace:

int child_main(void *arg) {
    // Set container hostname
    sethostname("minicontainer", 10);
    
    // ... more container setup to come
    
    return 1;
}

Setting the Hostname

The first step in our container setup is to set a hostname. This is important because it helps identify the container environment:

sethostname("minicontainer", 10);

This sets the hostname to “container” with a maximum length of 10 characters. The hostname is isolated because we’re using the CLONE_NEWUTS namespace flag when creating the container.

Changing Root Directory

Now, we need to isolate the filesystem by changing the root directory using chroot():

if (chroot("/path/to/mycontainer/rootfs") != 0 || chdir("/") != 0) {
    perror("chroot/chdir");
    return 1;
}

This changes the root directory to “/path/to/mycontainer/rootfs” and let us in there. After changing the root, we also change the current directory to the new root with chdir("/"). If you still wonder what roofs directory is then you can think it as a OS image.

Setting Up /proc Filesystem

To ensure our container has access to process information (the thing we do using ps command), we need to mount a /proc filesystem:

// Make sure /proc exists
mkdir("/proc", 0555);

// Mount /proc
if (mount("proc", "/proc", "proc", 0, "") != 0) {
    perror("mount /proc");
    return 1;
}

First, we create the /proc directory with appropriate permissions (if it doesn’t already exist). Then we mount the proc filesystem, which gives processes in the container access to information about running processes within their namespace. This namespace creates the isolation.

Executing the Container Command

Finally, we execute the command that will run inside our container:

// Execute shell
execv(child_args[0], child_args);
perror("exec");
return 1;

This replaces the current process with the specified command (by default, /bin/sh). If the execv call fails, we print an error and return.

Setting Up the Main Function

Now let’s look at the main function that will create our container:

int main(int argc, char *argv[]) {
    
    int flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;
    printf("Launching container...\n");

    // ... container creation code to come
    
    return 0;
}

Defining Namespace Flags

Now we define the namespace flags that will determine what isolation features our container will have, read it again:

int flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;

Each flag provides different isolation:

CLONE_NEWUTS: Isolates hostname and domain name
CLONE_NEWPID: Gives the container its own process ID namespace
CLONE_NEWNS: Creates a new mount namespace
CLONE_NEWNET: Isolates the network stack
SIGCHLD: Signal to send when child terminates

Creating the Container Process

Finally, we create the container process using the clone() system call:

pid_t pid = clone(child_main, child_stack + STACK_SIZE, flags, NULL);
if (pid < 0) {
    perror("clone");
    return 1;
}

waitpid(pid, NULL, 0);

The clone() system call creates a new process that runs the child_main function with the specified namespace flags. We pass it the stack we defined earlier and wait for the container process to finish with waitpid().

Now our container is ready to go!

c container.c


#define _GNU_SOURCE
#include <sched.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define STACK_SIZE (1024 * 1024)
static char child_stack[STACK_SIZE];

char *child_args[] = {"/bin/sh", NULL};

int child_main(void *arg) {
  // Set container hostname
  sethostname("minicontainer", 10);

  if (chroot("/home/stroky/.local/codes/Dockers/custom_container/containers/"
             "mycontainerr/rootfs") != 0 ||
      chdir("/") != 0) {
    perror("chroot/chdir");
    return 1;
  }

  mkdir("/proc", 0555);

  // Mount /proc
  if (mount("proc", "/proc", "proc", 0, "") != 0) {
    perror("mount /proc");
    return 1;
  }
  // Execute shell
  execv(child_args[0], child_args);
  perror("exec");
  return 1;

  return 1;
}

int main(int argc, char *argv[]) {

  int flags = CLONE_NEWUTS | CLONE_NEWPID | CLONE_NEWNS | CLONE_NEWNET | SIGCHLD;
  printf("Launching container...\n");
  pid_t pid = clone(child_main, child_stack + STACK_SIZE, flags, NULL);
  if (pid < 0) {
    perror("clone");
    return 1;
  }

  waitpid(pid, NULL, 0);
  return 0;
}

Building and Running the Container

Compile the code:

gcc -o container container.c

Run it:

sudo ./container

You should now be in a shell inside your container with its own isolated environment!

❯ sudo ./container
Launching container...
sh-5.2#
sh-5.2# ls
bin   dev  home  lib64	opt   root  sbin  sys  usr  version
boot  etc  lib	 mnt	proc  run   srv   tmp  var
sh-5.2#

What this container provides?

Our minimal container provides:

Process Isolation: Processes inside the container can’t see processes outside
Filesystem Isolation: The container has its own root filesystem
Hostname Isolation: The container has its own hostname
Network Isolation: The container has its own network namespace

Now, this is a minimalist implementation, but a production-grade container systems also include:

cgroup support to limit CPU and memory usage
Implementation of user namespace isolation (CLONE_NEWUSER)
Bridge network interface for container connectivity
Support for mounting volumes from the host

Conclusion

Building a container system from scratch helps in understanding what’s going on under the hood. Though our implementation is basic, it reflects the core that underlie all container systems, including Docker and containerd.

The Linux kernel provides all the building blocks we need like namespaces, chroot, and mount points - to create isolated environments for running applications.

So that’s it.

Secure Your Linux Server

Mon, 04 Dec 2023 00:00:00 +0000

Almost everyone thinks Linux is more secure, right? Well, hold your penguins, because the truth is as slippery as a buttered-up Tux sliding on ice.

Is linux actually secured?

Simple answer No. yeah, Linux is considered secure, but not straight out of the box, particularly when dealing with minimalist distributions like Arch, Gentoo, and Void Linux. Which ships with literally nothing out of the box. Not even a firewall :) Shocking, I know. In this case, Windows suddenly looks like it’s rocking a cyberpunk suit, and Linux seems to have left the house without pants.

cyberpunk windows

Yeah, your whole life was a lie :)

But wait, before you hit the panic button and decide to replace your Linux partition with Windows, there’s a plot twist. If you’re an everyday Linux user, you’re still in the safe zone. Why?

Let’s rewind to the 1990s when Windows dominated the desktop operating system market with its proprietary MS-DOS. Windows maintained this monopoly for years, making Linux a relatively secure option for normal users. Confused? Allow me to elaborate.

In this scenario, users and the operating system share the stage, but there’s a third player – hackers. With the majority using Windows, hackers found it convenient to focus on exploiting vulnerabilities in a single OS.

This led to a period where Windows users were constantly under attack.

But, and it’s a significant but, it doesn’t mean Linux lacks security; it’s simply not inherently secure out of the box. With the right configurations and additional security measures, Linux can surpass Windows security levels by a considerable margin. So, while Windows may seem like it’s dressed in cyber armor from the get-go, Linux is more of a security project waiting for customization.

But wait, this doesn’t mean Linux is just chilling in a hammock, sipping coconut water, and avoiding cyber-attacks. No, it’s like the VIP of hacking targets, especially on servers. Linux is like the hottest party spot, and hackers RSVP every day.

Well, you got the problem; but what about the solution?

Here you go

Secure your linux server.

There are plenty of ways you can secure your server but here i will mention only the important one.

1. Network Filtering

You might already heard about this thing, but most likely never tried ;)

It is nothing but securing linux in network.

For this just open your /etc/sysctl.d/local.conf

bash /etc/sysctl.d/local.conf


   
   # Turn on Source Address Verification in all interfaces to
   # prevent some spoofing attacks
   #net.ipv4.conf.default.rp_filter=1
   net.ipv4.conf.all.rp_filter=1
   
   # Ignore echo broadcast requests to prevent being part of smurf attacks
   net.ipv4.icmp_echo_ignore_broadcasts=1
   
   # Enable TCP/IP SYN cookies to protect against SYN flood attacks.
   # See http://lwn.net/Articles/277146/
   net.ipv4.tcp_syncookies=1
   
   # ipv6 settings (no autoconfiguration)
   net.ipv6.conf.default.autoconf=0
   net.ipv6.conf.default.accept_dad=0
   net.ipv6.conf.default.accept_ra=0
   net.ipv6.conf.default.accept_ra_defrtr=0
   net.ipv6.conf.default.accept_ra_rtr_pref=0
   net.ipv6.conf.default.accept_ra_pinfo=0
   net.ipv6.conf.default.accept_source_route=0
   net.ipv6.conf.default.accept_redirects=0
   net.ipv6.conf.default.forwarding=0
   net.ipv6.conf.all.autoconf=0
   net.ipv6.conf.all.accept_dad=0
   net.ipv6.conf.all.accept_ra=0
   net.ipv6.conf.all.accept_ra_defrtr=0
   net.ipv6.conf.all.accept_ra_rtr_pref=0
   net.ipv6.conf.all.accept_ra_pinfo=0
   net.ipv6.conf.all.accept_source_route=0
   net.ipv6.conf.all.accept_redirects=0
   net.ipv6.conf.all.forwarding=0

2. Secure SSH server

Edit the configuration file
```
sudo vim /etc/ssh/sshd_config
```

Toggle these options

PermitRootLogin no
X11Forwarding no
AllowUsers <your username>
PubkeyAuthentication yes
ChallengeResponseAuthentication no
Port 2202 # use random port instead of 22

Restart your sshd service.

# For systemd
sudo systemctl restart ssh.service

# For sysVinit
sudo service sshd restart

# For runit
sudo sv restart sshd

Make sure you have created your keys, then add your host system’s key to .ssh/authorized_keys file in server or use below command

ssh-copy-id -i ~/.ssh/id_rsa.pub <server ip>

3. Setup firewall

Now, here you have two choices:

Use ufw
Use Iptables directly

For UFW.

sudo apt install ufw -y

Enable it.

sudo ufw enable

4. Limit SUDO

To limit the sudo access use the sudoers file.

Edit it.

sudo vim /etc/sudoers

Add your user with privileges.

## User privilege specification

root ALL=(ALL:ALL) ALL
<user> <privileges>

5. Use SELinux

Final suggestion, it is very powerful but sometimes it’s annoying. Without learning it don’t install it on your server, or you will waste your day in figuring out why you are not able to access your nginx webserver on port 80 ;)

6. Other Tips & Tools

Stop & disable all unnecessary services, this will probably reduce the attack surface.
Enforce strict memory access controls.

After all these, you can also configure,

Security & system auditing tool - lynis
Intrusion detection system - psad
Eliminate bruteforce - fail2ban

In the end, Linux isn’t just secure; it’s a security ninja doing a moonwalk while wearing a fedora 󰱸 .

Git concepts

Sun, 13 Aug 2023 00:00:00 +0000

Git

Branching strategies
Vcs reset / revert
PR merge / branch merge
Merge vs rebase
Cherry pick
git stash

Never commit directly in master branch.

Important branches:

master: The main stable branch.
staging: For QA team, can be sent for production. Most of the time it is same as master.
develop: From where developers get codes.
feature: To add any feature.
- If passed => develop ↓
- If passed => staging ↓
- If passed => master.

Branching Strategies:

Small team strategy

Use all important branches
Create features from develop/dev branch.
- develop ↴
  
  → feature1
  
  → feature2
  
  → feature3 …
Use hot fixes whenever needed, like for small bugs, can be done by team lead.

hotfix: Fixing small bugs, like correction of spelling, no devs needed directly team lead can change it.

Big team strategy

There is change in branch name conventions like:
- master -> prd
- staging -> stg
- develop -> dev
Use JIRA like software, to manage projects. Tasks are assigned as tickets and then status is changed according to progress.
Integrate JIRA with github

Jira is Issue & project tracking system, which is used by many large scale companies.

Git Revert & Reset

git revert:

Used to revert/undo a particular commit, It creates new commit of revert, and keeps original commit history.

Example:
- Get commit id
```
git log --oneline
```
- Revert
```
git revert <commit-id>
```

Git Reset:

It is used to undo to a particular commit but, it removes all commits history after that commit. Mostly used in case like commited security credentials and want to remove it completely from commit history.

Example:
- If we have following log:
```
❯ git log --oneline
9210da8 (HEAD -> dev) added git ignore
e803737 no keys now
de7aa15 Revert "added line 2"
99c25e5 added line 2
25d7961 (master) initial commit
```
- We want to reset de7aa15, so we will have to use commitid of previous/below commit.
```
git reset 99c25e5
```
- So after 99c25e5 all commits will be deleted.

Don’t use git add ., some times it might track files which is confidential and can lead to risk.

Git Merge

Branch Merge:

Git merge is used for merging two branches.

Example,
- You have added some features in dev branch.
- It is passed by QA.
- Now to add that feature to release, you need to merge that feature in main/master/production branch.
```
# first switch to branch in which you want to merge.
git checkout master

# Then merge
git merge dev
```
- There is something called squash which is used to merge without commit history.
```
git merge dev --squash
```

Git rebase

It Adds commit history of other branch/remote in linear/sequence way while merging.

Difference:

Merge	Rebase
Only HEAD commit is maintained while merging	Full commit history is maintained while merging in sequence

Example:

While pulling we can use rebase, to reconcile divergent branch.
```
git pull origin master --rebase
```
Rebase a particular branch.
```
git rebase master
```

Cherry pick

Pick a particular commit from any branch and apply to master or any other branch. In simple words apply that particular commit to current branch.

Example:

git cherry-pick <commit-id>

Git stash

Using this your current work is stored somewhere, not commited but tracked by git which can be loaded anytime. This is something where you can store your partial changes and commit later on.

Example:

Stash
```
git stash
```
Apply stash to working dir
```
git stash pop
```
List stashs
```
git stash list
```
Apply a particular stash
```
git stash apply stash@<list-number>
```

So, that’s it.

Firefox Hardening

Sun, 30 Jul 2023 16:43:11 +0530

Using firefox?

Firefox is the best browser for linux nerds and others who want browser other than chromium, it’s being almost 2 decades of firefox and now it is filled with some craps which needs to be removed to increase the quality.

Mozilla and Google have extended their current search deal to keep Google as the default search engine provider inside the Firefox browser until at least 2023, with an estimated price tag of around $400 million to $450 million per year.

Well, today we will see some of the steps to increase the security and surfing experience of firefox.

Update the user.js profile.

. Visit about:profiles on your firefox, don’t touch any profile, create new.
click on open directory, it will open the location where that user profile exists.
create new file user.js in that directory
```
vim user.js
```

Now here the game starts,

This file is used to toggle and set multiple preferences for firefox which cannot be changed directly using firefox ui. So here we will be defining some the important user_preferences.

Increase speed.

user_pref("nglayout.initialpaint.delay", 0);
user_pref("nglayout.initialpaint.delay_in_oopif", 0);
user_pref("content.notify.interval", 100000);
user_pref("browser.startup.preXulSkeletonUI", false);

Set the browser cache limit

user_pref("browser.cache.memory.max_entry_size", 153600);

Increase tracking protections

user_pref("browser.contentblocking.category", "strict");
user_pref("urlclassifier.trackingSkipURLs", "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com");
user_pref("urlclassifier.features.socialtracking.skipURLs", "*.instagram.com, *.twitter.com, *.twimg.com");
user_pref("privacy.query_stripping.strip_list", "__hsfp __hssc __hstc __s _hsenc _openstat dclid fbclid gbraid gclid hsCtaTracking igshid mc_eid ml_subscriber ml_subscriber_hash msclkid oft_c oft_ck oft_d oft_id oft_ids oft_k oft_lk oft_sk oly_anon_id oly_enc_id rb_clickid s_cid twclid vero_conv vero_id wbraid wickedid yclid");
user_pref("browser.uitour.enabled", false);
user_pref("privacy.globalprivacycontrol.enabled", true);
user_pref("privacy.globalprivacycontrol.functionality.enabled", true);

Avoid the usage of disk cache

user_pref("browser.cache.disk.enable", false);
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true);
user_pref("browser.sessionstore.privacy_level", 2);

Disable search prefecher/predictor

user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("browser.urlbar.speculativeConnect.enabled", false);
user_pref("browser.places.speculativeConnect.enabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.predictor.enabled", false);
user_pref("network.predictor.enable-prefetch", false);

Disable annoying search suggestions like: topsites, search engines, etc.

user_pref("browser.search.separatePrivateDefault.ui.enabled", true);
user_pref("browser.urlbar.update2.engineAliasRefresh", true);
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
user_pref("security.insecure_connection_text.enabled", true);
user_pref("security.insecure_connection_text.pbmode.enabled", true);
user_pref("network.IDN_show_punycode", true);
user_pref("browser.urlbar.suggest.engines", false);
user_pref("browser.urlbar.suggest.topsites", false);

/* Adding some features */
user_pref("browser.urlbar.suggest.calculator", true);
user_pref("browser.urlbar.unitConversion.enabled", true);

Disable cross site scripting

user_pref("network.auth.subresource-http-auth-allow", 1);
user_pref("pdfjs.enableScripting", false);
user_pref("extensions.postDownloadThirdPartyPrompt", false);
user_pref("permissions.delegation.enabled", false);

Disbale accessibility and location services.

user_pref("accessibility.force_disabled", 1);
user_pref("identity.fxaccounts.enabled", false);
user_pref("browser.tabs.firefox-view", false);
user_pref("permissions.default.desktop-notification", 2);
user_pref("permissions.default.geo", 2);
user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
user_pref("geo.provider.ms-windows-location", false); // WINDOWS
user_pref("geo.provider.use_corelocation", false); // MAC
user_pref("geo.provider.use_gpsd", false); // LINUX
user_pref("geo.provider.use_geoclue", false); // LINUX
user_pref("permissions.manager.defaultsUrl", "");
user_pref("webchannel.allowObject.urlWhitelist", "");

Disable pockets

user_pref("extensions.pocket.enabled", false);

By adding these preferences your firefox is now more secure, but you also need some other changes.

Ad-blocker (recommended)

UBlock origin
AdGuard AdBlocker

Both are free and opensource.

Search engine

Even after all these you need to change one more thing i.e search engine. By default google is set which sucks lot of user data and also show the ads in search results. That’s why we need to change search engine also.

These are few safe search engines with minimal look & great results without ads.

To add any search engine,

first visit the page of it.
click on search bar and click on add search engine...

Customize look with pywal (optional)

To customize look of firefox you can use pywal to generate colorscheme according to your wallpaper which can improve the look. There’s an extension for this called pywalfox which will be using.

Install pywalfox

pip install pywalfox --break-system-packages

Run command

pywalfox install

Add the extension then, open it and click Fetch pywal colors.

Set custom home/new tab (optional)

Read this blog to configure it.

Set master password.

Yes, you need to set master password, by default when you save password it is stored in firefox’s profile directory; which can be decrypted easily using tools like firefox_decrypt; see demo

Go to settings -> Privacy & Security -> under ‘Login and Passwords’ section.
Check ‘Use Primary Password’ -> Enter you super secret master password.

So that’s how you can make your firefox more secure and usable.

Reference: Betterfox | Mozilla Support

Linux stuffs

Sat, 22 Jul 2023 00:00:00 +0000

echo "Hello world"

We are going to learn: [–more–]

User / group
grep, awk, find.
File permission
ssh/scp
systemctl

Groups: collection of users
```
sudo groupadd devops
```
use the /etc/group file to get groups

Whenever you create a user it creates groups also with the same name.
- Add user to group
  
  whenever you add a user to a group you modify the user.
```
sudo usermod -aG devops user1
```
- To add multiple users, we can also use gpasswd to add user
```
sudo gpasswd -M user1,user2,user3 testers
```
- Delete user form group
```
sudo gpasswd -d user2 testers
```
- Delete group
```
sudo groupdel testers
```
- Use chgrp to change group of file
```
sudo chgrp tester file.txt
```

File permissions:

Numeric Permissions:
- r - read = 4
- w - write = 2
- x - execute = 1
- There are three set of permissions for:
  - U - User/Owner
  - G - Group
  - O - Others
- Combinations
  
  _ U _ . _ G _ . _ O _ => rwx rwx rwx
  
  Example:
  
  U - read+write = 4+2 => 6
  
  G - read+executable = 4+1 => 5
  
  O - read = 4 => 4
  
  Final permission numeric == 654
- User chmod command to modify permissions
```
chmod 700 file.txt
```

Find files
- Grep: To find anything inside file or name of files.
  - Find some keyword or filename in directory.
```
grep -r keyword /home/ubuntu/
```
  -r is for searching recursively inside directotries
  - grep something inside file
```
grep keyword file.txt
```
  - Search case insensitive
```
grep -i keyword file.txt
```
  -i stands for case insensitive, by default grep is case sensitive.
- AWK:
  - Find TRACE from log and print column 1,2,5
```
awk '/TRACE/ {print $1,$2,$5}' errors.log
```
  - Get the exact line number
```
awk '/TRACE/ {print NR,$1,$2,$5}' errors.log
```
  - User condition using NR => row number
```
awk 'NR>=1 && NR<=20 && /TRACE/ {print NR,$1,$2,$5}' errors.log
```
- Find:
  - Find files with specific extension
```
find *.txt
```
  - Find files in some directory with specific ending
```
find dir/ *.log
```
  - Find files by a particular owner
```
find dir/ -user ubuntu
```
  - Find files by a particular group
```
find dir/ -group devops
```
SSH:
- Keys:
  - Public key (id_rsa.pub)
  - private key (id_rsa)
    
    Public key must be known by the server where you want to connect, and you must also have private key to connect.
- Create keys:
```
ssh-keygen
```
  Keys are stored in ~/.ssh/ directory.
- Connect using keys:
  1. Permission must be 400
```
chmod 400 key.pem
```
  2. connect
```
ssh -i /path/to/key.pem user@ipaddress
```
  3. Types yes when asked.
- scp from host system to server
```
scp -i "key.pem" file.txt user@ipadd:/home/user/file.txt
```
- scp from server to our host system
```
scp -i "key.pem" user@ipadd:/home/user/file .
```
Systemctl

It is a Service controller, services like docker, apache2, sshd, nginx, etc.
- Start any service
```
sudo systemctl start <service> 
```
- Stop any service
```
sudo systemctl stop <service>
```
- Check status of any service
```
sudo systemctl status <service>
```

Linux on Dark Kernel

DIY Containers: Building a Lightweight Container System from Scratch on Linux

What Are Containers, Really?

Before we begin

Let’s begin

Creating the Container Process

Setting the Hostname

Changing Root Directory

Setting Up /proc Filesystem

Executing the Container Command

Setting Up the Main Function

Defining Namespace Flags

Creating the Container Process

Building and Running the Container

What this container provides?

Conclusion

Secure Your Linux Server

Is linux actually secured?

Secure your linux server.

1. Network Filtering

2. Secure SSH server

3. Setup firewall

4. Limit SUDO

5. Use SELinux

6. Other Tips & Tools

In the end, Linux isn’t just secure; it’s a security ninja doing a moonwalk while wearing a fedora 󰱸 .

Git concepts

Git

Important branches:

Branching Strategies:

Small team strategy

Big team strategy

Git Revert & Reset

git revert:

Git Reset:

Git Merge

Branch Merge:

Git rebase

Cherry pick

Git stash

Firefox Hardening

Using firefox?

Update the user.js profile.

Ad-blocker (recommended)

Search engine

Customize look with pywal (optional)

Set custom home/new tab (optional)

Set master password.

Linux stuffs

Groups: collection of users

File permissions:

Example:

Find files

SSH:

Systemctl