Everyone has personal data that is worth archiving. Data that does not change, that is not accessed all the time but data that you want to access in the future. There are different solutions to this problem. Here I’ll show you how I archive my photo collection.

Over the years I have collected quite a number of personal photos. I wanted a way to store them safely to have them available for many years to come. Most people use a photo service that promises to store pictures for a monthly fee in their cloud. At first their prices are quite appealing but over the time as you use more and more storage and as you have to pay each month it becomes more and more unattractive. That is the reason I want to store the data on physical media in my control.

Physical Storage Options

There are different options for storing larger amounts of Data on physical media. For me it is important to store the data for a long time without having to copy it, refresh it or renew the physical media every now and then. I want the data to be stored offline, that means I do not want to use for example an network attached storage device that has to be plugged in. The last criterion of importance to me was a format that has sufficient relevance, so there is a high likelihood that devices capable of reading it will be available in the future.

M-Disk Standard

For now I went with M-Disk. That is a disk technology compatible with the DVD or Blu-ray standard. They use a glassy carbon material instead of the organic material that is commonly used in DVDs and Blu-rays. That’s why they claim they have a longer lifetime of several hundred years. Of course there is no way to find out how long they live since they only have been around for a few years by now. However there have been several tests by different entities that suggest a longer lifetime than regular blu-rays.

M-Disks exist in different storage sizes: DVD with 4,7 GB, Blu-ray with 25 GB and Blu-ray XL with up to 128 GB of storage. Depending on the amount of data to archive that may be a lot of disks. I went with the regular Blu-ray ones since it appears to be a good tradeoff between large enough storage and a widespread format that can be read by a lot of drives. For the drives I won’t be recommending any devices. I’ve got an external USB Blu-ray writer that is capable of writing M-Disks.

A Thought about Encryption

The content on a disc could be encrypted using different methods. I thought about this but decided against it. My personal photo collection is insensitive enough to be readable by anyone who can get their hands on the disks. Access Keys also need to be securely stored in a way that is different than the disks. If the keys are lost there is no way to restore the archive. That’s why for now I decided against encrypting the data on my disks.

What is on a Disk

My disks currently follow a straight forward folder structure.

2026_PHOTOS_2022_0812
   ├── README.md
   ├── VERIFICATION.md
   ├── manifest.sha256
   ├── redundancy/
   └── CONTENT/

The readme file contains information about the disk. This is primarily for myself if I’m accessing one of the discs in the future. Each disk gets a disk id that I assign to it which also goes into the readme. Here is an example of a readme file in one of my discs:

# Archive Disk
Disc ID: 2026_PHOTOS_2022_0812

This data belongs to Benjamin Brunzel
E-Mail: b***@***.de
*Address goes here*

## Metadata
Created: 2026-01-09
Category: Photos
Content:
 - Photos from 2022 August to December
 - Includes hamburg, radtour
Size: 20GB

## Privacy / Usage Notice
These data contain personal and private content (photos, videos, documents).
They are intended for personal use only.

**It is strictly prohibited to copy, distribute, publish, or otherwise use the data without the explicit permission of the owners.**

The verification file describes the verification process that can be used to check the integrity of the disk. This process will be described later.

The manifest file contains sha256 checksums for every file in the CONTENT folder. They allow for checking if a file can be correctly read from the archive. This is checked during verification.

The redundancy folder contains redundant parity data per top level folder in CONTENT This allows to reconstruct the data in case of losing data within the archive due to unreadable sectors. In my configuration I use 15% of redundancy. This means I can recover from up to 15% lost sectors. So if a disk only has 86% of readable sectors I’m theoretically able to restore the files without errors.

Creating a Disk

To create a disk I’m selecting which data goes onto it. I copy it to a directory on my linux machine that I want to use to burn the data to the disk. In that directory I create the target file structure as it should be found on the resulting disk. I have to make sure not to exceed 20GB of file size in CONTENT because I will add the 15% of redundancy that has to be accounted for.

After I’m fine with the contents that should go on my disk I create the sha256 checksums with the following command on the shell:

find ./CONTENT -type f -print0 | sort -z | xargs -0 sha256sum > manifest.sha256

Next, I’m generating the redundancy using the par2 program and move those files into the redundancy directory. It will generate multiple files for each folder in the top level of the CONTENT directory.

mkdir redundancy

for dir in CONTENT/*/; do
  if [ -d "$dir" ]; then
    par2 create -r15 -s4194304 "$(basename "$dir").par2" $(find "$dir" -type f)
  fi
done

mv *.par2 redundancy

Now the directory is ready to generate the universal disk format file system image that can be used to burn the resulting disk. We use this command:

mkisofs -udf -r -V 2026_PHOTOS_2022_0812 -o ../2026_PHOTOS_2022_0812.iso .

You should check the filesize of the resulting iso file. It must not exceed 25 GB to fit onto a blu-ray. Finally, I write the image onto a M-Disk using the growisofs command. Make sure you have your drive attached and an empty disk inserted. We will limit the writing speed to 4x which is reported to work better when writing M-Disk.

growisofs -dvd-compat -speed=4 -Z /dev/sr0=2026_PHOTOS_2022_0812.iso

Once this succeeds the data has been written to the disk. Now it’s time to verify the integrity of the disk we just created.

Verification of a Disk

This procedure will be conducted directly after creation of a new disk to make sure that the data on it can be relied on. After that it is recommended to verify stored disks every so often to ensure data remains to be readable. If you experience unreadable sectors you should still be able to restore all the data using the par2 parity data.

There are multiple steps to verification. First we’ll read all sectors of the disk printing an error in case there are any broken sectors.

dd if=/dev/sr0 of=/dev/null bs=2048 conv=noerror,sync status=progress

In case of an error it would look like this: dd: error reading '/dev/sr0': Input/output error Note that we are using the block size of 2048 as this is the standard block size for optical media.

If that command runs without any issues we continue with checking the checksums from the manifest file we’ve created earlier.

sudo mount /dev/sr0 /mnt
cd /mnt
sha256sum -c manifest.sha256 2>&1 | grep -v ': OK$'

This command checks all the files for their checksum in the manifest file. Only files that are not OK will be printed. If there is no output from this command everything is fine and the verification was successful. This process should be done every few years. I write down the verification result with date in the booklet of the disks enclosure. I’ve created over twenty disks by now and so far none of them had any issues during creation and verification.

Storage of the Disks

The Disks should be stored in a dark and dry environment in vertical orientation. I write each iso twice and store the disks in two different locations.

Let’s see how long this archive will hold up for me. So far all disks were without any errors. It is worth noting that writing disks and also the verification takes quite some time. If you have a lot of disks this becomes unbearable. Probably it would be an option to look into Blu-ray XL disks for larger data sets. For my personal archive I’ve not had any issue yet.

Are you archiving data? What is your approach? I’d like to hear about it.

The web browser is one of the most important programs in my day-to-day work on the computer. I want a browser setup that addresses a couple of goals. First I’d like to be independent of large corporations that try to observe my browsing behaviour for their profit. That is why I’d rather use an open source implementation instead of the various chrome based browsers. Since the servo browser¹ is not there yet², a mozilla firefox based browser is the most viable option as of today. Because Mozilla has started to put more and more questionable features into the firefox main release line, I was looking to try one of the open source forks promising more privacy. I need a reasonable tradeoff between privacy and ease of use. That is why I didn’t went with the tor browser providing the best privacy of the alternatives I looked at. I settled with the LibreWolf browser.

The tiling window manager on my linux distribution can be completely managed from the keyboard without having to use the mouse. That is why I’d like to have improved keybindings for my browser as well. Since I’m using vim bindings for many of my other programs as well a vi plugin serves me very well in this regard. I added the firefox extension Tridactyl to LibreWolf.

Finally I also wanted to do some changes to the UI of the browser so the space used for the actual content of a webpage is maximized and it is not displaying active UI elements that I do not use.

The result is a quite clean web browsing experience as can be seen on the screenshot above. It works nicely on large screens as well as smaller tiled areas as can be seen in the example.

How to set this up

I’m describing how to install the setup here so I can remember when moving to a different installation. First you have to install the LibreWolf browser on your linux machine. The complete setup should in my eyes also work on MacOS or even Windows machines even though I have never tested it myself. The LibreWolf website describes the installation for the various operating systems.

After that you have to install the Tridactyl browser extension through the extension management in about:addons. Open that page in your browser, search for the plugin and apply it. Once that is done I have opted for the default dark theme. This can be selected in about:preferences. Next I wanted to hide the huge tab bar on the top of the browser. Tridactyle offers a tab list by pressing b, but I found that I do not use nearly as many open tabs at a time now that I use this extension³. This can be achieved by using a userChrome.css file⁴. That file has to go into your browser profile directory which is located in your home config directory.

/* asciijungles's userChrome.css
 * write to ~/.config/librewolf/librewolf/{yourProfile}/chrome/userChrome.css
 */

/* hide header tab bar */
#TabsToolbar {
    visibility: collapse !important;
}
/* hide huge sidebar header*/
#sidebar-header, #search-box {
    display: none!important;
}
#sidebar-header {
    display: none !important;
}

/* minimize sidebar splitter */
#sidebar-splitter {
    background-color: black!important;
    width: 1px!important;
    border: 0px!important;
}

After that you have to enable usage of the userChrome file in about:config. On that page you are able to set values for configuration properties. Serch for the following config and toggle its value to be true.

toolkit.legacyUserProfileCustomizations.stylesheets = true

The changes apply after a restart of the program.

Last quick thing: I like to cycle through the open tabs with Ctrl + Tab. I use the setting “Activate Ctrl+Tab cycles through tabs in recently used order” that can be set in about:preferences. That way I can always jump back to the previous tab instead of tabbing through the whole list. Try it, it’s nice.

That is all you have to do to clone my setup. Enjoy.

What I wish for

I’m very happy with the setup as is at the moment. But there is one thing that I would really love to have. The browser supports multiple profiles with separate histories and shared sessions between tabs. In order to change profiles you have to start a different instance of the browser program. At work I have different profiles for different customers I work for and can be logged in to several web applications using OpenID Connect. I have to run two browsers and switch between them on different workspaces. It works but, I think it would be awesome to be able to use different profiles per tab in the same session. I imagine to be able to have a keybinding “open in profile 2” that opens in a profile other than my default.

What do you think? How are you using your browser? I’d love to hear about it. Please get in touch with me on the fediverse.

Footnotes

The CCC’s Chaos Communication Congress of is an event I’m always looking forward to. It’s the annual conference of the German and international sub culture around computers and the culture surrounding it. I’ve attended all four days and want to share my key takeaways as well as what I observed to be the major topics of 2025

Digital sovereignty

The global political balance is shifting. Not just in the United States, populist movements are gaining traction. Relying on big tech vendors and trusting them with our data and using their infrastructure for critical communication has become a liability.

On the congress there were multiple talks but also self organized sessions around what options we have, and how to move away from IT services under direct control of other parties. Using selfhosted open source alternatives run on hardware run and controlled by someone you trust is the proposed solution.

The community proclaimed the Digital Independence Day, a distributed event where people get help with moving their digital infrastructure towards self hosted alternatives. The talk Die Känguru-Rebellion: Digital Independence Day introduced the idea and gave a motivation on why it is important.

In addition to that vendors are selling devices that come with operating systems in their control and it is getting harder to write and distribute programs for them that are not approved by them. This has been discussed in the talk A post-American, enshittification-resistant internet.

European citizens are customers and give a lot of power to the vendors and operators of critical digital infrastructure. It is on us to minimize risks of being held to ransom.

Gen- and Agentic AI

The rise of Artificial Intelligence powered features in software has also been addressed by a couple of talks and sessions. In AI Agent, AI Spy the people behind the signal messenger talked about a new feature within the windows operating system currently in beta testing. Windows recall is a function that is taking a screenshot of the whole desktop every couple of seconds. These screenshots are then run through a text detection LLM run locally to extract information from the text displayed on the screen and store them in a local file for later usage by copilot.

According to security researchers this is extremely dangerous because it is creating a honeypot of very sensible data that also includes information that has been end to end encrypted because that encryption is terminated on the end device.

Features like that put users at extreme risk. In addition to that such features could be used to find out extreme sensitive information for example about employees.

Another talk went though the possible ways to attack software engineers using coding agent tools by doing prompt injection attacks: Agentic ProbLLMs: Exploiting AI Computer-Use and Coding Agents.

Because todays Large Language Models (LLMs) do not have a separation of input data into context and commands, these issues will not be fixed but only mitigations will make it harder to exploit these design flaws. Currently, they cannot be prevented completely.

Hardware Security

Over the years security researchers have demonstrated various attacks on the hardware of computer systems like the CPU or the RAM. This years congress demonstrated that even though vendors invested in mitigations various of these attacks were proven to be exploitable in real world scenarios. The talk Rowhammer in the Wild: Large-Scale Insights from FlippyR.AM evaluated a field study were various people ran tests on their system. These studies showed that a lot of systems can be targeted by rowhammer attacks. Also Spectre in the real world: Leaking your private data from the cloud with CPU vulnerabilities showed that it was possible to extract information from other customers CPU processes on a public cloud provider. In addition to that the talk Bluetooth Headphone Jacking: A Key to Your Phone showed that insecure bluetooth devices that can act as an input device can be used to attack a computer paired to them.

Rise of far right politics

The last topic that I want to point out is the rise of far right political actors in a lot of western democracies. I especially liked the talk Gegenmacht - Best of Informationsfreiheit which pointed out the importance of the Informationsfreiheitsgesetz, Germanys Freedom of Information Act, which allows civil society actors to use the courts to have information made publicly available by the government. This is effective to control a government and fight corruption.

Call to action

The chaos communication congress is a very important event with talks of outstanding quality. They point out techological and social hotspots. It is on us to have a look, discuss and address them. The event shows that technology always has a social impact on all of us. As people working with software it is our responsibility to keep that in mind when working on software and digital infrastructure. All of the talks from 39C3 are being published on the media.ccc.de portal. I encourage you to take a peek into the recordings.

Hexagonal Architecture and GenAI: A good Combination for Modern Software Development

Introduction

Some time ago, I had the pleasure of leading a workshop on “Hexagonal Architecture and AI Tools for Modern Software Development.” For those who couldn’t attend, I’d like to summarize the key insights here – particularly why Hexagonal Architecture harmonizes so well with GenAI tooling.

Hexagonal Architecture, also known as Ports-and-Adapters Architecture, is an architectural pattern that emphasizes separation of concerns. Without going too deep into details: it’s about isolating core business logic (the “Domain”) from external systems and technical details by using clearly defined interfaces (“Ports”) and interchangeable implementations (“Adapters”).

But why is this architecture also particularly advantageous when working with GenAI tools like rooCode? That’s what I’d like to explain in this post.

Benefits of Hexagonal Architecture for GenAI Development

Clear Separation of Concerns

Like human developers, AI also benefits from clear context:

• The distinct structure shows where specific code can be found. This is ideally already evident from the directory listing with descriptive filenames.
• The business logic is well-described in the domain with strong types
• AI can focus on specific parts without needing to understand the entire system. That keeps the context small.
• Changes to one part don’t affect others (reducing the risk of AI-introduced errors)

Directory Structure

Let’s have a look at what an example of the directory structure might look like:

src/
├── domain/
│   ├── model/     # Domain entities and value objects
│   ├── service/   # Domain business logic
│   └── ports/
│       ├── in/    # Input ports (application APIs)
│       └── out/   # Output ports (repositories, etc.)
├── adapters/
│   ├── in/        # Input adapters (controllers, UI, etc.)
│   └── out/       # Output adapters (database, external services)

That is a standard directory structure of a ports and adapters architecture that is also known to most coding models. That way the agent natuarly knows where to look for files. File names are also very important they should use the same terms that are used in the business logic.

Well-defined Interfaces (Ports)

Ports are clearly defined interfaces that help AI, and also humans, understand expected behavior. Type safety guides AI to generate compatible code. That’s why I encourage to use a strongly typed Language and use expressive types like Domain Entities or Enums over basic types like e.g. String.

Interface types serve as documentation for AI. They define the building blocks that are supposed to be used to build new functionality. When using Ports it’s easy to break development tasks down into manageable tasks. You can first write the business logic of a new feature against new or existing ports, and then generate the adapter implementations in a second step.

Here’s an example from our workshop example codebase of how a port definition might look like:

// Example: Database interface
export interface Database extends Adapter {
    findById(id: MMSI): Vessel | undefined
    saveVessel(vessel: Vessel): void
    findAllVessels(): Vessel[];
    savePosition(id: MMSI, position: Position): void
    findHistory(id: MMSI): VesselHistory | undefined
}

With this clear interface definition, AI knows exactly which operations are available, which parameters are expected, and which return types to expect. This makes it much easier for AI to generate correct code.

Swappable and Mockable Implementations (Adapters)

Adapters are implementations of ports that connect the domain with external systems. They may be swapped with other implementations or mocks in tests. This interchangeability offers several advantages for working with GenAI tools:

AI-generated code can be tested in isolationk. New adapters can be developed in parallel with existing ones to ensure backward compatibility. So if you ask AI to implement a new adapter, you can test it without affecting the rest of the system. If it doesn’t work as expected, you can simply revert to the previous adapter. In our definition functional external dependencies may only be used in Adapter implementations. That way we ensure that our business logic stays pure. This can also be enforced by architecture tests.

Practical Example: Vessel Tracking Application

In our workshop, we worked with an application for tracking vessel positions. This application tracks ships via AIS (Automatic Identification System), stores position data and vessel information, and displays current positions and history on a map.

In this application:

• The Domain contains the core business logic and entities such as Vessel, Position, and VesselHistory
• The Ports define interfaces such as DataAccessPort, AisPort, and Database
• The Adapters implement these interfaces to connect the domain with external systems, such as WebAppAdapter, MqttAdapter, and InMemoryDatabase

This clear structure makes it easier for GenAI tools to understand and extend the application.

Practical Workflow with GenAI Tools

During the workshop, we developed a practical workflow for working with GenAI tools in a hexagonal architecture. First, create an implementation plan, then implement this plan step by step and Continuously test and refine the outcome.

Division of Labor Between Developers and AI

You can take over yourself whenever you see fit. One strategy might be:

1. You as a developer define the domain and ports
2. AI implements business functions on the defined types
3. You define testcases and let the test code generate
4. AI creates adapter implementations

That way you stay in control and there is at now point in time too much code generated so that it would be too much to review.

Test-Driven Development

Hexagonal architecture nicely supports a test-driven approach. You can define test cases for the expected functionality in prosa text. Then you let the AI implement the code that fulfills these tests. Because of the Architecture you can always test implementations in isolation before integrating them into the overall system. You can mock your Ports for extensive coverage of your business logic. That way you’ll get a good confidence that the resulting system does what it should. RooCode can run unit and architecture tests independently and thus correct errors directly from within the chat.

Conclusion

In my eyes Hexagonal Architecture provides an ideal foundation for working with GenAI tools like rooCode:

• Clear separation of concerns allows AI to understand and modify specific parts of the code without affecting others.
• Well-defined interfaces make it easier for AI to understand expected behavior and generate compatible code.
• Swappable implementations enable testing AI-generated code in isolation before it’s integrated.

By applying this architecture, development teams can use GenAI tools more effectively to accelerate development, reduce errors, and improve code quality. The overhead of implementing abstraction layers is not such a burden when using GenAI tools. The clear boundaries and contracts provided by the architecture help AI generate correct and compatible code, while the isolation of components reduces the risk of AI-introduced errors affecting the entire system. Thus your code base becomes manageable even over lots of iterations.

I’d like to hear about your expeciences. Did you try something similar?

When working with containerized applications in AWS ECS, you might encounter file permission issues, especially when implementing security best practices. Recently, I had to debug file permissions in an AWS ECS task with the following requirements:

• The process within the container must run as an unprivileged user
• The root file system must be mounted as read-only
• The process must be able to write to the /tmp directory
• The contents of the /tmp directory should be cleared on container start
• The container runs in AWS ECS with Fargate backend

Me and the team tried multiple approaches. Involving EFS and S3 as volumes meant we had to implement the clearing the /tmp directory on container start. Defining and mounting an ephemeral storage volume caused trouble because it was mounted as the root user so it cannot be used by the unprivileged user. Then I stumbled accross a solution that was posted in a subreddit¹. They suggested to define a Docker volume in the Dockerfile and have ECS create an ephemeral storage mount automatically.

VOLUME /tmp

In this post, I’ll share my debugging approach used to validate this solution. The debugging approach is not limited to the use of AWS ECS. It can be of value for all container environments such as kubernetes or plain docker.

Debugging with an overriden Container Entrypoint

When troubleshooting container permission issues, it’s helpful to use simple CLI tools to check the current user and directory permissions. I modified my container’s entry point in the ECS task definition to run a series of diagnostic commands:

resource "aws_ecs_task_definition" "my-task" {
  family                   = "service"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"

  execution_role_arn = aws_iam_role.ecs-task-execution-role.arn
  task_role_arn = aws_iam_role.ecs-task-execution-role.arn

  container_definitions = jsonencode([
    {
      name                     = "my-service"
      image                    = local.image_uri
      cpu                      = 256
      memory                   = 512
      essential                = true
      readonlyRootFilesystem   = true
      user                     = "185"
      portMappings = [
        {
          containerPort = 9090
          hostPort      = 9090
        }
      ]
      entryPoint = [
        "sh",
        "-c"
      ]
      command = [
         "set -x; whoami; ls -la /tmp; touch /tmp/itWorks; ls -la /tmp; cat /proc/mounts; df -h"
      ]
    }
  ])
}

Let’s break down these commands and understand what each one does:

Command Chaining with Semicolons

In the shell, the semicolon `;` allows you to run multiple commands sequentially on a single line. Each command runs independently, regardless of whether the previous command succeeded or failed. This is different from using `&&` which only runs the next command if the previous command succeeded, or `||` which only runs the next command if the previous one failed. In this case failing means returning a non zero returncode.

set -x

The `set -x` command enables debug mode in the shell. When this mode is active, the shell prints each command before executing it, prefixed with a + sign. This is useful for debugging scripts as it shows what commands are being executed. Without this it can be difficult to see which command yielded which output.

whoami

The `whoami` command prints the current user’s username. In our case, it showed that the container was running as the “jboss” user, confirming that we were indeed running as an unprivileged user defined in the Dockerfile of the base image.

ls -la /tmp

The `ls -la` command lists all files in a directory showing permissions, ownership, size, and modification time. This helped me see the current state of the /tmp directory and its permissions.

touch /tmp/itWorks

The `touch` command creates an empty file. I used it to test if the current user had write permissions in the /tmp directory. If this command succeeds, it confirms that the current user can write to the specified location.

cat /proc/mounts

The `cat /proc/mounts` command displays all mounted filesystems in the container. This is useful for seeing how filesystems are mounted. In this case, it showed that the root filesystem was indeed mounted as read-only (ro), while /tmp had its own mount point.

df -h

The `df -h` command shows disk space usage. This helped confirm which filesystems were available and how much space was allocated to them.

Analyzing the Output

Let’s run the container and have a look at the output of these commands:

+ whoami
jboss
+ ls -la /tmp
total 16
drwxrwxrwt 2 root root 4096 Apr 24 11:55 .
drwxr-xr-x 1 root root 4096 Apr 24 11:55 ..
-rwx------ 1 root root 291 Mar 13 11:05 ks-script-fb_e6y2x
-rwx------ 1 root root 701 Mar 13 11:05 ks-script-s7hte0c5
+ touch /tmp/itWorks
+ ls -la /tmp
total 16
drwxrwxrwt 2 root root 4096 Apr 24 11:55 .
drwxr-xr-x 1 root root 4096 Apr 24 11:55 ..
-rw-r--r-- 1 jboss root 0 Apr 24 11:55 itWorks
-rwx------ 1 root root 291 Mar 13 11:05 ks-script-fb_e6y2x
-rwx------ 1 root root 701 Mar 13 11:05 ks-script-s7hte0c5

From this output, I could see:

1. The container was running as the “jboss” user (unprivileged) otherwise it would have stated `root`
2. The /tmp directory belongs to root bu it has the sticky bit set (t in drwxrwxrwt), which allows any user to create files but only the owner can delete them. This is common for the /tmp directory.
3. The “jboss” user was able to successfully create a file in /tmp

The mount information was particularly revealing:

+ cat /proc/mounts
overlay / 
overlay ro,relatime,lowerdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/103/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/102/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/101/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/100/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/99/fs:/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/93/fs,upperdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/107/fs,workdir=/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/107/work 0 0
/dev/nvme1n1 /tmp ext4 rw,relatime 0 0

This showed that:

1. The root filesystem (/) was mounted as read-only (ro)
2. The /tmp directory was mounted as a separate filesystem with read-write permissions (rw)

The disk usage information confirmed this setup:

+ df -h
Filesystem Size Used Avail Use% Mounted on
overlay 30G 11G 18G 37% /
tmpfs 64M 0 64M 0% /dev
shm 464M 0 464M 0% /dev/shm
tmpfs 464M 0 464M 0% /sys/fs/cgroup
/dev/nvme1n1 30G 11G 18G 37% /tmp
tmpfs 464M 0 464M 0% /proc/acpi

So in the end the definition of a docker volume for /tmp did the trick. When you define a volume in your Dockerfile, ECS with Fargate automatically creates an ephemeral storage mount with the correct permissions for the user specified in your container. This eliminates the need for manual permission adjustments. The storage used is AWS’s ephemeral storage, meaning it is temporary and will be removed when the container stops. This is ideal for temporary data storage needs.

Additional Considerations

ECS on Fargate automatically handles permissions for volumes. It will create the montpoint folder owned by the user that is specified in your container (e.g., user 185 or jboss). You can define multiple volumes if your application needs to write to different directories. If you need persistent storage instead of ephemeral, you would need to use EFS or other persistent storage options with ECS. This solution will not work for you in that case. I have not found any resource documenting this, admittedly useful, implementation of ECS. I don’t know but this behaviour might change in the future. There is an open Github Issue with a discussion regarding this though².

Conclusion

Debugging file permissions in containerized environments can be challenging, but using simple CLI tools can provide valuable insights into what’s happening inside your container. Hope that helps you out.

Footnotes

I have to manage multiple git repositories hosted on different servers. Each project might require specific configurations, especially when it comes to commit signing with Git. This blog post will guide you through setting up different SSH identities and email addresses for commit signing in various Git repositories, all while maintaining a clean and organized configuration.

First, let’s establish a global configuration in your ~/.gitconfig file. This will serve as the default for repositories that don’t require specific settings. Here’s an example configuration:

# core {{{
[core]
    editor = /usr/bin/vim
    excludesfile = ~/.gitignore_global
    pager=less
#}}}

# user {{{
[user]
    email = benjamin.brunzel@my-company.com
    name = Benjamin Brunzel
#}}}

This configuration sets your default email and name for commits, along with some core settings like your preferred editor and global ignore file.

For repositories under ~/dev/customer1, you might want to use a different email and signing key. Git allows you to include specific configurations based on the directory structure. Here’s how you can set it up:

In your global ~/.gitconfig, add an includeIf directive:

# includes for customer1
[includeIf "gitdir:~/dev/customer1/**"]
    path = ~/dev/customer1/customer1.gitconfig

This tells Git to include the configuration from ~/dev/customer1/customer1.gitconfig for any repository within the ~/dev/customer1 directory.

Create a customer1.gitconfig file in the ~/dev/customer1 directory with the following content:

[user]
    email = benjamin.brunzel@customer1.com
    name = Benjamin Brunzel
    signingkey = ~/.ssh/customer1_id_ed25519.pub

[core]
    sshCommand = "ssh -i ~/.ssh/customer1_id_ed25519"

[gpg]
    format = ssh

[commit]
    gpgsign = true

This configuration specifies a different email and signing key for commits made in repositories under ~/dev/customer1. The gpgsign option ensures that all commits are signed using the specified SSH key.

Note that by setting the `sshCommand` like specified above you are able to select different keys for different git accounts based on the directory the checked out repositories reside in. Very important here is that the ssh agent uses connection multiplexing. That means ssh will not create a new session to the same server as long as it still maintains one. If you want to switch accounts bewteen the same server you will have to terminate an existing session. If you need it this can be done with

ssh -O exit git@your-git-server.com

By structuring your configurations based on directory paths, you maintain a clean and organized setup that automatically applies the correct settings based on the repository location. Using different SSH keys for different environments enhances security by compartmentalizing access. Easily switch between different configurations without manually changing settings each time you work on a different project.

Configuring Git to use different identities and email addresses for commit signing across multiple environments is a powerful way to manage your projects efficiently. By leveraging Git’s includeIf directive, you can ensure that each repository uses the correct settings, enhancing both security and productivity. I hope that helps you out.

I lately got into ham radio. Working on a side project which receives ship’s AIS Signals¹, I wanted to build an antenna for receiving them well. I read up on the internet and got a reccomendatin to meet up with the local ham radio folks that are building all sorts of antennas. Being curious about it I attended one of their community meetings at E13 in Bramfeld which is within cycling distance. They gave me some recommendations and said that, if I was interested in how antennas work, I should join their ham radio classes which had just started. I would go there once a week and learn all the basics that would be tested during the exam for the general license.

I have to say ham radio is quite a world of it’s own. A rabbit hole that is quite fun to go down. Especially since I enjoy learning about the history of communication technology and computer science. There is quite some overlap of these topics. For example morse code being the predecessor of radio teletype² which was used as the basis for the tty shell interfaces of the first computers. And rtty and morse code based radio telegraphy³ are still being used to this day by amateur radio operators!

But why would one care to learn all these things that are not used by the public anymore since we’ve developed far more advanced ways of communicating in the recent decades? First of all it’s fun to operate your own amateur radio station. There are quite some techniques to master in order to be able to have radio contacts with people hundreds or thousands of kilometers away. It just feels pleasant.

Then I think it is cool to keep the history of radio communication alive by talking to other tinkerers using old equipment. Ham radio operators are also allowed to build their own equipment. Antennas of cause but also transmitters and receivers which can also be a lot of fun. It’s a wide area of activity so there is a place for anybody.

So in the end I passed the exam and now am the proud owner of the international call-sign DL2XU.

If your interested I’d like to hear what you think.

Footnotes

The book by Tobias Hürter takes the reader back into a past that is both, long gone and strangely familiar. It introduces the physicians with their personalities and embeds them into a setting around the most famous universities of Europe at the time. Their relationships, families, friendships and disagreements bring them to life.

The rise and fall of the atomic and quantum physicians within their scientific community is astonishing to learn about. The book does not fail to describe the complex ideas behind modern quantum physics with their often times philosophical implications without overburdening with details and formulas.

It targets non physicians with a curiosity about the history of physics and particularly the circumstances in which the theories evolved. For me it was fascinating to learn about the interaction and close collaboration between scientists in a Europe that will soon be struck by two world wars. It hurt to see how open exchange of ideas and the freedom of speech was shut down by growing nationalism, racism and a society deluded by war.

After a sudden end the book leaves the reader curious about the advancement of quantum physics after the year 1945. I still enjoyed the book and can recommend it if this sounds compelling to you. I read the book in the german original (Das Zeitalter der Unschärfe). At the time of writing there is no english translation available yet.

The company I work for is currently working on a new corporate identity. But instead of puttering around on it behind closed doors they decided that they want to include the team in this process. And I quite agree with what they did.

When starting the work on the new design system they asked who of the personnel would want to be involved. Out of the people that expressed interest they selected 25 individuals that are representative for the whole company so that all age groups, jobs, genders and locations are covered.

These people where then presented with the ideas and the concept behind three different design “routes”. Each of the routes points towards a slightly different direction for the same brand. The Team was able to give feedback and express their impressions but also concerns.

When doing design work there is no “right way”. Just a lot of wrong ones. Not only does each coworker have a different taste in what they find visually pleasing, but also a different perception of what feelings they receive by looking at a particular design. In the process of coming up with a new corporate identity, a set of rules about how to communicate as a company via text and images, this limits the number of people being involved.

Yet it is desired to create something a majority of colleagues can agree and identify with. Involving them in the process greatly improves peoples connection to the new brand.

The feedback of the 25, if listened to, can help to fine tune a design. They will also help explaining the process and the decisions to the rest of the company.

I think it is great to involve the team in such kind of decisions. It is impossible to create a brand relaunch that everyone will totally agree with, but by knowing what is about to come and being able to provide feedback is a great way to improve the satisfaction with a new design. I think a similar approach is applicable to a lot of smaller scale design work as well.

As nowadays most computers suffer from security bugs ¹, glued together components, and undocumented, not upgradable hardware, its great to see people making an effort to provide an alternative. Instead of buying a new device every two to three years we need to repair and upgrade the devices we own. Now there is a laptop that claims to live up to these higher standards.

The MNT Research GmbH from Berlin, Germany started a new crowdfunding campaign in May 2020. It features the second generation of their open hardware laptop MNT Reform. I already followed the projects updates on twitter. A laptop that is truly open, without intels infamous CPU bugs and without it’s shady management engine is something that I have to support. In addition to that it features a nice keyboard, passive cooling and even has a trackball! Of course I went for the DIY kit option and will have to assemble the whole machine myself.

The crowdfunding platform of their choice crowdsupply.com accepts payment methods other than credit card on request. The hardware is expected to ship as early as December 2020.

Footnotes