Video: Docker's '--userns-remap' feature explained

• docker • Comments

I have been up to my ears in work and projects, which is why I haven’t been posting a lot. I initially wanted to create a series about automatic service discovery and configuration with Consul, Registrator and consul-template, but decided to switch to Rancher in the process as I encountered too much hassle and had to make too many workarounds.

But that’s not the topic of this post. I recently created a short video on asciinema to further explain Docker's --userns-remap feature, which significantly improves security.

What is it, you ask? The original description from the docker-daemon manpage:

--userns-remap=default|uid:gid|user:group|user|uid
    Enable user namespaces for containers on the daemon. Specifying “default” will cause a new user and group to be created to handle UID and GID range remapping for the user namespace mappings used for contained processes. Specifying a user (or uid) and optionally a group (or gid) will cause the daemon to lookup the user and group’s subordinate ID ranges for use as the user namespace mappings for contained processes.
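The subordinate-range lookup described in the manpage text, as an added example that is not part of the original post or of Docker's code: it resolves a user's entry in /etc/subuid format and computes which host UID a container UID becomes. The sample entries are constructed, the function names are hypothetical, and only one range per user is handled.

```sh
#!/bin/sh
# Added example: how --userns-remap turns container IDs into host IDs.
# Entries use the /etc/subuid format name:first_host_id:count. These two are
# constructed sample data; "dockremap" is the user Docker creates for "default".
SAMPLE_SUBUID='alice:100000:65536
dockremap:165536:65536'

# subid_range USER [DATA]: print "start count" of USER's first range; fail if none.
# (Assumption: one range per user; further ranges for the same user are ignored.)
subid_range() {
  printf '%s\n' "${2:-$SAMPLE_SUBUID}" | awk -F: -v u="$1" '
    $1 == u { print $2, $3; found = 1; exit }
    END     { exit !found }'
}

# map_to_host USER CONTAINER_ID [DATA]: print the host ID CONTAINER_ID maps to.
# Returns 1 if USER has no range, 2 if the ID lies outside the mapped range.
map_to_host() {
  local range start count
  range="$(subid_range "$1" "${3:-$SAMPLE_SUBUID}")" || return 1
  start="${range% *}"
  count="${range#* }"
  [ "$2" -ge 0 ] 2>/dev/null && [ "$2" -lt "$count" ] || return 2
  echo $(( start + $2 ))
}

# expected_uid_map USER [DATA]: the "inside outside length" triple that
# /proc/<pid>/uid_map of a remapped container process should show
# (the kernel pads the columns with whitespace).
expected_uid_map() {
  local range
  range="$(subid_range "$1" "${2:-$SAMPLE_SUBUID}")" || return 1
  echo "0 $range"
}

# Demo on the constructed data: container root is an unprivileged host UID.
echo "container uid 0    -> host uid $(map_to_host dockremap 0)"
echo "container uid 1000 -> host uid $(map_to_host dockremap 1000)"
echo "expected uid_map   -> $(expected_uid_map dockremap)"
```

To check a real host, pass the file contents as the last argument, for example `map_to_host dockremap 0 "$(cat /etc/subuid)"`.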

Here’s my video explaining it:

Simplifying Let's Encrypt on Uberspace

• Uberspace • Comments

I’m regularly using Uberspace, a provider for Shared Hosting with a lot of special quirks (sadly only available in German). I’m also using Let’s Encrypt to create certificates for most of my websites. The hard-working folks at Uberspace have integrated a very easy way to apply Let’s Encrypt certificates for your domains, but it’s also very limited:

Übrigens ist dieses Zertifikat für alle oben angegebenen Domains gültig, du bekommst also nicht ein Zertifikat pro Domain, sondern ein Zertifikat, welches für alle Domains gültig ist:

“Your certificate is valid for all entered domains. You don’t get one certificate per domain, but one certificate which can be used for all domains.”

I don’t want this at all. I’ve got several domains set up which are not logically linked, some are not even linked with my name and shall stay this way.

So I created a small script to allow the creation of Let’s Encrypt certificates for several Uberspace domains independently. Introducing letsencrypt-uberspace-mgr.

Windows 10: Fix Reboot instead of Shutdown

• windows • Comments

Short tip, because I had to spend more time on it than I wanted. If your Windows 10 often refuses to shut down and reboots instead, check the Power Management setting of your network cards.

[Screenshot: Windows 10 Device Manager]

[Screenshot: Network adapter Power Management]

That’s it, your PC should now stay off if you shut it down. It’s possible this setting is reset after updates, so check if the problem resurfaces.

I have no idea why this feature was introduced. From my understanding that’s what the magic packet is for. So if one of my readers knows something about it, feel free to comment.

(via superuser)

Backup Windows partitions as virtual hard disk (VHD)

• windows and virtualization • Comments

Although I prefer Linux as a desktop OS, gaming on it is still very hard to realize. That’s why I need a Windows installation on my system. Said installation didn’t age well, so I decided to rejuvenate my six-year-old Windows installation and install Windows 10.

I wanted to have a fresh start and didn’t want to keep anything, but I still wanted to retain my old system and data partition as backup. I decided to use a Virtual Hard Disk (VHD) file as backup format. The advantage of this is that I can easily boot up a VM to compare my old system with my new one. Additionally, Windows 7 natively supports mounting VHDs, enabling easy access to the files. Thus, I created step-by-step instructions for later reference.


Tidy up your Docker lab

• Docker • Comments

Short tip for people like me experimenting with Docker: cleaning up after yourself can be time-consuming and annoying. This also applies to keeping 3rd party images up-to-date. Luckily there’s Spotify’s docker-gc for housekeeping which - although very basic - does the job exceptionally well. Just create one file containing the names or IDs of all images you want to keep and one file with all the container names or IDs you want to keep, and run docker-gc afterwards. Thereafter you can simply do a docker pull on the remaining images.
Here’s how I do the whole process, first cleaning up, afterwards refreshing the images which remain. As I do not conserve any containers, there is no EXCLUDE_CONTAINERS_FROM_GC:


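#!/bin/bash
set -e
set -u
set -o pipefail

# Clean up unused containers and images, keeping the images listed in the exclude file.
# Mounting docker.sock gives this container full control over the Docker daemon.
# The image name was missing from the listing; spotify/docker-gc is assumed here.
/bin/docker run -e "EXCLUDE_FROM_GC=/mnt/docker-gc-exclude" \
  -v "/docker-gc/:/mnt/" -v "/var/run/docker.sock:/var/run/docker.sock" \
  spotify/docker-gc

# Refresh every remaining image; untagged "<none>" entries cannot be pulled, so skip them.
for IMAGE in $(docker images | tail -n +2 | awk '$1 != "<none>" && $2 != "<none>" {print $1 ":" $2}'); do
  docker pull "${IMAGE}"
done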