<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="../assets/xml/rss.xsl" media="all"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Linux Sin Humo (Posts about podman)</title><link>https://sergiobelkin.com/</link><description></description><atom:link href="https://sergiobelkin.com/categories/podman.xml" rel="self" type="application/rss+xml"></atom:link><language>es</language><copyright>Contents © 2026 &lt;a href="mailto:sebelk@gmail.com"&gt;sebelk&lt;/a&gt; 
&lt;a rel="license" href="https://creativecommons.org/licenses/by-nc-sa/4.0/"&gt;
&lt;img alt="Creative Commons License BY-NC-SA"
style="border-width:0; margin-bottom:12px;"
src="https://i.creativecommons.org/l/by-nc-sa/4.0/88x31.png"&gt;&lt;/a&gt;
</copyright><lastBuildDate>Sun, 21 Jun 2026 02:32:28 GMT</lastBuildDate><generator>Nikola (getnikola.com)</generator><docs>http://blogs.law.harvard.edu/tech/rss</docs><item><title>3 Power Tips + 1 Power Link I8</title><link>https://sergiobelkin.com/posts/3-power-tips-power-link-i8/</link><dc:creator>sebelk</dc:creator><description>&lt;figure&gt;&lt;img src="https://sergiobelkin.com/images/PowerTipsPlus.png"&gt;&lt;/figure&gt; &lt;p&gt;&lt;strong&gt;Summary&lt;/strong&gt;: In this installment, an example of the power of bash subshells, how to solve SELinux problems with Podman, and the use of the yq tool to process YAML files.&lt;/p&gt;
&lt;p&gt;&lt;code&gt;Note: In the command examples, the unprivileged user's prompt is "$", while the superuser's is "#"&lt;/code&gt;&lt;/p&gt;
&lt;h3 id="power-tip-1-crear-entornos-de-bash-efimeros-usando-subshells"&gt;Power Tip #1: Crear entornos de bash efímeros usando subshells&lt;/h3&gt;
&lt;p&gt;A subshell is a copy of the current shell process. One way to create a subshell is with &lt;code&gt;()&lt;/code&gt;, and it is useful for customizing the bash environment reversibly. For example, we can change directory and set the LANG environment variable to C (POSIX) so that output and error messages are shown in English:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$LANG&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
es_AR.UTF-8
$&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;pwd&lt;/span&gt;
/home/sergio
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now we create a &lt;strong&gt;subshell&lt;/strong&gt;:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="nv"&gt;LANG&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;C&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"La variable LANG cambia a  &lt;/span&gt;&lt;span class="nv"&gt;$LANG&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/algun_dir&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;||&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;cd&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/tmp&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"el directorio actual es &lt;/span&gt;&lt;span class="nv"&gt;$PWD&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt;  &lt;/span&gt;myscript.sh&lt;span class="o"&gt;)&lt;/span&gt;
La&lt;span class="w"&gt; &lt;/span&gt;variable&lt;span class="w"&gt; &lt;/span&gt;LANG&lt;span class="w"&gt; &lt;/span&gt;cambia&lt;span class="w"&gt; &lt;/span&gt;a&lt;span class="w"&gt;  &lt;/span&gt;C
-bash:&lt;span class="w"&gt; &lt;/span&gt;cd:&lt;span class="w"&gt; &lt;/span&gt;/algun_dir:&lt;span class="w"&gt; &lt;/span&gt;No&lt;span class="w"&gt; &lt;/span&gt;such&lt;span class="w"&gt; &lt;/span&gt;file&lt;span class="w"&gt; &lt;/span&gt;or&lt;span class="w"&gt; &lt;/span&gt;directory
el&lt;span class="w"&gt; &lt;/span&gt;directorio&lt;span class="w"&gt; &lt;/span&gt;actual&lt;span class="w"&gt; &lt;/span&gt;es&lt;span class="w"&gt; &lt;/span&gt;/tmp
-bash:&lt;span class="w"&gt; &lt;/span&gt;myscript.sh:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;command&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;not&lt;span class="w"&gt; &lt;/span&gt;found
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;When the subshell exits, we return to the parent shell, and both the working directory and the LANG variable go back to their original values:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;pwd&lt;/span&gt;
/home/sergio
$&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;echo&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$LANG&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;
es_AR.UTF-8
&lt;/pre&gt;&lt;/div&gt;

&lt;h3 id="power-tip-2-identificar-y-solucionar-problemas-de-selinux-al-usar-volumenes"&gt;Power Tip #2: Identificar y solucionar problemas de SELinux al usar volúmenes.&lt;/h3&gt;
&lt;p&gt;Suppose we need to test a configuration in a container:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;podman&lt;span class="w"&gt; &lt;/span&gt;run&lt;span class="w"&gt;  &lt;/span&gt;--name&lt;span class="w"&gt; &lt;/span&gt;mynginx&lt;span class="w"&gt;  &lt;/span&gt;-d&lt;span class="w"&gt; &lt;/span&gt;-v&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nv"&gt;$HOME&lt;/span&gt;/sandbox/nginx.conf:/etc/nginx/nginx.conf&lt;span class="w"&gt; &lt;/span&gt;--pull&lt;span class="o"&gt;=&lt;/span&gt;never&lt;span class="w"&gt; &lt;/span&gt;docker.io/library/nginx@sha256:553f64aecdc31b5bf944521731cd70e35da4faed96b2b7548a3d8e2598c52a42
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now, what happens if the container actually fails to start, as the logs show?&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;podman&lt;span class="w"&gt; &lt;/span&gt;logs&lt;span class="w"&gt; &lt;/span&gt;mynginx&lt;span class="w"&gt; &lt;/span&gt;
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/&lt;span class="w"&gt; &lt;/span&gt;is&lt;span class="w"&gt; &lt;/span&gt;not&lt;span class="w"&gt; &lt;/span&gt;empty,&lt;span class="w"&gt; &lt;/span&gt;will&lt;span class="w"&gt; &lt;/span&gt;attempt&lt;span class="w"&gt; &lt;/span&gt;to&lt;span class="w"&gt; &lt;/span&gt;perform&lt;span class="w"&gt; &lt;/span&gt;configuration
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Looking&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;shell&lt;span class="w"&gt; &lt;/span&gt;scripts&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
&lt;span class="m"&gt;10&lt;/span&gt;-listen-on-ipv6-by-default.sh:&lt;span class="w"&gt; &lt;/span&gt;info:&lt;span class="w"&gt; &lt;/span&gt;Getting&lt;span class="w"&gt; &lt;/span&gt;the&lt;span class="w"&gt; &lt;/span&gt;checksum&lt;span class="w"&gt; &lt;/span&gt;of&lt;span class="w"&gt; &lt;/span&gt;/etc/nginx/conf.d/default.conf
&lt;span class="m"&gt;10&lt;/span&gt;-listen-on-ipv6-by-default.sh:&lt;span class="w"&gt; &lt;/span&gt;info:&lt;span class="w"&gt; &lt;/span&gt;Enabled&lt;span class="w"&gt; &lt;/span&gt;listen&lt;span class="w"&gt; &lt;/span&gt;on&lt;span class="w"&gt; &lt;/span&gt;IPv6&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/etc/nginx/conf.d/default.conf
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Sourcing&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Configuration&lt;span class="w"&gt; &lt;/span&gt;complete&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;ready&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;start&lt;span class="w"&gt; &lt;/span&gt;up
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;20&lt;/span&gt;:09:21&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;emerg&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: open() "/etc/nginx/nginx.conf" failed (13: Permission denied)&lt;/span&gt;
nginx:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;emerg&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;open&lt;span class="o"&gt;()&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"/etc/nginx/nginx.conf"&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;failed&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;(&lt;/span&gt;&lt;span class="m"&gt;13&lt;/span&gt;:&lt;span class="w"&gt; &lt;/span&gt;Permission&lt;span class="w"&gt; &lt;/span&gt;denied&lt;span class="o"&gt;)&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;If you are tempted to disable SELinux, I strongly recommend that you read &lt;a href="https://sergiobelkin.com/posts/selinux-nah-deshabilitalo/"&gt;¿SELinux? Nah, dejalo en Disabled&lt;/a&gt;. What is happening is that no SELinux policy rule allows a container process to access a file with the context that nginx.conf has on the host.&lt;/p&gt;
&lt;p&gt;File context:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;ls&lt;span class="w"&gt; &lt;/span&gt;-Z&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nv"&gt;$HOME&lt;/span&gt;/sandbox/nginx.conf
unconfined_u:object_r:user_home_t:s0&lt;span class="w"&gt; &lt;/span&gt;/home/sergio/sandbox/nginx.conf
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This problem is easily fixed: stop and remove the container, then run it again with the volume mount suffixed with &lt;code&gt;:Z&lt;/code&gt; so that Podman relabels the file for the container:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;stop&lt;span class="w"&gt; &lt;/span&gt;mynginx
podman&lt;span class="w"&gt; &lt;/span&gt;rm&lt;span class="w"&gt; &lt;/span&gt;mynginx
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;And now the container will start without problems:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;ps
CONTAINER&lt;span class="w"&gt; &lt;/span&gt;ID&lt;span class="w"&gt;  &lt;/span&gt;IMAGE&lt;span class="w"&gt;                                                                                            &lt;/span&gt;COMMAND&lt;span class="w"&gt;               &lt;/span&gt;CREATED&lt;span class="w"&gt;         &lt;/span&gt;STATUS&lt;span class="w"&gt;         &lt;/span&gt;PORTS&lt;span class="w"&gt;       &lt;/span&gt;NAMES
a29c08eda1b1&lt;span class="w"&gt;  &lt;/span&gt;docker.io/library/nginx@sha256:553f64aecdc31b5bf944521731cd70e35da4faed96b2b7548a3d8e2598c52a42&lt;span class="w"&gt;  &lt;/span&gt;nginx&lt;span class="w"&gt; &lt;/span&gt;-g&lt;span class="w"&gt; &lt;/span&gt;daemon&lt;span class="w"&gt; &lt;/span&gt;o...&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="m"&gt;12&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;seconds&lt;span class="w"&gt; &lt;/span&gt;ago&lt;span class="w"&gt;  &lt;/span&gt;Up&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;12&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;seconds&lt;span class="w"&gt;              &lt;/span&gt;mynginx
podman&lt;span class="w"&gt; &lt;/span&gt;logs&lt;span class="w"&gt; &lt;/span&gt;mynginx&lt;span class="w"&gt; &lt;/span&gt;
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/&lt;span class="w"&gt; &lt;/span&gt;is&lt;span class="w"&gt; &lt;/span&gt;not&lt;span class="w"&gt; &lt;/span&gt;empty,&lt;span class="w"&gt; &lt;/span&gt;will&lt;span class="w"&gt; &lt;/span&gt;attempt&lt;span class="w"&gt; &lt;/span&gt;to&lt;span class="w"&gt; &lt;/span&gt;perform&lt;span class="w"&gt; &lt;/span&gt;configuration
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Looking&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;shell&lt;span class="w"&gt; &lt;/span&gt;scripts&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/10-listen-on-ipv6-by-default.sh
&lt;span class="m"&gt;10&lt;/span&gt;-listen-on-ipv6-by-default.sh:&lt;span class="w"&gt; &lt;/span&gt;info:&lt;span class="w"&gt; &lt;/span&gt;Getting&lt;span class="w"&gt; &lt;/span&gt;the&lt;span class="w"&gt; &lt;/span&gt;checksum&lt;span class="w"&gt; &lt;/span&gt;of&lt;span class="w"&gt; &lt;/span&gt;/etc/nginx/conf.d/default.conf
&lt;span class="m"&gt;10&lt;/span&gt;-listen-on-ipv6-by-default.sh:&lt;span class="w"&gt; &lt;/span&gt;info:&lt;span class="w"&gt; &lt;/span&gt;Enabled&lt;span class="w"&gt; &lt;/span&gt;listen&lt;span class="w"&gt; &lt;/span&gt;on&lt;span class="w"&gt; &lt;/span&gt;IPv6&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;in&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;/etc/nginx/conf.d/default.conf
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Sourcing&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/15-local-resolvers.envsh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/20-envsubst-on-templates.sh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Launching&lt;span class="w"&gt; &lt;/span&gt;/docker-entrypoint.d/30-tune-worker-processes.sh
/docker-entrypoint.sh:&lt;span class="w"&gt; &lt;/span&gt;Configuration&lt;span class="w"&gt; &lt;/span&gt;complete&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;ready&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="k"&gt;for&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;start&lt;span class="w"&gt; &lt;/span&gt;up
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: using the "epoll" event method&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: nginx/1.29.3&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10y&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: built by gcc 14.2.0 (Debian 14.2.0-19) &lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: OS: Linux 4.18.0-553.84.1.el8_10.x86_64&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: getrlimit(RLIMIT_NOFILE): 262144:262144&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: start worker processes&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: start worker process 28&lt;/span&gt;
&lt;span class="m"&gt;2025&lt;/span&gt;/11/24&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;21&lt;/span&gt;:16:10&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="o"&gt;[&lt;/span&gt;notice&lt;span class="o"&gt;]&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="c1"&gt;#1: start worker process 29&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Now, the &lt;code&gt;:Z&lt;/code&gt; option is not magic; to get an idea of what it does, let's look again at the context of the file $HOME/sandbox/nginx.conf:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;$&lt;span class="w"&gt; &lt;/span&gt;ls&lt;span class="w"&gt; &lt;/span&gt;-Z&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nv"&gt;$HOME&lt;/span&gt;/sandbox/nginx.conf
system_u:object_r:container_file_t:s0:c369,c839&lt;span class="w"&gt; &lt;/span&gt;/home/sergio/sandbox/nginx.conf
&lt;/pre&gt;&lt;/div&gt;

&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Field&lt;/th&gt;
&lt;th&gt;Before&lt;/th&gt;
&lt;th&gt;After&lt;/th&gt;
&lt;th&gt;Comment&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;User (SELinux)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;unconfined_u&lt;/td&gt;
&lt;td&gt;system_u&lt;/td&gt;
&lt;td&gt;Goes from an unconfined user to a system-managed user&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Role (SELinux)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;object_r&lt;/td&gt;
&lt;td&gt;object_r&lt;/td&gt;
&lt;td&gt;Unchanged&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;Type (type enforcement)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;user_home_t&lt;/td&gt;
&lt;td&gt;container_file_t&lt;/td&gt;
&lt;td&gt;Changes to a type that container processes are allowed to read and write&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;MCS range (SELinux)&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;s0&lt;/td&gt;
&lt;td&gt;s0:c369,c839&lt;/td&gt;
&lt;td&gt;This change means that only one container, the one running with these two categories, can use the file exclusively; note that &lt;code&gt;:Z&lt;/code&gt; relabels the host file itself, so it should not be used on shared system directories&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;h3 id="power-tip-3-filtrar-un-archivo-de-template-en-formato-yaml-de-zabbix-sin-instalar-absolutamente-nada"&gt;Power Tip #3: Filtrar un archivo de template en formato yaml de Zabbix sin instalar absolutamente nada&lt;/h3&gt;
&lt;p&gt;We only need Podman; in the following example we filter all static triggers with severity level &lt;strong&gt;HIGH&lt;/strong&gt; or &lt;strong&gt;DISASTER&lt;/strong&gt;:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;run&lt;span class="w"&gt; &lt;/span&gt;--rm&lt;span class="w"&gt; &lt;/span&gt;-v&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="si"&gt;${&lt;/span&gt;&lt;span class="nv"&gt;PWD&lt;/span&gt;&lt;span class="si"&gt;}&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt;:/workdir:Z&lt;span class="w"&gt; &lt;/span&gt;mikefarah/yq&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="s1"&gt;'.zabbix_export.templates[].items[].triggers[] | select(.priority == "HIGH" or .priority == "DISASTER")| {"Trigger": .name}'&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;template_db_mssql_agent2.yaml
Trigger:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'MSSQL: Percentage of the buffer cache efficiency is low'&lt;/span&gt;
Trigger:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'MSSQL: Page life expectancy is low'&lt;/span&gt;
Trigger:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'MSSQL: Percentage of work tables available from the work table cache is low'&lt;/span&gt;
Trigger:&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'MSSQL: Service is unavailable'&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;h3 id="fuentes-y-mas-recursos"&gt;Fuentes y más recursos&lt;/h3&gt;
&lt;ul&gt;
&lt;li&gt;&lt;a href="https://danwalsh.livejournal.com/81269.html"&gt;Container Labeling&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;a href="https://danwalsh.livejournal.com/76016.html"&gt;Be careful relabeling volumes with Container run times. Sometimes things can go very wrong?&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="power-link"&gt;Power Link&lt;/h3&gt;
&lt;p&gt;This edition's link points to an interview with Linus Torvalds that revolves around the evolution of hardware, AI and its impact on Linux and kernel development: &lt;a href="https://www.youtube.com/watch?v=NjGHrDnPxwI"&gt;Linus Torvalds — Talks about AI Hype, GPU Power, and Linux’s Future &lt;/a&gt;. Today, issues such as intuition-driven programming with the help of chatbots are raising important debates, not only in Linux but in IT in general.&lt;/p&gt;</description><category>bash</category><category>podman</category><category>seguridad</category><category>SELinux</category><category>yq</category><category>zabbix</category><guid>https://sergiobelkin.com/posts/3-power-tips-power-link-i8/</guid><pubDate>Sun, 23 Nov 2025 22:09:59 GMT</pubDate></item><item><title>3 Power Tips + 1 Power Link I6</title><link>https://sergiobelkin.com/posts/3-power-tips-power-link-i6/</link><dc:creator>sebelk</dc:creator><description>&lt;figure&gt;&lt;img src="https://sergiobelkin.com/images/PowerTipsPlus.png"&gt;&lt;/figure&gt; &lt;p&gt;&lt;strong&gt;Summary:&lt;/strong&gt; Tips for KDE Plasma, managing temporary directories, and detailed information about Podman. Also, a link to a post in which an engineering lead recommends moving from Docker to Podman.  &lt;/p&gt;
&lt;h3 id="power-tip-1-reiniciar-kde-plasma-sin-cerrar-sesion"&gt;Power Tip #1 Reiniciar KDE Plasma sin cerrar sesión&lt;/h3&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;kquitapp6&lt;span class="w"&gt; &lt;/span&gt;plasmashell&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;plasmashell&lt;span class="w"&gt; &lt;/span&gt;--replace&lt;span class="w"&gt; &lt;/span&gt;&amp;gt;/tmp/plasma.log&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="m"&gt;2&lt;/span&gt;&amp;gt;&lt;span class="p"&gt;&amp;amp;&lt;/span&gt;&lt;span class="m"&gt;1&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;&amp;amp;&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="nb"&gt;disown&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;-h
&lt;/pre&gt;&lt;/div&gt;

&lt;h3 id="power-tip-2-crea-un-sandbox-con-limpieza-automatica-usando-tmpfilesd"&gt;Power Tip #2 Crea un sandbox con limpieza automática usando tmpfiles.d&lt;/h3&gt;
&lt;p&gt;Podemos tener un directorio al cual usamos como sandbox, por ejemplo para:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Downloading files&lt;/li&gt;
&lt;li&gt;Dumping temporary logs and dumps&lt;/li&gt;
&lt;li&gt;Scripts, code... and anything we want to try out.... for a while.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;But the idea is that we do not want those files to be kept indefinitely... so:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;cat&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s"&gt;&amp;lt;&amp;lt; EOF &amp;gt;  ~/.config/user-tmpfiles.d/user-sandbox.conf &lt;/span&gt;
&lt;span class="s"&gt;&amp;gt; d %h/sandbox - - - 7d&lt;/span&gt;
&lt;span class="s"&gt;&amp;gt; d %h/sandbox/ephemeral - - - 10m&lt;/span&gt;
&lt;span class="s"&gt;&amp;gt; EOF&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;A tempting idea is to use a directory like &lt;code&gt;/tmp&lt;/code&gt;. But it is not good practice to use that directory as a sandbox. After creating that file, you have to run &lt;code&gt;systemd-tmpfiles --create --user&lt;/code&gt;, which will create the directories at the specified paths. The &lt;code&gt;systemd-tmpfiles-clean&lt;/code&gt; service will periodically remove files older than 7 days from the ~/sandbox directory. The contents of &lt;code&gt;~/sandbox/ephemeral&lt;/code&gt;, on the other hand, will not be deleted automatically unless we create a timer unit. It can, however, be done manually with &lt;code&gt;systemd-tmpfiles --clean --user&lt;/code&gt;. As always, understanding why you do what you do is fundamental; the man pages are always allies to keep in mind, even at the height of the AI hype.&lt;/p&gt;
&lt;p&gt;By the way... the command in Power Tip #1 could have used the sandbox directory instead of /tmp....&lt;/p&gt;
&lt;h3 id="power-tip-3-revisar-espacios-y-objetos-de-manera-detallada-en-podman"&gt;Power Tip #3 Review disk usage and objects in detail in Podman&lt;/h3&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;system&lt;span class="w"&gt; &lt;/span&gt;df&lt;span class="w"&gt; &lt;/span&gt;-v
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This way we get very useful information about the images, containers and volumes we have.&lt;/p&gt;
&lt;p&gt;&lt;a class="image-reference" href="https://sergiobelkin.com/images/pt6-podman-system-df.webp"&gt;&lt;img src="https://sergiobelkin.com/images/pt6-podman-system-df.thumbnail.webp" alt="Space used by podman"&gt;&lt;/a&gt; &lt;/p&gt;
&lt;h4 id="power-link"&gt;Power Link&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://www.odbms.org/blog/2025/10/beyond-the-ai-hype-guido-van-rossum-on-pythons-philosophy-simplicity-and-the-future-of-programming/"&gt;Entrevista a Guido van Rossum, creador de Python, en la cual trata entre temas sobre AI&lt;/a&gt;&lt;/p&gt;</description><category>kde-plasma</category><category>podman</category><category>systemd</category><guid>https://sergiobelkin.com/posts/3-power-tips-power-link-i6/</guid><pubDate>Mon, 13 Oct 2025 21:13:07 GMT</pubDate></item><item><title>3 Power Tips + 1 Power Link I5</title><link>https://sergiobelkin.com/posts/3-power-tips-power-link-i5/</link><dc:creator>sebelk</dc:creator><description>&lt;figure&gt;&lt;img src="https://sergiobelkin.com/images/PowerTipsPlus.png"&gt;&lt;/figure&gt; &lt;p&gt;&lt;strong&gt;Resumen:&lt;/strong&gt; Tips para contenedores, uso de digests y análisis de seguridad de imágenes y obtener información de imágenes remotas. Además, un link a un post en el cual un líder de ingenería recomienda pasar de Docker a Podman.  &lt;/p&gt;
&lt;h3 id="power-tip-1-etiquetar-las-imagenes-con-digest-en-produccion"&gt;Power Tip #1 Etiquetar las imágenes con digest en producción&lt;/h3&gt;
&lt;p&gt;&lt;strong&gt;❌ Mala práctica, apuntar a un tag:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;run&lt;span class="w"&gt; &lt;/span&gt;-d&lt;span class="w"&gt; &lt;/span&gt;--name&lt;span class="w"&gt; &lt;/span&gt;pass_git&lt;span class="w"&gt; &lt;/span&gt;localhost/passteiner-ubi9:1
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;This is a bad practice because:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;It is mutable; it can be moved to point at another build&lt;/li&gt;
&lt;li&gt;It is also a mistake to blindly trust &lt;em&gt;latest&lt;/em&gt;: today it may point to one version, tomorrow to another&lt;/li&gt;
&lt;li&gt;It makes debugging harder, since you do not know exactly which version you are running&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;✅ Good practice:&lt;/strong&gt;&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;podman&lt;span class="w"&gt; &lt;/span&gt;run&lt;span class="w"&gt; &lt;/span&gt;-d&lt;span class="w"&gt; &lt;/span&gt;--name&lt;span class="w"&gt; &lt;/span&gt;pass-git&lt;span class="w"&gt; &lt;/span&gt;--pull&lt;span class="o"&gt;=&lt;/span&gt;never&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="se"&gt;\&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;localhost/passteiner-ubi9@sha256:3ca1e63acb24d88fde5e86eb1f476ba69eb740cd43590c37f3a964b5a19f001
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;&lt;strong&gt;Advantages:&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;
&lt;p&gt;Fully reproducible and auditable.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;You avoid surprise updates.&lt;/p&gt;
&lt;/li&gt;
&lt;li&gt;
&lt;p&gt;Ideal for production, CI/CD, and any environment where reliability matters.&lt;/p&gt;
&lt;/li&gt;
&lt;/ul&gt;
&lt;h3 id="power-tip-2-examinar-vulnerabilidades-en-imagenes-de-contenedores"&gt;Power Tip #2 Examinar vulnerabilidades en imágenes de contenedores&lt;/h3&gt;
&lt;p&gt;La abstración con que nos proporcionan los contenedores, tal vez nos den una falsa sensación de seguridad, sin embargo, con trivy se pueden escanear en una imagen vulnerabilades por ejemplo:&lt;/p&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;trivy&lt;span class="w"&gt; &lt;/span&gt;image&lt;span class="w"&gt; &lt;/span&gt;docker.io/bitnami/wordpress
&lt;/pre&gt;&lt;/div&gt;

&lt;p&gt;Below we can see a summary:&lt;/p&gt;
&lt;p&gt;&lt;a class="image-reference" href="https://sergiobelkin.com/images/pt5-trivy.webp"&gt;&lt;img src="https://sergiobelkin.com/images/pt5-trivy.thumbnail.webp" alt="Summary of the report produced by trivy"&gt;&lt;/a&gt; &lt;/p&gt;
&lt;h3 id="power-tip-3-examinar-imagenes-de-contenedores-sin-necesidad-pullearlas"&gt;Power Tip #3 Inspect container images without needing to pull them&lt;/h3&gt;
&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;skopeo&lt;span class="w"&gt; &lt;/span&gt;inspect&lt;span class="w"&gt; &lt;/span&gt;docker://docker.io/ollama/ollama&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="se"&gt;\&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;|&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;jq&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s1"&gt;'{Digest: .Digest, Labels: .Labels, UltimaCapa: .Layers[-1]}'&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;div class="code"&gt;&lt;pre class="code literal-block"&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;"Digest"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sha256:a5409cb903d30f9cd67e9f430dd336ddc9274e16fd78f75b675c42065991b4fd"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;"Labels"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;"org.opencontainers.image.ref.name"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"ubuntu"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;
&lt;span class="w"&gt;    &lt;/span&gt;&lt;span class="nt"&gt;"org.opencontainers.image.version"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"24.04"&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="p"&gt;},&lt;/span&gt;
&lt;span class="w"&gt;  &lt;/span&gt;&lt;span class="nt"&gt;"UltimaCapa"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"sha256:45fafbfc0e267e3b61858ae5cb28ff739d901d85e1b60ee62db5dad64ae7c0d5"&lt;/span&gt;
&lt;span class="p"&gt;}&lt;/span&gt;
&lt;/pre&gt;&lt;/div&gt;

&lt;h4 id="de-esta-manera-obtenemos"&gt;De esta manera obtenemos:&lt;/h4&gt;
&lt;ul&gt;
&lt;li&gt;The image &lt;strong&gt;Digest&lt;/strong&gt; (immutable unique identifier).&lt;/li&gt;
&lt;li&gt;Which &lt;strong&gt;base distro and version&lt;/strong&gt; the image was built on (&lt;code&gt;ubuntu:24.04&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;The &lt;strong&gt;Digest of the last layer&lt;/strong&gt;, which represents the &lt;strong&gt;last change&lt;/strong&gt; to the filesystem during the build process.&lt;/li&gt;
&lt;/ul&gt;
&lt;blockquote&gt;
&lt;p&gt;&lt;em&gt;The digest of the last layer represents the last change to the filesystem in the image build process.&lt;/em&gt;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;h4 id="power-link"&gt;Power Link&lt;/h4&gt;
&lt;p&gt;&lt;a href="https://codesmash.dev/why-i-ditched-docker-for-podman-and-you-should-too"&gt;Why I Ditched Docker for Podman And You Should Too&lt;/a&gt;&lt;/p&gt;</description><category>podman</category><category>seguridad</category><category>skopeo</category><category>trivy</category><guid>https://sergiobelkin.com/posts/3-power-tips-power-link-i5/</guid><pubDate>Sat, 13 Sep 2025 19:38:48 GMT</pubDate></item></channel></rss>