• 2 Posts
  • 22 Comments
Joined 1 year ago
cake
Cake day: June 14th, 2023

help-circle




  • Running without docker is out of question, is a bundle of 6 docker containers. Deployment and management without it would be too complicated. Luckily somebody in another reply made me realize that the RAM eating container (cockroach DB) is far less essential than I thought and I can look for a replacement.



  • Thanks, this is a really good point, I can try to replace the identity provider! I did not realized that cockroachDB was only a Zitadel requirement! There are many great alternatives for mesh VPNs, netmaker, nebula, and headscale as you mentioned and all of them are much lighter. I ended up hosting netbird as it is natively able to traverse my corporate NAT (maybe headscale could do it as well, I did not try it since I do not like having to configure registry keys on windows clients and losing the kernel wireguard speed on linux clients) .










  • Thanks for sharing your experience, indeed the distribution is relevant here. I am running Arch (BTW) on this VPS which idles at about 300 MB with dockerd and containerd, I am not sure how does exactly compare to Debian on RAM usage (I have a couple of other VPS running debian which seem to use a little bit more RAM but it could be because those images are bastardized by the addition of cloud provider services). In any case my setup is pretty minimal, to get some large benefit there I fear I should use something without systemd :/


  • The server is clearly overloaded, as soon as I start using some 10% of CPU frequently for some minutes (due to swap operations), the Hypervisor starts to throttle my instance and this of course makes the thing worse with an avalanche effect. When this happens steal time displayed from top can go literally as high as 90%.



  • Hi, to check attacks you should look at the logs. In this case auth.log. Being attacked on port 22 is not surprising neither really troublesome if you connect via key pair.

    My graph was showing egress traffic, on any kind of server the traffic due to these attacks would have been invisible but on a backup server which has (hopefully) only ingress you can clearly see the volume of connections from attackers from bytes teansmitted