@gdahlm
gdahlm / Dockerfile
Created December 9, 2025 22:51
Dockerfile to modify the `docker.io/ollama/ollama` official docker image to use a regular user and drop privileges
FROM ollama/ollama:latest
# explicitly set the ollama user/group IDs to assist with volumes etc...
RUN set -eux; \
groupadd -r ollama --gid=842; \
useradd -r -g ollama --uid=842 --home-dir=/home/ollama --shell=/bin/bash ollama; \
# Create the ollama user's home directory with appropriate permissions
install --verbose --directory --owner ollama --group ollama --mode 1750 /home/ollama
# Switch to the above user and drop the elevated privileges of the container-root user
# Without this the root user processes were all running as "CapEff: 00000000800405fb"
@gdahlm
gdahlm / pg_pod_demo.md
Last active November 24, 2025 19:45
Quick demo on using volumes in podman/k8s for high performance intra-pod communication

Quick demo on using volumes in podman/k8s for high performance intra-pod communication

k8s and podman use various local networking stacks, in both rootful and rootless modes, and these carry a performance cost, so it is sometimes valuable to use unix sockets between pod members.

To demonstrate this concept you can run the following with podman. With pasta or slirp4netns there is typically around a 10% loss on pgbench benchmarks when using localhost, which can be regained by using sockets.

This also allows you to run containers like a db server or webapp server with their own network namespace with no internet connection, as unix sockets do not depend on a shared net or ipc namespace.

Create Pod:

@gdahlm
gdahlm / usr.bin.run_keybase
Last active May 22, 2019 05:57
AppArmor profile for Keybase.io to prevent insecure and multi-user unfriendly use of /keybase; will prevent start unless run_keybase is modified.
#include <tunables/global>
# At the time of writing requires changing /usr/bin/run_keybase
# Partial diff, which may or may not work for your needs.
#
# - if fusermount -uz /keybase &> /dev/null ; then
# + if fusermount -uz $HOME/Keybase &> /dev/null ; then
#
# - kbfsfuse -debug -log-to-file /keybase &>> "$logdir/keybase.start.log" &
# + kbfsfuse -debug -log-to-file $HOME/Keybase &>> "$logdir/keybase.start.log" &

Keybase proof

I hereby claim:

  • I am gdahlm on github.
  • I am gdahlman (https://keybase.io/gdahlman) on keybase.
  • I have a public key ASBjvxhQRqSmqC0WqinWzt4Is6-l4Qg2E3hExsOEsJyQZAo

To claim this, I am signing this object:

diff --git a/lib/ansible/modules/remote_management/wakeonlan.py b/lib/ansible/modules/remote_management/wakeonlan.py
index 5308901f59..195f14b0af 100644
--- a/lib/ansible/modules/remote_management/wakeonlan.py
+++ b/lib/ansible/modules/remote_management/wakeonlan.py
@@ -97,10 +97,10 @@ def wakeonlan(module, mac, broadcast, port):
module.fail_json(msg="Incorrect MAC address format: %s" % mac_orig)
# Create payload for magic packet
- data = ''
- padding = ''.join(['FFFFFFFFFFFF', mac * 20])
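Review bot: the removed `padding = ''.join(['FFFFFFFFFFFF', mac * 20])` line repeats the MAC 20 times, while a Wake-on-LAN magic packet is six 0xFF bytes followed by 16 repetitions of the target MAC; the replacement should either use 16 or carry a comment explaining why 20 is kept. The hunk as shown ends after the two removed lines, so the added lines that replace `data` and `padding` are not visible here and could not be checked.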
@gdahlm
gdahlm / Dockerfile
Created May 21, 2017 19:39
Dockerfile for launching a Jupyter notebook container.
FROM python:3
ENV PYTHONUNBUFFERED 1
RUN mkdir /code
WORKDIR /code
ADD requirements.txt /code/
RUN pip install -r requirements.txt
ADD . /code/
# Add Tini. Tini operates as a process subreaper for jupyter. This prevents
# kernel crashes.
ENV TINI_VERSION v0.6.0
@gdahlm
gdahlm / docker-compose.yaml
Created May 21, 2017 19:36
Jupyter Notebook Docker Compose yaml
version: '2'
services:
  notebook:
    build: .
    command: jupyter notebook --port=8887 --no-browser --ip=0.0.0.0 --allow-root
    volumes:
      - .:/code
    ports:
      - "8887:8887"