For sending a mail message on port 25:
HELO
mail-from: whoever@whatever.com
mail-to: sysadmin@yaya.com
<other headers>
<blank line>
Body of the message yay.
<two blank lines to end>
POP3 was so long ago I forgot but you could list the mailboxes then get individual messages and so on.
This revelation was the beginning of "there is no magic" for me. The realization that every part of the computer was built by human beings and was at some level understandable if one undertook the effort.
Perhaps most people in the future won't bother. They'll just let agents do it all. I'm sure that will leave some interesting holes in various systems for people willing to actually learn how they work without the filter of a model (or its safety rails).
razodactyl 2 minutes ago [-]
Me too! Writing Winsock and learning WinAPI on XP then Vista. It took me a while to realise Linux was better / OSX was my gateway drug haha
kps 3 hours ago [-]
Last century I would read and send personal email from work using telnet to pop3 and smtp respectively.
bijowo1676 44 minutes ago [-]
perhaps you meant "in previous millennium" ?
__float 4 minutes ago [-]
If someone referred to the "previous decade" in 2004, would you have said the same thing?
As the calendar rolled from 1999 to 2000, we entered a new millennium, century, decade, year, day, ...
chrisbrandow 25 minutes ago [-]
Presumably the years including 1999 and earlier
MuffinFlavored 26 minutes ago [-]
I must have tried to write the same "perfect" IRC client from scratch in C a dozen times growing up...
jazz9k 3 hours ago [-]
When I was 12, I learned about open SMTP relays and how to spoof email this way. I once spoofed an email between two rivals on a community I was a part of and started a flame war.
Good times.
sejje 2 hours ago [-]
I once made an enemy on AOL and he was a spammer--he put my email in the from: field and I got a lot of hostile emails.
But the joke's on him--it led directly to me meeting a lifelong friend & mentor.
basilikum 5 hours ago [-]
> As it turns out, bash can speak HTTP by itself.
No, it can not. Bash lets you open TCP sockets.
What you are doing here is trying to speak HTTP yourself, which is fine for testing and debugging, and hella cool for fun to do by hand, but you will shoot yourself in the foot if you try to use this pseudo http client unattended in reality. This toy code does not parse HTTP properly and will break.
For less insane, non-bash shells there is always nc which is usually probably the wiser choice.
iam-TJ 3 hours ago [-]
Need to be clear that "full http server in pure bash" is incorrect. Bash cannot listen on a TCP/UDP socket for incoming connections.
bash-web-server project builds a C language socket listener [0] that is dynamically loaded at run-time as a "built-in" module that makes the functionality available.
it's not that insane. i've been manually typing http requests in since before http/1.1 and the mandatory host header.
it is insane to use it for anything serious (also the opposite, implementing webservers in bash), but for quick testing it's pretty great!
bitmasher9 4 hours ago [-]
Why wouldn’t you use curl for the quick test?
hnav 4 hours ago [-]
Sometimes you want to do something that curl cannot express, e.g. timing, protocol oddities, etc. For example you may want to issue a CONNECT to an echo server through a proxy and observe the bytes flowing back and forth. You may want to see what happens when conflicting hop-by-hop headers are specified without worrying about the client's (curl's) interpretation of them. A simple nc -c (or openssl s_client -crlf) lets you do all of that.
Bender 37 minutes ago [-]
For what it's worth curl can do very detailed timing [1] and it can also do this using a proxy
Because curl is not installed in minimal docker images.
gear54rus 2 hours ago [-]
neither is bash or even sh for that matter :) if you have bash, you probably have apk or apt
a-dub 4 hours ago [-]
because in those days there was no curl, or wget. and then when there was, there was no guarantee they'd be installed.
telnet was always there though. it also worked for speaking all the other plaintext internet protocols. (imap, pop, smtp, etc)
HeckFeck 3 hours ago [-]
I used telnet to send mail via SMTP once, it's quite literally a good social protocol because it begins with a polite 'HELO'.
nativeit 12 minutes ago [-]
Is it the reply to ‘HELO’ that enables things like tarpits?
Like if my server replied with ‘HI PLEASURE TO MEET YOU 127.0.0.1 THAT NAME SOUNDS FAMILIAR ARE YOU BY CHANCE FROM BOSTON MY MOTHER IS FROM BOSTON WELL QUINCY ACTUALLY BUT DO YOU KNOW 127.0.1.1 THEY ARE A REALLY GOOD FRIEND OF MINE YOU SHOULD MEET I HEAR THEIR DAUGHTER IS A DOCTOR DONTYAKNOW AND YOU COULD…”
etc, etc?
a-dub 2 hours ago [-]
the '90s version of finding the hiring manager or boss on linkedin to try and get a job was connecting to the company's public smtp server with telnet, using their name to probe different email address patterns with "rcpt to:" (those days the actual servers were often directly connected to the internet and would leak email address validity in how they would respond to rcpt to) and then sending them a nice email.
smtp grew up to be an antisocial curmudgeon. extended smtp starts with EHLO.
jolmg 1 hours ago [-]
> smtp grew up to be an antisocial curmudgeon. extended smtp starts with EHLO.
"EHLO" still sounds friendly. It just sounds like a different accent or something. Know someone that used to answer calls with a friendly "Jello?".
a-dub 1 hours ago [-]
yeah, i think you're right. i originally read a bit of snarky blow-off, like "eh?" ... but you know, now that i think of it, it actually does have more of a friendly canadian style vibe.
endofreach 2 hours ago [-]
> smtp grew up to be an antisocial curmudgeon. extended smtp starts with EHLO.
email will become so unusable, next one will have to be HELNO i guess
dragontamer 4 hours ago [-]
Note: Telnet is not completely plaintext and has control characters in the upper byte range (like 0xff or something, I forget).
Use nc or this TCP Bash technique if you really want to ensure decent compatibility when doing hacky solutions, otherwise a random 0xFF somewhere from a terminal console color change (or other control character) might really screw you over.
EDIT or ya know, use the correct tool like Curl.
mrshu 5 hours ago [-]
> No, it can not. Bash lets you open TCP sockets.
Very fair pushback -- I did get carried away and will update the article to be more precise. Thanks for raising it!
> For less insane, non-bash shells there is always nc which is usually probably the wiser choice.
For completeness, `nc` or any netcat equivalent I could think of was not available in the image I was trying this with. It would certainly be a better option though.
bearjaws 5 hours ago [-]
This is the most Claude pilled comment I've seen here.
thih9 4 hours ago [-]
This worries me. Some AI writing styles became mainstream; at first it was the em-dashes, now it’s “A, not B” patterns and excessive acknowledging. There will be more.
Was grandparent comment written by an LLM?
Or is this a human who copies a style they saw in a blog post, unaware that they’re copying an AI?
Or is this a human who spent too much time talking to an AI and now they just talk like this?
Or is this an organic human response and we’re all paranoid by now?
I don’t know which would be worse.
elevation 3 hours ago [-]
When learning a language, I've heard it's good to find a reference speaker, such as a prolific actor, and mimic them in order to absorb several aspects of what makes them sound authentic as a speaker, such as vocabulary, intonation, diction, pacing.
For many in the next generation of language learners, this reference will be Claude.
disqard 2 hours ago [-]
Insightful, and scary! Imitating an imitation machine... even if no one is trying to intentionally do so, McLuhan's "we become what we behold" is inescapable.
8bitsout 3 hours ago [-]
I'm going to go insane from all of this
eddd-ddde 1 hours ago [-]
So? That's literally how language works. The importance is not in the writing style, but in the content of the words.
mrshu 4 hours ago [-]
It's pretty rough to learn I sound like Claude. Will need to do something about it then.
(For what it's worth I did write the message above manually but I understand why no one would believe that now. At least I did not call netcat "load-bearing" [https://mareksuppa.com/til/load-bearing/] or something...)
sisve 1 hours ago [-]
I did not think you sounded like claude. Then I looked again after the comment was made and then I saw some of the vibes. Like acknowledging a mistake you have done.
Before, that would have just made you top 5% (or maybe top 1%) of the nicest people to talk to.. now ppl think you are Claude.
We are all going crazy as a sibling comment said.
ffsm8 3 hours ago [-]
I know that feeling
I notice myself getting afflicted with llm-isms after a full workday. And I didn't always notice, sometimes I only realize the day after...
Like it slowly siphoned out my soul, which then reconnected with me over night
ed_elliott_asc 3 hours ago [-]
Ok Claude :)
nialv7 4 hours ago [-]
what would be a non-pilled way of saying the same thing?
xeyownt 4 hours ago [-]
Yeah. The comments saying it's AI-pilled comments are more annoying and less informative than the comments themselves.
WD-42 4 hours ago [-]
Good point however netcat wasn’t available either.
scubbo 3 hours ago [-]
FWIW, I didn't read this as AI-like. Even on a re-read, it's only the quasi-em-dash, and _maybe_ the polite acknowledgement of "Very fair pushback" (just good etiquette, IMO!) that would ring any alarm bells. You're fine.
throwrioawfo 4 hours ago [-]
[flagged]
mrshu 4 hours ago [-]
An old habit that unfortunately makes one indistinguishable from LLMs these days...
disqard 2 hours ago [-]
I have done the same for many years now, and I feel like it's going to be an annoying false positive for people like us.
I remember when the "hacker vs. cracker" distinction went away because Hollywood co-opted the former and it became de facto "hacker == bad guy"
Nice parameter expansion examples in that bash-web-server. It uses the $_ parameter in ways I hadn’t thought to before, often preceded by a single : ${x} line for pre-processing of the variable.
TZubiri 4 hours ago [-]
>No, you can't write 10 lines of code, you have to import a 100k LOC dependency
Common misconception, if you want to replace a dependency on a swiss knife you don't need to implement a swiss knife, sometimes you can just implement the last helix of the corkscrew.
cyanydeez 3 hours ago [-]
it's curious what you'd be building where you think you can hit the reliability of curl with a bash script.
pillmillipedes 3 hours ago [-]
a script ten lines long perhaps?
TZubiri 3 hours ago [-]
health check, check that website/webapp returns 4xx and some known keyword
api, GET url, content-type application/json, parse json
you can even invert it and make a server
morpheuskafka 5 hours ago [-]
> No, it can not. Bash lets you open TCP sockets.
I thought you had to use a program called netcat for that--if not then what is the point of that binary? And for that matter, can't you also use telnet to manually send HTTP?
some_random 4 hours ago [-]
nc is basically just a nicer interface for the same thing, in the same way that curl is.
Where `service` is just the hostname of whatever you’re talking to and 8642 is the port you are trying to talk HTTP to.
Pretty cool!
sevenzero 5 hours ago [-]
It seems pretty cool, but I am wondering if there's any drawback on just using images that support curl? I can't think of any and to me it's kinda a must have, even on production images
OptionOfT 5 hours ago [-]
I always recommend to not have any dependencies outside of the code.
So we start at compiling the codebase (Rust) against MUSL. That way we can run it with FROM scratch images.
If we need more tooling available at runtime, then we look at alpine, but still using MUSL.
If MUSL itself is proving problematic, or if some of the libraries we use need glibc then we can look at using some locked down image.
The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.
xmodem 5 hours ago [-]
> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.
What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?
regularfry 4 hours ago [-]
You've gained that happening much less frequently. The tradeoff is making every other problem harder to diagnose.
NewJazz 2 hours ago [-]
Debug containers are a thing.
Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
Yup! They are a good solution to the massive problem you caused for yourself by implementing a different "solution" to a non-problem.
And even that's only true if you assume kubernetes is the only place your container runs where you might want to also debug it.
NewJazz 2 hours ago [-]
You want to ship every debug utility you will need in every image? Just seems wasteful. What about 3rd party images, you will respin images just to add your preferred toolset?
xmodem 1 hours ago [-]
Nope, not my position at all. I want to have a minimal OS environment with rudimentary tools available with zero extra friction. FROM alpine:latest adds less than 10MB and covers 95% of use cases. Typically depending on the container I will often throw in curl and some other QoL tools too.
For the rare cases where you find yourself needing to attach a debugger to your pods running in staging/prod, a debug container is absolutely the right tool to reach for.
OptionOfT 4 hours ago [-]
If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use.
But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance.
FROM scratch just reduces the surface.
xmodem 3 hours ago [-]
> FROM scratch just reduces the surface.
The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org.
It's important not to confuse the two.
xmodem 5 hours ago [-]
More than one ~500 employee company I've worked at has had security policies either encouraging or requiring the use of "distro-less" images - images with no OS components other than the absolute minimum required to run the application. For go binaries this meant literally nothing in the container apart from the executable.
In theory it has a couple of benefits. You don't have to re-deploy your image to patch CVE's in OS components if you don't have any OS components. And it provides some measure of defence-in-depth - one could certainly theory-craft a scenario where an attacker gains some limited control over your application and then uses some OS component to escalate.
These days if a security engineer is proposing my team adopt distro-less containers to receive these benefits, I would point out that we need to weigh them against the very real drawbacks of not having standard debugging tools available where and when we need them. And also to consider the relative impact of other defence-in-depth measures they could be pursuing instead - such as any sort of network policy to limit network traffic.
NewJazz 2 hours ago [-]
Debug containers are a thing.
Add an ephemeral container to an already running pod, for example to add debugging utilities without restarting the pod.
For what it's worth, this container used `python:3.12.2-slim-bookworm` and I really would not expect that sort of an image to bundle `curl` -- even if it is intended for production.
TZubiri 4 hours ago [-]
You can also use the sockets lib in that case, you depend on POSIX instead of Linux
sevenzero 5 hours ago [-]
Ah I see so it was basically a minimal image that bundles just python? I can see why it wouldn't bundle curl! Thought it was a custom Image for some reason, hence my original comment
mrshu 5 hours ago [-]
Yes, a very minimal image indeed. Had it been a custom image, curl would be one of the first things I would make sure it contains :)
monkpit 2 hours ago [-]
You might not have any say on what image is in use, for example, in a cicd library project.
figmert 5 hours ago [-]
This of course only supports http, not https. It's great for health checks e.g. in a docker environment. To do https, you'd have to use something like socat, but of course that doesn't use bash only.
TZubiri 4 hours ago [-]
Https is almost always terminated separately from the application code.
giobox 5 hours ago [-]
It's also a two line Dockerfile to add wget or curl to almost any pre-existing container image. This is a fun idea though.
HTTP/1.1 200 OK
Date: Tue, 16 Jun 2026 17:37:45 GMT
Content-Type: text/html
...
I always end up on example.com for this kind of thing because there are so few domains these days that don't enforce https!
QuantumNomad_ 5 hours ago [-]
example.com is also great for that reason when something fails about a captive portal on a public WiFi.
I open my web browser and go to http://example.com and get redirected to the captive portal page again and retry completing what they need from me to get internet access.
some_random 4 hours ago [-]
Fun fact, this is almost exactly how active portal detection is done in the OS/browser!
Plus, it feels nice to depend on the reserved domain name example.com instead of relying on a domain that any one specific corporation has to maintain :D
You can even take out the \r though they should be there
pickle-wizard 1 hours ago [-]
At a past job the security team wouldn't let us have netcat or curl on our systems. So I just used /dev/tcp to get around that. The ergonomics were not as nice as using netcat or curl, but it got the job done.
Sohcahtoa82 41 minutes ago [-]
This was something I learned about 10 years ago when earning my OSCP, useful during penetration tests and CTFs when you get a low-priv shell that's running a minimal OS (No curl, nc, python, etc.) but running a web server listening on localhost.
Using /dev/tcp was also handy in getting that initial low-priv shell.
MisterTea 35 minutes ago [-]
TIL: bash and other shells try to copy Plan 9's /net directory and the kernel ip(3) file server. Too bad it's not a real file system. And a missed opportunity to call the root of the path /net.
dennis16384 1 hours ago [-]
This is the kind of content we all deserved in 2026, and this is still why I ask during interviews to explain how cookies are represented in HTTP protocol.
Note that this is not what the article is about. Bash has a fake /dev/tcp path that opens sockets. What you have there is just perl opening a socket normally. Great solution, but the interesting bit is that fake path.
tzot 52 minutes ago [-]
I would use HTTP/1.0 without a need for Connection: close. Unless 1.0 is not generally supported anymore, but this is not the case in my experience.
nedt 43 minutes ago [-]
I actually have a couple of Dockerfiles that are using exactly this in the HEALTHCHECK. Less packages to install.
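A health check of the kind discussed in this thread, written so that the response is actually parsed rather than grepped blindly. This is an added example, not code from the thread or the article; the script path, host, port, path and keyword are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Placeholder usage in a Dockerfile:
#   HEALTHCHECK --timeout=3s CMD ["bash", "/healthcheck.sh", "localhost", "8080", "/health", "UP"]

CR=$(printf '\r')

# Read one HTTP/1.x response on stdin and print its status code.
# Returns 0 for 2xx (and KEYWORD present in the body, if one is given),
#         1 for a well-formed response that is not healthy,
#         3 when the peer did not answer with HTTP at all.
check_response() {
    local keyword="${1:-}" status_line code header
    IFS= read -r status_line || [ -n "$status_line" ] || return 3
    status_line=${status_line%"$CR"}
    case $status_line in
        HTTP/1.[01]\ [1-5][0-9][0-9] | HTTP/1.[01]\ [1-5][0-9][0-9]\ *) ;;
        *) return 3 ;;          # SSH banner, TLS alert, empty reply, ...
    esac
    code=${status_line#* }      # drop "HTTP/1.x "
    code=${code%% *}            # drop the reason phrase
    printf '%s\n' "$code"
    case $code in 2??) ;; *) return 1 ;; esac
    [ -n "$keyword" ] || return 0
    # Skip the headers so the keyword is matched against the body only.
    while IFS= read -r header; do
        header=${header%"$CR"}
        [ -n "$header" ] || break
    done
    grep -q -F -- "$keyword"
}

# Bash-only part: /dev/tcp/HOST/PORT is interpreted by bash itself when it
# appears in a redirection; no such file exists on disk.
# HTTP/1.0 is used so the server closes the connection after the response and
# does not switch to chunked encoding, which this parser does not decode.
# A peer that accepts the connection and then stays silent blocks the read,
# so keep HEALTHCHECK --timeout (or an outer timeout(1)) in place.
http_healthcheck() {
    local host="$1" port="$2" path="${3:-/}" keyword="${4:-}"
    {
        printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" >&3
        check_response "$keyword" <&3
    } 3<>"/dev/tcp/$host/$port"
}

# Run as a script: healthcheck.sh HOST PORT [PATH] [KEYWORD]
if [ "$#" -ge 2 ]; then
    http_healthcheck "$@"
    exit
fi
```

It covers plain HTTP only; redirects, proxies, TLS and chunked bodies remain out of scope.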
timwis 2 hours ago [-]
You could also use nsenter if curl is installed on the host, eg
docker inspect -f '{{.State.Pid}}' container-name
# let's imagine that outputs 814538
nsenter -t 814538 -n curl example.com
saidinesh5 3 hours ago [-]
Fun story: A few years ago, I worked for a small company that customized off the shelf routers to enable businesses to provide Wifi Hotspots.
The routers were a very basic model with very limited flash memory (~4MB?). I was brought in to build firmware for those routers. I ended up customising openwrt - removed all kinds of packages to make their packages fit on those routers. At the end, I had less than 4KB space, and I needed to implement a "heart beat" service. A lot of routers were behind firewalls that only allowed http, https and a couple of other protocols. Libcurl was too heavy. So I ended up writing a shell script that used this feature of bash to send out heart beats.
Fun times...
chaps 2 hours ago [-]
Once had a coworker tell me to never use this because "you never know when the customer doesn't have bash installed; use python instead" even though our contract required that the customer had bash. I'm still laughing at that.
quotemstr 59 minutes ago [-]
FWIW, some distributions (I forget which ones, but I've seen it more than once) compile bash without the network features. Python is ubiquitous, and I've never seen it subsetted this way, so I'd have sided with the coworker.
chaps 18 minutes ago [-]
Eh, looking around, I think you're thinking of Debian. They re-enabled it by-default back in 2009. So, sure, I guess. But if you're dealing with an OS that's from 2009 these days, whether /dev/tcp is enabled in bash or not isn't exactly relevant anymore. And I've seen enough broken python installs (even with stdlib) to put my faith in /dev/tcp working in bash :)
washbasin 3 hours ago [-]
This is an old post-compromise trick used when an attacker needs to download a payload or make a network connection and curl, wget and nc are all not available.
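For defenders who want to inventory where this feature is used, the sketch below extracts /dev/tcp and /dev/udp targets from recorded command lines and sorts them by destination. It is an added example, not part of the thread; the sample lines are constructed and the "PID command line" input format is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Input format (assumed): one record per
# line, "PID full-command-line", as a process snapshot or EDR export might give.

# Constructed sample records.
sample_cmdlines() {
cat <<'EOF'
1001 bash -c exec 3<>/dev/tcp/service/8642; printf 'GET / HTTP/1.0\r\n\r\n' >&3; cat <&3
1002 curl -fsS http://service:8642/health
1003 sh -c echo ping > /dev/udp/192.0.2.10/9125
1004 ls -l /dev/tcp
1005 bash -c cat < "/dev/tcp/${HOST}/443"
1006 bash -c exec 3<>/dev/tcp/localhost/8080
EOF
}

# Print "PID PROTO HOST PORT SCOPE" for every /dev/tcp or /dev/udp target.
# SCOPE is loopback (typical of health checks), dynamic (host comes from a
# variable and needs a closer look) or non-loopback.
#
# Caveat: bash resolves these paths internally with socket()/connect(), so a
# redirection typed into an already running shell never shows up as a process
# argument or as an open() of /dev/tcp. Command-line matching only sees
# `bash -c ...` invocations and script contents; pair it with telemetry on
# outbound connections made by shell processes.
find_net_redirections() {
    awk '{
        pid = $1
        line = $0
        while (match(line, /\/dev\/(tcp|udp)\/[^\/ \t"]+\/[A-Za-z0-9_${}-]+/)) {
            hit = substr(line, RSTART, RLENGTH)
            split(hit, p, "/")              # "", "dev", proto, host, port
            host = p[4]
            scope = "non-loopback"
            if (host ~ /^(localhost|127\.[0-9.]+)$/) scope = "loopback"
            else if (host ~ /\$/) scope = "dynamic"
            print pid, p[3], host, p[5], scope
            line = substr(line, RSTART + RLENGTH)
        }
    }'
}

# Stand-alone run: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample_cmdlines | find_net_redirections
fi
```

The same function works on script or Dockerfile contents if each line is prefixed with an identifier such as the file name.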
AndrewStephens 5 hours ago [-]
This is pretty neat if all you need is to ping a local server but please use curl (or something equivalent) for contacting remote services. HTTP1.1 seems like such a simple protocol but in the real world you need to deal with proxies, different encodings, and redirects. Curl takes care of that (and a host of other annoying stuff) for you.
mrshu 5 hours ago [-]
Totally!
I was really just trying to see if intra-container connectivity works, and this ended up being a very quick way of doing so. (The alternative being building and deploying a new image, which would likely take significantly longer.)
KomoD 5 hours ago [-]
> The alternative being building and deploying a new image, which would likely take significantly longer
You are right, I am not sure why I did not realize Python is the whole point of the image. This is indeed much faster and easier.
dchest 4 hours ago [-]
It's interesting that most of the comments here are about using this feature to bypass security restrictions (whether valid or not). It says a lot about the attack surface of GNU utilities caused by featuritis.
uberex 11 minutes ago [-]
telnet then?
nesarkvechnep 3 hours ago [-]
I find /dev/udp much more useful. I can create aliases for fire and forget commands to my daemons without actually writing *ctl program.
Retr0id 4 hours ago [-]
It's a fun trick, but I really don't like that bash does this. It's such an un-clean interface, and I'm not aware of any use cases beyond trying to exfiltrate data from a badly locked-down shell.
orthogonal_cube 5 hours ago [-]
It was fun exploring this to make a native-shell-only peer-to-peer file transfer utility at work for some automation scripts. At least, it was until trying to replicate it in Powershell was somehow triggering Crowdstrike and the corporate Cybersecurity team thought I was writing malware.
geoctl 5 hours ago [-]
I discovered this bash trick by chance when I was once trying to healthCheck the Envoy's official OCI image container which didn't include curl or wget while forcing the envoy admin interface to listen on localhost which breaks the traditional k8s httpGet checks.
devsda 5 hours ago [-]
Yes, it used to be my go-to a few times when some devices tried to lock down everything with bare minimum core utils and no network capable tools like curl etc.
sc68cal 5 hours ago [-]
That's pretty neat, thanks for sharing
m3047 4 hours ago [-]
At least on my systems there's also /dev/udp...
alienbaby 4 hours ago [-]
Reminds me of telnetting to port 80 to make a get request years and years ago
black_knight 59 minutes ago [-]
Wait until they hear about Plan 9!
Steeeve 4 hours ago [-]
brb. recompiling bash in all my base images.
alienbaby 4 hours ago [-]
Reminds me of using telnet to port 80 to make get requests aeons ago
Simple get:
GET / HTTP/1.1
Content-Type: text/html
User-Agent: l33t hax0rs lol
X-Funny-Monkey: farts
You could of course write a full http/1.1 client in bash, you can even do a full http server in pure bash: https://github.com/bahamas10/bash-web-server
[0] https://github.com/bahamas10/bash-web-server/tree/main/loada...
[2] - torsocks, tsocks, wireproxy, shadowsocks-rust, proxychains-ng, etc...
https://linux.die.net/man/1/nc
The main surprise was that Bash has /dev/tcp which lets you do the equivalent of an HTTP request with a bit of shell magic, for instance:
Where `service` is just the hostname of whatever you’re talking to and 8642 is the port you are trying to talk HTTP to.
Pretty cool!
https://kubernetes.io/docs/reference/kubectl/generated/kubec...
https://gist.github.com/skull-squadron/edb8c0122f902013304c0...
- http://captive.apple.com/
- http://connectivitycheck.gstatic.com/generate_204
- http://detectportal.brave-http-only.com/
https://github.com/ksh93/ast-open-archive/blame/master/src/c...
FROM openjdk:11-jre-slim
HEALTHCHECK --start-period=10s --timeout=3s --retries=5 \
  CMD perl -e 'use IO::Socket; $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "localhost", PeerPort => "8888") or die $@; $sock->autoflush(1); print $sock "GET /actuator/health HTTP/1.1" . chr(0x0d) . chr(0x0a) . "Host: localhost:8888" . chr(0x0d) . chr(0x0a) . "Connection: close" . chr(0x0d) . chr(0x0a) . chr(0x0d) . chr(0x0a); while (my $line = $sock->getline) { if ($line =~ /UP/) {exit;} }; close $sock; exit 1;'
You said the image was Python, though? Using that is way easier and faster. https://news.ycombinator.com/item?id=48558763
If all you need to know is that it can connect:
python3 -c 'import socket as s;s.create_connection(("8.8.8.8",53))'
or http:
python3 -c 'from urllib.request import*;print(urlopen("http://example.com").status)'