Notes about other stuff on Linux

  • The size of a tmpfs directory as displayed in ls is always 40 + (20 * X), where X is the number of files (including direct subdirectories but excluding . and ..) in that directory.
  • Normally, an attempt to connect to an IPv6 link-local address fails if no scope ID is supplied. However, if the socket was previously bound to an IPv6 link-local address with a scope ID supplied to bind(), then a connect() to an IPv6 link-local address without a scope ID will succeed (the scope ID is implied from the previous bind() call). (Untested) This means that with the socketbox-preload library injected into nginx, you can do the following to connect to a link-local address for proxy_pass, assuming a source of fe80::200:5eff:fe00:5341, a destination of fe80::200:5eff:fe00:5340, and that eth0 has an interface index of 6:
proxy_pass http://[fe80::200:5eff:fe00:5340];
proxy_bind fe8f:1:0:6:200:5eff:fe00:5341;

Due to socketbox-preload limitations, the scope ID has to be supplied numerically in bits 32-63 of the IPv6 address. If you have an automatic configuration file generator, you can call a Python script like this one to generate it automatically:

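import socket, struct
# Bits 0-31: the fe8f:1 prefix from the example above; bits 32-63: numeric scope ID (interface index of eth0);
# bits 64-127: low 64 bits of the link-local source address fe80::200:5eff:fe00:5341.
src_ipv6_addr = socket.inet_ntop(socket.AF_INET6, struct.pack(">IIII", 0xfe8f0001, socket.if_nametoindex("eth0"), 0x02005eff, 0xfe005341))
print(f"proxy_bind {src_ipv6_addr};\n")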

This method is unfortunately not recommended if there is a chance that the interface associated with the scope ID could disappear at any time (consider out-of-memory conditions, for example, if the interface is a virtual Ethernet device into an unprivileged container, or is a physical device and the device malfunctions or is unplugged from the system). It is better to use a bridge interface instead, even if there is only one interface involved. Regardless of the method chosen, the scope ID will also change after rebooting the system, so the address has to be regenerated every time you start the web (or other) server that uses that address.
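A pre-start check for the caveat above, as an added example that is not part of the original page or of socketbox-preload: it decodes the scope ID from each proxy_bind line and compares it with the interface's current index. It assumes the layout shown in the page's example (fe8f:1 in bits 0-31, scope ID in bits 32-63, low 64 bits copied from the fe80::/64 address); the names encode, decode and check_proxy_bind are hypothetical.

```python
import ipaddress
import re
import socket

PREFIX = 0xFE8F0001  # bits 0-31, taken from the page's example (fe8f:1)
LOW64 = 2**64 - 1

def encode(link_local, ifindex):
    """Fold a link-local address and an interface index into one address."""
    value = int(ipaddress.IPv6Address(link_local))
    if value >> 64 != 0xFE80 << 48:
        raise ValueError(f"{link_local} is not in fe80::/64")
    if not 0 < ifindex < 2**32:
        raise ValueError("interface index must fit in bits 32-63")
    packed = (PREFIX << 96) | (ifindex << 64) | (value & LOW64)
    return str(ipaddress.IPv6Address(packed))

def decode(encoded):
    """Return (ifindex, link_local) for an address in the encoded layout."""
    value = int(ipaddress.IPv6Address(encoded))
    if value >> 96 != PREFIX:
        raise ValueError(f"{encoded} does not carry the fe8f:1 prefix")
    ifindex = (value >> 64) & 0xFFFFFFFF
    return ifindex, str(ipaddress.IPv6Address((0xFE80 << 112) | (value & LOW64)))

def check_proxy_bind(config_text, ifname, interfaces=None):
    """List stale proxy_bind lines; interfaces maps name -> current index."""
    if interfaces is None:  # default: ask the running kernel
        interfaces = {name: idx for idx, name in socket.if_nameindex()}
    problems = []
    pattern = r"^\s*proxy_bind\s+([0-9a-fA-F:]+)\s*;"
    for match in re.finditer(pattern, config_text, re.M):
        try:
            ifindex, link_local = decode(match.group(1))
        except ValueError:
            continue  # ordinary address, not in the encoded layout
        current = interfaces.get(ifname)
        if current is None:
            problems.append(f"{link_local}: interface {ifname} is gone")
        elif current != ifindex:
            problems.append(
                f"{link_local}: config says index {ifindex}, {ifname} is now {current}")
    return problems
```

An empty list from check_proxy_bind means the generated configuration still matches the running system; anything else means the file should be regenerated before the server is started.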

Result of bind-mounting a directory and moving a subdirectory out of it. Strange, isn't it?
  • If a directory is moved out of a bind mount, then resolving .. (even in a subdirectory of that directory) will result in ENOENT:
mkdir -p /dir_1/dir_2/dir_3 /dir_1/test
mount --bind /dir_1/dir_2 /dir_1/test
cd /dir_1/test/dir_3
mv /dir_1/dir_2/dir_3 /dir_1/dir_3
ls -la

If running as non-root, you might want to do this first:

unshare -r -m --propagation=slave
mount -t tmpfs -o mode=0755 none /run

and replace all references to /dir_1 with /run.

  • The restriction on not being able to pivot_root the initramfs only applies to the initramfs "mount" (i.e. the rootfs mount with mnt_id=1, including replicas of that mount in other mount namespaces). Bind mounting the initramfs on top of itself, or creating a separate tmpfs to mount on top of the initramfs, and using that as the root, is not subject to the above restriction.
  • If you intend to run a postfix subservice with chroot=y in master.cf, then make sure that /var/spool/postfix contains the necessary files and libraries in /etc and /lib relative to the chroot for (reverse) DNS resolution to work; this may require a bind mount from /_fsroot_ro/lib to /var/spool/postfix/lib (if using ctrtool).
                 getter          setter      netstat column
local address    getsockname()   bind()      local address
remote address   getpeername()   connect()   foreign address