  • Showing only topics with the tag "docker".
    1. Reverse-Proxying services both inside and outside of Podman

      Hey all, not-a-networks-guy here.

      I've currently got an rpi set up running pihole natively (not in a container) for ad and website blocking reasons. (Using port 80, no TLS) I've used the pihole localdns feature to set an internal hostname for that IP (me.lan).

      On the same pi, I have podman "set up" to run FreshRSS, and I'm getting more and more annoyed about using the port # to access it. (me.lan:12345) I'd like to set up a reverse proxy (probably Traefik) in a container to redirect internally, but considering that port 80 is taken (by pihole, outside of podman) I don't see a way to direct traffic from the pihole to Traefik.

      I'd really rather not reconfigure the whole setup to use containers.... I'm lazy, and also prefer my dns resolver to have the least amount of overhead possible. Is configuring the router an option here, or is the only way to achieve what I'm looking for an overhaul of the pi and containers?

      If I've missed any pertinent details, let me know and I'll update here.

      4 votes
    2. Tips for Docker security on a NAS?

      How do you make sure that your Docker containers don't go rogue and start snooping around or contacting external servers that they shouldn't be talking to? Is there a network traffic monitoring program that I could use? Or a service that would notify me about vulnerabilities in containers that I have installed?

      Some background:

      Last year, I asked for help setting up my new Synology NAS, and many of you wonderful people offered some really, really good advice. I have recently started to play around with Docker containers more, and I am a little uneasy about the idea that my NAS is home to my files, my own scripts, and Docker containers made by other people, and that it is always on and these containers have constant internet access. I don't have the time (or frankly the skills) to verify the contents of the containers beyond making sure that they come from reputable sources, but I would like to have a bit more peace of mind and make sure that things remain private and secure.

      My setup at the moment is the following: I have a Synology DS923+ and I manage Docker containers with Synology's Container Manager, using docker compose files. I have so far put all containers into the same virtual network (perhaps something I need to think about), which is a separate IP range from my other devices, and has internet access through my DNS. I use Synology's DNS Server (for everything in my home network) and Reverse Proxy so that I can use local domain names and HTTPS. For HTTPS, I have made myself a certificate authority and created the necessary certificates and installed them on my devices. No ports are opened on the router and things like UPnP are turned off. I use Tailscale to access my home network when not at home. And while I have not yet done so, I have been considering setting up some firewall rules, for instance to restrict access to the DSM. I use 2FA for the NAS and its SSH is turned on only when I need to use it.

      12 votes
    3. How safe am I? (self hosting)

      I have a server running Unraid at home. I have ~20 docker containers running at the moment with almost all of them only available within my local network. I just stood up an instance of Seafile on the server to act as a Google Drive replacement. Still in the early test phase before I commit to throwing important stuff on there. I have my domain proxied through Cloudflare so none of my local ports are exposed to the internet. Seafile has complicated passwords set for admin and user accounts (generated with Bitwarden, hot damn I love that app). I also enabled 2FA on each account. I know that I can further clamp it down using some of Cloudflare's extra access controls but in my admittedly limited experience, those all cause issues getting an app to authenticate with the service. Web apps don't have this issue of course.

      So am I ok with this setup? I can encrypt the data before uploading easily as it's a built in feature of Seafile. Or would it be better to just run with local only and run a VPN to access when I'm outside?

      I figure just about any effort along these lines I trust more than Google with my data. But I may be overconfident in that perhaps. I'm still learning the ropes with Linux and self-hosting in general.

      17 votes
    4. Docker Nextcloud AIO Mastercontainer update failing

      I've got a problem with my nextcloud and as tildes is my favourite nice place to ask for tech-support, maybe somebody here can help me with that.

      I can start and run Nextcloud AIO without any problems. I can update the subcontainers without any problems. But the update of the Mastercontainer always fails and I don't know why, only that it has to be something with docker.sock and permissions, but I could not resolve the issues, and Google does not seem to be helpful (or I'm looking for the wrong stuff).

      my update logs:

      time="2023-06-14T12:47:59Z" level=debug msg="Sleeping for a second to ensure the docker api client has been properly initialized."
      time="2023-06-14T12:48:00Z" level=debug msg="Making sure everything is sane before starting"
      time="2023-06-14T12:48:00Z" level=info msg="Watchtower 1.5.3"
      time="2023-06-14T12:48:00Z" level=info msg="Using no notifications"
      time="2023-06-14T12:48:00Z" level=info msg="Only checking containers which name matches \"nextcloud-aio-mastercontainer\""
      time="2023-06-14T12:48:00Z" level=info msg="Running a one time update."
      time="2023-06-14T12:48:00Z" level=debug msg="Checking containers for updated images"
      time="2023-06-14T12:48:00Z" level=debug msg="Retrieving running containers"
      time="2023-06-14T12:48:00Z" level=debug msg="FIXME: Got an status-code for which error does not match any expected type!!!" error="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?" module=api status_code=-1
      time="2023-06-14T12:48:00Z" level=error msg="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?"
      panic: runtime error: invalid memory address or nil pointer dereference
      [signal SIGSEGV: segmentation violation code=0x1 addr=0x30 pc=0x9f4a22]
      
      goroutine 1 [running]:
      github.com/containrrr/watchtower/pkg/metrics.NewMetric({0x0, 0x0})
      	/home/runner/work/watchtower/watchtower/pkg/metrics/metrics.go:31 +0x22
      github.com/containrrr/watchtower/cmd.runUpdatesWithNotifications(0xc0002fd830)
      	/home/runner/work/watchtower/watchtower/cmd/root.go:375 +0x15e
      github.com/containrrr/watchtower/cmd.Run(0xc00033c300?, {0xc000281300?, 0x4?, 0x4?})
      	/home/runner/work/watchtower/watchtower/cmd/root.go:168 +0x570
      github.com/spf13/cobra.(*Command).execute(0xc00033c300, {0xc0000300b0, 0x4, 0x4})
      	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:920 +0x847
      github.com/spf13/cobra.(*Command).ExecuteC(0xc00033c300)
      	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:1044 +0x3bc
      github.com/spf13/cobra.(*Command).Execute(...)
      	/home/runner/go/pkg/mod/github.com/spf13/cobra@v1.6.1/command.go:968
      github.com/containrrr/watchtower/cmd.Execute()
      	/home/runner/work/watchtower/watchtower/cmd/root.go:71 +0x52
      main.main()
      	/home/runner/work/watchtower/watchtower/main.go:13 +0x17

      my startup command

      sudo docker run \
      --sig-proxy=false \
      --name nextcloud-aio-mastercontainer \
      --restart unless-stopped \
      --publish 8080:8080 \
      -e APACHE_PORT=11000 \
      -e APACHE_IP_BINDING=127.0.0.1 \
      --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
      --volume /var/run/docker.sock:/var/run/docker.sock:ro \
      nextcloud/all-in-one:latest

      output after start:

      Trying to fix docker.sock permissions internally...
      Creating docker group internally with id 998
      WARNING: No swap limit support
      Initial startup of Nextcloud All-in-One complete!
      You should be able to open the Nextcloud AIO Interface now on port 8080 of this server!
      E.g. https://internal.ip.of.this.server:8080
      
      If your server has port 80 and 8443 open and you point a domain to your server, you can get a valid certificate automatically by opening the Nextcloud AIO Interface via:
      https://your-domain-that-points-to-this-server.tld:8443
      ++ head -1 /mnt/docker-aio-config/data/daily_backup_time
      + BACKUP_TIME=04:00
      + export BACKUP_TIME
      + export DAILY_BACKUP=1
      + DAILY_BACKUP=1
      ++ sed -n 2p /mnt/docker-aio-config/data/daily_backup_time
      + '[' '' '!=' automaticUpdatesAreNotEnabled ']'
      + export AUTOMATIC_UPDATES=1
      + AUTOMATIC_UPDATES=1
      + set +x
      {"level":"info","ts":1686746753.2700157,"msg":"using provided configuration","config_file":"/Caddyfile","config_adapter":""}
      {"level":"info","ts":1686746753.2748601,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/quic-go/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
      [14-Jun-2023 12:45:53] NOTICE: fpm is running, pid 106
      [14-Jun-2023 12:45:53] NOTICE: ready to handle connections

      I tried to change permissions on /var/run/docker.sock
      I tried to change permissions on /lib/systemd/system/docker.sock

      same but with restart of docker.sock
      same but with restart of docker.sock and docker.service

      nothing helped

      Does somebody know where I go wrong, or can point me in the right direction to resolve this problem? It's not a game stopper as I can update the container manually, but it is annoying.

      Edit: it runs on Ubuntu Server 20.04.6 LTS

      6 votes
    5. Docker rootless and Watchtower and some general questions about Docker

      I finally decided to accept that my interest in working and playing with computers and servers is worth spending some money on. So I ditched my old box in the corner and with it all my fights with my ISP, their NAT, dynamic DNS and all that, and got myself a VPS and a 1 TB storage solution for less than I would have paid for a static IP with my ISP.
      Best decision ever :-)

      So I'm getting into Docker a bit, just because it's so easy to get Nextcloud running. I used native Caddy as a reverse proxy, because if I've got this "machine" there I will use it for other things as well, so make it right from the beginning. And I used native because I did not yet understand bridge/host mode and installing Caddy natively seemed easier.
      Then I fought for one day with CIFS and the Nextcloud GUI to get the semantics right to get my storage solution accepted as external storage.
      Then I set up Jellyfin with Docker because why not. As well through Caddy.
      Then I fucked something up and was like, fuck it, let's start again, this time for real :-P
      I wiped my VPS clean (chose Ubuntu again), set up and hardened SSH + sudo, installed Docker, and then I found out about Docker rootless, and in the Docker docs it's mentioned that it is/might be more secure, so I set up Docker rootless and installed all the rest again.
      And then I was like, hmm, do these Docker images/containers update themselves? Like snap did?
      It seems not, so I looked for a solution and found Watchtower. And now I wasted another day trying to get Watchtower to run, and I just can not.

      I tried so many variations of the run command now most recently I tried:

      docker run \
      --name watchtower \
      -v ${DOCKER_SOCKET_PATH}:/var/run/docker.sock \
      containrrr/watchtower
      
      time="2023-01-20T01:17:41Z" level=error msg="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?"
      time="2023-01-20T01:17:41Z" level=info msg="Waiting for the notification goroutine to finish" notify=no

      /run/user/1000/docker.sock exists, I own it, I tried connecting to it through docker -e and containrrr/watchtower --host "unix:///run/user/1000/docker.sock"
      I don't know what to try more and I'm at my end with my ddg-fu as well.

      And now while proofreading this, I read everything again and decided to try something again and it just worked...

      docker run \
      --name watchtower \
      -v /run/user/1000/docker.sock:/var/run/docker.sock \
      containrrr/watchtower

      Seems like the environment variable was not set. But I'm sure I tried that before and it did not work... ghost in a machine :-)

      So that's where I'm at. I have to say it was a lot of fun, and doing and learning all that tingled my brain in a funny way :-)

      But now I have some questions for my much more experienced Tildes-friends:

      • Do I even need Watchtower? Because I'm not actually interested in connecting to my server regularly to do the updates/maintenance.
      • Was switching to Docker rootless even a good idea? It seemed so reading the Docker installation docs, but just now I read the ArchWiki and there it seems it has some heavy security implications, so I made the security situation actually worse while thinking I was making it better.
      • How do I get this Watchtower thing to fucking work? (Only if I actually need it.)

      I very much appreciate all further/other advice, tricks, recommendations, questions and discussion as well :-)

      4 votes
    6. Rant: Docker is a labyrinth maze of brick walls and show-stopping issues that has done nothing but slow my development

      Firstly, I apologise for the rant. I guess this is a meek follow-up to my submission earlier in ~comp, questioning how to deploy Docker into production. Since then, I haven't been able to dedicate much time to solving any of the issues I've outlined in that thread, but what I will say is that docker has caused me nothing but pain, and I have realised zero benefits from attempting to utilise it. Right from the start, the syntax for docker, docker-compose, and Dockerfiles is confusing and full of edge cases which no one explains to you in the hype of actually discussing it:

      • These 'images' you build grow to insane sizes unless you carefully construct and regiment your RUN, COPY, and other commands.
      • Docker complains to you about leaving empty lines in multi-line RUN commands (which is itself, as I see it, basically a hack to get around something called a "layer limit"), even if it contains a comment (which is not an empty line) and does not provide a friendly explanation on how to solve this issue.
      • There's basically no good distinction between bind mounts and volumes, and the syntax is even more confusing: declaring a volumes entry in a docker-compose.yml? You have no good idea if you're creating a volume or a bind mount.
      • Tutorials & documentation tend to either assume you're a power user who knows this sort of thing, or are so trivial they don't accurately represent a real-world solution, and are therefore basically useless.

      I've suffered endless permissions issues trying to run portions of my application, such as being unable to write to log files, or do trivial things like clearing a cache—that I have tried a dozen different ways of fixing with zero success.

      Then, when I run some things from within the docker container, such as tests, they can take an excruciatingly long time to run—only then did I discover that this is yet another docker issue. The whole point of docker is to abstract away the host OS and containerise things and it can't even do that.

      So now I'm regenerating and rebuilding images and containers every 5 minutes trying to find a configuration that appears to work with the slow and complicated syntax of docker rm $(docker ps -aq) -f followed by docker rmi $(docker images -q) followed by docker-compose -f docker-compose.yml -f docker-compose.dev.yml up -d, followed by docker container exec -it php sh.

      Docker-sync, kubernetes, docker-compose, images, containers. It's legitimately too much. I'm not a dev-ops or infrastructure guy. I just want to write code and have my app work. I don't have the money to employ anyone to solve this for me (I'm not even employing myself yet).

      I guess you can say I've learnt my lesson. I'm sticking to git and a simple VPS for future endeavours. I don't know how you folks who manage to hype docker do it, and I don't know what I'm doing wrong, but Docker doesn't like me, and I don't like it.

      21 votes
    7. Tildes Docker Image

      Looking at the development setup page, the suggested setup is to use vagrant to create and provision a VM. Out of curiosity, is there a reason for this preference over setting up a Tildes Docker image inside the repo? Tildes seems like a pretty simple and straightforward web app, it shouldn't be difficult to create. Is it just a developer preference of Deimos/Tildes devs? Or is there a logistical reason?

      9 votes
    8. Full blown SSH servers within Docker containers?

      Trying to get a sense of how the networking would go down?

      If I had one public IP address and say 4 Docker containers on the host, how would the SSH connections work? Would I have to reserve ports for each container?

      7 votes
    9. Are Python virtual environments comparable to Docker containers?

      I've been trying to understand Docker and while also learning Python it occurred to me that virtual environments seem to be the same thing. They're probably not, but can anyone shed some light on this?

      6 votes
    10. Opinions on Kubernetes and Cloud-Native

      I don't want to start a flame-war around this, but I am curious to hear about other people's opinions.

      I've been working in 'the cloud' for a few years now and love how convenient and easy it is to build on. My work is 100% cloud-based, and we host absolutely nothing. From internal tooling (slack, payroll, email) to what we sell (kubernetes, orchestration, some custom-tooling).

      I'm not sure what side I stand as I still run all of my own tooling myself on a dedicated box. I love being able to have my own server to tinker with, and run my own websites/rss-aggregators/VPN servers/etc.

      Having used AWS/GoogleCloud, I can see huge value in the automation and reduction in overhead that they provide when it comes to setting up and managing infrastructure.

      I am genuinely interested in different opinions and viewpoints on the way computation and data are managed, especially with companies that deal with sensitive information.

      As an aside, I would be interested in opposing ideas regarding containerisation (i.e. Docker/Rkt).

      Edit: I realise this probably should have been posted on ~comp

      4 votes