4 votes

Docker rootless and Watchtower and some general questions about Docker

I finally decided to accept that my interest in working and playing with computers and servers is worth spending some money on. So I ditched my old box in the corner and with it all my fights with my ISP, their NAT, dynamic DNS and all that, and got myself a VPS and a 1 TB storage solution for less than I would have paid for a static IP with my ISP.
Best decision ever :-)

So I'm getting into Docker a bit, just because it's so easy to get Nextcloud running. I used native Caddy as a reverse proxy, because if I've got this "machine" there I will use it for other things as well, so better make it right from the beginning. And I used native b/c I did not yet understand bridge/host mode and installing Caddy natively seemed easier.
Then I fought for one day with CIFS and the Nextcloud GUI to get the semantics right to get my storage solution accepted as external storage.
Then I set up Jellyfin with Docker because why not. Also through Caddy.
Then I fucked something up and was like, fuck it, let's start again, this time for real :-P
I wiped my VPS clean (chose Ubuntu again), set up and hardened SSH + sudo, installed Docker, and then I found out about Docker rootless; the Docker docs mention that it is/might be more secure, so I set up Docker rootless and installed all the rest again.
And then I was like, hmm, do these Docker images/containers update themselves? Like snap did?
It seems not, so I looked for a solution and found Watchtower. And now I wasted another day trying to get Watchtower to run, and I just can not.

I tried so many variations of the run command now; most recently I tried:

docker run \
--name watchtower \
-v ${DOCKER_SOCKET_PATH}:/var/run/docker.sock \
containrrr/watchtower

time="2023-01-20T01:17:41Z" level=error msg="Cannot connect to the Docker daemon at unix:///var/run/docker.sock. Is the docker daemon running?"
time="2023-01-20T01:17:41Z" level=info msg="Waiting for the notification goroutine to finish" notify=no

/run/user/1000/docker.sock exists, I own it, I tried connecting to it through docker -e and containrrr/watchtower --host "unix:///run/user/1000/docker.sock"
I don't know what else to try and I'm at my end with my ddg-fu as well.

And now while proofreading this, I read everything again and decided to try something again and it just worked...

docker run \
--name watchtower \
-v /run/user/1000/docker.sock:/var/run/docker.sock \
containrrr/watchtower

Seems like the environment variable was not set. But I'm sure I tried that before and it did not work... ghost in the machine :-)

So that's where I'm at. I have to say it was a lot of fun, and doing and learning all that tingled my brain in a funny way :-)

But now I have some questions for my much more experienced Tildes-friends:

  • Do I even need Watchtower? Because I'm not actually interested in connecting to my server regularly to do the updates/maintenance.
  • Was switching to Docker rootless even a good idea? It seemed so reading the Docker installation docs, but just now I read the ArchWiki and there it seems it has some heavy security implications, so I made the security situation actually worse by thinking I was making it better.
  • How do I get this Watchtower thing to fucking work? (only if I actually need it)

I very much appreciate all further/other advice, tricks, recommendations, questions and discussion as well :-)
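As an added example (not the OP's command), a preflight script that resolves the rootless socket path and refuses to start Watchtower unless that path is a real, writable unix socket. The DOCKER_HOST / XDG_RUNTIME_DIR precedence and the START_WATCHTOWER gate are this example's own conventions, not Docker's.

```shell
#!/bin/sh
# Added example (not the OP's command): preflight the socket mount before
# starting Watchtower on a rootless Docker install.
#
# With `-v`, Docker silently creates a *directory* on the host when the source
# path does not exist. A mistyped source path therefore still starts the
# container, which then sees a directory where it expects a socket and logs the
# very "Cannot connect to the Docker daemon" error quoted above.
# Mounting the daemon socket also gives Watchtower full control of every
# container that daemon manages, so the path should be deliberate, not guessed.

# Resolve the rootless daemon socket. Precedence (this example's convention):
# DOCKER_HOST in unix:// form, then $XDG_RUNTIME_DIR/docker.sock, then the
# conventional /run/user/<uid>/docker.sock.
resolve_docker_socket() {
    case "${DOCKER_HOST:-}" in
        unix://*) printf '%s\n' "${DOCKER_HOST#unix://}"; return 0 ;;
    esac
    if [ -n "${XDG_RUNTIME_DIR:-}" ]; then
        printf '%s/docker.sock\n' "$XDG_RUNTIME_DIR"
    else
        printf '/run/user/%s/docker.sock\n' "$(id -u)"
    fi
}

# Refuse to continue unless the path is an existing socket we may write to.
check_docker_socket() {
    if [ ! -S "$1" ]; then
        echo "refusing: $1 is not a unix socket (is the rootless daemon running?)" >&2
        return 1
    fi
    if [ ! -w "$1" ]; then
        echo "refusing: $1 is not writable by $(id -un)" >&2
        return 1
    fi
}

# Start Watchtower only when explicitly requested (START_WATCHTOWER=1), so the
# functions above can be sourced or tested without touching a daemon.
if [ "${START_WATCHTOWER:-0}" = 1 ]; then
    sock=$(resolve_docker_socket)
    check_docker_socket "$sock" || exit 1
    docker run -d --name watchtower --restart unless-stopped \
        -v "$sock:/var/run/docker.sock" \
        containrrr/watchtower
fi
```

Run it as `START_WATCHTOWER=1 sh watchtower-preflight.sh`; without the variable it only defines the two checks.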

7 comments

  1. [5]
    vord
    (edited)
    I personally don't use watchtower. I prefer using docker-compose and a simple bash script to keep up to date. I find this works better when I craft my own containers. Sometimes just pulling latest images can get you into trouble, so I prefer to set major versions and bump manually.

    Docker security is complicated. For an average person, I'd say a standard Docker install is fine. You'll get most of the security benefits by not having the containers running as the root user. Sadly this is the most common config, and the easiest way to fix it is often to build your own container.

    On top of that...trusting public images itself is a pretty big risk. Bigger-name ones like from linuxserver.io tend to be ok, but a lot of projects don't push new containers for OS patches. As a result, best practice is to have your own custom Dockerfile, either referencing the base image and running updates, or by building from scratch and following the project's 'native install' guide. Depends on your comfort level though.

    If you like the idea of Docker rootless, perhaps give podman a look.

    Also I mostly love Traefik as a docker-native ingress. Handles Let's Encrypt certs and dyndns like a champ. It's especially great if you don't need to proxy any non-docker stuff.

    5 votes
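An added example of the "compose plus a small script, pinned major versions" approach described in the comment above (this is not vord's own script): it audits a compose file for floating image references and refuses to pull while any remain. The sample compose file is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not vord's own script: audit a compose file for images that
# float (no tag, or the :latest tag) before a pull-and-restart runs. Pinning
# at least the major version is what stops "docker compose pull" from quietly
# swapping in a breaking release.

# Print every image reference that is not pinned. Pinned means a digest
# (@sha256:...) or a tag other than "latest". Only the last path segment is
# inspected, so a registry port (host:5000/img) is not mistaken for a tag.
unpinned_images() {
    awk -v q="'" '
        /^[[:space:]]*image:[[:space:]]*/ {
            ref = $2
            gsub(/"/, "", ref); gsub(q, "", ref)   # strip YAML quotes
            if (ref ~ /@sha256:/) next             # digest-pinned
            n = split(ref, parts, "/")
            if (parts[n] !~ /:/ || parts[n] ~ /:latest$/) print ref
        }' "$1"
}

# Refuse to pull when anything floats; otherwise pull and recreate.
update_stack() {
    if [ -n "$(unpinned_images "$1")" ]; then
        echo "refusing update, unpinned images in $1:" >&2
        unpinned_images "$1" >&2
        return 1
    fi
    docker compose -f "$1" pull && docker compose -f "$1" up -d
}

# Constructed sample compose file (not the OP's real stack).
SAMPLE_COMPOSE=$(mktemp)
trap 'rm -f "$SAMPLE_COMPOSE"' EXIT
cat >"$SAMPLE_COMPOSE" <<'EOF'
services:
  nextcloud:
    image: nextcloud                      # no tag, implicitly :latest
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
  caddy:
    image: "caddy:2"                      # pinned to the major version
  db:
    image: mariadb:10.11
  backup:
    image: localhost:5000/tools/backup    # registry port, still untagged
EOF
```

Against the sample, `update_stack "$SAMPLE_COMPOSE"` refuses and lists nextcloud, jellyfin and backup; pointing it at a fully pinned docker-compose.yml from cron is the "simple bash script" in practice.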
    1. aphoenix
      I don't have anything to add other than as a disinterested third party, everything here is good information and / or a reasonable approach to docker.

      2 votes
    2. [3]
      Don_Camillo
      Thank you for your complete answer! I don't think I'm there yet, building my own containers, but I will try to switch over to linuxserver builds where that makes sense.

      But just to understand the point about rootless right: so you would advise using the default Docker and not the rootless Docker?

      2 votes
      1. [2]
        vord
        Yes, especially if you are in a position where you don't feel comfortable building containers.

        The disadvantages of the default Docker install manifest more at scale (i.e. a cloud provider getting services compromised for millions). For an individual user, doing hardening of the host OS (and taking backups!!) should do you fine. Make sure to have a firewall in place that blocks everything but SSH, HTTPS, and perhaps any other secured port you need. I highly advise against having any open insecure services on a cloud provider.

        2 votes
        1. Don_Camillo
          Okay, thank you very much, so I need to migrate back to default, but that should be easy: export the volumes in rootless and import them in default... we'll see how that works :-)
          My provider actually has a really nice firewall built in and their Ubuntu images all have auto-updates. So I think I'll be fine.
          So as I understand it now, I don't actually gain any security by running Docker as a small user. So I might move Jellyfin to native as well.

          2 votes
  2. [2]
    Arshan
    Like @vord I would recommend podman and linuxserver.io images, but with the warning that running either rootless and mounting directories can be a pain in the ass. I recommend podman because it can perform auto-updates for you, see article. As for general security concerns, I would focus more on the network side. Make sure the firewall is set up properly and make sure your private services are actually private. I'd recommend looking at using a VPN for your private services, but that does depend on whether these are just used by you and/or people who are willing to use a VPN. I'd say Tailscale is by far the easiest and pretty much Just Works.

    3 votes
    1. Don_Camillo
      Thank you. I don't think I will use a VPN as I'm actually interested in hosting some publicly available stuff.

      2 votes