@wind-gmbh said in Silverblue - for container-based software:

But unfortunately No in regarding the ton of work that could be necessary to support Cloudron.

There is another important aspect as to why Ubuntu is the underlying platform for Cloudron. A lot (if not all) hosting providers are offering servers with this os preinstalled, which makes it easy to get started with Cloudon. If MicroOS would be the (only) supported choice then Cloudron users would be limited to hosting options which either provide it by default, or allow admins to install their own os (which could be a challenge for some).

If I remember correctly both Nebulon and Girish are former Suse employees, so I'd wager they would be biased towards MicroOS otherwise 😄

@girish great thanks, It works 😉

@ei8fdb right the graphs don't update immediately, but every 6 hours or so. Otherwise, the disk spins a lot 🙂

I will mark this thread as solved, but this problem will go away soonish. I think only ~20 apps are left to use the new base image. The 7.1 release also updates all the internal containers to use the latest image. Should all be done end of this month.

It's back online now!

Agree about having a second source. Ideally, we can have some self-hosted docker registry which is used as a fallback for such situations.

Flatpack and Appimage formats do not provide the kind of process and filesystem isolation that Docker does. I would not be comfortable running run a service like Cloudron if it allowed running things other than well-defined/managed containers.

Yes, there are ways to break isolation and escalate out of a Docker container, but flatpack apps can, essentially, write anywhere on my system. Updating the ecosystem is also much more difficult; by comparison, it is possible to auto-build Docker containers from source and track recent updates/manage timely security vulns in a way that flatpack/appimage packages do not/rarely do.

@girish said in Docker Container - Unable To Install Cloudron:

@brutalbirdie said in Docker Container - Unable To Install Cloudron:

Maybe adding Docker in there as well to prevent confusion.

Done!

The fast guy! 😄

@fortytwo said in How to delete unused docker images ?:

Scaleway S3 Object Storage with 75GB free

Is this for your backup? Cloudron does not backup images (and code), just your data. From your screenshot, it's only going to take 1.13G (nextcloud) + 6.5M (bitwarden) + 520K (box) + 212K (email). So, it's way less than 2GB per backup. If you store like 30 full backups, it's still under your object storage.

We use what is called immutable infrastructure for this if you want to learn more.

Nice!

Properly open source and maintained forks of Elasticsearch and Kibana

https://github.com/opensearch-project/OpenSearch

https://github.com/opensearch-project/OpenSearch-Dashboards

Thanks for the quick response!

@girish I can't thank you enough. Had some difficulties with the -o /tmp/filename.deb (it wasn't saving the file) so I downloaded and renamed the .deb onto my computer, filezilla'd to my home directory, then used mv filename.deb /tmp

I restarted unbound and everything started running perfectly

Here is the result:
The lib files seemed untouched

root@cloudron0:/var/lib/docker# ls -al total 200 drwx--x--x 14 root root 4096 Aug 6 14:31 . drwxr-xr-x 47 root root 4096 Dec 10 2020 .. drwx------ 2 root root 4096 Dec 10 2020 builder drwx--x--x 4 root root 4096 Mar 15 03:35 buildkit drwx-----x 59 root root 12288 Aug 6 13:32 containers drwx------ 3 root root 4096 Dec 10 2020 image drwxr-x--- 3 root root 4096 Dec 10 2020 network drwx-----x 507 root root 73728 Aug 6 13:57 overlay2 drwx------ 4 root root 4096 Dec 10 2020 plugins drwx------ 2 root root 4096 Aug 6 13:57 runtimes drwx------ 2 root root 4096 Dec 10 2020 swarm drwx------ 2 root root 4096 Aug 6 13:57 tmp drwx------ 2 root root 4096 Dec 10 2020 trust drwx-----x 458 root root 61440 Aug 6 13:57 volumes -rw-r--r-- 1 root root 1394 Aug 6 14:31 'ystemctl status unbound'

I hope this worked the way it should:

root@cloudron0:/tmp# apt install -y /tmp/containerd.deb Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'containerd.io' instead of '/tmp/containerd.deb' The following packages were automatically installed and are no longer required: amd64-microcode aufs-tools cgroupfs-mount golang-docker-credential-helpers intel-microcode iucode-tool libsecret-1-0 libsecret-common pigz python-asn1crypto python-backports.ssl-match-hostname python-cached-property python-certifi python-cffi-backend python-chardet python-cryptography python-docker python-dockerpty python-dockerpycreds python-docopt python-enum34 python-funcsigs python-functools32 python-idna python-ipaddress python-jsonschema python-mock python-openssl python-pbr python-pkg-resources python-requests python-six python-texttable python-urllib3 python-websocket python-yaml Use 'apt autoremove' to remove them. The following NEW packages will be installed: containerd.io 0 upgraded, 1 newly installed, 0 to remove and 43 not upgraded. After this operation, 129 MB of additional disk space will be used. Get:1 /tmp/containerd.deb containerd.io amd64 1.4.3-1 [28.1 MB] Selecting previously unselected package containerd.io. (Reading database ... 151160 files and directories currently installed.) Preparing to unpack /tmp/containerd.deb ... Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'docker-ce-cli' instead of '/tmp/docker-ce-cli.deb' docker-ce-cli is already the newest version (5:20.10.3~3-0~ubuntu-bionic). The following packages were automatically installed and are no longer required: amd64-microcode aufs-tools cgroupfs-mount golang-docker-credential-helpers intel-microcode iucode-tool libsecret-1-0 libsecret-common pigz python-asn1crypto python-backports.ssl-match-hostname python-cached-property python-certifi python-cffi-backend python-chardet python-cryptography python-docker python-dockerpty python-dockerpycreds python-docopt python-enum34 python-funcsigs python-functools32 python-idna python-ipaddress python-jsonschema python-mock python-openssl python-pbr python-pkg-resources python-requests python-six python-texttable python-urllib3 python-websocket python-yaml Use 'apt autoremove' to remove them. 0 upgraded, 0 newly installed, 0 to remove and 43 not upgraded. root@cloudron0:/tmp# apt install -y /tmp/docker.deb Reading package lists... Done Building dependency tree Reading state information... Done Note, selecting 'docker-ce' instead of '/tmp/docker.deb' The following packages were automatically installed and are no longer required: amd64-microcode golang-docker-credential-helpers intel-microcode iucode-tool libsecret-1-0 libsecret-common python-asn1crypto python-backports.ssl-match-hostname python-cached-property python-certifi python-cffi-backend python-chardet python-cryptography python-docker python-dockerpty python-dockerpycreds python-docopt python-enum34 python-funcsigs python-functools32 python-idna python-ipaddress python-jsonschema python-mock python-openssl python-pbr python-pkg-resources python-requests python-six python-texttable python-urllib3 python-websocket python-yaml Use 'apt autoremove' to remove them. Recommended packages: docker-ce-rootless-extras The following NEW packages will be installed: docker-ce 0 upgraded, 1 newly installed, 0 to remove and 43 not upgraded. After this operation, 121 MB of additional disk space will be used. Get:1 /tmp/docker.deb docker-ce amd64 5:20.10.3~3-0~ubuntu-bionic [24.8 MB] Selecting previously unselected package docker-ce. (Reading database ... 151174 files and directories currently installed.) Preparing to unpack /tmp/docker.deb ... Unpacking docker-ce (5:20.10.3~3-0~ubuntu-bionic) ... Setting up docker-ce (5:20.10.3~3-0~ubuntu-bionic) ... Processing triggers for systemd (237-3ubuntu10.43) ...#############################.................................] Processing triggers for ureadahead (0.100.0-21) ... root@cloudron0:/tmp# systemctl status box ● box.service - Cloudron Admin Loaded: loaded (/etc/systemd/system/box.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2021-08-06 18:49:09 UTC; 3min 8s ago Main PID: 21658 (node) Tasks: 11 (limit: 4915) CGroup: /system.slice/box.service └─21658 node /home/yellowtent/box/box.js Aug 06 18:49:09 cloudron0 systemd[1]: Started Cloudron Admin. Aug 06 18:49:16 cloudron0 sudo[24775]: pam_unix(sudo:session): session opened for user root by (uid=0) Aug 06 18:49:16 cloudron0 sudo[24775]: pam_unix(sudo:session): session closed for user root Aug 06 18:49:16 cloudron0 sudo[24838]: pam_unix(sudo:session): session opened for user root by (uid=0) Aug 06 18:49:16 cloudron0 sudo[24838]: pam_unix(sudo:session): session closed for user root Aug 06 18:49:47 cloudron0 sudo[29454]: pam_unix(sudo:session): session opened for user root by (uid=0) Aug 06 18:49:47 cloudron0 sudo[29454]: pam_unix(sudo:session): session closed for user root root@cloudron0:/tmp# systemctl status unbound ● unbound.service - Unbound DNS Resolver Loaded: loaded (/etc/systemd/system/unbound.service; enabled; vendor preset: enabled) Active: failed (Result: exit-code) since Fri 2021-08-06 14:45:47 UTC; 4h 7min ago Main PID: 1346 (code=exited, status=1/FAILURE) Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. root@cloudron0:/tmp# unbound-anchor -a /var/lib/unbound/root.key boundroot@cloudron0:/tmp# systemctl restart unbound root@cloudron0:/tmp# systemctl status unbound ● unbound.service - Unbound DNS Resolver Loaded: loaded (/etc/systemd/system/unbound.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2021-08-06 18:53:01 UTC; 3s ago Main PID: 4506 (unbound) Tasks: 1 (limit: 4915) CGroup: /system.slice/unbound.service └─4506 /usr/sbin/unbound -d Aug 06 18:53:01 cloudron0 systemd[1]: Started Unbound DNS Resolver. Aug 06 18:53:01 cloudron0 unbound[4506]: [4506:0] notice: init module 0: subnet Aug 06 18:53:01 cloudron0 unbound[4506]: [4506:0] notice: init module 1: validator Aug 06 18:53:01 cloudron0 unbound[4506]: [4506:0] notice: init module 2: iterator Aug 06 18:53:01 cloudron0 unbound[4506]: [4506:0] info: start of service (unbound 1.6.7). root@cloudron0:/tmp# systemctl status nginx ● nginx.service - nginx - high performance web server Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled) Drop-In: /etc/systemd/system/nginx.service.d └─cloudron.conf Active: active (running) since Fri 2021-08-06 14:45:45 UTC; 4h 7min ago Docs: http://nginx.org/en/docs/ Main PID: 980 (nginx) Tasks: 5 (limit: 4915) CGroup: /system.slice/nginx.service ├─ 980 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf ├─29499 nginx: worker process ├─29500 nginx: worker process ├─29501 nginx: worker process └─29502 nginx: worker process Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable. root@cloudron0:/tmp# systemctl status mysql ● mysql.service - MySQL Community Server Loaded: loaded (/lib/systemd/system/mysql.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2021-08-06 14:45:44 UTC; 4h 7min ago Main PID: 756 (mysqld) Tasks: 32 (limit: 4915) CGroup: /system.slice/mysql.service └─756 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

@eddowding Plug: https://git.atridad.dev/CTPR

Instructions: https://git.atridad.dev/CTPR/docs/ctpr-documentation

@ianhyzy ah, good to know! basically, the snap version of docker starts with it's own container data which seems totally separate from the normal docker.

@girish Belated marking as resolved for anybody looking in future. girish did some remote ssh support magic and solved the problem.

@msbt thanks for reporting, fixed in the new package.

@infogulch RTFM myself 😄 nice catch, thanks for that.

@girish Thanks -- you summed up the bug I noticed, and I'll be sure to try the Location-save workaround if I run into any nginx issues in the future.

@girish it's been solved. I did a docker logout and tried again. Got the error again but this time the error was a bit more detailed. Tried it again and it worked.

Thanks!

@girish ah so that’s because I was messing with dind for GitLab runner... whoops. Thanks for taking a look!

@makemrproper I have seen this as well . I am not sure what's causing this. But I will keep this thread open, just in case someone else hits this. I has to restart docker to "fix this" (systemctl restart docker)

It looks like restarting docker and running configure again did the trick. Fixed!

@xaddison the prune is done automatically when needed in the code. Most likely the containers that got removed are the ones that were "stopped". Cloudron runs cron jobs of apps in containers, for example. They will be in stopped state after finishing a run but will be reused in the next run. As for images, not sure what it cleaned up. Do you have the output of what it removed?

@girish Looks good now, yeah likely just a Docker hiccup then I guess. Thanks Girish. 🙂

That's not a docker config file with defaults 😉

I am looking to change various default parameters like runc, DNS, etc..

Gotcha, thanks for the clarification! ☺️

My wording isn't quite correct, it's not full VMs. See below.

https://blog.nestybox.com/2019/09/13/system-containers.html

A Nestybox system container is an enhanced Docker container, designed to package not just applications but also low-level system software.

What type of system software are we talking about? Currently Systemd and Docker, but in the near future software such as Kubernetes, graphical display servers, and others.

The following figure illustrates the difference.

But can’t you do this on a regular Docker container? No you can’t. Not properly.

For example, in order to run Docker inside a regular container (i.e., Docker-in-Docker) you need to run the container in “privileged” mode. This significantly weakens isolation between the container and the underlying host, posing a strong security risk (especially if you don’t trust the workloads running inside the container).

But in some cases even privileged mode is not sufficient. For example, some system level programs read resource consumption information from the kernel (e.g., via the Linux /proc directory). In order for the program to work properly inside a container, such information must be provided relative to the resources assigned to the container itself, not the resources of the underlying host. A regular container does not do this, even when running in privileged mode.

Nestybox system containers are designed to solve these problems.

We can summarize the key properties of a Nestybox system container as:

Runs low-level system workloads (as well as applications).

Provides strong isolation from the underlying host.

Presents a more complete abstraction of a virtual host to its workloads.

Typically runs multiple applications within it (rather than just one app).

One way to look at it is that a regular container packages applications. In contrast, a Nestybox system container packages virtual host environments capable of running applications as well as system-level workloads.
See it work!

Use Cases

But why would you want to run such system-level software inside a container in the first place? I.e., Why do we need system containers?

There are several use cases.

For example, by virtue of running Docker inside the container (securely), the system container can be used for:

CI/CD pipelines (where the need for a container to run another container arises).

Docker sandboxing (e.g., to run multiple Docker instances with total isolation between them).

Our blog site contains articles with practical examples of such use cases.

In the near future, as we add support for more system-level workloads inside the system container, more use cases will open up.

In general, if you have a need for a virtual host that runs many of the same workloads that you could run on a VM, yet is faster and more efficient, then a Nestybox system container is a good fit.

Key Features and Benefits

Deployment with Docker (and Kubernetes)

This allows you to leverage the power of these amazing tools to build, deploy, and manage system containers. No need to learn new tools.

Fast & Efficient

Just like regular application containers.

Strong Container Isolation

Nestybox system containers always use the Linux user namespace.

This means the root user in the system container has full capabilities inside the system container, but none outside of it.

In addition, Nestybox system containers use exclusive Linux user namespace user-ID and group-ID mappings for each system container.

If a process inside the container escapes the container sandbox, it will find itself without privileges to access resources of the host or of other containers.
Image Flexibility

A Nestybox system container image can be created with Docker, just like any Docker container.

However, it typically is configured with an environment resembling a virtual host (e.g., process manager, multiple apps, docker, app containers, graphical display server, etc), although you can also configure it with a single system-level application (e.g., Docker) if you wish. It’s up to you to choose what’s in the image and the entry-point.
Portability

You can deploy Nestybox system containers on any Linux machine, whether it’s bare-metal, a local VM, or a cloud VM, in a data-center, your laptop, an edge device, or even an IoT device.

And as with any Docker container you have the flexibility to move the system container around as you wish. Just upload it to your repo and deploy it on the target machine with Docker.
Partially virtualized procfs

In Nestybox system containers, portions of the Linux procfs (/proc) are virtualized. The goal is to make the system container more closely resemble a real host or VM. For example, the /proc/uptime file returns the container’s uptime, not the underlying host’s uptime.

How does it work?

Nestybox system containers are made possible by Sysbox, our system container runtime.

Sysbox is software that installs on the Linux host machine, integrates with Docker (and soon Kubernetes), and works under the covers.

Users interact with Docker to create the system container image and deploy it, just as with application containers. The difference is that this image can now include system-level software such as Docker itself (for Docker-in-Docker), etc.

The following figure illustrates this.

Running the system container is simple, it only requires passing the --runtime=sysbox-runc flag to Docker:

$ docker run --runtime=sysbox-runc -it my-syscont-image

Under the covers, Sysbox takes care of setting up the system container abstraction so that it can properly run system level workloads.

It’s easy. And you avoid the need for unsecure privileged containers or complex container configurations.

Is it a VM?

No, it’s not. It’s an enhanced container. As with all containers, it uses OS-level virtualization and shares the Linux kernel with the rest of the system. In contrast, VMs use hardware-level virtualization (i.e., emulate hardware in software) and have a dedicated OS per VM.

The following figure illustrates the differences.

This gives system containers and VMs different properties. In particular system containers are faster, more efficient, and more portable (see above) but offer a lesser degree of isolation from the underlying host.

From a workload perspective however, Nestybox is working to make our system containers support as many workloads as VMs can run such that they can present a viable alternative to VMs in some scenarios.

@smilebasti The /home/yellowtent/appsdata is the location of apps. This size seems to roughly match the nextcloud size. As for docker, you should not use du tools inside docker's image directories since they are overlays and the du tool is not smart enough to figure out the size correctly. Try docker system df to get a better idea about the actual size docker uses (this is what is reported in the graph as ~5GB). The volumes also link into appsdata so they might be double counted the du tools.

To take a wild guess, maybe you were backing up to the file system for some time before you moved to NAS via SMB? If this was the case, then you should remove the old backups manually from /var/backups. You can just safely nuke all the timestamped directories and the snapshot directory inside it.

@JOduMonT Yup, we are waiting for the next peertube release to make it stable (there is a bug in current release which makes it hard to finish the setup) and then start posting videos there.

For others looking for examples, there's a bunch of custom app templates I made that should help getting started:

https://git.cloudron.io/cloudron/tutorial-php-app/ https://git.cloudron.io/cloudron/tutorial-nodejs-app https://git.cloudron.io/cloudron/tutorial-basic https://git.cloudron.io/cloudron/tutorial-redis https://git.cloudron.io/cloudron/tutorial-supervisor-app

Not to mention that if your software is closed source you do not need to publish it for all cloudron users if only you want to use it. With a bit of technical knowledge you can build apps yourself (see the link from @mehdi), push it to a private registry and then use the cloudron cli to install it yo your instance.

I am actually hosting a few apps on my Cloudron that I am just building locally (Bitwarden for example before it was available as an official app).

If you don't make your app official you are of course on the hook for maintaining it, but you still benefit from the user management of Cloudron, automatic ssl and backups/easy restore.

https://simply-how.com/free-docker-container-registry lists a few hosted docker registries that offer free private repositories if you don't want to host your own.

Edit: as long as you only need one container you could even use the Docker Hub, as it offers one private image as well.

I can attest that it is definitely NOT a good idea to add more Docker images to a CR box outside of CR. CR assumes it has full use of the box, so, anything additional you add can and possibly will break things 🙂