(Question) How can I stop Cloudron from starting automatically?

3246

For context, I am planning to manually mount encrypted volumes (/home, /backups) and would like to prevent Cloudron from starting until I have done so. I am unsure if there is a service to disable or anything else?

Related: https://forum.cloudron.io/topic/2939/optional-full-disc-encryption/19?_=1650817812249, https://forum.cloudron.io/post/21878

fbartels

Hi @3246,

I have not tested it, but the heart of cloudron is as far as I know the "box" service. So I'd suggest disabling this service through systemd. Or even better mount your volumes as a systemd unit and make the box service dependent on it.

girish

@3246 Interesting question!

Doesn't ubuntu ask for some password in the boot sequence when trying to decrypt home already? If so, we should try to latch on to that ideally. As @fbartels said, there's a whole bunch of things here - docker, box, unbound, nginx, log service etc which all depend on "home".

girish

Apparently, ubuntu does not support encrypting part of a disk anymore per https://www.linuxuprising.com/2018/04/how-to-encrypt-home-folder-in-ubuntu.html since eCryptfs is buggy, under-maintained and they recommend full disk encryption. Of course, if you use full disk encryption, you don't need to worry about systemd service ordering since it will ask you the password on boot.

Can you tell me how you have setup the encryption ?

3246

@fbartels @girish thank you. I have not build it yet but am planning to next week if time permits

That's a bummer to hear that encrypting just /home is no longer recommended. I am not sure how I will be able to enter my password at boot, although I will give it a try using Scaleway's(1) console.

I also need to see if I can install Ubuntu using an ISO.

(1) I am planning to give their new "Elastic Metal" a try

girish

@3246 linode can do this apparently - https://www.linode.com/docs/guides/use-luks-for-full-disk-encryption/ . You enter password in the "console". Not sure if scaleway has a web console.

3246

@girish it does, yes. They also have a KVM style one for their "elastic metal" service. I'll give this a try and report back. My main question is whether I can install the OS from an image or if I have to use one of theirs. Otherwise, I may have to find another host

bwag

I had the same question and a very similar motivation. In my case, the boot disk is not encrypted, but an external disk where I store some of the apps' data, like my photos, is encrypted. (By the way, one nice benefit of encrypting a disk is that when it fails, you can just get rid of it without as much worry that personal information can be recovered.)

In my experience, the apps don't handle it gracefully when the server boots first and the external drive is mounted second. I have to manually go through and restart each app after that.

It sounds like a good solution is to set box.service to not start automatically, and to start it manually once I decrypt and mount the external drive?

girish

@bwag the apps run separately from the box service. So, you have to disable docker.service as well .

I haven't tried this but I would try something like this:

• systemd has a concept of drop-ins. these unit files overwrite the existing ones. So, I would create a /etc/systemd/system/box.service.d/custom.service and the same for docker as well.
• In the custom service files, add a After=my-disk-mounter.service (there is also Wants and Requires). my-disk-mounter can be a Type=oneshot , which you start manually only after you mount things.
• Then, systemctl start my-disk-mounter would automatically start docker and box

The above solution should also be update safe in general.

bwag

Thank you, @girish !

bwag

Edit: fixed. I found docker.service inside /etc/systemd/system/multi-user.target.wants/

I didn't get this to happen: "Then, systemctl start my-disk-mounter would automatically start docker and box." But that's ok. I run a manual startup script that prompts for the encryption password, mounts the disk, then starts all the systemd services. Instead of my-disk-mounter.service, I have check-that-all-disks-are-properly-mounted.service which is Required by box and docker. Thanks again.