Updated the app icons on all apps running in my Cloudron instance for fun

Well, I gave myself a fun little short project (took maybe 30 minutes) today where I replaced every app icon in the Dashboard of Cloudron. Here's what it looks like:

I used FlatIcon's website, filtering to Free icons and for Linear Colour as the style. I was surprised at how many fairly accurate icons I could find, even one for my email 'autoconfig' app which I had doubted I'd be able to find a good icon replacement for. Even found separate ones for the two websites which aren't really websites at all but just redirect visitors to another externally hosted website on a different domain (two clients are realtors who just wanted their own short marketing domain name for email and then having the web address forward to their actual realtor's webpage for their own listings), so they're literally just the LAMP app with a single html file which does an immediate redirect.

I may make further changes, or heck I may even revert back to the default app icons in the future, but I thought this was a nice little distraction to change the overall look of the Dashboard by replacing all the app icons with new ones, and ensuring a bit of consistency where possible between them all too so that none of them stood out from others. I think it went fairly well. Just wanted to share to maybe inspire others if they think they'd benefit from some extra bit of flair in their Dashboard.

@jdaviescoates Great idea! I'd definitely love to be a part of something like that.

What I do:
I do freelance web & tech services as a side business, and that includes hosting a bunch of things for customers which I do on Cloudron. Specifically WordPress websites for roughly 15 clients, and recently even some SFTP servers for one client too. Also a nodeBB forum for a client, Bitwarden password manager, email hosting of course, webmail apps, all that jazz. WordPress and email is the vast majority of what I host for my clients, but I get to dabble in other areas too which I like. Oh and web analytics too of course as that's bundled with my web hosting plan I sell to them, and to my surprise many of them actually really like seeing the emailed report from Matomo where they see all the results from each city, country, dates and times of busy traffic, etc. When I started offering it I honestly didn't think too many people would care, but most of them really like that part. I guess it sort of helps justify to them why they have a website in the first place so they can see how many people they're effectively reaching and such too in one area.

I don't necessarily market my services as a Saas-Cloudron or anything like that, just to be clear in case that's kind of what you were asking earlier, but I am very open in spreading the word of Cloudron (sounds like I'm in a cult, lol) to any of my clients that want to learn more about how I manage things, and even link to Cloudron from my website, so generally the customers that actually care to know that stuff all know I'm using Cloudron as the platform for everything.

Quick side story about the SFTP server I recently setup, just because I think it's really cool, haha:
Using Surfer, I setup an SFTP server to bridge a medical clinic (client of mine) administering COVID-19 tests and the lab they hired to actually process the tests. Before, they were emailing constantly between clinic and lab and it was a hassle for them to keep track of everything... and we later found out that the lab they contracted actually had a script which they use for their larger clients I guess - it polls the SFTP server every 5 minutes for a CSV file which the clinic fills it out and saves to the SFTP server for each patient, each patient being it's own row on the CSV. It's streamlined their entire process now - just that one thing alone - to the point where they get their results much faster now from the lab and can then forward that to the patients much quicker than before as it's way less overhead in communications between the lab and clinic. Once I heard about this and set it up for them and learned how much better it made things for them, honestly I was humbled in a way, I consider myself fortunate to have been a very very very tiny part of that process to ensure people can get their COVID-19 test results sooner. It really wasn't much work on my part at all, Cloudron made it easy to implement! It was still cool to be a part of an improvement to this essential service in my region none-the-less.

Sorry I'm rambling on now, lol, the answer to your original question is "Yes, I offer services to my clients that I host using Cloudron". haha.

These apps serve different purposes, so I don't think one can really answer the question without knowing the use-case.

My suggestion is if you only care about webmail, then Rainloop wins. It's quicker, nicer interface (IMO), intuitive, etc. If you however also want to manage a calendar and contacts, then SOGo is likely the better one as Rainloop does mail and contacts only, no calendar or anything like that. And even for contacts, it's differently managed - Rainloop simply stores them, but SOGo "hosts" them so they're also accessible via CardDAV protocols into apps like Contacts on macOS or iOS, Calendar on macOS, etc.

Basically, Rainloop is a webmail client whereas SOGo is what's called "groupware" as it will sync contacts, calendars, tasks, etc. in addition to the mail client role.

If you elaborate on your use-case, then people can probably give you a more accurate answer. Hopefully the above helps in the meantime.

I've been spending a long time lately on spam improvements on the Cloudron mail server. I've made a ton of improvements and while still not perfect (it never will be) it's a giant leap over how it was a few weeks ago.

I already made some updates in the other post on DNSBLs, for anyone who hasn't seen that already.

I've also improved the spam classifications for anything that gets past the DNSBLs. It was already pretty decent at classifying spam that was spam with no false-positives, however there was still a good amount getting to the inbox for some users in particular. I've trained them to use the spam folder and archive folder accordingly to train the filter for their account, but I also made a whole bunch of tweaks in the custom rules to overwrite scoring server-wide.

Tip: You can easily override the default SpamAssassin scores or even create your own rules using the Custom Spam Filtering Rules feature in Cloudron.

I thought I'd share what I have currently which adds in a few new providers as well as increasing the scores from their defaults. Here is what I've got currently and it seems to be working very well for me and my users with no false-positives that I can find and much more in the spam box where they should be. Feel free to adapt of course for your own servers.

The main highlights of the changes I made was the following:

• Increasing the scores for various DNSBLs where appropriate from their defaults
• Increasing the scores for SPF failures but keeping them still reasonable as not ever mail server has setup SPF correctly even if legitimate
• Modifying the scores for the BAYES_ learning ones, scoring them according to their confidence levels (and a bit above the default in most cases)
• Added three new DNSBLs for SpamAssassin (seen at the bottom of the list) which when combined with the overall scoring changes for DNSBLs built-in has provided a noticeable improvement in spam recognition

# scoring DNSBLs (blocklists & allowlists)
score RCVD_IN_BL_SPAMCOP_NET 2.0
score RCVD_IN_DNSWL_NONE 0.5
score RCVD_IN_DNSWL_LOW -0.5
score RCVD_IN_DNSWL_MED -2.5
score RCVD_IN_DNSWL_HI -5.0
score RCVD_IN_GBUDB 4.0
score RCVD_IN_JMF_BL 3.0
score RCVD_IN_MSPIKE_H3 -2.0
score RCVD_IN_MSPIKE_H4 -3.0
score RCVD_IN_MSPIKE_H5 -3.5
score RCVD_IN_MSPIKE_L3 2.0
score RCVD_IN_MSPIKE_L4 3.0
score RCVD_IN_MSPIKE_L5 3.5
score RCVD_IN_MSPIKE_WL 0
score RCVD_IN_MSPIKE_ZBI 4.0
score RCVD_IN_SBL 3.0
score RCVD_IN_SORBS_BLOCK 2.0
score RCVD_IN_SORBS_DUL 2.0
score RCVD_IN_SORBS_HTTP 2.0
score RCVD_IN_SORBS_MISC 2.0
score RCVD_IN_SORBS_SMTP 2.0
score RCVD_IN_SORBS_SOCKS 2.0
score RCVD_IN_SORBS_SPAM 2.0
score RCVD_IN_SORBS_WEB 2.0
score RCVD_IN_SORBS_ZOMBIE 2.0
score RCVD_IN_SPAMRATS 4.0
score RCVD_IN_XBL 3.5
score RCVD_IN_PBL 3.5
score RCVD_IN_SBL_CSS 3.5
score RCVD_IN_ZEN_BLOCKED_OPENDNS 0.5
score RCVD_IN_ZEN_BLOCKED 0.5

# scoring URIBLs
score URIBL_ABUSE_SURBL 3.0
score URIBL_BLACK 3.0
score URIBL_CR_SURBL 3.0
score URIBL_CSS 2.0
score URIBL_CSS_A 2.0
score URIBL_DBL_ABUSE_BOTCC 2.0
score URIBL_DBL_ABUSE_MALW  2.0
score URIBL_DBL_ABUSE_PHISH 2.0
score URIBL_DBL_ABUSE_REDIR 2.0
score URIBL_DBL_ABUSE_SPAM 2.0
score URIBL_DBL_BLOCKED 2.0
score URIBL_DBL_BLOCKED_OPENDNS 2.0
score URIBL_DBL_BOTNETCC 2.0
score URIBL_DBL_ERROR 2.0
score URIBL_DBL_MALWARE 2.0
score URIBL_DBL_PHISH 2.0
score URIBL_DBL_SPAM 2.0
score URIBL_GREY 1.5
score URIBL_MW_SURBL 2.0
score URIBL_PH_SURBL 2.0
score URIBL_RED 2.5
score URIBL_RHS_DOB 2.0
score URIBL_SBL 2.0
score URIBL_SBL_A 2.0
score URIBL_WS_SURBL 2.0
score URIBL_ZEN_BLOCKED 2.0
score URIBL_ZEN_BLOCKED_OPENDNS 2.0

# scoring SPF & DKIM
score DKIM_INVALID 1.0
score DKIM_SIGNED -0.5
score DKIM_VALID -0.5
score DKIM_VALID_AU -0.5
score DKIM_VALID_EF -0.5
score DKIM_VERIFIED -1.0
score SPF_FAIL 2.0
score SPF_HELO_FAIL 2.0
score SPF_HELO_NEUTRAL 0.5
score SPF_HELO_NONE 0.5
score SPF_HELO_PASS -0.5
score SPF_HELO_SOFTFAIL 1.0
score SPF_NEUTRAL 0.5
score SPF_NONE 0.5
score SPF_PASS -0.5
score SPF_SOFTFAIL 1.5

# scoring BAYES
score BAYES_00 -1.5
score BAYES_05  -1.0
score BAYES_20  -0.5
score BAYES_40  0.5
score BAYES_50  1.0
score BAYES_60  1.5
score BAYES_80  2.0
score BAYES_95  3.0
score BAYES_99  4.5
score BAYES_999 5.0

# additional scoring tweaks
score BILLION_DOLLARS 2.0
score FREEMAIL_FROM 0.5
score HEADER_FROM_DIFFERENT_DOMAINS 3.5
score HTML_FONT_LOW_CONTRAST 2.0
score HTML_MESSAE 0.5
score LOTS_OF_MONEY 1.5
score MISSING_HEADERS 1.0

# add GDUB TRUNCATE DNSBL
header RCVD_IN_GBUDB eval:check_rbl('gbudb', 'truncate.gbudb.net.')
describe RCVD_IN_GBUDB Listed in truncate.gbudb.net
tflags RCVD_IN_GBUDB net

# add JMF-Black DNSBL
header RCVD_IN_JMF_BL eval:check_rbl('jmfbl', 'black.junkemailfilter.com.')
describe RCVD_IN_JMF_BL Listed in black.junkemailfilter.com
tflags RCVD_IN_JMF_BL net

# add Spamrats DNSBL
header RCVD_IN_SPAMRATS eval:check_rbl('spamrats', 'all.spamrats.com.')
describe RCVD_IN_SPAMRATS Sender listed in all.spamrats.com
tflags RCVD_IN_SPAMRATS net

@imc67 I definitely agree, lots of areas for improvements.

I do have one item of your post I wanted to share my two cents on though...

Wordfence imho needs to be installed by default in Wordpress

This is just my personal view so take it with a grain of salt of course, I don't think there's really any right or wrong way to it. My two cents...

I have the belief that we should aim to keep all apps (WordPress included) about as close to default as the developer intended for the app, leaving Cloudron to just handle the default user and mail config for the app, etc. I think it's a bit of a slippery slope to add in all these extras regardless of how important they may be for certain use-cases, because the line needs to be drawn somewhere of course and deciding where that line is isn't particularly clear. In such a case, I'd ere on the side of "keep it as close to default as possible as intended by the developer" to stay free of any tightrope walking so-to-speak. haha.

For WordPress in particular, there's practically hundreds of thousands of plugins available, some of which are "default installs" in my environments where I have a template setup with the ones I use all the time for example, but I would never want to force my defaults on others because what works for me or the plugins I prefer to use may not work or be preferred by other users. Security plugins are one area where there's a ton of them, and there was a similar discussion not too long ago I had regarding a suggestion for including a caching plugin by default too.

And that's kind of the slippery slope I am referring too... what is the criteria for when a "default plugin suggestion" gets approved, and when would one get denied?

I just really want to see apps be as close to default as possible. But of course that's just my two cents. I'm sure many might disagree with me. haha.

I totally agree with the rest of your suggestions though, I would love to see the improvements for additional security in the Cloudron server itself. I completely forgot about the GEO-blocking request for countries, that'd be pretty great to have!

As Radicale isn't the most RFC-compliant (they even state that's not their goal), it'd be nice to have a more compliant CardDAV and CalDAV server to use as an alternative to Radicale, SOGo, and Nextcloud.

A good one I have seen recommended often is "sabre/dav". It's also updated more often than Radicale too from what I can tell. I think this would be a great addition for those people who want a more pure CalDAV and CardDAV server.

https://sabre.io/dav/
https://github.com/sabre-io/dav

I just realized from comments on a different thread that you now have yearly/annual pricing which is a generous discount per month. I may have missed the announcement of those pricing changes, not sure when that came into effect but I appreciate it.

As a Canadian who ends up paying even more than the listed price due to currency conversion between USD and CAD, I am very thankful for the chance to have that discount by paying for a year in advance. Of course one has to have the means to be able to justify a year up-front, but I can definitely see myself using this for a year or more at least.

As a result, I have changed my plan from monthly to yearly, and I just wanted to say thank you. This brings down my total cost of ownership (TCO) by quite a bit. This takes me down from roughly $40 CDN to $20 CDN, saving me $20 a month, or $240 over the course of the year.

Anyways, ultimately I really just wanted to say thank you, and hopefully let others know about this too in case it helps them. This was a pleasant surprise to see.

Reference: https://cloudron.io/pricing.html

@girish It's also quicker to do from Cloudron at times depending on the VPS host as well. For example I'm hosted currently at OVH and it's not the nicest control panel, not super mobile friendly either and takes me about 6 clicks to get to the reboot option. Cloudron is only about 2 (login > System).

Just wanted to check in and see how 6.3 is coming along.

Any ETA by chance? I'm super excited for these email improvements many of us have been requesting, particularly the DNSBL checks; greylisting; blocklist & whitelist auto-updating/DNSWL; email autoexpunge; and not forwarding spam to mailing lists. I know that's a lot, lol.

I know many of them came from me, haha, so if you want to discuss any of them or want clarification on the requests, I'd be happy to help offer guidance or clarification.

It'd be great to have the ability to add comments to backups, particularly app backups.

My example use-case: I have a WordPress app running, which I am working on some performance-projects. I'm making backups after each different plugin change for example to be able to easily restore back to baseline and after certain plugin changes. After making so many app backups, it can be difficult to later remember which one was the baseline, which one was for any particular plugin change, etc.

Having the ability to add notes to app backups would be a great way to handle that type of use-case.

I picture the UI with a small icon next to each backup to easily add notes. Then to view them, it'd be great to have it either pop-up when hovering over a backup or to perhaps have a short accordion effect to expand the notes applied to the backup. The latter would be more mobile-friendly as mobile devices don't really have the ability to "hover" over items.

@fbartels I concur with your conclusion - that was my understanding too. I just assume in the further future that it may evolve to be more of a HA feature too since that was what users also had been clamouring for.

@jagan I really don't think this will be too feasible for Cloudron to add, but I mean if the Cloudron team can do it then that's great. I don't think anyone can complain about improved compatibilities and integrations that improve important items like monitoring.

I just want to make a quick clarification though because you said you were "not an expert" and thought maybe this could be a bit of a teaching moment. Ignore the rest though if you're more experienced than I'm assuming you to be based on your earlier statement.

Cloudways and Cloudron are very different beasts. They share some level of overlap for sure, but they have different audiences and different goals and different problems they intend to solve for users. Cloudways sets up your server for you so it has a deep integration into everything about the server which means monitoring will be much easier for them to do since they're building the servers themselves. Cloudron on the other hand does not set up any servers for you, it's a manual process to get it setup. Cloudron is basically a further step removed from actually managing the server itself than Cloudways, since that's not Cloudron's goal.

Cloudron is there to manage itself and the files and services it requires only, not everything else about the server. It is not sold as a "managed server" provider. Of course the overlap means there is still a need to monitor things like memory and CPU usage, disk space, etc. and install necessary updates on occasion, but that's about it. Outside of that, Cloudron is really only responsible for itself and what it needs, not the entirety of the server. Conversely, Cloudways' literally selling you a service to manage the entirety of the server for you. So naturally Cloudways would be able to do a lot more on that level, which Cloudron is not really targeted to do (yet).

They basically serve very different purposes, with only a bit of overlap. I hope that helps clarify things a bit. Sorry in advance if you already knew all of that above, just figured I'd maybe try to explain a bit so that you're not expecting Cloudron to do basically everything Cloudways does down the road.

I still agree though, I think it'd be awesome if Cloudron could add that type of functionality to improve monitoring, I just don't expect that it'll be very feasible for them to do at all given where they sit on the server.

Ah interesting, I thought they were already in the main admin account given they said:

logged in my main cloudron user

haha. Oh well, good to know it's resolved now.

@nebulon Okay, I've further lowered the backup config and will hope that works for now. I just don't quite get why memory is an issue when my server never seems to go much beyond 5 GB used out of 8 GB. Nothing really changed outside of moving to Vultr, and even then that was about 1.5 months ago and this issue only started in the past week or so.

@girish I think that might be an improvement worth considering, no? Making the necessary changes would (I think)...

1. Make it clear to monitoring tools and manual checks by users which processes being run are local to the host and which are from containers, particularly useful when multiple instances of a service are being run both on the host and container.

2. Follow what appears to be "best practices" when running containers.

3. Improve security in certain situations.

Admittedly these may be minor and not worth the overhead, but now that I'm aware of the behaviour, I'm a bit irked by it as it currently prevents me from easily identifying which services are container-run and which are local to the host, as well as making it confusing to which user is actually running the process listed.

@girish I'd just assume these permissions should be consistent, no? What I was trying to do was run a command like nano /home/yellowtent/boxdata/mail/vmail/*/sieve/roundcube.sieve to edit all the sieve filters for the mailboxes. Not too long ago (maybe a few weeks ago) I was able to run that command and edit them all. Now, it only loads a few of them. I'm unsure what changed, and that's when I noticed the permissions discrepancies in the vmail folder.

Just encountered the issue again.

Here are the latest logs:

Jun 17 03:13:17 my kernel: redis-server invoked oom-killer: gfp_mask=0x100cca(GFP_HIGHUSER_MOVABLE), order=0, oom_score_adj=0
Jun 17 03:13:17 my kernel: CPU: 1 PID: 6436 Comm: redis-server Not tainted 5.4.0-74-generic #83-Ubuntu
Jun 17 03:13:17 my kernel: Hardware name: Vultr HFC, BIOS  
Jun 17 03:13:17 my kernel: Call Trace:
Jun 17 03:13:17 my kernel:  dump_stack+0x6d/0x8b
Jun 17 03:13:17 my kernel:  dump_header+0x4f/0x1eb
Jun 17 03:13:17 my kernel:  oom_kill_process.cold+0xb/0x10
Jun 17 03:13:17 my kernel:  out_of_memory.part.0+0x1df/0x3d0
Jun 17 03:13:17 my kernel:  out_of_memory+0x6d/0xd0
Jun 17 03:13:17 my kernel:  __alloc_pages_slowpath+0xd5e/0xe50
Jun 17 03:13:17 my kernel:  __alloc_pages_nodemask+0x2d0/0x320
Jun 17 03:13:17 my kernel:  alloc_pages_current+0x87/0xe0
Jun 17 03:13:17 my kernel:  __page_cache_alloc+0x72/0x90
Jun 17 03:13:17 my kernel:  pagecache_get_page+0xbf/0x300
Jun 17 03:13:17 my kernel:  filemap_fault+0x6b2/0xa50
Jun 17 03:13:17 my kernel:  ? unlock_page_memcg+0x12/0x20
Jun 17 03:13:17 my kernel:  ? page_add_file_rmap+0xff/0x1a0
Jun 17 03:13:17 my kernel:  ? xas_load+0xd/0x80
Jun 17 03:13:17 my kernel:  ? xas_find+0x17f/0x1c0
Jun 17 03:13:17 my kernel:  ? filemap_map_pages+0x24c/0x380
Jun 17 03:13:17 my kernel:  ext4_filemap_fault+0x32/0x50
Jun 17 03:13:17 my kernel:  __do_fault+0x3c/0x130
Jun 17 03:13:17 my kernel:  do_fault+0x24b/0x640
Jun 17 03:13:17 my kernel:  __handle_mm_fault+0x4c5/0x7a0
Jun 17 03:13:17 my kernel:  handle_mm_fault+0xca/0x200
Jun 17 03:13:17 my kernel:  do_user_addr_fault+0x1f9/0x450
Jun 17 03:13:17 my kernel:  __do_page_fault+0x58/0x90
Jun 17 03:13:17 my kernel:  do_page_fault+0x2c/0xe0
Jun 17 03:13:17 my kernel:  do_async_page_fault+0x39/0x70
Jun 17 03:13:17 my kernel:  async_page_fault+0x34/0x40
Jun 17 03:13:17 my kernel: RIP: 0033:0x5642ded5def4
Jun 17 03:13:17 my kernel: Code: Bad RIP value.
Jun 17 03:13:17 my kernel: RSP: 002b:00007ffe39d1f480 EFLAGS: 00010293
Jun 17 03:13:17 my kernel: RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00005642dedb5a14
Jun 17 03:13:17 my kernel: RDX: 0000000000000001 RSI: 00007f6c13408823 RDI: 0000000000000002
Jun 17 03:13:17 my kernel: RBP: 0000000000000000 R08: 0000000000000000 R09: 00007ffe39d1f3d8
Jun 17 03:13:17 my kernel: R10: 00007ffe39d1f3d0 R11: 0000000000000000 R12: 00007ffe39d1f648
Jun 17 03:13:17 my kernel: R13: 0000000000000002 R14: 00007f6c1341f020 R15: 0000000000000000
Jun 17 03:13:17 my kernel: Mem-Info:
Jun 17 03:13:17 my kernel: active_anon:961079 inactive_anon:871527 isolated_anon:0
Jun 17 03:13:17 my kernel: Node 0 active_anon:3844316kB inactive_anon:3486108kB active_file:624kB inactive_file:464kB unevictable:18540kB isolated(anon):0kB isolated(file):20kB mapped:900656kB dirty:0kB writeback:0kB shmem:1207700kB shmem_thp: 0kB shmem_pmdmapped: 0kB anon_thp: 0kB writeback_tmp:0kB unstable:0kB all_unreclaimable? no
Jun 17 03:13:17 my kernel: Node 0 DMA free:15900kB min:132kB low:164kB high:196kB active_anon:0kB inactive_anon:0kB active_file:0kB inactive_file:0kB unevictable:0kB writepending:0kB present:15992kB managed:15908kB mlocked:0kB kernel_stack:0kB pagetables:0kB bounce:0kB free_pcp:0kB local_pcp:0kB free_cma:0kB
Jun 17 03:13:17 my kernel: lowmem_reserve[]: 0 2911 7858 7858 7858
Jun 17 03:13:17 my kernel: Node 0 DMA32 free:44284kB min:24988kB low:31232kB high:37476kB active_anon:1420788kB inactive_anon:1398328kB active_file:0kB inactive_file:360kB unevictable:0kB writepending:0kB present:3129200kB managed:3063664kB mlocked:0kB kernel_stack:9504kB pagetables:29712kB bounce:0kB free_pcp:1560kB local_pcp:540kB free_cma:0kB
Jun 17 03:13:17 my kernel: lowmem_reserve[]: 0 0 4946 4946 4946
Jun 17 03:13:17 my kernel: Node 0 Normal free:42004kB min:42460kB low:53072kB high:63684kB active_anon:2423528kB inactive_anon:2087780kB active_file:588kB inactive_file:808kB unevictable:18540kB writepending:0kB present:5242880kB managed:5073392kB mlocked:18540kB kernel_stack:29040kB pagetables:53096kB bounce:0kB free_pcp:3512kB local_pcp:676kB free_cma:0kB
Jun 17 03:13:17 my kernel: lowmem_reserve[]: 0 0 0 0 0
Jun 17 03:13:17 my kernel: Node 0 DMA: 1*4kB (U) 1*8kB (U) 1*16kB (U) 0*32kB 2*64kB (U) 1*128kB (U) 1*256kB (U) 0*512kB 1*1024kB (U) 1*2048kB (M) 3*4096kB (M) = 15900kB
Jun 17 03:13:17 my kernel: Node 0 DMA32: 3172*4kB (UME) 1384*8kB (UE) 744*16kB (UME) 242*32kB (UME) 15*64kB (UME) 0*128kB 0*256kB 0*512kB 0*1024kB 0*2048kB 0*4096kB = 44368kB
Jun 17 03:13:17 my kernel: Node 0 Normal: 157*4kB (UME) 2012*8kB (UMEH) 976*16kB (UMEH) 291*32kB (UME) 4*64kB (M) 2*128kB (M) 1*256kB (M) 0*512kB 0*1024kB 0*2048kB 0*4096kB = 42420kB
Jun 17 03:13:17 my kernel: Node 0 hugepages_total=0 hugepages_free=0 hugepages_surp=0 hugepages_size=2048kB
Jun 17 03:13:17 my kernel: 337832 total pagecache pages
Jun 17 03:13:17 my kernel: 33532 pages in swap cache
Jun 17 03:13:17 my kernel: Swap cache stats: add 413059, delete 379528, find 3909879/3976154
Jun 17 03:13:17 my kernel: Free swap  = 0kB
Jun 17 03:13:17 my kernel: Total swap = 1004540kB
Jun 17 03:13:17 my kernel: 2097018 pages RAM
Jun 17 03:13:17 my kernel: 0 pages HighMem/MovableOnly
Jun 17 03:13:17 my kernel: 58777 pages reserved
Jun 17 03:13:17 my kernel: 0 pages cma reserved
Jun 17 03:13:17 my kernel: 0 pages hwpoisoned
[...]
Jun 17 03:13:17 my kernel: oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=ac3d3b89315a33f079b879cebf2fa7d68e0512640f9a7ab16e1b9c79b192fa1b,mems_allowed=0,global_oom,task_memcg=/system.slice/box-task-10731.service,task=node,pid=1757378,uid=0
Jun 17 03:13:17 my kernel: Out of memory: Killed process 1757378 (node) total-vm:2615204kB, anon-rss:1725444kB, file-rss:0kB, shmem-rss:0kB, UID:0 pgtables:8244kB oom_score_adj:0
Jun 17 03:13:17 my kernel: oom_reaper: reaped process 1757378 (node), now anon-rss:0kB, file-rss:0kB, shmem-rss:0kB
Jun 17 03:13:17 my sudo[1757377]: pam_unix(sudo:session): session closed for user root
Jun 17 03:13:17 my systemd[1]: box-task-10731.service: Main process exited, code=exited, status=50/n/a
Jun 17 03:13:17 my systemd[1]: box-task-10731.service: Failed with result 'exit-code'.

This time it wasn't MySQL but was redis apparently?

The system memory output is below too:

free -h
              total        used        free      shared  buff/cache   available
Mem:          7.8Gi       4.5Gi       237Mi       1.2Gi       3.1Gi       1.8Gi
Swap:         980Mi       969Mi        11Mi

@girish - I stumbled across this article: https://blog.dbi-services.com/how-uid-mapping-works-in-docker-containers/

The article seems to imply (unless I'm misunderstanding it) that it may be a good practice to create a user on the host system that matches up with the user running the service in each container. So in other words, taking mysql as the example... on the Ubuntu host the mysql user should be a known user that's created with UID 2000 for example, and then in the Docker container for MySQL it'll also run with a UID of 2000. Then for something like mongodb, it'll be a host user with UID 2001 for example and then the user running mongodb in the container will also run with the UID of 2001. You're definitely allowed to create users with a specific UID, so hopefully this is all doable.

The above makes it a bit more secure from what I'm reading, plus of course for the "OCD" in all of us it keeps things cleaner and easier to understand what's happening when looking at top of a ps output for example.

Another article that is similar in nature is this one: https://medium.com/@mccode/understanding-how-uid-and-gid-work-in-docker-containers-c37a01d01cf

I'm just wondering if this is an improvement that should and could be made to Cloudron's images for at least the fundamental services that Cloudron deploys and runs in both host and containers.

I guess I'm not convinced the current setup is the ideal setup for people. Since Cloudron is mean to to be deployed on brand new Ubuntu systems, there should be no real need to accomodate other UIDs which may be present on some providers and not others because you can simply choose a really high UID that no default Ubuntu image should be using. Hopefully the above makes sense. Please correct me if I'm misunderstanding some of this.

@nebulon For what it's worth, I don't see that flag mentioned anywhere in the docs.cloudron.io system - maybe I missed it? If it's not there, I guess it needs to be added (and any other flags perhaps that aren't listed yet). Great to know it's there though!

@jagan It's a bit of a slipper slope in my opinion, because there are a large number of monitoring agents out there for different monitoring software, and it would not be seen as "clean" to have all of them pre-installed for easy use. I'm not certain if Cloudron could easily integrate something like that into their UI because typically something like new relic is for server monitoring, not specifically one application (though I think that's possible too, I'm not super familiar with New Relic, only used it a few times), not to mention how the Cloudron UI would then need to work for many different agent types too. I don't think this is something that's too feasible to do at all - my best guess anyways.