Mount custom volume in app container

I would like to propose/discsuss the following: How about an option to bind additional Docker volumes for Cloudron apps?

My usecase is the following: As discussed several times in this forum, the built-in backup options of Cloudron are not so well suited for the rather large data directories of Nextcloud. Therefore, I would like to move the Nextcloud data to another volume (which is not included in the Cloudron backup) and change the nextcloud-config to use that as data directory. I would then take care of backing up that directory on the Cloudron host by myself.

I currently implemented that behaviour by creating a symlink of the data directory on the host. @tobru mentioned that in this post and asked how to include it in the backup. I explicitly went that way to exclude a folder from the backup. But that seems like misusing an implementational detail of the Cloudron backup, which might change at some point and should not be done on purpose. Thus my question to bind a custom folder as volume in the app-container.

I know that you plan to implement a per-app choice of tgz/rsync backup-options in one of the upcoming releases. That wouldn't really solve it for me though, as I use the Filesystem backup provider and would end up with an additional copy of my nextcloud data. (I use restic btw, to backup both the Cloudron backup-directory and the nextcloud data folder.)

@hendrikvl Just wanted to report that I switched to volumes which are now implemented in Cloudron 6. I have the Nextcloud-config and apps in appsdata and a separate Nextcloud datadirectory mounted through a volume. Cloudron takes care of backing up appsdata and I backup the NC-datadirectory separately. Works like a charm.

Thanks for implementing that!

Not sure if this has been discussed before, as it seems a quite general question. I could not find it through a search though.

How fast are security updates applied, if you push them to the app store?

I realized that last week a new wordpress package was pushed (see this thread), but it has still not been installed on my cloudron. Even when clicking the Update-button for the app manually, nothing happens.

@girish: You write in the thread mentioned above "Note that unlike most other packages, we have a very large number of WP installs. For this reason, you may not see an update immediately. It will happen over the course of a week from the package announcement."

Does this refer to package updates with new features only? Or is this the case for security updates as well? I mean a week is rather long and might seem okay for new features, but security updates should be applied within a day IMHO.

@girish The release notes of wordpress 5.4.1 mention security issues at least.

My question was of more general nature though and I took this wordpress release as an example only. But if I understand you correctly, you guys have a way to push updates faster, in case they contain security fixes with a high criticality?

Having more control as an admin would be nice of course. If I read about a security issue in an app of which I think it might affect my site, I should be able to update. As your post shows, you are quite quick in packaging a new version.

@girish said in security updates for apps:

Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks small number of instances and not everything simultaneously.

That's what I meant with "push". Of course my Cloudron polls, but your server decides whether I receive an update or not.

So let me rephrase my question: If there is an app update which contains security fixes of high criticiality, does the same "over the course of a week" mechanism apply? Or would all Cloudrons which poll for an update receive it immediately?

@hendrikvl Just wanted to report that I switched to volumes which are now implemented in Cloudron 6. I have the Nextcloud-config and apps in appsdata and a separate Nextcloud datadirectory mounted through a volume. Cloudron takes care of backing up appsdata and I backup the NC-datadirectory separately. Works like a charm.

Thanks for implementing that!

@girish said in security updates for apps:

Over the course of a week, some are given an update and some are not. The main reason for this rollout style is that if we break something, it only breaks small number of instances and not everything simultaneously.

That's what I meant with "push". Of course my Cloudron polls, but your server decides whether I receive an update or not.

So let me rephrase my question: If there is an app update which contains security fixes of high criticiality, does the same "over the course of a week" mechanism apply? Or would all Cloudrons which poll for an update receive it immediately?

@girish The release notes of wordpress 5.4.1 mention security issues at least.

My question was of more general nature though and I took this wordpress release as an example only. But if I understand you correctly, you guys have a way to push updates faster, in case they contain security fixes with a high criticality?

Having more control as an admin would be nice of course. If I read about a security issue in an app of which I think it might affect my site, I should be able to update. As your post shows, you are quite quick in packaging a new version.

Not sure if this has been discussed before, as it seems a quite general question. I could not find it through a search though.

How fast are security updates applied, if you push them to the app store?

I realized that last week a new wordpress package was pushed (see this thread), but it has still not been installed on my cloudron. Even when clicking the Update-button for the app manually, nothing happens.

@girish: You write in the thread mentioned above "Note that unlike most other packages, we have a very large number of WP installs. For this reason, you may not see an update immediately. It will happen over the course of a week from the package announcement."

Does this refer to package updates with new features only? Or is this the case for security updates as well? I mean a week is rather long and might seem okay for new features, but security updates should be applied within a day IMHO.

The postfix generic_maps feature only overwrites the envelope-from.

I actually installed Postfix on my Cloudron Host, listening on the gateway address of the Cloudron-network and used that address as mail server in the Cloudron mail settings. The setup works, but it seems a bit odd to have an extra postfix running just to do the address rewriting.

But using this setup, all my apps can send mails which have the app-specific sender in the From-Header. Only the envelope-from is rewritten to the generic address.

And no, my mail relay does not accept IP whitelisting. It's not a proper mail relay service to be exact, but just a regular mail service with outgoing smtp for authenticated users.

Thanks for the fast response, @girish and cool to hear that you consider to implement it.

I want to use the external SMTP option for the built-in Cloudron mail server. The server which I want to use as a relay server only accepts specific sender addresses though. I think this is the case for many mailservers nowadays.

In the past, when I set up simple app servers, I configured postfix to use a smarthost and used the generic_maps-feature to rewrite the sender address of all outgoing emails. I don't know if that is possible with the built-in mailserver of cloudron. If it is possible, an option in the Cloudron Email relay dialog for a fixed sender address which configures the mailserver that way would be great.

I would like to propose/discsuss the following: How about an option to bind additional Docker volumes for Cloudron apps?

My usecase is the following: As discussed several times in this forum, the built-in backup options of Cloudron are not so well suited for the rather large data directories of Nextcloud. Therefore, I would like to move the Nextcloud data to another volume (which is not included in the Cloudron backup) and change the nextcloud-config to use that as data directory. I would then take care of backing up that directory on the Cloudron host by myself.

I currently implemented that behaviour by creating a symlink of the data directory on the host. @tobru mentioned that in this post and asked how to include it in the backup. I explicitly went that way to exclude a folder from the backup. But that seems like misusing an implementational detail of the Cloudron backup, which might change at some point and should not be done on purpose. Thus my question to bind a custom folder as volume in the app-container.

I know that you plan to implement a per-app choice of tgz/rsync backup-options in one of the upcoming releases. That wouldn't really solve it for me though, as I use the Filesystem backup provider and would end up with an additional copy of my nextcloud data. (I use restic btw, to backup both the Cloudron backup-directory and the nextcloud data folder.)