Software Engineer turned Director at a Silicon Valley company.
After the switch to management I was eager for a technical project and decided to take on self hosting for privacy and ethical reasons as well as the technical challenge. I’ve made several attempts at managing all my self hosted services from scratch and eventually found Cloudron.
I've got a branch where I've almost gotten LDAP syncing fully working, but invites don't seem to be working properly.
Even if I try to send an invite directly through the web interface, it just hangs. The user shows in the list, however the logs never show a success or failure response for the request. I've checked the SMTP settings and they appear to be correct. I'll keep debugging though.
https://git.cloudron.io/iamthefij/bitwardenrs-app/tree/ldap-sync
@yusf What are you wanting to see incorporated? The directory sync connector?
That diff that @girish linked is to add experimental support for the upstream Directory Connector APIs to allow you to use the upstream connector.
The directory connector could probably be added as a separate app much like ONLYOFFICE is with Nextcloud.
Alternately, I wrote the original bitwarden_rs_ldap connector, which was supported from within the single install. It was auto configured and then triggered by a timer every 5 min to auto send invites. The reason it wasn't included in the final Cloudron release was because the LDAP connector doesn't in the same way as other Cloudron apps and it was confusing to the users who were testing.
As @girish said, it works by sending users invites. Passwords cannot be synced because the Bitwarden server never even gets to know your password.
It looks like it has been removed, but we could probably patch back in the old LDAP sync at least and make it something that could be configured using file manager or the terminal as an advanced feature.
It would seem that supporting Keycloak would be a great way to still only really have to maintain LDAP on the Cloudron side and then add support for OpenID Connect, OAuth 2.0
and SAML 2.0.
I've never set up Keycloak though, so I can't speak to it's ease of use or maintaining, but it is often recommended when people talk about FOSS Identity and Access Management tools.
@nicolas Are your wordpress instances up to date? Do you have plugins installed in those instances?
That's where my mind goes immediately.
I'm working on packaging Authelia as a Cloudron app, which is slightly different.
Use case is that I have a second server with some services that I would like to authenticate against my Cloudron LDAP.
LDAP syncing is now available for bitwarden_rs. Check it out on the wiki.
Do you have your app shared on git.cloudron.io yet? If so I can help contribute.
Got it working! Turns out I needed to enable SMTP_EXPLICIT_TLS.
Now I just have to schedule the sync task and do some cleanup. Should have a fully ready app soon.
@will just a note, I don't believe fbartels version supports a using a dump for backing up the database. This means that if the backup is taken while the db is in a transaction, it could be corrupted.
Bitwarden_rs now supports an admin API for making sqlite backups, but does not have any cron embedded. Similar to the way the LDAP sync tool works, an additional script could be added to periodically make dumps of the sqlite database so that it can be properly backed up.
Instead, the version I have is using MySQL, which leverages the native Cloudron backup and restore functionality.
That and the LDAP invite service are the real differences between the two forks. If you do not wish to use automated LDAP invites on my fork, you can select to opt out when installing. This is covered in the readme.
@yusf Yea, the Readme describe the reasoning.
There is no way to actually do true SSO without breaking the model for Bitwarden. The only thing that we can do is automatically invite users to sign up.
The Bitwarden_rs project doesn't have a way to invite without sending an email as when an SMTP server is configured, it will generate unique invite links for each user.
If you disable SSO, you only disable the auto-invite feature. You will then need to invite yourself via the Admin panel (admin token is echoed in the logs and in /app/data/admin_token). You can then invite anyone else you wish manually.
Way back when this first came up in 2017, there was a discussion on the issue boards for Ubuntu. This is the response from the PM at Canonical who added the feature including an explanation of how it has been used in the past and how they intend to use it.
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068/comments/11
It can be disabled entirely by running sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news (source).
Debian support would be great, but I thought I'd present a bit more information for folks stumbling on this to read up on and make a decision on how they want to manage their server.
I'd prefer to restrict a Cloudron instance to a particular zone rather than use the Global API Key. Whenever I do so, I get an error from Cloudron. What should the account be scoped to? Or is it even possible to use this?
After making a few upstream patches to Authelia, I've gotten an Authelia Cloudron App running! (yay!)
Unfortunately it won't work due to the Cloudron Nginx config. (Bummer!)
Repo and context for those interested https://git.cloudron.io/iamthefij/authelia-app
Would be cool to have still, but I'm not ready to dig through the Nginx changes given how broad the impact would be.
@JOduMonT First off, that site is just reviewing app permissions. It’s docking Signal for requesting things like access to camera (used for taking and sending photos). That’s not really relevant here.
From a security standpoint, the Signal protocol is the gold standard for secure messaging. Other apps , like WhatsApp have even implemented it themselves.
Signal is also a non-profit and spends a considerable amount of effort in reducing knowledge needed to operate on the server. Their goal is to get to a point you don’t have to trust the server at all.
I have never heard of the app you’re recommending, but I don’t see any information about how they manage their encryption. Their website link (from Google Play) lands on some obscure website that doesn’t really load unless I turn off my tracker blockers. The site then doesn’t really indicate why I should trust them. No information on their funding or security. Also, the Play Store listing says it includes Ads. Which is a huge no-no for privacy.
Telegram is a popular app, but Signal is often recommended for security/privacy. First off, Telegram offers both encrypted and unencrypted messaging and defaults to unencrypted. Group messages cannot even be encrypted at all. In Signal, all is encrypted. Furthermore, when using encryption, Telegram uses a custom crypto algorithm they wrote rather than industry trusted ones like Signal does. This goes against a common maxim in the security industry “don’t roll your own crypto”. It could be just as secure, but less eyes on it means we just don’t know enough about it. Most professionals prefer a tried and true system.
Anyway, I’m pretty passionate about secure messaging, so I’ve done a bit of research here. All that said, unless they are willing to switch, the best one is the one your friends are using. Messaging is useless if you’re the only one with it. Kinda relates to the article will posted about encrypted email in the first place.
Thanks @nebulon! I'm just realizing that we should be able to improve the experience by using making the default env be SIGNUPS_DOMAINS_WHITELIST=$CLOUDRON_MAIL_DOMAINS, so signups can only be from the the domains that the users have configured for email. A few caveates though, I'm not sure how that variable gets set if you use a relay and it also looks like only $CLOUDRON_MAIL_DOMAIN is set for me, maybe because I have only one email domain.
@jdaviescoates Mailpile has both those features: https://www.mailpile.is/
Might be a good app request.
@nebulon Why do you say that? Is there something wrong with SQLite? Or you just worried about when support is eventually added?
Any insights on the issues accessing the API from a scheduled task? It would be good to get this resolved anyway.
@nebulon said in Cloudron on a Raspberry pi?:
To give one simple example, any app using the go language, where we take the release builds, has to get some logic or separate Dockerfile to deal with arm.
I have some experience with this and have set up my own multi-arch go build pipelines using a single Dockerfile for some of my other apps: minitor-go, dockron, tag-checker, and for Python ones too: original minitor.
Here's a sample repo demonstrating my process: multiarch-pipeline-test. It's easier these days if your server has docker buildx though.
Also, since with Cloudron we're most often building things that exist upstream, here's an example multi-arch build repo I have for the Golang project cadvisor. It will auto build a particular cadvisor version on a git tag so I just need to create a release on my Gitea server and the build is started and deployed. With cadvisor, I have to clone the whole repo and cross-compile the cadvisor binary for arm becaue there is no pre-compiled binary. If there is, it should be even easier to just pull that binary.
Anyway, I'm happy to help if there are any applications that may be critical to be ported.
@yusf yea, that was the feedback from the other thread too. Unfortunately, if email is enabled, Bitwarden_rs will automatically send emails for all invited users. An upstream change to provide an API option to skip sending emails would need to be added.
@jk That actually used to be possible, but the OAuth provider is now gone.
Adding something like Keycloak or even Shibboleth would add back an OAuth provider.
Hey @nebulon, @girish . Any ideas how I can proceed to make this work for Cloudron?
I'm happy to patch box to use exec rather than run, or provide an option, but it's unclear why the decision was made to do run in the first place.
Very interesting conversation.
Getting upstream projects to support Cloudron distribution as well as others (eg. Docker Compose, Helm, Flatpak, etc.) would be the most scalable, but probably a hard sell. Additionally, even if it were done, would that be the right call? Even projects like Debian maintain their own repositories.
I'm not sure if this is available somewhere, but if there were install metrics for apps, that could go a long way in showing upstream projects how many users are using their application on the platform and encouraging them to offer more support, even if Cloudron maintains the repo.
For example, this is how Home Assistant reports install metrics: https://analytics.home-assistant.io/#integrations
Actually, Home Assistant also has their own "Addons" features which installs managed Docker based applications from a repo that is mostly maintained by the project leads but is also community supported. Much like Cloudron. They also have addon stats here: https://analytics.home-assistant.io/#add-ons
FYI @murgero @will I don’t think that git repo has any of the fixes or changes I’ve added. Try the one I linked much earlier. (I’m on mobile so I can’t link it now).
Yes. It supports a variety of 2FA including YubiKey.
Awesome! Thanks @fbartels!
I've merged your changes in, switched back to the single stage build for speed (possible now that MySQL support is offered in a Docker image), and updated the Readme and Changelog.
I believe this "works for me" but someone else should validate as well.
Go and TensorFlow are things that were/are built by Google, but it not a "Google Product" in the way that most think about. They are Open Source projects that Google contributes to. They are as Google as React is a Facebook product and Kafka is a LinkedIn (or Microsoft) one.
Most everything making reference to Google is, in some way, related to Location info. Here is the detailed sheet on Geocoding:
https://github.com/photoprism/photoprism/wiki/Geocoding
Generally, it appears that they are using OSM for goecoding but are using several tools or algorithms built by Google in the process.
@yusf that is referring to the build process. When building you fetch the index of dependencies from somewhere. By default this is a Google server (because Google maintains it). For Node it's a NodeJS server. For Python it's a Python.org server.
In all of these cases (including Go), you can replace it with any private server or proxy you'd like.
But in any rate, it has no impact on the running software.
Where does this stand on becoming "official" in some way? I'm still running Bitwarden off Cloudron myself as my Cloudron instance is hosting the version I'm using for development.
@will Yes, you can use LDAP if you use the version I published.
https://git.cloudron.io/iamthefij/bitwardenrs-app
Updated to the latest version. I haven't updated to the latest versions of Bitwarden just yet though. I'll give that a go now.
Edit: It looks like Bitwarden_rs was updated to use a newer base image for building it's binaries. That means that when the binary used in the MySQL image is built, it's compiled against a newer version of libmariadb. It doesn't look like the Cloudron base image has been updated in a year, so I'm unable to just bump the version in the single-stage Dockerfile in my repo. However, I also have a multi-stage Dockerfile that will compile Bitwarden_rs from source against whatever version of libmariadb that is present. This should work but takes more time to build so I'm letting that run right now. I'll update when it's done. Edit: It's done!
Related, but kind off topic: Can we get an update to the Cloudron base? How will those be handled in an ongoing basis since apps are pinned (as they should be) to a particular base? I imagine there have been security updates in the last year.
@nebulon yea, the best for Cloudron would be a way to silently invite so only ldap users could sign up. Maybe I’ll make that suggestion over at the main project.
I feel that would make a much better experience for users and admins here.
What I did was install it scoped to only my user and then expanded the users to a group later.
Are there any packaged / bundled importers for the Cloudron FF3 app? I'm not finding any instructions for that, but I'm also new to Firefly.
For what it's worth, my Cloudron is installed on an Ubuntu Xenial box (16.04) from Scaleway and it does not have this "feature" enabled. Someone on the HN thread mentioned that they believe it was added around 2017, so that makes sense.
I don't imagine the diffs between Debian and Ubuntu being too vast, though given that Debian has a longer release cycle, there may be issues with older versions.
@will, have you tried to install on Debian yet?
Restic would be really great.
For my non-Cloudron services, I use this Docker image: https://github.com/ViViDboarder/docker-restic-cron.
It wouldn't make sense to take that as is, but it could be a good example of basic Restic functionality for something like Cloudron.
Just set up the scheduler, but I'm getting weird results.
When the sync is run through the scheduler I get:
Apr 23 00:10:08 thread 'main' panicked at 'Could not authenticate with http://127.0.0.1:3000. Error { kind: Hyper(Error { kind: Connect, cause: Os { code: 111, kind: ConnectionRefused, message: "Connection refused" } }), url: Some("http://127.0.0.1:3000/admin/") }', src/bw_admin.rs:62:17
However, it runs just fine when I drop into a terminal and select the task from the dropdown and run it.
@girish I figured it would be using docker exec, and when I ssh to my server I can run it successfully using
sudo docker exec 92ad3d37-2014-44f4-870f-25d862f57b4a sh -c '/app/code/ldap_sync.sh'
However I just dug through the source for the scheduler addon and found that it's creating a new container.
How should we access the original container via HTTP? Is there a reason this is a new container and not simply an exec?
@murgero according to the docs, the importers are separate web applications that you host and connect to FF3. Given that Cloudron doesn't really support setting up auxiliary web applications on the box, it looks like the only way to use it would be for me to host the csv-importer on a different server and then direct that to my Cloudron FF3.
Is that how others are using it?
@JOduMonT said in A little bit about why your email are considered as a SPAM by Microsoft and Google.:
Personally I prefer using my own set of key, I say that because apps like Telegram, WhatsApp, Messenger yes they use encryption but they also generate the key and have both the private and public key so it's only a matter of semantic and if you trust their business.
You still have to trust the application, but private keys for Signal are generated on the device and not sent to the server. To improve trust in the application, Signal actually has reproducible builds. WhatsApp should, in theory, function the same way, but they are not open source and do not have reproducible builds so you have no way to verify that is actually how it’s functioning.
@fbartels I'm not certain it's actually required, but it is recommended.
I added it because I saw some strange behavior with the LDAP access controls. Without the Admin Token, I was somehow able to access the admin page with no auth check via a Private Browsing window. I can do some more testing and see if I can do away with the token.
For sending the email, I had set both SSL and TLS to true. Though I just realized I may have been using Mailgun as I did switch to that to rule out the Cloudron SMTP server. I'll do another test. Edit: Just verified and it works using the Cloudron SMTP server with both those settings as true.
In an effort to build better monitoring, it would be good to look at supporting existing tooling as well. For example, a Prometheus exporter would allow users to take advantage of the robust feature set offered by Prometheus and Grafana. Or, if Cloudron already stores persisted metrics in a graphite database or something, a way to connect to that from an external server running a monitoring suite would suffice.
@JOduMonT said in I believe in Cloudron's mission 200%. How can I help?:
I'm more Security CowBoy but, @will would you like to improve the server security by implementing the recommendation of Lynis on Cloudron ?
What a cool tool!! I haven't seen this before, but I have a feeling I'm going to love it.
I'm also happy to help out when possible. My background is mostly in software engineering and a few decades of personal Linux use. I'm far from a "proper" sys-admin, but have a decently strong background nonetheless.
I'm blocked on getting the app working without a little guidance from @girish on why nginx is overwriting the X-Forwarded-* headers.
@murgero I’ve been meaning to do the same.
Should be doable with something like HAProxy, but I wanted to use some better auth mechanism, so I’ve been working on this: https://git.iamthefij.com/iamthefij/dockamole
The server is essentially just an ssh server that is configured to disallow running commands and only allow port forwarding. The client can be run anywhere and it exposes the ports for you.
I’m planning to run a server on my Cloudron to forward LDAP and Graphite (hopefully), and then I can deploy a client on my other VPS. I also plan to do the same with my NAS at home so I can have my VPS access it without exposing http access to my home network.
There are many ways to do this though. 
I don't expect that the security issue is one of ongoing concern, but the ethical one is. I've read several articles about it and will probably avoid registering one myself.
Still, branding is powerful and rebranding something is a huge risk. I wouldn't recommend Cloudron attempt it. Maybe there is a way to balance things out with a banner somewhere calling attention to the issue and that Chagos support website.
@nebulon any idea how I can get some clarity here so that I can deliver this app?
@girish using something like Restic for backups instead would offer encrypted block based backups. It's great for things like this where you would have lots of potentially duplicate backup data.
I know I suggested this on another thread, but using an existing backup engine would allow you to offload the complexities of efficient backups, integrity checks, and restoration as well as add support for loads more backup destinations (like B2).
I've build and maintain a bunch of multi-arch images myself for some of my smaller projects.
You can definitely build on an x86 system by using emulation. I used to install qemu and then use build args to ensure that the right base image was being pulled (eg library/ubuntu for x86 vs armv7/ubuntu for armv7) because otherwise, by default, an x86 machine would pull the x86 image. After building and pushing I generate a manifest and push that so that each platform pulls the right image. This is probably the simplest example I have of that since it's a single Python file.
All that said... there is now an experimental feature of Docker available via the docker buildx command.
Here's a recent (April) blog post from Docker about the new method. It's far simpler, so if you can get that working, it'd be ideal. I haven't taken the time to switch over myself just yet.
@fbartels well, I guess I didn't look hard enough! (Edit: Looks like the 1.10.0 release was only 2 hours ago. No wonder I missed it. ) It would be good to roll those all into one image with multiple tags, but I can chat with them about that on Matrix.
Anyway, adding the multi-stage build wasn't terribly hard and cuts out an extra dependency on that build pipeline, which is probably a good thing for a security sensitive project.
Latest on my master is now fully operational. Working email, working ldap sync, working MySQL.
BIG WARNING! There is no migration path from SQLite to MySQL. You should export your vault to CSV or something and then re-import it after migration.
So I recently upgraded my Cloudron to the newest version that includes notifications. Now I get this notification once a day.
When I check my email status, it's all green checkboxes (yay!), but I still get the notification.
I checked my box logs and I found:
2019-02-25T10:30:05.219Z box:mail Ignored error - relay: Error: Timeout
at Socket.<anonymous> (/home/yellowtent/box/src/mail.js:150:18)
at emitNone (events.js:106:13)
at Socket.emit (events.js:208:7)
at Socket._onTimeout (net.js:410:8)
at ontimeout (timers.js:498:11)
at tryOnTimeout (timers.js:323:5)
at Timer.listOnTimeout (timers.js:290:5)
2019-02-25T10:30:06.347Z box:mail checkRblStatus: myhost.com (ip: 123.456.789.101) servers: []
2019-02-25T10:30:06.348Z box:cloudron checkMailStatus: myhost.com failed status checks
2019-02-25T10:30:06.352Z box:notifications upsert: uid-9261ef5c-e91a-4d31-9575-4fb5fd7cfa08 Email is not configured properly /#/email
Looks like there is some kind of bug in the checker logic.
@nebulon would all binaries not run (eg. /bin/sh from within the base) or just Go binaries that you compiled within the buildx pipeline? If it's the former, it may not be using the right base image. If it's the latter and the former works, perhaps setting the GOARCH variable via a build-arg would solve it.
Note: I personally have not used buildx yet, but from what I can see it's a simpler, automatic version of what I'm trying to do with qemu that handles the manifest for you. So I think you should just be able to build without the muckiness of all the build-args I pass, but if not you can play with mixing those in until it works.
I think buildx is supported on my laptop, so I can give it a try, but it's not supported on my CI box yet, so I haven't switched.
Hey @girish any updates on this? I've been holding off on migrating from my external instance to my Cloudron one because I'm not sure about the process of migrating from the dev one to an official one. Any guidance on when to expect this or if it's possible to preserve the Docker volume would be helpful.
Tried that, but it did not fix it. For some reason it still shows the same thing.
FYI, the default is insecure. [a-zA-Z0-9_\-.]*example.com would actually allow someone to use a malicious domain like fake-example.com and use the instance as it would match that regex. It should really be example.com|[a-zA-Z0-9_\-]+.example.com. That way it's checking for root domain or any subdomain with a dot before the domain.
@murgero I’m not sure what you mean. Anyone with shell access to the server as any user could do this.
@girish thanks for the quick update! L
Thinking on it a bit more, for more defense in depth I’m realizing that if the server is running as yellowtent the directory ought to be read only for that user. Otherwise a remote execution vulnerability is enough to own the server and escalate privileges.
I’m not a proper security auditor though...
Have you considered getting a professional audit?
@girish it should be good to go. My branch is working with MySQL and LDAP.
I've got two working Dockerfiles. One that compiles the entire project and another that just pulls the binary from the published images on Docker Hub. End result is the same.
After some automatic app upgrades, my MySQL service is no longer starting.
My Event Log shows apps stopping responding after updates to Ghost, Wekan, and Collabora office.
Yesterday healthmonitor wekan.example.com (Wekan) is down
Yesterday cron Ghost at blog.example.com was updated to v3.189.3
Yesterday cron Update of Ghost at blog.iamthefij.com started from v3.189.3 to v3.190.0
Yesterday healthmonitor blog.example.com (Ghost) is down
Yesterday cron Wekan at wekan.example.com was updated to v4.16.2
Yesterday cron Ghost at blog.example.com was updated to v3.189.2
Yesterday cron Collabora Office at docs.example.com was updated to v1.10.18
Yesterday cron Update of Wekan at wekan.example.com started from v4.16.2 to v4.16.3
Yesterday cron Update of Collabora Office at docs.example.com started from v1.10.18 to v1.10.19
Yesterday cron Update of Ghost at blog.example.com started from v3.189.2 to v3.189.3
One odd thing I see is that it appears to apply updates in odd orders... Eg. Chost from v3.189.2 to v3.189.3 started, then it says it completed update to v3.189.2 (old version). The same thing happens again shortly after showing update of Ghost at blog.example.com started from v3.189.3 to v3.190.0 and then saying that it's been updated to v3.189.3. Maybe that is just an error in the Event Log though posting the old version when the update is completed.
When I inspect the mysql container I find the following in the logs:
root@mysql:/# cat /tmp/mysqld.err
2021-11-07T17:18:12.374786Z 0 [System] [MY-010116] [Server] /usr/sbin/mysqld (mysqld 8.0.23-0ubuntu0.20.04.1) starting as process 13
2021-11-07T17:18:12.399005Z 1 [System] [MY-013576] [InnoDB] InnoDB initialization has started.
2021-11-07T17:18:13.560419Z 1 [System] [MY-013577] [InnoDB] InnoDB initialization has ended.
2021-11-07T17:18:14.130206Z 0 [System] [MY-011323] [Server] X Plugin ready for connections. Socket: /var/run/mysqld/mysqlx.sock
2021-11-07T17:18:14.224525Z 0 [ERROR] [MY-013183] [InnoDB] Assertion failure: trx0purge.cc:174:purge_sys->iter.trx_no <= purge_sys->rseg->last_trx_no thread 139872211805952
InnoDB: We intentionally generate a memory trap.
InnoDB: Submit a detailed bug report to http://bugs.mysql.com.
InnoDB: If you get repeated assertion failures or crashes, even
InnoDB: immediately after the mysqld startup, there may be
InnoDB: corruption in the InnoDB tablespace. Please refer to
InnoDB: http://dev.mysql.com/doc/refman/8.0/en/forcing-innodb-recovery.html
InnoDB: about forcing recovery.
17:18:14 UTC - mysqld got signal 6 ;
Most likely, you have hit a bug, but this error can also be caused by malfunctioning hardware.
Thread pointer: 0x7f3668000b60
Attempting backtrace. You can use the following information to find out
where mysqld died. If you see no messages after this, something went
terribly wrong...
2021-11-07T17:18:14.227292Z 0 [Warning] [MY-010068] [Server] CA certificate ca.pem is self signed.
2021-11-07T17:18:14.227358Z 0 [System] [MY-013602] [Server] Channel mysql_main configured to support TLS. Encrypted connections are now supported for this channel.
stack_bottom = 7f36897f9ba0 thread_stack 0x30000
/usr/sbin/mysqld(my_print_stacktrace(unsigned char const*, unsigned long)+0x41) [0x5628ef0ac961]
/usr/sbin/mysqld(handle_fatal_signal+0x31b) [0x5628eded7e0b]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x153c0) [0x7f36cfcd73c0]
/lib/x86_64-linux-gnu/libc.so.6(gsignal+0xcb) [0x7f36cf33518b]
/lib/x86_64-linux-gnu/libc.so.6(abort+0x12b) [0x7f36cf314859]
/usr/sbin/mysqld(+0xe89b63) [0x5628edc38b63]
/usr/sbin/mysqld(TrxUndoRsegsIterator::set_next()+0xa48) [0x5628ef392a18]
/usr/sbin/mysqld(+0x25e3d1e) [0x5628ef392d1e]
/usr/sbin/mysqld(+0x25e6931) [0x5628ef395931]
/usr/sbin/mysqld(trx_purge(unsigned long, unsigned long, bool)+0x13d) [0x5628ef39603d]
/usr/sbin/mysqld(srv_purge_coordinator_thread()+0x5be) [0x5628ef35ddae]
/usr/sbin/mysqld(std::thread::_State_impl<std::thread::_Invoker<std::tuple<Runnable, void (*)()> > >::_M_run()+0xbd) [0x5628ef25483d]
/lib/x86_64-linux-gnu/libstdc++.so.6(+0xd6d84) [0x7f36cf721d84]
/lib/x86_64-linux-gnu/libpthread.so.0(+0x9609) [0x7f36cfccb609]
/lib/x86_64-linux-gnu/libc.so.6(clone+0x43) [0x7f36cf411293]
Trying to get some variables.
Some pointers may be invalid and cause the dump to abort.
Query (0): is an invalid pointer
Connection ID (thread ID): 0
Status: NOT_KILLED
The manual page at http://dev.mysql.com/doc/mysql/en/crashing.html contains
information that should help you find out what is causing the crash.
I've done some research on recovering from database corruption and I'll try to follow that, but since all apps are backed up, I'm wondering if there's a way to blow away this database and just restore all apps that depend on MySQL from backup.
Also, it looks like MySQL support is available now. Once I get all the email support sorted out, I'll try to roll that in as well.
@iamthefij Ok. Just restored matomo from backup again and it's all good.
@JOduMonT said in Pandora: Secure your Cloudron:
I understand it is not specially related to pandora but before going further with this I would like to understand how much you are open to open your box to contributors ?
I've contributed to box before. As with many open source projects, narrowly scoped changes can be submitted and discussed on a review but if a large change is going to be submitted, it's probably best to discuss somewhere (forum, chat, RFC issue) before you invest a bunch of time.
@will Which thing is failing? Building still works for me, even if I clear my cache. Make sure you do a git pull though. It looks like your build command is using the single build Dockerfile rather than the multi-phase one.
@nebulon said in Increase Nextcloud PHP memory limit:
/app/data/php.ini
I undid everything I set, but then I grepped through /app/data and found php_value memory_limit 512M in /app/data/htaccess. It's not present in /app/data/.htaccess though. I'm confused as to why both of these exist in the first place.
But anyway, I commented out the lines in /app/data/htaccess, restarted and it looks like it worked!
Thanks for the help.
If you don't own the VPN server how is routing the send through a 3rd party VPN server any more private than sending it through a 3rd party relay (eg. Sendgrid, Mailgun, Amazon...)?
I've actually been interested in similar features but for very different reasons. I have my Cloudron hosted on a VPS, but I also have some services hosted at home on a RPi and NAS. I don't expose my home to the public internet except via a VPN, so connecting a Cloudron service to my home network could be useful.
I don't have a strong usecase for it right now though and I'm making due with a set of Docker containers forwarding ports over SSH. https://git.iamthefij.com/iamthefij/dockamole. I'm currently working on a Dockamole server Cloudron app that will allow me to access the Cloudron LDAP server remotely for SSO on other hosts. I also hoped I'd be able to access graphite so I could aggregate Cloudron metrics into my Grafana instance, but it doesn't seem like Graphite is reachable from a Cloudron app.