omv7:docker_in_omv [2024/04/28 14:00] – [Why use 64 bits?] chente | omv7:docker_in_omv [2024/05/10 17:41] (current) – [User and permission management in docker and OMV. More security.] chente | ||
---|---|---|---|
Line 16: | Line 16: | ||
\\ | \\ | ||
\\ | \\ | ||
- | **This document establishes a method to successfully install a docker application on OMV.** | ||
- | |||
[[https:// | [[https:// | ||
- | | + | **This document establishes a method to successfully install any application on OMV using Docker.** |
- | | + | |
- | * We will use docker-compose due to its ease of use and the integration offered by the [[omv7: | + | The [[https:// |
+ | |||
+ | In the case of Docker, the forum has received numerous queries | ||
+ | |||
+ | \\ | ||
\\ | \\ | ||
- | **This document contains the following points:** | + | **Index:** |
* [[omv7: | * [[omv7: | ||
* [[omv7: | * [[omv7: | ||
* [[omv7: | * [[omv7: | ||
- | * [[omv7: | + | * [[omv7: |
* [[omv7: | * [[omv7: | ||
* [[omv7: | * [[omv7: | ||
Line 122: | Line 124: | ||
The result of all of the above is that, at the time of creating a shared folder, **any user created in the OMV GUI by default has read and write permissions on any shared folder**. This is then restricted by individually managing the permissions of each shared folder or each user. To do this OMV uses a samba-based permissions system, an upper layer of permissions applied on top of filesystem-level permissions that allows it to enforce these restrictions. | The result of all of the above is that, at the time of creating a shared folder, **any user created in the OMV GUI by default has read and write permissions on any shared folder**. This is then restricted by individually managing the permissions of each shared folder or each user. To do this OMV uses a samba-based permissions system, an upper layer of permissions applied on top of filesystem-level permissions that allows it to enforce these restrictions. | ||
+ | |||
+ | < | ||
+ | | ||
+ | </ | ||
+ | Don't confuse file system level permissions with samba system permissions. Samba permissions are a top layer that can restrict permissions to the file system level, never expand them. The file system level permissions will always be the same even if you modify the permissions in the OMV GUI.< | ||
+ | Another very different issue is ACL permissions, | ||
+ | </ | ||
+ | |||
All of this may be convenient for managing permissions on the NAS but **it has security implications that need to be considered from a docker point of view**. | All of this may be convenient for managing permissions on the NAS but **it has security implications that need to be considered from a docker point of view**. | ||
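Review bot: the new note on Samba versus filesystem permissions should spell out the consequence for containers that the following paragraph only alludes to ("security implications that need to be considered from a docker point of view"): a container that bind-mounts a shared folder reads and writes it directly through the filesystem, so the Samba layer described here never applies to it, and only the filesystem permissions (and the ACLs the note goes on to mention) constrain what the container's user can touch. Suggest adding one sentence to that effect right after "The file system level permissions will always be the same even if you modify the permissions in the OMV GUI."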
Line 187: | Line 197: | ||
</ | </ | ||
- | On the right you can see how the plugin' | + | On the right you can see how the plugin' |
{{ : | {{ : | ||
Line 195: | Line 204: | ||
< | < | ||
</ | </ | ||
- | Separating | + | <b>Separating |
- If Docker is installed along with the operating system, Docker data will be lost if you need to reinstall OMV for any reason. For a possible reinstall of OMV, having the docker data on a separate drive only requires mounting that drive and everything is back up and running in a matter of minutes.< | - If Docker is installed along with the operating system, Docker data will be lost if you need to reinstall OMV for any reason. For a possible reinstall of OMV, having the docker data on a separate drive only requires mounting that drive and everything is back up and running in a matter of minutes.< | ||
- Avoid rootfs filling problems. Depending on the number and type of containers, it is very possible to exhaust rootfs storage if docker is located next to the operating system, this causes a lot of problems.< | - Avoid rootfs filling problems. Depending on the number and type of containers, it is very possible to exhaust rootfs storage if docker is located next to the operating system, this causes a lot of problems.< | ||
- Allows you to place docker on a higher speed drive. The OMV operating system does not need to be on fast storage, it can live perfectly on a pendrive (just remember to install openmediavault-flashmemory to ensure the longevity of the pendrive). However, Docker containers will benefit from increased execution speed if docker is installed on a high-access speed drive, such as an SSD or NVMe.< | - Allows you to place docker on a higher speed drive. The OMV operating system does not need to be on fast storage, it can live perfectly on a pendrive (just remember to install openmediavault-flashmemory to ensure the longevity of the pendrive). However, Docker containers will benefit from increased execution speed if docker is installed on a high-access speed drive, such as an SSD or NVMe.< | ||
- | - Installing OMV on a USB flash drive is a good idea. But installing docker also on that pendrive is detrimental to the pendrive because docker will perform continuous writes, penalizing the longevity of the pendrive despite openmediavault-flashmemory. | + | - Installing OMV on a USB flash drive is a good idea. But installing docker also on that pendrive is detrimental to the pendrive because docker will perform continuous writes, penalizing the longevity of the pendrive despite openmediavault-flashmemory.< |
+ | - If you don't have a fast drive you can install docker on one of the data drives. The applications won't go as fast but at least they will be separated from rootfs. | ||
</ | </ | ||
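Review bot: the changed line now opens with an HTML `<b>` tag ("<b>Separating"), while the rest of the page marks bold with the wiki's `**...**` syntax (see "**This document establishes a method...**" and "**any user created in the OMV GUI by default...**"); suggest using `**` here as well so the heading renders consistently with the other sections.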
Line 258: | Line 268: | ||
* WHAT IS DATA FOLDER: | * WHAT IS DATA FOLDER: | ||
- | * This folder | + | * Use of this field is optional. |
- | * The plugin creates a variable called '' | + | * In order to put this field to useful use, despite the legend in the GUI about persistent data, we will use this variable |
* If you have more than one folder of these characteristics in different file systems, you will only be able to choose one of them to use the '' | * If you have more than one folder of these characteristics in different file systems, you will only be able to choose one of them to use the '' | ||
* ...< | * ...< | ||
Line 634: | Line 644: | ||
* ...< | * ...< | ||
</ | </ | ||
- | You can use relative paths, for example | + | You can use relative paths. Set the volume mapping in the compose file:< |
+ | < | ||
+ | will create the folder< | ||
+ | < | ||
+ | on the host. | ||
</ | </ | ||
* In the first line we are mapping the ///config// folder of the jellyfin container to a folder on our system. The ///config// folder is the one that contains the jellyfin configuration files, the database, users and passwords, plugins, etc. We want this folder to be located on a drive with access speed. So we map it to our /// | * In the first line we are mapping the ///config// folder of the jellyfin container to a folder on our system. The ///config// folder is the one that contains the jellyfin configuration files, the database, users and passwords, plugins, etc. We want this folder to be located on a drive with access speed. So we map it to our /// | ||
Line 738: | Line 752: | ||
In each of them the container has been configured following the system and folder scheme outlined in this document. Adapt it to your server configuration if it is different. | In each of them the container has been configured following the system and folder scheme outlined in this document. Adapt it to your server configuration if it is different. | ||
+ | \\ | ||
+ | \\ | ||
---- | ---- | ||
=== Duplicati === | === Duplicati === | ||
- | Useful application | + | Useful application |
[[https:// | [[https:// | ||
< | < | ||
Line 815: | Line 831: | ||
* In the OMV GUI go to SYSTEM > WORKBENCH and change those two ports to others. For example, change 80 to 8888 and 443 to 8443. Or whatever you want that is not in use. | * In the OMV GUI go to SYSTEM > WORKBENCH and change those two ports to others. For example, change 80 to 8888 and 443 to 8443. Or whatever you want that is not in use. | ||
* When you change them you will have to add the port to your browser' | * When you change them you will have to add the port to your browser' | ||
+ | < | ||
+ | </ | ||
+ | NPM requires ports 80 and 443 on the router to validate Let's Encrypt certificates. You can free those ports by changing the ones used by the OMV GUI as suggested or you can do a forwarding from the router to the container.< | ||
+ | To do this, forward 80 and 443 on the router to, for example, 30080 and 30443 with the server' | ||
+ | - 30080: | ||
+ | - 30443: | ||
+ | The result will be the same, the container will receive the traffic from those router ports and you will still have the OMV GUI on port 80 and 443 of your local network. | ||
+ | </ | ||
+ | |||
[[https:// | [[https:// | ||
< | < | ||
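Review bot: the new note that offers forwarding router ports 80/443 to 30080/30443 as an alternative to moving the OMV GUI ports should say explicitly that the two options are exclusive and that, with the forwarding option, the router rules must target only the container's published ports: the closing sentence ("you will still have the OMV GUI on port 80 and 443 of your local network") holds only while no router rule points 80/443 at the server's GUI ports. A short line stating that the container's `ports:` entries (the 30080 and 30443 items listed) must match the router rule would close that gap.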
Line 875: | Line 900: | ||
* The official Nextcloud administration documentation is here -> [[https:// | * The official Nextcloud administration documentation is here -> [[https:// | ||
- | Before installing Nextcloud you need to previously install a proxy, such as the one described above Nginx Proxy Manager. Install NPM first and configure it following these instructions: | + | Before installing Nextcloud you need to previously install a proxy, such as the one described above Nginx Proxy Manager |
For this container to work you will have to do the following: | For this container to work you will have to do the following: | ||
* You will need a domain, you can buy it or get a free one, for example at [[https:// | * You will need a domain, you can buy it or get a free one, for example at [[https:// | ||
- | * Point the domain to your server's public IP (make sure your ISP hasn't put you behind CGNAT). | + | * Point the domain to your router's public IP (make sure your ISP hasn't put you behind |
- | * On your router, direct ports 80 and 443 to the IP of your server. The proxy (NPM) will be in charge of directing | + | * On your router, direct ports 80 and 443 to the IP of your server. The proxy (Nginx Proxy Manager) will receive the traffic |
[[https:// | [[https:// | ||
< | < | ||
# https:// | # https:// | ||
+ | # For custom configuration consult -> https:// | ||
services: | services: | ||
nextcloud-aio-mastercontainer: | nextcloud-aio-mastercontainer: | ||
image: nextcloud/ | image: nextcloud/ | ||
+ | init: true | ||
restart: always | restart: always | ||
container_name: | container_name: | ||
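Review bot: the step "On your router, direct ports 80 and 443 to the IP of your server" is at odds with the alternative given in the Nginx Proxy Manager section just above, where the router forwards 80/443 to 30080/30443 and the OMV GUI keeps 80/443. Suggest either pointing to that note or stating here which of the two port layouts these Nextcloud steps assume, because a reader who kept the GUI on 80/443 and then forwards 80/443 to the server's IP as written would make the OMV GUI reachable through the router rule.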
Line 908: | Line 935: | ||
</ | </ | ||
\\ | \\ | ||
+ | Start the container and make the first configuration. Follow these steps from point 4 -> [[https:// | ||
- | Notice that we have configured the Nextcloud data volume in the //appdata// folder. | + | Notice that we have configured the Nextcloud data volume in the //appdata// folder. |
+ | * All files that Nextcloud manages directly are synchronized | ||
+ | * Nextcloud AIO provides a backup system in its GUI that specifically includes all user data. This may not be convenient if those folders are too large and you use other means to back up that data. | ||
+ | All of this can be easily | ||
- | Then in the data volume set up for Nextcloud there will only be information such as phone books or calendars | + | < |
+ | Note | ||
+ | </ | ||
+ | Nextcloud AIO is a container that spawns other containers and stores them in the docker folder. The openmediavault-compose plugin backup utility does not back up data in this folder.< | ||
+ | If you want to have a backup | ||
+ | </ | ||
---- | ---- | ||
Line 925: | Line 961: | ||
Most of the example compose files will work out of the box if you run them without making any modifications. But it will probably be better to adapt them to your system configuration according to everything explained in this document. This will avoid unexpected situations. | Most of the example compose files will work out of the box if you run them without making any modifications. But it will probably be better to adapt them to your system configuration according to everything explained in this document. This will avoid unexpected situations. | ||
</ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | === Create your own custom container === | ||
+ | \\ | ||
+ | [[omv7: | ||
+ | If you can't find a container that fits what you need in the plugin' | ||
+ | |||
+ | The openmediavault-compose plugin makes it easy to create images using the Dockerfile. You can see its use here -> [[omv7: | ||
---- | ---- | ||
Line 936: | Line 981: | ||
=== How to schedule container updates and/or backups === | === How to schedule container updates and/or backups === | ||
+ | [[omv7: | ||
Especially useful is this feature of the plugin. You will be able to selectively schedule container updates. And you can also make backups of the containers and volumes you want on a scheduled basis. | Especially useful is this feature of the plugin. You will be able to selectively schedule container updates. And you can also make backups of the containers and volumes you want on a scheduled basis. | ||
Line 959: | Line 1005: | ||
* In the OMV GUI go to SERVICES > COMPOSE > FILES, select the container row and press the DOWN button. This will stop the container. | * In the OMV GUI go to SERVICES > COMPOSE > FILES, select the container row and press the DOWN button. This will stop the container. | ||
- | * Delete the config folder corresponding to the container. In the example ''/ | + | * Delete the config folder corresponding to the container. In the example ''/ |
* This folder contains all the configurations that we have made inside the container. | * This folder contains all the configurations that we have made inside the container. | ||
* When the container starts again it will recreate the files in this folder, so no configuration will exist. We can start configuring it from scratch again. | * When the container starts again it will recreate the files in this folder, so no configuration will exist. We can start configuring it from scratch again. | ||
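Review bot: the step "Delete the config folder corresponding to the container" is irreversible, and the next line notes that this folder holds all the configuration made inside the container (for jellyfin, per the earlier volume explanation, that includes the database, users and passwords). Suggest the step first say to rename or copy the folder aside rather than delete it, so a mistaken reset can be undone and the copy removed once the container is confirmed working.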
Line 968: | Line 1014: | ||
=== Other procedures === | === Other procedures === | ||
- | [[omv7: | + | [[omv7: |
\\ | \\ | ||
- | |||
You can find several useful procedures in the corresponding section of the openmediavault-compose plugin document. Among them you will find a procedure to configure a vlan that will allow you to install **pihole** or **adguard**. -> [[omv7: | You can find several useful procedures in the corresponding section of the openmediavault-compose plugin document. Among them you will find a procedure to configure a vlan that will allow you to install **pihole** or **adguard**. -> [[omv7: | ||
Line 983: | Line 1028: | ||
=== Why use global environment variables === | === Why use global environment variables === | ||
+ | [[omv7: | ||
* If you change a path or any other variable that affects multiple containers, it is enough to vary this value in the global environment variables file. The value will change automatically in all containers. Useful if you change a data drive, or if you reinstall OMV and change routes, for example. | * If you change a path or any other variable that affects multiple containers, it is enough to vary this value in the global environment variables file. The value will change automatically in all containers. Useful if you change a data drive, or if you reinstall OMV and change routes, for example. | ||
* It is integrated into the plugin, it is enough to press a button to access the file to directly introduce the variables without doing anything else. | * It is integrated into the plugin, it is enough to press a button to access the file to directly introduce the variables without doing anything else. | ||
Line 1038: | Line 1084: | ||
=== Why use 64 bits? === | === Why use 64 bits? === | ||
- | [[omv7: | + | [[omv7: |
* You should use a 64-bit system if your hardware allows it, 32-bit systems have been out of use for many years now. The compatibility of many software packages is still maintained, but as time goes by they are disappearing. | * You should use a 64-bit system if your hardware allows it, 32-bit systems have been out of use for many years now. The compatibility of many software packages is still maintained, but as time goes by they are disappearing. | ||
* Docker starts to be inaccessible for 32-bit systems. Many reputable container builders are stopping releasing 32-bit versions. | * Docker starts to be inaccessible for 32-bit systems. Many reputable container builders are stopping releasing 32-bit versions. |
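Review bot: the argument in "Many reputable container builders are stopping releasing 32-bit versions" would be stronger if it named the security consequence: an image whose 32-bit variant is no longer published also stops receiving fixes for that variant, so a 32-bit host ends up running containers that are never updated. Suggest adding that sentence, since continued update availability is the practical reason a NAS reachable from the network should prefer a 64-bit system.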