Questions about the 'deploy configurations' #498
Comments
Probably it have no access to the file(does te webuser can access docker socket file?), as file_exists function fails. public function buildDockerUrl(DaemonConfig $daemonConfig): string {
if (file_exists($daemonConfig->getHost())) {
return 'http://localhost';
}
return $daemonConfig->getProtocol() . '://' . $daemonConfig->getHost();
}
Security considerations; DockerSocketProxy restricts what commands can be send to the Docker and with what arguments.
We always recomend from our side to use Docker-Socket-Proxy& |
|
Thanks for the clarification! Regarding "Direct communications with Docker via Suggestion 1: Wouldn't it be better to generate an error message here and not switching to local HTTP communication? Using the Docker Socket Proxy seems to be the preferred way here (for security reasons). **Suggestion 2: Maybe the should be more clear in the documentation, e.g. "always use Docker Socket Proxy, use direct communication only as last resort"? And another question: When using the Docker Socket Proxy, the documentation says the "mount" the socket in the container: Does the webserver user also needs access to the socket in this scenario? I guess not, because its also working with no modified access rights. |
I guess there's a reason why this fallback has been implemented (even though I don't know it 😄 ). But what would definitely help here would logging a warning.
If you check https://docs.nextcloud.com/server/latest/admin_manual/exapps_management/DeployConfigurations.html#docker-deploy-daemon, the warning is pretty prominent IMHO 😃
No, in case you're using the Docker Socket Proxy, the proxy is the only component which needs direct access to the Docker socket. What it does is (besides security, authentication, ...) it basically routes the Docker commands through it's http REST interface to the socket and returns the result. You can find a working solution here: https://apps.nextcloud.com/apps/workflow_ocr_backend . Depending on your setup you might only be interested in using the |
yes, it is possible to do this (check whether the path starts with a slash, URL of DSP can't start with a slash) - someone need to make a PR for this. |
|
I can prepare something if needed |
|
Feel free to do it, if you have time, we will be happy to review the PR. |
I'm referring here to the docs 'Deploy configurations': https://nextcloud.github.io/app_api/DeployConfigurations.html
Questions in bold.
When I got it right, the first (and easiest) configuration is 'NC and Docker on the same host' (see here):
/var/docker/docker.sockI've configured this exactly as mentioned in the docs:
When testing the connection, this fails and I get following error in the NC logs:
Question 1: Why it tries to connect to localhost on port 80? Shouldn't it use the Docker socket directly (without HTTP communication)?
Question 2: Am I missing something here? Is the documentation lacking an important piece of information?
Using the Docker Socket Proxy, see "Suggested way to communicate with Docker via Docker Socket Proxy container" it works then using method A or B.
Question 3: What are the advantages/disadvantages between "direct communication via
/var/run/docker.sock" and using the Docker Socket Proxy? Is there one recommended way when NC, Docker and ext. apps should run on the same system?Thanks in advance!
The text was updated successfully, but these errors were encountered: