• ultorpha@lemmy.nz
    link
    fedilink
    English
    arrow-up
    1
    ·
    9 months ago

    I’ve never known a reason to expose the docker socket to Nextcloud. It’s certainly not required, I’ve run Nextcloud for years without ever granting it socket access.

    Most of the things on that linked page seem to be for Docker rather than Nextcloud, and relate to non-standard configuration. As someone who is not a political target, I’d be pretty happy that following Nextcloud’s setup guide and hardening guide is enough.

    I also didn’t mention it, but I geoblock access from outside my country as a general rule.

    • jkrtn@lemmy.ml
      link
      fedilink
      English
      arrow-up
      2
      ·
      9 months ago

      I was looking into setting up Nextcloud recently and the default directions suggest exposing the socket. That’s crazy. I checked again just now. I see it is still possible to set it up without socket access, but that set of instructions isn’t as prominent.

      I linked to Docker in specific because if Nextcloud has access to the socket, and hackers find some automated exploit, they could easily escalate out of the Docker container. It sounds like you have it more correctly isolated.

      • ultorpha@lemmy.nz
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        Was it Nextcloud or Nextcloud All in One? I’ve just realised that the Nextcloud docker image I use is maintained by Docker, not Nextcloud. It’s this one: https://hub.docker.com/_/nextcloud/

        I use Docker-compose and even the examples there don’t have any socket access.

        The all in one image apparently uses Traefik, which seems weird to use an auto configuring reverse proxy for an all in one image where you know the lay of the land. Traefik requires access to the docker socket for auto configuration. But you can proxy the requests to limit access to only what it needs if you really want to use it.

        • jkrtn@lemmy.ml
          link
          fedilink
          English
          arrow-up
          2
          ·
          9 months ago

          What I was looking at was the All in One, yes. I didn’t realize there was a separate maintained image, thank you! I’d much rather have a single image without access to the socket at all, I’ll give that a shot sometime.

          • ultorpha@lemmy.nz
            link
            fedilink
            English
            arrow-up
            2
            ·
            9 months ago

            One warning: in my experience, you can not jump two major versions. Not just it won’t work, but that if you try it everything will break beyond repair and you’ll be restoring from a backup.

            Two major versions can sometimes be a matter of a few months apart, so make sure you have a regular update schedule!

            (Also, people say never update to a X.0 release, the first version of a major release often has major bugs).

            TL;DR don’t take too long to update to new releases, and don’t update too quickly!

            Also, the docker image is often a day or so behind the new release, soNextcloud tells you an update is available but often you then need to wait until the next day to get the updated docker image. I guess this is because (as I’ve just learnt) the image is built by Docker not Nextcloud.