@ajz

Wow, super awesome! That means that Yunohost can have Lemmy as package, and maybe as Lemmy grows via others like Installatron (via regular hosting providers) and similar as well. And thanks @kinetix@lemmy.ca

@nutomic
mod
admin
creator

That's great, I didn't even know that Yunohost was blocked by our lack of documentation.

@ajz

Thanks! It is very uncommon for Yunohost apps to use Docker. I’ve looked up some history about this:

I made this package because it was requested by someone. And honestly I did not want to use Docker for this. But I did not have time to figure out how to install it without Docker…

Then why does this package use Docker? It’s because the developers of the core app do not support simple installation. And packaging without documentation is time consuming.

So now that this has been fixed, the next step could be to somehow make the manual install option aware within the Yunohost community (I am not sure what is the best way for this, hopefully others can) and then hopefully a Lemmy package for Yunohost can grow from level 0 to level 6 or 7 or 8, and by doing so have much more “exposure” among Yunohost users.

@nutomic
mod
admin
creator

So now that this has been fixed, the next step could be to somehow make the manual install option aware within the Yunohost community

I simply made a comment in the thread you linked haha

@ajz

Nice, thanks! :)

Dessalines
admin

Considering how many apps use docker nowadays, that really surprises me that they wouldn’t support it. There’s that linuxserver docker repository that’s packaged hundreds of applications for docker.

@ajz

Yunohost is focused on easy installation on, among others, a VPS. If the VPS provider runs OpenVZ or LXC in their infrastructure then Docker is either not possible, or comes with limitations, or first needs tweaking by the provider.

poVoq

Imho I think Yunohost is fine for what it is. Adding Docker support to this would just make it unnecessarily complex.

However, a YunoHost alternative that was built from the ground up to be Docker based would be cool.

@federico3

Docker is really bad for security and adds a lot of unnecessary complexity.

@remram

Docker is not bad for security, unless you do insecure things like exposing your Docker socket or running random workloads as root, however those are just as insecure under systemd.

@nutomic
mod
admin
creator

It has some weird behaviour, for example ufw rules don't apply to Docker.

@remram

This is not insecure. It is surprising if you don’t know how containers work, but in a real deployment you’d only bind to localhost and use a reverse proxy and that is perfectly safe.
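An added example (not from this thread) that checks the point made above: it audits docker-compose `ports:` entries and flags any that are published on every host interface instead of on loopback, since those are reachable from outside regardless of ufw. The sample port list is constructed for the example.

```python
# Added example, not code from the thread: audit docker-compose "ports:" entries.
# Docker publishes a port with its own iptables rules in the FORWARD path, which
# take effect ahead of ufw's rules, so "8536:8536" is reachable from outside even
# when ufw denies it. Binding to 127.0.0.1 (or ::1) and fronting the service with
# a reverse proxy keeps the container port local to the host.

LOOPBACK = ("127.", "::1")
WILDCARD = ("0.0.0.0", "::")


def parse_port(spec):
    """Parse one compose ports entry (short or long syntax).

    Returns (host_ip, host_port, container_port, proto); host_ip is None when
    no address was given, in which case Docker binds to all interfaces.
    """
    if isinstance(spec, dict):  # long syntax: {target:, published:, host_ip:, protocol:}
        published = spec.get("published")
        return (spec.get("host_ip"),
                None if published is None else str(published),
                str(spec["target"]),
                spec.get("protocol", "tcp"))
    spec, proto = str(spec), "tcp"
    if "/" in spec:
        spec, proto = spec.split("/", 1)
    parts = spec.split(":")
    if len(parts) == 1:            # "8536": ephemeral host port on all interfaces
        return None, None, parts[0], proto
    if len(parts) == 2:            # "8536:8536"
        return None, parts[0], parts[1], proto
    # "127.0.0.1:8536:8536" or "[::1]:8536:8536"; the address may itself contain ":"
    host_ip = ":".join(parts[:-2]).strip("[]")
    return host_ip, parts[-2], parts[-1], proto


def is_world_reachable(spec):
    """True when the entry publishes the port on a non-loopback host address."""
    host_ip = parse_port(spec)[0]
    if host_ip is None or host_ip in WILDCARD:
        return True
    return not host_ip.startswith(LOOPBACK)


def audit(ports):
    """Return the entries that should be re-bound to loopback behind a reverse proxy."""
    return [p for p in ports if is_world_reachable(p)]


# Constructed sample: what a compose file for a Lemmy-like stack might list.
SAMPLE_PORTS = ["127.0.0.1:8536:8536", "8536:1234", "0.0.0.0:5432:5432",
                "[::1]:6379:6379", "9000", {"target": 80, "published": 8080, "host_ip": "127.0.0.1"}]

if __name__ == "__main__":
    for entry in audit(SAMPLE_PORTS):
        print("published on all interfaces, bypasses ufw:", entry)
```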

@ajz

Not insecure? Here's an old blog post about it: https://blog.viktorpetersson.com/2014/11/03/the-dangers-of-ufw-docker.html Btw, Docker also had/has Google DNS as fallback, so the moment your DNS servers fail to respond Docker uses Google, not very privacy friendly.

@remram

As I said, this is surprising if you don’t know how containers work. This is similar to how e.g. virtual machine networking would trip you up. As long as you know how to set things up properly, which is documented at length, Docker is not “insecure”.

@ajz

You are saying that if one installs containers or VMs with Qemu or VirtualBox or OpenVZ or LXC or Kubernetes or VMware, these technologies will all punch holes to the outside by default despite the iptables setup of the host machine?

@remram

So-called “bridged networking” is not the default for VirtualBox but it is recommended for Qemu, yes. In that case only the routing rules on the bridge apply, not the filtering rules on your host’s interface.

@federico3

Docker runs the whole daemon as root and has a large attack surface. Also, it has a lot of footguns that can mislead the user. Its security track record speaks for itself: https://www.cvedetails.com/product/28125/Docker-Docker.html?vendor_id=13534

@remram

How is this different from say, SystemD? It runs as root and has a larger attack surface.

The link you pointed out has every CVE for every application packaged as a Docker image. Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?

@federico3

How is this different from say, SystemD?

It’s very different because SystemD does way more things than running containers. Also, this is whataboutism.

The link you pointed out has every CVE for every application packaged as Docker image.

You could scan through the list and check for yourself which ones are due to docker itself. Besides, I updated the link to filter out the spurious CVEs.

Would you make the same point that APT or AppImage is insecure because there are insecure applications packaged that way?

I would not… unless the tool itself was actively encouraging bad security practices, for example bundling dependencies, as Docker/AppImage/Flatpak/Snap do.

@remram

It is not whataboutism since SystemD is what you’ll use to run services if you don’t use Docker… If I say that mass transit is a terrible idea because it pollutes, and you point out that cars pollute even more, I can’t claim “whataboutism” to dismiss your argument.

Here’s the corresponding page for SystemD: https://www.cvedetails.com/product/38088/Freedesktop-Systemd.html?vendor_id=7971 As you can see there are even more vulnerabilities, which makes sense as the attack surface is even larger.

Kinetix

Hey, that’s cool that someone formatted them for the lemmy docs… I think I’ll have to get in there and try and push some updates. Heh, I also see mention of things like “respective authors” with no authors mentioned. I’ll try and get some changes merged soon.

@Echedenyan

Oh. THAT IS GREAT.

@ajz

I found some more written-down reasons for Yunohost not wanting to use Docker:

Disclaimer

This package installs Discourse without Docker, for several reasons (mostly to support ARM architecture and low-profile servers, to mutualize nginx/postgresql/redis services and to simplify e-mail setup). As stated by the Discourse team:

The only officially supported installs of Discourse are Docker based. You must have SSH access to a 64-bit Linux server with Docker support. We regret that we cannot support any other methods of installation including cpanel, plesk, webmin, etc.

So please have this in mind when considering asking for Discourse support.
