New to docker, asking if the docker-compose is correct
version: "3.2"
services:
  # Homarr - https://github.com/ajnart/homarr
  # mkdir /volume1/docker/appdata/homarr
  # mkdir /volume1/docker/appdata/configs
  # mkdir /volume1/docker/appdata/icons
  homarr:
    container_name: homarr
    image: ghcr.io/ajnart/homarr:latest
    restart: unless-stopped
    logging:
      driver: json-file
      options:
        max-file: ${DOCKERLOGGING_MAXFILE}
        max-size: ${DOCKERLOGGING_MAXSIZE}
    labels:
      - org.hotio.pullio.update=${PULLIO_UPDATE}
      - org.hotio.pullio.notify=${PULLIO_NOTIFY}
      - org.hotio.pullio.discord.webhook=${PULLIO_DISCORD_WEBHOOK}
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
    volumes:
      - ./homarr/configs:/app/data/configs
      - ./homarr/icons:/app/public/icons
    ports:
      - 7575:7575
26 Replies
Hello @berserker._. ,
the docker compose file can vary on your setup.
Thus, I can't verify 100% that this will be working.
I just had a quick glance at it and I think that it should be working.
Is there a particular reason, why you're asking if this will work?
Why don't you just try it out?
It looked like it didn't put files into the folders but it just did. I wasn't 100% sure if the paths were correct.
i was working with a .env file that adds a part of the path to the docker-compose
DOCKERSTORAGEDIR=/volume1/nas
and DOCKERCONFDIR=/volume1/docker/appdata
But i guess that isn't needed when you begin with ./homarr/
Sorry i'm fairly new at this 🙃
No worries
Is now Homarr working as expected?
Sorry for the noob question maybe i should delete the whole thread lol
Uhm, i'm gonna try it out now!
No, you can leave it
If other people have the same question, they'll see this
I guess i forgot to add this line?
/var/run/docker.sock:/var/run/docker.sock:ro
If you want to use the Docker module, yes
I'm using a Synology NAS to run this by the way. Should that line always be like this? I'm worried i put things in folders i can't access or something or where they aren't supposed to be. Instead of in my docker shared folder with all the appdata/configs
Usually, /var/run/docker.sock is the default path for the Docker socket, which is used to communicate with Docker itself
There are some security risks connected with this approach
You can use Docker socket proxies to minimize the security risks
Okay, yes that's what i thought. It's not like i'm putting files somewhere where they don't belong or don't get removed when i delete the image or something..
I'm not sure how i do that
No, Homarr will only "read" this file
Thus, the ":ro" permission at the end
I think there are multiple solutions to that, but this seems to be a popular one:
https://github.com/Tecnativa/docker-socket-proxy
I do have all docker containers on a specific PUID and PGID limited to only what they should have access to if that helps
to a user account called ''docker''
But then, you have to trust the socket proxy... So ultimately, there will always be some security risk involved
Yes, that's good practice
But you would still recommend me to do this?
Because i don't fully understand what the security risk is 😄
I'll read a bit on the Github page
You need to decide if you want to do that
But correct me if i'm wrong, if all my docker containers have limited access and all the services for example DSM web UI etc.. Are all disabled for that user account could it still gain root access?
Probably not. But never say never I guess
But I think your bigger concern should be DSM
Most of the containers have the permissions of the user account ''docker'' and i fully disabled all the services for that account so it can't login to DSM
And i have only local ip's whitelisted in the firewall
I only have a couple ports open, one for plex and one for wireguard both limited to my country only
I was watching IBRACORP's video about this container and he added that line as well but he's talking about reverse proxies which i don't understand 🙃
Instead of exposing multiple ports, you should control access using a reverse proxy
Also, you should not expose DSM to the WWW.
But you need to figure that out yourself. There are tons of awesome tutorials out there.
You need to know this yourself 😂
Yeah that stuff all works no need to talk about that 🤣
My Sabnzbd is connected to Homarr, green light, API key inside.. etc. But a widget on the right hand side still says
No supported download clients found!
any idea what i'm doing wrong here?
What widget? Download speed?
Yes
Yes, that's expected behaviour. The module only works for Torrent clients
There is no implementation yet for Usenet
Oh okay, thanks for letting me know!