H
Homarr•3y ago
BerserkeR

New to docker, asking if the docker-compose is correct

version: "3.2" services: # Homarr - https://github.com/ajnart/homarr # mkdir /volume1/docker/appdata/homarr # mkdir /volume1/docker/appdata/configs # mkdir /volume1/docker/appdata/icons homarr: container_name: homarr image: ghcr.io/ajnart/homarr:latest restart: unless-stopped logging: driver: json-file options: max-file: ${DOCKERLOGGING_MAXFILE} max-size: ${DOCKERLOGGING_MAXSIZE} labels: - org.hotio.pullio.update=${PULLIO_UPDATE} - org.hotio.pullio.notify=${PULLIO_NOTIFY} - org.hotio.pullio.discord.webhook=${PULLIO_DISCORD_WEBHOOK} environment: - PUID=${PUID} - PGID=${PGID} - TZ=${TZ} volumes: - ./homarr/configs:/app/data/configs - ./homarr/icons:/app/public/icons ports: - 7575:7575
26 Replies
Manicraft1001
Manicraft1001•3y ago
Hello @berserker._. , the docker compose file can vary on your setup. Thus, I can't verify 100% that this will be working. I just had a quick glance at it and I think that it should be working. Is there a particular reason, why you're asking if this will work? Why don't you just try it out?
BerserkeR
BerserkeROP•3y ago
It looked like it didn't put files into the folders but it just did. I wasn't 100% sure if the paths were correct. i was working with a .env file that adds a part of the path to the docker-compose DOCKERSTORAGEDIR=/volume1/nas and DOCKERCONFDIR=/volume1/docker/appdata But i guess that isn't needed when you begin with ./homarr/ Sorry i'm fairly new at this 🙃
Manicraft1001
Manicraft1001•3y ago
No worries Is now Homarr working as expected?
BerserkeR
BerserkeROP•3y ago
Sorry for the noob question maybe i should delete the whole thread lol Uhm, i'm gonna try it out now!
Manicraft1001
Manicraft1001•3y ago
No, you can leave it If other people have the same question, they'll see this
BerserkeR
BerserkeROP•3y ago
I guess i forgot to add this line? /var/run/docker.sock:/var/run/docker.sock:ro
Manicraft1001
Manicraft1001•3y ago
If you want to use the Docker module, yes
BerserkeR
BerserkeROP•3y ago
I'm using a Synology NAS to run this by the way. Should that line always be like this? I'm worried i put things in folders i can't access or something or where they aren't supposed to be. Instead of in my docker shared folder with all the appdata/configs
Manicraft1001
Manicraft1001•3y ago
Usually, /var/run/docker.sock is the default path for the Docker socket, which is used to communicate with Docker itself There are some security risks connected with this approach You can use Docker socket proxies to minimize the security risks
BerserkeR
BerserkeROP•3y ago
Okay, yes that's what i thought. It's not like i'm putting files some where where they don't belong or don't get removed when i delete the image or something.. I'm not sure how i do that
Manicraft1001
Manicraft1001•3y ago
No, Homarr will only "read" this file Thus, the ":ro" permission at the end
Manicraft1001
Manicraft1001•3y ago
I think there are multiple solutions to that, but this seems to be a popular one: https://github.com/Tecnativa/docker-socket-proxy
GitHub
GitHub - Tecnativa/docker-socket-proxy: Proxy over your Docker sock...
Proxy over your Docker socket to restrict which requests it accepts - GitHub - Tecnativa/docker-socket-proxy: Proxy over your Docker socket to restrict which requests it accepts
BerserkeR
BerserkeROP•3y ago
I do have all docker containers on a specific PUID and PGID limited to only what they should have access to if that helps to a user account called ''docker''
Manicraft1001
Manicraft1001•3y ago
But then, you have to trust the socket proxy... So ultimately, there will always be some security risk involved Yes, that's good practice
BerserkeR
BerserkeROP•3y ago
But you would still recommend me to do this? Because i don't fully understand what the security risk is 😄 I'll read a bit on the Github page
Manicraft1001
Manicraft1001•3y ago
You need to decide if you want to do that
BerserkeR
BerserkeROP•3y ago
But correct me if i'm wrong, if all my docker containers have limited access and all the services for example DSM web UI etc.. Are all disabled for that user account could it still gain root access?
Manicraft1001
Manicraft1001•3y ago
Probably not. But never say never I guess But I think your bigger concern should be DSM
BerserkeR
BerserkeROP•3y ago
Most of the containers have the permissions of the user account ''docker'' and i fully disabled all the services for that account so it can't login to DSM And i have only local ip's whitelisted in the firewall I only have a couple ports open, one for plex and one for wireguard both limited to my country only I was watching IBRACORP's video about this container and he added that line as well but he's talking about reverse proxies which i don't understand 🙃
Manicraft1001
Manicraft1001•3y ago
Instead of exposing multiple ports, you should controll access using a reverse proxy Also, you should not expose DSM to the WWW. But you need to figure that out yourself. There are tons of awesome tutorials out there. You need to know this yourself 😂
BerserkeR
BerserkeROP•3y ago
Yeah that stuff all works no need to talk about that 🤣 My Sabnzbd is connected to Homarr, green light, API key inside.. etc. But a widget on the right hand side still says No supported download clients found! any idea what i'm doing wrong here?
Manicraft1001
Manicraft1001•3y ago
What widget? Download speed?
BerserkeR
BerserkeROP•3y ago
BerserkeR
BerserkeROP•3y ago
Yes
Manicraft1001
Manicraft1001•3y ago
Yes, that's expected behaviour. The module only works for Torrent clients There is no implementation yet for Usenet
BerserkeR
BerserkeROP•3y ago
Oh okay, thanks for letting me know!
Want results from more Discord servers?
Add your server