Defining Shared Folder Access Volume

At the moment, it seems each application creates its own directories contained within the Application Folder Structure in the format
/home/$appName/.local/share/containers/storage/volumes/$definedVolumeName/_data

So if there are 2 applications utilizing the same volume names:
App1
/home/$appName1/.local/share/containers/storage/volumes/$sameDefinedVolumeName/_data

App2
/home/$appName2/.local/share/containers/storage/volumes/$sameDefinedVolumeName/_data

Each of the $sameDefinedVolumeName is contained within the Application constrained.
If this is the case, then,
@davidep
How could one implement or define a volume within NS8 that can be and is shared between 2 applications? That would basically correspond to a shared folder.
Within the constraints of a single NS8 node, of course.
Is this achievable?

Additionally, is this achievable within a mounted partition as well?

Is it possible to have something akin to this:
/home/$sharedAppsDirectory/.local/share/containers/storage/volumes/$sameDefinedVolumeName/_data

or something simpler

So that, if there are 2 or more apps that I would like to store and retrieve data from the same directory, it would be like
App1
/home/$sharedAppsDirectory/.local/share/containers/storage/volumes/$sameDefinedVolumeName/_data

App2
/home/$sharedAppsDirectory/.local/share/containers/storage/volumes/$sameDefinedVolumeName/_data

1 Like

It is not possible: SELinux (and AppArmor) forbid access to other users’ home directories. And even if you disable them, it looks like a really bad practice, like doing chmod -r 777 /

Make a concrete example so I can understand your use case.

I have built 2 modules.

Calibre with Server
Calibre Web.

Calibre Web assumes a user already has an active Calibre library for pulling data from.

Calibre has the capacity to upload multiple files and create the Calibre library database that Calibre Web requires.

If the 2 volumes are mounted in the same directory volume, then Calibre Web would be able to automatically load the given files.

I understand that the first instinct would be to just build an app that combines the 2, but what if a user only wants one?

And as stated before, we can't bundle everything into a single app in NS8. That is the reason why all apps using LDAP connect to the single LDAP instance; I think we need something similar for apps as well.

If I already have my library, I don't need the full heavyweight Calibre. Mind you, the Calibre image utilized KASM to stream a full desktop UI via browser, similar to what Guacamole would do, but constrained.

I would just wget my library to the respective folder, and use Calibre Web.

If I need to add multiple files, or engage other advanced features, then I can install Calibre, modify my database, then remove/disable it and only use the web interface.

While this is the easiest and most prevalent case, there are other cases in which I have had a similar kind of situation when building other apps.

We just need a way to define a usable directory accessible by more than one app.

If the issue is security, both apps are internal, and it should not really be an issue per se; considering one already accesses it, a similar fashion needs to be defined.

If it's completely not possible and feasible, I think we need to define a universal directory module that other apps can tap into for file storage and access.

Example docker compose

services:
  calibre:
    image: ghcr.io/linuxserver/calibre
    container_name: calibre
    environment:
      - PUID=$PUID #change this to your user's PID
      - PGID=$PGID #change this to your user's PGID
    volumes:
      - path/to/your/calibre/config:/config #change before the ':'
      - path/to/your/calibre/upload:/uploads #change before the ':'
      - path/to/your/calibre/plugins:/plugins #change before the ':'
      - path/to/your/CalibreLibrary:/Calibre_Library #this is where your ebooks will end up
    ports:
      - 8080:8080 #change before the ':' if necessary
      - 8081:8081 #change before the ':' if necessary
    restart: unless-stopped
    networks:
      - ebooks

  calibre-web:
    image: ghcr.io/linuxserver/calibre-web
    container_name: calibre-web
    environment:
      - PUID=$PUID
      - PGID=$PGID
    volumes:
      - $DOCKERDIR/calibre/calibre-web:/config
      - path/to/your/Calibre Library:/books
    restart: unless-stopped
    depends_on:
      - calibre
    ports:
      - 8083:8083
    networks:
      - ebooks

  readarr:
    image: ghcr.io/linuxserver/readarr:nightly
    container_name: readarr
    environment:
      - PUID=$PUID #change to your PID
      - PGID=$PGID #change to your PGID
    volumes:
      - /path/to/your/docker/readarr:/config #change before the ':'
      - /path/to/your/CalibreLibrary:/books #change before the ':'
      - /path/to/your/downloads:/downloads  #change before the ':'
    ports:
      - 8787:8787
    restart: unless-stopped
    networks:
      - ebooks

networks:
  ebooks:
    external: true

And have you certified this as a fact, or is this just you “thinking”?

I was not aware that you are a core kernel security expert, and I do not like the implications of careless security when programming a key OS, even if it’s only modules.

I may be wrong, but it looks like we’re starting to open BIG holes, just because of a really much needed “Book” app…

Sloppy programming just to increase the list of highly asked for apps?

@davidep

Does NS8 soon need a module rating page?

NS7 had a lot of modules from both @stephdl and @mrmarkuz, and I’d personally rate both as TOP app / module developers!
Both are human, and as such do make errors. But both have consistently made top efforts to fix / repair any errors - for several years now.
And both had a sensible idea of security, and associated “sensible” defaults / options for their modules.

Reading above, and other questions here about developing makes me really worry about the quality of apps to be upcoming.

PS:

I do approve of the fact that user @oneitonitram is giving a serious effort to integrate new modules.
But not when security is compromised!

My 2 cents
Andy

3 Likes

Would be wonderful to have such a feature.

If one app has folder access within the app, why can’t another app have similar access within the constraints of an NS8 app?

Security is important and I take security seriously.

I am not a security expert. However, I would love to be one, and given enough time I will.

This matter does not concern only this specific app. There are other apps I have worked on, am working on, and that other community members will work on, and even at the core development level, assuming they will not constrain themselves to only apps available in NS7, I am sure they will experience the need for such a solution.

NS8 is still a work in progress, and the valuable feedback from the challenges we experience helps shape the product.

Is it wrong of me to point out a constraint, and suggest a proposal for resolving it?

I would say that this comment is careless and unreasonable. Just because you don't need the app, there are others who would value its availability, and going by the discussions and views of similar apps, I would say there are people who would love to have it available and functioning properly.

SELINUX, APPARMOR are two stated issues, both well known.

Simple: Because it is no more “One App”, it’s two!

I have my own opinion about this, and I strongly think this does not really serve any SME environment. But it’s my own opinion.
Then again, I care about SME needs, not about “others”.

I do recall you saying the same about having AD in the cloud, then discovering that you are almost the only one. Besides me, no one else replied to that post. The other “Cloud only” users who also don’t use NS as a SME server, but as Home or Private server, which is OK.

PS:

I’m not criticising you per se. You did read this?

I’m worried about the tendency to alleviate security, just to get an app working. And without really inquiring about best practices for Docker like Containers to share common data. This is not a new issue…
As such, there are solutions out there.

My 2 cents
Andy

=====================================

@stephdl is currently a core developer, and may not really be available to work on specific apps, even the ones he worked on in NS7; he has mentioned this on the forum.
@mrmarkuz is at the moment, by his own admission, not fully available to work on NS8 apps. I wish he was as well.

NethServer, as pointed out multiple times by @alefattorini, is a community project. That being said, as a way to offer value I embarked on the journey of building apps.

I am not trying to replace or claim to offer top NS8 app development, but tbh ATM I believe I have the most experience as a community member in building apps for NS8. It will definitely not remain that way for long, and I do not regret the efforts I put into learning and building apps for NS8.

I am asking the questions I do so that I can offer the best. I am not the architect of NS8. Just because I am building apps for NS8 does not mean that I cannot deploy or have not been able to deploy them on other systems; it's just my way of saying thank you and offering my valuable time.

If you feel that the quality of any app I have built is subpar, or does not meet the minimums in the norms of what an NS8 app should be, you are free to point it out. Equally, everything is open source; you are free to do a PR, or even fork the app.
Anyone is free to do that.

Thank you for this.

As I said, I am asking the STUPID questions so that I can learn and be able to offer better value, and work with best practices.

I take security seriously as both a developer and as a systems solution architect.

I wouldn't want to compromise anyone’s production server by the apps I am building on NS8.
This is why all apps I have built go through the following processes before being made available:

  1. Build an initial Version and Test on an active Server.
  2. Delete and re-install the App
  3. Run an Update and or Upgrade procedure for the given App
  4. Announce the App for community to test
  5. Schedule and Test backups for the Given App.
  6. Do a beta release of the app after working on feedback from community members
  7. Multiple beta releases are possible, depending on the complexities of the given feedback.
  8. Do a release candidate. At this point, upgrade to release without data loss must be possible
  9. Submit to NethForge for listing on Software Center, with pre-release tag
  10. Do further tests, and if no issues from community members are experienced
  11. Do a release.
  12. Announce the final release in the community

Sometimes, depending on the complexity of the module, I would announce earlier while developing to get community input, feedback and development support.

Just because I have been working on multiple apps at once does not by any means make it easier, and does not in any way mean I am being sloppy.

I am curious as to this; the NS8 concept is more restrictive than even Podman directly, and way more than the Docker model.

You have no idea how many articles someone has to read just to get one app working.
This includes release notes, forum discussions, best practices on installation and maintenance, and videos.

By the time an app is worked on, Andy, a lot of care, thought and many tabs are open.

@davidep correct me if I am wrong, not all standard concepts are applicable within the constraints of NS8 apps.

For instance, most Docker and Podman images publish 2 ports for HTTP and HTTPS. In NS8, we only utilize the one port of HTTP, but in some other cases, the secondary port is required.

I am learning as I move along, and when I can't figure it out, I ask. Sorry, but sometimes I have so many questions, and the only way is to post them in this community.

If you put in more effort into security, the purpose of my post is achieved :slight_smile:
As said, I approve of more apps on NS8.

I don’t need to approve every app, and do question whatever use case someone may be thinking about - especially in relation to SME. Some of your apps only make sense for a hosting environment, and for that, NS8 is still far away from being an ideal platform!

1 Like

The more the apps, the more people would be inclined to use NS8: new users, and old users inclined to switch.
The more the community would be robust, and the more actual app developers might want to officially support their apps.

Wouldn’t it be amazing if the actual developer of the software builds and maintains the app on NS8, instead of a third party like myself? I have actually taken the effort to speak to some, and others are willing to do it.

Testers are needed, and testing and documenting issues experienced is hard. If you can offer the time to test non-prod versions, the feedback would be valuable.

I disagree. Most are actually not designed for shared hosting, which I guess is what you are suggesting. Some like Matomo are just quality-of-life provisions, but others like PaperlessNGX, Uptime Kuma, Docuseal, coder etc. are not possible in a hosting environment.

Sometime you build an App not because of your own needs, but because of the community benefit.

Sharing data among applications cannot be done as you wish: either you share the data over a TLS-encrypted channel, like we do with Traefik by HTTP, or you could create a pod with containers that you enable to start by a condition. This way a container can be up or down following the need of a service.

1 Like

I was almost about to ask regarding this.

How can I achieve this?
Is there an example module?
Are there some documents I can go through?

Ah…?!

Everything is systemd and podman based so this is the documentation you need to master

https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html#ExecCondition=

But in the systemd services system I shared with the community we require to others service so it stop the pod because one service is not running

I found a way in Mattermost to prevent starting the SSO container if an environment variable is missing. Check the systemd requirement, it has changed.

2 Likes
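The `ExecCondition=` gating described in the post above, as an added example that is not part of the original thread or of any NS8 module. The script name `optional-gate`, the variable `OPTIONAL_SVC_ENABLED`, the environment file path and the image name are hypothetical.

```shell
#!/bin/sh
# Added example: helper called from ExecCondition= in the systemd unit of an
# optional container. Hypothetical unit fragment (names are assumptions):
#
#   [Service]
#   ExecCondition=/usr/local/bin/optional-gate %S/state/environment OPTIONAL_SVC_ENABLED
#   ExecStart=/usr/bin/podman run --rm --name optional-svc example.invalid/optional
#
# systemd interprets the ExecCondition= exit status as follows:
#   0      -> condition met, continue with ExecStart=
#   1-254  -> skip the remaining commands, unit is NOT marked failed
#   255    -> unit is marked failed

gate_check() {
    env_file=$1
    var_name=$2

    # Accept only plain variable names, so the name can be used safely
    # inside the sed expression below.
    case $var_name in
        ''|*[!A-Za-z0-9_]*) return 255 ;;
    esac

    # A missing or unreadable environment file is a real error: fail loudly
    # rather than silently skipping the service.
    [ -r "$env_file" ] || return 255

    # Take the last assignment of the variable and strip optional quotes.
    value=$(sed -n "s/^${var_name}=//p" "$env_file" | tail -n 1 | tr -d "\"'")

    case $value in
        true|1) return 0 ;;   # explicitly enabled: start the container
        *)      return 1 ;;   # unset or disabled: skip without failure
    esac
}

# When run as a script with two arguments, act as the ExecCondition= command.
if [ "$#" -eq 2 ]; then
    gate_check "$1" "$2"
    exit $?
fi
```

Because a disabled or unset variable yields exit status 1, the optional unit is skipped cleanly and the rest of the pod is not reported as failed.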

This kind of implementation is important, especially for the cases where we want to implement more than one container in a pod, but we want the ability to enable or disable some containers.

Example: we can implement phpMyAdmin on the WordPress app, but if a defined variable "visible" is set to false, then phpMyAdmin is not started and therefore, if exposed, not accessible.

Great concepts to brainstorm on. As I have had a similar need, I would be happy for some learnings in regards to that.

While a point has been made in not being able to offer said,
is it not possible then to copy the contents from one module to another, using anything similar to how rsync could be used between servers?

1 Like

If you want two applications to pass data among themselves… you should deliver a two-application container.
Currently the only data transferred among modules is… login, using a defined procedure and protocol, knowing from the start that there would be a login repository container and several other applications that should use that for login. It has been developed, tested, broken, hardened.

However.
Container orchestrator (NS8) is not responsible to make the two containers interdependent. It’s like a guarded road, but without traffic lights. Provide communication infrastructure (more or less) which is not the same one for the configuration and command deployment (from NS8 to containers, not the other way around).

You’re asking for traffic. I can relate with that.
Move the guarded road between applications inside the container. Because if you poke holes into fences of guarded roads, someone will use it for do something unwanted from the Sysadmin.

Seems stupid but it’s not about tech. It’s about design culture and philosophy.

Lots of vulnerabilities, malicious hacks, cracks and exploits over the decades were able to be discovered and misused because the design since day 0 of the product or product parts was not considered. So the baseline changed from “make it work, then make it safe” to “think it safe, then make it work”.

Container interconnection can work, but it’s unsafe design and could create more issues for NS8 if implemented. It’s a galaxy of possible issues, starting from security and proceeding with management.

This is indeed going to make things way more complicated.

I had a proposition of building a Matrix module for NethServer, based on the spantaleev Ansible playbook.

Initially I was to build a single unit, but later on felt it would be better to have each component as a separate module that a user can install depending on what they require.

But now it's starting to look like we will have to go back to the single system.

Or possibly apply something similar to what Nethvoice has done…

I can understand why, and I feel you.
However, I don’t think the developers will allow creating security holes for one application/module/container pair.

Even if it may not be supported, there could/should be a secure way to achieve the given.

Is rsync a security hole?