Webserver tricks

remi_python · April 11, 2024, 4:17pm

NethServer Version: latest
Module: webserver .

My nightmare comes true : containers everywhere !

we have folders in _data that holds websites

deleting one an recreating it by a symbolic link breaks everything.

I have a mirror, in /mir/data1 .

I do

ln -s /mir/data1 /........./_data/900X ...

I get 404 whatever I do, rights/modes etc .

One details, /mir is a second disk .

changing the root folder of the WWW site with sftpgo admin doesn’t help at all .

I would love to see a clean way of doing that, on NS7 it worked great .

Andy_Wismer · April 11, 2024, 5:13pm

This is VERY logical, as this would just break security. To keep things simple, Data for a module is best kept in the module…
Inside the container, you can symlink all you want, it would work. But would not solve your space problem. But outside the container?

And - to be honest, it worked on NS7, yes, but never was supported. But I also used that method for a short while. NS7 will not show the used space correctly, and other caveats.

Planning your Server is also a fundamental issue. NS8 is new, so why are old bottles used for new wine?
You should have learned from NS7 how much space your system requires, and planned that accordingly!

My 2 cents
Andy

remi_python · April 11, 2024, 6:10pm

Well that is life , I have a machine with this and that HW …

I put NS on the disk one SSD …
and my data on a huge HDD …

this is the principle of modern computers and … servers .

If a software cannot handle that , then it has problem that is called : Limitation .
I may sound picky, but this limitation should be known.

Web servers administrators have already their protocols and standards,
so “you” land in his office with a folder like:

/home/webserver1/.local/share/containers/storage/volumes/websites/_data/900X

he will not be happy, so

Or we can modify that ( a parameter somewhere)
Or we do the soft links tricks,

a process accesses a file, the OS takes care of the rest (the file can be a device, a regular file, a link …)

security wise, I don’t see the relationship … I mean, we have web-servers running “differently” than this everywhere …just fine .

logically there a solution to this in here (NS8).

the further I went is with www-data as the ‘user’ , later on I will redo everything with ‘webserver1’ as the user, as I suspect a read permission issue somewhere …

unless the container runs under a different (U)ID .

another question,

the folders in _data , 900X … , have UID and GID foreing to the server, so I deduct from what you said that , those UID/GID are local in the containers ?

exp: username “toto” has UID of 12134 , on the server that UID doesnt exist and yet has been created by NS8’s webserver installer .

also, I may just zap everything by just mounting the disk on _data folder ? or maybe higher in the tree ?

Andy_Wismer · April 11, 2024, 6:27pm

Hi @remi_python

You are very right, if the calendar would state somewhere in the last millenium, like 1990…

We now have 2024. And virtualization is everywhere. Doing a native install is sooo dated!

I use Proxmox as Hypervisor, and let that take care of Storage and redundancy.

If the software supports it (eg Windows), I do use several disks, classical C:, D: maybe even a E: Disk if needed.

Systems like NS7, which were always intended to run on a single “logical” disk (If mirrored or raided underneath, still the OS sees a single disk), but also a NS8 “Node”, I prefer to provide a single disk.

While it was always possible to add in another disk, and symlink as needed, the statistics on Cockpit would not show anymore correct data for disk usage, so added danger of disk overfilling, etc. Backups were also getting wrong data amounts in stats…
Ergo, the OS was never designed to handle this additional disk.

It takes about 2 minutes to let the disk grow to a newer required size for almost ANY OS, so why bother?

Containerization, like NS8 uses, is again a different animal. There are rootless containers, and some which need root. But generally, all containers have their own simple users - like almost any other linux - but highly limited. Applications in the container use LDAP or AD to access Users / Groups of the Cluster.

So allowing access from one container to the root file system of the Cluster would be inviting serious trouble!

I hope the above clarifies a few things.

And no, please don’t use a domain like .local or .lan in the days of LetsEncrypt.

Note:

If you have questions regarding Virtualization, Proxmox or general networking / planning issues, don’t hesitate to PM me.

My 2 cents
Andy

dnutan · April 11, 2024, 6:39pm

On NS7 most space or data was under /var/lib/nethserver, on NS8 it is mainly in /home.
From my point of view, NS8 will require more space than NS7.

remi_python · April 11, 2024, 6:39pm

Well no offense (you blame me, criticize me, and didn’t show a glimpse of a solution) so , my simple mind and wallet will wait for the “clean” solution, in the mean time I am “hacking in”.
and will for sure post the solution if found .

Otherwise,I go back to NS7, it is still a nice gem zero problem for years on the same installed servers

Andy_Wismer · April 11, 2024, 6:43pm

I did offer a PM, better for discussing security, IPs and such than in a public Forum…

The offer still stands.

Sure you can. It is EOL in less than 3 Months and will continue to work, but will have more and more unsupportable problems, besides being a security risk for the rest of the Internet…

You’re free to choose…

My 2 cents
Andy

remi_python · April 11, 2024, 6:52pm

that is not the goal of the game , at least how I understood.

we come here to help each others .

and that publicly, so: whoever gets across similar issues, he/she can be saved by a simple query on the forum.

Andy_Wismer · April 11, 2024, 6:56pm

@remi_python

More info about virtualization:

https://wiki.nethserver.org/doku.php?id=userguide:nethserver_and_proxmox

All still valid for NS8…

mrmarkuz · April 11, 2024, 7:12pm

I didn’t test yet but symbolic links seem only working with podman when absolute paths are the same in and out of the container:

github.com/containers/podman

Need podman to mount symbolic links for docker compatibility

opened 05:27PM - 12 Oct 23 UTC

closed 09:41AM - 19 Oct 23 UTC

wnm3

kind/bug remote macos machine locked - please file new issue/PR

### Issue Description I have used /etc/synthetic.conf to create a symbolic link… off root to a directory in my home directory. The net effect is to have: ``` ls -l / |grep store lrwxr-xr-x 1 root wheel 16 Oct 9 12:15 store -> Users/wnm3/store ``` as specified by the following (note: there is a tab separating the data in /etc/synthetic.conf: ``` cat /etc/synthetic.conf store Users/wnm3/store ``` If I attempt to mount /store/pipeline using -v in the podman run command as follows: ``` docker run -e DPLAPIKEY=${DPLAPIKEY} -v ~/store/pipeline:/opt/ol/wlp/output/defaultServer/data --publish 9078:9078 --publish 9440:9440 --detach --name pipelinesvcs pipelinesvcs ``` It fails with `Error: statfs /store/pipeline: no such file or directory` even though the data are there (/store just is a symlink directory). ### Steps to reproduce the issue Steps to reproduce the issue 1. create a ~/store/pipeline directory on a MacOS machine (mine is M1 but this also fails for Intel) using commands: `cd ~ ; mkdir -p store/pipeline` 2. create a synlinked directory using /etc/synthetic.conf as shown above and reboot 3. confirm the directory exists using `ls -l / |grep store` 4. attempt to run a container using -v /store/pipeline:/store/pipeline (this should fail) 5. attempt to run the same container using -v ~/store/pipeline:/store/pipeline (this should work) ### Describe the results you received Error: statfs /store/pipeline: no such file or directory And the container does not run ### Describe the results you expected The container runs without issue and the contents of /store/pipeline are visible in the container. ### podman info output ```yaml Note: docker aliased to podman docker info host: arch: arm64 buildahVersion: 1.32.0 cgroupControllers: - cpu - io - memory - pids cgroupManager: systemd cgroupVersion: v2 conmon: package: conmon-2.1.7-2.fc38.aarch64 path: /usr/bin/conmon version: 'conmon version 2.1.7, commit: ' cpuUtilization: idlePercent: 98.35 systemPercent: 0.7 userPercent: 0.95 cpus: 1 databaseBackend: boltdb distribution: distribution: fedora variant: coreos version: "38" eventLogger: journald freeLocks: 2046 hostname: localhost.localdomain idMappings: gidmap: - container_id: 0 host_id: 1000 size: 1 - container_id: 1 host_id: 100000 size: 1000000 uidmap: - container_id: 0 host_id: 501 size: 1 - container_id: 1 host_id: 100000 size: 1000000 kernel: 6.5.5-200.fc38.aarch64 linkmode: dynamic logDriver: journald memFree: 793878528 memTotal: 1980387328 networkBackend: netavark networkBackendInfo: backend: netavark dns: package: aardvark-dns-1.7.0-1.fc38.aarch64 path: /usr/libexec/podman/aardvark-dns version: aardvark-dns 1.7.0 package: netavark-1.7.0-1.fc38.aarch64 path: /usr/libexec/podman/netavark version: netavark 1.7.0 ociRuntime: name: crun package: crun-1.9.2-1.fc38.aarch64 path: /usr/bin/crun version: |- crun version 1.9.2 commit: 35274d346d2e9ffeacb22cc11590b0266a23d634 rundir: /run/user/501/crun spec: 1.0.0 +SYSTEMD +SELINUX +APPARMOR +CAP +SECCOMP +EBPF +CRIU +LIBKRUN +WASM:wasmedge +YAJL os: linux pasta: executable: /usr/bin/pasta package: passt-0^20230908.g05627dc-1.fc38.aarch64 version: | pasta 0^20230908.g05627dc-1.fc38.aarch64-pasta Copyright Red Hat GNU General Public License, version 2 or later <https://www.gnu.org/licenses/old-licenses/gpl-2.0.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. remoteSocket: exists: true path: /run/user/501/podman/podman.sock security: apparmorEnabled: false capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT rootless: true seccompEnabled: true seccompProfilePath: /usr/share/containers/seccomp.json selinuxEnabled: true serviceIsRemote: true slirp4netns: executable: /usr/bin/slirp4netns package: slirp4netns-1.2.1-1.fc38.aarch64 version: |- slirp4netns version 1.2.1 commit: 09e31e92fa3d2a1d3ca261adaeb012c8d75a8194 libslirp: 4.7.0 SLIRP_CONFIG_VERSION_MAX: 4 libseccomp: 2.5.3 swapFree: 0 swapTotal: 0 uptime: 72h 33m 53.00s (Approximately 3.00 days) plugins: authorization: null log: - k8s-file - none - passthrough - journald network: - bridge - macvlan - ipvlan volume: - local registries: search: - docker.io store: configFile: /var/home/core/.config/containers/storage.conf containerStore: number: 2 paused: 0 running: 2 stopped: 0 graphDriverName: overlay graphOptions: {} graphRoot: /var/home/core/.local/share/containers/storage graphRootAllocated: 106769133568 graphRootUsed: 3546521600 graphStatus: Backing Filesystem: xfs Native Overlay Diff: "true" Supports d_type: "true" Supports shifting: "false" Supports volatile: "true" Using metacopy: "false" imageCopyTmpDir: /var/tmp imageStore: number: 3 runRoot: /run/user/501/containers transientStore: false volumePath: /var/home/core/.local/share/containers/storage/volumes version: APIVersion: 4.7.0 Built: 1695839065 BuiltTime: Wed Sep 27 14:24:25 2023 GitCommit: "" GoVersion: go1.20.8 Os: linux OsArch: linux/arm64 Version: 4.7.0 docker version Client: Podman Engine Version: 4.7.0 API Version: 4.7.0 Go Version: go1.21.1 Git Commit: 073183fe1723d7bda826b574437891976a958c65 Built: Wed Sep 27 11:35:55 2023 OS/Arch: darwin/arm64 Server: Podman Engine Version: 4.7.0 API Version: 4.7.0 Go Version: go1.20.8 Built: Wed Sep 27 14:24:25 2023 OS/Arch: linux/arm64 ``` ### Podman in a container No ### Privileged Or Rootless None ### Upstream Latest Release No ### Additional environment details See details for setting up /store -> ~/store above ### Additional information This happens without fail. It is an incompatibility with docker. We need this to handle shell scripts used to start containers on various systems where additional disk space has been mounted off the root directory.

remi_python · April 12, 2024, 7:16am

Thank you, I am on it

@stephdl Sorry to bother you if you haven’t seen this post,
if I remember the ngix module is done by you, if you have any suggestion, I’ll be very grateful

stephdl · April 12, 2024, 1:47pm

what is the issue ?

lack of place, I have a solution, buy two SSD 4T one for me, one for you

More seriously, I am listening you

remi_python · April 12, 2024, 4:14pm

I work this way:

OS on a disk, Data on a disk .

It is not about space really, but to me a way of doing things .

So I spotted that the vhosts of the ngix server (“httpd”) reside in /home…/_data/900X/
(x as in x y or z parameter/number …)

making symlinks like in NS7 doesn’t work (yet? rights/userID ? …) , and instead of spending a lot of time debugging, I thought you may have an idea .

If symlinks are a no got because of this or that, I don’t mind mounting the Data disk on that folder (I haven’t tried that yet).

So I thought of you, is there a specific UID to use ? a folder permissions ? etc .
If I decide to “play” with the mount point of the Data disk, on what level do you suggest I hook it ? : _data or the vhosts ? or higher ?

stephdl · April 12, 2024, 7:44pm

Selinux is in the party I am not sure we could do easily a symlink

remi_python · April 13, 2024, 1:48am

I understand that,

I will then mount the disk on _data ,

Or, uninstall NS8 , mount the disk in /home “aka like many unixes …”
and then install NS 8

What do you think ?

remi_python · April 13, 2024, 2:49am

Well, thank you for your cooperation !

https://docs.nethserver.org/projects/ns8/en/latest/disk_usage.html

I will basically mount the disk in /home …