change docker to docker rootless

  • If I used docker with the installation via omv-extras, is it possible to uninstall docker and replace the installation with a rootless one? If this is possible, can I start all my containers or compose files again without customization?

    omv 6.x | 64 bit | omvextrasorg 6.x |
    used plugins: omv-extras | portainer | rsnapshot | antivirus
    used container: portainer/portainer | nextcloud/all-in-one | linuxserver/swag | paperless-ngx | jellyfin/jellyfin | lmscommunity/logitechmediaserver | adguard/adguardhome |

    • Official post

    If I used docker with the installation via omv-extras, is it possible to uninstall docker and replace the installation with a rootless one?

    Sure but why are you doing that?

    If this is possible, can I start all my containers or compose files again without customization?

    Maybe. Not all containers are happy rootless.

    omv 7.0.5-1 sandworm | 64 bit | 6.8 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.13 | compose 7.1.4 | k8s 7.1.0-3 | cputemp 7.0.1 | mergerfs 7.0.4


    omv-extras.org plugins source code and issue tracker - github - changelogs


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • Sure but why are you doing that?

    Some Docker containers are accessible from the Internet. I would therefore feel more secure.


  • Some Docker containers are accessible from the Internet. I would therefore feel more secure.

    If they're all behind letsencrypt/swag then they should be secured.

    And containers don't need to run with ID 0.


    That is why it's advocated on this forum to create a user to be used for docker and run the containers with that user.

    • Official post

    I would therefore feel more secure

    Personally, I run my containers in a VM which I consider more secure than rootless docker. Are any of your containers listening on a port less than 1024?


  • I use the linuxserver/swag container and I also use a PUID and a PGID in my compose files.


    ryecoaaron I only use port 443 and subdomain configs. What is the background of your question?


    Edited once, last by happyreacer ()

    • Official post

    I only use port 443 and subdomain configs. What is the background of your question?

    You can't use a port less than 1024 rootless.


  • I use the linuxserver/swag container and I also use a PUID and a PGID in my compose files.

    That's how most people here do it. ;)


    But if you still feel insecure, you can block all external access and run those containers only locally.

    Install Wireguard and only access the LAN services while tunneled via VPN.


    In the end, you'll always have to feel a bit unsafe since there's always a port open to the outside.

    Only way to feel 100% secure is to power down the server and disconnect all cables, (sorry just joking)

  • You can't use a port less than 1024 rootless.

    ryecoaaron Thank you for your information.


  • I know :D


  • happyreacer

    Added the label "solved".
    • Official post

    You can, but you have to add capabilities

    True but that starts to open the exploit options back up.

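The thread raises three things worth checking on an existing Docker host before deciding on rootless: containers still running as UID 0 (the "create a user for docker" advice above), host ports below 1024, and containers that got extra capabilities to make that work. The audit below is an added example, not code from the thread or from OMV; it reads the JSON that `docker inspect` prints and flags those three conditions, using a constructed sample in place of real output.

```python
"""Audit `docker inspect` output for containers running as UID 0,
host ports below 1024, and added capabilities (added example)."""
import json

PRIVILEGED_PORT_LIMIT = 1024  # binding below this needs root or CAP_NET_BIND_SERVICE


def audit_container(info):
    """Return (name, issue) findings for one `docker inspect` entry (a dict)."""
    name = info["Name"].lstrip("/")
    findings = []
    # Config.User is "" when no `user:` was set, i.e. the image's default, normally root.
    user = info.get("Config", {}).get("User", "") or "0"
    uid = user.split(":")[0]
    if uid in ("0", "root"):
        findings.append((name, "runs as UID 0"))
    host_cfg = info.get("HostConfig", {})
    # PortBindings maps "443/tcp" -> [{"HostIp": "", "HostPort": "443"}, ...]
    for _cport, bindings in (host_cfg.get("PortBindings") or {}).items():
        for b in bindings or []:
            hp = b.get("HostPort", "")
            if hp.isdigit() and int(hp) < PRIVILEGED_PORT_LIMIT:
                findings.append((name, f"publishes privileged host port {hp}"))
    # CapAdd lists capabilities granted on top of Docker's default set.
    for cap in host_cfg.get("CapAdd") or []:
        findings.append((name, f"adds capability {cap}"))
    return findings


def audit_all(inspect_json):
    """Run the audit over the JSON array printed by `docker inspect $(docker ps -q)`."""
    out = []
    for info in json.loads(inspect_json):
        out.extend(audit_container(info))
    return out


# Constructed sample standing in for real `docker inspect` output (not from the thread).
SAMPLE = json.dumps([
    {"Name": "/swag", "Config": {"User": ""},
     "HostConfig": {"PortBindings": {"443/tcp": [{"HostIp": "", "HostPort": "443"}]},
                    "CapAdd": None}},
    {"Name": "/jellyfin", "Config": {"User": "1000:100"},
     "HostConfig": {"PortBindings": {"8096/tcp": [{"HostIp": "", "HostPort": "8096"}]},
                    "CapAdd": ["NET_BIND_SERVICE"]}},
])

if __name__ == "__main__":
    for name, issue in audit_all(SAMPLE):
        print(f"{name}: {issue}")
```

Images that take PUID/PGID (linuxserver ones such as swag) start as root and drop to that user after their init, so `Config.User` is empty for them even though the service process is not root; treat the "runs as UID 0" finding for those as a prompt to check the entrypoint, not as a verdict.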

    • Official post

    Can't have all

    True. That is why I follow VMware's approach and run docker in a VM. Even if the container is exploited, the attacker is stuck in the VM. Not great but better than access to the entire OMV box.


    • Official post

    True. That is why I follow VMware's approach and run docker in a VM. Even if the container is exploited, the attacker is stuck in the VM. Not great but better than access to the entire OMV box.

    I thought about doing this when I rebuild my server in a couple months... just haven't looked that heavy into it yet.


    I'm hoping to order my MB, RAM, CPU, and PSU next week. Then I'm not sure whether I'll go ahead and just rebuild with my old drives, or wait till I pick up all my new drives end of July'ish. Of course Saturday I was pleasantly "greeted" by a 17yr old driver w/ a beginners permit (who of course had no adult with her), no insurance, a paper tag that expired in April..lol. Fortunately my car was drivable... so I'm waiting on the police report to use my uninsured motorist coverage... Was driving to work today, and a rock flew off a truck and put a good size spot in my windshield about 3in wide. I got their phone number and took a picture, which I'm sure will do absolutely nothing. I guess I'm just glad it's on the lower passenger side.


    I've had a great week.. :rolleyes:
