syncthing headless on OMV6 without docker

  • I know there's a tutorial for setting up syncthing with docker.


    I'm not too keen on docker and would wanna avoid setting it up just for this single purpose.


    Questions:

    a) is there anyone else who tried setting it up just as headless on OMV and are there any recommendations / advice you'd offer? Or reasons not to do it that way?

    b) if not - is there any interest in a HowTo if I do it? A friend of mine uses it like that already, so it shouldn't be a big deal to set this up.

    • Official Post

    I'm not too keen on docker and would wanna avoid setting it up just for this single purpose.

    docker is so simple that it is fine for a single purpose. You will probably configure more by not using docker. Did you read the guide? - [How-To] Install Syncthing using Docker

    omv 7.0.4-2 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.10 | compose 7.1.2 | k8s 7.0-6 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!

  • docker is so simple that it is fine for a single purpose. You will probably configure more by not using docker. Did you read the guide? - [How-To] Install Syncthing using Docker

    I did.

    I'm very familiar with syncthing, not at all with docker.

    If you recommend it even for this I'll at least give it a try.

    Gotta be sure with one machine to have it ready by tomorrow, so I was hesitant to use docker since - if anything goes wrong I got no idea how to fix it. :)


    Setting it up without docker pretty much is only installing the .deb file and making sure in systemd that it automatically starts, plus setting up a user, right?

    • Official Post

    I'm very familiar with syncthing, not at all with docker.

    I know both and wrote the syncthing plugin. I stopped porting the syncthing plugin because docker is the way to go. Personally, I think anything that connects to the internet like syncthing should at least be containerized.


    Setting it up without docker pretty much is only installing the .deb file and making sure in systemd that it automatically starts, plus setting up a user, right?

    OMV is debian. If you do something outside of the web interface, it is still debian. But if you install docker from omv-extras and the compose plugin, you just have to cut&paste the compose file from guide and tweak the settings.


  • Quote

    Personally, I think anything that connects to the internet like syncthing should at least be containerized.

    Interesting. I thought it might be better to keep the surface minimal for security reasons, your argument seems to be exactly to do the docker-route for the same reason. I need to check with my friend, he somehow worked the security-aspect differently.


    Quote

    But if you install docker from omv-extras and the compose plugin, you just have to cut&paste the compose file from guide and tweak the settings.

    Hm. That sounds rather simple, but tbh the [How to] Prepare OMV to install docker applications seemed to be quite a bit of a hassle for just wanting syncthing's web interface available. The How-To is great, as in very detailed, but right now I tend to wanna try both routes, yet for tonight I'm worried I might fuck something up with docker and ruin my Sunday. :)

    And I'm not sure which advantage the containerization would offer - which is mainly because I have no experience with it, so feel free to advise if you want to.

    • Official Post

    I thought it might be better to keep the surface minimal for security reasons, your argument seems to be exactly to do the docker-route for the same reason. I need to check with my friend, he somehow worked the security-aspect differently.

    When you run something in a container exposed to the internet, you are basically running another very minimal OS with just the application running and only the ports specified in the compose file open. You are not able to access anything else on the host OS except for the volumes allowed for access in the compose file.


    So, if a hacker wants to break into your system through syncthing using a buffer overflow for instance, they would only get what is in the container if you are using docker. If you are running syncthing on the host OS, they now have access to the entire system. And some might say a hacker could break out of docker as well but that is a second, tougher layer. Just remember that Google and most enterprises are running apps in containers.

    Hm. That sounds rather simple, but tbh the [How to] Prepare OMV to install docker applications seemed to be quite a bit of a hassle for just wanting syncthing's web interface available. The How-To is great, as in very detailed, but right now I tend to wanna try both routes, yet for tonight I'm worried I might fuck something up with docker and ruin my Sunday.

    The guide is verbose but not really more steps than installing from the OS. It talks about creating folders. You have to do that anyway. Once syncthing is running, you setup things in its web interface the same in either install method. If you really don't like docker, uninstall it. I don't know how it is going to break anything other than itself.

    And I'm not sure which advantage the containerization would offer - which is mainly because I have no experience with it, so feel free to advise if you want to.

    Any time you can protect the host OS from an application, that is good. chroot was created 40+ years ago, freebsd jails almost 25 years ago, and lxc 15 years ago. They are all very similar to containers. Even web browsers are putting things in a jail or sandbox. The concept is pretty much the same. All of them separate the app from the OS.


  • Very helpful, thank you for the detailed explanation.

    Where do you see the advantage to use KVM instead? Wouldn't that sort of achieve the same thing? With of course more overhead, since you need to use a whole VM, but that these days has gotten rather simple to manage as well and the resources are not that much of a difference for my purposes anyway.


    I'm a lot more used to qemu / kvm as well, so you see, "if you hold a hammer everything looks like a nail" etc. :)

    • Official Post

    Very helpful, thank you for the detailed explanation.

    Where do you see the advantage to use KVM instead? Wouldn't that sort of achieve the same thing? With of course more overhead, since you need to use a whole VM, but that these days has gotten rather simple to manage as well and the resources are not that much of a difference for my purposes anyway.

    I believe a VM is even more secure. It is more overhead and increases your attack surface since you have an entire OS. But ideally you are only using the VM for one purpose and a hacker wouldn't have access to additional data. With my personal setup, I go a step further. I run docker in a VM (VMware does this as well with their kubernetes offering).

    I'm a lot more used to qemu / kvm as well, so you see, "if you hold a hammer everything looks like a nail" etc.

    The VM is fine but it is a bit more difficult to get data into it. You typically would have to mount an nfs share or something.


    • Official Post

    but tbh the [How to] Prepare OMV to install docker applications seemed to be quite a bit of a hassle for just wanting syncthing's web interface available

    This howto may seem extensive at first glance, but once you've assimilated it, you realize that it boils down to two main points:

    1. NEVER use the admin user (let alone root) to run a container.

    2. Use docker away from OS disk.

    This caused a loooooot of trouble for novice users. The sole purpose of this guide is to solve that. The rest is... details :) If you are an experienced user you will go over many lines of the howto.

    Also keep in mind that you only do this once. Then it serves you for the containers you want.
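
The two points above, together with the earlier explanation that a container only exposes the ports and volumes listed in its compose file, look like this in practice. This is an added example, not taken from the thread or from the OMV guide; it assumes the official syncthing/syncthing image (its PUID/PGID variables and /var/syncthing path), and the UID/GID, host paths and LAN address are placeholders.

```yaml
# Constructed example compose file; adjust every placeholder before use.
services:
  syncthing:
    image: syncthing/syncthing:latest
    container_name: syncthing
    hostname: omv-syncthing              # placeholder name shown to other Syncthing devices

    # Point 1: run Syncthing as a dedicated unprivileged account,
    # never as the OMV admin user or root.
    # 1001/100 are placeholders; take the real values from `id <user>` on the host.
    environment:
      - PUID=1001
      - PGID=100

    # These host paths are the only parts of the host filesystem visible
    # inside the container.
    # Point 2: both live on a data disk, not on the OS disk.
    # <uuid> is a placeholder for the data disk's mount directory under /srv.
    volumes:
      - /srv/dev-disk-by-uuid-<uuid>/appdata/syncthing:/var/syncthing
      - /srv/dev-disk-by-uuid-<uuid>/sync:/data

    # Only the ports listed here are published from the container.
    ports:
      # Web GUI: bound to the NAS's LAN address (placeholder) instead of
      # all interfaces, so it is not published on any other interface.
      - "192.168.1.10:8384:8384"
      - "22000:22000/tcp"                # sync protocol (TCP)
      - "22000:22000/udp"                # sync protocol (QUIC)
      - "21027:21027/udp"                # local discovery broadcasts

    restart: unless-stopped
```

After starting it, `docker compose ps` shows the published ports and `docker top syncthing` shows which host UID the syncthing process actually runs as.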

    • Official Post

    On the security side, maybe we should start looking at podman, given its ability to run containers without the need for a daemon.

    • Official Post

    On the security side, maybe we should start looking at podman, given its ability to run containers without the need for a daemon.

    I haven't tried this yet but if someone wants to use podman, they can just enable the podman socket instead of installing docker. Then docker-compose should be able to use podman just like docker according to this Red Hat article - https://www.redhat.com/sysadmin/podman-docker-compose


    I will try this in a bit. If it works, I'm not opposed to offering an option to have docker and podman (not both) options in omv-extras.


    • Official Post

    redhat must be modifying docker-compose in their repo to work with podman. It doesn't work that way on omv/debian.


    • Official Post

    redhat must be modifying docker-compose in their repo to work with podman. It doesn't work that way on omv/debian.

    Looks like it's not fully supported yet. In this article they also talk about the podman-compose project and the integration of podman with Kubernetes YAML, in which they seem to put more interest. https://www.redhat.com/sysadmi…an-compose-docker-compose

    • Official Post

    In this article they also talk about the podman-compose project and the integration of podman with Kubernetes YAML, in which they seem to put more interest.

    That article also says podman 4.1 would be needed for docker-compose 2.x. Debian 11 is getting podman 3.0.1. 4.2 is in experimental but I wouldn't want to enable the experimental repo for this.

