this is now moved entirely to cloudron-support --enable-remote-access.
this emphasizes more that users have to get ssh access to the server before
we can do anything about it. it's far too simple for people to click this
button.
we have now also added clear terms to understand what remote access entails.
(what happens if support personnel makes a mistake. who is liable? etc)
SpamHaus rejects queries from ipv6.
unbound does not work on ipv6 only servers without do-ip6: true
prefer-ip4 only works on ubuntu 24
this leads to a situation where we cannot support ipv6 only servers with
older ubuntu
this has many advantages:
* easy to deliver the updateInfo via the apps object
* after updating, the task can clear it
* when apps are deleted, the info is automatically gone
otherwise, it's a mess of deps between apps/updater/apptask/rest routes
box update info is still in a file
https://forum.cloudron.io/topic/13408/update-to-cloudron-8.3-error
We get a Task xx crashed with code null in the notification.
The crux of the issue is that we use KillMode=control-group. This ends
up sending SIGTERM signal to box code and all the sudo in parallel. The box
code then sees the sudo die and records the task as failed.
To fix, we switch to KillMode=mixed. This gives box code a chance to handle SIGTERM
first. It cleans out its task list and kills all the sudo.
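
The race described above, modelled with plain processes. This is an added illustration, not code from the Cloudron repository: a constructed supervisor stands in for the box code and a sleeping child stands in for a sudo'd task. `stop_unit` and the recorded states `crashed`/`stopped` are hypothetical names, and the signal ordering only models what systemd does for each KillMode.

```python
import os
import signal
import subprocess
import sys
import time

# Constructed stand-in for the box code: it runs one worker (standing in for a
# sudo'd task) and reports how that task ended.
SUPERVISOR = r'''
import signal, subprocess, sys
stopping = []
worker = subprocess.Popen([sys.executable, "-c", "import time; time.sleep(60)"])

def on_sigterm(signum, frame):
    stopping.append(True)   # clean out the task list first...
    worker.terminate()      # ...then stop the worker ourselves

signal.signal(signal.SIGTERM, on_sigterm)
print(worker.pid, flush=True)          # handler is installed from here on
worker.wait()
print("stopped" if stopping else "crashed", flush=True)
'''

def stop_unit(kill_mode):
    """Model stopping the unit under the given KillMode; return the recorded task state."""
    sup = subprocess.Popen([sys.executable, "-c", SUPERVISOR],
                           stdout=subprocess.PIPE, text=True)
    worker_pid = int(sup.stdout.readline())
    if kill_mode == "control-group":
        # SIGTERM goes to every process in the unit with no ordering guarantee.
        # Modelled here as the worker being signalled before the supervisor.
        os.kill(worker_pid, signal.SIGTERM)
        time.sleep(0.5)
        sup.send_signal(signal.SIGTERM)
    elif kill_mode == "mixed":
        # SIGTERM goes to the main process only; leftovers get SIGKILL later.
        sup.send_signal(signal.SIGTERM)
    else:
        raise ValueError(kill_mode)
    state = sup.stdout.readline().strip()
    sup.wait(timeout=10)
    return state

if __name__ == "__main__":
    for mode in ("control-group", "mixed"):
        print(mode, "->", stop_unit(mode))
```
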
the idea (previously) was that the box code knew how to stop itself.
this is why stop.sh of the _old_ code was invoked. we can just inline
the code needed to stop the old version into installer.sh itself.
coturn will send 401 when receiving UDP packets with forged source IP.
this can cause a flood of 401s at the victim. the primary concern appears
to be that these packets are quite large compared to handshake packets
below.
TCP is also affected but effects are minimal because they will get
discarded at the connection handshake level.
UDP/TLS (DTLS) has a handshake mechanism similar to TCP and effects are
minimal.
https://forum.cloudron.io/topic/13855/reflection-attack-via-stun-turn
https://github.com/coturn/coturn/pull/1588
collectd (with the python plugin) seems semi-abandoned. replace
with our own. we have more control over how to collect things instead
of relying on random plugins.
Port 546 is reserved for the client-side of the Neighbor Discovery Protocol (NDP).
This is used for communication between IPv6 nodes (such as a device and its router)
to discover and configure network information (such as IP address).
Router Advertisement (RA) messages sent by routers use port 547 (router-side), and
devices use port 546 to receive these messages.
See https://forum.cloudron.io/topic/13566/infomaniak-ipv6-issues/61
it seems unbound-anchor is not a dep of unbound in ubuntu 24. some
installations are thus missing this package.
in any case, ignore unbound-anchor exit status
this changes unbound to listen to 127.0.0.150 (150 is roman CL)
we cannot only bind on docker bridge because unbound is relied
upon for the initial domain setup. docker itself is only initialized
when the platform initializes