jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
15,779 Commits 33 Branches 583 Tags
aecc16af5d8d9bab4d118657d10934b04ac3a738
Commit Graph

684 Commits

Author SHA1 Message Date
Girish Ramakrishnan
ca83deb761 Docker IPv6 support 
Docker's initial IPv6 support is based on allocating public IPv6 to containers.
This approach has many issues:
* The server may not get a block of IPv6 assigned to it
* It's complicated to allocate a block of IPv6 to cloudron server on home setups
* It's unclear how dynamic IPv6 is. If it's dynamic, then should containers be recreated?
* DNS setup is complicated
* Not a issue for Cloudron itself, but with -P, it just exposed the full container into the world

Given these issues, IPv6 NAT is being considered. Even though NAT is not a security mechanism as such,
it does offer benefits that we care about:
* We can allocate some private IPv6 to containers
* Have docker NAT66 the exposed ports
* Works similar to IPv4

Currently, the IPv6 ports are always mapped and exposed. The "Enable IPv6" config option is only whether
to automate AAAA records or not. This way, user can enable it and 'sync' dns and we don't need to
re-create containers etc. There is no inherent benefit is not exposing IPv6 at all everywhere unless we find
it unstable.

Fixes #264
 2022-02-09 23:54:53 -08:00
Girish Ramakrishnan
c5f9c80f89 move comment to unbound.conf 2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
852eebac4d move cloudron network creation to platform code 
this gives us more control on re-creating the network with different
arguments/options when needed.
 2022-02-09 23:15:37 -08:00
Girish Ramakrishnan
566def2b64 Disable IPv6 temporary address 2022-02-09 12:17:42 -08:00
Girish Ramakrishnan
5517d09e45 cloudron-setup: fix curl output capture 
not sure why the old method does not work. also move the cache file
 2022-01-26 10:22:17 -08:00
Johannes Zellner
8f8a59bd87 Unbound does no longer depend on docker 2022-01-26 16:33:19 +01:00
Johannes Zellner
8e15f27080 Make unbound listen also on future devices 
The local network for docker containers might not be up yet
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html#term-ip-freebind-yes-or-no
 2022-01-26 16:32:48 +01:00
Girish Ramakrishnan
531a6fe0dc Use ipv4.api.cloudron.io endpoint for IPv4 detection 2022-01-04 22:14:53 -08:00
Johannes Zellner
d69758e559 Only set ldap allowlist if file exists and is not empty 2021-12-15 19:23:22 +01:00
Girish Ramakrishnan
6492c9b71f nginx: remove combined2 custom log format 
collectd does not use this anymore (eb47476c83)

This makes nginx work better with a variety of tools like Wazuh and ossec

https://forum.cloudron.io/topic/6077/nginx-logs-format/
https://forum.cloudron.io/topic/6161/implement-default-nginx-logging
 2021-12-13 10:47:12 -08:00
Johannes Zellner
1c7eeb6ac6 Handle exposed ldap allowlist 2021-12-10 17:04:30 +01:00
Johannes Zellner
63fe75ecd2 Reduce noisy externalldap debug()s 2021-11-26 09:55:59 +01:00
Girish Ramakrishnan
e5301fead5 exclude externalldap debugs by default 2021-11-25 14:49:59 -08:00
Johannes Zellner
3a8aaf72ba Expose LDAP via iptables 2021-11-23 12:37:03 +01:00
Johannes Zellner
735737b513 Initial attempt to expose the ldap server 2021-11-22 21:29:23 +01:00
Girish Ramakrishnan
fdefc780b4 docker: hardcode the bridge gateway IP 
on some environments like ESXi, the gateway gets the dynamic IP 172.18.0.2.
we have hardcoded 172.18.0.1 in many places in the code

https://forum.cloudron.io/topic/5987/install-cloudron-7-0-3-on-ubuntu-20-04-3-esxi
 2021-11-12 09:04:03 -08:00
Girish Ramakrishnan
e4cc431d35 Do not nuke all the logrotate configs on update 
this was added many releases ago to migrate to new logrotate configs.
looks like I forgot to remove this.

https://forum.cloudron.io/topic/4381/safe-to-truncate-home-yellowtent-platformdata-logs-when-large-disk-consumer
 2021-11-04 09:41:33 -07:00
Johannes Zellner
c81f40dd8c Ensure mail data dir is still created 2021-10-15 15:02:54 +02:00
Girish Ramakrishnan
405eae4495 Fix installation detection 2021-10-12 10:26:58 -07:00
Girish Ramakrishnan
004a264993 mail: dkim key update 2021-10-11 22:56:34 -07:00
Girish Ramakrishnan
dc8ec9dcd8 mail: move dkim keys into the database 2021-10-11 20:30:42 -07:00
Johannes Zellner
9eed3af8b6 add volume remount 2021-10-11 16:22:56 +02:00
Girish Ramakrishnan
f17e3b3a62 mail: export pop3 port 2021-10-07 22:06:26 -07:00
Girish Ramakrishnan
73315a42fe setup: fix journalctl configuration 
/var/log/journal/*/system.journal does not exist on some systems

https://forum.cloudron.io/topic/4068/installation-failed-on-20-04-server
https://forum.cloudron.io/topic/5731/time4vps-installation-error
 2021-09-28 19:21:16 -07:00
Girish Ramakrishnan
ad3dbe8daa mail: keep mail backups separately from box backups 
part of #717
 2021-09-26 21:47:24 -07:00
Girish Ramakrishnan
9584990d7a remove old migration code 2021-09-26 18:10:39 -07:00
Girish Ramakrishnan
77989893df remove boxdata/well-known directory 
this has already moved into the domains table
 2021-06-17 11:37:03 -07:00
Girish Ramakrishnan
593038907c unbound: on ubuntu 16, sd_notify is not working 
not clear, when unbound added support for this.

on ubuntu 16, unbound is 1.5.8.
on ubuntu 20, unbound is 1.9.4
 2021-06-04 09:41:54 -07:00
Girish Ramakrishnan
2421536c23 add indexes for ORDER BY fields used in code 
we hit ER_OUT_OF_SORTMEMORY with large tables
 2021-05-17 07:06:11 -07:00
Girish Ramakrishnan
a56766ab0e ensure nss-lookup.target is hit after unbound starts 
https://github.com/NLnetLabs/unbound/issues/296

this fixes volume hostname resolution on reboot
 2021-05-14 12:07:05 -07:00
Girish Ramakrishnan
50407eba0b volumes: generate systemd mount files based on mount type 2021-05-12 23:57:12 -07:00
Girish Ramakrishnan
84af9580a6 migrate certs into the blobs database 
use platformdata/nginx/cert to store the certs
 2021-05-07 21:26:49 -07:00
Girish Ramakrishnan
182918b13d add note 2021-05-07 20:20:15 -07:00
Girish Ramakrishnan
963e92b517 store fallback certs in the database 2021-05-04 22:30:28 -07:00
Girish Ramakrishnan
7de454911e migrate firewall configuration into database 
the ports.json is for the moment server specific
 2021-05-04 15:55:54 -07:00
Girish Ramakrishnan
dcea55cd81 chown the sftp directory 2021-05-04 00:27:45 -07:00
Girish Ramakrishnan
c17743d869 migrate secrets into the database 
the infra version is bumped because the nginx's dhparams path has changed
and the sftp server key path has changed.
 2021-05-03 22:11:18 -07:00
Girish Ramakrishnan
6a32291609 Move updatechecker.json into platform data 2021-04-29 14:01:24 -07:00
Girish Ramakrishnan
b8ea9de439 move profile icons into the database 2021-04-29 13:57:24 -07:00
Girish Ramakrishnan
7b8fd3596e well known is now stored in the database 2021-04-29 12:17:44 -07:00
Girish Ramakrishnan
00856b79dd firewall: Set BOX_ENV 2021-04-14 23:01:08 -07:00
Girish Ramakrishnan
131711ef5c mysql: bump connection limit to 200 2021-04-09 10:55:31 -07:00
Girish Ramakrishnan
84dfd4aa84 firewall: no need to keep 25 always open 2021-03-30 15:56:01 -07:00
Girish Ramakrishnan
c1ee3dcbd4 collectd: cache du values and send it every Interval (20) 
collectd plugin ordering matters. the write_graphite plugin establishes
a TCP connection but there is a race between that and the df/du values that
get reported. du is especially problematic since we report this only every 12 hours.

so, instead we cache the values and report it every 20 seconds. on the carbon side,
it will just retain every 12 hours (since that is the whisper retention period).

there is also FlushInterval which I am not 100% sure has any effect. by default, the
write_graphite plugin waits for 1428 bytes to be accumulated. (https://manpages.debian.org/unstable/collectd-core/collectd.conf.5.en.html)

https://github.com/collectd/collectd/issues/2672
https://github.com/collectd/collectd/pull/1044

I found this syntax hidden deep inside https://www.cisco.com/c/en/us/td/docs/net_mgmt/virtual_topology_system/2_6_3/user_guide/Cisco_VTS_2_6_3_User_Guide/Cisco_VTS_2_6_1_User_Guide_chapter_01111.pdf
 2021-03-26 00:21:38 -07:00
Girish Ramakrishnan
c1b61bc56b add note 2021-03-24 20:30:02 -07:00
Girish Ramakrishnan
0447dce0d6 graphite: restart collectd as well 2021-03-23 16:34:36 -07:00
Girish Ramakrishnan
32f385741a graphite: implement upgrade 
for the moment, we wipe out the old data and start afresh. this is because
the graphite web app keeps changing quite drastically.
 2021-03-23 16:34:32 -07:00
Girish Ramakrishnan
8048e68eb6 graphite: disable tagdb 2021-03-18 18:03:45 -07:00
Girish Ramakrishnan
f7bd47888a Fix issue where df output is not parsed correctly 
LANG is the default locale i.e when LC_* are not specificall
LC_ALL will override them all

https://forum.cloudron.io/topic/4681/going-to-system-info-triggers-assertion-error
 2021-03-17 11:14:07 -07:00
Girish Ramakrishnan
4d4aad084c remove hard dep on systemd-resolved 
the start.sh script does a "systemctl restart systemd-resolved". this
ends up restarting the box code prematurely! and then later when mysql
restarts, the box code loses connection and bad things happen (tm)
especially during a platform update.

we don't log to journald anymore, so not sure if EPIPE is still an issue
 2021-03-04 21:07:52 -08:00