this post was submitted on 01 May 2025

Self Hosted - Self-hosting your services.

16397 readers
6 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules

Important

Cross-posting

If you see a rule-breaker please DM the mods!

founded 4 years ago
MODERATORS
 

I am in the process of migrating my Nextcloud instance from one server to another. I copied the Borg archive to one mountpoint, /mnt/ncbackup, and intend to keep my data in /mnt/ncdata.

I couldn't really find out what to mount the backup directory to, so I just fired it up as documented in the documentation, and I was able to retrieve my backups from the non-mounted directory.

So this reveals a fundamental flaw in my understanding of how Docker works - I had assumed the container only had access to whatever was explicitly mounted. But I guess I am wrong?

This is the command I run:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest
[–] kaki@sh.itjust.works 13 points 5 months ago (1 children)

The Nextcloud AIO container itself doesn't have access to the backup directory, but it has access to the docker socket (/var/run/docker.sock). Having access to the docker socket means it can perform any docker operation on the host system, in this case starting a separate backup container with the backup directory mounted.
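An added example (not from this thread or the Nextcloud project) of the check a host admin would want after reading the reply above: it walks `docker inspect` output and flags every container that bind-mounts the daemon socket, treating the `:ro` flag as irrelevant because a read-only bind mount of a Unix socket still allows full API calls over it. The JSON below is a constructed sample trimmed to the fields used, modelled on the run command in the post.

```python
import json

# Constructed sample of `docker inspect` output, trimmed to the fields used:
# the AIO master container from the post (socket mounted :ro) and one
# ordinary container without the socket for comparison.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/nextcloud-aio-mastercontainer",
        "Mounts": [
            {"Type": "volume", "Source": "nextcloud_aio_mastercontainer",
             "Destination": "/mnt/docker-aio-config", "RW": True},
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": False},
        ],
    },
    {
        "Name": "/some-web-app",
        "Mounts": [
            {"Type": "bind", "Source": "/srv/app/data",
             "Destination": "/data", "RW": True},
        ],
    },
])

SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}


def socket_exposures(inspect_json: str) -> list[dict]:
    """Return one finding per container that bind-mounts the Docker socket.
    A container that can talk to the daemon socket can run any Docker
    operation on the host, including starting a new container with
    arbitrary host paths mounted. The `:ro` flag (RW: false) only makes the
    socket's filesystem entry read-only; it does not restrict API calls
    over the socket, so such mounts are flagged regardless of RW.
    """
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("Source") in SOCKET_PATHS:
                findings.append({
                    "container": container["Name"].lstrip("/"),
                    "read_only_flag": not mount.get("RW", True),
                    "risk": "full control of the Docker host via the daemon API",
                })
    return findings


if __name__ == "__main__":
    for f in socket_exposures(SAMPLE_INSPECT):
        print(f"{f['container']}: docker socket mounted (ro={f['read_only_flag']}) -> {f['risk']}")
```

Against a live host, feed it the output of `docker inspect $(docker ps -q)` instead of the sample.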

[–] cyberwolfie@lemmy.ml 5 points 5 months ago

Ah, got it! That sounds like an unhealthy amount of trust to give to a container, but I understand the need to give that access to the mastercontainer.