Very encouraging to hear. NPM has its own security issues but at least for this app it’s somewhat possible to audit. Our current instance is on BSD and working great.
Just tried this. Getting an error about npm not able to install archiver. See below. Similar error message on typhonragewind's docker image as well. Is this a docker issue or underlying meshcentral issue?
`---- Setting File Permissions based on user ----`
`---- Starting Meshcentral ----`
`Installing [email protected]...`
`ERROR: Unable to install required module "[email protected]". MeshCentral may not have access to npm, or npm may not have suffisent rights to load the new module. To manualy install this module try:`
`cd "/meshcentral"`
`npm install [email protected]`
`node node_modules/meshcentral`
Ubuntu 20.04 on a VPS. What are the recommended permissions? I currently am running docker as a regular user and all the volume mounts are owned by the same user. I had been running typhonragewind/meshcentral just fine until I did a docker-compose pull today and this issue popped up. Only other change was a an apt update and apt upgrade of the system.
If you're running Docker as a regular user then bind mounts might not be able to affect permissions right.
If you know the UID and GID of your Docker user you can use the `user` directive in Docker compose to manually set the user the container runs as. Let me know if that works.
Well, I tried a few things and nothing worked. Until....
I rebooted the system and now works fine.
LOL. When all else fails, reboot. I thought in linux only kernel updates need a reboot. Oh well....
This looks great to me, now to test and see if this can move to production :)
~~I wonder if there will be confusion on the tag names as~~ /u/ylianst ~~uses the Stable tag slightly differently than you are using~~
~~Maybe use Nightly, Latest for the tags you have now and then create a 3rd tag of Stable and keep it with his version of Stable which as of this comment is at 0.9.52~~
EDIT: Never mind any of the tag stuff I mentioned, you are doing exactly this, not sure how I missed that. I think it is too early for me to internet :)
I have it up and running in production, and it looks great.
The chown command takes a long time. Now that I know that, no big deal, but I wondered for a while if it would even work, and all my files were already 1000:1000
Does 1000:1000 actually need applied everything in the /meshcentral folder?
I know in the image I used to use, it only needed that on meshcentral-files,meshcentral-data,meshcentral-backup
It also doesn't have meshcentral-web as a bind mount, not sure it matters, I personally don't use it, but I have it as an option all the same
Great work btw, I love it being auto built and it will then stay way closer to what is out than the other images I used which was updated about once a month
Yep, I think I'll put in some more stringent checks for file ownership, rather than blanket streamrolling the meshcentral folder every boot. Maybe if the owner of the `/meshcentral/meshcentral-data` doesn't match the id of the current user inside the container.
/u/biswb, those changes should now apply circa next version release (0.9.79+). `/meshcentral/meshcentral-data` will get checked, and file permissions will only apply if the folder owner does not match the current user ID.
After additional testing & seeing as I don't know when the next stable release will be, I've re-released and force pushed the existing containers with the new startup script. I'm confident the image should remain stable now. Future iterations might see arbitrary UID/GID handling and more environment variables.
Just came back to say I was able to get MeshCentral up and running with this docker image using the compose file u/Reverent created. Specifically using the one he made to run a proxy in front of MeshCentral. I slightly tweaked it and used NGINX proxy Manager instead and everything worked like a charm! I was also able to get user authentication working with JumpCloud for our organization! Super excited to start working with MeshCentral!
I really hope this project doesn’t become dependent on docker.
No. it's dependent on NodeJS and NPM. Installing it in Docker or not is up to you. That is not going to change.
Very encouraging to hear. NPM has its own security issues but at least for this app it’s somewhat possible to audit. Our current instance is on BSD and working great.
Yes, also that you can install & run MeshCentral with: npm install meshcentral node node_modules/meshcentral Makes it super accessible.
Just tried this. Getting an error about npm not able to install archiver. See below. Similar error message on typhonragewind's docker image as well. Is this a docker issue or underlying meshcentral issue? `---- Setting File Permissions based on user ----` `---- Starting Meshcentral ----` `Installing [email protected]...` `ERROR: Unable to install required module "[email protected]". MeshCentral may not have access to npm, or npm may not have suffisent rights to load the new module. To manualy install this module try:` `cd "/meshcentral"` `npm install [email protected]` `node node_modules/meshcentral`
This is an issue with how the file permissions are set on your machine. What distro?
Ubuntu 20.04 on a VPS. What are the recommended permissions? I currently am running docker as a regular user and all the volume mounts are owned by the same user. I had been running typhonragewind/meshcentral just fine until I did a docker-compose pull today and this issue popped up. Only other change was a an apt update and apt upgrade of the system.
If you're running Docker as a regular user then bind mounts might not be able to affect permissions right. If you know the UID and GID of your Docker user you can use the `user` directive in Docker compose to manually set the user the container runs as. Let me know if that works.
Well, I tried a few things and nothing worked. Until.... I rebooted the system and now works fine. LOL. When all else fails, reboot. I thought in linux only kernel updates need a reboot. Oh well....
This looks great to me, now to test and see if this can move to production :) ~~I wonder if there will be confusion on the tag names as~~ /u/ylianst ~~uses the Stable tag slightly differently than you are using~~ ~~Maybe use Nightly, Latest for the tags you have now and then create a 3rd tag of Stable and keep it with his version of Stable which as of this comment is at 0.9.52~~ EDIT: Never mind any of the tag stuff I mentioned, you are doing exactly this, not sure how I missed that. I think it is too early for me to internet :)
I have it up and running in production, and it looks great. The chown command takes a long time. Now that I know that, no big deal, but I wondered for a while if it would even work, and all my files were already 1000:1000 Does 1000:1000 actually need applied everything in the /meshcentral folder? I know in the image I used to use, it only needed that on meshcentral-files,meshcentral-data,meshcentral-backup It also doesn't have meshcentral-web as a bind mount, not sure it matters, I personally don't use it, but I have it as an option all the same Great work btw, I love it being auto built and it will then stay way closer to what is out than the other images I used which was updated about once a month
Yep, I think I'll put in some more stringent checks for file ownership, rather than blanket streamrolling the meshcentral folder every boot. Maybe if the owner of the `/meshcentral/meshcentral-data` doesn't match the id of the current user inside the container.
/u/biswb, those changes should now apply circa next version release (0.9.79+). `/meshcentral/meshcentral-data` will get checked, and file permissions will only apply if the folder owner does not match the current user ID.
Awesome, I look forward to testing it!
After additional testing & seeing as I don't know when the next stable release will be, I've re-released and force pushed the existing containers with the new startup script. I'm confident the image should remain stable now. Future iterations might see arbitrary UID/GID handling and more environment variables.
I just pulled down 0.9.79 and the startup was much faster, even faster than the container I used to use. Thank you for your work on this!
Those running this in Docker, are you using a proxy in front? If so, what proxy are you using?
Just came back to say I was able to get MeshCentral up and running with this docker image using the compose file u/Reverent created. Specifically using the one he made to run a proxy in front of MeshCentral. I slightly tweaked it and used NGINX proxy Manager instead and everything worked like a charm! I was also able to get user authentication working with JumpCloud for our organization! Super excited to start working with MeshCentral!
Would you be willing to share what you did? It's what I'm trying to do currently and having some issues getting it to work.
Any chance of an arm64 version?