I am in the process of migrating my Nextcloud instance from one server to another. I copied the Borg archive to one mountpoint, /mnt/ncbackup, and intend to keep my data in /mnt/ncdata.

I couldn’t really find out what to mount the backup directory to, so I just fired it up as documented in the documentation, and I was able to retrieve my backups from the non-mounted directory.

So this reveals a fundamental flaw in my understanding of how Docker works - I had assumed the container only had access to whatever was explicitly mounted. But I guess I am wrong?

This is the command I run:

sudo docker run \
--init \
--sig-proxy=false \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 8080:8080 \
--env APACHE_PORT=11000 \
--env APACHE_IP_BINDING=0.0.0.0 \
--env APACHE_ADDITIONAL_NETWORK="" \
--env SKIP_DOMAIN_VALIDATION=false \
--env NEXTCLOUD_DATADIR="/mnt/ncdata" \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
ghcr.io/nextcloud-releases/all-in-one:latest
  • kaki@sh.itjust.works

    The Nextcloud AIO container itself doesn’t have access to the backup directory, but it has access to the docker socket (/var/run/docker.sock). Having access to the docker socket means it can perform any docker operation on the host system, in this case starting a separate backup container with the backup directory mounted.

    • cyberwolfie@lemmy.ml (OP)

      Ah, got it! That sounds like an unhealthy amount of trust to give to a container, but I understand the need to give that access to the mastercontainer.

  • Xanza@lemm.ee

    When giving docker access to a socket, the docker process will have access to any folder/file the running user has access to. That doesn’t mean that your containers do, generally, but they can. This is how the Kinsing docker virus is so prevalent.

  • jlsalvador@lemmy.ml

    You are giving access to the docker socket (/var/run/docker.sock), so this container can create/edit/remove any container from your system, even add, edit, remove volumes or host paths.

    I have no idea if you can send modification API commands to a ReadOnly socket. I think you could, in the same way that you can do something with just HTTP-GET. Example: curl --unix-socket /var/run/docker.sock http://localhost/images/json

    Doc: https://docs.docker.com/reference/api/engine/version/v1.41/#tag/Container/operation/ContainerInspect

    • cyberwolfie@lemmy.ml (OP)

      rsync from one server to the other.

      When actually loading in the backup from the Nextcloud AIO interface, I specified the path on my local system (not the container).
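
The `:ro` socket mount from the command at the top of the thread, as an added example that is not part of any post: a Python audit that reads `docker inspect` JSON and lists containers whose bind mounts expose the Docker socket, including mounts of a parent directory, and records that the read-only flag does not restrict API calls. The sample JSON is constructed, and the `hypothetical-*` container names are assumptions.

```python
import json

# Usual host locations of the Docker Engine socket (/var/run is normally a symlink to /run).
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

# Constructed sample in the shape of `docker inspect` output; not captured from a real host.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/nextcloud-aio-mastercontainer", "Mounts": [
        {"Type": "volume", "Name": "nextcloud_aio_mastercontainer",
         "Destination": "/mnt/docker-aio-config", "RW": True},
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "Mode": "ro", "RW": False}]},
    {"Name": "/hypothetical-monitor", "Mounts": [
        {"Type": "bind", "Source": "/run", "Destination": "/host/run", "Mode": "", "RW": True}]},
    {"Name": "/hypothetical-web", "Mounts": [
        {"Type": "bind", "Source": "/srv/www", "Destination": "/var/www", "Mode": "ro", "RW": False}]},
])

def exposes_socket(source):
    """True if a bind source is the socket itself or a directory that contains it."""
    if not source:
        return False
    prefix = source.rstrip("/") + "/"
    return any(sock == source or sock.startswith(prefix) for sock in SOCKET_PATHS)

def audit_socket_mounts(inspect_json):
    """List containers whose bind mounts make the Docker Engine API reachable."""
    findings = []
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts") or []:
            if mount.get("Type") != "bind" or not exposes_socket(mount.get("Source", "")):
                continue
            read_only = not mount.get("RW", True)
            findings.append({
                "container": container.get("Name", "").lstrip("/"),
                "source": mount["Source"],
                "read_only": read_only,
                # ":ro" protects the socket file, not the API behind it: the container
                # can still connect and ask the daemon to start containers with any mount.
                "note": "ro flag does not limit API calls" if read_only else "socket exposed",
            })
    return findings

if __name__ == "__main__":
    for finding in audit_socket_mounts(SAMPLE_INSPECT):
        print(finding)
```

On a real host the input would come from `docker inspect $(docker ps -q)` instead of the constructed sample.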