April 18

Unraid is a great way to start with docker containers. It's easy, as with some plugins Unraid can take care of backup and updates automatically. But some apps require the use of several services with dependencies, and Unraid alone is not sufficient to manage updates. You can manage that with the compose plugin and watchtower and some docker labels. When you have many services running it's not so efficient.

To enhance my experience I started to use portainer, but the way it manages compose files is a pain (at least for me). I recently discovered dockhand and arcane. They are both apps for managing containers, stacks and images, and you can define where you want your compose files to reside.

My preference is for dockhand for the gui, but it's a pain when you need to control stacks on another host through the hawser agent: for example you define a stack on the dockhand host and the compose file resides there until its deployment. Then it's created on the remote host, or the existing compose file on the remote host is updated. That makes it impossible to simply run a docker command on the remote host in a container that needs an init, for example. With arcane it's better handled, but imho dockhand has the best gui.

Both of these apps have vulnerability scanning of images, which is great, but wtf the number of vulns found in most of the images I run. I have to say that lsio images are those with the fewest vulns. I'm still in the process of understanding the way those vulns impact the security of my homelab, but for now it's quite scary as I publish many of the services I use for my family members.

So for now I'm in the process of trying to improve my security posture. Until now I've always used prebuilt images.

I'm curious to know if many of you build your own images and if so how you implemented it in your homelab. How do you build a new image for an app according to the result of a scan? What do you have to modify in a compose file to use own-built images instead of prebuilt? How do you manage dependencies? Can all these steps be automated? I hope to get some hints to move forward.
April 18

I use Unraid for my home and as a NAS. My homelab is separate. My homelab uses Unraid for NAS storage, but runs its own stack of containers. I expose a very limited slice of Unraid using tailscale now. I used vpn + reverse proxy previously.

Frankly, if you're to the point where you want to use Unraid in a way that they expressly warn not to do ("don't open Unraid to the internet") and you're worried about vulnerabilities, then you need to use Compose with containers that meet your standards. You can start rolling your own containers so you can lock them down. Getting it right and keeping the app you're trying to deploy working correctly isn't always straightforward or easy. I write some docker files on my own, that I keep in Github.

I've never tried to automate maintenance in Unraid (other than the plugins that are available). I use scripts and cron jobs on my homelab server that help to manage containers running there. I use dependabot on my github repo where I keep all my docker files. If I can find something like Snyk to also scan my repo for free, I will add that. I'm looking at adding a Claude review bot to my repo, which would also provide CVE checking.

Claude/ChatGPT/whatever can give you pretty solid guidance on how to write a docker file. If you don't use those tools often, then start with OpenAI Academy and one of their beginner tutorials. Learning the basics of how to use them is the difference between solid, basic guidance and hallucinations of unicorns doing it for you.

Something you need to accept & remember: you can't control vulnerabilities in the App you use, regardless of what container you use. If something in the *arr stack or immich or whatever has a vulnerability because they use a library or package that is vulnerable, you either quit using that app or you upgrade once they've addressed it.

The truth of using nuget/npm/pypi/gems (or any other public source of code) is that there is a chaotic mess of upstream entanglements for a lot of apps we use. You can't fix those issues. You can only choose how you respond to those issues.

Edited April 18 by whipdancer
April 18 (Author)

I don't expose Unraid itself of course. Unraid and other management interfaces are behind a vpn whenever I need access outside of my lan. I expose things like plex, jellyfin, nextcloud, immich, ... and for those, when compatible, I use authentik for managing user authentication. All those services are in a dmz behind a reverse proxy sitting on my opnsense router. If you decide to host those services for your family members they need to be exposed, because if not, what is the utility of a nextcloud instance accessible only inside your lan? Of course I still have work to do to enforce better security (for example some of my older containers may not use docker secrets). I also have to review my docker networks to ensure they are bound to only the interface I want.

42 minutes ago, whipdancer said:

> Something you need to accept & remember - you can't control vulnerabilities in the App you use, regardless of what container you use. If something in the *arr stack or immich or whatever has a vulnerability because they use a library or package that is vulnerable - you either quit using that app or you upgrade once they've addressed it. The truth of using nuget/npm/pypi/gems (or any other public source of code) is that there is a chaotic mess of upstream entanglements for a lot of apps we use. You can't fix those issues. You can only choose how you respond to those issues.

My post was more about that subject. Things you can't control despite doing things right when you set up an exposed service. Vulnerabilities can be introduced by the image and the way it's built. And if I understood correctly you can build an image locally (without modifying the dockerfile) and it will be more up to date than the one on the public registry.

From what I've read so far you would need to clone the repo of the app and replace the image in your compose file with build. That way, each time you execute compose up, the image is built locally with the most up to date base image and dependency packages. But I need to read more about the subject and also figure out which vulnerabilities are the most dangerous, because some require access to the host, others don't, ...
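The "replace `image` with `build`" change discussed in the post above, written out as a compose file. This is an added example and not part of the thread or of any poster's setup: the service name `myapp`, the registry path `ghcr.io/example/myapp`, the local directory `./myapp-src` and the port are placeholders. It assumes the app's repository ships its own Dockerfile, which is used unchanged; only the compose service definition differs between the two variants.

```yaml
# Added example: the same service declared two ways. All names and paths are
# constructed placeholders, not taken from the thread.
services:
  # 1. Prebuilt image from a public registry. You get the base image and OS
  #    packages that were current when the maintainer published the tag.
  myapp-prebuilt:
    image: ghcr.io/example/myapp:1.2.3   # placeholder image reference
    ports:
      - "8080:8080"

  # 2. Locally built image from a clone of the app's repository, using the
  #    upstream Dockerfile as-is. Only this service block changes.
  myapp-local:
    build:
      context: ./myapp-src               # git clone of the app, checked out at the same tag
      dockerfile: Dockerfile             # the project's own Dockerfile, unmodified
      pull: true                         # re-pull the FROM base image on every build
    image: local/myapp:1.2.3             # tag the result so scanners and other tools can reference it
    pull_policy: build                   # force a rebuild on every `docker compose up`
    ports:
      - "8080:8080"
```

Two caveats worth knowing before relying on this. `pull: true` only refreshes the base image; layers that run `apt-get install` or `apk add` are served from the build cache, so to actually pick up patched OS packages run `docker compose build --pull --no-cache myapp-local` (or a cron job doing the same) rather than trusting `compose up` alone. And a rebuild from an unmodified Dockerfile only helps with findings in the base image and OS packages; application dependencies pinned in the project's lockfile come out identical every time, which is the "upstream entanglements" class of finding that only an upstream release fixes. Scanning `local/myapp:1.2.3` after the rebuild and diffing it against the scan of the registry tag shows which class each finding falls into.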
April 18

34 minutes ago, caplam said:

> I expose things like plex, jellyfin, nextcloud, immich, ...

35 minutes ago, caplam said:

> And if I understood correctly you can build an image locally (without modifying the dockerfile) and it will be more up to date than the one on the public registry.

You can, but most of the things that are designed to be exposed already have their own tracking and are updated regularly. Some apps build new images nightly regardless.

35 minutes ago, caplam said:

> But I need to read more about the subject and also figure out which vulnerabilities are the most dangerous, because some require access to the host, others don't, ...

You'll quickly be spending your entire time tracking things if you go down that rabbit hole... I tend to check my Docker page once in a while and look at container creation dates. I'd only start worrying if something that is exposed is more than 3ish months old or so. If it's long unmaintained then I'll reevaluate whether I need it or not, or whether I should rebuild/maintain my own container, replace it with an entirely different app, ...

Often it'll be something like the tag or repo changed, or development has moved to a fork, which can't necessarily be automated even if you build yourself.

Edited April 18 by Kilrah