Security question about Nextcloud AIO

I would like to set up Nextcloud behind a reverse proxy and therefore I fiddled around with Nextcloud AIO as it is announced as the future way to go. At first, I assumed that all necessary services (web server, database, …) get executed within the same container. After understanding that AIO spawns containers via the Docker socket, I am shocked a bit. Please correct me if I am wrong but does this mean that AIO has full control over the Docker daemon? In most environments this would mean that AIO also has indirect root access to the system as most environments do not make use of rootless mode.

In my current understanding, Nextcloud also promotes AIO as the future way to go. This means that I should not set up the old-fashioned Nextcloud anymore if I want to have a future-proof solution, right?

Please tell me that I am wrong.

(already tried to google that topic but did not find anything)

Hi, feel free to read through the whole discussion in Why is it mounting the docker socket / spawning auxiliary containers? · nextcloud/all-in-one · Discussion #500 · GitHub

Thanks for the response. Unfortunately, this confirms my concerns.

Is there a statement about the “way to go” from Nextcloud? Will only AIO be supported in the near future or will the “old-fashioned way” (multiple containers deployed manually) further be supported?

Not sure if you saw this? all-in-one/manual-install at main · nextcloud/all-in-one · GitHub

I took a look into this but it seems to be very time-consuming to keep a Nextcloud instance maintained (especially because no automated update procedure is supported). With the old way of deploying a Nextcloud container together with a database container, it is pretty easy to update version by version.

So, same question: Will the old way of deploying Nextcloud with Docker still be supported or will only AIO be supported in the future? I am interested in the mid- to long-term planning.

If this implies that AIO does not update itself automatically, that is wrong. It does.

1 Like

I think there is no reason for end Nextcloud Docker or Nextcloud AIO. Maybe read this thread.

Nextcloud itself is AGPL software. If enough developers can be found, it will be developed where developers enjoy it. Nextcloud is also a LAMP software that is easy to implement both with and without Docker.

3 Likes

No, I am referring to the manual setup of AIO, not the fully-automated setup AIO.

I continue to use GitHub - nextcloud/docker: ⛴ Docker image of Nextcloud and it’s maintained by the community. It works fine and I see no (sorry for the previous typo) signs of it going away. Worst case I’d need to fork to buy some time. If you need absolute certainty about support timelines, I think you’re looking for enterprise support. :slight_smile:

1 Like