❯ ps aux | grep hydrus ghost_u+ 38817 0.0 0.0 3748 2204 ? S 21:45 0:00 /usr/bin/bwrap --args 40 -- hydrus_client ghost_u+ 38832 0.0 0.0 3852 1356 ? S 21:45 0:00 /usr/bin/bwrap --args 40 -- hydrus_client ghost_u+ 38833 4.2 3.5 4824044 261588 ? Sl 21:45 0:09 python3 /app/bin/hydrus_client ghost_u+ 39613 0.0 0.0 231268 2420 pts/0 S+ 21:48 0:00 grep --color=auto hydrus

❯ docker stats monbooru --no-stream CONTAINER ID NAME CPU % MEM USAGE / LIMIT MEM % NET I/O BLOCK I/O PIDS 0a46831f9470 monbooru 0.00% 19MiB / 7.047GiB 0.26% 13.6MB / 54.3MB 14.4GB / 5.51GB 20

you are viewing a single comment's thread
view the rest of the comments

[–] vort3@lemmy.ml 2 points 1 week ago (2 children)

So, how do I use iptables to open ports for docker apps? Usually I install a thing that requires for example port 8080, and I open the port 8080. Does docker respect iptables?

[–] gary_host_laptop@lemmy.ml 3 points 1 week ago* (last edited 1 week ago) (1 children)

this is my compose file for monbooru, ive added some comments to show you what each thing does, if you want to change the port simply change the the first 8080. all of these value:value mean that the first value is your machine, and the second one inside the container. that's it, create a folder named monbooru, create a file named docker-compose.yml, add the thing i gave you below and save it. with your terminal cd into the directory where the compose file lives and do docker compose up -d and it will download the image and it'll be runnin. believe me, i used to prefer to not use docker because i thought, ohh i have to learn to use docker, but honestly i wish i knew it was this simple long before so i wouldnt have done so many installs of some apps where i'll lose my data

services:
  monbooru:
    container_name: monbooru
    image: ghcr.io/leqwin/monbooru:latest
    ports:
      - "127.0.0.1:8080:8080"
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
      - label:disable
    cap_drop:
      - ALL
    volumes:
      - /PATH/TO/YOUR/GALLERY:/gallery
      - ./config:/config #this one
      - ./data:/data #and this one make the app data live next to the compose file, so that you can move the folder and the data stays there
      - ./models:/models #use this if you add autotaggers, otherwise delete it, i'd try it without them first
    environment:
      - MONBOORU_SERVER_BIND_ADDRESS=0.0.0.0:8080
    healthcheck:
      test: ["CMD-SHELL", "curl --fail --silent --max-time 5 http://localhost:8080/health || exit 1"]
      interval: 30s
      retries: 3
      start_period: 10s
      timeout: 5s
    restart: unless-stopped

[–] vort3@lemmy.ml 1 points 1 week ago (1 children)

Can you set up docker in a way that it does not mess with my firewall?

[–] gary_host_laptop@lemmy.ml 2 points 1 week ago

it will not mess with your firewall at all, you just select the port, that's it, most apps come with a predefined port but you can change it. ive had 0 issues with ports or firewalls. if you try this and need some help let me know.

[–] Ghoelian@piefed.social 1 points 1 week ago (1 children)

Docker automatically opens ports your containers need through iptables. Because of this, it bypasses rules set by ufw, which is great.

Podman does not do this afaik, and since it only runs rootless it's a lot less risky as well.

[–] vort3@lemmy.ml 1 points 1 week ago (1 children)

You see, this is an issue for me because I don't want my ports "automagically" being open, I want to know exactly which ports are in use and by which apps, I don't want package manager to manage my ports. I know this sounds "old school" but I prefer to control my ports manually and I don't want my iptables rules be a mess I can't understand.

Maybe that's more of a "me" issue than a docker issue, but anyway, I prefer to not use such software.

[–] Ghoelian@piefed.social 1 points 1 week ago

No I totally understand. This is why I use podman personally. You can use the same images as you would with docker, even its compose is pretty much exactly the same I think.