Alternative steps for switching to the docker version of Seafile

Continuing from above

  • Set file permissions.
    Now we will need the container to have access to the files in the “persistent-data” directory. The admin guide says to run “chmod -R a+rwx /seafile-data/persistent-data” to give everyone access to these files and directories. This means that every user on this server has full access to read, add and remove Seafile files. I don’t really like that idea, but if you’re running most of the code on this server as root, then file permissions aren’t going to do much to contain any problems anyway.

But since this guide is about running without root, it makes sense instead to change these files to be owned by the seafile user inside the container. For that we need to know the uid this user will show up as outside the container. We can work this out from the subuid number you got above. Under podman’s default rootless mapping, uid 0 inside the container is the podman user’s own uid on the host, and container uid 1 is the first subordinate uid from /etc/subuid, so container uid N shows up on the host as (subuid start + N - 1). Inside the container the seafile user’s id is 8000, so we add 8000 to the subuid from above and subtract 1.
165536 + 8000 - 1 = 173535 for my system. So we run:

chown -R 173535:173535 /seafile-data/persistent-data

And wait a few minutes for that to finish.
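Doing that arithmetic by hand is easy to get wrong, so here is an added helper (example code, not part of the original guide) that reads the start of the subuid range from /etc/subuid and applies podman’s default rootless mapping. It embeds a constructed two-line sample of /etc/subuid for a stand-alone run; the user name podman and the container uid 8000 are the ones used above, and the subuid start 165536 is the value from the author’s system.

```sh
#!/bin/sh
# Added example, not from the original guide: compute the host uid that a
# container uid shows up as under rootless podman's default user-namespace
# mapping. Container uid 0 is the podman user's own host uid; container uid 1
# is the first subordinate uid from /etc/subuid; so container uid N is
# start + N - 1. The same formula applies to gids via /etc/subgid; the chown
# at the end assumes both ranges start at the same number, as on the
# author's system.

# Print the start of the first subuid range for a user. The file defaults to
# /etc/subuid and has lines of the form "user:start:count".
subuid_start_for_user() {
    awk -F: -v u="$1" '$1 == u { print $2; exit }' "${2:-/etc/subuid}"
}

# Host uid for a container uid under the default rootless mapping.
host_uid_for_container_uid() {
    start=$1
    cuid=$2
    if [ "$cuid" -eq 0 ]; then
        echo "container uid 0 maps to the rootless user itself, not to a subuid" >&2
        return 1
    fi
    echo $((start + cuid - 1))
}

# Stand-alone demonstration on a constructed /etc/subuid (not a real file):
# the podman user's range starts at 165536 and the seafile user inside the
# container is uid 8000.
demo_mapping() {
    tmp=$(mktemp)
    printf 'alice:100000:65536\npodman:165536:65536\n' > "$tmp"
    start=$(subuid_start_for_user podman "$tmp")
    rm -f "$tmp"
    host_uid_for_container_uid "$start" 8000    # prints 173535
}

# Real use, as root, on the persistent data directory:
#   start=$(subuid_start_for_user podman)
#   uid=$(host_uid_for_container_uid "$start" 8000)
#   chown -R "$uid:$uid" /seafile-data/persistent-data
```

To confirm the number against the live mapping, run `podman unshare cat /proc/self/uid_map` as the podman user: each line gives a container uid, the host uid it starts at, and the length of the range. If the files are already owned by the podman user, `podman unshare chown -R 8000:8000 /seafile-data/persistent-data` does the same chown from inside the user namespace with no arithmetic at all; files owned by an unmapped host uid such as root cannot be chowned from inside the namespace and still need the root chown with the computed uid.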

  • Start the container for the first time.
    We need to log into the podman user as a full login session so systemd will work for us. Just su podman doesn’t do it for some reason (I would like to know why, so a note to myself to do some research).
machinectl shell podman@

Now we need to set up podman to be ready to run for this user.

systemctl --user enable podman.socket 
systemctl --user start podman.socket

The official guide says to use “docker compose up -d”. We will make two small changes here, and one larger one. First, because we are using podman to stand in for docker, the command is “docker-compose” instead of “docker compose”. Second, the -d tells it to run in the background, which means you don’t see much status. For this first run let’s run in the foreground to see what happens.

The larger change is that we need to tell docker-compose how to talk to podman, since we aren’t running podman as root and so the socket is not the system-wide docker one but the user’s own. Get the current user’s uid with the id command (the same number appears in $XDG_RUNTIME_DIR, which is /run/user/<uid> in a login session). In my case it was 1001, so put your number in for 1001 in this command:

docker-compose -H unix:///run/user/1001/podman/podman.sock up

It might take a few minutes the first time. You should see the startup log messages. You should either get an error, or something like this showing it worked:

seafile           | Done. 
seafile           | 
seafile           | Starting seahub at port 8000 ... 
seafile           | 
seafile           | Seahub is started 
seafile           | 
seafile           | Done. 
seafile           |

You can use ctrl-c to shutdown the containers once you know it is working.

  • Set the containers to start up with the system.
    Now we will create a systemd user service for the podman user. Create and edit the ~/.config/systemd/user/seafile-containers.service file and paste in this, replacing 1001 in the two -H options with your own uid from the id command (in a user unit, systemd’s %t specifier expands to the same /run/user/<uid> directory, so unix://%t/podman/podman.sock works without hard-coding the number):
[Unit]
Description=Seafile Podman containers via docker-compose
Wants=network-online.target
After=network-online.target
#RequiresMountsFor=/seafile-data
Requires=podman.socket mariadb.service memcached.service

[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Environment=PODMAN_USERNS=keep-id
Environment=COMPOSE_HTTP_TIMEOUT=300
Restart=always
TimeoutStartSec=60
TimeoutStopSec=60
ExecStart=/usr/bin/docker-compose -H unix:///run/user/1001/podman/podman.sock up
ExecStop=/usr/bin/docker-compose -H unix:///run/user/1001/podman/podman.sock down
Type=simple
WorkingDirectory=/seafile-data/docker

[Install]
WantedBy=default.target

Save and exit

Now we will enable and start that service:

systemctl --user daemon-reload 
systemctl --user enable seafile-containers 
systemctl --user start seafile-containers

And that should be it. When your server boots, it should start the seafile containers, with as little exposure to root privileges as possible. This relies on systemd starting the podman user’s own instance at boot, which needs lingering enabled for that user (loginctl enable-linger podman) if that was not done earlier; without it the user services only start once someone logs in as podman. Check with systemctl --user status seafile-containers after a reboot.

I haven’t yet tackled a few parts I want to get working eventually:

  • The container doesn’t log to my syslog server. I need to figure out how to make that work.
  • I need to update the monitoring system to alert if the firewall doesn’t block access to memcache or mariadb.
  • I also need the monitoring system to alert if any of the expected containers fails to start, or stops running.
  • I had some wrapper scripts to make seaf-fsck.sh and seaf-gc.sh really easy, but now those will need to be rewritten. I think it won’t be too hard, just the usual stuff around these commands: help, passing arguments, making sure we are running in screen or tmux, etc., around:
sudo -u podman DOCKER_HOST=unix:///run/user/1001/podman/podman.sock docker exec -it seafile su seafile -c "/opt/seafile/seafile-server-latest/seaf-fsck.sh -r"
sudo -u podman DOCKER_HOST=unix:///run/user/1001/podman/podman.sock docker exec -it seafile su seafile -c "/opt/seafile/seafile-server-latest/seaf-gc.sh --rm-fs -t 8"

That switches to the podman user, and there it runs “docker exec” to run a program inside the container. Inside the container it runs su to become the seafile user, and as that user runs seaf-fsck or seaf-gc.
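As an added example (not the author’s wrapper scripts, and not part of the original post), here is one way to write that wrapper in shell: it maps a short tool name to the script inside the container, quotes every argument so it survives the su -c shell, and refuses to start unless it is running under screen or tmux so a dropped SSH session does not kill a long fsck or gc half way. It assumes the podman user has uid 1001, the container is named seafile and the server lives under /opt/seafile/seafile-server-latest, exactly as in the two commands above; PODMAN_UID and CONTAINER can be overridden from the environment.

```sh
#!/bin/sh
# Added example, not the author's wrapper: run seaf-fsck.sh or seaf-gc.sh
# inside the rootless "seafile" container through the podman user's socket.
# Assumptions (adjust to taste): podman user uid 1001, container named
# seafile, Seafile installed under /opt/seafile/seafile-server-latest.

PODMAN_UID=${PODMAN_UID:-1001}
CONTAINER=${CONTAINER:-seafile}
SEAFILE_DIR=/opt/seafile/seafile-server-latest

usage() {
    echo "usage: $0 fsck|gc [arguments passed to the seaf-*.sh script]" >&2
    echo "  e.g. $0 fsck -r      or      $0 gc --rm-fs -t 8" >&2
}

# Map the short tool name to the script path inside the container.
script_for() {
    case $1 in
        fsck) echo "$SEAFILE_DIR/seaf-fsck.sh" ;;
        gc)   echo "$SEAFILE_DIR/seaf-gc.sh" ;;
        *)    return 1 ;;
    esac
}

# Build the command string that su -c will run as the seafile user. Every
# argument is single-quoted (embedded quotes become '\'') so spaces and shell
# metacharacters pass through the inner shell unchanged.
inner_command() {
    script=$(script_for "$1") || return 1
    shift
    cmd=$script
    for a in "$@"; do
        q=$(printf '%s' "$a" | sed "s/'/'\\\\''/g")
        cmd="$cmd '$q'"
    done
    printf '%s' "$cmd"
}

# True when running inside tmux ($TMUX) or screen ($STY).
in_multiplexer() {
    [ -n "${TMUX:-}" ] || [ -n "${STY:-}" ]
}

# Switch to the podman user, point docker at its rootless podman socket, and
# exec into the container as seafile, as in the two commands above.
run_tool() {
    inner=$(inner_command "$@") || { usage; return 2; }
    if ! in_multiplexer; then
        echo "refusing to run $1 outside screen or tmux" >&2
        return 3
    fi
    sudo -u podman DOCKER_HOST="unix:///run/user/$PODMAN_UID/podman/podman.sock" \
        docker exec -it "$CONTAINER" su seafile -c "$inner"
}

# Entry point, e.g. ./seaf-tool fsck -r
# run_tool "$@"
```

Uncomment the last line to use it as a script; it is left commented so the functions can be sourced and exercised on their own. Because the argument list is rebuilt into one quoted string, the inner shell started by su -c sees the same arguments the caller typed, which is the part that is easy to get wrong when nesting sudo, docker exec and su.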

And finally, I will end with a quick thanks to the seafile developers who helped me get unstuck several times in the testing while making this process, and who have made a really top-notch system that was worth all this effort to keep using.
