Mayan on Synology with macvlan driver and static IP

redfindiver
Posts: 1
Joined: Sat Dec 07, 2019 3:34 pm

Mayan on Synology with macvlan driver and static IP

Post by redfindiver »

Hello,
First of all: I'm new to Docker, so maybe I'm missing something very basic.

What I want to achieve:
- Running Mayan on a Synology NAS with Docker -> works
- Mayan container reachable on a static IP on my LAN (192.168.178.101 in my example) -> works fine with docker macvlan network
- Router configured so that "http://documents" resolves to 192.168.178.101 -> works

BUT:
Mayan is only reachable on port 8000; I want it working on port 80, i.e. http://documents, NOT http://documents:8000.
All my efforts to get it working under the above conditions on port 80 have failed.
What am I missing? Could anyone give me some advice? After hours of searching the internet I'm stuck...

Here are my docker run commands which created the containers:

Code:

docker run -d \
 --name postgres \
 --network=myvlan \
 --ip="192.168.178.102" \
 -p 5432:5432 \
 -e POSTGRES_USER=mayan \
 -e POSTGRES_DB=mayan \
 -e POSTGRES_PASSWORD=MlMs2011uGs2000 \
 -v /volume1/docker/mayan/postgres:/var/lib/postgresql/data \
 postgres:9.6-alpine

docker run -d \
 --name=redis \
 --network=myvlan \
 --ip="192.168.178.103" \
 -p 6379:6379 \
 redis:5.0-alpine \
 redis-server \
 --databases "2" \
 --maxmemory-policy \
 allkeys-lru \
 --save ""

docker run -d \
 --name mayan \
 --network=myvlan \
 --ip="192.168.178.101" \
 -p 80:8000 \
 -e MAYAN_DATABASES="{'default':{'ENGINE':'django.db.backends.postgresql','NAME':'mayan','PASSWORD':'MlMs2011uGs2000','USER':'mayan','HOST':'192.168.178.102'}}" \
 -e MAYAN_CELERY_BROKER_URL="redis://192.168.178.103/0" \
 -e MAYAN_CELERY_RESULT_BACKEND="redis://192.168.178.103:6379/1" \
 -v /volume1/docker/mayan/media:/var/lib/mayan \
 -v /volume1/scan:/var/lib/mayan/scan \
 mayanedms/mayanedms:3.3.3
Thanks in advance!
Markus

rssfed23
Moderator
Posts: 213
Joined: Mon Oct 14, 2019 1:18 pm
Location: United Kingdom

Re: Mayan on Synology with macvlan driver and static IP

Post by rssfed23 »

Not sure if you got this sorted in the end but for others out there:
You're not missing anything - Macvlan is working how it's designed to in this case.
When you run in macvlan mode the -p option doesn't work in the same way as each container is given its own IP on your network and acts as if it's physically part of the network (like a physical server or bridged virtual machine would). It's usually used if you need something like broadcast responses (DHCP) or need different containers to be in different VLANS at the L2 layer.

With macvlan, as each container has its own IP as opposed to being part of Docker's "internal" network, there's no NAT happening and no port forwarding. If you do -p 80:8000, Docker ignores the first part and just exposes the second.

On docker-compose this looks like:
ports:
- 8000/tcp

As a result, rather than changing docker port forwarding options you need to change the port that mayan itself listens on. I've not had much exposure to the docker version but from what I can tell port 8000 is actually hardcoded inside the frontend startup script (https://gitlab.com/mayan-edms/mayan-edm ... rontend.sh).
What you could do is build your own mayan container changing that file to 80.

**!!HOWEVER!!**
To use ports < 1024 you need superuser privileges. This means passing --privileged when running the container.
Furthermore, within the container you would have to run mayan as root as docker can't bind to 80 if the user isn't root
You would also need to change the gunicorn startup line to have "authbind" mentioned (so it would look like su root -c "authbind ${MAYAN_PYTHON_BIN_DIR}gunicorn -w ${MAYAN_GUNICORN_WORKERS} mayan.wsgi --max-requests ${MAYAN_GUNICORN_MAX_REQUESTS} --max-requests-jitter ${MAYAN_GUNICORN_MAX_REQUESTS_JITTERS} --worker-class ${MAYAN_GUNICORN_WORKER_CLASS} --bind 0.0.0.0:8000 --timeout ${MAYAN_GUNICORN_TIMEOUT}").

Doing that change is a really bad idea though. Mayan runs as its own non-root user within the container (which itself has isolation provided by docker) for security reasons. If you run the container in privileged mode AND change the user to a superuser so you can use port 80 this introduces some significant security risks (you're running Mayan as root without any isolation). It's not something the team will likely change because of that (default for gunicorn is 8000).
This is especially bad on a Synology box. You'd be potentially giving anyone that can access mayan root access to your NAS which could lead to all sorts of problems.

But users in this situation aren't without options:
1) Use nginx, running as root, in front of Mayan in a separate container proxying port 80 (what I personally do)
2) Use something like Traefik to proxy it

I guess the options boil down to why you're using macvlan in the first place. For most Mayan use cases, using a private container network should suffice and brings security benefits with it. Using 1/2 above works best in that situation.
If it's because you need the different containers in different VLANs (the main reason I can think of), then you can create 1/2 above in a separate container forwarding traffic to each VLAN behind it. There's still some security risk, but it's much better to only have nginx/Traefik running as root rather than all of Mayan.
Please bear with us during the current global situation. The team all have families and local communities to look after as well as the community here. Responses may be delayed during this time, but rest assured we will get to your query eventually.
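One way to implement option 1 above, as an added example that is not the moderator's own setup or anything shipped by the Mayan project: nginx is the only container on the macvlan and owns port 80 on the LAN IP, while Mayan keeps its non-root user and default port 8000 on a private bridge network. The network name mayan_internal, the config directory and the proxy container name are assumptions; the IPs, volumes and image tag are taken from the original post.

```shell
#!/bin/sh
# Added example (not from the thread): nginx takes the macvlan LAN IP and port 80,
# Mayan stays non-root on port 8000 inside a private bridge network.
set -eu

LAN_NET=myvlan                  # macvlan network from the original post
LAN_IP=192.168.178.101          # static LAN IP that "http://documents" resolves to
APP_NET=mayan_internal          # private bridge network (name assumed here)
CONF_DIR=/volume1/docker/mayan/nginx   # where the rendered nginx config lives (assumed path)

# Render the nginx site config: listen on 80, proxy everything to Mayan's gunicorn.
render_nginx_conf() {
  cat <<'EOF'
server {
    listen 80;
    server_name documents;
    client_max_body_size 500m;         # document uploads can be large
    proxy_read_timeout 600s;           # slow uploads / OCR-bound requests
    location / {
        proxy_pass http://mayan:8000;  # "mayan" resolves via Docker DNS on the bridge
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
EOF
}

deploy() {
  mkdir -p "$CONF_DIR"
  render_nginx_conf > "$CONF_DIR/default.conf"
  # Private network: postgres, redis and Mayan are unreachable from the LAN.
  docker network inspect "$APP_NET" >/dev/null 2>&1 || docker network create "$APP_NET"
  # Mayan keeps its default user and port; no -p at all. Reuse the -e MAYAN_*
  # settings from the post, with HOST pointing at the postgres/redis container
  # names once those containers are also started on "$APP_NET".
  docker run -d --name mayan --network "$APP_NET" \
    -v /volume1/docker/mayan/media:/var/lib/mayan \
    -v /volume1/scan:/var/lib/mayan/scan \
    mayanedms/mayanedms:3.3.3
  # nginx is the only container on the macvlan, so only it owns port 80 on the LAN.
  docker run -d --name mayan-proxy --network "$LAN_NET" --ip "$LAN_IP" \
    -v "$CONF_DIR/default.conf:/etc/nginx/conf.d/default.conf:ro" \
    nginx:stable-alpine
  docker network connect "$APP_NET" mayan-proxy   # second leg reaches Mayan
}

case "${1:-}" in deploy) deploy ;; esac   # run as: ./mayan-proxy.sh deploy
```

Only the proxy is exposed on the LAN; if Mayan, postgres and redis ever need to sit in different VLANs, this proxy container is the one place that needs a leg in each of them.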

holzhannes
Posts: 4
Joined: Sat Sep 14, 2019 10:57 am

Re: Mayan on Synology with macvlan driver and static IP

Post by holzhannes »

I am running Mayan on Synology as well, but without a VLAN. I am using the Synology reverse proxy (Control Panel > Application Portal > Reverse Proxy) to run Mayan on port 443 with a valid SSL cert and an FQDN (dms.example.com). I am also using the proxy to redirect dms.example.com from port 80 to port 443. To use the FQDN you need a local DNS server or to edit the hosts file of your computer.

Maybe this helps you

mcarlosro
Posts: 11
Joined: Fri Jan 10, 2020 3:23 pm

Re: Mayan on Synology with macvlan driver and static IP

Post by mcarlosro »

Synology reserves ports 80 and 443 for internal use. This comes from Synology Support:
"We don't have a procedure to change port 80 and 443 because different services or applications use these ports."
I'm using a similar configuration with Docker. Please, in order to avoid problems in the future, use a separate network for Mayan as explained in https://docs.mayan-edms.com/chapters/do ... twork.html

I'm configuring Traefik (not the Synology reverse proxy) to expose my different Docker services using URLs such as mayan.domain.com and others like https://*.domain.com, but always using a port on your Synology different from 80 and 443. If you need to expose this to the internet, you want to NAT ports 80/443 in your router to ports 81/444 on your Synology (it is always good practice to use ports above 1024).
