Autonomic launches open alpha of Co-op Cloud

Hey folks, we launched a new software project today called Co-op Cloud. It’s a system designed for small to medium sized hosting providers based upon docker swarm.

Running libre software apps and infrastructure for ourselves and our clients is central to what we do at Autonomic. Now, after a year of work, we’re stoked to share our “Co-op Cloud” project with the world. We want to make it easier for others to join the party, ditch corporate spyware, and make their tools sustainable, transparent and private.

All our code is on our Gitea server.

We also have a public matrix room at #coopcloud:autonomic.zone

I would imagine this is particularly interesting for the folks looking at Cloudron, YunoHost and other similar systems for self-hosting management. Delighted to finally get this out public and looking forward to comments/questions/critique/testing

Looks very interesting, the float project from Autistici/Inventati, appears to be designed to do the same kind of thing, it uses Ansible to deploy containers to Podman.

@chris yeh we’re using Ansible as well in combination for configuration management but we wanted to build something based on what the upstream projects are actually releasing.

The down sides of Ansible based system we identified are:

Upstream libre software communities aren’t publishing Ansible roles
Lots of manual work involved in things like app isolation, backups, updates

For us, that’s enough to not use it for the basis of the system. We want to use the upstream project’s packaging and they’re mostly using Docker.

We did try podman but we didn’t think it was stable enough and there’s the upstream compatibility issue.

Hi KawaiiPunk,
Thank you for this important initiative. As a non techie and member of the german hostsharing coop, I asked for comments on the project. So far as i know, our tech team is heavily using Ansible in daily work to manage our hosting infrastructure.

I got one (german) feedback from one coop member, that he thinks, that your concept makes sense, but he made the experience, that docker compose needs often root rights in the containers, which can be critical concerning security issues.

KawaiiPunk, could you please explain, how you deal with potentials security issues in the project?

With help of deepl, I also translated the comment of my coop colleague. Please consider this, if the text is may be a little strange…

As far as I can see, Autonomic is right. If you have to manually maintain all role configurations with Ansible manually, it’s quite a bit of extra work compared to upstream deployed docker-compose configurations.
I’m not entirely happy after using docker-compose on a large project with many containers in the development thread, but this mainly concerns maintenance issues when you update containers very often with new code states.
The filesystem can get full with outdated images, which is not cleaned automatically. However, this is also stated in the documentation that docker compose is not optimized for this particular scenario.

From a security point of view, docker/docker-compose is a bit problematic, since it works a lot with root rights in the containers.
OpenShift, for example, uses individual one-time users in the root group and more stringent security policies, but is also more difficult to configure, has discontinued docker support, and is just not very free.

So if docker-compose is delivered upstream, it would have to be evaluated whether the security is sufficient.

Hi @JanPeter thanks for this thoughtful response! You raise important points. I can add some info here (I am a member of Autonomic and also work on the Co-op Cloud project as a developer).

I actually realise now that the relationship between Co-op Cloud and Docker compose is not quite as clear as it should be in the documentation. I’ve patched that in this commit and updated the FAQ entry. What is important to note is that we use the compose specification to describe apps but we do not require or need the use of the Docker compose tool itself at all.

We have two pieces on the FAQ for this which try to unpack the security concerns:

• Aren’t containers horrible from a security perspective?
• What is important to consider when running containers in production?

Further thoughts and questions really welcome! The documentation can always be better.

Rootless operation is possible.

Heya @JanPeter, echoing @decentral1se’s gratitude for you and your colleague’s comments, thank you! (I’m another Autonomic member who’s been involved with this project )

Yes; we currently have a scheduled job to run docker system prune to mitigate this issue – we should add that suggestion to the documentation if it’s not there already.

@decentral1se already mentioned the “rootless” option for the daemon – I wonder if you’re also asking about root within the containers, which would also be a fair question!

The answer varies depending on what upstreams are doing. Images like Nextcloud and Wordpress run using an unprivileged www-data user, just like a traditional deployment, so if someone finds a vulnerability in one of those apps then they’d need a separate Linux exploit to affect other apps on the same machine, or the host operating system.

If you (or anyone) notices apps which are running web-facing process as root (e.g. I just checked, and it seems like our Drone configuration does that) then we’d encourage opening tickets with the upstream developers, so that all their Docker users can benefit.

Little update: we hammered out another version of abra, our command-line tool for managing Co-op Cloud instances, see the change log at https://git.autonomic.zone/coop-cloud/abra/src/branch/main/CHANGELOG.md#abra-0-6-0-2021-03-17. The new version is already cooking. We’ve been having some really nice discussions in the public matrix channel (see https://docs.cloud.autonomic.zone/contact/ for more) and we even saw our first not-autonomic contributor working on packaging peertube over at mirsal/peertube: An ActivityPub-federated video streaming platform using P2P directly in your web browser. - peertube - Git with solidaritea. Exciting

This is really great, thanks!

I assume you’ve also seen https://k8s.libre.sh/ from the good people at https://indiehosters.net/ ? (they use it to power their cool Liiibre offering).

Oh super cool to see the offerings page which I missed. Got a lot of respect for the Indiehosters and the work they do. We ended up not going with kubernetes as a basis for the system because it is often not feasible for small scale providers to skill-up on running a cluster based on the design goals of kubernetes. We wrote a little about that here and here.

Some updates!

Initial project website launched: (feedback very welcome, introductory video Coming Soon™)

https://cloud.autonomic.zone/

(Unreleased) updates to abra, Co-op Cloud’s command-line tool:

• Tracking versions of each image in an app
• Checks for local and remote Docker versions
• More reliable deployment logic
• Better debugging of SSH connection issues

New (work-in-progress) apps:

• Workadventure (game-style voice / video chat)
• go-neb (Matrix bot)
• znc (IRC bouncer)
• osticket (ticket tracking system)

New documentation pages:

• “Manage your app configuration”, including tips on collaborating with one or more teams on one or more Coöp-Cloud-managed servers
• “Managing secret data”, explaining Co-op Cloud’s use of Docker Secrets
• New FAQ section “What about Caprover?”.

We’re also excited to announce that another 2 paid projects using Co-op Cloud have just landed And, we applied to the EU Culture of Solidarity Fund!

Hey we’re working on getting a public blog up and some socials and so on but in the meantime, we’re having an open hour today (and will be doing this weekly going on) where you can drop by and learn more about the project! Here is the invite below:

Hey folks, you’re all warmly invited to the Co-op Cloud Kite Flying Hour at 15:00 CEST Today over in meet.jit.si/CoopCloudKiteFlyingHour! Inspired by exquisite childhood memories of flying kites, eating popsicles and looking at clouds, it’s an open hour for anyone to come hang out online and discuss/co-work/lurk/etc. around the Co-op Cloud project. There are no “stupid questions”! It’s a space to inquire, be curious, have a good time and get to know each other. We take notes and doodle on this collaboratively editable pad. If you don’t have time to attend, feel free to drop your questions and some contact details also, so we can get in touch. This is only the first Kite Flying Hour in a recurring series of Kite Flying Hours. Hope to see you there!

We’re on twitter/fediverse if anyone wants to follow along!

Here’s the blog folks! The Co-op Cloud | Blogs

July status update!

We’ve been hammering away at this each month on the blog over on The Co-op Cloud | Blogs and our current public funding body have published a overview/interview piece on Developing an ecosystem of cooperative service providers that host open-source tools – European Cultural Foundation. More stable beta launch will be coming soon ! Will post updates on #tech:coop-cloud from now on