TrueCharts

TrueCharts 2023 Common

ornias

Wizard
Joined
Mar 6, 2020
Messages
1,458
ornias submitted a new resource:

TrueCharts - Community App Catalog for TrueNAS SCALE

TrueCharts is an initiative to provide high quality Apps to use with the TrueNAS SCALE App Ecosystem.
Our primary goals are:
- Freedom
- Stability
- Consistency

All our apps are supposed to work together, be easy to set up using the TrueNAS UI and, above all, give the average user more than enough options to tune things to their liking.


Getting started using TrueCharts
Installing TrueCharts within TrueNAS SCALE still requires the CLI. However, it's not that hard:
- Go...

 

ornias

To be clear: this starts working next release of TrueNAS SCALE ;-)
 

ornias

@shadofall It's best keeping TrueCharts discussions here, or on github-discussions.
Anyway, if the issue isn't listed on the FAQ in the readme and it is about multiple charts, please bundle it into a single issue.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,740
@ornias could you be so kind to create a rough step-by-step cheat sheet for the Docker impaired? If I want to e.g. deploy the TrueCommand chart from your repo - how do I make it accessible over the network?
This is the docker-compose.yml I currently use:
Code:
version: '3.3'
services:
  truecommand:
    container_name: truecommand
    restart: always
    image: 'ixsystems/truecommand'
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - '/app/ixsystems/truecommand:/data'

This publishes ports 80 and 443 of the container at the host's public interface. Which is not a problem when (in my case) the host is a virtual machine dedicated to that single application.
How do I go about running multiple charts side by side in SCALE? My favourite way to go would be to assign alias IP addresses to the LAN interface of my SCALE appliance, then connect each of these to one running application. Is that possible at the current state of the software? If not, what's the concept? Pointers to documentation (RTFM with a link to the FM) always gladly accepted.

I tried messing with the deployment menu but that did not get me very far. Another point puzzling me: why manage certificates at the SCALE/chart level? In the case of TrueCommand currently I just forward ports 80 and 443 and that is that. Certificates can be managed in the TrueCommand UI perfectly well ;)

Thanks and kind regards,
Patrick
 

ornias

@Patrick M. Hausen Yeah, guides and docs are on my todo list.
But to be fair: It doesn't have much to do with docker/k8s to install the apps (besides maybe knowing what clusterIP/nodePort and ingress are).

TrueCharts does not (actively) support unsecure (port 80) connections, in any way, shape or form. In line with latest guidelines from the browser vendors.

For setting up your TrueCommand container:

When it comes to networking (the ports section in docker-compose.yaml) you have 2 options:
- clusterIP (internal k8s networking only) and adding Traefik Ingress (reverse proxy)
- nodePort (same as clusterIP, but mounting the App to a Port on the Host)

When it comes to storage you also have 2 options:
- use ix_volumes (the default, auto creates storage under ix-applications/releases/[releasename]/volumes/ix_volumes )
- mount a manual hostPath, by selecting hostPath and entering (for example) "/app/ixsystems/truecommand"


How do I go about running multiple charts side by side in SCALE?

Just giving each App a different name should be enough. All charts from TrueCharts should support this, except Traefik (due to part of the integration work with CertManager and Ingress)

My favourite way to go would be to assign alias IP addresses to the LAN interface of my SCALE appliance
SCALE networking (besides k8s) is not really part of TrueCharts at all. We don't deal with it we just craft Apps.

Is that possible at the current state of the software?
Using ingress would allow you to filter based on hostname. In theory more ingress filtering would be supported with Traefik, but we currently do not support that with TrueCharts. I highly doubt we ever will, if you need that kind of advanced settings, IMHO it's best to run native helm charts instead.

I tried messing with the deployment menu but that did not get me very far.
I think you're smart enough to know I can't give you assistance based on nothing more than "doesn't work when click"... ;-)

Another point puzzling me: why manage certificates at the SCALE/chart level?
If you want you can just use nodePort. I don't get why you think we enforce use of Traefik/Ingress. We also don't manage certificates at the chart level at all, you can very well setup a single (at the moment) wildcard and select the wildcard option on any ingress.
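
The two networking options described in the post above, written out as plain Kubernetes manifests for the TrueCommand setup from the docker-compose file. This is an added example, not part of the original posts and not TrueCharts' or SCALE's own chart output; the resource names, the `app: truecommand` label, the hostname, the TLS secret, the `traefik` ingress class and the node port number are assumptions.

```yaml
# Option 1: nodePort. The Service is published on a port of every node address.
# Nothing in front of the app terminates TLS; the app serves whatever it serves.
apiVersion: v1
kind: Service
metadata:
  name: truecommand-nodeport            # hypothetical name
spec:
  type: NodePort
  selector:
    app: truecommand                    # hypothetical pod label
  ports:
    - name: https
      port: 443
      targetPort: 443
      nodePort: 30443                   # assumed value; one app per port (Kubernetes default range 30000-32767)
---
# Option 2: clusterIP plus Ingress. The Service is reachable only inside the
# cluster; the reverse proxy routes by hostname and terminates TLS.
apiVersion: v1
kind: Service
metadata:
  name: truecommand                     # hypothetical name
spec:
  type: ClusterIP
  selector:
    app: truecommand
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: truecommand
spec:
  ingressClassName: traefik             # assumes a Traefik ingress class is installed
  tls:
    - hosts:
        - truecommand.example.lan       # constructed hostname
      secretName: wildcard-example-lan-tls   # hypothetical secret holding a wildcard certificate
  rules:
    - host: truecommand.example.lan     # several apps can share 443, told apart by hostname
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: truecommand
                port:
                  number: 80
```

With the NodePort Service the port is open on every address of the node and any TLS has to come from the app itself; with the ClusterIP Service nothing is reachable from the LAN except through the ingress.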
 

Patrick M. Hausen

TrueCharts does not (actively) support unsecure (port 80) connections, in any way, shape or form. In line with latest guidelines from the browser vendors.
I hate browser vendors/projects for that. Seriously. What about a perfectly working printer, UPS, switch ... with a web management that only supports SSLv3? This is my private network. I know what I am doing. But of course this is outside of your and my sphere of influence. For all these devices I have come to the conclusion that it's probably better to connect to them unencrypted, because support for plain HTTP is not completely going away but obsolete SSL standards definitely are. So effectively browsers are lowering security because they force me back to plain text for certain applications.

For setting up your TrueCommand container:
When it comes to networking (the ports section in docker-compose.yaml) you have 2 options:
- clusterIP (internal k8s networking only) and adding Traefik Ingress (reverse proxy)
- nodePort (same as clusterIP, but mounting the App to a Port on the Host)
Currently I have it running in a VM and ports 80 and 443 mapped to the host IP. So I can reach TrueCommand at http://truecommand.local/ or http://192.168.1.20/. If I understand you correctly, either distinct ports per application or proper ingress with a real FQDN are mandatory with Scale apps. Makes sense for public stuff, I'm not complaining. OK ... a little bit. :wink:

Using ingress would allow you to filter based on hostname. In theory more ingress filtering would be supported with Traefik, but we currently do not support that with TrueCharts. I highly doubt we ever will, if you need that kind of advanced settings, IMHO it's best to run native helm charts instead.
I don't consider mapping container A to host IP 1 and container B to host IP 2 with no ingress, no SSL, no nothing, "advanced" but rather the most basic setup imaginable.

I tried messing with the deployment menu but that did not get me very far.
I think you're smart enough to know I can't give you assistance based on nothing more than "doesn't work when click"... ;-)
Sure. Thank you very much, I just needed some more hints to get the big picture. Looks like I'll stick with one VM per Docker app for the moment for production and not move these over to Scale right now.

If you want you can just use nodePort. I don't get why you think we enforce use of Traefik/Ingress.
Because it looked like ingress is the only way to run multiple applications on the same port.

Thanks again, don't take this as criticism, please. It's just me thinking out loud and coming to terms with these new concepts.
Patrick
 

ornias

I hate browser vendors/projects for that. Seriously. What about a perfectly working printer, UPS, switch ... with a web management that only supports SSLv3? This is my private network. I know what I am doing. But of course this is outside of your and my sphere of influence. For all these devices I have come to the conclusion that it's probably better to connect to them unencrypted, because support for plain HTTP is not completely going away but obsolete SSL standards definitely are. So effectively browsers are lowering security because they force me back to plain text for certain applications.

I was referring mostly to Traefik, when it comes to what we support.
If you use nodePorts you're on your own when it comes to SSL or not, that's outside our sphere of influence.

Currently I have it running in a VM and ports 80 and 443 mapped to the host IP. So I can reach TrueCommand at http://truecommand.local/ or http://192.168.1.20/. If I understand you correctly, either distinct ports per application or proper ingress with a real FQDN are mandatory with Scale apps. Makes sense for public stuff, I'm not complaining. OK ... a little bit. :wink:
Actually, fake FQDN with selfsigned certificates are definitely possible, but unavailable due to a UI bug.
Bug fix is already made, would take a few days to reach the actual app, but afterwards you could select "none" for CertManager Provider and just use fake FQDN's for every app with "selfsigned" certificates.

I don't consider mapping container A to host IP 1 and container B to host IP 2 with no ingress, no SSL, no nothing, "advanced" but rather the most basic setup imaginable.
First off: stop using the word containers, it's confusing.
SCALE apps are NOT containers, they are Apps based on Helm charts, which are based on K8S. A "container" is so many layers of abstraction below that, that will only confuse people.

Specifying specific interfaces for nodePorts is NOT easy and not something I even know how to do in such a way I can write a SCALE UI for it.
Feel free to send a PR if you know better.

Sure. Thank you very much, I just needed some more hints to get the big picture. Looks like I'll stick with one VM per Docker app for the moment for production and not move these over to Scale right now.
More hints on what?!
At least send screenshot of what config you used, or name the settings you have doubts about.
SCALE Apps are not a docker container, not a helm chart, not a k8s deployment... they are SCALE Apps.

The UI is its own thing, it's custom crafted for every App.
So unless you tell me what you want to know, how can I help you? A bigger picture of the UI? Most options already have help-text, that help-text IS the big picture.

I really want to help you out here, but as long as you keep being vague about what you want to know, I can't help you.

TLDR: Ask the god damn question.


Because it looked like ingress is the only way to run multiple applications on the same port.
I think you always need reverse proxies to run multiple applications on the same port. (a single port, means a single port on a single network interface).


Thanks again, don't take this as criticism, please. It's just me thinking out loud and coming to terms with these new concepts.
Patrick
No worries, it's just that I really want to help out but you haven't given me anything to go with...
 

Patrick M. Hausen

I was referring mostly to Traefik, when it comes to what we support.
If you use nodePorts you're on your own when it comes to SSL or not, that's outside our sphere of influence.
So nodePorts probably for me since I want to handle SSL in my one reverse proxy for everything that is public and more or less not at all for things that are limited to my LAN.

Actually, fake FQDN with selfsigned certificates are definitely possible, but unavailable due to a UI bug.
Yeah, I noticed. :wink:

First off: stop using the word containers, it's confusing.
SCALE apps are NOT containers, they are Apps based on Helm charts, which are based on K8S. A "container" is so many layers of abstraction below that, that will only confuse people.
:oops: OK.

Specifying specific interfaces for nodePorts is NOT easy and not something I even know how to do in such a way I can write a SCALE UI for it.
Feel free to send a PR if you know better.
I don't know zilch. My expectation was that Scale could be used to host the various applications that come as "Of course we are open source. Build instructions? FreeBSD? Here's your Docker image ...". Like Collabora, OnlyOffice, ... even TrueCommand, now.

More hints on what?!
[...]
TLDR: Ask the ******** question.
You already answered everything I asked, although the questions were rather implicit than explicit.
  • what's with this "ingress" vs. "nodePort" stuff?
  • why can't I open up port 80 but only 443
  • where do I put the IP address so I can run different applications on different addresses without ingress
  • why is this not like Docker compose?
  • what is it supposed to be like instead?
You have given me more than enough pointers to find my way around for a while. I will certainly come back if I have more concrete questions.

I think you always need reverse proxies to run multiple applications on the same port. (a single port, means a single port on a single network interface).
Alias IP addresses? VNET? There must be something like this in the Linux world, right? All our jails are simply layer 2 connected and all do their own layer 3 stuff. Pretty darn simple in my book ...

TLDR; you already helped a lot - thanks :smile:
 

ornias

So nodePorts probably for me since I want to handle SSL in my one reverse proxy for everything that is public and more or less not at all for things that are limited to my LAN.
Yeah, if you really don't want to use certificates at all locally, that's nodePorts for you...

uhmm no, I was talking TrueCharts, we don't use TrueNAS SCALE certificates, we use traefik and certmanager.
I was talking:


:oops: OK.


I don't know zilch. My expectation was that Scale could be used to host the various applications that come as "Of course we are open source. Build instructions? FreeBSD? Here's your Docker image ...". Like Collabora, OnlyOffice, ... even TrueCommand, now.
Thats the idea, but that also means certain features might or might not be abstracted away a bit more...



Alias IP addresses? VNET? There must be something like this in the Linux world, right? All our jails are simply layer 2 connected and all do their own layer 3 stuff. Pretty darn simple in my book ...

TLDR; you already helped a lot - thanks :smile:
A VNET or alias is still one port because it's a different IP address...
The thing is: K8S is not layer 2 connected, it's its own layer 3 network, with NAT in between (at least by default). Changing that is possible afaik, but that goes beyond "standard" k8s setup...

  • what's with this "ingress" vs. "nodePort" stuff?
Ingress is (TLDR) an abstracted away reverse proxy

  • why can't I open up port 80 but only 443
Well, you can "open them up" from a SCALE point of view, traefik has just been programmed to forward all traffic to a secure connection. Apps are for the average+ user and in 99% of cases people should try to use HTTPS and can use HTTPS.

  • where do I put the IP address so I can run different applications on different addresses without ingress
I've no idea :P

  • why is this not like Docker compose?
Because it isn't docker-compose.. basically.
Docker compose is an integrated package, with networking and all the giggles included. K8S is a "build like you want" kind of thing, where IX (SCALE Apps) made some design choices and which I'm careful not to alter too much when maintaining TrueCharts (for sure as long as SCALE is ALPHA).

  • what is it supposed to be like instead?
SCALE Apps are a way to streamline and simplify installing Helm charts on K8S.
The key words here are "streamline" and "simplify".
Simply put: they are the new "plugins" but with more options for the end user and easier ways for the community to be involved.

You have given me more than enough pointers to find my way around for a while. I will certainly come back if I have more concrete questions.
Please do :)
 

ornias

ornias updated TrueCharts with a new update entry:

Wiki and Website updates

From today onwards we finally start having some decent progress on the documentation.

The new website (Just a landing page) has been launched at https://truecharts.org and the new wiki finally has some actually useful information.

Currently available are:
- FAQ
- Code of Conduct
- Contribution Guidelines
- General information on every App
- License information on every App
- A guide to get you started with using GIT
- General...

 
Joined
Oct 18, 2020
Messages
2
This is great news! I have been waiting for progress to reach this point and having tools available. One request that can be anywhere in your queue as I assume you are swamped, but I would like to see Syncthing as one of the apps. Thanks for your efforts!
 

ornias

@jhawkinsvalrico Thanks for your feedback, if you check out the issuetracker on github you would notice Syncthing has already been submitted as a request. :)
 

ornias

Small Notice:
People please submit new PR's to the "staging" branch, instead of master.
Significant rework is going on.
 

ornias

ornias updated TrueCharts with a new update entry:

New: TrueCharts Containers

After a week of hard work, we can finally announce:
TrueCharts Containers

While there are many great container sources available, it often happens those are either:
- Are not compatible with native K8S securityContexts
- Contain bloat
- Use weird versioning schemes

Using external containers, also makes it harder for us to ensure everything works as promised. As we can't ensure the containers stay online and are tested enough before being...

 
Joined
Feb 6, 2021
Messages
18
Greeting.
How to add traefik support for Plex and other Docker images (custom applications) using UI? Is it possible or that can only be done using config files?
 

ornias

Greeting.
How to add traefik support for Plex and other Docker images (custom applications) using UI? Is it possible or that can only be done using config files?
Thank you for your question!

With 21.04 we will introduce our own Plex App, which runs as non-root and includes support for our Traefik Reverse Proxy.

However: We are a community catalog and are not related to the "add docker" button designed by iX systems.
Our reverse proxy (ingress) code is also heavily optimised for Traefik and does not support other reverse proxies, hence it's not likely iX is going to add support for our Reverse Proxy in their official "add docker" button.

In theory we could roll out our own "add custom docker container" App. While I would review a PR for it fairly, I'm personally not going to work on it. As my preference is people adding Apps to the Catalog and together working on Apps for each other, instead of a "one size fits all/none" App.
 
Joined
Feb 6, 2021
Messages
18
Thank you, ornias, for your answer, but my question is not about adding Traefik support to "add docker" IX systems button, nor about add "add custom docker container" application to TrueCharts, but it's about ability to configure community Traefik app to work with any http docker container, not just with community applications. If I understood you correctly, this can not be done in UI not now, nor in the future. So, please, give me a direction where to dig to achieve that. I hope, Traefik configuration file is a right direction, is it correct?
 

ornias

but it's about ability to configure community Traefik app to work with any http docker container, not just with community applications

Okay, let me explain some things:

---

Deploying containers:
There are 4(!) supported ways of deploying containers on SCALE:
1. The Official App catalog
2. Community App catalogs
3. Helm charts (Semi-supported)
4. The "add docker" button

There is no other supported solution to run containers on TrueNAS SCALE.

---

App UI Separation

Each Application (official or not) has its UI bound to that App. I can NOT alter the installation UI for other catalogs or app (official or community) from another catalog or app.

---

I understood you correctly, this can not be done in UI not now, nor in the future. So, please, give me a direction where to dig to achieve that. I hope, Traefik configuration file is a right direction, is it correct?

You should NEVER be running any other container solution than the 4 solutions mentioned above. 3 of which we already support with our Traefik deployment. We also already support external(/VM) services on our latest (21.04) staging release.

The Traefik static config is not available when using TrueCharts. Not at all and is technically not possible to be made available. However, please see the issues section on github in regards to the dynamic config.

If your question is "are you going to support mixing Apps with manual docker containers on SCALE", the answer is: No, Never. Thats not supported by iX, so we can't support it either.


So, please, give me a direction where to dig to achieve that. I hope, Traefik configuration file is a right direction, is it correct?

Before going to dig heavily into one of our most complicated charts, it might be wise starting with something simpler, like porting a little App from another (native) helm repository... But as I have no idea what you actually want to do (or have the feeling you try to hack things into SCALE that aren't supported) I can't give you any guidelines anyway.

That being said:
I highly suggest thoroughly checking out our Github and website/manual. Because a lot of what you can use to answer your question should be available there. (information about external services, dynamic config folder etc.)
 