Hi, I'm trying to generate a custom image but the persistent files look confusing to me.

I see during build it does backup a selection of files in the container.
rootfs/usr/local/hstc/install/add-default-persistent-files.sh

After that during the boot there is another operation that updates more files persistence.
rootfs/etc/my_init.d/10_updates.sh

I'm confused about how that works specially in regard the /conf persistent volume.
Can you give us some details about the purpose and operation?

By the way, many thanks for sharing the build environment.

I get an error message when starting the container:

Starting domain name service...: bind9 failed!
Any idea how I can troubleshoot this?

TIA

The main reason one would use docker on a server is segregation! This means a flaw in mariadb only affects mariadb, not the whole system. Docker images with multiple services running is less than ideal because of this. While it is useful for a quick and dirty "does this work", it should never be used in a production environment. What would be great is seeing something built that segregates all services to their own containers.

There is also no way to disable insecure applications such as ftp - yes, you can not map the port, but the service is still running.

There is also the issue that host networking and the big ports like 80 and 443 are used, this could be circumvented by use of an edge router such as traefik, or use of nginx proxy manager. Both of these options would allow for easy mapping of domains to other docker services. Want to install plex too? Just throw in a docker-compose with labels to add it to traefik, or set it up with nginx proxy manager! Right now you can't run HestiaCP on a server with only a single IP address and use a useful application such as traefik to route to other containers - this project could improve on that.

The biggest security flaw right now is MARIADB_ROOT_HOST: "%" alongside a mapped port. This means that anybody who knows your server IP can bruteforce your mysql root pass with no issues! Ports that are not needed externally should NEVER be mapped!

I would highly recommend:

• Install script to write a custom docker-compose.yml file
• Options within the install script to include or exclude software (A la original install.sh)
• Separate docker images for each service (use of the official docker images would be beneficial here like you did with MariaDB)
• Integration of either traefik (complex) or nginx proxy manager (easier) for domains
• Map my.cnf to allow tuning of MariaDB

While this will be a little bit of work, I think it would make the project much more adoptable in a production environment.

We are a small company running Hestia in production and would like to run it in a kubernetes cluster soon.
Are you interested in working with us on improving this configuration and turning it into an enterprise-ready (but of course open-source) helm chart?