Thanks. I will check that once I have access to the server again. Somehow it kicked me out and I cannot reconnect.

Christian Düben
Research Associate
Chair of Macroeconomics
Hamburg University
Von-Melle-Park 5, Room 3102
20146 Hamburg
Germany
+49 40 42838 1898
christian.dueben@uni-hamburg.de
http://www.christian-dueben.com

From: Lars Vilhuber <lars.vilhuber@cornell.edu>
Sent: Tuesday, 9 June 2020 16:29
To: Düben, Christian <Christian.Dueben@uni-hamburg.de>; Thomas Krichel <krichel@openlib.org>
Cc: CollEc Run <collec-run@lists.openlib.org>
Subject: Re: [CollEc] RePEc Visual

No advice/experience with connecting out from the Docker, except that the default Linux docker setup does *not* allow for networking/bridging - that might be the reason you cannot connect.

Also check permissions on the MariaDB - MySQL/MariaDB permissions are both at the user@host level, so you may need "user@*" or something like that to connect.

--
Lars Vilhuber, Economist
Cornell University, Executive Director, Labor Dynamics Institute and ILR School - Department of Economics
American Economic Association - Data Editor
Journal of Privacy and Confidentiality - Managing Editor
e: lars.vilhuber@cornell.edu
p: +1.607-330-5743
v: https://cornell.zoom.us/my/larsvilhuber
w: http://lars.vilhuber.com/
Assistant: ldi@cornell.edu | +1.607-255-2744

________________________________
From: Düben, Christian <Christian.Dueben@uni-hamburg.de>
Sent: Tuesday, June 9, 2020 10:19
To: Thomas Krichel <krichel@openlib.org>; Lars Vilhuber <lars.vilhuber@cornell.edu>
Cc: CollEc Run <collec-run@lists.openlib.org>
Subject: RE: [CollEc] RePEc Visual

I am having issues with connecting a Docker container with the MariaDB on the host. I tried various solutions, but nothing works.
And now I am even facing a permission error when trying to access the database directly on the host.

@Lars, any advice on connecting a Docker container with MariaDB?

@Thomas, I do not want to break the host's database. I think I should therefore host another MariaDB server within a container.

Christian Düben
Research Associate
Chair of Macroeconomics
Hamburg University
Von-Melle-Park 5, Room 3102
20146 Hamburg
Germany
+49 40 42838 1898
christian.dueben@uni-hamburg.de
http://www.christian-dueben.com

-----Original Message-----
From: CollEc-run <collec-run-bounces@lists.openlib.org> On Behalf Of Düben, Christian
Sent: Thursday, 4 June 2020 18:25
To: Thomas Krichel <krichel@openlib.org>
Cc: CollEc Run <collec-run@lists.openlib.org>
Subject: Re: [CollEc] RePEc Visual

Sorry, I got the login process to the root account wrong in the first place. I tried to sign in to root directly without using icanis first. Now I understand how it works. Thanks.

I do not know what else you store on the server. But if you say that it does not require complex security that is fine with me.

The CollEc database is now located in the subdirectory. Thanks for the respective code.

I received an error when installing R outside Docker but it works fine when containerized. I am going to look into that. Running R inside containers is fine for now.

Regarding point (2), I am not sure which directories ShinyProxy and Docker set. My apps follow the directory structure illustrated in the cheat sheet attached to this e-mail. I can set it up in the home directory. But that does not prevent ShinyProxy and Docker from writing files elsewhere. ShinyProxy's configuration file is in /etc/shinyproxy/.
Christian Düben
Research Associate
Chair of Macroeconomics
Hamburg University
Von-Melle-Park 5, Room 3102
20146 Hamburg
Germany
+49 40 42838 1898
christian.dueben@uni-hamburg.de
http://www.christian-dueben.com

-----Original Message-----
From: Thomas Krichel <krichel@openlib.org>
Sent: Thursday, 4 June 2020 15:03
To: Düben, Christian <Christian.Dueben@uni-hamburg.de>
Cc: CollEc Run <collec-run@lists.openlib.org>
Subject: Re: [CollEc] RePEc Visual

Düben, Christian writes
You mentioned in yesterday's e-mail that you gave me root access. However, I apparently need a password for that.
  icanis@darni:~$ ssh root@darni

Works for me. Am I missing something?
The app itself only needs read access. It reads data from the SQL database and from other files stored on disk and displays it. The scripts generating the data run independently of the app. They require read and write access to the database and the directories the app uses and are initiated by a scheduling system. Installing and updating the app requires more extensive permissions. I need full access to Docker and ShinyProxy for that.
How about two accounts? One handles the app and has minor access rights. And the other generates the data, controls the Docker images and ShinyProxy and has larger access permissions.
Actually I created another account "collec", then had a nap, and deleted it again. I don't see the point of the two accounts. We don't need complicated security, as we have nothing that anybody could steal. But if you want to create another user you can do that. For reasons related to the weather, I am very sleepy at this time.
For security reasons I suggest that these accounts can only access the new CollEc's database within MariaDB. This prevents any repercussions on non-CollEc databases. When setting these permissions we should make sure that "LOAD DATA LOCAL INFILE" or "LOAD DATA INFILE" are still available. Restricted access apparently tends to block these statements which I use to insert large data sets.
root@darni has access to the mysql root account. To call my understanding of mysql security rudimentary would be heaping praise on it.
Feel free to choose any name you like for the account(s) and the database.
Kindly consider the following.

(1) Once a week, I rsync all the /home /etc /var and /root as backup to aigtu, except anything that is in a folder called 'opt'. At this time, aigtu is short of space. It's a good idea to move bulky files that can be recalculated into folders called opt. For example, all the icanis path data is in a directory called opt, even though it would take months to regenerate it. You can do a

  cd /var/lib/mysql
  mkdir -p /var/lib/mysql/opt/foo
  ln -s opt/foo foo
  cd /var/lib/mysql

(2) At server migration time---not imminent for helos and darni, both are quite new---I copy all of /home, /root and /var as is. All other directories will be dealt with by hand. Thus the change in /lib/, proposed by the shiny app installation is problematic because it needs to be remembered in a few years' time when I migrate.

For sudo, just use /etc/sudo/sudoers.d files. They can conveniently be rsynced at migration time.

We operate in a resource-poor environment where migrations take place only every few years, so I don't use things like docker that are important when you have lots of servers. But it pays off to keep things in users' home directories.

--
Cheers,
Thomas Krichel
http://openlib.org/home/krichel
skype:thomaskrichel
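
The two-account split and the user@host matching discussed in this thread, written out as MariaDB statements. This is an added example, not code from any of the participants; the database name `collec`, the account names, the placeholder passwords and the `172.17.%` host pattern (Docker's usual default bridge subnet) are assumptions.

```sql
-- Added example; every name below is a hypothetical placeholder.
-- Assumption: container traffic reaches MariaDB from 172.17.0.0/16 and the
-- server's bind-address is reachable from there. A server bound only to
-- 127.0.0.1 refuses bridge traffic before any grant is evaluated.

CREATE DATABASE IF NOT EXISTS collec;

-- Read-only account for the app inside the container.
-- Accounts are matched on user AND host; the host wildcard is '%'.
CREATE USER IF NOT EXISTS 'collec_app'@'172.17.%'
  IDENTIFIED BY 'REPLACE_WITH_APP_PASSWORD';
GRANT SELECT ON collec.* TO 'collec_app'@'172.17.%';

-- Read/write account for the scheduled data-generation scripts on the host.
CREATE USER IF NOT EXISTS 'collec_load'@'localhost'
  IDENTIFIED BY 'REPLACE_WITH_LOADER_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON collec.* TO 'collec_load'@'localhost';

-- LOAD DATA LOCAL INFILE: the client sends the file. It needs INSERT on the
-- target table plus local_infile enabled on the server and in the client;
-- no privilege outside collec.* is involved.
SHOW GLOBAL VARIABLES LIKE 'local_infile';

-- LOAD DATA INFILE (without LOCAL): the server reads the file. It needs the
-- FILE privilege, which is global (ON *.*) and cannot be scoped to a single
-- database, and the path must satisfy secure_file_priv. Grant it only if
-- server-side loading is really required:
SHOW GLOBAL VARIABLES LIKE 'secure_file_priv';
-- GRANT FILE ON *.* TO 'collec_load'@'localhost';

-- Verify that neither account holds anything outside collec.*.
SHOW GRANTS FOR 'collec_app'@'172.17.%';
SHOW GRANTS FOR 'collec_load'@'localhost';
SELECT user, host FROM mysql.user
 WHERE user IN ('collec_app', 'collec_load');
```

Using LOAD DATA LOCAL INFILE for the bulk inserts keeps both accounts confined to the one database, since only the server-side variant needs the global FILE privilege.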