This week was a busy week!
The final release of our immutable HostOS Leap Micro 5.4 is now available. This update brings SELinux in enforcing mode by default as well as tuning. Leap Micro is not a traditional distribution, but rather a lightweight HostOS for running virtual machines and containerized workloads.
The availability of Leap Micro 5.4 automatically marks Leap Micro 5.2 as End of Life. From this point, Leap Micro 5.2 will no longer receive updates.
To remain secure, Leap Micro 5.2 users can either do a fresh deployment, which should be under 5-minutes, or upgrade.
Leap Micro 5.3 users can still remain on the existing release and enjoy updates until the next Leap Micro release is out, which should be in Fall 2023.
Users who would like to receive support and updates for up to 4 years for a given release should consider switching to SLE Micro.
Users can upgrade to Leap Micro 5.4 by running the following command
sudo transactional-update shell
zypper --releasever 5.4 dup
reboot # Enjoy
Please bear in mind that we’re switching to SELinux enforcing by default, therefore you might have an easier life if you do a clean build instead. Especially on slower storage if you’d be subject to relabeling.
Let’s make some practical use of the new Leap Micro 5.4!
In this article, we’ll leverage our existing Pi-hole from the previous article and setup up a home instance of a Nextcloud AIO. Such a solution is appealing especially to users valuing their privacy or just like me looking to bridge Apple and Android devices.
This tutorial should take less than 15 minutes, on top of instructions the from previous hands-on.
My personal use case for Leap Micro is to have as much ad-free browsing as possible, DNS entries for local services, and a Nextcloud instance as a bridge to share pictures and videos in between my wife’s iPhone, kids’ tablet and my Android phone.
My private home setup is a Raspberry Pi 4 8GB with 1TB SDD connected via USB 3.0 to SATA III. I have a mesh via TP Link Deco X20. I do use port mapping from the Deco to expose services to the public via a static public IP. I have a public domain name with a few subdomains pointing to the mentioned public IP.
The public domain name is a prerequisite for the NextCloud AIO.
The Raspberry Pi has a reserved address based on its MAC address to keep stuff simple. If you have a dynamic public address, you can consider some dynamic DNS (DDNS) solutions.
I am personally happily using the described setup on my 8GB Raspberry Pi 4 with Leap Micro 5.3 along with Pi-hole for ad-free browsing and mapping of my Nextcloud instance to a local address.
I would not recommend to this particular hands-on in a VM unless you can deal with the public domain aspect of the tutorial.
The benefit I see in using Leap Micro is that the machine does not require any of my attention. I have automatic updates and self-healing on. The machine automatically reboots into an updated snapshot in the defined maintenance window (set by default) and if there is an issue that requires my attention, then I simply resolve the issue with the Cockpit interface in the web browser.
Leap Micro is an immutable operating system with a read-only root. openSUSE solves this via btrfs snapshots and tools that enable automatic rollback and boot into a previous snapshot in case a system identifies that the boot into a new snapshot has failed.
Warning: Running Nextcloud AIO requires a public domain. Otherwise, you’ll hit SSL errors unless you use self-signed certificates, such setup would be outside the scope of this article, plus such a solution is not practical.
Making a local DNS entry for the NextCloud
For local access, a user should create a local DNS entry with a local IP address pointing to the intended domain nextcloud.mydomain.org.
Deploying the NextCloud AIO container
Just by following https://github.com/nextcloud/all-in-one I’ve tried to run the AIO image with just podman, however, the solution is very docker centric and you’d have to use podman-docker, which will only be available in the next Leap Micro release.
In my setup, I do have a 1TB disk mounted on the Leap Micro host under
Feel free to adjust
NEXTCLOUD_DATADIR destination to your liking.
I personally had an issue with domain validation with my Pi-hole setup so I did use -e SKIP_DOMAIN_VALIDATION=true as per readme instructions.
/var are of course writable even on ImmutableOS.
If you’re using port mapping from your home router to expose services to the public, you’ll want to expose and map ports 80, and 8443 and 3478 (talk container) from the router to the Leap Micro host.
# mkdir -p /srv/nextcloud
My fstab entry for the btrfs formatted 1TB WD Blue SSD drive connected to my Raspberry Pi via AXAGON ADSA-1S6 USB to SATA connector.
You can get your UUIID with
# grep nextcloud /etc/fstab
UUID="881ab56d-d577-4d12-8014-f5a76f3febe6" /srv/nextcloud btrfs noatime 0 0
And now let’s deploy the Nextcloud All in One image.
Just note that our deployment will survive reboot(s). I highly recommend skipping the domain validation (part of the example command), especially with described setup.
# docker run \
--name nextcloud-aio-mastercontainer \
--restart always \
--publish 80:80 \
--publish 8080:8080 \
--publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume /var/run/docker.sock:/var/run/docker.sock:ro \
-e NEXTCLOUD_DATADIR="/srv/nextcloud" \
-e SKIP_DOMAIN_VALIDATION=true \
And we’re almost done here. Rest is just about following the browser instructions.
You might want to reconsider what add-ons to run based on the available memory of your device, especially if you have less than 4GB of memory. My Rpi has 8GB, so I went with all available add-ons.
And we are done! Have a lot of fun!