Nextcloud asked in a poll at https://mastodon.social/@nextcloud@mastodon.xyz/115095096413238457 what database its users are running. Interestingly one fifth replied they don’t know. Should people know better where their data is stored, or is it a good thing everything is running so smoothly people don’t need to know what their software stack is built upon?
If you’re running it in a prebuilt container, as long as it works it shouldn’t matter and you don’t need to care.
Of course, when your database gets corrupted after Nextcloud updates because you had an app running that isn’t supported in the new version, it will suddenly matter a lot.
I’m using a hosted Nextcloud instance from Hetzner and I have no idea what this is running on either. There’s a significant number of people who didn’t set up their Nextcloud instance, so people not knowing what it’s running on isn’t too surprising.
Will Nextcloud run apps not marked as compatible with that version?
No.
You can specify the behavior in a few places: GUI, occ command, config.php. By default no, but if you have an app you want to force in regardless of the version compatibility you can make it so: https://help.nextcloud.com/t/help-what-is-app-install-overwrite-for/71523
Bugs still happen. Just did with the most recent version and the polls app and MySQL.
And if you don’t know what database you’re running, how are you backing it up?
If you don’t know what database you’re running, are you bothering to do a full shutdown before backups? Are you doing backups at all…
Exactly. It’s not important … until it is. :D
If you’re using the AIO image, backup/restore can be handled for you, so no need to worry about the manual steps involved. Or if you’re using a VM, a backup can take the form of full system snapshots, so also no need to understand how data are stored. Granted it’s always helpful to know what you’re running, but not necessarily requisite, even for backups.
The poll did not ask specifically for self-hosted instances. You know you can buy hosted Nextclouds where the service provider hopefully cares for that stuff? So customers wouldn’t know which database they use. I don’t know which database my mail provider uses ¯\_(ツ)_/¯
Fair enough, I did assume the target audience was selfhosters based on the question.
As for provider backups - well, you’d hope. But M$ doesn’t do user available backups, so I’d be surprised if that was bundled by the average SaaS provider.
I write software for a living, and have worked with all 3 database options in the past. I don’t know what DB backend my nextcloud server is using, nor do I care.
“18% of car owners don’t know their brake fluid DOT rating.”
That is actually good news. Means that people more likely to be “normies” are adopting an alternative solution.
I can confirm I’m a newer user (not a normie) to Nextcloud and I don’t know or really care what it uses because it works so I haven’t had to learn what it is or how to debug it.
@biofaust@lemmy.world @otto@programming.dev This also means there are probably a ton of unpatched databases directly connected to an internet facing service lol
Not really, they might not know because it is a hosted service like from Hetzner, or they started some prebuilt (for example docker-compose) package, and most of those have the database attached locally without exposing it outside.
@kolorafa@lemmy.world It doesn’t really matter if it’s directly exposed. If the database is connected to a publicly available service you can feed it malicious data and commands.
Also docker-compose doesn’t change that you have to install updates and migrate to new major releases once in a while.
If you can feed the database malicious data and commands then you are directly connected to it or the application is not correctly sanitizing the data.
What you are talking about relates to “unpatched applications”, not to a database running behind an app, as the difference does matter.
You can have a 20-year-old database and it can still be totally secure if the application (which is the guard in that scenario) correctly and very strictly sanitizes its data.
So once again, it doesn’t matter if I don’t know what database is running inside some all-in-one app container, as long as this database is only accessed by the application and the application is up-to-date and secure.
Every rule has exceptions, but it almost always boils down to the application not correctly sanitizing untrusted data.
@kolorafa@lemmy.world I just don’t see the use of discussing extremely theoretical scenarios. Most hacks and privilege escalations are usually a chain of unpatched vulnerabilities. Running an unpatched database with an application on a server that is protected against all zero days is not what the real world looks like, so I don’t see why you’d want to make it appear like it wasn’t a big deal. A statement like that only lulls people who don’t know any better into a false sense of security.
In a sense, if you gain code execution on the application then you can just read the database credentials and authorize yourself to gain full access to data, as those applications don’t have any database access rules applied, so having an exploitable database or not doesn’t change anything.
But if we are talking about high security levels with complex inner-connected services with many apps connecting/talking to the database, or exposing the database outside by mistake, then yes, totally agree with you.
I’m not saying that you should use an old DB, I’m just saying that you don’t need to know what DB is used in a scenario where the app and database are a pre-packaged bundle, because when you update, you update the whole package, so you update both. You are not in control of the database used and you don’t even need to know; what you need to know and do is update the whole bundle ASAP.
In the case of Nextcloud, if you install it from snap/flatpak or use some bundled all-in-one container then you don’t know what database is used, and even if you know, it could be hard to do anything about it, as it is the package maintainer’s responsibility to update it.
But if it’s docker-compose with 2 containers, one for the DB, you are fully responsible, but then most likely you will know it is using mysql/postgres because it would be in your face.
Also you can use external services like Hetzner offers; then you know that you are using Nextcloud but you don’t know what they decided to use as the database backend. You are paying for a service! So it’s like asking if you know which database is used by the Lemmy instance that you use.
Long story short: (as a user) if the database is bundled in the app in a way that it is not accessible from outside and is updated together with the app, or you are paying for it as a service, you as a user not knowing what database is running, or even if it is using a database at all, doesn’t matter. Just make sure it’s up-to-date.
True, you have a valid point about an outdated version of a database running in the background, as it does matter when you breach the previous layers.
My example was a little overreaching, because it sounded like you personally choosing to run an old version is fine. Or like it doesn’t matter at all. Which is not true. It just matters way, way less in comparison to running an old/exploitable part that is exposed directly to the internet without any protection.
That should be possible to solve even locally by making new versions a requirement, etc., right?
Whatever the docker compose file that I found had
I also have no idea if my place has PVC or galvanized steel plumbing, or its designed electrical load. Why should users care about the DBMS?
If you need to fix something, you should know what it is.
I’ll get that info as soon as something breaks, I guess.
The rule of internet polls is that the funniest answer is always over-represented.
I have five users, max, and barely any files. I don’t know which one Nextcloud AIO uses and I don’t care. There’s no wrong answer for such a small deployment. It uses whatever database Nextcloud felt was sensible as the default. They know more about picking the right tool for their requirements than I do.
If I’m building something for myself, then I care.
Isn’t that the whole point of containerised solutions? Having some pre-setup, auto-updating solution with very little requirement to dive into the details like what your database is and which dependencies you need to manage…
You still need to know what database system is being used in order to make backups of the database. You can’t just snapshot or backup the data directory while a database is running, because you might end up with an inconsistent state that won’t restore properly. You need to either stop the DB before doing the backup, or use the relevant DB-specific tools to perform a backup.
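The point above about copying files under a running database, shown for SQLite in WAL mode as an added example that is not part of any post in this thread. The table and file names are constructed, and it uses Python's built-in `sqlite3` module rather than anything Nextcloud-specific: a copy of the main database file alone misses rows that are committed but still sit in the write-ahead log, while SQLite's online backup API captures all of them.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path


def count_rows(db_path):
    """Open a database file on its own and count rows in the sample table."""
    conn = sqlite3.connect(str(db_path))
    try:
        return conn.execute("SELECT COUNT(*) FROM files").fetchone()[0]
    finally:
        conn.close()


def compare_backups():
    """Return (rows in naive file copy, rows in online backup) of a live WAL DB."""
    with tempfile.TemporaryDirectory() as tmp:
        live_db = Path(tmp, "app.db")  # constructed stand-in for an app database

        # The "application": a connection that stays open while backups run.
        app = sqlite3.connect(str(live_db), isolation_level=None)  # autocommit
        app.execute("PRAGMA journal_mode=WAL").fetchall()
        app.execute("PRAGMA wal_autocheckpoint=0").fetchall()  # no auto checkpoints
        app.execute("CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)")
        app.executemany("INSERT INTO files (name) VALUES (?)",
                        [("a.txt",), ("b.txt",), ("c.txt",)])
        # Flush the WAL: these 3 rows are now in app.db itself.
        app.execute("PRAGMA wal_checkpoint(TRUNCATE)").fetchall()

        # Two more committed rows; they exist only in app.db-wal for now.
        app.executemany("INSERT INTO files (name) VALUES (?)",
                        [("d.txt",), ("e.txt",)])

        # Naive backup: copy just the main database file while the app runs.
        naive = Path(tmp, "naive.db")
        shutil.copy(live_db, naive)

        # Online backup: SQLite's backup API copies a consistent snapshot.
        online = Path(tmp, "online.db")
        dest = sqlite3.connect(str(online))
        app.backup(dest)
        dest.close()

        result = (count_rows(naive), count_rows(online))
        app.close()
        return result


if __name__ == "__main__":
    print(compare_backups())
```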
Most of my containerized solutions do that for me.
Which containers do automatic DB backups? Normally the database is a separate container, unless the app is using SQLite. Is there a MySQL or PostgreSQL container that does automated backups?
So one in five doesn’t do proper backups. That’s much better than expected… 😅
I’d say 9/10 aren’t doing proper backups given most people don’t actually do DR runs and verify whether they can fully recover from their backups. If you don’t test your backups, you don’t have backups!
90% is a bit low if the requirement is a full backup of nextcloud with database that is easily restorable.
If they do backups, most just copy the important stuff manually to an external hard drive.
*18% of the people who answered a poll on Mastodon
It’s funny that the headline frames it as “a big number” when in reality the majority of users don’t know what database they’re using and probably don’t even know what a database is. Such polls aren’t useless but you always get skewed results towards the more technical population. They would have to create a poll inside the Nextcloud webapp to get more balanced results.
There’s heaps of hosted Nextcloud services. Those users wouldn’t know.
Nextcloud is pushed as an easy to use docker setup these days, heck most people I know who “use” it don’t do much with it at all so what database it is using is gonna be way back in their list of priorities…
Plus the users outweigh the admins surely (as in those that just install then forget)
Honestly, does it matter to a regular user?
There will be some that do matter, if I were to run NC I would use Lite because why throw the data to another process just to write it to a disk when I only have a single node.
Well, it does depend on your exact use case, but using a proper database is usually the better option for production. Now if this is just some little service you made for yourself, use whatever you want.
SQLite is a proper database. Realistically you’ll never exhaust its 278tb storage limits, it’s thoroughly battle tested, and it’s dead easy to backup.
I doubt Nextcloud is running enough parallel DB writes for this to actually matter, and if it is, WAL mode is still probably good enough.
Once you have multiple software clients running then you will need a client server dbms like Postgres. For most home or group installations, this should not be an issue.
Even if you have multiple clients (most have a phone + laptop) WAL would be able to handle that easily, have you seen the benchmarks?
Since Nextcloud stores your actual data on the disk, it doesn’t actually matter all that much tbh
Where’s the option for “what’s a database?”
Agree - I’m sharing files, not databases…
I’m not even sharing files, I’m sharing mp3’s and some zips. Duh.