CasaOS – A simple, easy-to-use, elegant open-source home cloud system(casaos.io)
casaos.io
CasaOS – A simple, easy-to-use, elegant open-source home cloud system
https://casaos.io
35 comments
It doesn't run VMs because it clearly says that it's running Docker containers.
It's also been posted to HN a year a go.
It's also been posted to HN a year a go.
Didn't quick Ctrl+F, neither the landing page not the GitHub README mentions the word "container" once.
Is that what a "cloud" is? Runs containers? Is that obvious?
Is that what a "cloud" is? Runs containers? Is that obvious?
I _was_ going to take a look, but the trendy page design is effectively unreadable on mobile... just FYI.
Also references JQuery.
Headquartered in the PRC
Interesting, but no, thanks!
Interesting, but no, thanks!
Yeah I noticed that too. Sorry but no way I'm installing this given that.
Looks like the company running this is simply located in a co-working space in China. Didn't know that just living in China made you a possible PRC asset.
All Chinese companies are possible PRC assets:
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-da...
Note - I'm not commenting about whether these guys are PRC assets or not. Or whether there is anything nefarious going on at all. I'm just pointing out that they could be compelled to become assets, even if that's against their wishes.
https://www.cnbc.com/2019/03/05/huawei-would-have-to-give-da...
Note - I'm not commenting about whether these guys are PRC assets or not. Or whether there is anything nefarious going on at all. I'm just pointing out that they could be compelled to become assets, even if that's against their wishes.
I mean, and all US companies are possible NSA/CIA assets. Which is kinda worse because it was already proven more than once. Snowden and PRISM, anyone?
Kinda worse? That's highly debatable. It's just a different risk profile. I personally don't expect the US government to take an interest in my activities, but I'm not as convinced about the Chinese for various reasons.
More to your point, as far as I'm aware, individuals can't be forced under law to cooperate with US intelligence. In China, individuals have to cooperate - by law - and the penalties for non-compliance are harsh.
In the case of an open source project maintained by individuals, that's an important consideration.
More to your point, as far as I'm aware, individuals can't be forced under law to cooperate with US intelligence. In China, individuals have to cooperate - by law - and the penalties for non-compliance are harsh.
In the case of an open source project maintained by individuals, that's an important consideration.
"living in China made you a possible PRC asset"
Unfortunately, really anything coming out of China might be a PRC asset. We just wouldn't know unless it was too late.
Unfortunately, really anything coming out of China might be a PRC asset. We just wouldn't know unless it was too late.
I mean gitea is too, as long as its fully open source its OK for me personally.
How do you know the packaged binaries were built from the published source?
You don't. If you are paranoid you can just build it yourself!
How do you know your compiler was built from its published sources? :)
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
https://www.cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Ref...
I think I just shut down the machine for demo.casaos.io. Sorry, I didn't realize the "Shutdown" button would actually shut it down for everyone...
Maybe you shouldn't use the word cloud for something that works locally and respects your privacy.
This is just a private Cloud type platform. Private Clouds are perfectly normal.
Really? Cloud implies it's ephemeral, typically by outsourcing to someone else.
I'm not sure about that. Cloud can involve virtualized resources that can be provisioned or deprovisioned dynamically based on demand but, it doesn't necessarily imply that the software / data in the cloud is ephemeral. Both can be designed to be persistent and durable, with long-term storage and retention. I think you're confusing an accident for an essence.
Having just gone through certifications for 2 of the 3 big providers, the people who are known for providing cloud services think private clouds are a thing.
No, that is wrong. Have you ever heard of Azure Stack Hub? It’s an Edge Cloud. You manage it yourself
sudo bash? really?
And it only works for Linux+systemd+Docker, so it's not like a script is needed to adapt to many environments.
I also don't like it, but it is less common now a days
https://github.com/pi-hole/pi-hole#method-2-manually-downloa...
https://github.com/pi-hole/pi-hole#method-2-manually-downloa...
Yes the easiest method for beginners
You are free not to use it.
How? There isn't any other installation documentation. In fact it doesn't look like there is any documentation at all.
my first guess would normally be to look at the shell script[0] and follow along, but it looks like it's not super easy to follow. It's also not very easy to audit, for that matter.
I do see it using its root privileges to force-install packages without prompting (it uses `apt-get` rather than `apt`—why?), and it's completely unclear that I'd be consenting to this.
Actually, the reason why I don't execute arbitrary code on my machine as root is because it's impossible not to consent to having packages force-installed without prompt.
So the shell script installer grants this app a hard pass for me.
[0]: http://get.casaos.io/
I do see it using its root privileges to force-install packages without prompting (it uses `apt-get` rather than `apt`—why?), and it's completely unclear that I'd be consenting to this.
Actually, the reason why I don't execute arbitrary code on my machine as root is because it's impossible not to consent to having packages force-installed without prompt.
So the shell script installer grants this app a hard pass for me.
[0]: http://get.casaos.io/
apt is asking you not to use apt in scripts because it doesn't yet have a stable cli interface yet.
> apt is asking you not to use apt in scripts because it doesn't yet have a stable cli interface yet.
Oh, nice catch
Oh, nice catch
> the easiest method for beginners
Why do people think this way? Honest question.
People create "installers" like these with the goal of making Just One Command that Does Everything For You, saying stuff like "easiest method for beginners". This is suboptimal for many reasons.
I don't want Just One Command that Does Everything For Me. I control the machine; I want to command it myself. This is one of Linux's main selling points. But even for people who don't think this way and just want to install your software quickly, I have concerns.
Providing this installer script as the only way to install your software distribution is actually setting people up for failure:
- Nobody knows how the script works, if it fails they have no way to debug what happened except grepping for log messages in the source code and guessing. At that point just read the whole script and do it manually.
- If the script isn't compatible with their setup, they can't just do the equivalent for their computer, because they might not even know what they need to do. And even if they do figure it out, how will they move on to the next step? They can't just re-run the script if it's not compatible with their setup, remember. Back to reading the whole script and doing it manually.
- The script performs arbitrary changes to their system configuration without asking, like updating repositories(!) and installing dependencies. That's not an OK thing for you to do without asking. And on some rolling-release distributions, like Arch, you never want to update repositories carelessly. Because, if the rest of the system's packages are left outdated after a repository update, they may no longer be compatible with the latest packages available upstream. But you update repositories, on Arch, without telling the user you did so. On Arch, one of the most active rolling-release distributions. So not only will the dependencies you install yourself not necessarily be compatible with the rest of the system—because Arch—random future package installs may also be screwed until the next full system upgrade. Which may never happen if the user never figures out what the problem is.
I sort of lost interest in installing the thing myself, so I never completed my personal audit, but I would recommend, at the very least, not installing packages or updating repositories without prompting first, and also publishing documentation on how to install this without running a fricken' shell script as root, which is not even an acceptable thing to teach "beginners" in the first place. They should be taught not to run things they don't trust, and definitely not to blindly run any shell script from any random website as root.
Sure, it may be 'easy' (for some definition of easy) for 'beginners' (for some definition of beginners) but please don't.
Why do people think this way? Honest question.
People create "installers" like these with the goal of making Just One Command that Does Everything For You, saying stuff like "easiest method for beginners". This is suboptimal for many reasons.
I don't want Just One Command that Does Everything For Me. I control the machine; I want to command it myself. This is one of Linux's main selling points. But even for people who don't think this way and just want to install your software quickly, I have concerns.
Providing this installer script as the only way to install your software distribution is actually setting people up for failure:
- Nobody knows how the script works, if it fails they have no way to debug what happened except grepping for log messages in the source code and guessing. At that point just read the whole script and do it manually.
- If the script isn't compatible with their setup, they can't just do the equivalent for their computer, because they might not even know what they need to do. And even if they do figure it out, how will they move on to the next step? They can't just re-run the script if it's not compatible with their setup, remember. Back to reading the whole script and doing it manually.
- The script performs arbitrary changes to their system configuration without asking, like updating repositories(!) and installing dependencies. That's not an OK thing for you to do without asking. And on some rolling-release distributions, like Arch, you never want to update repositories carelessly. Because, if the rest of the system's packages are left outdated after a repository update, they may no longer be compatible with the latest packages available upstream. But you update repositories, on Arch, without telling the user you did so. On Arch, one of the most active rolling-release distributions. So not only will the dependencies you install yourself not necessarily be compatible with the rest of the system—because Arch—random future package installs may also be screwed until the next full system upgrade. Which may never happen if the user never figures out what the problem is.
I sort of lost interest in installing the thing myself, so I never completed my personal audit, but I would recommend, at the very least, not installing packages or updating repositories without prompting first, and also publishing documentation on how to install this without running a fricken' shell script as root, which is not even an acceptable thing to teach "beginners" in the first place. They should be taught not to run things they don't trust, and definitely not to blindly run any shell script from any random website as root.
Sure, it may be 'easy' (for some definition of easy) for 'beginners' (for some definition of beginners) but please don't.
I also love the "featured in Hackernews". This post has 9 points as I'm writing this.