Cloud Commander Runbook

Health Check

ssh [email protected] 'curl -sI http://localhost:8000 | head -1'
# Expect: HTTP/1.1 200 OK

Common Issues

oauth2-proxy or PocketID misconfiguration.

Verify the PocketID client cloudcmd exists with callback https://cmd.eva-00.network/oauth2/callback.

Check Vault has all three keys at secret/external-oauth2-proxies:

vault kv get secret/external-oauth2-proxies | grep cloudcmd

Check the proxy container is running on LXC 119:

ssh [email protected] docker logs oauth2-proxy-cloudcmd --tail 50

Container won't start

ssh [email protected] docker logs cloudcmd --tail 100

Most common: malformed /opt/cloudcmd/.cloudcmd.json. Validate with python3 -m json.tool /opt/cloudcmd/.cloudcmd.json.

File operations fail with EACCES

Cloud Commander runs as 0:0 (root) — same as Filebrowser. If you see permission denied, the bind-mount itself is the issue, not the container. Check the Proxmox mount config on host chizuru:

ssh [email protected] 'pct config 126 | grep mp'

Port 8000 already in use

Port 8000 is used by Cloud Commander on LXC 126. Note this overlaps with gluetun.eva-00.network upstream (192.168.1.110:8000), but those are different LXCs — no conflict in practice. If a future service on LXC 126 needs port 8000, remap Cloud Commander to another port and update both the Caddy block and this runbook.

Restart

ssh [email protected] 'cd /opt/cloudcmd && docker compose restart'

Update version

Edit services/cloudcmd/docker-compose.yml, bump the image: tag, commit, push. The filebrowser workflow re-runs and pulls the new image.