Struggling with filesystem permissions for Nextcloud

I’m trying to deploy Nextcloud and have its DB and data dirs mounted in from an NFS storage volume. I used the official Nextcloud pack as the starting point, added the volumes I needed, and adjusted the mounts:

job "nextcloud" {
  region = "global"
  datacenters = ["dc1"]
  namespace   = "default"
  type        = "service"
  
  constraint {
    attribute = "${attr.kernel.name}"
    operator  = "="
    value     = "linux"
  }

  group "nextcloud" {
    volume "nextcloud-www-html" {
      type            = "csi"
      source          = "nextcloud-www-html"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    volume "nextcloud-postgres" {
      type            = "csi"
      source          = "nextcloud-postgres"
      read_only       = false
      attachment_mode = "file-system"
      access_mode     = "multi-node-multi-writer"
    }

    network {
      mode = "bridge"
      port "http" {
        to = 80
      }
      port "db" {
        to = 5432
      }
    }

    task "application" {
      driver = "docker"

      config {
        image = "nextcloud:latest"
        args = []
      }

      volume_mount {
        volume      = "nextcloud-www-html"
        destination = "/var/www/html"
      }

      resources {
        cpu    = 2000
        memory = 4048
      }

      env {
        NEXTCLOUD_ADMIN_USER = "admin"
        NEXTCLOUD_ADMIN_PASSWORD = "password"
        NEXTCLOUD_DATA_DIR = "/var/www/html/data"
        POSTGRES_DB = "nextcloud"
        POSTGRES_USER = "nextcloud"
        POSTGRES_PASSWORD = "password"
        POSTGRES_HOST = "localhost"
      }
    }

    task "database" {
      driver = "docker"
      
      service {
        name = "nextcloud-db"
        port = "db"
        tags = ["postgres"]
        check {
          type     = "tcp"
          interval = "30s"
          timeout  = "2s"
        }
      }

      config {
        image = "postgres:9.6.14"
      }

      volume_mount {
        volume      = "nextcloud-postgres"
        destination = "/var/lib/postgresql/data"
      }

      env {
        POSTGRES_DB = "nextcloud"
        POSTGRES_USER = "nextcloud"
        POSTGRES_PASSWORD = "password"
        POSTGRES_HOST = "localhost"
        # PGDATA must point at the mounted volume, otherwise the cluster is
        # initialised in the container's writable layer instead of the NFS volume
        PGDATA = "/var/lib/postgresql/data"
      }

      
      resources {
        cpu    = 100
        memory = 512
      }
    }

    task "create-data-dirs" {
      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      driver = "raw_exec"

      config {
        command = "sh"
        args = ["-c", "mkdir -p /var/lib/postgresql/data && chown 1001:1001 /var/lib/postgresql/data && mkdir -p /var/www/html && chown 1001:1001 /var/www/html"]
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }
  }
}

Once deployed, the app container actually starts up fine and populates the www/html dir with a bunch of data. The issue is that during initialization it then prints hundreds of permission denied errors from rsync, seemingly for every single file it put into the dir. Here’s a few lines from the logs:

...
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.AccountsRequestBuilder.php.AKKaZN" failed: Operation not permitted (1)
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.CircleRequest.php.qgIET7" failed: Operation not permitted (1)
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.CircleRequestBuilder.php.pVt2ST" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/appinfo" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/appinfo/v1" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/appinfo/v2" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/composer" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/composer/composer" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/css" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/img" failed: Operation not permitted (1)
rsync: [generator] chown "/var/www/html/apps/dav/l10n" failed: Operation not permitted (1)
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.CoreQueryBuilder.php.zOnTPW" failed: Operation not permitted (1)
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.CoreRequestBuilder.php.juWlog" failed: Operation not permitted (1)
rsync: [receiver] chown "/var/www/html/apps/circles/lib/Db/.DeprecatedRequestBuilder.php.z5lIcn" failed: Operation not permitted (1)
...

In the original pack, filesystem storage is used, while I’m trying to use this NFS CSI plugin for storage. I assume that’s where the issue stems from… but I can’t find a way to specify permissions for the volume mount in any way.

I already tried replacing the create-data-dirs task with one that mounts the actual volumes into a Docker container and attempts setting permissions there, but it didn’t make a difference.

Any ideas?

Hi. What is going on with the last task? Did you mean to mount something there? Why are you creating some directories on the host?

So what are the permissions of the directory? Add something along the lines of (also a tip: you can use <<)

entrypoint=["sh","-xc",<<EOF
id
whoami
stat "/var/www/html"
ls -la "/var/www/html"
sleep infinity
EOF
]

to the “application” container and check the logs. Also, with sleep infinity, you can then nomad exec into the container and init stuff manually.

I wonder what is args=[] doing? What is the user in the nextcloud container?

I took that last task from the official Nextcloud Nomad pack, which assumes local filesystem storage. I of course tried it without at first, but I had the same issue, so I thought I’d see if it’d somehow make a difference. As I mentioned, I also tried an alternative where instead of using raw_exec, it starts a generic BusyBox image with the actual volumes mounted into it and sets the permissions there — but that itself fails with chown: Permission denied.

Let me try your suggestions now!

Thank you @Kamilcuk, your suggestion pointed me the right way.

id in the container returned 0, but the share is owned on my NAS by a user 999. I simply set user = "999" in the task "application" stanza, and the permission errors disappeared!
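The diagnosis above (compare the uid the task runs as with the uid that owns the NFS-backed directory, then run the task as that uid instead of root) can be scripted so it gives a clear verdict rather than a page of rsync errors. The following is an added example, not code from the thread or from the Nextcloud pack; it assumes a GNU or BusyBox `stat` in the container, and the function and variable names are the author's own. Drop it into the `sh -xc` entrypoint from the earlier reply, or run it after `nomad alloc exec -task application <alloc-id> sh`.

```sh
#!/bin/sh
# Added example: detect a uid mismatch between the container process and an
# NFS volume mount, which is what produced the "chown ... Operation not
# permitted" errors from rsync above. Not part of the original thread.

# Numeric owner uid of a path. GNU stat (Debian-based nextcloud image) and
# BusyBox stat both accept -c '%u'.
volume_owner_uid() {
  stat -c '%u' "$1"
}

# Compare the owner of DIR with a uid (default: the current effective uid).
# Prints "match" on success, "mismatch owner=<uid> me=<uid>" otherwise.
# Exit status: 0 match, 1 mismatch, 2 path not readable.
check_volume_uid() {
  dir=$1
  me=${2:-$(id -u)}
  owner=$(volume_owner_uid "$dir" 2>/dev/null) || return 2
  if [ "$owner" = "$me" ]; then
    echo "match"
    return 0
  fi
  echo "mismatch owner=$owner me=$me"
  return 1
}

# Emit the task-level Nomad setting that makes the task run as the volume
# owner, i.e. the fix that resolved the thread (user = "999" in that case).
nomad_user_setting() {
  printf 'user = "%s"\n' "$(volume_owner_uid "$1")"
}

# Probe whether chown is even permitted on the mount. Root-squashed NFS
# exports refuse chown from uid 0, which is why chowning from a BusyBox
# helper container did not help either. Prints "chown-ok" or "chown-denied".
probe_chown() {
  dir=$1
  probe="$dir/.chown-probe.$$"
  : > "$probe" || { echo "no-write"; return 2; }
  if chown "$(id -u)" "$probe" 2>/dev/null; then
    rm -f "$probe"; echo "chown-ok"; return 0
  fi
  rm -f "$probe"; echo "chown-denied"; return 1
}

# Stand-alone run: report on the Nextcloud web root if it exists.
if [ -d /var/www/html ]; then
  id
  check_volume_uid /var/www/html || nomad_user_setting /var/www/html
  probe_chown /var/www/html
fi
```

The important check is the second argument to `check_volume_uid`: on a squashed NFS export the container's `id` reporting 0 is not "all permissions", it is a uid that the server maps to nobody, so the right fix is to run the task as the export's owner rather than to try harder at `chown`.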
