fix chown permission issue custom_apps dir #686

Closed
wants to merge 1 commit into from

@onny onny commented Mar 12, 2019

Fix issue #620 mounting custom app with correct permissions

So the mount to /var/www/html/custom_apps gets the correct permissions, otherwise web based installation page throws an error.

@J0WI
Contributor

J0WI commented Mar 13, 2019

@tilosp is there a reason why we shouldn't touch the permissions of mounted files? There might be other locations like NEXTCLOUD_DATA_DIR.
@onny please make sure that all checks are passing.

@tilosp
Member

tilosp commented Mar 13, 2019

@J0WI there are 3 reasons i can think of:

  1. it's slow (see for example For big installations, chown of data folder is taking a looong time #26)
  2. it only works if the container is started as root
  3. some mounts don't support it. for example some cifs mounts

i don't think it makes sense to merge this, it is only really useful if you mount a host folder into the container. And in this situation it's reasonable to either change the owner/permissions manually or run the container with the right uid.

@onny
Author

onny commented Mar 13, 2019

@tilosp

> i don't think it makes sense to merge this, it is only really useful if you mount a host folder into the container. And in this situation it's reasonable to either change the owner/permissions manually or run the container with the right uid.

Changing the ownership on the host doesn't affect the mount in the docker container since it is not the mounted directory itself:

root@3c12c52ca62d:/var/www/html/custom_apps# ls -la
total 0
drwxr-xr-x  1 root     root  10 Mar  8 13:48 .
drwxrwxrwx  1 www-data root 428 Mar  8 13:48 ..
drwxr-xrwx 13     1000 1000 360 Mar  8 10:41 radio

Somehow Docker changes the user of the custom_apps directory to root while mounting into it. So the uid/gid of the app folder radio doesn't play any role here. But custom_apps has to be owned by www-data otherwise Nextcloud throws an error.

Also I'm not sure how to run the container with a different user correctly:

docker run --user=www-data -v /tmp/radio:/var/www/html/custom_apps/radio -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Docker doesn't start with user www-data.
Using chown in the Dockerfile seems to be the only way to mount and use custom apps into the container?
To avoid conflicts, maybe we could add a check if there is a mount into this directory before running chown ...
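
The check proposed above, combined with the three objections raised earlier in the thread (slow recursive chown, chown needs root, some mounts reject it), as an added example that is not part of the thread or of the image's entrypoint. The function names, decision labels and the `MOUNTINFO` override are assumptions made for illustration, and the demo runs on a constructed temp tree and a constructed one-line mountinfo.

```shell
#!/bin/sh
# Added example (not the image's entrypoint). Function names and decision
# labels are assumptions made for illustration.
MOUNTINFO="${MOUNTINFO:-/proc/self/mountinfo}"   # field 5 = mount point

# True if DIR itself is a mount point.
is_mount() {
    D="$1" awk '$5 == ENVIRON["D"] { f = 1 } END { exit !f }' "$MOUNTINFO"
}

# True if something is mounted somewhere below DIR (e.g. custom_apps/radio).
has_mount_below() {
    D="$1/" awk 'index($5, ENVIRON["D"]) == 1 { f = 1 } END { exit !f }' "$MOUNTINFO"
}

# Numeric owner of DIR, via POSIX ls rather than GNU stat.
owner_uid() { ls -nd "$1" | awk '{ print $3 }'; }

# plan_chown DIR WANT_UID EUID -> prints one decision label.
plan_chown() {
    if [ "$(owner_uid "$1")" = "$2" ]; then
        echo skip-already-owned        # nothing to do, no slow tree walk
    elif [ "$3" != 0 ]; then
        echo skip-not-root             # started with --user: chown cannot work
    elif is_mount "$1"; then
        echo skip-is-mount             # leave ownership of mounted data alone
    elif has_mount_below "$1"; then
        echo chown-parent-only         # fix the root-owned parent, not the mount
    else
        echo chown-recursive
    fi
}

# Demo on constructed data: a temp tree and a one-line mountinfo file.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/custom_apps/radio"
    echo "99 98 0:50 / $t/custom_apps/radio rw - ext4 /dev/sda1 rw" > "$t/mi"
    ( MOUNTINFO="$t/mi"; plan_chown "$t/custom_apps" "$(( $(id -u) + 1 ))" 0 )
    rm -rf "$t"
}
demo
```

An entrypoint acting on `chown-parent-only` would run a non-recursive `chown` on the parent directory only, so the mounted subtree keeps its host ownership.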

@tilosp
Member

tilosp commented Mar 13, 2019

@onny have you tried starting it with --user 1000?

@J0WI
Contributor

J0WI commented Mar 13, 2019

I think this is because of the folder creation...
Does it work for you if you mount the whole custom_apps instead of custom_apps/radio?

@onny
Author

onny commented Mar 13, 2019

@tilosp

docker run --user=1000 -v /tmp/radio:/var/www/html/custom_apps/radio -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
(13)Permission denied: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

@J0WI:

docker run -v /tmp/custom_apps:/var/www/html/custom_apps -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Mar 13 16:51:07.807704 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.14 configured -- resuming normal operations
[Wed Mar 13 16:51:07.807778 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
[...]

localhost:8080:

Cannot write into "apps" directory

This can usually be fixed by giving the webserver write access to the apps directory or disabling the appstore in the config file. See https://docs.nextcloud.com/server/15/go.php?to=admin-dir_permissions
docker exec -it hardcore_germain /bin/bash
root@fef949f0e1e6:/var/www/html# ls -la
total 104
drwxrwxrwx 1 www-data root   428 Mar 13 16:52 .
drwxrwxr-x 1 www-data root    16 Jan 16 01:24 ..
[...]
-rw-r--r-- 1 www-data root  4979 Mar 13 16:52 cron.php
drwxr-xr-x 3     1000 1000    60 Mar 13 16:50 custom_apps
[...]
root@fef949f0e1e6:/var/www/html# cat /etc/passwd | grep www-data
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin

@tilosp
Member

tilosp commented Mar 13, 2019

@onny sorry i forgot, you also need --sysctl net.ipv4.ip_unprivileged_port_start=0

@onny
Author

onny commented Mar 13, 2019

@tilosp thanks for helping out. here is the result:

docker run --user 33 --sysctl net.ipv4.ip_unprivileged_port_start=0 -v /tmp/radio:/var/www/html/custom_apps/radio -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Mar 13 17:54:52.011625 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.14 configured -- resuming normal operations
[Wed Mar 13 17:54:52.011721 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
www-data@197691af9e44:~/html/custom_apps$ ls -la
total 0
drwxr-xr-x  1 root     root  10 Mar 13 17:54 .
drwxrwxrwx  1 www-data root 428 Mar 13 17:54 ..
drwxr-xr-x 13     1000 1000 360 Mar 13 16:35 radio

other test

docker run --user 1000 --sysctl net.ipv4.ip_unprivileged_port_start=0 -v /tmp/radio:/var/www/html/custom_apps/radio -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Mar 13 17:56:26.601537 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.14 configured -- resuming normal operations
[Wed Mar 13 17:56:26.601631 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
I have no name!@afcbe4ccb0ac:/var/www/html/custom_apps$ ls -la
total 0
drwxr-xr-x  1 root     root  10 Mar 13 17:56 .
drwxrwxrwx  1 www-data root 428 Mar 13 17:56 ..
drwxr-xr-x 13     1000 1000 360 Mar 13 16:35 radio

other test

docker run --user www-data --sysctl net.ipv4.ip_unprivileged_port_start=0 -v /tmp/radio:/var/www/html/custom_apps/radio -p 8080:80 nextcloud
Initializing nextcloud 15.0.2.0 ...
Initializing finished
New nextcloud instance
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 172.17.0.2. Set the 'ServerName' directive globally to suppress this message
[Wed Mar 13 17:57:46.378823 2019] [mpm_prefork:notice] [pid 1] AH00163: Apache/2.4.25 (Debian) PHP/7.2.14 configured -- resuming normal operations
[Wed Mar 13 17:57:46.378912 2019] [core:notice] [pid 1] AH00094: Command line: 'apache2 -D FOREGROUND'
www-data@5b68e633fd13:~/html/custom_apps$ ls -la
total 0
drwxr-xr-x  1 root     root  10 Mar 13 17:57 .
drwxrwxrwx  1 www-data root 428 Mar 13 17:57 ..
drwxr-xr-x 13     1000 1000 360 Mar 13 16:35 radio

in any case getting the nextcloud error:

Error
Cannot write into "apps" directory
This can usually be fixed by giving the webserver write access to the apps directory or disabling the appstore in the config file. See https://docs.nextcloud.com/server/15/go.php?to=admin-dir_permissions

@tilosp
Member

tilosp commented Mar 13, 2019

are you trying to setup a dev environment? if this is the case take a look at https://github.com/David-Development/nextcloud-dev-docker
it uses a third app dir, that is read only for nextcloud, to avoid this error

@onny
Author

onny commented Mar 13, 2019

@tilosp yep that's the case. I also used different nextcloud docker containers successfully before but I was hoping to get the official one running :/

@tilosp
Member

tilosp commented Mar 13, 2019

@onny it's based on the official one, and it might later become the official dev image

@lazka
Contributor

lazka commented Jun 23, 2020

What's the recommended docker-compose setup for app development nowadays? This issue still prevents the use of the official images and nextcloud-dev-docker is abandoned.

@J0WI
Contributor

J0WI commented Jun 23, 2023

Closing in favour of #1964

@J0WI J0WI closed this Jun 23, 2023