Chmod(): Operation not permitted issues after volume migration in Docker

Hi there,

I recently deployed Nextcloud v via Docker Compose.
The system is up and running and working well except the following 2 errors:

chmod(): Operation not permitted at /var/www/html/lib/private/Log/File.php#84

chmod(): Operation not permitted at /var/www/html/lib/private/Config.php#288

I had to move the data folder post-installation to a new directory and the ownership was lost in the process. To get it all running again I changed the ownership of all files and folders back to www-data:www-data but it seems this was not enough.

I believe the above error appeared after adding a new application to Nextcloud through the App page.

Permissions for the files are:

-rwxrwx--- 1 www-data www-data 9516 Jul  9 17:31 Config.php
-rwxrwx--- 1 www-data www-data 4252 Jul  9 17:31 ./Log/File.php

Any pointers are highly appreciated. Thanks!

As always, please provide your docker compose file and more of the log context. Files and folders are expected to be 750/640 but I don’t think this is a reason. More likely your docker container has no rights to change the files for some reason.

A simple search for the log message lists some promising results, e.g. Chmod(): Operation not permitted at /usr/share/webapps/nextcloud/lib/private/Log/File.php#84


Thanks for your help.
I did check the other posts I could find but did not find a conclusive answer unfortunately :worried:

Please see the detailed log data:


{"reqId":"yUOvcVQkxZzCJH88yuWq","level":3,"time":"2024-07-12T14:28:51+00:00","remoteAddr":"10.0.0.1","user":"admin","app":"PHP","method":"GET","url":"/settings/apps/update/calendar","message":"chmod(): Operation not permitted at /var/www/html/lib/private/Config.php#288","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","version":"29.0.3.4","data":{"app":"PHP"}}
{"reqId":"yUOvcVQkxZzCJH88yuWq","level":3,"time":"2024-07-12T14:28:57+00:00","remoteAddr":"10.0.0.1","user":"admin","app":"PHP","method":"GET","url":"/settings/apps/update/calendar","message":"chmod(): Operation not permitted at /var/www/html/lib/private/Config.php#288","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","version":"29.0.3.4","data":{"app":"PHP"}}
{"reqId":"yUOvcVQkxZzCJH88yuWq","level":3,"time":"2024-07-12T14:28:57+00:00","remoteAddr":"10.0.0.1","user":"admin","app":"PHP","method":"GET","url":"/settings/apps/update/calendar","message":"chmod(): Operation not permitted at /var/www/html/lib/private/Log/File.php#84","userAgent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36","version":"29.0.3.4","data":{"app":"PHP"}}

And please see the compose file below:

services:
  nextcloud:
    env_file:
      - ./.env
    hostname: ${SERVICE_NAME}
    networks:
      - docker_main
    image: nextcloud
    container_name: nextcloud
    restart: always
    volumes:
      - /mnt/Nextcloud:/var/www/html
    environment:
      - TZ=${TZ}
      - POSTGRES_HOST=postgres
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=${DB_USER}
      - POSTGRES_PASSWORD=${DB_PASS}
      - REDIS_HOST=redis
      - NEXTCLOUD_ADMIN_USER=${NC_USER}
      - NEXTCLOUD_ADMIN_PASSWORD=${NC_PASS}
      - NEXTCLOUD_TRUSTED_DOMAINS=${HOST_NAME}
      - PHP_MEMORY_LIMIT=1G
      - TRUSTED_PROXIES=10.0.0.1/32
      - OVERWRITEPROTOCOL=https
      - NC_default_phone_region=US
    labels:
      - traefik.enable=true
      - traefik.http.routers.${SERVICE_NAME}.entrypoints=web
      - traefik.http.routers.${SERVICE_NAME}.rule=Host(`${HOST_NAME}`)
      - traefik.http.middlewares.${SERVICE_NAME}-https-redirect.redirectscheme.scheme=https
      - traefik.http.routers.${SERVICE_NAME}.middlewares=${SERVICE_NAME}-https-redirect
      - traefik.http.routers.${SERVICE_NAME}-secure.entrypoints=websecure
      - traefik.http.routers.${SERVICE_NAME}-secure.rule=Host(`${HOST_NAME}`)
      - traefik.http.routers.${SERVICE_NAME}-secure.tls.certresolver=letsencrypt
      - traefik.http.routers.${SERVICE_NAME}-secure.tls=true
      - traefik.http.routers.${SERVICE_NAME}-secure.middlewares=nextcloud-dav,nextcloud-header
      - traefik.http.services.${SERVICE_NAME}-secure.loadbalancer.server.port=80
      - traefik.http.middlewares.${SERVICE_NAME}-dav.redirectRegex.regex=https://(.*)/.well-known/(card|cal)dav
      - traefik.http.middlewares.${SERVICE_NAME}-dav.redirectRegex.replacement=https://$${1}/remote.php/dav/
      - traefik.http.middlewares.${SERVICE_NAME}-dav.redirectRegex.permanent=true
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.referrerPolicy=no-referrer
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.stsSeconds=15552000
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.forceSTSHeader=true
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.stsPreload=true
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.stsIncludeSubdomains=true
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.browserXssFilter=true
      - traefik.http.middlewares.${SERVICE_NAME}-header.headers.customRequestHeaders.X-Forwarded-Proto=https
networks:
  docker_main:
    external: true

Thanks for your help

Sounds weird… I can’t access this URL in my system… Please try to isolate the origin of this request (some external app, client, script etc.). For further support, provide additional details like a support report (run occ support:report and occ config:list) and

This error is referenced in Update will always fail, beacuse of: Directory not empty, but there is an exception included - did you strip some data? If you did, I would focus on the directory mentioned there.

Please note that the error is not about those files, but occurring at those lines of code within those files.

The first is referring to your configured logfile (or the default located within your datadirectory called nextcloud.log).

The second is referring to your config.php (or the entire config/ folder).

EDIT: Given your compose file:

      - /mnt/Nextcloud:/var/www/html

Check the permissions of all of the files in (and folders themselves):

/mnt/Nextcloud/config ← from within your host
/mnt/Nextcloud/data ← same
/var/www/html/config ← from within your container
/var/www/html/data ← same

Thanks. I checked them on the host and inside the container.

The directories and files are owned by www-data:www-data in both host and container, with the exception of one file “nextcloud-init-sync.lock” which is owned by root (located in /var/www/html).

I migrated the individual user folders over after installation:

  • Deployed the docker container
  • created the users
  • copied the user folder files (files & files_versions) over
  • resynced the files for all users

Could user data cause the calendar issues or maybe a sync from CalDAV?
Also the error occurred once and since then it did not pop up again.

Update: I disabled and enabled some apps (incl. calendar) to see if I get the error again. I will monitor and see if it pops up again and what causes it.


Hi there,

I’m back again. Apparently it was not the issue of a few apps.
After a few app updates I can say that I get the error consistently with each and every app update.

To recap the error - consistently these 3 with every app update:

chmod(): Operation not permitted at /var/www/html/lib/private/Log/File.php#84
chmod(): Operation not permitted at /var/www/html/lib/private/Config.php#288
chmod(): Operation not permitted at /var/www/html/lib/private/Config.php#288

The log/file.php error seems to refer to this portion of the code.
I’m not sure which file it tries to access which could throw the error though:

	/**
	 * get entries from the log in reverse chronological order
	 */
	public function getEntries(int $limit = 50, int $offset = 0): array {
		$minLevel = $this->config->getValue("loglevel", ILogger::WARN);
		$entries = [];
		$handle = @fopen($this->logFile, 'rb');
		if ($handle) {
			fseek($handle, 0, SEEK_END);
			$pos = ftell($handle);
			$line = '';
			$entriesCount = 0;
			$lines = 0;

while it looks like the config.php error refers to this one:

		// Write the config and release the lock
		ftruncate($filePointer, 0);
		fwrite($filePointer, $content);
		fflush($filePointer);
		flock($filePointer, LOCK_UN);
		fclose($filePointer);

		if (function_exists('opcache_invalidate')) {
			@opcache_invalidate($this->configFilePath, true);
		}
	}

I have checked my folder and file permissions.
www-data is the owner and group for all. Permissions are set to -rwxrwx---
The only file which does not show www-data for both user and group is the nextcloud-init-sync.lock file. It has the correct group but root as user.
I see from posts that this file is created each time docker starts.

The mounted Nextcloud folder I use for the container is a TrueNAS SCALE dataset with ACL permissions and owner set to www-data:www-data

Does anyone have an idea what I can try?

Thanks a lot
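
The permission check suggested earlier in the thread (ownership plus the 750/640 modes, on the host and inside the container), as an added example that is not part of any post. It compares numeric UID/GID instead of names and re-applies each entry's current mode to see whether chmod itself is refused while ownership looks correct. The function name, the finding labels and the script name audit.sh are assumptions, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes GNU stat and find.
# Run it as the user PHP runs as, once on the host path and once in the
# container, e.g. (container name taken from the compose file above):
#   docker exec -i -u www-data nextcloud sh -s /var/www/html/config < audit.sh

# audit_tree ROOT UID GID  (hypothetical helper; prints one line per finding)
#   OWNER         numeric uid:gid differs from the expected pair
#   MODE          not 750 (directory) / 640 (file), the values quoted above
#   CHMOD-DENIED  chmod refused although nothing would change
audit_tree() (
    root=$1 want_uid=$2 want_gid=$3
    # Newline-delimited walk: paths containing newlines are not supported.
    find "$root" \( -type f -o -type d \) | while IFS= read -r path; do
        owner=$(stat -c '%u:%g' "$path")   # numeric IDs, not names
        mode=$(stat -c '%a' "$path")
        if [ -d "$path" ]; then want=750; else want=640; fi
        [ "$owner" = "$want_uid:$want_gid" ] || echo "OWNER $owner $path"
        [ "$mode" = "$want" ] || echo "MODE $mode (expected $want) $path"
        # Re-applying the current mode changes no permission bits (only
        # ctime), but it goes through the same check as PHP's chmod().
        chmod "$mode" "$path" 2>/dev/null || echo "CHMOD-DENIED $path"
    done
)

# Stand-alone use: audit the given directory against the invoking user.
if [ "$#" -gt 0 ]; then
    audit_tree "$1" "$(id -u)" "$(id -g)"
fi
```

A CHMOD-DENIED line for an entry that has no OWNER finding suggests the refusal comes from the storage layer or its ACL policy, not from file ownership.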