FUSE (rclone) mount into docker data volume "not writable"

I am trying to use external storage as the base directory for my files. To achieve that:

  1. Use a docker volume for the data directory: data:/var/www/html/data
    This means the container’s /var/www/html/data directory is mounted from the host’s /var/lib/docker/volumes/nextcloud_data/_data/.
  2. Mount my storage into the volume location on the host:
    # rclone mount my-remote: /var/lib/docker/volumes/nextcloud_data/_data/<user> --uid 33 --gid 33 --allow-non-empty

The web interface does not reflect any changes (other than being now unable to actually open the files).

When the mount directory is inspected from within the container as root, it appears perfectly fine:

user@host $ sudo docker exec --user root -it <container_id> /bin/bash

root@<container_id>:/var/www/html# ls -al /var/www/html/data/<user>/files/
total 99868
drwxr-xr-x 1 www-data www-data         0 Jul  3 11:29 .
drwxr-xr-x 4 www-data www-data      4096 Jul  3 11:09 ..
-rw-r--r-- 1 www-data www-data 102259473 Jul  2 18:21 video.mp4
-rw-r--r-- 1 www-data www-data         7 Jul  2 22:06 text.txt

Creating, copying, moving, editing… everything works as expected.
Note that uid, gid and permissions of the directory are set correctly.

However, when the same is done as user www-data, the result is unexpected:

user@host $ sudo docker exec --user www-data -it <container_id> /bin/bash

www-data@<container-id>:~/html$ ls -al /var/www/html/data/<user>/files/
ls: cannot access '/var/www/html/data/<user>/files/': Permission denied

www-data@<container-id>:~/html$ ls -al /var/www/html/data/<user>/
total 12
drwxr-xr-x 4 www-data www-data 4096 Jul  3 11:09 .
drwxrwx--- 4 www-data root     4096 Jul  2 23:58 ..
drwxr-xr-x 2 www-data www-data 4096 Jul  3 11:09 cache
d????????? ? ?        ?           ?            ? files

Any suggestions on what might be the issue here?

Setup details
  • Host: Debian 10 (OpenStack VPS)
  • Nextcloud 21.0.3
  • Docker 20.10.7
  • docker-compose 1.29.2
  • rclone v1.55.1
  • fusermount 2.9.9
# FILE: docker-compose.yml

version: '3'

services:
  db:
    image: mariadb
    restart: always
    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=<rpasswd>
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=<passwd>

  redis:
    image: redis:alpine
    restart: always

  app:
    image: nextcloud
    restart: always
    ports:
      - 9030:80
    volumes:
      - data:/var/www/html/data
    depends_on:
      - db
      - redis
    environment:
      - MYSQL_HOST=db
      - MYSQL_DATABASE=nextcloud
      - MYSQL_USER=nextcloud
      - MYSQL_PASSWORD=<passwd>
      - REDIS_HOST=redis

volumes:
  db:
  data:

What I have tried
  • Understandably, trying to re-scan files results in an error:
    user@host $ sudo docker-compose exec --user www-data app php occ files:scan --all
    Starting scan for user 1 out of 1 (<user>)
    Home storage for user <user> not writable
    Make sure you're running the scan command only as the user the web server runs as
    | Folders | Files | Elapsed time |
    | 0       | 0     | 00:00:00     |
  • Replacing docker volumes with bind mounts changes nothing.
  • Mounting inside the host before starting the container or vice versa. Order changes nothing.
  • Mounting with different uid/gid/permissions. Permissions change inside the container as one would expect, but www-data is the requirement (and it is what’s set up by Nextcloud by default).
  • Tried to find the cause of the ???? question marks in the ls -al output. This suggests a missing execute bit on the directory, but in my case it is set!
  • Mounting the directory elsewhere in the container and using Nextcloud’s external storage plugin with a local directory. Similar issue.
  • Can’t use the plugin directly, because my back end is unsupported (rclone crypt).

I imagine this is primarily a docker+FUSE issue and not Nextcloud-centered, but this still seems to be the right forum to ask: such a setup seems common?

Update: it appears to be primarily an rclone issue. I opened a thread on the respective forum.

rclone mount simply needs the --allow-other flag.
Look here for more details.
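As an added illustration, not part of the original post, here is a POSIX sh check that reads the FUSE entry for a mountpoint from /proc/self/mounts and reports whether a given uid may traverse it. FUSE only lets the uid that created the mount through unless the mount carries the allow_other option, which is what --allow-other adds, and that is why root inside the container sees the files while www-data (uid 33) gets "Permission denied" and d????????? in ls. The sample mount lines are constructed, and "alice" stands in for <user>.

```sh
#!/bin/sh
# Added example, not from the original post: read the FUSE entry for a
# mountpoint from /proc/self/mounts and say whether a given uid may traverse it.
# FUSE only lets the uid that created the mount (user_id=) through unless the
# mount carries allow_other, which is what `rclone mount --allow-other` adds.

# Constructed sample of /proc/self/mounts lines; "alice" stands in for <user>.
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime,errors=remount-ro 0 0
my-remote: /var/lib/docker/volumes/nextcloud_data/_data/alice fuse.rclone rw,nosuid,nodev,relatime,user_id=0,group_id=0 0 0
other: /mnt/shared fuse.rclone rw,nosuid,nodev,relatime,user_id=0,group_id=0,allow_other 0 0'

# mount_opts MOUNTPOINT [MOUNTS_FILE]: print the option field of the FUSE
# filesystem mounted exactly at MOUNTPOINT; exit 1 if there is none.
mount_opts() {
    awk -v mp="$1" '$2 == mp && $3 ~ /^fuse/ { print $4; found = 1 }
                    END { exit !found }' "${2:-/proc/self/mounts}"
}

# has_opt OPTS NAME: true if the comma-separated OPTS contains NAME exactly.
has_opt() {
    case ",$1," in
        *",$2,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# fuse_access_verdict MOUNTPOINT UID [MOUNTS_FILE] prints one of:
#   not-fuse       no FUSE filesystem at MOUNTPOINT
#   allowed-all    mounted with allow_other, any uid may use it
#   allowed-owner  UID is the uid that ran the mount (user_id=)
#   denied         any other uid gets "Permission denied" / d????????? in ls
fuse_access_verdict() {
    opts=$(mount_opts "$1" "${3:-/proc/self/mounts}") || { echo not-fuse; return 0; }
    if has_opt "$opts" allow_other; then
        echo allowed-all
        return 0
    fi
    owner=$(printf '%s\n' "$opts" | tr ',' '\n' | sed -n 's/^user_id=//p')
    if [ "$owner" = "$2" ]; then echo allowed-owner; else echo denied; fi
}

# user_allow_other_enabled [FUSE_CONF]: only relevant when the mount itself is
# run by a non-root user; then --allow-other also needs this line in fuse.conf.
user_allow_other_enabled() {
    grep -Eq '^[[:space:]]*user_allow_other[[:space:]]*$' "${1:-/etc/fuse.conf}" 2>/dev/null
}
```

On the live host, `fuse_access_verdict /var/lib/docker/volumes/nextcloud_data/_data/<user> 33` reads the real /proc/self/mounts and should print allowed-all once the mount is redone with --allow-other.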