Migrating from apache to nginx (docker) - file permissions with xfs user

TL;DR: I used nextcloud with apache in docker before with success. Now I have switched to nextcloud with nginx and I get a permission error because the new owner of all relevant files is not www-data anymore but xfs.

I am migrating my nextcloud docker environment from apache to nginx. After that I get this error in the web interface:

Configuration was not read or initialized correctly, not overwriting /var/www/html/config/config.php

This sounds like a permission issue at first. But I checked it:

[user@nuc nextcloud]$ sudo ls -la /var/lib/docker/volumes/nextcloud_nextcloud/_data
insgesamt 1264
drwxrwxrwx 14 http http    4096 28. Dez 12:04 .
drwxr-xr-x  3 root root    4096  3. Jan 2021  ..
drwxr-xr-x 43 http http    4096 28. Dez 10:03 3rdparty
drwxr-xr-x 50 http http    4096 28. Dez 10:03 apps
-rw-r--r--  1 http http   23796 28. Dez 10:03 AUTHORS
-rw-r--r--  1 http http    1906 28. Dez 10:03 composer.json
-rw-r--r--  1 http http    3140 28. Dez 10:03 composer.lock
drwxr-xr-x  2 http http    4096 28. Dez 17:55 config
-rw-r--r--  1 http http    4124 28. Dez 10:03 console.php
-rw-r--r--  1 http http   34520 28. Dez 10:03 COPYING
drwxr-xr-x 24 http http    4096 28. Dez 10:04 core
-rw-r--r--  1 http http    6317 28. Dez 10:03 cron.php
drwxr-xr-x  9 http root    4096 28. Dez 19:30 custom_apps
drwxrwx---  2 http root    4096 25. Mär 2022  data
drwxr-xr-x  2 http http   20480 28. Dez 10:04 dist
-rw-r--r--  1 http http    4342 28. Dez 10:04 .htaccess
-rw-r--r--  1 http http     156 28. Dez 10:03 index.html
-rw-r--r--  1 http http    4403 28. Dez 10:03 index.php
drwxr-xr-x  6 http http    4096 28. Dez 10:04 lib
-rw-r--r--  1 root root       0 29. Dez 11:31 nextcloud-init-sync.lock
-rw-r--r--  1 http http       0 28. Dez 12:04 nextcloud.log
-rwxr-xr-x  1 http http     283 28. Dez 10:03 occ
drwxr-xr-x  2 http http    4096 28. Dez 12:04 ocs
drwxr-xr-x  2 http http    4096 28. Dez 12:04 ocs-provider
-rw-r--r--  1 http http    6991 28. Dez 10:03 package.json
-rw-r--r--  1 http http 1070279 28. Dez 10:03 package-lock.json
-rw-r--r--  1 http http    3187 28. Dez 10:03 public.php
-rw-r--r--  1 http http    5597 28. Dez 10:03 remote.php
drwxr-xr-x  4 http http    4096 28. Dez 10:04 resources
-rw-r--r--  1 http http      26 28. Dez 10:03 robots.txt
-rw-r--r--  1 http http    2452 28. Dez 10:03 status.php
drwxr-xr-x  3 http root    4096 25. Mär 2022  themes
-rw-r--r--  1 http http     101 28. Dez 10:03 .user.ini
-rw-r--r--  1 http http     403 28. Dez 10:04 version.php
[user@nuc nextcloud]$ sudo ls -la /var/lib/docker/volumes/nextcloud_nextcloud/_data/config
insgesamt 124
-rw-r--r--  1 http http     0  1. Aug 16:51  ,
drwxr-xr-x  2 http http  4096 28. Dez 17:55  .
drwxrwxrwx 14 http http  4096 28. Dez 12:04  ..
-rw-r--r--  1 http http     0  1. Aug 16:51  23.0.3.2,
-rw-r--r--  1 http http     0  1. Aug 16:51  6379,
-rw-r--r--  1 http http    60 25. Mär 2022   apache-pretty-urls.config.php
-rw-r--r--  1 http http    70 25. Mär 2022   apcu.config.php
-rw-r--r--  1 http http   377 25. Mär 2022   apps.config.php
-rw-rw----  1 http http  2025 29. Dez 09:34  config.php
-rw-r--r--  1 http http 66350 25. Mär 2022   config.sample.php
-rw-r--r--  1 http http     0  1. Aug 16:51  d7DgoxbqklIkNJtXkdh54S2azgA7+t5I550xMCKQO5grs96k,
-rw-r--r--  1 http http     0  1. Aug 16:51  db,
-rw-r--r--  1 http http     0  1. Aug 16:51  false,
-rw-r--r--  1 http http   495 25. Mär 2022   .htaccess
-rw-r--r--  1 http http    78 28. Dez 17:55  mimetypealiases.json
-rw-r--r--  1 http http   160 28. Dez 17:55  mimetypemapping.json
-rw-r--r--  1 http http     0  1. Aug 16:51  mysql,
-rw-r--r--  1 http http     0  1. Aug 16:51  nextcloud,
-rw-r--r--  1 http http     0  1. Aug 16:51  oc_,
-rw-r--r--  1 http http     0  1. Aug 16:51 '\\OC\\Memcache\\APCu,'
-rw-r--r--  1 http http     0  1. Aug 16:51 '\\OC\\Memcache\\Redis,'
-rw-r--r--  1 http http     0  1. Aug 16:51  ocst4wxqk0vi,
-rw-r--r--  1 http http     0  1. Aug 16:51  qgG_maWUIQB,
-rw-r--r--  1 http http     0  1. Aug 16:51  redis,
-rw-r--r--  1 http http   484 25. Mär 2022   redis.config.php
-rw-r--r--  1 http http   798 25. Mär 2022   reverse-proxy.config.php
-rw-r--r--  1 http http  1330 25. Mär 2022   s3.config.php
-rw-r--r--  1 http http     0  1. Aug 16:51  my.server.com,
-rw-r--r--  1 http http   944 25. Mär 2022   smtp.config.php
-rw-r--r--  1 http http  1103 25. Mär 2022   swift.config.php
-rw-r--r--  1 http http     0  1. Aug 16:51  true,
-rw-r--r--  1 http http     0  1. Aug 16:51  Y5sGgY,
[user@nuc nextcloud]$ docker-compose exec app ls -al /var/www/html
total 1268
drwxrwxrwx   14 xfs      xfs           4096 Dec 28 11:04 .
drwxrwxr-x    1 www-data root          4096 Dec 28 04:08 ..
-rw-r--r--    1 xfs      xfs           4342 Dec 28 09:04 .htaccess
-rw-r--r--    1 xfs      xfs            101 Dec 28 09:03 .user.ini
drwxr-xr-x   43 xfs      xfs           4096 Dec 28 09:03 3rdparty
-rw-r--r--    1 xfs      xfs          23796 Dec 28 09:03 AUTHORS
-rw-r--r--    1 xfs      xfs          34520 Dec 28 09:03 COPYING
drwxr-xr-x   50 xfs      xfs           4096 Dec 28 09:03 apps
-rw-r--r--    1 xfs      xfs           1906 Dec 28 09:03 composer.json
-rw-r--r--    1 xfs      xfs           3140 Dec 28 09:03 composer.lock
drwxr-xr-x    2 xfs      xfs           4096 Dec 28 16:55 config
-rw-r--r--    1 xfs      xfs           4124 Dec 28 09:03 console.php
drwxr-xr-x   24 xfs      xfs           4096 Dec 28 09:04 core
-rw-r--r--    1 xfs      xfs           6317 Dec 28 09:03 cron.php
drwxr-xr-x    9 xfs      root          4096 Dec 28 18:30 custom_apps
drwxrwx---    1 xfs      xfs           4096 Dec 29 08:56 data
drwxr-xr-x    2 xfs      xfs          20480 Dec 28 09:04 dist
-rw-r--r--    1 xfs      xfs            156 Dec 28 09:03 index.html
-rw-r--r--    1 xfs      xfs           4403 Dec 28 09:03 index.php
drwxr-xr-x    6 xfs      xfs           4096 Dec 28 09:04 lib
-rw-r--r--    1 root     root             0 Dec 29 10:31 nextcloud-init-sync.lock
-rw-r--r--    1 xfs      xfs              0 Dec 28 11:04 nextcloud.log
-rwxr-xr-x    1 xfs      xfs            283 Dec 28 09:03 occ
drwxr-xr-x    2 xfs      xfs           4096 Dec 28 11:04 ocs
drwxr-xr-x    2 xfs      xfs           4096 Dec 28 11:04 ocs-provider
-rw-r--r--    1 xfs      xfs        1070279 Dec 28 09:03 package-lock.json
-rw-r--r--    1 xfs      xfs           6991 Dec 28 09:03 package.json
-rw-r--r--    1 xfs      xfs           3187 Dec 28 09:03 public.php
-rw-r--r--    1 xfs      xfs           5597 Dec 28 09:03 remote.php
drwxr-xr-x    4 xfs      xfs           4096 Dec 28 09:04 resources
-rw-r--r--    1 xfs      xfs             26 Dec 28 09:03 robots.txt
-rw-r--r--    1 xfs      xfs           2452 Dec 28 09:03 status.php
drwxr-xr-x    3 xfs      root          4096 Mar 25  2022 themes
-rw-r--r--    1 xfs      xfs            403 Dec 28 09:04 version.php
[user@nuc nextcloud]$ docker-compose exec app ls -al /var/www/html/config
total 124
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 ,
drwxr-xr-x    2 xfs      xfs           4096 Dec 28 16:55 .
drwxrwxrwx   14 xfs      xfs           4096 Dec 28 11:04 ..
-rw-r--r--    1 xfs      xfs            495 Mar 25  2022 .htaccess
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 23.0.3.2,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 6379,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 Y5sGgY,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 \\OC\\Memcache\\APCu,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 \\OC\\Memcache\\Redis,
-rw-r--r--    1 xfs      xfs             60 Mar 25  2022 apache-pretty-urls.config.php
-rw-r--r--    1 xfs      xfs             70 Mar 25  2022 apcu.config.php
-rw-r--r--    1 xfs      xfs            377 Mar 25  2022 apps.config.php
-rw-rw----    1 xfs      xfs           2025 Dec 29 08:34 config.php
-rw-r--r--    1 xfs      xfs          66350 Mar 25  2022 config.sample.php
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 d7DgoxbqklIkNJtXkdh54S2azgA7+t5I550xMCKQO5grs96k,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 db,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 false,
-rw-r--r--    1 xfs      xfs             78 Dec 28 16:55 mimetypealiases.json
-rw-r--r--    1 xfs      xfs            160 Dec 28 16:55 mimetypemapping.json
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 mysql,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 nextcloud,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 oc_,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 ocst4wxqk0vi,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 qgG_maWUIQB,
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 redis,
-rw-r--r--    1 xfs      xfs            484 Mar 25  2022 redis.config.php
-rw-r--r--    1 xfs      xfs            798 Mar 25  2022 reverse-proxy.config.php
-rw-r--r--    1 xfs      xfs           1330 Mar 25  2022 s3.config.php
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 my.server.com,
-rw-r--r--    1 xfs      xfs            944 Mar 25  2022 smtp.config.php
-rw-r--r--    1 xfs      xfs           1103 Mar 25  2022 swift.config.php
-rw-r--r--    1 xfs      xfs              0 Aug  1 14:51 true,
[user@nuc nextcloud]$ docker-compose exec app ls -al /var/www/html/config/config.php
-rw-rw----    1 xfs      xfs           2025 Dec 29 08:34 /var/www/html/config/config.php
Sie haben neue Post in /var/mail/root.
[user@nuc nextcloud]$ sudo ls -la /var/lib/docker/volumes/nextcloud_nextcloud/_data/config/config.php
-rw-rw---- 1 http http 2025 29. Dez 09:34 /var/lib/docker/volumes/nextcloud_nextcloud/_data/config/config.php

So you can see, in the docker container the user xfs:xfs is the owner of the files. On my system the user is called http. I checked the UID, which is important here:
xfs is 33, http is 33.

So this is correct. Before, when I used apache, the user inside the container was www-data because its UID was 33.

Also if I try to set up some stuff in the container with the xfs user, it works:

[user@nuc nextcloud]$ docker exec --user xfs -it nextcloud_app php occ config:system:set trusted_proxies 0 --value="localhost"
System config value trusted_proxies => 0 set to string localhost

There is no error regarding permissions.

So I am not sure where the problem is.

Edit: also found this one, but it doesn’t make a difference if I give 660 to config.php or even to all files in the config folder.

Edit 2: Weird:

[user@nuc nextcloud]$ docker exec --user xfs nextcloud_app ls -l /var/www/html/config/config.php
ls: /var/www/html/config/config.php: Permission denied

[user@nuc nextcloud]$ docker exec -it nextcloud_app /bin/sh
/var/www/html # ls

/var/www/html # cd config

/var/www/html/config # ls -l ./config.php
-rw-rw----    1 xfs      xfs           2061 Dec 29 11:05 ./config.php

So I guess there is an issue with this xfs user. Normally it should be OK to use this user as the UID is 33, but I have a weird feeling that I still need to use the www-data user and create a new user on my host with the UID 82, as this is the one of the www-data user inside the container?

[user@nuc nextcloud]$ sudo docker exec --user www-data nextcloud_app id
uid=82(www-data) gid=82(www-data) groups=82(www-data)
[user@nuc nextcloud]$ sudo docker exec --user xfs nextcloud_app id
uid=33(xfs) gid=33(xfs) groups=33(xfs)
[user@nuc nextcloud]$ grep "http" /etc/passwd
http:x:33:33::/srv/http:/usr/bin/nologin

Edit 3: So I created a new user on my host system with UID 82 and made it the owner of the nextcloud files:

[user@nuc]$ sudo useradd -u 82 -g 82 nextcloud-user
[user@nuc]$ sudo groupmod -g 82 nextcloud-user
[user@nuc]$ chown -R nextcloud-user:nextcloud-user /var/lib/docker/volumes/nextcloud_nextcloud/_data/config

I did the same inside the container for the www-data user, so www-data:www-data is now the owner of all this nextcloud stuff inside the docker container (so www-data is UID 82 and nextcloud-user is also UID 82):

[nuc _data]# docker exec -it nextcloud_app /bin/sh
/var/www/html # chown -R www-data:www-data .

The web interface is greeting me with

Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the webserver log.


Fatal error: Uncaught TypeError: flock(): Argument #1 ($stream) must be of type resource, bool given in /var/www/html/lib/private/Config.php:228
Stack trace:
#0 /var/www/html/lib/private/Config.php(228): flock(false, 1)
#1 /var/www/html/lib/private/Config.php(71): OC\Config->readData()
#2 /var/www/html/lib/base.php(149): OC\Config->__construct(‘/var/www/html/c…’)
#3 /var/www/html/lib/base.php(616): OC::initPaths()
#4 /var/www/html/lib/base.php(1200): OC::init()
#5 /var/www/html/index.php(37): require_once(‘/var/www/html/l…’)
#6 {main}
thrown in /var/www/html/lib/private/Config.php on line 228

Quite hard to figure out how to use the alpine-fpm with correct user permissions on this one.

Edit 4: I also found this old issue on Github. The solution was docker-compose exec app chown -R www-data:root /var/www or chown -R 82:0 /var/www (which does the same). But this is exactly what I did: the user with the UID 82 (which is www-data) has permission for all files inside the container. Outside the container (on my host) is the new nextcloud-user, which also has the UID 82. But all I get is this "The server encountered an internal error and was unable to complete your request." error.

Edit 5: OK, now all files under /var/lib/docker/volumes/nextcloud/nextcloud belong to nextclouduser:root. Also all files in my mounted drives, which are for my personal data. Same. Also all files under /var/www/html belong to www-data:root. Still this "The server encountered an internal error and was unable to complete your request." error.
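
Added example, not part of the original post: a small shell check for the name-versus-number confusion in the listings above (http on the host, xfs and www-data in the container). It resolves a numeric UID against a given passwd file and counts entries in a tree that are not owned by an expected numeric UID. The function names, the passwd excerpts and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). File access is decided by numeric
# UID/GID; the names that ls prints come from each side's own /etc/passwd.

# Name a given passwd file assigns to a numeric UID (prints nothing if unmapped).
name_for_uid() {            # $1 = passwd file, $2 = numeric uid
    awk -F: -v uid="$2" '$3 == uid { print $1; exit }' "$1"
}

# Number of entries under a directory NOT owned by the expected numeric UID.
# find treats a numeric -user argument as a UID when no user has that name.
count_foreign_owned() {     # $1 = directory, $2 = expected numeric uid
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# The same entries listed with numeric owner and group (ls -n), so host and
# container listings can be compared without any name translation.
list_foreign_owned() {      # $1 = directory, $2 = expected numeric uid
    find "$1" ! -user "$2" -exec ls -ldn {} +
}

demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed passwd excerpts using the IDs shown in the post.
    printf 'http:x:33:33::/srv/http:/usr/bin/nologin\n' > "$tmp/host.passwd"
    printf 'xfs:x:33:33::/:/sbin/nologin\nwww-data:x:82:82::/:/sbin/nologin\n' \
        > "$tmp/container.passwd"
    for uid in 33 82; do
        echo "uid $uid: host='$(name_for_uid "$tmp/host.passwd" "$uid")'" \
             "container='$(name_for_uid "$tmp/container.passwd" "$uid")'"
    done
    # Constructed tree standing in for the volume; owned by whoever runs this.
    mkdir -p "$tmp/vol/config" && : > "$tmp/vol/config/config.php"
    me=$(id -u)
    echo "entries not owned by uid $me: $(count_foreign_owned "$tmp/vol" "$me")"
    echo "entries not owned by uid 82:"
    list_foreign_owned "$tmp/vol" 82
    rm -rf "$tmp"
}
demo
```

Run against the real volume path on the host and against /var/www/html inside the container, the count should be the same on both sides for the same numeric UID, whatever names each side prints.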