Nextcloud version (eg, 20.0.5): 20.0.8
(nextcloud:stable-fpm container)
Operating system and version (eg, Ubuntu 20.04): Ubuntu 20.04
Apache or nginx version (eg, Apache 2.4.25): nginx-1.19.8
PHP version (eg, 7.4): `n/a``
The issue you are facing:
I’m trying to mount external storage (/syncthing/fotky) in the container. The
OS directory is not owned by the user running nextcloud container (nextcloud)
but user nextcloud is in the group that can access and write that directory.
Is this the first time you’ve seen this error? (Y/N): y
Steps to replicate it:
- See below for the exact description.
The output of your Nextcloud log in Admin > Logging:
Error PHP Error: opendir(/syncthing/fotky/test/): failed to open dir: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#132 23 minutes ago
Error PHP Error: opendir(/syncthing/fotky/rodinka/): failed to open dir: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#132 an hour ago
Error PHP Error: opendir(/syncthing/fotky/rodinka/rok.osmy): failed to open dir: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#132 2 hours ago
Error PHP Error: file_put_contents(/syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#276 2 hours ago
Error PHP Error: copy(//syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#350 2 hours ago
Error PHP Error: fopen(/syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#355 2 hours ago
Error PHP Error: file_put_contents(/syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#276 2 hours ago
Error PHP Error: copy(//syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#350 2 hours ago
Error PHP Error: file_get_contents(/syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#272 2 hours ago
Error PHP Error: file_get_contents(/syncthing/fotky/rodinka/rok.osmy/test.md): failed to open stream: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#272 2 hours ago
The output of your config.php file in /path/to/nextcloud
(make sure you remove any identifiable information!):
$ podman exec -ti -u www-data nextcloud cat config/config.php
<?php
$CONFIG = array (
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
'passwordsalt' => 'u+iHvc7zmz9yDqFo5lqGafbPWXQ6Sg',
'secret' => '5xAy1BkJFojqyuzVLsXGuVV1VN2j5X7dxis5T8f7oUfHBSak',
'trusted_domains' =>
array (
0 => 'cloud.misackovo.eu',
1 => '172.17.0.2',
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'mysql',
'version' => '20.0.8.1',
'overwrite.cli.url' => 'https://cloud.misackovo.eu',
'dbname' => 'nextcloud',
'dbhost' => '127.0.0.1',
'dbport' => '',
'dbtableprefix' => 'oc_',
'mysql.utf8mb4' => true,
'dbuser' => 'nextcloud',
'dbpassword' => 'nextcloud',
'installed' => true,
'instanceid' => 'ocxmh1y5sb2l',
'check_data_directory_permissions' => false,
);
$ podman exec -ti -u www-data nextcloud cat /usr/local/etc/php-fpm.d/www.conf
[www]
user = www-data
group = nogroup
; pid /var/html/html/data/php-fpm.pid
listen = 127.0.0.1:9000
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
The output of your Apache/nginx/system log in /var/log/____
:
IMHO irelevant to the issue.
I’m trying to run rootless nextcloud:fpm-stable + mariadb in a container using
podman. I’m using nginx as a proxy.
I’m trying to mount external storage (/syncthing/fotky) in the container. The
OS directory is not owned by the user running nextcloud container (nextcloud)
but user nextcloud is in the group that can access and write that directory.
Container is running as privileged and it’s www-data user running php-fpm group
is changed to “nogroup”. User www-data can create files in
/syncthing/fotky/test directory as it is writable by group “nogroup”. However
nextcloud is not able to do the same and says “Permission denied”.
My best guess would be that it is not able for some reason to write to
directory owned by the group it is running. Should it work?
More precisely, if php-fpm is running under group “nogroup” should it be able
to write to the directory writable by group “nogroup”? At the moment it seems
that it is not.
Changing volume directory permissions to “777” all seems to work fine which
seems to point towards that hypothesis as well.
See below for the exact commands I’m trying.
–
** System unit that runs the container.**
nextcloud@test-pi-priv:~$ systemctl --user cat container-nextcloud
# /home/nextcloud/.config/systemd/user/container-nextcloud.service
# container-nextcloud.service
# autogenerated by Podman 3.0.1
# Sun Mar 21 14:51:02 CET 2021
[Unit]
Description=Podman container-nextcloud.service
Documentation=man:podman-generate-systemd(1)
Wants=network.target
After=network-online.target
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
Restart=on-failure
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-nextcloud.pid %t/container-nextcloud.ctr-id
ExecStart=/usr/bin/podman container run --conmon-pidfile %t/container-nextcloud.pid --cidfile %t/container-nextcloud.ctr-id --cgroups=no-conmon --replace --name nextcloud --privileged=True --an
notation run.oci.keep_original_groups=1 --env MYSQL_HOST=127.0.0.1 --env MYSQL_DATABASE=nextcloud --env MYSQL_USER=nextcloud --env NEXTCLOUD_ADMIN_USER=admin --env-file /home/nextcloud/containe
rs/conf/nextcloud/.env --pod nextcloud-pod --volume data_nextcloud:/var/www/html --volume /home/syncthing/syncthing:/syncthing:rw --volume /home/nextcloud/containers/conf/nextcloud/www.conf:/us
r/local/etc/php-fpm.d/www.conf --detach=True quay.io/misacek/nextcloud-custom:stable-fpm
ExecStop=/usr/bin/podman container stop --ignore --cidfile %t/container-nextcloud.ctr-id -t 10
ExecStopPost=/usr/bin/podman container rm --ignore -f --cidfile %t/container-nextcloud.ctr-id
PIDFile=%t/container-nextcloud.pid
Type=forking
[Install]
WantedBy=multi-user.target default.target
# /home/nextcloud/.config/systemd/user/container-nextcloud.service.d/override.conf
[Service]
After=container-mariadb network-online.target
# Requires=container-mariadb
BindsTo=container-mariadb
OS view of processes
$ ps axfu
nextclo+ 12574 0.0 0.1 21704 9224 ? Ss 08:11 0:02 /lib/systemd/systemd --user
nextclo+ 12575 0.0 0.0 106240 2692 ? S 08:11 0:00 \_ (sd-pam)
nextclo+ 12712 0.0 0.0 7108 3336 ? Ss 08:11 0:01 \_ /usr/bin/dbus-daemon --session --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
nextclo+ 13995 0.0 0.0 6048 2468 ? Ss 08:12 0:24 \_ /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nextcloud/.local/share/containers/storage/overlay/l/BFY6B3MPUZWVAHV7AP7PWKMUES:
nextclo+ 13997 0.0 0.0 80516 2044 ? Ssl 08:12 0:00 \_ /usr/libexec/podman/conmon --api-version 1 -c 5bc48f680b13e7b5fb93033a880c75516e5c64394a6fe743b79bf83582eaf252 -u 5bc48f68
166534 14000 0.2 1.3 1895376 112092 ? Ssl 08:12 0:56 | \_ mysqld
nextclo+ 63359 0.0 0.0 7040 3388 ? Ss 14:51 0:00 \_ /usr/bin/fuse-overlayfs -o ,lowerdir=/home/nextcloud/.local/share/containers/storage/overlay/l/RWGCJ36AB3KQWACFQK2TYCDTOX:
nextclo+ 63361 0.0 0.0 80516 2108 ? Ssl 14:51 0:00 \_ /usr/libexec/podman/conmon --api-version 1 -c 77f176cb5ab6a7d054a3ed4ae28c3283cde8d32afd8308d6fc8d92ab508b7798 -u 77f176cb
nextclo+ 63364 0.0 0.4 276292 33660 ? Ss 14:51 0:00 \_ php-fpm: master process (/usr/local/etc/php-fpm.conf)
165568 63387 0.2 0.6 310984 54960 ? S 14:51 0:02 \_ php-fpm: pool www
165568 63388 0.2 0.7 313080 59704 ? S 14:51 0:01 \_ php-fpm: pool www
165568 66228 0.2 0.4 282708 39372 ? S 14:52 0:01 \_ php-fpm: pool www
Container view list of processes:
$ podman exec -ti nextcloud ps axfu
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 115 0.0 0.0 7636 2780 pts/0 Rs+ 14:04 0:00 ps axfu
root 1 0.0 0.4 276292 33660 ? Ss 13:51 0:00 php-fpm: master process (/usr/local/etc/php-fpm.conf)
www-data 14 0.2 0.6 310984 54960 ? S 13:51 0:02 php-fpm: pool www
www-data 15 0.2 0.7 313080 59704 ? S 13:51 0:01 php-fpm: pool www
www-data 109 0.2 0.4 282708 39372 ? S 13:52 0:01 php-fpm: pool www
** Container process is running as www-data/nogroup**
$ podman exec -ti -u www-data nextcloud stat -c ‘%u %g’ /proc/14
33 65534
$ podman exec -ti -u www-data nextcloud grep nogroup /etc/group
nogroup:x:65534:www-data
Container www-data user is in group nogroup:
$ podman exec -ti -u www-data nextcloud id
uid=33(www-data) gid=33(www-data) groups=33(www-data),0(root),65534(nogroup)
OS view of data directory:
$ ls -la /home/syncthing/syncthing
total 16
drwxrwsrwx+ 4 syncthing-user syncthing 4096 Mar 21 15:03 .
drwxrws–x+ 5 syncthing-user syncthing 4096 Mar 21 14:21 …
drwxrws—+ 2 syncthing-user syncthing 4096 Mar 21 15:03 test
Container view of data directory
$ podman exec -ti -u www-data nextcloud ls -la /syncthing/fotky
total 16
drwxrwsrwx+ 4 nobody nogroup 4096 Mar 21 14:03 .
drwxrws–x+ 5 nobody nogroup 4096 Mar 21 13:21 …
drwxrws—+ 2 nobody nogroup 4096 Mar 21 14:03 test
Adding the directory as an external storage it can be addded and verified:
$ podman exec -u www-data nextcloud /var/www/html/occ files_external:list
+----------+-------------+---------+---------------------+-------------------------------------+---------+------------------+-------------------+
| Mount ID | Mount Point | Storage | Authentication Type | Configuration | Options | Applicable Users | Applicable Groups |
+----------+-------------+---------+---------------------+-------------------------------------+---------+------------------+-------------------+
| 7 | /fotky | Local | None | datadir: "\/syncthing\/fotky\/test" | | admin | admini |
+----------+-------------+---------+---------------------+-------------------------------------+---------+------------------+-------------------+
$ podman exec -u www-data nextcloud /var/www/html/occ files_external:verify 7
- status: ok
- code: 0
- message
At this point all seemed good to me but trying to mount the External storage
tick as admin user I got red exclamation mark and I see the following in the
log:
Error: opendir(/syncthing/fotky/test/): failed to open dir: Permission denied at /var/www/html/lib/private/Files/Storage/Local.php#132
Trying to create file as www-data user works well
$ podman exec -ti -u www-data nextcloud ls -l /syncthing/fotky/test/test.file
ls: cannot access '/syncthing/fotky/test/test.file': No such file or directory
$ podman exec -ti -u www-data nextcloud touch /syncthing/fotky/test/test.file
$ podman exec -ti -u www-data nextcloud ls -l /syncthing/fotky/test/test.file
-rw-rw---- 1 www-data nogroup 0 Mar 21 14:22 /syncthing/fotky/test/test.file