docker icon indicating copy to clipboard operation
docker copied to clipboard

Published 20 hours ago verified publisher icon nextcloud

Conform to the Docker standard

Open dbergloev opened this issue 1 year ago • 6 comments

Hi.

Docker has to standard environment variables PUID and GUID. These are meant to be used to allow one to select the user and group for the containers main process. This is a great help when you share volumes with a container that has specific user/group permissions. However this is not being used by the NextCloud docker image for some reason and I had to make an entrypoint wrapper to fix it on my setup.

#!/bin/bash

groupadd --gid $GUID nextcloud >/dev/null 2>/dev/null
useradd --uid $PUID --gid $GUID nextcloud --system >/dev/null 2>/dev/null

sed -i 's/^User .*/User nextcloud/' /etc/apache2/apache2.conf
sed -i 's/^Group .*/Group nextcloud/' /etc/apache2/apache2.conf

/entrypoint.sh "$@"

Using the www-data user may be fine for a small closed container, but it really is not very useful when sharing volumes with the host.

dbergloev avatar Jul 13 '23 07:07 dbergloev

Funny you say that as I only came to this unofficial docker image because there were problems with the NextCloud-AIO official - with problems along those lines (ownership/root/UID).
"Docker socket is not available. Cannot continue." https://help.nextcloud.com/t/help-with-aio-docker-docker-socket-is-not-available-error-macos/136354/2 (Using Docker Desktop on mac) There seems to be no fix in lastest Docker and even suggestions of rolling back docker etc to fix the problem.

But this repo/image worked at least. Fixing the other seemed beyond me for the minute.

robz0 avatar Jul 14 '23 16:07 robz0

Hi @dk-zero-cool - See https://github.com/nextcloud/docker/pull/1812 (though it doesn't appear to have made it into the docs - oops).

Re: PUID/GUID: There is no standard I'm aware of (feel free to provide a reference). There are some container maintainers (@linuxserver comes to mind) that use these variables - e.g. https://docs.linuxserver.io/general/understanding-puid-and-pgid - but that's all.

Using the www-data user may be fine for a small closed container, but it really is not very useful when sharing volumes with the host.

I assume you are referring to - and using - bind mounts rather than volumes. This is not an issue at all when using volumes for persistent data. This issue arises with bind mounts because the filesystem ends up being shared with the host and not at all managed by Docker. Both, however, are persistent data stores and not at all limited to "small closed containers".

https://docs.docker.com/storage/volumes/ https://docs.docker.com/storage/bind-mounts/

joshtrichards avatar Jul 18 '23 22:07 joshtrichards

Yes I am talking about bind-mounts. NextCloud is used to synchronize personal data between devices, and as such will in many cases not be confined just to a random volume on the server. In my case I have NFS setup via autofs to a server running a ZFS Raid configuration that is used to store everything, not just the data being shared with NextCloud. Using www-data is not a user or group that I would assign to things like documents, videos, images etc on a storage disk. For hosting the actual website sure, but unless NextCloud adds a separate daemon to deal with the actual data, running the server as a different user is the next best thing.

And yes, apparently this is not an official Docker standard, but a lot of, and not just some, maintainers do conform to it.

dbergloev avatar Jul 18 '23 22:07 dbergloev

Is there a solution for that ? I want a subfolder of my data folder to be a bind mount, and I need it to be in 1000:1000. How do I achieve that ?

Fratt avatar Dec 02 '23 21:12 Fratt

Has there ever been found a solution to this? I think my issue is related: https://github.com/nextcloud/docker/issues/2179

RononDex avatar Mar 12 '24 10:03 RononDex

@Fratt and @RononDex

There is always the option, until this is addressed, to change the entrypoint manually. Now I did change this after I created this issue, because the group and user is exported before entrypoint is executed. So all you need to do is change the variables.

init.sh

#!/bin/bash

PUNAME=nc_puid
PGNAME=nc_pgid

##
# Create the user and group
if grep -qE "^([^:]+:){2}$PGID:" /etc/group; then
    # Group already exists with another name
    PGNAME=$(grep -qE "^([^:]+:){2}$PGID:" /etc/group | awk -F: '{print $1}')
else
    groupadd --gid $PGID $PGNAME &>/dev/null
fi

if grep -qE "^([^:]+:){2}$PUID:" /etc/passwd; then
    # User already exists with another name
    PUNAME=$(grep -qE "^([^:]+:){2}$PUID:" /etc/passwd | awk -F: '{print $1}')
else
    useradd --uid $PUID --gid $PGID $PUNAME --system &>/dev/null
fi

##
# Force Apache (thereby Nextcloud) to run as the custom user and group
export APACHE_RUN_USER=$PUNAME
export APACHE_RUN_GROUP=$PGNAME

##
# Execute the original entrypoint script and launch Nextcloud
/entrypoint.sh "$@"

Now just add this file to your instance and change the entrypoint.

docker create \
    --env PUID=1000
    --env PGID=1000
    --volume $TARGET/init.sh:/init.sh
    --entrypoint /init.sh
    ...

After that your Nextcloud instance will run as your defined user and create files and directories with the prefered ownership.

dbergloev avatar Apr 12 '24 20:04 dbergloev