config folder permission #114

Open
steled opened this issue May 1, 2021 · 4 comments
Labels
Persistence Anything to do with external storage or persistence. This is also where we triage things like NFS.


@steled

steled commented May 1, 2021

Describe the bug
When I configure configs for the first start in my values.yaml file the permissions of the config folder are set to root:root

Version of Helm and Kubernetes:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T16:31:21Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"linux/arm64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.0", GitCommit:"cb303e613a121a29364f75cc67d3d580833a7479", GitTreeState:"clean", BuildDate:"2021-04-08T16:25:06Z", GoVersion:"go1.16.1", Compiler:"gc", Platform:"linux/arm64"}

$ helm version
version.BuildInfo{Version:"v3.5.3", GitCommit:"041ce5a2c17a58be0fcd5f5e16fb3e7e95fea622", GitTreeState:"dirty", GoVersion:"go1.15.8"}

Which chart:
nextcloud:2.6.1

What happened:
I wanted to set overwritehost and overwriteprotocol via an extra config file created in /var/www/html/config/.

What you expected to happen:
nextcloud starts with config.php and custom.config.php

How to reproduce it (as minimally and precisely as possible):
Put the following lines of code into the values.yaml file:

  configs:
    custom.config.php: |-
      <?php
      $CONFIG = array (
         'overwritehost' => '***.duckdns.org',
         'overwriteprotocol' => 'https',
      );

Anything else we need to know:
The following error is seen in logs:

$ kubectl logs -n nextcloud nextcloud-dcc4678d9-gk9pd -f
Initializing nextcloud 19.0.3.1 ...
Initializing finished
New nextcloud instance
Installing with PostgreSQL database
starting nextcloud installation
Cannot write into "config" directory!
This can usually be fixed by giving the webserver write access to the config directory

Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.
See https://docs.nextcloud.com/server/19/go.php?to=admin-config
setting trusted domains…
Cannot write into "config" directory!
This can usually be fixed by giving the webserver write access to the config directory

Or, if you prefer to keep config.php file read only, set the option "config_is_read_only" to true in it.
See https://docs.nextcloud.com/server/19/go.php?to=admin-config

After applying the configuration the file/folder permissions look like:

$ ls -la /ext/persistent/nextcloud/server/
total 36
drwxr-xr-x 9     1000 1000 4096 May  1 22:03 .
drwxr-xr-x 5     1000 1000 4096 May  1 20:11 ..
drwxr-xr-x 2 root     root 4096 May  1 22:03 config
drwxr-xr-x 2 root     root 4096 May  1 22:03 custom_apps
drwxr-xr-x 2 root     root 4096 May  1 22:03 data
drwxr-xr-x 8 www-data root 4096 May  1 22:03 html
drwxr-xr-x 4 root     root 4096 May  1 22:03 root
drwxr-xr-x 2 root     root 4096 May  1 22:03 themes
drwxr-xr-x 2 root     root 4096 May  1 22:03 tmp

$ ls -la /ext/persistent/nextcloud/server/config/
total 8
drwxr-xr-x 2 root root 4096 May  1 22:03 .
drwxr-xr-x 9 1000 1000 4096 May  1 22:03 ..
-rwx------ 1 root root    0 May  1 22:03 .htaccess
-rwx------ 1 root root    0 May  1 22:03 apache-pretty-urls.config.php
-rwx------ 1 root root    0 May  1 22:03 apcu.config.php
-rwx------ 1 root root    0 May  1 22:03 apps.config.php
-rwx------ 1 root root    0 May  1 22:03 autoconfig.php
-rwx------ 1 root root    0 May  1 22:03 custom.config.php
-rwx------ 1 root root    0 May  1 22:03 redis.config.php
-rwx------ 1 root root    0 May  1 22:03 smtp.config.php

As a workaround I can set the values via extraEnv:

  extraEnv:
    - name: OVERWRITEHOST
      value: "***.duckdns.org"
    - name: OVERWRITEPROTOCOL
      value: https

But this is not how I expect it to work.

@benedikt-bartscher

same here

@jessebot
Collaborator

AHA! I have been trying to figure this out for months, and this has to be the cause! I understand how frustrating this is, because it can also affect your backups. I don't have a fix, but maybe a workaround. 🤔

So, I don't know why it's created as root, but I do know that recently the community introduced a securityContext feature, that should let you force the container and/or pod to run as a different user, for instance 33 (this is the UID of the www-data user). You can check out the change in #269.

I currently have an issue open where I'm troubleshooting this in #335 if you have issues with it.

@jessebot
Collaborator

@steled and @benedikt-bartscher how are you both deploying k8s? Are you using k3s? Are you using NFS?

@jessebot jessebot added the Persistence Anything to do with external storage or persistence. This is also where we triage things like NFS. label Jul 26, 2024
@steled
Author

steled commented Oct 18, 2024

Hi @jessebot,

sorry for the late response.
I'm deploying nextcloud via Helm Chart on a plain Kubernetes installation.
I'm using local storage on the host directly as persistent storage.

I'm starting with a fresh new installation of the helm release 6.1.0 and the problem still exists.
I also tried to set the following values in values.yaml:

nextcloud:
  securityContext:
    runAsGroup: 33
    runAsUser: 33
    runAsNonRoot: true
    readOnlyRootFilesystem: false

  podSecurityContext:
    fsGroup: 33

But this also didn't help.

My workaround is to create the folder before running nextcloud installation:

sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/backup
sudo chown 1001:1001 -R /ext/persistent/nextcloud-staging/backup/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server
sudo chown 1000:1000 -R /ext/persistent/nextcloud-staging/server/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server/config
sudo chown www-data:www-data -R /ext/persistent/nextcloud-staging/server/config/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server/custom_apps
sudo chown www-data:www-data -R /ext/persistent/nextcloud-staging/server/custom_apps/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server/data
sudo chown www-data:www-data -R /ext/persistent/nextcloud-staging/server/data/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server/html
sudo chown www-data:www-data -R /ext/persistent/nextcloud-staging/server/html/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/server/themes
sudo chown www-data:www-data -R /ext/persistent/nextcloud-staging/server/themes/
sudo mkdir --mode 0755 -p /ext/persistent/nextcloud-staging/postgresql
sudo chown 1001:1001 -R /ext/persistent/nextcloud-staging/postgresql/
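
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the issue or the chart: it reports which of the persistent directories are not owned by, or not writable for, the UID the container runs as (33 for www-data, per the comment above). The function names and output format are made up for illustration, and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: audit ownership of the Nextcloud persistent directories.
# Hypothetical helper names; assumes GNU stat (-c format strings).

# check_owner DIR UID -> 0 ok, 1 wrong owner or not owner-writable, 2 missing
check_owner() {
    co_dir=$1
    co_want=$2
    if [ ! -d "$co_dir" ]; then
        echo "MISSING $co_dir"
        return 2
    fi
    co_uid=$(stat -c '%u' "$co_dir")    # numeric owner UID
    co_mode=$(stat -c '%a' "$co_dir")   # octal permission bits, e.g. 755
    if [ "$co_uid" -ne "$co_want" ]; then
        echo "WRONG_OWNER $co_dir uid=$co_uid want=$co_want"
        return 1
    fi
    # 0200 is the owner-write bit; the leading 0 makes the value octal.
    if [ $(( 0$co_mode & 0200 )) -eq 0 ]; then
        echo "NOT_OWNER_WRITABLE $co_dir mode=$co_mode"
        return 1
    fi
    echo "OK $co_dir"
}

# audit_nextcloud_dirs ROOT UID -> exit status = number of failing directories
audit_nextcloud_dirs() {
    an_root=$1
    an_uid=$2
    an_bad=0
    # Subdirectories the workaround in this thread hands to www-data.
    for an_sub in config custom_apps data html themes; do
        check_owner "$an_root/$an_sub" "$an_uid" || an_bad=$((an_bad + 1))
    done
    return "$an_bad"
}

# Usage: sh audit.sh /ext/persistent/nextcloud/server [uid]   (default 33)
if [ "$#" -ge 1 ]; then
    audit_nextcloud_dirs "$1" "${2:-33}"
fi
```

Run against the listing from the original report, the `config` line would come back as `WRONG_OWNER ... uid=0 want=33`, which matches the "Cannot write into "config" directory!" message in the pod log.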
