Closed cguentherTUChemnitz closed 3 months ago
Hi, @cguentherTUChemnitz !
Thank you for your report!
Could you please provide more information, the docker-socket-proxy
logs you've sent are the startup plain logs which are printing the haproxy.cfg, is there any logs on the failing request for volume creation that could give some hints on what's going wrong.
Please capture the new docker-socket-proxy
logs after test deploy issue reproduction.
Also check sudo journalctl -u docker.service
system logs during test deploy if there any error message related to the docker volume creation issue.
I had just today time to gather further information. I upadted my rolling arch and rebooted, to get a clean journalctl -b to easier filter down here. Also i run a docker system prune --volumes, since i was discovering, that docker ps -a showed an earlier deactivated nextcloud service of imaginary.
Then i retried just now the app api deploy test and it worked fine now. I don't know what fixed it here, but it works now ;)
Describe the bug
using nextcloud aio in as close as possible default config is setting up the app-api automatically in a broken way, where the test-deploy fails.
previously reported here: https://github.com/nextcloud/all-in-one/discussions/4901
Steps/Code to Reproduce
Steps to reproduce
docker compose
```docker-compose.yml # https://github.com/nextcloud/all-in-one/blob/main/compose.yaml services: nextcloud-aio-mastercontainer: image: nextcloud/all-in-one:latest init: true restart: always container_name: nextcloud-aio-mastercontainer # This line is not allowed to be changed as otherwise AIO will not work correctly volumes: - nextcloud_aio_mastercontainer:/mnt/docker-aio-config # This line is not allowed to be changed as otherwise the built-in backup solution will not work - /var/run/docker.sock:/var/run/docker.sock:ro # May be changed on macOS, Windows or docker rootless. See the applicable documentation. If adjusting, don't forget to also set 'WATCHTOWER_DOCKER_SOCKET_PATH'! ports: # - 80:80 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md - 8080:8080 # - 8443:8443 # Can be removed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md environment: # Is needed when using any of the options below # AIO_DISABLE_BACKUP_SECTION: false # Setting this to true allows to hide the backup section in the AIO interface. See https://github.com/nextcloud/all-in-one#how-to-disable-the-backup-section APACHE_PORT: 11000 # Is needed when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else). See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md APACHE_IP_BINDING: 127.0.0.1 # Should be set when running behind a web server or reverse proxy (like Apache, Nginx, Cloudflare Tunnel and else) that is running on the same host. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md # BORG_RETENTION_POLICY: --keep-within=7d --keep-weekly=4 --keep-monthly=6 # Allows to adjust borgs retention policy. See https://github.com/nextcloud/all-in-one#how-to-adjust-borgs-retention-policy # COLLABORA_SECCOMP_DISABLED: false # Setting this to true allows to disable Collabora's Seccomp feature. See https://github.com/nextcloud/all-in-one#how-to-disable-collaboras-seccomp-feature NEXTCLOUD_DATADIR: /mnt/data/ncdata # Allows to set the host directory for Nextcloud's datadir. ⚠️⚠️⚠️ Warning: do not set or adjust this value after the initial Nextcloud installation is done! See https://github.com/nextcloud/all-in-one#how-to-change-the-default-location-of-nextclouds-datadir # NEXTCLOUD_MOUNT: /mnt/ # Allows the Nextcloud container to access the chosen directory on the host. See https://github.com/nextcloud/all-in-one#how-to-allow-the-nextcloud-container-to-access-directories-on-the-host NEXTCLOUD_UPLOAD_LIMIT: 10G # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-upload-limit-for-nextcloud NEXTCLOUD_MAX_TIME: 7200 # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-max-execution-time-for-nextcloud NEXTCLOUD_MEMORY_LIMIT: 2048M # Can be adjusted if you need more. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-php-memory-limit-for-nextcloud # NEXTCLOUD_TRUSTED_CACERTS_DIR: /path/to/my/cacerts # CA certificates in this directory will be trusted by the OS of the nexcloud container (Useful e.g. for LDAPS) See See https://github.com/nextcloud/all-in-one#how-to-trust-user-defined-certification-authorities-ca NEXTCLOUD_STARTUP_APPS: previewgenerator groupfolders deck twofactor_totp tasks calendar contacts notes # Allows to modify the Nextcloud apps that are installed on starting AIO the first time. See https://github.com/nextcloud/all-in-one#how-to-change-the-nextcloud-apps-that-are-installed-on-the-first-startup NEXTCLOUD_ADDITIONAL_APKS: perl imagemagick # This allows to add additional packages to the Nextcloud container permanently. Default is imagemagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-os-packages-permanently-to-the-nextcloud-container # NEXTCLOUD_ADDITIONAL_PHP_EXTENSIONS: imagick # This allows to add additional php extensions to the Nextcloud container permanently. Default is imagick but can be overwritten by modifying this value. See https://github.com/nextcloud/all-in-one#how-to-add-php-extensions-permanently-to-the-nextcloud-container # NEXTCLOUD_ENABLE_DRI_DEVICE: true # This allows to enable the /dev/dri device in the Nextcloud container. ⚠️⚠️⚠️ Warning: this only works if the '/dev/dri' device is present on the host! If it should not exist on your host, don't set this to true as otherwise the Nextcloud container will fail to start! See https://github.com/nextcloud/all-in-one#how-to-enable-hardware-transcoding-for-nextcloud # NEXTCLOUD_KEEP_DISABLED_APPS: false # Setting this to true will keep Nextcloud apps that are disabled in the AIO interface and not uninstall them if they should be installed. See https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps # TALK_PORT: 3478 # This allows to adjust the port that the talk container is using. See https://github.com/nextcloud/all-in-one#how-to-adjust-the-talk-port # WATCHTOWER_DOCKER_SOCKET_PATH: /var/run/docker.sock # Needs to be specified if the docker socket on the host is not located in the default '/var/run/docker.sock'. Otherwise mastercontainer updates will fail. For macos it needs to be '/var/run/docker.sock' # networks: # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file # - nextcloud-aio # Is needed when you want to create the nextcloud-aio network with ipv6-support using this file, see the network config at the bottom of the file # security_opt: ["label:disable"] # Is needed when using SELinux depends_on: - caddy # # Optional: Caddy reverse proxy. See https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md # # You can find further examples here: https://github.com/nextcloud/all-in-one/discussions/588 caddy: image: caddy container_name: caddy restart: unless-stopped volumes: - caddy-data:/data - caddy-config:/config configs: - source: caddyfile target: /etc/caddy/Caddyfile network_mode: "host" configs: caddyfile: file: /docker/caddy/configs/Caddyfile volumes: # If you want to store the data on a different drive, see https://github.com/nextcloud/all-in-one#how-to-store-the-filesinstallation-on-a-separate-drive nextcloud_aio_mastercontainer: name: nextcloud_aio_mastercontainer # This line is not allowed to be changed as otherwise the built-in backup solution will not work caddy-data: caddy-config: # # Optional: If you need ipv6, follow step 1 and 2 of https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md first and then uncomment the below config in order to activate ipv6 for the internal nextcloud-aio network. # # Please make sure to uncomment also the networking lines of the mastercontainer above in order to actually create the network with docker-compose # networks: # nextcloud-aio: # name: nextcloud-aio # This line is not allowed to be changed as otherwise the created network will not be used by the other containers of AIO # driver: bridge # enable_ipv6: true # ipam: # driver: default # config: # - subnet: fd12:3456:789a:2::/64 # IPv6 subnet to use ```Caddyfile
```Caddyfile # https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md#caddy-recommended { # debug } https://My nextcloud aio container selection: Containers Apache (Running) Database (Running) Nextcloud (Running) Notify Push (Running) Redis (Running) Collabora (Running) Talk (Running) Talk Recording (Running) Docker Socket Proxy (Running)
Expected Results
app api test deploy work
Actual Results
app api trest deploy fails in volume creation step
socket proxy container log
```log nc: bad address 'nextcloud-aio-nextcloud' Waiting for Nextcloud to start... Waiting for Nextcloud to start... Waiting for Nextcloud to start... Waiting for Nextcloud to start... Waiting for Nextcloud to start... + dig nextcloud-aio-nextcloud IN A +short +search + grep '^[0-9.]\+$' + sort + head -n1 + IPv4_ADDRESS_NC=172.28.0.9 + sed 's|NC_IPV4_PLACEHOLDER|172.28.0.9|' /haproxy.cfg + HAPROXYFILE='# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg global maxconn 10 defaults timeout connect 10s timeout client 10s timeout server 10s frontend http mode http bind :::2375 v4v6 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src 172.28.0.9 } || { src NC_IPV6_PLACEHOLDER } # docker system _ping http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET # container inspect: GET containers/%s/json http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET # container inspect: GET containers/%s/logs http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET # container start/stop: POST containers/%s/start containers/%s/stop http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST # container rm: DELETE containers/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE # container create: POST containers/create?name=%s # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+ acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+" # ACL to restrict the number of Mounts to 1 acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]" # ACL to deny if there are any binds acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:" # ACL to restrict the type of Mounts to volume acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]" http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST # ACL to restrict container creation, that it has HostConfig.Privileged not set acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"" # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST # end of container create # volume create: POST volumes/create # restrict name acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" # do not allow to use "device" word e.g., "--opt device=:/path/to/dir" acl volume_no_device req.body -m reg -i "\"device\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST # volume rm: DELETE volumes/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE # image pull: POST images/create?fromImage=%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST http-request deny default_backend dockerbackend backend dockerbackend mode http server dockersocket /var/run/docker.sock' + echo '# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg global maxconn 10 defaults timeout connect 10s timeout client 10s timeout server 10s frontend http mode http bind :::2375 v4v6 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src 172.28.0.9 } || { src NC_IPV6_PLACEHOLDER } # docker system _ping http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET # container inspect: GET containers/%s/json http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET # container inspect: GET containers/%s/logs http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET # container start/stop: POST containers/%s/start containers/%s/stop http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST # container rm: DELETE containers/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE # container create: POST containers/create?name=%s # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+ acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+" # ACL to restrict the number of Mounts to 1 acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]" # ACL to deny if there are any binds acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:" # ACL to restrict the type of Mounts to volume acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]" http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST # ACL to restrict container creation, that it has HostConfig.Privileged not set acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"" # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST # end of container create # volume create: POST volumes/create # restrict name acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" # do not allow to use "device" word e.g., "--opt device=:/path/to/dir" acl volume_no_device req.body -m reg -i "\"device\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST # volume rm: DELETE volumes/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE # image pull: POST images/create?fromImage=%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST http-request deny default_backend dockerbackend backend dockerbackend mode http server dockersocket /var/run/docker.sock' + dig nextcloud-aio-nextcloud AAAA +short +search + grep '^[0-9a-f:]\+$' + sort + head -n1 + IPv6_ADDRESS_NC= + '[' -n ] + sed 's# || { src NC_IPV6_PLACEHOLDER }##g' /tmp/haproxy.cfg + HAPROXYFILE='# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg global maxconn 10 defaults timeout connect 10s timeout client 10s timeout server 10s frontend http mode http bind :::2375 v4v6 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src 172.28.0.9 } # docker system _ping http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET # container inspect: GET containers/%s/json http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET # container inspect: GET containers/%s/logs http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET # container start/stop: POST containers/%s/start containers/%s/stop http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST # container rm: DELETE containers/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE # container create: POST containers/create?name=%s # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+ acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+" # ACL to restrict the number of Mounts to 1 acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]" # ACL to deny if there are any binds acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:" # ACL to restrict the type of Mounts to volume acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]" http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST # ACL to restrict container creation, that it has HostConfig.Privileged not set acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"" # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST # end of container create # volume create: POST volumes/create # restrict name acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" # do not allow to use "device" word e.g., "--opt device=:/path/to/dir" acl volume_no_device req.body -m reg -i "\"device\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST # volume rm: DELETE volumes/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE # image pull: POST images/create?fromImage=%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST http-request deny default_backend dockerbackend backend dockerbackend mode http server dockersocket /var/run/docker.sock' + echo '# Inspiration: https://github.com/Tecnativa/docker-socket-proxy/blob/master/haproxy.cfg global maxconn 10 defaults timeout connect 10s timeout client 10s timeout server 10s frontend http mode http bind :::2375 v4v6 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src 172.28.0.9 } # docker system _ping http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET # container inspect: GET containers/%s/json http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET # container inspect: GET containers/%s/logs http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/logs } METH_GET # container start/stop: POST containers/%s/start containers/%s/stop http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST # container rm: DELETE containers/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE # container create: POST containers/create?name=%s # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+ acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+" # ACL to restrict the number of Mounts to 1 acl one_mount_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*(?:(?!\"Mounts\"\s*:\s*\[)[^}]*)}[^}]*\]" # ACL to deny if there are any binds acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:" # ACL to restrict the type of Mounts to volume acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]" http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST # ACL to restrict container creation, that it has HostConfig.Privileged not set acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"" # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST # end of container create # volume create: POST volumes/create # restrict name acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\"" # do not allow to use "device" word e.g., "--opt device=:/path/to/dir" acl volume_no_device req.body -m reg -i "\"device\"" http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST # volume rm: DELETE volumes/%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE # image pull: POST images/create?fromImage=%s http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST http-request deny default_backend dockerbackend backend dockerbackend mode http server dockersocket /var/run/docker.sock' + set +x ```docker container name that is started: nextcloud-aio-docker-socket-proxy
test-deploy-logs
Setup configuration
linux arch standart docker daemon installation hosthardware does not have any gpu --> no /dev/dri device existing
nextcloud aio latest --> 9.0.1
tested on both, latest and beta