nextcloud / docker

⛴ Docker image of Nextcloud
https://hub.docker.com/_/nextcloud/
GNU Affero General Public License v3.0

Nextcloud fpm fails to initialize database on clean install #2190

Closed djakupovic closed 5 months ago

djakupovic commented 7 months ago

Hi,

I tried my best to find the issue, but with no success. I also analyzed the Dockerfile of the Nextcloud image as well as the PHP base image. The apache image works flawlessly. I tried nginx and caddy as the web server for fpm, both with the same error. I tried MariaDB and Postgres, with the same error. I run docker compose on Docker for Windows on WSL2.

Issue: I get this error on the initial installation form, after I enter the initial admin credentials:

There is no table with name "oc_nas.oc_comments" in the schema.

If I try again I get this:

Insufficient privilege: 7 ERROR: permission denied for table oc_migrations

Postgres log says this:

ERROR:  permission denied for table oc_migrations
2024-03-25 10:21:59.138 CET [91] STATEMENT:  SELECT "version" FROM "oc_migrations" WHERE "app" = $1 ORDER BY "version" ASC

I also logged the Postgres queries executed by Nextcloud, and it hits this error.
I also found this: https://help.nextcloud.com/t/permission-denied-for-table-oc-migrations-on-startup/185597 --> it did not help, and this: https://github.com/nextcloud/helm/issues/436 --> they have the same error, but with the helm chart.

What I also tried:

php occ maintenance:install \
--database='pgsql' --database-host='postgres' --database-name='nextcloud' \
--database-user='nextcloud' --database-pass='nextcloud' \
--admin-user='nextcloud' --admin-pass='nextcloud' 

And I hit the same error

I also tried to set the permissions manually with PSQL, but still no success.

I also tried to set the ADMIN ENV variables so that it creates the initial user on first start, but it fails with the same error.

Here is the docker compose file I created:

version: "3.8"

name: nextcloud

services:
  nextcloud-web:
    image: nginx:1.25.4-alpine3.18
    container_name: nextcloud-nginx
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/data/html:/var/www/html:ro" #:z,ro on SELINUX
      - "C:/Users/NAS/Docker/Volumes/nextcloud/nginx.conf:/etc/nginx/nginx.conf:ro"
    networks:
      - nextcloud
    depends_on:
      - nextcloud-fpm

  nextcloud-fpm:
    image: nextcloud:28.0.3-fpm-alpine
    container_name: nextcloud
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
      - POSTGRES_HOST=nextcloud-postgres
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=nextcloud
      - REDIS_HOST=nextcloud-redis
      - REDIS_HOST_PORT=6379
      - REDIS_HOST_PASSWORD=nextcloud
      - PHP_UPLOAD_LIMIT=0
      - PHP_MEMORY_LIMIT=1G
      - OVERWRITEPROTOCOL=https
      - NEXTCLOUD_TRUSTED_DOMAINS=mydns
      #- APACHE_DISABLE_REWRITE_IP=1
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/data/html:/var/www/html" #:z on linux with selinux
      - "C:/Users/NAS/Docker/Volumes/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:ro"
    networks:
      - nextcloud
    depends_on:
      - nextcloud-postgres
      - nextcloud-redis

  nextcloud-postgres:
    image: postgres:16.2-bullseye
    container_name: nextcloud-postgres
    restart: unless-stopped
    environment:
      - TZ=Europe/Berlin
      - POSTGRES_DB=nextcloud
      - POSTGRES_USER=nextcloud
      - POSTGRES_PASSWORD=nextcloud
      - PGDATA=/var/lib/postgresql/data/pgdata #explicitly declare data directory volume
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"
    networks:
      - nextcloud

  nextcloud-redis:
    image: redis:7.2.4-alpine
    container_name: nextcloud-redis
    restart: unless-stopped
    command: redis-server --requirepass nextcloud
    environment:
      - TZ=Europe/Berlin
      - PUID=1000
      - PGID=100
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/redis:/data"
    networks:
      - nextcloud

networks:
  nextcloud:
    name: nextcloud

Config files, but the problem is still there even if these are not set.

opcache config:

opcache.enable=1
opcache.interned_strings_buffer=64
opcache.max_accelerated_files=200000
opcache.max_wasted_percentage=15
opcache.memory_consumption=1024
opcache.save_comments=1
opcache.revalidate_freq=60
opcache.jit=1255
opcache.jit_buffer_size=256M

fpm-config:

[www]
user = www-data
group = www-data
; nginx runs in a separate container and connects to nextcloud:9000,
; so php-fpm must bind on all interfaces, not only on loopback
listen = 9000
pm = dynamic
pm.max_children = 281
pm.start_servers = 140
pm.min_spare_servers = 93
pm.max_spare_servers = 187

nginx config:

worker_processes auto;

error_log  /var/log/nginx/nextcloud.error.log debug;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    # Prevent nginx HTTP Server Detection
    server_tokens   off;

    keepalive_timeout  65;

    # Set the `immutable` cache control options only for assets with a cache busting `v` argument
    map $arg_v $asset_immutable {
        ""      "";
        default ", immutable";
    }

    #gzip  on;

    upstream php-handler {
        server nextcloud:9000;
    }

    server {
        listen 80;
        listen [::]:80;
        server_name nextcloud.djnas.vip;

        access_log /var/log/nginx/nextcloud.access.log;
        # HSTS settings
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;

        # set max upload size and increase upload timeout:
        client_max_body_size 512M;
        client_body_timeout 300s;
        fastcgi_buffers 64 4K;

        # The settings allows you to optimize the HTTP2 bandwidth.
        # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
        # for tuning hints
        client_body_buffer_size 512k;

        # Enable gzip but do not remove ETag headers
        gzip on;
        gzip_vary on;
        gzip_comp_level 4;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
        gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

        # Pagespeed is not supported by Nextcloud, so if your server is built
        # with the `ngx_pagespeed` module, uncomment this line to disable it.
        #pagespeed off;

        # HTTP response headers borrowed from Nextcloud `.htaccess`
        add_header Referrer-Policy                      "no-referrer"       always;
        add_header X-Content-Type-Options               "nosniff"           always;
        add_header X-Frame-Options                      "SAMEORIGIN"        always;
        add_header X-Permitted-Cross-Domain-Policies    "none"              always;
        add_header X-Robots-Tag                         "noindex, nofollow" always;
        add_header X-XSS-Protection                     "1; mode=block"     always;

        # Remove X-Powered-By, which is an information leak
        fastcgi_hide_header X-Powered-By;

        # Path to the root of your installation
        root /var/www/html;

        include mime.types;
        #types {
        ##    text/javascript js mjs;
        #    application/wasm wasm;
        #}

        # Specify how to handle directories -- specifying `/index.php$request_uri`
        # here as the fallback means that Nginx always exhibits the desired behaviour
        # when a client requests a path that corresponds to a directory that exists
        # on the server. In particular, if that directory contains an index.php file,
        # that file is correctly served; if it doesn't, then the request is passed to
        # the front-end controller. This consistent behaviour means that we don't need
        # to specify custom rules for certain paths (e.g. images and other assets,
        # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
        # `try_files $uri $uri/ /index.php$request_uri`
        # always provides the desired behaviour.
        index index.php index.html /index.php$request_uri;

        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
        location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
                return 302 /remote.php/webdav/$is_args$args;
            }
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        # Make a regex exception for `/.well-known` so that clients can still
        # access it despite the existence of the regex rule
        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
        # for `/.well-known`.
        location ^~ /.well-known {
            # The rules in this block are an adaptation of the rules
            # in `.htaccess` that concern `/.well-known`.

            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav  { return 301 /remote.php/dav/; }

            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }

            # Let Nextcloud's API for `/.well-known` URIs handle all other
            # requests by passing them to the front-end controller.
            return 301 /index.php$request_uri;
        }

        # Rules borrowed from `.htaccess` to hide certain paths from clients
        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }

        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
        # which handle static assets (as seen below). If this block is not declared first,
        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
        # to the URI, resulting in a HTTP 500 error response.
        location ~ \.php(?:$|/) {
            # Required for legacy support
            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;

            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;

            try_files $fastcgi_script_name =404;

            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;

            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
            fastcgi_param front_controller_active true;     # Enable pretty urls
            fastcgi_pass php-handler;

            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;

            fastcgi_max_temp_file_size 0;
        }

        # Javascript mimetype fixes for nginx
        # Note: The block below should be removed, and the js|mjs section should be
        # added to the block below this one. This is a temporary fix until Nginx 
        # upstream fixes the js mime-type
        location ~* \.(?:js|mjs)$ {
            types { 
                text/javascript js mjs;
            } 
            try_files $uri /index.php$request_uri;
            add_header Cache-Control "public, max-age=15778463$asset_immutable";
            access_log off;
        }

        # Serve static files
        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
            try_files $uri /index.php$request_uri;
            # HTTP response headers borrowed from Nextcloud `.htaccess`
            add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
            add_header Referrer-Policy                   "no-referrer"       always;
            add_header X-Content-Type-Options            "nosniff"           always;
            add_header X-Frame-Options                   "SAMEORIGIN"        always;
            add_header X-Permitted-Cross-Domain-Policies "none"              always;
            add_header X-Robots-Tag                      "noindex, nofollow" always;
            add_header X-XSS-Protection                  "1; mode=block"     always;
            access_log off;     # Optional: Don't log access to assets
        }

        location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
            access_log off;     # Optional: Don't log access to assets
        }

        # Rule borrowed from `.htaccess`
        location /remote {
            return 301 /remote.php$request_uri;
        }

        location / {
            try_files $uri $uri/ /index.php$request_uri;
        }
    }
}

tzerber commented 6 months ago

I see a mix of Windows volumes and Linux volumes in the same compose file. On WSL2 the path to C:\ is /mnt/c/. Can you please fix your volumes and try again? I am using WSL2 to test most of the changes or generic Nextcloud experiments and never had any issues in all variants.

EDIT: I just ran your setup without the volumes and it gave me no errors.

nextcloud-postgres  | 2024-04-25 18:20:45.715 CEST [1] LOG:  database system is ready to accept connections
nextcloud           | New nextcloud instance
nextcloud           | Initializing finished
nextcloud           | => Searching for scripts (*.sh) to run, located in the folder: /docker-entrypoint-hooks.d/before-starting
nextcloud           | [25-Apr-2024 16:20:47] NOTICE: fpm is running, pid 1
nextcloud           | [25-Apr-2024 16:20:47] NOTICE: ready to handle connections

Edit 2: You are also probably missing some configs on WSL2.

Add this to /etc/wsl.conf

[automount]
root = /mnt
options = "metadata"

Then open cmd as admin and type wsl --shutdown (or reboot your PC). Then reopen wsl, restart docker and it should be fine. You can google around how to make docker service autostart on wsl startup.

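The two fixes in the comment above (convert the `C:/...` bind-mount sources to their `/mnt/c/...` WSL2 form, and add `options = "metadata"` under `[automount]` in /etc/wsl.conf) as a small Python helper. This is an added example, not code from the thread or from the Nextcloud project; the compose excerpt it runs on is constructed in the shape of the reporter's file, and it edits only `volumes:` entries whose source starts with a drive letter (a single-letter named volume such as `v:/data` would be rewritten too, which is why the changed paths are returned for review).

```python
import configparser
import io
import re
from typing import List, Tuple

# A Compose bind-mount whose source is a Windows drive path, e.g.
#   - "C:/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"
# "host" stops at the first ':' because that is where the container path starts.
_WIN_VOLUME = re.compile(
    r'^(?P<indent>\s*-\s*)(?P<quote>["\']?)'
    r'(?P<drive>[A-Za-z]):[\\/](?P<host>[^:"\']*)(?P<tail>:.*)$'
)


def to_wsl_path(win_path: str) -> str:
    """C:/x/y or C:\\x\\y -> /mnt/c/x/y (the WSL2 automount form); POSIX paths pass through."""
    m = re.match(r'^([A-Za-z]):[\\/](.*)$', win_path)
    if not m:
        return win_path
    drive, rest = m.group(1).lower(), m.group(2).replace('\\', '/')
    return f'/mnt/{drive}/{rest}'


def rewrite_compose_volumes(compose_text: str) -> Tuple[str, List[str]]:
    """Rewrite Windows host paths in `volumes:` entries.

    Returns the new text and the list of host paths that were changed, so the
    operator can eyeball them before replacing the file.
    """
    out, changed = [], []
    for line in compose_text.splitlines():
        m = _WIN_VOLUME.match(line)
        if m:
            host = f"{m['drive']}:/{m['host']}"
            changed.append(host)
            line = f"{m['indent']}{m['quote']}{to_wsl_path(host)}{m['tail']}"
        out.append(line)
    return '\n'.join(out) + '\n', changed


def ensure_wsl_metadata(wsl_conf: str) -> str:
    """Return /etc/wsl.conf content with `metadata` present in [automount] options.

    Without it, files on the /mnt/c mount carry no Linux ownership/mode metadata,
    which is what breaks permissions for the postgres and nextcloud containers.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(wsl_conf)
    if not cp.has_section('automount'):
        cp.add_section('automount')
    current = cp.get('automount', 'options', fallback='').strip().strip('"')
    parts = [p for p in current.split(',') if p]
    if 'metadata' not in parts:
        parts.append('metadata')
    cp.set('automount', 'options', '"' + ','.join(parts) + '"')
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


# Constructed excerpt in the shape of the compose file from the report (not the full file).
SAMPLE_COMPOSE = """\
services:
  nextcloud-fpm:
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/data/html:/var/www/html" #:z on linux with selinux
      - "C:/Users/NAS/Docker/Volumes/nextcloud/www.conf:/usr/local/etc/php-fpm.d/www.conf:ro"
  nextcloud-postgres:
    volumes:
      - "C:/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"
      - pgsocket:/var/run/postgresql
"""

if __name__ == "__main__":
    text, changed = rewrite_compose_volumes(SAMPLE_COMPOSE)
    print(text)
    print("rewrote:", changed)
    print(ensure_wsl_metadata('[automount]\nroot = /mnt\n'))
```

After rewriting, the reporter's `- "C:/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"` becomes `- "/mnt/c/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"`; the wsl.conf change still needs the `wsl --shutdown` restart described above to take effect.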

joshtrichards commented 5 months ago

  - "C:/Users/NAS/Docker/Volumes/nextcloud/postgres:/var/lib/postgresql/data"

[...] Insufficient privilege: 7 ERROR: permission denied for table oc_migrations

Can't reproduce this.

There's basically no way for the privileges to be wrong with that particular Compose file (assuming truly starting from scratch), since POSTGRES_PASSWORD is literally the PostgreSQL superuser:

https://github.com/docker-library/docs/tree/master/postgres#environment-variables

The Nextcloud installer initially creates an oc_blah* account with fewer privileges for Nextcloud to use, then everything else happens within that account (and that account is what gets saved in your initial config.php).

Best guess: you started a prior postgresql container, stopped it, but didn't clear out the contents of C:/Users/NAS/Docker/Volumes/nextcloud/postgres in between test runs. But that's just a wild guess.

There's no need to speculate though. You can check the postgresql container. It will indicate whether it's starting from scratch or not, example.
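The check suggested above, as an added example that is not part of the thread or of the Nextcloud project: it classifies the postgres container log as a fresh initdb or a reused data directory (using the two messages the official postgres image's entrypoint prints for those cases), reads the `dbuser` the installer wrote into config.php, and compares it against the owners of the `oc_*` tables reported by `pg_tables`. A table owned by a role other than the one in config.php is exactly what yields "permission denied for table oc_migrations" for a non-superuser role without extra grants. The log lines, config.php fragment and psql output below are constructed samples.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Exact lines the official postgres image's docker-entrypoint.sh prints, depending on
# whether PGDATA was empty (fresh initdb) or already held a cluster from an earlier run.
FRESH_INIT = "PostgreSQL init process complete; ready for start up."
REUSED_DIR = "PostgreSQL Database directory appears to contain a database; Skipping initialization"


def postgres_init_state(log_text: str) -> str:
    """'fresh' if this container ran initdb, 'reused' if it picked up an existing PGDATA, else 'unknown'."""
    if REUSED_DIR in log_text:
        return "reused"
    if FRESH_INIT in log_text:
        return "fresh"
    return "unknown"


# 'dbuser' in config.php is the role Nextcloud actually connects as; on PostgreSQL the
# installer creates a lower-privileged oc_* role for it when handed a superuser.
_DBUSER = re.compile(r"'dbuser'\s*=>\s*'([^']*)'")


def nextcloud_db_user(config_php: str) -> Optional[str]:
    m = _DBUSER.search(config_php)
    return m.group(1) if m else None


# Lists every oc_* table in the public schema with its owning role. Run it with e.g.
#   docker exec nextcloud-postgres psql -U nextcloud -d nextcloud -At -c "<query>"
OWNERSHIP_QUERY = (
    "SELECT tablename, tableowner FROM pg_tables "
    "WHERE schemaname = 'public' AND tablename LIKE 'oc\\_%' ORDER BY tablename"
)


def parse_psql_rows(output: str) -> List[Tuple[str, str]]:
    """Parse `psql -At` output: one 'tablename|tableowner' per line."""
    rows = []
    for line in output.splitlines():
        if "|" in line:
            name, owner = line.split("|", 1)
            rows.append((name.strip(), owner.strip()))
    return rows


def ownership_mismatches(db_user: str, rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Tables not owned by the configured role; without extra GRANTs that role gets
    'permission denied for table ...' on each of them."""
    return [name for name, owner in rows if owner != db_user]


def diagnose(postgres_log: str, config_php: str, psql_output: str) -> dict:
    user = nextcloud_db_user(config_php)
    return {
        "init_state": postgres_init_state(postgres_log),
        "db_user": user,
        "foreign_owned": ownership_mismatches(user or "", parse_psql_rows(psql_output)),
    }


# Constructed samples (not real output from the report), in the shape of `docker compose logs`.
SAMPLE_REUSED_LOG = """\
nextcloud-postgres  | PostgreSQL Database directory appears to contain a database; Skipping initialization
nextcloud-postgres  | 2024-03-25 10:21:58.901 CET [1] LOG:  database system is ready to accept connections
nextcloud-postgres  | 2024-03-25 10:21:59.138 CET [91] ERROR:  permission denied for table oc_migrations
"""
SAMPLE_FRESH_LOG = "nextcloud-postgres  | PostgreSQL init process complete; ready for start up.\n"
SAMPLE_CONFIG_PHP = "<?php\n$CONFIG = array (\n  'dbtype' => 'pgsql',\n  'dbuser' => 'oc_nextcloud',\n);\n"
# oc_appconfig belongs to this install's role; oc_migrations was left behind by an earlier run.
SAMPLE_PSQL_OUTPUT = "oc_appconfig|oc_nextcloud\noc_migrations|oc_admin\n"

if __name__ == "__main__":
    print(diagnose(SAMPLE_REUSED_LOG, SAMPLE_CONFIG_PHP, SAMPLE_PSQL_OUTPUT))
```

If `init_state` comes back `reused` on what was meant to be a clean install, the fix the thread points to is to clear the mounted postgres directory (and the html volume that holds config.php) and start over, rather than patching grants by hand.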

tzerber commented 5 months ago

I believe the fella got his issue resolved. On WSL under Windows there's that problem with permissions on files, and it just behaves a bit differently than a full Linux. I managed to reproduce it when I answered before, and the problem lies in /etc/wsl.conf; you need to add this

options = "metadata"

as per my answer above. I'd say this issue is for closing.

joshtrichards commented 5 months ago

Gotcha.

I had to look that up since I haven't messed with WSL2 in a while. :-) For future reference for those that end up here:

https://learn.microsoft.com/en-us/windows/wsl/wsl-config#automount-options

And, thanks @tzerber for looking into these matters to help sort them out!