nextcloud / helm

A community maintained helm chart for deploying Nextcloud on Kubernetes.
GNU Affero General Public License v3.0

Extra volume mounts have root permissions, nextcloud can't access them. #101

Open Couto opened 3 years ago

Couto commented 3 years ago

Extra volumes declared in the values.yml file are successfully mounted in the nextcloud container, however, they are mounted with root:root permissions, therefore the Nextcloud instance can't access those folders, resulting in a popup notification saying "This operation is forbidden".

This simple configuration:

  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
  extraVolumes:
    - name: nfs-shared-files
      nfs:
        server: "<REDACTED>"
        path: "/volume1/Shared Files/"
        readOnly: false
  extraVolumeMounts:
    - name: nfs-shared-files
      mountPath: "/mnt/shared_files"

Results in the following:

[Screenshot 2021-03-23 at 19 42 56] [Screenshot 2021-03-23 at 19 43 08]

Is there any property that I'm missing?

ghost commented 3 years ago

Make sure your directory is RW and its parent directories are accessible to user www-data (or other web server username).

localhost:~/# ls -al /mnt/shared_file
drwxr-xr-x  3 www-data www-data 4096 Apr  5 13:07 .
drwxr-xr-x 15  root root 4096 Apr  5 13:07 ..
-rw-r--r--  1 www-data www-data 4096 Apr 5 13:07 fileToShare
drwxr-xr-x  www-data www-data  4096 Apr 5 13:07 folderToShare

Couto commented 3 years ago

@HouraisanNEET This might be a completely noob question from me but how? Inside the container there's no sudo, and su doesn't seem to work.

chown: changing ownership of '/mnt/shared_files': Operation not permitted
chown: changing ownership of '/mnt/shared_files/TV Shows/REDACTED': Operation not permitted

chrisingenhaag commented 3 years ago

Hi, the NFS use case you want to integrate is special. See the Kubernetes spec (https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#nfsvolumesource-v1-core), which notes that NFS volumes do not support ownership management or SELinux relabeling. So the helm chart config stuff for setting an fsGroup to the container's www-data uid 33 doesn't work here.

You have to make sure by yourself that the files are accessible to www-data (uid=33). Maybe you can search issues here in the project. People used init-containers to set correct permissions.
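The check described in the two replies above (the mounted directory writable, and every parent directory traversable, for www-data, uid 33), as an added example that is not part of the thread or the chart. The function names are hypothetical, gid 33 for www-data and GNU stat are assumptions, and only classic mode bits are evaluated.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates classic owner/group/other mode
# bits only: ignores ACLs, supplementary groups and any uid squashing done by
# the NFS server. Assumes GNU stat (coreutils), as in Debian-based images.

# mode_allows UID GID WANT PATH   (hypothetical helper name)
# WANT is an octal permission mask: 1 = traverse (x), 7 = rwx.
# Returns 0 if granted, 1 if denied, 2 if PATH cannot be stat'ed.
mode_allows() {
    ma_info=$(stat -L -c '%u %g %a' -- "$4") || return 2
    ma_uid=$1; ma_gid=$2; ma_want=$3
    set -- $ma_info                  # $1 = owner uid, $2 = owner gid, $3 = octal mode
    ma_mode=$((0$3))                 # leading 0 makes the shell read it as octal
    if [ "$ma_uid" -eq "$1" ]; then
        ma_bits=$(( (ma_mode >> 6) & 7 ))    # owner bits apply
    elif [ "$ma_gid" -eq "$2" ]; then
        ma_bits=$(( (ma_mode >> 3) & 7 ))    # group bits apply
    else
        ma_bits=$(( ma_mode & 7 ))           # other bits apply
    fi
    [ $(( ma_bits & ma_want )) -eq "$ma_want" ]
}

# blockers UID GID DIR [STOP]   (hypothetical helper name)
# Prints every path component that denies access: rwx is required on DIR,
# traverse (x) on each ancestor up to STOP (default /). Returns 1 if any denied.
blockers() {
    b_uid=$1; b_gid=$2; b_cur=$3; b_stop=${4:-/}; b_want=7; b_rc=0
    while :; do
        mode_allows "$b_uid" "$b_gid" "$b_want" "$b_cur" ||
            { printf '%s\n' "$b_cur"; b_rc=1; }
        case $b_cur in "$b_stop"|/|.) break ;; esac
        b_cur=$(dirname -- "$b_cur"); b_want=1
    done
    return "$b_rc"
}

# Usage inside the pod: sh check.sh /mnt/shared_files
# uid 33 is the www-data uid named in the thread; gid 33 is an assumption.
if [ "$#" -ge 1 ]; then
    blockers 33 33 "$1"
fi
```

A path printed here has to be fixed where the ownership lives: on the NFS server or its export options for the share itself, since the Kubernetes NFS volume source does no ownership management.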

Couto commented 3 years ago

> You have to make sure by yourself that the files are accessible to www-data (uid=33). Maybe you can search issues here in the project. People used init-containers to set correct permissions.

Maybe it's because it's still too early in here, or I'm missing my coffee, but I can't find any examples of people using init containers with helm.

Also, if this is a common problem, maybe it's worth it to integrate the solution here in this repo?

PuzzleFoco commented 3 years ago

Don't find here a possibility to use an initContainer either. Would be if there was a possibility for an initContainer besides the ones for the databases.

jessebot commented 1 year ago

Hoi! I'm coming into this pretty late, but support for initContainers was added here: https://github.com/nextcloud/helm/commit/6e09f8f01547558ba8bab1bb021aa8a69508c49b

Is the original issue still happening though?