Open devent opened 2 years ago
Does this still happen today using the latest version of this helm chart? I know that config may always be owned by root, as per this issue, https://github.com/nextcloud/helm/issues/335, however, I'm not sure that's related. You could try setting this:
nextcloud:
podSecurityContext:
runAsUser: 33
runAsGroup: 33
runAsNonRoot: true
fsGroup: 33
However, that may already get set here:
Note: Since this issue was introduced, we've modified the available securityContext
parameters. We have nextcloud.securityContext
, nginx.securityContext
(for the containers) and nextcloud.podSecurityContext
(for the pod).
@jessebot Still having the issue when trying your YAML snippet. Also can't use the example from the chart's values.yaml as they are invalid values:
Have to revert to last known working version, which for me is 3.5.19 of the chart.
@jilleJr or @devent could you please provide your whole values.yaml after anonymizing any sensitive data?
Also can't use the example from the chart's values.yaml as they are invalid values
Could you explain what you mean by invalid and where you're seeing the error? Those are the default values that are applied if you're using the non-alpine containers.
@jilleJr or @devent could you please provide your whole values.yaml after anonymizing any sensitive data?
Also can't use the example from the chart's values.yaml as they are invalid values
Sure:
Could you explain what you mean by invalid and where you're seeing the error? Those are the default values that are applied if you're using the non-alpine containers.
The readOnlyRootFilesystem
is not a valid pod-level securityContext field.
Given that they're just copy-pasted from each other, I don't know how credible they are.
will this ever be fixed? or are we doomed to run nextcloud as root in kubernetes for ever?
I updated my nextcloud docker installation to 27.1.3 today and it failed with this similar error. I am running non-root user as well. I found this thread: https://forums.unraid.net/topic/88504-support-knex666-nextcloud/page/20/ where robbenmu suggests that removing the redis config from the docker container makes it work. I tried that and it also worked for me (without disabling/removing the redis configuration in config.php
) but I doubt my nextcloud is using redis now.
EDIT
I found quickly that the mobile uploads wouldn't work: Malformed Server Configuration with Redis configured in the config.php but no Redis server defined. So, I added a bind volume to my docker container with a pointer to a local and editable redis-session.ini
so that nextcloud could edit it inside /usr/local/etc/php/conf.d/redis-session.ini
. This is a super dumb problem that should be fixed...
@provokateurin or @tvories Are you running redis and a non-root container?
I see that this does indeed try to write to /usr/local/etc/php/conf.d/redis-session.ini
, which would actually be a root owned directory I think. Would the correct thing to do be raising this with nextcloud/docker or nextcloud/server? Why is this being written here and could we maybe make it configurable?
Any plans to make it work rootless? I am also failing for running nextcloud with redis enabled with a non-root user.
Would really appreciate it, when there would be an option to run it rootless.
@98jan can you please try asking in the upstream repo about this? This seems to be a nextcloud/docker issue.
there is already an issue upstream.. and its more than 4 years old :D but the maintainers seems not to care about that
and its more than 4 years old :D but the maintainers seems not to care about that
Please be nice. I know you're all frustrated, but it's not that the maintainers dislike you or your particular GitHub Issue. We're unpaid volunteers that do this in our free time.
I left a comment on that issue: https://github.com/nextcloud/docker/issues/763#issuecomment-1855485793
One of the contributors there suggested:
Don't set redis host. Configure it with occ
If we can figure out the occ command, I'm open to a PR to remove the ConfigMap and instead have a job that has post-install helm hook annotations to set the redis host that way. As long as it doesn't break anything, that seems like a win-win situation, yes?
@stavros-k responded and helped us out by providing the scripts we need here:
here is the redis script, you will also find other utils in this dir https://github.com/stavros-k/containers/blob/master/apps/nextcloud-fpm/configure-scripts/occ-redis.sh
Please feel free to test out the suggested solution and submit a PR.
also, I played with the docker hooks feature a bit, but couldn't seem to get it to work? :thinking: you can see more details in https://github.com/nextcloud/docker/issues/763#issuecomment-1857453976 but until that's resolved (https://github.com/nextcloud/docker/pull/2115), we still need to do this via a job with a helm hook rather than using the docker hooks feature.
May I ask what's the altest on this ? Trying to use redis with my k3s deployment and it fails with the same error (i'm not even running it as nonRoot for now...)
@R-Nabil, sorry for the extreme delay here, but this shouldn't occur for non-root usage. If it's still happening, could you please open a separate issue?
Need to run a non-root container. I set the
securityContext
as following:Get the error:
Of course a non-root can not write to
/usr/local/etc/php/conf.d
Source https://github.com/nextcloud/docker/blob/master/22/apache/entrypoint.sh#L77