owncloud / ocis

ownCloud Infinite Scale Stack
https://doc.owncloud.com/ocis/next/
Apache License 2.0

Login error - Unable to initialise metadata client and find roles #8730

Open mybuntu-git2 opened 6 months ago

mybuntu-git2 commented 6 months ago

Describe the bug

owncloud docker v5.0.0 on arm. Login does not work for previously working user and password.

Steps to reproduce

  1. Access reverse proxy at my.reverse.proxy:9200
  2. Insert user and password
  3. Get message: "Not logged in. This could be because of a routine safety log out, or because your account is either inactive or not yet authorized for use. Please try logging in after a while or seek help from your Administrator"

Expected behavior

Login should happen

Actual behavior

Return message at repro step 3 and login does not happen (see details for debug log)

Setup

Docker v5.0.0 docker-compose.yml:

version: "3.7"

services:
  ocis:
    image: owncloud/ocis:5.0.0 #old: 4.0.6
    ports:
      - "9200:9200"
    environment:
      OCIS_INSECURE: "false"
      PROXY_ENABLE_BASIC_AUTH: "true"
      OCIS_URL: "https://my.reverse.proxy.domain:9200"
      PROXY_ROLE_ASSIGNMENT_DRIVER: "default"
      OCIS_LOG_PRETTY: "false"
      OCIS_LOG_LEVEL: debug
      OCIS_LOG_FILE: "/etc/ocis/ocis_logfile.log"
      STORAGE_SYSTEM_CACHE_STORE: "redis"
      OCIS_CACHE_STORE_NODES: "xxx:d6379"
      OCIS_ADD_RUN_SERVICES: "antivirus"
      OCIS_EXCLUDE_RUN_SERVICES: "thumbnails,invitations,auth-bearer,store,storage-publiclink,ocm"
      OCIS_ASYNC_UPLOADS: "true"
      POSTPROCESSING_STEPS: "virusscan"
      ANTIVIRUS_SCANNER_TYPE: "clamav"
      ANTIVIRUS_CLAMAV_SOCKET: "tcp://xxx:3310"
      ANTIVIRUS_INFECTED_FILE_HANDLING: "delete"
      ANTIVIRUS_MAX_SCAN_SIZE: "1GB"
      WEBDAV_DISABLE_PREVIEWS: "true"
      STORAGE_USERS_UPLOAD_EXPIRATION: "86400"
      STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE: "720h0m0s"
      STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE: "720h0m0s"
    volumes:
      - "./config:/etc/ocis"
      - "./data_symlink:/var/lib/ocis"
    logging:
      driver: local
      options:
        max-size: "100MB" # limit the size of the log file
        max-file: "5" # limit the count of the log files
    restart: unless-stopped 
{"level":"debug","service":"proxy","claims":"marshaling error: json: unsupported type: map[interface {}]interface {}","time":"2024-03-26T06:05:57Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:69","message":"cache hit for userinfo"}
{"level":"error","service":"ocis","error":"internal error: create container:decomposedfs: Wrap: readlink error: readlink /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f/settings: invalid argument","time":"2024-03-26T06:05:57Z","line":"github.com/owncloud/ocis/v2/services/settings/pkg/store/metadata/store.go:69","message":"error initializing metadata client"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:05:57Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38","message":"Could not load roles"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:05:57Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:140","message":"Could not get user roles"}
{"level":"debug","service":"proxy","claims":"marshaling error: json: unsupported type: map[interface {}]interface {}","time":"2024-03-26T06:06:32Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:69","message":"cache hit for userinfo"}
{"level":"error","service":"proxy","error":"{\"id\":\"com.owncloud.api.settings\",\"code\":502,\"detail\":\"circuit breaker is open\",\"status\":\"Bad Gateway\"}","time":"2024-03-26T06:06:32Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38","message":"Could not load roles"}
{"level":"error","service":"proxy","error":"{\"id\":\"com.owncloud.api.settings\",\"code\":502,\"detail\":\"circuit breaker is open\",\"status\":\"Bad Gateway\"}","time":"2024-03-26T06:06:32Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:140","message":"Could not get user roles"}
{"level":"debug","service":"web","allowed_origins":"*","allowed_methods":"OPTIONS, HEAD, GET, PUT, PATCH, POST, DELETE, MKCOL, PROPFIND, PROPPATCH, MOVE, COPY, REPORT, SEARCH","allowed_headers":"Origin, Accept, Content-Type, Depth, Authorization, Ocs-Apirequest, If-None-Match, If-Match, Destination, Overwrite, X-Request-Id, X-Requested-With, Tus-Resumable, Tus-Checksum-Algorithm, Upload-Concat, Upload-Length, Upload-Metadata, Upload-Defer-Length, Upload-Expires, Upload-Checksum, Upload-Offset, X-HTTP-Method-Override","allow_credentials":true,"time":"2024-03-26T06:07:23Z","line":"github.com/owncloud/ocis/v2/ocis-pkg/middleware/header.go:33","message":"setup cors middleware"}
{"level":"debug","service":"proxy","claims":{"aud":"web","email":"redacted@gmail.com","email_verified":false,"exp":1711433324,"family_name":"myname","iat":1711433024,"iss":"https://backupper.synology.me:9200","jti":"iAFTCzJve9Xp5x6DBtJOa48m-_cpPnob","lg.i":{"dn":"silvano","id":"ownCloudUUID=e73ea472-e350-453d-ba37-7e6d33a8621b","un":"myname"},"lg.p":"identifier-ldap","lg.t":"1","name":"myname","preferred_username":"myname","scp":"openid profile email","sub":"PdEVdMUHkp1uBffr@B7R52RCK6vw4cCc1CqEIZ-pkeB9cPejXMb3bkx-6Ri-vDSIzDQxFYVQQScZHwfz0hRU5ZA"},"time":"2024-03-26T06:07:27Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:130","message":"extracted claims"}
{"level":"error","service":"ocis","error":"internal error: create container:decomposedfs: Wrap: readlink error: readlink /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f/settings: invalid argument","time":"2024-03-26T06:07:27Z","line":"github.com/owncloud/ocis/v2/services/settings/pkg/store/metadata/store.go:69","message":"error initializing metadata client"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:27Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38","message":"Could not load roles"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:27Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:140","message":"Could not get user roles"}
{"level":"debug","service":"proxy","claims":"marshaling error: json: unsupported type: map[interface {}]interface {}","time":"2024-03-26T06:07:38Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:69","message":"cache hit for userinfo"}
{"level":"error","service":"ocis","error":"internal error: create container:decomposedfs: Wrap: readlink error: readlink /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f/settings: invalid argument","time":"2024-03-26T06:07:38Z","line":"github.com/owncloud/ocis/v2/services/settings/pkg/store/metadata/store.go:69","message":"error initializing metadata client"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:38Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38","message":"Could not load roles"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:38Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:140","message":"Could not get user roles"}
{"level":"debug","service":"proxy","claims":{"aud":"web","email":"mymail@gmail.com","email_verified":false,"exp":1711433560,"family_name":"myname","iat":1711433260,"iss":"https://my.reverse.proxy.domain:9200","jti":"25qONbe6DlEjvplyMGn7yaoKi-pT7C_R","lg.i":{"dn":"myname","id":"ownCloudUUID=e73ea472-e350-453d-ba37-7e6d33a8621b","un":"myname"},"lg.p":"identifier-ldap","lg.t":"1","name":"myname","preferred_username":"myname","scp":"openid profile email","sub":"PdEVdMUHkp1uBffr@B7R52RCK6vw4cCc1CqEIZ-pkeB9cPejXMb3bkx-6Ri-vDSIzDQxFYVQQScZHwfz0hRU5ZA"},"time":"2024-03-26T06:07:41Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/oidc_auth.go:130","message":"extracted claims"}
{"level":"error","service":"ocis","error":"internal error: create container:decomposedfs: Wrap: readlink error: readlink /var/lib/ocis/storage/metadata/spaces/f1/bdd61a-da7c-49fc-8203-0558109d1b4f/nodes/f1/bd/d6/1a/-da7c-49fc-8203-0558109d1b4f/settings: invalid argument","time":"2024-03-26T06:07:41Z","line":"github.com/owncloud/ocis/v2/services/settings/pkg/store/metadata/store.go:69","message":"error initializing metadata client"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:41Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/userroles/defaultrole.go:38","message":"Could not load roles"}
{"level":"error","service":"proxy","error":"{\"id\":\"go.micro.server\",\"code\":500,\"detail\":\"panic recovered: runtime error: invalid memory address or nil pointer dereference\",\"status\":\"Internal Server Error\"}","time":"2024-03-26T06:07:41Z","line":"github.com/owncloud/ocis/v2/services/proxy/pkg/middleware/account_resolver.go:140","message":"Could not get user roles"}

micbar commented 6 months ago

Hi!

  1. Was that an upgraded ocis or a fresh install?
  2. What is the intention of OCIS_EXCLUDE_RUN_SERVICES: "thumbnails,invitations,auth-bearer,store,storage-publiclink,ocm"?
  3. You are enabling basic auth, which is not supported for production installations. Is that the reason why you are trying to disable the auth-bearer service? I doubt that this is possible.

mybuntu-git2 commented 6 months ago

Hi micbar, thanks for your reply. Update from 4.0.2 to 4.0.6 to 5.0.0. The goal of OCIS_EXCLUDE_RUN_SERVICES was to remove “things that I do not need” as I want to minimise resource consumption. The auth-bearer is indeed disabled for that reason.

kobergj commented 6 months ago

Hi @mybuntu-git2

In general you are right, ocis should work without the services you excluded. I can run it fine locally without.

Here something goes utterly wrong during login. Can you try disabling the redis cache and retry? I can see a cache hit log just before things go downward. Maybe something is stuck in there that doesn't play well with 5.0.

Additional info: ocis5 uses the included natsjs as cache, so if you want to save resources you do not need to run redis any more.

mybuntu-git2 commented 6 months ago

Hi, Thanks again for your help. Commented out the redis setup and re-enabled ocm and auth-bearer.

now I get

{"level":"fatal","service":"nats","time":"2024-03-28T13:00:12Z","line":"github.com/owncloud/ocis/v2/services/nats/pkg/logging/nats.go:33","message":"Can't start JetStream: storage directory is not a directory"}

I guess this could be an ownership issue and have 2 questions:

micbar commented 3 months ago

I guess this could be an ownership issue and have 2 questions:

  • Where is the folder tree/file in question to which I can change ownership and execution?
  • In previous versions the user variable in docker_compose was not taking effect (I was trying 0:0) and it was still needed to have the folders passed to the container owned by 1000:1000. Do you know if that now works, do you experience the same problem?

Ocis uses user:group 1000:1000 in the container to run "root-less"

Your docker-compose shows that the ocis data directory uses a bind mount data_symlink. This needs to be writable by the ocis process.
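
A host-side pre-flight check for the point made in the last comment, as an added example that is not part of the thread or of the ocis project: it follows a symlinked bind-mount source such as `./data_symlink` and reports whether the target is a directory owned by 1000:1000 with owner rwx. It assumes GNU coreutils (`stat -c`, `readlink -f`); the function name `check_ocis_mount` and its return codes are made up for this illustration.

```shell
#!/bin/sh
# Added example: pre-flight check of a host path that is bind-mounted into ocis.
# Assumes GNU coreutils (stat -c, readlink -f). check_ocis_mount is a made-up name.
#
# check_ocis_mount PATH [UID] [GID]   (defaults: 1000 1000, the user from the thread)
# Returns 0 if usable, 1 = missing or dangling symlink, 2 = not a directory,
#         3 = wrong owner, 4 = owner lacks rwx.
check_ocis_mount() {
    path=$1
    want="${2:-1000}:${3:-1000}"

    # Follow a symlink such as ./data_symlink and judge what it points at.
    if [ -L "$path" ]; then
        target=$(readlink -f "$path" 2>/dev/null) || target=""
        if [ -z "$target" ] || [ ! -e "$target" ]; then
            echo "FAIL $path: symlink target does not exist"
            return 1
        fi
        path=$target
    fi
    if [ ! -e "$path" ]; then
        echo "FAIL $path: does not exist"
        return 1
    fi
    if [ ! -d "$path" ]; then
        echo "FAIL $path: not a directory"
        return 2
    fi
    owner=$(stat -c '%u:%g' "$path")
    if [ "$owner" != "$want" ]; then
        echo "FAIL $path: owned by $owner, expected $want"
        return 3
    fi
    # Owner permission digit of the octal mode (works for 4-digit modes too).
    mode=$(stat -c '%a' "$path")
    if [ $(( (0$mode >> 6) & 7 )) -ne 7 ]; then
        echo "FAIL $path: mode $mode, owner needs rwx"
        return 4
    fi
    echo "OK $path: directory, $owner, mode $mode"
}

# Stand-alone use: sh check.sh ./data_symlink ./config
for p in "$@"; do
    check_ocis_mount "$p" || true
done
```

Run it on the Docker host against the left-hand side of each `volumes:` entry, before starting the container.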