Cannot login, Refused to execute inline script because it violates the following Content Security Policy directive
Behaviour
Nextcloud appears to be installed and configured fine, no obvious errors in the docker logs, but I can't login.
Steps to reproduce this issue
- Installed everything from scratch, using https://github.com/crazy-max/docker-nextcloud/blob/master/examples/compose/docker-compose.yml
- Successfully ran the pre-configuration (i.e. register admin user, waited for "Installing..." completion)
- Tried to login
Expected behaviour
Being able to actually log in
Actual behaviour
After clicking login, I just get back to the login screen again. Error in the console:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-VzdtY3lOL0Zia1BrNnBvYjJ3Y2xOZWFlOERsYm1OMEhyVnRSNVl6K0Yrbz06Yk5QbWpvMldXbWlOck5STjRtaFNUYlBYczJ3MXFhNVI1eUZvb2NyTldvOD0='". Either the 'unsafe-inline' keyword, a hash ('sha256-rwMOiOeVICH7/Cjy5SkreID3OOi5HTrit357k22hUDQ='), or a nonce ('nonce-...') is required to enable inline execution.
Removing RP_HEADER from .env and restarting the containers didn't make a difference. Happens in Firefox, Brave and Chrome, all at the most current version.
Configuration
- Docker version (type docker --version) : 20.10.5+dfsg1, build 55c4c88
- Docker compose version if applicable (type docker-compose --version) : 1.25.0
- Platform (Debian 9, Ubuntu 18.04, ...) : Raspberry Debian 11 Bullseye
- System info (type uname -a) : Linux pi4 5.15.32-v8+ #1538 SMP PREEMPT Thu Mar 31 19:40:39 BST 2022 aarch64 GNU/Linux
- Include all necessary configuration files : docker-compose.yml, .env, ... -> basically the same as in examples, just changed the volumes
Docker info
Client:
Context: default
Debug Mode: false
Server:
Containers: 17
Running: 17
Paused: 0
Stopped: 0
Images: 68
Server Version: 20.10.5+dfsg1
Storage Driver: overlay2
Backing Filesystem: extfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: json-file
Cgroup Driver: systemd
Cgroup Version: 2
Plugins:
Volume: local
Network: bridge host ipvlan macvlan null overlay
Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
Swarm: inactive
Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
Default Runtime: runc
Init Binary: docker-init
containerd version: 1.4.13~ds1-1~deb11u1
runc version: 1.0.0~rc93+ds1-5+b2
init version:
Security Options:
seccomp
Profile: default
cgroupns
Kernel Version: 5.15.32-v8+
Operating System: Debian GNU/Linux 11 (bullseye)
OSType: linux
Architecture: aarch64
CPUs: 4
Total Memory: 3.706GiB
Name: pi4
ID: TPZD:GIGK:IEF6:ESYA:RNI3:VFDE:HIDT:F7NB:72EA:EE7P:TFCP:Q2I5
Docker Root Dir: /var/lib/docker
Debug Mode: false
Registry: https://index.docker.io/v1/
Labels:
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
WARNING: No memory limit support
WARNING: No swap limit support
WARNING: Support for cgroup v2 is experimental
Logs
> Container logs (set LOG_LEVEL to debug if applicable)
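The console error in the report above comes down to a check the browser makes for every inline script: its nonce attribute against the nonce in script-src, or its SHA-256 digest against a listed hash. The following is an added example, not part of the original issue or of the docker-nextcloud project, that reproduces that check offline in Node.js; the function names, sample header and sample markup are constructed, and only script-src with nonces and sha256 hashes is modelled.

```javascript
const crypto = require('crypto');

// Constructed sample: the header nonce is "abc123"; the page has three inline scripts.
const SAMPLE_CSP = "default-src 'none'; script-src 'nonce-abc123'";
const SAMPLE_HTML = [
  '<script nonce="abc123">initLogin();</script>',    // nonce matches the header
  '<script nonce="stale999">initLogin();</script>',  // nonce from a different response
  '<script>injected();</script>',                    // no nonce at all
  '<script nonce="abc123" src="/core.js"></script>', // external script, not inline
].join('\n');

// Pull the source expressions of script-src out of a CSP header value.
function scriptSrcSources(csp) {
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // no script-src directive (default-src fallback is not modelled)
}

// One verdict per inline script; scripts with a src attribute are skipped.
function checkInlineScripts(csp, html) {
  const sources = scriptSrcSources(csp);
  if (sources === null) return [];
  const nonces = sources.filter(s => /^'nonce-/.test(s)).map(s => s.slice(7, -1));
  const hashes = sources.filter(s => /^'sha256-/.test(s)).map(s => s.slice(1, -1));
  // When a nonce or hash is present, browsers ignore 'unsafe-inline'.
  const unsafeInline = sources.includes("'unsafe-inline'") && !nonces.length && !hashes.length;
  const verdicts = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (/\bsrc\s*=/i.test(attrs)) continue;
    const m = attrs.match(/\bnonce\s*=\s*["']([^"']*)["']/i);
    const nonce = m ? m[1] : null;
    // The digest is over the exact script text, as in the hash the console suggests.
    const hash = 'sha256-' + crypto.createHash('sha256').update(body, 'utf8').digest('base64');
    const allowed = unsafeInline || (nonce !== null && nonces.includes(nonce)) || hashes.includes(hash);
    verdicts.push({ nonce, hash, allowed });
  }
  return verdicts;
}

console.log(checkInlineScripts(SAMPLE_CSP, SAMPLE_HTML));
```

To use it on a real response, pass the Content-Security-Policy header and the body from the same HTTP response; a nonce taken from one response and a body from another will always report a mismatch.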
@arminus What's the output of docker-compose exec nextcloud occ config:list system?
Your command returns this:
❯ docker-compose exec nextcloud occ config:list system
Console has to be executed with the user that owns the file config/config.php
Current user id: 1000
Owner id of config.php: 1024
Try adding 'sudo -u #1024' to the beginning of the command (without the single quotes)
If running with 'docker exec' try adding the option '-u 1024' to the docker command (without the single quotes)
Since I think the user in the container is actually nextcloud, I tried this:
❯ docker exec -it --user nextcloud nextcloud bash
bash-5.1$ ps -ef
PID USER TIME COMMAND
1 root 0:00 s6-svscan -t0 /var/run/s6/services
36 root 0:00 s6-supervise s6-fdholderd
534 root 0:00 s6-supervise php-fpm
535 root 0:00 s6-supervise nginx
536 root 0:00 s6-supervise socklog/log
537 root 0:00 s6-supervise socklog
538 nextclou 0:00 php-fpm: master process (/etc/php8/php-fpm.conf)
540 nobody 0:00 s6-log -bp - +^cron\. T /var/log/socklog/cron - +^daemon\. T /var/log/socklog/daemon - +^\.debug: T /var/log/socklog/debu
541 nextclou 0:00 nginx: master process nginx -g daemon off;
543 nobody 0:00 socklog unix /dev/log
565 nextclou 0:00 nginx: worker process
566 nextclou 0:00 nginx: worker process
567 nextclou 0:00 nginx: worker process
568 nextclou 0:00 nginx: worker process
719 nextclou 0:00 php-fpm: pool www
720 nextclou 0:00 php-fpm: pool www
1152 nextclou 0:00 bash
1168 nextclou 0:00 ps -ef
bash-5.1$ occ config:list system
error: failed switching to "nextcloud:nextcloud": operation not permitted
Same error with --user 1024:
❯ docker exec -it --user 1024 nextcloud bash
bash-5.1$ occ config:list system
error: failed switching to "nextcloud:nextcloud": operation not permitted
bash-5.1$ ls -al config/config.php
lrwxrwxrwx 1 nextclou nextclou 23 Apr 10 19:43 config/config.php -> /data/config/config.php
bash-5.1$ ls -al /data/config/config.php
-rw-r--r-- 1 1024 users 1101 Apr 10 19:43 /data/config/config.php
I don't have a user defined in the docker-compose.yml.
What might play a role here: the data volume is like this:
volumes:
- "/mnt/sshfs/nextcloud:/data"
This is mounted like this on the docker host:
sshfs -o allow_other -o idmap=user [email protected]:/2TB /mnt/sshfs
There are no file permission errors anywhere in the docker logs, so I assumed everything is ok.