
Extra volume mounts have root permissions, nextcloud can't access them.

Open couto opened this issue 4 years ago • 6 comments

Extra volumes declared in the values.yml file are successfully mounted in the nextcloud container, however, they are mounted with root:root permissions, therefore the Nextcloud instance can't access those folders, resulting in a popup notification saying "This operation is forbidden".

This simple configuration:

  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
  extraVolumes:
    - name: nfs-shared-files
      nfs:
        server: "<REDACTED>"
        path: "/volume1/Shared Files/"
        readOnly: false
  extraVolumeMounts:
    - name: nfs-shared-files
      mountPath: "/mnt/shared_files"

Results in the following: [Screenshot 2021-03-23 at 19 42 56] [Screenshot 2021-03-23 at 19 43 08]

Is there any property that I'm missing?

couto, Mar 23 '21 19:03

Make sure your directory is RW and its parent directories are accessible to user www-data (or other web server username).

localhost:~/# ls -al /mnt/shared_file

drwxr-xr-x  3 www-data www-data 4096 Apr  5 13:07 .
drwxr-xr-x 15  root root 4096 Apr  5 13:07 ..
-rw-r--r--  1 www-data www-data 4096 Apr 5 13:07 fileToShare
drwxr-xr-x  www-data www-data  4096 Apr 5 13:07 folderToShare

ghost, Apr 05 '21 14:04

@HouraisanNEET This might be a completely noob question from me but how? Inside the container there's no sudo, and su doesn't seem to work.

chown: changing ownership of '/mnt/shared_files': Operation not permitted
chown: changing ownership of '/mnt/shared_files/TV Shows/REDACTED': Operation not permitted

couto, Apr 06 '21 06:04

Hi, the NFS use case you want to integrate is special. See the Kubernetes spec https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.20/#nfsvolumesource-v1-core: NFS volumes do not support ownership management or SELinux relabeling. So the helm chart config stuff for setting a fsGroup to the container's www-data uid 33 doesn't work here.

You have to make sure by yourself that the files are accessible to www-data (uid=33). Maybe you can search issues here in the project. People used init-containers to set correct permissions.

chrisingenhaag, Apr 06 '21 07:04
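
Added example, not part of the thread or of the nextcloud/helm chart: a shell check of the condition the two comments above describe, that the mount grants rwx to www-data (33:33) and every parent directory is searchable. The function names `perm_for` and `check_mount` are hypothetical, and the check reads classic mode bits only.

```sh
#!/bin/sh
# Added example (not from the nextcloud/helm repo). Classic mode bits only:
# no ACLs, no supplementary groups, no NFS ID mapping or root squashing.
# Requires GNU or busybox stat (-c).

# perm_for UID GID PATH: print the rwx digit (0-7) that applies to UID:GID.
perm_for() {
    local uid="$1" gid="$2" info o g rest mode
    info=$(stat -c '%u %g %a' -- "$3") || return 2
    o=${info%% *}; rest=${info#* }; g=${rest%% *}; mode=${rest#* }
    mode=$((mode % 1000))            # drop the setuid/setgid/sticky digit
    # The first matching class wins, even if a later class grants more.
    if   [ "$uid" -eq "$o" ]; then echo $((mode / 100))
    elif [ "$gid" -eq "$g" ]; then echo $((mode / 10 % 10))
    else                           echo $((mode % 10))
    fi
}

# check_mount UID GID DIR: succeed only if DIR grants rwx and every parent
# up to / is searchable (x). Prints the first blocking path otherwise.
check_mount() {
    local uid="$1" gid="$2" dir="${3%/}" p
    case $dir in /*) ;; *) echo "absolute path required"; return 2 ;; esac
    p=$(perm_for "$uid" "$gid" "$dir") || { echo "cannot stat $dir"; return 1; }
    [ "$p" -eq 7 ] || { echo "$dir grants $p to $uid:$gid, need 7 (rwx)"; return 1; }
    while [ "$dir" != "/" ]; do
        dir=$(dirname "$dir")
        p=$(perm_for "$uid" "$gid" "$dir") || { echo "cannot stat $dir"; return 1; }
        [ $((p & 1)) -ne 0 ] || { echo "$dir is not searchable by $uid:$gid"; return 1; }
    done
}

# Usage inside the pod, with the ids and path from the thread:
#   check_mount 33 33 /mnt/shared_files
```

The numeric ids shown by `stat` on an NFS mount are the ones the export presents to the client, so a failing result points at ownership or mode on the NFS server side rather than at the chart.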

> You have to make sure by yourself that the files are accessible to www-data (uid=33). Maybe you can search issues here in the project. People used init-containers to set correct permissions.

Maybe it's because it's still too early in here, or I'm missing my coffee, but I can't find any examples of people using init containers with helm.

Also, if this is a common problem, maybe it's worth it to integrate the solution here in this repo?

couto, Apr 06 '21 07:04

I don't find a possibility here to use an initContainer either. Would be nice if there was a possibility for an initContainer besides the ones for the databases.

PuzzleFoco, Apr 14 '21 19:04

Hoi! I'm coming into this pretty late, but support for initContainers was added here: https://github.com/nextcloud/helm/commit/6e09f8f01547558ba8bab1bb021aa8a69508c49b

Is the original issue still happening though?

jessebot, Jan 25 '23 17:01