Mount volume for just data #236

Closed
ulrikstrid opened this issue Jan 30, 2018 · 21 comments

@ulrikstrid

ulrikstrid commented Jan 30, 2018

I want to mount a volume that is just for my data (images, documents etc...) so that it lives outside of docker.
I tried to do something like this:

  app:  
    image: nextcloud:fpm
    restart: always
    volumes:
      - nextcloud:/var/www/html
      - /mnt/nas/nextcloud/data:/var/www/html/data
    environment:
      - POSTGRES_HOST=db
    env_file:
      - db.env
    depends_on:
      - db

But I'm getting the following message

Your data directory is readable by other users

Please change the permissions to 0770 so that the directory cannot be listed by other users.

The most important use case for this is to put the data on my NAS instead of on the server running nextcloud. And as it's just for personal use I don't care if anyone can see my files outside of nextcloud.

@ulrikstrid
Author

So I did a "workaround" for this and mounted my /mnt/nas/nextcloud/data to a different place in the container and then added an "external storage" from local and now I can put my shared images there.

So I guess this is mostly solved for me but maybe someone else needs this? Feel free to close if not.

Final snippet that I used:

  app:  
    image: nextcloud:fpm
    restart: always
    volumes:
      - nextcloud:/var/www/html
      - /mnt/nas/nextcloud/data:/mnt/nas/nextcloud/data:rw
    environment:
      - POSTGRES_HOST=db
    env_file:
      - db.env
    depends_on:
      - db

@tilosp
Member

tilosp commented Jan 31, 2018

@ulrikstrid
There are two options to fix this problem.
You can either fix the permissions of your mount point. If you use SMB, take a look at the mount options (https://linux.die.net/man/8/smbmount).
Or you can use the new config option to disable the permission check: 'check_data_directory_permissions' => false, (https://docs.nextcloud.com/server/12/admin_manual/configuration_server/config_sample_php_parameters.html)

@ulrikstrid
Author

I'm not sure how I should do the second, would love an environment variable to set it.
But maybe the first option is what I should do anyway

@topas-rec

I'm doing the same I think:
Using nextcloud docker (apache + mariadb + reverse proxy nginx) with a separate hard drive of the host mounted inside the container. In nextcloud this drive is an external storage. Its file system is NTFS.
I did this by mounting the drive in the container as you did.
Just for information. If you want to see my docker compose file - let me know.

@mrjester888

@topas-rec I am running into the same problem, but not sure how to solve it. Would you post your compose file?

@topas-rec

version: '3'

services:
  db:
    image: mariadb
    # image: mysql
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=[...]
    env_file:
      - db.env

  app:  
    image: nextcloud:apache
    restart: always
    volumes:
      - nextcloud:/var/www/html
      - /mnt/DATA:/usr/local/DATA
    environment:
      - VIRTUAL_HOST=[...]
      - LETSENCRYPT_HOST=[...]
      - LETSENCRYPT_EMAIL=[...]
      - MYSQL_HOST=db
    env_file:
      - db.env
    depends_on:
      - db
    networks:
      - proxy-tier
      - default

  proxy:
    build: ./proxy
    restart: always
    ports:
      - 80:80
      - 443:443
    labels:
      com.github.jrcs.letsencrypt_nginx_proxy_companion.nginx_proxy: "true"
    volumes:
      - certs:/etc/nginx/certs:ro
      - conf.d:/etc/nginx/conf.d
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/tmp/docker.sock:ro
    networks:
      - proxy-tier

  letsencrypt-companion:
    image: jrcs/letsencrypt-nginx-proxy-companion
    restart: always
    volumes:
      - certs:/etc/nginx/certs
      - conf.d:/etc/nginx/conf.d
      - vhost.d:/etc/nginx/vhost.d
      - html:/usr/share/nginx/html
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks:
      - proxy-tier
    depends_on:
      - proxy

volumes:
  db:
  nextcloud:
  certs:
  conf.d:
  vhost.d:
  html:

networks:
  proxy-tier:

My local drive path is /mnt/DATA

@Xarkam

Xarkam commented May 1, 2018

Hello,
Have same problem.
This is my docker-compose file:

version: '2'

services:
  db:
    image: postgres
    restart: always
    volumes:
      - db:/var/lib/postgresql/data
    env_file:
      - db.env

  app:
    image: nextcloud:apache
    restart: always
    ports:
      - 8181:80
    volumes:
      - nextcloud:/var/www/html
      - ./data:/usr/local/DATA:rw
    environment:
      - POSTGRES_HOST=db
    env_file:
      - db.env
    depends_on:
      - db

volumes:
  db:
  nextcloud:
  data:

In nextcloud, the folder says this: You do not have permission to send or create files here
How to make a good link between docker-configuration and nextcloud?

Thanks.

@bertbesser

Hi folks,

I also mount some host folder into NC's container in order to use it as NC external storage and access files from outside of the container.

However, since NC is running as user www-data inside the container, outside of the container file permissions do not allow me to write/delete/... files with my regular host user account. How did you solve this problem? Do you even care and edit files from within NC only?

Thanks+Cheers

@tilosp
Member

tilosp commented Jul 16, 2018

@bbesser
This is not a common use case. And even without docker this would cause some problems. Nextcloud itself forces the permission of the data directory to be 0770 to allow only the web-server access to the data. (It would also require you to set up an occ files:scan cronjob)

But I agree that it would be nice to have a way to change the UID.
I would be happy to accept a pull request adding this functionality.

@bertbesser

@tilosp
I would guess that the use case is likely to be important for anybody running NC on their home server, e.g. for sharing files with friends.

I have an occ files:scan job running, indeed :-D

External storage in NC can also reside in some SFTP account (among WebDAV, local folder, ...). Using SFTP lets me log into my host user's account. Another approach would be to use an sshfs docker volume (vieux driver) and mount it into NC's container, such that external storage could be configured using a local folder.

Both approaches have upsides and downsides:
Good: takes care of ownership/permission translation.
Bad: Huge performance overhead (but might still be ok in case of low overall load on NC).

Do you see any pitfalls?

Thanks!

@topas-rec

topas-rec commented Jul 17, 2018

For everyone having problems currently:

I built the setup (mount my dual boot ntfs hard drive into NC by mounting the drive into the NC container (shown above)) the second time now.
I did it using Ubuntu and now on Linux Mint.
I have never used extra configurations like cron jobs. Just mounted it.
I never had problems (except for rare file locking errors - which seem to happen also on regular installs)

I use this NC more or less because of this setup because it's simple and data goes direct to my hard drive. I am not aware of security issues, though.

For everyone's information...

@bertbesser

bertbesser commented Jul 17, 2018

@topas-rec

> I have never used extra configurations like cron jobs. Just mounted it.

I suppose you're responding to the scan-job @tilosp and I mentioned.

> [mounting] is simple and data goes direct to my hard drive.

Your setup is fine if you're modifying files only from within NC and consequently data only has to travel from NC to your hard drive. If you also need to modify files on your hard drive ('outside modifications') and need outside modifications to be reflected in NC, then NC won't recognize those by itself: you have to tell NC about outside modifications--hence the scan cron job.

There is no need, however, to tell NC about outside modifications in case you're using external storage. Therefore I'm taking this approach.

Problem remaining to be solved: External storage in form of a local folder (mounted within NC's container) is read/written with NC's user and according permissions, which prevents outside modifications with my actual user account. This problem can be solved by explicitly logging into my user account, e.g. with sshfs. At this point there are the options to configure sshfs from within NC or to use an sshfs docker volume (quite large performance overhead due to sshfs, but ok for my personal use case).

EDIT: Option two does also suffer from ownership-mapping problems. File owner in the mounted volume is not www-data, in general.

@topas-rec

topas-rec commented Jul 17, 2018

> I suppose you're responding to the scan-job @tilosp and I mentioned.

Yes you're right.

Thanks for your detailed explanation. I wasn't aware that the outside-modifications which I definitely do are reflected in NC just because I use the external storage.

I think I should also have the issue that you described and which is still not solved because my setup is the same as yours. The only difference seems to be that I use an external folder with NTFS filesystem. (The filesystem does not take care of user and owners I guess. Ntfs-3g makes all files belonging to root, doesn't it?)

@danyill

danyill commented Jul 17, 2018

> Problem remaining to be solved: External storage in form of a local folder (mounted within NC's container) is read/written with NC's user and according permissions, which prevents outside modifications with my actual user account. This problem can be solved by explicitly logging into my user account, e.g. with sshfs. At this point there are the options to configure sshfs from within NC or to use an sshfs docker volume (quite large performance overhead due to sshfs, but ok for my personal use case).

I had exactly this problem. I wanted to access my existing data with nextcloud but had UID/GID problems between the docker container and the host system. Docker doesn't provide (currently) very good options for this so I used a workaround with bindfs.

bindfs --map=<user>/www-data:@<group>/@www-data <original source path> <docker volume path>

Where <docker volume path> refers to in my docker-compose.yml file:

     volumes:
      - nextcloud:/var/www/html
      - <docker volume path>:/var/www/html/data/admin/files/<pathname>

I have not performance tested this but as I use Nextcloud only for personal access to files it seems entirely adequate for this.

@bertbesser

@danyill
Thanks for your contrib! Today I have also set up a solution using bindfs, since my sshfs-volume approach did not work as I thought it would.

I do not use a bind mount though, but an extra docker volume with the local driver.

@mattie47

Just curious, but is there a reason why no one in here followed @tilosp's suggestion of modifying check_data_directory_permissions and setting it to false?

I'm also running nextcloud in docker, and did the following:

Attach to container

matt@server:~/docker/nextcloud$ docker exec -it nextcloud_app_1 bash
root@fb9f144c428b:/var/www/html#

edit nextcloud config file

root@fb9f144c428b:/var/www/html# nano config/config.php

and then added the required config:

....
  'datadirectory' => '/var/www/html/data',
  'dbtype' => 'sqlite3',
  'version' => '15.0.0.10',
  'overwrite.cli.url' => 'http://xxxx:9006',
  'installed' => true,
+ 'check_data_directory_permissions' => false,
  'maintenance' => false,
);
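
Review bot: the added line 'check_data_directory_permissions' => false, only switches off Nextcloud's check; the mode of the directory behind 'datadirectory' => '/var/www/html/data' is not changed by it, so the condition the original message reports (data directory readable by other users) still holds on the host. A short comment next to the setting saying so, or fixing the mount's permissions to 0770 as the other option given earlier in the thread, would make that explicit.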

I stopped getting the original log @ulrikstrid posted after doing this.

However I then ran into another issue. Because I'm accessing my nextcloud via proxy_pass with nginx, I also had to add my external domain into the trusted_domains option in the config.php file:

  'trusted_domains' =>
  array (
    0 => 'internal-server-hostname:9006',
+   1 => 'nextcloud.externalserver.com',
  ),

After doing above it's all working for me now :-).

bonus tip

For anyone setting this up for the first time, and wanting to add their filesystems they've attached to the docker container e.g. my docker-compose file

version: '2'

volumes:
  nextcloud:
  db:

services:
  db:
    image: mariadb
    restart: always
    volumes:
      - db:/var/lib/mysql
    environment:
      - MYSQL_ROOT_PASSWORD=xxxx
      - MYSQL_PASSWORD=xxxx
      - MYSQL_DATABASE=xxxx
      - MYSQL_USER=xxxx

  app:
    build: .
    ports:
      - 9006:80
    links:
      - db
    volumes:
      - nextcloud:/var/www/html
      - /media/mydrive/4TB/nextcloud:/var/www/html/data:rw  # my nextcloud config is also on my mounted drive
      - /media/mydrive/4TB/Media:/media/4TB/Media:rw  # actual mounted drive

You need to enable "External storage support" app from within nextcloud. After doing so, navigate to settings from an admin account, and click on external storage:

image

From here simply add it into nextcloud, and specify the location where it is mounted within the docker container:

image

Hope that helps someone...

Thanks,

Matt

@EfimovIB

Hello,
Have the same problem. There is some troubleshooting that works for me.
I'm using just docker:

docker run -d -p 8080:80 -v /mnt/data/:/var/www/html/data nextcloud

then change owner of /var/www/html/data/ in container

docker exec {your_container_name} chown -R www-data:www-data /var/www/html/data/

and add permission to access on host machine

sudo chmod u+rwx /mnt/data

@klerai

klerai commented Jan 31, 2019

Hi,
experimenting with different docker images, I determined the following procedure to adjust the ownership for my data volume at the docker server level:

  • first determine the nextcloud user-/group-id inside the container:
  docker exec -ti --user www-data {nextcloud-container} grep www-data /etc/passwd /etc/group
  /etc/passwd:www-data:x:82:82:Linux User,,,:/home/www-data:/bin/false
  /etc/group:www-data:x:82:www-data
  • then adjust the file tree from the external data path with the UID/GID:

    sudo chown -R 82:82 /my/data/path/* - or - {docker-path}/volumes/{UserData}/_data/*

(the second one applies to data inside a docker managed volume)
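
A host-side check for the two conditions this thread keeps running into, the data directory's mode and its numeric owner, as an added example that is not from any comment above or from the Nextcloud image. The function name `audit_datadir` and its arguments are made up for illustration; GNU `stat` and `find` are assumed, and the expected UID/GID are whatever the `grep www-data /etc/passwd` step above reports for your image (82:82 in that output).

```shell
#!/bin/sh
# Added example (not from the thread): audit a host directory that is
# bind-mounted into the container as the Nextcloud data directory.
# Usage: audit_datadir DIR EXPECTED_UID EXPECTED_GID
# Prints one finding per line; returns 0 = clean, 1 = findings, 2 = error.
audit_datadir() {
    local dir="$1" want_uid="$2" want_gid="$3" rc=0 mode uid gid foreign
    [ -d "$dir" ] || { echo "error: $dir is not a directory"; return 2; }

    # GNU stat: octal mode, numeric owner and group of the directory itself.
    set -- $(stat -c '%a %u %g' -- "$dir" 2>/dev/null)
    [ $# -eq 3 ] || { echo "error: cannot stat $dir"; return 2; }
    mode=$1 uid=$2 gid=$3

    # The last octal digit is the permission set for "other". Anything but 0
    # matches the "readable by other users" complaint quoted in this issue.
    case $mode in
        *0) ;;
        *)  echo "mode: $dir is $mode, expected 770 (no access for others)"
            rc=1 ;;
    esac

    # Compare numeric IDs: the name www-data maps to different numbers
    # depending on the image, and the host may not know the name at all.
    [ "$uid" = "$want_uid" ] || { echo "owner: uid $uid, expected $want_uid"; rc=1; }
    [ "$gid" = "$want_gid" ] || { echo "group: gid $gid, expected $want_gid"; rc=1; }

    # Entries below the top level that the container user does not own tend
    # to show up in Nextcloud as permission errors on upload or delete.
    foreign=$(find "$dir" -mindepth 1 ! -user "$want_uid" 2>/dev/null | wc -l)
    [ "$foreign" -eq 0 ] || { echo "tree: $foreign entries not owned by uid $want_uid"; rc=1; }

    return $rc
}

# Demo on a constructed temporary directory with a deliberately loose mode.
demo=$(mktemp -d) && chmod 755 "$demo"
audit_datadir "$demo" "$(id -u)" "$(stat -c %g "$demo")" || true
rm -rf "$demo"
```
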

@beningodfrey4

@mattie47, the external storage solution seems to be the cleanest. Are there any downsides to this compared to mounting at /var/www/html/data?

@J0WI
Contributor

J0WI commented Nov 4, 2019

The main question seems to be answered, so I'll close this.
Please use https://help.nextcloud.com/ for further discussions, we use this issue tracker just for the Docker image itself.

@J0WI J0WI closed this as completed Nov 4, 2019
@Francewhoa

Related discussion, resolution, and screenshot at https://help.nextcloud.com/t/add-storage-mounted-volume/23606/4
