-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for docker secrets on first initialization broken #1148
Comments
[ Docker issue :1148](nextcloud/docker#1148)
Can confirm. Using |
@ptoulouse in reply to #1201 states NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD are absolutely necessary to make DB auto-config work.. |
I can confirm this! It works perfectly when using regular environment variables, but not when using the @isdnfan I tried that as well, but couldn't reproduce the issue. For me it's working perfectly fine when specifying the values directly in environment variables, and doesn't work at all when a single one of them has the EDIT: Which is very weird, as the docker-entrypoint.sh suggests that the ADMIN variables are indeed a must. Maybe my setup wasn't entirely clean. I'll try again another day. |
Any updates? Currently, with 21.0.2, specifying Without |
Actually, everything works as intended (if I got the things correctly): docker/21.0/apache/entrypoint.sh Line 121 in 05026b0
This happens because in this case Nextcloud is being installed via Otherwise Nextcloud is not installed, and autoconfig.php is used:
Autoconfig reads only ordinary MYSQL_PASSWORD etc environment variables, which do not exist.
Solution:Change autoconfig.php so it will use docker secrets |
I'm actually not sure it's worth it. You can use a single It seems more useful to deprecate the |
Well, that seems to be good alternative as well. Probably the documentation should be updated. btw, would the environment variables remain in the container? From security point of view, isn't it better to remove sensitive ones from the |
I do not agree that .env gives you similar features but the environment variables aren’t obfuscated inside the container. |
it's definitely bad idea to skip secrets in favor of ENV variables. It is much more secure to use secrets rather then variables and this way should become preferred or at least remain open. whole story: https://diogomonica.com/2017/03/27/why-you-shouldnt-use-env-variables-for-secret-data/
|
For docker swarm or kubernetes-users we still need the _FILE functionality, otherwise we share secrets/passwords in clear type.. See also: I think it's enough to search for all *_FILE environments and write the password in the environment variable with removed _FILE from name: So you have an easy fix and compatibility with old docker-compose (not using docker secrets & _FILE). Sry I currently have no time creating a MR :( |
Hi, don't take it wrong but I just tried to install the project by following the README and the _FILE functionality should be removed from the README if it's broken for the moment. I was surprised to see an issue this old being the culprit in basically preventing an installation. |
Does #1516 work for you? |
Issue is still relevant. |
Nope I'm using "latest" images from Dockerhub. |
It's only available from DockerHub after docker-library/official-images#11418 is merged. |
From my testing I believe this to be resolved. I may have overlooked it in the docs, but for anyone else struggling. The use of You can see here it uses Line 9 in 9059726
MYSQL_HOST: db
MYSQL_USER_FILE: /run/secrets/db_username
MYSQL_DATABASE_FILE: /run/secrets/db_name
MYSQL_PASSWORD_FILE: /run/secrets/db_password Unfortunately for me, you can't set permissions without swarm (I use simple docker compose), so I'd have to make them public files so the permissions inside the container allow |
Despite all the helpful comments on this topic I'm sill struggling to get the initialisation running. Snippet from docker-compose.yml:
Secrets should be readable by www-data inside the Nextcloud container:
Result in config.php:
Apparently Log output:
I don't understand how the connection string is constructed. All other configuration options set via environment settings or secrets are applied to the corresponding config files without issues (STMP Password..). I'm aware that there are apparently some open issue regarding docker secrets. @PhilipWhiteside Do I understand you correctly, that you got this to work (apart from your remark about secrets being readable for everyone)? Any hint on what I might be missing? |
I did not get secrets to work, as I do not use Docker Swarm just standalone Docker Compose. What I did instead was put the credentials as plain text into a philip@nas~/appdata/nextcloud $ cat docker-compose.yml
version: "3.9"
services:
nextcloud:
...truncated output...
environment:
NEXTCLOUD_DATA_DIR: /data
MYSQL_HOST: db
MYSQL_USER: ${MYSQL_USERNAME}
MYSQL_DATABASE: ${MYSQL_DATABASE}
MYSQL_PASSWORD: ${MYSQL_PASSWORD}
REDIS_HOST: ${APP_NAME}-cache
NEXTCLOUD_TRUSTED_DOMAIN: ${NEXTCLOUD_DOMAIN_NAME}
TRUSTED_PROXIES: traefik
...truncated output...
philip@nas~/appdata/nextcloud $ ll -a
total 24K
drwxrwx--- 4 philip philip 4.0K Dec 12 16:28 .
drwxrwxr-x 15 philip philip 4.0K Jan 11 09:17 ..
drwxr-xr-x 4 philip philip 4.0K Dec 11 20:16 config
-rwxrwx--- 1 philip philip 4.0K Dec 12 08:48 docker-compose.yml
-rwx------ 1 philip philip 532 Dec 11 16:58 .env
drwxrwx--- 2 philip philip 4.0K Dec 12 16:31 systemd
lrwxrwxrwx 1 philip philip 4 Dec 11 10:35 variables.env -> .env
philip@nas~/appdata/nextcloud $ cat variables.env
APP_NAME=nextcloud
NEXTCLOUD_DOMAIN_NAME=nextcloud.lan
# Docker secrets does not support permissions without swarm. So have to be world readable. Using vars instead.
MYSQL_DATABASE=nextcloud
MYSQL_USERNAME=xxx
MYSQL_PASSWORD=yyy
MYSQL_ROOT_PASSWORD=zzz
philip@nas~/appdata/nextcloud $ |
This is still broken. I've followed all the help given. This was very useful, thanks @PhilipWhiteside ! Everything is parsed correctly except for the db user. It prepends the dbtableprefix to the file path instead of prepending it to the username! Any ideas, have I missed something? EDIT:Indeed, I had missed something. You also need to pass the NEXTCLOUD_ADMIN_PASSWORD and NEXTCLOUD_ADMIN_USER by file NOT in clear. ^^ I had forgotten to add the Now I just have a EDIT 2:I could not find the info in the Docker container's documentation but you can only use Postgres 14, not the latest. This has fixed everything now, yay! |
Hello all, The problem about accessing the secrets is directly related with secrets permissions, here the scenario: The code these commits will only work while the
From what is see the compose-spec admits remaping the
At the end a demo. The entrypoint in the image handles secrets files generating a I'll be working during my spare time in order to honor the precedence of secrets files over variable definition, as indicated in the README, but from the entrypoint which is executed as root. About the dependency on
https://github.com/nextcloud/docker/blob/75e1b80ba4d448e9bc82876d0be826e9c7fa2c9a/docker-entrypoint.sh#L190-L250
demoFiles:
```sh
$ ls -ln
total 12
-rw-r--r-- 1 1000 1000 1119 Aug 18 17:30 docker-compose.yml
-rw------- 1 1000 1000 20 Aug 18 17:08 mysql_root_password
-rw------- 1 1000 1000 20 Aug 18 17:08 mysql_user_password
```
---
version: '3.3'
services:
nextcloud-db:
image: mariadb
container_name: nextcloud-db
command: --transaction-isolation=READ-COMMITTED --log-bin=ROW
# networks:
# - nextcloud-db
restart: always
environment:
MYSQL_ROOT_PASSWORD_FILE: /run/secrets/mysql_root_password
MYSQL_PASSWORD_FILE: /run/secrets/mysql_user_password
# // commented out // MYSQL_PASSWORD: 345Test
MYSQL_DATABASE: nextcloud
MYSQL_USER: nextcloud
MYSQL_INITDB_SKIP_TZINFO: 1
secrets:
- mysql_root_password
- mysql_user_password
nextcloud-app:
image: nextcloud
container_name: nextcloud-app
restart: always
depends_on:
- nextcloud-db
ports:
- 80:80
environment:
MYSQL_HOST: nextcloud-db
MYSQL_USER: nextcloud
MYSQL_DATABASE: nextcloud
MYSQL_PASSWORD_FILE: /run/secrets/mysql_user_password
# // commented out // MYSQL_PASSWORD: 345Test
secrets:
- mysql_user_password
secrets:
mysql_root_password:
file: ./mysql_root_password
mysql_user_password:
file: ./mysql_user_password
Execution $ docker compose up -d
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
[+] Running 3/3
✔ Network nc2_default Created 0.1s
✔ Container nextcloud-db Started 2.3s
✔ Container nextcloud-app Started $ docker compose exec -it nextcloud-app /bin/bash -c 'curl -q http://localhost/' > /dev/null
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 6655 100 6655 0 0 5903 0 0:00:01 0:00:01 --:--:-- 5905 $ docker compose exec -it nextcloud-app /bin/bash -c 'cat /var/www/html/data/nextcloud.log'
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
{"reqId":"UjaIPqzPiap1ZMsi7TG8","level":3,"time":"2024-08-18T17:50:30+00:00","remoteAddr":"127.0.0.1","user":"--","app":"PHP","method":"GET","url":"/","message":"fopen(/var/www/html/config/config.php): Failed to open stream: No such file or directory at /var/www/html/lib/private/Config.php#221","userAgent":"curl/7.88.1","version":"","data":{"app":"PHP"}} $ docker compose exec -it nextcloud-app /bin/bash -c 'ps faxu'
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 117 5.5 0.3 8100 3940 pts/0 Rs+ 17:52 0:00 ps faxu
root 1 0.0 4.3 406012 43416 ? Ss 17:49 0:00 apache2 -DFOREGROUND
www-data 92 0.0 1.0 406052 10348 ? S 17:50 0:00 apache2 -DFOREGROUND
www-data 93 0.1 5.1 408640 51936 ? S 17:50 0:00 apache2 -DFOREGROUND
www-data 94 0.0 1.0 406052 10348 ? S 17:50 0:00 apache2 -DFOREGROUND
www-data 95 0.0 1.0 406052 10348 ? S 17:50 0:00 apache2 -DFOREGROUND
www-data 96 0.0 1.0 406052 10348 ? S 17:50 0:00 apache2 -DFOREGROUND
www-data 103 0.0 1.0 406052 10348 ? S 17:50 0:00 apache2 -DFOREGROUND $ docker compose exec -it nextcloud-app /bin/bash -c 'ls -l /run/secrets/'
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
total 4
-rw------- 1 1000 1000 20 Aug 18 17:08 mysql_user_password $ docker compose exec -u www-data -it nextcloud-app /bin/bash -c 'cat /run/secrets/mysql_user_password'
WARN[0000] /home/debian/nextcloud/nc2/docker-compose.yml: the attribute `version` is obsolete, it will be ignored, please remove it to avoid potential confusion
cat: /run/secrets/mysql_user_password: Permission denied {
"reqId": "UjaIPqzPiap1ZMsi7TG8",
"level": 3,
"time": "2024-08-18T17:50:30+00:00",
"remoteAddr": "127.0.0.1",
"user": "--",
"app": "PHP",
"method": "GET",
"url": "/",
"message": "fopen(/var/www/html/config/config.php): Failed to open stream: No such file or directory at /var/www/html/lib/private/Config.php#221",
"userAgent": "curl/7.88.1",
"version": "",
"data": {
"app": "PHP"
}
} |
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
I created #2280 2 weeks ago, your feedback will be appreciated. |
Secrets files handled only in the entrypoint, converted during initial execuition. Solves nextcloud#1148 Signed-off-by: Matías Pecchia <[email protected]>
Unfortunately the problem described in #385 reappeared again...
The exact thing happens, that I describe in my comment on #385
I would be very glad if someone might help me or point me in the right direction!
The text was updated successfully, but these errors were encountered: