Nextcloud with podman rootless containers and user systemd services. Part III - NFS gotchas

Jan 28, 2021 08:30 · 563 words · 3 minute read

Nextcloud in container user IDs 🔗

The nextcloud process running in the container runs as the www-data user which in fact is the user id 82:

$ podman exec -it nextcloud-app /bin/sh
/var/www/html # ps auxww | grep php-fpm
    1 root      0:10 php-fpm: master process (/usr/local/etc/php-fpm.conf)
   74 www-data  0:16 php-fpm: pool www
   75 www-data  0:15 php-fpm: pool www
   76 www-data  0:07 php-fpm: pool www
   84 root      0:00 grep php-fpm
/var/www/html # grep www-data /etc/passwd
www-data:x:82:82:Linux User,,,:/home/www-data:/sbin/nologin

NFS and user IDs 🔗

NFS exports can be configured to have a forced uid/gid using the anonuid, anongid and all_squash parameters. For Nextcloud then:


To configure those settings in ZFS I configured my export as:

zfs set sharenfs="rw=@,all_squash,anonuid=82,anongid=82" tank/nextcloud

Then, I chowned all the files to match that user in the NFS server as well:

shopt -s dotglob
chown -R 82:82 /tank/nextcloud/html/
shopt +s dotglob

I did used shopt -s dotglob for chown to also change the user/group for the hidden folders (the ones where the name starts with a dot, such as ~/.ssh)

Then in the NFS client, the following line was added to the /etc/fstab so the share is available at boot: /home/edu/containers/nextcloud/data/html nfs rw,relatime,user 0 0

Tweaks 🔗

With everything in place it should work… but it didn’t.

There are a few places where Nextcloud tries to change some files' modes or check file permissions and it fails otherwise.

Fortunately, those can be bypased. But let’s take a look at the details first.

console.php 🔗

The console.php file has a check to ensure the ownership :

if ($user !== $configUser) { 
  echo "Console has to be executed with the user that owns the file config/config.php" . PHP_EOL; 
  echo "Current user id: " . $user . PHP_EOL; 
  echo "Owner id of config.php: " . $configUser . PHP_EOL; 
  echo "Try adding 'sudo -u #" . $configUser . "' to the beginning of the command (without the single quotes)" .  PHP_EOL; 
  echo "If running with 'docker exec' try adding the option '-u " . $configUser . "' to the docker comman (without  the single quotes)" . PHP_EOL; 

I opened a github issue but meanwhile, the fix I did was basically delete that check

cron.php 🔗

Same problem :

$configUser = fileowner(OC::$configDir . 'config.php');
if ($user !== $configUser) {
  echo "Console has to be executed with the user that owns the file config/config.php" . PHP_EOL;
  echo "Current user id: " . $user . PHP_EOL;
  echo "Owner id of config.php: " . $configUser . PHP_EOL;

Same fix and another github issue opened. 🔗

The container entrypoint script runs an rsync process when Nextcloud is updated. As part of that rsync process, it uses --chown , which is then forbidden by the NFS server:

rsync: chown "/var/www/html/whatever" failed: Operation not permitted (1)

The github issue and the fix is basically ignore the chown. 🔗

Meanwhile those issues are fixed (not sure if they will), I keep a container image that includes those fixes and that I try to keep it updated for my own sake in

The image is already available at so feel free to use it if you are having the same issues.

Next post 🔗

In the next post I will explain how to expose your Nextcloud instance using bunkerized-nginx and how to create proper systemd unit files to be able to treat the pods and containers as services.

You can read it here