{{tag>linux docker nextcloud mysql mariadb}}
======Nextcloud Container======
Nextcloud publishes their own Docker container of [[https://hub.docker.com/_/nextcloud|Nextcloud]]. The Nextcloud image on Docker hub is maintained by the Nextcloud community, and is not officially supported by Nextcloud! Linuxserver.io, as well as some others also have Nextcloud containers on Docker Hub.
Nextcloud needs a number of services to run; the main Nextcloud server, a database and Redis. In addition, there needs to be a proxy server or similar to forward on common domain requests to sub-domains as well as handling certificates, however this is required for all the various services and can be considered separately.
Refer to Nextcloud's [[https://docs.nextcloud.com/server/latest/admin_manual/maintenance/index.html|Maintenace]] section on instructions to backup, restore and migrate Nextcloud. Also as I am using the official Nextcloud container it has additional instructions to [[https://github.com/docker-library/docs/blob/master/nextcloud/README.md#migrating-an-existing-installation:migrate]] Nextcloud to Docker.
* uid: www-data / 33, gid: www-data / 33. This seems to be Debian standard. Alpine linux seems to use 82 for www-data. Just stick with uid/gid as per the image supplied, 82 for Alpine and ignore the names.
* ''%%docker exec -u www-data nextcloud-app-1 php /var/www/html/cron.php%%'' runs the cron.php
* ''%%docker exec -u www-data nextcloud-app-1 php occ maintenance:mode --off|on%%'' to turn maintenance mode off or on from the containers host shell
=====Nextcloud with supervisord=====
The base [[https://hub.docker.com/_/nextcloud|Nextcloud]] image does not directly support cron. So it needs to be added, for the nextcloud-fpm.alpine version see [[https://github.com/nextcloud/docker/tree/master/.examples/dockerfiles/cron/fpm-alpine|github nextcloud docker fpm-apline cron dockerfile examples]]
++tl;dr;|Today (2024-04-27) after upgrading to Nextcloud 29 I finally got rid of all my administration security and setup page warnings and errors. This included some issues with nginx configuration that magically went away with version 29 and adding imagemagick-svg to the image as just noted. As well as cleaning up [[https://wiki.kptree.net/doku.php?id=docker_notes:docker-nextcloud#file_integrity_check|file integrity error messages]]. This is the first time since moving to Nextcloud on Docker and quite some time before that.++
As docker adminstartion warns about missing php imagemagick-svg support I also added the Apline package to the updated image to rectify this warning.
++++ Dockerfile|
#FROM nextcloud:stable-fpm-alpine
FROM nextcloud:fpm-alpine
# See https://hub.docker.com/_/nextcloud/
# stable-fpm-alpine or production-fpm-alpine give the
# latest stable / production version versus fpm-alpine
# that give the latest release
RUN apk add --no-cache imagemagick-svg supervisor \
&& mkdir /var/log/supervisord /var/run/supervisord
COPY supervisord.conf /
ENV NEXTCLOUD_UPDATE=1
CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]
++++
++++supervisord.conf|
[supervisord]
nodaemon=true
logfile=/var/log/supervisord/supervisord.log
pidfile=/var/run/supervisord/supervisord.pid
childlogdir=/var/log/supervisord/
logfile_maxbytes=50MB ; maximum size of logfile before rotation
logfile_backups=10 ; number of backed up logfiles
loglevel=error
[program:php-fpm]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=php-fpm
[program:cron]
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
stderr_logfile=/dev/stderr
stderr_logfile_maxbytes=0
command=/cron.sh
++++
++++docker-compose.yml|
---
services:
app:
build: ./
image: nextcloud-fpm-cron:latest
# image: nextcloud:fpm-alpine
restart: always
depends_on:
- db
- redis
volumes:
- /mnt/docker_store/nextcloud/data/html/data:/var/www/html/data
- /mnt/docker_store/nextcloud/data/html/custom_apps:/var/www/html/custom_apps
- /mnt/docker_store/nextcloud/data/html/config:/var/www/html/config
- /mnt/docker_store/nextcloud/data/html/themes:/var/www/html/themes
- ./data/opcache-recommended.ini:/usr/local/etc/php/conf.d/opcache-recommended.ini
- ./data/php-adjust.ini:/usr/local/etc/php/conf.d/php-adjust.ini
networks:
- proxy
environment:
- MYSQL_PASSWORD=kpb1670
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
- REDIS_HOST=redis
- PHP_MEMORY_LIMIT=1024M
db:
image: mariadb:11.3
restart: always
command: --transaction-isolation=READ-COMMITTED --log-bin=binlog --binlog-format=ROW
volumes:
- /mnt/docker_store/nextcloud/data/db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=kpb8487
- MYSQL_PASSWORD=kpb1670
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MARIADB_AUTO_UPGRADE=1
networks:
- proxy
redis:
image: redis:alpine
restart: always
networks:
- proxy
web:
image: nginx
restart: always
ports:
- 8180:80
depends_on:
- app
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
volumes_from:
- app
networks:
- proxy
volumes:
nextcloud:
db:
networks:
proxy:
external: true
++++
====php/php-fpm setting====
++++php.ini configuration files|
The files are added to ''/usr/local/etc/php/conf.d/''.
To check actual php setting from cli: ''php -i''.
**opcache-recommended.ini**:
opcache.enable=1
opcache.interned_strings_buffer=32
opcache.max_accelerated_files=10000
opcache.memory_consumption=512
opcache.save_comments=1
opcache.revalidate_freq=60
opcache.jit=1255
opcache.jit_buffer_size=128M
The pm.max_children parameter need to be adjusted in php-fpm NOT php. So the file below does not add any functionality and is NOT used.
**php-adjust.ini**:
pm = ondemand
pm.max_children = 50
++++
++++php-fmp configuration files|
The files are added to ''/usr/local/etc/php-fpm.d/''.
To check actual lphp-fpm setting from cli ''php-fpm -tt''
**www.conf**:
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or NONE) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
;listen = 127.0.0.1:9000
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
;listen.owner = www-data
;listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 50
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 3
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 2
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 10
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then information is related to the
; last request the process has served. Otherwise information is related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/local/share/php/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsulated in a %{}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: basic auth user if specified in Authorization header
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precaution, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr/local)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
++++
I noticed that these changes I made improved the performance of the Nextcloud. Some of the intermittent errors stop and the page response improved significantly.
====RedirectRegex====
I get a redirect error in Nextcloud that I have not been able to track down to date. Does not seem much info in this on the net, and the little there is also indicates a problem without and easy solution. Nextcloud main support looks Apache web server based with little Nginx support and even less Traefik support.
Some resources related to this:
*Traefik:
*[[https://doc.traefik.io/traefik/middlewares/http/redirectregex/#permanent|RedirectRegex]]
*[[https://doc.traefik.io/traefik/middlewares/http/replacepathregex/|ReplacePathRegex]]
*[[https://github.com/traefik/traefik/issues/723|Multiple entry regex redirects #723 ]
====References====
*docs nextcloud
* [[https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/config_sample_php_parameters.html#default-parameters|Configuration Parameters]]
*[[https://help.nextcloud.com/t/is-there-a-safe-and-reliable-way-to-move-data-directory-out-of-web-root/3642|is-there-a-safe-and-reliable-way-to-move-data-directory-out-of-web-root]]
*[[https://help.nextcloud.com/t/howto-change-move-data-directory-after-installation/17170|help.nextcloud.com/t/howto-change-move-data-directory-after-installation]]
*[[https://github.com/nextcloud|github.com/nextcloud]]
*[[https://hub.docker.com/_/nextcloud/| Docker Hub Nextcloud]]
*[[https://github.com/docker-library/docs/blob/master/nextcloud/README.md|Github Docker Hub Nextcloud]]
*[[https://github.com/linuxserver/docker-nextcloud/issues/189|Your web server is not properly set up to resolve "/.well-known/webfinger"]]
=====mysql=====
*[[https://hub.docker.com/_/mariadb|Dockerhub mariadb]]
*[[https://wiki.kptree.net/doku.php|github mariadb]]
*mariadb
*[[https://mariadb.com/kb/en/upgrading/|Upgrading MariaDB]]
*[[https://mariadb.com/kb/en/mariadb-upgrade/|mariadb-upgrade]]
*[[https://mariadb.com/kb/en/error-log/|Error Log]]
====Installing and Using MariaDB via Docker====
[[https://mariadb.com/kb/en/installing-and-using-mariadb-via-docker/|Installing and Using MariaDB via Docker]]
====Incorrect row format found in your database====
First step is to backup database.
*[[https://help.nextcloud.com/t/upgrade-to-nextcloud-hub-10-31-0-0-incorrect-row-format-found-in-your-database/218366/8|Nextcloud Incorrect row format found in your database]]
*[[https://techoverflow.net/2025/03/12/how-to-convert-nextcloud-mariadb-mysql-tables-to-row-format-dynamic/|How to convert Nextcloud MariaDB/MySQL tables to ROW_FORMAT=Dynamic]]
====logging====
The db logs seem to redirected to be handled by Docker container and can be access using: ''docker container logs nextcloud-db-1''
*[[https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/logging_configuration.html|Nextcloud configuration Logging]]
*[[https://docs.docker.com/engine/reference/commandline/container_logs/|docker container logs]]
====backup====
The Nextcloud [[https://docs.nextcloud.com/server/stable/admin_manual/maintenance/backup.html|Backup]] instruction are reasonably comprehensive. There are 2 backup that need to be made, both the Nextcloud data and configuration and the related mysql/mariadb data(base).
Step 0 is to gain shell access to relevant container
*Confirm required user, default login is as ''root'', for next cloud easier to use ''www-data''
*Confirm shell type, bash is more comprehensive, whereas sh or ash are better supported across different container types
*Using portainer or similar just select the container and use the terminal login, ''>''
*From terminal on host running docker container use ''%%docker exec -it --user www-data nextcloud-app-1 ash%%'', where:
*''%%--user www-data%%'' would login as user ''www-data''. If omitted will default login to ''root''
*''nextcloud-app-1'' is the container name. This can be found using the ''docker ps'' command. Should also be able to use the container ID.
*''ash'' is the shell to use when accessing the container.
Step 1 is to place Nextcloud into mainteance mode ''%%sudo -u www-data php occ maintenance:mode --on%%''\
*In Portainer I usually log into shell using "sh" or ash" shells as "Bash" shell is not setup in the Alpine Nextcloud image I use.
*I also set user to ''www-data'' which is what Nextcloud has been set as user.
*I then use the command ''%%php occ maintenance:mode --on%%''
*From CLI
*''%%docker exec -it --user www-data /bin/ash%%'' will provide a shell with user set as nominated into the container
*Some pointers:
* The shell enters into the directory ''/var/html/www'', where the ''occ'' executable is located.
* The command ''whoami'' confirms current logged in user.
* The user list can be seen with ''cat /etc/passwd'' where the user various users and their ids can be seen
Step 2 is to backup the Nextcloud data and configuration.
*Nextcloud recommends ''%%rsync -Aavx nextcloud/ nextcloud-dirbkp_`date +"%Y%m%d"`/%%''
*I backup the entire docker directory weekly. The main concern is the dynamic nature of the back-up when running and alignment with database.
Step 3 is to back up the Nextcloud database:
*Nextcloud recommends the following for Mysql/MAriadb:
* ''%%mysqldump --single-transaction -h [server] -u [username] -p[password] [db_name] > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak%%''
* ''%%mysqldump --single-transaction --default-character-set=utf8mb4 -h [server] -u [username] -p[password] [db_name] > nextcloud-sqlbkp_`date +"%Y%m%d"`.bak%%''
The simplest solution for me is to shutdown the Docker-compose for the Nextcloud instance, including all containers that make the stack and then run my Restic back up with a tag to keep this snapshot.
[[https://wiki.kptree.net/doku.php?id=home_server:home_server_setup:other_services:back-up_server#tag|back-up server#tag]]
====NGINX configuration====
Nextcloud documentation (stable) on [[https://docs.nextcloud.com/server/stable/admin_manual/installation/nginx.html|NGINX configuration]]
Nextcloud documentation (stable) on general installation [[https://docs.nextcloud.com/server/stable/admin_manual/installation/index.html| installation index]].
====Reverse Proxy====
Nextcloud documentation (stable) for [[https://docs.nextcloud.com/server/stable/admin_manual/configuration_server/reverse_proxy_configuration.html|reverse proxies]], such as traefik.
====cron====
*''docker-compose exec -u www-data nextcloud php cron.php'' to run cron in Nextcloud Docker
*[[https://help.nextcloud.com/t/nextcloud-docker-container-best-way-to-run-cron-job/157734|https://help.nextcloud.com/t/nextcloud-docker-container-best-way-to-run-cron-job/157734]]
*[[https://github.com/nextcloud/docker/tree/master/.examples|nextcloud github docker examples section]]
=====CLI Use of Nextcloud=====
Sometime it is necessary to get direct CLI (command line interface) access to Nextcloud for updating, turning of maintenance mode and similar.
* Access tips:
* Use www-data when working with php occ
* Use root when working with php or php-fpm directly
* The nextcloud image is based upon Alpine Linux, so shell type is ash (not BASH).
* ''%%docker exec -it --user www-data nextcloud-app-1 ash%%'' gain terminal access to Nextcloud
* Nextcloud is running in the nextcloud-fpm Docker container, to access the cli in Portainer need to select ''/bin/sh'' shell and user ''www-data''. The working directory is ''/var/www/html''
* Manually upgrade command: ''php occ upgrade''
* To check maintenance mode status: ''php occ maintenance:mode''
* To turn off maintenance mode: ''%%php occ maintenance:mode --off%% '' If all goes well Nextcloud web interface should be functional
* To turn on maintenance mode: ''%%php occ maintenance:mode --on%%'' Nextcloud web interface should show that it is in maintenance mode
Listing of: ++++ php occ|
KPTree Nextcloud 27.1.3
Usage:
command [options] [arguments]
Options:
-h, --help Display help for the given command. When no command is given display help for the list command
-q, --quiet Do not output any message
-V, --version Display this application version
--ansi|--no-ansi Force (or disable --no-ansi) ANSI output
-n, --no-interaction Do not ask any interactive question
--no-warnings Skip global warnings, show command output only
-v|vv|vvv, --verbose Increase the verbosity of messages: 1 for normal output, 2 for more verbose output and 3 for debug
Available commands:
check check dependencies of the server environment
completion Dump the shell completion script
help Display help for a command
list List commands
status show some status information
upgrade run upgrade routines after installation of a new release. The release has to be installed before.
activity
activity:send-mails Sends the activity notification mails
app
app:disable disable an app
app:enable enable an app
app:getpath Get an absolute path to the app directory
app:install install an app
app:list List all available apps
app:remove remove an app
app:update update an app or all apps
background
background:ajax Use ajax to run background jobs
background:cron Use cron to run background jobs
background:webcron Use webcron to run background jobs
background-job
background-job:execute Execute a single background job manually
background-job:list List background jobs
bookmarks
bookmarks:clear-previews Clear all cached bookmarks previews so that they have to be regenerated
broadcast
broadcast:test test the SSE broadcaster
circles
circles:check Checking your configuration
circles:maintenance Clean stuff, keeps the app running
circles:manage:config edit config/type of a Circle
circles:manage:create create a new circle
circles:manage:destroy destroy a circle by its ID
circles:manage:details get details about a circle by its ID
circles:manage:edit edit displayName or description of a Circle
circles:manage:join emulate a user joining a Circle
circles:manage:leave simulate a user joining a Circle
circles:manage:list listing current circles
circles:manage:setting edit setting for a Circle
circles:members:add Add a member to a Circle
circles:members:details get details about a member by its ID
circles:members:level Change the level of a member from a Circle
circles:members:list listing Members from a Circle
circles:members:remove remove a member from a circle
circles:members:search Change the level of a member from a Circle
circles:memberships index and display memberships for local and federated users
circles:remote remote features
circles:shares:files listing shares files
circles:sync Sync Circles and Members
circles:test testing some features
config
config:app:delete Delete an app config value
config:app:get Get an app config value
config:app:set Set an app config value
config:import Import a list of configs
config:list List all configs
config:system:delete Delete a system config value
config:system:get Get a system config value
config:system:set Set a system config value
dav
dav:create-addressbook Create a dav addressbook
dav:create-calendar Create a dav calendar
dav:delete-calendar Delete a dav calendar
dav:list-calendars List all calendars of a user
dav:move-calendar Move a calendar from an user to another
dav:remove-invalid-shares Remove invalid dav shares
dav:retention:clean-up
dav:send-event-reminders Sends event reminders
dav:sync-birthday-calendar Synchronizes the birthday calendar
dav:sync-system-addressbook Synchronizes users to the system addressbook
db
db:add-missing-columns Add missing optional columns to the database tables
db:add-missing-indices Add missing indices to the database tables
db:add-missing-primary-keys Add missing primary keys to the database tables
db:convert-filecache-bigint Convert the ID columns of the filecache to BigInt
db:convert-mysql-charset Convert charset of MySQL/MariaDB to use utf8mb4
db:convert-type Convert the Nextcloud database to the newly configured one
deck
deck:export Export a JSON dump of user data
deck:import Import data
deck:transfer-ownership Change owner of deck boards
encryption
encryption:change-key-storage-root Change key storage root
encryption:decrypt-all Disable server-side encryption and decrypt all files
encryption:disable Disable encryption
encryption:enable Enable encryption
encryption:encrypt-all Encrypt all files for all users
encryption:list-modules List all available encryption modules
encryption:migrate-key-storage-format Migrate the format of the keystorage to a newer format
encryption:set-default-module Set the encryption default module
encryption:show-key-storage-root Show current key storage root
encryption:status Lists the current status of encryption
files
files:cleanup cleanup filecache
files:delete Delete a file or folder
files:get Get the contents of a file
files:object:delete Delete an object from the object store
files:object:get Get the contents of an object
files:object:put Write a file to the object store
files:put Write contents of a file
files:reminders List file reminders
files:repair-tree Try and repair malformed filesystem tree structures
files:scan rescan filesystem
files:scan-app-data rescan the AppData folder
files:transfer-ownership All files and folders are moved to another user - outgoing shares and incoming user file shares (optionally) are moved as well.
group
group:add Add a group
group:adduser add a user to a group
group:delete Remove a group
group:info Show information about a group
group:list list configured groups
group:removeuser remove a user from a group
groupfolders
groupfolders:create Create a new group folder
groupfolders:delete Delete group folder
groupfolders:expire Trigger expiry of versions and trashbin for files stored in group folders
groupfolders:group Edit the groups that have access to a group folder
groupfolders:list List the configured group folders
groupfolders:permissions Configure advanced permissions for a configured group folder
groupfolders:quota Edit the quota of a configured group folder
groupfolders:rename Rename group folder
groupfolders:scan Scan a group folder for outside changes
groupfolders:trashbin:cleanup Empty the groupfolder trashbin
info
info:file get information for a file
info:file:space Summarize space usage of specified folder
integrity
integrity:check-app Check integrity of an app using a signature.
integrity:check-core Check integrity of core code using a signature.
integrity:sign-app Signs an app using a private key.
integrity:sign-core Sign core using a private key.
l10n
l10n:createjs Create javascript translation files for a given app
log
log:file manipulate logging backend
log:manage manage logging configuration
log:tail Tail the nextcloud logfile
log:watch Watch the nextcloud logfile
mail
mail:account:create creates IMAP account
mail:account:delete Delete an IMAP account
mail:account:diagnose Diagnose a user's IMAP connection
mail:account:export Exports a user's IMAP account(s)
mail:account:export-threads Exports a user's account threads
mail:account:sync Synchronize an IMAP account
mail:account:train Train the classifier of new messages
mail:account:update Update a user's IMAP account
mail:clean-up clean up all orphaned data
mail:repair:tags Create default tags for account. If no account ID given, all tag entries will be repaired
mail:tags:migration-jobs Creates a background job entry in the cron table for every user to migrate important labels to IMAP
mail:thread Build threads from the exported data of an account
maintenance
maintenance:data-fingerprint update the systems data-fingerprint after a backup is restored
maintenance:mimetype:update-db Update database mimetypes and update filecache
maintenance:mimetype:update-js Update mimetypelist.js
maintenance:mode set maintenance mode
maintenance:repair repair this installation
maintenance:repair-share-owner repair invalid share-owner entries in the database
maintenance:theme:update Apply custom theme changes
maintenance:update:htaccess Updates the .htaccess file
news
news:feed:add Add a feed
news:feed:delete Remove a feed
news:feed:list List all feeds
news:feed:read Read feed
news:folder:add Add a folder
news:folder:delete Remove a folder
news:folder:list List all folders
news:folder:read Read folder
news:generate-explore Prints a JSON string which represents the given feed URL and votes, e.g.: {"title":"Feed - Title","favicon":"www.web.com\/favicon.ico","url":"www.web.com","feed":"www.web.com\/rss.xml","description":"description is here","votes":100}
news:item:list List all items
news:item:list-feed List all items in a feed
news:item:list-folder List all items in a folder
news:item:read Read item
news:opml:export Print OPML file
news:show-feed Prints a JSON string which represents the given feed as it would be in the DB.
news:updater:after-update removes old read articles which are not starred
news:updater:before-update This is used to clean up the database. It deletes folders and feeds that are marked for deletion
news:updater:job Console API for checking the update job status and to reset it.
news:updater:update-feed Console API for updating a single user's feed
news:updater:update-user Console API for updating a single user's feed
notification
notification:generate Generate a notification for the given user
notification:test-push Generate a notification for the given user
onlyoffice
onlyoffice:documentserver Manage document server
photos
photos:map-media-to-place Reverse geocode media coordinates.
photos:update-1000-cities Update the list of 1000 and more inhabitant cities
preview
preview:generate generate a preview for a file
preview:repair distributes the existing previews into subfolders
preview:reset-rendered-texts Deletes all generated avatars and previews of text and md files
richdocuments
richdocuments:activate-config Activate config changes
richdocuments:convert-bigint Convert the ID columns of the richdocuments tables to BigInt
richdocuments:update-empty-templates Update empty template files
security
security:bruteforce:attempts resets bruteforce attempts for given IP address
security:bruteforce:reset resets bruteforce attempts for given IP address
security:certificates list trusted certificates
security:certificates:import import trusted certificate in PEM format
security:certificates:remove remove trusted certificate
serverinfo
serverinfo:update-storage-statistics Triggers an update of the counts related to storages used in serverinfo
sharing
sharing:cleanup-remote-storages Cleanup shared storage entries that have no matching entry in the shares_external table
sharing:delete-orphan-shares Delete shares where the owner no longer has access to the file
sharing:expiration-notification Notify share initiators when a share will expire the next day.
tag
tag:add Add new tag
tag:delete delete a tag
tag:edit edit tag attributes
tag:list list tags
text
text:reset Reset a text document
theming
theming:config Set theming app config values
trashbin
trashbin:cleanup Remove deleted files
trashbin:expire Expires the users trashbin
trashbin:restore Restore all deleted files according to the given filters
trashbin:size Configure the target trashbin size
twofactorauth
twofactorauth:cleanup Clean up the two-factor user-provider association of an uninstalled/removed provider
twofactorauth:disable Disable two-factor authentication for a user
twofactorauth:enable Enable two-factor authentication for a user
twofactorauth:enforce Enabled/disable enforced two-factor authentication
twofactorauth:state Get the two-factor authentication (2FA) state of a user
update
update:check Check for server and app updates
user
user:add adds a user
user:add-app-password Add app password for the named user
user:delete deletes the specified user
user:disable disables the specified user
user:enable enables the specified user
user:info show user info
user:lastseen shows when the user was logged in last time
user:list list configured users
user:report shows how many users have access
user:resetpassword Resets the password of the named user
user:setting Read and modify user settings
user:sync-account-data sync user backend data to accounts table for configured users
versions
versions:cleanup Delete versions
versions:expire Expires the users file versions
workflows
workflows:list Lists configured workflows
++++
====File Integrity Check====
This error is a bit painful. In the nextcloud instance (container)"
- Basically check the files that are called up as failing integrity.
- Judiciously delete files where they are not needed.
- Then run command: ''php occ integrity:check-core''.
Nextcloud runs ''integrety:check-core'' when starting. So if manually cleaning-up Nextcloud to remove errors Nextcloud needs to have command manually run or restarted.
=====Nextcloud Client and CLI client configuration=====
The basic Nextcloud client is a program installed for GUI use. You basically just install the gui program/app and use it, see [[https://nextcloud.com/install/|Nextcloud Install]]. OPtions to install include ''sudo apt install nextcloud-desktop'' or install via AppImage the release can be found here: [[https://download.nextcloud.com/desktop/releases/Linux/]]
There is also a CLI program included called ''nextcloudcmd'' there seems to be a method to use the AppImage package to access the command, see here: [[https://github.com/nextcloud/desktop/issues/1203|Where to download just nextcloudcmd?]] In debian ''sudo apt install nextcloud-desktop-cmd'' will down load nextcloudcmd, however it will also download the bulk of the dependencies for nextcloud desktop too.
Another possible option is to use webdav to access the Nextcloud repository and rsync latest files between these. See: [[https://wiki.archlinux.org/title/Davfs2|davfs2]]. The Nextcloud directory can be mounted locally and then use rsync to copy latest common files between local and Nextcloud. This can be used to sync two local computers.
====References====
*Matthias Schoettle [[https://mattsch.com/2020/01/16/notes-on-traefik-v2-nextcloud-etc/|Notes on traefik v2, Nextcloud, etc.]]
*Nextcloud Docs:
*[[https://docs.nextcloud.com/|Nextcloud Documentation Overview]]
*The [[https://docs.nextcloud.com/server/latest/admin_manual/maintenance/index.html|Maintenance]] section covers migrating to another server as well as backup, restore and upgrading.
*[[https://github.com/docker-library/docs/blob/master/nextcloud/README.md|docker library nextcloud]]
*[[https://docs.nextcloud.com/server/25/admin_manual/configuration_server/reverse_proxy_configuration.html|Nextcloud configuration Reverse proxy]]
*[[https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html?highlight=ssl|Configuration Parameters]]
*[[https://help.nextcloud.com/t/apache-docker-behind-reverse-proxy/151754|Apache Docker behind reverse proxy]]
*[[https://help.nextcloud.com/t/exit-maintanence-mode-in-docker/34434|Exit maintenance mode in docker]]
*smarthome beginner's [[https://www.smarthomebeginner.com/traefik-docker-nextcloud/|Nextcloud Docker with Traefik Reverse Proxy for Beginners]]
*Reddit[[https://www.reddit.com/r/docker/comments/njnvth/linuxserverio_nextcloud_dockercompoe_is_all_i_need/Linuxserver.io Nextcloud docker-compoe is all i need?]]
*[[https://help.nextcloud.com/t/collabora-setup-with-docker-linuxserver-ios-letsencrypt/79563|Collabora setup with docker (linuxserver.io’s letsencrypt)]]
*[[https://linuxhandbook.com/install-nextcloud-docker/|How to Install Nextcloud with Docker on Your Linux Server]]
*[[https://www.youtube.com/watch?v=aIBTbsk7rnA|Youtube - How to Install Nextcloud on Docker using Portainer]]
*linuxserver.io [[https://forum.libreelec.tv/thread/25327-install-nextcloud-linuxserver-io/|Install Nextcloud (LinuxServer.io)]]
*Nextcloud [[https://github.com/nextcloud/docker/blob/master/.examples/docker-compose/insecure/mariadb/apache/docker-compose.yml| docker/.examples/docker-compose/insecure/mariadb/apache/docker-compose.yml]]
*Christain Lempa [[https://github.com/ChristianLempa/boilerplates/blob/main/docker-compose/nextcloud/nextcloud.yaml| boilerplates/docker-compose/nextcloud/nextcloud.yaml]]
*[[https://www.smarthomebeginner.com/traefik-docker-nextcloud/|Nextcloud Docker with Traefik Reverse Proxy for Beginners]]
*[[https://chriswiegman.com/2020/01/running-nextcloud-with-docker-and-traefik-2/|Running Nextcloud With Docker and Traefik 2]]
*[[https://help.nextcloud.com/t/nextcloud-behind-traefik/161871|Nextcloud behind Traefik]]
=====Nextcloud Office / Collabora=====
Nextcloud can run an internal server for Collabora, a LibraOffice based online type office server, or a separate Collobora server. I never got the internal server working. I got a Collobora server operating in a Docker container and then managed to get Nextcloud to operate with the server. I have placed the Collabora server behind my Traefik server and given it a local address only. The local address means that the Nextcloud server can not access the Collabora server unless it is operating on the LAN. It is not difficult for me to setup the Collabora server for external access, but I need to think and investigate the potential security issued with this as a public facing server.
++++collabora docker-compose.yml|
---
services:
code:
image: collabora/code:latest
restart: always
#cap_add: MKNOD
environment:
- password=${COLLABORA_PASSWORD}
- username=${COLLABORA_USERNAME}
- domain=${COLLABORA_DOMAIN}
- extra_params=--o:ssl.enable=false --o:ssl.termination=true
ports:
- 9980:9980
networks:
- proxy
networks:
proxy:
external: true
The mean of the configuration file is mostly standard Docker syntax with explanation of the following:
* ''- extra_params=--o:ssl.enable=false --o:ssl.termination=true''
* ssl.enable=false means that the Collabora server does not need to use ssl, as this is performed by the edge router I am using, Traefik. The Collabora server is http only.
* ssl.termination=true means that the Collabora server has external ssl termination performed by upstream router, so the external addressing must be https.
* ''cap_add: MKNOD'' is not required in Linux based Docker as it is default configuration. Hence it is commented out.
++++
++++The sensitive data is stored in a file .env|
COLLABORA_USERNAME=user_name
COLLABORA_PASSWORD=PASSWD
COLLABORA_DOMAIN=collabora.local.kptree.net
++++
===Collabora References===
*[[https://collabora-online-for-nextcloud.readthedocs.io/en/latest/install/|Collabora on line Nextcloud Docs]]
*[[https://sdk.collaboraonline.com/docs/installation/Configuration.html|Collabora Configuration]]
*[[https://docs.nextcloud.com/server/latest/admin_manual/office/configuration.html#wopi-settings|Nextcloud Office App Settings]]
=====Whiteboard App=====
The official whiteboard app for Nextcloud. It allows users to create and share whiteboards with other users and collaborate in real-time.
*[[https://github.com/nextcloud/whiteboard|Nextcloud Whiteboard]]
=====Other Possible Apps/Images=====
*[[https://crazymax.dev/diun/|Diun]] is a tool to notify if docker images have been updated. (Reportedly better than automatic updates such as watchtower.)
*heindall a dashboard application. Low priority.....
*[[https://docs.linuxserver.io/general/awesome-lsio|linuxserver.io docker images]]
<- docker_notes:docker-dokuwiki|Back ^ docker_notes:index|Start page ^ docker_notes:docker-matrix|Next ->