Post

Installing Nextcloud All-in-One docker image in rootless mode

Installing Nextcloud All-in-One docker image in rootless mode

Running your own instance of Nextcloud is probably one of the best solutions for reclaiming some privacy and avoiding services hosted by Google, Apple or Microsoft. I tried to cover the task of installing Nextcloud on a Synology NAS here by using the archive file provided by Nextcloud. However, they also offer some very handy “AIO - all-in-one docker image” which will pretty much take care of everything.

I will try to guide through the installation process using Ubuntu 22.04 as example server OS. Usually, Docker images will run with root privileges which I don’t consider best practice. As Nextcloud AIO will also work with Docker’s rootless mode I will cover this as well.

I got most of the information from the official installation instructions, you can check them out here:

Prerequisites

As said, I will use Ubuntu 22.04 as example server OS. It can run on hardware or as virtualized KVM guest. (You will need to configure grub at one point, so you require a dedicated kernel). HINT: make sure the server’s FQDN is not pointing to any local IP in /etc/hosts!

Install Docker

Assuming you have a fresh, secured and up-to-date installation of Ubuntu, let’s start by installing Docker first. You can either run their convenience-script or simply add their repository manually by following instructions given here. Once everything is installed we will disable dockerd right away (we will not need it once we set up rootless mode):

1
$ systemctl disable --now docker.service docker.socket

Setup Docker rootless mode

Create a user

Create an unprivileged user/group and lock the user:

1
2
3
4
$ MYUSER=ncuser
$ groupadd ${MYUSER}
$ useradd -m -d /home/${MYUSER} -s /bin/bash ${MYUSER}
$ passwd -l ${MYUSER}

Now switch to that user and add some variables to its ~/.bashrc:

1
2
3
export XDG_RUNTIME_DIR=/run/user/$(id -u)
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
export PATH=/usr/bin:$PATH

Switch back to root.

Install Docker in rootless mode

We need some packages installed for rootless mode to work:

1
$ apt install uidmap dbus-user-session

Switch back to the previously created user and run Docker’s script:

1
$ /usr/bin/dockerd-rootless-setuptool.sh install

In the end you should have Docker daemon running and be able to control it via systemctl --user:

1
systemctl --user [start|status|stop] docker

Switch back to user root and make user services autostart on boot:

1
$ loginctl enable-linger ncuser

You should now have Docker installed in rootless mode!

Disable cgroups (Ubuntu 22.04)

There is an issue with cgroups and Ubuntu 22.04 which will prevent Nextcloud containers from starting in rootless mode. To disable cgroups execute as root:

1
2
3
$ echo "GRUB_CMDLINE_LINUX=systemd.unified_cgroup_hierarchy=false" >> /etc/default/grub.d/cgroup.cfg
$ update-grub
$ reboot

Allow to open privileged ports for non-root

As Nextcloud containers require to open privileged ports as non-root user, run as root:

1
$ setcap cap_net_bind_service=ep $(which rootlesskit)

Switch to ncuser and restart dockerd:

1
$ systemctl --user restart docker

HINT: make sure to repeat the above upon each Docker update!

Open firewall ports

Open TCP ports 80, 443, 8443 and UDP/TCP port 3478. In case of ufw:

1
2
3
4
5
$ ufw allow 80/tcp
$ ufw allow 443/tcp
$ ufw allow 8443/tcp
$ ufw allow 3478/tcp
$ ufw allow 3478/udp

Create a directory for Nextcloud data

We will need a directory outside the Docker container, which will host our user data. The directory needs to be owned by ncuser and others should NOT have access, i.e. (as root):

1
2
3
$ mkdir -p /nc/ncdata
$ chown ncuser:ncuser /nc/ncdata
$ chmod 750 /nc/ncdata

Install Nextcloud AIO

Now we’re actually ready to install Nextcloud AIO. As ncuser run (default settings, replace /nc/ncdata with whatever directory you’ve created before):

1
2
3
4
5
6
$ docker run --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always \
--publish 80:80 --publish 8080:8080 --publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro \
--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock \
--env NEXTCLOUD_DATADIR="/nc/ncdata" nextcloud/all-in-one:latest

Keep it running.

Point your DNS to the IP of your server and open https://<YOUR_URL>:8443 in a browser. It might take a moment but you should be greeted by the password for your AIO container and the site having a valid certificate (I had to refresh the page manually once). Write down the password and login. Follow the instructions given on the following page. You can now choose, which containers to download. It’s ok to keep the defaults here. Once all containers are up, you can follow the link to login to your new Nextcloud instance as user admin. I’d recommend logging in once as admin, create a new admin user from there, then login with your new admin user and delete the old one.

That’s it, you’ve got Nextcloud running!

Postinstallation tweaks

Remove “missing default phone region” warning

On the security check page you will probably find a warning: “missing default phone region”. To fix that, execute as ncuser:

1
$ docker exec --user www-data nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="<YOUR_COUNTRY_CODE>"

See here.

Logrotate

I’d also recommend configuring logrotate by following this. However, as we’re running in rootless mode, you’ll have to modify the configuration file a little:

1
2
3
4
5
6
7
8
$ cat /etc/logrotate.d/docker-container
/home/ncuser/.local/share/docker/containers/*/*.log {
  rotate 7
  daily
  compress
  missingok
  copytruncate
}

fail2ban

Checkout this to configure fail2ban for your AIO installation.

BorgBackup

AIO comes with BorgBackup, s. also here. I’d recommend scheduling a daily backup using AIO settings.

Running ‘occ’ commands

In case you need to run occ commands, remember to run them as ncuser and omit sudo of course! (See here on how to run occ commands).

…and done

That should cover a basic installation. You should check all settings and tweak them to your needs, as well in Nextcloud as in Nextcloud AIO. The latter will reveal some more settings once the Nextcloud containers are stopped. Nextcloud AIO container will update itself and the other containers. Optionally, you can remove port 8443/tcp from your firewall again and just add it each time you want to connect to the AIO container.

This post is licensed under CC BY-SA 4.0 by the author.