Installing Nextcloud All-in-One docker image in rootless mode
Running your own instance of Nextcloud is probably one of the best ways to reclaim some privacy and avoid services hosted by Google, Apple or Microsoft. I tried to cover installing Nextcloud on a Synology NAS here, using the archive file provided by Nextcloud. However, they also offer a very handy “AIO - all-in-one Docker image” which takes care of pretty much everything.
I will guide you through the installation process using Ubuntu 22.04 as the example server OS. Usually, Docker runs with root privileges, which I don’t consider best practice. Since Nextcloud AIO also works with Docker’s rootless mode, I will cover that as well.
I got most of the information from the official installation instructions; you can check them out here:
Prerequisites
As said, I will use Ubuntu 22.04 as the example server OS. It can run on hardware or as a virtualized KVM guest (you will need to configure GRUB at one point, so you require a dedicated kernel). HINT: make sure the server’s FQDN is not pointing to any local IP in /etc/hosts!
Install Docker
Assuming you have a fresh, secured and up-to-date installation of Ubuntu, let’s start by installing Docker first. You can either run their convenience script or add their repository manually by following the instructions given here. Once everything is installed we will disable dockerd right away (we will not need it once we set up rootless mode):
$ systemctl disable --now docker.service docker.socket
Setup Docker rootless mode
Create a user
Create an unprivileged user/group and lock the user:
$ MYUSER=ncuser
$ groupadd ${MYUSER}
$ useradd -m -d /home/${MYUSER} -s /bin/bash ${MYUSER}
$ passwd -l ${MYUSER}
Now switch to that user and add some variables to its ~/.bashrc:
export XDG_RUNTIME_DIR=/run/user/$(id -u)
export DOCKER_HOST=unix:///run/user/$(id -u)/docker.sock
export PATH=/usr/bin:$PATH
Switch back to root.
Install Docker in rootless mode
We need some packages installed for rootless mode to work:
$ apt install uidmap dbus-user-session
Switch back to the previously created user and run Docker’s script:
$ /usr/bin/dockerd-rootless-setuptool.sh install
In the end you should have the Docker daemon running and be able to control it via systemctl --user:
systemctl --user [start|status|stop] docker
Switch back to user root and make user services autostart on boot:
$ loginctl enable-linger ncuser
You should now have Docker installed in rootless mode!
Disable cgroups (Ubuntu 22.04)
There is an issue with cgroups on Ubuntu 22.04 which prevents the Nextcloud containers from starting in rootless mode. The workaround is to boot with the legacy cgroup (v1) hierarchy instead of the unified cgroup v2 hierarchy. As root, execute:
$ echo "GRUB_CMDLINE_LINUX=systemd.unified_cgroup_hierarchy=false" >> /etc/default/grub.d/cgroup.cfg
$ update-grub
$ reboot
Allow to open privileged ports for non-root
As the Nextcloud containers need to bind privileged ports (below 1024) as a non-root user, run as root:
$ setcap cap_net_bind_service=ep $(which rootlesskit)
Switch to ncuser and restart dockerd:
$ systemctl --user restart docker
HINT: make sure to repeat the setcap command above after each Docker update, since the upgrade replaces the rootlesskit binary and the file capability is lost with it!
Open firewall ports
Open TCP ports 80, 443, 8443 and UDP/TCP port 3478. In case of ufw:
$ ufw allow 80/tcp
$ ufw allow 443/tcp
$ ufw allow 8443/tcp
$ ufw allow 3478/tcp
$ ufw allow 3478/udp
Create a directory for Nextcloud data
We need a directory outside the Docker containers which will host our user data. The directory needs to be owned by ncuser, and others must NOT have access. As root:
$ mkdir -p /nc/ncdata
$ chown ncuser:ncuser /nc/ncdata
$ chmod 750 /nc/ncdata
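Before starting the AIO container, it is worth verifying the rootless prerequisites from the previous sections in one go. The following script is an added example (not part of the original post or of Nextcloud AIO): it checks that rootlesskit still carries cap_net_bind_service, that the data directory is owned by ncuser with no access for others, and that DOCKER_HOST points at the per-user rootless socket. It assumes the user name ncuser and the directory /nc/ncdata used above, and a hypothetical file name check-rootless.sh.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight check for the rootless
# setup above. Re-run it after every Docker update, since replacing the
# rootlesskit binary drops the file capability granted with setcap.
# Assumes the user "ncuser" and data directory "/nc/ncdata" from the post.

# has_bind_cap LINE: 0 if a getcap output line grants cap_net_bind_service as
# effective+permitted; accepts both the old "= cap+ep" and new "cap=ep" forms.
has_bind_cap() {
    case "$1" in
        *cap_net_bind_service=ep*|*cap_net_bind_service+ep*) return 0 ;;
        *) return 1 ;;
    esac
}

# data_dir_ok OWNER GROUP MODE: 0 if owned by ncuser:ncuser and the octal
# mode's "others" digit is 0 (750, 700, 2750, ...).
data_dir_ok() {
    [ "$1" = ncuser ] && [ "$2" = ncuser ] || return 1
    case "$3" in
        ""|*[!0-7]*) return 1 ;;   # empty or not an octal mode
        *0) return 0 ;;            # others: no access
        *) return 1 ;;
    esac
}

# docker_host_rootless HOST UID: 0 if HOST is this user's rootless socket
# rather than the root daemon's /var/run/docker.sock.
docker_host_rootless() {
    [ "$1" = "unix:///run/user/$2/docker.sock" ]
}

# run_checks: live checks against this host; one line per check, returns 1 if any failed.
run_checks() {
    rc=0
    has_bind_cap "$(getcap "$(command -v rootlesskit)" 2>/dev/null)" \
        && echo "ok:   rootlesskit has cap_net_bind_service" \
        || { echo "FAIL: rootlesskit lacks cap_net_bind_service, re-run setcap as root"; rc=1; }
    set -- $(stat -c '%U %G %a' /nc/ncdata 2>/dev/null)
    data_dir_ok "${1:-}" "${2:-}" "${3:-}" \
        && echo "ok:   /nc/ncdata is ${1:-}:${2:-} mode ${3:-}" \
        || { echo "FAIL: /nc/ncdata must be ncuser:ncuser, others denied (chmod 750)"; rc=1; }
    docker_host_rootless "${DOCKER_HOST:-}" "$(id -u)" \
        && echo "ok:   DOCKER_HOST=$DOCKER_HOST" \
        || { echo "FAIL: DOCKER_HOST is not this user's rootless socket, check ~/.bashrc"; rc=1; }
    return $rc
}

# Run the live checks only when invoked as: sh check-rootless.sh --run
if [ "${1:-}" = "--run" ]; then run_checks; fi
```

Run it as ncuser (so that DOCKER_HOST and the user id are the rootless ones); a non-zero exit status means at least one prerequisite needs fixing before starting the container.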
Install Nextcloud AIO
Now we’re actually ready to install Nextcloud AIO. As ncuser, run the following (default settings; replace /nc/ncdata with whatever directory you created before):
$ docker run --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always \
--publish 80:80 --publish 8080:8080 --publish 8443:8443 \
--volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config \
--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro \
--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock \
--env NEXTCLOUD_DATADIR="/nc/ncdata" nextcloud/all-in-one:latest
Keep it running.
Point your DNS to the IP of your server and open https://<YOUR_URL>:8443 in a browser. It might take a moment, but you should be greeted by the password for your AIO container, and the site should have a valid certificate (I had to refresh the page manually once). Write down the password and log in. Follow the instructions given on the following page. You can now choose which containers to download; it’s ok to keep the defaults here. Once all containers are up, you can follow the link to log in to your new Nextcloud instance as user admin. I’d recommend logging in once as admin, creating a new admin user from there, then logging in with your new admin user and deleting the old one.
That’s it, you’ve got Nextcloud running!
Postinstallation tweaks
Remove “missing default phone region” warning
On the security check page you will probably find a warning: “missing default phone region”. To fix that, execute as ncuser:
$ docker exec --user www-data nextcloud-aio-nextcloud php occ config:system:set default_phone_region --value="<YOUR_COUNTRY_CODE>"
See here.
Logrotate
I’d also recommend configuring logrotate by following this. However, as we’re running in rootless mode, you’ll have to modify the configuration file a little:
$ cat /etc/logrotate.d/docker-container
/home/ncuser/.local/share/docker/containers/*/*.log {
    rotate 7
    daily
    compress
    missingok
    copytruncate
}
fail2ban
Check out this to configure fail2ban for your AIO installation.
BorgBackup
AIO comes with BorgBackup, see also here. I’d recommend scheduling a daily backup using the AIO settings.
Running ‘occ’ commands
In case you need to run occ commands, remember to run them as ncuser and omit sudo, of course! (See here on how to run occ commands.)
…and done
That should cover a basic installation. You should check all settings and tweak them to your needs, both in Nextcloud and in Nextcloud AIO. The latter reveals some more settings once the Nextcloud containers are stopped. The Nextcloud AIO container will update itself and the other containers. Optionally, you can remove port 8443/tcp from your firewall again and only open it each time you want to connect to the AIO container.