nextcloud: home parameter breaks nextcloud #81623

Closed

mrVanDalo
Contributor

Motivation for this change

This pull request shows that setting services.nextcloud.home = "/home/nextcloud"; will break nextcloud. I just updated the test, and it fails when setting the parameter.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

@FlorianFranzen
Contributor

Does this still fail for you on current master? It does not seem to break the CI.

@mrVanDalo
Contributor Author

@FlorianFranzen I don't know if the GitHub CI ever turned red because of this pull request. I will test today and accordingly delete the pull request.

@mrVanDalo
Contributor Author

nextcloud: must succeed: curl -sSf http://nextcloud/login
nextcloud # [   31.025491] nginx[747]: 2020/03/25 00:01:19 [error] 751#751: *1 FastCGI sent in stderr: "PHP message: PHP Warning:  fileperms(): stat failed for /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/data/nextcloud.log in /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Log/File.php on line 83PHP message: {"reqId":"jdEBAnfH3JpRDRo1sRS4","level":3,"time":"2020-03-25T00:01:19+00:00","remoteAddr":"127.0.0.1","user":"--","app":"PHP","method":"GET","url":"/login","message":"touch(): Unable to create file /home/nextcloud/config/config.php because Permission denied at /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Config.php#241","userAgent":"curl/7.68.0","version":""}PHP message: PHP Warning:  fileperms(): stat failed for /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/data/nextcloud.log in /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Log/File.php on line 83PHP message: {"reqId":"jdEBAnfH3JpRDRo1sRS4","level":3,"time":"2020-03-25T00:01:19+00:00","remoteAddr":"127.0.0.1","user":"--","app":"PHP","method":"GET","url":"/login","message":"fopen(/home/nextcloud/config/config.php): failed to open stream: Permission denied at /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Config.php#242","userAgent":"curl/7.68.0","version":""}PHP message: PHP Warning:  fileperms(): stat failed for /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/data/nextcloud.log in /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Log/File.php on line 83PHP message: {"reqId":"jdEBAnfH3JpRDRo1sRS4","level":3,"time":"2020-03-25T00:01:19+00:00","remoteAddr":"127.0.0.1","user":"--","app":"PHP","method":"GET","url":"/login","message":"chmod(): No such file or directory at /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/Config.php#245","userAgent":"curl/7.68.0","version":""}PHP message: PHP Warning:  fileperms(): stat 
failed for /nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/data/nextcloud.logcurl: (22) The requested URL returned error: 500 Internal Server Error
nextcloud #
nextcloud # [   31.059299] nginx[747]: 2020/03/25 00:01:19 [error] 751#751: *1 FastCGI sent in stderr: "-nextcloud-18.0.1/lib/private/Log/File.php#83","userAgent":"curl/7.68.0","version":""}PHP message: {"reqId":"jdEBAnfH3JpRDRo1sRS4","level":3,"time":"2020-03-25T00:01:19+00:00","remoteAddr":"127.0.0.1","user":"--","app":"index","method":"GET","url":"/login","message":{"Exception":"Doctrine\\DBAL\\DBALException","Message":"Failed to connect to the database: An exception occurred in driver: SQLSTATE[HY000] [14] unable to open database file","Code":0,"Trace":[{"file":"/nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php","line":1040,"function":"connect","class":"OC\\DB\\Connection","type":"->","args":[]},{"file":"/nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/lib/private/DB/Connection.php","line":220,"function":"executeUpdate","class":"Doctrine\\DBAL\\Connection","type":"->","args":["PRAGMA read_uncommitted = 1",[],[]]},{"file":"/nix/store/yj5qh2nqpyb91xpnapqpfbfcrdd47i99-nextcloud-18.0.1/3rdparty/doctrine/dbal/lib/Doctrine/DBAL/Connection.php","line":683,"function":"executeUpdate","class":"OC\\DB\\Connection" while reading response header from upstream, client: 127.0.0.1, server: nextcloud, request: "GET /login HTTP/1.1", upstream: "fastcgi://unix:/run/phpfpm/nextcloud.sock:", host: "nextcloud"
nextcloud: output:
error: command `curl -sSf http://nextcloud/login` failed (exit code 22)
cleaning up
killing client (pid 9)
killing nextcloud (pid 21)
(0.00 seconds)
builder for '/nix/store/675f723j8v94yc23z6a2wgkprzmy5ff5-vm-test-run-nextcloud-basic.drv' failed with exit code 1
error: build of '/nix/store/675f723j8v94yc23z6a2wgkprzmy5ff5-vm-test-run-nextcloud-basic.drv' failed

Still failing

@Ma27
Member

Ma27 commented Apr 9, 2020

Just took a brief look at this. This seems to happen since the phpfpm-nextcloud.service unit has the setting ProtectHome set to true. To quote systemd.exec(5):

       ProtectHome=
           Takes a boolean argument or the special values "read-only" or "tmpfs". If true, the directories /home, /root, and /run/user are made inaccessible and empty for processes invoked by this unit. If
           set to "read-only", the three directories are made read-only instead. If set to "tmpfs", temporary file systems are mounted on the three directories in read-only mode. The value "tmpfs" is useful
           to hide home directories not relevant to the processes invoked by the unit, while still allowing necessary directories to be made visible when listed in BindPaths= or BindReadOnlyPaths=.

Due to this, PHPFpm can't read the config file in /home/nextcloud/config and Nextcloud sets the log dir to the nginx-root (which is a store-path) and fails after that.

@mrVanDalo
Contributor Author

I guess the simple solution would be to just add documentation to the home parameter, right?

@Ma27
Member

Ma27 commented Apr 18, 2020

Hmm, how about writing an assertion that checks if dataDir starts with /home? But I'd be fine with adding documentation about this as well :)
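
An added example, not part of the thread or of nixpkgs: a Python check that applies the ProtectHome= semantics quoted from systemd.exec(5) above to the paths a service needs, which is the assertion idea generalised to any hardened unit. The function names, the sample unit text and the path list are assumptions made for illustration; bind mounts are only honoured for the "tmpfs" value, following the quoted man page text.

```python
import posixpath

PROTECTED = ("/home", "/root", "/run/user")   # directories listed in systemd.exec(5)
TRUE_VALUES = {"1", "yes", "true", "on"}      # systemd boolean spellings for "true"

def parse_unit(text):  # Key=Value lines of a unit file -> {key: [values...]}
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in "#;[" and "=" in line:
            key, value = line.split("=", 1)
            settings.setdefault(key.strip(), []).append(value.strip())
    return settings

def is_under(path, root):
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def bind_destinations(settings):  # destination -> True if bound writable
    dests = {}
    for key, writable in (("BindPaths", True), ("BindReadOnlyPaths", False)):
        for value in settings.get(key, []):
            for item in value.split():
                parts = item.lstrip("-").split(":")  # source[:destination[:options]]
                dests[parts[1] if len(parts) > 1 else parts[0]] = writable
    return dests

def check(unit_text, needed):
    """needed maps path -> "r" or "rw"; returns {path: reason} for unusable paths."""
    settings = parse_unit(unit_text)
    mode = settings.get("ProtectHome", ["no"])[-1].lower()
    if mode not in TRUE_VALUES | {"read-only", "tmpfs"}:
        return {}
    problems = {}
    for path, access in needed.items():
        if not any(is_under(path, root) for root in PROTECTED):
            continue
        binds = [w for d, w in bind_destinations(settings).items() if is_under(path, d)]
        if mode == "read-only":
            if "w" in access:
                problems[path] = "read-only"
        elif mode == "tmpfs" and binds:  # visible again through a bind mount
            if "w" in access and not any(binds):
                problems[path] = "read-only bind"
        else:
            problems[path] = "inaccessible" if mode in TRUE_VALUES else "hidden by tmpfs"
    return problems

SAMPLE_UNIT = "[Service]\nProtectHome=true\n"  # constructed sample unit
NEEDED = {"/home/nextcloud/config": "rw", "/var/lib/nextcloud": "rw"}  # constructed
```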

@stale

stale bot commented Oct 16, 2020

Hello, I'm a bot and I thank you in the name of the community for your contributions.

Nixpkgs is a busy repository, and unfortunately sometimes PRs get left behind for too long. Nevertheless, we'd like to help committers reach the PRs that are still important. This PR has had no activity for 180 days, and so I marked it as stale, but you can rest assured it will never be closed by a non-human.

If this is still important to you and you'd like to remove the stale label, we ask that you leave a comment. Your comment can be as simple as "still important to me". But there's a bit more you can do:

If you received an approval by an unprivileged maintainer and you are just waiting for a merge, you can @ mention someone with merge permissions and ask them to help. You might be able to find someone relevant by using Git blame on the relevant files, or via GitHub's web interface. You can see if someone's a member of the nixpkgs-committers team, by hovering with the mouse over their username on the web interface, or by searching them directly on the list.

If your PR wasn't reviewed at all, it might help to find someone who's perhaps a user of the package or module you are changing, or alternatively, ask once more for a review by the maintainer of the package/module this is about. If you don't know any, you can use Git blame on the relevant files, or GitHub's web interface to find someone who touched the relevant files in the past.

If your PR has had reviews and nevertheless got stale, make sure you've responded to all of the reviewer's requests / questions. Usually when PR authors show responsibility and dedication, reviewers (privileged or not) show dedication as well. If you've pushed a change, it's possible the reviewer wasn't notified about your push via email, so you can always officially request them for a review, or just @ mention them and say you've addressed their comments.

Lastly, you can always ask for help at our Discourse Forum, or more specifically, at this thread or at #nixos' IRC channel.

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Oct 16, 2020
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Feb 3, 2021
@mrVanDalo
Contributor Author

@Ma27 I took quite some time :D but I found some time to create the assertions.

@stale

stale bot commented Jan 6, 2022

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 6, 2022
@mrVanDalo
Contributor Author

This issue can be closed, in my opinion.

@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jan 6, 2022
@lheckemann
Member

Agreed, while it's annoying, I think adding assertions for this specific service (while this can happen with any that have hardening) isn't a good solution.

@lheckemann lheckemann closed this Jan 26, 2022