Rootless Podman Quadlet

[jennydaman]

This guide sets up Nextcloud-AIO using Podman in rootless mode and Quadlet behind a reverse proxy.

0. Install Podman

Podman version 4.8.0 or above is required. Older versions of Podman require workarounds, see edit history and discussion below.

1. Set up a reverse proxy

Consult the upstream documentation on how to do this: https://github.com/nextcloud/all-in-one/blob/main/reverse-proxy.md

An example Caddyfile might look like this:

cloud.example.com {
    reverse_proxy localhost:11000
}


https://cloud.example.com:8443 {
    reverse_proxy localhost:11001 {
        transport http {
            tls_insecure_skip_verify
        }
    }
}

2. Create Systemd Unit File

Create the file ~/.config/containers/systemd/nextcloud-aio-mastercontainer.container with the following content:

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:latest
PublishPort=127.0.0.1:11001:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
Network=bridge
SecurityLabelDisable=true

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1001/podman/podman.sock

[Install]
WantedBy=multi-user.target default.target

Important notes:

• Change /run/user/1001/podman/podman.sock to the path of your Podman socket (podman info --format '{{ .Host.RemoteSocket.Path }}')
• Nextcloud-AIO wants to create and join itself to a network called nextcloud-aio. The option Network=bridge enables this behavior, for details see podman network connect not implemented for slirp4netns containers/podman#19577 (comment)

Also, create the file ~/.config/containers/systemd/nextcloud-aio-mastercontainer.volume:

[Volume]
VolumeName=nextcloud_aio_mastercontainer

3. Start the Services

systemctl --user daemon-reload
systemctl --user start nextcloud-aio-mastercontainer

4. (Optional) Configure Containers to Restart After Reboot

Podman is daemonless so unlike Docker, containers do not restart automatically after reboot.

To enable restart of Podman containers after reboot, see containers/podman#20418 (comment)

5. Business As Usual

Go to https://cloud.example.com:8443 to access the Nextcloud AIO interface and start the Nextcloud server.

Notes

Backups and mastercontainer self-updating might not work, these details have yet to been sorted out.

[jennydaman]

Known issues

I've encountered some problems, however it is unknown whether these are actual bugs related to Podman or just usage errors.

• Built-in backup solution with BorgBackup doesn't really work.
• Master container updates might not work.

For, now, you can manually update the mastercontainer by running

systemctl --user stop nextcloud-aio-mastercontainer.service
podman pull docker.io/nextcloud/all-in-one:latest
systemctl --user start nextcloud-aio-mastercontainer.service

[p-fruck]

FYI Podman 4.8.0 has been released a few days ago and is already present in the Fedora 39 repos. Should be only a matter of the CoreOS auto updater to pick that up.
@jennydaman could you please set Podman >= 4.8.0 as the required version in the top level discussion comment? This discussion has become quite complex to follow

[loeffelpan]

@jennydaman Your quick fix doesn't work anymore as @szaimen did this commit: f935993
Maybe you can pull latest commits from upstream to your repo for the fix?

[jennydaman]

@p-fruck and @loeffelpan done

[daniarla]

Is there any workarounds for borgBackup?
Right now it only fails with some error on the directory configured (probably because is running without root permissions) or at least is only what is stated in the logs.

In fact, the database always starts with:
chmod: /var/run/postgresql: Operation not permitted
in the logs

[rriemann]

Why don't you change appearances of the user UID in /run/user/1001/podman/podman.sock:/var/run/docker.sock:ro to %U? Then, people can just copy'n'paste and the setup becomes simpler.

[Verhoeckx]

Will this solution also work with a Podman compose file?

What is de advantage of using a systemd unit file?

[jennydaman]

podman-compose would probably work, how to use it is not documented here.

On the surface level, the main advantage of Quadlet is convenient for people who like systemd and are already comfortable with its syntax.
Other than that, there are a few technical advantages of systemd. For instance, the workflow for lifecycle management (creating, starting, restarting, removing) of podman containers using systemd is better than using podman directly (e.g. systemctl --user stop container both stops and removes the container). For deployment, it's nice to use systemd as the services manager directly because it's what controls everything else. In the case of Nextcloud-AIO, it's possible to specify nextcloud-aio-mastercontainer's dependence on podman.socket and have systemd make things work instead of having to start the socket and nextcloud-aio-mastercontainer manually.

[Verhoeckx]

@jennydaman: thanks for the clarification! I didn't know that it was possible to start containers (with Podman) in unit files! Seems like a clean/efficient solution!

[jennydaman]

Soft reset instructions

systemctl --user stop nextcloud-aio-mastercontainer
containers=$(podman ps -a -f 'name=^nextcloud-aio' --format='{{.Names}}')
podman stop $containers
podman rm $containers
systemctl --user start nextcloud-aio-mastercontainer

[loeffelpan]

Hey, I'm using podman (rootless) in favor of docker on FCOS. My first attempt to get this working like described above ended in an error at domain check. Maybe this is a networking issue as caddy is proxying to host-ip:11000 and the domaincheck-container is only listening at loopback interface.
So I tried to use curl from the host to domaincheck-container and that worked.

Next step was to skip domaincheck but that ended in an Slim Application Error.
Any help would be appreciated. Please feel fre to ask for more information. I will provide what you need.

Bonus:
How should the reverse proxy container be configured to allow domaincheck to be successful?
My Caddy is proxying to the host's IP as loopback with default slirp4netns is not working. Should I use bridged networking for other Containers? By now I understood that's a workaround for AIO, but in containers/podman#19577 they say that bridge networking will be default in podman 5. Any thoughts?

[p-fruck]

Hey there @loeffelpan, are you running behind cloudflare? If so, this might be the reason for your domaincheck issues. When disabling the domaincheck, do the application errors look similar to the ones described in this comment? #3487 (reply in thread) If so, this will be fixed in a newer version of podman. 4.7.0 doesn't contain this fix and I haven't tested 4.7.2 until yet, but I don't think it includes my fix already. Until the fixed podman version is released, you can also patch the source code of your nextcloud AIO as described by @jennydaman here: #3487 (reply in thread)

[kri164]

How do you turn off domaincheck? Can I use this?

Environment=SKIP_DOMAIN_VALIDATION=true

[loeffelpan]

@kri164 Yes. Correct.

[loeffelpan]

@p-fruck You're correct. With slirp4netns loopbacks are difficult. I got this now working with APACHE_IP_BINDING=0.0.0.0.
Thanks.

Is the need of Network=bridge also solved with podman 4.7.2? I understand containers/podman#19577 that podman network connect for slirp4netns will not be fixed? So bridged network is simply needed, not longer a workaround.

If I an correct this should be mentioned in the initial post for anyone who is joining this discussion.

[p-fruck]

Interestingly, my local setup is created with the network in bridge mode by default (podman 4.7.0). Might have to do with my system default (Fedora CoreOS 39 beta), though I did not check any further. @loeffelpan what exactly would you like to mention? Afaict the default network mode of podman might deviate depending on how the given linux distribution packages podman, so I would simply mention that bridge network must be used (as already done by @jennydaman )

[loeffelpan]

I think this should not differ between distros. I'm also on podman 4.7.0 with FCOS 38.
And for rootless containers slirp4netns is default. bridge is default for rootless containers. This is also mentioned in the docs of podman run:
slirp4netns[:OPTIONS,…]: use slirp4netns(1) to create a user network stack. This is the default for rootless containers.
bridge[:OPTIONS,…]: Create a network stack on the default bridge. This is the default for rootful containers.

I was pointing to this one from the initial post.

Important notes:

• Change /run/user/1001/podman/podman.sock to the path of your Podman socket (podman info --format '{{ .Host.RemoteSocket.Path }}')
• Network=bridge is a necessary workaround for a slirp4netns bug

There is Network=bridge mentioned as a workaround for a bug. But it turned out that this is not a bug and will not be changed.

Allover, I think @jennydaman should modify this as simply needed and not a workaround. Regardless of distro/package differences or rootful/rootless setups.

[kri164]

podman -v
podman version 4.7.2

podman logs nextcloud-aio-mastercontainer
[shortened]
NOTICE: PHP message: Slim Application Error
Type: GuzzleHttp\Exception\ServerException
Code: 500
Message: Server error: POST http://localhost/v1.41/networks/nextcloud-aio/connect resulted in a 500 Internal Server Error response:
{"cause":"network is already connected","message":"container ad680a72162f0b469da30b74ee46ed7a3d0948253f68905ca70bc843e7f (truncated...)
File: /var/www/docker-aio/php/vendor/guzzlehttp/guzzle/src/Exception/RequestException.php
Line: 113
Trace: #0 /var/www/docker-aio/php/vendor/guzzlehttp/guzzle/src/Middleware.php(72): GuzzleHttp\Exception\RequestException::create(Object(GuzzleHttp\Psr7\Request), Object(GuzzleHttp\Psr7\Response), NULL, Array, NULL)

[p-fruck]

This error seems like its the same I mentioned above, related to podman.

[loeffelpan]

I'm confused that this question has not beeing asked. Maybe I missed something.
With only the mastercontainer as quadlet unit file. All the other nextcloud containers are gone after reboot.
How to start/deploy them in this setup?

[loeffelpan]

Thats quite a good idea. Thanks! @szaimen
Another option would be something like this as cronjob (not tested yet).

@reboot containers=$(podman ps -a -f 'name=^nextcloud-aio' --format='{{.Names}}'); podman start $containers

[jennydaman]

@loeffelpan and @szaimen thanks for bringing podman-restart.service to my attention, I've made a comment to upstream containers/podman#20418 (comment) and also modified the instructions here.

[loeffelpan]

In my case (on FCOS) podman-restart.service is disabled on any reboot.
@p-fruck You are on FCOS as well. Is this default behaviour and I have to set it to enable with ignition?

[p-fruck]

Can confirm that its disabled by default. This should not be anything CoreOS specific though. You can enable it in the ignition file for new installations, but a simple systemctl --user enable podman-restart.service should be fine too, since the ignition is only applied once.

[loeffelpan]

I did this. But for some reason (maybe zincati update finaliziation?) its disabled again. Any idea?

[loeffelpan]

Anyone using collabora in this setup?
I tried but got tons of errors and login page was loading infinite.

[richdocuments] Fehler: GuzzleHttp\Exception\ConnectException: cURL error 28: Operation timed out after 45002 milliseconds with 0 bytes received (see https://curl.haxx.se/libcurl/c/libcurl-errors.html) for https://kbw3.de/hosting/capabilities at <<closure>>

 0. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 158
    GuzzleHttp\Handler\CurlFactory::createRejection("*** sensitive parameters replaced ***")
 1. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlFactory.php line 110
    GuzzleHttp\Handler\CurlFactory::finishError(["GuzzleHttp\\Handler\\CurlHandler"], "*** sensitive parameters replaced ***", ["GuzzleHttp\\Handler\\CurlFactory"])
 2. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Handler/CurlHandler.php line 47
    GuzzleHttp\Handler\CurlFactory::finish(["GuzzleHttp\\Handler\\CurlHandler"], "*** sensitive parameters replaced ***", ["GuzzleHttp\\Handler\\CurlFactory"])
 3. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 137
    GuzzleHttp\Handler\CurlHandler->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 4. /var/www/html/lib/private/Http/Client/DnsPinMiddleware.php line 114
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 5. /var/www/html/3rdparty/guzzlehttp/guzzle/src/PrepareBodyMiddleware.php line 35
    OC\Http\Client\DnsPinMiddleware->OC\Http\Client\{closure}("*** sensitive parameters replaced ***")
 6. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 31
    GuzzleHttp\PrepareBodyMiddleware->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 7. /var/www/html/3rdparty/guzzlehttp/guzzle/src/RedirectMiddleware.php line 71
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
 8. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Middleware.php line 63
    GuzzleHttp\RedirectMiddleware->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
 9. /var/www/html/3rdparty/guzzlehttp/guzzle/src/HandlerStack.php line 75
    GuzzleHttp\Middleware::GuzzleHttp\{closure}("*** sensitive parameters replaced ***")
10. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 331
    GuzzleHttp\HandlerStack->__invoke("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
11. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 168
    GuzzleHttp\Client->transfer("*** sensitive parameters replaced ***", "*** sensitive parameters replaced ***")
12. /var/www/html/3rdparty/guzzlehttp/guzzle/src/Client.php line 187
    GuzzleHttp\Client->requestAsync("*** sensitive parameters replaced ***")
13. /var/www/html/lib/private/Http/Client/Client.php line 230
    GuzzleHttp\Client->request("*** sensitive parameters replaced ***", "https://kbw3.de/hosting/capabilities", ["/mnt/ncdata/fi ... e])
14. /var/www/html/custom_apps/richdocuments/lib/Service/CapabilitiesService.php line 135
    OC\Http\Client\Client->get("https://kbw3.de/hosting/capabilities", [45,[true]])
15. /var/www/html/custom_apps/richdocuments/lib/Backgroundjobs/ObtainCapabilities.php line 40
    OCA\Richdocuments\Service\CapabilitiesService->refetch()
16. /var/www/html/lib/private/BackgroundJob/Job.php line 54
    OCA\Richdocuments\Backgroundjobs\ObtainCapabilities->run(null)
17. /var/www/html/lib/private/BackgroundJob/TimedJob.php line 60
    OC\BackgroundJob\Job->execute(["OC\\BackgroundJob\\JobList"], ["OC\\Log"])
18. /var/www/html/cron.php line 152
    OC\BackgroundJob\TimedJob->execute(["OC\\BackgroundJob\\JobList"], ["OC\\Log"])

at 2023-11-08T03:07:47+00:00

Without collabora nextcloud is working fine.

[p-fruck]

Not using collabora yet but I had some DNS issues trying to access my IdP when configuring OIDC for SSO. Can you try to curl https://kbw3.de and nslookup kbw3.de within your nextcloud-aio-nextcloud container? For me, the DNS started working again after invoking nslookup in the container manually, though this might have been an issue with my setup...

[loeffelpan]

curl https://kbw3.de from inside the nextcloud container is working fine. Seems not to be an DNS issue.

[p-fruck]

It depends. For me curl was working but the php request didn't until I executed nslookup for the domain once. Apparently the dns entry had to be cached first for some odd reason

[loeffelpan]

To solve this I started another discussion which brought me on the right track.
It seem that Collabora needs CAP_MKNOD to run. Unfortunately docker provides this capability by default. Podman does not.
But even when @szaimen adds this capability to his API commands for creating the collabora container it still needs root to use this capability.

So running collabora in our rootless setup isn't possible right now - regardless docker or podman.
And running collabora in AIO in a rootful setup is only possible with docker, not with podman as CAP_MKNOD is missing so far.

[bennypowers]

I followed the above steps on Fedora Silverblue 39 and was unable to start the nextcloud-aio-mastercontainer service

❯ podman info --format '{{ .Host.RemoteSocket.Path }}'
/run/user/1000/podman/podman.sock

❯ cat ~/.config/containers/systemd/nextcloud-aio-mastercontainer.container 
[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:latest
PublishPort=127.0.0.1:11001:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
Network=bridge

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock

[Install]
WantedBy=multi-user.target default.target

❯ cat ~/.config/containers/systemd/nextcloud-aio-mastercontainer.volume
[Volume]
VolumeName=nextcloud_aio_mastercontainer

❯ systemctl --user status nextcloud-aio-mastercontainer.service 
× nextcloud-aio-mastercontainer.service - Nextcloud AIO Master Container
     Loaded: loaded (/var/home/username/.config/containers/systemd/nextcloud-aio-mastercontainer.container;>
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Mon 2023-12-25 14:24:09 IST; 8s ago
   Duration: 963ms
       Docs: https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
    Process: 2095 ExecStart=/usr/bin/podman run --name=nextcloud-aio-mastercontainer --cidfile=/run/user/1000/n>
    Process: 2154 ExecStopPost=/usr/bin/podman rm -v -f -i --cidfile=/run/user/1000/nextcloud-aio-mastercontain>
   Main PID: 2095 (code=exited, status=1/FAILURE)
        CPU: 2.406s

Dec 25 14:24:08 pi systemd[1814]: Started nextcloud-aio-mastercontainer.service - Nextcloud AIO Master Containe>
Dec 25 14:24:08 pi podman[1936]: 2023-12-25 14:24:08.738104124 +0200 IST m=+3.287549113 container start c7e1cfd>
Dec 25 14:24:08 pi nextcloud-aio-mastercontainer[2095]: Docker socket is not available. Cannot continue.
Dec 25 14:24:08 pi nextcloud-aio-mastercontainer[2095]: Please make sure to mount the docker socket into /var/r>
Dec 25 14:24:08 pi nextcloud-aio-mastercontainer[2095]: If you did this by purpose because you don't want the c>
Dec 25 14:24:08 pi nextcloud-aio-mastercontainer[1936]: c7e1cfdfa050b14d492a18ae4648d91ef8063c3d8ada0372831058f>
Dec 25 14:24:09 pi podman[2107]: 2023-12-25 14:24:09.606304183 +0200 IST m=+0.778314258 container remove c7e1cf>
Dec 25 14:24:09 pi systemd[1814]: nextcloud-aio-mastercontainer.service: Main process exited, code=exited, stat>
Dec 25 14:24:09 pi systemd[1814]: nextcloud-aio-mastercontainer.service: Failed with result 'exit-code'.
Dec 25 14:24:09 pi systemd[1814]: nextcloud-aio-mastercontainer.service: Consumed 2.406s CPU time.

[bennypowers]

no dice for me, unfortunately

❯ systemctl --user status podman.socket
● podman.socket - Podman API Socket
     Loaded: loaded (/usr/lib/systemd/user/podman.socket; enabled; preset: disabled)
     Active: active (listening) since Tue 2023-12-26 07:43:25 IST; 2 days ago
   Triggers: ● podman.service
       Docs: man:podman-system-service(1)
     Listen: /run/user/1000/podman/podman.sock (Stream)
     CGroup: /user.slice/user-1000.slice/[email protected]/app.slice/podman.socket

Dec 26 07:43:25 pi systemd[1789]: Listening on podman.socket - Podman API Socket.

❯ systemctl --user status nextcloud-aio-mastercontainer.service 
× nextcloud-aio-mastercontainer.service - Nextcloud AIO Master Container
     Loaded: loaded (/var/home/username/.config/containers/systemd/nextcloud-aio-mastercontainer.container;>
    Drop-In: /usr/lib/systemd/user/service.d
             └─10-timeout-abort.conf
     Active: failed (Result: exit-code) since Tue 2023-12-26 07:43:35 IST; 2 days ago
   Duration: 2.187s
       Docs: https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
    Process: 2249 ExecStart=/usr/bin/podman run --name=nextcloud-aio-mastercontainer --cidfile=/run/user/1000/n>
    Process: 2505 ExecStopPost=/usr/bin/podman rm -v -f -i --cidfile=/run/user/1000/nextcloud-aio-mastercontain>
   Main PID: 2249 (code=exited, status=1/FAILURE)
        CPU: 2.522s

Dec 26 07:43:31 pi systemd[1789]: Started nextcloud-aio-mastercontainer.service - Nextcloud AIO Master Containe>
Dec 26 07:43:31 pi podman[1956]: 2023-12-26 07:43:31.564381165 +0200 IST m=+4.085842112 container start a26bba9>
Dec 26 07:43:31 pi nextcloud-aio-mastercontainer[1956]: a26bba9eb7db3df4f2594f8a261b24f1d9d334edd2051d63ff3f0ef>
Dec 26 07:43:31 pi nextcloud-aio-mastercontainer[2249]: Docker socket is not available. Cannot continue.
Dec 26 07:43:31 pi nextcloud-aio-mastercontainer[2249]: Please make sure to mount the docker socket into /var/r>
Dec 26 07:43:31 pi nextcloud-aio-mastercontainer[2249]: If you did this by purpose because you don't want the c>
Dec 26 07:43:33 pi podman[2262]: 2023-12-26 07:43:33.590328049 +0200 IST m=+1.897156009 container remove a26bba>
Dec 26 07:43:33 pi systemd[1789]: nextcloud-aio-mastercontainer.service: Main process exited, code=exited, stat>
Dec 26 07:43:35 pi systemd[1789]: nextcloud-aio-mastercontainer.service: Failed with result 'exit-code'.
Dec 26 07:43:35 pi systemd[1789]: nextcloud-aio-mastercontainer.service: Consumed 2.522s CPU time.
lines 1-22/22 (END)

[loeffelpan]

Is SELinux enabled on Silverblue? As it's basically Fedora, it should.
On FCOS I saw some AVC deny messages in the audit.log when sharing a socket to a container. My setup runs in permissive mode by now due to other issues and it works. I did not figure it out how to modify SELinux to allow sharing sockets with containers.

[szaimen]

Maybe this helps? https://github.com/nextcloud/all-in-one#are-there-known-problems-when-selinux-is-enabled

[loeffelpan]

Indeed that would help. But disabling security is not my way to go. I'm looking for a way to allow socket access by rule for SELinux instead.

[p-fruck]

Honestly, I feel like running with SELinux in enforcing mode and disabling security opts for the master container only might be the way to go. If you want to build your own SELinux policy, maybe this reply can help ;)

[kri164]

Some notes from my last install. Hope it helps.

cgroups

Running containers as rootless requires cgroups version 2. Version 1 or hybrid mode v1/v2 doesnt work. Check the status
mount | grep '^cgroup' | awk '{print $1}' | uniq
To change this add a kernel command line parameter to the boot loader and reboot
systemd.unified_cgroup_hierarchy=1

SELinux

Check the status with command
sestatus
If enabled you should mount volumes with big Z letter as option
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:Z

Netavark

Todays versions of Podman comes with Netavark module, but existing installations are configured for CNI. If you have problems with intercontainer DNS resolution, switch it.
Check current status
podman info | grep networkBackend
then install "aardvark-dns netavark" packages
and finally switch
podman system reset
WARNING: It will complete WIPE of your container environment, all networks, volumes, images will be erased!

Backup restore

Backup restore doesnt work during initial installation. Error is "Permission denied". Not sure if common bug or rootless install only. As a workaround, you can symlink backup directory to /tmp and use it for import
ln -s /home/aio/backup /tmp/backup
Regular backup works fine.

[bennypowers]

Thank you for these instructions. I was able to get this working through cloudflare tunnel by adding a "Bypass - include everyone" rule for the zero trust app. (Allow - include everyone did not work because it continued to ask for cloudflare OTP, which broke the mobile apps with "Malformed server configuration").

I will need to make modifications to config.php, namely default_phone_region and perhaps also trusted_proxies. Is there an environment variable I can declare in the nextcloud-aio-mastercontainer.container unit which will set those?

[p-fruck]

Hi, I don't think so but you could use some kind of script/init-container which executes the occ command as described here

[bennypowers]

For future reference, I solved this (from the host OS) by editing the file at ~/.local/share/containers/storage/volumes/nextcloud_aio_nextcloud/_data/config/config.php

[ghost]

Fedora 39 here.
It seems I need to put the capital Z: Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:Z
However SELinux is getting in the way:

type=AVC msg=audit(1704703853.627:14274): avc: denied { connectto } for pid=37151 comm="docker" path="/run/user/1000/podman/podman.sock" scontext=system_u:system_r:container_t:s0:c287,c329 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=0 

Jan 08 09:55:30 fedora.smus.net systemd[35538]: Started nextcloud-aio-mastercontainer.service - Nextcloud AIO Master Container.
Jan 08 09:55:30 fedora.smus.net nextcloud-aio-mastercontainer[37842]: Trying to fix docker.sock permissions internally...
Jan 08 09:55:30 fedora.smus.net nextcloud-aio-mastercontainer[37842]: Adding internal www-data to group root
Jan 08 09:55:30 fedora.smus.net podman[37740]: 2024-01-08 09:55:30.628566465 +0100 CET m=+0.767446952 container start 2ac69323cd5d11ea278861715537c644b0b2926d4e00551ac6fe8efe51b09e>
Jan 08 09:55:30 fedora.smus.net nextcloud-aio-mastercontainer[37740]: 2ac69323cd5d11ea278861715537c644b0b2926d4e00551ac6fe8efe51b09ecd
Jan 08 09:55:30 fedora.smus.net nextcloud-aio-mastercontainer[37842]: Cannot connect to the docker socket. Cannot proceed.

Any ideas?

[kri164]

Maybe this one help https://github.com/dpw/selinux-dockersock

[p-fruck]

In case you do not want to deal with SELinux policies, you might want disable SELinux labeling for socket as explained in the docs

[ghost]

@p-fruck That seems to work.
So for Fedora you also need to set: SecurityLabelDisable=true

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:latest
PublishPort=127.0.0.1:11001:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:Z
Network=bridge
SecurityLabelDisable=true

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock

[Install]
WantedBy=multi-user.target default.target

[loeffelpan]

Any way to create a policy on Fedora Core OS? I can't figure it out.

[p-fruck]

I think this question should be asked in the podman discussions. There official answer seems to be disabling SELinux labels for the specified container though. Feel free to link to link your discussion here ;)

[loeffelpan]

On any mastercontainer update I got this error (in the logs of watchtower container):
crun: cannot set memory swappiness with cgroupv2

Same on starting newly created mastercontainer.
Any idea?

[loeffelpan]

Am I the only one with problems on updates (of mastercontainer or any other container of aio)?

[bennypowers]

for me, at the moment, automated updates always fail to restart containers, and occasionally crash the ncaio container as well.

[loeffelpan]

Yeah. Containers can be created but not started. Seems due to the above error concerning memory swapiness.
I found this issue but no solution.
containers/podman#13916

Maybe someone can take a look?

[bennypowers]

I'm not sure that I have the same issue as you, although the symptoms are similar (ncaio crashing or not starting containers)

here are my latest watchtower logs. note the date is feb 2 although just this morning (feb 4) I experienced aio stopping all containers and failing to start them

time="2024-02-02T04:00:37Z" level=debug msg="Sleeping for a second to ensure the docker api client has been properly initialized."
time="2024-02-02T04:00:38Z" level=debug msg="Making sure everything is sane before starting"
time="2024-02-02T04:00:38Z" level=info msg="Watchtower 1.7.1"
time="2024-02-02T04:00:38Z" level=info msg="Using no notifications"
time="2024-02-02T04:00:38Z" level=info msg="Only checking containers which name matches \"nextcloud-aio-mastercontainer\""
time="2024-02-02T04:00:38Z" level=info msg="Running a one time update."
time="2024-02-02T04:00:38Z" level=debug msg="Checking containers for updated images"
time="2024-02-02T04:00:38Z" level=debug msg="Retrieving running containers"
time="2024-02-02T04:00:39Z" level=debug msg="Trying to load authentication credentials." container=/nextcloud-aio-mastercontainer image="docker.io/nextcloud/all-in-one:latest"
time="2024-02-02T04:00:39Z" level=debug msg="No credentials for index.docker.io found" config_file=/config.json
time="2024-02-02T04:00:39Z" level=debug msg="Got image name: docker.io/nextcloud/all-in-one:latest"
time="2024-02-02T04:00:39Z" level=debug msg="Checking if pull is needed" container=/nextcloud-aio-mastercontainer image="docker.io/nextcloud/all-in-one:latest"
time="2024-02-02T04:00:39Z" level=debug msg="Built challenge URL" URL="https://index.docker.io/v2/"
time="2024-02-02T04:00:40Z" level=debug msg="Got response to challenge request" header="Bearer realm=\"https://auth.docker.io/token\",service=\"registry.docker.io\"" status="401 Unauthorized"
time="2024-02-02T04:00:40Z" level=debug msg="Checking challenge header content" realm="https://auth.docker.io/token" service=registry.docker.io
time="2024-02-02T04:00:40Z" level=debug msg="Setting scope for auth token" image=docker.io/nextcloud/all-in-one scope="repository:nextcloud/all-in-one:pull"
time="2024-02-02T04:00:40Z" level=debug msg="No credentials found."
time="2024-02-02T04:00:40Z" level=debug msg="Parsing image ref" host=index.docker.io image=nextcloud/all-in-one normalized=docker.io/nextcloud/all-in-one tag=latest
time="2024-02-02T04:00:40Z" level=debug msg="Doing a HEAD request to fetch a digest" url="https://index.docker.io/v2/nextcloud/all-in-one/manifests/latest"
time="2024-02-02T04:00:41Z" level=debug msg="Found a remote digest to compare with" remote="sha256:98e17c2da1870a879fc01160a675d634664d0ae9a2f92ed1d67d8809a9dc7fc1"
time="2024-02-02T04:00:41Z" level=debug msg=Comparing local="sha256:708b48efd2479ec97b7ffb59f3d30c134556b56f4d41f4ca60323cd2687d1c7d" remote="sha256:98e17c2da1870a879fc01160a675d634664d0ae9a2f92ed1d67d8809a9dc7fc1"
time="2024-02-02T04:00:41Z" level=debug msg=Comparing local="sha256:985050250dbfa4a88b7958dadf63ee85da85d3ec901bcfbee6dbc10765e546af" remote="sha256:98e17c2da1870a879fc01160a675d634664d0ae9a2f92ed1d67d8809a9dc7fc1"
time="2024-02-02T04:00:41Z" level=debug msg="Digests did not match, doing a pull."
time="2024-02-02T04:00:41Z" level=debug msg="Pulling image" container=/nextcloud-aio-mastercontainer image="docker.io/nextcloud/all-in-one:latest"
time="2024-02-02T04:01:10Z" level=info msg="Found new docker.io/nextcloud/all-in-one:latest image (de8ab1049901)"
time="2024-02-02T04:01:10Z" level=info msg="Stopping /nextcloud-aio-mastercontainer (8e0a3c13758f) with SIGTERM"
time="2024-02-02T04:01:21Z" level=debug msg="AutoRemove container 8e0a3c13758f, skipping ContainerRemove call."
time="2024-02-02T04:01:38Z" level=error msg="container /nextcloud-aio-mastercontainer (8e0a3c13758f) could not be removed"
time="2024-02-02T04:01:38Z" level=info msg="Session done" Failed=1 Scanned=1 Updated=0 notify=no
time="2024-02-02T04:01:38Z" level=info msg="Waiting for the notification goroutine to finish" notify=no

If the problem is docker.io limits, I can temporarily solve by authenticating, but it seems like something deeper is going on here

[loeffelpan]

You're right. Seems to be not the same error.
Mine is clearly related to swapiness like in the mentioned issue.

[daniarla]

Hey!
After a couple of days fighting with podman and nextcloud-aio on debian and getting the error:

NOTICE: PHP message: Could not start domaincheck container: Could not start container nextcloud-aio-domaincheck: Server error: `POST http://localhost/v1.41/containers/create?name=nextcloud-aio-domaincheck` resulted in a `500 Internal Server Error` response:

{"cause":"executable file not found in $PATH","message":"container create: lookup init binary: exec: \"catatonit\": exec (truncated...)

It seems that for some reason podman needs catatonit in order to create other containers. I didn't know that it could have saved a couple of days of troubleshooting.

I'm just documenting it here in case that someone has the same problem!

[PunkFleet]

I got stuck on the first step. I can't even install it successfully.

podman run -d --init  --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always  --publish 8080:8080  --env APACHE_PORT=11000 --env APACHE_IP_BINDING=0.0.0.0 --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config --volume /var/run/docker.sock:/var/run/docker.sock:ro  nextcloud/all-in-one:latest

than i got error:

podman ps -a
CONTAINER ID  IMAGE                                  COMMAND               CREATED        STATUS                             PORTS                                                         NAMES
55b33152ef62  docker.io/nextcloud/all-in-one:latest                        5 seconds ago  Exited (1) Less than a second ago  0.0.0.0:8080->8080/tcp, 80/tcp, 8080/tcp, 8443/tcp, 9000/tcp  nextcloud-aio-mastercontainer
# podman logs nextcloud-aio-mastercontainer
Docker socket is not available. Cannot continue.
Please make sure to mount the docker socket into /var/run/docker.sock inside the container!
If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install.
Docker socket is not available. Cannot continue.
Please make sure to mount the docker socket into /var/run/docker.sock inside the container!
If you did this by purpose because you don't want the container to have access to the docker socket, see https://github.com/nextcloud/all-in-one/tree/main/manual-install.

[rexbron]

Re-read the instructions.

Specifically:

Change /run/user/1001/podman/podman.sock to the path of your Podman socket (podman info --format '{{ .Host.RemoteSocket.Path }}')

There is no --volume /var/run/docker.sock:/var/run/docker.sock:ro with podman.

[vwbusguy]

You actually can do this if you enable to podman socket as root and having the podman-docker package installed or just point directly to the podman socket. The problem seems to be that the socket doesn't work with SELinux enabled, even with passing :Z, so you need to --security-opt label:disable.

[vwbusguy]

Here's my currently working example:

sudo podman run --init --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always -eAPACHE_PORT=8081 --publish 80:80 --publish 8080:8080 --publish 8443:8443 --replace  --security-opt label:disable --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config --volume /run/podman/podman.sock:/var/run/docker.sock:ro nextcloud/all-in-one:latest

[PunkFleet]

Here's my currently working example:

sudo podman run --init --sig-proxy=false --name nextcloud-aio-mastercontainer --restart always -eAPACHE_PORT=8081 --publish 80:80 --publish 8080:8080 --publish 8443:8443 --replace  --security-opt label:disable --volume nextcloud_aio_mastercontainer:/mnt/docker-aio-config --volume /run/podman/podman.sock:/var/run/docker.sock:ro nextcloud/all-in-one:latest

It's working for me --security-opt label:disable , Thank you @vwbusguy

[vwbusguy]

For context, I believe this is similar to why you also need to disable SELinux when you're doing podman in Kubernetes as well. I realize that it isn't ideal for everyone, but it is a reality for some similar podman deployment operations and not only a Nextcloud AIO issue.

(In this case, you do not need to disable SELinux on the host, but just disable it in the specific podman run!)

[Macr0Nerd]

Hello! I'm attempting to run Nextcloud in this fashion but I have some concerns. For context, my environment is is using Podman Quadlets on a Fedora VM. Users and permissions are managed using FreeIPA. All persistent volumes are stored on NFS shares that are also Kerberized. I am running this as a specific user using the above configurations (although I am heavily considering the manual installation in a Pod to allow this to run rootless under root). The reason I bring this up is that I can't actually start the Nextcloud container itself as it can't chown the data directory to www-data:root. This is because the data directory is on an NFS that has IDs mapped, and if I attempt to change the ownership to www-data:NCDATA_GID it ends up as nobody:root in the container. I will include my configurations below, but I believe I need more idmaps but I'm not entirely sure. The Nextcloud container runs under the service user ncdata which is centrally managed.

Note: nextcloud_data_dir was just an attempt to get perms right. That's why it hasn't been configured yet

ncdata@docker:~/.config/containers/systemd$ find /shared/data/nextcloud/ -ls
     1536      1 drwx------   4 ncdata   nobody          4 Oct  3 04:54 /shared/data/nextcloud/
     1664      1 drwxr-xr-x   2 ncdata   nobody          2 Oct  3 04:54 /shared/data/nextcloud/config
     1665      1 drwxr-x---   3 ncdata   nobody          3 Oct  3 19:21 /shared/data/nextcloud/data
     1537      1 drwxr-x---   2 nobody   services        2 Oct  3 19:21 /shared/data/nextcloud/data/nextcloud_data_dir
ncdata@docker:~/.config/containers/systemd$ podman unshare ls -la /shared/data/nextcloud/data/
total 2
drwxr-x---. 3 root   nobody 3 Oct  3 19:21 .
drwx------. 4 root   nobody 4 Oct  3 04:54 ..
drwxr-x---. 2 nobody root   2 Oct  3 19:21 nextcloud_data_dir

root@pve:/rpool/shared/data/nextcloud/data# ls -lA
total 1
drwxr-x--- 2 www-data services 2 Oct  3 19:21 nextcloud_data_dir

/home/ncdata/.config/containers/systemd/nextcloud-aio-mastercontainer.container

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target network.target network-online.target krb-renew-ncdata.timer
Wants=network-online.target krb-renew-ncdata.timer
Requires=podman.socket

[Service]
Restart=always

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:latest
EnvironmentFile=/etc/nextcloud.env
PublishPort=8180:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/etc/ncdata.keytab:/etc/krb5.keytab:ro,bind
Volume=/run/user/1238400022/podman/podman.sock:/var/run/docker.sock:Z
Network=bridge
SecurityLabelDisable=true
Pull=never #set so I don't get rate limited while testing
AutoUpdate=registry

[Install]
WantedBy=multi-user.target default.target

/home/ncdata/.config/containers/systemd/nextcloud-aio-mastercontainer.volume

[Volume]
VolumeName=nextcloud_aio_mastercontainer
Driver=local
Device=/shared/data/nextcloud/config/

/etc/nextcloud.env

KRB5CCNAME=FILE:/tmp/krb5cc_ncdata

APACHE_PORT=8181
APACHE_IP_BINDING=0.0.0.0
WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1238400022/podman/podman.sock
NEXTCLOUD_DATADIR=/shared/data/nextcloud/data
AIO_DISABLE_BACKUP_SECTION=true
SKIP_DOMAIN_VALIDATION=true

[Macr0Nerd]

Ok I think I just need to map UID 33 into the container, but I'm figuring out how to get NFS to export UID 33.

[vwbusguy]

Ref. https://www.redhat.com/sysadmin/rootless-podman-nfs but you have an extra complexity with sssd.

[vwbusguy]

Also, this discussion: containers/podman#16018

[rgolangh]

I created a tool to manage podman and quadlets from repositories, and with it this installation can be run like so:

pq install nextcloud

The tool is using git repositories with folders containing all the quadlet files. The default the tool works with is https://github.com/rgolangh/podman-quadlets , but you can use your own of course.

If you're interested please check-out https://github.com/rgolangh/pq - PRs or issues/discussions and feedback are welcomed.

[vwbusguy]

This is cool - it seems like a sort of helm chart way to deploy things with podman. Do you also have a way to update the existing deployment with newer image refs?

[rgolangh]

the beauty is that podman does that for you using podman auto-update.service and to opt-in just add this to the quadlet file:

[container]
AutoUpdate=registry

This should result in a label on the container podman creates to be picked up by auto-update.
See https://docs.podman.io/en/latest/markdown/podman-auto-update.1.html

[vwbusguy]

Excellent work! I love that you also have a repo ref for Valkey as well!

[mikwee]

When going into https://127.0.0.1:8443 I get an SSL_ERROR_INTERNAL_ERROR_ALERT error. Not sure what to do. I'm not sure how to get my custom Caddyfile in there tbh.

[rexbron]

Can you post your caddyfile?

[rexbron]

After updating to version 30.0.2, the AppAPI feature is flooding my logs with errors related to accessing the docker.sock.

[app_api] Error: Could not connect to Docker daemon
	POST /apps/app_api/daemons/verify_connection
	from <redacted> at Dec 1, 2024, 11:22:38 AM

Suggestions? Disable AppAPI? Point it in the right direction somehow?

[vwbusguy]

Install podman-docker and system enable --now podman.socket should get that to work

[rexbron]

Both were already installed prior to this update. Are you suggesting podman.socket needs to be enabled for the root user?

podman.socket is enabled as the podman user. My intent is to use podman as a rootless user.

[rgolangh]

Both were already installed prior to this update. Are you suggesting podman.socket needs to be enabled for the root user?

podman.socket is enabled as the podman user. My intent is to use podman as a rootless user.

Do you have DOCKER_HOST set?

$ env | grep DOCKER_HOST
DOCKER_HOST=unix:///run/user/1000/podman/podman.sock

and in the unit file of nextcloud:

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket
...

[Container]
...
Volume=/run/user/%U/podman/podman.sock:/var/run/docker.sock:ro
...
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/%U/podman/podman.sock

See here:
https://github.com/rgolangh/podman-quadlets/blob/918562aa47141e7defc5222c4198636371e5f81c/nextcloud/nextcloud-aio-master.container#L16

https://github.com/rgolangh/podman-quadlets/blob/918562aa47141e7defc5222c4198636371e5f81c/nextcloud/nextcloud-aio-master.container#L22

[rgolangh]

It is worth making sure podman.socket is active as the user

systemctl is-active --user  podman.socket 

[Extarys]

Anyone managed to make onlyoffice work? I cannot access the host from within the container.
curl -I https://host... is unreachable from within the mastercontainer.

[TvT82]

Hi ! Could you PLEASE provide a "caddy.container" file for your setup ?

EDIT: Guess i've got it: Did forget to set "network=host" in caddy.container 🤦

[rugk]

About self/automatic updates

self-updating might not work

Not tried in practice, yet, but is not this a solved problem in the podman world? podman-auto-update can take care of that?

To use it you basically just need to add a label to the containers (io.containers.autoupdate=registry) and enable the pre-shipped podman service for auto-updating (systemctl --user enable podman-auto-update, taken from here). That should be it!

(IMHO; this is also better than how the Docker world does it, it's all handled by podman – it could apparently even handle rollbacks.)

Maybe you can add this to the guide, @jennydaman?

[jennydaman]

I didn't know about podman-auto-update before, thanks for sharing!

As a sysadmin I'm not comfortable with the idea of automatic updates. Nextcloud-AIO has a self update feature, which is different from automatic updates:

• In Nextcloud AIO, the admin interface has a big blue button you can click to update itself. This is a manual, albeit simplified step.
• Automatic updates perform updates without manual steps.

People who are interested in auto-updates should be able to find your comment with a quick CTRL-F

[gsalvatella]

One can also add the AutoUpdate=registry parameter in ~/.config/containers/systemd/nextcloud-aio-mastercontainer.container. This allows only the AIO container to be updated, which you anyway need before manually updating the individual containers from the UI. I think this strikes a balance between convenience and stability.

You could add it as a commented out parameter in the description:

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket

[Container]
ContainerName=nextcloud-aio-mastercontainer
Image=docker.io/nextcloud/all-in-one:latest
PublishPort=127.0.0.1:11001:8080
Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
Network=bridge
SecurityLabelDisable=true
# AutoUpdate=registry  # Uncomment if you want the AIO container to be automatically updated

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=127.0.0.1
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1001/podman/podman.sock

[Install]
WantedBy=multi-user.target default.target

[rexbron]

Updated the master container and can't start the container with the following error:

Mar 19 16:26:41 davincibox podman[6998]: 2025-03-19 16:26:41.862478602 -0400 EDT m=+0.293328611 container start 337ace62989b531b99ca228b4feec53e07a721839df9feaf5f250b5849e4879b (image=docker.io/nextcloud/all-in-one:latest, name=nextcloud-aio-mastercontainer, PODMAN_SYSTEMD_UNIT=nextcloud-aio-mastercontainer.service)
Mar 19 16:26:41 davincibox nextcloud-aio-mastercontainer[6998]: 337ace62989b531b99ca228b4feec53e07a721839df9feaf5f250b5849e4879b
Mar 19 16:27:07 davincibox nextcloud-aio-mastercontainer[7082]: Could not resolve the host nextcloud.com.
Mar 19 16:27:07 davincibox nextcloud-aio-mastercontainer[7082]: Most likely the DNS resolving does not work.
Mar 19 16:27:07 davincibox nextcloud-aio-mastercontainer[7082]: You should be able to fix this by following https://dockerlabs.collabnix.com/intermediate/networking/Configuring_DNS.html
Mar 19 16:27:07 davincibox nextcloud-aio-mastercontainer[7082]: Apart from that, there has been this: https://github.com/nextcloud/all-in-one/discussions/2065
Mar 19 16:27:07 davincibox podman[7365]: 2025-03-19 16:27:07.151086687 -0400 EDT m=+0.023784975 container died 337ace62989b531b99ca228b4feec53e07a721839df9feaf5f250b5849e4879b (image=docker.io/nextcloud/all-in-one:latest, name=nextcloud-aio-mastercontainer, PODMAN_SYSTEMD_UNIT=nextcloud-aio-mastercontainer.service)
Mar 19 16:27:07 davincibox podman[7365]: 2025-03-19 16:27:07.601525756 -0400 EDT m=+0.474224024 container remove 337ace62989b531b99ca228b4feec53e07a721839df9feaf5f250b5849e4879b (image=docker.io/nextcloud/all-in-one:latest, name=nextcloud-aio-mastercontainer, PODMAN_SYSTEMD_UNIT=nextcloud-aio-mastercontainer.service)
Mar 19 16:27:07 davincibox systemd[3084]: nextcloud-aio-mastercontainer.service: Main process exited, code=exited, status=1/FAILURE
Mar 19 16:27:07 davincibox systemd[3084]: nextcloud-aio-mastercontainer.service: Failed with result 'exit-code'.

Anyone else got issues or a fix?

[rexbron]

$ podman network inspect nextcloud-aio 
[
     {
          "name": "nextcloud-aio",
          "id": "bbaf5176ed8bede4fb8ae28589338040408f3040fe1cbefd310a23eaa4d90ad7",
          "driver": "bridge",
          "network_interface": "podman2",
          "created": "2024-07-19T14:27:03.452201355-04:00",
          "subnets": [
               {
                    "subnet": "10.89.1.0/24",
                    "gateway": "10.89.1.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": true,
          "options": {
               "isolate": "true"
          },
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {}
     }
]

[rexbron]

Seems like the nextcloud-aio-mastercontainer is attaching to the default podman network?

$ podman network inspect podman
[
     {
          "name": "podman",
          "id": "2f259bab93aaaaa2542ba43ef33eb990d0999ee1b9924b557b7be53c0b7a1bb9",
          "driver": "bridge",
          "network_interface": "podman0",
          "created": "2025-03-20T11:29:15.20763929-04:00",
          "subnets": [
               {
                    "subnet": "10.88.0.0/16",
                    "gateway": "10.88.0.1"
               }
          ],
          "ipv6_enabled": false,
          "internal": false,
          "dns_enabled": false,
          "ipam_options": {
               "driver": "host-local"
          },
          "containers": {
               "62bca183f4273fa5d4950cc312a897a6ce220d82a275fc19ed0cab3b123d8ed0": {
                    "name": "nextcloud-aio-mastercontainer",
                    "interfaces": {
                         "eth0": {
                              "subnets": [
                                   {
                                        "ipnet": "10.88.0.21/16",
                                        "gateway": "10.88.0.1"
                                   }
                              ],
                              "mac_address": "3e:f3:32:15:1f:49"
                         }
                    }
               }
          }
     }
]

[rexbron]

$ podman unshare --rootless-netns
[root@davincibox ~]# ping 1.1.1.1
ping: connect: Network is unreachable
[root@davincibox ~]# curl nextcloud.com
curl: (6) Could not resolve host: nextcloud.com
[root@davincibox ~]# exit
exit

So something in the Rocky Linux update has broken rootless networking.

Network=slirp4netns

Gets me to the login page for the mastercontainer but results in a Slim application error on login.

[rexbron]

It was wireguard!

Rootless NetNS routing table was borked. Removing the wireguard interface from network manager and rebooting has restored internet.

Will investigate further when I have more time.

[Abastro]

Weird, I failed to make it work with APACHE_IP_BINDING=0.0.0.0, while APACHE_IP_BINDING=<Local IP> does work. What would be the reason for this?

[darkbroodzed]

Updating the AIO master container from version 10.9.0 to a newer version that uses ghcr.io breaks the installation.

Suspected reason: The new version of nextcloud-aio-mastercontainer does not join the nextcloud-aio network. Instead, it uses the default Podman network, which has no internet access.

This can be verified using the command:

podman ps --filter network=nextcloud-aio

Rolling back to the old master container version fixes the issue, so I suspect that changes in the master container Docker image have broken compatibility with Podman.

If someone have same issue and have solution - please share it :)

Client: Podman Engine
Version: 4.9.3
API Version: 4.9.3
Go Version: go1.22.2
Built: Thu Jan 1 00:00:00 1970
OS/Arch: linux/arm64

[darkbroodzed]

The issue was that during the update process, Podman did not remove the old master container when pulling the new image from the new image registry. As a result, two containers with the same name existed in the system. This broke Podman's network handling logic, causing the "second" container not to join the correct network — and this issue was not logged in any way.

Solution: Manually delete all containers downloaded from Docker Hub using the CLI.

[qupfer]

Thanks for this discussion.
More (or less) the initial example worked on my machine.
podman version 5.4.2 on archlinux (x64)

For me, no trouble with the network. Only one with "double" ports because a unifi quadlet already used them and nextcloud talk could not start. Disable talk and all works.

However, I can't see how on the initial post step 5 (Go to https://cloud.example.com:8443/ to access the Nextcloud AIO interface and start the Nextcloud server.) could work with the given examples. It should cloud.example.com:8080, shouldn't it???

My current container file:

[Unit]
Description=Nextcloud AIO Master Container
Documentation=https://github.com/nextcloud/all-in-one/blob/main/docker-rootless.md
After=local-fs.target
Requires=podman.socket

[Container]
ContainerName=nextcloud-aio-mastercontainer
#Image=docker.io/nextcloud/all-in-one:latest
Image=ghcr.io/nextcloud-releases/all-in-one:latest
PublishPort=18080:8080
#PublishPort=10080:80
#PublishPort=18443:8443

Volume=nextcloud_aio_mastercontainer:/mnt/docker-aio-config
Volume=/run/user/1000/podman/podman.sock:/var/run/docker.sock:ro
Network=bridge
SecurityLabelDisable=true

Environment=APACHE_PORT=11000
Environment=APACHE_IP_BINDING=0.0.0.0
Environment=WATCHTOWER_DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock

[Install]
WantedBy=multi-user.target default.target

I used traefik with this config (just the nextcloud parts)

    router-aio2:
      rule: "Host(`aio2.mydomain.de`)"
      service: "aio2"
      tls: {}

    router-nc2:
      rule: "Host(`nc2.07q.de`)"
      service: "nc2"
      tls: {}


  services:
    nc2:
      loadBalancer:
        servers:
          - url: "http://192.168.178.2:11000"

    aio2:
      loadBalancer:
        serversTransport: insecuretransport
        servers:
          - url: "https://192.168.178.2:18080"

[rriemann]

I am using CoreOS, podman quadlets and caddy as a reverse proxy. My domain verification fails currently.

cloud.domain.be {
        reverse_proxy localhost:11000
}
https://cloud.domain.be:9380 {
        reverse_proxy localhost:11001 {
                transport http {
                        tls_insecure_skip_verify
                }
        }
}

in the AOI interface, I get this error when I want to confirm cloud.domain.be:

The domain is not reachable on Port 443 from within this container. Have you opened port 443/tcp in your router/firewall? If yes is the problem most likely that the router or firewall forbids local access to your domain. You can work around that by setting up a local DNS-server.

$ podman ps --filter network=nextcloud-aio
CONTAINER ID  IMAGE                                              COMMAND     CREATED         STATUS                   PORTS                                                  NAMES
02e6e9b64a27  ghcr.io/nextcloud-releases/all-in-one:latest                   27 minutes ago  Up 27 minutes (healthy)  127.0.0.1:11001->8080/tcp, 80/tcp, 8443/tcp, 9000/tcp  nextcloud-aio-mastercontainer
528bd637a7da  ghcr.io/nextcloud-releases/aio-domaincheck:latest              27 minutes ago  Up 27 minutes (healthy)  127.0.0.1:11000->11000/tcp                             nextcloud-aio-domaincheck

$ podman exec nextcloud-aio-domaincheck wget -O- http://cloud.domain.be
Connecting to cloud.domain.be ([external ipv4]:80)

wget: can't connect to remote host ([external ipv4]): Connection refused
$ podman exec nextcloud-aio-domaincheck wget -O- https://networkcheck.kde.org/
Connecting to networkcheck.kde.org (85.10.198.55:443)
writing to stdout
-                    100% |********************************|     3  0:00:00 ETA
written to stdout
OK

What's wrong here?

[MastaG]

Recent podman releases will default to pasta for rootless networking.
The problem with pasta is that it cannot connect with all interfaces on the host, only the one that has been selected as the parent for the rootless bridge network.

I had the same problem where the public ip for my domain lives on the same host as my rootless nextcloud setup, where I couldn't connect to it from within any container.

The workaround was to revert back to slirp4netns instead.

dnf install slirp4netns
cp /usr/share/containers/containers.conf /etc/containers

Now edit /etc/containers/containers.conf and set:

default_rootless_network_cmd = "slirp4netns"

Reboot and all of your rootless containers should be able to connect with all host interfaces.

[rriemann]

Thanks for the idea. I think how I could implement a smaller work around that may not impact my other podman containers.

1. Couldn't I leverage --add-host=host:ip docs to map cloud.domain.be to point to the internal host gateway IP?

   AddHost=cloud.domain.be:host-gateway

2. Couldn't I change to slirp4netns only in the context of nextcloud and otherwise keep using pasta?

Edit: I forgot that the domaincheck container is created automatically and I do not know how I could add AddHost here.

Edit2:

As I have setup a specific unix user for nextcloud, I could configure slirp4netns only for this user using a file .config/containers/containers.conf.d/05-use-slirp4netns.conf with content:

[network]

default_rootless_network_cmd = "slirp4netns"

Note that CoreOS comes with slirp4netns already installed.

Awesome!

[MastaG]

That's correct as the AddHost parameter is only passed to the master container which doesn't pass it on unfortunately.

Creating a separate user for nextcloud with a .config/containers/containers.conf.d/05-use-slirp4netns.conf file is actually a very good idea.

Because slirp4netns seems to perform a little worse compared to pasta in terms of CPU usage, it's good to limit it only to nextcloud and a couple of other containers which require connecting to the host interfaces.

[qupfer]

Not sure if helpfull
Maybe, you could (or already did?) run caddy inside a quadlet too.
Then use instead published ports, socket activation (https://caddy.community/t/demo-run-caddy-with-socket-activation-rootless-podman-quadlet-files/25918)

I use this setup with traefik instead caddy and I'm realy suprised how well it works.
Thanks to the socket actiovation, the proxy-container get the original tcp packages as it would run on the host, without pasta or slip4netns. And the proxy can reach all other containers through normal podman network routing.

[a40yostudent]

I feel a little bit suspicious by the use of

Volume=/run/user/1001/podman/podman.sock:/var/run/docker.sock:ro
Network=bridge
SecurityLabelDisable=true

As you can read on podman documentation this practice is discouraged if the container is listening on TCP. I don't know if this is the case because usually it's hidden behind a reverse proxy, so is this causing a security issue?

[jennydaman]

I think you misunderstand the documentation.

The Podman documentation you linked advises against exposing the Podman API over TCP, and it implies exposing the Podman API over a Unix socket is acceptable.

Here, the nextcloud-aio-mastercontainer is given access to the Podman API over a Unix socket, mounted as a volume, and the nextcloud-aio API is exposed over TCP. In other words, we are not exposing the Podman API over TCP.

[jennydaman]

In any case, keep in mind that Docker is insecure by default (dockerd runs as root), and the nextcloud-aio project targets Docker. When we use Podman as a substitute in projects meant for Docker, it is often necessary to cripple Podman’s security to have it mimic Docker’s behavior.

[a40yostudent]

@jennydaman thanks for this insight. I think I’ll try to set up Nextcloud manually, not with aio I mean, and put all in a pod. Did you try a similar setup?

[jennydaman]

Haven’t tried it myself. Sounds like a big improvement to efficiency at the cost of maintenance.