Wonderfall/docker-nextcloud

[IMPORTANT] Migration to the new image

Wonderfall opened this issue · 16 comments

Hello, if you're reading this you're probably using my Docker image wonderfall/nextcloud. First and foremost, thanks for your interest! As you may already know, the current image is being deprecated. Let me first explain why (in detail) and then I'll give you some suggestions about your options.

I first made this image some years ago (late 2015 if I recall), back in the time when it was still ownCloud (I mean before the hard fork) and there was not even an Alpine-based image. Since then I kept maintaining the image, it has been 5 years already! Of course, I know sometimes I was not fast to update, due to life being life.

I've also said this: don't use third-party images when there's an official one. And at the time, there wasn't, but since 2016 (around that) there is. So if you're not willing to maintain your images, you should probably use official images. If that doesn't work for you, you can take inspiration but really pay attention to the maintenance of your images. Outdated images are security holes and a container is certainly not bulletproof: there is a massive attack surface which can be exploited to gain privilege on the host - unless you use alternative runtimes such as gVisor.

Now, back to my image, I kept maintaining it despite the official one being a thing. I wanted it to be very simple to use, e.g. no extra containers for nginx, cron - everything you need is running inside. It's not great for scalability, but it was never meant to be, it's just meant for single-users who want to take back their data. Docker once said "you should run only one process in a container" (not to mention it's rarely the case, technically speaking, but you get the idea), but containers are not defined by that rule, you can do whatever you want as long as it suits your needs.

However, the current image as it is has some flaws:

  • The current image is based on wonderfall/nginx-php, a base Alpine image which builds PHP and nginx from source. Great, but painful to maintain. I made the switch from Alpine packages in 2017 because there were some obscure issues I don't recall well, and it's great to have fine-grained versioning. It's still working, currently with PHP 8!
  • Since I wanted the image to be "simple to use", I made extensive use of privilege degrading (with su-exec) so permissions are transparent to the end-user. The issues are: it's best to never use root even at startup, and chown has terrible performance on overlayfs (not on btrfs, which I use, but overlayfs is the default). I mean, flexibility is great and all, but users should just learn to fix permissions of their volumes themselves, no?

These are the two main reasons I wanted a complete refactor. Now as you can see on the testing branch, several changes were made to the new image:

  • Fetching PHP/nginx from their official images.
  • Does not use any privilege at any time, even at startup.
  • Much easier to maintain thanks to multi-stage builds.
  • Includes hardened_malloc, a hardened memory allocator.
  • Does not include imagick, samba, etc. by default.

Goals are still to provide a simple image to use, but now with less attack surface, and more maintainability. Migration should be painless except for exotic use-cases. The things to keep in mind when migrating are the changes of volumes:

  • /data is now /nextcloud/data (it will remain /data for now)
  • /config is now /nextcloud/config
  • /apps2 is now /nextcloud/apps2

Changes should be made in your docker-compose.yml and in config.php to reflect the volume changes. Other than that, it should run like before. This is still in testing, but I made the change myself on my personal server and it's running flawlessly. It's already available in Docker Hub with the next tag.

The plan is to:

  • Announce deprecation of the current image
  • Maintain the current image for one more major version
  • Document migration to the new image
  • Eventually make the current image obsolete
  • Possibly distribute with ghcr.io

Feel free to discuss the topic here, but keep in mind I got many other things to do so I can't help if you're migrating to another image, official or third-party. Also keep in mind to back up your data in any case. Any migration should be possible, though.

Thanks for all your hard work and for continuing to make such a great and easy to use image

I'd like to thank you too!
I'm using your image for a long time now for several instances. I was considering a switch to the official image a few times, but in the end i always decided against it and never regret that so far. It proved to be very stable, it is so easy to use and maintain. So I'm very happy to hear that you took the time to "modernize" your image. The next branch looks very promising, I will check it out soon.
Thanks again, Patrick

Hey! The new image should be ready for every day use:

  • next branch has been renamed main which is now the new default branch
  • Packages will now be distributed with GitHub Container Registry: ghcr.io/wonderfall/mastodon
  • Trivy will scan the image for OS vulnerabilities every day and warn me if I have to take action
  • No matter what, the image will be automatically built every Friday (weekly)
  • Instructions for migrations are available here
  • The new README still needs some work, please be patient

Beware: the last Nextcloud update (21.0.2) broke 2FA for me, but it's not likely due to the new image since I was using the testing 21.0.1 image without issues. If this happens to you too, don't panic and disable 2FA with occ:

sudo docker exec -ti nextcloud occ twofactorauth:disable user twofactor_webauthn

I'll investigate this another day, but it's also possible it won't happen to you.

As I said above, the main source of distribution will be ghcr.io (GitHub Registry). The legacy image will soon be removed from Docker Hub, I see no point in leaving an unmaintained image available for download. Users should be encouraged to upgrade as soon as possible, and the removal will likely trigger an error so they'll be informed something is going on.

Tell me here if you're encountering issues with the upgrade. Don't forget to backup your data before doing so.

See you! :)

I took the initiative and removed all the images from the Docker Hub. There was no point in keeping them online despite being deprecated, and now obsolete. This will likely trigger an error when users will attempt to upgrade, and I hope they can see this.

  • Regarding the FIDO/Webauthn issue, it turned out to be an upstream issue, nothing to do on my end...
  • A fix for making the prebuilt images compatible with all x64 CPUs was made.

Last thing to do is finishing the documentation for brand new installs. I'd like to keep it simple, nothing too fancy.

I'm also potentially interested in making the image compatible with the so-called "high performance backend". That would be an optional feature, but I've yet to evaluate the usefulness of this. If someone knows more about it, feel free to convince me. :)

Hi,
I just wanted to share that I was able to upgrade my complete setup to use the new image without any major issues. Currently I'm running 2 of my biggest instances on the new image for 5 days without issues.
So thank you very much again for your effort and the smooth upgrade path. Using the new images I was also able to nearly completely remove the adjustments I made to the old one (mostly permission related).
I also would be interested in trying/using the "high performance backend".

Best regards, Patrick

Hi @Wonderfall , thanks for your great work. I just want to raise a minor issue I had during the upgrade process, but not sure if I was the only one who faced this issue.

I had to manually modify the file config/config.php by upgrading the apps2 folder to make the new image work.

<?php
$CONFIG = array (
  'datadirectory' => '/data',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/apps2',   # needs to be updated to /nextcloud/apps2
      'url' => '/apps2',
      'writable' => true,
    ),
  ),
);

Glad the migration went well.

I had to manually modify the file config/config.php by upgrading the apps2 folder to make the new image work.

Indeed, it's a breaking change, but it's covered in the migration steps. It's really just some volume renaming in docker-compose.yml and config.php. Maybe the latter change should be more emphasized just in case, I'll see what I can do.
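The volume renaming described in the first post and in the reply just above, as an added shell example that is not part of the docker-nextcloud project: it locates the legacy /apps2 path in config.php and the legacy /config and /apps2 container-side paths in docker-compose.yml, and rewrites them to /nextcloud/apps2 and /nextcloud/config. The sample config.php and the compose volume section are constructed here (the host paths ./data, ./config and ./apps2 are assumptions); /data is left untouched because the post says it stays /data for now, and the 'url' => '/apps2' entry is deliberately not touched because it is a web route, not a volume.

```shell
#!/bin/sh
# Added example, not code from the Wonderfall/docker-nextcloud project:
# find and rewrite the legacy volume paths (/config, /apps2) in config.php
# and docker-compose.yml for the new image layout. /data is left alone,
# since the issue says it stays /data for now.
set -eu

# Report any config.php 'path' entry still pointing at the legacy /apps2
# volume. Only the 'path' key is matched: the 'url' => '/apps2' entry is a
# web route, not a volume, and must stay as it is. Exit 0 if a legacy path
# is found (matching lines are printed), 1 if the file is already migrated.
config_has_legacy_paths() {
    grep -nE "'path' *=> *'/apps2'" "$1"
}

# Rewrite the legacy apps2 volume path in config.php; a .bak copy is kept.
config_rewrite_legacy_paths() {
    sed -i.bak "s#\('path' *=> *'\)/apps2'#\1/nextcloud/apps2'#" "$1"
}

# Report compose volume mounts whose container-side path is /config or
# /apps2, with or without trailing mount options such as :ro or :rw.
compose_has_legacy_volumes() {
    grep -nE ':(/config|/apps2)(:|$)' "$1"
}

# Rewrite those container-side mount paths; a .bak copy is kept. Two sed
# expressions per path keep this portable (no GNU-only \| alternation).
compose_rewrite_legacy_volumes() {
    sed -i.bak \
        -e 's#:/config$#:/nextcloud/config#' \
        -e 's#:/config:#:/nextcloud/config:#' \
        -e 's#:/apps2$#:/nextcloud/apps2#' \
        -e 's#:/apps2:#:/nextcloud/apps2:#' "$1"
}

# Constructed sample config.php in the shape posted earlier in this thread.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
$CONFIG = array (
  'datadirectory' => '/data',
  'apps_paths' =>
  array (
    0 =>
    array (
      'path' => '/nextcloud/apps',
      'url' => '/apps',
      'writable' => false,
    ),
    1 =>
    array (
      'path' => '/apps2',
      'url' => '/apps2',
      'writable' => true,
    ),
  ),
);
EOF
}

# Constructed sample compose volume section (host paths are hypothetical).
write_sample_compose() {
    cat > "$1" <<'EOF'
    volumes:
      - ./data:/data
      - ./config:/config
      - ./apps2:/apps2:rw
EOF
}

# Demonstration on the constructed samples in a scratch directory.
work=$(mktemp -d)
write_sample_config "$work/config.php"
write_sample_compose "$work/docker-compose.yml"
config_has_legacy_paths "$work/config.php" && config_rewrite_legacy_paths "$work/config.php"
compose_has_legacy_volumes "$work/docker-compose.yml" && compose_rewrite_legacy_volumes "$work/docker-compose.yml"
cat "$work/config.php" "$work/docker-compose.yml"
```

Run the two `*_has_*` functions against your real files first; they print the offending lines with line numbers and exit non-zero when nothing is left to migrate, so they double as a post-migration check. The rewrite functions leave a .bak copy next to each file, which is in addition to the full backup the thread asks for, not a replacement for it.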

I try to migrate to the new image. I updated docker-compose.yml and config.php. However, when the nextcloud is started, it shows an error of

fatal allocator error: getrandom failed | stderr

Can you please help?

I try to migrate to the new image. I updated docker-compose.yml and config.php. However, when the nextcloud is started, it shows an error of

fatal allocator error: getrandom failed | stderr

Can you please help?

What's your kernel version?

I am using synology docker. I believe that the kernel daemon version is 20.10.3.

Sorry, meant your Linux kernel version. FYI the getrandom() syscall is available since Linux 3.17. You're probably using an old version of Linux, and at this point it's highly recommended that you find a way to update your kernel to patch major security flaws.

I don't recommend it and this is merely a workaround, but you can disable the hardened memory allocator by running the container with an empty LD_PRELOAD environment variable. Like LD_PRELOAD="".
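As an added example (not from the docker-nextcloud project or from hardened_malloc), a small preflight script for the failure discussed above: it compares a kernel version string with the Linux 3.17 minimum for getrandom() and, for the running host via uname -r, reports whether hardened_malloc can run or whether only the LD_PRELOAD="" workaround applies. The version parsing is mine; the 3.17 figure, the Synology 3.10.x case and the workaround are the ones stated in this thread.

```shell
#!/bin/sh
# Added example, not from the docker-nextcloud project: preflight check for
# the "fatal allocator error: getrandom failed" failure discussed above.
# hardened_malloc relies on the getrandom() syscall, available since Linux
# 3.17, so an older host kernel (e.g. Synology's 3.10.x) aborts the container
# at startup. This compares a kernel version string against that minimum.
set -eu

MIN_GETRANDOM_KERNEL="3.17"

# Strip any distro suffix ("5.15.0-91-generic" -> "5.15.0") and print the
# major and minor components as "MAJOR MINOR" (missing parts count as 0).
version_major_minor() {
    clean=$(printf '%s\n' "$1" | sed 's/[^0-9.].*//')
    major=$(printf '%s\n' "$clean" | cut -d. -f1)
    case "$clean" in
        *.*) minor=$(printf '%s\n' "$clean" | cut -d. -f2) ;;
        *)   minor=0 ;;
    esac
    printf '%s %s\n' "${major:-0}" "${minor:-0}"
}

# kernel_at_least VERSION MINIMUM: exit 0 if VERSION >= MINIMUM, 1 otherwise.
kernel_at_least() {
    # Word splitting is intended: $1/$2 become the version's major/minor,
    # $3/$4 the minimum's major/minor.
    set -- $(version_major_minor "$1") $(version_major_minor "$2")
    if [ "$1" -gt "$3" ]; then return 0; fi
    if [ "$1" -lt "$3" ]; then return 1; fi
    [ "$2" -ge "$4" ]
}

# Does this kernel provide getrandom(), and therefore run hardened_malloc?
supports_getrandom() {
    kernel_at_least "$1" "$MIN_GETRANDOM_KERNEL"
}

# Check the running host and explain the outcome.
check_host() {
    running=$(uname -r)
    if supports_getrandom "$running"; then
        echo "kernel $running: getrandom() available, hardened_malloc can run"
    else
        echo "kernel $running: older than $MIN_GETRANDOM_KERNEL, hardened_malloc will abort at startup"
        echo "  preferred fix: update the host kernel (it is also missing security fixes)"
        echo "  workaround only: run the container with LD_PRELOAD=\"\" to disable the allocator"
    fi
}

check_host
```

Run it on the Docker host (not inside the container, since the container sees the host kernel anyway but may lack uname); a "3.10.105" result is exactly the Synology case reported below, where the allocator cannot work until the kernel is updated.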

Thank you for your detailed response. I checked the synology. It seems that the linux kernel version is 3.10.105. I am not sure whether synology allows the update for linux kernel. I will try the temporary fix first.

Alright, it's been a year so I think the majority of the userbase has had the occasion to either migrate to the newer image or evaluate their other options.

rofra commented

Dear @Wonderfall , I have a running instance of the old "wonderfall/nextcloud" on version 19. The minor version of the new path is 21 so I cannot upgrade directly as major multiple upgrades are not possible with nextcloud.
The old repo is destroyed, the old dockerhub tags removed, I cannot find an image of wonderfall/nextcloud:20 that would allow me the upgrade or compile it myself.

Any idea to save my server ?

Dear @Wonderfall , I have a running instance of the old "wonderfall/nextcloud" on version 19. The minor version of the new path is 21 so I cannot upgrade directly as major multiple upgrades are not possible with nextcloud. The old repo is destroyed, the old dockerhub tags removed, I cannot find an image of wonderfall/nextcloud:20 that would allow me the upgrade or compile it myself.

Any idea to save my server ?

Not gonna lie it's going to be a bit painful since Nextcloud only supports direct major version upgrades (e.g. 19 => 20, 20 => 21), but it's definitely doable.

What I suggest is:

  • Finding the commit on this repo so you get the files for the next major version
  • Building the image yourself
  • Running the upgrade, making sure it went fine
  • Repeat until you can upgrade to Nextcloud 25

For instance, say you want to upgrade to Nextcloud 20. First get the files:

git checkout b6468f3f534df83c378343fc1613e463a0a50972

Then, build the image:

docker build -t wonderfall/nextcloud:20 -f Dockerfile.20 .

At the time, there were two supported major versions, but now there is a single Dockerfile, so obviously change this accordingly. Starting Nextcloud 21 (or even a later Nextcloud 20 commit), you will need to proceed with the manual image migration involving the steps described in this issue.

rofra commented

Hi @Wonderfall, I really appreciate your instructive feedback. As wonderfall/nginx-php:7.4 is the main image for wonderfall/nextcloud and is not available anymore on dockerhub, I had to compile it myself the same way you told me before.

I had to launch the following commands:

git clone https://github.com/Wonderfall/docker-nginx-php.git
git clone https://github.com/Wonderfall/docker-nextcloud.git

cd docker-nginx-php
docker build -t wonderfall/nginx-php:7.4 -f Dockerfile.7.4 .
cd ..

cd docker-nextcloud
git checkout b6468f3f534df83c378343fc1613e463a0a50972
docker build -t wonderfall/nextcloud:20 -f Dockerfile.20 .
cd ..

Now I migrated to version 20, I can continue on the path.

A great thank you !