Non-root container and APACHE_DISABLE_REWRITE_IP cause "Could not remove /etc/apache2/conf-enabled/remoteip.conf: Permission denied" #1494

Closed
spikeygg opened this issue May 9, 2021 · 6 comments
Labels
feature: auto config (environment variables) Auto configuring via environment variables rootless Running in Docker w/o root wontfix


@spikeygg

spikeygg commented May 9, 2021

I've been trying to get this image working and I've run into a snag. I want to use my own account internally so that the files created by the docker are owned and manageable by my user, so I've included the user directive in the docker-compose. However, I also need to use the APACHE_DISABLE_REWRITE_IP environment keyword to make the docker work in my network topology. I have found that when I use the user directive and the APACHE_DISABLE_REWRITE_IP=1 environment definition, the docker container fails to start, only reporting this log entry:

Could not remove /etc/apache2/conf-enabled/remoteip.conf: Permission denied
Could not remove /etc/apache2/conf-enabled/remoteip.conf: Permission denied
Could not remove /etc/apache2/conf-enabled/remoteip.conf: Permission denied
... and so on

Here is what my simplified docker-compose looks like:

version: '2.1'

services:
  app:
    hostname: nc_machine
    container_name: nextcloud
    image: nextcloud
    restart: unless-stopped
    sysctls:
      - net.ipv4.ip_unprivileged_port_start=0
    user: 1000:100
    ports:
      - 8081:80
    volumes:
      - /vol/nextcloud/www_html:/var/www/html
      - /vol/nextcloud/photos:/photos
    environment:
      - APACHE_DISABLE_REWRITE_IP=1
      - TRUSTED_PROXIES=192.168.10.6

If I comment out either the user: 1000:100 OR the - APACHE_DISABLE_REWRITE_IP=1, the docker container starts up fine.

I found some instances where people were using APACHE_RUN_USER and APACHE_RUN_GROUP but defining those didn't seem to help.

@Akruidenberg

Same problem for me. How to fix this problem with another user?

@ricardomga

@spikeygg @Akruidenberg Have you found a solution to this problem?

@spikeygg
Author

I have not. I think I ended up not using the APACHE_DISABLE_REWRITE_IP=1 option and figuring some other way around the problem. It's been so long that I forgot exactly what I did to work around this. :-/

@GoodiesHQ

I'm running into this exact problem. Any help would be much appreciated. I am ready to say screw the containers and just set up a full-on VM.

@SaswatPadhi

Same problem for me as well.

I ended up creating an empty remoteip.conf file and mounting it to the container:

nextcloud:
  ...
  environment:
    ...
    # Use the `remoteip.conf` workaround below instead
    #APACHE_DISABLE_REWRITE_IP: 1
  ...
  volumes:
  - ./remoteip.conf:/etc/apache2/conf-enabled/remoteip.conf:ro
  ...

Has the same effect as APACHE_DISABLE_REWRITE_IP: 1, as far as I can see, and doesn't generate any warnings or errors.

@joshtrichards
Member

I'm not really sure what we could do about this. That option obviously requires write access to the Apache config. There are always trade-offs with non-root containers. The only alternative I can think of is we make those files world writable, which just makes things less secure for everyone. This is the same as #763 and specifically #763 (comment)

I think the above workaround is a reasonable approach in this situation.

@joshtrichards joshtrichards added wontfix and removed bug labels Jun 19, 2024
@joshtrichards joshtrichards closed this as not planned Won't fix, can't repro, duplicate, stale Jun 20, 2024
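
The error reported in this issue is an unlink refused to a non-root UID. The following preflight check is an added example, not code from this thread or from the image: it reads mode bits to tell whether a given UID:GID could remove a path, which depends on write and search permission on the parent directory rather than on the file itself. The helper names `perm_digit` and `can_remove` are hypothetical; it assumes GNU `stat` and ignores ACLs, supplementary groups and capabilities.

```shell
#!/bin/sh
# Added example (not from the thread or the image): decide from mode bits
# whether UID:GID could unlink PATH. Unlinking needs write+search (w+x) on
# the parent directory; the file's own mode does not matter.
# Assumptions: GNU stat; ACLs, supplementary groups and capabilities ignored.
# perm_digit and can_remove are hypothetical helper names.

# perm_digit UID GID PATH -> prints the octal rwx digit that applies to UID:GID
perm_digit() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$3")   # uid gid owner group mode
    mode=$(printf '%04d' "$5")                     # pad, e.g. 755 -> 0755
    if   [ "$1" -eq "$3" ]; then printf '%s\n' "$mode" | cut -c2   # owner
    elif [ "$2" -eq "$4" ]; then printf '%s\n' "$mode" | cut -c3   # group
    else                         printf '%s\n' "$mode" | cut -c4   # other
    fi
}

# can_remove UID GID PATH -> exit status 0 if the unlink would be permitted
can_remove() {
    uid=$1 gid=$2 path=$3
    [ -e "$path" ] || [ -L "$path" ] || return 2   # nothing to remove
    if [ "$uid" -eq 0 ]; then return 0; fi          # root bypasses mode bits
    dir=$(dirname "$path")
    case $(perm_digit "$uid" "$gid" "$dir") in
        3|7) ;;                # directory grants both write (2) and search (1)
        *)   return 1 ;;
    esac
    # Sticky directory: only the owner of the entry or of the directory may unlink.
    special=$(printf '%04d' "$(stat -c '%a' "$dir")" | cut -c1)
    case $special in 1|3|5|7)
        [ "$uid" -eq "$(stat -c '%u' "$path")" ] ||
        [ "$uid" -eq "$(stat -c '%u' "$dir")" ] || return 1 ;;
    esac
    return 0
}

# Stand-alone use: sh check.sh 1000 100 /etc/apache2/conf-enabled/remoteip.conf
if [ "$#" -eq 3 ]; then
    if can_remove "$@"; then echo "unlink permitted"; else echo "unlink denied"; fi
fi
```

Run inside the container (for example through `docker exec` as root) it reports the result for the `user:` value from the compose file without having to restart the service under that UID.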

6 participants