From 48efe87d6f98b619dec49335fc728d041aab4951 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 30 Mar 2023 21:59:12 -0400 Subject: [PATCH 1/4] [IT-91] Switch to Mount Options Recommened by Azure for SMB - `file_mode=0660` prevents uploaded files from being executable. - `vers=3.1.1` uses the most optimal, modern protocol available. - `nosharesock` prevents a mount from being reused by multiple containers and avoids a bug in the SMB CSI driver that causes mounts to never be released (https://github.com/kubernetes-sigs/azurefile-csi-driver/issues/1137). - `cache=strict` ensures that SMB cache consistency rules are followed strictly. --- .../00-sample/configure-storage.nextcloud.yaml | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/overlays/00-sample/configure-storage.nextcloud.yaml b/overlays/00-sample/configure-storage.nextcloud.yaml index 27dadf2..16a3afd 100644 --- a/overlays/00-sample/configure-storage.nextcloud.yaml +++ b/overlays/00-sample/configure-storage.nextcloud.yaml @@ -51,8 +51,10 @@ spec: - uid=33 - gid=33 - dir_mode=0770 - - file_mode=0770 - - actimeo=2 + - file_mode=0660 + - vers=3.1.1 + - nosharesock + - cache=strict name: prefix: "pv-nextcloud-sample-" suffix: ~ @@ -124,8 +126,10 @@ spec: - uid=33 - gid=33 - dir_mode=0770 - - file_mode=0770 - - actimeo=2 + - file_mode=0660 + - vers=3.1.1 + - nosharesock + - cache=strict name: prefix: "pv-nextcloud-sample-" suffix: ~ @@ -201,8 +205,10 @@ spec: - uid=33 - gid=33 - dir_mode=0770 - - file_mode=0770 - - actimeo=2 + - file_mode=0660 + - vers=3.1.1 + - nosharesock + - cache=strict name: prefix: "pv-nextcloud-sample-" suffix: ~ From 30a3e93bdeaddcbe16607a22d9237095633c384c Mon Sep 17 00:00:00 2001 
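Review bot: `file_mode=0660` only sets the mode bits the SMB client reports, so in the option list of the hunk at -51 (and the identical hunks at -124 and -201) nothing yet stops execution at the mount level; I would add `- noexec`, `- nosuid` and `- nodev` next to it so the kernel enforces what the commit message promises. Clearing the execute bit also does not keep an interpreter from running a script it can read, so the web server's handling of the upload paths remains the real control for PHP files. PHP only needs read access to its own sources, so these options should not affect Nextcloud, though that is inferred and worth confirming on one volume first. The same list is now maintained in three places; a comment above each such as `# keep in sync with the other pv-nextcloud-sample volumes` would reduce drift. The enclosing `spec:` blocks start and end outside the hunks.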
From: Guy Elsmore-Paddock
Date: Thu, 30 Mar 2023 22:22:01 -0400
Subject: [PATCH 2/4] [IT-91] QF: Disable Use of `flock()` for SMB-mounted Configs
After upgrading to K8s 1.25.x, Nextcloud is suddenly sporadically failing to acquire locks on config files. As a quick fix, this patch disables file locking for config files until we can get to a root cause.
---
.../config-disable-flock.patch | 90 +++++++++++++++++++
1 file changed, 90 insertions(+)
create mode 100644 docker/nextcloud-common/bundled-patches/config-disable-flock.patch
diff --git a/docker/nextcloud-common/bundled-patches/config-disable-flock.patch b/docker/nextcloud-common/bundled-patches/config-disable-flock.patch
new file mode 100644
index 0000000..cb84328
--- /dev/null
+++ b/docker/nextcloud-common/bundled-patches/config-disable-flock.patch
@@ -0,0 +1,90 @@
+From c2ac41b7911a75c7b46eddad48e083a31d176281 Mon Sep 17 00:00:00 2001
+From: Guy Elsmore-Paddock
+Date: Thu, 30 Mar 2023 11:01:59 -0400
+Subject: [PATCH] [IT-91] QF: Disable `flock()` on Config Files
+
+After upgrading to K8s from `1.23.9` to `1.25.5` and the SMB CSI driver
+from `1.9.0` to `1.10.0`, `flock()` appears to be causing this error on
+cron runs and on any Nextcloud pod other than the first one that
+launches:
+
+```
+Uncaught Error: Call to a member function getLogger() on null in /var/www/html/index.php:71
+```
+
+Caused by:
+```
+Exception: Could not acquire a shared lock on the config file /var/www/html/config/apcu.config.php in /var/www/html/lib/private/Config.php:216
+```
+
+File locking on config files was added in 2014 and was recently removed
+and then re-added in Nextcloud so I doubt a change in Nextcloud caused
+this issue to appear.
+---
+ lib/private/Config.php | 28 ++++++++++++++++++++--------
+ 1 file changed, 20 insertions(+), 8 deletions(-)
+
+diff --git a/lib/private/Config.php b/lib/private/Config.php
+index 0e3a9b22a7..e1420d55b5 100644
+--- a/lib/private/Config.php
++++ b/lib/private/Config.php
+@@ -224,10 +224,13 @@ class Config {
+ continue;
+ }
+
++ // GAP on 2023-03-30: File locking does not appear to work reliably on
++ // SMB-mounted volumes in AKS.
++ //
+ // Try to acquire a file lock
+- if (!flock($filePointer, LOCK_SH)) {
+- throw new \Exception(sprintf('Could not acquire a shared lock on the config file %s', $file));
+- }
++ //if (!flock($filePointer, LOCK_SH)) {
++ // throw new \Exception(sprintf('Could not acquire a shared lock on the config file %s', $file));
++ //}
+
+ unset($CONFIG);
+ include $file;
+@@ -235,8 +238,11 @@ class Config {
+ $this->cache = array_merge($this->cache, $CONFIG);
+ }
+
++ // GAP on 2023-03-30: File locking does not appear to work reliably on
++ // SMB-mounted volumes in AKS.
++ //
+ // Close the file pointer and release the lock
+- flock($filePointer, LOCK_UN);
++ //flock($filePointer, LOCK_UN);
+ fclose($filePointer);
+ }
+
+@@ -277,16 +283,22 @@ class Config {
+ 'This can usually be fixed by giving the webserver write access to the config directory.');
+ }
+
++ // GAP on 2023-03-30: File locking does not appear to work reliably on
++ // SMB-mounted volumes in AKS.
++ //
+ // Try to acquire a file lock
+- if (!flock($filePointer, LOCK_EX)) {
+- throw new \Exception(sprintf('Could not acquire an exclusive lock on the config file %s', $this->configFilePath));
+- }
++ //if (!flock($filePointer, LOCK_EX)) {
++ // throw new \Exception(sprintf('Could not acquire an exclusive lock on the config file %s', $this->configFilePath));
++ //}
+
++ // GAP on 2023-03-30: File locking does not appear to work reliably on
++ // SMB-mounted volumes in AKS.
++ //
+ // Write the config and release the lock
+ ftruncate($filePointer, 0);
+ fwrite($filePointer, $content);
+ fflush($filePointer);
+- flock($filePointer, LOCK_UN);
++ //flock($filePointer, LOCK_UN);
+ fclose($filePointer);
+
+ if (function_exists('opcache_invalidate')) {
+--
+2.40.0.windows.1
+
From 79f6b482f6c5d1b48fbb0a6034722dca7feff953 Mon Sep 17 00:00:00 2001
From: Guy Elsmore-Paddock
Date: Thu, 30 Mar 2023 22:25:13 -0400
Subject: [PATCH 3/4] Update to NR Agent `10.8.0.323`
---
overlays/00-sample/publish.profile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/overlays/00-sample/publish.profile b/overlays/00-sample/publish.profile
index 9d270e3..6d42d15 100644
--- a/overlays/00-sample/publish.profile
+++ b/overlays/00-sample/publish.profile
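Review bot: Commenting out the `LOCK_EX` acquisition in the hunk at -277 leaves `ftruncate($filePointer, 0)` and `fwrite()` unguarded, so a pod in the read path (hunk at -224, `include $file`) can load an empty or half-written config; the commit message says the failure shows up on every pod but the first, so concurrent access is the normal case here. Depending on how Nextcloud treats a missing `$CONFIG`, that may range from a failed request to the instance behaving as though it were not yet set up, which is worth treating as a security-relevant state. While locking stays off, I would stop truncating the live file and instead stage the content in a sibling file and `rename()` it into place, as sketched below; whether rename is atomic on this SMB mount needs checking. Both functions start and end outside the hunks, so the `fopen()` and access checks above are assumed unchanged. The disabled calls would also be easier to restore behind a switch than as commented-out code.

```php
// … unchanged: fopen() of the config file and the write-access check …

// flock() is disabled on SMB, so never truncate the live file: a reader
// could include it while it is empty. Stage the new content next to it
// and swap it in with one rename(). The staged name must not end in
// ".config.php" so the config loader does not pick it up.
fclose($filePointer);
$stagedPath = $this->configFilePath . '.' . bin2hex(random_bytes(8)) . '.staged';
if (file_put_contents($stagedPath, $content) === false) {
    throw new \Exception(sprintf('Could not stage the config file %s', $stagedPath));
}
if (!rename($stagedPath, $this->configFilePath)) {
    unlink($stagedPath);
    throw new \Exception(sprintf('Could not replace the config file %s', $this->configFilePath));
}

// … unchanged: opcache_invalidate() call …
```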
@@ -70,7 +70,7 @@ NEW_RELIC_KEY="" # # Leave blank if you do not use New Relic monitoring. # -NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.2.0.314-linux.tar.gz" +NEW_RELIC_AGENT_URL="https://download.newrelic.com/php_agent/release/newrelic-php5-10.8.0.323-linux.tar.gz" ## # The name by which you would like Nextcloud to identify itself in New Relic. From 71b9cca68d1813bbc3bb2304652f6dd4f97a9883 Mon Sep 17 00:00:00 2001 From: Guy Elsmore-Paddock Date: Thu, 30 Mar 2023 23:03:00 -0400 Subject: [PATCH 4/4] [10.2.1] Bump Version to `10.2.1` in Sample --- overlays/00-sample/kustomization.yaml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/overlays/00-sample/kustomization.yaml b/overlays/00-sample/kustomization.yaml index 4938e4d..a40f905 100644 --- a/overlays/00-sample/kustomization.yaml +++ b/overlays/00-sample/kustomization.yaml @@ -6,7 +6,7 @@ # folder and customize manifests in each one to match your environments. # # @author Guy Elsmore-Paddock (guy@inveniem.com) -# @copyright Copyright (c) 2022, Inveniem +# @copyright Copyright (c) 2022-2023, Inveniem # @license GNU AGPL version 3 or any later version # apiVersion: kustomize.config.k8s.io/v1beta1 @@ -96,20 +96,20 @@ images: - name: inveniem/nextcloud-cron newName: your-acr-instance.azurecr.io/inveniem/nextcloud-cron - newTag: 10.2.0 + newTag: 10.2.1 - name: inveniem/nextcloud-apache newName: your-acr-instance.azurecr.io/inveniem/nextcloud-apache - newTag: 10.2.0 + newTag: 10.2.1 - name: inveniem/nextcloud-fpm newName: your-acr-instance.azurecr.io/inveniem/nextcloud-fpm - newTag: 10.2.0 + newTag: 10.2.1 - name: inveniem/nextcloud-nginx-middleware newName: your-acr-instance.azurecr.io/inveniem/nextcloud-nginx-middleware - newTag: 10.2.0 + newTag: 10.2.1 - name: inveniem/sftp-ws-server newName: your-acr-instance.azurecr.io/inveniem/sftp-ws-server - newTag: 10.2.0 + newTag: 10.2.1