Please note: Due to a bug in Collabora is the Collabora container currently in rootless mode not working. See CollaboraOnline/online#2800. In that case, you need to run a separate Collabora instance on your own if you want to use this feature. The following flag will be useful https://github.com/nextcloud/all-in-one#how-to-keep-disabled-apps.
You can run AIO with docker rootless by following the steps below.
-
If docker is already installed, you should consider disabling it first: (
sudo systemctl disable --now docker.service docker.socket
) -
Install docker rootless by following the official documentation: https://docs.docker.com/engine/security/rootless/#install. The easiest way is installing it Without packages (
curl -fsSL https://get.docker.com/rootless | sh
). Further limitations, distribution specific hints, etc. are discussed on the same site. Also do not forget to enable the systemd service, which may not be enabled always by default. See https://docs.docker.com/engine/security/rootless/#usage. (systemctl --user enable docker
) -
If you need ipv6 support, you should enable it by following https://github.com/nextcloud/all-in-one/blob/main/docker-ipv6-support.md.
-
Do not forget to set the mentioned environmental variables
PATH
andDOCKER_HOST
and in best case add them to your~/.bashrc
file as shown! -
Also do not forget to run
loginctl enable-linger USERNAME
(and substitute USERNAME with the correct one) in order to make sure that user services are automatically started after every reboot. -
Expose the privileged ports by following https://docs.docker.com/engine/security/rootless/#exposing-privileged-ports. (
sudo setcap cap_net_bind_service=ep $(which rootlesskit); systemctl --user restart docker
) -
Use the official AIO startup command but use
--volume $XDG_RUNTIME_DIR/docker.sock:/var/run/docker.sock:ro
instead of--volume /var/run/docker.sock:/var/run/docker.sock:ro
and also add--env WATCHTOWER_DOCKER_SOCKET_PATH=$XDG_RUNTIME_DIR/docker.sock
to the initial container startup (which is needed for mastercontainer updates to work correctly). When you are using Portainer to deploy AIO, the variable$XDG_RUNTIME_DIR
is not available. In this case, it is necessary to manually add the path (e.g./run/user/1000/docker.sock
) to the Docker compose file to replace the$XDG_RUNTIME_DIR
variable. If you are not sure how to get the path, you can run on the host:echo $XDG_RUNTIME_DIR
. -
Now everything should work like without docker rootless. You can consider using docker-compose for this or running it behind a reverse proxy. Basically the only thing that needs to be adjusted always in the startup command or compose.yaml file (after installing docker rootles) are things that are mentioned in point 3.
Please note: All files outside the containers get created, written to and accessed as the user that is running the docker daemon or a subuid of it. So for the built-in backup to work you need to allow this user to write to the target directory. E.g. with sudo chown -R USERNAME:GROUPNAME /mnt/backup
. The same applies when changing Nextcloud's datadir. E.g. sudo chown -R USERNAME:GROUPNAME /mnt/ncdata
. When you want to use the NEXTCLOUD_MOUNT option for local external storage, you need to adjust the permissions of the chosen folders to be accessible/writeable by the userid 100032:100032
(if running grep ^$(whoami): /etc/subuid
as the user that is running the docker daemon returns 100000 as first value).
sudo docker ...
. Since sudo
is not needed in case of docker rootless, you simply remove sudo
from the commands and they should work.