@ -1,31 +1,282 @@
#!/bin/sh
set -eu
# version_greater A B returns whether A > B
###############################################################################
# Entrypoint script for Nextcloud Docker container
###############################################################################
#
# Handles container-specific operations such as initialization, automatic configuration,
# user/group ID management, and setup checks. Also runs Nextcloud Server’
# installation and upgrade routines in a way that fits the container environment.
#
# Supports environment-based configuration injection at install time for all key
# parameters (see README for details). After installation, allows reconfiguration
# of select parameters via environment variables - except NEXTCLOUD_TRUSTED_DOMAINS
# and those set by the Nextcloud installer.
#
# See README.md for more details and usage examples:
# https://github.com/nextcloud/docker?tab=readme-ov-file
#
# REMINDER (to modifiers/contributors): This script must work with non-interactive,
# POSIX-compliant shells used in our images. Do not use Bash-specific syntax ("bashisms"):
# /bin/sh is always either 'ash' (BusyBox) or 'dash' (Debian), not Bash. Stick to standard
# POSIX shell features. Resources for writing portable shell scripts:
# - checkbashisms (Alpine: checkbashisms; Debian: devscripts)
# - https://mywiki.wooledge.org/Bashism
# - https://www.shellcheck.net/
# Same also applies to any commands called too (e.g., GNU find versus Busybox find).
###############################################################################
# Supported Environment Variables
#
# NEXTCLOUD_ADMIN_USER - Username for initial admin account (install only)
# NEXTCLOUD_ADMIN_PASSWORD - Password for initial admin account (install only)
# NEXTCLOUD_TRUSTED_DOMAINS - Space-separated list of trusted domains
# NEXTCLOUD_DATA_DIR - Path to Nextcloud data directory
# MYSQL_DATABASE, MYSQL_USER, MYSQL_PASSWORD, MYSQL_HOST
# POSTGRES_DB, POSTGRES_USER, POSTGRES_PASSWORD, POSTGRES_HOST
# SQLITE_DATABASE
# REDIS_HOST, REDIS_HOST_USER, REDIS_HOST_PASSWORD, REDIS_HOST_PORT
# APACHE_RUN_USER, APACHE_RUN_GROUP
# APACHE_DISABLE_REWRITE_IP - If present, disables Apache remoteip module
# NEXTCLOUD_UPDATE - If set (e.g., to 1), forces update logic
# NEXTCLOUD_INIT_HTACCESS - If set, runs htaccess maintenance after upgrade
# *_FILE variants for secrets - For sensitive values, use *_FILE pattern with Docker secrets
###############################################################################
###############################################################################
# Utility Functions
###############################################################################
# The entrypoint command's first argument
ENTRYPOINT_ARGV1 = " ${ 1 :- } "
# OCC
# Command for running `occ`
OCC = "php /var/www/html/occ"
###############################################################################
# version_greater
# Compare two version strings (A and B).
# Arguments:
# $1: Version string A
# $2: Version string B
# Returns: 0 (true) if version A is greater than B; 1 (false) otherwise.
###############################################################################
version_greater( ) {
[ " $( printf '%s\n' " $@ " | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1) " != " $1 " ]
}
# return true if specified directory is empty
###############################################################################
# version_greater_major
# Compare major version numbers of two version strings.
# Arguments:
# $1: Version string A (e.g., "18.0.4")
# $2: Version string B (e.g., "16.0.7")
# $3: Delta (e.g., 1 for "at most one major ahead")
# Returns: 0 (true) if major version of A > major version of B + delta; 1 (false) otherwise.
###############################################################################
version_greater_major( ) {
major_a = " ${ 1 %%.* } "
major_b = " ${ 2 %%.* } "
delta = " ${ 3 :- 0 } "
[ " $major_a " -gt " $(( major_b + delta)) " ]
}
###############################################################################
# directory_empty
# Check if a directory is empty.
# Arguments:
# $1: Directory path.
# Returns: 0 (true) if directory is empty; 1 (false) otherwise.
###############################################################################
directory_empty( ) {
[ -z " $( ls -A " $1 / " ) " ]
}
###############################################################################
# is_root
# Check if the current process is running as root.
# Arguments: none (uses $uid global).
# Returns: 0 (true) if running as root (UID 0), 1 (false) otherwise.
###############################################################################
is_root( ) {
[ " $uid " -eq 0 ]
}
###############################################################################
# is_apache
# Check if the script's first argument indicates Apache.
# Arguments: none (uses ENTRYPOINT_ARGV1).
# Returns: 0 (true) if $1 matches "apache" or starts with "apache2", 1 (false) otherwise.
###############################################################################
is_apache( ) {
case " $ENTRYPOINT_ARGV1 " in
apache| apache2*)
return 0
; ;
*)
return 1
; ;
esac
}
###############################################################################
# is_php_fpm
# Check if the script's first argument indicates PHP-FPM.
# Arguments: none (uses ENTRYPOINT_ARGV1).
# Returns: 0 (true) if $1 starts with "php-fpm", 1 (false) otherwise.
###############################################################################
is_php_fpm( ) {
case " $ENTRYPOINT_ARGV1 " in
php-fpm*)
return 0
; ;
*)
return 1
; ;
esac
}
###############################################################################
# set_user_group
# Sets global $user and $group variables according to the entrypoint command and UID/GID context.
# Arguments: none. Uses is_root, is_apache, is_php_fpm, $APACHE_RUN_USER, $APACHE_RUN_GROUP, $uid, $gid.
# Sets: $user, $group, $uid, $gid.
###############################################################################
set_user_group( ) {
user = 'www-data'
group = 'www-data'
uid = " $( id -u) "
gid = " $( id -g) "
if is_root; then
if is_apache; then
user = " ${ APACHE_RUN_USER :- www -data } "
group = " ${ APACHE_RUN_GROUP :- www -data } "
# Apache config may specify user/group as "#1000", so remove leading '#' if present
user = " ${ user # '#' } "
group = " ${ group # '#' } "
elif is_php_fpm; then
user = 'www-data'
group = 'www-data'
fi
else
user = " $uid "
group = " $gid "
fi
}
###############################################################################
# configure_redis_session_handler
# Configures PHP sessions to use Redis if REDIS_HOST is set.
# Arguments: none. Uses env vars.
###############################################################################
configure_redis_session_handler( ) {
if [ -n " ${ REDIS_HOST +x } " ] ; then
echo "Configuring Redis as session handler"
file_env REDIS_HOST_PASSWORD
# Determine the prefix for REDIS_HOST to decide between Unix socket and TCP connection
first_char = $( printf '%s' " $REDIS_HOST " | cut -c1-1)
if [ " $first_char " = "/" ] ; then
# Using Unix socket for Redis connection
if [ -n " ${ REDIS_HOST_PASSWORD +x } " ] ; then
if [ -n " ${ REDIS_HOST_USER +x } " ] ; then
redis_save_path = " unix:// ${ REDIS_HOST } ?auth[]= ${ REDIS_HOST_USER } &auth[]= ${ REDIS_HOST_PASSWORD } "
else
redis_save_path = " unix:// ${ REDIS_HOST } ?auth= ${ REDIS_HOST_PASSWORD } "
fi
else
redis_save_path = " unix:// ${ REDIS_HOST } "
fi
elif [ -n " ${ REDIS_HOST_PASSWORD +x } " ] ; then
# Using TCP connection with password
if [ -n " ${ REDIS_HOST_USER +x } " ] ; then
redis_save_path = " tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } ?auth[]= ${ REDIS_HOST_USER } &auth[]= ${ REDIS_HOST_PASSWORD } "
else
redis_save_path = " tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } ?auth= ${ REDIS_HOST_PASSWORD } "
fi
else
# Using TCP connection without password
redis_save_path = " tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } "
fi
# Write the configuration file using a heredoc.
cat > /usr/local/etc/php/conf.d/redis-session.ini <<EOF
session.save_handler = redis
session.save_path = " ${ redis_save_path } "
redis.session.locking_enabled = 1
redis.session.lock_retries = -1
# redis.session.lock_wait_time is specified in microseconds.
# Wait 10ms before retrying the lock rather than the default 2ms.
redis.session.lock_wait_time = 10000
EOF
fi
}
###############################################################################
# get_nextcloud_versions
# Sets installed_version and image_version variables.
# - installed_version: detected from /var/www/html/version.php or set to 0.0.0.0 if not present
# - image_version: detected from /usr/src/nextcloud/version.php
# Arguments: none
# Globals set: installed_version, image_version
###############################################################################
get_nextcloud_versions( ) {
# Default value used to indicate a new install
installed_version = "0.0.0.0"
if [ -f /var/www/html/version.php ] ; then
# TODO: Improve error handling in case of syntax errors/missing $OC_Version/etc
# shellcheck disable=SC2016
installed_version = " $( php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);' ) "
fi
# TODO: Improve error handling here too (though far less likely to fail)
# shellcheck disable=SC2016
image_version = " $( php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);' ) "
}
###############################################################################
# is_installed
# Returns 0 (true) if Nextcloud is installed (installed_version is not 0.0.0.0), else 1 (false)
# Arguments: none. Uses global $installed_version.
###############################################################################
is_installed( ) {
[ " $installed_version " != "0.0.0.0" ]
}
###############################################################################
# run_as
# Run a command as the specified user if running as root, otherwise as current user.
# Arguments:
# $1: Command string to execute.
# Globals:
# user - Username to switch to (when running as root).
# Returns: the exit code of the executed command.
###############################################################################
run_as( ) {
if [ " $( id -u) " = 0 ] ; then
if is_root ; then
su -p " $user " -s /bin/sh -c " $1 "
else
sh -c " $1 "
fi
}
# Execute all executable files in a given directory in alphanumeric order
###############################################################################
# run_path
# Execute all executable .sh files in the specified hook folder, in alphanumeric order.
# Arguments:
# $1: Name of the hook folder inside /docker-entrypoint-hooks.d/
# Returns: 0 on success; exits the script on any hook failure.
###############################################################################
run_path( ) {
local hook_folder_path = " /docker-entrypoint-hooks.d/ $1 "
local return_code = 0
local found = 0
hook_folder_path = " /docker-entrypoint-hooks.d/ $1 "
return_code = 0
found = 0
echo " => Searching for hook scripts (*.sh) to run, located in the folder \" ${ hook_folder_path } \" "
echo " => Searching for hook scripts (*.sh) to run in \"${ hook_folder_path } \" "
if ! [ -d " ${ hook_folder_path } " ] || directory_empty " ${ hook_folder_path } " ; then
echo " ==> Skipped: the \" $1 \" folder is empty (or does not exist) "
@ -35,40 +286,46 @@ run_path() {
find " ${ hook_folder_path } " -maxdepth 1 -iname '*.sh' '(' -type f -o -type l ')' -print | sort | (
while read -r script_file_path; do
if ! [ -x " ${ script_file_path } " ] ; then
echo " ==> The script \" ${ script_file_path } \" was skipped , because it lacks the executable flag"
echo " ==> The script \" ${ script_file_path } \" was skipped : lacks exec flag"
found = $(( found-1))
continue
fi
echo " ==> Running the script (cwd: $( pwd ) ): \" ${ script_file_path } \" "
echo " ==> Running script (cwd: $( pwd ) ): \" ${ script_file_path } \" "
found = $(( found+1))
run_as " ${ script_file_path } " || return_code = " $? "
if [ " ${ return_code } " -ne "0" ] ; then
echo " ==> Failed at executing script \"${ script_file_path } \". Exit code: ${ return_code } "
echo " ==> Failed executing \"${ script_file_path } \". Exit code: ${ return_code } "
exit 1
fi
echo " ==> Finished executing the script : \"${ script_file_path } \" "
echo " ==> Finished executing : \"${ script_file_path } \" "
done
if [ " $found " -lt "1" ] ; then
echo " ==> Skipped: the \" $1 \" folder does not contain any valid scripts"
echo " ==> Skipped: the \" $1 \" folder contains no valid scripts"
else
echo " => Completed executing scripts in the \"$1 \" folder "
echo " => Completed executing scripts in \"$1 \" "
fi
)
}
# usage: file_env VAR [DEFAULT]
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
###############################################################################
# file_env
# Load an environment variable from a file if available (supporting Docker secrets).
# Arguments:
# $1: Name of the environment variable.
# $2: (Optional) Default value if not set.
# Returns: Sets the environment variable named by $1.
# Supports Docker secrets by allowing *_FILE environment variables for sensitive values.
###############################################################################
file_env( ) {
local var = " $1 "
local fileVar = " ${ var } _FILE "
local def = " ${ 2 :- } "
local varValue = $( env | grep -E " ^ ${ var } = " | sed -E -e " s/^ ${ var } =// " )
local fileVarValue = $( env | grep -E " ^ ${ fileVar } = " | sed -E -e " s/^ ${ fileVar } =// " )
var = " $1 "
fileVar = " ${ var } _FILE "
def = " ${ 2 :- } "
varValue = $( env | grep -E " ^ ${ var } = " | sed -E -e " s/^ ${ var } =// " )
fileVarValue = $( env | grep -E " ^ ${ fileVar } = " | sed -E -e " s/^ ${ fileVar } =// " )
if [ -n " ${ varValue } " ] && [ -n " ${ fileVarValue } " ] ; then
echo >& 2 " error: both $var and $fileVar are set (but are exclusive) "
exit 1
@ -83,204 +340,408 @@ file_env() {
unset " $fileVar "
}
if expr " $1 " : "apache" 1>/dev/null; then
if [ -n " ${ APACHE_DISABLE_REWRITE_IP +x } " ] ; then
a2disconf remoteip
###############################################################################
# rsync
# Helper to invoke rsync with the appropriate options depending on user/group.
# Arguments:
# $@ - Additional rsync arguments and paths.
# Globals:
# user - Username to use for chown (when running as root).
# Returns: the exit code of the rsync command.
#
# Handles:
# - SC2086 and word-splitting safely
# - DRY invocation of rsync for all sync operations
###############################################################################
rsync( ) {
if is_root; then
set -- -rlDog --chown " $user : $group " " $@ "
else
set -- -rlD " $@ "
fi
command rsync " $@ "
}
###############################################################################
# copy_if_missing_or_empty
# Copy a directory from source to destination if missing or empty.
# Arguments:
# $1: Directory name
# $2: Source base path
# $3: Destination base path
# We only copy these directories if they're missing or empty, to avoid overwriting
# user data. This is especially important for config and data directories.
###############################################################################
copy_if_missing_or_empty( ) {
dir = " $1 "
src = " $2 "
dest = " $3 "
if [ ! -d " $dest / $dir " ] || directory_empty " $dest / $dir " ; then
rsync --include " / $dir / " --exclude '/*' " $src / " " $dest / "
fi
}
###############################################################################
# set_trusted_domains
# Configure Nextcloud trusted domains from environment variable.
# Arguments: none (uses NEXTCLOUD_TRUSTED_DOMAINS global)
# Trusted domains are set during installation. Changing them after install may break existing clients.
###############################################################################
set_trusted_domains( ) {
if [ -n " ${ NEXTCLOUD_TRUSTED_DOMAINS +x } " ] ; then
# turn off glob
set -f
NC_TRUSTED_DOMAIN_IDX = 1
for DOMAIN in ${ NEXTCLOUD_TRUSTED_DOMAINS } ; do
DOMAIN = $( echo " ${ DOMAIN } " | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' )
run_as \
" $OCC config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\" ${ DOMAIN } \" "
NC_TRUSTED_DOMAIN_IDX = $(( NC_TRUSTED_DOMAIN_IDX+1))
done
# turn glob back on
set +f
fi
}
###############################################################################
# show_disabled_apps
# Display apps disabled after upgrade.
# Arguments: none (uses /tmp/list_before and /tmp/list_after)
###############################################################################
show_disabled_apps( ) {
echo "The following apps have been disabled:"
diff /tmp/list_before /tmp/list_after \
| grep '<' | cut -d- -f2 | cut -d: -f1
rm -f /tmp/list_before /tmp/list_after
}
###############################################################################
# warn_config_diffs
# Warn if config files in persistent storage differ from image defaults.
# Arguments: none.
###############################################################################
warn_config_diffs( ) {
for cfgPath in /usr/src/nextcloud/config/*.php; do
cfgFile = $( basename " $cfgPath " )
if [ " $cfgFile " != "config.sample.php" ] \
&& [ " $cfgFile " != "autoconfig.php" ] ; then
if ! cmp -s " /usr/src/nextcloud/config/ $cfgFile " " /var/www/html/config/ $cfgFile " ; then
echo " Warning: /var/www/html/config/ $cfgFile differs from the image default at "
echo " /usr/src/nextcloud/config/ $cfgFile "
fi
fi
done
}
###############################################################################
# assemble_db_install_options
# Sets database related install_options for the Nextcloud installer, and set trigger_installer flag if config is sufficient.
# Arguments: none (uses env vars)
# Sets: install_options (global), trigger_installer (global)
# TODO: More properly handle arguments/splitting (will require some refactoring elsewhere including run_as/run_as calls)
# TODO: Switch to using more proper `=` instead of whitespace between long options and their respective values
###############################################################################
assemble_db_install_options( ) {
# Handle database configuration (if specified)
file_env MYSQL_DATABASE
file_env MYSQL_PASSWORD
file_env MYSQL_USER
file_env POSTGRES_DB
file_env POSTGRES_PASSWORD
file_env POSTGRES_USER
if [ -n " ${ SQLITE_DATABASE +x } " ] ; then
echo "Installing with SQLite database"
install_options = " $install_options \
--database-name \" $SQLITE_DATABASE \" "
# We have enough for the automated installer; indicate we can bypass the Installation Wizard
trigger_installer = true
elif [ -n " ${ MYSQL_DATABASE +x } " ] && [ -n " ${ MYSQL_USER +x } " ] && [ -n " ${ MYSQL_PASSWORD +x } " ] && [ -n " ${ MYSQL_HOST +x } " ] ; then
echo "Installing with MySQL database"
install_options = " $install_options \
--database mysql \
--database-name \" $MYSQL_DATABASE \" \
--database-user \" $MYSQL_USER \" \
--database-pass \" $MYSQL_PASSWORD \" \
--database-host \" $MYSQL_HOST \" "
# We have enough for the automated installer; indicate we can bypass the Installation Wizard
trigger_installer = true
elif [ -n " ${ POSTGRES_DB +x } " ] && [ -n " ${ POSTGRES_USER +x } " ] && [ -n " ${ POSTGRES_PASSWORD +x } " ] && [ -n " ${ POSTGRES_HOST +x } " ] ; then
echo "Installing with PostgreSQL database"
install_options = " $install_options \
--database pgsql \
--database-name \" $POSTGRES_DB \" \
--database-user \" $POSTGRES_USER \" \
--database-pass \" $POSTGRES_PASSWORD \" \
--database-host \" $POSTGRES_HOST \" "
# We have enough for the automated installer; indicate we can bypass the Installation Wizard
trigger_installer = true
fi
}
###############################################################################
# run_nextcloud_installer
# Runs the Nextcloud command-line installer with retry logic for DB startup delays.
# Arguments:
# $1: install options string (quoted)
# Globals:
# OCC, user
###############################################################################
run_nextcloud_installer( ) {
echo "Starting nextcloud installation"
# Retry Nextcloud installation up to 10 times to handle possible database startup delays
# TODO:
# - Handle this better somehow and/or handle upstream.
# - Confirm these retries are still even needed.
max_retries = 10
try = 0
until [ " $try " -gt " $max_retries " ] || run_as \
" $OCC maintenance:install $1 "
do
echo "Retrying install..."
try = $(( try+1))
sleep 10s
done
if [ " $try " -gt " $max_retries " ] ; then
echo "Installation of nextcloud failed!"
exit 1
fi
}
###############################################################################
# Main Entrypoint Logic
###############################################################################
# Permit disabling of the Apache remoteip configuration.
if is_apache && [ -n " ${ APACHE_DISABLE_REWRITE_IP +x } " ] ; then
echo "Disabling Apache IP rewrite (APACHE_DISABLE_REWRITE=1 specified)"
echo "See https://github.com/nextcloud/docker?tab=readme-ov-file#using-the-image-behind-a-reverse-proxy-and-specifying-the-server-host-and-protocol"
a2disconf remoteip
fi
if expr " $1 " : "apache" 1>/dev/null || [ " $1 " = "php-fpm" ] || [ " ${ NEXTCLOUD_UPDATE :- 0 } " -eq 1 ] ; then
uid = " $( id -u) "
gid = " $( id -g) "
if [ " $uid " = '0' ] ; then
case " $1 " in
apache2*)
user = " ${ APACHE_RUN_USER :- www -data } "
group = " ${ APACHE_RUN_GROUP :- www -data } "
# Warn if default entrypoint cmd parameter was overriden since it disables upgrades
# TODO: This belongs above the prior block, but this avoids a possible BC (though unlikely).
if ! is_apache && ! is_php_fpm && [ " ${ NEXTCLOUD_UPDATE :- 0 } " -eq 0 ] ; then
echo "NOTICE: Skipping upgrades and installation because default command overridden and NEXTCLOUD_UPDATE is not set to 1."
echo "See https://github.com/nextcloud/docker/?tab=readme-ov-file#image-specific"
fi
# strip off any '#' symbol ('#1000' is valid syntax for Apache)
user = " ${ user # '#' } "
group = " ${ group # '#' } "
; ;
*) # php-fpm
user = 'www-data'
group = 'www-data'
; ;
esac
else
user = " $uid "
group = " $gid "
fi
# As long as we're running normally (or NEXTCLOUD_UPDATE was specified), proceed as normal
if is_apache || is_php_fpm || [ " ${ NEXTCLOUD_UPDATE :- 0 } " -eq 1 ] ; then
if [ -n " ${ REDIS_HOST +x } " ] ; then
# Populate global $user / $group / $uid / $gid variables according to the entrypoint command and UID/GID context.
set_user_group
# Configure PHP sessions to use Redis if configured
configure_redis_session_handler
echo "Configuring Redis as session handler"
{
file_env REDIS_HOST_PASSWORD
echo 'session.save_handler = redis'
# check if redis host is an unix socket path
if [ " $( echo " $REDIS_HOST " | cut -c1-1) " = "/" ] ; then
if [ -n " ${ REDIS_HOST_PASSWORD +x } " ] ; then
if [ -n " ${ REDIS_HOST_USER +x } " ] ; then
echo " session.save_path = \"unix:// ${ REDIS_HOST } ?auth[]= ${ REDIS_HOST_USER } &auth[]= ${ REDIS_HOST_PASSWORD } \" "
else
echo " session.save_path = \"unix:// ${ REDIS_HOST } ?auth= ${ REDIS_HOST_PASSWORD } \" "
fi
else
echo " session.save_path = \"unix:// ${ REDIS_HOST } \" "
fi
# check if redis password has been set
elif [ -n " ${ REDIS_HOST_PASSWORD +x } " ] ; then
if [ -n " ${ REDIS_HOST_USER +x } " ] ; then
echo " session.save_path = \"tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } ?auth[]= ${ REDIS_HOST_USER } &auth[]= ${ REDIS_HOST_PASSWORD } \" "
else
echo " session.save_path = \"tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } ?auth= ${ REDIS_HOST_PASSWORD } \" "
fi
else
echo " session.save_path = \"tcp:// ${ REDIS_HOST } : ${ REDIS_HOST_PORT : =6379 } \" "
fi
echo "redis.session.locking_enabled = 1"
echo "redis.session.lock_retries = -1"
# redis.session.lock_wait_time is specified in microseconds.
# Wait 10ms before retrying the lock rather than the default 2ms.
echo "redis.session.lock_wait_time = 10000"
} > /usr/local/etc/php/conf.d/redis-session.ini
fi
# If another process is syncing the html folder, wait for
# it to be done, then escape initalization.
# Guard against starting if another instance is running and already upgrading/initializing Nextcloud
# - This may happen in Kubernetes or other orchestrated environments with parallel startup.
(
# Use flock to prevent concurrent initialization.
if ! flock -n 9; then
# If we couldn't get it immediately, show a message, then wait for real
echo "Another process is initializing Nextcloud. Waiting..."
flock 9
fi
installed_version = "0.0.0.0"
if [ -f /var/www/html/version.php ] ; then
# shellcheck disable=SC2016
installed_version = " $( php -r 'require "/var/www/html/version.php"; echo implode(".", $OC_Version);' ) "
fi
# shellcheck disable=SC2016
image_version = " $( php -r 'require "/usr/src/nextcloud/version.php"; echo implode(".", $OC_Version);' ) "
# Get Nextcloud versions (installed and image)
get_nextcloud_versions
if version_greater " $installed_version " " $image_version " ; then
echo " Can't start Nextcloud because the version of the data ( $installed_version ) is higher than the docker image version ( $image_version ) and downgrading is not supported. Are you sure you have pulled the newest image version? "
# Guard against Downgrading.
# - Prevent container startup if persisted code version is newer than image version.
# - This indicates a downgrade attempt, which is not supported by image / Nextcloud.
if is_installed && version_greater " $installed_version " " $image_version " ; then
echo " Can't start Nextcloud: data version ( $installed_version ) is higher than "
echo " image version ( $image_version ); downgrading is not supported. "
echo "Are you sure you pulled a newer image version?"
echo "See: https://github.com/nextcloud/docker/#update-to-a-newer-version"
exit 1
fi
if version_greater " $image_version " " $installed_version " ; then
# Guard against major version jumps.
# - Prevent container startup if image version is more than one major version higher than persisted code version.
# - This indicates an overly aggressive major version jump attempt, which is not supported by image / Nextcloud.
if is_installed && version_greater_major " $image_version " " $installed_version " 1; then
echo " ERROR: Can't start Nextcloud: upgrading from $installed_version to $image_version is not supported. "
echo "You can upgrade only one major version at a time."
echo "E.g., to upgrade from 14 to 16, first upgrade 14 to 15, then 15 to 16."
echo "See: https://docs.nextcloud.com/server/latest/admin_manual/maintenance/upgrade.html"
echo "See: https://github.com/docker-library/docs/tree/master/nextcloud#supported-tags-and-respective-dockerfile-links"
exit 1
fi
# Instalization block.
# - Initialization is only for new installs or (valid) upgrade scenarios.
# - Bypassed if there's nothing to do (or blocked above before we even get here)
if ! is_installed || version_greater " $image_version " " $installed_version " ; then
echo " Initializing nextcloud $image_version ... "
if [ " $installed_version " != "0.0.0.0" ] ; then
if [ " ${ image_version %%.* } " -gt " $(( ${ installed_version %%.* } + 1 )) " ] ; then
echo " Can't start Nextcloud because upgrading from $installed_version to $image_version is not supported. "
echo "It is only possible to upgrade one major version at a time. For example, if you want to upgrade from version 14 to 16, you will have to upgrade from version 14 to 15, then from 15 to 16."
exit 1
fi
# A prior version is already installed, and has been deemed within allowed upgrade jump range so proceed.
if is_installed; then
echo " Upgrading nextcloud from $installed_version ... "
run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
fi
if [ " $( id -u) " = 0 ] ; then
rsync_options = " -rlDog --chown $user : $group "
else
rsync_options = "-rlD"
# Save pre-upgrade enabled/disabled apps list
# TODO: Determine if tracking app list is still relevant
run_as " $OCC app:list " | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_before
fi
rsync $rsync_options --delete --exclude-from= /upgrade.exclude /usr/src/nextcloud/ /var/www/html/
# Code deployment block.
# - Deploys image code onto the persistent storage volume
# TODO: Move code deployment block (below) to its own function(s)
##########################################################################################
# Why we copy Nextcloud code from the image to persistent storage...
#
# Nextcloud's application directory needs to be on persistent storage, not just inside
# the container's writable/read-only layers. This ensures:
# - All code and changes survive container restarts and replacements.
# - Clustering (using multiple containers with shared data) functions as expected.
# - Nextcloud can safely modify, add, or remove files (mainly under config/, data/, apps/,
# custom_apps/) during normal operation.
# - Upgrades, apps, and troubleshooting work reliably.
#
# The container’
# are lost if the container is removed and are not shared between containers.
#
# This approach follows Nextcloud's official installation conventions and is necessary for
# robust container deployments.
#
# Note:
# - Actual file changes are typically limited to config/, data/, apps/, and custom_apps/
# in a standard setup (so there may be some room for improvement here).
#
# TODO:
# - Consider ways to further streamline this process upstream.
# - Investigate separating truly read-only folders from writable ones.
##########################################################################################
# Replace installed code with newer image code except for exclusions.
#
# Risks & Considerations:
# - Deleting files not listed in the exclusions file could remove legitimate Nextcloud data
# if users overlook documentation or misconfigure persistent storage.
# - Using rsync (cp would be similar) are slow on NFS and other network filesystems,
# sometimes merely annoyingly; sometimes unacceptably.
#
# Alternative Approaches:
# - Warn if we detect unexpected files that would be deleted, but avoid a hard error to
# allow legitimate Nextcloud files/folders.
# - A dry-run mode with a hard error would prevent mistakes, but also block valid upgrades.
# - Batching files with tar on both ends of a pipe might help with performance.
#
# TODO:
# - Print a warning if non-excluded files are detected for deletion.
# - Investigate a middle ground between safety (preventing accidental deletion)
# and usability (supporting easy upgrades).
# - Consider batching file transfers for better performance on network filesystems.
#
# Notes:
# - The current rsync approach works for local filesystems but may be slow or appear
# to hang on networked storage.
rsync \
--delete \
--exclude-from= /upgrade.exclude \
/usr/src/nextcloud/ \
/var/www/html/
# Copy newer image code for the following directories ONLY if they do not exist or are empty:
# - config/
# - data/
# - custom_apps/
# - themes/
#
# We only copy these directories if they're missing or empty, to avoid overwriting
# user data. This is especially important for config and data directories.
#
# TODO:
# - Consider updating only 'themes/' here, and move handling of 'config/', 'data/', and 'custom_apps/'
# into the install block. These directories should not be modified during a regular update/upgrade.
# - Review whether modifying these directories outside of installation could cause data loss or unexpected behavior.
for dir in config data custom_apps themes; do
if [ ! -d " /var/www/html/ $dir " ] || directory_empty " /var/www/html/ $dir " ; then
rsync $rsync_options --include " / $dir / " --exclude '/*' /usr/src/nextcloud/ /var/www/html/
fi
copy_if_missing_or_empty \
" $dir " \
"/usr/src/nextcloud" \
"/var/www/html"
done
rsync $rsync_options --include '/version.php' --exclude '/*' /usr/src/nextcloud/ /var/www/html/
# Install
if [ " $installed_version " = "0.0.0.0" ] ; then
# Replace installed code's version.php with newer image code version
rsync \
--include '/version.php' \
--exclude '/*' \
/usr/src/nextcloud/ \
/var/www/html/
# Install block for fresh instances.
# TODO: Consider moving install block to a dedicated function
if ! is_installed; then
echo "New nextcloud instance"
file_env NEXTCLOUD_ADMIN_PASSWORD
# Base options for Nextcloud's command-line installer
# TODO: Consider enabling verbose mode too
install_options = "--no-interaction"
# Tracks whether we have enough automatic configuration parameters to bypass the Installation Wizard
trigger_installer = false
# Handle initial admin credentials (if provided)
file_env NEXTCLOUD_ADMIN_USER
file_env NEXTCLOUD_ADMIN_PASSWORD
install = false
if [ -n " ${ NEXTCLOUD_ADMIN_USER +x } " ] && [ -n " ${ NEXTCLOUD_ADMIN_PASSWORD +x } " ] ; then
# shellcheck disable=SC2016
install_options = '-n --admin-user "$NEXTCLOUD_ADMIN_USER" --admin-pass "$NEXTCLOUD_ADMIN_PASSWORD"'
install_options = " $install_options \
--admin-user \" $NEXTCLOUD_ADMIN_USER \" \
--admin-pass \" $NEXTCLOUD_ADMIN_PASSWORD \" "
if [ -n " ${ NEXTCLOUD_DATA_DIR +x } " ] ; then
# shellcheck disable=SC2016
install_options = $install_options ' --data-dir "$NEXTCLOUD_DATA_DIR"'
install_options = " $install_options \
--data-dir \" $NEXTCLOUD_DATA_DIR \" "
fi
file_env MYSQL_DATABASE
file_env MYSQL_PASSWORD
file_env MYSQL_USER
file_env POSTGRES_DB
file_env POSTGRES_PASSWORD
file_env POSTGRES_USER
# Assemble the database autoconfiguration options (if any)
assemble_db_install_options
if [ -n " ${ SQLITE_DATABASE +x } " ] ; then
echo "Installing with SQLite database"
# shellcheck disable=SC2016
install_options = $install_options ' --database-name "$SQLITE_DATABASE"'
install = true
elif [ -n " ${ MYSQL_DATABASE +x } " ] && [ -n " ${ MYSQL_USER +x } " ] && [ -n " ${ MYSQL_PASSWORD +x } " ] && [ -n " ${ MYSQL_HOST +x } " ] ; then
echo "Installing with MySQL database"
# shellcheck disable=SC2016
install_options = $install_options ' --database mysql --database-name "$MYSQL_DATABASE" --database-user "$MYSQL_USER" --database-pass "$MYSQL_PASSWORD" --database-host "$MYSQL_HOST"'
install = true
elif [ -n " ${ POSTGRES_DB +x } " ] && [ -n " ${ POSTGRES_USER +x } " ] && [ -n " ${ POSTGRES_PASSWORD +x } " ] && [ -n " ${ POSTGRES_HOST +x } " ] ; then
echo "Installing with PostgreSQL database"
# shellcheck disable=SC2016
install_options = $install_options ' --database pgsql --database-name "$POSTGRES_DB" --database-user "$POSTGRES_USER" --database-pass "$POSTGRES_PASSWORD" --database-host "$POSTGRES_HOST"'
install = true
fi
if [ " $install " = true ] ; then
# If all required configuration values are provided, run the Nextcloud command-line installer
# automatically. Otherwise, skip the installer and require the user to complete setup through
# the web-based Installation Wizard. Any missing configuration must be entered in the web UI.
if [ " $trigger_installer " = true ] ; then
# Trigger pre-installation hook scripts (if any)
run_path pre-installation
echo "Starting nextcloud installation"
max_retries = 10
try = 0
until [ " $try " -gt " $max_retries " ] || run_as " php /var/www/html/occ maintenance:install $install_options "
do
echo "Retrying install..."
try = $(( try+1))
sleep 10s
done
if [ " $try " -gt " $max_retries " ] ; then
echo "Installing of nextcloud failed!"
exit 1
fi
if [ -n " ${ NEXTCLOUD_TRUSTED_DOMAINS +x } " ] ; then
echo "Setting trusted domains…"
set -f # turn off glob
NC_TRUSTED_DOMAIN_IDX = 1
for DOMAIN in ${ NEXTCLOUD_TRUSTED_DOMAINS } ; do
DOMAIN = $( echo " ${ DOMAIN } " | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' )
run_as " php /var/www/html/occ config:system:set trusted_domains $NC_TRUSTED_DOMAIN_IDX --value=\" ${ DOMAIN } \" "
NC_TRUSTED_DOMAIN_IDX = $(( NC_TRUSTED_DOMAIN_IDX+1))
done
set +f # turn glob back on
fi
# Run the Nextcloud command-line installer
run_nextcloud_installer " $install_options "
# Configure trusted domains (if specified).
# TODO: This could probably be moved elsewhere to permit reconfiguration within existing installs.
set_trusted_domains
# Trigger post-installation hook scripts (if any)
run_path post-installation
fi
fi
fi
# not enough specified to do a fully automated installation
if [ " $install " = false ] ; then
# Not enough parameters specified to do an automated installation.
if [ " $trigger_installer " = false ] ; then
echo "Next step: Access your instance to finish the web-based installation!"
echo "Hint: You can specify NEXTCLOUD_ADMIN_USER and NEXTCLOUD_ADMIN_PASSWORD and the database variables _prior to first launch_ to fully automate initial installation."
echo "Hint: Set NEXTCLOUD_ADMIN_USER, NEXTCLOUD_ADMIN_PASSWORD, and DB vars"
echo "before first launch to fully automate initial installation."
fi
# Upgrade
else
# Upgrade path for existing instances.
# TODO: Consider moving upgrade block to a dedicated function.
else # (i.e. is_installed)
# Trigger pre-upgrade hook scripts (if any)
run_path pre-upgrade
run_as 'php /var/www/html/occ upgrade'
# Run Nextcloud database upgrades (and other non-code changes)
run_as " $OCC upgrade "
run_as 'php /var/www/html/occ app:list' | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
echo "The following apps have been disabled:"
diff /tmp/list_before /tmp/list_after | grep '<' | cut -d- -f2 | cut -d: -f1
rm -f /tmp/list_before /tmp/list_after
# Save post-upgrade enabled/disabled apps list.
# This is used to determine if there were problematic app upgrades.
run_as " $OCC app:list " | sed -n "/Enabled:/,/Disabled:/p" > /tmp/list_after
# Show differences in post-upgrade enabled/disabled apps
show_disabled_apps
# Trigger post-upgrade hook scripts (if any)
run_path post-upgrade
fi
@ -288,23 +749,23 @@ if expr "$1" : "apache" 1>/dev/null || [ "$1" = "php-fpm" ] || [ "${NEXTCLOUD_UP
fi
# Update htaccess after init if requested
if [ -n " ${ NEXTCLOUD_INIT_HTACCESS +x } " ] && [ " $installed_version " != "0.0.0.0" ] ; then
run_as 'php /var/www/html/occ maintenance:update:htaccess'
if [ -n " ${ NEXTCLOUD_INIT_HTACCESS +x } " ] \
&& is_installed; then
run_as " $OCC maintenance:update:htaccess "
fi
) 9> /var/www/html/nextcloud-init-sync.lock
# warn if config files on persistent storage differ from the latest version of this image
for cfgPath in /usr/src/nextcloud/config/*.php; do
cfgFile = $( basename " $cfgPath " )
if [ " $cfgFile " != "config.sample.php" ] && [ " $cfgFile " != "autoconfig.php" ] ; then
if ! cmp -s " /usr/src/nextcloud/config/ $cfgFile " " /var/www/html/config/ $cfgFile " ; then
echo " Warning: /var/www/html/config/ $cfgFile differs from the latest version of this image at /usr/src/nextcloud/config/ $cfgFile "
fi
fi
done
# Check (and warn about) Nextcloud persistent storage `config/` files that are out-of-date with image version
warn_config_diffs
# Trigger before-starting hook scripts (if any)
run_path before-starting
fi
###############################################################################
# Handoff to Main Container Process
###############################################################################
set -x
echo " Handing off via exec: $@ "
exec " $@ "
