How I accidentally wiped my server by having a typo in my Nextcloud docker config
So, I moved my Nextcloud directory from a local SATA drive to an NFS mount from an NVMe array on a 10G network.
"I just need to change /docker/nextcloud to /mnt/nfs/nextcloud in the docker-compose.yml, what's the issue, I do it live," I tell myself.
So I stop the container, copy /docker/nextcloud to /mnt/nfs/nextcloud, then edit the docker-compose.yml... and... because I'm doing it during a phone call without paying too much attention, I change the main directory to /docker.
I rebuild the container and I immediately hear a flood of Telegram notifications from my uptime-kuma bot... oh oh...
Looks like the Nextcloud docker image has an initialization script that, if it doesn't find the files in the directory, will delete everything and install a fresh copy of Nextcloud... so it deleted everything on my server.
Luckily I had a very recent full borg backup and I'm restoring it (I kinda love-hate borg, I always forget the restore commands when in panic and the docs are a bit cryptic for me).
Lessons learned:
Always double check everything.
Offsite backups are a must (if I had accidentally written / as the path, I would have lost the borg backups as well!).
Offsite backups should not be permanently mounted, otherwise they would have been wiped as well.
Learn how to use and schedule filesystem snapshots, so the recovery wouldn't take ages like it's taking right now (2+ hours and I'm not even halfway...).
Some years ago, being a Linux noob, I created a VM to set up a Bitcoin Lightning node.
The blockchain is huge and my idea was to pass through a 2 TB drive (/dev/sdc).
Had to restart my homeserver because of some host settings I'd changed. Didn't see that sdc changed to sda, and sdb (an 8 TB fully encrypted drive with my SMB shares on it, in a separate VM) changed to sdc.
So far no problem. Because I didn't know that the device names had changed, I started the initialization process, which formats the passed-through HDD.
Oh boy, when I heard the 8 TB HDD spin up and do its thing while the 2 TB HDD was still spun down, I panicked and shut down the server.
End of story: 8 TB of data was unrecoverable (lost all of my photos since I was a kid (~100k), lots of redownloadable stuff; gladly everything sensitive was backed up, like private seeds, work stuff, documents, ...).
Never use /dev/sdX device paths, use UUIDs. They exist for a reason.
You can label your devices. When formatting, do mkfs.ext4 -L my-descriptive-name /dev/whatever. Now, refer to it exclusively by /dev/disk/by-label/my-descriptive-name. Much harder to mix up home and swap than sdc2 and sdc3 (or, for that matter, two UUIDs).
After 8 hours the backup is restored (of course I stored it on a WD Green...) but then Nextcloud gave error 500 with lots of errors like:
Doctrine\DBAL\Exception: Failed to connect to the database: An exception occurred in the driver: SQLSTATE[HY000] [1129] Host '172.26.0.1' is blocked because of many connection errors; unblock with 'mariadb-admin flush-hosts' in /var/www/html....
DON'T PANIC. You didn't screw up the restore!
Just access your database with HeidiSQL or your favorite tool and run the query FLUSH HOSTS;
I ham-fistedly use LXC to keep my services separate and out of dependency hell, but would you go as far as putting docker run services in them as well just to keep them away from the host?
I'm currently setting up Proxmox just for that. Since I'm still quite new to self-hosting, I fuck up from time to time. Deleted my root file system once. Updated Nginx Proxy Manager and took down my services with it. I once fucked up iptables, scary stuff.
In the future, it'll be one click and everything works again. It's so easy on novices, once you get everything going.
I did the exact same thing 3 or so years ago. Thankfully I already had a backup, but it was a bit nerve-wracking to log in to Nextcloud and see it was empty, and then browse the mount and have it also be empty.
There's user error in this case, but imho it's a bug that the initialization script deletes hundreds of GB without any warning or an override command. Files weren't even owned by www-data! Ok to copy new install files, but not wipe clean...
If one day some web exploit manages to delete/rename/move the file that the script detects as "installation done", it could lead to a worldwide massive data loss when the server reboots.
OP said he's been using a Docker image that is "official by Docker", and not the AIO image official by Nextcloud. The issue here is a random contributor on GitHub's docker organization. Afaik those images are not carefully tested; Docker, like many FLOSS organizations, relies primarily on contributors, and plenty of these are amateurs or students trying to build a profile.
I believe the --delete option is the problem here, it will delete all files in the target dir that aren't in the source dir.
Ironically, the script even has a directory_empty function it could use to double-check the target dir, but it doesn't use it for this particular dir. 😆
So, bottom line, a Nextcloud install will wipe out the target dir if you're not careful and I stand by my decision to not touch it with a ten-foot pole.
On an unrelated note: yeah it's confusing that the official Nextcloud AIO docker image is not on Docker Hub and what you get when you search for nextcloud is a "Docker official image" that's actually community-maintained. But as I said in my other comment in this particular case the problem exists in both images.
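As an added illustration of the missing check described in the comments above (this is example code, not the image's actual init script), here is a guard that only allows an rsync --delete into the target directory when it is empty or already holds a previous install. The marker file name version.php and the use of rsync are assumptions for the example.

```shell
#!/bin/sh
# Guard for the "copy install files into the data dir" step.
# Added example; not the Nextcloud image's own script.
# Assumption: an existing install is recognised by version.php at the target root.

directory_empty() {
    # Returns 0 when the directory exists and holds no entries (dotfiles included).
    [ -d "$1" ] && [ -z "$(ls -A "$1")" ]
}

safe_to_sync() {
    # Returns 0 only when syncing with --delete into $1 cannot destroy foreign data:
    # either the target is empty, or it already contains a previous install.
    target="$1"
    if directory_empty "$target"; then
        return 0
    fi
    if [ -f "$target/version.php" ]; then
        return 0
    fi
    echo "refusing to sync into non-empty directory without version.php: $target" >&2
    return 1
}

guarded_sync() {
    # $1 = source tree with the fresh install files, $2 = target directory.
    # The --delete run only happens after the guard passes.
    safe_to_sync "$2" || return 1
    rsync -a --delete "$1/" "$2/"
}
```

With a bind-mounted data directory holding user files but no marker file, the guard fails and nothing is deleted, which is the behaviour the comments above say the image lacks.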
Was it the official container image or 3rd party? Whichever it was, they should get notified so that init script can get fixed to prevent similar happening to others.
Edit: official but from docker, not official from nextcloud, because I don't like AIO images, I like having everything separate
Edit 2: the documentation says to use named docker volumes. I don't like using volumes because I feel they're harder to backup, I want individual file control so I used mount points. Because they're assuming that everyone is using named volumes, they assume they can wipe without problems. But they don't specify to avoid using mount points and/or that's dangerous because of those assumptions.
3rd party, but the official image will do the same (rsync --delete). The 3rd party project has an issue open for it. I couldn't find a similar issue for the AIO image (but maybe I didn't search for the right thing).
Using snapshots on a copy-on-write filesystem such as ZFS or Btrfs is actually a very good idea. There exist auto-snapshot services that are quite easy to set up and take snapshots with different granularity and a maximum number of kept snapshots, e.g. every 15 minutes, hour, day, week.
Please note that even snapshots and RAID never replace an off-site backup. When setting up Nextcloud I was even paranoid enough to configure the backups to be pulled by the remote machine where they will be stored (and the Nextcloud machine does not even have credentials to access it).
The worst I did was wanting to replace the WAN interface on my OPNsense router. I didn't check properly and replaced my LAN interface instead, rendering the router inaccessible and fucking up my network. Luckily, it's a VM on Proxmox that was still accessible by IP. I just opened a console to the VM and found out that the whole configuration is in a file. Also, a copy is saved with every configuration change. I just found the right one to restore and voilà! My network was back up.