OpenHands icon indicating copy to clipboard operation
OpenHands copied to clipboard

Published 20 hours ago • verified publisher icon All-Hands-AI

[Bug]: Permission denied when making changes

Open quangamedev opened this issue 5 months ago • 3 comments

Is there an existing issue for the same bug? (If one exists, thumbs up or comment on the issue instead).

  • [x] I have checked the existing issues.

Describe the bug and reproduction steps

I'm getting this error:

17:26:23 - openhands:WARNING: settings.py:173 - Something went wrong storing settings: [Errno 13] Permission denied: '/.openhands-state/settings.json'
INFO:     172.17.0.1:38752 - "POST /api/settings HTTP/1.1" 500 Internal Server Error

Command & log:

docker pull docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik

export SANDBOX_VOLUMES=/mnt/c/Users/[redacted]:/workspace:rw

docker run -it --rm --pull=always \
    -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik \
    -e LOG_ALL_EVENTS=true \
    -e SANDBOX_USER_ID=$(id -u) \
    -e SANDBOX_VOLUMES=$SANDBOX_VOLUMES \
    -v /var/run/docker.sock:/var/run/docker.sock \
    -v ~/.openhands-state:/.openhands-state \
    -p 3000:3000 \
    --add-host host.docker.internal:host-gateway \
    --name openhands-app \
    docker.all-hands.dev/all-hands-ai/openhands:0.43
...
Starting OpenHands...
Setting up enduser with id 1000
Docker socket group id: 1001
Creating group with id 1001
...

When I remove the line SANDBOX_USER_ID=$(id -u) from the below referenced issue, the problem dissapears.

A) results of ls -Al ~/.openhands-state B) try without SANDBOX_USER_ID=$(id -u) for now

Originally posted by @jmtatsch in #6056

And now the log is a bit different:

...
Starting OpenHands...
Running OpenHands as root
...

I got OpenHands running before with Windows Command Prompt when docker-desktop was the only and default distro in WSL (using wsl -l -v) and had no issue. Now when I run in WSL2 I get this issue, there might be problems related to OpenHands being installed and ran as root user before in Windows CLI while it should have been WSL.

Is there a quick way to fix this or should I do a clean installation. If so, how should I do it, I am not too familiar with WSL or Docker, thanks in advance.

OpenHands Installation

Docker command in README

OpenHands Version

main

Operating System

WSL on Windows

Logs, Errors, Screenshots, and Additional Context

docker pull docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik

export SANDBOX_VOLUMES=/mnt/c/Users/[redacted]:/workspace:rw

docker run -it --rm --pull=always
-e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik
-e LOG_ALL_EVENTS=true
-e SANDBOX_USER_ID=$(id -u)
-e SANDBOX_VOLUMES=$SANDBOX_VOLUMES
-v /var/run/docker.sock:/var/run/docker.sock
-v ~/.openhands-state:/.openhands-state
-p 3000:3000
--add-host host.docker.internal:host-gateway
--name openhands-app
docker.all-hands.dev/all-hands-ai/openhands:0.43 0.43-nikolaik: Pulling from all-hands-ai/runtime Digest: sha256:a95c96cc98d06bb87a2ea10c50d62518e6196b2c6520e2ad9c4ca3dc45ec4613 Status: Image is up to date for docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik docker.all-hands.dev/all-hands-ai/runtime:0.43-nikolaik 0.43: Pulling from all-hands-ai/openhands Digest: sha256:7975cc5bc6cc4b54a361bf3f228a130e912d467ca2f0907f48468f098d05bca3 Status: Image is up to date for docker.all-hands.dev/all-hands-ai/openhands:0.43 Starting OpenHands... Setting up enduser with id 1000 Docker socket group id: 1001 Creating group with id 1001 Running as enduser /app/.venv/lib/python3.12/site-packages/pydub/utils.py:170: RuntimeWarning: Couldn't find ffmpeg or avconv - defaulting to ffmpeg, but may not work warn("Couldn't find ffmpeg or avconv - defaulting to ffmpeg, but may not work", RuntimeWarning) 17:21:37 - openhands:INFO: server_config.py:53 - Using config class None INFO: Started server process [40] INFO: Waiting for application startup. INFO: Application startup complete. INFO: Uvicorn running on http://0.0.0.0:3000 (Press CTRL+C to quit) INFO: 172.17.0.1:35912 - "GET / HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /locales/en/translation.json HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/options/config HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/options/config HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/settings HTTP/1.1" 404 Not Found INFO: 172.17.0.1:35912 - "GET /api/options/models HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/options/agents HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/options/security-analyzers HTTP/1.1" 200 OK INFO: 172.17.0.1:35912 - "GET /api/settings HTTP/1.1" 404 Not Found INFO: 172.17.0.1:35912 - "GET /api/settings HTTP/1.1" 404 Not Found INFO: 172.17.0.1:33376 - "GET /api/options/config HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/models HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/agents HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/security-analyzers HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /settings HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /favicon.ico HTTP/1.1" 200 OK INFO: 172.17.0.1:33376 - "GET /locales/en/translation.json HTTP/1.1" 200 OK INFO: 172.17.0.1:33376 - "GET /api/options/config HTTP/1.1" 200 OK INFO: 172.17.0.1:33376 - "GET /api/options/config HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/models HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/agents HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/options/security-analyzers HTTP/1.1" 200 OK INFO: 172.17.0.1:33382 - "GET /api/settings HTTP/1.1" 404 Not Found 17:24:01 - openhands:WARNING: settings.py:173 - Something went wrong storing settings: [Errno 13] Permission denied: '/.openhands-state/settings.json'

quangamedev avatar Jun 17 '25 17:06 quangamedev

I think this only occurs if you have previous sessions setup, you can try to chown the openhands folder back to your own user, or delete it and start over.

Splizard avatar Jun 18 '25 03:06 Splizard

I think this only occurs if you have previous sessions setup, you can try to chown the openhands folder back to your own user, or delete it and start over.

@Splizard I tried all commands from the related issue and none seem to work. I also tried to delete the docker image but to no avail. What should I do to have a clean start?

quangamedev avatar Jun 19 '25 17:06 quangamedev

What is the permissions and ownership of the .openhands directory inside your home folder, the one being mounted into the Docker container?

Splizard avatar Jun 19 '25 20:06 Splizard

What is the permissions and ownership of the .openhands directory inside your home folder, the one being mounted into the Docker container?

@Splizard it is actually owned by the root user for some reason when I use -e SANDBOX_USER_ID=$(id -u). I had to use sudo chown -R groot:~/.openhands-state to transfer ownership back to my current user (id 1000) for the command to work!

I think this problem also has something to do with these lines in the log:

Setting up enduser with id 1000
Docker socket group id: 1001
Creating group with id 1001
Running as enduser

Nevertheless, this shouldn't be a problem or should be mentioned in documentation. Thank you for your help.

quangamedev avatar Jun 21 '25 04:06 quangamedev

Yeah this is sort of a known issue documented here: https://docs.all-hands.dev/usage/troubleshooting/troubleshooting#permission-error

The issue is that the README docker command doesn't have the -e SANDBOX_USER_ID=$(id -u) which means it will run as root and create the folder as root. But then if you run with -e SANDBOX_USER_ID=$(id -u) afterwards, it won't be able to access that folder.

mamoodi avatar Jul 01 '25 15:07 mamoodi

@mamoodi you're right, I've managed to fix this issue by changing directory ownership. Not sure what the next steps of the issue should be, though.

quangamedev avatar Jul 03 '25 16:07 quangamedev

Not sure. @xingyaoww is there a reason why in the README we run OpenHands as root but in CLI and Headless we give it -e SANDBOX_USER_ID=$(id -u)?

Did we run into other permission issues if it wasn't run as root?

mamoodi avatar Jul 03 '25 18:07 mamoodi

@mamoodi i remember we run into some issue ealier for -e SANDBOX_USER_ID=$(id -u) so we remove it from main README?

But i think maybe we should bring it back to the main readme so ppl won't run into this issue later? WDYT?

xingyaoww avatar Jul 06 '25 21:07 xingyaoww

If it works, consistency would be good here so we don't run into issues like this.

mamoodi avatar Jul 07 '25 13:07 mamoodi

@mamoodi Let's do that then?

xingyaoww avatar Jul 07 '25 18:07 xingyaoww

This issue is stale because it has been open for 30 days with no activity. Remove stale label or comment or this will be closed in 7 days.

github-actions[bot] avatar Aug 07 '25 02:08 github-actions[bot]

This issue is stale because it has been open for 40 days with no activity. Remove the stale label or leave a comment, otherwise it will be closed in 10 days.

github-actions[bot] avatar Sep 17 '25 02:09 github-actions[bot]

This issue was automatically closed due to 50 days of inactivity. We do this to help keep the issues somewhat manageable and focus on active issues.

github-actions[bot] avatar Oct 06 '25 02:10 github-actions[bot]