permissions issue
Everything appears to be working as intended, except the container hard-codes the user configuration, I think, because no matter what I try, the files that are downloaded are owned by the user with ID 101 instead of the default 1000. Which means I can't get access to them without a complicated dance.
I need to access the files from my n8n instance by sharing the volume. n8n runs on 1000:1000 and I have no way of getting read/write access here. I've smashed my head against the wall today trying to get this working, but have nothing to show for it.
I tried UMAP: 0022, USERNAME: 1000, UID: 1000, user: 1000:1000.
I tried mounting a directory on the host with telegram_data being pre-created with the correct permissions, but it creates directories per bot and I can't prepare that...
The solution really should be that setting:
```yaml
telegram-bot-api:
  image: aiogram/telegram-bot-api:latest
  container_name: telegram-bot-api
  restart: unless-stopped
  user: "1000:1000" # <<< THIS SETTING
  environment:
    TELEGRAM_API_ID: "${TELEGRAM_API_ID}"
    TELEGRAM_API_HASH: "${TELEGRAM_API_HASH}"
    TELEGRAM_LOCAL: "1"
    TELEGRAM_MAX_WEBHOOK_CONNECTIONS: "100"
    TELEGRAM_VERBOSITY: "1"
  volumes:
    - telegram_files:/var/lib/telegram-bot-api
```
should work. From there it should set up everything as the 1000:1000 user, giving n8n and the user account I'm using on the host automatic ownership.
Absolutely agree — the current flow for working with /var/lib/telegram-bot-api is quite tricky.
jfi: my solution was to give read permission, so my bot can access files without changing container UID/GID:
```sh
# Allow read/execute access for already existing paths
sudo chmod -R a+rX /var/lib/telegram-bot-api
# And add default ACL so that newly created files are also readable
sudo setfacl -R -m u:gistrec:rX /var/lib/telegram-bot-api
sudo setfacl -R -m d:u:gistrec:rX /var/lib/telegram-bot-api
```
Thank you for your quick reply! After posting I put in yet more elbow grease and ended up with this:
telegram-bot-api/entrypoint-fix.sh
```sh
#!/bin/sh
set -e
echo "Fixing user permissions..."
# Delete existing user and recreate with UID 1000
deluser telegram-bot-api
addgroup -g 1000 telegram-bot-api
adduser -u 1000 -G telegram-bot-api -s /sbin/nologin -D -h /var/lib/telegram-bot-api telegram-bot-api
# Fix permissions on directories
chown -R telegram-bot-api:telegram-bot-api /var/lib/telegram-bot-api
mkdir -p /tmp/telegram-bot-api
chown -R telegram-bot-api:telegram-bot-api /tmp/telegram-bot-api
echo "Starting telegram-bot-api with UID 1000..."
# Start the original entrypoint
exec /docker-entrypoint.sh
```
docker-compose.yml
```yaml
telegram-bot-api:
  image: aiogram/telegram-bot-api:latest
  container_name: telegram-bot-api
  restart: unless-stopped
  environment:
    TELEGRAM_API_ID: "${TELEGRAM_API_ID}"
    TELEGRAM_API_HASH: "${TELEGRAM_API_HASH}"
    TELEGRAM_LOCAL: "1"
    TELEGRAM_MAX_WEBHOOK_CONNECTIONS: "100"
    TELEGRAM_VERBOSITY: "1"
  volumes:
    - telegram_files:/var/lib/telegram-bot-api # Change to named volume
    - ./telegram-bot-api/entrypoint-fix.sh:/entrypoint-fix.sh:ro
  entrypoint: ["/entrypoint-fix.sh"]
```
This script just ensures the container runs telegram-bot-api as UID 1000 so mounted volumes owned by your host user don’t have permission issues.

- Deletes and recreates the telegram-bot-api user/group with UID/GID 1000
- Fixes ownership of /var/lib/telegram-bot-api and /tmp/telegram-bot-api
- Hands off to the original entrypoint to start the service
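
A check for the shared volume discussed in this thread, as an added example that is not from any of the posts or from the aiogram/telegram-bot-api project: it lists paths that a given UID:GID (for instance n8n's 1000:1000) cannot read by mode bits, and the files a blanket `a+rX` leaves readable to every local user. The function names are made up for this example, and it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox); ACL entries such as those set with `setfacl` are not evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): audit read access on a shared volume
# using owner/group/other mode bits only.
# Assumptions: stat supports -c (GNU coreutils or BusyBox); POSIX ACLs,
# supplementary groups and root's override are not evaluated.

# can_read UID GID PATH: succeed if the mode bits grant read access
# (read plus search for a directory).
can_read() {
    want_uid=$1; want_gid=$2; path=$3
    set -- $(stat -c '%u %g %a' "$path")       # owner uid, group gid, octal mode
    perms=$(printf '000%s' "$3" | tail -c 3)   # drop setuid/setgid/sticky digit
    if [ "$1" = "$want_uid" ]; then
        digit=${perms%??}                      # owner class
    elif [ "$2" = "$want_gid" ]; then
        digit=${perms#?}; digit=${digit%?}     # group class
    else
        digit=${perms#??}                      # other class
    fi
    need=4
    [ -d "$path" ] && need=5
    [ $(( $digit & $need )) -eq "$need" ]
}

# unreadable_by ROOT UID GID: print every file or directory under ROOT
# that UID:GID cannot read.
unreadable_by() {
    find "$1" \( -type f -o -type d \) -print | while IFS= read -r p; do
        can_read "$2" "$3" "$p" || printf '%s\n' "$p"
    done
}

# world_readable ROOT: print regular files readable by every local user,
# which is the side effect of granting access with a blanket a+rX.
world_readable() {
    find "$1" -type f -perm -004 -print
}

# Usage: sh audit.sh /path/to/volume 1000 1000
if [ "$#" -eq 3 ]; then
    unreadable_by "$1" "$2" "$3"
fi
```

An empty result from `unreadable_by` for the consumer's UID:GID together with an empty result from `world_readable` means access was granted through ownership or group membership rather than to everyone.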