
Permissions when used with docker compose

Open OBoudreaux opened this issue 1 year ago • 7 comments

I'm having a heck of a time with permissions when running via a docker-compose file. Setup page loads fine but I get an error that the derbynet directory isn't writable. I have the host data directory at 775 permissions with the same owner and group that the container is run with. I can jump in a console as user 1000 in the container and create files in the directory. Perplexed.

  derbynet:
    image: jeffpiazza/derbynet_server
    container_name: derbynet
    profiles: ["apps", "all"]
    networks:
      - t2_proxy
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - $DATADIR/db/derbynet:/var/lib/derbynet
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.derbynet-rtr.entrypoints=https"
      - "traefik.http.routers.derbynet-rtr.rule=Host(`$DERBYNET_SUBD.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.derbynet-rtr.middlewares=chain-authen@file"
      ## HTTP Services
      - "traefik.http.routers.derbynet-rtr.service=derbynet-svc"
      - "traefik.http.services.derbynet-svc.loadbalancer.server.port=80"

Nov 22 '24 18:11 OBoudreaux

I'm afraid I don't have any experience with docker-compose, so can't offer any insights there.

The PHP scripts usually run as user www-data, and the relevant question is whether the directory is writable by that user. (/etc/php/8.2/fpm/pool.d/www.conf sets user and group.) User 1000 may well be more privileged than www-data.

If you're seeing the "The ... directory exists, but isn't writable" message, that's coming from here: https://github.com/jeffpiazza/derbynet/blob/5ad7312a9b133235449e5f571158d49d3e039d0e/website/inc/details-for-setup-page.inc#L228. You could change this message in your container to include relevant debugging information, if that helped.

Nov 22 '24 19:11 jeffpiazza

Weird, when I open a console in the container there is no www-data user

300e4ac716ce:/# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin

I've tried changing ownership of the data volume to nginx without success.

The image from mitchellriley/derbynet_server can write to the www-data owned volume and does have the www-data user inside. Seems like he stopped updating with v6. Have there been substantial functional changes since then that would differ from the use documentation?

Dec 11 '24 16:12 OBoudreaux

Have the same issue with the docker image (not docker compose) on a fresh install of Debian 12. The repo packages work fine though so I'll just use those. Thanks!

Dec 12 '24 01:12 OBoudreaux

Have you tried creating a docker volume and mounting as /var/lib/derbynet to the volume? Then, you can access the volume on Linux at /var/lib/docker/volumes/$DOCKER_VOLUME_NAME as root. I did this 2 years ago, and it still works great, even after migrating to another server.

Dec 12 '24 02:12 PorkChopExpress86

I believe so...

    volumes:
      - $DATADIR/db/derbynet:/var/lib/derbynet

Dec 12 '24 12:12 OBoudreaux

You are doing a bind to a directory on your Debian machine. You can create a docker volume with docker volume create [volume name], or add volumes to the bottom and include the volume name. Compose will handle the creation of the volume, and it will be a persistent area that should have the correct permissions. To change the passwords, you need root access to /var/lib/docker/volumes/derbynet_data/_data/config-roles. You can use Nano or Vim to edit the file.

  derbynet:
    image: jeffpiazza/derbynet_server
    container_name: derbynet
    profiles: ["apps", "all"]
    networks:
      - t2_proxy
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - derbynet_data:/var/lib/derbynet
      - /etc/localtime:/etc/localtime:ro
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.derbynet-rtr.entrypoints=https"
      - "traefik.http.routers.derbynet-rtr.rule=Host(`$DERBYNET_SUBD.$DOMAINNAME_CLOUD_SERVER`)"
      ## Middlewares
      - "traefik.http.routers.derbynet-rtr.middlewares=chain-authen@file"
      ## HTTP Services
      - "traefik.http.routers.derbynet-rtr.service=derbynet-svc"
      - "traefik.http.services.derbynet-svc.loadbalancer.server.port=80"

volumes:
  derbynet_data:

Dec 12 '24 12:12 PorkChopExpress86

This works for me

compose.yaml
name: derbynet
services:
  derbynet:
    image: jeffpiazza/derbynet_server
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - type: bind
        source: /home/user/DerbyNet
        target: /var/lib/derbynet
    restart: unless-stopped
    environment:
      - PUID=100
      - PGID=101

Run command in directory with compose.yaml file

docker compose up -d

Mar 07 '25 19:03 josiah47
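
Added example, not part of the thread or the DerbyNet project: a bind mount carries numeric owner, group and mode through unchanged, so the host directory has to be writable by the uid/gid of the account the web server runs as inside the container. This script looks up an account's ids in a saved copy of the container's /etc/passwd and checks them against a host directory's mode bits. The function names are hypothetical, which account serves PHP in a given image is for the reader to confirm, and GNU `stat` is assumed.

```shell
#!/bin/sh
# passwd_ids ACCOUNT PASSWD_FILE: print "uid gid" for ACCOUNT, exit 1 if absent.
passwd_ids() {
    awk -F: -v u="$1" '$1 == u { print $3, $4; found = 1; exit }
                       END { exit !found }' "$2"
}

# can_write_as UID GID DIR: exit 0 if the owner/group/other mode bits let a
# process with that numeric uid and primary gid create files in DIR.
# Out of scope: root's capabilities, supplementary groups, ACLs, read-only mounts.
can_write_as() {
    uid=$1 gid=$2 dir=$3
    [ -d "$dir" ] || return 2
    set -- $(stat -c '%u %g %a' "$dir")   # owner uid, owner gid, octal mode
    owner=$1 group=$2 mode=$((0$3))
    # The kernel picks exactly one permission class: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (mode >> 3) & 7 ))
    else
        bits=$(( mode & 7 ))
    fi
    # Creating a file needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# Usage: sh check.sh ACCOUNT PASSWD_FILE HOST_DIR
if [ $# -eq 3 ]; then
    ids=$(passwd_ids "$1" "$2") || { echo "no account '$1' in $2"; exit 1; }
    if can_write_as $ids "$3"; then
        echo "$3: writable by $1 ($ids)"
    else
        echo "$3: NOT writable by $1 ($ids); chown it to those ids instead of opening it to everyone"
    fi
fi
```

The passwd copy can be saved with `docker exec derbynet cat /etc/passwd > passwd.txt`, using the container name from the compose files above.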