jammsen / docker-palworld-dedicated-server

Docker container to easily provision and manage Palworld Dedicated Server
https://hub.docker.com/r/jammsen/palworld-dedicated-server
MIT License
897 stars 151 forks source link

[Bug Report] After docker container update Server failed to start with permission denied #255

Closed Pretender1988 closed 2 months ago

Pretender1988 commented 3 months ago

Have you read the Important information text above

Current behavior

We were successfully running the docker container for about 2 months.

After restarting the Server today we got the following behavior:

Connecting anonymously to Steam Public...OK
palworld_dedicated_server | Waiting for client config...OK
palworld_dedicated_server | Waiting for user info...OK
palworld_dedicated_server | Update state (0x5) verifying install, progress: 0.14 (3145728 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 11.53 (258063380 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 23.73 (531022725 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 36.18 (809584176 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 48.60 (1087537169 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 60.69 (1358069777 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 73.01 (1633845265 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 85.25 (1907847333 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 97.55 (2182984951 / 2237883871)
palworld_dedicated_server | Success! App '2394010' fully installed.
palworld_dedicated_server | >>> Done updating and validating the gameserver files
palworld_dedicated_server | >>> Adding crons to Supercronic
palworld_dedicated_server | > Added backup cron
palworld_dedicated_server | >>> Supercronic started
palworld_dedicated_server | /includes/server.sh: line 8: cd: /palworld: Permission denied
palworld_dedicated_server exited with code 1

We are not sure if that is based on the docker Image or the dedicated server. But it looks like it is setting all files to permission 1000:1000 and wondering if it can not access the folder /palworld anymore. This happens directly after the first client connection.

My team members can easily reproduce the issue on their server. Maybe you can have a look or have an idea where to look at?

If you need more information please let us know.

Kind Regards, Pretender

Desired behavior

it is running with my local docker user in my case 1040:100

we haven't changed other env. variables and using your example of docker-compose.yml and default.env

Links to screenshots

No response

To Reproduce

  1. copy your docker-compose.yml
  2. copy your default.env
  3. change PUID and PGID to your docker user ids
  4. mkdir game
  5. docker-compose up
  6. try to connect and watch

Software setup

Hardware setup

Additional context

No response

Callum027 commented 3 months ago

Did you change the user by setting the user attribute (Docker user) on your Docker Compose service, or setting the PUID and PGID environment variables?

You need to set the UID/GID you want using the environment variables, and leave user unset (or set to root:root) on the Docker Compose service itself.

jammsen commented 3 months ago

Also do not set UID or GID in any other way; as Callum wrote, you need to use the first 2 variables in the https://github.com/jammsen/docker-palworld-dedicated-server/blob/develop/default.env file. Everything else does the work for you in the background.

Testing example for me is this: Dev-User on User and Group ID 1000

# Container-setttings
PUID=1002
PGID=1002

And the game directory now is owned by 1002:

-rwxr-xr-x  1 jammsen jammsen    3256 Feb 20 12:23 docker-compose-verywrong.yml
-rwxr-xr-x  1 jammsen jammsen     742 Apr  4 23:13 docker-compose.yml
drwxr-xr-x  2 jammsen jammsen    4096 Feb 27 18:43 docs
-rw-r--r--  1 jammsen jammsen    1164 Mar 15 17:12 entrypoint.sh
drwxr-xr-x  7 testme  testme     4096 Apr  4 23:38 game
-rwxr-xr-x  1 jammsen jammsen 2712093 Feb 21 19:40 gosu-amd64
drwxr-xr-x  2 jammsen jammsen    4096 Apr  4 22:45 includes
$ id testme
uid=1002(testme) gid=1002(testme) groups=1002(testme)

Pretender1988 commented 2 months ago

yes i did that ... for me it is the user 1040.

you can see in the beginning of the logs:

Current steam user PUID is '1000' and PGID is '1000'
palworld_dedicated_server | > Setting new steam user PUID to '1040' and PGID to '100'
palworld_dedicated_server | groupmod: GID '100' already exists
palworld_dedicated_server | > id steam: uid=1000(steam) gid=1000(steam) groups=1000(steam)
palworld_dedicated_server | >>> Starting server manager
palworld_dedicated_server | > Started at: 2024-04-08 16:14:09

so no clue so far

after a min it looks again like that:

Connecting anonymously to Steam Public...OK
palworld_dedicated_server | Waiting for client config...OK
palworld_dedicated_server | Waiting for user info...OK
palworld_dedicated_server | Update state (0x5) verifying install, progress: 0.09 (2099239 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 10.69 (239234004 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 23.21 (519488389 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 35.71 (799098416 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 48.08 (1076002833 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 60.50 (1353875473 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 73.01 (1633845265 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 85.25 (1907847333 / 2237883871)
palworld_dedicated_server | Update state (0x5) verifying install, progress: 97.55 (2182984951 / 2237883871)
palworld_dedicated_server | Success! App '2394010' fully installed.
palworld_dedicated_server | >>> Done updating and validating the gameserver files
palworld_dedicated_server | >>> Adding crons to Supercronic
palworld_dedicated_server | > Added backup cron
palworld_dedicated_server | >>> Supercronic started
palworld_dedicated_server | /includes/server.sh: line 8: cd: /palworld: Permission denied
palworld_dedicated_server exited with code 1

can I provide any information?

jammsen commented 2 months ago

> yes i did that ... for me it is the user 1040.
>
> you can see in the beginning of the logs:
>
> Current steam user PUID is '1000' and PGID is '1000'
> palworld_dedicated_server | > Setting new steam user PUID to '1040' and PGID to '100'
> palworld_dedicated_server | groupmod: GID '100' already exists
> palworld_dedicated_server | > id steam: uid=1000(steam) gid=1000(steam) groups=1000(steam)
> palworld_dedicated_server | >>> Starting server manager
> palworld_dedicated_server | > Started at: 2024-04-08 16:14:09
>
> so no clue so far

If you look at your logs you can see it's not getting adapted; therein lies the error. We use a one-liner to set up user and groups all together, but that one-liner returns to you "that your group 100 already exists", so it doesn't do anything, which is evidenced by the next line: it still says it's 1000 for both. Try changing your group ID to something that doesn't bug around.

It should look like this:

palworld-dedicated-server  | > Current steam user PUID is '1000' and PGID is '1000'
palworld-dedicated-server  | > Setting new steam user PUID to '1002' and PGID to '1002'
palworld-dedicated-server  | > id steam: uid=1002(steam) gid=1002(steam) groups=1002(steam)
palworld-dedicated-server  | >>> Starting server manager
palworld-dedicated-server  | > Started at: 2024-04-08 17:10:56

jammsen commented 2 months ago

To clarify what I just said, because I feel like it's not that obvious.

The error occurs because groupmod tries to set up an ID for the steam user and group, but the one you are giving is already present; therefore it errors out and does not do anything, and after that the problems just cascade ?downline?downstream?. You can't have 2 groups with the same ID.

See: https://github.com/jammsen/docker-palworld-dedicated-server/blob/develop/entrypoint.sh#L18

Sakujakira commented 2 months ago

Hello there,

I am one of the mentioned team members of Pretender1988. You have put me on the right track. The PGID used is the standard Linux user group for unprivileged users.

root@SynologyNAS:/volume2/docker/compose/palworld# docker exec -it palworld-dedicated-server /bin/bash
root@SynologyNAS:/home/steam/steamcmd# more /etc/group | grep 100
users:x:100:

As a workaround, I created another group on the host and used this PGID. Now this unassigned PGID can be used to successfully access the server.

Do you think that there is a way to re-use the ID of the group?

Edit: I took a closer look at the man-pages, groupmod -g changes the ID of a group, so it is clear that this cannot happen and the failure is imminent. The exit error in this case should be 4. In this case, it should be possible to catch the error and use groupmod -a instead.

jammsen commented 2 months ago

If you add a user on Linux derivatives, you normally add a group too, just use that one. Also the 100 Groupid is internal in the base-image and the container, not on your host.

Sakujakira commented 2 months ago

> If you add a user on Linux derivatives, you normally add a group too, just use that one.

The Group ID 100 is the default user group for unprivileged users, at least on Debian, Ubuntu, Linux Mint and Synology. A reuse of the ID therefore seems obvious, especially on multi-user systems.

> Also the 100 Groupid is internal in the base-image and the container, not on your host.

This does not make any sense to me. The ID is used on both sides, inside the container and on the host, because it's the default user group on all these systems.

Yes, creating and using a different group id is possible, but I'm running 2 dozen containers, none had problems with the group id 100 so far.

jammsen commented 2 months ago

> > If you add a user on Linux derivatives, you normally add a group too, just use that one.
>
> The Group ID 100 is the default user group for unprivileged users, at least on Debian, Ubuntu, Linux Mint and Synology. A reuse of the ID therefore seems obvious, especially on multi-user systems.

I don't see what this has to do with what I wrote, but yeah, might be; up to you, it's your choice.

> > Also the 100 Groupid is internal in the base-image and the container, not on your host.
>
> This does not make any sense to me. The ID is used on both sides, inside the container and on the host, because it's the default user group on all these systems.

This was more like an example and explainer together.

My point was: you could use any other ID too; it's still only in your container that this group is actively held/needed. And yes, the "ID" is used inside and outside of the container for that file. But this doesn't mean you have to create the group outside of the container on the host. It's the same as doing this:

touch testfile
sudo chown 1234:1234 testfile

The file accepts it and as root you can read it, but everyone else can't, depending on your chmod permissions.

> Yes, creating and using a different group id is possible, but I'm running 2 dozen containers, none had problems with the group id 100 so far.

I'm not sure what you're trying to say, or maybe I'm failing to see your point. Are you running 2 dozen Palworld containers, or what's your point? That "no other container" had this problem doesn't change the fact that not every image/container is equal. This container does things in a way to comply with not only Docker and Docker-Compose but also Portainer, QNAP, Synology and many other weird China NASes.

What's your expectation here? I also don't understand why and how your team and team-member status is relevant here. Please help me to understand.

Radical-Egg commented 2 months ago

Hi, I think what is happening is that users group with gid 100 is a group that ships with many Linux distros as a means to share files and directories. This is an edge case where it could make sense to have the application run as a GID that already exists inside of the container.

Doing something like this might work (I have only tested that the server will start up successfully and not much else):

# entrypoint.sh

if [[ "${PUID}" -eq 0 ]] || [[ "${PGID}" -eq 0 ]]; then
    ee ">>> Running Palworld as root is not supported, please fix your PUID and PGID!"
    exit 1
elif [[ "$(id -u steam)" -ne "${PUID}" ]] || [[ "$(id -g steam)" -ne "${PGID}" ]]; then
    ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
    ew "> Setting new $APP_USER user PUID to '${PUID}' and PGID to '${PGID}'"

    if getent group "${PGID}" &>/dev/null; then
        ew "> Group with GID ${PGID} exists. Change primary APP_GROUP"
        APP_GROUP=$(getent group "${PGID}" | cut -d: -f1)
        ew "> APP_GROUP is now $APP_GROUP"
    else
        groupmod -g "${PGID}" "$APP_GROUP"
    fi

    usermod -u "${PUID}" -g "${PGID}" "$APP_USER"
else 
    ew "> Current $APP_USER user PUID is '$(id -u steam)' and PGID is '$(id -g steam)'"
    ew "> PUID and PGID matching what is requested for user $APP_USER"
fi

output:

palworld-dedicated-server-test | > Current steam user PUID is '1000' and PGID is '1000'
palworld-dedicated-server-test | > Setting new steam user PUID to '1040' and PGID to '100'
palworld-dedicated-server-test | > Group with GID 100 exists. Change primary APP_GROUP
palworld-dedicated-server-test | > APP_GROUP is now users
palworld-dedicated-server-test | > id steam: uid=1040(steam) gid=100(users) groups=100(users)
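
The failure mode in this thread (groupmod refusing a GID that is already taken, after which the entrypoint carries on with the old IDs) can be detected before any account is modified and again before the server starts. The sketch below is an added example, not code from this repository or from any commenter; the function names `write_sample_group_file`, `plan_gid` and `verify_ids` and the sample group file are constructed for illustration.

```shell
# Added example: decide how to apply a requested PGID *before* calling groupmod,
# reading an /etc/group-format file so the logic can be exercised without root.

# Constructed sample mirroring the container in this thread: 'users' owns GID 100.
write_sample_group_file() {
    cat > "$1" <<'EOF'
root:x:0:
users:x:100:
steam:x:1000:
EOF
}

# plan_gid <group_file> <app_group> <requested_gid>
# Prints one of: invalid | reject-root | noop | reuse:<existing_group> | groupmod
plan_gid() {
    local file app_group want current owner
    file=$1; app_group=$2; want=$3
    case $want in ''|*[!0-9]*) echo "invalid"; return 2 ;; esac
    if [ "$want" -eq 0 ]; then echo "reject-root"; return 1; fi
    # GID currently held by the application group, and the group (if any)
    # that already owns the requested GID.
    current=$(awk -F: -v g="$app_group" '$1 == g { print $3; exit }' "$file")
    owner=$(awk -F: -v id="$want" '$3 == id { print $1; exit }' "$file")
    if [ "$current" = "$want" ]; then
        echo "noop"
    elif [ -n "$owner" ]; then
        # groupmod -g would fail with "GID already exists"; make the existing
        # group the user's primary group instead (usermod -g).
        echo "reuse:$owner"
    else
        echo "groupmod"
    fi
}

# verify_ids <actual_uid> <actual_gid> <want_uid> <want_gid>
# Fail-fast check to run after usermod/groupmod, so the server is never
# started with IDs that silently stayed at their old values.
verify_ids() {
    [ "$1" -eq "$3" ] && [ "$2" -eq "$4" ]
}
```

In an entrypoint, `verify_ids "$(id -u steam)" "$(id -g steam)" "$PUID" "$PGID" || exit 1` would have stopped the container at the ID step rather than at the later `cd: /palworld: Permission denied`.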

jammsen commented 2 months ago

Thanks @Radical-Egg for the thoughts, but I feel like they didn't make their case and didn't answer my open questions for 3 weeks now, so I'm gonna inactivity-close this now. (Also the team aspect here confused me; am I now supposed to give support to a game-server hosting company? Feels weird without any context.)

And please also don't forget: if you don't like the way "we" do things here, because we think and value the cosmos of people who use this and want support for, it's an MIT License, just fork the code and make your own adaptations, there are no problems with that.