jfrog / artifactory-docker-examples

Examples for using Artifactory Docker distribution in various environments
https://www.jfrog.com/artifactory/
Apache License 2.0

ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030) #144

Closed marcuschaney closed 5 years ago

marcuschaney commented 5 years ago

Having an issue trying to run Artifactory. Seems to be a known issue, but was supposedly fixed in the latest release. Error below:

/var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
Directory: /var/opt/jfrog/artifactory, permissions: 755, owner: root, group: root
Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
###########################################################
ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)

I attempted the below command after executing "docker-compose -d up"

docker exec -d artifactory chown -R 1030:1030 /var/opt/jfrog/artifactory (this did not resolve the issue)

Am I missing something?

eldada commented 5 years ago

Artifactory runs as user 1030:1030 by default. When passing a volume to the Artifactory container, this directory (on the host) must be writable by the Artifactory user. To test and validate this, just chmod 777 <host-dir> on the host and try again. Can you share the command or yaml used to deploy?

marcuschaney commented 5 years ago

artifactory:
    image: docker.bintray.io/jfrog/artifactory-pro:6.7.3
    container_name: artifactory
    ports:
     - 8081:8081
    volumes:
     - /data/artifactory:/var/opt/jfrog/artifactory
    environment:
     - DB_TYPE=postgresql
     # The following must match the POSTGRES_USER and POSTGRES_PASSWORD values passed to PostgreSQL
     - DB_USER=$${postgres_user}
     - DB_PASSWORD=$${postgres_password}
     - DB_HOST=$${postgres_endpoint}
     - DB_PORT=$${postgres_port}
     # https://github.com/docker/compose/issues/4485
     #You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign.
     #This also prevents Compose from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Compose.
     # Add extra Java options by uncommenting the following line
     #- EXTRA_JAVA_OPTIONS=-Xmx4g
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000

I tried the following, still no luck:

docker exec -d artifactory chmod 777 /var/opt/jfrog/artifactory
docker exec -d artifactory chown -R 1030:1030 /var/opt/jfrog/artifactory

marcuschaney commented 5 years ago

Found an article that mentioned "A workaround seems to be to set the user-id and group-id inside of the docker-compose.yml as described here."

user: "${UID}:${GID}"

Will try that.

eldada commented 5 years ago

The directory on the host, /data/artifactory, needs to be writable by user id 1030. You can test it by just setting chmod -R 777 /data/artifactory and running again.

Your suggested fix can also work, as it makes the Artifactory entrypoint run as the same user as the one on the host that created /data/artifactory.

marcuschaney commented 5 years ago

Thanks for the quick response. I tried that, but I get an "up less than a second" status but then it flaps and restarts.

docker.bintray.io/jfrog/artifactory-pro:6.7.3 "/entrypoint-artifac…" Restarting (1) 1 second ago artifactory

eldada commented 5 years ago

Can you share the error from docker logs? Is it the same?

marcuschaney commented 5 years ago

Yep, it's the same:

###########################################################
/var/opt/jfrog/artifactory DOES NOT have proper permissions for user 'artifactory' (id 1030)
Directory: /var/opt/jfrog/artifactory, permissions: 755, owner: root, group: root
Mounted directory must have read/write permissions for user 'artifactory' (id 1030)
###########################################################
ERROR: Directory /var/opt/jfrog/artifactory has bad permissions for user 'artifactory' (id 1030)

marcuschaney commented 5 years ago

Testing directory /var/opt/jfrog/artifactory has read/write permissions for user 'artifactory' (id 1030)
2019-02-14T16:00:38.171581614Z /entrypoint-artifactory.sh: line 179: /var/opt/jfrog/artifactory/test-permissions: Permission denied

Missed that part of it.

eldada commented 5 years ago

Something does not add up.... Let's try debugging in the following way:

  1. On the host, run ls -la /data/artifactory and paste the output here.
  2. Start the artifactory container with entrypoint override: docker run -it --entrypoint bash -v /data/artifactory:/var/opt/jfrog/artifactory docker.bintray.io/jfrog/artifactory-pro:6.7.3
  3. In the container's prompt run ls -la /var/opt/jfrog/artifactory and paste the output here.

Let's see what we can figure out from this sequence.

marcuschaney commented 5 years ago

[root@ip-10-11-179-82 artifactory]# ls -la /data/artifactory
total 0
drwxrwxrwx. 10 777 artifactory 129 Feb 14 15:50 .
drwxr-xr-x. 3 root root 25 Feb 13 17:53 ..
drwxrwxrwx. 3 777 artifactory 17 Feb 14 15:50 access
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 artifactory_extra_conf
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 backup
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 data
drwxrwxrwx. 3 777 artifactory 42 Feb 14 15:50 etc
drwxrwxrwx. 3 777 artifactory 22 Feb 14 15:51 logs
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 node
drwxrwxrwx. 3 777 artifactory 17 Feb 14 15:50 replicator

artifactory@1779b6d32b88:/$ ls -la /var/opt/jfrog/artifactory
total 0
drwxrwxrwx. 10 777 artifactory 129 Feb 14 15:50 .
drwxr-xr-x. 3 root root 25 Feb 6 07:18 ..
drwxrwxrwx. 3 777 artifactory 17 Feb 14 15:50 access
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 artifactory_extra_conf
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 backup
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 data
drwxrwxrwx. 3 777 artifactory 42 Feb 14 15:50 etc
drwxrwxrwx. 3 777 artifactory 22 Feb 14 15:51 logs
drwxrwxrwx. 2 777 artifactory 6 Feb 14 15:50 node
drwxrwxrwx. 3 777 artifactory 17 Feb 14 15:50 replicator

marcuschaney commented 5 years ago

docker ps
1779b6d32b88 docker.bintray.io/jfrog/artifactory-pro:6.7.3 "bash" 33 minutes ago Up 33 minutes 8081/tcp priceless_brown
dffd4965630b docker.bintray.io/jfrog/artifactory-pro:6.7.3 "/entrypoint-artifac…" About an hour ago Restarting (1) 9 seconds ago artifactory

eldada commented 5 years ago

Looks like something is wrong with the permissions on /data/artifactory. The user id set is 777. What command did you use to set the permissions on /data/artifactory?

marcuschaney commented 5 years ago

[root@ip-10-11-179-82 centos]# \ls -la /data/artifactory
total 0
drwxrwxrwx. 10 artifactory artifactory 129 Feb 14 15:50 .
drwxr-xr-x. 3 root root 25 Feb 13 17:53 ..
drwxrwxrwx. 3 artifactory artifactory 17 Feb 14 15:50 access
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 artifactory_extra_conf
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 backup
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 data
drwxrwxrwx. 3 artifactory artifactory 42 Feb 14 15:50 etc
drwxrwxrwx. 3 artifactory artifactory 22 Feb 14 15:51 logs
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 node
drwxrwxrwx. 3 artifactory artifactory 17 Feb 14 15:50 replicator

artifactory@7bbc6c816cbd:/$ ls -la /var/opt/jfrog/artifactory
total 0
drwxrwxrwx. 10 artifactory artifactory 129 Feb 14 15:50 .
drwxr-xr-x. 3 root root 25 Feb 6 07:18 ..
drwxrwxrwx. 3 artifactory artifactory 17 Feb 14 15:50 access
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 artifactory_extra_conf
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 backup
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 data
drwxrwxrwx. 3 artifactory artifactory 42 Feb 14 15:50 etc
drwxrwxrwx. 3 artifactory artifactory 22 Feb 14 15:51 logs
drwxrwxrwx. 2 artifactory artifactory 6 Feb 14 15:50 node
drwxrwxrwx. 3 artifactory artifactory 17 Feb 14 15:50 replicator

Accidentally did a chown 777 ... doh! However, after doing "chown -R 1030:1030 /data/artifactory" and "chmod -R 777 /data/artifactory", I still get the same error.

marcuschaney commented 5 years ago

So, after creating a subdirectory for /data/artifactory/ (/data/artifactory/artifactory_extra_conf) then binding that to /var/opt/jfrog/artifactory, I was able to successfully run Artifactory.

Now trying to figure out a web UI access issue.

jainishshah17 commented 5 years ago

@marcuschaney Can you check browser's developer tool console and let us know what error you get for UI?

marcuschaney commented 5 years ago

Current status: 0.0.0.0:8181->8081/tcp (docker ps)

tcp6 0 0 :::8181 :::* LISTEN 12221/docker-proxy (netstat -tlpn)

Configs:

version: '2'
services:
  artifactory:
    image: docker.bintray.io/jfrog/artifactory-pro:6.7.3
    container_name: artifactory
    ports:
     - 8181:8081
    volumes:
     - /data/artifactory/artifactory_extra_conf:/var/opt/jfrog/artifactory
    environment:
     - DB_TYPE=postgresql
     # The following must match the POSTGRES_USER and POSTGRES_PASSWORD values passed to PostgreSQL
     - DB_USER=$${postgres_user}
     - DB_PASSWORD=$${postgres_password}
     - DB_HOST=$${postgres_endpoint}
     - DB_PORT=$${postgres_port}
     # https://github.com/docker/compose/issues/4485
     #You can use a $$ (double-dollar sign) when your configuration needs a literal dollar sign.
     #This also prevents Compose from interpolating a value, so a $$ allows you to refer to environment variables that you don’t want processed by Compose.
    restart: always
    ulimits:
      nproc: 65535
      nofile:
        soft: 32000
        hard: 40000

I'm seeing nothing under "console" when running developer tools, just getting an "ERR_CONNECTION_REFUSED". So I'm sure it's something I'm doing wrong. I ensured 8081 and 8181 were open via firewalld, but still get: "Ncat: Connection refused." when attempting those ports.

curl http://localhost:8181/artifactory
curl: (56) Recv failure: Connection reset by peer

curl http://localhost:8081/artifactory
curl: (7) Failed connect to localhost:8081; Connection refused

Anything else I'm missing?

eldada commented 5 years ago

@marcuschaney - are you sure Artifactory started up properly? Go in to the artifactory container and try curl -L http://localhost:8081/artifactory. If that's ok, it's surely a local Docker networking issue. I tried your yaml example and it works for me.

deeco commented 5 years ago

+1 for adding to docker compose file user: "${UID}:${GID}"

artifactory:
    image: docker.bintray.io/jfrog/artifactory-oss:latest
    user: "${UID}:${GID}"

works after adding to docker compose file

eldada commented 5 years ago

@deeco - users might not want to run the Artifactory as their own user id and might actually opt for a dedicated service account. So this is a great idea for local examples, but might mess up production setups. I agree this option should be made visible. How about adding it commented out with an explanation for it?

subham371 commented 5 years ago

Came across the same issue a few days earlier, found that it was caused by SELinux not allowing the volume mount. Executing the following command resolved the issue for me:

chcon -Rt svirt_sandbox_file_t </path/to/volume/on/docker/host>

daniyalj commented 5 years ago

Running into the same issue on OpenShift. The init-container setting permissions for 1030:1030 gets permission denied.

joshbranham commented 5 years ago

Just a heads up here I ran into this same issue. In my case I had a restore tar file/folder inside /var/opt/jfrog/artifactory that was owned by root. This script really should only look at what it cares about and not other files/folders?

daniyalj commented 5 years ago

Think this issue is good to close. I've done iterative testing of the deployment and I haven't seen it after #148

eldada commented 5 years ago

I'm closing this. If anyone still has a problem, please open a new issue with the specific scenario. Thx.
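A host-side preflight for two causes reported in this thread, a wrong owner on the bind-mount source and stray root-owned files inside it. This is an added example, not code from the jfrog repository; the function names are hypothetical, and 1030:1030 is the Artifactory user and group given in the comments above.

```bash
# Added example, not from the jfrog repository; function names are hypothetical.
# Run on the Docker host against the bind-mount source directory.
# Only owner/group/other mode bits are evaluated: supplementary groups,
# ACLs and SELinux labels are out of scope.

# dac_writable UID GID DIR: succeed if UID:GID may create files in DIR.
dac_writable() {
    local uid="$1" gid="$2" dir="$3" info mode bits
    info=$(stat -c '%u %g %a' "$dir") || return 2   # numeric owner, group, octal mode
    set -- $info
    mode=$((0$3))
    [ "$uid" -eq 0 ] && return 0                    # root bypasses mode bits
    if   [ "$uid" -eq "$1" ]; then bits=$(( (mode >> 6) & 7 ))
    elif [ "$gid" -eq "$2" ]; then bits=$(( (mode >> 3) & 7 ))
    else                           bits=$(( mode & 7 ))
    fi
    [ $(( bits & 3 )) -eq 3 ]                       # write (2) plus search (1)
}

# foreign_entries UID DIR: list entries under DIR that UID does not own,
# e.g. a root-owned restore archive left inside the data directory.
foreign_entries() {
    find "$2" ! -uid "$1" -print
}

# preflight DIR [UID] [GID]: report on DIR for the container user.
# Numeric IDs are printed, so a mistaken "chown 777" shows up as owner=777.
preflight() {
    local dir="$1" uid="${2:-1030}" gid="${3:-1030}"
    if ! dac_writable "$uid" "$gid" "$dir"; then
        echo "FAIL: $(stat -c 'owner=%u group=%g mode=%a' "$dir") denies write to $uid:$gid"
        return 1
    fi
    echo "OK: mode bits allow $uid:$gid to write to $dir"
    foreign_entries "$uid" "$dir" | sed 's/^/not owned by target uid: /'
}

# Usage: ./preflight.sh /data/artifactory
if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

If this reports OK and the container still logs "Permission denied", the mode bits are not the cause, and the SELinux label on the host path is the next thing to check, as in the chcon comment above.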

vrqq commented 4 years ago

Two Points

Check whether your container service has a subuid / subgid setting

[vrqq@localhost]$ cat /etc/subuid
vrqq:100000:65536

[vrqq@localhost]$ cat /etc/subgid
vrqq:100000:65536

Then the "user id=1030 in container" is 101029 in bare OS. The "root(id=0) in container" is the current user id in bare OS.

Another way to check the running UID in the container is to run this image without -v. It will then run successfully, and you can use ps uax|grep artifactory to check the user id.

As in the example below, you would run

sudo chown -Rf 101029:101029 /mnt/data/artifactory/var

Do not forget sudo when running as a normal user.

Check about SELinux

Try adding the :Z suffix after the volume mapping parameter, for example:

podman run --name myrepo --rm -v /mnt/data/artifactory/var/:/var/opt/jfrog/artifactory:Z -p 8081:8081 -p 8082:8082 -i docker.bintray.io/jfrog/artifactory-cpp-ce:latest

Note: The docker distribution running on RHEL series is podman.
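The subuid arithmetic from the comment above as a reusable function. This is an added example, not part of the original comment; the function name is hypothetical, and it assumes the default rootless mapping and reads only the user's first range in the subuid file.

```bash
# Added example, not part of the original comment; the function name is hypothetical.
# Assumes the default rootless mapping: container UID 0 is the invoking user,
# container UIDs 1..count map onto the user's first range in /etc/subuid.

# rootless_host_uid USER CONTAINER_UID [SUBUID_FILE]
# Prints the host UID that owns files written by CONTAINER_UID.
rootless_host_uid() {
    local user="$1" cuid="$2" file="${3:-/etc/subuid}" range
    if [ "$cuid" -eq 0 ]; then
        id -u "$user"                      # container root is the user itself
        return
    fi
    # Entries look like name:start:count; use the first one for USER.
    range=$(awk -F: -v u="$user" '$1 == u { print $2, $3; exit }' "$file")
    if [ -z "$range" ]; then
        echo "no subuid range for $user in $file" >&2
        return 1
    fi
    set -- $range                          # $1=start, $2=count
    if [ "$cuid" -gt "$2" ]; then
        echo "container UID $cuid is outside the $2 mapped IDs" >&2
        return 1
    fi
    echo $(( $1 + cuid - 1 ))
}

# Usage: sudo chown -R "$(rootless_host_uid "$USER" 1030)" /mnt/data/artifactory/var
```

Passing /etc/subgid as the third argument gives the matching host GID.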