jlesage / docker-jdownloader-2

Docker container for JDownloader 2
MIT License

Cannot start container "permission denied" on file in config folder #135

Open NickSChristiansen opened 1 year ago

NickSChristiansen commented 1 year ago

I'm getting this error no matter if I set the config to a local folder or an NFS share (both brand new dirs). I also seem to get it regardless of the image, as I have now tested the following images: 22.11.1, 22.12.2, 23.01.1

[cont-env    ] XDG_RUNTIME_DIR: loading...
[cont-env    ] XDG_STATE_HOME: loading...
[cont-env    ] container environment variables initialized.
[cont-secrets] loading container secrets...
[cont-secrets] container secrets loaded.
[cont-init   ] executing container initialization scripts...
[cont-init   ] 10-certs.sh: executing...
[cont-init   ] 10-certs.sh: terminated successfully.
[cont-init   ] 10-check-app-niceness.sh: executing...
[cont-init   ] 10-check-app-niceness.sh: terminated successfully.
[cont-init   ] 10-cjk-font.sh: executing...
[cont-init   ] 10-cjk-font.sh: terminated successfully.
[cont-init   ] 10-clean-logmonitor-states.sh: executing...
[cont-init   ] 10-clean-logmonitor-states.sh: terminated successfully.
[cont-init   ] 10-clean-tmp-dir.sh: executing...
[cont-init   ] 10-clean-tmp-dir.sh: terminated successfully.
[cont-init   ] 10-fontconfig-cache-dir.sh: executing...
[cont-init   ] 10-fontconfig-cache-dir.sh: terminated successfully.
[cont-init   ] 10-init-users.sh: executing...
[cont-init   ] 10-init-users.sh: terminated successfully.
[cont-init   ] 10-nginx.sh: executing...
[cont-init   ] 10-nginx.sh: terminated successfully.
[cont-init   ] 10-openbox.sh: executing...
[cont-init   ] 10-openbox.sh: terminated successfully.
[cont-init   ] 10-set-tmp-dir-perms.sh: executing...
[cont-init   ] 10-set-tmp-dir-perms.sh: terminated successfully.
[cont-init   ] 10-vnc-password.sh: executing...
[cont-init   ] 10-vnc-password.sh: terminated successfully.
[cont-init   ] 10-web-data.sh: executing...
[cont-init   ] 10-web-data.sh: terminated successfully.
[cont-init   ] 10-x11-unix.sh: executing...
[cont-init   ] 10-x11-unix.sh: terminated successfully.
[cont-init   ] 10-xdg-runtime-dir.sh: executing...
[cont-init   ] 10-xdg-runtime-dir.sh: terminated successfully.
[cont-init   ] 15-install-pkgs.sh: executing...
[cont-init   ] 15-install-pkgs.sh: terminated successfully.
[cont-init   ] 55-jdownloader2.sh: executing...
[cont-init   ] 55-jdownloader2.sh: jq: error: Could not open file /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json: Permission denied
[cont-init   ] 55-jdownloader2.sh: terminated with error 2.
[init        ] container is starting...
[cont-env    ] loading container environment variables...
[cont-env    ] APP_NAME: loading...
[cont-env    ] DISPLAY: executing...
[cont-env    ] DISPLAY: terminated successfully.
[cont-env    ] DISPLAY: loading...
[cont-env    ] DOCKER_IMAGE_PLATFORM: loading...
[cont-env    ] DOCKER_IMAGE_VERSION: loading...
[cont-env    ] GTK_THEME: executing...
[cont-env    ] GTK_THEME: terminated successfully.
[cont-env    ] GTK_THEME: loading...
[cont-env    ] HOME: loading...
[cont-env    ] INSTALL_PACKAGES_INTERNAL: executing...
[cont-env    ] INSTALL_PACKAGES_INTERNAL: terminated successfully.
[cont-env    ] INSTALL_PACKAGES_INTERNAL: loading...
[cont-env    ] QT_STYLE_OVERRIDE: executing...
[cont-env    ] QT_STYLE_OVERRIDE: terminated successfully.
[cont-env    ] QT_STYLE_OVERRIDE: loading...
[cont-env    ] TAKE_CONFIG_OWNERSHIP: loading...
[cont-env    ] XDG_CACHE_HOME: loading...
[cont-env    ] XDG_CONFIG_HOME: loading...
[cont-env    ] XDG_DATA_HOME: loading...
[cont-env    ] XDG_RUNTIME_DIR: loading...
[cont-env    ] XDG_STATE_HOME: loading...
[cont-env    ] container environment variables initialized.
[cont-secrets] loading container secrets...
[cont-secrets] container secrets loaded.
[cont-init   ] executing container initialization scripts...
[cont-init   ] 10-certs.sh: executing...
[cont-init   ] 10-certs.sh: terminated successfully.
[cont-init   ] 10-check-app-niceness.sh: executing...
[cont-init   ] 10-check-app-niceness.sh: terminated successfully.
[cont-init   ] 10-cjk-font.sh: executing...
[cont-init   ] 10-cjk-font.sh: terminated successfully.
[cont-init   ] 10-clean-logmonitor-states.sh: executing...
[cont-init   ] 10-clean-logmonitor-states.sh: terminated successfully.
[cont-init   ] 10-clean-tmp-dir.sh: executing...
[cont-init   ] 10-clean-tmp-dir.sh: terminated successfully.
[cont-init   ] 10-fontconfig-cache-dir.sh: executing...
[cont-init   ] 10-fontconfig-cache-dir.sh: terminated successfully.
[cont-init   ] 10-init-users.sh: executing...
[cont-init   ] 10-init-users.sh: terminated successfully.
[cont-init   ] 10-nginx.sh: executing...
[cont-init   ] 10-nginx.sh: terminated successfully.
[cont-init   ] 10-openbox.sh: executing...
[cont-init   ] 10-openbox.sh: terminated successfully.
[cont-init   ] 10-set-tmp-dir-perms.sh: executing...
[cont-init   ] 10-set-tmp-dir-perms.sh: terminated successfully.
[cont-init   ] 10-vnc-password.sh: executing...
[cont-init   ] 10-vnc-password.sh: terminated successfully.
[cont-init   ] 10-web-data.sh: executing...
[cont-init   ] 10-web-data.sh: terminated successfully.
[cont-init   ] 10-x11-unix.sh: executing...
[cont-init   ] 10-x11-unix.sh: terminated successfully.
[cont-init   ] 10-xdg-runtime-dir.sh: executing...
[cont-init   ] 10-xdg-runtime-dir.sh: terminated successfully.
[cont-init   ] 15-install-pkgs.sh: executing...
[cont-init   ] 15-install-pkgs.sh: terminated successfully.
[cont-init   ] 55-jdownloader2.sh: executing...
[cont-init   ] 55-jdownloader2.sh: jq: error: Could not open file /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json: Permission denied
[cont-init   ] 55-jdownloader2.sh: terminated with error 2.

The file that throws the "Permission denied" error is always made by 0:0 (root:root) when inspecting permissions, despite me setting the UID and GID to 3000:3002 (nicksc:Docker). Manually changing the permission on the failing file does not fix the error.

root@truenas[/mnt/Alpha/Docker/jdownloader2/cfg]# ls -l
total 81
drwxrwx--- 2 nicksc Docker   3 Jan 25 00:18 laf
-rw------- 1 root   root   140 Jan 25 00:46 org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json
-rwxrwx--- 1 nicksc Docker  50 Jan 25 00:18 org.jdownloader.gui.jdtrayicon.TrayExtension.json
-rwxrwx--- 1 nicksc Docker  43 Jan 25 00:18 org.jdownloader.gui.notify.gui.BubbleNotifyConfig.json
-rwxrwx--- 1 nicksc Docker  54 Jan 25 00:18 org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.downloaddestinationhistory.json
-rwxrwx--- 1 nicksc Docker  52 Jan 25 00:18 org.jdownloader.gui.views.linkgrabber.addlinksdialog.LinkgrabberSettings.json
-rwxrwx--- 1 nicksc Docker  42 Jan 25 00:18 org.jdownloader.settings.GeneralSettings.json
-rwxrwx--- 1 nicksc Docker  36 Jan 25 00:18 org.jdownloader.settings.GraphicalUserInterfaceSettings.json
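
The listing above can be checked mechanically. The following is an added example, not part of the original thread or of the project's code: it applies the POSIX permission class order (owner, then group, then other) to `ls -l` lines and prints the entries a given user and group cannot read. The function names are hypothetical, and ACLs and supplementary groups are ignored as a stated assumption.

```shell
#!/bin/sh
# Added example (not from the thread): flag entries in `ls -l` output that a
# given user/group cannot read. Only the classic mode bits are evaluated;
# ACLs and supplementary groups are ignored (assumption).

# unreadable_by USER GROUP   (reads `ls -l` lines on stdin, prints names)
unreadable_by() {
    awk -v u="$1" -v g="$2" '
        $1 !~ /^[-d]/ || NF < 9 { next }      # skip "total N" and other lines
        {
            mode = $1; owner = $3; group = $4
            name = $9
            for (i = 10; i <= NF; i++) name = name " " $i
            # Exactly one class applies: owner wins over group, group over other.
            if (owner == u)      bit = substr(mode, 2, 1)
            else if (group == g) bit = substr(mode, 5, 1)
            else                 bit = substr(mode, 8, 1)
            if (bit != "r") print name
        }'
}

# Three lines copied from the listing in the report above.
listing() {
cat <<'EOF'
total 81
drwxrwx--- 2 nicksc Docker   3 Jan 25 00:18 laf
-rw------- 1 root   root   140 Jan 25 00:46 org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json
-rwxrwx--- 1 nicksc Docker  50 Jan 25 00:18 org.jdownloader.gui.jdtrayicon.TrayExtension.json
EOF
}

# Which entries can nicksc:Docker not read?
listing | unreadable_by nicksc Docker
```
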

jlesage commented 1 year ago

How do you create the container? Can you share your docker run command or compose file, etc?

NickSChristiansen commented 1 year ago

Docker compose. This is the entire file - except "****" which indicates some info I've removed:

version: "3.8"
services:
  jdownloader-2:
    hostname: jdownloader2
    container_name: jdownloader2
    image: jlesage/jdownloader-2:v22.11.1
    environment:
      - DARK_MODE=1
      - MYJDOWNLOADER_EMAIL=****
      - MYJDOWNLOADER_PASSWORD=****
      - MYJDOWNLOADER_DEVICE_NAME=****
      - TZ=Europe/Berlin
      - LANG=en_US.UTF-8
      - USER_ID=3000
      - GROUP_ID=3002
    ports:
      - "5800:5800"
    volumes:
      - type: volume
        source: jdownloader2-config
        target: /config
        volume:
          nocopy: true
      - type: volume
        source: download
        target: /output
        volume:
          nocopy: true
    networks:
      LAN:
        ipv4_address: ****
    restart: unless-stopped
volumes:
  jdownloader2-config:
    driver_opts:
      type: nfs
      o: addr=****,nolock,soft,rw
      device: :/mnt/Alpha/Docker/jdownloader2
  download:
    driver_opts:
      type: nfs
      o: addr=****,nolock,soft,rw
      device: :/mnt/Alpha/Download/downloads
networks:
  LAN:
    external: true

jlesage commented 1 year ago

The error you get really seems to be related to NFS. The NFS server should allow access from both root and from the user defined by USER_ID/GROUP_ID. When starting, initialization is done by the root user. Then the remaining actions are done by the non-root, defined user.

Also, are you sure you get the exact same error when not using NFS?

NickSChristiansen commented 1 year ago

I just can't see the error coming from NFS. I have 8 other containers that use the exact same permissions on the exact same shares, without issue.

But you are right, I'm not getting the same error when not using NFS. What I am getting is an error on the same file:

[cont-init   ] 55-jdownloader2.sh: jq: error: Could not open file /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json: No such file or directory

EDIT: Why is initialization done by root user? Because then this is clearly the issue when using NFS. No other container I have does that and more to my NFS issue, root is not allowed. Only the nicksc user.

jlesage commented 1 year ago

> Why is initialization done by root user?

Init scripts that are part of the startup of the container are run as root because they have to perform actions requiring root access. For example, they set up Linux users and groups, initialize system configuration files, install packages, etc.

Currently, init scripts don't behave differently if they write to /config or to another part of the system. One of the last init scripts makes sure that all files under /config are owned by the user defined by USER_ID.

jlesage commented 1 year ago

What NFS server are you using? And what is the configuration you are using to restrict user?

crbon commented 1 year ago

I'm using an NFS share mapped to /mnt/nfs/media/.

This is my docker-compose.yml - nothing fancy

version: '3'
services:
  jdownloader-2:
    container_name: jdownloader-2
    image: jlesage/jdownloader-2:latest
    ports:
      - "5800:5800"
      - "8297:8297" #added for custom httpAPI
    environment:
      - PUID=1000 # make sure this matches your user UID
      - PGID=1000 # make sure this matches your user GID
    volumes:
      - "./config:/config:rw"
      - "/mnt/nfs/media/jdl:/output:rw"
    restart: unless-stopped

jlesage commented 1 year ago

@crbon, not sure where PUID and PGID are coming from, but they are not used by this container. See https://github.com/jlesage/docker-jdownloader-2#environment-variables.

jlesage commented 1 year ago

@NickSChristiansen, I partially reproduced your issue by using a Linux NFS server with the following export:

/srv/nfs *(rw,sync,no_subtree_check,root_squash,insecure)

However, because any action done by root is denied, the startup of the container fails much sooner than in your case. So I would still be interested in your NFS server configuration to make sure that a potential solution covers all cases.

NickSChristiansen commented 1 year ago

These are my export settings, with 3000 being the "nicksc" user.

(sec=sys,rw,anonuid=3000,no_subtree_check)

jlesage commented 1 year ago

Don't you need to also set anongid to 3002 to match your Docker group?

The root_squash option is enabled by default, meaning that requests from root are mapped to the configured anonymous user (i.e. the one set by anonuid/anongid).

Without anongid, the anonymous group should default to nogroup (65534). This is what I see from my side.
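
The squash rules described in the comment above can be worked through for the export strings quoted in this thread. This is an added example, not part of the original discussion or of the project's code: it assumes Linux exports(5) semantics (root_squash on by default, anonuid/anongid defaulting to 65534), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Linux exports(5) semantics:
# root_squash is on by default and anonuid/anongid default to 65534.

# squashed_root "<export line or option list>" -> prints the uid:gid that a
# client-side root request is served as by the NFS server.
squashed_root() (
    case $1 in
        *"("*) opts=${1#*"("}; opts=${opts%%")"*} ;;   # keep text inside ( )
        *)     opts=$1 ;;
    esac
    root_squash=1 all_squash=0 uid=65534 gid=65534
    IFS=,; set -f                      # split on commas, no globbing
    for o in $opts; do
        case $o in
            no_root_squash) root_squash=0 ;;
            root_squash)    root_squash=1 ;;
            all_squash)     all_squash=1 ;;
            no_all_squash)  all_squash=0 ;;
            anonuid=*)      uid=${o#anonuid=} ;;
            anongid=*)      gid=${o#anongid=} ;;
        esac
    done
    if [ "$root_squash" -eq 1 ] || [ "$all_squash" -eq 1 ]; then
        echo "$uid:$gid"
    else
        echo "0:0"
    fi
)

# check_export "<export>" USER_ID GROUP_ID -> exit 0 when files written by the
# root-run init scripts would be created as USER_ID:GROUP_ID on the server.
check_export() {
    served=$(squashed_root "$1")
    if [ "$served" = "$2:$3" ]; then
        echo "match: root requests are served as $served"
    else
        echo "differs: root requests are served as $served, app user is $2:$3"
        return 1
    fi
}

# Export strings quoted in the thread, checked against USER_ID=3000 GROUP_ID=3002.
check_export '(sec=sys,rw,anonuid=3000,no_subtree_check)' 3000 3002 || true
check_export '(sec=sys,rw,anonuid=3000,anongid=3002,no_subtree_check)' 3000 3002 || true
```
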

jlesage commented 1 year ago

With this export (1000 being my user that I also use for USER_ID / GROUP_ID):

/srv/nfs *(sec=sys,rw,anonuid=1000,anongid=1000,no_subtree_check)

I only get this message, which doesn't prevent the container from loading:

[cont-init   ] 55-jdownloader2.sh: mv: can't preserve ownership of '/config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json': Operation not permitted

NickSChristiansen commented 1 year ago

On my TrueNAS NFS share, the group defaults to root evidently, as the file whose permissions are taken over by root user are also taken over by the root group (0:0).

Is your user(1000) part of the root group? Or has root-like access? Because "nicksc" is only part of groups I created. No root nor admin groups.

Adding anongid=3002 gets me the same error as previously:

[cont-init   ] 55-jdownloader2.sh: jq: error: Could not open file /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json: Permission denied

jlesage commented 1 year ago

> On my TrueNAS NFS share, the group defaults to root evidently, as the file whose permissions are taken over by root user are also taken over by the root group (0:0).
>
> Adding anongid=3002 gets me the same error as previously:

Yeah this is strange. According to your export config, you should never have files owned by root in the NFS share.

Looks like the export config doesn't do anything?

> Is your user(1000) part of the root group? Or has root-like access? Because "nicksc" is only part of groups I created. No root nor admin groups.

No, this is a standard user that is only part of group 1000.

jlesage commented 1 year ago

Tried to reproduce with TrueNAS (Core and SCALE) without success.

I installed TrueNAS in a VM. I created a dummy pool, a user test (1000/1000) and enabled NFS with the following settings:

[image: Screenshot 2023-01-31 at 7 14 36 PM]

On the client machine, I mounted the NFS share like this:

sudo mount -o nolock,soft,rw 192.168.2.142:/mnt/MyPool/NFSShare /mnt/local_nfs3

Then I create and start the container:

docker run --rm -ti -e USER_ID=1000 -e GROUP_ID=1000 -e MYJDOWNLOADER_EMAIL=test@example.com -e MYJDOWNLOADER_PASSWORD=test -v /mnt/local_nfs3:/config:rw jlesage/jdownloader-2

jlesage commented 1 year ago

Also, make sure that on the server, the directory exposed to NFS is owned by 3000:3002(nicksc:Docker).

crbon commented 1 year ago

> @crbon, not sure where PUID and PGID are coming from, but they are not used by this container. See https://github.com/jlesage/docker-jdownloader-2#environment-variables.

Mistake on my end. Must have come across when I switched from another docker image

NickSChristiansen commented 1 year ago

The dataset, and the permissions: [image: dataset]

The share: [image: share]

And now the export looks like this with the group included:

(sec=sys,rw,anonuid=3000,anongid=3002,no_subtree_check)

The mount is created by the docker compose file, which is the same as the one I posted before, but here it is again just for good measure:

version: "3.8"
services:
  jdownloader-2:
    hostname: jdownloader2
    container_name: jdownloader2
    image: jlesage/jdownloader-2:latest
    environment:
      - DARK_MODE=1
      - MYJDOWNLOADER_EMAIL=****
      - MYJDOWNLOADER_PASSWORD=****
      - MYJDOWNLOADER_DEVICE_NAME=****
      - TZ=Europe/Berlin
      - LANG=en_US.UTF-8
      - USER_ID=3000
      - GROUP_ID=3002
    ports:
      - "5800:5800"
    volumes:
      - type: volume
        source: jdownloader2-config
        target: /config
        volume:
          nocopy: true
      - type: volume
        source: download
        target: /output
        volume:
          nocopy: true
    networks:
      LAN:
        ipv4_address: ****
    restart: unless-stopped
volumes:
  jdownloader2-config:
    driver_opts:
      type: nfs
      o: addr=****,nolock,soft,rw
      device: :/mnt/Alpha/Docker/jdownloader2
  download:
    driver_opts:
      type: nfs
      o: addr=****,nolock,soft,rw
      device: :/mnt/Alpha/Download/downloads
networks:
  LAN:
    external: true

I've also tried creating the mounts outside of the compose file, but I get the same result.

jlesage commented 1 year ago

And `ls -ld /mnt/Alpha/Docker` (server/TrueNAS side) shows the correct ownership?

NickSChristiansen commented 1 year ago

Yep [image: permissions]

jlesage commented 1 year ago

Humm, don't we see that the owner of the folder has an ID of 770 instead of being nicksc?

NickSChristiansen commented 1 year ago

Whoops, sorry! I stripped the ACLs and forgot to reapply them... D'oh! [image: missing ACLs]

Here is the permission, after the ACLs are reapplied: [image: permissionsWithCorrectACL]

... Though I have no idea who user 770 is, as that user doesn't exist on TrueNAS... [image: usersWithIds]

jlesage commented 1 year ago

Ok and now that this is fixed, do you still have an issue with the container not starting? Make sure that all files have the correct owner before starting it...

NickSChristiansen commented 1 year ago

Yep, just like all the other times I've reset the ACLs, with the same error:

2023-02-03T13:45:59.668609005Z [init        ] container is starting...
2023-02-03T13:45:59.668637238Z [cont-env    ] loading container environment variables...
2023-02-03T13:45:59.670425404Z [cont-env    ] APP_NAME: loading...
2023-02-03T13:45:59.671828513Z [cont-env    ] DISPLAY: executing...
2023-02-03T13:45:59.674227412Z [cont-env    ] DISPLAY: terminated successfully.
2023-02-03T13:45:59.674448500Z [cont-env    ] DISPLAY: loading...
2023-02-03T13:45:59.675169461Z [cont-env    ] DOCKER_IMAGE_PLATFORM: loading...
2023-02-03T13:45:59.676376590Z [cont-env    ] DOCKER_IMAGE_VERSION: loading...
2023-02-03T13:45:59.677552660Z [cont-env    ] GTK_THEME: executing...
2023-02-03T13:45:59.679886588Z [cont-env    ] GTK_THEME: terminated successfully.
2023-02-03T13:45:59.680129366Z [cont-env    ] GTK_THEME: loading...
2023-02-03T13:45:59.680854084Z [cont-env    ] HOME: loading...
2023-02-03T13:45:59.682015386Z [cont-env    ] INSTALL_PACKAGES_INTERNAL: executing...
2023-02-03T13:45:59.683395513Z [cont-env    ] INSTALL_PACKAGES_INTERNAL: terminated successfully.
2023-02-03T13:45:59.683636548Z [cont-env    ] INSTALL_PACKAGES_INTERNAL: loading...
2023-02-03T13:45:59.684357499Z [cont-env    ] QT_STYLE_OVERRIDE: executing...
2023-02-03T13:45:59.686530001Z [cont-env    ] QT_STYLE_OVERRIDE: terminated successfully.
2023-02-03T13:45:59.686757190Z [cont-env    ] QT_STYLE_OVERRIDE: loading...
2023-02-03T13:45:59.687453485Z [cont-env    ] TAKE_CONFIG_OWNERSHIP: loading...
2023-02-03T13:45:59.688597264Z [cont-env    ] XDG_CACHE_HOME: loading...
2023-02-03T13:45:59.689751423Z [cont-env    ] XDG_CONFIG_HOME: loading...
2023-02-03T13:45:59.690923285Z [cont-env    ] XDG_DATA_HOME: loading...
2023-02-03T13:45:59.692121868Z [cont-env    ] XDG_RUNTIME_DIR: loading...
2023-02-03T13:45:59.693249687Z [cont-env    ] XDG_STATE_HOME: loading...
2023-02-03T13:45:59.694402064Z [cont-env    ] container environment variables initialized.
2023-02-03T13:45:59.694412603Z [cont-secrets] loading container secrets...
2023-02-03T13:45:59.694460284Z [cont-secrets] container secrets loaded.
2023-02-03T13:45:59.694466656Z [cont-init   ] executing container initialization scripts...
2023-02-03T13:45:59.695396611Z [cont-init   ] 10-certs.sh: executing...
2023-02-03T13:45:59.697400686Z [cont-init   ] 10-certs.sh: terminated successfully.
2023-02-03T13:45:59.697917821Z [cont-init   ] 10-check-app-niceness.sh: executing...
2023-02-03T13:45:59.699046612Z [cont-init   ] 10-check-app-niceness.sh: terminated successfully.
2023-02-03T13:45:59.699554432Z [cont-init   ] 10-cjk-font.sh: executing...
2023-02-03T13:45:59.701509422Z [cont-init   ] 10-cjk-font.sh: terminated successfully.
2023-02-03T13:45:59.702053911Z [cont-init   ] 10-clean-logmonitor-states.sh: executing...
2023-02-03T13:45:59.703399441Z [cont-init   ] 10-clean-logmonitor-states.sh: terminated successfully.
2023-02-03T13:45:59.703893033Z [cont-init   ] 10-clean-tmp-dir.sh: executing...
2023-02-03T13:45:59.705315699Z [cont-init   ] 10-clean-tmp-dir.sh: terminated successfully.
2023-02-03T13:45:59.705844828Z [cont-init   ] 10-fontconfig-cache-dir.sh: executing...
2023-02-03T13:45:59.706951758Z [cont-init   ] 10-fontconfig-cache-dir.sh: terminated successfully.
2023-02-03T13:45:59.707429780Z [cont-init   ] 10-init-users.sh: executing...
2023-02-03T13:45:59.717983617Z [cont-init   ] 10-init-users.sh: terminated successfully.
2023-02-03T13:45:59.718534627Z [cont-init   ] 10-nginx.sh: executing...
2023-02-03T13:45:59.762675468Z [cont-init   ] 10-nginx.sh: terminated successfully.
2023-02-03T13:45:59.763199628Z [cont-init   ] 10-openbox.sh: executing...
2023-02-03T13:45:59.802240058Z [cont-init   ] 10-openbox.sh: terminated successfully.
2023-02-03T13:45:59.802861241Z [cont-init   ] 10-set-tmp-dir-perms.sh: executing...
2023-02-03T13:45:59.804130187Z [cont-init   ] 10-set-tmp-dir-perms.sh: terminated successfully.
2023-02-03T13:45:59.804558946Z [cont-init   ] 10-vnc-password.sh: executing...
2023-02-03T13:45:59.805543325Z [cont-init   ] 10-vnc-password.sh: terminated successfully.
2023-02-03T13:45:59.805974028Z [cont-init   ] 10-web-data.sh: executing...
2023-02-03T13:45:59.808500128Z [cont-init   ] 10-web-data.sh: terminated successfully.
2023-02-03T13:45:59.809002125Z [cont-init   ] 10-x11-unix.sh: executing...
2023-02-03T13:45:59.810487019Z [cont-init   ] 10-x11-unix.sh: terminated successfully.
2023-02-03T13:45:59.810946727Z [cont-init   ] 10-xdg-runtime-dir.sh: executing...
2023-02-03T13:45:59.812970608Z [cont-init   ] 10-xdg-runtime-dir.sh: terminated successfully.
2023-02-03T13:45:59.813503705Z [cont-init   ] 15-install-pkgs.sh: executing...
2023-02-03T13:45:59.814497571Z [cont-init   ] 15-install-pkgs.sh: terminated successfully.
2023-02-03T13:45:59.814919609Z [cont-init   ] 55-jdownloader2.sh: executing...
2023-02-03T13:45:59.838627630Z [cont-init   ] 55-jdownloader2.sh: jq: error: Could not open file /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json: Permission denied
2023-02-03T13:45:59.839041723Z [cont-init   ] 55-jdownloader2.sh: terminated with error 2.

jlesage commented 1 year ago

Humm, there is something wrong that I cannot identify.

During the container initialization, there are other files written to /config as root. So I'm not sure why /config/cfg/org.jdownloader.api.myjdownloader.MyJDownloaderSettings.json is more problematic than other files. The NFS server config is good and should translate all requests done by root to the correct user. If on the server side you still see the file as owned by root, then maybe there is an active ACL somewhere?

Could you try with another NFS share?

NickSChristiansen commented 1 year ago

So I tried making a new dataset, applying nicksc:Docker with rwx and got the same error. Then I tried making a pool, with a new dataset and applying nicksc:Docker with rwx and now it works... (╯°□°)╯︵ ┻━┻

Sorry for the confusion. The issue is clearly on my end - maybe there was an ACL on the pool level overwriting the new ones I set on the dataset or something. I honestly have no idea. I'll nuke the pool, recreate it and hope that clears the issue.

rafaelmaeuer commented 1 year ago

I have a similar error on start after moving from linux/amd64 to linux/arm64:

Openbox-Message: 16:11:29.496: Unable to make directory '/config/xdg/cache/openbox': Permission denied

All files generated so far in config volume have root:root as owner, I think something is messed up there...

jlesage commented 1 year ago

Are you also using an NFS share for the config folder?

rafaelmaeuer commented 1 year ago

I finally figured out what was causing the problem for me:

When re-using existing certificates by mounting them read-only in volumes like this:

volumes:
  - "$CERT_PATH/key.pem:/config/certs/web-privkey.pem:ro"
  - "$CERT_PATH/fullchain.pem:/config/certs/web-fullchain.pem:ro"

It causes conflicts when docker-compose tries to take ownership as it is read-only.

This problem could be bypassed by providing TAKE_CONFIG_OWNERSHIP=0 as environment variable. But if starting docker-compose with sudo it means the data-volume is created and owned by root. This causes the error as described above.

A workaround is to stop the service when the error occurs and take ownership of the data-volume with the current user:

sudo chown -R "$(id -u):$(id -g)" <path/to/data-volume>
# or
sudo chown -R "$(whoami):$(whoami)" <path/to/data-volume>
# e.g. on ubuntu
sudo chown -R ubuntu:ubuntu <path/to/data-volume>

Afterwards restart the service and the setup-process should work and continue.

I finally did fix the issue by running the service with domain-mapping behind a nginx-reverse proxy. It allows me to disable secure-connection by removing SECURE_CONNECTION=1 from docker-compose.yml as Nginx will handle SSL, my config:

# Connection upgrade for reverse proxy
map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
}

# web access to jDownloader2
server {
  listen 80;
  server_name <sub.domain.org>;

  location / {
    proxy_pass http://jdownloader:5800;
  }

  location /websockify {
    proxy_pass http://jdownloader:5800;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_read_timeout 86400;
  }
}