node-red / node-red-docker

Repository for all things Node-RED and Docker related
Apache License 2.0

group_add issue (cannot add to the right group) when deploying Node-RED #308

Closed Sheng2216 closed 2 years ago

Sheng2216 commented 2 years ago

my environment:

Platform/OS: raspberrypi4b/ Raspberry Pi OS bullseye 64 bit

Browser:chrome


What happens?

Problems with group_add. Using the same docker-compose.yml for docker-compose up vs deploying a stack in Portainer, but with a different result. In a Portainer stack I won't be added to the group I defined in the stack/docker-compose file.

I want to use Portainer to deploy a Node-RED image, then use it to control some i2c/modbus. However, I found that the same docker-compose file works just as expected when using docker-compose up, but when I use the stack features in Portainer, I lost the permission to i2c/modbus devices.

Steps to reproduce

Here is the docker-compose.yml file I use:

version: '3.7'

services:

  pigpiod:
    image: zinen2/alpine-pigpiod
    container_name: pigpiod
    restart: unless-stopped
    privileged: true
    ports:
        - "8888:8888/tcp"
    networks:
      - node-red

  nodered:
    image: nodered/node-red
    container_name: NodeRed
    restart: unless-stopped
    user: node-red
    group_add:
        - 998
        - dialout
    environment:
      - NODE_RED_ENABLE_PROJECTS=false
      - PUID=1000
      - PGID=100
      - TZ=Europe/London
    volumes:
        - 'node-red-data:/data'
    ports:
        - "1880:1880/tcp"
    devices:
        - "/dev/i2c-1:/dev/i2c-1"
        - "/dev/ttyUSB0:/dev/ttyUSB0"
        - "/dev/ttyUSB1:/dev/ttyUSB1"
    networks:
      - node-red

volumes:
  node-red-data:

networks:
  node-red:

998 is the group id for the i2c group in the Raspberry Pi image, and the dialout group is for modbus communication. I installed a very basic i2c node called node-red-contrib-i2c. You can install this node by running the following command in the NodeRed container: npm install --unsafe-perm node-red-contrib-i2c, or you can go to the menu bar on the top right and, under "manage palette", search for this node and then install it. Then you can search for the node i2c Scan on the left sidebar and build a basic flow, or you can just copy-paste my example flow:

[
    {
        "id": "2ae8adc326824a4c",
        "type": "tab",
        "label": "Flow 1",
        "disabled": false,
        "info": "",
        "env": []
    },
    {
        "id": "bf4f8970861a428a",
        "type": "i2c scan",
        "z": "2ae8adc326824a4c",
        "name": "",
        "busno": "1",
        "x": 360,
        "y": 140,
        "wires": [
            [
                "5f5bd31b562b4d32"
            ],
            []
        ]
    },
    {
        "id": "de79403d5e7d0a6d",
        "type": "inject",
        "z": "2ae8adc326824a4c",
        "name": "",
        "props": [
            {
                "p": "payload"
            },
            {
                "p": "topic",
                "vt": "str"
            }
        ],
        "repeat": "",
        "crontab": "",
        "once": false,
        "onceDelay": 0.1,
        "topic": "",
        "payload": "",
        "payloadType": "date",
        "x": 180,
        "y": 140,
        "wires": [
            [
                "bf4f8970861a428a"
            ]
        ]
    },
    {
        "id": "5f5bd31b562b4d32",
        "type": "debug",
        "z": "2ae8adc326824a4c",
        "name": "",
        "active": true,
        "tosidebar": true,
        "console": false,
        "tostatus": false,
        "complete": "false",
        "statusVal": "",
        "statusType": "auto",
        "x": 570,
        "y": 140,
        "wires": []
    }
]

What do I expect to happen?

This flow reads all the i2c devices on i2c bus 1, and the result should be like this: [image] As you can see, I can read a total of 6 devices on bus 1, perfect! And the current user (node-red) is added to the 998 (i2c group in the Raspberry Pi image) and dialout groups: [image]

What went wrong?

When I try to do the same thing the Portainer way (using the stack feature), I cannot read the i2c devices: [image] As you can see in the debug window on the right, the payload array returned is always empty. [image] Run ls /dev/i2c-1 -l and you can see that user node-red is not added to the groups I defined in the stack/docker-compose file, thus the current user (node-red) doesn't have access to the i2c devices anymore. [image] One workaround is to force Portainer to use root as the default container user (just delete the line user: node-red in the docker-compose.yml), but for safety concerns, I want to avoid doing it this way. How can I get rid of this permission issue without changing the Node-RED docker image? Any ideas or assistance would be appreciated! Thank you!

hardillb commented 2 years ago

I'm not sure this is a problem with the Node-RED Docker container, because as you say it works with raw docker-compose, just not with Portainer. At first glance this sounds like a bug with Portainer.

As the Contribution Guide and the Issue template point out usage questions should be asked on the Forum, Slack or on Stack Overflow (suitably tagged) so it's not just the core team that can help answering. If after investigation it turns out to be something we need to fix then an issue can be raised.

Sheng2216 commented 2 years ago

> I'm not sure this is a problem with the Node-RED Docker container, because as you say it works with raw docker-compose, just not with Portainer. At first glance this sounds like a bug with Portainer.
>
> As the Contribution Guide and the Issue template point out usage questions should be asked on the Forum, Slack or on Stack Overflow (suitably tagged) so it's not just the core team that can help answering. If after investigation it turns out to be something we need to fix then an issue can be raised.

Thank you for your suggestions. I found the support I need in Portainer's Slack channel, and this seems to relate to a typo bug. Hopefully, it will get fixed in Portainer in the near future. This is the link to this bug: https://github.com/docker/compose/issues/8810