paperless-ngx / paperless-ngx

A community-supported supercharged version of paperless: scan, index and archive all your physical documents
https://docs.paperless-ngx.com
GNU General Public License v3.0

[BUG] Migrating from *-ng: "usermod: UID '0' already exists" #374

Closed TheDarthFather closed 2 years ago

TheDarthFather commented 2 years ago

Describe the bug: I am trying to migrate my docker paperless-ng to ngx, by changing the image used in portainer. However, while starting I am getting this error: usermod: UID '0' already exists.

To Reproduce: Use ghcr.io/paperless-ngx/paperless-ngx:latest instead of the NG one

Expected behavior: NA

Screenshots: NA

Webserver logs

usermod: UID '0' already exists.

Relevant information

stumpylog commented 2 years ago

What are you setting USERMAP_UID and USERMAP_GID to in the docker environment?

TheDarthFather commented 2 years ago

0 for both ... @stumpylog

stumpylog commented 2 years ago

Is there a reason it's set to 0 instead of either your user's uid/gid or a dedicated service user's uid/gid?

I think what is happening is the paperless user inside the container (created as 1000/1000) is trying to be modified to be 0/0, but root has those values and the operation fails.

addich commented 2 years ago

a quick and dirty fix in docker-entrypoint.sh

change from: usermod -u "${USERMAP_NEW_UID}" paperless

to: usermod -o -u "${USERMAP_NEW_UID}" paperless

The "-o" will allow using a duplicate (non-unique) UID. This means we can modify the paperless user to uid 33 even if there is already an existing user with that uid. I tested it on my end with mapping uid:gid 33:33, 0:0 and without. In all cases the files and process are under the correct uid.

Fun fact: for the group command on the line below, the "-o" is already there.

TheDarthFather commented 2 years ago

> Is there a reason it's set to 0 instead of either your user's uid/gid or a dedicated service user's uid/gid?
>
> I think what is happening is the paperless user inside the container (created as 1000/1000) is trying to be modified to be 0/0, but root has those values and the operation fails.

Not really. TBH I did not understand well what user I should add there ... and portainer creates the volumes owned by root, so I felt it is easy to use root (0,0). Is this supposed to be the user under which the docker container operates? Should I create a separate user for each of my containers and change the access rights of the mapped folders to this user as owner? Is this the intended way?

PS: It will be a small hassle every time I create a new container to change the volumes' ownership from root to the new user ... or maybe I should create 1 user for portainer and all containers?!

TheDarthFather commented 2 years ago

> a quick and dirty fix in docker-entrypoint.sh
>
> change from: usermod -u "${USERMAP_NEW_UID}" paperless
>
> to: usermod -o -u "${USERMAP_NEW_UID}" paperless
>
> The "-o" will allow using a duplicate (non-unique) UID. This means we can modify the paperless user to uid 33 even if there is already an existing user with that uid. I tested it on my end with mapping uid:gid 33:33, 0:0 and without. In all cases the files and process are under the correct uid.
>
> Fun fact: for the group command on the line below, the "-o" is already there.

Thank you - I will test this as well!

stumpylog commented 2 years ago

It's always hard to say what's normal or usual with containers. What I personally do is map user IDs for a container or stack to a dedicated service user who is locked down (ie no login, minimized permissions). Then my own user is in that group, to allow me to view files, etc, they create.

Another option is running with your uid/gid. This would mean files created by the paperless container will be owned on the host by you, also allowing viewing, etc.

Users and containers can always be a confusing subject for what it means and the permissions debacle that can ensue.

I'll have to look at the command and maybe find a best practice doc or two, but perhaps adding the -o will be a good other solution

addich commented 2 years ago

In my case I have some other application which will upload the files for paperless, and it runs with a specific user. To be able to process them I need to have paperless using the same user. In my case I use www-data with uid 33 and gid 33.

The container already has a user and group called paperless with uid and gid 1000. The entry script then checks if the environment variables are set to different numbers. If yes, it will modify the uid and gid of the user paperless in our docker container before it changes the file permissions (chown paperless:paperless {}) and starts the process under the user paperless (gosu paperless python3 manage.py "$@").

To get things fixed, the user and group paperless need to point on Linux level to the requested ids. When we use the option "-o" it will do that, ignoring other existing users with the same id.

And I think we can't run the container with the desired uid/gid, as then the entry script will not have the permissions to change the uid and gid of the pre-installed paperless user (uid and gid 1000).
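
Added example (not part of the original thread and not the project's entrypoint script): a dry run of the UID collision discussed above. It reads a constructed passwd file and reports which usermod form the remap would need and which existing account the paperless user would end up sharing a UID with; the function names and the sample file are assumptions.

```shell
#!/bin/sh
# Dry-run planner for the UID remap; never touches the real account database.
# SAMPLE_PASSWD is constructed sample data mirroring the accounts named in the thread.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
paperless:x:1000:1000::/home/paperless:/bin/sh
EOF

# current_uid FILE USER -> prints USER's numeric UID
current_uid() {
    awk -F: -v u="$2" '$1 == u { print $3; exit }' "$1"
}

# uid_owner FILE UID SKIP_USER -> prints the first other account holding UID
uid_owner() {
    awk -F: -v uid="$2" -v skip="$3" \
        '$3 == uid && $1 != skip { print $1; exit }' "$1"
}

# plan_usermap FILE USER NEW_UID -> prints the command the remap would need
plan_usermap() {
    file=$1 user=$2 new_uid=$3
    case $new_uid in
        ''|*[!0-9]*) echo "error: UID must be numeric"; return 2 ;;
    esac
    if [ "$(current_uid "$file" "$user")" = "$new_uid" ]; then
        echo "noop"
        return 0
    fi
    owner=$(uid_owner "$file" "$new_uid" "$user")
    if [ -z "$owner" ]; then
        echo "usermod -u $new_uid $user"
    else
        # Plain 'usermod -u' fails here with "UID 'N' already exists";
        # -o succeeds, and both names then resolve to the same UID.
        echo "usermod -o -u $new_uid $user # shares UID with $owner"
    fi
}

plan_usermap "$SAMPLE_PASSWD" paperless 1001
plan_usermap "$SAMPLE_PASSWD" paperless 33
plan_usermap "$SAMPLE_PASSWD" paperless 0
```

With the 0:0 mapping from the original report, the output names root as the account sharing the UID, so the service process runs with root's identity inside the container.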

TheDarthFather commented 2 years ago

> In my case I have some other application which will upload the files for paperless, and it runs with a specific user. To be able to process them I need to have paperless using the same user. In my case I use www-data with uid 33 and gid 33.
>
> The container already has a user and group called paperless with uid and gid 1000. The entry script then checks if the environment variables are set to different numbers. If yes, it will modify the uid and gid of the user paperless in our docker container before it changes the file permissions (chown paperless:paperless {}) and starts the process under the user paperless (gosu paperless python3 manage.py "$@").
>
> To get things fixed, the user and group paperless need to point on Linux level to the requested ids. When we use the option "-o" it will do that, ignoring other existing users with the same id.

Stupid question .. where is docker-entrypoint.sh ?

PS: I use QuickScan and webdav to the consume folder to add files from my phone ... as the mobile way ...

addich commented 2 years ago

the docker-entrypoint.sh is part of the docker image ( /sbin/docker-entrypoint.sh )

TheDarthFather commented 2 years ago

> the docker-entrypoint.sh is part of the docker image ( /sbin/docker-entrypoint.sh )

Ah ... am I supposed to build an image myself?

TheDarthFather commented 2 years ago

I see this is actually part of a new dev version! Nice and thank you!

addich commented 2 years ago

Is it correct that the fix is not yet part of 1.7.0-rc0?

qcasey commented 2 years ago

No, #440 is included in the release candidate

addich commented 2 years ago

Oh, you are right. It seems my docker downgraded back to 1.6.0 and I tested with the old version.

After changing the tag from latest to beta, it was upgrading again to 1.7.0-rc1. I am happy to confirm it works as expected, and the issue is fixed!

shamoon commented 2 years ago

Sweet thanks for reporting back. Closing as fixed in branch by https://github.com/paperless-ngx/paperless-ngx/commit/e8a073d538f2cfb2eb4d9702e1112cec93c9ecc7

github-actions[bot] commented 1 year ago

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion or issue for related concerns.