pducharme / UniFi-Video-Controller

Docker for Unifi-Video Controller (Ubiquiti Networks)

permissions #121

Closed HedgeShot closed 5 years ago

HedgeShot commented 5 years ago

Hi,

I struggle to fix permission issues. I read the various issues already raised but can't fix it. I am running the docker container on Ubuntu and my NFS shares are on Synology. On the first build I get this message:

ERROR: for nvr  Cannot start service unifi-video-controller: error while creating mount source path '/nfs/Multimedia/Cam/data': chown /nfs/Multimedia/Cam/data: invalid argument

On the second run, the error is on /videos. And on the third run, no error but container is constantly restarting and the error logs is the one below. Here is my docker-compose:

    # top-level keys restored so the excerpt parses as a compose file; the
    # service name is the one shown in the error message above
    services:
      unifi-video-controller:
    image: "pducharme/unifi-video-controller"
    container_name: "nvr"
    ports:
      - 1935:1935
      - 6666:6666
      - 7004:7004
      - 7080:7080
      - 7442:7442
      - 7443:7443
      - 7444:7444
      - 7445:7445
      - 7446:7446
      - 7447:7447
    volumes:
      - /nfs/Multimedia/Cam/data:/var/lib/unifi-video
      - /nfs/Multimedia/Cam/videos:/var/lib/unifi-video/videos
    environment:
      - TZ=${TZ}
      - DEBUG=1
      - PUID=${PUID}
      - PGID=${PGID}
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
    restart: unless-stopped
    networks:
      - traefik_proxy
    labels:
      - "traefik.enable=true"
      - "traefik.backend=nvr"
      - "traefik.frontend.rule=Host:nvr.${DOMAINNAME}"
      - "traefik.docker.network=traefik_proxy"
      - "traefik.frontend.headers.SSLRedirect=true"
      - "traefik.frontend.headers.STSSeconds=315360000"
      - "traefik.frontend.headers.browserXSSFilter=true"
      - "traefik.frontend.headers.contentTypeNosniff=true"
      - "traefik.frontend.headers.forceSTSHeader=true"
      - "traefik.frontend.headers.SSLHost=DOMAIN.COM"
      - "traefik.frontend.headers.STSIncludeSubdomains=true"
      - "traefik.frontend.headers.STSPreload=true"
      - "traefik.frontend.headers.frameDeny=false"
    security_opt:
      - apparmor:unconfined

and here is the log:

2018-12-30 17:22:49.738588 [info] PUID defined as '1000'
2018-12-30 17:22:49.771793 [info] PGID defined as '999'
2018-12-30 17:22:49.816549 [info] Permissions already set for volume mappings
[debug] Running unifi-video service with --debug.
Starting unifi-video... (unifi-video) Java Runtime: /usr/lib/jvm/java-8-openjdk-amd64/jre
(unifi-video) JSVC: /usr/bin/jsvc
(unifi-video) 
JVM options:  -Dav.tempdir=/var/cache/unifi-video -Djava.security.egd=file:/dev/./urandom   -Xmx2047M  -Djava.library.path=/usr/lib/unifi-video/lib  -Djava.awt.headless=true  -Djavax.net.ssl.trustStore=/usr/lib/unifi-video/data/ufv-truststore  -Dfile.encoding=UTF-8        -Dcom.sun.management.jmxremote          -Dcom.sun.management.jmxremote.ssl=false        -Dcom.sun.management.jmxremote.authenticate=false       -Dcom.sun.management.jmxremote.port=7654 -Djava.rmi.server.hostname=172.18.0.13
(unifi-video) 
JSVC options:  -cwd /usr/lib/unifi-video -debug  -user unifi-video  -home /usr/lib/jvm/java-8-openjdk-amd64/jre  -cp /usr/share/java/commons-daemon.jar:/usr/lib/unifi-video/lib/airvision.jar  -pidfile /var/run/unifi-video/unifi-video.pid  -procname unifi-video   -Dav.tempdir=/var/cache/unifi-video  -Djava.security.egd=file:/dev/./urandom   -Xmx2047M  -Djava.library.path=/usr/lib/unifi-video/lib  -Djava.awt.headless=true  -Djavax.net.ssl.trustStore=/usr/lib/unifi-video/data/ufv-truststore  -Dfile.encoding=UTF-8          -Dcom.sun.management.jmxremote          -Dcom.sun.management.jmxremote.ssl=false        -Dcom.sun.management.jmxremote.authenticate=false       -Dcom.sun.management.jmxremote.port=7654 -Djava.rmi.server.hostname=172.18.0.13
(unifi-video) checking for system.properties and truststore files...
chown: changing ownership of '/usr/lib/unifi-video/data/system.properties': Invalid argument
chown: changing ownership of '/usr/lib/unifi-video/data/ufv-truststore': Invalid argument
failed.

Any ideas?

fryfrog commented 5 years ago

It has to be permissions in your volumes.

    volumes:
      - /nfs/Multimedia/Cam/data:/var/lib/unifi-video
      - /nfs/Multimedia/Cam/videos:/var/lib/unifi-video/videos

Can you put an ls -alh /nfs/Multimedia/Cam/data and ls -alh /nfs/Multimedia/Cam/videos here? And tell us what PUID and PGID you're passing in and the user/group that is on your system.

tonyskapunk commented 5 years ago

@HedgeShot I had the same scenario, my volumes are on NFS, running the container as the same user as the permissions on them:

Running the container with:

  -e PUID=1000 \
  -e PGID=1000 \
  -v /path/to/unifi:/var/lib/unifi-video \
  -v /path/to/unifi/videos:/var/lib/unifi-video/videos \

The container logs:

2019-03-31 12:43:13.961494 [info] PUID defined as '1000'
2019-03-31 12:43:13.998544 [info] PGID defined as '1000'
mkdir: cannot create directory ‘/var/lib/unifi-video/logs’: Permission denied

Permissions for the volumes are:

$ ls -nd /path/to/unifi/{,videos}
drwxrwxr-x 1 1000 1000 12 Mar 31 12:34 /path/to/unifi/
drwxrwxr-x 1 1000 1000  0 Mar 31 12:07 /path/to/unifi/videos

To allow ownership changes on the NFS you have to export your NFS share with no_root_squash (more details https://linux.die.net/man/5/exports), please be aware that from a security perspective this is not desirable as any client with root is able to write files in the share.
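Added example, not part of this thread or of the image's entrypoint: a POSIX sh preflight that checks the host-side bind-mount sources before the container is started, so you can tell apart "directory not owned by PUID:PGID" from "the export refuses chown" (the root_squash symptom above) without toggling no_root_squash. It assumes the directories are the same paths you map in the volumes section and that you run it on the Docker host.

```shell
#!/bin/sh
# Preflight for the unifi-video container's volume sources (constructed example).
# Two checks per directory: is it already owned by PUID:PGID, and does a chown
# to that pair succeed there? On an NFS export with root_squash the chown the
# entrypoint runs as root fails with "Invalid argument", as reported in the issue.

# Returns 0 when DIR is owned by UID:GID, 1 otherwise.
# Parses `ls -nd` so it works with both GNU and BSD userlands.
volume_owner_matches() {
    dir=$1; uid=$2; gid=$3
    actual=$(ls -nd "$dir" | awk '{print $3 ":" $4}')
    [ "$actual" = "$uid:$gid" ]
}

# Returns 0 when a chown to UID:GID succeeds on a scratch file inside DIR,
# 1 when the filesystem refuses it (for example root_squash on an NFS export).
chown_probe() {
    dir=$1; uid=$2; gid=$3
    probe="$dir/.chown-probe.$$"
    : > "$probe" || return 1
    if chown "$uid:$gid" "$probe" 2>/dev/null; then
        rm -f "$probe"; return 0
    fi
    rm -f "$probe"; return 1
}

# Reads one volume source path per line from stdin, prints a verdict for each
# and returns the number of directories that failed either check.
check_volumes() {
    uid=$1; gid=$2; failures=0
    while IFS= read -r dir; do
        [ -n "$dir" ] || continue
        if ! volume_owner_matches "$dir" "$uid" "$gid"; then
            echo "WARN $dir not owned by $uid:$gid (got $(ls -nd "$dir" | awk '{print $3 ":" $4}'))"
            failures=$((failures + 1))
        elif ! chown_probe "$dir" "$uid" "$gid"; then
            echo "WARN chown to $uid:$gid refused in $dir (root_squash on the export?)"
            failures=$((failures + 1))
        else
            echo "OK   $dir"
        fi
    done
    return $failures
}

# Usage on the host from the compose file in this issue (PUID=1000, PGID=999):
#   printf '%s\n' /nfs/Multimedia/Cam/data /nfs/Multimedia/Cam/videos | check_volumes 1000 999
```

Run it as root to reproduce what the entrypoint does; as an unprivileged user the chown probe only tells you whether your own uid:gid is accepted.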

fryfrog commented 5 years ago

Ah, yes I think the software does some silly things as root before dropping down to the uid/gid provided. :(

fryfrog commented 5 years ago

@HedgeShot, it has been a long time... I'm just going to assume you got things sorted out and forgot to come back and tell us. :)

rolinux commented 4 years ago

Ah, yes I think the software does some silly things as root before dropping down to the uid/gid provided. :(

Tried to run it under kubernetes with:

securityContext: 
  runAsUser: 99
  runAsGroup: 100

And it fails.

It runs happily as root but this is a bit disappointing as the plan was to keep it as the UID and GID provided.