recyclarr / recyclarr

Automatically sync TRaSH Guides to your Sonarr and Radarr instances
https://recyclarr.dev
MIT License

Docker volume permissions #111

Closed pikeas closed 2 years ago

pikeas commented 2 years ago

Thanks for the project! The Docker image works only with a mount; the container user can't otherwise access /config:

$ docker run --rm -it --entrypoint bash ghcr.io/recyclarr/recyclarr:latest
bash-5.1$ recyclarr radarr
System.UnauthorizedAccessException: Access to the path '/config/repo' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileSystem.CreateDirectory(String fullPath)
   at System.IO.DirectoryInfo.Create()
   at System.IO.Abstractions.DirectoryInfoWrapper.Create()
   at Recyclarr.Command.BaseCommand.ExecuteAsync(IConsole console) in D:\a\recyclarr\recyclarr\src\Recyclarr\Command\BaseCommand.cs:line 44
   at Recyclarr.Command.ServiceCommand.ExecuteAsync(IConsole console) in D:\a\recyclarr\recyclarr\src\Recyclarr\Command\ServiceCommand.cs:line 43
bash-5.1$ ls -al /config
total 8
drwxr-xr-x    2 root     root          4096 Aug 28 15:06 .
drwxr-xr-x    1 root     root          4096 Aug 28 15:06 ..
bash-5.1$ touch /config/foo
touch: /config/foo: Permission denied
bash-5.1$ whoami
whoami: unknown uid 1000

rcdailey commented 2 years ago

Recently the official container was made rootless. Basically this means the root user is never used inside the container. In your situation, I see that your volume data is owned by root. It's the user's responsibility to chown as needed to ensure the data in your volume is owned by the same user you specify in the --user argument to docker.

Unfortunately, this isn't something that can (or should) be fixed by me. There's also a section in the wiki specifically about ownership / permission issues that you should review.

pikeas commented 2 years ago

Thanks for the quick response!

I opened an issue because the Docker image is broken by default - the default user does not have permission to access the default volume. The volume is owned by root because the Dockerfile VOLUME instruction creates it.

Everything works well when bind-mounting a volume with correct permissions. Try either the direct command I posted (docker run --rm -it ghcr.io/recyclarr/recyclarr:latest radarr) or docker-compose with no volume.

rcdailey commented 2 years ago

Ah, I apologize. I assumed that the volume would inherit the permissions of the USER value since I put it after that in my Dockerfile:

USER 1000:1000
VOLUME /config

However, I'll admit I have not tested it. Let me reopen this and investigate on my side and see if I can reproduce. Thank you for clarifying!

rcdailey commented 2 years ago

I have a fix for this, which I plan to commit, but in the meantime I wanted to understand a little more about your use case. You're the first (and only) person I've come across that doesn't use bind mounts for the /config volume. What is your use case for this? Why do you choose not to use bind mounts? And how do you plan to edit files inside of the volume? Once you get past the permission issue, your next one will be not having a /config/recyclarr.yml file. How do you plan to provide that?

Having more information about your situation will help me make sure that I'm supporting all usage scenarios. Thanks!

pikeas commented 2 years ago

Sure!

I am using bind mounts for my live installation of Recyclarr. I saw some significant TRaSH updates and wanted a fresh Recyclarr config file, so I started a throwaway container (docker run --rm) with no bind mount to see what had changed.

This was also the case as a new user - I don't generally bind mount into a container until I've explored the image and know what it's doing.

pikeas commented 2 years ago

As a fix, RUN mkdir /config, chown/chmod as needed, and remove the VOLUME instruction - everything should work as before for people who bind mount, and also work on fresh containers with no bind.

rcdailey commented 2 years ago

Are you suggesting I remove the VOLUME instruction? Because I have it there for a reason; mainly for those that choose not to use a bind mount.

rcdailey commented 2 years ago

This is fixed on master and should be available in the next edge build.
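
A check for the Dockerfile pattern discussed in this thread, as an added example that is not part of the original issue or of Recyclarr's code. Docker seeds a new anonymous or named volume from the image directory at that path, ownership included, so a VOLUME path that was never created and chowned for the non-root USER comes up root-owned, as in the `ls -al /config` output above. The function names, the `FROM alpine` line and both sample Dockerfiles are constructed for illustration, and the chown detection is a heuristic.

```python
import json
import re
import shlex

def instructions(text):
    """Yield (KEYWORD, args) per instruction, joining backslash continuations."""
    joined = re.sub(r"\\\s*\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keyword, _, args = line.partition(" ")
            yield keyword.upper(), args.strip()

def volume_paths(args):
    """VOLUME accepts a JSON array or a whitespace-separated list."""
    return json.loads(args) if args.startswith("[") else shlex.split(args)

def root_owned_volumes(text):
    """Return VOLUME paths with no earlier RUN chown when the image ends as non-root."""
    chowned, flagged, user = set(), [], "root"
    for keyword, args in instructions(text):
        if keyword == "USER":
            user = args.split(":")[0]
        elif keyword == "RUN" and "chown" in args:
            # Heuristic: any absolute path named in a RUN that calls chown.
            chowned.update(re.findall(r"(/[\w./-]+)", args))
        elif keyword == "VOLUME":
            # Only a chown that appears before the VOLUME line is counted.
            flagged += [p for p in volume_paths(args) if p not in chowned]
    return [] if user in ("root", "0") else flagged

# Constructed sample: the two instructions quoted in the thread plus a FROM line.
BROKEN = """\
FROM alpine
USER 1000:1000
VOLUME /config
"""

# Constructed variant: create and chown the directory as root, then declare the volume.
FIXED = """\
FROM alpine
RUN mkdir -p /config && \\
    chown 1000:1000 /config
USER 1000:1000
VOLUME /config
"""

if __name__ == "__main__":
    print("broken:", root_owned_volumes(BROKEN))
    print("fixed: ", root_owned_volumes(FIXED))
```

Bind mounts are not seeded from the image, so a host directory mounted over /config still needs ownership matching the container user.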