Permission denied to Docker container accessing NFS share - Docker Compose - docker

I have a problem mounting a WD MyCloud EX2 NAS as an NFS share for a Nextcloud and MariaDB container combination, using Docker Compose. When I run docker-compose up -d, here's the error I get:
Creating nextcloud_app_1 ... error
ERROR: for nextcloud_app_1 Cannot create container for service app: b"error while mounting volume with options: type='nfs' device=':/mnt/HD/HD_a/nextcloud' o='addr=192.168.1.73,rw': permission denied"
ERROR: for app Cannot create container for service app: b"error while mounting volume with options: type='nfs' device=':/mnt/HD/HD_a/nextcloud' o='addr=192.168.1.73,rw': permission denied"
ERROR: Encountered errors while bringing up the project.
Here's docker-compose.yml (all sensitive info replaced with <brackets>:
Version: '2'
volumes:
nextcloud:
driver: local
driver_opts:
type: nfs
o: addr=192.168.1.73,rw
device: ":/mnt/HD/HD_a/nextcloud"
db:
services:
db:
image: mariadb
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=<****>
- MYSQL_PASSWORD=<****>
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- NEXTCLOUD_ADMIN_USER=<****>
- NEXTCLOUD_ADMIN_PASSWORD=<****>
app:
image: nextcloud
ports:
- 8080:80
links:
- db
volumes:
- nextcloud:/var/www/html
restart: always
I SSHd into the NAS box to check /etc/exports and sure enough, it was using all_squash, so I changed that.
Here's the /etc/exports file on the NAS box:
"/nfs/nextcloud" 192.168.1.73(rw,no_root_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid=501,anongid=1000)
"/nfs/Public" 192.168.1.73(rw,no_root_squash,sync,no_wdelay,insecure_locks,insecure,no_subtree_check,anonuid=501,anongid=1000)
Then, I refreshed the service with exportfs -a
Nothing changed - docker-compose throws the same error. And I'm deleting all containers and images and redownloading the image every time I attempt the build.
I've read similar questions and done everything I can think of. I also know this is a container issue because I can access the NFS share quite happily from the command line thanks to my settings in /etc/fstabs.
What else should I be doing here?

In our case, we are mounting the nfs volume localy on the docker host, then mounting the folder inside the containers.
We are running with oracle-linux 7, with SElinux enable.
We fixed by adding the following parameter inside /etc/fstab in the fs_mntops block (see https://man7.org/linux/man-pages/man5/fstab.5.html):
defaults,context="system_u:object_r:svirt_sandbox_file_t:s0"

Try to check with the command line ini nextcloud folder "ls -l /var/www/html", see groups and users who can access it

I fixed it by removing the anonuid=501,anongid=1000 entries in the NAS box's /etc/exports file, and I also managed to enter the wrong IP - the NAS box wasn't granting access to the Ubuntu computer that was trying to connect with it.

Related

I am trying to connect to an SMB share via Docker Compose and it will not give write permissions

I am new to docker. I am attempting run a docker server on a raspberry pi and have the volumes point to a network share so I can avoid persistent files directly on the pi. I am using docker compose and am attempting to mount an SMB share from my Unraid server to the docker containers utilizing volumes.
This is how I have tried mounting the SMB shares:
volumes:
downloads:
driver_opts:
type: cifs
o: username=COOLUSERNAMEHERE,password=SUPERSECRETPASSWORD,vers=3
device: //192.168.0.110/downloads
I then mount this volume inside the container as follows:
services:
myservicename:
image: theplaceigetmyimagefrom
container_name: myservice
environment:
- PUID=1000
- PGID=1000
- TZ=America/Toronto
volumes:
- downloads:/downloads
ports:
- 1234:1234
restart: unless-stopped
This volume mounts just fine however it mounts as read only. No matter what I do I cannot get it to have write permissions. I again am new to docker. So I am probably trying the wrong stuff. I have tried adding privileged: true to the container but that didn't change anything. The SMB share I am connecting to is set to public and shared so there shouldn't be any user issues, however I have also logged in with a user that has "read/write"access to that folder as setup in Unraid itself.
Any ideas on next steps would be appreciated.
Figured this out. I changed the version to 3.0 (not sure if that did anything at all) and I added GID and UID and the rw option:
volumes:
downloads:
driver_opts:
type: cifs
o: username=COOLUSERNAMEHERE,password=SUPERSECRETPASSWORD,uid=1000,gid-1000,vers=3.0,rw
device: //192.168.0.110/downloads
it now connects as expected.

Content of docker bind mount is not showing inside the container

EDITED:
Rclone has a bucket mounted to the host directory /home/user/rclone. I want to access the contents of this directory inside nextcloud docker instance. So I would bind mount it to /var/www/html/data. With the option shared, any changes made in the container will be reflected in the host, and vice versa.
I have set the permission of /home/user/rclone to be 777. And the content is visible with a ls command from the host. Once the docker container is restarted, a ls command from within the container does not show any files. Rclone is still running properly.
I am suspecting that because the volume nextcloud is mounted at /var/www/html, the mount of the bind mount at /var/www/html/data is covered up.
So then I picked another directory inside the container, namely /mnt and tried it. Still no files show up with a ls command.
My nextcloud docker compose: (mysql does not have anything to do with this; showing the /var/www/html/data mount version only.)
version: '2'
volumes:
nextcloud:
db:
services:
db:
image: mariadb
restart: always
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
volumes:
- db:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=xxx
- MYSQL_PASSWORD=xxx
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
network_mode: npm_default
container_name: db
app:
image: nextcloud:latest
restart: always
links:
- db
volumes:
- nextcloud:/var/www/html
- /home/user/rclone:/var/www/html/data:shared
environment:
- MYSQL_PASSWORD=xxx
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
- MYSQL_HOST=db
- NEXTCLOUD_TRUSTED_DOMAINS=xxx
network_mode: npm_default
container_name: nextcloud
Another way of putting it:
rclone cloud storage --> host --> —> docker —-> nextcloud external storage
So the reason why the nextcloud service cannot view the content is due to permission problems.
If you do exec -it nextcloud bash to check the contents, they are there because you are root.
So the proper solution if you want to use a shared bind mount with the host directory, is to set permission to 666 so the others in the container can view the file.
But at the end, I have figured that volume plugins are a way better solution, thus this is somewhat deprecated.

Nexcloud installation on raspberry-pi failing with docker compose

Trying to install nextcloud on rpi4.
I'm getting below error when trying to install nextcloud on rpi4 running buster
Initializing nextcloud 23.0.4.1 ...,
touch: setting times of '/var/www/html/nextcloud-init-sync.lock': Operation not permitted,
Initializing nextcloud 23.0.4.1 ...,
Another process is initializing Nextcloud. Waiting 10 seconds...,
My docker-compose looks like this
version: '2'
services:
db:
image: yobasystems/alpine-mariadb:latest
command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
restart: always
volumes:
- /nextcloud:/var/lib/mysql
environment:
- MYSQL_ROOT_PASSWORD=YOURROOTPASSWORD
- MYSQL_PASSWORD=YOURPASSWORD
- MYSQL_DATABASE=nextcloud
- MYSQL_USER=nextcloud
app:
image: nextcloud
ports:
- 8181:80
links:
- db
volumes:
- /nextcloud:/var/www/html
restart: always
Please help!
Remove /var/www/html/nextcloud-init-sync.lock to unlock the installation process
I had the same issue and I could fixed it by mounting /var/www/html to a separate nextcloud volume. On the same level like service add this:
volumes:
nextcloud:
in your app volumes set the volume like this:
- nextcloud:/var/www/html
Recently I had the same problem with nextcloud 25.0.3.2 on Raspberry Pi 4 and did some research.
This causes the problem:
Unfortunately Raspbian uses some very old
packages. There is nothing we can fix in our image. 😕
Source: https://github.com/nextcloud/docker/issues/1589#issuecomment-923371168
There is a workaround, by giving extended privileges to the nextcloud container:
I did another investigation and deleted the lock file many times.
After some time I found out that if I run the nextcloud container as
priviliged, the error touch: setting times of
'/var/www/html/nextcloud-init-sync.lock': Operation not permitted does
not happen again and I could upgrade to 23.0.4.
Source: https://github.com/nextcloud/docker/issues/1742#issuecomment-1133837814
But beware:
The --privileged flag gives all capabilities to the container. When
the operator executes docker run --privileged, Docker will enable
access to all devices on the host as well as set some configuration in
AppArmor or SELinux to allow the container nearly all the same access
to the host as processes running outside containers on the host.
Additional information about running with --privileged is available on
the Docker Blog.
Source: https://docs.docker.com/engine/reference/run/
tl;dr: Give extended privileges to nextcloud container
...
app:
image: nextcloud
privileged: true

Docker volume mariadb has root permission

I stumbled across a problem with docker volumes while starting docker containers with a docker compose file (MariaDB, RabbitMQ, Maven). I start them simply with docker-compose up -d (WITHOUT SUDO)
My volumes are definied like this:
...
volumes:
- ./production/mysql:/var/lib/mysql:z
...
Everything is working fine and the ./production directory is created (where the volumes are mapped)
But when I again try to restart the docker containers with down/up, I get following error:
error checking context: 'no permission to read from '…/production/mysql/aria_log.00000001'
When I check the mentioned file I saw that it needs root:root permission. This is because the file is generated with the root user inside the container. So I tried to use namespace as mentioned in the docs.
Anyway the error still occurs. Any ideas or references?
Thanks.
Docker Compose File:
version: '3.8'
services:
mysql:
image: mariadb:latest
restart: always
env_file:
- config.env
volumes:
- ./production/mysql:/var/lib/mysql:z
environment:
MYSQL_DATABASE: ${DATABASE_NAME}
MYSQL_USER: ${DATABASE_USER}
MYSQL_PASSWORD: ${DATABASE_PASSWORD}
MYSQL_ROOT_PASSWORD: ${DATABASE_PASSWORD}
networks:
- testnetwork
networks:
testnetwork:
The issue comes from the mapping between the host user/group IDs and the ones inside the container. One of the solutions is to use a named volume and avoid all this hassle, but you can also do the following:
Add user: ${UID}:${GID} to your service inside the docker-compose file.
Run UID=${id -u} GID=${id -g} docker-compose up. This way you make sure that the user in the container will have the same UID/GID as the user on the host and files created in the container will have proper permissions.
NOTE: Docker for Mac (using the osxfs driver) does this behind the scenes and you don't need to worry about users and groups.
Run the Docker daemon as a non-root user this can be helpfull for your purpose.
all document are here.

Permission denied issue when persist redis data inside docker container

I want to create a redis container and need to mount the rdp and log file inside the container to host machine. I have a docker-compose file as below,
version: '2'
services:
redis:
image: xxxx/redis
container_name: redis
restart: unless-stopped
volumes:
- /redis/data:/var/lib/redis
- /redis/log:/var/log/redis
ports:
- "6379:6379"
If it mount the volume as above, redis is not running inside the container and sometimes i am getting unable to save rdb file due to permission denied error. If i create a container without volume mount, everything is working fine.
After doing some search i found that the permission inside redis for /var/lib/redis and /var/log/redis folder is redis:redis but the permission for the mounted volume in host machine is root:root. I cant change the permission as redis in host machine because the redis user will not be available. If i change the permission as root:root inside container, rdp files are not getting saved.
Can anyone please suggest how to fix this issue.?

Resources