Docker Volume Permissions Issue

Jon Dison

Greetings,

I'm playing around with the option to fire up docker containers, like mentioned here.
For the most part I'm able to follow along and set things up the way I'd expect, but when I need to create a volume for persistent storage, there's a permissions issue inside the container.
Let's take Grafana as an example. I know there's a TrueChart for Grafana but let's just use it as an example, as the issue I'm running into is the same no matter which container I set up.
I'll set up a volume for Grafana as in this screenshot: https://imgur.com/a/6tTbZQB but when trying to run the container, there's always some mention of a permissions issue with the path that that volume is mounted at. In the case of Grafana it's:
2022-02-28 23:04:21.291123+00:00 GF_PATHS_DATA='/var/lib/grafana' is not writable.
2022-02-28 23:04:21.291266+00:00 You may have issues with file permissions, more information here: http://docs.grafana.org/installation/docker/#migrate-to-v51-or-later
2022-02-28 23:04:21.292553+00:00 mkdir: can't create directory '/var/lib/grafana/plugins': Permission denied

Any suggestions are appreciated.
 

twk95

What are the permissions for the grafana-storage dataset? And what user is grafana running as?
 

Jon Dison

You're on the right track. I recently found that the storage for the dataset was 755, and in most cases the docker containers do not run their processes as root, so if I relaxed the permissions on the dataset, or created an equivalent user on the TrueNAS box and chowned the dataset to match the container, then I could get it to work, but it feels like a kludge. So basically I have to:
  • Build the container using the GUI
  • Let the container try to start but fail
  • Stop the container
  • Find the nested dataset buried beneath ix-applications
  • Fix/adjust permissions/ownership of said dataset
  • Start the container again
It works, but is there a way to adjust how the dataset permissions are created from the get-go so that the above isn't necessary?
 

soleous

Within the GUI there are options to view and set permissions on datasets.

Regarding docker permissions, I'm sure you have figured this out, but as the container is segmented, user UIDs and GIDs are separately defined within the image/container. You'll often find environment variables to set the IDs, usually called PUID and PGID, but not always; for example, Plex called them PLEX_UID and PLEX_GID. Details for this are normally documented on Docker Hub or in complementary materials.

Unfortunately, not all containers do this; for example, it looks like Grafana defines GF_UID=472 as an argument, therefore it's hard-coded.

I'm not sure if the above helps, but you shouldn't need to mess with a container if you haven't set volumes, it should just work. It normally becomes a problem when a folder has been created with incorrect permissions.

Are you defining volumes, when building the container?

I am not currently using apps within scale, but my workflow looks like this for docker:
  1. Create Service account for the application/container
  2. Create data folders on a different dataset for the application and set permission on that folder for the Service account (normally 770)
  3. Create docker container with volumes to data folders
Hope this helps,
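
The workflow in the post above (service account, data folder at 770, then the volume) and the GF_UID=472 case, as an added shell example that is not from any poster in this thread. The function names `can_write` and `prepare_data_dir` are hypothetical, a scratch directory stands in for the dataset, and the check assumes GNU `stat` and looks only at owner, group and mode bits (ACLs and supplementary groups are ignored).

```shell
#!/bin/sh
# Added example. Assumes GNU stat (Linux); ignores ACLs and supplementary groups.

# can_write DIR UID GID: exit 0 if a process with that UID/GID can create
# files in DIR according to owner, group and mode bits alone.
can_write() {
    dir=$1; uid=$2; gid=$3
    [ "$uid" -eq 0 ] && return 0          # root bypasses mode bits
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    owner=$1; group=$2; mode=$3
    # Only one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (0$mode >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (0$mode >> 3) & 7 ))
    else
        bits=$(( 0$mode & 7 ))
    fi
    # Creating files needs both write (2) and search (1) on the directory.
    [ $(( bits & 3 )) -eq 3 ]
}

# prepare_data_dir DIR UID GID: hand the directory to the container's
# account and close it to everyone else (770), instead of loosening it.
prepare_data_dir() {
    chown "$2:$3" "$1" && chmod 770 "$1"
}

# Constructed demo: a scratch directory stands in for the dataset.
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
if can_write "$demo_dir" 472 472; then
    echo "uid 472 can write to $demo_dir"
else
    echo "uid 472 cannot write to $demo_dir (mode 755, owner $(id -u))"
fi
rmdir "$demo_dir"
```

Running `can_write` against the real dataset path before starting the container shows whether the image's UID will hit the "Permission denied" error; `prepare_data_dir` needs root when the target UID is not your own.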
 

Jon Dison

> Within the GUI there are options to view and set permissions on datasets.

Yes, if you make your own dataset. If you let the "launch docker image" wizard create it for you, it doesn't. Not only that, but it's nested within ix-applications, so it doesn't show up in the GUI; you have to SSH in and manually change the permissions.

> Are you defining volumes, when building the container?

Yes.

I know there are a number of ways to get things to work, but my reason for posting this is that the "launch docker image" doesn't seem to work in a way that fits with what I'm accustomed to, and that could be that I've just been doing things wrong all along. What I'm accustomed to is letting docker make a volume for the container using either:
docker volume create johndoe
or something like
Code:
containerxyz:
  image: maintainer/appxyz
  ...
  volumes:
    - johndoe_data:/path/in/container

within docker-compose

What I'm saying is if you do something similar, where you have the "launch docker image" wizard create a volume for you like in my first screenshot, you end up with a volume you can't write to until you go in and manually adjust the permissions.
 