Permission Problems with persistent Docker Volumes stored at ./

Hey guys,

I am trying to set up Passbolt CE using the following tutorial without any problems on my VPS machine which is running Ubuntu 2204 with Docker and Docker Compose.
Passbolt Help | Docker passbolt installation

So far so good - this all worked perfectly fine!

What I am now trying to achieve is, having the persistent volumes database/ gpg-volume/ jwt-volume/ stored inside my Passbolt folder located here:
~/docker/passbolt

Having all docker volumes inside my personal docker folder is kinda part of my personal backup strategy. I like having everything in place and handy.

My docker compose file looks like this. Nothing big changed so far, just the persistent volumes at ./.

version: "3.9"
services:
  db:
    image: mariadb:10.11
    restart: unless-stopped
    environment:
      MYSQL_RANDOM_ROOT_PASSWORD: "true"
      MYSQL_DATABASE: "passbolt"
      MYSQL_USER: "passbolt"
      MYSQL_PASSWORD: "P4ssb0lt"
    volumes:
      - ./database:/var/lib/mysql

  passbolt:
    image: passbolt/passbolt:4.1.0-1-ce
    #Alternatively you can use rootless:
    #image: passbolt/passbolt:latest-ce-non-root
    restart: unless-stopped
    depends_on:
      - db
    environment:
      APP_FULL_BASE_URL: https://passbolt.blubb.duckdns.org
      DATASOURCES_DEFAULT_HOST: "db"
      DATASOURCES_DEFAULT_USERNAME: "passbolt"
      DATASOURCES_DEFAULT_PASSWORD: "P4ssb0lt"
      DATASOURCES_DEFAULT_DATABASE: "passbolt"
    volumes:
      - ./gpg-volume:/etc/passbolt/gpg
      - ./jwt-volume:/etc/passbolt/jwt
    command:
      [
        "/usr/bin/wait-for.sh",
        "-t",
        "0",
        "db:3306",
        "--",
        "/docker-entrypoint.sh",
      ]
    ports:
      - 8084:80
      - 4434:443
    #Alternatively for non-root images:
    # - 80:8080
    # - 443:4433

volumes:
  database_volume:
  gpg_volume:
  jwt_volume:

Unfortunately, I get the following error when starting the containers.
-bash: line 1: /etc/passbolt/gpg/serverkey_private.asc: Permission denied

The folders for the persistent volumes were created but I don’t really know if the permissions are set correctly.

Any help will be highly appreciated.

Best regards
Daniel

Hey frens, really nobody? Is there anything more that I can provide to get some help? I just want to store the persistent docker volumes inside my passbolt folder. Any help will be highly appreciated.

Best, Daniel

This is most likely the easiest way to determine the correct permissions:

  1. Do a chmod 777 gpg-volume jwt-volume NOTE: This is TEMPORARY!
  2. Restart the container, everything should work now and the files in the volumes should be created.
  3. Stop the container and check the owner of the files in the directories.
  4. Do a chown <user>:<group> <directory> with the same user:group as the created files.
  5. Afterwards do a chmod 755 gpg-volume jwt-volume to restore the default permissions.
  6. Finally restart the container and everything should keep working.

Hope this helps.

Hey there, thanks for getting back. I am not in front of my machine right now, but will work myself through your steps later tonight.

Hi,

I think jwt and gpg directories are owned by www-data user.

There is a chance the www-data user doesn’t exist on your host, so the chown step will fail with an unknown user error.

Inside the passbolt container, www-data userid should be 33.

$ id www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Even if www-data doesn’t exist in your system, you can use chown with userid:groupid:

chown -R 33:33 gpg_directory

You must use the same id as in the container.

Hope this helps.

Thanks @TheReptile and @AnatomicJC for getting back. Your approaches brought me to the solution.

I inspected, where the default docker compose installation was storing the docker volumes. The mount path for gpg_volume/ and jwt_volume/ is here:
/var/lib/docker/volumes/

I then easily identified the permissions set by the default docker compose installation on these volumes (drwxrwx--- root www-data) and applied the same to my volumes stored inside my passbolt installation folder:
~/docker/passbolt

like this:
sudo chmod 770 gpg-volume/ jwt-volume/ && sudo chown root:www-data gpg-volume/ jwt-volume/

Passbolt installation now went through easily and the persistent volumes are stored inside my passbolt folder. :grin:
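
An added example, not part of the thread and not Passbolt's own tooling: a host-side check for the bind-mounted directories discussed above. It reports whether the container's numeric uid/gid (33 for www-data, as stated in the thread) can use a directory and whether the directory is still open to other host accounts, for example after the temporary chmod 777. The function name and verdict strings are made up for this example, and it relies on GNU stat.

```sh
#!/bin/sh
# Added example: audit host-side bind-mount directories for a container.
# Assumption from the thread: www-data in the passbolt container is uid/gid 33.
# Supplementary groups of the container process are not considered.

# audit_volume_dir DIR WANT_UID WANT_GID
# Prints one verdict: ok | no-access | world-accessible | missing
# Returns 0 only for "ok".
audit_volume_dir() {
    dir=$1; want_uid=$2; want_gid=$3
    if [ ! -d "$dir" ]; then echo "missing"; return 2; fi

    # Numeric owner, numeric group, octal mode (e.g. "0 33 770").
    set -- $(stat -c '%u %g %a' "$dir")
    uid=$1; gid=$2; mode=$3

    # Split the last three octal digits; a setgid/sticky digit is ignored.
    other=$((mode % 10))
    group=$((mode / 10 % 10))
    owner=$((mode / 100 % 10))

    # Unix picks exactly one permission class for a process:
    # owner if the uid matches, else group if the gid matches, else other.
    if [ "$uid" -eq "$want_uid" ]; then bits=$owner
    elif [ "$gid" -eq "$want_gid" ]; then bits=$group
    else bits=$other
    fi

    # The container must list, create and traverse entries: rwx = 7.
    if [ "$bits" -ne 7 ]; then echo "no-access"; return 1; fi
    # Any bit for "other" exposes the key material to every host account
    # (the state left behind if a temporary chmod 777 is never undone).
    if [ "$other" -ne 0 ]; then echo "world-accessible"; return 1; fi
    echo "ok"
}

# Usage: sh audit.sh gpg-volume jwt-volume
for d in "$@"; do
    printf '%s: %s\n' "$d" "$(audit_volume_dir "$d" 33 33)"
done
```

With the final layout from the thread (root:www-data, mode 770, and www-data mapped to gid 33 on the host) both directories report ok; a directory created by Docker as root:root 755 reports no-access, which matches the Permission denied error in the first post.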