agent: Problem creating a filemkdir open .data/snapshots/.test permission denied

When I start my containers using Docker Compose I receive the following errors in the log:

$ docker compose --file /srv/kerberos-agent/docker-compose.yml logs
ka-garage-south  | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:39+01:00"}
ka-garage-south  | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:42+01:00"}
ka-garage-north     | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:39+01:00"}
ka-garage-north     | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:42+01:00"}

Here is my sanitised docker-compose.yml configuration:

$ docker compose --file /srv/kerberos-agent/docker-compose.yml config
name: kerberos-agent
services:
  ka-garage-north:
    container_name: ka-garage-north
    environment:
      AGENT_AUTO_CLEAN: "true"
      AGENT_AUTO_CLEAN_MAX_SIZE: "102400"
      AGENT_CAPTURE_CONTINUOUS: "false"
      AGENT_CAPTURE_FRAGMENTED: "false"
      AGENT_CAPTURE_FRAGMENTED_DURATION: "8"
      AGENT_CAPTURE_IPCAMERA_RTSP: rtsp://[user]:[pass]@192.168.1.84:554/cam/realmonitor?channel=1&subtype=0
      AGENT_CAPTURE_IPCAMERA_SUB_RTSP: rtsp://[user]:[pass]@192.168.1.84:554/cam/realmonitor?channel=1&subtype=1
      AGENT_CAPTURE_MAXLENGTH: "600"
      AGENT_CAPTURE_PIXEL_CHANGE: "150"
      AGENT_CAPTURE_POSTRECORDING: "40"
      AGENT_CAPTURE_PRERECORDING: "20"
      AGENT_KEY: ""
      AGENT_MQTT_PASSWORD: ""
      AGENT_MQTT_URI: tcp://195.168.1.95:1883
      AGENT_MQTT_USERNAME: ""
      AGENT_NAME: garage-north
      AGENT_OFFLINE: "false"
      AGENT_PASSWORD: [password]
      AGENT_TIMEZONE: America/Edmonton
      AGENT_USERNAME: admin
    hostname: [hostname]
    image: kerberos/agent:latest
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "8083"
      protocol: tcp
    restart: unless-stopped
    user: 1000:1000
    volumes:
    - type: bind
      source: /srv/kerberos-agent/garage-north/config
      target: /home/agent/data/config
      bind:
        create_host_path: true
    - type: bind
      source: /media/nvr/kerberos/garage-north/recordings
      target: /home/agent/data/recordings
      bind:
        create_host_path: true
  ka-garage-south:
    container_name: ka-garage-south
    environment:
      AGENT_AUTO_CLEAN: "true"
      AGENT_AUTO_CLEAN_MAX_SIZE: "102400"
      AGENT_CAPTURE_CONTINUOUS: "false"
      AGENT_CAPTURE_FRAGMENTED: "false"
      AGENT_CAPTURE_FRAGMENTED_DURATION: "8"
      AGENT_CAPTURE_IPCAMERA_RTSP: rtsp://[user]:[pass]@192.168.1.83:554/cam/realmonitor?channel=1&subtype=0
      AGENT_CAPTURE_IPCAMERA_SUB_RTSP: rtsp://[user]:[pass]@192.168.1.83:554/cam/realmonitor?channel=1&subtype=1
      AGENT_CAPTURE_MAXLENGTH: "600"
      AGENT_CAPTURE_PIXEL_CHANGE: "150"
      AGENT_CAPTURE_POSTRECORDING: "40"
      AGENT_CAPTURE_PRERECORDING: "20"
      AGENT_KEY: ""
      AGENT_MQTT_PASSWORD: ""
      AGENT_MQTT_URI: tcp://195.168.1.95:1883
      AGENT_MQTT_USERNAME: ""
      AGENT_NAME: garage-south
      AGENT_OFFLINE: "false"
      AGENT_PASSWORD: [password]
      AGENT_TIMEZONE: America/Edmonton
      AGENT_USERNAME: admin
    hostname: [hostname]
    image: kerberos/agent:latest
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "8082"
      protocol: tcp
    restart: unless-stopped
    user: 1000:1000
    volumes:
    - type: bind
      source: /srv/kerberos-agent/garage-south/config
      target: /home/agent/data/config
      bind:
        create_host_path: true
    - type: bind
      source: /media/nvr/kerberos/garage-south/recordings
      target: /home/agent/data/recordings
      bind:
        create_host_path: true
networks:
  default:
    name: kerberos-agent_default

The mount points for these two services are as follows:

$ docker container inspect ka-garage-south -f '{{range .Mounts}}{{.Type}}:{{.Source}}:{{.Destination}}{{println}}{{ end }}'
bind:/srv/kerberos-agent/garage-south/config:/home/agent/data/config
bind:/media/nvr/kerberos/garage-south/recordings:/home/agent/data/recordings

$ docker container inspect ka-garage-east -f '{{range .Mounts}}{{.Type}}:{{.Source}}:{{.Destination}}{{println}}{{ end }}'
bind:/srv/kerberos-agent/garage-east/config:/home/agent/data/config
bind:/media/nvr/kerberos/garage-east/recordings:/home/agent/data/recordings

I am running the services under User idsvc:

$ id $user
uid=1000(idsvc) gid=1000(idsvc) groups=1000(idsvc),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),104(input),106(render),108(netdev),995(docker),997(gpio),998(i2c),999(spi)

Before starting the containers I ran the following commands:

$ mkdir /srv/kerberos-agent/garage-north /srv/kerberos-agent/garage-north/config
$ mkdir /srv/kerberos-agent/garage-south /srv/kerberos-agent/garage-south/config
$ sudo chown idsvc:idsvc /srv/kerberos-agent/ -R
$ sudo chmod 777 /srv/kerberos-agent/ -R

$ mkdir /media/nvr/kerberos/garage-north
$ mkdir /media/nvr/kerberos/garage-south
$ sudo chown idsvc:idsvc /media/nvr/kerberos/ -R
$ sudo chmod 777 /media/nvr/kerberos -R

The file permissions for the /home/agent/data/config mount look like this:

$ ls -la /srv/kerberos-agent/garage-north/
total 12
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 12:30 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 config
$ ls -la /srv/kerberos-agent/garage-north/config/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 ..
$ ls -la /srv/kerberos-agent/garage-south/
total 12
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 12:30 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 config
$ ls -la /srv/kerberos-agent/garage-south/config/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 ..

The file permissions for the /home/agent/data/recordings mount look like this:

$ ls -la /media/nvr/kerberos/garage-north/
total 16
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 11:32 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 recordings
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:37 snapshots
$ ls -la /media/nvr/kerberos/garage-north/recordings/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 ..

$ ls -la /media/nvr/kerberos/garage-south/
total 16
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 11:32 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 recordings
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:37 snapshots
$ ls -la /media/nvr/kerberos/garage-south/recordings/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 ..

My versions for reference:

$ docker --version
Docker version 20.10.21, build baeda1f
$ docker compose version
Docker Compose version v2.12.2

I have tried adding user: 1000:1000 to the services entries in the compose file, running the docker compose elevated, and I am stuck.

What incredibly obvious thing have I missed?

About this issue

  • State: closed
  • Created 2 years ago
  • Comments: 24 (13 by maintainers)

Most upvoted comments

If using specific mount points in docker compose, the original issue is resolved using the following steps:

  1. Create mount points for configuration (if using a targeted mount for configuration)

    cd [location of docker-compose.yml]
    mkdir [camera] [camera]/config
    wget https://raw.githubusercontent.com/kerberos-io/agent/master/machinery/data/config/config.json -O [camera]/config/config.json
    sudo chown [user running docker]:[group running docker] [location of docker-compose.yml] -R
    sudo chmod 777 [location of docker-compose.yml] -R

  2. Create mount points for media

    mkdir [media location]/[camera] [media location]/[camera]/recordings [media location]/[camera]/snapshots
    sudo chown [user running docker]:[group running docker] [media location] -R
    sudo chmod 777 [media location]/[camera] -R

  3. Use the correct targets in the volumes section of docker-compose.yml

    volumes:
      - [location of docker-compose.yml]/[camera]/config:/home/agent/data/config:rw
      - [media location]/[camera]/recordings:/home/agent/data/recordings:rw
      - [media location]/[camera]/snapshots:/home/agent/data/snapshots:rw

This will resolve the “permission denied” error caused by the lack of a specified “snapshots” volume.

Thank you to @cedricve for confirming this.
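
Added example, not part of the original thread or the Kerberos Agent project: a preflight check that reads the output of `docker compose config --format json` and reports any service that lacks a volume for one of the three data directories listed above, or whose bind-mount source is missing or not writable by the numeric `user:` it runs as. The function names and the sample document are constructed for illustration.

```python
import json
import os
import stat

# Directories the agent writes to, taken from the volumes list in the comment above.
REQUIRED = ("/home/agent/data/config",
            "/home/agent/data/recordings",
            "/home/agent/data/snapshots")

def can_write(path, uid, gid):
    """True if uid/gid may create files in path, judged from mode bits only (no ACLs)."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        need = stat.S_IWUSR | stat.S_IXUSR
    elif st.st_gid == gid:
        need = stat.S_IWGRP | stat.S_IXGRP
    else:
        need = stat.S_IWOTH | stat.S_IXOTH
    return st.st_mode & need == need

def audit(compose, check_host=True):
    """Return (service, target, problem) tuples for every required data directory."""
    findings = []
    for name, svc in sorted(compose.get("services", {}).items()):
        mounts = {v["target"]: v for v in svc.get("volumes", []) if isinstance(v, dict)}
        uid, _, gid = str(svc.get("user") or "").partition(":")
        for target in REQUIRED:
            vol = mounts.get(target)
            if vol is None:
                findings.append((name, target, "no volume mounted"))
            elif check_host and vol.get("type") == "bind" and uid.isdigit() and gid.isdigit():
                src = vol["source"]
                if not os.path.isdir(src):
                    findings.append((name, target, "host path missing"))
                elif not can_write(src, int(uid), int(gid)):
                    findings.append((name, target, "not writable by " + svc["user"]))
    return findings

# Constructed sample shaped like `docker compose config --format json`, mirroring the issue.
SAMPLE = json.loads("""{"services": {"ka-garage-north": {"user": "1000:1000", "volumes": [
  {"type": "bind", "source": "/srv/kerberos-agent/garage-north/config",
   "target": "/home/agent/data/config"},
  {"type": "bind", "source": "/media/nvr/kerberos/garage-north/recordings",
   "target": "/home/agent/data/recordings"}]}}}""")

if __name__ == "__main__":
    for finding in audit(SAMPLE, check_host=False):
        print(*finding, sep=": ")
```

Because `can_write` evaluates the owner, group and other bits separately, it also reports a directory owned by the container's uid as writable at mode 700, so it shows when mode 777 is not what makes the mount usable.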

Adding the /snapshots mount, removing the user entry, and grabbing a base configuration file enabled the container to start.

Before I document the process, I have a question for you, @cedricve - you said in your previous reply I could remove the config binding as I override it in the environment variables. I see in the example you included that ka-garage-north includes the user entry and ka-garage-south does not, but I cannot see anything else that has changed.