volume path mount fails due to hosts 755 permission #1267

Open
equivalent opened this issue Nov 30, 2024 · 2 comments
equivalent commented Nov 30, 2024

New Rails 8.0.0 app (with SQLite Active Storage) with Kamal 2. The only thing I changed in config/deploy.yml is the volume, as described below 👇 (+ IP addresses and proxy host). Deployed to a new unconfigured Hetzner VM, Ubuntu 22.04.

Given:

volumes:
  - "/var/apps/myapp/storage:/rails/storage"

(so I'm mounting a folder that does not exist yet on the host)

When I run kamal setup it fails

 ERROR Failed to boot web on 128.140.50.80
....
 ERROR 2024-11-30T22:21:40.327271452Z bin/rails aborted!
2024-11-30T22:21:40.327536598Z ActiveRecord::StatementInvalid: SQLite3::ReadOnlyException: attempt to write a readonly database: (ActiveRecord::StatementInvalid)
.....
Releasing the deploy lock...
  Finished all in 52.6 seconds
  ERROR (SSHKit::Command::Failed): Exception while executing on host 128.140.50.80: docker exit status: 1
docker stdout: Nothing written
docker stderr: Error: target failed to become healthy

This is due to the fact that the folder newly created on the host by Kamal 2, /var/apps/myapp/storage, has 755 permissions on root:root:

ls -la
drwxr-xr-x 4 rails docker 4096 Nov 30 21:55 storage

To solve this I can simply do chmod 777 -R /var/apps/myapp/storage and subsequent kamal setup works 👍

✋ However I would like to keep that host folder 755.

So my question is: what folder permission or user:group owner should I change for that host folder so the mount works under 755 🤔
Question 2: shouldn't Kamal do this automatically? 🤔

I've seen something like this in the past working under docker-compose with volumes (independent of Kamal), and it may be related to the fact that the Dockerfile manages everything under the rails:rails user/group and the host volume permission is under root:root. Sure, Docker should translate this permission inconsistency, but for some reason unknown to me it does not. 🤷‍♂️

BTW, this may look like a duplicate of #897, except I'm the root user on the host

equivalent commented Nov 30, 2024

So my question is: what folder permission or user:group owner should I change for that host folder so the mount works under 755 🤔

I've found the answer for this question. Once I've 777 the host dir, any other folder/file inside has 755 1000:docker. user:group

$ ls -la /var/app/myapp
drwxr-xr-x  2 1000 docker. 4096 Nov 30 23:37 storage

note: yes, the group is docker. not just docker 🤔 I don't know why, as the host has only a docker group

that means, given /var/apps/myapp is 755 root:root, all I need to do is:

cd /var/apps/
chown -R 1000 myapp
chgrp -R docker  myapp

and kamal deploy works 😲

now to the second question "shouldn't Kamal do this automatically? 🤔" - I will dig into the Kamal source tomorrow and hopefully open a PR. However, I'm 90% sure Docker is to blame here

in the meantime any helpful note welcome 🙏


one more note - this will not help

# after you ssh to root@123.456.789.123  a.k.a host machine
mkdir /var/apps
chown 1000  /var/apps
chgrp  docker   /var/apps

as after kamal setup / kamal deploy a folder /var/apps/myapp is (again) created as root:root even if the parent is 1000:docker

goose3228 commented Dec 5, 2024

The problem comes from the way Kamal handles the docker run command. By default it runs something like this on the server:

/usr/bin/env docker run ... --volume blog_storage:/rails/storage ...

If you specify /var/apps/blog instead of blog_storage, Kamal just replaces it in the command:

/usr/bin/env docker run ... --volume /var/apps/blog:/rails/storage ...

These two commands seem to be the same, but they actually do different things. If you specify an absolute path for the --volume option, Docker creates a bind mount, which is known for permission troubles unless you run the app as root.
But the first command creates a named volume, which is more complicated and managed by Docker to prevent these permission issues.

There were a few edits and attempts to make Docker store data where I want, but it seems like it is still not possible without plugins. If no one figures it out, an adequate PR would be to at least warn the user when a volume is specified as a path.
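
The permission check behind the failure discussed in this thread, as an added example that is not part of the issue or of Kamal: it predicts from a host directory's owner, group and mode whether a container user such as uid 1000 can write to it, and flags the world-writable case that chmod 777 creates. The function names and the gid in the usage line are assumptions; it relies on GNU stat and ignores supplementary groups, ACLs and user-namespace remapping.

```shell
#!/bin/sh
# Added example (not from the thread or from Kamal). Predicts whether a
# container process with a given numeric uid/gid can create files in a
# bind-mounted host directory, from the directory's owner, group and mode.
# Assumptions: GNU stat; supplementary groups, ACLs and user-namespace
# remapping are ignored.

# perm_class UID GID OWNER_UID OWNER_GID -> owner | group | other
perm_class() {
    if [ "$1" -eq "$3" ]; then echo owner
    elif [ "$2" -eq "$4" ]; then echo group
    else echo other
    fi
}

# check_bind_dir DIR UID GID -> prints "ok" or "denied", with
# " world-writable" appended when the mode grants write to everyone.
check_bind_dir() {
    dir=$1 uid=$2 gid=$3
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    o_uid=$1 o_gid=$2 mode=$3
    if [ "$uid" -eq 0 ]; then
        verdict=ok            # root bypasses the mode bits
    else
        case $(perm_class "$uid" "$gid" "$o_uid" "$o_gid") in
            owner) bits=$(( (0$mode >> 6) & 7 )) ;;
            group) bits=$(( (0$mode >> 3) & 7 )) ;;
            *)     bits=$(( 0$mode & 7 )) ;;
        esac
        # creating a file needs both write (2) and search (1) on the directory
        if [ $(( bits & 3 )) -eq 3 ]; then verdict=ok; else verdict=denied; fi
    fi
    if [ $(( 0$mode & 2 )) -ne 0 ]; then verdict="$verdict world-writable"; fi
    echo "$verdict"
}

# Usage: sh check.sh /var/apps/myapp/storage 1000 1000   (gid is an assumption)
if [ "$#" -eq 3 ]; then check_bind_dir "$@"; fi
```

A 755 directory reports "ok" only when the container uid owns it, which matches the chown to 1000 described above; "ok world-writable" is the state chmod 777 leaves behind.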
