Permission issues for rootless container running with Podman #24

Closed
dmarcoux opened this issue Dec 6, 2024 · 7 comments


dmarcoux commented Dec 6, 2024

Hello,

Thank you for beaverhabits 🙂!

I am running the application in a rootless container with Podman. I set the user and group of the container to the Podman user. As for the host path which is mounted as a volume, its owner is also the same Podman user. This setup works for other applications on my server.

Even with the changes from #18, I am still having permission issues.

This is what I get:

INFO:     Starting BeaverHabits...
INFO:     Started server process [4]
INFO:     Waiting for application startup.
INFO:     Application startup complete.
INFO:     Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)
ERROR:nicegui:[Errno 13] Permission denied: '/app/.nicegui'
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/nicegui/events.py", line 432, in handle_event
    result = cast(Callable[[], Any], handler)()
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/nicegui/storage.py", line 68, in backup
    self.filepath.parent.mkdir(exist_ok=True)
  File "/usr/local/lib/python3.12/pathlib.py", line 1311, in mkdir
    os.mkdir(self, mode)
PermissionError: [Errno 13] Permission denied: '/app/.nicegui'

I believe the issue is that /app still belongs to nobody:root as we can see here from within the container:

podman-user@habits:~$ ls -la /
total 64
dr-xr-xr-x   1 root   root 4096 Dec  6 09:18 .
dr-xr-xr-x   1 root   root 4096 Dec  6 09:18 ..
drwxrwxr-x   1 nobody root 4096 Dec  6 09:18 app

It should instead be just like /app/.user (again from within the container):

podman-user@habits:~$ ls -la /app/.user
total 36
drwxr-xr-x 2 podman-user users  4096 Dec  6 09:09 .
drwxrwxr-x 1 nobody      root   4096 Dec  6 09:18 ..
-rw-r--r-- 1 podman-user users 28672 Dec  6 09:09 habits.db
Owner

daya0576 commented Dec 6, 2024

Thanks for reporting this issue, I do reproduce it locally and will do some research and fix it.

daya0576 added a commit that referenced this issue Dec 6, 2024
Owner

daya0576 commented Dec 6, 2024

@dmarcoux Please try the latest image (0.3.5) to resolve this issue.

Author

dmarcoux commented Dec 6, 2024

Thank you @daya0576 for having a look. This is working now!

dmarcoux closed this as completed Dec 6, 2024

adamjt commented Dec 12, 2024

I think my issue is related to this one, but updating to 0.3.5 did not solve the issue for me. I'm running the container on a NAS and after updating to the latest image today, I am seeing errors on startup. Unfortunately I do not know which specific tag I was upgrading from, it was the latest tag pulled about 3 weeks ago.

2024/12/12 08:39:17,stdout,INFO:     172.17.0.1:49310 - "GET / HTTP/1.1" 307 Temporary Redirect

2024/12/12 08:39:17,stdout,PermissionError: [Errno 13] Permission denied: '/app/.user/.nicegui'

2024/12/12 08:39:17,stdout,"    os.mkdir(self, mode)
"
2024/12/12 08:39:17,stdout,"  File \"/usr/local/lib/python3.12/pathlib.py\", line 1311, in mkdir
"
2024/12/12 08:39:17,stdout,    self.filepath.parent.mkdir(exist_ok=True)

2024/12/12 08:39:17,stdout,"  File \"/opt/pysetup/.venv/lib/python3.12/site-packages/nicegui/storage.py\", line 68, in backup
"
2024/12/12 08:39:17,stdout,             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2024/12/12 08:39:17,stdout,"    result = cast(Callable[[], Any], handler)()
"
2024/12/12 08:39:17,stdout,"  File \"/opt/pysetup/.venv/lib/python3.12/site-packages/nicegui/events.py\", line 432, in handle_event
"
2024/12/12 08:39:17,stdout,Traceback (most recent call last):

2024/12/12 08:39:17,stdout,ERROR:nicegui:[Errno 13] Permission denied: '/app/.user/.nicegui'

2024/12/12 08:39:09,stdout,INFO:     172.17.0.1:49304 - "GET / HTTP/1.1" 307 Temporary Redirect

2024/12/12 08:39:09,stdout,PermissionError: [Errno 13] Permission denied: '/app/.user/.nicegui'

2024/12/12 08:39:09,stdout,"    os.mkdir(self, mode)
"
2024/12/12 08:39:09,stdout,"  File \"/usr/local/lib/python3.12/pathlib.py\", line 1311, in mkdir
"
2024/12/12 08:39:09,stdout,    self.filepath.parent.mkdir(exist_ok=True)

2024/12/12 08:39:09,stdout,"  File \"/opt/pysetup/.venv/lib/python3.12/site-packages/nicegui/storage.py\", line 68, in backup
"
2024/12/12 08:39:09,stdout,             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

2024/12/12 08:39:09,stdout,"    result = cast(Callable[[], Any], handler)()
"
2024/12/12 08:39:09,stdout,"  File \"/opt/pysetup/.venv/lib/python3.12/site-packages/nicegui/events.py\", line 432, in handle_event
"
2024/12/12 08:39:09,stdout,Traceback (most recent call last):

2024/12/12 08:39:09,stdout,ERROR:nicegui:[Errno 13] Permission denied: '/app/.user/.nicegui'

2024/12/12 08:39:07,stdout,INFO:     Uvicorn running on http://0.0.0.0:8080 (Press CTRL+C to quit)

2024/12/12 08:39:07,stdout,INFO:     Application startup complete.

2024/12/12 08:39:07,stdout,INFO:     Waiting for application startup.

2024/12/12 08:39:07,stdout,INFO:     Started server process [9]

2024/12/12 08:39:07,stdout,INFO:     Starting BeaverHabits...

2024/12/12 08:38:48,stdout,NICEGUI_STORAGE_PATH not set. Using default value: .user/.nicegui

2024/12/12 08:38:48,stdout,Starting Uvicorn server in production mode...

Here are the permissions:

# ls -la /
total 16
drwxr-xr-x   1 root   root  158 Dec 12 13:38 .
drwxr-xr-x   1 root   root  158 Dec 12 13:38 ..
-rwxr-xr-x   1 root   root    0 Dec 12 13:38 .dockerenv
drwxrwxr-x   1 nobody root   64 Dec 12 13:38 app
lrwxrwxrwx   1 root   root    7 Dec  2 00:00 bin -> usr/bin
drwxr-xr-x   1 root   root    0 Oct 31 11:04 boot
drwxr-xr-x   5 root   root  360 Dec 12 13:38 dev
drwxr-xr-x   1 root   root 1274 Dec 12 13:38 etc
drwxr-xr-x   1 root   root    0 Oct 31 11:04 home
lrwxrwxrwx   1 root   root    7 Dec  2 00:00 lib -> usr/lib
lrwxrwxrwx   1 root   root    9 Dec  2 00:00 lib64 -> usr/lib64
drwxr-xr-x   1 root   root    0 Dec  2 00:00 media
drwxr-xr-x   1 root   root    0 Dec  2 00:00 mnt
drwxr-xr-x   1 root   root   14 Dec  8 16:00 opt
dr-xr-xr-x 421 root   root    0 Dec 12 13:38 proc
drwx------   1 root   root   80 Dec  4 20:36 root
drwxr-xr-x   1 root   root    8 Dec  2 00:00 run
lrwxrwxrwx   1 root   root    8 Dec  2 00:00 sbin -> usr/sbin
drwxr-xr-x   1 root   root    0 Dec  2 00:00 srv
dr-xr-xr-x  12 root   root    0 Dec 12 13:46 sys
drwxrwxrwt   1 root   root    0 Dec  2 00:00 tmp
drwxr-xr-x   1 root   root   94 Dec  2 00:00 usr
drwxr-xr-x   1 root   root   90 Dec  2 00:00 var

# ls -la /app/.user
total 28
drwxr-xr-x 1   1026 users    18 Dec 11 19:09 .
drwxrwxr-x 1 nobody root     64 Dec 12 13:38 ..
-rwxr-xr-x 1 root   root  28672 Dec 11 19:09 habits.db

@daya0576
Owner

@adamjt Thanks for reaching out, here is the root cause of this permission issue: #23

The old image started by default as root, so it was always able to write to any filesystem. With the new configuration, it starts by default as user nobody, which doesn't have any permissions on the user's filesystem.


Please try these two options below to fix this issue:

Option 1: Update the permissions of the volume

# Step1: Find current container user
$ docker run --rm daya0576/beaverhabits:0.3.5 cat /etc/passwd | id -u
1000

# Step2: Change folder permissions and ownership
$ sudo chown -R 1000 .user

Option 2: Running Docker containers as the current host user

docker run -d --name beaverhabits \
  -u $(id -u):$(id -g) \
  ...
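
The ownership check behind both options, as an added example that is not part of the original comment or the project's code: given the UID/GID a container runs as and a directory's owner, group and mode, it decides whether the process can create entries such as `.nicegui` there. The function names, the GID values and podman-user's UID are constructed for illustration; `check_volume` assumes GNU `stat`, and supplementary groups, ACLs and user-namespace ID mapping are ignored.

```shell
#!/bin/sh
# Added example: can a container UID/GID create files in a mounted directory?
# Read the UID inside the container (e.g. `docker exec <container> id -u`);
# `id -u` ignores stdin, so it reports the UID of the shell it is run in.

# can_create UID GID OWNER_UID OWNER_GID MODE   (MODE is octal, e.g. 755)
# Returns 0 when UID/GID holds both write and search permission on the directory.
can_create() {
    c_uid=$1 c_gid=$2 d_uid=$3 d_gid=$4
    c_mode=$(( 0$5 ))                       # leading 0 makes the constant octal
    [ "$c_uid" -eq 0 ] && return 0          # root is not limited by mode bits
    if [ "$c_uid" -eq "$d_uid" ]; then
        c_bits=$(( (c_mode >> 6) & 7 ))     # owner class
    elif [ "$c_gid" -eq "$d_gid" ]; then
        c_bits=$(( (c_mode >> 3) & 7 ))     # group class
    else
        c_bits=$(( c_mode & 7 ))            # other class
    fi
    [ $(( c_bits & 3 )) -eq 3 ]             # w (2) and x (1) are both required
}

# check_volume UID GID PATH: the same check against a real directory (GNU stat).
check_volume() {
    set -- "$1" "$2" $(stat -c '%u %g %a' "$3")
    can_create "$@"
}

# Cases taken from the ls output in this thread. UID 65534 is nobody (from the
# thread); GID 100 for "users", GID 65534 for nogroup and UID 1000 for
# podman-user are constructed values.
while read -r label uid gid d_owner d_group mode; do
    if can_create "$uid" "$gid" "$d_owner" "$d_group" "$mode"; then
        result="can create files"
    else
        result="permission denied"
    fi
    printf '%-34s %s\n' "$label" "$result"
done <<'EOF'
/app-as-podman-user 1000 100 65534 0 775
/app/.user-as-nobody-before-chown 65534 65534 1026 100 755
/app/.user-as-nobody-after-chown 65534 65534 65534 100 755
EOF
```
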

daya0576 reopened this Dec 12, 2024

adamjt commented Dec 12, 2024

Thank you, I apologize for reopening the wrong issue. After applying the fix I am back to tracking habits!

# docker exec -it 841c sh
$ cat /etc/passwd | id -u
65534

# docker exec -it -u root 841c sh
# cd /app
# chown -R 65534 .user

# docker exec -it 841c sh
$ ls -la /app/.user
total 28
drwxr-xr-x 1 nobody users      34 Dec 12 15:09 .
drwxrwxr-x 1 nobody root       64 Dec 12 13:38 ..
drwxr-xr-x 1 nobody nogroup   756 Dec 12 15:13 .nicegui
-rwxr-xr-x 1 nobody root    28672 Dec 11 19:09 habits.db
$ whoami
nobody
$ ls -la /app
total 4
drwxrwxr-x 1 nobody root   64 Dec 12 13:38 .
drwxr-xr-x 1 root   root  158 Dec 12 13:38 ..
drwxr-xr-x 1 nobody users  34 Dec 12 15:09 .user
drwxrwxr-x 1 nobody root  210 Dec  8 15:59 beaverhabits
-rwxrwxr-x 1 nobody root  975 Dec  8 15:59 start.sh
drwxrwxr-x 1 nobody root   26 Dec  8 15:59 statics
$ whoami
nobody

@daya0576
Owner

You're welcome! Glad to hear that this solution is working for you.
