[Bug] Nginx Permission Denied /var/tmp/nginx/default_site.conf #315

Open
pops64 opened this issue Jan 9, 2024 · 7 comments
pops64 commented Jan 9, 2024

Current Behavior

On docker compose up, Nginx returns a permission denied error when trying to open /var/tmp/nginx/default_site.conf and exits with code 1

Expected Behavior

For handbrake docker to launch successfully

Steps To Reproduce

Run docker compose fresh with latest image

Environment

  • OS: Arch
  • OS version: Rolling, Linux Kernel Version 6.6.9
  • CPU: AMD i7
  • Docker version:
  • Device model:
  • Browser/OS:
    Docker Info Output

Container creation

Docker compose

version: '3'
services:
  handbrake:
    image: jlesage/handbrake
    ports:
      - "5800:5800"
    volumes:
      - "./appdata:/config:rw"
      - "/mnt//*****//Videos:/storage:ro"
      - "/mnt/*****/Videos/HandBrake/watch:/watch:rw"
      - "/mnt//*****//Videos/HandBrake/output:/output:rw"
    environment:
      - PUID = 1000
      - PGID = 1000
    devices:
      - /dev/dri:/dev/dri
    deploy:
      resources:
          limits:
            cpus: '6'
            memory: 4G

Container log

Attaching to handbrake-1
handbrake-1  | [init        ] container is starting...
handbrake-1  | [cont-env    ] loading container environment variables...
handbrake-1  | [cont-env    ] APP_NAME: loading...
handbrake-1  | [cont-env    ] APP_VERSION: loading...
handbrake-1  | [cont-env    ] DISPLAY: executing...
handbrake-1  | [cont-env    ] DISPLAY: terminated successfully.
handbrake-1  | [cont-env    ] DISPLAY: loading...
handbrake-1  | [cont-env    ] DOCKER_IMAGE_PLATFORM: loading...
handbrake-1  | [cont-env    ] DOCKER_IMAGE_VERSION: loading...
handbrake-1  | [cont-env    ] GTK2_RC_FILES: executing...
handbrake-1  | [cont-env    ] GTK2_RC_FILES: terminated successfully.
handbrake-1  | [cont-env    ] GTK2_RC_FILES: loading...
handbrake-1  | [cont-env    ] GTK_THEME: executing...
handbrake-1  | [cont-env    ] GTK_THEME: terminated successfully.
handbrake-1  | [cont-env    ] GTK_THEME: loading...
handbrake-1  | [cont-env    ] HOME: loading...
handbrake-1  | [cont-env    ] INSTALL_PACKAGES_INTERNAL: executing...
handbrake-1  | [cont-env    ] INSTALL_PACKAGES_INTERNAL: terminated successfully.
handbrake-1  | [cont-env    ] INSTALL_PACKAGES_INTERNAL: loading...
handbrake-1  | [cont-env    ] QT_STYLE_OVERRIDE: executing...
handbrake-1  | [cont-env    ] QT_STYLE_OVERRIDE: terminated successfully.
handbrake-1  | [cont-env    ] QT_STYLE_OVERRIDE: loading...
handbrake-1  | [cont-env    ] SUP_GROUP_IDS_INTERNAL: executing...
handbrake-1  | [cont-env    ] SUP_GROUP_IDS_INTERNAL: terminated successfully.
handbrake-1  | [cont-env    ] SUP_GROUP_IDS_INTERNAL: loading...
handbrake-1  | [cont-env    ] TAKE_CONFIG_OWNERSHIP: loading...
handbrake-1  | [cont-env    ] XDG_CACHE_HOME: loading...
handbrake-1  | [cont-env    ] XDG_CONFIG_HOME: loading...
handbrake-1  | [cont-env    ] XDG_DATA_HOME: loading...
handbrake-1  | [cont-env    ] XDG_RUNTIME_DIR: loading...
handbrake-1  | [cont-env    ] XDG_STATE_HOME: loading...
handbrake-1  | [cont-env    ] container environment variables initialized.
handbrake-1  | [cont-secrets] loading container secrets...
handbrake-1  | [cont-secrets] container secrets loaded.
handbrake-1  | [cont-init   ] executing container initialization scripts...
handbrake-1  | [cont-init   ] 10-certs.sh: executing...
handbrake-1  | [cont-init   ] 10-certs.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-check-app-niceness.sh: executing...
handbrake-1  | [cont-init   ] 10-check-app-niceness.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-clean-logmonitor-states.sh: executing...
handbrake-1  | [cont-init   ] 10-clean-logmonitor-states.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-clean-tmp-dir.sh: executing...
handbrake-1  | [cont-init   ] 10-clean-tmp-dir.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-fontconfig-cache-dir.sh: executing...
handbrake-1  | [cont-init   ] 10-fontconfig-cache-dir.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-init-users.sh: executing...
handbrake-1  | [cont-init   ] 10-init-users.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-nginx.sh: executing...
handbrake-1  | [cont-init   ] 10-nginx.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-openbox.sh: executing...
handbrake-1  | [cont-init   ] 10-openbox.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-pkgs-mirror.sh: executing...
handbrake-1  | [cont-init   ] 10-pkgs-mirror.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-set-tmp-dir-perms.sh: executing...
handbrake-1  | [cont-init   ] 10-set-tmp-dir-perms.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-vnc-password.sh: executing...
handbrake-1  | [cont-init   ] 10-vnc-password.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-web-data.sh: executing...
handbrake-1  | [cont-init   ] 10-web-data.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-x11-unix.sh: executing...
handbrake-1  | [cont-init   ] 10-x11-unix.sh: terminated successfully.
handbrake-1  | [cont-init   ] 10-xdg-runtime-dir.sh: executing...
handbrake-1  | [cont-init   ] 10-xdg-runtime-dir.sh: terminated successfully.
handbrake-1  | [cont-init   ] 15-cjk-font.sh: executing...
handbrake-1  | [cont-init   ] 15-cjk-font.sh: terminated successfully.
handbrake-1  | [cont-init   ] 15-install-pkgs.sh: executing...
handbrake-1  | [cont-init   ] 15-install-pkgs.sh: terminated successfully.
handbrake-1  | [cont-init   ] 54-check-optical-drive.sh: executing...
handbrake-1  | [cont-init   ] 54-check-optical-drive.sh: looking for usable optical drives...
handbrake-1  | [cont-init   ] 54-check-optical-drive.sh: no usable optical drive found.
handbrake-1  | [cont-init   ] 54-check-optical-drive.sh: terminated successfully.
handbrake-1  | [cont-init   ] 54-check-qsv.sh: executing...
handbrake-1  | [cont-init   ] 54-check-qsv.sh: Processor: AMD Ryzen 7 5700X 8-Core Processor             
handbrake-1  | [cont-init   ] 54-check-qsv.sh: Microarchitecture: AMD_ZEN3
handbrake-1  | [cont-init   ] 54-check-qsv.sh: Kernel: 6.6.9-arch1-1
handbrake-1  | [cont-init   ] 54-check-qsv.sh: Intel Quick Sync Video may not be supported: processor not QSV capable.
handbrake-1  | [cont-init   ] 54-check-qsv.sh: terminated successfully.
handbrake-1  | [cont-init   ] 54-check-trash-dir.sh: executing...
handbrake-1  | [cont-init   ] 54-check-trash-dir.sh: terminated successfully.
handbrake-1  | [cont-init   ] 55-handbrake.sh: executing...
handbrake-1  | [cont-init   ] 55-handbrake.sh: core dump file location: |/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
handbrake-1  | [cont-init   ] 55-handbrake.sh: core dump file size: unlimited (blocks)
handbrake-1  | [cont-init   ] 55-handbrake.sh: terminated successfully.
handbrake-1  | [cont-init   ] 85-take-config-ownership.sh: executing...
handbrake-1  | [cont-init   ] 85-take-config-ownership.sh: terminated successfully.
handbrake-1  | [cont-init   ] 89-info.sh: executing...
handbrake-1  |     ╭――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╮
handbrake-1  |     │                                                                      │
handbrake-1  |     │ Application:           HandBrake                                     │
handbrake-1  |     │ Application Version:   1.7.2                                         │
handbrake-1  |     │ Docker Image Version:  23.12.2                                       │
handbrake-1  |     │ Docker Image Platform: linux/amd64                                   │
handbrake-1  |     │                                                                      │
handbrake-1  |     ╰――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――╯
handbrake-1  | [cont-init   ] 89-info.sh: terminated successfully.
handbrake-1  | [cont-init   ] all container initialization scripts executed.
handbrake-1  | [init        ] giving control to process supervisor.
handbrake-1  | [supervisor  ] loading services...
handbrake-1  | [supervisor  ] loading service 'default'...
handbrake-1  | [supervisor  ] loading service 'app'...
handbrake-1  | [supervisor  ] loading service 'gui'...
handbrake-1  | [supervisor  ] loading service 'nginx'...
handbrake-1  | [supervisor  ] loading service 'xvnc'...
handbrake-1  | [supervisor  ] loading service 'certsmonitor'...
handbrake-1  | [supervisor  ] service 'certsmonitor' is disabled.
handbrake-1  | [supervisor  ] loading service 'openbox'...
handbrake-1  | [supervisor  ] loading service 'logrotate'...
handbrake-1  | [supervisor  ] loading service 'logmonitor'...
handbrake-1  | [supervisor  ] service 'logmonitor' is disabled.
handbrake-1  | [supervisor  ] loading service 'autovideoconverter'...
handbrake-1  | [supervisor  ] all services loaded.
handbrake-1  | [supervisor        ] starting services...
handbrake-1  | [supervisor        ] starting service 'xvnc'...
handbrake-1  | [xvnc              ] Xvnc TigerVNC 1.13.1 - built Nov 10 2023 13:43:39
handbrake-1  | [xvnc              ] Copyright (C) 1999-2022 TigerVNC Team and many others (see README.rst)
handbrake-1  | [xvnc              ] See https://www.tigervnc.org for information on TigerVNC.
handbrake-1  | [xvnc              ] Underlying X server release 12014000
handbrake-1  | [xvnc              ] Tue Jan  9 01:44:17 2024
handbrake-1  | [xvnc              ]  vncext:      VNC extension running!
handbrake-1  | [xvnc              ]  vncext:      Listening for VNC connections on /tmp/vnc.sock (mode 0660)
handbrake-1  | [xvnc              ]  vncext:      Listening for VNC connections on all interface(s), port 5900
handbrake-1  | [xvnc              ]  vncext:      created VNC server for screen 0
handbrake-1  | [supervisor        ] starting service 'nginx'...
handbrake-1  | [nginx             ] Listening for HTTP connections on port 5800.
handbrake-1  | [nginx             ] nginx: [emerg] open() "/var/tmp/nginx/default_site.conf" failed (13: Permission denied) in /opt/base/etc/nginx/nginx.conf:76
handbrake-1  | [supervisor        ] service 'nginx' failed to be started: not ready after 5000 msec, giving up.
handbrake-1  | [supervisor        ] stopping service 'nginx'...
handbrake-1  | [supervisor        ] service 'nginx' exited (with status 1).
handbrake-1  | [supervisor        ] stopping service 'xvnc'...
handbrake-1  | [xvnc              ] Tue Jan  9 01:44:23 2024
handbrake-1  | [xvnc              ]  ComparingUpdateTracker: 0 pixels in / 0 pixels out
handbrake-1  | [xvnc              ]  ComparingUpdateTracker: (1:-nan ratio)
handbrake-1  | [supervisor        ] service 'xvnc' exited (with status 0).
handbrake-1  | [finish      ] executing container finish scripts...
handbrake-1  | [finish      ] all container finish scripts executed.
handbrake-1 exited with code 1

Container inspect

No response

Anything else?

Tried running with different UIDs and GIDs. Attempted with local admin (not root) user ID and group. Tried with SMB GID and admin UID that has RWX to all files and folders the docker host volumes are stored in. Tried with docker UID and GID. Haven't tried root; would prefer to avoid using that. Tried removing the image and re-downloading. Did a chown to ensure file and folder directories are set correctly. From browsing Google this seems to be an issue related to the image and the permissions set. I need to set UID and GID as I was getting a chmod permission denied on the host volume location. I need handbrake as ffmpeg doesn't fully support av1_qsv and my headless server has my only av1_qsv capable card (ARC A380). Any help would be much appreciated.

@pops64 pops64 added the bug label Jan 9, 2024
Owner

jlesage commented Jan 12, 2024

First, the user is set via USER_ID and GROUP_ID environment variables.

But I'm not sure this will fix the issue you are seeing. Do you see the same problem if you run docker run --rm jlesage/handbrake?

Author

pops64 commented Jan 18, 2024

Yeah, it's a permission issue on my end, sorry for the bug report

@pops64 pops64 closed this as completed Jan 18, 2024
Author

pops64 commented May 20, 2024

Reopening this. I have tried setting it to my user ID. I have tried leaving out the user ID. No such luck, it doesn't want to give permissions to launch nginx. I even tried your command. I confirmed the appdata directory has the correct ownership.
Here is my docker compose file, in case I have an obvious error. The GID is a group that has access to everything. I am interacting with SMB shares. And the group add is the render group for the passthrough of the GPU.

version: '3'
services:
  handbrake:
    image: jlesage/handbrake
    container_name: handbrake
    ports:
      - "5800:5800"
    volumes:
      - "./appdata:/config:rw"
      - "/mnt/tank/Videos:/storage:ro"
      - "/mnt/tank/Videos/HandBrake/watch:/watch:rw"
      - "/mnt/tank/Videos/HandBrake/output:/output:rw"
    group_add:
      - "989"
    environment:
      - PUID = 1000
      - PGID = 1001
    devices:
      - /dev/dri:/dev/dri
    deploy:
      resources:
          limits:
            cpus: '6'
            memory: 4G

@pops64 pops64 reopened this May 20, 2024
Owner

jlesage commented May 25, 2024

Are you saying that docker run --rm jlesage/handbrake gives the same error?

Author

pops64 commented May 25, 2024

Yes. It doesn't have permission regardless of the UID/GID set, or if I run docker run --rm jlesage/handbrake or docker run --rm --privileged jlesage/handbrake. I am on Arch and have a bare install. Is there some weird docker dependency needed that is missing on Arch?

Owner

jlesage commented May 25, 2024

docker run --rm jlesage/handbrake should definitely work. Looks like files copied are not respecting the defined umask. On what kind of file system is Docker running?

While docker run --rm --name handbrake jlesage/handbrake is executing, are you able to run docker exec handbrake ls -l /var/tmp/nginx/default_site.conf multiple times in another shell? I would like to see permissions on this created file.

Author

pops64 commented Jul 15, 2024

Sorry for the late reply. It is running on top of ZFS for my docker storage and ext4 is the OS. The docker binaries are on the OS filesystem. The Docker data is on a ZFS share with root:root as the owner. Host volumes are on a separate ZFS share with a different owner and group. I have added the root user to the group I have set to have access to this separate share.

[***@***]$ docker exec handbrake ls -l /var/tmp/nginx/default_site.conf
-rw-r-----+ 1 root root 1008 Jul 15 16:23 /var/tmp/nginx/default_site.conf
[***@***]$ docker exec handbrake ls -l /var/tmp/nginx/default_site.conf
-rw-r-----+ 1 root root 1008 Jul 15 16:23 /var/tmp/nginx/default_site.conf
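
Reading the `ls -l` output posted above, as an added example that is not part of the thread or the project's code: the function decodes the mode string, reports whether a given account gets read access from the mode bits alone, and flags the trailing `+` that marks an ACL. The account name `app` and its group list are assumptions made up for illustration.

```shell
#!/bin/sh
# Added example: decide from an `ls -l` line whether an account can read the
# file according to the classic mode bits, and flag a trailing '+' (ACL).
# Usage: ls_read_check "<ls -l line>" <user> "<space-separated groups>"
# Prints "yes" or "no", followed by " acl" when an ACL is present.
ls_read_check() {
    line=$1; user=$2; groups=$3
    # Split the ls line into fields: mode, links, owner, group, ...
    set -f; set -- $line; set +f
    mode=$1; owner=$3; group=$4

    # Pick the permission class that applies: owner, then group, then other.
    if [ "$user" = "$owner" ]; then
        col=2
    else
        col=8
        for g in $groups; do
            if [ "$g" = "$group" ]; then col=5; fi
        done
    fi

    # root normally bypasses mode bits (CAP_DAC_OVERRIDE); others need 'r'.
    bit=$(printf '%s' "$mode" | cut -c"$col")
    if [ "$user" = root ] || [ "$bit" = r ]; then
        result=yes
    else
        result=no
    fi

    # An 11th character '+' means ACL entries exist; `getfacl` lists them.
    case $mode in
        ??????????+) result="$result acl" ;;
    esac
    printf '%s\n' "$result"
}

# Line copied from the thread's `docker exec ... ls -l` output.
SAMPLE='-rw-r-----+ 1 root root 1008 Jul 15 16:23 /var/tmp/nginx/default_site.conf'

# 'app' with groups 'app render' is a constructed, hypothetical service account.
ls_read_check "$SAMPLE" app "app render"
ls_read_check "$SAMPLE" root "root"
```

With POSIX ACLs the group column of `ls -l` shows the ACL mask rather than the owning group's own bits, so `getfacl` on the file is the authoritative view of who can read it.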
