[BUG] s6-rc: warning: unable to start service init-permissions: command exited 1

[giovannipapini]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Service keeps restarting ending with error related to init-permissions unable to start.

Expected Behavior

No response

Steps To Reproduce

• on raspberry pi
• starting from version lscr.io/linuxserver/swag:3.0.1-ls347
• docker compose spec

  server:
    image: 'lscr.io/linuxserver/swag:3.0.1-ls347'
    container_name: 'swag'
    restart: 'unless-stopped'
    healthcheck:
      test: [ 'CMD-SHELL', 'curl localhost:8000/healthcheck || exit 1' ]
      start_period: '300s'
      interval: '5s'
      timeout: '10s'
    hostname: 'swag'
    networks:
      proxy:
      cloudflared:
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    configs:
      - source: 'cloudflare.certbot.credentials'
        target: '/config/dns-conf/cloudflare.ini'
    volumes:
      #- 'server_config:/config/etc'
      - 'server_keys:/config/keys'
      - 'modcache:/modcache'
      - '$REMOTE_RESOURCES/swag/nginx.conf:/config/nginx/nginx.conf:ro'
      - '$REMOTE_RESOURCES/swag/proxy.conf:/config/nginx/proxy.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.location.conf:/config/nginx/snippets/authelia/location.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.authrequest.conf:/config/nginx/snippets/authelia/authrequest.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.location.basic.conf:/config/nginx/snippets/authelia/location.basic.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.authrequest.basic.conf:/config/nginx/snippets/authelia/authrequest.basic.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/default.conf:/config/nginx/site-confs/default.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/auth.conf:/config/nginx/site-confs/auth.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/subdomains.conf:/config/nginx/site-confs/subdomains.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/swag.dashboard.conf:/config/nginx/site-confs/swag.dashboard.conf:ro'
      - '$REMOTE_RESOURCES/swag/html/errors:/usr/share/nginx/html/errors:ro'
    environment:
      TZ: 'Europe/Rome'
      PUID: '1000'
      PGID: '1000'
      URL: '$CTX_DOMAIN'
      VALIDATION: 'dns'
      SUBDOMAINS: 'wildcard'
      DNSPLUGIN: 'cloudflare'
      DOCKER_MODS: 'linuxserver/mods:universal-cloudflared|linuxserver/mods:universal-stdout-logs|ghcr.io/linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-maxmind|linuxserver/mods:swag-dashboard'
      CF_ZONE_ID: '$OP_CF_ZONE_ID'
      CF_ACCOUNT_ID: '$OP_CF_ACCOUNT_ID'
      CF_API_TOKEN: '$OP_CF_API_TOKEN'
      CF_TUNNEL_NAME: 'swag'
      CF_TUNNEL_PASSWORD: '$OP_CF_TUNNEL_PASSWORD'
      CF_TUNNEL_CONFIG: |
        originRequest:
          originServerName: gvpn.ovh

        ingress:
          - hostname: 'gvpn.ovh'
            service: 'https://localhost:443'
          - hostname: '*.gvpn.ovh'
            service: 'https://localhost:443'
          - service: 'http_status:404'
      TUNNEL_METRICS: ':8080'
      LOGS_TO_STDOUT: '/var/log/nginx/error.log|/config/log/nginx/access.log'
      CROWDSEC_API_KEY: '$OP_CROWDSEC_API_KEY'
      CROWDSEC_LAPI_URL: 'http://crowdsec:8080'
      CROWDSEC_SITE_KEY: '$OP_CROWDSEC_SITE_KEY'
      CROWDSEC_APPSEC_URL: 'http://crowdsec:7422'
      CROWDSEC_CAPTCHA_PROVIDER: 'turnstile'
      CROWDSEC_SECRET_KEY: '$OP_CROWDSEC_SECRET_KEY'
      CROWDSEC_F2B_DISABLE: 'false'
      MAXMINDDB_USER_ID: '$OP_MAXMIND_GEOLITE2_USER_ID'
      MAXMINDDB_LICENSE_KEY: '$OP_MAXMIND_GEOLITE2_LICENSE_KEY'

• docker compose up

Environment

~ ❯ cat /etc/os-release                                                                                                                                             with pi@pi at 11:28:51 pm
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"

~ ❯ uname -r                                                                                                                                                        with pi@pi at 11:27:56 pm
6.6.62+rpt-rpi-2712

~ ❯ docker version                                                                                                                                                  with pi@pi at 11:29:49 pm
Client: Docker Engine - Community
 Version:           27.5.0
 API version:       1.47
 Go version:        go1.22.10
 Git commit:        a187fa5
 Built:             Mon Jan 13 15:24:48 2025
 OS/Arch:           linux/arm64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          27.5.0
  API version:      1.47 (minimum version 1.24)
  Go version:       go1.22.10
  Git commit:       38b84dc
  Built:            Mon Jan 13 15:24:48 2025
  OS/Arch:          linux/arm64
  Experimental:     false
 containerd:
  Version:          1.7.25
  GitCommit:        bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc:
  Version:          1.2.4
  GitCommit:        v1.2.4-0-g6c52b3f
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

CPU architecture

arm64

Docker creation

services:
  #
  server:
    image: 'lscr.io/linuxserver/swag:3.1.0-ls354'
    container_name: 'swag'
    restart: 'unless-stopped'
    healthcheck:
      test: [ 'CMD-SHELL', 'curl localhost:8000/healthcheck || exit 1' ]
      start_period: '300s'
      interval: '5s'
      timeout: '10s'
    hostname: 'swag'
    networks:
      proxy:
      cloudflared:
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    configs:
      - source: 'cloudflare.certbot.credentials'
        target: '/config/dns-conf/cloudflare.ini'
    volumes:
      #- 'server_config:/config/etc'
      - 'server_keys:/config/keys'
      - 'modcache:/modcache'
      - '$REMOTE_RESOURCES/swag/nginx.conf:/config/nginx/nginx.conf:ro'
      - '$REMOTE_RESOURCES/swag/proxy.conf:/config/nginx/proxy.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.location.conf:/config/nginx/snippets/authelia/location.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.authrequest.conf:/config/nginx/snippets/authelia/authrequest.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.location.basic.conf:/config/nginx/snippets/authelia/location.basic.conf:ro'
      - '$REMOTE_RESOURCES/swag/authelia.authrequest.basic.conf:/config/nginx/snippets/authelia/authrequest.basic.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/default.conf:/config/nginx/site-confs/default.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/auth.conf:/config/nginx/site-confs/auth.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/subdomains.conf:/config/nginx/site-confs/subdomains.conf:ro'
      - '$REMOTE_RESOURCES/swag/site-confs/swag.dashboard.conf:/config/nginx/site-confs/swag.dashboard.conf:ro'
      - '$REMOTE_RESOURCES/swag/html/errors:/usr/share/nginx/html/errors:ro'
    environment:
      TZ: 'Europe/Rome'
      PUID: '1000'
      PGID: '1000'
      URL: '$CTX_DOMAIN'
      VALIDATION: 'dns'
      SUBDOMAINS: 'wildcard'
      DNSPLUGIN: 'cloudflare'
      DOCKER_MODS: 'linuxserver/mods:universal-cloudflared|linuxserver/mods:universal-stdout-logs|ghcr.io/linuxserver/mods:swag-crowdsec|linuxserver/mods:swag-maxmind|linuxserver/mods:swag-dashboard'
      CF_ZONE_ID: '$OP_CF_ZONE_ID'
      CF_ACCOUNT_ID: '$OP_CF_ACCOUNT_ID'
      CF_API_TOKEN: '$OP_CF_API_TOKEN'
      CF_TUNNEL_NAME: 'swag'
      CF_TUNNEL_PASSWORD: '$OP_CF_TUNNEL_PASSWORD'
      CF_TUNNEL_CONFIG: |
        originRequest:
          originServerName: gvpn.ovh

        ingress:
          - hostname: 'gvpn.ovh'
            service: 'https://localhost:443'
          - hostname: '*.gvpn.ovh'
            service: 'https://localhost:443'
          - service: 'http_status:404'
      TUNNEL_METRICS: ':8080'
      LOGS_TO_STDOUT: '/var/log/nginx/error.log|/config/log/nginx/access.log'
      CROWDSEC_API_KEY: '$OP_CROWDSEC_API_KEY'
      CROWDSEC_LAPI_URL: 'http://crowdsec:8080'
      CROWDSEC_SITE_KEY: '$OP_CROWDSEC_SITE_KEY'
      CROWDSEC_APPSEC_URL: 'http://crowdsec:7422'
      CROWDSEC_CAPTCHA_PROVIDER: 'turnstile'
      CROWDSEC_SECRET_KEY: '$OP_CROWDSEC_SECRET_KEY'
      CROWDSEC_F2B_DISABLE: 'false'
      MAXMINDDB_USER_ID: '$OP_MAXMIND_GEOLITE2_USER_ID'
      MAXMINDDB_LICENSE_KEY: '$OP_MAXMIND_GEOLITE2_LICENSE_KEY'
[...]

### Container logs

```bash
[mod-init] Running Docker Modification Logic
[mod-init] Adding linuxserver/mods:universal-cloudflared to container
[mod-init] linuxserver/mods:universal-cloudflared at sha256:cf89fc333e9c392a333d35c7809ddcf6309de708df9a79be763c68a076c7b158 found in modcache, applying
[mod-init] Installing linuxserver/mods:universal-cloudflared
[mod-init] linuxserver/mods:universal-cloudflared applied to container
[mod-init] Adding linuxserver/mods:universal-stdout-logs to container
[mod-init] linuxserver/mods:universal-stdout-logs at sha256:8c18e44b783915bb2856e54651657df8a0dd799c71a41a1943d8c43a1300d274 found in modcache, applying
[mod-init] Installing linuxserver/mods:universal-stdout-logs
[mod-init] linuxserver/mods:universal-stdout-logs applied to container
[mod-init] Adding linuxserver/mods:swag-crowdsec to container
[mod-init] linuxserver/mods:swag-crowdsec at sha256:f81f99add5c5de7ff505f71a8fe96f93407df1943f77c0d785aa9cee06641e4a found in modcache, applying
[mod-init] Installing linuxserver/mods:swag-crowdsec
[mod-init] linuxserver/mods:swag-crowdsec applied to container
[mod-init] Adding linuxserver/mods:swag-maxmind to container
[mod-init] linuxserver/mods:swag-maxmind at sha256:4f920f4949af13674bd0fdcb6010af441b51577e4096a28887e3fce10915415c found in modcache, applying
[mod-init] Installing linuxserver/mods:swag-maxmind
[mod-init] linuxserver/mods:swag-maxmind applied to container
[mod-init] Adding linuxserver/mods:swag-dashboard to container
[mod-init] linuxserver/mods:swag-dashboard at sha256:7923509263d7e4a92b693ed23c60d8d35e8e24a97bf06ea549be910c99256d7d found in modcache, applying
[mod-init] Installing linuxserver/mods:swag-dashboard
[mod-init] linuxserver/mods:swag-dashboard applied to container
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] 02-swag-old-certbot-paths: skipped
[migrations] done
───────────────────────────────────────

      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝

   Brought to you by linuxserver.io
───────────────────────────────────────

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/

───────────────────────────────────────
GID/UID
───────────────────────────────────────

User UID:    1000
User GID:    1000
───────────────────────────────────────
Linuxserver.io version: 3.1.0-ls354
Build-date: 2025-01-11T03:29:52+00:00
───────────────────────────────────────
    
sed: can't move '/config/nginx/nginx.confbopojm' to '/config/nginx/nginx.conf': Resource busy
using keys found in /config/keys
chmod: changing permissions of '/config/nginx/nginx.conf': Read-only file system
chmod: changing permissions of '/config/nginx/snippets/authelia/authrequest.basic.conf': Read-only file system
chmod: changing permissions of '/config/nginx/snippets/authelia/location.basic.conf': Read-only file system
chmod: changing permissions of '/config/nginx/snippets/authelia/location.conf': Read-only file system
chmod: changing permissions of '/config/nginx/snippets/authelia/authrequest.conf': Read-only file system
chmod: changing permissions of '/config/nginx/site-confs/default.conf': Read-only file system
chmod: changing permissions of '/config/nginx/site-confs/subdomains.conf': Read-only file system
chmod: changing permissions of '/config/nginx/site-confs/swag.dashboard.conf': Read-only file system
chmod: changing permissions of '/config/nginx/site-confs/auth.conf': Read-only file system
chmod: changing permissions of '/config/nginx/proxy.conf': Read-only file system
s6-rc: warning: unable to start service init-permissions: command exited 1
/run/s6/basedir/scripts/rc.init: warning: s6-rc failed to properly bring all the services up! Check your logs (in /run/uncaught-logs/current if you have in-container logging) for more information.
/run/s6/basedir/scripts/rc.init: fatal: stopping the container.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[j0nnymoe]

Read-only file system

Issues with your file system? Full disk?

[aptalca]

They're bind mounting a bunch of individual config files as read only, which is something we do not support.

Config folder belongs to the container and needs to be writeable by the container.

[thespad]

Same hare after little maintance of services, QNAP:

NAME="QTS"
VERSION="5.2.2 (20241121)"
ID=qts
PRETTY_NAME="QTS 5.2.2 (20241121)"
VERSION_ID="5.2.2"

device is TS-453D

Your issue is unrelated to OP and is due to #514

[giovannipapini]

Solved by following @aptalca suggestion: mounted the entire nginx configuration directory instead of single files.

Thank you.