Docker (compose) Permission denied

miura
miura
Community Member
in Secrets Automation

I'm having trouble getting Connect up and running with Docker Compose. I believe my problems is somewhere related to a user and/or its rights. I am running Docker on my Synology NAS where I created a specific 'Shared Folder' named 1password. I also created an user (with has UID 1042) for further trial/error testing.

I currently have the following compose file:

version: "3.4"

services:
  1password-connect-api:
    image: 1password/connect-api:latest
    #user: "1042"
    ports:
      - "8888:8080"
    volumes:
      - /volume1/1password/1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
      - /volume1/1password/data:/home/opuser/.op/data
    restart: unless-stopped

  1password-connect-sync:
    image: 1password/connect-sync:latest
    #user: "1042"
    ports:
      - "8881:8080"
    volumes:
      - /volume1/1password/1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
      - /volume1/1password/data:/home/opuser/.op/data
    restart: unless-stopped

This gives me the following error from both containers:

unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied

This led me to configure a '1password' user (UID 1042) and tell the containers to run as that user using:

user: 1042

This does get me through the permission denied problems (which makes me assume the 'user' does indeed work and 'do something'). But now it doesn't seem to be able and/or create the database:

1password-connect-api_1 | {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-01-14T13:13:28.600675519Z","level":3}
1password-connect-sync_1 | {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-01-14T13:13:27.719489908Z","level":3}
1password-connect-sync_1 | Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory

I also tried to change the permissions of the Shared Folder and it's subfolder in order for 'Everyone' to have read/write, but then I get an error like 'Permissions too broad' (which seems quite fair and indeed very unwanted)

I am currently out of ideas on how to get this running. Anyone who can point me in the right direction?

1Password Version: 7.9.2
Extension Version: Not Provided
OS Version: macOS 12.1

Comments

  • miura
    miura
    Community Member

    I am actually one step further. I tried to use the example Docker Compose file (https://github.com/1Password/connect/blob/main/examples/docker/compose/docker-compose.yaml) instead of my modified one. I guess I don't fully understand the usage of volumes yet. I got the containers running.
    However, I had to give 'Everyone' permission to the folder, thus including access to the credantials-json. Not something I believe I want to continue using.

    When using the 'user: "1042"' config, the containers fail to create a database:

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T10:24:11.901908858Z","level":3}

    What is the proper way to run the containers from within a limited-access folder?

  • Joris_1P
    Joris_1P

    Hi @miura,

    Thank you for reaching out. Sorry for my late reply, but I am glad you made some progress. What you are describing is indeed a less-than-ideal situation with docker-compose. I am not sure if this is something that we can address on a Synology NAS, but let's give it a try.

    The no database found log line you're seeing, is not necessarily an error. It indicates that the API container is waiting for the sync container to come online and create the shared database. Could you maybe share the logs of the sync container?

  • miura
    miura
    Community Member

    Just to be sure: I removed 'Everyone' from the Permission-list of the Folder. My Docker-Compose file with the specified user-id:

    version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    user: "1042"
    ports:
      - "8888:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    user: "1042"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "data:/home/opuser/.op/data"

volumes:
  data:

    User '1password' having Read/Write access to my '1password' Shard Folder and (sub)files containing the docker-compose.yml and credentials file, including the UID of this user

    Logging from api-container

    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T11:58:01.374531594Z","level":2}
    {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-02-09T11:58:01.375385141Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T11:58:01.376055616Z","level":3}
    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 33709 /meta/message","timestamp":"2022-02-09T11:58:01.37452708Z","level":3}
    {"log_message":"(I) established incoming bus peer connection","timestamp":"2022-02-09T11:58:01.38045443Z","level":3}

    Logging from sync-container

    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T11:58:01.27942699Z","level":2}
    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 35052 /meta/message","timestamp":"2022-02-09T11:58:01.279515199Z","level":3}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-09T11:58:01.285430604Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T11:58:01.285477533Z","level":3}
    {"log_message":"(I) database initialization complete","timestamp":"2022-02-09T11:58:01.381435241Z","level":3}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:01.3818318Z","level":3}
    {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 500ms), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:01.381976897Z","level":1}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:01.882164464Z","level":3}
    {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 1s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:01.882328973Z","level":1}
    {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:02.882528988Z","level":3}
    {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 2s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:02.882733291Z","level":1}

  • Joris_1P
    Joris_1P

    Thanks for all the extra info, that is really helpful!

    What I think that happens, is that the data volume (the second volume) has been created but is not accessible to the correct user. There are a few things we can try:

    • You could try deleting the volume. If you can run docker-compose commands, that can be done with docker-compose down -v. Then try bringing it up again.
    • Otherwise, you could also map the data volume to the same volume where the credentials are stored. For example:
    version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    user: "1042"
    ports:
      - "8888:8080"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "./data:/home/opuser/.op/data"
  op-connect-sync:
    image: 1password/connect-sync:latest
    user: "1042"
    volumes:
      - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
      - "./data:/home/opuser/.op/data"

volumes:
  data:

    Let me know if this changes anything.

  • miura
    miura
    Community Member
    1. Removed the volume with docker-compose down -v and brought back up new containers:

    Logging from the api-container

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:37.725200632Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:38.725720387Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:39.726815153Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:40.726971703Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:41.727477047Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:42.727625419Z","level":3}

    Logging from the sync-container

    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T12:46:37.759709242Z","level":2}
    {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T12:46:37.760142251Z","level":3}
    Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 38321 /meta/message","timestamp":"2022-02-09T12:46:37.759784492Z","level":3}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-09T12:46:37.762771554Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T12:46:37.762822781Z","level":3}
    Usage:
    connect-sync [flags]
    Flags:
    -h, --help help for connect-sync
    -v, --version version for connect-sync

    1. Using the compose file as suggested, with a data-folder within the same volume as where the credentials are stored:

    Logging from the api-container

    unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied
    unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied
    unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied

    Logging from the sync-container

    Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T12:50:29.740318108Z","level":2}
    {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T12:50:29.740786497Z","level":3}
    Usage:
    connect-sync [flags]
    Flags:
    -h, --help help for connect-sync
    -v, --version version for connect-sync

  • miura
    miura
    Community Member

    After:
    1. properly removing the volume with docker-compose down -v (how do you use inline-quoting :) ?) and recreating the containers and 2. trying the different mounting path for the data volume (both show the same behaviour)

    api-container

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:54.588109833Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:55.589474492Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:56.590461379Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:57.591539601Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:58.592468125Z","level":3}

    sync-container

    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T13:05:54.889705141Z","level":2}
    {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T13:05:54.891449813Z","level":3}
    Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
    Usage:
    connect-sync [flags]

    Flags:
    -h, --help help for connect-sync
    -v, --version version for connect-sync

  • Joris_1P
    Joris_1P
    edited February 2022

    It seems like something is going wrong now with determining the home directory. Connect says it is looking in /.op/data/1password.sqlite instead of /home/opuser/.op/data/1password.sqlite.

    What we can give a try, is manually specifying the correct location by setting XDG_DATA_HOME to /home/opuser/. You can do that by adding the following line to the specification of both containers (just above volumes:):

        environment:
      XDG_DATA_HOME: "/home/opuser/"

    PS. you can use inline codeblocks by wrapping the code in a single tilde, so:

    `docker-compose down -v`
  • miura
    miura
    Community Member

    Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/home/opuser/.op" because it's not owned by the current user. Change the owner or logged in user and try again.
    Usage:
    connect-api [flags]

    Flags:
    -h, --help help for connect-api
    -v, --version version for connect-api

  • Joris_1P
    Joris_1P

    Hmm, that's a bummer.

    Some things you could try:

    chown -R 1042 /home/opuser/.op

    Or if the Synology interface allows this, you could try making the 1password user the owner of that directory (I am not familiar with Synology enough to tell if this is possible).

  • miura
    miura
    Community Member

    I am digging a bit deeper into my problems and I am wondering whether this Image Layer could be (partially) the cause of my issue:

    RUN RUN groupadd -g 999 opuser && useradd -r -u 999 -g opuser opuser && mkdir -p /home/opuser/.op/data && chown -R opuser /home/opuser && chmod -R 700 /home/opuser/.op # buildkit

    The folders are very specifically created by user opuser. No matter how I mount my volumes (- "data:..." or - "./data:...") I will keep having mismatched between the docker user and the host/folder. Do you agree with my findings? If so, what could we do to work around it :)

  • miura
    miura
    Community Member

    One of the problems is, when using the - "data:.." volume mount, the containers exit before I can exec into them to do chown:

    op-connect-sync_1 | {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-10T07:46:10.515989241Z","level":2}
    op-connect-sync_1 | {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 43507 /meta/message","timestamp":"2022-02-10T07:46:10.516746882Z","level":3}
    op-connect-sync_1 | Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/home/opuser/.op" because it's not owned by the current user. Change the owner or logged in user and try again.
    op-connect-sync_1 | {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-10T07:46:10.518789319Z","level":3}
    op-connect-sync_1 | {"log_message":"(I) serving on :8080","timestamp":"2022-02-10T07:46:10.518843407Z","level":3}
    op-connect-sync_1 | Usage:
    op-connect-sync_1 | connect-sync [flags]
    op-connect-sync_1 |
    op-connect-sync_1 | Flags:
    op-connect-sync_1 | -h, --help help for connect-sync
    op-connect-sync_1 | -v, --version version for connect-sync
    op-connect-sync_1 |
    1password_op-connect-sync_1 exited with code 0

    This gives me no time to run any command unfortunately.

  • Joris_1P
    Joris_1P

    The folders are very specifically created by user opuser. No matter how I mount my volumes (- "data:..." or - "./data:...") I will keep having mismatched between the docker user and the host/folder. Do you agree with my findings? If so, what could we do to work around it :)

    I think you're right here. Though that also suggests an alternative solution: what if you replace both volume mounts with this one: ./:/home/opuser/.op (make sure the 1password-credentials.json file is in ./). With a bit of luck, that works because the /home/opuser/.op is then owned by user 1042.

    Alternatively, it is possible to execute a command during startup by modifying the entrypoint of one of the containers:

    entrypoint: ["/bin/sh", "-c", "echo 'This text gets printed during startup' && connect-api"]

    or

    entrypoint: ["/bin/sh", "-c", "echo 'This text gets printed during startup' && connect-sync"]

    One final thing worth checking: is it possible to choose which ID gets assigned to the user you create in the Synology software? If so, could you create one with ID 999?

  • miura
    miura
    Community Member

    Using:
    entrypoint: ["/bin/sh", "-c", "chown -R 1042 /home/opuser/.op && connect-api"]
    Gives:

    op-connect-api_1 | chown: cannot read directory '/home/opuser/.op': Permission denied

    Using
    entrypoint: ["/bin/sh", "-c", "sudo chown -R 1042 /home/opuser/.op && connect-api"]
    Gives:

    op-connect-api_1 | /bin/sh: 1: sudo: not found

    Just to be sure, is this what you meant with your first suggestion?:

    version: "3.4"

services:
  op-connect-api:
    image: 1password/connect-api:latest
    user: "1042"
    ports:
      - "8888:8080"
    volumes:
      - "./:/home/opuser/.op"
  op-connect-sync:
    image: 1password/connect-sync:latest
    user: "1042"
    volumes:
      - "./:/home/opuser/.op"
  • Joris_1P
    Joris_1P

    Just to be sure, is this what you meant with your first suggestion?:

    Yes. Assuming that ./ is owned by user 1042 in the Synology interface.

  • miura
    miura
    Community Member
    edited February 2022

    Terminal screenshot from the host:

    Terminal screenshot from within the container:

    Showing that the folder are indeed owned by 1042, Unfortunately, still:

    Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
    {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-10T11:27:18.774745586Z","level":2}
    {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-10T11:27:18.77517923Z","level":3}
    {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 36900 /meta/message","timestamp":"2022-02-10T11:27:18.77483875Z","level":3}
    {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-10T11:27:18.776127624Z","level":3}
    {"log_message":"(I) serving on :8080","timestamp":"2022-02-10T11:27:18.776165348Z","level":3}
    Usage:
    connect-sync [flags]

    Flags:
    -h, --help help for connect-sync
    -v, --version version for connect-sync

    and

    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-10T11:27:19.263556135Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-10T11:27:20.264476045Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-10T11:27:21.265010184Z","level":3}
    {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-10T11:27:22.265173906Z","level":3}

    I did have some other findings though:
    I recreated the host folder from scratch, leaving root as the owner. I give usergroup 'SYSTEM' (id 1 I believe) access and left the user: "1042" out of the docker-compose, basically reverting back to the example provided from 1Password. This actually does work! ... ? What I am not 100% of, is whether this is any safe ...

  • Joris_1P
    Joris_1P

    I recreated the host folder from scratch, leaving root as the owner. I give usergroup 'SYSTEM' (id 1 I believe) access and left the user: "1042" out of the docker-compose, basically reverting back to the example provided from 1Password. This actually does work! ... ? What I am not 100% of, is whether this is any safe ...

    That's interesting and good to hear! I am inclined to say that that should be okay. Your main concern should be whether other users can access the directory (especially the credentials file) when accessing your NAS. I know too little about Synology or the exact setup to give a definitive answer, but but my feeling is that giving SYSTEM access should not be a problem. In fact, I'd expect that user to always have had access.

    For what it is still worth, the most recent logs seem to point at the same problem as here.

  • miura
    miura
    Community Member
    edited February 2022

    Just for the sake of testing, I tested with this compose-file:

    version: "3.4"

    services:
    op-connect-api:
    image: 1password/connect-api:latest
    user: "1042"
    ports:
    - "8888:8080"
    volumes:
    - "./:/home/opuser/.op"
    environment:
    XDG_DATA_HOME: "/home/opuser/"
    op-connect-sync:
    image: 1password/connect-sync:latest
    user: "1042"
    volumes:
    - "./:/home/opuser/.op"
    environment:
    XDG_DATA_HOME: "/home/opuser/"

    In combination with sudo chown -R 1042 1password to make sure the user 1042 is indeed the owner of the main folder and all of it's children. This results in the following:

    Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/home/opuser/.op" because it's not owned by the current user. Change the owner or logged in user and try again.

    I guess 1password still has some hard-coded user-config .. :) ?

  • Joris_1P
    Joris_1P

    I guess 1password still has some hard-coded user-config .. :) ?

    That's also what I thought, but I checked the code and that is not the case. The check uses the ID of the user that is running the process. So that should be 1042.

    One final idea, is that the root of the mountpoint gets treated differently by Docker. If that is the case, changing the mount to - "./:/home/opuser/" might work. That is something you could try for educational purposes, as you've already gotten it to work :)

  • miura
    miura
    Community Member

    I tried to play around a bit with your last suggestion. Also, instead of using the 'Shared Folder' as the root-folder I created a folder in the Shared Folder and run from this one. Perhaps Synology/Docker treats a Shared Folder a bit different as well.

    Unfortunately all end up with a:

    Error: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/home/opuser/.op" because it's not owned by the current user. Change the owner or logged in user and try again.

    I guess my (our ;) ) 'quest' ends here as I do have a working work-around/solution. Thanks a lot for your awesome support!

  • Joris_1P
    Joris_1P

    Thank you so much for thinking along and giving a lot of things a try!

This discussion has been closed.