Not Able to Delete Files
ChrisJBurns opened this issue · 40 comments
I am getting quite a lot of issues trying to delete files / directories on a Samba share.
I am able to create them without issue, but deleting them is where I just cannot get it to work.
docker-compose.yaml
---
version: "3.9"
services:
  samba:
    image: docker.io/servercontainers/samba:latest
    container_name: samba
    restart: unless-stopped
    # user: samba
    # network_mode: host
    # hostname: smb-server
    environment:
      GROUP_sambausers: 1500
      ACCOUNT_samba: test
      UID_samba: 1000
      GROUPS_samba: sambausers
      ## Groups definition ##
      SAMBA_GLOBAL_CONFIG_server_SPACE_min_SPACE_protocol: NT1
      SAMBA_GLOBAL_CONFIG_ntlm_SPACE_auth: ntlmv1-permitted
      SAMBA_VOLUME_CONFIG_shared_home: |
        vfs objects = catia fruit streams_xattr
        [home];
        path=/shares/home
        valid users = samba
        browsable = yes
        writeable = yes
        read only = no
        inherit owner = yes
        create mask = 777
        directory mask = 777
        force create mode = 777
        force directory mode = 777
        force user = samba
        force group = sambausers
    volumes:
      - ./shares/home:/shares/home
    ports:
      - 445:445
    cap_add:
      - CAP_NET_ADMIN
  myubuntu:
    image: ubuntu
    container_name: ubuntu
    stdin_open: true # docker run -i
    tty: true # docker run -t
    build:
      dockerfile: Dockerfile
      context: .
    cap_add:
      - SYS_ADMIN
      - DAC_READ_SEARCH
When I docker exec onto the samba container, I can see that the /shares/home is owned by root, I change this using
chown -R 1000:1500 shares/
I use a separate Ubuntu container in order to mount the Samba share so I can test it. I originally did this with my Macbook but I had problems there so I wanted to remove the possibility that my Macbook was the problem. This is what is in my Dockerfile for the Ubuntu image:
FROM ubuntu
RUN apt update && apt install -y samba smbclient vim iputils-ping cifs-utils
COPY --chmod=0600 smbcreds /home/.smbcredentials
RUN echo "//samba/home /mnt/home cifs credentials=/home/.smbcredentials,uid=1000,gid=1500 0 0" > /etc/fstab
RUN mkdir -p /mnt/home
# RUN mount -a
Once I do a docker-compose up --force-recreate --build, both samba and ubuntu containers are up. I exec onto my Ubuntu container and run mount -a, I then go to /mnt/home and I can see all of the files/folders there that exist on my Macbook. I can even create files.
root@ee4447359d43:/mnt/home# ls -al
total 32
drwxr-xr-x 2 1000 1500 0 Mar 14 15:07 .
drwxr-xr-x 1 root root 4096 Mar 14 14:08 ..
-rwxr-xr-x 1 1000 1500 0 Mar 14 14:59 .DS_Store
-rwxr-xr-x 1 1000 1500 0 Mar 14 14:53 .hi.file.swp
-rwxr-xr-x 1 1000 1500 0 Mar 14 14:53 .hi.file.swx
-rwxr-xr-x 1 1000 1500 0 Mar 14 15:07 .new.file.swp
-rwxr-xr-x 1 1000 1500 0 Mar 14 15:07 .new.file.swx
-rwxr-xr-x 1 1000 1500 0 Mar 14 14:18 .new.text.swp
-rwxr-xr-x 1 1000 1500 0 Mar 14 14:18 .new.text.swx
-rwxr-xr-x 1 1000 1500 4096 Mar 14 15:07 .newnew.swo
-rwxr-xr-x 1 1000 1500 0 Mar 14 15:07 .newnew.swp
-rwxr-xr-x 1 1000 1500 0 Mar 14 15:07 .newnew.swpx
-rwxr-xr-x 1 1000 1500 4 Mar 14 14:53 hi.file
-rwxr-xr-x 1 1000 1500 4096 Mar 14 14:53 hi_file.swp
-rwxr-xr-x 1 1000 1500 4 Mar 14 15:07 new.file
-rwxr-xr-x 1 1000 1500 5 Mar 14 14:18 new.text
-rwxr-xr-x 1 1000 1500 4096 Mar 14 15:07 new_file.swp
-rwxr-xr-x 1 1000 1500 4096 Mar 14 14:18 new_text.swp
They even show that they are owned by 1000:1500 - which is the samba uid (1000) and sambausers gid (1500). However, I just cannot delete any files/directories. The error I get is
root@375f455c0b84:/mnt/home# rm new.text
rm: cannot remove 'new.text': Operation not supported
The fact that I can write new ones shows that write access is fine, but I have been racking my brains for the last couple of days trying to figure out why deletes don't work. I have tried all sorts of combinations in the smb.conf file. From forcing users, to forcing groups, to using root, to creating 777 masks, nothing I do gets deletes to work.
Hi there,
long text, super strange issue - I never encountered a similar issue to be honest.
can you check the filesystem on the host, the permissions should be the same (at least if you look at the ids)
also can you remove the files on the host?
it honestly doesn't make sense that you're not able to delete
can you reproduce this with a different client? like a mac, pc or desktop linux?
I suspect that maybe the ubuntu container has some issues - containers have a mutable filesystem which is stacked on top of each other - maybe this is some sort of security mechanism, although you should be able to delete files manually
can you check/list all your options? (i suspected read only mounts, but you said you can create files)
anything strange in the logs? have you tried an older version of this container?
also maybe you can retry this using this minimal configuration:
I also noted an issue with your configuration, please use the vfs like that: SAMBA_GLOBAL_STANZA: vfs objects = catia fruit streams_xattr
environment:
  ACCOUNT_samba: test
  UID_samba: 1000
  SAMBA_GLOBAL_STANZA: vfs objects = catia fruit streams_xattr
  SAMBA_VOLUME_CONFIG_shared_home: |
    [home];
    path=/shares/home
    valid users = samba
    browsable = yes
    writeable = yes
and make sure on the host, that the folder which is created has permissions like chown -R 1000:1000 ./shares/home; chmod -R 700 ./shares/home
Hi @MarvAmBass loving the rapid reply ❤️
can you check the filesystem on the host, the permissions should be the same (at least if you look at the ids)
also can you remove the files on the host?
On my Macbook, this is the result from ls -al
drwxrwxrwx 3 chburns staff 96 14 Mar 14:02 shares
can you reproduce this with a different client? like a mac, pc or desktop linux?
Yep, so I've done it a couple of ways:
1) smbclient on my Mac
Within my Terminal and I connect to the share, it's a similar issue as the above, I can see files and can create directories, just not delete.
> smbclient //chburns-mbp-76/home -U samba
Can't load /usr/local/etc/smb.conf - run testparm to debug it
Password for [WORKGROUP\samba]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Mar 14 15:07:49 2024
.. D 0 Thu Mar 14 15:18:50 2024
.DS_Store H 6148 Thu Mar 14 15:13:41 2024
.hi.file.swp H 0 Thu Mar 14 14:53:07 2024
.hi.file.swx H 0 Thu Mar 14 14:53:07 2024
.new.file.swp H 0 Thu Mar 14 15:07:47 2024
.new.file.swx H 0 Thu Mar 14 15:07:47 2024
.new.text.swp H 0 Thu Mar 14 14:18:56 2024
.new.text.swx H 0 Thu Mar 14 14:18:56 2024
.newnew.swo H 4096 Thu Mar 14 15:07:41 2024
.newnew.swp H 0 Thu Mar 14 15:07:37 2024
.newnew.swpx H 0 Thu Mar 14 15:07:37 2024
hi.file N 4 Thu Mar 14 14:53:09 2024
hi_file.swp N 4096 Thu Mar 14 14:53:09 2024
new.file N 4 Thu Mar 14 15:07:49 2024
new.text N 5 Thu Mar 14 14:18:58 2024
new_file.swp N 4096 Thu Mar 14 15:07:49 2024
new_text.swp N 4096 Thu Mar 14 14:18:58 2024
488245288 blocks of size 1024. 154643048 blocks available
smb: \> rm new.text
NT_STATUS_NOT_SUPPORTED deleting remote file \new.text
smb: \>
2) Using Finder to connect to the server
Finder >> Connect to Server >> smb://127.0.0.2
Once connected, I can see files, just can't delete

3) Where I use a Linux / Ubuntu Container
This is what I've mentioned in the issue description where I've stood up a Ubuntu container in the same compose file, and mounted the Samba share via fstab. Can create files, view files, just not delete them or move them.
root@375f455c0b84:/mnt/home# rm new.text
rm: cannot remove 'new.text': Operation not supported
root@375f455c0b84:/mnt/home# mv new.text new.txt
mv: cannot move 'new.text' to '
I can't even edit existing files as I get the following error.
E325: ATTENTION
Found a swap file by the name "new_text.swp"
dated: Thu Mar 14 14:18:58 2024
file name: /mnt/home/new.text
modified: no
user name: root host name: a6031722724b
process ID: 23 (STILL RUNNING)
While opening file "new.text"
dated: Thu Mar 14 14:18:58 2024
(1) Another program may be editing the same file. If this is the case,
be careful not to end up with two different instances of the same
file when making changes. Quit, or continue with caution.
(2) An edit session for this file crashed.
If this is the case, use ":recover" or "vim -r new.text"
to recover the changes (see ":help recovery").
If you did this already, delete the swap file "new_text.swp"
to avoid this message.
Swap file "new_text.swp" already exists!
[O]pen Read-Only, (E)dit anyway, (R)ecover, (Q)uit, (A)bort:
Which options did you want specifically? I think I've outputted all of the ones I'm setting. Or did you want the smb.conf thats on the samba container?
What kind of hardware device is mounted on the docker host? It just doesn't make sense
You can remove the file on the host directly, am I right? The share is also not mounted in a special unusual way - am I right?
Maybe you have some special attributes active 'lsattr -a your/path'?
Also maybe some apparmor / selinux policies stand in your way and only allow creating / appending to files.
You can remove the file on the host directly, am I right? The share is also not mounted in a special unusual way - am I right?
Yes, I can remove the file on my host, and nope, I mount the folder on the host to the samba share via the docker compose:
volumes:
  - ./shares/home:/shares/home
Maybe you have some special attributes active 'lsattr -a your/path'?
This is on the samba docker container:
> docker exec -it samba sh
/ # lsattr -a /shares/
lsattr: reading /shares/home: Function not implemented
--------------e----- /shares/.
--------------e----- /shares/..
Also maybe some apparmor / selinux policies stand in your way and only allow creating / appending to files.
I don't think that is the case on my Macbook at least
In addition to the above, this is the results from running lsattr -a on the Ubuntu container where I am mounting the samba share via fstab.
root@1d00d8e4399a:/mnt/home# lsattr -a
lsattr: Operation not supported While reading flags on ./.
--------------e------- ./..
-uS-ia--c-jI---------m ./.hihi.text.swp
-uS-ia--c-jI---------m ./.hihi.text.swx
-uS-ia--c-jI---------m ./.text.txt.swp
-uS-ia--c-jI---------m ./.text.txt.swx
-uS-ia--c-jI---------m ./hi.text
-uS-ia--c-jI---------m ./hihi.text
-uS-ia--c-jI---------m ./hihi_tex.swp
-uS-ia--c-jI---------m ./text.txt
-uS-ia--c-jI---------m ./text_txt.swp
ahh so your system is a docker for mac system, right?
I'm going to test your setup on my mac, we will see what's wrong, or if I run into the same issue
ahh so your system is a docker for mac system, right?
That's correct.
I'm running Docker Desktop on my Macbook. I have a docker-compose file that sets up 1 samba container and another Ubuntu container that I'm using to access the samba share. However, I'm finding that just using smbclient on my Mac and pointing it at the samba share using my machine name (/usr/libexec/PlistBuddy -c "Print :NetBIOSName" /Library/Preferences/SystemConfiguration/com.apple.smb.server.plist), also returns the same results, so you may not even need to do the Ubuntu container.
My smbclient command: smbclient //my-machine-name/home -U samba.
Hi @MarvAmBass
Update from me, I have managed to get this to work, but I have removed the volume mounts in the docker-compose file and instead created that directory on the samba container myself manually after it starts up. I then exec into my Ubuntu container and I can now create and remove files.
So instead of:
- macbook:shares/home/ -> samba:/shares/home -> ubuntu:/mnt/home (via fstab)
I have changed to:
- samba:/shares/home -> ubuntu:/mnt/home (via fstab)
And I can create and delete files within the Ubuntu /mnt/home.
So it seems that Macbook realllyy doesn't like something, and I'm not enough of a macbook expert to see what is going on. All of the permissions across the board looked fine to me. All I did was remove the volumes: section in the docker compose file and created the folder within the container myself and it all worked.
I might try a third container to somewhat "replicate" my macbook, but make it another Ubuntu container, just so I can put that volumes: line back into the docker-compose file (as it may be something relating to the way docker mounts the volumes) to verify it definitely is the Macbook that is causing the problem.
Let me know what your investigations find, this is one of those mysteries that have really stumped me over the last couple of days and I'd really like to find out what it is about MacOS (or maybe even the way mine is configured) that doesn't allow this to work.
yeah I also needed some time to get the docker compose to work, and my ubuntu to mount the share of the samba container.
at the end I was able to mount it, but the permissions were different from the permissions my mac system. changing owner was successful but the chmod didn't fully map into the container.
But I wasn't even able to create a file on the samba share. Samba connections to a linux system running my container had no issues.
---
version: "3.3"
services:
  samba:
    image: docker.io/servercontainers/samba:latest
    container_name: samba
    restart: unless-stopped
    environment:
      ACCOUNT_myuser: test
      UID_myuser: 1000
      SAMBA_VOLUME_CONFIG_shared_home: |
        [home];
        path=/shares/home
        valid users = myuser
        browsable = yes
        writeable = yes
    volumes:
      - ./home:/shares/home
  myubuntu:
    image: ubuntu
    privileged: true
    container_name: ubuntu
    stdin_open: true # docker run -i
    tty: true # docker run -t
    build:
      dockerfile: Dockerfile
      context: .
I entered the ubuntu container and mounted the share using: mount.cifs //samba/home /mnt/home -o user=myuser,uid=1000,gid=1000
You have to keep in mind that Docker Desktop is a very hacky solution for macOS and Windows - it runs some kind of virtual machine under the hood and mounts different ports, filesystem mounts etc. from and to the vm and inside the containers.
I'll stop the investigation at this point. I don't see a reason to use macos as a host system - they already ship samba.
Yep no problems, thanks @MarvAmBass
I have also been able to connect to the single Samba container that is sharing the local /shares/home directory via running smbclient locally in a terminal on my mac. I was always able to ls files before and create new directories, but now I can do both. So it really does seem like the volume mounting of a directory that lives on a MacOS, into the samba container really doesn't go down well. A colleague of mine thinks it's something to do with the docker volume shim for MacOS. Perhaps a note in the docs for folks who may want to try a similar setup as me?
My setup by the way wasn't to host a long-term share, but instead write a Java / Spring application that reads/writes files to an SMB share, and we needed to be able to stand up a local samba share to do some local testing of the code. In our case, we will just roll a custom image that creates that /shares/home directory in order to save us from having do it manually all of the time.
Thanks again 👍
I added this issue to my TROUBLESHOOTING.md file. maybe it's helpful for others.
Hi everyone. I spent some time with this issue and now I can confirm the same problem on linux.
petrm@pc8:~$ uname -a
Linux pc8 6.5.0-1025-oem #26-Ubuntu SMP PREEMPT_DYNAMIC Tue Jun 18 12:35:22 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
petrm@pc8:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.4 LTS
Release: 22.04
Codename: jammy
samba:
  image: ghcr.io/servercontainers/samba:latest
  container_name: samba
  restart: always
  environment:
    ACCOUNT_data: "data:1000:****"
    UID_data: 1000
    SAMBA_VOLUME_CONFIG_data: "[data]; path=/shares/data; valid users = data; browsable = yes; writable = yes; read only = no; public = no; guest ok = no"
  volumes:
    - ./data:/shares/data
    - /etc/localtime:/etc/localtime:ro
  ports:
    - 0.0.0.0:137:137
    - 0.0.0.0:138:138
    - 0.0.0.0:139:139
    - 0.0.0.0:445:445
  cap_add:
    - CAP_NET_ADMIN
petrm@pc8:~/docker/test$ docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default * Current DOCKER_HOST based configuration unix:///var/run/docker.sock
desktop-linux Docker Desktop unix:///home/petrm/.docker/desktop/docker.sock
petrm@pc8:~$ smbclient //10.10.10.8/data -U data%password
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 13:35:44 2024
.. D 0 Thu Jul 18 13:35:44 2024
Smycky D 0 Fri Jul 21 11:17:14 2023
.system DH 0 Tue Jul 9 13:56:16 2024
Video D 0 Thu Jul 18 12:57:03 2024
Audio D 0 Tue Jul 9 16:33:11 2024
Gallery D 0 Fri Jun 28 15:09:48 2024
487861248 blocks of size 1024. 81144756 blocks available
smb: \> mkdir test
smb: \> ls
. D 0 Thu Jul 18 13:35:48 2024
.. D 0 Thu Jul 18 13:35:48 2024
Smycky D 0 Fri Jul 21 11:17:14 2023
.system DH 0 Tue Jul 9 13:56:16 2024
Video D 0 Thu Jul 18 12:57:03 2024
Audio D 0 Tue Jul 9 16:33:11 2024
Gallery D 0 Fri Jun 28 15:09:48 2024
test D 0 Thu Jul 18 13:35:48 2024
487861248 blocks of size 1024. 81144756 blocks available
smb: \> rmdir test
smb: \> ls
. D 0 Thu Jul 18 13:35:57 2024
.. D 0 Thu Jul 18 13:35:57 2024
Smycky D 0 Fri Jul 21 11:17:14 2023
.system DH 0 Tue Jul 9 13:56:16 2024
Video D 0 Thu Jul 18 12:57:03 2024
Audio D 0 Tue Jul 9 16:33:11 2024
Gallery D 0 Fri Jun 28 15:09:48 2024
487861248 blocks of size 1024. 81144756 blocks available
smb: \>
After switch to docker-desktop with the same compose file
petrm@pc8:~/docker/test$ docker context ls
NAME DESCRIPTION DOCKER ENDPOINT ERROR
default Current DOCKER_HOST based configuration unix:///var/run/docker.sock
desktop-linux * Docker Desktop unix:///home/petrm/.docker/desktop/docker.sock
petrm@pc8:~$ smbclient //10.10.10.8/data -U data%pass
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 18 13:35:57 2024
.. D 0 Thu Jul 18 13:35:57 2024
Smycky D 0 Fri Jul 21 11:17:14 2023
.system DH 0 Tue Jul 9 13:56:16 2024
Video D 0 Thu Jul 18 12:57:03 2024
Audio D 0 Tue Jul 9 16:33:11 2024
Gallery D 0 Fri Jun 28 15:09:48 2024
487861248 blocks of size 1024. 81126896 blocks available
smb: \> mkdir test
NT_STATUS_ACCESS_DENIED making remote directory \test
smb: \>
If I found some solution, I will share it there. I will need it in future for some my customers solutions.
Now, Please @MarvAmBass update TROUBLESHOOTING.md file.
does the user data (id: 1000) have permissions to write to ./data?
Yes, UID is the same as OS.
The folder is managed by another my docker service with apache2 + i make chmod -R 775 /path/data
So
petrm@pc8:~/docker/test$ ls -al data
celkem 0
drwxrwxr-x 1 petrm www-data 60 čec 18 13:35 .
drwxrwxr-x 1 petrm petrm 332 čec 18 13:46 ..
drwxrwxr-x 1 petrm www-data 174 čec 9 16:33 Audio
drwxrwxr-x 1 petrm www-data 112 čen 28 15:09 Gallery
drwxrwxr-x 1 petrm www-data 62 čec 21 2023 Smycky
drwxrwxr-x 1 petrm www-data 204 čec 9 13:56 .system
drwxrwxr-x 1 petrm www-data 918 čec 18 12:57 Video
petrm@pc8:~/docker/test$ stat --format '%a' data
775
petrm@pc8:~/docker/test$ ls -al
celkem 1200552
drwxrwxr-x 1 petrm petrm 332 čec 18 13:46 .
drwxrwxr-x 1 petrm petrm 296 kvě 22 10:53 ..
drwxrwxr-x 1 petrm www-data 60 čec 18 13:35 data
petrm@pc8:~/docker/test$ stat --format '%a' data/Video/BigBuckBunny.mp4
775
petrm@pc8:~/docker/test$ ls -al data/Video/BigBuckBunny.mp4
-rwxrwxr-x 1 petrm www-data 158008374 led 7 2020 data/Video/BigBuckBunny.mp4
petrm@pc8:~/docker/test$ cat /etc/group
...
www-data:x:33:
...
petrm:x:1000:
I will try enable debug in docker desktop ;-)
EDIT: Noo, sorry I have not subscribed to docker Pro :(
okay that seems like it should work...
Hmm, I googling some time, problem is in virtualization solution and something with permissions.
I found partial solution, but it is ugly for everyone.
After create group with UID 100999, create folder/files works, but when i try delete, still getting NT_STATUS_NOT_SUPPORTED.
EDIT: same situation, if i run samba container in privileged mode.
I'm not sure If I understand - I thought you're using ubuntu as a host - but I do get, that as soon as you play around with shared filesystems you might run into problems due to mapping problems of uid etc.
I'll be more specific. Yes, I use ubuntu as host + classic docker + docker desktop for my comfort when debugging (switch docker context is annoying and tedious).
But, I am not sure, if you know, docker desktop for linux runs in VM.
This docker container is for customers which use Windows on your desktops and server side run on linux (on proxmox sometimes). Samba is native way to upload files from windows PC to server with dockerized applications.
ahhh I think that's the problem - with the extra vm it messes up your mapping from local machine into the container.
this is also what's an issue when you use the container from a macos.
Nice, that not the same problem. Docker desktop for linux run on VM, but for macOS runs almost natively, but only use VirtioFS.
Finally, this make this issue with samba share and mapping permissions.
I found some issue on docker-desktop github.
Nice and good day. Finally i identify root of problem.
Docker desktop on Linux/macOS (in some cases in Windows if use VM or WSL2 installation option). Docker desktop use different UID and GID mapping than default docker and runs in its own namespace.
Docker desktop starts mapping UID and GID in host OS from 100000 (root with UID/GID 0 in docker container mapped to UID/GID 100000 in host OS). In default desktop UID/GUID is the same.
I had my app in docker container and I need change file permission and files/folders owner (for generate video thumbnails). My bash script run with supervisord under root user.
./data is docker shared volume for my app and samba too.
volumes:
  - ./mywwwapp:/var/www/html
  - ./data:/var/www/html/data
I tested on:
Docker Desktop 4.32.0 (157355)
Docker version 27.1.0, build 6312585 #Docker engine = default context
Problem commands:
CHOWN_USER_UID=1000
APACHE_RUN_GROUP=33
CHMOD_DATA_DIR_PERMISSIONS=0775
ECHO_PREFIX="["$(basename "$0")"]: "
#thumbnail_dir example is: /var/www/html/data/Video/.thumbnails
if ! output=$(chown $CHOWN_USER_UID:$APACHE_RUN_GROUP "$thumbnail_dir" 2>&1); then
    echo $ECHO_PREFIX"line $LINENO - $output" #LINE 34
fi
if ! output=$(chmod -R $CHMOD_DATA_DIR_PERMISSIONS "$thumbnail_dir" 2>&1); then
    echo $ECHO_PREFIX"line $LINENO - $output" #LINE 38
fi
#thumbnail_path example is: /var/www/html/data/Video/.thumbnails/VolkswagenGTIReview.png
if ! output=$(chown $CHOWN_USER_UID:$APACHE_RUN_GROUP "$thumbnail_path" 2>&1); then
    echo $ECHO_PREFIX"line $LINENO - $output" #LINE 56
fi
if ! output=$(chmod -R $CHMOD_DATA_DIR_PERMISSIONS "$thumbnail_path" 2>&1); then
    echo $ECHO_PREFIX"line $LINENO - $output" #LINE 60
fi
This code generated errors below only in docker desktop. In default docker works like a charm :-)
2024-07-23 10:21:46 [thumbnails_generate.sh]: Thumbnail created: /var/www/html/data/Video/.thumbnails/TearsOfSteel.png
2024-07-23 10:21:46 [thumbnails_generate.sh]: line 34 - chown: changing ownership of '/var/www/html/data/Video/.thumbnails': Operation not permitted
2024-07-23 10:21:46 [thumbnails_generate.sh]: line 38 - chmod: changing permissions of '/var/www/html/data/Video/.thumbnails/LoRaWAN_Flenexa.png': Operation not permitted
2024-07-23 10:21:46 [thumbnails_generate.sh]: line 56 - chown: changing ownership of '/var/www/html/data/Video/.thumbnails/VolkswagenGTIReview.png': Operation not permitted
So, I use chown/chmod check in my script and this indicate situation, that my container run in docker desktop :-)
I cannot find better check.
Second problem in my case is use inotifywait in my script. If my container runs in docker desktop, inotifywait not catch DELETE event. In default desktop works without problem.
inotifywait -q -e create -e modify -e move -e moved_to -e moved_from -e move_self -e delete_self -e delete -r /var/www/html/data
I found lot of information about daemon.json settings "userns-remap": "default", but this not work for me (docker desktop not support it and not start if add this option)
Finally, this is all reasons why I will stop use docker desktop and why Your samba container not work correctly under docker desktop (in Linux/macOS, maybe in Windows too).
Second problem in your case is samba own, smb maps permissions too, so this generate one more layer of problem.
I mean, than problem can be close, because this cannot be fixed in this repo :-)
@petrmatula190 thanks, I'll add this info into the troubleshooting markdown file and maybe notice docker desktop problems in the readme!
I think I found the cause of this issue. I recreated a whole Samba container from the ground up just to dig into this.
I believe this has something to do with the following global config setting
vfs objects = catia fruit streams_xattr
Watching the samba logs (I happen to have logging set to level 3), I see a lot of errors like the ones shown below when I attempt to interact with the exported share
error reading meta xattr: Operation not supported
error reading meta xattr: Operation not supported
error reading meta xattr: Operation not supported
error reading meta xattr: Operation not supported
error reading meta xattr: Operation not supported
Creating files still seems to work, but deleting files does not. When I remove the vfs objects setting shown above, I'm able to create/read/update/delete files as expected.
I thought that perhaps I could use SAMBA_GLOBAL_CONFIG_vfs_objects = fruit to override the setting you have baked into smb.conf, but it seems this just adds a second configuration option with the same name. It would be great if there was a way to modify settings.
can you give me some informations about the host filesystem and selinux etc.
seems like extended file attributes are not supported.
can you give me some informations about the host filesystem and selinux etc. seems like extended file attributes are not supported.
Certainly!
Host OS: macOS Sequoia version "15.4.1" running on Apple M2 Pro
Docker: Docker Desktop for Mac with Apple Silicon version "4.41.2 (191736)"
Container: ghcr.io/servercontainers/samba:smbd-wsdd2-a3.21.3-s4.20.6-r1
Note
Granted, Docker Desktop works by spinning up a VM (using Apple Virtualization Framework by default) that must be running some flavor of Linux. While SE Linux could be involved, it would have to be within that VM. I'm also not familiar enough with SE Linux to know if it has granularity to deny a process from accessing file attributes. It's also possible that macOS (or APFS file system) uses xattrs that Linux, POSIX, or Samba doesn't know what to do with?
Here's the samba section of my docker-compose.yaml file. Note that I'm mounting (e.g., docker -v) a folder from my macOS file system (APFS) into the container and letting Samba export that directory
samba:
  image: ghcr.io/servercontainers/samba:${SAMBA_VERSION}
  restart: unless-stopped
  ports:
    - "445:445"
  expose:
    - "445"
  environment:
    SAMBA_CONF_LOG_LEVEL: 3
    ACCOUNT_sambauser: ${SAMBA_PASS}
    UID_sambauser: ${UID}
    GROUP_sambagroup: ${GID}
    SAMBA_VOLUME_CONFIG_share: |
      [sharename]
      path = /data
      read only = no
      writable = yes
      browsable = yes
      create mode = 0660
      directory mode = 0770
  volumes:
    - ${DATA_DIR}:/data
In your docker compose .env file, you can define whatever you need to
DATA_DIR=/Users/<username>/share/me
SAMBA_PASS=*********
UID=1000
GID=1000
SAMBA_VERSION=smbd-wsdd2-a3.21.3-s4.20.6-r1
Once the container is running, on macOS you can mount the samba share using
mkdir -p /tmp/sambashare
mount_smbfs //sambauser@0.0.0.0/sharename /tmp/sambashare
@tokeefe
Be careful, macOS have only Docker desktop and problem will be very similar to my experience with mapping UID and GID in! Check UID and GID.
My solution is put Docker desktop to trash and use only docker engine as my all servers. But it is not solution for macOS.
EDIT:
Easy check will be run echo $UID in host and in docker container and compare it.
The main point is that if I remove the [global] Samba configuration setting
vfs objects = catia fruit streams_xattr
Then I am able to create, read, update, and delete files from the mount_smbfs mount of the samba share. From my perspective, that put aside anything having to do with UID/GID translations, but I could be mistaken.
ahhh I see, so you guys are using it on macos - I honestly don't see why to use my container here - macos ships with a samba server which can be used.
yeah docker desktop does a lot of magic under the hood, magic which often breaks normal containers.
I'm thinking about adding a macos host mode/env flag, which might remove streams_xattr before the container starts
anyone else here with the problem on a macos host using docker desktop or similar?
or does this also happen on exotic filesystems?
maybe I'm able to check if attributes are working on the volumes, and if not I automatically remove the streams_xattr from the config - so nobody needs to do anything and it simply works in all cases
but I'm not sure yet
@MarvAmBass I'm in a new company now so I won't be able to test this. But the motivation for the container was that we were deploying in production on linux machines, but all engineers had macs, using the native samba capability for mac wouldn't have been much use as we needed that portability/reproducibility element to test locally before we shipped to prod.
I believe the issue here is not directly related to Samba or the container image configuration, but rather to how Docker Desktop for macOS (especially on Apple Silicon / M1/M2 chips) handles filesystem mounts.
When you run Samba inside a container on Docker Desktop for macOS, the mounted volumes (-v /host/path:/mount/path) are not native Linux filesystems. Instead, they are accessed through a translation layer (like VirtioFS or osxfs/FUSE depending on Docker version). These filesystems do not properly support extended attributes (xattr), Access Control Lists (ACLs), or other low-level Linux features required by:
vfs objects = catia fruit streams_xattr
These vfs objects, especially fruit and streams_xattr, are crucial for proper macOS support over SMB – for handling things like resource forks, file metadata, and compatibility with macOS Finder. Without working xattr or ACL support on the underlying filesystem, Samba cannot correctly emulate macOS-style file behavior.
Technical notes:
Samba requires xattr for streams_xattr, and proper filesystem ACLs if fruit is configured.
Docker Desktop mounts are limited in this regard and behave differently than native Linux filesystems (e.g., ext4, btrfs).
Even if you run the container as --user
UID/GID mismatches or the use of synthetic user mapping in Docker Desktop may also contribute to permission issues.
Suggestion:
To properly test and use this Samba setup with full macOS support (especially for Time Machine, Finder compatibility, etc.), run it on a real Linux host or in a Linux VM with native filesystem support (e.g., ext4 or zfs). This will ensure full xattr and ACL compatibility.
This analysis was partially assisted by ChatGPT (GPT-4), which helped clarify the differences between host filesystem behaviors and Samba requirements in containerized environments.
I just learned it is possible to set vfs objects from within a share/volume configuration section which will override whatever is set in the [global] section. Here's a concrete example
samba:
  image: ghcr.io/servercontainers/samba:${SAMBA_VERSION}
  restart: unless-stopped
  ports:
    - "445:445"
  expose:
    - "445"
  environment:
    SAMBA_CONF_LOG_LEVEL: 3
    ACCOUNT_sambauser: ${SAMBA_PASS}
    UID_sambauser: ${UID}
    GROUP_sambagroup: ${GID}
    SAMBA_VOLUME_CONFIG_share: |
      [sharename]
      vfs objects = catia fruit
      path = /data
      read only = no
      writable = yes
      browsable = yes
      create mode = 0660
      directory mode = 0770
  volumes:
    - ${DATA_DIR}:/data
With this, there's at least a way to get this to work IF you're willing and able to trade possible issues with Finder, extended file metadata, etc. for the ability to delete files
(That said, it would still be helpful to understand what exactly is being traded away by removing streams_xattr)
I believe this has something to do with the following global config setting
vfs objects = catia fruit streams_xattr
I was having the exact same issue with a different configuration. I had been using the crazy-max/docker-samba docker container on my ubuntu server (bare metal) and had no issues.
Recently I changed the ubuntu OS to proxmox, and installed docker in a ubuntu VM. I was passing my home directories into the VM using virtiofs.
I could delete inside the samba container (i.e. docker exec rm), as I could on the host, so it wasn't a permission issue (as in the usual rwx).
Then I decided to run samba directly inside the ubuntu VM and discovered the same issue. When I changed the share to point to a folder not on a virtiofs share such as /tmp/test it worked.
When using lsattr -a on a file on the virtiofs share (being passed by proxmox into the VM), I saw a similar error lsattr: Operation not supported While reading flags on test1.
Commenting out that streams_xattr in my smb.conf made everything work.
I'm thinking it's safe to disable this https://www.samba.org/samba/docs/current/man-html/vfs_streams_xattr.8.html
Similar issue vagrant-libvirt/vagrant-libvirt#1829
I decided to drop the global setting of streams_xattr and updated the readme - docker.io and GitHub builds are running - fixed in a few minutes
I just thought i'd add I did get it working with Proxmox.
You just need to do either expose-acl=1 (expose-acl implies expose-xattr) or just expose-xattr.
Then for the zfs sets:
zfs set xattr=sa <dataset>
zfs set acltype=posixacl <dataset>
zfs set aclmode=passthrough <dataset>
This will work with streams_xattr enabled, you will see that the lsattr command will still say "Operation not supported" and that's because virtiofs does not support all of the xattrs (immutable, append-only, noatime).
I decided to drop the global setting of streams_xattr and updated the readme - docker.io and GitHub builds are running - fixed in a few minutes
Eh, this may be more complicated than just removing the setting option.
I have samba (docker.io/servercontainers/samba:latest) running on an RPi/Bookworm host and using an iPhone via Files as a client. If I remove streams_xattr, the iPhone client can no longer create, rename, etc files and folders -- folders show as rw, but cannot write. When I re-add streams_xattr, it all works fine again. Just fyi for anyone else that stumbles into this problem.
okay this is a big problem - as I really like to fully support macos/ios - especially timemachine etc.
I'm going to read into this problem further and try to find a nice solution for everyone
Hi everyone, I've created a fix
my default container works as expected with a cleaned up fruit configuration (timemachine and apple client support is a big thing for this container - it's not as easy to configure for newbies)
I've read into it, and fruit needs the streams_xattr otherwise it's incorrectly configured - so I added it back in.
I also improved default values to have a better apple support for everyone
now for all of you who are affected by this, and might use some proxmox / special filesystems etc.
you can now disable the fruit plugin, which drops all those general settings to have a nice fruit configuration - but you end up with a nice samba config
so I will keep this open and you guys can try with the latest version and env variable DISABLE_FRUIT_DEFAULTS=yes
let me know if this works for you
update 1: looks good on my machine
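The check floated earlier in the thread (test whether attributes work on the volume before relying on streams_xattr), written out as an added example that is not part of the thread or of the container's own code. It uses real xattr calls instead of lsattr, which reads inode flags and, as noted above, still fails on virtiofs even when xattrs work; the probe attribute name, the function names and the sample log lines are constructed for illustration.

```python
"""Added diagnostic: does the directory behind a Samba share accept user xattrs?"""
import errno
import os
import sys
import tempfile

# Hypothetical attribute name, used only by this probe and removed afterwards.
PROBE_ATTR = "user.samba_xattr_probe"
# Message quoted in the thread from the smbd log at log level 3.
LOG_SIGNATURE = "error reading meta xattr: Operation not supported"

# Constructed sample log lines (not captured from a real server).
SAMPLE_LOG = [
    "constructed: client opened new.text",
    "error reading meta xattr: Operation not supported",
    "constructed: client requested delete of new.text",
    "error reading meta xattr: Operation not supported",
]


def classify_errno(err):
    """Map an errno from an xattr call to a coarse state."""
    # ENOTSUP/EOPNOTSUPP is "Operation not supported"; ENOSYS is
    # "Function not implemented". Both appear in the thread's output.
    if err in (errno.ENOTSUP, errno.EOPNOTSUPP, errno.ENOSYS):
        return "unsupported"
    if err in (errno.EPERM, errno.EACCES):
        return "denied"
    return "error"


def probe_user_xattr(directory):
    """Set, read back and remove a user.* xattr on a scratch file in directory."""
    if not hasattr(os, "setxattr"):
        return "unknown"  # Python exposes the xattr calls on Linux only
    try:
        fd, probe = tempfile.mkstemp(prefix=".xattr-probe-", dir=directory)
    except OSError as exc:
        return classify_errno(exc.errno)
    os.close(fd)
    try:
        os.setxattr(probe, PROBE_ATTR, b"1")
        state = "supported" if os.getxattr(probe, PROBE_ATTR) == b"1" else "error"
        os.removexattr(probe, PROBE_ATTR)
        return state
    except OSError as exc:
        return classify_errno(exc.errno)
    finally:
        try:
            os.unlink(probe)  # never leave the scratch file on the share
        except OSError:
            pass


def count_xattr_errors(lines):
    """Count log lines carrying the xattr failure message from the thread."""
    return sum(1 for line in lines if LOG_SIGNATURE in line)


def recommend(probe_state, log_hits=0):
    """Return environment overrides to try, based on probe and log evidence.

    DISABLE_FRUIT_DEFAULTS=yes is the switch announced at the end of the
    thread. Per the iPhone report above, Apple clients may depend on
    fruit/streams_xattr, so it is only suggested when xattrs are failing.
    """
    if probe_state == "unsupported" or log_hits > 0:
        return {"DISABLE_FRUIT_DEFAULTS": "yes"}
    return {}


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "."
    state = probe_user_xattr(path)
    print(f"{path}: user xattrs {state}")
    for key, value in recommend(state).items():
        print(f"suggested environment override: {key}={value}")
```

Point it at the same mount smbd serves (the bind-mounted share path), since a directory elsewhere in the container can sit on a different filesystem and give a different answer.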