felddy/foundryvtt-docker

FOUNDRY_UID crashes running chown

jeffrules opened this issue · 6 comments

Bug description

I added a user (uid 1001) to the system and chown'd my foundry data volume to that user. When I run the container, I get this:

foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/LOG.old: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/LOCK: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/CURRENT: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/LOG: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/000015.log: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/macros/MANIFEST-000014: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/LOG.old: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/LOCK: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/CURRENT: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/LOG: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/000015.log: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/data/cards/MANIFEST-000014: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/scenes: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/dhole-images: Operation not permitted
foundry-lovecraft-foundry-1      | chown: /data/Data/worlds/lovecraft/world.json: Operation not permitted

The user for 1001 is named foundry and file permissions are:

drwxr-xr-x. 6 foundry foundry 67 Oct 29 15:47 .
drwxrwxr-x. 4 foundry foundry 65 Oct 31 23:39 ..
drwxr-xr-x. 3 foundry foundry 88 Oct 29 15:47 Config
drwxr-xr-x. 2 foundry foundry 64 Oct 29 15:25 container_cache
drwxr-xr-x. 5 foundry foundry 90 Oct 29 15:25 Data
drwxr-xr-x. 2 foundry foundry 81 Oct 29 15:49 Logs

Steps to reproduce

I am utilizing this docker-compose setup

https://github.com/adventurermonthly/foundry-cloudflared

On Fedora 38. Set up user (foundry) and chown'd data directory to be owned by foundry.

set FOUNDRY_UID=1001

sudo docker compose up

Expected behavior

Expected the container to start with that user; instead it is trying to chown all the files and cannot.

Container metadata

org.opencontainers.image.authors = "markf+github@geekpad.com"
org.opencontainers.image.created = "2023-10-04T18:50:35.076Z"
org.opencontainers.image.description = "An easy-to-deploy Dockerized Foundry Virtual Tabletop server."
org.opencontainers.image.licenses = "MIT"
org.opencontainers.image.revision = "97183097680741b87e1171aa638a3491c59bd46d"
org.opencontainers.image.source = "https://github.com/felddy/foundryvtt-docker"
org.opencontainers.image.title = "foundryvtt-docker"
org.opencontainers.image.url = "https://github.com/felddy/foundryvtt-docker"
org.opencontainers.image.vendor = "Geekpad"
org.opencontainers.image.version = "11.313.0"

Relevant log output

No response

felddy commented

Please provide the verbose container log output. Especially the start where it outputs the environment variables and uid/gid.

It looks like the user the container is running as doesn't have the required permissions for the volume. If you have permissions the way you want them you can always disable the permission check as a work-around.

See:

thank you for the prompt reply!! Just tried that and mostly there, but it looks like it is still trying to change group. Is there an option to ignore that as well?

foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:36 | [error] Launcher exited with error code: 1
foundry-lovecraft-foundry-1 exited with code 0
foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:37 | [info] Foundry Virtual Tabletop 11.307 is installed.
foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:37 | [info] Not modifying existing installation license key.
foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:37 | [info] Setting data directory permissions.
foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:37 | [info] Starting launcher with uid:gid as 1001:foundry.
foundry-lovecraft-foundry-1 | su-exec: setgroups(421): Operation not permitted
foundry-lovecraft-foundry-1 | Entrypoint | 2023-11-01 18:16:37 | [error] Launcher exited with error code: 1

felddy commented

I'd be able to help you more if the logs were in verbose mode: CONTAINER_VERBOSE=true. I'm looking for the first log lines when the container starts. For example:

foundryvtt-mine-foundry-1  | Entrypoint | 2023-10-31 20:43:01 | [debug] Timezone set to: US/Eastern
foundryvtt-mine-foundry-1  | Entrypoint | 2023-10-31 20:43:01 | [info] Starting felddy/foundryvtt container v11.313.0
foundryvtt-mine-foundry-1  | Entrypoint | 2023-10-31 20:43:01 | [debug] CONTAINER_VERBOSE set.  Debug logging enabled.
foundryvtt-mine-foundry-1  | Entrypoint | 2023-10-31 20:43:01 | [debug] Running as: uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

The su-exec: setgroups(421) line is the container trying to switch its uid:gid. Again it doesn't have permissions to do that.

It looks like you have a specific uid and gid you want to use. If that is the case set the FOUNDRY_GID and FOUNDRY_UID environment variables to those numeric values.

See:

thank you again for your prompt replies

I set these variables

FOUNDRY_UID=1001
FOUNDRY_GID=1001
CONTAINER_PRESERVE_OWNER=/*

and ran CONTAINTER_VERBOSE=true docker compose up

foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Foundry Virtual Tabletop 11.307 is installed.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Not modifying existing installation license key.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Setting data directory permissions.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Starting launcher with uid:gid as 1001:1001.
foundry-lovecraft-foundry-1      | su-exec: setgroups(1001): Operation not permitted
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:11 | [error] Launcher exited with error code: 1
foundry-lovecraft-foundry-1 exited with code 0
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Foundry Virtual Tabletop 11.307 is installed.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Not modifying existing installation license key.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Setting data directory permissions.
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [info] Starting launcher with uid:gid as 1001:1001.
foundry-lovecraft-foundry-1      | su-exec: setgroups(1001): Operation not permitted
foundry-lovecraft-foundry-1      | Entrypoint | 2023-11-02 01:48:12 | [error] Launcher exited with error code: 1
foundry-lovecraft-foundry-1 exited with code 0

ls of data directory root

ls -al foundry-data/
drwxr-xr-x. 6 foundry foundry 67 Oct 29 15:47 .
drwxrwxr-x. 4 foundry foundry 65 Oct 31 23:39 ..
drwxr-xr-x. 3 foundry foundry 88 Oct 29 15:47 Config
drwxr-xr-x. 2 foundry foundry 64 Oct 29 15:25 container_cache
drwxr-xr-x. 5 foundry foundry 90 Oct 29 15:25 Data
drwxr-xr-x. 2 foundry foundry 81 Oct 29 15:49 Logs

and id -u foundry

1001

felddy commented

After you change the configuration of your container you need to bring it down, and then back up. Then the changes you made should take effect. At that point the logs should be verbose.

I am not sure for the life of me what is up with this machine and its docker setup. I have migrated to podman to resolve this, as it supports rootless much better. I am going to assume I screwed something up along the way and close this out.

Thanks again for your help and prompt replies.
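
Added example, not part of the thread or of the project's entrypoint: the two failures in the logs above (chown and su-exec's setgroups, both "Operation not permitted") are the errors the kernel returns when the calling process lacks CAP_CHOWN or CAP_SETGID, so this sketch decodes a process's effective capability mask and reports which of the capabilities needed for a chown-then-drop-privileges startup are absent. The function names and the sample masks are constructed for illustration; the thread does not establish that missing capabilities were the cause on the reporter's machine.

```shell
#!/bin/sh
# Added diagnostic sketch (not code from felddy/foundryvtt-docker).
# Capability bit numbers as defined in linux/capability.h.
CAP_CHOWN=0      # change file ownership to an arbitrary uid/gid
CAP_SETGID=6     # setgid(2) and setgroups(2)
CAP_SETUID=7     # setuid(2)

# has_cap HEXMASK BIT: exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# missing_caps HEXMASK: print the names of the capabilities that a
# chown + uid/gid switch needs but that HEXMASK does not contain
missing_caps() {
    out=""
    has_cap "$1" "$CAP_CHOWN"  || out="$out CAP_CHOWN"
    has_cap "$1" "$CAP_SETGID" || out="$out CAP_SETGID"
    has_cap "$1" "$CAP_SETUID" || out="$out CAP_SETUID"
    echo "${out# }"
}

# current_capeff: effective capability mask of this shell, as hex
current_capeff() {
    awk '/^CapEff:/ {print $2}' "/proc/$$/status"
}

# Constructed sample masks: no capabilities, and bits 6 and 7 only.
for m in 0000000000000000 00000000000000c0; do
    echo "sample $m missing: $(missing_caps "$m")"
done

# Live check, only where /proc is available (Linux).
if [ -r "/proc/$$/status" ]; then
    mask=$(current_capeff)
    if [ -n "$mask" ]; then
        miss=$(missing_caps "$mask")
        echo "CapEff=$mask missing: ${miss:-none}"
    fi
fi
```

Run inside the container's shell, it shows the mask the entrypoint starts with; an empty "missing" list means the capability set is not what blocks the ownership change or the uid:gid switch.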