PermissionError: [Errno 13] Permission denied: '/omd/sites/cmk/etc/environment'

I tried getting checkmk to launch with 1000:1000 and I had issues.
When I reset all ownership to root:root, I am getting this error and I can’t start the container anymore. It just keeps trying to restart over and over again.

Can you show the full commandline used to start the container?

Did you follow the documentation Installation as a Docker container?

version: '3'
services:
  checkmk:
    image: checkmk/check-mk-cloud:2.2.0p14
    container_name: checkmk
    restart: unless-stopped
    environment:
      MAIL_RELAY_HOST: localhost
    networks:
      - proxy
    tmpfs:
      - /opt/omd/sites/cmk/tmp:uid=1000,gid=1000
    ulimits:
      nofile: 1024
    volumes:
      - /home/micky/docker-volumes/checkmk:/omd/sites
      - /etc/localtime:/etc/localtime:ro
    labels:
      traefik.enable: true
      traefik.http.routers.checkmk.rule: Host(`checkmk`)
      traefik.http.routers.checkmk.entrypoints: websecure
      traefik.http.routers.checkmk.tls.certresolver: myresolver
      traefik.http.services.checkmk.loadbalancer.server.port: 5000
networks:
  proxy:
    external: true

It is hard to guess what happened if you do not provide the details on what you tried, and which issues you ran into.

If this means that you manually changed the ownership of the files that Checkmk created in the volume: don’t do that. The Checkmk Docker images automatically create a new Checkmk site cmk using the UID 1000 and GID 1000. All the created files and directories have this ownership. There is no reason to modify them.

They all have 100999:100999 for me, which means I can’t back them up without root. 100999 doesn’t even exist on my system as a user or a group.

That is perfectly fine if you run a rootless docker daemon.
Here is a nice explanation of this problem.
It is for podman, but the problem is the same as with docker.
https://blog.christophersmart.com/2021/01/26/user-ids-and-rootless-containers-with-podman/

Solution for docker

The solution
Set the uid/gid in your docker-compose to 0. Then the container starts inside as root, which maps to your outside rootless user who started the process.

Using user: 0:0, or puid: 0 and guid: 0?

I tried changing to 1000:1000 and it screwed up my instance and I couldn’t get it working again, it just kept crashing on start saying it has no permissions.

I was moving to a new host anyway, so I just started from scratch. But I’d like to back up with restic without having to use root; it was a big reason I moved everything to rootless docker, as well as the security.

If you use bind mounts with rootless docker, then it is a pain every time.

    tmpfs:
      - /opt/omd/sites/cmk/tmp:uid=1000,gid=1000
    ulimits:
      nofile: 1024
    volumes:
      - /opt/docker-volumes/checkmk:/omd/sites
      - /etc/localtime:/etc/localtime:ro

This is how I have it set up now, with no user or puid/guid. When I tried using puid/guid everything broke, but I also changed permissions on the files to my user, which is equivalent to 1000:1000, which I guess was my big mistake.

How do you handle backups with these wacky permissions?
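The 100999:100999 ownership in the thread and the backup question at the end both come down to the same arithmetic: under a rootless daemon, container UID 0 is the host user's own UID, and container UID n (n ≥ 1) is the n-th entry of that user's /etc/subuid range. The script below is an added worked example, not Checkmk's code and not posted by anyone in the thread. It assumes a host user `micky` with UID 1000 and a constructed /etc/subuid with the range `micky:100000:65536`; with those assumptions Checkmk's site user 1000 inside the container lands on host UID 100000 + 1000 - 1 = 100999, exactly the number seen above.

```sh
#!/bin/sh
# Added example for this thread; it is not Checkmk's code or part of any post above.
# Reproduces the UID arithmetic that turns container UID 1000 into host UID 100999
# under rootless Docker/podman, using the subuid range of the user running the daemon.

# Constructed sample /etc/subuid content (assumed: user "micky" has host UID 1000).
SAMPLE_SUBUID='micky:100000:65536
alice:165536:65536'

# subuid_range USER SUBUID_CONTENT -> prints "start count" for USER's first range.
subuid_range() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $2, $3; exit }'
}

# container_to_host CONTAINER_UID HOST_USER_UID START COUNT
# Rootless mapping: container UID 0 is the host user's own UID; container UID n
# (1 <= n <= COUNT) is START + n - 1. Anything else is not mapped into the namespace.
container_to_host() {
    cuid=$1 huid=$2 start=$3 count=$4
    if [ "$cuid" -eq 0 ]; then
        echo "$huid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        echo $((start + cuid - 1))
    else
        echo "container uid $cuid is outside the mapped range" >&2
        return 1
    fi
}

# host_to_container HOST_FILE_UID HOST_USER_UID START COUNT
# The inverse: turn the owner shown by `ls -ln` on the host into the UID the
# container sees. Files owned by other host UIDs show up as nobody (65534) inside.
host_to_container() {
    fuid=$1 huid=$2 start=$3 count=$4
    if [ "$fuid" -eq "$huid" ]; then
        echo 0
    elif [ "$fuid" -ge "$start" ] && [ "$fuid" -lt $((start + count)) ]; then
        echo $((fuid - start + 1))
    else
        echo "host uid $fuid is not owned by this rootless daemon" >&2
        return 1
    fi
}

# Demo with the thread's numbers: Checkmk's site user is 1000:1000 inside the container.
demo() {
    set -- $(subuid_range micky "$SAMPLE_SUBUID")   # $1=start $2=count
    echo "container uid 1000 -> host uid $(container_to_host 1000 1000 "$1" "$2")"
    echo "host uid 100999    -> container uid $(host_to_container 100999 1000 "$1" "$2")"
    echo "container uid 0    -> host uid $(container_to_host 0 1000 "$1" "$2")"
}
demo
```

The same mapping explains what went wrong when the files were chowned to 1000:1000 or root:root on the host: host UID 1000 is container UID 0, so the site user cmk (container UID 1000) suddenly owns nothing and the site cannot read its own etc/environment. It also gives the non-root backup path: inside any container started by the same rootless daemon, the 100999-owned files are 1000-owned again, and container root (your own host user) carries CAP_DAC_OVERRIDE for files owned by UIDs mapped into its namespace. Running restic from a container with the site directory bind-mounted read-only (for instance the restic/restic image with the repository and credentials passed in through further mounts and environment variables; that invocation is an assumption, not something from the thread) therefore reads everything without sudo. Restore the same way: a host-side restore run as micky writes files owned by 1000, which is root inside the container and recreates exactly the permission error this thread started with.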