Mounted volumes are owned by root

[kromsam]

Describe the bug
When making the Etherpad container, I created a volume to make sure data is persisted. The problem is that the folders that are made for the container, are owned by root. This means that the container, which is run by user etherpad, cannot access this directory.

This led to an issue like this: #4598

To Reproduce
This is my docker-compose file.

version: '2.2'
services:

# Let's Encrypt
  letsencrypt:
    container_name: letsencrypt
    image: linuxserver/swag
    restart: always
    environment:
      - PUID=${PUID}
      - PGID=${PGID}
      - TZ=${TZ}
      - URL=${TLD}
      - SUBDOMAINS=${SUBS}
      - EXTRA_DOMAINS=${EXTRADOM}
      - VALIDATION=http
      - EMAIL=${MAILADRES}
    volumes:
      - ${APPDATA}/Letsencrypt:/config
    networks:
      - etherpad_net
    ports:
      - 443:443
      - 80:80
    cap_add:
      - NET_ADMIN

# Etherpad
  etherpad:
    container_name: etherpad
    image: etherpad/etherpad
    restart: always
    volumes:
      - ${APPDATA}/Etherpad:/opt/etherpad-lite/var
    environment:
      - DB_TYPE=postgres
      - DB_HOST=etherpad_db
      - DB_PORT=5432
      - DB_NAME=${EPDB_NAME}
      - DB_USER=${EPDB_USER}
      - DB_PASS=${EPDB_PASS}
      - ADMIN_PASSWORD=${EPDB_ADMIN}
    networks:
      - etherpad_net      
  postgres:
    container_name: etherpad_db
    image: postgres
    restart: always
    environment:
      - POSTGRES_DB=${EPDB_NAME}
      - POSTGRES_USER=${EPDB_USER}
      - POSTGRES_PASSWORD=${EPDB_PASS}
    volumes:
     - ${APPDATA}/Etherpad_DB:/var/lib/postgresql/data
    networks:
      - etherpad_net
    
networks:
  etherpad_net:
    driver: bridge

Additional context
This is the situation inside the container. As you can see, the mounted /var folder is owned by root.

$ ls -l
total 624
-rw-r--r-- 1 etherpad etherpad     64 Dec 21 15:17 APIKEY.txt
-rw-rw-r-- 1 etherpad root      36008 Dec 20 23:35 CHANGELOG.md
-rw-rw-r-- 1 etherpad root       8217 Dec 20 23:35 CONTRIBUTING.md
-rw-rw-r-- 1 etherpad root      11353 Dec 20 23:35 LICENSE
-rw-rw-r-- 1 etherpad root        837 Dec 20 23:35 Makefile
-rw-rw-r-- 1 etherpad root       8202 Dec 20 23:35 README.md
-rw-rw-r-- 1 etherpad root        118 Dec 20 23:35 SECURITY.md
-rw-r--r-- 1 etherpad etherpad     64 Dec 21 15:17 SESSIONKEY.txt
drwxrwxr-x 1 etherpad root       4096 Dec 20 23:35 bin
drwxrwxr-x 1 etherpad root       4096 Dec 20 23:35 doc
drwxrwxr-x 1 etherpad root       4096 Dec 20 23:35 node_modules
-rw-rw-r-- 1 etherpad root     453622 Dec 20 23:35 package-lock.json
-rw-rw-r-- 1 etherpad root       2312 Dec 20 23:35 package.json
-rw-rw-r-- 1 etherpad root      20033 Dec 20 23:35 settings.json
-rw-rw-r-- 1 etherpad root      20033 Dec 20 23:35 settings.json.docker
-rw-rw-r-- 1 etherpad root      18686 Dec 20 23:35 settings.json.template
drwxrwxr-x 1 etherpad root       4096 Dec 21 15:17 src
-rw-rw-r-- 1 etherpad root         51 Dec 20 23:35 start.bat
drwxrwxr-x 1 etherpad root       4096 Dec 20 23:35 tests
drwxr-xr-x 2 root     root       4096 Dec 21 15:17 var

This comment #3674 (comment) by @pierreprinetti seems to hint at what is happening here.

I am using 5001 this time (totally made up). Unfortunately, this means that we again introduce annoyance to volume users.

It also seems to be a Docker-wide problem: moby/moby#2259 . Although most containers I use (the LinuxServer ones for instance: https://github.com/linuxserver) don't seem to have this problem. So there must be a solution for this issue. LinuxServer uses ENV variables that let's users map PUID and PGID of the host user and container user.

In this example I only mounted /opt/etherpad-live/var. But I think I would prefer to be able to mount /opt/etherpad-lite, so that settings also will be persistent.

[pierreprinetti]

In order to make the volume accessible by the unprivileged user running Etherpad, you can change the owner of the files with this command:

podman run --rm -it -v ${your_volume}:/volume alpine chown -R 5001:5001 /volume

Replace podman with docker if you prefer that.

Please let me know if this works for you!

[kromsam]

Hi @pierreprinetti this is a good start. Now I am able to get the /opt/etherpad-lite/var folder mounted as a directory. The command I use is:

docker run --rm -it -v ${APPDATA}/Etherpad/var:/opt/etherpad-lite/var alpine chown -R 5001 /opt/etherpad-lite/var

But I would want to do this for the whole /opt/etherpad-lite folder. The problem is that I cannot do this, as the container won't even start if I set /opt/etherpad-lite as a volume. So I can't make changes to the container either.

Thus there should be a way for the container to access the volume files from the start of the container.

[pierreprinetti]

If you mount the volume on path /opt/etherpad-lite/var, then /opt/etherpad-lite exists on hosting container, rather than the volume.

Also, it looks like what you're trying to mount is a path on your local filesystem, rather than a docker volume. This is not recommended, as you will end up with weird file ownerships in your host system. Please use volumes (docker volume create etherpad-data), or even better, a real database.

[kromsam]

I am already using a database for the Etherpad data (as you can see in the docker-compose file), but I want to also persist the Etherpad configuration!

I'll try creating the volume manually. But wouldn't it be nice if this was 'built in' the dockerimage?

[pierreprinetti]

I want to also persist the Etherpad configuration! [...] Wouldn't it be nice if this was 'built in' the dockerimage

OK, now I understand this better. The traditional way to pass configuration to a container is via environment variables. For doing that in Etherpad, the settings.json included in the Docker image defers the configuration precisely to the environment variables detailed in the docs.

Essentially, you should be able to persist your Etherpad configuration right in the environment section of your docker-compose file.

[kromsam]

Hm, I get it. But I am more used to being able to tweaking my configuration settings 'on the fly'. To set up the container just once with some basic ENV variables, and then start tweaking it from there. This is how I run basically all off my other containers. Though it's not just the settings, it would also be nice to be able to persist the minified cache.

I think it would be nice if there'd be two persistable volumes: /config and /cache. One with the tweakable settings files and one with the created cache files. All the other binaries and dependencies you wouldn't really want to store on the host filesystem.

[pierreprinetti]

I believe you should be able to mount an individual config file from your host filesystem using docker-compose:

volumes:
      - ${APPDATA}/Etherpad:/opt/etherpad-lite/var
      - ./myconfig.json:/opt/etherpad-lite/settings.json

That would be more manageable than an entire folder; moreover, you don't need it the file to be writable from the container.

[kromsam]

:/ , that ship didn't sail

ERROR: for 2bd694e594e7_etherpad  Cannot start service etherpad: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "[REDACTED]/Etherpad/config/settings.json" to rootfs at "/var/lib/docker/overlay2/ff73a16d6622a2fd3f3f643fc9a91d0957f19879d5b7b5537321c0bb6ad220d7/merged/opt/etherpad-lite/settings.json" caused: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

ERROR: for etherpad  Cannot start service etherpad: OCI runtime create failed: container_linux.go:370: starting container process caused: process_linux.go:459: container init caused: rootfs_linux.go:59: mounting "[REDACTED]/Etherpad/config/settings.json" to rootfs at "/var/lib/docker/overlay2/ff73a16d6622a2fd3f3f643fc9a91d0957f19879d5b7b5537321c0bb6ad220d7/merged/opt/etherpad-lite/settings.json" caused: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type

The docker-compose piece:

    volumes:
      - ${APPDATA}/Etherpad/config/settings.json:/opt/etherpad-lite/settings.json
      - ${APPDATA}/Etherpad/cache:/opt/etherpad-lite/var

[pierreprinetti]

Please make sure that ${APPDATA}/Etherpad/config/settings.json exists, is a file and is an absolute path

[kromsam]

I really still believe in the 'LinuxServer' approach.

two persistable volumes: /config and /cache.

But for want of better: here is how I pulled it off.

---

1. Take this docker-compose file:

version: '2.2'
services:

# Etherpad
  etherpad:
    container_name: etherpad
    image: etherpad/etherpad
    restart: always
    depends_on:
      - etherpad_db
    environment:
      - DB_TYPE=postgres
      - DB_HOST=etherpad_db
      - DB_PORT=5432
      - DB_NAME=${EPDB_NAME}
      - DB_USER=${EPDB_USER}
      - DB_PASS=${EPDB_PASS}
      - ADMIN_PASSWORD=${EPDB_ADMIN}
    volumes:
      - ${APPDATA}/Etherpad/cache:/opt/etherpad-lite/var

2. 'Up' it.
3. In your ${APPDATA} folder on host run:

• sudo mkdir Etherpad/config
• sudo docker cp etherpad:/opt/etherpad-lite/settings.json Etherpad/config
• sudo chown -R 5001 Etherpad

3. Now edit the docker-compose file and add this line under volumes::
   - ${APPDATA}/Etherpad/config/settings.json:/opt/etherpad-lite/settings.json
4. 'Up' it!

---

@pierreprinetti Now I wonder if with this I'll persist all relevant caches and configs, or could there be more. What about the APIKEY and SESSIONKEY for instance, won't they still change with every container startup with this approach?

[kromsam]

And if i'd install a plugin. How would I make sure that it will be there the next time I restart the container?

One should be able to get the container running with simple configurations once and than never have to tweak the docker-compose file again, because all further tweaks and configurations are saved on host.

[JohnMcLear]

Etherpad plugins are constantly being updated. Having them stale in your image could be a problem.

Afaik you specify your plugins in your docker image as an npm install command.

[kromsam]

It is not really that uncommon to do it like this. Basically my whole Nextcloud (https://github.com/linuxserver/docker-nextcloud) installation lives on host without any problems.

[JohnMcLear]

I can't comment on docker but I can be an authority on Etherpad
(And plugins) and I'm confident frequent updates are absolutely required.

We are making awesome progress here btw so thanks!