Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Problem creating a filemkdir open .data/snapshots/.test permission denied

See original GitHub issue

When I start my containers using Docker Compose I receive the following errors in the log:

$ docker compose --file /srv/kerberos-agent/docker-compose.yml logs
ka-garage-south  | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:39+01:00"}
ka-garage-south  | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:42+01:00"}
ka-garage-north     | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:39+01:00"}
ka-garage-north     | {"level":"fatal","msg":"Problem creating a file: open ./data/snapshots/.test: permission denied","time":"2022-12-19T20:37:42+01:00"}

Here is my sanitised docker-compose.yml configuration:

$ docker compose --file /srv/kerberos-agent/docker-compose.yml config
name: kerberos-agent
services:
  ka-garage-north:
    container_name: ka-garage-north
    environment:
      AGENT_AUTO_CLEAN: "true"
      AGENT_AUTO_CLEAN_MAX_SIZE: "102400"
      AGENT_CAPTURE_CONTINUOUS: "false"
      AGENT_CAPTURE_FRAGMENTED: "false"
      AGENT_CAPTURE_FRAGMENTED_DURATION: "8"
      AGENT_CAPTURE_IPCAMERA_RTSP: rtsp://[user]:[pass]@192.168.1.84:554/cam/realmonitor?channel=1&subtype=0
      AGENT_CAPTURE_IPCAMERA_SUB_RTSP: rtsp://[user]:[pass]@192.168.1.84:554/cam/realmonitor?channel=1&subtype=1
      AGENT_CAPTURE_MAXLENGTH: "600"
      AGENT_CAPTURE_PIXEL_CHANGE: "150"
      AGENT_CAPTURE_POSTRECORDING: "40"
      AGENT_CAPTURE_PRERECORDING: "20"
      AGENT_KEY: ""
      AGENT_MQTT_PASSWORD: ""
      AGENT_MQTT_URI: tcp://195.168.1.95:1883
      AGENT_MQTT_USERNAME: ""
      AGENT_NAME: garage-north
      AGENT_OFFLINE: "false"
      AGENT_PASSWORD: [password]
      AGENT_TIMEZONE: America/Edmonton
      AGENT_USERNAME: admin
    hostname: [hostname]
    image: kerberos/agent:latest
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "8083"
      protocol: tcp
    restart: unless-stopped
    user: 1000:1000
    volumes:
    - type: bind
      source: /srv/kerberos-agent/garage-north/config
      target: /home/agent/data/config
      bind:
        create_host_path: true
    - type: bind
      source: /media/nvr/kerberos/garage-north/recordings
      target: /home/agent/data/recordings
      bind:
        create_host_path: true
  ka-garage-south:
    container_name: ka-garage-south
    environment:
      AGENT_AUTO_CLEAN: "true"
      AGENT_AUTO_CLEAN_MAX_SIZE: "102400"
      AGENT_CAPTURE_CONTINUOUS: "false"
      AGENT_CAPTURE_FRAGMENTED: "false"
      AGENT_CAPTURE_FRAGMENTED_DURATION: "8"
      AGENT_CAPTURE_IPCAMERA_RTSP: rtsp://[user]:[pass]@192.168.1.83:554/cam/realmonitor?channel=1&subtype=0
      AGENT_CAPTURE_IPCAMERA_SUB_RTSP: rtsp://[user]:[pass]@192.168.1.83:554/cam/realmonitor?channel=1&subtype=1
      AGENT_CAPTURE_MAXLENGTH: "600"
      AGENT_CAPTURE_PIXEL_CHANGE: "150"
      AGENT_CAPTURE_POSTRECORDING: "40"
      AGENT_CAPTURE_PRERECORDING: "20"
      AGENT_KEY: ""
      AGENT_MQTT_PASSWORD: ""
      AGENT_MQTT_URI: tcp://195.168.1.95:1883
      AGENT_MQTT_USERNAME: ""
      AGENT_NAME: garage-south
      AGENT_OFFLINE: "false"
      AGENT_PASSWORD: [password]
      AGENT_TIMEZONE: America/Edmonton
      AGENT_USERNAME: admin
    hostname: [hostname]
    image: kerberos/agent:latest
    networks:
      default: null
    ports:
    - mode: ingress
      target: 80
      published: "8082"
      protocol: tcp
    restart: unless-stopped
    user: 1000:1000
    volumes:
    - type: bind
      source: /srv/kerberos-agent/garage-south/config
      target: /home/agent/data/config
      bind:
        create_host_path: true
    - type: bind
      source: /media/nvr/kerberos/garage-south/recordings
      target: /home/agent/data/recordings
      bind:
        create_host_path: true
networks:
  default:
    name: kerberos-agent_default

The mount points for these two services are as follows:

$ docker container inspect ka-garage-south -f '{{range .Mounts}}{{.Type}}:{{.Source}}:{{.Destination}}{{println}}{{ end }}'
bind:/srv/kerberos-agent/garage-south/config:/home/agent/data/config
bind:/media/nvr/kerberos/garage-south/recordings:/home/agent/data/recordings

$ docker container inspect ka-garage-east -f '{{range .Mounts}}{{.Type}}:{{.Source}}:{{.Destination}}{{println}}{{ end }}'
bind:/srv/kerberos-agent/garage-east/config:/home/agent/data/config
bind:/media/nvr/kerberos/garage-east/recordings:/home/agent/data/recordings

I am running the services under User idsvc:

$ id $user
uid=1000(idsvc) gid=1000(idsvc) groups=1000(idsvc),4(adm),20(dialout),24(cdrom),27(sudo),29(audio),44(video),46(plugdev),60(games),100(users),104(input),106(render),108(netdev),995(docker),997(gpio),998(i2c),999(spi)

Before starting the containers I ran the following commands:

$ mkdir /srv/kerberos-agent/garage-north /srv/kerberos-agent/garage-north/config
$ mkdir /srv/kerberos-agent/garage-south /srv/kerberos-agent/garage-south/config
$ sudo chown idsvc:idsvc /srv/kerberos-agent/ -R
$ sudo chmod 777 /srv/kerberos-agent/ -R

$ mkdir /media/nvr/kerberos/garage-north
$ mkdir /media/nvr/kerberos/garage-south
$ sudo chown idsvc:idsvc /media/nvr/kerberos/ -R
$ sudo chmod 777 /media/nvr/kerberos -R

The file permissions for the /home/agent/data/config mount look like this:

$ ls -la /srv/kerberos-agent/garage-north/
total 12
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 12:30 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 config
$ ls -la /srv/kerberos-agent/garage-north/config/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 ..
$ ls -la /srv/kerberos-agent/garage-south/
total 12
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 12:30 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 config
$ ls -la /srv/kerberos-agent/garage-south/config/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 3 idsvc idsvc 4096 Dec 19 11:32 ..

The file permissions for the /home/agent/data/recordings mount look like this:

$ ls -la /media/nvr/kerberos/garage-north/
total 16
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 11:32 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 recordings
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:37 snapshots
$ ls -la /media/nvr/kerberos/garage-north/recordings/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 ..

$ ls -la /media/nvr/kerberos/garage-south/
total 16
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 .
drwxrwxrwx 7 idsvc idsvc 4096 Dec 19 11:32 ..
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 recordings
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:37 snapshots
$ ls -la /media/nvr/kerberos/garage-south/recordings/
total 8
drwxrwxrwx 2 idsvc idsvc 4096 Dec 19 12:56 .
drwxrwxrwx 4 idsvc idsvc 4096 Dec 19 12:37 ..

My versions for reference:

$ docker --version
Docker version 20.10.21, build baeda1f
$ docker compose version
Docker Compose version v2.12.2

I have tried adding user: 1000:1000 to the services entries in the compose file, running the docker compose elevated, and I am stuck.

What incredibly obvious thing have I missed?

Issue Analytics

State:
Created 9 months ago
Comments:24 (13 by maintainers)

Top GitHub Comments

1reaction

instantdreamscommented, Dec 21, 2022

If using specific mount points in docker compose, the original issue is resolved using the following steps:

Create mount points for configuration (if using a targeted mount for configuration)

cd [location of docker-compose.yml]
mkdir [camera] [camera]/config
wget https://raw.githubusercontent.com/kerberos-io/agent/master/machinery/data/config/config.json -O [camera]/config
sudo chown [user running docker]:[group running docker] [location of docker-compose.yml] -R
sudo chmod 777 [location of docker-compose.yml] -R

Create mount points for media

mkdir [media location]/[camera] [media location]/[camera]/recordings [media location]/[camera]/snapshots
sudo chown [user running docker]:[group running docker]  [media location] -R
sudo chmod 777 [media location]/[camera] -R

Use the correct targets in the volumes section of docker-compose.yml

    volumes:
      - [location of docker-compose.yml]/[camera]/config:/home/agent/data/config:rw
      - [media location]/[camera]/recordings:/home/agent/data/recordings:rw
      - [media location]/[camera]/snapshots:/home/agent/data/snapshots:rw

This will resolve the “permission denied” error caused by the lack of a specified “snapshots” volume.

Thank you to @cedricve for confirming this.

1reaction

instantdreamscommented, Dec 20, 2022

Adding the /snapshots mount, removing the user entry, and grabbing a base configuration file enabled the container to start.

Before I document the process, I have a question for you, @cedricve - you said in your previous reply I could remove the config binding as I override it in the environment variables. I see in the example you included that ka-garage-north includes the user entry and ka-garage-south does not, but I cannot see anything else that has changed.