SOLVED OpenProject docker stack permission problem

ragametal

Contributor
Joined
May 4, 2021
Messages
188
I’m almost certain that my problem is not related to TrueNAS but maybe somebody here can point me to a helpful resource that can help me.

I’ve been trying to install openproject in a docker container for the last 3 weeks but it keeps failing.

In my environment Docker is installed in a Debian VM in TrueNAS Core 13.0-U2.

I created a user and group named “docker” in TrueNAS and in the VM, with the same UID and GID in both places.

I created an NFS share in TrueNAS and the owner of the dataset is docker:docker.

I can mount the NFS share from the VM and the user docker can create, delete, modify, change permissions and ownership (with the use of "sudo") of files created in the NFS share (so full privileges).

From within the VM, I deployed portainer with a volume pointing to the NFS share for persistent data. This went without a hiccup.

When I try to install the openproject Stack I’m getting a lot of permission errors. After investigating I realized that this Stack creates a user named “APP:APP” with UID 1000 and GID 1000.

So, when openproject creates a file in the volume (which is pointing to the NFS share), that file is owned by 1000:1000 which doesn’t exist in the VM but in TrueNAS those are the UID:GID of a user that has no privileges in the NFS share. Therefore, openproject cannot modify or change permissions of this file after it is created.

I think this is the culprit of my problem.

I tried using the docker user namespaces to map the user inside the docker container to my user “docker” in the VM/TrueNAS but as soon as I create the file /etc/docker/daemon.json and restart the VM portainer fails and gives me permission errors.

Do any of you know how to solve this problem so I can run openproject?
 

ragametal

Contributor
Joined
May 4, 2021
Messages
188
Please note that I deployed openproject in a single docker container as opposed to deploying it with one container per process (i.e. docker stack). I honestly couldn’t troubleshoot why the stack didn’t want to work in my environment.

Problem:
The official docker image will create a new user named “app” which belongs to the group “app” and they will get the first UID and GID available in their environment which in Linux is 1000. This UID/GID information is “baked” into the image and cannot be changed.

Solution:
Build a new openproject image indicating the desired UID/GID at the time of the build. The new image will be based on the official openproject image.

To do so, SSH into the Debian VM and create a new Dockerfile somewhere (maybe put it inside a folder called openproject if you like). The Dockerfile should have the following content.

Code:
FROM openproject/community:12

ARG UID=1000
ARG GID=1000

RUN groupmod -g "${GID}" app && usermod -u "${UID}" -g "${GID}" app

Next, build the new docker image indicating the desired UID/GID (In my case these would be 1004/1016). I decided to call the new image “openproject-myimage”.
docker build -t openproject-myimage --build-arg UID=1004 --build-arg GID=1016 .

Now, to deploy openproject, first create the folders for the persistent data inside the NFS share
mkdir -p /mnt/nfs/openproject/{db,assets} && chmod g+w -R /mnt/nfs/openproject

And finally, deploy the new docker image for openproject as follows
docker run -d -p 8080:80 --name openproject -e OPENPROJECT_HOST__NAME=YOUR.FQDN -e SECRET_KEY_BASE=YOUR-UNIQUE-SUPER-SECRET -e OPENPROJECT_HTTPS=false -e OPENPROJECT_HSTS=false --restart=unless-stopped -v /mnt/nfs/openproject/db:/var/openproject/pgdata -v /mnt/nfs/openproject/assets:/var/openproject/assets openproject-myimage:latest

I’m just starting my docker journey (I got used to the jails system in TrueNAS Core) but my understanding is that a lot of docker images out there have this problem. This solution should work with all of them, just adjust the Dockerfile to indicate the source of your docker image (in this case it was “openproject/community:12”) and the user inside the docker container (in this case “app”).

I hope this helps somebody else as this information was very difficult for me to find and understand.

Note, by far this video was the best source I could find in case you are interested in learning more
https://www.youtube.com/watch?v=sXfaogNlc7Y
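
A pre-flight check for the UID/GID mismatch discussed in this thread, as an added example that is not part of the original posts: it reads a user's numeric IDs from a passwd-format file and tests them against the owner, group and mode bits of the directory to be mounted. The function names `passwd_ids` and `can_write` are hypothetical, the sample passwd entry and directory are constructed, and GNU `stat` is assumed; ACLs, supplementary groups and NFS squash options are not modelled.

```shell
#!/bin/sh
# Added example (not from the thread): does a container user's numeric
# UID:GID have write access to a bind-mounted directory on the host?
# Assumes GNU stat (as on Debian); ACLs, supplementary groups and NFS
# squash options are not modelled. Function names are hypothetical.

# Print "uid:gid" for user $1 from passwd-format file $2; status 1 if absent.
# A real image's file can be dumped with, e.g.:
#   docker run --rm --entrypoint cat openproject/community:12 /etc/passwd
passwd_ids() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; found = 1; exit }
                       END { exit !found }' "$2"
}

# Status 0 if uid:gid ($2) may write directory $1 under classic mode bits.
# The kernel checks exactly one class: owner, else group, else other.
can_write() {
    cw_uid=${2%%:*}
    cw_gid=${2##*:}
    cw_stat=$(stat -c '%u %g %a' "$1") || return 2
    set -- $cw_stat                 # now: $1=owner uid, $2=group gid, $3=octal mode
    cw_perm=$((0$3))                # leading 0 makes the shell read it as octal
    if [ "$cw_uid" = "$1" ]; then
        cw_bit=$((cw_perm & 0200))  # owner write bit
    elif [ "$cw_gid" = "$2" ]; then
        cw_bit=$((cw_perm & 0020))  # group write bit (what chmod g+w sets)
    else
        cw_bit=$((cw_perm & 0002))  # everyone else
    fi
    [ "$cw_bit" -ne 0 ]
}

# Constructed demo data: the image user from the thread (app = 1000:1000)
# and a stand-in for the NFS-backed data directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'root:x:0:0:root:/root:/bin/sh\napp:x:1000:1000::/home/app:/bin/bash\n' \
    > "$demo_dir/passwd"
mkdir "$demo_dir/share" && chmod 770 "$demo_dir/share"

ids=$(passwd_ids app "$demo_dir/passwd")
if can_write "$demo_dir/share" "$ids"; then
    echo "app ($ids) can write to the share"
else
    echo "app ($ids) cannot write: share is owned by $(stat -c '%u:%g' "$demo_dir/share")"
fi
```

Pointing `can_write` at the real mount point with the UID:GID passed as `--build-arg` shows whether the rebuilt image lines up with the share before the container is started.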
 

heisian

Dabbler
Joined
Oct 3, 2020
Messages
21
thank you for posting this, it helped me immensely!!
 

ragametal

Contributor
Joined
May 4, 2021
Messages
188
I'm glad this was helpful to somebody else.
Let me know if you were able to deploy the STACK instead of the single container.
 

heisian

Dabbler
Joined
Oct 3, 2020
Messages
21
Well I am running SCALE BlueFin, so I used the kubernetes apps UI to launch the docker image, which created the stack. I kept running into permissions problems until I just stopped using the “runAsUser/Group” options. So now I think the container runs as root.. I am still having a hard time with how SCALE does permissions with kubernetes, docker, and the processes running inside docker..

So there is a possibility that SCALE can run the image without modification, I’ll have to test.

But after a couple days and some motivation from your post I have a functional production openproject instance running for my small business.
 

ragametal

Contributor
Joined
May 4, 2021
Messages
188
Yes, I do run SCALE at home and I'm not a huge fan of iXsystems' implementation of kubernetes to deploy simple docker containers. I really wish they just had something like portainer instead of re-inventing the wheel creating yet another interface to deploy docker containers.
But that is a discussion for another thread.

Glad it's finally working for you.
 