Docker container has permission issues when deployed through Nomad, but not when deployed through Docker CLI on same host

Pretty confused here, must be missing something obvious.

Trying to deploy Nextcloud on my cluster, without persistent storage for now, even.

Here’s my jobspec:

job "nextcloud" {
  region = "global"
  datacenters = ["dc1"]
  namespace   = "default"
  type        = "service"
  
  group "nextcloud" {
    network {
      mode = "bridge"
      port "http" {
        to = 80
      }
      port "db" {
        to = 5432
      }
    }

    task "nextcloud" {
      driver = "docker"

      config {
        image = "lscr.io/linuxserver/nextcloud:latest"
      }

      resources {
        cpu    = 2000
        memory = 4048
      }

      env {
        NEXTCLOUD_TRUSTED_DOMAINS = "[redacted]"
        TRUSTED_PROXIES = "192.168.1.216"
        TZ = "Europe/Berlin"
        PGID = "1000"
        PUID = "1000"
      }

      service {
        name = "nextcloud"
        port = "http"

        tags = [
          "traefik.enable=true",
          "traefik.http.routers.nextcloud.rule=Host(`[redacted]`)",
          "traefik.http.routers.nextcloud.tls=true",
          "traefik.http.routers.nextcloud.tls.certresolver=myresolver",
        ]
      }
    }
  }
}

Immediately after deploying through nomad, it fails with:

chown: changing ownership of '/app': Operation not permitted
chown: changing ownership of '/config': Operation not permitted
chown: changing ownership of '/defaults': Operation not permitted
mkdir: cannot create directory ‘/var/lib/nginx’: Permission denied
s6-rc: warning: unable to start service init-folders: command exited 1
chown: changing ownership of '/etc/crontabs/abc': Operation not permitted
crontab: setegid: Operation not permitted

… which is quite confusing to me, because all those folders are obviously within the container. Why are there permission issues?

Even when I change the container’s PGID and PUID env vars (which affect the user the process within the container runs as) to 0:0, I get another permission error:

mkdir: cannot create directory ‘/var/lib/nginx’: Permission denied
s6-rc: warning: unable to start service init-folders: command exited 1

… which is even more confusing to me.

And here’s the thing: When I start it using the Docker CLI on the same host, with the same config, like this:

docker run -d \
  --name=nextcloud \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 443:443 \
  --restart unless-stopped \
  lscr.io/linuxserver/nextcloud:latest

… everything works fine! So, same host, same config, same Docker daemon, same image… but it doesn’t work through Nomad. Docker / the container itself is running as root in both cases too.

What could this be? I must really be missing something obvious here.
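Added example, not part of the original post and not code from Nomad or the linuxserver image: chown(2) returns EPERM ("Operation not permitted") when the calling process lacks CAP_CHOWN, and mkdir(2) returns EACCES ("Permission denied") for uid 0 when CAP_DAC_OVERRIDE is missing and the parent directory is not writable, so a root process hitting these errors inside a container is usually short of a capability rather than a permission bit. The script below decodes the CapEff masks from `/proc/1/status` captured in each container (`docker exec <id> grep Cap /proc/1/status` for the CLI one, `nomad alloc exec <alloc-id> grep Cap /proc/1/status` for the Nomad one) and lists what one has that the other lacks. The two status samples are constructed: the first is Docker's default capability set, the second has cap_chown and cap_dac_override removed. Whether Nomad's docker driver on this particular host actually drops those capabilities is not established by the post; the places to check are the client plugin's `allow_caps` and the task's `cap_add`/`cap_drop` settings.

```python
"""Decode and compare Linux capability masks from two containers' /proc/1/status."""

# Capability numbers as defined in linux/capability.h: bit n of the mask is capability n.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def decode_caps(mask_hex):
    """Turn a CapEff-style hex mask into the set of capability names it grants."""
    mask = int(mask_hex, 16)
    names = set()
    for bit, name in enumerate(CAP_NAMES):
        if mask & (1 << bit):
            names.add("cap_" + name)
    # Any bits above the table belong to capabilities newer than this list.
    unknown = mask >> len(CAP_NAMES)
    if unknown:
        names.add("unknown_bits_0x%x" % (unknown << len(CAP_NAMES)))
    return names


def parse_status(text):
    """Extract the Cap* lines of /proc/<pid>/status into {field: hexmask}."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("Cap") and ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def compare_caps(status_a, status_b, field="CapEff"):
    """Return (only_in_a, only_in_b): capability names present in one container's
    chosen Cap* field but absent from the other's."""
    a = decode_caps(parse_status(status_a)[field])
    b = decode_caps(parse_status(status_b)[field])
    return sorted(a - b), sorted(b - a)


# Constructed sample: `grep Cap /proc/1/status` inside a container started with
# Docker's default capability set (0xa80425fb).
DOCKER_CLI_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: the same set with cap_chown (bit 0) and cap_dac_override
# (bit 1) cleared, the kind of difference that makes chown(2) fail with EPERM and
# mkdir(2) fail with EACCES even for uid 0.
REDUCED_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t00000000a80425f8
CapEff:\t00000000a80425f8
CapBnd:\t00000000a80425f8
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    only_cli, only_other = compare_caps(DOCKER_CLI_STATUS, REDUCED_STATUS)
    print("granted to the CLI container but missing from the other:", only_cli)
    print("granted to the other container but missing from the CLI one:", only_other)
```

Replace the two constructed samples with the real output from each container. If the lists come back identical, capabilities are not the difference and the next things to compare are `docker inspect --format '{{json .HostConfig}}' <id>` for both containers (user, read-only rootfs, security options such as seccomp or AppArmor profiles, mounts) rather than anything in the image.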

What user is the Nomad agent running as?

Can you force the user to root for the docker driver to see if the error goes away?

just-an-idea