Permission denied on ubuntu 14.04 host #69

Closed
Fenkiou opened this issue Aug 22, 2016 · 18 comments

@Fenkiou

Fenkiou commented Aug 22, 2016

This image works fine on Mac OS El Capitan with Docker:

Client:
 Version:      1.12.1-rc1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   7889dc7
 Built:        Fri Aug 12 18:35:53 2016
 OS/Arch:      darwin/amd64
 Experimental: true

Server:
 Version:      1.12.1-rc1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   7889dc7
 Built:        Fri Aug 12 18:35:53 2016
 OS/Arch:      linux/amd64
 Experimental: true

I can mount volumes from my host to my container and read/write to the volume without issue.

However with an ubuntu 14.04 with docker:

Client:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:22:43 2016
 OS/Arch:      linux/amd64

Server:
 Version:      1.12.1
 API version:  1.24
 Go version:   go1.6.3
 Git commit:   23cf638
 Built:        Thu Aug 18 05:22:43 2016
 OS/Arch:      linux/amd64

I can mount volumes too, but can't write to them. In fact the issue is especially about the volume mounted to override the openerp-server.conf, this volume is not writable and not readable, so the odoo container is not using my own config file.

I thought this was related to the chown command in the Dockerfile but as my other volumes are mounted in /mnt/my_other_volume, this path isn't chowned to odoo so this is not the problem.

This is not an issue with my host system as I tried to mount and write a file to a volume mounted to the postgres container and it works.

Any ideas?

@jaredkipe

That particular folder should only need read access, which is fairly liberal.
Can you show an example docker run command that gives you the error?

Can you show the output of something like docker run --rm odoo:9.0 ls -lah /etc/odoo

@Fenkiou
Author

Fenkiou commented Aug 23, 2016

On Mac OS and Ubuntu, I run:
docker run -v /path/to/openerp-server.conf:/etc/odoo -v /path/to/addon1:/mnt/extra-addons/addon1 -p 8069:8069 --name odoo --link db:db -t odoo:8

I forgot to mention that I only use odoo 8 for now (at least on ubuntu). I tried odoo 9 on my mac without issue.

I will show you the output of your command tomorrow as it's on my work laptop and I don't have it with me right now.

@jaredkipe

Is that first path "/path/to/openerp-server.conf" a folder? (i.e. not a specific openerp-server.conf file)

You might want to run my above command with and without your volume mount to spot any difference.

@Fenkiou
Author

Fenkiou commented Aug 23, 2016

On Mac OS:

% docker exec -it odoo8 bash
odoo@acf9689560fe:/$ ls -lah /etc/odoo/
total 12K
drwxr-xr-x  2 root root 4.0K Aug  1 20:01 .
drwxr-xr-x 71 root root 4.0K Aug 23 16:18 ..
-rw-------  1 odoo odoo  993 Aug 23 16:18 openerp-server.conf

No, it's not a folder but the config file, and this is a mistake, thanks. I will try to put the config file in a folder and load it as a volume.

BUT on ubuntu, I tried yesterday: docker run -v /some/path/to/empty/folder/:/mnt/blah -p 8069:8069 --name odoo --link db:db -t odoo:8 and I couldn't get write access inside /mnt/blah on the container, nor read access on /etc/odoo/openerp-server.conf.

@jaredkipe

Yes, that would almost certainly be the problem.
docker run -v /path/to:/etc/odoo -v /path/to/addon1:/mnt/extra-addons/addon1 -p 8069:8069 --name odoo --link db:db -t odoo:8 would almost certainly fix the issue, though introduce some security concerns.

@Fenkiou
Author

Fenkiou commented Aug 23, 2016

I'll try tomorrow and I'll tell you.

If this is the problem, do you know why this works on Mac OS and not on Ubuntu?

Anyway, thanks for your help, I'll keep you in touch.

@Fenkiou
Author

Fenkiou commented Aug 24, 2016

On Ubuntu the command executed is:
docker run -v /path/to/addons/web:/mnt/extra-addons/web -v /path/to/config:/etc/odoo -p 8069:8069 --link db:db --name odoo -t odoo:8

/path/to/config is the folder containing the config file.

% docker exec -it odoo bash
odoo@27dadeff1f69:/$ ls -lah /etc/odoo
total 12K
drwxrwxr-x  2 1000 1000 4.0K Aug 24 06:53 .
drwxr-xr-x 71 root root 4.0K Aug 24 06:53 ..
-rw-------  1 1000 1000  902 Aug 24 06:53 openerp-server.conf

My configuration file is not used.

odoo@27dadeff1f69:/mnt/extra-addons$ ls -lah
total 12K
drwxr-xr-x  3 odoo root 4.0K Aug 24 06:53 .
drwxr-xr-x  3 root root 4.0K Aug  1 20:01 ..
drwxrwxr-x 69 1000 1000 4.0K Aug 17 06:58 web
odoo@27dadeff1f69:/mnt/extra-addons/web$ touch bleh.txt
touch: cannot touch 'bleh.txt': Permission denied

But I can read the README.md of the repo. The web addon is from OCA.

You can see that the owner of those files / folders is 1000, not odoo or root, I think this is the issue but don't know why.

@jaredkipe

Because the running user doesn't have the UID of 1000. Off the top of my head, I believe you want to chown to 104 outside the container. You can cat /etc/passwd to find the user id inside the container.

The same thing would happen to your Postgres container if user 1000 owned its data directory.

It is OS X that isn't doing the right thing here by being overly permissive.

@Fenkiou
Author

Fenkiou commented Aug 24, 2016

If I understand correctly, you're telling me that I should chown the folder on my host to 104, which is the uid of the odoo user?

@jaredkipe

Correct.
See how when you're running the container in bash, you get 'odoo@xxxx', processes running in this container only have the permissions of that user. Since that user does not have read privileges to the file /etc/odoo/openerp-server.conf, there is no way that odoo could read that config file to use it at all.

Likewise to add ons and filestore locations.
docker run --rm odoo bash -c "cat /etc/passwd | grep odoo"

This is basic docker stuff, it's just that the 'native OS X Docker' gets around all of the usual file permissions things.

@Fenkiou
Author

Fenkiou commented Aug 24, 2016

Your answer made me search a lot on the web and I now understand that when I mount a volume owned by me (uid 1000, gid 1000), it will be mounted with this uid/gid and that's why I can't read files from the container, as you said.

But I can't chown my folder to 104 (odoo user) as on my host machine, this uid is assigned to an existing user (dnsmasq in my case) and in fact, it's still mounting the volume with uid 1000.

Do you have an example of a config file on your host with its owner/group mounted in a container with the odoo's uid?

@jaredkipe

Well for the config file, you don't need to, you just need to grant everyone read privileges.

However, for a volume that needs write privileges, you will need to chown the folder, or heavily relax the permissions (i.e. everyone has rwx).

It doesn't really matter whether or not you already have a user that has 104, you can still chown the folder to that UID and the process inside the Odoo container running as odoo will have the correct permissions.

This is how it works for basically every Docker image that doesn't run as root and needs to access files permanently.

FWIW, my docker image 'hibou/odoo' creates the odoo user with the same UID, but adds them to the default group of 'www-data' (gid 33), so that's another workaround (chown the group to 33, and give group rwx).

You could also overwrite the implicit user, and run the container as root to get around these things. (but I don't recommend it). docker run -u 0

@Fenkiou
Author

Fenkiou commented Aug 24, 2016

I had to chown my folder to 104:1000 then chmod 777 to be able to get it working.

Not sure if it's the best way but now it works.

Thanks for your help, you really helped me understand some parts of docker that I didn't, as on Mac OS this is hidden behind some magic.
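
An added example, not part of the thread or the project: a shell sketch of the owner/group/other check that decides whether a container UID can use a bind-mounted path, useful for finding a narrower fix than chmod 777. UID 104 and host owner 1000:1000 are the values quoted above; the odoo GID 107 is a constructed placeholder, and supplementary groups, ACLs and parent directories are not modelled.

```shell
#!/bin/sh
# Classic Unix permission check for one UID/GID against one inode.
# Simplifications: primary group only, no ACLs, parent directories not checked.

# perm_check UID GID OWNER GROUP MODE WANT   (MODE is octal, WANT is r, w or x)
# Returns 0 if access would be granted, 1 if denied, 2 on bad arguments.
perm_check() {
    uid=$1 gid=$2 owner=$3 group=$4 mode=$5 want=$6
    case $want in
        r) bit=4 ;;
        w) bit=2 ;;
        x) bit=1 ;;
        *) return 2 ;;
    esac
    # uid 0 (e.g. docker run -u 0) bypasses the read/write checks entirely
    if [ "$uid" -eq 0 ] && [ "$want" != x ]; then return 0; fi
    m=$((0$mode))
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$uid" -eq "$owner" ]; then
        bits=$(( (m >> 6) & 7 ))
    elif [ "$gid" -eq "$group" ]; then
        bits=$(( (m >> 3) & 7 ))
    else
        bits=$(( m & 7 ))
    fi
    [ $(( bits & bit )) -ne 0 ]
}

# check_mount PATH UID GID WANT: same check against a real host path.
# Assumes GNU stat (Linux hosts, as in the Ubuntu case above).
check_mount() {
    meta=$(stat -c '%u %g %a' "$1") || return 2
    # $meta is left unquoted on purpose: it splits into owner, group, mode
    perm_check "$2" "$3" $meta "$4"
}

# Demo with the thread's values (odoo gid 107 is a constructed placeholder).
perm_check 104 107 1000 1000 600 r || echo "uid 104 cannot read a 1000:1000 0600 config"
perm_check 104 107 104 1000 770 w && echo "owner 104 with mode 770 is enough for writes"
```

Run `check_mount /path/to/config 104 107 r` on the host before starting the container, substituting the UID and GID that `id` reports inside the image.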

@Fenkiou Fenkiou closed this as completed Aug 24, 2016
@tejastank

Cannot open resource "/opt/odoo_8/extra-addons/masters/libon_no/logo/logo2.jpg"

We face the same issue, some permission issues, unable to solve even with 777 permission given.

@jaredkipe

tejastank: There are a lot of reasons why this may fail, but I assure you it won't be fixed in this project (meaning it is usage or configuration specific).

What OS are you on? If you're in MacOS using the 'Native' Docker, I've noticed weird behavior if the running user does not own the files -- regardless of what the group/other bits are set.

I can help you troubleshoot, let's say that you have a docker container running named 'odoo_1'.
docker exec odoo_1 bash -c "id"
docker exec odoo_1 bash -c "ls -lah /opt/odoo_8/extra-addons/masters/libon_no/logo/logo2.jpg"
docker exec odoo_1 bash -c "stat /opt/odoo_8/extra-addons/masters/libon_no/logo/logo2.jpg"

@tejastank

@jaredkipe great, thanks for the quick answer on the issue.

I have resolved it, but don't know how it happened.
/opt/odoo_8/extra-addons/masters/libon_no/logo/logo2.jpg this is the correct path.
but with docker
/mnt/extra-addons/masters/libon_no/logo/logo2.jpg this works

I don't know how this happened, but I have resolved it for the moment.

I feel using odoo without docker, the traditional way, is better, because docker documentation is additional knowledge and an expense in hours.

Thanks again for your tips on docker.

@jaredkipe

@tejastank
Using Docker certainly has a learning curve, but I feel like it is completely worth it. If you haven't done so already, I'd suggest looking at using docker-compose to declaratively define the way containers/services interact and behave.

Personally, I've started using Docker for everything. Once you use enough Docker, deploying any system becomes the same thing: State the dependencies up front (files, network sockets, environment variables), run everything in containers. This is basically how I use Odoo with Docker https://hibou.io/blog/news-info-1/post/docker-odoo-blueprint-4

@moorthi07

> Because the running user doesn't have the UID of 1000. Off the top of my head, I believe you want to chown to 104 outside the container. You can cat /etc/passwd to find the user id inside the container.
>
> The same thing would happen to your Postgres container if user 1000 owned its data directory.
>
> It is OS X that isn't doing the right thing here by being overly permissive.

I did use the odoo user id (in my case 227), the below got past this error: 'grep: /etc/odoo/odoo.conf: Permission denied'

drwxr-xr-x 2 root root 4.0K Aug 23 22:33 .
drwxr-xr-x 104 root root 4.0K Aug 23 22:19 ..
-rw-r----- 1 odoo odoo 227 Aug 23 21:01 odoo.conf
ubuntu@docker-dev:~$ sudo chmod 227 /etc/odoo/odoo.conf
