Docker Run: ERR: /data/ipfs is not writable for user 'ipfs' (UID 1000)

[VertigoRay]

I'm not a linux guru and I'm new to docker. I did try searching this before posting here, but this is driving me nuts. I should note that centurylink/watchtower seems to be running fine on my system.

Getting an error using docker and cannot attach into the container because it stops immediately.

Steps Taken

This is a summary of what I'm doing.

Docker Run

$ echo $ipfs_staging
/mnt/ipfs/staging/
$ echo $ipfs_data
/mnt/ipfs/data/
$ docker run -d --name v-ipfs -v $ipfs_staging:/export -v $ipfs_data:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 jbenet/go-ipfs:latest
0c54<snip>a75e

Docker Logs

$ docker logs v-ipfs
ERR: /data/ipfs is not writable for user 'ipfs' (UID 1000)

Docker PS

$ docker ps -a
CONTAINER ID        IMAGE                    COMMAND                  CREATED             STATUS                     PORTS               NAMES
b8171bbe7559        jbenet/go-ipfs:latest    "/usr/local/bin/start"   7 seconds ago       Exited (1) 6 seconds ago                       v-ipfs

Testing

I thought maybe it was a permissions issue with my mount at /mnt/ipfs, but the /mnt/ipfs/staging and /mnt/ipfs/data folders were successfully created. I did try changing the the targets to /tmp as shown:

$ docker run -d --name v-ipfs -v /tmp/ipfs/staging/:/export -v /tmp/ipfs/data/:/data/ipfs -p 8080:8080 -p 4001:4001 -p 5001:5001 jbenet/go-ipfs:latest
703c009e04fa8a70902de6da4e048d0c485917030c486a09eeab46ff62ff2606

The /tmp/ipfs/staging and /tmp/ipfs/data folders did not exist before executing docker run and did after. However, I got the same error in the log:

$ docker logs v-ipfs
ERR: /data/ipfs is not writable for user 'ipfs' (UID 1000)

I assume that's the UID within the docker container because the ipfs user on the host is 1002:

$ grep 'ipfs' /etc/passwd
ipfs:x:1002:1002::/home/ipfs:/bin/bash

[Patagonicus]

Because you specified /mnt/ipfs/staging and /mnt/ipfs/data as volumes the docker daemon will create them for you. However they will be owned by root (UID 0) and the IPFS user in the container (UID 1000) won't be able to write there.

To fix this simply run chmod 1000 /mnt/ipfs/staging /mnt/ipfs/data or chmod 755 /mnt/ipfs/staging /mnt/ipfs/data. Note that with the first option whoever happens to have UID 1000 on the host will be able to read and write those folders (usually the first user that was added) and with the second option everyone can. If you don't want to you can keep the defaults for /mnt/ipfs/staging, then IPFS will still be able to import data from that volume, but it won't be able to write to it.

It might be useful to have the container startup script set those permissions and to be able to specify which UID/GID to use (sameersbn's GitLab image supports that via env flags) so that you can prevent normal users from reading your IPNS keys or changing your data.

[VertigoRay]

Thank you for your reply, @Patagonicus. I did as you advised ...

$ docker logs v-ipfs
====================8<-----------------------------------------
Gateway (readonly) server listening on /ip4/0.0.0.0/tcp/8080
Daemon is ready

Thanks!!

[whyrusleeping]

Looks like this has been resolved, thanks @Patagonicus!

[ghost]

Reopening because this is still an issue in case you start the container without mounting a volume (i.e. with an ephemeral repo). Fix incoming.

[ghost]

Okay fixed in #2256

[OliverUv]

I suggest re-opening this and fixing it. mysql's Dockerfile solves this by doing a chown -R. Is there a good reason for go-ipfs to not do this? People expect the file to be read and written by ipfs since they have explicitly specified it on docker command line or in a compose file.

[Stebalien]

This has been fixed in master: #6040.

[jsdevel]

seems to be an issue still with the latest docker-compose.yml file in the ipfs-cluster quickstart guide