#Storage Template with NFS -- Permissions issue


pallid scarab
#

I keep running into this issue:

[Nest] 7  - 05/06/2024, 3:36:53 PM   ERROR [StorageTemplateService] Problem applying storage template
[Nest] 7  - 05/06/2024, 3:36:53 PM   ERROR [StorageTemplateService] Error: EACCES: permission denied, mkdir 'upload/library/admin/2023/05'
    at mkdirSync (node:fs:1373:26)

Looks like it can't write to my NFS share with these settings:

# in /etc/exports...
/home/cakedayy/docker_apps/immich/mount my_client_ip(rw,sync,no_root_squash,no_subtree_check,insecure)

The permissions (from the client in the mount folder) using ls -l:

ls -l
total 3
drwxr-xr-x  1 caleb  staff  112 May  6 11:40 encoded-video
drwxr-xr-x  1 root   wheel    0 May  3 16:09 library
drwxr-xr-x  1 caleb  staff   72 May  6 11:34 thumbs
drwxr-xr-x  1 root   wheel   72 May  6 11:34 upload

The permissions (from the server in the mount folder) using ls -l:

cakedayy@potato:~/docker_apps/immich/mount$ ls -l
total 0
drwxr-xr-x 1  501 dialout 112 May  6 18:40 encoded-video
drwxr-xr-x 1 root root      0 May  3 23:09 library
drwxr-xr-x 1  501 dialout  72 May  6 18:34 thumbs
drwxr-xr-x 1 root root     72 May  6 18:34 upload
sick rampart BOT
#

:wave: Hey @pallid scarab,

Thanks for reaching out to us. Please follow the recommended actions below; this will help us be more effective in our support effort and leave more time for building Immich.

Checklist

  1. :ballot_box_with_check: I have verified I'm on the latest release (note that mobile app releases may take some time).
  2. :ballot_box_with_check: I have read applicable release notes.
  3. :blue_square: I have reviewed the FAQs for known issues.
  4. :blue_square: I have reviewed Github for known issues.
  5. :blue_square: I have tried accessing Immich via local ip (without a custom reverse proxy).
  6. :blue_square: I have uploaded the relevant logs, docker compose, and .env files using the buttons below or the /upload command.
  7. :blue_square: I have tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable

(an item can be marked as "complete" by reacting with the appropriate number)

If this ticket can be closed you can use the /close command, and re-open it later if needed.

pallid scarab
#

Solved this by just chowning the directories on the server

e.g.:

sudo chown -R 501:dialout ./library
sudo chown -R 501:dialout ./upload

cakedayy@potato:~/docker_apps/immich/mount$ ls -l
total 0
drwxr-xr-x 1 501 dialout 112 May  6 18:40 encoded-video
drwxr-xr-x 1 501 dialout  10 May  6 23:49 library
drwxr-xr-x 1 501 dialout  72 May  6 18:34 thumbs
drwxr-xr-x 1 501 dialout  72 May  6 18:34 upload

pallid scarab
#

ok just kidding -- the server has root privileges, but the microservices container does not (501:dialout).

I don't think periodically going in and chowning everything is the right approach.

pallid scarab
#

Ok, I think I solved this by setting default permissions from the server for the upload directory:

# Own everything recursively first...
sudo chown -R 501:dialout ./upload

# Set default permissions (make sure 501:default always has rw access (and inherits x))
sudo chmod g+s /path/to/directory
sudo setfacl -d -m u:501:rwX /path/to/directory
sudo setfacl -d -m g:dialout:rwX /path/to/directory

pallid scarab
#

ok this didn't work either

tranquil tinsel
pallid scarab
#

Am I thinking about the problem wrong though?

On the NFS server (Linux), the server container writes all files and folders as root.

On the NFS client (macOS), where I'm also running the microservice container, it writes all files/folders as my user, which appears as "501:dialout" on the NFS server (Linux).

Should I just be running the server container on the NFS server (Linux) as 501:dialout?

#

the thing that I don't get is why 501:dialout doesn't get root privileges since Docker on the Mac is running containers as root + I have no_root_squash (which allows root from NFS client to act as root on the NFS server) as an option on the NFS server...

tranquil tinsel
#

Sorry, I’m not that knowledgeable about setting up permissions. I was just thinking it could be a quirk of how Docker mounts are handled on Mac. Hopefully someone else can be of more help
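
Added example, not part of any post in this thread: a Python check that applies the owner/group/other mode-bit rule to the two server-side `ls -l` listings quoted above, showing why `mkdir` as 501:dialout gets EACCES in the root-owned `library` and `upload` directories and is allowed once they are chowned. It assumes plain mode bits decide access (no ACLs, no NFS ID remapping) and that requests reach the server with the uid seen in the listings; `no_root_squash` only changes the outcome for requests that arrive as uid 0. The function names are hypothetical.

```python
# Server-side `ls -l` output copied from the first post (before the chown).
BEFORE = """\
drwxr-xr-x 1  501 dialout 112 May  6 18:40 encoded-video
drwxr-xr-x 1 root root      0 May  3 23:09 library
drwxr-xr-x 1  501 dialout  72 May  6 18:34 thumbs
drwxr-xr-x 1 root root     72 May  6 18:34 upload
"""

# Server-side `ls -l` output copied from the post after the chown.
AFTER = """\
drwxr-xr-x 1 501 dialout 112 May  6 18:40 encoded-video
drwxr-xr-x 1 501 dialout  10 May  6 23:49 library
drwxr-xr-x 1 501 dialout  72 May  6 18:34 thumbs
drwxr-xr-x 1 501 dialout  72 May  6 18:34 upload
"""


def can_create_in(mode, owner, group, uid, groups):
    """True if (uid, groups) may create an entry in a directory with this mode.

    Creating an entry needs write and search (w and x) on the directory.
    Only the first matching class is consulted: owner, then group, then other.
    """
    if uid in ("0", "root"):
        return True  # uid 0 bypasses mode bits (assumes the server does not squash it)
    if uid == owner:
        bits = mode[1:4]
    elif group in groups:
        bits = mode[4:7]
    else:
        bits = mode[7:10]
    return bits[1] == "w" and bits[2] in "xst"


def writable_dirs(listing, uid, groups):
    """Map each directory in an `ls -l` listing to whether mkdir inside is allowed."""
    result = {}
    for line in listing.splitlines():
        fields = line.split()
        if fields and fields[0].startswith("d"):
            mode, owner, group, name = fields[0], fields[2], fields[3], fields[-1]
            result[name] = can_create_in(mode, owner, group, uid, groups)
    return result


if __name__ == "__main__":
    for label, listing in (("before chown", BEFORE), ("after chown", AFTER)):
        print(label, writable_dirs(listing, "501", {"dialout"}))
```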