It’s Cybersecurity Awareness Month! Join our interactive training session, or learn about security and AI from 1Password experts.
 Forum Discussion
Former Member
4 years agoDocker (compose) Permission denied
I'm having trouble getting Connect up and running with Docker Compose. I believe my problems is somewhere related to a user and/or its rights. I am running Docker on my Synology NAS where I created a specific 'Shared Folder' named 1password. I also created an user (with has UID 1042) for further trial/error testing.
I currently have the following compose file:
```
version: "3.4"
services:
  1password-connect-api:
    image: 1password/connect-api:latest
    #user: "1042"
    ports:
      - "8888:8080"
    volumes:
      - /volume1/1password/1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
      - /volume1/1password/data:/home/opuser/.op/data
    restart: unless-stopped
1password-connect-sync:
    image: 1password/connect-sync:latest
    #user: "1042"
    ports:
      - "8881:8080"
    volumes:
      - /volume1/1password/1password-credentials.json:/home/opuser/.op/1password-credentials.json:ro
      - /volume1/1password/data:/home/opuser/.op/data
    restart: unless-stopped
```
This gives me the following error from both containers:
unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied
This led me to configure a '1password' user (UID 1042) and tell the containers to run as that user using:
user: 1042
This does get me through the permission denied problems (which makes me assume the 'user' does indeed work and 'do something'). But now it doesn't seem to be able and/or create the database:
1password-connect-api_1 | {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-01-14T13:13:28.600675519Z","level":3}
1password-connect-sync_1 | {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-01-14T13:13:27.719489908Z","level":3}
1password-connect-sync_1 | Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
I also tried to change the permissions of the Shared Folder and it's subfolder in order for 'Everyone' to have read/write, but then I get an error like 'Permissions too broad' (which seems quite fair and indeed very unwanted)
I am currently out of ideas on how to get this running. Anyone who can point me in the right direction?
1Password Version: 7.9.2
Extension Version: Not Provided
OS Version: macOS 12.1
20 Replies
- Former MemberI am digging a bit deeper into my problems and I am wondering whether this Image Layer could be (partially) the cause of my issue: RUN RUN groupadd -g 999 opuser && useradd -r -u 999 -g opuser opuser && mkdir -p /home/opuser/.op/data && chown -R opuser /home/opuser && chmod -R 700 /home/opuser/.op # buildkit The folders are very specifically created by user opuser. No matter how I mount my volumes ( - "data:..."or- "./data:...") I will keep having mismatched between the docker user and the host/folder. Do you agree with my findings? If so, what could we do to work around it :)
- Former MemberHmm, that's a bummer. Some things you could try: 
 chown -R 1042 /home/opuser/.op
 Or if the Synology interface allows this, you could try making the 1passworduser the owner of that directory (I am not familiar with Synology enough to tell if this is possible).
- Former MemberError: Server: (failed to OpenDefault), Wrapped: (failed to defaultPath), failed to ConfigDir: Can't continue. We can't safely access "/home/opuser/.op" because it's not owned by the current user. Change the owner or logged in user and try again. 
 Usage:
 connect-api [flags]Flags: 
 -h, --help help for connect-api
 -v, --version version for connect-api
- Former MemberIt seems like something is going wrong now with determining the home directory. Connect says it is looking in /.op/data/1password.sqliteinstead of/home/opuser/.op/data/1password.sqlite.What we can give a try, is manually specifying the correct location by setting XDG_DATA_HOMEto/home/opuser/. You can do that by adding the following line to the specification of both containers (just abovevolumes:):
 environment:
 XDG_DATA_HOME: "/home/opuser/"
 PS. you can use inline codeblocks by wrapping the code in a single tilde, so: 
 
 `docker-compose down -v`
 
- Former MemberAfter: 
 1. properly removing the volume with docker-compose down -v (how do you use inline-quoting :) ?) and recreating the containers and 2. trying the different mounting path for the data volume (both show the same behaviour)api-container {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:54.588109833Z","level":3} 
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:55.589474492Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:56.590461379Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:57.591539601Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T13:05:58.592468125Z","level":3}sync-container {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T13:05:54.889705141Z","level":2} 
 {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T13:05:54.891449813Z","level":3}
 Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
 Usage:
 connect-sync [flags]Flags: 
 -h, --help help for connect-sync
 -v, --version version for connect-sync
- Former Member- Removed the volume with docker-compose down -v and brought back up new containers:
 Logging from the api-container {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:37.725200632Z","level":3} 
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:38.725720387Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:39.726815153Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:40.726971703Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:41.727477047Z","level":3}
 {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T12:46:42.727625419Z","level":3}Logging from the sync-container {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T12:46:37.759709242Z","level":2} 
 {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T12:46:37.760142251Z","level":3}
 Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory
 {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 38321 /meta/message","timestamp":"2022-02-09T12:46:37.759784492Z","level":3}
 {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-09T12:46:37.762771554Z","level":3}
 {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T12:46:37.762822781Z","level":3}
 Usage:
 connect-sync [flags]
 Flags:
 -h, --help help for connect-sync
 -v, --version version for connect-sync- Using the compose file as suggested, with a data-folder within the same volume as where the credentials are stored:
 Logging from the api-container unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied 
 unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission denied
 unspecified err: stat /home/opuser/.op/data/1password.sqlite: permission deniedLogging from the sync-container Error: Server: (failed to OpenDefault), Wrapped: (failed to open db), unable to open database file: no such file or directory 
 {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T12:50:29.740318108Z","level":2}
 {"log_message":"(I) no existing database found, will initialize at /.op/data/1password.sqlite","timestamp":"2022-02-09T12:50:29.740786497Z","level":3}
 Usage:
 connect-sync [flags]
 Flags:
 -h, --help help for connect-sync
 -v, --version version for connect-sync
- Former MemberThanks for all the extra info, that is really helpful! What I think that happens, is that the datavolume (the second volume) has been created but is not accessible to the correct user. There are a few things we can try:
 - You could try deleting the volume. If you can rundocker-composecommands, that can be done withdocker-compose down -v. Then try bringing it up again.
 - Otherwise, you could also map the data volume to the same volume where the credentials are stored. For example:
 ```
 version: "3.4"services: 
 op-connect-api:
 image: 1password/connect-api:latest
 user: "1042"
 ports:
 - "8888:8080"
 volumes:
 - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
 - "./data:/home/opuser/.op/data"
 op-connect-sync:
 image: 1password/connect-sync:latest
 user: "1042"
 volumes:
 - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
 - "./data:/home/opuser/.op/data"volumes: 
 data:
 ```Let me know if this changes anything. 
- Former MemberJust to be sure: I removed 'Everyone' from the Permission-list of the Folder. My Docker-Compose file with the specified user-id: 
 ```
 version: "3.4"services: 
 op-connect-api:
 image: 1password/connect-api:latest
 user: "1042"
 ports:
 - "8888:8080"
 volumes:
 - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
 - "data:/home/opuser/.op/data"
 op-connect-sync:
 image: 1password/connect-sync:latest
 user: "1042"
 volumes:
 - "./1password-credentials.json:/home/opuser/.op/1password-credentials.json"
 - "data:/home/opuser/.op/data"volumes: 
 data:``` 
 User '1password' having Read/Write access to my '1password' Shard Folder and (sub)files containing the docker-compose.yml and credentials file, including the UID of this user
 Logging from api-container {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T11:58:01.374531594Z","level":2} 
 {"log_message":"(I) starting 1Password Connect API ...","timestamp":"2022-02-09T11:58:01.375385141Z","level":3}
 {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T11:58:01.376055616Z","level":3}
 {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 33709 /meta/message","timestamp":"2022-02-09T11:58:01.37452708Z","level":3}
 {"log_message":"(I) established incoming bus peer connection","timestamp":"2022-02-09T11:58:01.38045443Z","level":3}Logging from sync-container {"log_message":"(W) configured to use HTTP with no TLS","timestamp":"2022-02-09T11:58:01.27942699Z","level":2} 
 {"log_message":"(I) [discovery-local] starting discovery, advertising endpoint 35052 /meta/message","timestamp":"2022-02-09T11:58:01.279515199Z","level":3}
 {"log_message":"(I) starting 1Password Connect Sync ...","timestamp":"2022-02-09T11:58:01.285430604Z","level":3}
 {"log_message":"(I) serving on :8080","timestamp":"2022-02-09T11:58:01.285477533Z","level":3}
 {"log_message":"(I) database initialization complete","timestamp":"2022-02-09T11:58:01.381435241Z","level":3}
 {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:01.3818318Z","level":3}
 {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 500ms), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:01.381976897Z","level":1}
 {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:01.882164464Z","level":3}
 {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 1s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:01.882328973Z","level":1}
 {"log_message":"(I) ### syncer credentials bootstrap ### ","timestamp":"2022-02-09T11:58:02.882528988Z","level":3}
 {"log_message":"(E) Server: (unable to get credentials and initialize API, retrying in 2s), Wrapped: (failed to FindCredentialsUniqueKey), Wrapped: (failed to loadCredentialsFile), Wrapped: (LoadLocalAuthV2 failed to credentialsDataFromDisk), open /home/opuser/.op/1password-credentials.json: permission denied","timestamp":"2022-02-09T11:58:02.882733291Z","level":1}
- Former MemberHi @miura, Thank you for reaching out. Sorry for my late reply, but I am glad you made some progress. What you are describing is indeed a less-than-ideal situation with docker-compose. I am not sure if this is something that we can address on a Synology NAS, but let's give it a try. The no database foundlog line you're seeing, is not necessarily an error. It indicates that the API container is waiting for the sync container to come online and create the shared database. Could you maybe share the logs of the sync container?
- Former MemberI am actually one step further. I tried to use the example Docker Compose file (https://github.com/1Password/connect/blob/main/examples/docker/compose/docker-compose.yaml) instead of my modified one. I guess I don't fully understand the usage of volumes yet. I got the containers running. 
 However, I had to give 'Everyone' permission to the folder, thus including access to the credantials-json. Not something I believe I want to continue using.When using the 'user: "1042"' config, the containers fail to create a database: {"log_message":"(I) no database found, will retry in 1s","timestamp":"2022-02-09T10:24:11.901908858Z","level":3} What is the proper way to run the containers from within a limited-access folder? 
