Permission denied starting openHAB with Docker/Podman

Hi everybody,
I’m trying to run openHAB v4.3.0 on a Podman container in my notebook with Fedora Workstation v41.

I’ve followed the guide on Docker | openHAB and I’ve created the openhab user and the configuration folders, which are currently empty:

sudo useradd -r -s /sbin/nologin openhab
sudo usermod -a -G openhab openhab
sudo mkdir -p /opt/openhab/{conf/ssh,userdata,addons}
sudo chown -R openhab:openhab /opt/openhab

I’m trying to start the container with:

user@fedora: podman run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=972 \
        -e GROUP_ID=972 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian

The output that I get is:

+ IFS='
	'
++ find /usr/lib/jvm -maxdepth 1 -name '*jdk*' -type d
+ export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ '[' unlimited = unlimited ']'
Configuring Java unlimited strength cryptography policy...
+ echo 'Configuring Java unlimited strength cryptography policy...'
+ sed -i 's/^crypto.policy=limited/crypto.policy=unlimited/' /usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security
+ capsh --print
+ grep -E Current:.+,cap_net_admin,cap_net_raw,.+
+ rm -f '/var/lock/LCK..*'
+ rm -f /openhab/userdata/tmp/instances/instance.properties
+ NEW_USER_ID=972
+ NEW_GROUP_ID=972
Starting with openhab user id: 972 and group id: 972
+ echo 'Starting with openhab user id: 972 and group id: 972'
+ id -u openhab
++ getent group 972
+ '[' -z '' ']'
Create group openhab with id 972
+ echo 'Create group openhab with id 972'
+ groupadd -g 972 openhab
Create user openhab with id 972
+ echo 'Create user openhab with id 972'
+ adduser -u 972 --disabled-password --gecos '' --home /openhab --gid 972 openhab
adduser: Warning: The home dir /openhab you specified already exists.
Adding user `openhab' ...
Adding new user `openhab' (972) with group `openhab (972)' ...
useradd warning: openhab's uid 972 outside of the UID_MIN 1000 and UID_MAX 60000 range.
adduser: The home directory `/openhab' already exists.  Not touching this directory.
adduser: Warning: The home directory `/openhab' does not belong to the user you are currently creating.
Adding new user `openhab' to supplemental / extra groups `users' ...
Adding user `openhab' to group `users' ...
+ groupadd -g 11 audio2
+ groupadd -g 14 uucp2
+ groupadd -g 16 dialout2
+ groupadd -g 17 audio3
+ groupadd -g 18 dialout3
+ groupadd -g 32 uucp3
+ groupadd -g 63 audio4
+ groupadd -g 490 dialout4
+ groupadd -g 492 audio5
+ groupadd -g 997 gpio
+ adduser openhab audio
Adding user `openhab' to group `audio' ...
Done.
+ adduser openhab audio2
Adding user `openhab' to group `audio2' ...
Done.
+ adduser openhab audio3
Adding user `openhab' to group `audio3' ...
Done.
+ adduser openhab audio4
Adding user `openhab' to group `audio4' ...
Done.
+ adduser openhab audio5
Adding user `openhab' to group `audio5' ...
Done.
+ adduser openhab dialout
Adding user `openhab' to group `dialout' ...
Done.
+ adduser openhab dialout2
Adding user `openhab' to group `dialout2' ...
Done.
+ adduser openhab dialout3
Adding user `openhab' to group `dialout3' ...
Done.
+ adduser openhab dialout4
Adding user `openhab' to group `dialout4' ...
Done.
+ adduser openhab gpio
Adding user `openhab' to group `gpio' ...
Done.
+ adduser openhab uucp
Adding user `openhab' to group `uucp' ...
Done.
+ adduser openhab uucp2
Adding user `openhab' to group `uucp2' ...
Done.
+ adduser openhab uucp3
Adding user `openhab' to group `uucp3' ...
Done.
+ initialize_volume /openhab/conf /openhab/dist/conf
+ volume=/openhab/conf
+ source=/openhab/dist/conf
++ ls -A /openhab/conf
+ '[' -z ssh ']'
+ initialize_volume /openhab/userdata /openhab/dist/userdata
+ volume=/openhab/userdata
+ source=/openhab/dist/userdata
++ ls -A /openhab/userdata
+ '[' -z '' ']'
Initializing empty volume /openhab/userdata ...
+ echo 'Initializing empty volume /openhab/userdata ...'
+ cp -av /openhab/dist/userdata/. /openhab/userdata/
cp: cannot create directory '/openhab/userdata/./etc': Permission denied
cp: cannot create directory '/openhab/userdata/./logs': Permission denied
cp: cannot create directory '/openhab/userdata/./tmp': Permission denied
cp: preserving times for '/openhab/userdata/.': Permission denied

I don’t understand why I get permission denied. :upside_down_face:
Do I have to put some initial configuration inside my local folders /opt/openhab/conf, /opt/openhab/userdata and /opt/openhab/addons?

Another question about uid and gid, because I’ve also noticed the warning:
“useradd warning: openhab’s uid 972 outside of the UID_MIN 1000 and UID_MAX 60000 range.”

My userid and gid is 972 and if I type “id openhab”, I get:
uid=972(openhab) gid=972(openhab) groups=972(openhab)

Do I have to put 972 for uid and gid, or do I always have to use 9001, because "By default the openHAB user in the container is running with uid=9001(openhab) gid=9001(openhab) groups=9001(openhab)"? :thinking:

Thanks for your help! :pray:

No, if they are empty the entrypoint script that runs when the container starts (that’s what’s generating the log you posted) will copy over the default set of files. The permission problem is preventing it from doing that.

That’s coming from useradd but it doesn’t seem to have prevented the creation of the new user. Right after that we see the script successfully adding the new user to the various groups it needs to belong to. I think you can ignore that warning or, you can see if it works better if you use a UID > 1000. The default UID is 9001.

When and where? On the host or in the container? It’s inside the container that matters.

I’ve always used 9001 for my UID. When I created the corresponding user on the host, I gave it the uid 9001. But I know that the container is supposed to be able to support any valid UID/GID. You should be able to use 972.

Ultimately though, the permission denied errors mean that the user that the entrypoint is running as (which I’m pretty sure is 972) doesn’t have permission to write to the volume mounted to /openhab/userdata. You can try touching a file there using sudo -u from the host and see if you get the same error.

1 Like

Hi @rlkoshak, now I’ve updated the host-specific user “openhab”, giving it 9001 as uid and gid, so now the warning has disappeared. :clap:

About the permission denied error, I’m not sure I understood what you wrote.
How can I touch a file that is inside the container (e.g. /openhab/userdata) from the host machine?
I didn’t get this step, thanks for your help! :person_tipping_hand: :pray:

You don’t. You touch the file in the folder mounted to the container from the host. We already know it won’t work from inside the container and I’m assuming the container is failing to come up anyway.

sudo -u openhab touch /opt/openhab/userdata/tmp

That will create an empty file named “tmp” in the folder you mounted into the container for userdata.

If that fails on the host, that proves that the uid for openhab on the host doesn’t have permission to write to that folder. If it succeeds, it means that the UID of openhab inside the container isn’t what you think it is (maybe the USER_ID environment variable is not being applied as expected).

But to answer your question, assuming the container is actually running:

docker exec -it openhab touch /openhab/userdata/tmp

But that will fail if the container isn’t actually running.

I’ve tried the command you wrote:

sudo -u openhab touch /opt/openhab/userdata/tmp

and the tmp file has been created successfully :roll_eyes:

I’ve tried to delete both the openhab user and the openhab group from the host machine and I have created them again with the following commands:

sudo groupadd -g 9001 openhab
sudo useradd -u 9001 -g openhab -r -s /sbin/nologin openhab
sudo usermod -a -G openhab openhab

Now, if I run podman with the following command, the error has changed a bit:

user@fedora:/opt$ podman run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=9001 \
        -e GROUP_ID=9001 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian
+ IFS='
	'
++ find /usr/lib/jvm -maxdepth 1 -name '*jdk*' -type d
+ export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
Configuring Java unlimited strength cryptography policy...
+ '[' unlimited = unlimited ']'
+ echo 'Configuring Java unlimited strength cryptography policy...'
+ sed -i 's/^crypto.policy=limited/crypto.policy=unlimited/' /usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security
+ capsh --print
+ grep -E Current:.+,cap_net_admin,cap_net_raw,.+
+ rm -f '/var/lock/LCK..*'
+ rm -f /openhab/userdata/tmp/instances/instance.properties
+ NEW_USER_ID=9001
+ NEW_GROUP_ID=9001
Starting with openhab user id: 9001 and group id: 9001
+ echo 'Starting with openhab user id: 9001 and group id: 9001'
+ id -u openhab
++ getent group 9001
+ '[' -z '' ']'
Create group openhab with id 9001
+ echo 'Create group openhab with id 9001'
+ groupadd -g 9001 openhab
Create user openhab with id 9001
+ echo 'Create user openhab with id 9001'
+ adduser -u 9001 --disabled-password --gecos '' --home /openhab --gid 9001 openhab
adduser: Warning: The home dir /openhab you specified already exists.
Adding user `openhab' ...
Adding new user `openhab' (9001) with group `openhab (9001)' ...
adduser: The home directory `/openhab' already exists.  Not touching this directory.
adduser: Warning: The home directory `/openhab' does not belong to the user you are currently creating.
Adding new user `openhab' to supplemental / extra groups `users' ...
Adding user `openhab' to group `users' ...
+ groupadd -g 11 audio2
+ groupadd -g 14 uucp2
+ groupadd -g 16 dialout2
+ groupadd -g 17 audio3
+ groupadd -g 18 dialout3
+ groupadd -g 32 uucp3
+ groupadd -g 63 audio4
+ groupadd -g 490 dialout4
+ groupadd -g 492 audio5
+ groupadd -g 997 gpio
+ adduser openhab audio
Adding user `openhab' to group `audio' ...
Done.
+ adduser openhab audio2
Adding user `openhab' to group `audio2' ...
Done.
+ adduser openhab audio3
Adding user `openhab' to group `audio3' ...
Done.
+ adduser openhab audio4
Adding user `openhab' to group `audio4' ...
Done.
+ adduser openhab audio5
Adding user `openhab' to group `audio5' ...
Done.
+ adduser openhab dialout
Adding user `openhab' to group `dialout' ...
Done.
+ adduser openhab dialout2
Adding user `openhab' to group `dialout2' ...
Done.
+ adduser openhab dialout3
Adding user `openhab' to group `dialout3' ...
Done.
+ adduser openhab dialout4
Adding user `openhab' to group `dialout4' ...
Done.
+ adduser openhab gpio
Adding user `openhab' to group `gpio' ...
Done.
+ adduser openhab uucp
Adding user `openhab' to group `uucp' ...
Done.
+ adduser openhab uucp2
Adding user `openhab' to group `uucp2' ...
Done.
+ adduser openhab uucp3
Adding user `openhab' to group `uucp3' ...
Done.
+ initialize_volume /openhab/conf /openhab/dist/conf
+ volume=/openhab/conf
+ source=/openhab/dist/conf
++ ls -A /openhab/conf
+ '[' -z ssh ']'
+ initialize_volume /openhab/userdata /openhab/dist/userdata
+ volume=/openhab/userdata
+ source=/openhab/dist/userdata
++ ls -A /openhab/userdata
+ '[' -z tmp ']'
++ cmp /openhab/userdata/etc/version.properties /openhab/dist/userdata/etc/version.properties
cmp: /openhab/userdata/etc/version.properties: No such file or directory
+ '[' '!' -z ']'
+ chown -R openhab:openhab /openhab
chown: changing ownership of '/openhab/addons': Permission denied
chown: changing ownership of '/openhab/conf/ssh': Permission denied
chown: changing ownership of '/openhab/conf': Permission denied
chown: changing ownership of '/openhab/userdata/tmp': Permission denied
chown: changing ownership of '/openhab/userdata': Permission denied

I’m trying to run the container with:

podman run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=9001 \
        -e GROUP_ID=9001 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian

@rlkoshak how we can check if the USER_ID and GROUP_ID are passed and applied as expected inside the container?

I can’t exec the command:

docker exec -it openhab touch /openhab/userdata/tmp

because the container doesn’t complete its startup, I can only see it with “podman container ls -a”

CONTAINER ID  IMAGE                                   COMMAND               CREATED         STATUS                                PORTS                                   NAMES
9417509db949  docker.io/openhab/openhab:4.3.0-debian  gosu openhab tini...  33 minutes ago  **Exited (1)** 33 minutes ago (starting)  5007/tcp, 8080/tcp, 8101/tcp, 8443/tcp  openhab

This line from the log:

Starting with openhab user id: 9001 and group id: 9001

I’ve never used podman, maybe it does something different with the volumes from Docker: e.g. by default they are read only or something.

I’ve tried to run it with Docker with the following command, and it started and responds at localhost:8080.

sudo docker run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=9001 \
        -e GROUP_ID=9001 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian

sudo docker run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=9001 \
        -e GROUP_ID=9001 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian
+ IFS='
	'
++ find /usr/lib/jvm -maxdepth 1 -name '*jdk*' -type d
+ export JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ JAVA_HOME=/usr/lib/jvm/java-17-openjdk-amd64
+ '[' unlimited = unlimited ']'
+ echo 'Configuring Java unlimited strength cryptography policy...'
+ sed -i 's/^crypto.policy=limited/crypto.policy=unlimited/' /usr/lib/jvm/java-17-openjdk-amd64/conf/security/java.security
Configuring Java unlimited strength cryptography policy...
+ capsh --print
+ grep -E Current:.+,cap_net_admin,cap_net_raw,.+
+ rm -f '/var/lock/LCK..*'
+ rm -f /openhab/userdata/tmp/instances/instance.properties
Starting with openhab user id: 9001 and group id: 9001
+ NEW_USER_ID=9001
+ NEW_GROUP_ID=9001
+ echo 'Starting with openhab user id: 9001 and group id: 9001'
+ id -u openhab
++ getent group 9001
+ '[' -z '' ']'
+ echo 'Create group openhab with id 9001'
+ groupadd -g 9001 openhab
Create group openhab with id 9001
+ echo 'Create user openhab with id 9001'
+ adduser -u 9001 --disabled-password --gecos '' --home /openhab --gid 9001 openhab
Create user openhab with id 9001
adduser: Warning: The home dir /openhab you specified already exists.
Adding user `openhab' ...
Adding new user `openhab' (9001) with group `openhab (9001)' ...
adduser: The home directory `/openhab' already exists.  Not touching this directory.
adduser: Warning: The home directory `/openhab' does not belong to the user you are currently creating.
Adding new user `openhab' to supplemental / extra groups `users' ...
Adding user `openhab' to group `users' ...
+ groupadd -g 11 audio2
+ groupadd -g 14 uucp2
+ groupadd -g 16 dialout2
+ groupadd -g 17 audio3
+ groupadd -g 18 dialout3
+ groupadd -g 32 uucp3
+ groupadd -g 63 audio4
+ groupadd -g 490 dialout4
+ groupadd -g 492 audio5
+ groupadd -g 997 gpio
+ adduser openhab audio
Adding user `openhab' to group `audio' ...
Done.
+ adduser openhab audio2
Adding user `openhab' to group `audio2' ...
Done.
+ adduser openhab audio3
Adding user `openhab' to group `audio3' ...
Done.
+ adduser openhab audio4
Adding user `openhab' to group `audio4' ...
Done.
+ adduser openhab audio5
Adding user `openhab' to group `audio5' ...
Done.
+ adduser openhab dialout
Adding user `openhab' to group `dialout' ...
Done.
+ adduser openhab dialout2
Adding user `openhab' to group `dialout2' ...
Done.
+ adduser openhab dialout3
Adding user `openhab' to group `dialout3' ...
Done.
+ adduser openhab dialout4
Adding user `openhab' to group `dialout4' ...
Done.
+ adduser openhab gpio
Adding user `openhab' to group `gpio' ...
Done.
+ adduser openhab uucp
Adding user `openhab' to group `uucp' ...
Done.
+ adduser openhab uucp2
Adding user `openhab' to group `uucp2' ...
Done.
+ adduser openhab uucp3
Adding user `openhab' to group `uucp3' ...
Done.
+ initialize_volume /openhab/conf /openhab/dist/conf
+ volume=/openhab/conf
+ source=/openhab/dist/conf
++ ls -A /openhab/conf
+ '[' -z 'automation
ssh' ']'
+ initialize_volume /openhab/userdata /openhab/dist/userdata
+ volume=/openhab/userdata
+ source=/openhab/dist/userdata
++ ls -A /openhab/userdata
+ '[' -z 'cache
config
etc
jsondb
logs
secrets
tmp' ']'
++ cmp /openhab/userdata/etc/version.properties /openhab/dist/userdata/etc/version.properties
+ '[' '!' -z ']'
+ chown -R openhab:openhab /openhab
+ sync
+ '[' -d /etc/cont-init.d ']'
+ sync
+ '[' false == false ']'
++ IFS=' '
++ echo gosu openhab tini -s ./start.sh
+ '[' 'gosu openhab tini -s ./start.sh' == 'gosu openhab tini -s ./start.sh' ']'
+ command=($@ server)
+ exec gosu openhab tini -s ./start.sh server
Launching the openHAB runtime...

Launching it without sudo does not work; is that normal? @rlkoshak do you always launch it with sudo?

docker run \
        --name openhab \
        --net=host \
        -v /etc/localtime:/etc/localtime:ro \
        -v /usr/share/zoneinfo/Europe/Rome:/etc/timezone:ro \
        -v /opt/openhab/conf:/openhab/conf \
        -v /opt/openhab/userdata:/openhab/userdata \
        -v /opt/openhab/addons:/openhab/addons \
        -e USER_ID=9001 \
        -e GROUP_ID=9001 \
        -e CRYPTO_POLICY=unlimited \
        openhab/openhab:4.3.0-debian
docker: permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Head "http://%2Fvar%2Frun%2Fdocker.sock/_ping": dial unix /var/run/docker.sock: connect: permission denied.
See 'docker run --help'.

Note the docker docs Post-installation steps | Docker Docs
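The Post-installation steps linked above tell you to add your user to the docker group so the CLI can reach /var/run/docker.sock without sudo. Worth knowing before doing that: anyone who can write to that socket can ask the root-owned daemon to start a privileged container with the host filesystem bind-mounted, so docker-group membership is effectively a root grant on the host, which is one reason people move to rootless Podman as this thread is doing. The check below evaluates the socket's owner, group and mode against a user's group list the same way the kernel's permission check does, so you can see which change (group membership, or a permissive mode someone set on the socket) is what opens the door. It is an added example, not code from the thread or from the Docker docs; the sample owner/group/mode values are constructed to match a stock install (root:docker, mode 0660), and `live_check` is my wrapper that feeds real `stat` and `id` output into the same function.

```shell
#!/bin/sh
# Added example, not from the thread: decide whether a user can connect to the
# Docker daemon's unix socket from the socket's owner, group and mode.
# connect() on a unix socket requires write permission on the socket file,
# so the write bit of the applicable owner/group/other triad is what matters.

# in_list NEEDLE WORD... : true if NEEDLE is one of the WORDs.
in_list() {
    needle=$1; shift
    for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
    return 1
}

# can_connect OWNER GROUP OCTAL_MODE USER GROUP... : prints "yes" or "no" and
# returns 0/1. GROUP... is the user's group list as printed by `id -nG`.
can_connect() {
    owner=$1 group=$2 mode=$3 user=$4
    shift 4
    bits=$((0$mode))                       # leading 0 makes the shell parse octal
    if [ "$user" = "$owner" ]; then
        triad=$(( (bits >> 6) & 7 ))       # owner rwx
    elif in_list "$group" "$@"; then
        triad=$(( (bits >> 3) & 7 ))       # group rwx
    else
        triad=$(( bits & 7 ))              # other rwx
    fi
    if [ $((triad & 2)) -ne 0 ]; then echo yes; return 0; fi
    echo no
    return 1
}

# live_check: run the same decision against the real socket for the current
# user (assumes GNU stat and the default socket path; not exercised below).
live_check() {
    sock=${1:-/var/run/docker.sock}
    set -- $(stat -c '%U %G %a' "$sock") "$(id -un)" $(id -nG)
    can_connect "$@"
}

# Constructed scenarios: stock root:docker 0660 socket, and a misconfigured
# world-writable one. A "yes" for a non-root user means that user is root-
# equivalent on the host, because the daemon itself runs as root.
echo "stock socket, user in wheel only:    $(can_connect root docker 660 user user wheel)"
echo "stock socket, user added to docker:  $(can_connect root docker 660 user user docker)"
echo "socket chmod 666 (anyone can connect): $(can_connect root root 666 user user)"
```

On a real host, `live_check` (or `stat -c '%U:%G %a' /var/run/docker.sock` plus `id -nG` by hand) tells you which of the two grants applies; a group grant is the documented way in, a mode of 666 is a misconfiguration to fix. Neither applies to rootless Podman, where there is no root daemon socket to protect in the first place.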

We have also been trying to move from docker to podman, mainly to have better IPv6 handling in preparation for Matter, and these issues are a problem.

It is possible to start openhab using podman with no problem, even using Quadlets, but there is an issue with directory permissions. Even if the directories are created prior to starting the container, there are permission problems. Even declaring USER_ID and GROUP_ID in the environment, the container still changes the ownership of the conf, userdata and addons directories to 999, which in the case of podman translates to 100999 on the host machine. That does not happen with docker, docker compose, or any composer environment (portainer, yacht, dockge, etc.). Any ideas as to why that happens?
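The permission errors seen in this thread (the failed `cp` into /openhab/userdata with USER_ID=972, the failed `chown -R` with 9001, and the host-side ownership of roughly 100999 described in the post above) are all what a rootless Podman user namespace produces, and the example below shows the arithmetic. Root inside a rootless container is the unprivileged host user; every other container UID is taken from that user's /etc/subuid range, so container UID n (n >= 1) lands on host UID start + n - 1. A directory the host root has chowned to 972 or 9001 is therefore owned by a UID that is not mapped into the namespace at all: container root sees it as the overflow user nobody and can neither write to it nor chown it, while `sudo -u openhab touch` on the host succeeds because it never enters that namespace. Docker behaves differently because its daemon runs the entrypoint as real root with no UID remapping, so the entrypoint's chown always succeeds there. The script is an added example, not code from the thread or from the openHAB image; the uid_map it embeds is constructed to match a host user with UID 1000 and a typical `user:100000:65536` subuid entry, and the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or the openHAB image: map UIDs across
# a rootless Podman user namespace and predict whether the entrypoint's
# "chown -R openhab:openhab /openhab" can succeed on a bind-mounted directory.

# Constructed map in the format of `podman unshare cat /proc/self/uid_map`,
# for a host user with UID 1000 whose /etc/subuid entry is user:100000:65536.
# Columns: <first container uid> <first host uid> <count>.
UID_MAP='0 1000 1
1 100000 65536'

# host_uid CONTAINER_UID [MAP]: host UID behind a container UID, or "unmapped".
host_uid() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v c="$1" '
        NF == 3 && c >= $1 && c < $1 + $3 { print $2 + c - $1; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# container_uid HOST_UID [MAP]: container UID a host UID appears as, or
# "unmapped" (an unmapped owner is shown as the overflow user "nobody" inside).
container_uid() {
    printf '%s\n' "${2:-$UID_MAP}" | awk -v h="$1" '
        NF == 3 && h >= $2 && h < $2 + $3 { print $1 + h - $2; found = 1; exit }
        END { if (!found) print "unmapped" }'
}

# chown_check HOST_OWNER_UID TARGET_CONTAINER_UID [MAP]: can root inside the
# container chown a file with that host owner to that container UID?
# The kernel needs the current owner to be mapped (otherwise container root has
# no capability over the inode, EPERM) and the target to be mapped (EINVAL).
# Prints "ok" or "denied", followed by the reason.
chown_check() {
    owner_inside=$(container_uid "$1" "${3:-$UID_MAP}")
    target_on_host=$(host_uid "$2" "${3:-$UID_MAP}")
    if [ "$owner_inside" = unmapped ]; then
        echo "denied: host owner $1 is not mapped into the namespace, container root has no privilege over it (EPERM)"
    elif [ "$target_on_host" = unmapped ]; then
        echo "denied: container uid $2 has no host uid to chown to (EINVAL)"
    else
        echo "ok: chown to container uid $2 makes the host owner $target_on_host"
    fi
}

# Demonstration with the setups from the thread.
echo "container uid 972  -> host uid $(host_uid 972)"
echo "container uid 9001 -> host uid $(host_uid 9001)"
echo "host uid 9001 (after sudo chown on /opt/openhab) -> container uid $(container_uid 9001)"
echo "dir owned by host 972,  target 972:  $(chown_check 972 972)"
echo "dir owned by host 9001, target 9001: $(chown_check 9001 9001)"
echo "dir owned by host 1000, target 9001: $(chown_check 1000 9001)"
```

On a real host, `podman unshare cat /proc/self/uid_map` prints the actual map to feed into these functions, and `podman inspect --format '{{.Config.Env}}' openhab` confirms that USER_ID and GROUP_ID reached the container. Two fixes follow from the arithmetic: run `podman unshare chown -R 9001:9001 /opt/openhab` on the host so the directories end up owned by the host UID that container UID 9001 maps to (109000 with this map), or append `:U` to each `-v` so Podman performs that chown itself at start. Newer Podman also accepts `--userns=keep-id:uid=9001,gid=9001`, which maps the invoking host user onto container UID 9001 instead of remapping it to the subuid range.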

Not really but it sounds like something that’s unique to the way podman works so asking on a podman forum might get you better help. We only officially support OH in Docker and have very limited expertise in Podman.

1 Like

Thank you. I will look for a podman forum and post the question there to see if anyone has any idea and if they provide any guidance I will post back here.

I did a bit more troubleshooting and it seems I identified the issue. I am still unsure why it does not happen in docker and only podman.

The problem happens in the entrypoint file in the line:

sed -i 's/^crypto.policy=limited/crypto.policy=unlimited/' "${JAVA_HOME}/conf/security/java.security"

Podman fails by saying it cannot create the temporary file for the inline modification in the $JAVA_HOME path. I will try when I have the time to add -t to the sed command with a globally writable directory within the debian image and post the results later. That, if it works, should allow the same entrypoint for both docker and podman.