Permissions on the userdata dir

I may have chown’d my userdata dir, and now I’m noticing:

java.io.FileNotFoundException: /openhab/userdata/cache/org.eclipse.osgi/10/data/state.json (Permission denied)

On a bunch of places.

What should it be set to? I’m using docker and have the user set to environment:
- USER_ID=1001
Which I think is the id of my main user.

The files need to be owned by, and readable/writable for, whatever user openHAB is running as.

I recommend that if you are going to be running with just plain old Docker, you should create an openhab user on your host with limited permissions (e.g. no login shell) and pass that UID to the container. Just because we are running in a container doesn’t negate the best practice that services should run under separate and limited accounts.

I did work it out. The user being passed in was the wrong id. I need to figure out the group though. That’s not set so it’s choosing something random.

The container uses 9001 as the user and group ID. If you are seeing a name for the group instead of just the number when you ls -l, that means that you already have a group with the GID of 9001 on your host. In order to keep the file permissions sane, I strongly recommend creating an openhab user on the host and pass both the UID and GID of that user to the container using the environment variables. That way the file permissions you see on the host will match those in the container.

I know in the ENV that USER= is for the user; is GROUP the other one? I used to make an openhab user on machines, I should do that again. But it's also handy if it's owned by me, as it makes committing to git easier.

Actually the env is USER_ID. Group is GROUP_ID.

https://hub.docker.com/r/openhab/openhab/#user-and-group-identifiers
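As an added example (not the openHAB project's code and not from any poster in this thread), here is a small POSIX shell script that ties the advice above together: it builds the `docker run` line that passes a dedicated host user's UID and GID in via the USER_ID and GROUP_ID variables from the linked docs, and it audits a mounted userdata tree for files not owned by that pair, which is the condition behind the "Permission denied" error. It assumes a GNU or BSD `find` that understands `-uid`/`-gid`, and that the image's entrypoint honours USER_ID/GROUP_ID as documented; the host user name `openhab` and the path `/opt/openhab` are placeholders.

```shell
#!/bin/sh
# Added example; not from the openHAB image or this thread's authors.
# Assumes: POSIX sh, find(1) with -uid/-gid (GNU or BSD), and an image
# whose entrypoint applies USER_ID/GROUP_ID as described on Docker Hub.

# Print (do not run) the docker invocation that passes the host user's
# numeric UID and GID into the container, so that ownership seen on the
# host matches what the process inside the container expects.
# Usage: openhab_run_cmd <host-user> <host-dir-holding-conf-userdata-addons>
openhab_run_cmd() {
    user="$1"; base="$2"
    uid=$(id -u "$user") || return 1     # fails if the user does not exist
    gid=$(id -g "$user") || return 1
    printf 'docker run -d --name openhab -e USER_ID=%s -e GROUP_ID=%s' "$uid" "$gid"
    printf ' -v %s/conf:/openhab/conf -v %s/userdata:/openhab/userdata' "$base" "$base"
    printf ' -v %s/addons:/openhab/addons openhab/openhab\n' "$base"
}

# List every path under DIR whose owner is not UID or whose group is not GID.
# Returns 0 when the whole tree matches, 1 when mismatches were printed.
# Run this after a chown (or after an accidental one) to confirm the state
# the entrypoint will see before starting the container again.
# Usage: check_owner <dir> <uid> <gid>
check_owner() {
    dir="$1"; uid="$2"; gid="$3"
    bad=$(find "$dir" \( ! -uid "$uid" -o ! -gid "$gid" \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# Repair ownership of the tree to UID:GID (needs root or ownership of the files).
# Usage: fix_owner <dir> <uid> <gid>
fix_owner() {
    chown -R "$2:$3" "$1"
}

# Typical use on the host, with the placeholder user and path:
#   openhab_run_cmd openhab /opt/openhab
#   check_owner /opt/openhab/userdata "$(id -u openhab)" "$(id -g openhab)" \
#       || fix_owner /opt/openhab/userdata "$(id -u openhab)" "$(id -g openhab)"
```

The run command is only printed so it can be reviewed before use; `check_owner` is the part worth keeping around, since it shows exactly which paths (for instance a stray `cache/.../state.json`) would still trip the container's user.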

Yeah, I thought I read there was another USER param built in to Docker. I'd used it for something else and it is actually doing the job. But I'll switch to the ones that openHAB understands.

From Docker’s docs:

USER

root (id = 0) is the default user within a container. The image developer can create additional users. Those users are accessible by name. When passing a numeric ID, the user does not have to exist in the container.

The developer can set a default user to run the first process with the Dockerfile USER instruction. When starting a container, the operator can override the USER instruction by passing the -u option.

-u="", --user="": Sets the username or UID used and optionally the groupname or GID for the specified command.

The following examples are all valid:
--user=[ user | user:group | uid | uid:gid | user:gid | uid:group ]

Note: if you pass a numeric uid, it must be in the range of 0-2147483647.

But that presupposes that the entry point script in the container doesn’t switch to another user from root when the container starts up. The openHAB image’s entry point script does change from root to user 9001.

So, in this case if you use the --user option, that only changes the user who starts the entrypoint script. Then the entrypoint script changes to user 9001 and you've not accomplished anything.

Every Docker Image provider has a different method for controlling the user that the service inside the container runs under. You must read and understand the readme from github or dockerhub to understand what this means to you and how to make it work how you want.

Personally, I really like how PostgreSQL does it, having you mount your /etc/passwd file into the container.