Storage error EACCES (Permission denied @ dir_s_mkdir - /rails/storage/)

[amitash]

Describe the bug

Using latest docker guide from https://github.com/maybe-finance/maybe/blob/main/docs/hosting/docker.md

I, [2024-06-30T07:21:37.383525 #1]  INFO -- : [cb798867-f05a-4afa-a44c-d1818bf41dc3] Started GET "/settings/profile" for 185.107.13.6 at 2024-06-30 07:21:37 +0000
I, [2024-06-30T07:21:37.384342 #1]  INFO -- : [cb798867-f05a-4afa-a44c-d1818bf41dc3] Processing by Settings::ProfilesController#show as HTML
I, [2024-06-30T07:21:37.399046 #1]  INFO -- : [cb798867-f05a-4afa-a44c-d1818bf41dc3]   Rendered layout layouts/with_sidebar.html.erb (Duration: 12.5ms | GC: 0.0ms)
I, [2024-06-30T07:21:37.407762 #1]  INFO -- : [cb798867-f05a-4afa-a44c-d1818bf41dc3] Completed 200 OK in 23ms (Views: 11.6ms | ActiveRecord: 6.7ms (5 queries, 0 cached) | GC: 0.0ms)
I, [2024-06-30T07:22:05.812034 #1]  INFO -- : [d0123ac9-b698-40ee-b2b4-86965a78a159] Started PATCH "/settings/profile" for 185.107.13.6 at 2024-06-30 07:22:05 +0000
I, [2024-06-30T07:22:05.813086 #1]  INFO -- : [d0123ac9-b698-40ee-b2b4-86965a78a159] Processing by Settings::ProfilesController#update as TURBO_STREAM
I, [2024-06-30T07:22:05.813169 #1]  INFO -- : [d0123ac9-b698-40ee-b2b4-86965a78a159]   Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"profile_image"=>#<ActionDispatch::Http::UploadedFile:0x00007f15ae6b82b0 @tempfile=#<Tempfile:/tmp/RackMultipart20240630-1-uxnak.jpg>, @content_type="image/jpeg", @original_filename="image.jpg", @headers="Content-Disposition: form-data; name=\"user[profile_image]\"; filename=\"image.jpg\"\r\nContent-Type: image/jpeg\r\n">, "delete_profile_image"=>"false", "first_name"=>"FIRST NAME", "last_name"=>"LAST NAME"}, "commit"=>"Save"}
I, [2024-06-30T07:22:05.839707 #1]  INFO -- : [d0123ac9-b698-40ee-b2b4-86965a78a159]   Disk Storage (0.3ms) Uploaded file to key: 16evp3z8gjks6baxg5xcdstkfa3b (checksum: cL7tbKyS32xtumwXeWWevw==)
I, [2024-06-30T07:22:05.840003 #1]  INFO -- : [d0123ac9-b698-40ee-b2b4-86965a78a159] Completed 500 Internal Server Error in 27ms (ActiveRecord: 13.6ms (7 queries, 0 cached) | GC: 0.0ms)
E, [2024-06-30T07:22:05.841137 #1] ERROR -- : [d0123ac9-b698-40ee-b2b4-86965a78a159]
[d0123ac9-b698-40ee-b2b4-86965a78a159] Errno::EACCES (Permission denied @ dir_s_mkdir - /rails/storage/16):
[d0123ac9-b698-40ee-b2b4-86965a78a159]
[d0123ac9-b698-40ee-b2b4-86965a78a159] app/controllers/settings/profiles_controller.rb:17:in `update'

To Reproduce
Steps to reproduce the behavior:

1. Go to Account
2. In the Profile section, Click on Choose button to select a picture to upload
3. Click save
4. See error in docker container logs maybe -f

Expected behavior
Picture should upload successfully

Additional context
This also happens when uploading picture for financial institution.

[NOnooSS]

Same error for me loading a picture.

[hkamran80]

I had to change the permissions of the storage directory to be owned by my user rather than root using sudo chown user:user storage and chmod +rw storage.

[zachgoll]

Can someone confirm if adding the following to your Docker compose file solves the issue?

diff --git a/docker-compose.example.yml b/docker-compose.example.yml
index cbd5232..9b0fa88 100644
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -37,6 +37,9 @@ services:
     ports:
       - 3000:3000
 
+    command: >
+      sh -c "chown -R rails:rails /rails/storage && ./bin/rails server"
+
     restart: unless-stopped
 
     environment:

[amitash]

sh -c "chown -R rails:rails /rails/storage && ./bin/rails server"

With this, the container fails to start with the following error.

chown: changing ownership of '/rails/storage': Operation not permitted

This probably needs to be done as sudo from the Dockerfile.

[hkamran80]

I think it would be better if it was added to the Dockerfile instead of a Compose command.

If the USER command is moved above this RUN command, would that fix the problem?

maybe/Dockerfile

Lines 53 to 57 in 0593d8f

	# Run and own only the runtime files as a non-root user for security
	RUN groupadd --system --gid 1000 rails && \
	useradd rails --uid 1000 --gid 1000 --create-home --shell /bin/bash && \
	chown -R rails:rails db log storage tmp
	USER 1000:1000

[zachgoll]

@amitash thanks for confirming! Could you try the solution I've posted below?

@hkamran80 I'm thinking that instead of altering the Dockerfile, we may be better off just using a named volume rather than a bind mount (which is dependent on the host machine's directory structure/permissions):

diff --git a/docker-compose.example.yml b/docker-compose.example.yml
index cbd5232..ad5220b 100644
--- a/docker-compose.example.yml
+++ b/docker-compose.example.yml
@@ -32,7 +32,7 @@ services:
     image: ghcr.io/maybe-finance/maybe:latest
 
     volumes:
-      - ./storage:/rails/storage
+      - app-storage:/rails/storage
 
     ports:
       - 3000:3000
@@ -70,4 +70,5 @@ services:
       retries: 5
 
 volumes:
+  app-storage:
   postgres-data:

[hkamran80]

@zachgoll That's a good idea. That should fix the issues.

[amitash]

@zachgoll indeed, it fixes the issue.

[zachgoll]

@amitash going to reopen this mainly as a reminder so I remember to update the docker-compose.example.yml file with this new config