This repository has been archived by the owner on Nov 25, 2022. It is now read-only.

Permission denied for /config/openvpn #113

Open
Jannomag opened this issue Jan 10, 2022 · 2 comments
@Jannomag

Information

Whenever I try to run it on Ubuntu 20.04.3 (amd64), the container logs say the following:

2022-01-10 20:31:32 cd to '/config/openvpn' failed: Permission denied (errno=13)
2022-01-10 20:31:32 Exiting due to fatal error

The /config/openvpn directory is set to 700 and owned by the correct user with the id 1000.

Current setup

Ubuntu Server 20.04.3 on an amd64 machine.

Latest docker image.

docker-compose.yml file or docker run command


docker run --cap-add=NET_ADMIN -d \
              --name alpine-qbittorrent-openvpn \
              -v /pladde/Downloads:/downloads \
              -v /pladde/Downloads/qbittorrent:/config \
              -v /etc/localtime:/etc/localtime:ro \
              -e OPENVPN_PROVIDER=WINDSCRIBE \
              -e OPENVPN_CONFIG=Copenhagen-LEGO-tcp \
              -e OPENVPN_USERNAME=USER \
              -e OPENVPN_PASSWORD=PASS \
              -e PUID=1000 \
              -e PGID=1000 \
              -e LAN=192.168.1.0/24 \
              -p 8080:8080 \
              guillaumedsde/alpine-qbittorrent-openvpn:latest

Attempted Fix(es)

I tried to chmod the /config/openvpn (/pladde/qbittorrent/openvpn) directory to 770 or even 777.
After every restart of the docker container it's back to 700.

I created a directory for vuetorrent inside /config/openvpn and this won't get touched at all.

When I remove the whole /config/openvpn directory and restart the container, the directory permissions are set to 755 owned by root:root.
But as soon as I restart the container again, it's back to 700, owned by my local user and group, and it stops working.

I absolutely can't determine what causes this.

@Jannomag

(Temporary) fix:
I run this container as a systemd service with this .service file:


[Unit]
Description=guillaumedsde/alpine-qbittorrent-openvpn docker container
After=docker.service
Requires=docker.service

[Service]
User=USER
Group=USER
Type=simple
TimeoutStartSec=0
ExecStartPre=-/usr/bin/docker kill alpine-qbittorrent-openvpn
ExecStartPre=-/usr/bin/docker rm alpine-qbittorrent-openvpn
ExecStartPre=/usr/bin/docker pull guillaumedsde/alpine-qbittorrent-openvpn
ExecStart=/usr/bin/docker run \
        --name alpine-qbittorrent-openvpn \
        --cap-add=NET_ADMIN -d \
        -v /pladde/Downloads:/downloads \
        -v /pladde/Downloads/qbittorrent:/config:rw \
        -v /etc/localtime:/etc/localtime:ro \
        -e OPENVPN_PROVIDER=WINDSCRIBE \
        -e OPENVPN_CONFIG=Copenhagen-LEGO-tcp \
        -e OPENVPN_USERNAME=USER \
        -e OPENVPN_PASSWORD=PASS \
        -e LAN=192.168.1.0/24 \
        -p 8080:8080 \
        -e PUID=1000 \
        -e GUID=1000 \
        guillaumedsde/alpine-qbittorrent-openvpn
ExecStartPost=/bin/sleep 5
ExecStartPost=/usr/bin/docker exec -d alpine-qbittorrent-openvpn chmod -R 755 /config
ExecStop=/usr/bin/docker kill alpine-qbittorrent-openvpn
ExecStopPost=-/usr/bin/docker rm alpine-qbittorrent-openvpn
RemainAfterExit=yes
Restart=always
RestartSec=5

[Install]
WantedBy=multi-user.target

By using

ExecStartPost=/bin/sleep 5
ExecStartPost=/usr/bin/docker exec -d alpine-qbittorrent-openvpn chmod -R 755 /config

I set the correct permissions after a 5 second wait, which is needed to wait for the container to be started completely.

This works well but it's just a workaround.

@ndizazzo

ndizazzo commented Nov 1, 2022

I have this issue too. For me, it seems like the openvpn/ directory isn't getting PGID and PUID applied, even though those are being specified as environment variables for the image:

drwx------ 1 systemd-network systemd-journal  46 Oct 31 20:54 openvpn
drwx------ 1 myuser         mygroup            0 Oct 31 20:54 qBittorrent
drwxrwxr-x 1 myuser         mygroup           36 Oct 31 20:54 .
drwxrwxrwx 1 myuser         mygroup          264 Oct 31 03:39 ..
computer1% sudo cat /etc/group | grep systemd
systemd-journal:x:101:
systemd-network:x:102:
systemd-resolve:x:103:
systemd-timesync:x:106:
computer1% sudo cat /etc/passwd | grep systemd
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:103:106:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin

So IIUC, the default UID (100) and GID (101) inside the container are still being applied to openvpn/.
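The two reports above come down to one question: does the uid/gid that runs OpenVPN hold the search (x) bit on the directory it tries to `cd` into? The following check is an added example, not part of the thread or of the image's own scripts; the function names `can_traverse` and `report` are hypothetical, it relies on `stat -c` (GNU coreutils or BusyBox), and it models only the owner/group/other mode bits.

```shell
#!/bin/sh
# Added example (not project code). Root, capabilities, supplementary groups
# and ACLs are deliberately not modelled.

# can_traverse DIR UID GID -> exit 0 if that uid/gid holds the search (x) bit on DIR
can_traverse() {
    dir=$1; uid=$2; gid=$3
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    owner=$1; group=$2
    mode="000$3"                          # pad, then keep the last three octal digits
    mode=${mode#"${mode%???}"}
    if [ "$uid" -eq "$owner" ]; then
        digit=${mode%??}                  # owner class applies
    elif [ "$gid" -eq "$group" ]; then
        digit=${mode#?}; digit=${digit%?} # group class applies
    else
        digit=${mode#??}                  # other class applies
    fi
    [ $((digit % 2)) -eq 1 ]              # x is the lowest bit of the class digit
}

# report DIR UID GID -> prints one line with the verdict and the current owner/mode
report() {
    if can_traverse "$1" "$2" "$3"; then verdict="can enter"; else verdict="EACCES on cd"; fi
    printf '%s: uid=%s gid=%s -> %s (%s)\n' \
        "$1" "$2" "$3" "$verdict" "$(stat -c '%U:%G %a' "$1")"
}

# Constructed demo: a 700 directory owned by the caller, probed as the owner
# and as a different uid/gid (the situation described in this issue).
demo=$(mktemp -d)
chmod 700 "$demo"
report "$demo" "$(id -u)" "$(id -g)"
report "$demo" "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))"
rm -rf "$demo"
```

Running `report /pladde/Downloads/qbittorrent/openvpn 1000 1000` on the host shows whether the PUID/PGID process is locked out by ownership rather than by mode; if so, correcting the owner of that one directory keeps it at 700 instead of opening all of /config with `chmod -R 755`.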
