Docker Docs Outdated: Permission denied on '.signing.key'

[kenodressel]

Description

When using the docker documentation to run new a matrix server on v1.99.0 it fails with [Errno 13] Permission denied: '/data/localhost.signing.key'

This is because of the changes in 10ada2f which adjusts the file permissions to 0640 instead of the previous 0644 which in itself is a great change but leaves this documentation broken. The docker container runs with a UID and GID of 991 but the generate steps run as root, therefore neither the group nor the user sufficiently overlaps with the generated files permissions.

The fix is to adjust the permissions of the volume / folder before generating the files and to use the right user when generating the files (eg. -u 991:991). Or another simple fix is to run chown -R 991:991 ./your-data-dir after the files have been generated.

This should be noted somewhere in the documentation.

Steps to reproduce

docker run -it --rm \
    --mount type=volume,src=synapse-data,dst=/data \
    -e SYNAPSE_SERVER_NAME=my.matrix.host \
    -e SYNAPSE_REPORT_STATS=yes \
    matrixdotorg/synapse:latest generate

docker run -d --name synapse \
    --mount type=volume,src=synapse-data,dst=/data \
    -p 8008:8008 \
    matrixdotorg/synapse:latest

Homeserver

Synapse Version

v1.99.0

Installation Method

Docker (matrixdotorg/synapse)

Database

SQLite

Workers

Single process

Platform

Arch

Configuration

No response

Relevant log output

$ docker run -it --rm \
    --mount type=volume,src=synapse-data,dst=/data \
    -e SYNAPSE_SERVER_NAME=my.matrix.host \
    -e SYNAPSE_REPORT_STATS=yes \
    matrixdotorg/synapse:latest generate
Setting ownership on /data to 991:991
Creating log config /data/my.matrix.host.log.config
Generating config file /data/homeserver.yaml
Generating signing key file /data/my.matrix.host.signing.key
A config file has been generated in '/data/homeserver.yaml' for server name 'my.matrix.host'. Please review this file and customise it to your needs.

$ docker run --name synapse \ 
    --mount type=volume,src=synapse-data,dst=/data \
    -p 8008:8008 \
    matrixdotorg/synapse:latest
Starting synapse with args -m synapse.app.homeserver --config-path /data/homeserver.yaml

Error in configuration at 'signing_key':
  Error accessing file '/data/my.matrix.host.signing.key':
    [Errno 13] Permission denied: '/data/my.matrix.host.signing.key'

Anything else that would be useful to know?

No response

[lacafjh]

#15202 also has the same issue and can be solved with the solution by kenodressel, but the issue mentioned in #13709 occurred after following the solution.

[0KayKay]

Thank you a lot @kenodressel, this way I finally got my setup to run. It took me longer than I'm willing to admit 😅

[sanjsingh07]

docker run -it --rm \
    --mount type=volume,src=synapse-data,dst=/data \
    -e SYNAPSE_SERVER_NAME=my.matrix.host \
    -e SYNAPSE_REPORT_STATS=yes \
    -u 1000:1001 \
    matrixdotorg/synapse:latest generate

when I tried with -u flag, I'm getting this error:

Traceback (most recent call last):
  File "/start.py", line 284, in <module>
    main(sys.argv, os.environ)
  File "/start.py", line 214, in main
    return run_generate_config(environ, ownership)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/start.py", line 172, in run_generate_config
    convert("/conf/log.config", log_config_file, environ)
  File "/start.py", line 40, in convert
    with open(dst, "w") as outfile:
         ^^^^^^^^^^^^^^
PermissionError: [Errno 13] Permission denied: '/data/my.matrix.host.log.config'

I tried in two different environments i.e. MacOS and Ubuntu (WSL2) and getting same issue in both of them

[fsackur]

Here's the relevant bit of code, as of v1.102.0rc1: https://github.com/element-hq/synapse/blob/v1.102.0rc1/docker/start.py#L202-L208

I got around this by passing UID=0 and GID=0 in the environment (running as root for now).

[alariej]

I've installed Synapse with Docker about 10 times, always without issue. And now I've just spent a day on this, thinking my VM setup was wrong :-( Fixed with sudo chown -R 991:991 /var/lib/docker/volumes/synapse-data. Thanks for the hint!

[aknyzsd]

how to fix the bug with Docker on Windows(qwq)

[p9tnblwko]

how to fix the bug with Docker on Windows(qwq)

docker compose down -v

and then:

docker run --rm -v matrix_synapse_data:/data alpine:latest sh -c "
mkdir -p /data
chown -R 991:991 /data
chmod -R 755 /data
echo 'Permissions set successfully'
"