Good afternoon,
I had to migrated my docker volumes to a new host (well, same host, reinstalled host OS). I had made tar backup of my compose directory, which had all the docker volumes within.

I reinstalled the host OS (Fedora 42), reinstalled docker, and now for the life of me, I can’t get any of the containers to run. I’m using the same compose.yaml file, all the same directories, but I’m getting all sorts of permissions issues that I can’t seem to resolve.

For instance, with Plex:

tmorgenthaler@hal:/compose$ sudo docker compose up plex
[sudo] password for tmorgenthaler: 
Attaching to plex
plex  | [migrations] started
plex  | [migrations] no migrations found
plex  | usermod: no changes
plex  | ───────────────────────────────────────
plex  | 
plex  |       ██╗     ███████╗██╗ ██████╗
plex  |       ██║     ██╔════╝██║██╔═══██╗
plex  |       ██║     ███████╗██║██║   ██║
plex  |       ██║     ╚════██║██║██║   ██║
plex  |       ███████╗███████║██║╚██████╔╝
plex  |       ╚══════╝╚══════╝╚═╝ ╚═════╝
plex  | 
plex  |    Brought to you by linuxserver.io
plex  | ───────────────────────────────────────
plex  | 
plex  | To support LSIO projects visit:
plex  | https://www.linuxserver.io/donate/
plex  | 
plex  | ───────────────────────────────────────
plex  | GID/UID
plex  | ───────────────────────────────────────
plex  | 
plex  | User UID:    1000
plex  | User GID:    1000
plex  | ───────────────────────────────────────
plex  | Linuxserver.io version: 1.41.9.9961-46083195d-ls275
plex  | Build-date: 2025-07-28T09:35:39+00:00
plex  | ───────────────────────────────────────
plex  |     
plex  | /usr/bin/find: ‘/config/*’: No such file or directory
plex  | **** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
plex  | **** The app may not work properly and we will not provide support for it. ****
plex  | Temporarily starting Plex Media Server.
plex  | Waiting for Plex to generate its config
plex  | PMS: failure detected. Read/write access is required for path: /config/Library/Application Support/Plex Media Server

Here is the the portion of the compose.yml file for Plex.

  plex:
    image: lscr.io/linuxserver/plex:latest
    container_name: plex
    network_mode: host
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - VERSION=docker
      - PLEX_CLAIM= "claim-REDACTED"
    volumes:
      - ./plex/library:/config:rw
      - ./plex/transcode:/transcode:rw
      - /mnt/unas:/media
    devices:
      - /dev/dri:/dev/dri
    restart: unless-stopped

and the directory that the volumes point to:

tmorgenthaler@hal:/compose/plex$ pwd
/compose/plex
tmorgenthaler@hal:/compose/plex$ ls -al
total 0
drwxrwxrwx. 1 tmorgenthaler tmorgenthaler 32 Apr 23 10:11 .
drwxrwxrwx. 1 tmorgenthaler tmorgenthaler 356 Jul 31 15:18 ..
drwxrwxrwx. 1 tmorgenthaler tmorgenthaler 14 May 29 11:48 library
drwxrwxrwx. 1 tmorgenthaler tmorgenthaler 18 May 29 10:58 transcode

Any ideas?

[mod update: claim token redacted]

Could be file or selinux permissions issues.

I don’t have SE linux enabled, and I’ve changed the ownership and permissions to my own username and 777, running as su. I think there may be some permission issue within the container, but I’m unsure how to troubleshoot that.

Just to get it right: you suspect permission issues that origin inside the container?

It should work,

• if the host files/folders have the right ownership, and no selinux, apparmor, or acls add an extra security layer on top than of the unix file permission,
• and you installed docker-ce according to the installation instructions,
• and this is the actual compose file you use (no cap_drop: ALL).

You are using binds, which determine the inode of the source folder, and mount the inode into the target container folder. There is no magic in-between. It pretty much does what mount --bind /src /target does.

If you’d be using Ubuntu, I would have said "uninstall the snap package and use docker-ce from the repos

I supsect permission issues inside the container, because of the “permissions could not be set” I’m seeing in the Plex instance.

Another container I use, called reactor, is throwing nothing but EACCESS: permission denied errors:

reactor  | Error: EACCES: permission denied, open '/var/reactor/logs/reactor.log'
reactor  |     at Object.openSync (node:fs:561:18)
reactor  |     at FileLogStream.reopen (/opt/reactor/server/lib/Logger.js:312:45)
reactor  |     at new FileLogStream (/opt/reactor/server/lib/Logger.js:303:102)
reactor  |     at Logger.addStream (/opt/reactor/server/lib/Logger.js:692:39)
reactor  |     at Logger._configure_streams (/opt/reactor/server/lib/Logger.js:723:39)
reactor  |     at new Logger (/opt/reactor/server/lib/Logger.js:411:44)
reactor  |     at Logger.getLogger (/opt/reactor/server/lib/Logger.js:431:43)
reactor  |     at Logger.getDefaultLogger (/opt/reactor/server/lib/Logger.js:444:39)
reactor  |     at Object.<anonymous> (/opt/reactor/server/lib/Logger.js:727:543)
reactor  |     at Module._compile (node:internal/modules/cjs/loader:1565:14) {
reactor  |   errno: -13,
reactor  |   code: 'EACCES',
reactor  |   syscall: 'open',
reactor  |   path: '/var/reactor/logs/reactor.log'
reactor  | }

Please confirm that the points I made in “it should work” are followed.

Furthermore, please share the output of these commands run as root:

docker info
id tmorgenthaler 
stat /compose
mount | grep /compose
sestatus
getfacl /compose
apparmor_status

If the last two commands are not found, then neither acl, nor apparmor is installed, and can be ruled out as cause.

You were right initially. Turns out SELinux was the culprit. I don’t remember having to turn it off previously, but maybe I did. In any case, all my containers are back up. I should have just checked sestatus from the start. Lesson learned

Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.