Permissions: operation not permitted in docker container logs

I am getting multiple operation not permitted errors in my docker container logs, qbittorrent, lidarr, sonarr.

My setup:

proxmox running truenas VM and a debian VM (that is exclusively used for docker)

On the truenas I set up an nfs share using my debian-docker user as the owner of the share, 1000:1000.

On debian - I added my non-root user (debiandocker) to the docker user group and I have mounted the nfs share with fstab. In my docker-compose file I have set bind points for the various directories that the containers need.

This all worked for the setup without many hitches and my whole arr stack works okay.

But there are errors in the logs of many of the containers:

chown: changing ownership of '/config/extended/logs/downloaded': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/tidal': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/failed': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/failed/tidal': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/failed/deezer': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/deezer': Operation not permitted
chown: changing ownership of '/config/extended/logs/downloaded/deezer/75194562': Operation not permitted

Mostly the errors appear to be related to directories that are trying to be created or files that are modified in the normal operation of the containers.

Again the whole stack seems to function as normal right now but it is early days and I love a clean log

and I am getting scared off by this:

**** Permissions could not be set. This is probably because your volume mounts are remote or read-only. ****
**** The app may not work properly and we will not provide support for it. ****

docker version:

Client: Docker Engine - Community
 Version:           28.0.1
 API version:       1.48
 Go version:        go1.23.6
 Git commit:        068a01e
 Built:             Wed Feb 26 10:41:16 2025
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          28.0.1
  API version:      1.48 (minimum version 1.24)
  Go version:       go1.23.6
  Git commit:       bbd0a17
  Built:            Wed Feb 26 10:41:16 2025
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.7.25
  GitCommit:        bcc810d6b9066471b0b6fa75f557a15a1cbf31bb
 runc:
  Version:          1.2.4
  GitCommit:        v1.2.4-0-g6c52b3f
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

debian version:

Distributor ID:	Debian
Description:	Debian GNU/Linux 12 (bookworm)
Release:	12
Codename:	bookworm

things I have tried

  1. in my truenas shell I tried a chown -R 1000:1000 /mnt/place-where-this-is-happening
    this seems to work and clean a log file on a docker stop and then start as it seems to change the permissions for existing files but then when the container creates or modifies something new then the errors reappear

  2. I also have changed permissions in the nfs share in truenas to mapallusers back to the debiandocker user

Things I am not sure about:
I am not sure about group permissions or really how the docker container permissions work

What is the container that you are running? More importantly what is the image from which you ran it? And even more importantly, what is the user in the container that runs the process? does it have the same user ID that the files are owned by?

Where did this come from? From the daemon log or from the container? The daemon should not try to change ownership unless you are using NFS as a volume driver, but you say bind mount. If it is somehow a volume with a custom source path, Docker will copy files from the image to the volume when the container first mounts the empty folder. If it does not have the right to do it, it can fail or possibly give the error message you got. But then you wouldn’t be able to change ownership from the host either.

What is the container that you are running?

  • the container I gave the code from is lidarr, but I am getting the same error in qbittorrent and other ***arr stack containers.

More importantly what is the image from which you ran it?

I installed everything using the yams installer which I had to modify a bit but it pulled the latest images of all the containers at install which was roughly two weeks ago.

And even more importantly, what is the user in the container that runs the process?

Okay so I don’t understand the full implications of this question and don’t have all the knowledge to respond with the correct terms. I know I need to learn more about permissions and I have read documentation and watched youtube videos about permissions, but they are abstract and I don’t fully understand them. Here is what I did for permissions:

My docker runs on a debian VM inside proxmox. Inside the VM I created the non-root user debiandocker - that user is 1000:1000. That user I added to the docker group when I installed docker. That user does fine when I do a docker hello-world command.

My NFS share runs on a truenas scale VM inside proxmox. I added a debiandocker user to that credentials user list, and in the NFS share settings I made that user the “mapalluser” and “mapallgroup”.

When I am in my debian VM I set up the nfs share as a mount in my fstab and that does fine with the debiandocker user. I can access the mount, I can create files and create directories fine.

I did all of this before creating the containers and for the most part the containers all are “working”. So in some sense the permissions are working. The containers are writing and reading fine for a lot of the purposes of the qbittorrent, lidarr, sabnzbd they are doing fine.

BUT I am getting that error when I run:

docker logs (container)

for many of the containers named above.

All of the containers have environment variables set for PUID and PGID set to 1000 in the docker compose.yaml

I guess I don’t really understand why containers are trying to run chown commands, but those commands are failing. It does not seem like reading or writing commands are failing at least looking at the logs.

I don’t really know enough about bind and volume in docker but I can tell you I did not do what this reddit post suggests:

$ docker volume create --driver local \
    --opt type=nfs \
    --opt o=addr=192.168.1.1,rw \
    --opt device=:/path/to/dir \
    foo

Rather if you look at my docker-compose.yaml

for any container you will see a section like this:

> volumes:
>      - /mnt/pathtonfsshare/config:/config
>      - /mnt/pathtonfsshare/date:/data

Some containers have more volumes in the docker-compose but they all have that as the baseline.

So in my thinking since the containers have 1000:1000 and my nfs share is set to that and the containers are pointed to the nfsshare in the volumes section I don’t know why they fail on a chown command.

Thanks for the help and for reading and responding!!!

So now we know what software is inside, but can you share the exact image tag so we can check what and how it runs exactly?

What is yams? Did you mean the “yum” package manager on Red Hat based Linux distributions?
Since I asked about the image, does it mean you used a base image like centos or anything similar and installed everything in it? Since you mentioned env variables and that you couldn’t answer my question about user IDs, I wouldn’t think that you made your own image, so I’m not sure how yum would be relevant here.

So it is true that the containers want to change ownership and not Docker. I can only say more if I know exactly what image you used.

And can you run chown manually from the host?

And have you thought about trying? You can do that with compose as well if you want, but then you would directly share the files with the containers. I’m not sure it would solve your problem, but you could try.

The yams is the yams media server - it is a script that installs a bunch of docker containers at once.

Let’s focus on the qbittorrent because I have been messing with the Lidarr container. Here is what my docker logs qbittorrent kicks out:

Linuxserver.io version: 5.0.4-r0-ls384
Build-date: 2025-03-09T06:52:18+00:00
chown: changing ownership of '/config/qBittorrent/qBittorrent-data.conf': Operation not permitted
chown: changing ownership of '/config/qBittorrent/qBittorrent.conf': Operation not permitted

Yes I can, no problem.

I think I am invested in the way I am doing it now… I suppose I would back up my current VM before trying to mess with that.

Yet another media server which I didn’t know about :) Thanks for the link.

Regarding qBittorrent, how do you mount the config files? do you mount the entire config folder or the files directly?

The exact image name would still be helpful, but based on the logs, I guess it is from LinuxServer.io: https://hub.docker.com/r/linuxserver/qbittorrent

The example mounts a folder, so if you can chown the files from the host, you should be able to do it from the container with the same userid. On the other hand, the message is not permission denied but operation not permitted, which can indicate that the container needs some extra kernel capability. I don’t think I ever needed that, but I didn’t have to work with NFS for a long time with Docker containers. You can still try at least if adding “privileged: true” in compose to the service helps.

It is also possible that you have any security software enabled that blocks the request like SELinux, Apparmor or Seccomp.

thanks so much for your time and energy!!!

this is what my qbittorrent docker-compose.yaml looks like in terms of mounted volumes:

  volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${MEDIA_DIRECTORY}:/data
      - ${INSTALL_DIRECTORY}/config/qbittorrent:/config

so the whole folder is mounted rather than the individual files

Okay yeah, so I picked one of the files in the log that wasn’t working for chown and tried and failed as the user… then I looked up the permissions:

debiandocker@debiandocker:/mnt/yams/config/qbittorrent/qBittorrent$ ls -l
total 37
drwxr-xr-x 2 debiandocker debiandocker    3 Mar 14 20:42 BT_backup
-rw-r--r-- 1 debiandocker debiandocker  195 Mar 14 17:51 categories.json
drwxr-xr-x 2 debiandocker debiandocker    3 Mar  2 09:32 GeoDB
srwx------ 1 debiandocker         3000    0 Mar 17 11:21 ipc-socket
-rw-r--r-- 1 debiandocker         3000    0 Mar 17 11:21 lockfile
drwxr-xr-x 2 debiandocker debiandocker    3 Mar  2 09:32 logs
-rw-r--r-- 1 debiandocker         3000 1109 Mar 17 11:21 qBittorrent.conf
-rw-r--r-- 1 debiandocker         3000  196 Mar 18 20:55 qBittorrent-data.conf
drwxr-xr-x 3 debiandocker debiandocker    5 Mar 17 11:21 rss
-rw-r--r-- 1 debiandocker debiandocker    4 Mar  2 09:32 watched_folders.json
debiandocker@debiandocker:/mnt/yams/config/qbittorrent/qBittorrent$ chown 1000:1000 qBittorrent.conf
chown: changing ownership of 'qBittorrent.conf': Operation not permitted

So yeah something not right related to the group seems off I suppose

got it thanks!

There was a guid setting in yams that I didn’t set correctly.

oh my thanks so much for helping!
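
The ownership check done by hand with `ls -l` in the thread above, written as a script. This is an added example, not part of the original posts: it lists every entry under a bind-mounted directory whose numeric owner or group differs from the PUID/PGID passed to the container. The function names and the script name are hypothetical, and it assumes a `stat` that accepts `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example: compare on-disk numeric ownership with the PUID/PGID
# that the container is configured to use.

# owner_mismatches DIR PUID PGID
# Prints "uid:gid path" for each entry that does not match and returns 1
# if any were found, 0 if the whole tree is consistent.
# (Assumes file names contain no newlines.)
owner_mismatches() {
    dir=$1 want_uid=$2 want_gid=$3
    find "$dir" -exec stat -c '%u:%g %n' {} + |
        awk -v want="$want_uid:$want_gid" '
            $1 != want { print; bad = 1 }
            END { exit bad + 0 }'
}

# owner_summary DIR
# Counts entries per uid:gid pair, most common first, so an unexpected
# group id stands out at a glance.
owner_summary() {
    find "$1" -exec stat -c '%u:%g' {} + | sort | uniq -c | sort -rn
}

# Run as a script (hypothetical name):
#   ./check_owner.sh /mnt/yams/config/qbittorrent 1000 1000
if [ "$#" -eq 3 ]; then
    owner_summary "$1"
    owner_mismatches "$@" || echo "ownership differs from $2:$3" >&2
fi
```

Run it on the Docker host against the same path that is bind-mounted to `/config`, with the ids from the compose file.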
