Permisions errors with "./launcher rebuild app" on fresh install

Installation
1

I did:

git clone https://github.com/discourse/discourse_docker.git /var/discourse
cd /var/discourse
chmod 700 containers

then my copied my old app.yml into containers and tried rebuilding the app:


[root@two discourse]# ./launcher rebuild app
x86_64 arch detected.
Ensuring launcher is up to date
Launcher is up-to-date
Stopping old container
+ /usr/bin/docker stop -t 600 app
app
2.0.20250722-0020: Pulling from discourse/base
Digest: sha256:3b975c30ef85e9742e2d7f6093450867e67dae204c93d22cc38d043dcbf530b3
Status: Image is up to date for discourse/base:2.0.20250722-0020
docker.io/discourse/base:2.0.20250722-0020
/usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups.rb
/usr/local/bin/pups --stdin
I, [2025-09-12T19:05:09.283821 #1]  INFO -- : Reading from stdin
I, [2025-09-12T19:05:09.296585 #1]  INFO -- : File > /etc/service/postgres/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.301579 #1]  INFO -- : File > /etc/service/postgres/log/run  chmod: +x  chown: 
I, [2025-09-12T19:05:09.307391 #1]  INFO -- : File > /etc/runit/3.d/99-postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.313597 #1]  INFO -- : File > /root/install_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.319914 #1]  INFO -- : File > /root/upgrade_postgres  chmod: +x  chown: 
I, [2025-09-12T19:05:09.320255 #1]  INFO -- : Replacing data_directory = '/var/lib/postgresql/15/main' with data_directory = '/shared/postgres_data' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.323526 #1]  INFO -- : Replacing (?-mix:#?listen_addresses *=.*) with listen_addresses = '*' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324153 #1]  INFO -- : Replacing (?-mix:#?synchronous_commit *=.*) with synchronous_commit = $db_synchronous_commit in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324577 #1]  INFO -- : Replacing (?-mix:#?shared_buffers *=.*) with shared_buffers = $db_shared_buffers in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.324945 #1]  INFO -- : Replacing (?-mix:#?work_mem *=.*) with work_mem = $db_work_mem in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325369 #1]  INFO -- : Replacing (?-mix:#?default_text_search_config *=.*) with default_text_search_config = '$db_default_text_search_config' in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.325759 #1]  INFO -- : Replacing (?-mix:#?checkpoint_segments *=.*) with checkpoint_segments = $db_checkpoint_segments in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.329467 #1]  INFO -- : Replacing (?-mix:#?logging_collector *=.*) with logging_collector = $db_logging_collector in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330304 #1]  INFO -- : Replacing (?-mix:#?log_min_duration_statement *=.*) with log_min_duration_statement = $db_log_min_duration_statement in /etc/postgresql/15/main/postgresql.conf
I, [2025-09-12T19:05:09.330761 #1]  INFO -- : Replacing (?-mix:^#local +replication +postgres +peer$) with local replication postgres  peer in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.331823 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*127.*$) with host all all 0.0.0.0/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332230 #1]  INFO -- : Replacing (?-mix:^host.*all.*all.*::1\/128.*$) with host all all ::/0 md5 in /etc/postgresql/15/main/pg_hba.conf
I, [2025-09-12T19:05:09.332621 #1]  INFO -- : > if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run': No such file or directory
chmod: cannot access '/shared/postgres_run': No such file or directory
mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied
chown: cannot access '/shared/postgres_run/15-main.pg_stat_tmp': No such file or directory
install: cannot change owner and permissions of ‘/shared/postgres_data’: No such file or directory
initdb: error: could not create directory "/shared/postgres_data": Permission denied
find: ‘/shared/postgres_data’: No such file or directory
chown: cannot dereference '/var/run/postgresql': No such file or directory
cat: /shared/postgres_data/PG_VERSION: No such file or directory
du: cannot access '/shared/postgres_data': No such file or directory
/root/upgrade_postgres: line 7: * 2: syntax error: operand expected (error token is "* 2")
I, [2025-09-12T19:05:12.122891 #1]  INFO -- : Generating locales (this might take a while)...
  en_US.UTF-8... done
Generation complete.
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.UTF-8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

creating directory /shared/postgres_data ... Upgrading PostgreSQL from version to 15



FAILED
--------------------
Pups::ExecError: if [ -f /root/install_postgres ]; then
  /root/install_postgres && rm -f /root/install_postgres
elif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then
  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1
fi
 failed with return #<Process::Status: pid 18 exit 1>
Location of failure: /usr/local/lib/ruby/gems/3.3.0/gems/pups-1.3.0/lib/pups/exec_command.rb:131:in `spawn'
exec failed with the params {"tag"=>"db", "cmd"=>"if [ -f /root/install_postgres ]; then\n  /root/install_postgres && rm -f /root/install_postgres\nelif [ -e /shared/postgres_run/.s.PGSQL.5432 ]; then\n  socat /dev/null UNIX-CONNECT:/shared/postgres_run/.s.PGSQL.5432 || exit 0 && echo postgres already running stop container ; exit 1\nfi\n"}
bootstrap failed with exit code 1
** FAILED TO BOOTSTRAP ** please scroll up and look for earlier error messages, there may be more than one.
./discourse-doctor may help diagnose the problem.
c9c7badf83b119a15b40255ae48a05182f72663cc870ca85e867c1f9a218bb83

Apparently there is a permissions problem inside the container right at the outset:

mkdir: cannot create directory ‘/shared/postgres_run’: Permission denied

What could be causing this?

2

Apparently I need to run docker with the --privileged flag, as that solves the problem:

./launcher rebuild app --docker-args '--privileged'

It’s not clear to me why this is the case. (This is on Fedora 42.) I’d love to understand what’s happening here.

3

Because in Discourse those files are owned by root (or the parent directory is?).

Perhaps it’s set by default in Ubuntu. I don’t know what might be different in Ubuntu.

You could try setting /var/discourse/shared to world writable and see if it works? Or maybe you could see if it works without ``–privileged` now?

Ubuntu is what’s recommended and Debian is what is inside the container (and may now be what CDCK uses for their host OS?). Fedora has a bunch of stuff locked down that Ubuntu doesn’t. If you’d love to understand, you’re likely to be largely on your own, though I think I remember at least one person here with some frequency likes Fedora CentOS (which is closer to Fedora than Ubuntu is!). This might have clues: MKJ's Opinionated Discourse Deployment Configuration

4

I wonder what the effective uid is at the point where the bootstrap script is trying to make subdirectories in /var/discourse/shared; I had thought it would be root, since docker is being run as root, but apparently not?

I see nothing there about using --privileged, sadly, though I share his desire to do this all with podman instead of docker.

1 Like
5

Yeah, I haven’t tried running production Discourse on Fedora, only done Discourse development on Fedora, and that not on 42. My Discourse servers now are on AlmaLinux 9 and I don’t need --privileged there. I don’t have Docker installed on any of my Fedora systems.

1 Like
6

I think I’m going to try determining what the owner of those directories needs to be without --privileged when I have the time.

1 Like
7

Looking at --privileged I see that it disables SELinux process labels.

I’m not disabling SELinux on my Discourse server, and in fact have instructions in my guide how to adapt to keeping SELinux enabled while using external nginx. You can also check your avc logs for relevant denials and write local policy using audit2allow. But that can be a long iterative process. I would start from scratch (wiping out /var/discourse) to make sure it’s a valid test and see whether you still need --permissive with SELinux disabled (e.g. setenforce 0). Then if that works, you can use audit2allow because setenforce 0 still writes avc entries, but is no longer stopped at the first gate, so you will get to a working policy faster.

I don’t think I’d keep using --privileged on a production system if I could help it.

1 Like