I am running syncthing inside a docker container. I am getting this error message:
"Error on folder “p7 Camera” (pixel_7_tw32-photos): stat /mnt/qnap/syncthing/p7/.stfolder: permission denied"
On the host, here are the file permissions:
drwxrwxr-x 2 ansible root 4096 May 18 13:34 .stfolder
The docker service is running as root. Why is syncthing unable to access this directory?
So the folder is owned by user ansible in the group root (the ownership seems kind of odd).
It’s not a Syncthing issue, as other programs/apps would also be affected.
When using Docker, think of it like a set of nested boxes:
[QNAP OS [ Docker Engine [ Container OS [ Syncthing ] ] ] ]
(Things are even more complicated with Docker on Windows/macOS.)
- Syncthing is running inside the inner-most “box” under a user that only exists inside the container OS.
- The container OS (most commonly a Linux distro) is running inside a virtual sandbox provided by Docker Engine.
- Docker Engine, in turn, is running within QNAP OS.
/mnt/qnap/syncthing/p7/ exists on a filesystem managed by the QNAP OS, so for Syncthing to access it requires passing through the container OS → Docker Engine → QNAP OS.
It also requires the ownership and/or permissions for /mnt/qnap/syncthing/p7/ to be compatible with the user that’s running Syncthing inside the container.
The Docker service itself always runs as root because it needs to be able to access low-level subsystems, but the Docker container doesn’t run with the same privileges, so Syncthing is just a normal user.
There’s currently not enough info about which Docker image is being used, the Docker compose parameters and other details to be more specific with what steps to take. There are also different ways to sort out the permissions depending on the individual QNAP and container setup, so:
Here is how it is being created:
docker run --network=host -p 8384:8384 -p 22000:22000/tcp -p 22000:22000/udp -p 21027:21027/udp -v /root/docker/syncthing:/var/syncthing -v /mnt/qnap/syncthing:/mnt/qnap/syncthing --hostname=syncthing syncthing/syncthing:latest
So, given the docker run parameters, the two simplest options are…
On the QNAP side, change the ansible:root to match what Syncthing is running under inside the container.
syncthing/syncthing is Syncthing’s official Docker image, so that means inside the container, Syncthing defaults to running under UID 1000 and GID 1000 (written shorthand as
Second option is to override the run parameters for the container to tell Syncthing to use a different UID:GID pair.
Syncthing’s Docker image checks two environment variables named “PUID” and “PGID” that can be passed via the -e switch like so:
docker run -e PUID=1234 -e PGID=0 --network=host -p 8384:8384 -p 22000:22000/tcp -p 22000:22000/udp -p 21027:21027/udp -v /root/docker/syncthing:/var/syncthing -v /mnt/qnap/syncthing:/mnt/qnap/syncthing --hostname=syncthing syncthing/syncthing:latest
On a Unix/Linux system, root is UID 0 and GID 0, but I don’t know what UID is assigned by QNAP for user “ansible”, but it’s very likely below
So you just need to find out what UID belongs to user “ansible” on the QNAP and substitute it for the 1234 placeholder I put into the docker run command above.
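
As an added example (not part of the thread and not Syncthing's or Docker's own tooling): stat() on a path is refused when any parent directory lacks search (x) permission for the calling UID:GID, so this script walks the parents of a target such as the .stfolder path and reports the first one that blocks a given UID:GID. The function names class_bits and first_blocker are hypothetical; it assumes an absolute path and a `stat` that supports `-L -c` (GNU coreutils or BusyBox), and it does not model ACLs, supplementary groups or root's override.

```shell
#!/bin/sh
# Added example: find the first parent directory a UID:GID cannot traverse.
# Assumptions: absolute path, `stat -L -c` available; ACLs, supplementary
# groups and root's permission override are not modelled.

# class_bits UID GID PATH -> prints the rwx digit (0-7) that applies to UID:GID
class_bits() {
    cb_uid=$1 cb_gid=$2
    cb_info=$(stat -L -c '%u %g %a' "$3") || return 2
    set -- $cb_info                  # $1=owner uid  $2=owner gid  $3=octal mode
    cb_mode=$(( 0$3 ))               # leading 0 makes the shell read it as octal
    # Only one class is consulted: owner wins over group, group over other.
    if   [ "$cb_uid" -eq "$1" ]; then echo $(( (cb_mode >> 6) & 7 ))
    elif [ "$cb_gid" -eq "$2" ]; then echo $(( (cb_mode >> 3) & 7 ))
    else                              echo $((  cb_mode       & 7 ))
    fi
}

# first_blocker UID GID TARGET -> prints the first parent directory lacking x
# and returns 1; prints nothing and returns 0 when every parent is traversable.
first_blocker() {
    fb_uid=$1 fb_gid=$2 fb_cur=
    fb_parents=$(dirname "$3")       # the target itself needs no permission bits
    fb_ifs=$IFS; set -f; IFS=/
    set -- $fb_parents               # split the parent path on "/"
    IFS=$fb_ifs; set +f
    for fb_part in / "$@"; do
        case $fb_part in
            '') continue ;;
            /)  fb_dir=/ ;;
            *)  fb_cur="$fb_cur/$fb_part"; fb_dir=$fb_cur ;;
        esac
        fb_bits=$(class_bits "$fb_uid" "$fb_gid" "$fb_dir") || return 2
        if [ $(( fb_bits & 1 )) -eq 0 ]; then
            echo "$fb_dir"
            return 1
        fi
    done
    return 0
}

# Usage on the Docker host, with the image's default UID:GID from the thread:
#   first_blocker 1000 1000 /mnt/qnap/syncthing/p7/.stfolder
```

Run it on the host against the bind-mounted path, since the container sees the same numeric owner, group and mode bits that the host filesystem stores.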