Permission Denied on Folder

I am running syncthing inside a docker container. I am getting this error message:

Error on folder “p7 Camera” (pixel_7_tw32-photos): stat /mnt/qnap/syncthing/p7/.stfolder: permission denied

On the host, here are the file permissions:

drwxrwxr-x 2 ansible root 4096 May 18 13:34 .stfolder

The docker service is running as root. Why is syncthing unable to access this directory?

So the folder is owned by user ansible in the group root (the ownership seems kind of odd).

It’s not a Syncthing issue, as other programs/apps would also be affected.

When using Docker, think of it like a set of nested boxes:

[QNAP OS [ Docker Engine [ Container OS [ Syncthing ] ] ] ]

(Things are even more complicated with Docker on Windows/macOS.)

  • Syncthing is running inside the inner-most “box” under a user that only exists inside the container OS.
  • The container OS (most commonly a Linux distro) is running inside a virtual sandbox provided by Docker Engine.
  • Docker Engine, in turn, is running within QNAP OS.

Your directory /mnt/qnap/syncthing/p7/ exists on a filesystem managed by the QNAP OS. So in order for Syncthing to access it, the request has to pass through the container OS → Docker Engine → QNAP OS.

It also requires the ownership and/or permissions for /mnt/qnap/syncthing/p7/ to be compatible with the user that’s running Syncthing inside the container.

The Docker service itself always runs as root because it needs to be able to access low-level subsystems, but the Docker container doesn’t run with the same privileges, so Syncthing is just a normal user.

There’s currently not enough info about which Docker image is being used, the Docker compose parameters and other details to be more specific with what steps to take. There are also different ways to sort out the permissions depending on the individual QNAP and container setup, so:


Here is how it is being created:

docker run --network=host -p 8384:8384 -p 22000:22000/tcp -p 22000:22000/udp -p 21027:21027/udp -v /root/docker/syncthing:/var/syncthing -v /mnt/qnap/syncthing:/mnt/qnap/syncthing --hostname=syncthing syncthing/syncthing:latest

So, given the docker run parameters, the two simplest options are…

On the QNAP side, change the user:group on /mnt/qnap/syncthing from ansible:root to match what Syncthing is running under inside the container.

syncthing/syncthing is Syncthing’s official Docker image, so that means inside the container, Syncthing defaults to running under UID 1000 and GID 1000 (written shorthand as 1000:1000).

The second option is to override the run parameters for the container to tell Syncthing to use a different UID:GID pair.

Syncthing’s Docker image checks two environment variables named “PUID” and “PGID” that can be passed via the -e switch like so:

docker run -e PUID=1234 -e PGID=0 --network=host -p 8384:8384 -p 22000:22000/tcp -p 22000:22000/udp -p 21027:21027/udp -v /root/docker/syncthing:/var/syncthing -v /mnt/qnap/syncthing:/mnt/qnap/syncthing --hostname=syncthing syncthing/syncthing:latest

On a Unix/Linux system, root is UID 0 and GID 0. I don’t know what UID is assigned by QNAP for user “ansible”, but it’s very likely below 1000.

So you just need to find out what UID belongs to user “ansible” on the QNAP and substitute it for the 1234 placeholder I put into the docker run command above.

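An added example (not part of the thread and not Syncthing's own tooling) for narrowing down the error above: stat() returns "permission denied" when a directory on the way to the target lacks the search (x) bit for the calling user, so this script, run on the Docker host, reports the first such directory under the bind-mounted path for a given UID:GID, such as the image's default 1000:1000. The function names are hypothetical; it assumes a `stat` that supports `-c`, plain mode bits (no ACLs), and a process with no supplementary groups.

```shell
#!/bin/sh
# class_digit MODE OWNER_UID OWNER_GID PROC_UID PROC_GID
# Prints the single rwx digit (0-7) that applies to the process: the owner
# digit if the UIDs match, else the group digit if the GIDs match, else "other".
# Assumption: no ACLs and no supplementary groups.
class_digit() {
    perms=$((0$1))                      # leading 0 makes the mode octal
    if [ "$4" -eq 0 ]; then
        echo 7                          # UID 0: assumes CAP_DAC_OVERRIDE is kept
    elif [ "$4" -eq "$2" ]; then
        echo $(( (perms >> 6) & 7 ))
    elif [ "$5" -eq "$3" ]; then
        echo $(( (perms >> 3) & 7 ))
    else
        echo $(( perms & 7 ))
    fi
}

# first_blocked BASE REL PROC_UID PROC_GID
# Checks BASE (the bind-mount source) and every directory of REL beneath it,
# but not the final target: stat() only needs search permission on the parents.
# Prints the first directory that lacks the x bit for PROC_UID:PROC_GID and
# returns 1; returns 0 if all parents are searchable, 2 if stat itself fails.
first_blocked() {
    dir=$1; rest=$2; puid=$3; pgid=$4
    while :; do
        meta=$(stat -c '%a %u %g' "$dir") || return 2
        # $meta is left unquoted on purpose so it splits into mode, uid, gid
        digit=$(class_digit $meta "$puid" "$pgid")
        if [ $((digit & 1)) -eq 0 ]; then
            echo "$dir"
            return 1
        fi
        case $rest in
            */*) dir=$dir/${rest%%/*}; rest=${rest#*/} ;;
            *)   return 0 ;;
        esac
    done
}

# Usage on the Docker host, with the paths and default UID:GID from this thread:
#   first_blocked /mnt/qnap/syncthing p7/.stfolder 1000 1000
```

If a directory is printed, either its ownership or mode on the host needs to admit that UID:GID, or the container needs to run with a PUID/PGID that the directory already admits.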
