Always get 403 Forbidden

Hi,
no matter what I try, I always get 403 Forbidden when trying to access the Piwigo UI via a local port.
I’ve tried chmod -R 777 on the folder and made sure the folder is owned by the current user. I’ve also tried replacing docker secrets with plain text for the Piwigo container. I’ve successfully run the container a while back, so I really don’t know what could be wrong. Here’s my docker compose.
Does anyone have an idea what could be wrong?

  piwigo:
    container_name: piwigo
    image: lscr.io/linuxserver/piwigo:arm64v8-latest
    restart: unless-stopped
    networks:
      - t2_proxy #want to run behind traefik once it works
    ports:
      - "8007:80"
    security_opt:
      - no-new-privileges:true
    environment:
      - PUID=$PUID #1000
      - PGID=$PGID #1000
      - TZ=$TZ
      - PIWIGO_DB_HOST=photo-db
      - FILE__PIWIGO_DB_USER=/run/secrets/photo_db_user
      - FILE__PIWIGO_DB_PASSWORD=/run/secrets/photo_db_password
      - FILE__PIWIGO_DB_NAME=/run/secrets/photo_db_name

    volumes:
      - $USERDIR/docker/photo/app/config:/config
      - $USERDIR/docker/photo/gallery:/config/www/gallery/galleries
    secrets:
      - photo_db_name
      - photo_db_user
      - photo_db_password

### Photo database
  photo-db:
    image: mariadb:latest
    container_name: photo-db
    networks:
      t2_proxy:
        ipv4_address: 192.168.90.239
    security_opt:
      - no-new-privileges:true
    restart: unless-stopped
    volumes:
      - "$USERDIR/docker/photo/db:/var/lib/mysql"
    environment:
      PUID: "$PUID"
      PGID: "$PGID"
      TZ: "$TZ"
      MYSQL_ROOT_PASSWORD_FILE: "/run/secrets/mysql_root_password"
      MYSQL_DATABASE_FILE: "/run/secrets/photo_db_name"
      MYSQL_USER_FILE: "/run/secrets/photo_db_user"
      MYSQL_PASSWORD_FILE: "/run/secrets/photo_db_password"
    secrets:
      - mysql_root_password
      - photo_db_name
      - photo_db_user
      - photo_db_password

Appreciate any feedback

Just curious. Where do you set the values for $PUID and $PGID?

In my .env file in $USERDIR/docker

Few things I would do…

I am assuming their (PUID and PGID) values are 1000. Can you please run a ‘grep 1000 /etc/passwd’ and ‘grep 1000 /etc/group’ on the host and verify they do exist?

Also, what happens if you hardcode a value of 0 to those variables in the docker-compose file itself and run? Do you still get the 403 error?

Also, can you run a ‘ls -lR $USERDIR/docker/photo’ and confirm that’s the right path?

Great call, this is often an issue

Please do not do this, we do not support ever using a puid/pgid of 0.

Please pastebin (or similar) your container logs (they start with our ascii logo)

My suggestion for setting 0 to PUID and PGID is only for debugging purposes :slight_smile: Also, I would first hardcode all the values defined in the .env file in the docker-compose file itself, make sure it runs as expected, and then move them to the .env file. Nothing suggests that’s the right approach, but that’s just me :slight_smile:

Thanks for the suggestions!
Yes, PUID and PGID are both 1000

$ grep 1000 /etc/passwd
odroid:x:1000:1000:,,,:/home/odroid:/bin/bash

$ grep 1000 /etc/group
odroid:x:1000:

$ ls -IR photo
app  db  gallery

I had also already thought of running the container as root for debugging, but as @driz already pointed out, the container didn’t like that.
By the way, I forgot to mention that the nginx error.log says something like ‘directory index of gallery forbidden’, and there’s only one folder in /config/www/gallery, which is called /galleries, which is empty, and nothing else.
As for hardcoding all the .env values into the docker-compose file itself: I have a lot of other containers running successfully with similar configurations. After failing to get Piwigo running, I successfully set up photoprism and pigallery2.

Here’s the container log:

today at 21:33:18 s6-rc: info: service s6rc-oneshot-runner: starting
today at 21:33:18 s6-rc: info: service s6rc-oneshot-runner successfully started
today at 21:33:18 s6-rc: info: service fix-attrs: starting
today at 21:33:18 s6-rc: info: service 00-legacy: starting
today at 21:33:18 s6-rc: info: service 00-legacy successfully started
today at 21:33:18 s6-rc: info: service fix-attrs successfully started
today at 21:33:18 s6-rc: info: service legacy-cont-init: starting
today at 21:33:18 cont-init: info: running /etc/cont-init.d/01-envfile
today at 21:33:18 cont-init: info: /etc/cont-init.d/01-envfile exited 0
today at 21:33:18 cont-init: info: running /etc/cont-init.d/02-tamper-check
today at 21:33:18 cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
today at 21:33:18 cont-init: info: running /etc/cont-init.d/10-adduser
today at 21:33:18
today at 21:33:18 -------------------------------------
today at 21:33:18           _         ()
today at 21:33:18          | |  ___   _    __
today at 21:33:18          | | / __| | |  /  \
today at 21:33:18          | | \__ \ | | | () |
today at 21:33:18          |_| |___/ |_|  \__/
today at 21:33:18
today at 21:33:18
today at 21:33:18 Brought to you by linuxserver.io
today at 21:33:18 -------------------------------------
today at 21:33:18
today at 21:33:18 To support LSIO projects visit:
today at 21:33:18 https://www.linuxserver.io/donate/
today at 21:33:18 -------------------------------------
today at 21:33:18 GID/UID
today at 21:33:18 -------------------------------------
today at 21:33:18
today at 21:33:18 User uid:    1000
today at 21:33:18 User gid:    1000
today at 21:33:18 -------------------------------------
today at 21:33:18
today at 21:33:18 cont-init: info: /etc/cont-init.d/10-adduser exited 0
today at 21:33:18 cont-init: info: running /etc/cont-init.d/20-config
today at 21:33:18 cont-init: info: /etc/cont-init.d/20-config exited 0
today at 21:33:18 cont-init: info: running /etc/cont-init.d/30-keygen
today at 21:33:18 generating self-signed keys in /config/keys, you can replace these with your own keys if required
today at 21:33:18 Generating a RSA private key
today at 21:33:18 ...+++++
today at 21:33:19 .............................................+++++
today at 21:33:19 writing new private key to '/config/keys/cert.key'
today at 21:33:19 -----
today at 21:33:19 cont-init: info: /etc/cont-init.d/30-keygen exited 0
today at 21:33:19 cont-init: info: running /etc/cont-init.d/40-install
today at 21:33:19 cont-init: info: /etc/cont-init.d/40-install exited 0
today at 21:33:19 cont-init: info: running /etc/cont-init.d/90-custom-folders
today at 21:33:19 cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
today at 21:33:19 cont-init: info: running /etc/cont-init.d/99-custom-files
today at 21:33:19 [custom-init] no custom files found exiting...
today at 21:33:19 cont-init: info: /etc/cont-init.d/99-custom-files exited 0
today at 21:33:19 s6-rc: info: service legacy-cont-init successfully started
today at 21:33:19 s6-rc: info: service init-mods: starting
today at 21:33:19 s6-rc: info: service init-mods successfully started
today at 21:33:19 s6-rc: info: service init-mods-package-install: starting
today at 21:33:19 s6-rc: info: service init-mods-package-install successfully started
today at 21:33:19 s6-rc: info: service init-mods-end: starting
today at 21:33:19 s6-rc: info: service init-mods-end successfully started
today at 21:33:19 s6-rc: info: service init-services: starting
today at 21:33:19 s6-rc: info: service init-services successfully started
today at 21:33:19 s6-rc: info: service legacy-services: starting
today at 21:33:19 services-up: info: copying legacy longrun cron (no readiness notification)
today at 21:33:19 services-up: info: copying legacy longrun nginx (no readiness notification)
today at 21:33:19 services-up: info: copying legacy longrun php-fpm (no readiness notification)
today at 21:33:19 s6-rc: info: service legacy-services successfully started
today at 21:33:19 s6-rc: info: service 99-ci-service-check: starting
today at 21:33:19 [ls.io-init] done.
today at 21:33:19 s6-rc: info: service 99-ci-service-check successfully started

Since the container will be running under user ‘odroid’ (because of PUID and PGID being 1000), I would think the directories and subdirectories under $USERDIR should also be owned by ‘odroid’.

Under which user account have you logged in and are running your docker-compose? odroid?

Can you please provide the following output :

echo $USERDIR

ls -lR $USERDIR/docker/photo

Thanks! But like I said, I already tried ‘chown odroid’ on the whole ‘photo’ directory, as well as chmod 777 and 775.
I’m logged in as odroid, correct.
The variable $USERDIR is only defined in the docker .env file, so my shell doesn’t know it (is that the correct expression?). The output of ls -IR photo (with current directory being $USERDIR/docker = /media/sdcard/docker) I already posted above (it’s just the names of the three folders in ‘photo’). What would you hope to see from that?

If the directories and subdirectories (which you pass as bind mounts) are owned by the user ‘odroid’, and if you are running your program as user ‘odroid’, and if the directories and subdirectories are owned by 1000:1000 (which is odroid) from the container’s point of view, I am not sure why there is a 403 forbidden error. My apologies. I too am at a loss :frowning:
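
A host-side check for the ownership question raised above, added here as an example and not something posted in the thread: it walks a bind-mounted directory and lists every entry whose numeric owner or group differs from the PUID/PGID the container runs as (1000:1000 in this setup). It assumes a Linux host (GNU find's -printf) and checks ownership only, not mode bits or the ACLs indicated by the ‘+’ in the ls -l output; the tree built in demo() is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list entries under a bind mount whose
# numeric owner or group differs from the PUID/PGID the container runs as.
# Uses GNU find's -printf (Linux host assumed). Ownership only: mode bits and
# ACLs (the '+' in the thread's ls -l output) are not inspected.

# find_not_owned DIR UID GID -> prints "uid:gid mode path" for each mismatch
find_not_owned() {
    dir="$1"; want_uid="$2"; want_gid="$3"
    find "$dir" \( ! -uid "$want_uid" -o ! -gid "$want_gid" \) \
        -printf '%U:%G %M %p\n'
}

# Stand-alone demo on a constructed tree shaped like the thread's bind mounts.
# Everything here is owned by the current user, so asking for 54321:54321
# reports every entry, while asking for the current uid/gid reports nothing.
demo() {
    tmp="$(mktemp -d)"
    mkdir -p "$tmp/app/config/www/gallery/galleries" "$tmp/gallery"
    : > "$tmp/app/config/nginx.conf"
    echo "mismatches against $(id -u):$(id -g):"
    find_not_owned "$tmp" "$(id -u)" "$(id -g)"
    echo "mismatches against 54321:54321:"
    find_not_owned "$tmp" 54321 54321
    rm -rf "$tmp"
}

# On the host from the thread the real check would be:
#   find_not_owned /media/sdcard/docker/photo 1000 1000
demo
```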

sorry…what I meant was the value of $USERDIR assigned in .env file.

Thanks for your effort in trying to understand it. Maybe the problem is with the container itself.

I think I am now getting obsessed with this problem :slight_smile: I am trying to understand the role of /media/sdcard/docker. Does it mean you are having all your pictures on your sdcard and then trying to use Piwigo to show the picture gallery? I would still be interested in seeing this command’s output when issued on the host as the odroid user: ‘ls -lR /media/sdcard/docker’ or ‘ls -l /media/sdcard/docker’ (the exact output).

I still believe file permissions are the root cause of the 403 error, though I am not able to prove it :slight_smile:

Oh that’s a lower-case “l” in the command! I had always read it as a capital “i” :man_facepalming:
The location /media/sdcard/docker is where I have all my docker related stuff (volumes, docker-compose,…).
I won’t paste the output of ‘ls -lR’ from that folder (too much and not sure what it all contains) but from the folder with the piwigo volumes inside:

$ ls -lR /media/sdcard/docker/photo1
/media/sdcard/docker/photo1:
total 12
drwxr-xr-x+ 3 root   root   4096 Sep  9 21:33 app
drwxr-xr-x+ 6    999 docker 4096 Sep 10 23:02 db
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 gallery

/media/sdcard/docker/photo1/app:
total 4
drwxr-xr-x+ 9 odroid odroid 4096 Sep  9 21:33 config

/media/sdcard/docker/photo1/app/config:
total 28
drwxrwxr-x+ 2 root   root   4096 Sep  9 21:33 custom-cont-init.d
drwxrwxr-x+ 2 root   root   4096 Sep  9 21:33 custom-services.d
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 keys
drwxrwxr-x+ 4 odroid odroid 4096 Sep 10 02:00 log
drwxrwxr-x+ 3 odroid odroid 4096 Sep  9 21:33 nginx
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 php
drwxrwxr-x+ 3 odroid odroid 4096 Sep  9 21:33 www

/media/sdcard/docker/photo1/app/config/custom-cont-init.d:
total 0

/media/sdcard/docker/photo1/app/config/custom-services.d:
total 0

/media/sdcard/docker/photo1/app/config/keys:
total 8
-rw-rw-r--+ 1 odroid odroid 1342 Sep  9 21:33 cert.crt
-rw-------+ 1 odroid odroid 1704 Sep  9 21:33 cert.key

/media/sdcard/docker/photo1/app/config/log:
total 12
-rw-------+ 1 odroid odroid  203 Sep 10 02:00 logrotate.status
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 nginx
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 php

/media/sdcard/docker/photo1/app/config/log/nginx:
total 8
-rw-r--r--+ 1 odroid odroid 513 Sep  9 21:40 access.log
-rw-r--r--+ 1 odroid odroid 368 Sep  9 21:40 error.log

/media/sdcard/docker/photo1/app/config/log/php:
total 4
-rw-------+ 1 odroid odroid 420 Sep 10 23:00 error.log

/media/sdcard/docker/photo1/app/config/nginx:
total 8
-rw-rw-r--+ 1 odroid odroid 1408 Sep  9 21:33 nginx.conf
drwxrwxr-x+ 2 odroid odroid 4096 Sep  9 21:33 site-confs

/media/sdcard/docker/photo1/app/config/nginx/site-confs:
total 4
-rw-rw-r--+ 1 odroid odroid 581 Sep  9 21:33 default

/media/sdcard/docker/photo1/app/config/php:
total 8
-rw-rw-r--+ 1 odroid odroid 105 Sep  9 21:33 php-local.ini
-rw-rw-r--+ 1 odroid odroid 112 Sep  9 21:33 www2.conf

/media/sdcard/docker/photo1/app/config/www:
total 8
drwxrwxr-x+ 3 odroid odroid 4096 Sep  9 21:33 gallery
-rw-rw-r--+ 1 odroid odroid  988 Sep  9 21:33 index.html

/media/sdcard/docker/photo1/app/config/www/gallery:
total 4
drwxr-xr-x+ 2 root root 4096 Sep  9 21:33 galleries

/media/sdcard/docker/photo1/app/config/www/gallery/galleries:
total 0

/media/sdcard/docker/photo1/db:
total 126960
-rw-rw----+ 1 999 docker  16719872 Sep 10 23:02 aria_log.00000001
-rw-rw----+ 1 999 docker        52 Sep 10 23:02 aria_log_control
-rw-rw-r--+ 1 999 docker       872 Sep 10 23:02 ib_buffer_pool
-rw-rw----+ 1 999 docker 100663296 Sep 10 21:06 ib_logfile0
-rw-rw----+ 1 999 docker  12582912 Sep 10 21:06 ibdata1
-rw-rw----+ 1 999 docker         0 Sep  9 21:33 multi-master.info
drwx------+ 2 999 docker      4096 Sep  9 21:33 mysql
-rw-rw-r--+ 1 999 docker        14 Sep  9 21:33 mysql_upgrade_info
drwx------+ 2 999 docker      4096 Sep  9 21:33 performance_schema
drwx------+ 2 999 docker      4096 Sep  9 21:33 photo1
drwx------+ 2 999 docker      8192 Sep  9 21:33 sys
ls: cannot open directory '/media/sdcard/docker/photo1/db/mysql': Permission denied
ls: cannot open directory '/media/sdcard/docker/photo1/db/performance_schema': Permission denied
ls: cannot open directory '/media/sdcard/docker/photo1/db/photo1': Permission denied
ls: cannot open directory '/media/sdcard/docker/photo1/db/sys': Permission denied

/media/sdcard/docker/photo1/gallery:
total 0

Before you point out the ‘permission denied’ stuff, consider that I have several other instances of mariadb running, which work just fine with the exact same settings.
Also consider that I already tried ‘sudo chmod -R 777’ and ‘sudo chown -R odroid:odroid’ on the whole ‘/media/sdcard/docker/photo’ folder (in the output above it’s now called photo1).
If it really is a faulty permission setting on my side, then something must have gone really weird. Although I don’t have any in-depth skills concerning docker (or linux for that matter), all my other containers run without problems.
Unless this matter is now of personal importance to you, I’m going to stop looking into this (I tried photoprism as an alternative and I’m super satisfied) :wink:

I agree it’s a wise decision to let it pass and move on :slight_smile: Thanks for sharing about photoprism. I am no expert by any means. Just an average docker user. Thanks again.