Docker Compose file modify permissions

Hello all,

I am having an issue with TrueNAS Scale’s Portainer app. The end goal is to run two modded Minecraft servers, and what I am having trouble with here is just the first one so I will limit the scope to this one. I am new to TrueNAS and Docker, so please correct me if I misunderstood something or haven’t used best practices.

The really short TL;DR is I’d like for someone to help me figure out how to grant the Portainer docker the appropriate permissions to just read and write as it pleases in my dataset pool0/applications. Why I think this is the case is explained below (but again please correct me if I am barking up the wrong tree).

I have an existing MC server, from which I would like to import the game’s world save files into this docker instance running on TrueNAS. I am using this docker repo inside of Portainer.
I created a Samba share under the path /pool0/applications/mc_vanilla, such that the following docker compose script would create all necessary game files in a dataset that I can access from my Windows machine:

# Generated by setupmc.com on 2025-02-01T09:59:22.644Z

services:
  mc:
    image: itzg/minecraft-server:latest
    tty: true
    stdin_open: true
    ports:
      - "25565:25565"
    environment:
      EULA: "TRUE"
      VERSION: "1.21.4"
    volumes:
      - "/mnt/pool0/applications/mc_vanilla:/data"

Now, a brand new game world is created just fine at /pool0/applications/mc_vanilla - but the container really doesn’t like it when I try to start the container using existing (imported) game files. I have tried various flavours of this docker compose script, with and without extra arguments, but they all error out in one way or another. In the case of this script (which I have stripped to about as barebones as I want to), the following appears in the container’s console:

[init] Running as uid=1000 gid=1000 with /data as 'drwxrwx--- 8 1000 1000 17 Feb  1 10:44 /data'
[init] Resolving type given VANILLA
[init] Resolved version given 1.21.4 into 1.21.4
[mc-image-helper] 10:48:05.357 INFO  : Created/updated 1 property in /data/server.properties
[init] Setting initial memory to 1G and max to 1G
[init] Starting the Minecraft server...
Starting net.minecraft.server.Main
[10:48:08] [ServerMain/INFO]: Environment: Environment[sessionHost=https://sessionserver.mojang.com, servicesHost=https://api.minecraftservices.com, name=PROD]
[10:48:08] [ServerMain/ERROR]: Failed to start the minecraft server
java.nio.file.AccessDeniedException: ./world
	at java.base/sun.nio.fs.UnixException.translateToIOException(Unknown Source) ~[?:?]
	at java.base/sun.nio.fs.UnixException.asIOException(Unknown Source) ~[?:?]
	at java.base/sun.nio.fs.UnixFileSystemProvider.newDirectoryStream(Unknown Source) ~[?:?]
	at java.base/java.nio.file.Files.newDirectoryStream(Unknown Source) ~[?:?]
	at java.base/java.nio.file.FileTreeWalker.visit(Unknown Source) ~[?:?]
	at java.base/java.nio.file.FileTreeWalker.walk(Unknown Source) ~[?:?]
	at java.base/java.nio.file.Files.walkFileTree(Unknown Source) ~[?:?]
	at java.base/java.nio.file.Files.walkFileTree(Unknown Source) ~[?:?]
	at far.b(SourceFile:65) ~[server-1.21.4.jar:?]
	at far.a(SourceFile:60) ~[server-1.21.4.jar:?]
	at evg.d(SourceFile:349) ~[server-1.21.4.jar:?]
	at net.minecraft.server.Main.main(SourceFile:139) ~[server-1.21.4.jar:?]
	at net.minecraft.bundler.Main.lambda$run$0(Main.java:54) ~[?:?]
	at java.base/java.lang.Thread.run(Unknown Source) [?:?]
2025-02-01T10:48:08.395Z	INFO	mc-server-runner	Done

Where it is plain to see that the docker container app cannot access the ./world file.

As far as I can understand, there is a permissions issue that Java can’t read(?) or modify the files that the docker script didn’t itself create. I was able to verify at least one case of this when the script couldn’t modify an existing server.properties options file but could create and modify a new one just fine.
Of course, I cannot do the same for the ./world file I’m importing to the container, which I really need to persist from my previous Ubuntu Desktop jank-server.

Many thanks for any advice!!

Have you given this uid r/w perms on the dataset?

I did notice the uid=1000 and gid=1000 in the log. I went to /pool0/applications/mc_vanilla in my TrueNAS dataset manager. It would not let me apply any permissions for uid=1000 (I think TrueNAS complained of a non-existent user). I was able to apply permissions for gid=1000, but the outcome was still the same as in the original thread, unable to use imported ./world files.

I’ll give it one more go just in case I messed up the first time though 🙂

You can create a local user with that UID/GID if not - it’s very common for containers to use uid=1000 (homedir /var/empty, shell nologin, no home directory)

Depending on how you set your dataset up, it’s quite possible it’s set to ACL Mode = Restricted, as that’s the default for smb-shares. If it is, chmod and similar commands are typically going to fail no matter the user they run as.

I tried as you suggested, making a group with GID 1000 and a user of that group with UID 1000. Unfortunately, the docker process still gets the access denied exception for ./world.

Hi Neo,

I followed essinghigh’s advice to create a UID/GID of 1000.

I then followed your advice to change access control list behaviour. I just deleted the NFS/Samba share options I had for /pool0/applications (it’s a new NAS system with nothing running so I’m not worried about a drastic change to share policy like this right now). In addition, I made sure that both the applications and mc_vanilla datasets inherited their ACL type from pool0 which is set to POSIX.

The docker now successfully opens the world files and the game runs as I expect it to. Thank you both for your help 🙂
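
An added example, not part of any post in this thread: a shell function that lists which entries under the bind-mounted data directory the container's `uid=1000 gid=1000` process could not use, which is the quickest way to find imported files such as `./world` that kept their old ownership. The name `audit_data_dir` is hypothetical; the check assumes GNU find and judges by owner, group and POSIX mode bits only, so ACL entries and supplementary groups are not evaluated.

```shell
#!/bin/sh
# Added example: audit a bind-mounted data directory for entries a container
# user could not use. Only owner, group and POSIX mode bits are evaluated;
# ACL entries and supplementary groups are not. Needs GNU find (-printf).

# audit_data_dir DIR UID GID -> prints one line per inaccessible entry
audit_data_dir() {
    find "$1" -printf '%U %G %m %y %p\n' |
    while read -r owner group mode type path; do
        perm=$((0$mode))                  # %m is octal, e.g. 770 or 2770
        # Exactly one permission class applies, checked in this order.
        if [ "$owner" = "$2" ]; then
            bits=$(( (perm >> 6) & 7 )); class=owner
        elif [ "$group" = "$3" ]; then
            bits=$(( (perm >> 3) & 7 )); class=group
        else
            bits=$(( perm & 7 )); class=other
        fi
        case $type in
            d) need=7 ;;                  # list, traverse, create entries
            f) need=6 ;;                  # read and rewrite existing files
            *) continue ;;                # symlinks, sockets, etc. are skipped
        esac
        if [ $(( bits & need )) -ne "$need" ]; then
            printf '%s\tmode=%s owner=%s:%s applies=%s\n' \
                "$path" "$mode" "$owner" "$group" "$class"
        fi
    done
}

# Stand-alone use, with the path and IDs from the thread:
#   sh audit.sh /mnt/pool0/applications/mc_vanilla 1000 1000
if [ "$#" -eq 3 ]; then
    audit_data_dir "$1" "$2" "$3"
fi
```

An empty result means every file and directory is readable and writable for that UID/GID by mode bits; anything still denied after that points at the dataset's ACL type, as in the thread's resolution.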