Image upload permission denied

[derdeagle]

Current Behavior

I installed the docker containers via docker-compose up and as I try to upload an image I get the following error:

Server Error

A file permission error was detected while processing this request. Common causes include the following:
Insufficient write permission to the media root - The configured media root is . Ensure that the user NetBox runs as has access to write files to all locations within this path.

The complete exception is provided below:

<class 'PermissionError'>

[Errno 13] Permission denied: '/opt/netbox/netbox/media/image-attachments/device_1_test.png'

Expected Behavior

I expected the upload of the image to succeed.

Debug Information

The output of docker-compose version: docker-compose version 1.25.4, build unknown
The output of docker version: Version: 19.03.8
The output of git rev-parse HEAD: 5769684c98efaa66049189793e66998b217c5ffa
The command you used to start the project: docker-compose up -d

The output of docker inspect netboxcommunity/netbox:latest --format "{{json .Config.Labels}}":

{
    "NETBOX_GIT_BRANCH": "HEAD",
    "NETBOX_GIT_REF": "ccf8059452f532dcbae5a7975e9dcae3550306a5",
    "NETBOX_GIT_URL": "https://github.com/netbox-community/netbox.git",
    "ORIGINAL_TAG": "docker.io/netboxcommunity/netbox:latest",
    "org.label-schema.build-date": "2020-04-09T08:06+00:00",
    "org.label-schema.description": "A container based distribution of Netbox, the free and open IPAM and DCIM solution.",
    "org.label-schema.name": "Netbox Docker",
    "org.label-schema.schema-version": "1.0",
    "org.label-schema.url": "https://github.com/netbox-community/netbox-docker",
    "org.label-schema.usage": "https://github.com/netbox-community/netbox-docker/wiki",
    "org.label-schema.vcs-ref": "5769684c98efaa66049189793e66998b217c5ffa",
    "org.label-schema.vcs-url": "https://github.com/netbox-community/netbox-docker.git",
    "org.label-schema.vendor": "The netbox-docker contributors.",
    "org.label-schema.version": "0.23.0",
    "org.opencontainers.image.authors": "The netbox-docker contributors.",
    "org.opencontainers.image.created": "2020-04-09T08:06+00:00",
    "org.opencontainers.image.description": "A container based distribution of Netbox, the free and open IPAM and DCIM solution.",
    "org.opencontainers.image.documentation": "https://github.com/netbox-community/netbox-docker/wiki",
    "org.opencontainers.image.licenses": "Apache-2.0",
    "org.opencontainers.image.revision": "5769684c98efaa66049189793e66998b217c5ffa",
    "org.opencontainers.image.source": "https://github.com/netbox-community/netbox-docker.git",
    "org.opencontainers.image.title": "Netbox Docker",
    "org.opencontainers.image.url": "https://github.com/netbox-community/netbox-docker",
    "org.opencontainers.image.vendor": "The netbox-docker contributors.",
    "org.opencontainers.image.version": "0.23.0"
}

The output of docker-compose logs netbox:

netbox_1         | [2020-04-24 04:22:42 +0000] [70] [DEBUG] GET /dcim/devices/1/
netbox_1         | 172.20.0.7 - - [24/Apr/2020:04:22:42 +0000] "GET /dcim/devices/1/ HTTP/1.0" 200 126819 "http://localhost:8080/api/dcim/racks/1/elevation/?face=front&render=svg" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
netbox_1         | [2020-04-24 04:22:52 +0000] [71] [DEBUG] GET /dcim/devices/1/images/add/
netbox_1         | 172.20.0.7 - - [24/Apr/2020:04:22:52 +0000] "GET /dcim/devices/1/images/add/ HTTP/1.0" 200 39370 "http://localhost:8080/dcim/devices/1/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
netbox_1         | [2020-04-24 04:23:09 +0000] [71] [DEBUG] POST /dcim/devices/1/images/add/
netbox_1         | 172.20.0.7 - - [24/Apr/2020:04:23:09 +0000] "POST /dcim/devices/1/images/add/ HTTP/1.0" 500 2029 "http://localhost:8080/dcim/devices/1/images/add/" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"
netbox_1         | [2020-04-24 04:23:09 +0000] [71] [DEBUG] GET /favicon.ico
netbox_1         | 172.20.0.7 - - [24/Apr/2020:04:23:09 +0000] "GET /favicon.ico HTTP/1.0" 404 37147 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:75.0) Gecko/20100101 Firefox/75.0"

The output of docker-compose logs nginx:

nginx_1          | 2020/04/24 04:05:07 [info] 6#6: epoll_wait() failed (4: Interrupted system call)
nginx_1          | 2020/04/24 04:07:09 [info] 6#6: *195 client 172.20.0.1 closed keepalive connection
nginx_1          | 2020/04/24 04:07:09 [info] 6#6: *196 client closed connection while waiting for request, client: 172.20.0.1, server: 0.0.0.0:8080
nginx_1          | 2020/04/24 04:07:15 [info] 6#6: *197 client closed connection while waiting for request, client: 172.20.0.1, server: 0.0.0.0:8080
nginx_1          | 2020/04/24 04:21:16 [info] 6#6: *198 client 172.20.0.1 closed keepalive connection
nginx_1          | 2020/04/24 04:21:43 [info] 6#6: *205 client closed connection while waiting for request, client: 172.20.0.1, server: 0.0.0.0:8080
nginx_1          | 2020/04/24 04:22:36 [info] 6#6: *214 client closed connection while waiting for request, client: 172.20.0.1, server: 0.0.0.0:8080
nginx_1          | 2020/04/24 04:43:37 [info] 6#6: *220 client 172.20.0.1 closed keepalive connection
nginx_1          | 2020/04/24 04:43:51 [info] 6#6: *225 client closed connection while waiting for request, client: 172.20.0.1, server: 0.0.0.0:8080

That's all for today.

I checked the processes running inside the NetBox container:

bash-5.0$ ps aux
PID   USER     TIME  COMMAND
    1 101       1:06 {gunicorn} /usr/local/bin/python /usr/local/bin/gunicorn -c /etc/netbox/config/gunicorn_config.py netbox.wsgi
   69 101       0:05 {gunicorn} /usr/local/bin/python /usr/local/bin/gunicorn -c /etc/netbox/config/gunicorn_config.py netbox.wsgi
   70 101       0:03 {gunicorn} /usr/local/bin/python /usr/local/bin/gunicorn -c /etc/netbox/config/gunicorn_config.py netbox.wsgi
   71 101       0:04 {gunicorn} /usr/local/bin/python /usr/local/bin/gunicorn -c /etc/netbox/config/gunicorn_config.py netbox.wsgi
  103 101       0:00 /bin/bash
  112 101       0:00 ps aux

NetBox seems to be run by the root user:

bash-5.0$ id
uid=101 gid=0(root)

The media directories are owned by the user root:

bash-5.0$ ls -ld /opt/netbox/netbox/media/{,devicetype-images,image-attachments}
drwxrwxr-x    4 root     root            56 Apr  5 19:35 /opt/netbox/netbox/media/
drwxr-xr-x    2 root     root            24 Apr  5 19:35 /opt/netbox/netbox/media/devicetype-images
drwxr-xr-x    2 root     root            24 Apr  5 19:35 /opt/netbox/netbox/media/image-attachments

There is also just about 19 GB of space left on the mountpoint.

/dev/mapper/my-lv        50.0G     30.9G     19.1G  62% /opt/netbox/netbox/media

[weisdd]

@derdeagle I think it's similar issue to the one described here: #252.
Basically, none of uid=101 and gid=0 has +w permissions on media folders. You can fix that for the root group by executing:

$ sudo chmod -R g+w /opt/netbox/netbox/media

In case a default docker volume is used, we can enforce correct permissions at image building stage. There's already a fix merged into a "develop" branch (#276). Thus, it should be fair to expect it in one of the upcoming releases, once the commit is cherry-picked into the "release" branch. Not sure when it'll happen though.

In case something else is used (your case), the story is different. E.g. if we have the entry listed below, docker will create the local folder with root:root 0755 (due to umask 022) upon netbox' start:
"- ./netbox-media-files:/opt/netbox/netbox/media:z"
As our user has uid=101 and belongs to gid=0, we have to manually change permissions to allow gid=0 to write data. Thus, "sudo chmod -R g+w OUR_MEDIA_FOLDER" comes handy.
Other ways:

• change uid to 0 => considered to be a bad practice;
• chown media folder to match uid 101 => there's no need to do that. Any user not added in /etc/passwd and /etc/group automatically belongs to root group (gid=0), thus chmod g+w assuming the owner is root:root should be sufficient.

[derdeagle]

Thank you very much. sudo cannot be used so I had to use this to login as root.
docker exec -it --user root <container_name> /bin/bash.

I'll wait for the next release then. Again, thank you!