cannot create directory: Permission denied when using rootless #364

Open
Jan-Ka opened this issue Oct 22, 2024 · 8 comments


Jan-Ka commented Oct 22, 2024

Describe the Bug

wolveix/satisfactory-server appears to not work correctly when set up to use a non-root user.
Dies on mkdir: cannot create directory ‘/home/steam’: Permission denied

I followed the tips to use the user variable for setting up rootless found in other issues and expected to have files on disk created as the specified user (and the server to start).

Your Runtime Command or Docker Compose File

services: 
  sat1:
    image: wolveix/satisfactory-server:v1.8.8
    container_name: satisfactory-server
    user: "1012:1012"
    restart: no
    volumes: 
      - "sat1:/config"
    ports:
      - 7777:7777/udp
      - 7777:7777/tcp
    environment:
      - MAXPLAYERS=4
      - PGID=1012
      - PUID=1012
      - ROOTLESS=true
      - STEAMBETA=false
#      - DEBUG=true

networks:
  proxy:
    external: true

volumes:
  sat1:
    driver: local-persist
    driver_opts:
      mountpoint: /usr/share/satisfactory/sat1      

Debug Output

declare -x MAXTICKRATE="30"
declare -x OLDPWD
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
declare -x PGID="1012"
declare -x PUID="1012"
declare -x PWD="/config"
declare -x ROOTLESS="true"
declare -x SERVERGAMEPORT="7777"
declare -x SERVERSTREAMING="true"
declare -x SHLVL="1"
declare -x SKIPUPDATE="false"
declare -x STEAMAPPID="1690800"
declare -x STEAMBETA="false"
declare -x TIMEOUT="30"
declare -x USER="steam"
declare -x VERSION="1.8.8"
declare -x VMOVERRIDE="false"

<see below>

Current version:
1.8.8
Current user:
uid=1012 gid=1012 groups=1012
Proposed user:
uid=1012(?) gid=1012(?) groups=1012(?)

Exiting...

System Specs (please complete the following information):

OS: Linux f182d75e91eb 6.8.0-47-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 21:40:26 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
CPU: AMD Ryzen 5 3600 6-Core Processor
RAM: 59GB/64GB
HDD: 33GB/436GB (8% used)

Logs

satisfactory-server_logs.txt

Additional Context

The user I want to use is satisfactory:x:1012:1012.

The mounted volume is accessible to the user at /usr/share/satisfactory/sat1. I tested this manually by doing su satisfactory and touch test.txt, the file was created.

I then started the container (with the above docker-compose.yaml); it created these folders without problem:
image

And then stopped with mkdir: cannot create directory ‘/home/steam’: Permission denied

About the only way I can make this container work is to not use any of the user-related env vars (PGID/PUID), set ROOTLESS to false and remove the user parameter. On this server, this defaults to a user that happens to have the PGID/PUID 1000:1000, which lets the server start and players can connect.

Owner

wolveix commented Oct 22, 2024

Hey @Jan-Ka, what version of Ubuntu are you running? Additionally, does it work when just setting PUID and PGID to 1012, without setting the user?

Additionally, please try with wolveix/satisfactory-server:v1.7.0

Author

Jan-Ka commented Oct 22, 2024

Hi, thanks for the quick reply.

I'm running Ubuntu 24.04.1 LTS.

It does not work when just setting PUID and PGID but it progresses further until it hits:

Refusing to run with the root privileges.

Here's the log:
satisfactory-server_logs (1).txt

Also, all new files are created with the root user:
image

With wolveix/satisfactory-server:v1.7.0 I get about as much as the first log I provided:

Checking available memory...59GB detected
The current user does not have write permissions for /config

I tried with just setting PUID and PGID, without setting user in wolveix/satisfactory-server:v1.7.0, to the same result as with v1.8.8, here's the log:

satisfactory-server_logs (2).txt

folders are also created as root:

image

Author

Jan-Ka commented Oct 22, 2024

Tested wolveix/satisfactory-server:v1.7.0 without ROOTLESS=true and only setting PGID and PUID:

services: 
  sat1:
    image: wolveix/satisfactory-server:v1.7.0
    container_name: satisfactory-server
#    user: "1012:1012"
    restart: no
    volumes: 
      - "sat1:/config"
    ports:
      - 7777:7777/udp
      - 7777:7777/tcp
    labels:
      - "traefik.enable=true"
      # TCP Router for TCP traffic
      - "traefik.tcp.routers.sat1-tcp.rule=HostSNI(`sat1.servive.me`)"  # Using HostSNI for TCP
      - "traefik.tcp.routers.sat1-tcp.entrypoints=sat1"
      - "traefik.tcp.routers.sat1-tcp.service=sat1-tcp"
      - "traefik.tcp.services.sat1-tcp.loadbalancer.server.port=7777"
   
      # UDP Router for UDP traffic
      - "traefik.udp.routers.sat1-udp.entrypoints=sat1"  # UDP traffic on sat1 entrypoint
      - "traefik.udp.routers.sat1-udp.service=sat1-udp"
      - "traefik.udp.services.sat1-udp.loadbalancer.server.port=7777"
    environment:
      - MAXPLAYERS=4
      - PGID=1012
      - PUID=1012
#      - ROOTLESS=true
      - STEAMBETA=false
#      - DEBUG=true

This managed to spool up the server! And set the correct PGID/PUID in the FS.

satisfactory-server_logs (3).txt

Retested with wolveix/satisfactory-server:v1.8.8; and that works too?

Odd?

Owner

wolveix commented Oct 22, 2024

Yes, I meant to say to test it without ROOTLESS. This likely means that the given user is struggling to create the directories on the host.

Given that you're using a Docker volume, that could explain some of the weirdness (I usually rely on bind mounts).

Author

Jan-Ka commented Oct 22, 2024

Strikes me as a bit odd, I'm running other game & app containers with that setup without that problem. And it manages to create folders.

I was wondering if perhaps d2f071e#L30

groupadd -r steam -g $PGID 

might solve this?

I'm not sure if the container dies here:

/home/steam/.steam/root \

or here:

&& useradd -ms /bin/bash steam \

or if the error is related to the FileSystem at all at this point?

Owner

wolveix commented Oct 22, 2024

It can't be stopping during the Dockerfile as that happens during the build process, so before the build is even made available to you :)

It is most likely during the init.sh script. I don't believe the groupadd would make a difference here either.

Does it work if you use a host bound directory, rather than a Docker volume?

Author

Jan-Ka commented Oct 23, 2024

> It can't be stopping during the Dockerfile as that happens during the build process, so before the build is even made available to you :)

That is very true. Sorry, it was late yesterday 😅

Anyway…

I tried with this setup

services: 
  sat2:
    image: wolveix/satisfactory-server:v1.8.8
    user: "1012:1012"
    restart: no
    volumes: 
      - "/usr/share/satisfactory/sat2:/config"
    ports:
      - 7778:7777/udp
      - 7778:7777/tcp

    environment:
      - MAXPLAYERS=4
      - PGID=1012
      - PUID=1012
      - ROOTLESS=true
      - STEAMBETA=false
#      - DEBUG=true


networks:
  proxy:
    external: true

Doesn't change the behaviour. Some folders get generated, but then it stops with the same error:

===== Satisfactory Server 1.8.8 =====
https://github.com/wolveix/satisfactory-server
Checking available memory: 59GB detected
Clearing old Satisfactory logs (set LOG=true to disable this)
mkdir: cannot create directory ‘/home/steam’: Permission denied
mkdir: cannot create directory ‘/home/steam’: Permission denied
mkdir: cannot create directory ‘/home/steam’: Permission denied

I've tried with wolveix/satisfactory-server:v1.7.0 but to the same, previously recorded outcome.

So it doesn't look like that has any impact on things.

Owner

wolveix commented Oct 23, 2024

Thanks for the information. I'll find time to look into this :) ROOTLESS hasn't received the love it deserves recently
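
A diagnostic for the failure discussed in this thread, added here as an example and not taken from the project's init.sh: mkdir needs write and search permission on the nearest existing parent directory, so the script finds that directory and checks its owner, group and mode against the current UID/GID. The function names are hypothetical, and the check covers classic mode bits and the primary group only (no ACLs or supplementary groups).

```shell
#!/bin/sh
# Added example (hypothetical helper names): explain a "mkdir: Permission denied".

# Pure check on classic mode bits; ignores ACLs and supplementary groups.
# usage: mode_allows_wx UID GID OWNER GROUP OCTAL_MODE
mode_allows_wx() {
  local uid="$1" gid="$2" owner="$3" group="$4" mode bits
  mode=$((0$5))                                 # leading 0 => parsed as octal
  [ "$uid" -eq 0 ] && return 0                  # root bypasses mode bits
  if   [ "$uid" -eq "$owner" ]; then bits=$(( (mode >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 ))
  else                               bits=$((  mode & 7 ))
  fi
  [ $(( bits & 3 )) -eq 3 ]                     # needs write (2) + search (1)
}

# Walk up from a path that may not exist yet to the first existing directory.
nearest_existing_ancestor() {
  local p="$1"
  while [ ! -d "$p" ] && [ "$p" != "/" ] && [ "$p" != "." ]; do
    p=$(dirname "$p")
  done
  printf '%s\n' "$p"
}

# Report whether the current UID/GID could create TARGET (e.g. with mkdir -p).
diagnose_mkdir() {
  local target="$1" parent info
  parent=$(nearest_existing_ancestor "$target")
  info=$(stat -c '%u %g %a' "$parent") || return 2   # GNU/busybox stat
  set -- $info                                       # $1=owner $2=group $3=mode
  if mode_allows_wx "$(id -u)" "$(id -g)" "$1" "$2" "$3"; then
    echo "OK: uid=$(id -u) gid=$(id -g) can create $target under $parent ($1:$2 $3)"
  else
    echo "DENIED: uid=$(id -u) gid=$(id -g) lacks w+x on $parent ($1:$2 $3)"
    return 1
  fi
}

# Constructed demo: the issue's 1012:1012 against an assumed root-owned 0755 parent.
mode_allows_wx 1012 1012 0 0 755 || echo "1012:1012 cannot mkdir under a 0:0 0755 directory"
# Real check for the path from the error message, or for a path given as $1.
diagnose_mkdir "${1:-/home/steam}" || true
```

Run inside the container as the same user the service uses, the output names the directory whose ownership or mode blocks the mkdir.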
