starred/ArchiveBox
1
0
Fork 0
mirror of https://github.com/ArchiveBox/ArchiveBox.git synced 2026-04-25 09:06:02 +03:00
Code Issues 624 Projects Releases 5 Packages Wiki Activity

[GH-ISSUE #1304] Bug: ArchiveBox doesn't work on NFS/SMB/FUSE drives that disallow root ownership or have root_squash set #800

New issue
Closed
opened 2026-03-01 14:46:24 +03:00 by kerem · 6 comments
kerem commented 2026-03-01 14:46:24 +03:00
Owner
Copy link

Originally created by @gnattu on GitHub (Dec 30, 2023).
Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1304

Describe the bug

If the docker-entry point failed to chown the archive folder, it quits immediately, so that the container does not run at all, make it impossible to run archivebox with an nfs-mounted volume as the archive folder.

I'm currently using this with a modified entrypoint which removed the line to chmod everything under DATA dir.

Steps to reproduce

  1. Create an NFS volume with docker: docker volume create --driver local --opt type=nfs --opt o=addr=[ip-address],rw --opt device=:[path-to-directory] [volume-name]

  2. Use this as the archivefolder in docker-compose.yml: - volume-name:/data/archive

  3. Start container. The conatiner quit right after it failed to chown the nfs mounted folder

Screenshots or log output

[+] Creating 1/0
 ✔ Container archivebox-sonic-1  Running                                                                     0.0s
chown: changing ownership of '/data/archive': Operation not permitted

ArchiveBox version

[+] Creating 1/0
 ✔ Container archivebox-sonic-1  Running                                                                     0.0s
0.7.1
ArchiveBox v0.7.1+editable BUILD_TIME=2023-12-18 06:57:08 1702882628
IN_DOCKER=True IN_QEMU=False ARCH=aarch64 OS=Linux PLATFORM=Linux-6.5.13-orbstack-00121-ge428743e4e98-aarch64-with-glibc2.36 PYTHON=Cpython
FS_ATOMIC=True FS_REMOTE=True FS_USER=1000:1000 FS_PERMS=644
DEBUG=False IS_TTY=True TZ=UTC SEARCH_BACKEND=sonic LDAP=False

[i] Dependency versions:
 √  PYTHON_BINARY         v3.11.7         valid     /usr/local/bin/python3.11                                     
 √  SQLITE_BINARY         v2.6.0          valid     /usr/local/lib/python3.11/sqlite3/dbapi2.py                   
 √  DJANGO_BINARY         v3.1.14         valid     /usr/local/lib/python3.11/site-packages/django/__init__.py    
 √  ARCHIVEBOX_BINARY     v0.7.1          valid     /usr/local/bin/archivebox                                     

 √  CURL_BINARY           v8.4.0          valid     /usr/bin/curl                                                 
 √  WGET_BINARY           v1.21.3         valid     /usr/bin/wget                                                 
 √  NODE_BINARY           v21.4.0         valid     /usr/bin/node                                                 
 √  SINGLEFILE_BINARY     v1.1.18         valid     /app/node_modules/single-file-cli/single-file                 
 √  READABILITY_BINARY    v0.0.9          valid     /app/node_modules/readability-extractor/readability-extractor 
 √  MERCURY_BINARY        v1.0.0          valid     /app/node_modules/@postlight/parser/cli.js                    
 √  GIT_BINARY            v2.39.2         valid     /usr/bin/git                                                  
 √  YOUTUBEDL_BINARY      v2023.11.16     valid     /usr/local/bin/yt-dlp                                         
 √  CHROME_BINARY         v120.0.6099.28  valid     /browsers/chromium-1091/chrome-linux/chrome                   
 √  RIPGREP_BINARY        v13.0.0         valid     /usr/bin/rg                                                   

[i] Source-code locations:
 √  PACKAGE_DIR           24 files        valid     /app/archivebox                                               
 √  TEMPLATES_DIR         4 files         valid     /app/archivebox/templates                                     
 -  CUSTOM_TEMPLATES_DIR  -               disabled  None                                                          

[i] Secrets locations:
 -  CHROME_USER_DATA_DIR  -               disabled  None                                                          
 -  COOKIES_FILE          -               disabled  None                                                          

[i] Data locations:
 √  OUTPUT_DIR            9 files @       valid     /data                                                         
 √  SOURCES_DIR           77 files        valid     ./sources                                                     
 √  LOGS_DIR              1 files         valid     ./logs                                                        
 √  ARCHIVE_DIR           361 files @     valid     ./archive                                                     
 √  CONFIG_FILE           162.0 Bytes     valid     ./ArchiveBox.conf                                             
 √  SQL_INDEX             4.7 MB          valid     ./index.sqlite3       ```
<!-- Tickets without full version info will closed until it is provided,
we need the full output here to help you solve your issue -->
Originally created by @gnattu on GitHub (Dec 30, 2023). Original GitHub issue: https://github.com/ArchiveBox/ArchiveBox/issues/1304 <!-- Please fill out the following information, feel free to delete sections if they're not applicable or if long issue templates annoy you. (the only required section is the version information) --> #### Describe the bug <!-- A description of what the bug is, what you expected to happen, and any relevant context about issue. --> If the docker-entry point failed to chown the archive folder, it quits immediately, so that the container does not run at all, make it impossible to run archivebox with an nfs-mounted volume as the archive folder. I'm currently using this with a modified entrypoint which removed the line to chmod everything under DATA dir. #### Steps to reproduce <!-- For example: 1. Ran ArchiveBox with the following config '...' 2. Saw this output during archiving '....' 3. UI didn't show the thing I was expecting '....' --> 1. Create an NFS volume with docker: `docker volume create --driver local --opt type=nfs --opt o=addr=[ip-address],rw --opt device=:[path-to-directory] [volume-name]` 2. Use this as the archivefolder in docker-compose.yml: `- volume-name:/data/archive` 3. Start container. The conatiner quit right after it failed to chown the nfs mounted folder #### Screenshots or log output <!-- If applicable, post any relevant screenshots or copy/pasted terminal output from ArchiveBox. If you're reporting a parsing / importing error, **you must paste a copy of your redacted import file here**. --> ``` [+] Creating 1/0 ✔ Container archivebox-sonic-1 Running 0.0s chown: changing ownership of '/data/archive': Operation not permitted ``` #### ArchiveBox version <!-- Run the `archivebox version` command locally then copy paste the result here: --> ```logs [+] Creating 1/0 ✔ Container archivebox-sonic-1 Running 0.0s 0.7.1 ArchiveBox v0.7.1+editable BUILD_TIME=2023-12-18 06:57:08 1702882628 IN_DOCKER=True IN_QEMU=False ARCH=aarch64 OS=Linux PLATFORM=Linux-6.5.13-orbstack-00121-ge428743e4e98-aarch64-with-glibc2.36 PYTHON=Cpython FS_ATOMIC=True FS_REMOTE=True FS_USER=1000:1000 FS_PERMS=644 DEBUG=False IS_TTY=True TZ=UTC SEARCH_BACKEND=sonic LDAP=False [i] Dependency versions: √ PYTHON_BINARY v3.11.7 valid /usr/local/bin/python3.11 √ SQLITE_BINARY v2.6.0 valid /usr/local/lib/python3.11/sqlite3/dbapi2.py √ DJANGO_BINARY v3.1.14 valid /usr/local/lib/python3.11/site-packages/django/__init__.py √ ARCHIVEBOX_BINARY v0.7.1 valid /usr/local/bin/archivebox √ CURL_BINARY v8.4.0 valid /usr/bin/curl √ WGET_BINARY v1.21.3 valid /usr/bin/wget √ NODE_BINARY v21.4.0 valid /usr/bin/node √ SINGLEFILE_BINARY v1.1.18 valid /app/node_modules/single-file-cli/single-file √ READABILITY_BINARY v0.0.9 valid /app/node_modules/readability-extractor/readability-extractor √ MERCURY_BINARY v1.0.0 valid /app/node_modules/@postlight/parser/cli.js √ GIT_BINARY v2.39.2 valid /usr/bin/git √ YOUTUBEDL_BINARY v2023.11.16 valid /usr/local/bin/yt-dlp √ CHROME_BINARY v120.0.6099.28 valid /browsers/chromium-1091/chrome-linux/chrome √ RIPGREP_BINARY v13.0.0 valid /usr/bin/rg [i] Source-code locations: √ PACKAGE_DIR 24 files valid /app/archivebox √ TEMPLATES_DIR 4 files valid /app/archivebox/templates - CUSTOM_TEMPLATES_DIR - disabled None [i] Secrets locations: - CHROME_USER_DATA_DIR - disabled None - COOKIES_FILE - disabled None [i] Data locations: √ OUTPUT_DIR 9 files @ valid /data √ SOURCES_DIR 77 files valid ./sources √ LOGS_DIR 1 files valid ./logs √ ARCHIVE_DIR 361 files @ valid ./archive √ CONFIG_FILE 162.0 Bytes valid ./ArchiveBox.conf √ SQL_INDEX 4.7 MB valid ./index.sqlite3 ``` <!-- Tickets without full version info will closed until it is provided, we need the full output here to help you solve your issue -->
kerem closed this issue 2026-03-01 14:46:24 +03:00
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@pirate commented on GitHub (Jan 1, 2024):

This only happens if your NFS volume disables or remaps permissions. The solution is not to remove the chmod but rather to set PUID & PGID environment variables to the same values that your NFS server enforces.

<!-- gh-comment-id:1873119706 --> @pirate commented on GitHub (Jan 1, 2024): This only happens if your NFS volume disables or remaps permissions. The solution is not to remove the chmod but rather to set PUID & PGID environment variables to the same values that your NFS server enforces.
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@gnattu commented on GitHub (Jan 1, 2024):

set PUID & PGID environment variables to the same values that your NFS server enforces.

This is not always do-able because my server enforces the owner group id to 0 for all files and in this case, you cannot just set PGID=0 in env to fix this issue because you will have to allow root access for this NFS client as well. The PUID is already set to the correct value and that PUID does have read/write permission in the mounted dir. (And actually, the owner of the folder)

<!-- gh-comment-id:1873381660 --> @gnattu commented on GitHub (Jan 1, 2024): > set PUID & PGID environment variables to the same values that your NFS server enforces. This is not always do-able because my server enforces the owner group id to 0 for all files and in this case, you cannot just set PGID=0 in env to fix this issue because you will have to allow root access for this NFS client as well. The PUID is already set to the correct value and that PUID does have read/write permission in the mounted dir. (And actually, the owner of the folder)
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@pirate commented on GitHub (Jan 3, 2024):

hmm that's somewhat usual but I guess I can allow PGID=0.

I just pushed a commit to :dev to remove the PGID!=0 check, can you try it out?

You can get it with docker pull archivebox/archivebox:dev or follow these instructions: https://github.com/ArchiveBox/ArchiveBox#install-and-run-a-specific-github-branch

<!-- gh-comment-id:1874740754 --> @pirate commented on GitHub (Jan 3, 2024): hmm that's somewhat usual but I guess I can allow PGID=0. I just pushed a commit to `:dev` to remove the PGID!=0 check, can you try it out? You can get it with `docker pull archivebox/archivebox:dev` or follow these instructions: https://github.com/ArchiveBox/ArchiveBox#install-and-run-a-specific-github-branch
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@gnattu commented on GitHub (Jan 3, 2024):

The strange thing is, even after set PGID=0 using archivebox/archivebox:dev, the container still failed with chown: changing ownership of '/data/archive': Operation not permitted.

<!-- gh-comment-id:1875017533 --> @gnattu commented on GitHub (Jan 3, 2024): The strange thing is, even after set `PGID=0` using `archivebox/archivebox:dev`, the container still failed with `chown: changing ownership of '/data/archive': Operation not permitted`.
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@pirate commented on GitHub (Jan 3, 2024):

Ah it looks like you're using the root_squash option on the server. This prevents all chown calls from working, and is unfortunately not easily supported by ArchiveBox at the moment.

AB in Docker starts running as root to create the data dir and set it up correctly, so when it drops down to a sub-user with fewer permissions it wont be able to modify the root_squashed files it just created as they'll now be owned by the NFS anonymous/nobody user. If you're able to disable that option on the server or set no_root_squash, it should work.

The security benefit that root_squash provides is limited anyway, as root on NFS is effectively able to impersonate any UID. root_squashing only prevents a specific SUID escalation attack but doesn't stop clients from impersonating other users.

https://superuser.com/questions/1737302/root-squashing-for-nfs-and-smb-clarification
https://serverfault.com/questions/88114/cant-modify-or-chown-files-on-readynas-nfs-share

<!-- gh-comment-id:1876077999 --> @pirate commented on GitHub (Jan 3, 2024): Ah it looks like you're using the `root_squash` option on the server. This prevents all `chown` calls from working, and is unfortunately not easily supported by ArchiveBox at the moment. AB in Docker starts running as root to create the data dir and set it up correctly, so when it drops down to a sub-user with fewer permissions it wont be able to modify the `root_squashed` files it just created as they'll now be owned by the NFS anonymous/nobody user. If you're able to disable that option on the server or set `no_root_squash`, it should work. The security benefit that `root_squash` provides is limited anyway, as root on NFS is effectively able to impersonate any UID. root_squashing only prevents a specific SUID escalation attack but doesn't stop clients from impersonating other users. https://superuser.com/questions/1737302/root-squashing-for-nfs-and-smb-clarification https://serverfault.com/questions/88114/cant-modify-or-chown-files-on-readynas-nfs-share
kerem commented 2026-03-01 14:46:25 +03:00
Author
Owner
Copy link

@jamesob commented on GitHub (Jan 4, 2024):

In my case, the fix here was to disable root_squash on my NFS-via-ZFS share (on the NAS server), like so:

zfs set sharenfs="no_root_squash,rw=@10.8.1.0/24,rw=@10.222.0.0/24" tank/nas

and then verify that the NFS server exports reflects the new option with # exportfs -v. I then recreated the archivebox docker container and stopped getting this permission error.

<!-- gh-comment-id:1877515982 --> @jamesob commented on GitHub (Jan 4, 2024): In my case, the fix here was to disable `root_squash` on my NFS-via-ZFS share (on the NAS server), like so: ``` zfs set sharenfs="no_root_squash,rw=@10.8.1.0/24,rw=@10.222.0.0/24" tank/nas ```` and then verify that the NFS server exports reflects the new option with `# exportfs -v`. I then recreated the archivebox docker container and stopped getting this permission error.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
dev
main
abx-dl-refactor
claude/issue-1688-20251229-2233
claude/s3-support-migration-JZQcf
claude/review-snapshot-archive-RJOkr
claude/review-code-quality-macdO
claude/reduce-chrome-duplication-JgWVr
fix/chrome-args-comma-parsing
claude/issue-668-20251229-2145
claude/issue-1664-20251229-2236
v086
claude/improve-test-suite-xm6Bh
claude/typescript-archivebox-rewrite-011CUmPyEmECnkXwyHRT9RPF
claude/archivebox-schema-orm-comparison-011CUn26GurEpLiBUq4zjVLJ
stable
logfire
plugins-browsertrix
v072
link-removal2
v0.8.6rc1
v0.7.3
v0.8.6rc0
v0.8.5rc53
v0.8.5rc51
v0.8.5rc50
v0.8.5rc49
v0.8.5rc48
v0.8.5rc47
v0.8.5rc46
v0.8.5rc45
v0.8.5rc44
v0.8.5rc43
v0.8.5rc42
v0.8.5rc41
v0.8.5rc40
v0.8.5rc39
v0.8.5rc38
v0.8.5rc37
v0.8.5rc36
v0.8.5rc35
v0.8.5rc34
v0.8.5rc33
v0.8.5rc32
v0.8.5rc31
v0.8.5rc30
v0.8.5rc29
v0.8.5rc28
v0.8.5rc27
v0.8.5rc26
v0.8.5rc25
v0.8.5rc24
v0.8.5rc23
v0.8.5rc22
v0.8.5rc13
v0.8.5rc12
v0.8.5rc11
v0.8.5rc10
v0.8.5rc9
v0.8.5rc8
v0.8.5rc6
v0.8.5rc5
v0.8.5rc4
v0.8.5rc3
v0.8.5rc2
v0.8.5-rc
v0.8.4-rc
v0.8.3-rc
v0.8.2-rc
v0.8.0-rc
v0.7.2
v0.7.1
v0.7.0
v0.6.2
v0.6.0
v0.5.6
v0.5.4
v0.5.3
v0.4.24
v0.4.21
v0.4.20
v0.4.19
v0.4.18
v0.4.17
v0.4.16
v0.4.15
v0.4.14
v0.4.13
v0.4.12
v0.4.11
v0.4.9
v0.2.4
v0.2.3
v0.2.2
v0.2.1
v0.2.0
v0.1.0
v0.0.3
v0.0.2
v0.0.1
Labels
Clear labels   
expected: maybe someday

   
expected: next release

   
expected: release after next

   
expected: unlikely unless contributed

   
good first ticket

   
help wanted

   
pull-request

Mirrored from GitHub Pull Request

  
scope: all users

   
scope: windows users

   
size: easy

   
size: hard

   
size: medium

   
size: medium

   
status: backlog

   
status: blocked

   
status: done

   
status: idea-phase

   
status: needs followup

   
status: wip

   
status: wontfix

   
touches: API/CLI/Spec

   
touches: configuration

   
touches: data/schema/architecture

   
touches: dependencies/packaging

   
touches: docs

   
touches: js

   
touches: views/replayers/html/css

   
why: correctness

   
why: functionality

   
why: performance

   
why: security
No labels
expected: maybe someday
expected: next release
expected: release after next
expected: unlikely unless contributed
good first ticket
help wanted
pull-request
scope: all users
scope: windows users
size: easy
size: hard
size: medium
size: medium
status: backlog
status: blocked
status: done
status: idea-phase
status: needs followup
status: wip
status: wontfix
touches: API/CLI/Spec
touches: configuration
touches: data/schema/architecture
touches: dependencies/packaging
touches: docs
touches: js
touches: views/replayers/html/css
why: correctness
why: functionality
why: performance
why: security
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/ArchiveBox#800
No description provided.