Permission issues when replacing the default Orthanc.json file in Docker

Trying to use Postgres indexing, as per the book example here https://book.orthanc-server.com/users/docker.html

The example line shows this

 **sudo docker run -p 4242:4242 -p 8042:8042 --rm -v /tmp/orthanc.json:/etc/orthanc/orthanc.json:ro jodogne/orthanc**

with the /tmp version replacing the /etc/orthanc one. Problem is, when I do this, I get this

 **default: W0705 16:13:46.836633 OrthancConfiguration.cpp:113] Scanning folder "/etc/orthanc/" for configuration files**
 **default: E0705 16:13:46.837426 main.cpp:1485] Uncaught exception, stopping now: [boost::filesystem::status: Permission denied: "/etc/orthanc/orthanc.json"]**
 **default: W0705 16:13:46.837621 main.cpp:1501] Orthanc has stopped**

How do I set the permissions on the file to be something that Orthanc will read?

thx,
Steve

Steve,
Ideally you would want to install Orthanc using its own user and then apply the permissions accordingly. I don’t use Docker so am unsure as to how that affects the container, but certainly on an Ubuntu system, this is what’s suggested. I also posted a script (https://groups.google.com/forum/#!topic/orthanc-users/EYW0Z2DksF4) that I use to install Orthanc and that may assist you (script has 1.5.6 listed, but it’s just a variable that can be altered to the latest and greatest).

That’s the rub though. I don’t have the source Docker file to force the install to a known user. So when the line in my first post sends the JSON file over, how can I set it to match what is required?


I believe you could do this:

  1. Create a user named “orthanc” (with associated group)
  2. Ensure that the tmp file is owned by “orthanc”
  3. Obtain the UID and GID (I typically “more /etc/passwd” for a quick review of those UIDs)
  4. Run docker with --user UID:GID

Alternatively, here it states that you probably don’t need to create the user, but use your currently logged in user ID as the user.

Thanks Dave. The --user switch was the missing part.


Steve,
Just out of interest - and for future reference within this group - did you create the user and then use that to start docker, or use your (logged in) user credentials?

So, still not solved. More background. I’ve built a VM on vagrant. I install Docker on the VM. I can launch Orthanc Docker Core as per here
https://book.orthanc-server.com/users/docker.html#running-the-orthanc-core with no problem

I then follow the instructions here
https://book.orthanc-server.com/users/docker.html#fine-tuning-the-configuration

to capture the custom orthanc.json on my VM. It generates without error, but when I get it in /tmp it has owner/group = vagrant/vagrant. I take that -exact file- (with no modification) and try to do this

 sudo docker run -p 4242:4242 -p 8042:8042 --rm -v /tmp/orthanc.json:/etc/orthanc/orthanc.json:ro jodogne/orthanc

and I get the boost::filesystem error

**Uncaught exception, stopping now: [boost::filesystem::status: Permission denied: "/etc/orthanc/orthanc.json"]**

I change the owner/group to root/root (as it was on the working Docker instance in /etc/orthanc) and get the same results. I am stumped.

For good measure I did all the below as user Vagrant on the VM, so then I became root and performed the run line again as root, same results. Given that Sebastien’s Docker file creates the Docker as root, and the /etc/orthanc/orthanc.json is root/root, I don’t know what else to try.

Hi,

I don’t have any issue when trying on my laptop running Ubuntu 19.4, and Docker version 18.09.7, build 2d0083d.

Also my user is part of the docker group.
What does the command `groups` give you in the terminal, what OS is your VM running, and which version of Docker?

Michel

You need to consider the full access control model of your system, not
just the basic UNIX permissions model (e.g. if it uses MAC like SELinux
you may need to label the file or create a policy rule). Most systems
have "security" or "audit" logs which you can inspect to figure out
exactly why the process is denied access.

Also make sure you understand that only user IDs matter to the system
when doing access control and that only IDs are stored on the
filesystem (especially relevant when mapping IDs between host and
container), usernames are just convenience mappings (often set in
/etc/passwd, which will differ between host and container). It could be
that different names in and out of the container map to the same ID or
that the same name maps to different IDs in and out of the container
for example.

In general, I'd say I would discourage using the filesystem for
communication between containers or between the host and the container
(especially if you consider that the Docker host can be remote), and
that often eliminates the need for user remapping (which I would also
generally discourage). All of this very often brings way too much
artificial complexity. Instead, you should consider modifying your
configuration in the container, commit the layer and tag it so you can
reuse it easily, and forget about host bindmounting altogether. Use a
container image builder (e.g. docker-build with a Dockerfile as in this
setup[1]) to rebuild the layer easily (say when the base image is
updated).

You should also consider the "twelve-factor"[2] methodology and use
environment variables whenever possible (and purpose-built file-based
configuration mechanisms[3][4] from container orchestrators otherwise).
Since Orthanc doesn't support environment variables, the canonical
approach is to use a custom container entrypoint[5].

If you don't want to create one yourself, check out the Osimis Orthanc
Bundle[6] which may do what you want already (and feel free to send a
pull request or open an issue if it doesn't!). Your initial question is
about PG indexing, see and try this setup[7] as an example.

[1] https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/postgresql/
[2] https://12factor.net/
[3] https://docs.docker.com/engine/reference/commandline/config/
[4] https://kubernetes.io/docs/tasks/configure-pod-container/configure-pod-configmap/
[5] https://success.docker.com/article/use-a-script-to-initialize-stateful-container-data
[6] https://osimis.atlassian.net/wiki/spaces/OKB/pages/26738689/How+to+use+osimis+orthanc+Docker+images
[7] https://bitbucket.org/osimis/orthanc-setup-samples/src/master/docker/postgresql-easy/
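
The point made above that only numeric IDs matter, together with the earlier `--user UID:GID` suggestion, can be checked on the host before starting the container. The script below is an added example, not part of any post in this thread; `dac_read_check` and `report` are hypothetical helper names. It assumes GNU `stat`, no user-namespace remapping, and ignores supplementary groups and ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU stat, no userns remapping.

# dac_read_check FILE UID GID -> prints "allow" or "deny" for read access,
# using only the numeric IDs and mode bits stored in the inode.
dac_read_check() {
    file=$1; uid=$2; gid=$3
    info=$(stat -c '%u %g %a' "$file") || return 2
    set -- $info
    f_uid=$1; f_gid=$2; perm=$((0$3))      # %a is octal, e.g. 600
    if [ "$uid" -eq 0 ]; then
        # Root in the container keeps CAP_DAC_OVERRIDE by default, so mode
        # bits cannot deny it; a denial here points at MAC (e.g. SELinux).
        echo allow; return 0
    fi
    if   [ "$uid" -eq "$f_uid" ]; then bit=$((perm & 0400))   # owner class
    elif [ "$gid" -eq "$f_gid" ]; then bit=$((perm & 0040))   # group class
    else                               bit=$((perm & 0004))   # other class
    fi
    if [ "$bit" -ne 0 ]; then echo allow; else echo deny; fi
}

# report FILE UID GID -> one line to compare with the container's error log.
report() {
    verdict=$(dac_read_check "$1" "$2" "$3") || return 2
    # Security label, if the host's ls supports -Z; "?" when there is none.
    label=$(ls -Zd -- "$1" 2>/dev/null | cut -d' ' -f1)
    echo "$1 owner=$(stat -c '%u:%g mode=%a' "$1") as=$2:$3 dac=$verdict label=${label:-?}"
}

# Constructed sample: a config file that only its owner may read.
sample=$(mktemp)
chmod 600 "$sample"
report "$sample" 0 0           # container process running as root
report "$sample" 54321 54321   # e.g. docker run --user 54321:54321
rm -f "$sample"
```

If `dac=allow` is reported for the ID the container runs as and the container still logs "Permission denied", the basic UNIX permissions are not the cause and the host's security or audit log is the next place to look.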

Thx everyone for your help. I finally got Sebastien’s example to work after going to this link and getting an up-to-date Docker:

https://www.digitalocean.com/community/tutorials/how-to-install-and-use-docker-on-centos-7