[SOLVED] Docker image fails to spin up if specifying a user/group

version: "3.7"
services:

  ### other services

  bitwarden:
    image: bitwardenrs/server
    restart: always
    environment:
      ROCKET_PORT: '8080'
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'true'   # set to false to disable signups
      DOMAIN: '<my.domain.tld>'
      ADMIN_TOKEN: 'temptoken'
    user: "1000:1000"
    networks:
      lan:
        ipv4_address: "10.100.0.4"

networks:
  lan:
    ipam:
      config:
      - subnet: '10.100.0.0/24'
      driver: 'default'

I spun up a docker container the other day, worked out reverse proxying w/ tls, my backup solution, and now trying to do some basic hardening. The default config works without issue, but the second I try to assign user/group the container seizes with:

[2020-09-18 17:43:59.897][panic][ERROR] thread 'main' panicked at 'Can't connect to DB: BadConnection("Unable to open the database file")': src/main.rs:229

Things I’ve tried:
I originally had a data volume; I tried using chown to change ownership to the 1000:1000 user:group. When that didn’t work I tried with a different user/group 1001:1001. I’ve since started with a scratch container and nuking between config changes via:

docker container stop testing_bitwarden_1 && echo 'y' | docker container prune && docker-compose up bitwarden

If I comment out user: "1000:1000" then the container launches fine.

Minor edit: with and without quotes around 1000:1000 yields the same issue. I’ve added quotes because IIRC yml does some funky interpretation for octal numbers or some such, and strings are safe.

Update: tried amd64 images (1.15.0, 1.16.1, 1.16.3) (originally was on arm32v7) and getting the same result:

# docker-compose.yml
version: '3'

services:
  bitwarden:
    image: bitwardenrs/server:1.15.0
    container_name: bitwarden
    user: '1000:1000' # quoted so YAML keeps it a string
    environment:
      WEBSOCKET_ENABLED: 'true' # Required to use websockets
      SIGNUPS_ALLOWED: 'true'   # set to false to disable signups
      ROCKET_PORT: '8080'
    ports:
      - '8080:8080'

The user the container process runs as needs to be able to read/write the database file and the directory it’s in. It’s simplest to create a data directory with the appropriate uid:gid ownership (1000:1000 if that’s what you’re using) and bind-mount it into the container. This is what’s shown under https://github.com/dani-garcia/bitwarden_rs/wiki/Starting-a-Container.

If you really want to use a data volume, that will be owned by root:root by default, so you’ll need to change permissions on it manually.
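The preparation described in this answer, as an added example that is not from the thread or the bitwarden_rs project: create the bind-mount directory with the right uid:gid before the container starts, verify it looks the way the container process needs it, and emit a compose service that mounts it instead of letting Docker auto-create a root-owned path. It assumes GNU coreutils (`stat -c`) and that the image stores its data under `/data`.

```shell
#!/bin/sh
# Added example, not from the thread: prepare a bind-mount data directory for a
# container that runs as a non-root uid:gid, and verify ownership/permissions
# before starting it. Assumes GNU coreutils (stat -c) and that the image keeps
# its data under /data (treated here as an assumption).

# Create DIR if missing, then give it to UID:GID with owner-only access.
prepare_data_dir() {
  dir=$1; uid=$2; gid=$3
  [ -d "$dir" ] || mkdir -p "$dir" || return 1
  chown "$uid:$gid" "$dir" || return 1
  chmod 0700 "$dir" || return 1
}

# Succeed only if DIR exists, is owned by UID:GID and is rwx for its owner.
# This is the state the container process needs to open the SQLite file;
# a directory auto-created by Docker as root:root fails the owner check.
check_data_dir() {
  dir=$1; uid=$2; gid=$3
  [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
  owner=$(stat -c '%u:%g' "$dir") || return 1
  [ "$owner" = "$uid:$gid" ] || { echo "$dir owned by $owner, want $uid:$gid" >&2; return 1; }
  case "$(stat -c '%A' "$dir")" in
    drwx*) return 0 ;;
    *) echo "$dir is not rwx for its owner" >&2; return 1 ;;
  esac
}

# Print a compose service that runs as UID:GID and bind-mounts DIR at /data,
# rather than naming a path and letting Docker create it as root:root.
compose_snippet() {
  dir=$1; uid=$2; gid=$3
  cat <<EOF
version: "3.7"
services:
  bitwarden:
    image: bitwardenrs/server
    user: "$uid:$gid"
    volumes:
      - "$dir:/data"
EOF
}

# Usage: prepare, verify, then bring the service up (uncomment to run).
# prepare_data_dir /srv/bw-data 1000 1000 && check_data_dir /srv/bw-data 1000 1000 \
#   && compose_snippet /srv/bw-data 1000 1000 > docker-compose.yml && docker-compose up -d
```

Run the prepare and check steps as root (or as the target user) on the host; if the check fails, the container would hit the same "Unable to open the database file" panic.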

This helped me understand my issue. I was specifying a path to a bind mount and letting docker auto create it. Manually creating the path or running sudo chown -R 1000:1000 <directory here> on an existing directory (init’d by running a bitwarden container run as root) fixes the issue.

Thank you for the clarification!