Immich•4mo ago

mmich_postgres container crashes with “permission denied” on /etc/postgresql/postgresql.conf after u

SOLVED! https://discord.com/channels/979116623879368755/1376486772900499487/1376899119364178112 I’ve followed the Breaking Changes guide for Immich v1.133.0, updated my Compose file as documented, and switched the database image to ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0. My Compose snippet for the database service is:

  database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

  database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

When I run: docker compose down && docker compose pull && docker compose up -d && docker compose logs -f the immich_postgres container repeatedly exits with: LOG: could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied FATAL: configuration file "/etc/postgresql/postgresql.conf" contains errors and then the Immich server fails to resolve the database host: Error: getaddrinfo ENOTFOUND database What I’ve tried so far: Verified file ownership & permissions on the host under /var/lib/docker/bindmounts/immich/postgres: -rw-------+ 1 lxd docker 29K Jun 2 2024 postgresql.conf Commented out the custom healthcheck and command: sections, as per the Breaking Changes. Ensured the .env settings point to the correct DB_DATA_LOCATION. Expected behavior: The Postgres container starts normally, migrates the database (VectorChord), and Immich server connects to it. Actual behavior: Postgres crashes with a permission error on its own postgresql.conf, preventing the server from ever resolving the database host.

67 Replies

Immich•4mo ago

:wave: Hey @palpatine, Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:. References - Container Logs: docker compose logs docs - Container Status: docker ps -a docs - Reverse Proxy: https://immich.app/docs/administration/reverse-proxy - Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA Checklist I have... 1. :ballot_box_with_check: verified I'm on the latest release(note that mobile app releases may take some time). 2. :ballot_box_with_check: read applicable release notes. 3. :ballot_box_with_check: reviewed the FAQs for known issues. 4. :ballot_box_with_check: reviewed Github for known issues. 5. :ballot_box_with_check: tried accessing Immich via local ip (without a custom reverse proxy). 6. :ballot_box_with_check: uploaded the relevant information (see below). 7. :ballot_box_with_check: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable (an item can be marked as "complete" by reacting with the appropriate number) Information In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider: - Your docker-compose.yml and .env files. - Logs from all the containers and their status (see above). - All the troubleshooting steps you've tried so far. - Any recent changes you've made to Immich or your system. - Details about your system (both software/OS and hardware). - Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h). - The version of the Immich server, mobile app, and other relevant pieces. - Any other information that you think might be relevant. Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed. Successfully submitted, a tag has been added to inform contributors. :white_check_mark:

palpatineOP•4mo ago

I was trying pulling last image but get the same issue:

immich_postgres          | 
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          | 
immich_postgres          | 2025-05-26 09:21:46.454 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-26 09:21:46.454 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres exited with code 1
immich_server            | [Nest] 6  - 05/26/2025, 9:21:49 AM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | [Nest] 6  - 05/26/2025, 9:21:49 AM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process

immich_postgres          | 
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          | 
immich_postgres          | 2025-05-26 09:21:46.454 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-26 09:21:46.454 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres exited with code 1
immich_server            | [Nest] 6  - 05/26/2025, 9:21:49 AM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | [Nest] 6  - 05/26/2025, 9:21:49 AM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process

Zack•4mo ago

Hmmm, this is the second report we have seen of this, you took these permissions from the host but this folder isn't bind mounted -rw-------+ 1 lxd docker 29K Jun 2 2024 postgresql.conf I am confused where you're pulling this from in this instance Do the permissions look the same for this within the container?

Zack•4mo ago

This is what I expect to see in /etc/postgresql when running the container as root

Zack•4mo ago

I'm unsure why some people are getting different permissions there Maybe it's an LXC thing?

palpatineOP•4mo ago

Im confused too, i was undo the changes and start the container. See log file and immich is running

message.txt

Zack•4mo ago

Undo what changes?

palpatineOP•4mo ago

original compose file with

database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    #image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command:
      [
        'postgres',
        '-c',
        'shared_preload_libraries=vectors.so',
        '-c',
        'search_path="$$user", public, vectors',
        '-c',
        'logging_collector=on',
        '-c',
        'max_wal_size=2GB',
        '-c',
        'shared_buffers=512MB',
        '-c',
        'wal_compression=on',
      ]
    restart: always

database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    #image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command:
      [
        'postgres',
        '-c',
        'shared_preload_libraries=vectors.so',
        '-c',
        'search_path="$$user", public, vectors',
        '-c',
        'logging_collector=on',
        '-c',
        'max_wal_size=2GB',
        '-c',
        'shared_buffers=512MB',
        '-c',
        'wal_compression=on',
      ]
    restart: always

immich_compose_file....

Zack•4mo ago

Ah, yes version 1.133.1 can run with the old image, but that doesn't really solve the problem We need to figure out why some people are having these permissions issues

palpatineOP•4mo ago

ahhh okay i understood okay if i switch back i get the same issue currently i have this permissions:

ls -lsha -n
total 104K
4,0K drwx------  21 999 999 4,0K Mai 26 11:25 .
   0 drwxr-xr-x+  9   0   0  116 Nov  7  2024 ..
   0 drwxr-xr-x   7 999 999   71 Jun  2  2024 base
4,0K -rw-------   1 999 999   44 Mai 26 11:25 current_logfiles
4,0K drwxr-xr-x   2 999 999 4,0K Mai 26 11:25 global
 28K drwxr-xr-x   2 999 999  24K Mai 26 11:25 log
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_commit_ts
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_dynshmem
8,0K -rw-r--r--   1 999 999 4,8K Jun  2  2024 pg_hba.conf
4,0K -rw-r--r--   1 999 999 1,6K Jun  2  2024 pg_ident.conf
   0 drwxr-xr-x   4 999 999   68 Mai 26 11:30 pg_logical
   0 drwxr-xr-x   4 999 999   36 Jun  2  2024 pg_multixact
   0 drwxr-xr-x   2 999 999    6 Jul 14  2024 pg_notify
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_replslot
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_serial
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_snapshots
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_stat
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_stat_tmp
   0 drwxr-xr-x   2 999 999   18 Feb  2 12:32 pg_subtrans
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_tblspc
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_twophase
   0 drwxr-xr-x   4 999 999   52 Jun  2  2024 pg_vectors
4,0K -rw-r--r--   1 999 999    3 Jun  2  2024 PG_VERSION
4,0K drwxr-xr-x   3 999 999 4,0K Mai 26 11:26 pg_wal
   0 drwxr-xr-x   2 999 999   66 Jul  5  2024 pg_xact
4,0K -rw-r--r--   1 999 999   88 Jun  2  2024 postgresql.auto.conf
 32K -rw-r--r--   1 999 999  29K Jun  2  2024 postgresql.conf
4,0K -rw-r--r--   1 999 999  229 Mai 26 11:25 postmaster.opts
4,0K -rw-------   1 999 999   94 Mai 26 11:25 postmaster.pid

ls -lsha -n
total 104K
4,0K drwx------  21 999 999 4,0K Mai 26 11:25 .
   0 drwxr-xr-x+  9   0   0  116 Nov  7  2024 ..
   0 drwxr-xr-x   7 999 999   71 Jun  2  2024 base
4,0K -rw-------   1 999 999   44 Mai 26 11:25 current_logfiles
4,0K drwxr-xr-x   2 999 999 4,0K Mai 26 11:25 global
 28K drwxr-xr-x   2 999 999  24K Mai 26 11:25 log
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_commit_ts
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_dynshmem
8,0K -rw-r--r--   1 999 999 4,8K Jun  2  2024 pg_hba.conf
4,0K -rw-r--r--   1 999 999 1,6K Jun  2  2024 pg_ident.conf
   0 drwxr-xr-x   4 999 999   68 Mai 26 11:30 pg_logical
   0 drwxr-xr-x   4 999 999   36 Jun  2  2024 pg_multixact
   0 drwxr-xr-x   2 999 999    6 Jul 14  2024 pg_notify
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_replslot
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_serial
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_snapshots
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_stat
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_stat_tmp
   0 drwxr-xr-x   2 999 999   18 Feb  2 12:32 pg_subtrans
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_tblspc
   0 drwxr-xr-x   2 999 999    6 Jun  2  2024 pg_twophase
   0 drwxr-xr-x   4 999 999   52 Jun  2  2024 pg_vectors
4,0K -rw-r--r--   1 999 999    3 Jun  2  2024 PG_VERSION
4,0K drwxr-xr-x   3 999 999 4,0K Mai 26 11:26 pg_wal
   0 drwxr-xr-x   2 999 999   66 Jul  5  2024 pg_xact
4,0K -rw-r--r--   1 999 999   88 Jun  2  2024 postgresql.auto.conf
 32K -rw-r--r--   1 999 999  29K Jun  2  2024 postgresql.conf
4,0K -rw-r--r--   1 999 999  229 Mai 26 11:25 postmaster.opts
4,0K -rw-------   1 999 999   94 Mai 26 11:25 postmaster.pid

for /var/lib/docker/bindmounts/immich/postgres

Zack•4mo ago

I see, that's not the location of the file having the error though The file that is having the problem exists only within the container at /etc/postgresql Can you add command: tail -f /dev/null to your compose, this should stop it trying to boot postgres and allow you to exec into the container

palpatineOP•4mo ago

is that useful inside container ?

message.txt

Zack•4mo ago

Can you go into /etc/postgresql and look at the permissions of the files in there? Oh, you did There's no files? 🤔 Just to confirm, this was 100% the new container? Because it should be impossible for the /etc/postgresql folder to be empty

palpatineOP•4mo ago

oh no sorry! one sec

Zack•4mo ago

Ah good :KEKW:

palpatineOP•4mo ago

noits the old image. I switch back

Zack•4mo ago

If you could switch to the new image again, and then try to exec in, as I said before you may need to add command: tail -f /dev/null to your postgres docker compose section as the container will probably automatically shutdown after it fails to read the config So you won't be able to exec in

palpatineOP•4mo ago

i start new with:

database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    command: tail -f /dev/null
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

database:
    container_name: immich_postgres
    image: ghcr.io/immich-app/postgres:14-vectorchord0.3.0-pgvectors0.2.0
    command: tail -f /dev/null
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      # Do not edit the next line. If you want to change the database storage location on your system, edit the value of DB_DATA_LOCATION in the .env file
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

docker compose logs -f

message.txt

palpatineOP•4mo ago

docker exec -it immich_postgres ls -l /etc/postgresql/postgresql.conf -rw-r-----+ 1 root root 470 May 26 09:46 /etc/postgresql/postgresql.conf docker exec -it immich_postgres cat /etc/postgresql/postgresql.conf

include_if_exists '/var/lib/postgresql/data/postgresql.conf'

shared_preload_libraries = 'vchord.so, vectors.so'
search_path = '"$user", public, vectors'
max_wal_size = 5GB
shared_buffers = 512MB
wal_compression = on
work_mem = 16MB
autovacuum_vacuum_scale_factor = 0.1
autovacuum_analyze_scale_factor = 0.05
autovacuum_vacuum_cost_limit = 1000
effective_io_concurrency = 200
random_page_cost = 1.2

include_if_exists '/var/lib/postgresql/data/postgresql.override.conf'

include_if_exists '/var/lib/postgresql/data/postgresql.conf'

shared_preload_libraries = 'vchord.so, vectors.so'
search_path = '"$user", public, vectors'
max_wal_size = 5GB
shared_buffers = 512MB
wal_compression = on
work_mem = 16MB
autovacuum_vacuum_scale_factor = 0.1
autovacuum_analyze_scale_factor = 0.05
autovacuum_vacuum_cost_limit = 1000
effective_io_concurrency = 200
random_page_cost = 1.2

include_if_exists '/var/lib/postgresql/data/postgresql.override.conf'

Zack•4mo ago

Can you run this in the container? grep UMASK /etc/login.defs Can I get both of docker exec -it immich_postgres ls -l /etc/postgresql and docker exec -it immich_postgres grep UMASK /etc/login.defs

palpatineOP•4mo ago

with command: grep UMASK /etc/login.defs; tail -f /dev/null

message.txt

Zack•4mo ago

Ah, I didn't mean put it in the command second 🤣 You only need the tail -f /dev/null in there so that you can exec into the container 🙂 It did still show me what I needed though, which looks fine, making it even more confusing Could you run this one for me? docker exec -it immich_postgres ls -l /etc/postgresql

palpatineOP•4mo ago

Yes I need a bit. I need to handle my daughter currently

Zack•4mo ago

No worries 🙂

palpatineOP•4mo ago

docker exec -it immich_postgres ls -l /etc/postgresql
total 12
-rw-r-----+ 1 root root 470 May 26 10:37 postgresql.conf
-rw-r--r--+ 1 root root 384 May 24 15:39 postgresql.hdd.conf
-rw-r--r--+ 1 root root 438 May 24 15:39 postgresql.ssd.conf

docker exec -it immich_postgres ls -l /etc/postgresql
total 12
-rw-r-----+ 1 root root 470 May 26 10:37 postgresql.conf
-rw-r--r--+ 1 root root 384 May 24 15:39 postgresql.hdd.conf
-rw-r--r--+ 1 root root 438 May 24 15:39 postgresql.ssd.conf

docker exec -it immich_postgres grep UMASK /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# If HOME_MODE is not set, the value of UMASK is used to create the mode.

docker exec -it immich_postgres grep UMASK /etc/login.defs
#       UMASK           Default "umask" value.
# UMASK is the default umask value for pam_umask and is used by
# 022 is the "historical" value in Debian for UMASK
# If USERGROUPS_ENAB is set to "yes", that will modify this UMASK default value
UMASK           022
# If HOME_MODE is not set, the value of UMASK is used to create the mode.

If I can help with any Future information let me know. I think if it a big problem I could thinking about a remote session if it is useful 👍

Zack•4mo ago

That may be helpful, I have a fix that should work but I really am trying to understand the root cause of this before just applying a fix, don't want it to bite us again in future Can you check where your data root lives? It might show you in this file: /etc/docker/daemon.json

palpatineOP•4mo ago

Good morning Yes, I will check it now

sudo cat /etc/docker/daemon.json
{
  "dns": ["8.8.8.8", "8.8.4.4"]
}

sudo cat /etc/docker/daemon.json
{
  "dns": ["8.8.8.8", "8.8.4.4"]
}

btw. nice tip command: tail -f /dev/null to hold container 🙂

palpatineOP•4mo ago

immich-server-inspec...

postgres14-vectorcho...

Zack•4mo ago

Ok so your data should be in /var/lib/docker then So could you run getfacl /var/lib/docker and let me know the output?

palpatineOP•4mo ago

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

Zack•4mo ago

So I believe the other::--- means that it removes all permissions from the other bit by default If you're willing, you could try the following

sudo setfacl -m default:other::r-- /var/lib/docker

sudo setfacl -m default:other::r-- /var/lib/docker

This should change the other section to allow read by default, alternatively you can remove the other override entirely which will mean whatever is set for other won't be overridden by the ACL

palpatineOP•4mo ago

message.txt

palpatineOP•4mo ago

Same

2025-05-27 08:55:20.401 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied

docker-compose.yml

docker_compose_pull_...

palpatineOP•4mo ago

getfacl /var/lib/docker/bindmounts/immich/postgres
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/bindmounts/immich/postgres
# owner: lxd
# group: docker
user::rwx
group::---
other::---

getfacl /var/lib/docker/bindmounts/immich/postgres
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/bindmounts/immich/postgres
# owner: lxd
# group: docker
user::rwx
group::---
other::---

my .env:

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=/var/lib/docker/bindmounts/immich
# The location where your database files are stored
DB_DATA_LOCATION=/var/lib/docker/bindmounts/immich/postgres

# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# TZ=Etc/UTC

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
# Please use only the characters `A-Za-z0-9`, without special characters or spaces
DB_PASSWORD=postgres

# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

# You can find documentation for all the supported env variables at https://immich.app/docs/install/environment-variables

# The location where your uploaded files are stored
UPLOAD_LOCATION=/var/lib/docker/bindmounts/immich
# The location where your database files are stored
DB_DATA_LOCATION=/var/lib/docker/bindmounts/immich/postgres

# To set a timezone, uncomment the next line and change Etc/UTC to a TZ identifier from this list: https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
# TZ=Etc/UTC

# The Immich version to use. You can pin this to a specific version like "v1.71.0"
IMMICH_VERSION=release

# Connection secret for postgres. You should change it to a random password
# Please use only the characters `A-Za-z0-9`, without special characters or spaces
DB_PASSWORD=postgres

# The values below this line do not need to be changed
###################################################################################
DB_USERNAME=postgres
DB_DATABASE_NAME=immich

This one is not working too: sudo setfacl -m default:other::r-- /var/lib/docker/bindmounts/immich/postgres

Zack•4mo ago

Can you confirm it actually changed the ACL correctly by running getfacl again?

palpatineOP•4mo ago

yes:

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::r--

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::r--

getfacl /var/lib/docker/bindmounts/immich/postgres
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/bindmounts/immich/postgres
# owner: lxd
# group: docker
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::r--

getfacl /var/lib/docker/bindmounts/immich/postgres
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/bindmounts/immich/postgres
# owner: lxd
# group: docker
user::rwx
group::---
other::---
default:user::rwx
default:group::---
default:other::r--

sorry @Zack notifications are not working currently :/

Zack•4mo ago

Hmmm, I see other:: is still there Maybe you need to change that one too Let me grab the command for removing an ACL Lets try running these two sudo setfacl -x default:other /var/lib/docker I'm trying to get my head around reading these ACLs, I haven't got any experience with them myself

palpatineOP•4mo ago

I will try it. same

immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:31:48.996 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:31:48.996 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres          | Using SSD storage
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:32:49.321 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:32:49.321 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres          | Using SSD storage
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:33:49.622 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:33:49.622 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors

immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:31:48.996 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:31:48.996 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres          | Using SSD storage
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:32:49.321 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:32:49.321 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres          | Using SSD storage
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 10:33:49.622 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 10:33:49.622 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

getfacl /var/lib/docker
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

Zack•4mo ago

I'm currently trying to spin up a debian VM so I can test this out myself So, spun up my own debian 12 VM with docker and I can't reproduce this problem Could you run getfacl /var/lib/docker/overlay2 please?

palpatineOP•4mo ago

Yes sure

Zack•4mo ago

I'm really struggling to reproduce this 😅

palpatineOP•4mo ago

I don't know the reason bro sorry 😅 Maybe it's a Ubuntu cis server level 1 problem ? But my understanding is that this kind of issue should be there in past not only for this new container

getfacl /var/lib/docker/overlay2
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/overlay2
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

getfacl /var/lib/docker/overlay2
getfacl: Removing leading '/' from absolute path names
# file: var/lib/docker/overlay2
# owner: root
# group: root
user::rwx
user:rene:rwx                   #effective:--x
group::--x
mask::--x
other::---
default:user::rwx
default:user:rene:rwx
default:group::--x
default:mask::rwx
default:other::---

Zack•4mo ago

in the overlay2 directory, can you run find -name postgresql.conf -exec ls -la {} \;

palpatineOP•4mo ago

find -name postgresql.conf -exec ls -la {} \;
-rw-r--r--+ 1 messagebus sgx 28345 Sep 22  2024 ./a80b5dc8c9ff6d2f1d17615a9ef9417423b2a9412f801644082c104782fd9511/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 systemd-network systemd-network 28345 Jan 17 11:44 ./dc7990ea4a387642835ec0dfb8fa20094e6020ea4838585739d9fe139a3fcb31/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 root root 172 Okt  2  2023 ./dc7990ea4a387642835ec0dfb8fa20094e6020ea4838585739d9fe139a3fcb31/diff/usr/lib/tmpfiles.d/postgresql.conf
-rw-r--r--+ 1 systemd-timesync input 28345 Jan 17 11:44 ./e58a93bfd7ba1534a9797056d3b5e40ba53940bcf451f0300374cd1664c35803/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 messagebus sgx 28345 Jan 15 14:45 ./71bbf805f996b2f3792ba6872b49cb72b07d0fb18619f3cff70bef2bfe104b65/diff/etc/postgresql/13/main/postgresql.conf
-rw-r-----+ 1 root root 470 Mai 27 13:52 ./ef780817ad917adeed9657a41592d614505983fc842176d775184a1ca7277a9e/diff/etc/postgresql/postgresql.conf

find -name postgresql.conf -exec ls -la {} \;
-rw-r--r--+ 1 messagebus sgx 28345 Sep 22  2024 ./a80b5dc8c9ff6d2f1d17615a9ef9417423b2a9412f801644082c104782fd9511/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 systemd-network systemd-network 28345 Jan 17 11:44 ./dc7990ea4a387642835ec0dfb8fa20094e6020ea4838585739d9fe139a3fcb31/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 root root 172 Okt  2  2023 ./dc7990ea4a387642835ec0dfb8fa20094e6020ea4838585739d9fe139a3fcb31/diff/usr/lib/tmpfiles.d/postgresql.conf
-rw-r--r--+ 1 systemd-timesync input 28345 Jan 17 11:44 ./e58a93bfd7ba1534a9797056d3b5e40ba53940bcf451f0300374cd1664c35803/diff/etc/postgresql/13/main/postgresql.conf
-rw-r--r--+ 1 messagebus sgx 28345 Jan 15 14:45 ./71bbf805f996b2f3792ba6872b49cb72b07d0fb18619f3cff70bef2bfe104b65/diff/etc/postgresql/13/main/postgresql.conf
-rw-r-----+ 1 root root 470 Mai 27 13:52 ./ef780817ad917adeed9657a41592d614505983fc842176d775184a1ca7277a9e/diff/etc/postgresql/postgresql.conf

Zack•4mo ago

Hmmm, so your overlay folders are getting the ACLs applied to them, mine are not Curious

palpatineOP•4mo ago

maybe ?

pro status
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips-preview     yes       disabled     Preview of FIPS crypto packages undergoing certification with NIST
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
realtime-kernel* yes       disabled     Ubuntu kernel with PREEMPT_RT patches integrated
usg              yes       enabled      Security compliance and audit tools

 * Service has variants

pro status
SERVICE          ENTITLED  STATUS       DESCRIPTION
anbox-cloud      yes       disabled     Scalable Android in the cloud
esm-apps         yes       enabled      Expanded Security Maintenance for Applications
esm-infra        yes       enabled      Expanded Security Maintenance for Infrastructure
fips-preview     yes       disabled     Preview of FIPS crypto packages undergoing certification with NIST
fips-updates     yes       disabled     FIPS compliant crypto packages with stable security updates
livepatch        yes       enabled      Canonical Livepatch service
realtime-kernel* yes       disabled     Ubuntu kernel with PREEMPT_RT patches integrated
usg              yes       enabled      Security compliance and audit tools

 * Service has variants

cis_level1_server

Zack•4mo ago

Alright, I still personally can't reproduce it because I can't get the merged overlayfs to inherit the ACLs However, we can try this on your system setfacl -m default:other::r-- /var/lib/docker/overlay2 setfacl -m default:mask::rwx /var/lib/docker/overlay2

palpatineOP•4mo ago

(node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_server            | Initializing Immich v1.133.1
immich_server            | Detected CPU Cores: 4
immich_server            | Starting api worker
immich_server            | Starting microservices worker
immich_server            | [Nest] 8  - 05/27/2025, 12:18:40 PM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 12:18:50.768 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 12:18:50.768 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres exited with code 1

(node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_server            | Initializing Immich v1.133.1
immich_server            | Detected CPU Cores: 4
immich_server            | Starting api worker
immich_server            | Starting microservices worker
immich_server            | [Nest] 8  - 05/27/2025, 12:18:40 PM     LOG [Microservices:EventRepository] Initialized websocket server
immich_server            | microservices worker error: Error: getaddrinfo ENOTFOUND database, stack: Error: getaddrinfo ENOTFOUND database
immich_server            |     at GetAddrInfoReqWrap.onlookupall [as oncomplete] (node:dns:120:26)
immich_server            | microservices worker exited with code 1
immich_server            | Killing api process
immich_postgres          |
immich_postgres          | PostgreSQL Database directory appears to contain a database; Skipping initialization
immich_postgres          |
immich_postgres          | 2025-05-27 12:18:50.768 GMT [1] LOG:  could not open configuration file "/etc/postgresql/postgresql.conf": Permission denied
immich_postgres          | 2025-05-27 12:18:50.768 GMT [1] FATAL:  configuration file "/etc/postgresql/postgresql.conf" contains errors
immich_postgres exited with code 1

Zack•4mo ago

:monkaHmm:

palpatineOP•4mo ago

 
2035  setfacl -m default:other::r-- /var/lib/docker/overlay2
 2036  sudo setfacl -m default:other::r-- /var/lib/docker/overlay2
 2037  sudo setfacl -m default:mask::rwx /var/lib/docker/overlay2
 2038  docker compose pull && docker compose up -d && docker compose logs -f

 
2035  setfacl -m default:other::r-- /var/lib/docker/overlay2
 2036  sudo setfacl -m default:other::r-- /var/lib/docker/overlay2
 2037  sudo setfacl -m default:mask::rwx /var/lib/docker/overlay2
 2038  docker compose pull && docker compose up -d && docker compose logs -f

Zack•4mo ago

So your ACLs for your overlays must be coming from somewhere else... I think I might've figured it out REPRODUCED IT

palpatineOP•4mo ago

WOHA!

Zack•4mo ago

Ok ok So, my changes to overlay2 are correct The problem and why it didn't fix it for you is that overlayfs is merging two different folders The base image, that already got pulled, and the changes made in the container The ACL for the base image is set when the image is pulled, so any changes we made to ACL weren't applying It seems overlayfs takes the ACL from the image, rather than the new layer So to fix this now your ACL is correct, we need to remove the old image, and re-pull it So, if you docker compose down your immich stack Then docker image prune --all Then docker compose up the immich stack I think the new ACL changes will get applied, and your postgres will start 👀

palpatineOP•4mo ago

sounds logical....a little bit 😄 there where some old images .... Total reclaimed space: 38.23GB

Zack•4mo ago

Wew

palpatineOP•4mo ago

seems running

message.txt

Zack•4mo ago

Thank the lords

palpatineOP•4mo ago

yeps its up awwsome!

Zack•4mo ago

Awesome!

palpatineOP•4mo ago

awsome

Zack•4mo ago

Now I will apply the fix to our postgres image so this isn't a problem in future :KEKW:

palpatineOP•4mo ago

Thank you very much! You're much better than chatgpt 😄

Zack•4mo ago

Thanks so much for your help running commands and such on your system 🙂 Haha, I actually was getting some assistance from Gemini, it's a good brainstorm partner 😛

palpatineOP•4mo ago

Nono, i need to say Thank oyu! You and all of immichs team doing great work!

Zack•4mo ago

Have a great rest of your day, we'll have a new image out soon to fix this problem, if you want to revert your ACLs to disallow other again then, that should be fine 🙂

Mraedis•4mo ago

What a wild ride 👀

palpatineOP•4mo ago

u2 🙂

Gaming

Programming

mmich_postgres container crashes with “permission denied” on /etc/postgresql/postgresql.conf after u

Did you find this page helpful?