Does Trilium Docker installation support volume for persistant data?

[HubKing]

The YML file in the root directory seemed old, so, I created my own like the one below, but it fails because it cannot access the data directory. I have tried the YML file in the root directory and it had the same problem. In the documentation file, it seems be explaining how to use Trilium with what Docker calls "bind mount".

Is "volume" not supported? Is that a bug or is there any reason why volume cannot be used and only bind mount should be used? I do not know Docker well, but I read that the process in the container can get the root privilege. Can't this permission problem be fixed by changing the permission of TRILIUM_DATA_DIR inside of the container?

I navigated into /var/lib/docker/volumes... and modified the permission of the _data directory to 777 and then Trilum started. But this is probably not a recommended method, I think, because the volume is supposed to be managed by Docker.

version: "3.7"

name: trilium

volumes:
  data:
    driver: local

services:
  server:
    build:
      context: .
    image: zadam/trilium
    environment:
      - TRILIUM_DATA_DIR=/data
    restart: always
    volumes:
      - data:/data
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "8080:8080"
      - "8022:22"

Output

 ⠿ Volume "trilium_data"       Created                                                                                                                                        0.0s
 ⠿ Container trilium-server-1  Created                                                                                                                                        0.0s
Attaching to trilium-server-1
trilium-server-1  | node:internal/fs/utils:344
trilium-server-1  |     throw err;
trilium-server-1  |     ^
trilium-server-1  |
trilium-server-1  | Error: EACCES: permission denied, mkdir '/data/log'
trilium-server-1  |     at Object.mkdirSync (node:fs:1336:3)
trilium-server-1  |     at Object.<anonymous> (/usr/src/app/src/services/log.js:8:8)
trilium-server-1  |     at Module._compile (node:internal/modules/cjs/loader:1103:14)
trilium-server-1  |     at Object.Module._extensions..js (node:internal/modules/cjs/loader:1157:10)
trilium-server-1  |     at Module.load (node:internal/modules/cjs/loader:981:32)
trilium-server-1  |     at Function.Module._load (node:internal/modules/cjs/loader:822:12)
trilium-server-1  |     at Module.require (node:internal/modules/cjs/loader:1005:19)
trilium-server-1  |     at require (node:internal/modules/cjs/helpers:102:18)
trilium-server-1  |     at Object.<anonymous> (/usr/src/app/src/app.js:1:13)
trilium-server-1  |     at Module._compile (node:internal/modules/cjs/loader:1103:14) {
trilium-server-1  |   errno: -13,
trilium-server-1  |   syscall: 'mkdir',
trilium-server-1  |   code: 'EACCES',
trilium-server-1  |   path: '/data/log'
trilium-server-1  | }
trilium-server-1 exited with code 1

[dousha]

I think it's inherently flawed that Trilium in docker would ask for 777 permission on the data directory. It seems that Trilium backend was run with a normal user privilege which is a bit unorthodox for containerized applications, which almost all run (at least start) with root privilege.

It might be better -- if we need to run the app with minimum privilege -- to set up file permissions with root; then run the app as the dedicated user. Applications (and users) from outside of the container won't be stomping into the volume by accident or by purpose.

[HubKing]

To be fair, "777" was just my attempt to easily prove that the permission of the volume was the reason why it did not start. It does not have to be 777; it would have also worked just to give read/write permission to the volume to the user account of the Trilium process, but I don't know how to set complex permissions on Linux (Windows has Advanced permission dialogue, but as far as I know, on Linux you would have to use some sort of ACL commands), so I just set 777.

What's the code that is first executed when running in Docker, the dockerfile? I really do not know much about Docker, but if you know well, could you add a few lines at the beginning, so that if it is inside of Docker, it would first set permissions to the data directory?

[dousha]

What comes to my mind is adding a bootstrap script for Docker builds. In the bootstrap script, we set up all the permissions and other stuff that has to be run as root; then invoke the application with the dedicated user. Maybe there are better approaches but this is how I bundled my applications (provided I need persistent storage that has to be managed by the application).