Permission denied issue even though the permission is set correctly

[Rhiig]

I'm currently trying setup my Opencloud instance with docker compose.
Maybe important note: I'm using docker in rootless mode.

After editing the .env (my config) and the external-proxy/opencloud.yml (from 127.0.0.1:9200 to 0.0.0.0:9200 due to some weird port opening issues) I started the containers for the first time (I created the opencloud-config and opencloud-data directories as the user 1000:1000 and assigned them).

Now it says

2026/02/02 15:39:55 Could not create config: open /etc/opencloud/opencloud.yaml: permission denied
The jwt_secret has not been set properly in your config for opencloud. Make sure your /etc/opencloud config contains the proper values (e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in the config/corresponding environment variable).
The jwt_secret has not been set properly in your config for opencloud. Make sure your /etc/opencloud config contains the proper values (e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in the config/corresponding environment variable).

I've not seen the jwt_secret in the .env example but okay, that'd be an easy fix. The concern is the permission denied. After making the application sleep instead of run I tried writing through the docker exec command or listing with ls -ln. It shows that the directory is owned by either root:root or none:none.
If I now check the owner myself by doing ls -ln opencloud-config/ it show the files "banned-password-list.txt" and "csp.yml" both being owned by 1000:1000.

-rw-r--r-- 1 1000 1000 0 Feb  2 16:39 banned-password-list.txt
-rw-r--r-- 1 1000 1000 0 Feb  2 16:39 csp.yaml

Why does this not work?

[micbar]

2026/02/02 15:39:55 Could not create config: open /etc/opencloud/opencloud.yaml: permission denied

Are you sure that there is no file already present?

If not, i think it might be tricky because of the rootless mode.

[paulcdb-backup]

I have the same error but I've tried root and permissions are 1000:1000

This is a default debian 13, default docker with no other containers in a new proxmox vm.

docker-compose.xml has the following lines...

      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
      - ./config/opencloud/banned-password-list.txt:/etc/opencloud/banned-password-list.txt

However, if I copy one of the config lines above and modify to link the opencloud.yaml file:
- ./config/opencloud/opencloud.yaml:/etc/opencloud/opencloud.yaml

I then get the error
Error: read etc/opencloud/opencloud.yaml: is a directory

I've tried removing the /mnt/opencloud/config folder, deleted and recreated the container and even deleted and recreated the proxmox container and used https://docs.opencloud.eu/docs/admin/getting-started/container/docker-compose/docker-compose-base/ for the instructions.

OC_CONFIG_DIR=/mnt/opencloud/config
OC_DATA_DIR=/mnt/opencloud/data
sudo mkdir -p /mnt/opencloud/{config,data}
sudo chown -R 1000:1000 /mnt/opencloud

So this 'should' be fairly easy to reproduce but it clearly creates the csp.yaml and banned-password.yaml files, so I don't see how it's a permission issue but there's no folder named opencloud.yaml so no idea why it thinks there is. shrugs

[bransoned]

I am not even getting the "Could not create config" that @Rhiig sees. I simply get:

The jwt_secret has not been set properly in your config for opencloud. Make sure your /etc/opencloud config contains the proper values (e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in the config/corresponding environment variable).

Likewise, everything is chowned by user 1000 properly. Here is the relevant part of my compose:

    user: "1000:1000"
    volumes:
      - ./config/opencloud/csp.yaml:/etc/opencloud/csp.yaml
      - ./config/opencloud/opencloud-config:/etc/opencloud
      - ./config/opencloud/opencloud-data:/var/lib/opencloud

Inside of the ./config/opencloud/opencloud-config directory, the copy of the csp.yaml file that is created is owned by root, though. So why does it seem like permissions are not being set correctly in the container?

ls -la config/opencloud/opencloud-config/
total 8
drwxrwxr-x 2 myuser myuser 4096 Feb  6 17:50 .
drwxrwxr-x 4 myuser myuser 4096 Feb  6 17:28 ..
-rw-r--r-- 1 root  root     0 Feb  6 17:50 csp.yaml

[paulcdb-backup]

The jwt_secret has not been set properly in your config for opencloud. Make sure your /etc/opencloud config contains the proper values (e.g. by using 'opencloud init --diff' and applying the patch or setting a value manually in the config/corresponding environment variable).

Ugh, I battled that for like 2 days but switching to su - and doing the git clone under root and running the docker run command also under root fixed it for me. No idea why, but both the issues seem to be opencloud.yaml generation issue but I don’t know enough to fix it, lol

[Rhiig]

2026/02/02 15:39:55 Could not create config: open /etc/opencloud/opencloud.yaml: permission denied

Are you sure that there is no file already present?

If not, i think it might be tricky because of the rootless mode.

No, the csp.yml and the banned-password-list.txt exist and have the correct owner as seen here:

rootless@publ-cloud:~/docker-rootless/opencloud-compose$ ls -ln application/
total 8
drwxrwxr-x 2 1000 1000 4096 Feb  2 16:31 config
drwxrwxr-x 3 1000 1000 4096 Feb  2 16:29 data
rootless@publ-cloud:~/docker-rootless/opencloud-compose$ ls -ln application/config/
total 0
-rw-r--r-- 1 1000 1000 0 Feb  2 16:29 banned-password-list.txt
-rw-r--r-- 1 1000 1000 0 Feb  2 16:29 csp.yaml

I can't execute commands due to the constant restarting. Therefore I changed the command from ["-c", "opencloud init || true; opencloud server"] to ["-c", "sleep infinity"]. Then I execute docker exec -it opencloud-compose-opencloud-1 sh -c 'ls -ld /etc/opencloud; stat -c "%U %G %a %A" /etc/opencloud || true; touch /etc/opencloud/.canwrite 2>&1' and that returns:

drwxrwxr-x    2 root     root          4096 Feb  2 15:39 /etc/opencloud
root root 775 drwxrwxr-x
touch: /etc/opencloud/.canwrite: Permission denied

I just dont get it. I think that opencloud doesnt correctly use the user 1000:1000 even though it says it does. I believe it tries to do root for the generation of the opencloud.yml for some reason instead of 1000:1000 like for the csp.yml or banned-password-list.txt

[micbar]

Let me explain:

This is docker and a little bit confusing.

When you are running docker as root, openCloud runs as user 1000 and the opencloud.yaml is writable.

When you run docker rootless, for example as user 1000, then you need to change openCloud to start as user 0 (root) because docker runs as user 1000.

If both are running with user 1000, it cannot work.

I admit, that this is confusing and a reason why people struggle with docker.

[bransoned]

I added this to my compose file:

  opencloud-app:
    container_name: opencloud-app
    image: opencloudeu/opencloud-rolling:latest
    entrypoint:
      - /bin/sh
    command: ["-c", "opencloud init || true; opencloud server"]
    restart: no

On the first run, it will create the opencloud.yaml file. Here I also make sure my csp.yaml file is populated with data. If permissions are wrong, I then just chown -R 1000:1000 ./config/opencloud/ to make sure all permissions are set for my user. This seemed to fix the issue.

After this, set restart back to whatever you want it to and the container should properly boot after that. Also on first boot, optionally set the IDM_ADMIN_PASSWORD variable. Not needed after first run of the container.

[Rhiig]

Let me explain:

This is docker and a little bit confusing.

When you are running docker as root, openCloud runs as user 1000 and the opencloud.yaml is writable.

When you run docker rootless, for example as user 1000, then you need to change openCloud to start as user 0 (root) because docker runs as user 1000.

If both are running with user 1000, it cannot work.

I admit, that this is confusing and a reason why people struggle with docker.

Thank you so much, that fixed the issue for me!