Error: lock /data/ipfs/repo.lock: permission denied

[eMCeee89]

Checklist

• This is a bug report, not a question. Ask questions on discuss.ipfs.tech.
• I have searched on the issue tracker for my bug.
• I am running the latest kubo version or have an issue updating.

Installation method

docker image

Version

v0.33.0

Querying /version endpoint: {"version":"1.1.2+gitcf12d12d196efa364b3642954107b3f37642f487"}

Config

Description

Hello IPFS team,
I am running IPFS in AWS ECS using EFS as a permanent store. It is a development-environment setup with only one container running at a time. I am facing an issue when the container crashes and a consecutive try to start a new container by ECS scheduler fails as follows:

2025-02-03T14:28:27.889Z
Changing user to ipfs
2025-02-03T14:28:28.053Z
ipfs version 0.33.0
2025-02-03T14:28:28.059Z
Found IPFS fs-repo at /data/ipfs
2025-02-03T14:28:28.106Z
Initializing daemon...
2025-02-03T14:28:28.106Z
Kubo version: 0.33.0-8b65738
2025-02-03T14:28:28.106Z
Repo version: 16
2025-02-03T14:28:28.106Z
System version: amd64/linux
2025-02-03T14:28:28.106Z
Golang version: go1.23.5
2025-02-03T14:28:28.110Z
Error: lock /data/ipfs/repo.lock: permission denied

I can see that the file /data/ipfs/repo.lock is owned by root user, removing of the file does not help because the file is re-created again with the root file permissions.It is an ENTRYPOINT command that runs under root and incorrectly initializes IPFS in my understanding.

I may have it misconfigured, please suggest a proper solution if so.

In a meantime, I have managed to "fix" the aforementioned issue by creating my own Docker image with a following Dockerfile:

FROM ipfs/kubo:latest

# https://github.com/ipfs/kubo/blob/6927f4fe54b15d17bf61861dc405d85fd7f7201d/Dockerfile
# added USER directive for entrypoint and following directives
USER ipfs

# This just makes sure that:
# 1. There's an fs-repo, and initializes one if there isn't.
# 2. The API and Gateway are accessible from outside the container.
ENTRYPOINT ["/sbin/tini", "--", "/usr/local/bin/start_ipfs"]

# Healthcheck for the container
# QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn is the CID of empty folder
HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
  CMD ipfs --api=/ip4/127.0.0.1/tcp/5001 dag stat /ipfs/QmUNLLsPACCz1vLxQVkXqqLX5R1X345qqfHbsf67hvA3Nn || exit 1

# Execute the daemon subcommand by default
CMD ["daemon", "--migrate=true", "--agent-version-suffix=docker"]

I have added USER directive and just copied everything else from your Dockerfile from the ENTRYPOINT onward. This way, I made sure that all runs under a correct ipfs user. I also deleted the lock file and all started to work again.

Is there any reason why you do not use USER directive? Are there any unwanted implications introduced by my fix? This way, you would be also able to get rid of gosu dependency and remove an user-switching logic from container_daemon script.