I created a dir Storj to keep the dbs-es on the boot NVME.
I chown and chmod like /home/user1/Storj, to user1:user1 and drwxrwxr-x, for all the dirs, subdirs and files in the storage location, aka /mnt/hdd1part1/Storj1.
I started docker run... without sudo, from user1@sys1:~$ and with --user $(id -u):$(id -g) parameter.
Now I can’t stop the container.
It seems that I’m not the only one. The AppArmor is the culprit. There are several solution on internet, that propose to uninstall or stop the apparmor service. I will test to see which one works.
sudo aa-remove-unknown did the trick. Now I can stop the containers. I wonder if it’s a recuring thing, like after storagenode or docker update, I will have to imput that again…?
That was only temporary. After reboot and stop restart container, again I get permission denied.
So I uninstalled apparmor and get rid off the stress.
“sudo apt --purge autoremove apparmor”
It removed also some dependencies, but it seems that the system is working fine.
Is it OK to keep apparmor uninstalled?
Yes, it’s a security system on top of usual linux permissions that enforces access control rules on what users and programs can access what resources, and embraces principle of least privilege – only minimum rights required to function are granted.
So, just like SELinux, but, evidently, more annoying.
SELinux has “learning” mode: in that mode, all operations are allowed, and the system records the permissions that would be required to for these operations to succeed. Then you re-enable it, and those operations continue to be allowed. I’m sure app armor has sometihing similar .
So, if you want to make it work – you would need to put it to “permissive” mode (I don’t know what AppArmor calls it), do everything you usually do, and then put it back to “enforcing” mode.
I don’t do anything else on this machine, only running storagenodes and learning basic Linux. I think these protections are useless in my case. But I will look into it.
Now I have to figure out how can I setup SMART, SSD whear and free space monithoring to receive mails in case problems appear, like on Synology.
Start with the distribution that is designed to do what you want to do and already has all of that ready. Like TrueNAS Scale. Otherwise you will likely end up building your own version of TrueNAS Scale.
(I would of course go with TrueNAS Core instead, because it’s freebsd and not linux; but it’s my personal preference)
Personally, myself, having used almost all of those filesystems to various degrees, won’t even consider anything but ZFS going forward. Especially not a filesystem that lacks checksumming or snapshotting. Ext4 is obsolete.
I was going to write “ext4 is fine to use for …” and could not come up with one example of when it will be justified when ZFS is available.
Apparmor is a MAC implementation chosen by Canonical to be the default one on Ubuntu. And I think only Canonical chose it. I recall they had some good arguments for it to better fit their usual use cases, and I think they made the choice before SELinux became popular.
