Got some permission issues using docker compose installation and using bin mounts

[ovizii]

Followed these: https://github.com/marcpope/borgbackupserver/wiki/Docker-Installation
I mounted this volume:

    volumes:
      - ./bbs:/var/bbs

I created it beforehand, later on I even created all folders which are supposed to be directly inside this folder according to the linked docs.

I'm pretty sure this is a permission issue. What user is used on this docker image for the different services? i.e. mysql?

❯ docker compose up -d
WARN[0000] The "ADMIN_PASS" variable is not set. Defaulting to a blank string. 
[+] up 2/2
 ✔ Network bbs   Created                                                                                                                                                                0.1s
 ✔ Container bbs Started                                                                                                                                                                0.5s
❯ docker compose logs -f
WARN[0000] The "ADMIN_PASS" variable is not set. Defaulting to a blank string. 
bbs exited with code 1 (restarting)
bbs  | === BBS Container Starting ===
bbs  | Version: 2.24.10
bbs  | Restoring SSH host keys from volume...
bbs  | Starting MariaDB...
bbs  | Initializing MariaDB data directory...
bbs  | === BBS Container Starting ===
bbs  | Version: 2.24.10
bbs  | Restoring SSH host keys from volume...
bbs  | Starting MariaDB...
bbs  | Initializing MariaDB data directory...
bbs  | === BBS Container Starting ===
bbs  | === BBS Container Starting ===
bbs  | Version: 2.24.10
bbs  | Version: 2.24.10
bbs  | Restoring SSH host keys from volume...
bbs  | Restoring SSH host keys from volume...
bbs  | Starting MariaDB...
bbs  | Initializing MariaDB data directory...
bbs  | Starting MariaDB...
bbs  | Initializing MariaDB data directory...
bbs exited with code 1 (restarting)
bbs  | === BBS Container Starting ===
bbs  | Version: 2.24.10
bbs  | Restoring SSH host keys from volume...
bbs  | Starting MariaDB...
bbs  | Initializing MariaDB data directory...
bbs exited with code 1 (restarting)
bbs  | === BBS Container Starting ===
bbs  | Version: 2.24.10
bbs  | Restoring SSH host keys from volume...
bbs  | Starting MariaDB...

[ovizii]

Seems fixed with: chown 100:101 bbs/mysql

[ovizii]

OK, I would really like to use bind mounts instead of named volumes. Unfortunately, the docs are unclear, which folder needs what permissions. Have a look at this auto-generated mess. 1000 is my user, I then had to change ownership of bbs folder to root to even get started.
To fix the mysql permissions, I had to give ID 100 ownership of the bbs/bbs folder.
Now mysql works but when accessing the dashboard for the first setup, I see the welcome wizard but also permissions issues showing up on the page:

Warning: session_start(): open(/var/bbs/tmp/sess_dadd49283ce7a9369a757a5689c1c1e0, O_RDWR) failed: Permission denied (13) in /var/www/bbs/src/Setup/SetupWizard.php on line 17

Warning: session_start(): Failed to read session data: files (path: ) in /var/www/bbs/src/Setup/SetupWizard.php on line 17

As you can see, ID 33 is now also involved. I'm going back to named volumes for these first tests but would really appreciate any pointer on how to switch to bind volumes and what folder needs which ownership.

❯ ls -aln
total 20
drwxrwx---  3 1000 1000 4096 Apr 12 14:15 .
drwxrwx--- 15 1000 1000 4096 Apr 12 13:40 ..
-rwxrwx---  1 1000 1000  565 Apr 12 14:00 .env
drwxrwx--- 10  100 1000 4096 Apr 12 14:24 bbs
-rwxrwx---  1 1000 1000 1832 Apr 12 13:56 docker-compose.yml
❯ ls -aln bbs
total 40
drwxrwx--- 10  100 1000 4096 Apr 12 14:24 .
drwxrwx---  3 1000 1000 4096 Apr 12 14:15 ..
drwxrwx---  2 1000 1000 4096 Apr 12 14:00 .ssh-host-keys
drwxr-xr-x  2   33   33 4096 Apr 12 14:24 backups
drwxr-xr-x  2   33   33 4096 Apr 12 14:24 cache
drwxr-xr-x  2  999  994 4096 Apr 12 14:23 clickhouse
drwxr-xr-x  2    0    0 4096 Apr 12 14:24 config
drwxr-xr-x  2   33   33 4096 Apr 12 14:24 home
drwxr-xr-x  7  100  101 4096 Apr 12 14:24 mysql
drwxrwxrwt  2   33   33 4096 Apr 12 14:23 tmp

[addvanced]

Running into the same issues with mounted volumes. Cannot create clients etc. due to permission issues. E.g.:

Cannot create client — failed to create storage directory: /var/bbs/home/2. 
Check permissions on /var/bbs/home.

[marcpope]

You're right that bind mounts are painful here. The root cause is that BBS runs multiple services under different UIDs inside one container (MariaDB as UID 100, ClickHouse as UID 999, Apache/PHP as www-data UID 33, and root for config/SSH keys). Named volumes hide this entirely. Bind mounts expose it, and if your host filesystem blocks the entrypoint's chown calls — which happens with rootless Docker, SELinux, or network mounts — every service that can't write to its own directory crashes.

Easy path: named volume

If you just want it to work, use the default docker-compose.yml with a named volume (bbs-data:/var/bbs). That's how the project is designed to run, and it's what we test against. Docker handles all the ownership automatically.

If you really need a bind mount

The entrypoint chowns each subdirectory to the right service user on first start. What you're hitting is that your host environment is preventing those chowns from sticking. Common causes:

• Rootless Docker / Podman — container "root" is a namespaced subuid, not real root on the host. Add :U (Podman) to auto-remap, or just use named volumes.
• SELinux-enforcing hosts — add :Z to the volume: - ./bbs:/var/bbs:Z
• NFS / SMB mounted host paths — silently reject chown. Use a local disk for /var/bbs and add network shares only as additional storage locations via the Storage page in BBS.

If none of those apply, the bind-mount subdirectories must match these UIDs:

Path	Owner UID
/var/bbs/mysql/	100 (mysql)
/var/bbs/clickhouse/	999 (clickhouse)
/var/bbs/home/ /cache/ /backups/ /tmp/	33 (www-data)
/var/bbs/config/ /.ssh-host-keys/	0 (root)

I've updated the Docker-Installation wiki page with all of this — see the "Bind Mount Troubleshooting" and "Required subdirectory ownership" sections.

Don't install BBS on a server that has other services

Separately, worth calling out — BBS is designed to be the only application in its container (or on its host for the standard install). It manages its own MariaDB, ClickHouse, Apache, SSH daemon, and system users. If you're trying to install it alongside an existing workload you'll fight it constantly. If you want to back up your other servers, install the BBS agent on them — it's a tiny Python daemon that pushes backups to your BBS instance. I've added that warning to the wiki too.

[ovizii]

Thanks for the detailed answer and for picking up the PR below. This makes everything much easier.

[addvanced]

@marcpope

I made a fork of your repo and made it work on my own machine (Synology NAS).
If you want me to, I can make a PR so you can review the changes? I basically introduced an option to add PUID and PGID environment variables, to map the www-data user inside the container, to your host user, and fixed some permission issues as well.

You have a more in-depth insight into your own app, so maybe you can say if this is a bad solution or not.

Edit:
Here's the PR #143