Docker/Podman Permission issue (OS Error 13) #2355

Open
PrestonHager opened this issue Mar 6, 2025 · 0 comments

I am installing SpacetimeDB on NixOS using podman OCI containers. I suspect this issue is related to the data directories that I pass into the docker container. The nix file can be summed up into the following docker command:

docker run --rm --pull always -p 8084:80 -v /stdb/:/stdb/ clockworklabs/spacetime start

After looking at the docker-compose-live.yml it seems like I was in fact missing a /etc/spacetimedb directory which is where the keyfiles are loaded from.

I also found that port 3000 is what is used in the currently uploaded Dockerfile. This is correct, however, I believe the documentation is wrong. #203 says that port 3000 is correct for docker images, however the README.md has these ports backwards and should be the following instead:

docker run --rm --pull always -p 80:3000 clockworklabs/spacetimedb start

To me the following things should be added to documentation:

  1. Documentation pages should include a section on how to set up a docker instance.
  2. Docker documentation should include what variables and .env are allowed based on current options present in the repository's docker compose files.
  3. README.md should include a corrected docker command at the least, and possibly a link/expanded documentation on docker options. Note that the corrected command should probably be the above plus the volumes needed at a bare minimum, which are /stdb and /etc/spacetimedb.

Mar 05 19:16:27 ace spacetimedb[35298]: spacetimedb-standalone version: 1.0.0
Mar 05 19:16:27 ace spacetimedb[35298]: spacetimedb-standalone path: /usr/local/bin/spacetimedb-standalone
Mar 05 19:16:27 ace spacetimedb[35298]: database running in data directory /stdb/data
Mar 05 19:16:27 ace spacetimedb[35298]: warning: some trace filter directives would enable traces that are disabled statically
Mar 05 19:16:27 ace spacetimedb[35298]: note: `axum::rejection=trace` would enable the TRACE level for the `axum::rejection` target
Mar 05 19:16:27 ace spacetimedb[35298]: note: the static max level is `debug`
Mar 05 19:16:27 ace spacetimedb[35298]: help: to enable TRACE logging, remove the `max_level_debug` feature from the `tracing` crate
Mar 05 19:16:28 ace spacetimedb[35298]: Error: Permission denied (os error 13)
Mar 05 19:16:28 ace spacetimedb[35298]:
Mar 05 19:16:28 ace spacetimedb[35298]: Stack backtrace:
Mar 05 19:16:28 ace spacetimedb[35298]:    0: anyhow::error::<impl core::convert::From<E> for anyhow::Error>::from
Mar 05 19:16:28 ace spacetimedb[35298]:    1: spacetimedb::auth::get_or_create_keys
Mar 05 19:16:28 ace spacetimedb[35298]:    2: spacetimedb_standalone::subcommands::start::exec::{{closure}}
Mar 05 19:16:28 ace spacetimedb[35298]:    3: spacetimedb_standalone::async_main::{{closure}}
Mar 05 19:16:28 ace spacetimedb[35298]:    4: spacetimedb_standalone::main
Mar 05 19:16:28 ace spacetimedb[35298]:    5: std::sys::backtrace::__rust_begin_short_backtrace
Mar 05 19:16:28 ace spacetimedb[35298]:    6: std::rt::lang_start::{{closure}}
Mar 05 19:16:28 ace spacetimedb[35298]:    7: std::rt::lang_start_internal
Mar 05 19:16:28 ace spacetimedb[35298]:    8: main
Mar 05 19:16:28 ace spacetimedb[35298]:    9: <unknown>
Mar 05 19:16:28 ace spacetimedb[35298]:   10: __libc_start_main
Mar 05 19:16:28 ace spacetimedb[35298]:   11: _start

The nix container files for completeness in case you want to try it on a NixOS or NixOS WSL machine.

containers.nix

{ config, pkgs, ... }:

{
  imports = [
    # Import specific Podman or Docker containers here
    # Be sure not to mix podman and docker configurations, and set your backend
    # properly in the virtualisation.oci-containers.backend variable.
    ./spacetimedb.nix
  ];

  # Enable Podman (or Docker) for use with oci-containers
  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
    };
  };

  # Some helpful packages, comment these out if they aren't needed
  environment.systemPackages = with pkgs; [
    dive # look into docker image layers
    podman-tui # status of containers in the terminal
  ];

  # The underlying Docker implementation to use
  # default is "podman", you can also use "docker"
  virtualisation.oci-containers.backend = "podman";
}

spacetimedb.nix

{ config, ... }:

{
  # Create the spacetimedb user and group
  users.users.spacetimedb = {
    isSystemUser = true;
    description = "Spacetime DB";
    group = "spacetimedb";
  };
  users.groups.spacetimedb = {};

  # Create the data directory
  systemd.tmpfiles.rules = [
    "d /stdb 0770 spacetimedb spacetimedb -"
  ];

  # Define the container
  virtualisation.oci-containers.containers."spacetimedb" = {
    autoStart = true;

    # <hostPort>:<containerPort>
    ports = [
      "8084:80"
    ];

    # User and group to run the container as
    user = "spacetimedb:spacetimedb";

    # Volumes to make persistent in the host/container
    volumes = [
      "/etc/passwd:/etc/passwd:ro"
      "/etc/group:/etc/group:ro"
      "/stdb/:/stdb/"
    ];

    # Finally, the spacetimedb image and version
    image = "clockworklabs/spacetimedb:latest";
  };
}
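
An added diagnostic, not part of the original issue or of SpacetimeDB: a shell pre-flight that reports which bind-mounted host directories a given container uid:gid cannot create files in, a common cause of `os error 13` when a service writes its key files at startup. The function names `can_write` and `preflight` are hypothetical; the script assumes GNU `stat` and evaluates classic mode bits only.

```shell
#!/bin/sh
# Added example: pre-flight check for host directories bind-mounted into a container.
# Assumes GNU stat (-c). ACLs, SELinux labels, supplementary groups and
# user-namespace remapping (rootless podman) are NOT evaluated.

# can_write DIR UID GID -> prints ok | denied | missing
can_write() (
  dir=$1 uid=$2 gid=$3
  if [ ! -d "$dir" ]; then echo missing; exit 0; fi
  if [ "$uid" -eq 0 ]; then echo ok; exit 0; fi   # root bypasses mode bits
  set -- $(stat -c '%u %g %a' "$dir")             # owner uid, group gid, octal mode
  owner=$1 group=$2 mode=$((0$3))
  # The kernel consults exactly one permission class: owner, else group, else other.
  if [ "$uid" -eq "$owner" ]; then bits=$(( (mode >> 6) & 7 ))
  elif [ "$gid" -eq "$group" ]; then bits=$(( (mode >> 3) & 7 ))
  else bits=$(( mode & 7 )); fi
  # Creating a file in a directory needs both write (2) and search (1).
  if [ $(( bits & 3 )) -eq 3 ]; then echo ok; else echo denied; fi
)

# preflight UID GID DIR... -> one line per DIR, exit status 1 if any is not ok
preflight() (
  uid=$1 gid=$2; shift 2; rc=0
  for d in "$@"; do
    r=$(can_write "$d" "$uid" "$gid")
    printf '%-8s %s\n' "$r" "$d"
    [ "$r" = ok ] || rc=1
  done
  exit "$rc"
)

# Constructed demo: a 0770 directory (the mode the page gives /stdb) plus a
# path that does not exist, checked for the current user.
demo=$(mktemp -d) && chmod 0770 "$demo"
preflight "$(id -u)" "$(id -g)" "$demo" "$demo/etc-spacetimedb" \
  || echo "create or chown the paths above before starting the container"
rm -rf "$demo"
```

For the configuration in this issue the call would be `preflight "$(id -u spacetimedb)" "$(id -g spacetimedb)" /stdb /etc/spacetimedb`, run on the host before the container starts.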