Application is unable to create directory in Volume

Hello! I’m trying to deploy an application that uses a persistent volume to store application-related data, but am bumping up against permissions errors.

When deploying the application, on startup, a directory is created to store some application binaries as well as some other application data. When I deploy the application without a volume, everything is created successfully and the application runs as expected. I need this information to persist across restarts so I created a volume and updated my fly.toml to mount it. During build and deploy, I can see the volume is mounted, but when the application tries to create a directory inside that volume, it fails with a permissions error.

From the logs:

# Volume is mounted
Mounting /dev/vdc at /home/atlantis/.atlantis
# ... Application starts
Error: initializing server: unable to creare dir "/home/atlantis/.atlantis/bin": mkdir /home/atlantis/.atlantis/bin: permission denied

Any suggestions on how to achieve writing to these volumes?


Are you using a Dockerfile? If so, can you share it here?

This usually means the user running the process doesn’t own the volume’s directory. We set ownership on that directory to whatever user is specified in the Dockerfile, but some start scripts like to drop to a less privileged user.

Sure thing! It’s just a thin layer around runatlantis/atlantis:latest that essentially starts the server with some additional flags.

FROM runatlantis/atlantis:latest

CMD ["atlantis", "server", "--write-git-creds", "--gh-app-id", "<ID>",  "--gh-webhook-secret", "<SECRET>", "--repo-allowlist", "<ORG>/*", "--atlantis-url", "https://<APP NAME>", "--gh-org", "<ORG>", "--data-dir", "/home/atlantis/data/.atlantis"]

Ah! I’m guessing the atlantis server process drops permissions to something like an atlantis user. A hacky workaround is to create a start script that runs chown -R atlantis:atlantis /home/atlantis/data/ before it starts the server.

We’re going to look into this a little bit and see if there’s a cleaner way.

Oh you might also try adding USER atlantis right before the run command in your Dockerfile. I’m not positive that’ll work but it’s the simplest option if it does.

Awesome that did it, can confirm my locks are persisting across restarts! Thanks for your help Kurt!


Oh that’s awesome. Thanks for letting me know.
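The start-script workaround suggested in the thread, written out as an added example (not code from the thread, Fly.io or Atlantis): it runs the recursive chown only when the mounted directory's owner is wrong and the script still has root, and otherwise reports the mismatch instead of letting the server fail later with "permission denied". The names DATA_DIR and APP_USER and all function names are assumptions; the default path and user are the ones mentioned in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): start script for the chown workaround.
# Assumed names: DATA_DIR, APP_USER, and every function defined here.

# Numeric uid that owns a path (GNU/BusyBox stat first, BSD stat as fallback).
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Accept either a user name or an already-numeric uid.
resolve_uid() {
    case $1 in
        ''|*[!0-9]*) id -u "$1" 2>/dev/null ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# prepare_data_dir DIR USER
#   0  DIR is owned by USER (already, or after a chown done as root)
#   1  owner mismatch and we are not root, so it cannot be fixed here
#   2  DIR is missing or USER is unknown
prepare_data_dir() {
    pd_dir=$1
    pd_user=$2
    [ -d "$pd_dir" ] || { echo "data dir missing: $pd_dir" >&2; return 2; }
    pd_want=$(resolve_uid "$pd_user") || { echo "unknown user: $pd_user" >&2; return 2; }
    pd_have=$(owner_uid "$pd_dir")
    if [ "$pd_have" = "$pd_want" ]; then
        return 0                      # nothing to do, skip the recursive chown
    fi
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$pd_want" "$pd_dir" # owner only; needs root, so run before any privilege drop
        return $?
    fi
    echo "$pd_dir is owned by uid $pd_have, need uid $pd_want, and this process is not root" >&2
    return 1
}

# Fix the volume, then hand over to the real command (the image's CMD).
main() {
    prepare_data_dir "${DATA_DIR:-/home/atlantis/data}" "${APP_USER:-atlantis}" || exit $?
    exec "$@"
}

# Runs only when a command is passed, e.g. `start.sh atlantis server ...`.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Exit status 1 from this script corresponds to the case where a USER line or an earlier privilege drop means the process can no longer change ownership, so the fix has to come from how the volume is mounted rather than from the script.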