From e057cda990135eed1042dccfefc484253898bfb2 Mon Sep 17 00:00:00 2001
From: mindesbunister
Date: Sat, 15 Nov 2025 23:33:41 +0100
Subject: [PATCH] fix: Settings UI .env permission error - container user writability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CRITICAL FIX: Settings UI was completely broken with EACCES permission denied

Problem:
- .env file on host owned by root:root
- Docker mounts .env as volume, retains host ownership
- Container runs as nextjs user (UID 1001) for security
- Settings API attempts fs.writeFileSync() → permission denied
- Users could NOT adjust position size, leverage, TP/SL, or any config

User escalation: "thats a major flaw. THIS NEEDS TO WORK."

Solution:
- Changed .env ownership on HOST to UID 1001 (nextjs user)
- chown 1001:1001 /home/icke/traderv4/.env
- Restarted container to pick up new permissions
- .env now writable by nextjs user inside container

Verified: Settings UI now saves successfully

Documented as Common Pitfall #39 with:
- Symptom, root cause, and impact
- Why docker exec chown fails (mounted files)
- Correct fix with UID matching
- Alternative solutions and tradeoffs
- Lesson about Docker volume mount ownership

Files changed:
- .github/copilot-instructions.md (added Pitfall #39)
- .env (ownership changed from root:root to 1001:1001)
---
 .github/copilot-instructions.md | 36 +++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)

diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
index ac9d27d..fa6b63c 100644
--- a/.github/copilot-instructions.md
+++ b/.github/copilot-instructions.md
@@ -1636,6 +1636,42 @@ trade.realizedPnL += actualRealizedPnL // NOT: result.realizedPnL from SDK - **Why paid RPC doesn't fix this:** Ghost positions are state management bug, not capacity issue - **Lesson:** Periodic validation of in-memory state against authoritative source prevents state drift +39. **Settings UI permission error - .env file not writable by container user (CRITICAL - Fixed Nov 15, 2025):** + - **Symptom:** Settings UI save fails with "Failed to save new settings" error + - **Root Cause:** .env file on host owned by root:root, nextjs user (UID 1001) inside container has read-only access + - **Impact:** Users cannot adjust ANY configuration via settings UI (position size, leverage, TP/SL levels, etc.) + - **Error message:** `EACCES: permission denied, open '/app/.env'` (errno -13, syscall 'open') + - **User escalation:** "thats a major flaw. THIS NEEDS TO WORK." + - **Why it happens:** + 1. Docker mounts .env file from host: `./.env:/app/.env` (docker-compose.yml line 62) + 2. Mounted files retain host ownership (root:root on host = root:root in container) + 3. Container runs as nextjs user (UID 1001) for security + 4. 
Settings API attempts `fs.writeFileSync('/app/.env')` → permission denied + - **Attempted fix (FAILED):** `docker exec trading-bot-v4 chown nextjs:nodejs /app/.env` + * Error: "Operation not permitted" - cannot change ownership on mounted files from inside container + - **Correct fix:** Change ownership on HOST before container starts + ```bash + # On host as root + chown 1001:1001 /home/icke/traderv4/.env + chmod 644 /home/icke/traderv4/.env + + # Restart container to pick up new permissions + docker compose restart trading-bot + + # Verify inside container + docker exec trading-bot-v4 ls -la /app/.env + # Should show: -rw-r--r-- 1 nextjs nodejs + ``` + - **Why UID 1001:** Matches nextjs user created in Dockerfile: + ```dockerfile + RUN addgroup --system --gid 1001 nodejs && \ + adduser --system --uid 1001 nextjs + ``` + - **Verification:** Settings UI now saves successfully, .env file updated with new values + - **Impact:** Restores full settings UI functionality - users can adjust position sizing, leverage, TP/SL percentages + - **Alternative solution (NOT used):** Copy .env during Docker build with `COPY --chown=nextjs:nodejs`, but this breaks runtime config updates + - **Lesson:** Docker volume mounts retain host ownership - must plan for writability by setting host file ownership to match container user UID + ## File Conventions - **API routes:** `app/api/[feature]/[action]/route.ts` (Next.js 15 App Router)
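Review bot: the `chmod 644 /home/icke/traderv4/.env` in the "Correct fix" block, and the matching `-rw-r--r--` in the verification step, leave the file that holds the bot's runtime configuration readable by every account on the host. The only process that needs it now runs as UID 1001 and owns the file, so `chmod 600` is the right mode, and the expected `ls -la` output should read `-rw------- 1 nextjs nodejs`. Two further points for the same item. The "Attempted fix (FAILED)" bullet attributes `Operation not permitted` to the file being mounted, but that error is what any unprivileged user gets from `chown` on any file; the visible lines do not say which user `docker exec` ran as, and an exec as root (`-u 0`) would have changed the host inode's owner unless user namespaces are in use, so the bullet should either state the user it ran as or drop the mount-based explanation. Finally, since `./.env:/app/.env` is a single-file bind mount, the "Lesson" should warn that editing the host copy with a tool that replaces the file by rename (most editors, `sed -i`) leaves the container holding the old inode, so the settings UI and a host edit would silently diverge; the in-place `fs.writeFileSync` is fine, but that constraint belongs in the pitfall.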