Going by the elog text in =net-p2p/go-ipfs-0.11.0 ( https://gitweb.gentoo.org/repo/gentoo.git/tree/net-p2p/go-ipfs/go-ipfs-0.11.0.ebuild#n1973 ) I create `/var/lib/ipfs/.ipfs`, set its ownership to ipfs:ipfs, and add my user to the ipfs group.

Sadly by default a lot of files in the directory are not writeable by the group, and even after `chmod -R 775 /var/lib/ipfs` they will somehow revert to that.

```
chymera@decohost ~ $ ls -lahd .ipfs
lrwxrwxrwx 1 chymera chymera 20 Apr 12 12:09 .ipfs -> /var/lib/ipfs/.ipfs/
chymera@decohost ~ $ ls -lah .ipfs/
total 2.3M
drwxrwxr-x 5 ipfs ipfs 4.0K Apr 13 14:34 .
drwxrwxr-x 3 ipfs ipfs 4.0K Apr 12 12:13 ..
-rw-r--r-- 1 ipfs ipfs 23 Apr 13 14:34 api
drwxrwxr-x 20 ipfs ipfs 4.0K Apr 13 14:34 blocks
-rw------- 1 ipfs ipfs 3.7K Apr 13 14:32 config
-rw------- 1 ipfs ipfs 3.7K Apr 13 14:31 config-pre-lowpower-2169471326
-rw------- 1 ipfs ipfs 3.7K Apr 13 14:32 config-pre-lowpower-3509665115
drwxrwxr-x 2 ipfs ipfs 4.0K Apr 13 14:34 datastore
-rwxrwxr-x 1 ipfs ipfs 190 Apr 12 12:13 datastore_spec
drwxrwxr-x 2 ipfs ipfs 4.0K Apr 12 12:13 keystore
-rwxrwxr-x 1 ipfs ipfs 2.2M Apr 12 21:45 lala.png
-rw-r--r-- 1 ipfs ipfs 0 Apr 13 14:34 repo.lock
-rwxrwxr-x 1 ipfs ipfs 3 Apr 12 12:13 version
```

This means that it's very hard to manage the repository or configuration via my user (or any user at all, really, since ipfs isn't a user with a shell). After e.g. running:

```
chymera@decohost ~/.ipfs $ ipfs config profile apply lowpower
```

the service failed to start until I ran `chown -R ipfs:ipfs /var/lib/ipfs/`. This seems pretty unstable, though I'm not sure how this could be nicely fixed if upstream code insists on not setting group write.

Perhaps I am just using the software incorrectly and some additional info could be added to elog?
This is a more verbose demo of the permissions issues, as seen in a new installation right after using the code provided in elog and adding my user to the ipfs group.

```
chymera@neurohost ~ $ ls -lahd .ipfs
lrwxrwxrwx 1 chymera chymera 19 Apr 13 17:01 .ipfs -> /var/lib/ipfs/.ipfs
chymera@neurohost ~ $ ls -lahd /var/lib/ipfs/.ipfs
drwxr-xr-x 5 ipfs ipfs 4.0K Apr 13 17:00 /var/lib/ipfs/.ipfs
chymera@neurohost ~ $ ls -lah /var/lib/ipfs/.ipfs/
total 32K
drwxr-xr-x 5 ipfs ipfs 4.0K Apr 13 17:00 .
drwxr-xr-x 3 ipfs ipfs 4.0K Apr 13 17:00 ..
drwxr-xr-x 4 ipfs ipfs 4.0K Apr 13 17:00 blocks
-rw------- 1 ipfs ipfs 3.7K Apr 13 17:00 config
drwxr-xr-x 2 ipfs ipfs 4.0K Apr 13 17:00 datastore
-rw------- 1 ipfs ipfs 190 Apr 13 17:00 datastore_spec
drwx------ 2 ipfs ipfs 4.0K Apr 13 17:00 keystore
-rw-r--r-- 1 ipfs ipfs 3 Apr 13 17:00 version
chymera@neurohost ~ $ groups
wheel audio users portage ipfs syncthing chymera chymera-data manish-data
chymera@neurohost ~ $ touch .ipfs/lala.py
touch: cannot touch '.ipfs/lala.py': Permission denied
```
Well, I've reported this upstream, maybe they know how this is supposed to work: https://discuss.ipfs.io/t/ipfs-and-group-permissions/13983
Ok, so I was able to jerry-rig an emergency fix but it's not nice because it simply runs the daemon as the user. I don't see why there should be one daemon per user. Ideally the present group approach could be made to work. For the time being, my fix was:

(1) make the logs directory writable for the user: `chmod -R 775 /var/log/ipfs`
(2) instead of the current init.d and conf.d files, use the attached files named `/etc/{init,conf}.d/ipfs.yourusername` respectively.
(3) run `ipfs init` as user
(4) start the service with `/etc/init.d/ipfs.youruser start`.

Should work but let's hope we can fix the current approach instead.
Created attachment 770681: /etc/init.d/ipfs.youruser
Created attachment 770684: /etc/conf.d/ipfs.youruser
(In reply to Horea Christian from comment #0)
> Going by the elog text in =net-p2p/go-ipfs-0.11.0 (
> https://gitweb.gentoo.org/repo/gentoo.git/tree/net-p2p/go-ipfs/go-ipfs-0.11.0.ebuild#n1973
> ) I create `/var/lib/ipfs/.ipfs`, set its ownership to
> ipfs:ipfs, and add my user to the ipfs group.
>
> Sadly by default a lot of files in the directory are not writeable by the
> group, and even after `chmod -R 775 /var/lib/ipfs` they will somehow revert
> to that.
>
> ```
> chymera@decohost ~ $ ls -lahd .ipfs
> lrwxrwxrwx 1 chymera chymera 20 Apr 12 12:09 .ipfs -> /var/lib/ipfs/.ipfs/
> chymera@decohost ~ $ ls -lah .ipfs/
> total 2.3M
> drwxrwxr-x 5 ipfs ipfs 4.0K Apr 13 14:34 .
> drwxrwxr-x 3 ipfs ipfs 4.0K Apr 12 12:13 ..
> -rw-r--r-- 1 ipfs ipfs 23 Apr 13 14:34 api
> drwxrwxr-x 20 ipfs ipfs 4.0K Apr 13 14:34 blocks
> -rw------- 1 ipfs ipfs 3.7K Apr 13 14:32 config
> -rw------- 1 ipfs ipfs 3.7K Apr 13 14:31 config-pre-lowpower-2169471326
> -rw------- 1 ipfs ipfs 3.7K Apr 13 14:32 config-pre-lowpower-3509665115
> drwxrwxr-x 2 ipfs ipfs 4.0K Apr 13 14:34 datastore
> -rwxrwxr-x 1 ipfs ipfs 190 Apr 12 12:13 datastore_spec
> drwxrwxr-x 2 ipfs ipfs 4.0K Apr 12 12:13 keystore
> -rwxrwxr-x 1 ipfs ipfs 2.2M Apr 12 21:45 lala.png
> -rw-r--r-- 1 ipfs ipfs 0 Apr 13 14:34 repo.lock
> -rwxrwxr-x 1 ipfs ipfs 3 Apr 12 12:13 version
> ```
>
> This means that it's very hard to manage the repository or configuration via
> my user (or any user at all, really, since ipfs isn't a user with a shell).
> After e.g. running:
>
> ```
> chymera@decohost ~/.ipfs $ ipfs config profile apply lowpower
> ```
>
> the service failed to start until I ran `chown -R ipfs:ipfs /var/lib/ipfs/`.
> This seems pretty unstable, though I'm not sure how this could be nicely
> fixed if upstream code insists on not setting group write.
>
> Perhaps I am just using the software incorrectly and some additional info
> could be added to elog?
Instead of having a symlink from ~/.ipfs to /var/lib/ipfs/.ipfs, what I do is export /etc/conf.d/ipfs so the shell uses that IPFS_PATH. I don't like it, but it works; maybe it would be better to have a wrapper around ipfs, or something like that, which by default sets IPFS_PATH according to /etc/conf.d/ipfs.
@David

But even without the symlink and pointing to the right path, executing `ipfs` commands will fail if done as user:

```
neurohost /var/lib/ipfs # su -s /bin/sh -c "ipfs init -e" ipfs
neurohost /var/lib/ipfs # /etc/init.d/ipfs start
 * Caching service dependencies ... [ ok ]
 * Starting ipfs ...
neurohost /var/lib/ipfs # su - chymera
chymera@neurohost ~ $ ipfs get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied
```
(In reply to Horea Christian from comment #7)
> @David
>
> But even without the symlink and pointing to the right path, executing
> `ipfs` commands will fail if done as user:
>
> ```
> neurohost /var/lib/ipfs # su -s /bin/sh -c "ipfs init -e" ipfs
> neurohost /var/lib/ipfs # /etc/init.d/ipfs start
>  * Caching service dependencies ... [ ok ]
>  * Starting ipfs ...
> neurohost /var/lib/ipfs # su - chymera
> chymera@neurohost ~ $ ipfs get Qmep2QrM7L7ditXcjKArVPkvmMtVNAh4p5KSPBBS8usr1X
> Error: error loading plugins: open /var/lib/ipfs/.ipfs/config: permission denied
> ```

It works for me, I will try with a fresh install. Did you update the permissions of /var/lib/ipfs/.ipfs/config after removing the symlink?
I am going to close this. There are workarounds for this use case, upstream advised on what to do, and I'm really not sure what we can do on the distro level. Add users to ipfs group and make sure the config has group read permissions, I think that's the resolution?
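
A read-only check for the file side of the resolution in the closing comment (repo entries owned by the shared group, directories traversable and files readable by it), added here as an example and not taken from the bug thread, the ebuild or upstream. `audit_repo`, `tag` and the finding labels are hypothetical names; the repo path and group are passed as arguments.

```shell
#!/bin/sh
# Added example: audit a repo directory for the group access the thread's
# resolution relies on. Nothing is modified; findings are only reported.

# tag LABEL: prefix every path read from stdin with LABEL and a tab.
tag() {
    while IFS= read -r p; do printf '%s\t%s\n' "$1" "$p"; done
}

# audit_repo REPO GROUP
# Prints one "label<TAB>path" line per finding; returns 1 if any were found.
audit_repo() {
    repo=$1 grp=$2
    [ -d "$repo" ] || { printf 'missing-repo\t%s\n' "$repo"; return 1; }
    findings=$(
        # Entries whose group is not the shared group.
        find "$repo" ! -group "$grp" | tag wrong-group
        # Directories group members cannot list or enter (need r-x = 050).
        find "$repo" -type d ! -perm -050 | tag dir-no-group-rx
        # Regular files group members cannot read (need r-- = 040).
        find "$repo" -type f ! -perm -040 | tag file-no-group-read
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Called as `audit_repo /var/lib/ipfs/.ipfs ipfs`, it would report `config`, `datastore_spec` and `keystore` among the entries shown in the fresh-install listing earlier in the thread. Granting group read on `config` gives every member of the group access to whatever that file holds, so the group's membership is part of what needs reviewing.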