[GH-ISSUE #1207] SqliteError: unable to open database file when using podman #10570

Open
opened 2026-05-06 14:08:34 -05:00 by GiteaMirror · 13 comments

Originally created by @hseliger on GitHub (Aug 3, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1207

Hi!
I am trying to install pangolin under Linux (Alma Linux 9) using podman and podman-compose. The installer starts, creates the folder structure and all configuration files, but then hangs. I have checked the created files against the documentation and compared to "manual installation using docker compose". All seems fine (some minor additions the installer seems to make, such as enabling IPv6).
When I run podman compose up (skipping the "-d" so I see the output) I get the following sqlite error:

[pangolin] | 
[pangolin] | > @fosrl/pangolin@0.0.0 start:sqlite
[pangolin] | > DB_TYPE=sqlite NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'
[pangolin] | 
[pangolin] | 
[pangolin] | /app/node_modules/better-sqlite3/lib/database.js:69
[pangolin] |            [util.cppdb]: { value: new addon.Database(filename, filenameGiven, anonymous, readonly, fileMustExist, timeout, verbose || null, buffer || null) },
[pangolin] |                                   ^
[pangolin] | SqliteError: unable to open database file
[pangolin] |     at new Database (/app/node_modules/better-sqlite3/lib/database.js:69:26)
[pangolin] |     at createDb (/app/server/db/sqlite/driver.ts:15:20)
[pangolin] |     at <anonymous> (/app/server/db/sqlite/driver.ts:19:19)
[pangolin] |     at ModuleJob.run (node:internal/modules/esm/module_job:263:25)
[pangolin] |     at async ModuleLoader.import (node:internal/modules/esm/loader:540:24)
[pangolin] |     at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:117:5) {
[pangolin] |   code: 'SQLITE_CANTOPEN'
[pangolin] | }
[pangolin] | 
[pangolin] | Node.js v20.19.4

Since my assumption is that all commands are running inside the container environment, it should not be an issue of missing packages on the system. Permissions should not be an issue. Podman is run as root and I tried setting config/db folder permissions to world-writable (777), which did not change things.

Anything I can do to get it started? I could not find a matching existing issue, but it could of course still be that I am the problem…

Cheers,
Hendrik

GiteaMirror added the needs investigating, docker, help wanted labels 2026-05-06 14:08:34 -05:00

@oschwartz10612 commented on GitHub (Aug 3, 2025):

Hum it should have generated a db.sqlite file in your config/db/ directory. Is there a file there?

If not it is supposed to create one which is strange.


@hseliger commented on GitHub (Aug 3, 2025):

No, the directory db was created but no file in it. That's why I tried with world-writable, to no avail.
Here is what was created:

.
├── config
│   ├── config.yml
│   ├── db
│   ├── letsencrypt
│   ├── logs
│   └── traefik
│       ├── dynamic_config.yml
│       ├── logs
│       └── traefik_config.yml
├── docker-compose.yml

@AdamWorley commented on GitHub (Aug 4, 2025):

I am also seeing this when running the quick start guide using docker (compose). The file is created for me, but it would seem the file is read-only.

pangolin  | > @fosrl/pangolin@0.0.0 start:sqlite
pangolin  | > DB_TYPE=sqlite NODE_OPTIONS=--enable-source-maps NODE_ENV=development ENVIRONMENT=prod sh -c 'node dist/migrations.mjs && node dist/server.mjs'
pangolin  |
pangolin  | Starting migrations from version 1.8.0
pangolin  | Migrations to run:
pangolin  | All migrations completed successfully
pangolin  | 2025-08-04T18:52:37.633Z [info]: Started offline checker interval
pangolin  | 2025-08-04T18:52:37.644Z [warn]: Email SMTP configuration is missing. Emails will not be sent.
pangolin  | SqliteError: attempt to write a readonly database
pangolin  |     at PreparedQuery.run (/app/node_modules/src/better-sqlite3/session.ts:132:20)
pangolin  |     at QueryPromise.run (/app/node_modules/src/sqlite-core/query-builders/update.ts:443:26)
pangolin  |     at QueryPromise.execute (/app/node_modules/src/sqlite-core/query-builders/update.ts:459:53)
pangolin  |     at Function.<anonymous> (/app/server/setup/copyInConfig.ts:68:22)
pangolin  |     at async cw (/app/server/setup/copyInConfig.ts:34:5)
pangolin  |     at async Pp (/app/server/setup/copyInConfig.ts:12:9)
pangolin  |     at async vp (/app/server/setup/index.ts:6:5)
pangolin  |     at async uD (/app/server/index.ts:14:5) {
pangolin  |   code: 'SQLITE_READONLY'
pangolin  | }
pangolin  | 2025-08-04T18:53:07.646Z [error]: Error in offline checker interval {"error":{"code":"SQLITE_READONLY"}}
pangolin  | 2025-08-04T18:53:37.639Z [error]: Error in offline checker interval {"error":{"code":"SQLITE_READONLY"}}

Attempting to delete the "tmp" folder I added for testing results in the following if this is of any help

rm: cannot remove 'tmp/config/db/db.sqlite': Permission denied
rm: cannot remove 'tmp/config/logs': Permission denied
rm: cannot remove 'tmp/config/traefik/dynamic_config.yml': Permission denied
rm: cannot remove 'tmp/config/traefik/traefik_config.yml': Permission denied
rm: cannot remove 'tmp/config/config.yml': Permission denied
rm: cannot remove 'tmp/config/letsencrypt': Permission denied

@hseliger commented on GitHub (Aug 5, 2025):

An update from my end: I removed podman and installed docker-ce. Now pangolin installs and runs correctly. I've so far never had problems using podman, at least as long as I run it as root (user podman and privileged ports is an issue), so no idea what the problem is. I've amended the topic accordingly.


@KorewaLidesu commented on GitHub (Aug 5, 2025):

> An update from my end: I removed podman and installed docker-ce. Now pangolin installs and runs correctly. I've so far never had problems using podman, at least as long as I run it as root (user podman and privileged ports is an issue), so no idea what the problem is. I've amended the topic accordingly.

I have the same problem with this.
I think it is due to the installer using root to create the folder, which causes an issue when a normal user tries to start Pangolin in userspace mode.
This can be fixed by simply running podman compose as root (via sudo) instead of as a normal user.
Or manually fix the permissions.


@hseliger commented on GitHub (Aug 5, 2025):

This cannot be all, because I did run podman compose as root. I'm installing on a virtual server that should only serve pangolin, so there aren't any other users on that machine. I run the installer for pangolin as root and that already fails to set up the sqlite db.


@oschwartz10612 commented on GitHub (Aug 6, 2025):

> I think it is due to installer use root to create folder, which cause
> issue when normal user try start Pangolin on userspace mode

I suspect you are probably onto something here. Docker and podman have differences in the permissions inside and around the containers. The database is actually created inside of the container and because the volume is mounted it would have the permissions of the process inside of that first container. But if the volume is not writable by the podman container because it was created by root then you would have an issue there.

This probably warrants some investigation! @wayneyaoo thoughts?


@wayneyaoo commented on GitHub (Aug 30, 2025):

Hi @oschwartz10612 and @hseliger I took some time to look into this today. So I had a repro of the issue on AlmaLinux 9. The symptom was exactly like what was reported. I attempted this and found that in the container the access to the /app/config directory itself was denied:

[root@202508301503 ~] podman exec -it pangolin ls -al /app/config
ls: can't open '/app/config': Permission denied
total 0

A bit of Googling led me to believe this was a SELinux issue, that the container context somehow cannot access host directories unless the directory context is configured correctly or SELinux is disabled. This didn't repro on Debian, probably because AlmaLinux has SELinux enabled by default (in my case) and Debian doesn't.

Solutions are two: either SELinux is disabled or the folder is configured with correct context. I can't recommend disabling SELinux (cough...) but that might be an option for home labs:)

# At this point Pangolin won't start.
[root@202508301503 ~] podman exec -it pangolin ls -al /app/config
ls: can't open '/app/config': Permission denied
total 0

# Temporarily disable SELinux
[root@202508301503 ~] setenforce 0
[root@202508301503 ~]

# Works
[root@202508301503 ~] podman exec -it pangolin ls -al /app/config
total 8
drwxr-xr-x    6 root     root            91 Aug 30 09:24 .
drwxr-xr-x    1 root     root            20 Aug 30 09:24 ..
-rw-r--r--    1 root     root           775 Aug 30 07:41 config.yml
drwxrwxrwx    2 root     root            23 Aug 30 09:24 db
-rw-r--r--    1 root     root            44 Aug 30 09:24 key
drwxr-xr-x    2 root     root            23 Aug 30 09:24 letsencrypt
drwxr-xr-x    2 root     root             6 Aug 30 07:41 logs
drwxr-xr-x    3 root     root            70 Aug 30 07:42 traefik

# Or do this to configure on host
[root@202508301503 ~] chcon -Rt svirt_sandbox_file_t config/
# Now Pangolin should start

Note setenforce 0 only disables SELinux until next reboot.

Please check if Pangolin works correctly after this.

Reference:
- https://stackoverflow.com/questions/24288616/permission-denied-on-accessing-host-directory-in-docker

@fcrozat commented on GitHub (Aug 30, 2025):

In fact, there is no need to disable SELinux, but the default settings for volume SELinux protection ensure the volume is only accessible from the original container.
In the Pangolin case, you need to lower a bit the SELinux protection of the pangolin and gerbil volume.

When using podman quadlet (you can use the same on podman CLI), you go from:
Volume=/var/lib/pangolin:/var/config:Z
to
Volume=/var/lib/pangolin:/var/config:z

Z => z will allow volume to be shared between different containers.
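The two failure modes discussed above (a host directory that still carries its original type such as admin_home_t, and a container_file_t directory that was relabelled with a private `:Z` category set belonging to another container) both show up as AVC denials in the audit log. The following helpers are an added example, not code from the Pangolin project or from anyone in this thread: they pull the relevant fields out of an AVC line, check the live label of a bind-mount directory with `ls -dZ`, and apply the label persistently with `semanage fcontext` plus `restorecon` rather than with `chcon`, which is undone by the next relabel. The directory path and the sample AVC line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the Pangolin project or this thread.
# Assumes a host with SELinux tooling (ls -Z, ausearch, semanage, restorecon).

# Types a container_t process may read and write on a bind mount.
# svirt_sandbox_file_t is the legacy alias of container_file_t.
CONTAINER_TYPES="container_file_t svirt_sandbox_file_t"

# Field 3 of "user:role:type:level[:categories]".
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Everything from field 4 on, e.g. "s0" or "s0:c123,c456".
context_level() {
    printf '%s\n' "$1" | cut -d: -f4-
}

# 0 when the type is one a container can use.
is_container_type() {
    for t in $CONTAINER_TYPES; do
        [ "$1" = "$t" ] && return 0
    done
    return 1
}

# Takes one AVC line (from /var/log/audit/audit.log or `ausearch -m AVC`).
# Prints the offending target type when a container_t process was denied on a
# file with a non-container type, prints "mcs-mismatch" when the type is fine
# but the target carries another container's private categories (the ":Z"
# case), and prints nothing / returns 1 when the line is not such a denial.
avc_volume_problem() {
    line="$1"
    case "$line" in
        *"avc:  denied"*) ;;
        *) return 1 ;;
    esac
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    [ "$(context_type "$sctx")" = "container_t" ] || return 1
    ttype=$(context_type "$tctx")
    if ! is_container_type "$ttype"; then
        printf '%s\n' "$ttype"
        return 0
    fi
    slevel=$(context_level "$sctx")
    tlevel=$(context_level "$tctx")
    # "s0" with no categories is the shared label ":z" produces; a different
    # category set means the volume was given to one specific container (":Z").
    if [ "$tlevel" != "s0" ] && [ "$tlevel" != "$slevel" ]; then
        printf 'mcs-mismatch\n'
        return 0
    fi
    return 1
}

# 0 if the directory's current label is usable by containers.
volume_label_ok() {
    ctx=$(ls -dZ "$1" | awk '{print $1}')
    is_container_type "$(context_type "$ctx")"
}

# Persistent fix: record the rule so restorecon/relabels keep it, then apply.
fix_volume_label() {
    semanage fcontext -a -t container_file_t "${1}(/.*)?"
    restorecon -Rv "$1"
}

# Usage on the Pangolin host as root (path is an assumption):
#   . ./selinux_volume.sh
#   volume_label_ok /root/pangolin/config || fix_volume_label /root/pangolin/config
#   ausearch -m AVC -ts recent | while read -r l; do avc_volume_problem "$l"; done
```

If a fcontext rule for the path already exists, `semanage fcontext -a` refuses with "already defined"; use `-m` to modify it instead. The label check only looks at the type, so a `:Z`-labelled directory passes `volume_label_ok` but still surfaces as `mcs-mismatch` in the audit log when a second container touches it.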


@wayneyaoo commented on GitHub (Aug 30, 2025):

@fcrozat thanks for the info! I tested again with your suggestion by adding a :z to all the host volumes in the docker-compose.yml. The directory access was resolved, but I believe some network permission issue arose. So pangolin could start, creating the db just fine with :z, but traefik and gerbil failed with these respectively:

traefik:

[traefik]  | Error: unable to start container 0a04a26c72dffce5b2c59c5c3b76190f4a961de19764a706c70f280ad392d43c: crun: open `/proc/76708/ns/net`: No such file or directory: OCI runtime attempted to invoke a command that was not found

gerbil:

[gerbil]   | INFO: 2025/08/30 19:07:30 Fetching remote config from http://pangolin:3001/api/v1/gerbil/get-config
[pangolin] | 2025-08-30T19:07:31.023Z [info]: Updated exit node
[gerbil]   | FATAL: 2025/08/30 19:07:31 Failed to create WireGuard interface: operation not supported
[pangolin] | 2025-08-30T19:07:32.542Z [info]: Updated exit node
[pangolin] | 2025-08-30T19:07:33.503Z [info]: Updated exit node
[pangolin] | 2025-08-30T19:07:34.785Z [info]: Updated exit node
[pangolin] | 2025-08-30T19:07:35.854Z [info]: Updated exit node
[pangolin] | 2025-08-30T19:07:36.863Z [info]: Updated exit node
.... # pangolin kept updating exit node

Given this "ns/net" not found and gerbil not being able to create an interface, I presume SELinux blocked some network config calls? I can probably use some research, but at this point, disabling SELinux as a workaround isn't unreasonable.


@fcrozat commented on GitHub (Aug 30, 2025):

Here is the configuration I use with podman quadlet, which is working fine with SELinux in enforcing mode on openSUSE MicroOS (I'll try to create a github repo with those quadlets):

pangolin.container:

[Unit]
Description=Pangolin Service
After=network.target

[Container]
Network=pangolin.network
Image=docker.io/fosrl/pangolin:latest
ContainerName=pangolin
Volume=/var/lib/pangolin:/app/config:z
HealthCmd=curl -f http://localhost:3001/api/v1/
HealthInterval=3s
HealthTimeout=3s
HealthRetries=15

[Service]
Restart=always

[Install]
WantedBy=multi-user.target

gerbil.container:

[Unit]
Description=Gerbil Service
After=pangolin.service network.target
Requires=pangolin.service

[Container]
Network=pangolin.network
Image=docker.io/fosrl/gerbil:latest
ContainerName=gerbil
Volume=/var/lib/pangolin:/var/config:z
AddCapability=CAP_NET_ADMIN CAP_SYS_MODULE CAP_NET_RAW
PublishPort=51820:51820/udp
PublishPort=21820:21820/udp
Exec=--reachableAt=http://gerbil:3003 --generateAndSaveKeyTo=/var/config/key --remoteConfig=http://pangolin:3001/api/v1/gerbil/get-config --reportBandwidthTo=http://pangolin:3001/api/v1/gerbil/receive-bandwidth

[Service]
Restart=always

[Install]
WantedBy=multi-user.target

pangolin.network:

[Network]
Label=app=pangolin

traefik.container:

[Unit]
Description=Traefik Reverse Proxy
After=pangolin.service gerbil.service network.target
Requires=pangolin.service gerbil.service

[Container]
Image=docker.io/library/traefik:v3.4.0
ContainerName=traefik
Network=pangolin.network
Volume=/var/lib/pangolin/traefik:/etc/traefik:ro,Z
Volume=/var/lib/pangolin/letsencrypt:/letsencrypt:Z
Exec=--configFile=/etc/traefik/traefik_config.yml
PublishPort=80:80
PublishPort=443:443

[Service]
Restart=always

[Install]
WantedBy=multi-user.target

/etc/modules-load.d/pangolin.conf

rtnl-link-wireguard
net-pf-16-proto-16-family-wireguard
nfnetlink-subsys-11
nft-expr-target
ipt_tcp
ipt_TCPMSS

(the last file is needed because containers are not allowed to load kernel modules, it is safer to preload them in advance).


@wayneyaoo commented on GitHub (Aug 30, 2025):

:) well, the last file might be the key - I saw Wireguard stuff there. I can give it a try tomorrow.


@pomac303 commented on GitHub (Nov 14, 2025):

I ran into this as well... so:

1. Change the docker file to add :z in the volume mounts, example:
    - ./config:/app/config:z
    - pangolin-data:/var/certificates:z
    - pangolin-data:/var/dynamic:z

2. You now have to change the labels of your files:
    setenforce 0 # (can't do it with selinux enforcing)
    chcon -R -t container_file_t -u system_u *
    setenforce 1

You should now be able to start pangolin.

Reference: github-starred/pangolin#10570