Problem
Terraform Enterprise fails to start with the following error from the Nginx process.
{"log":"nginx: [emerg] mkdir() \"/var/run/terraform-enterprise/tmp\" failed (13: Permission denied)","component":"nginx"}
Prerequisites
- Flexible Deployment Options (Docker deployment)
- Terraform Enterprise >=v202404-2
Cause
This is caused by running the container as the root user. In Terraform Enterprise >=v202404-2, the individual services comprising Terraform Enterprise run under unprivileged user accounts (i.e., Nginx runs under the unprivileged nginx account, which is also a member of the root group).
docker exec -ti terraform-enterprise id nginx
uid=999(nginx) gid=999(nginx) groups=999(nginx),0(root)
Terraform Enterprise configures Nginx to use /var/run/terraform-enterprise/tmp as a path for storing temporary files, and as part of its startup routine Nginx attempts to create this directory. However, when the container is configured to run as the root user, a necessary startup procedure which assigns write permissions to the group owner of the /var/run/terraform-enterprise directory is skipped. As a result, the Nginx process (which relies on its membership of the root group for write access) does not have permission to create a subdirectory there.
docker exec -ti terraform-enterprise ls -ld /var/run/terraform-enterprise/
drwxr-xr-x 23 root root 480 Feb 25 15:41 /var/run/terraform-enterprise/
This is evidenced by the following startup log line, which indicates that the init process of the container was not started as the default user, terraform-enterprise.
Not running as builtin tfe user, will attempt to create scratch directories but skipping ownership changes...
Solution
To resolve this issue, run the Terraform Enterprise container as its default unprivileged user, terraform-enterprise, by removing any directive from the configuration which specifies the username or UID:GID. The container user is configured differently depending on the platform; see the example below for guidance.
Docker Compose
...
services:
  <TFE_SERVICE_NAME>:
    user: root   # remove this directive so the container starts as the default terraform-enterprise user
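The following shell script is an added example, not code from HashiCorp or the Terraform Enterprise image. It reproduces the check described in the Cause section: given the `id nginx` output and the `ls -ld` line quoted above, it decides whether that user could create a subdirectory under /var/run/terraform-enterprise (mkdir() needs write and search permission on the parent, and uid 0 bypasses the check). It also contains a small check for the Solution section that counts `user:` directives in a Compose file so they can be spotted before deployment. All sample inputs are constructed; the "fixed" directory mode and the `<TFE_IMAGE>` / `<OTHER_IMAGE>` names are assumptions, not values from the page.

```shell
#!/bin/sh
# Added example (not HashiCorp's code). Evaluates the Unix permission check
# that Nginx's mkdir() call fails in the article, from `id` and `ls -ld` text.

# Group names from an `id` line such as
#   uid=999(nginx) gid=999(nginx) groups=999(nginx),0(root)
# Prints a comma-separated list, e.g. "nginx,root".
id_group_names() {
    printf '%s\n' "$1" | sed 's/.*groups=//' | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' | tr '\n' ',' | sed 's/,$//'
}

# Permission triplet that applies to a user for a directory described by an
# `ls -ld` mode string (e.g. drwxr-xr-x), its owner and its group. The owner
# class wins, then the group class if the user is a member, else "other".
applicable_bits() {
    mode=$1; owner=$2; group=$3; uname=$4; ugroups=$5
    if [ "$owner" = "$uname" ]; then
        printf '%s' "$mode" | cut -c2-4
    elif printf ',%s,' "$ugroups" | grep -qF ",$group,"; then
        printf '%s' "$mode" | cut -c5-7
    else
        printf '%s' "$mode" | cut -c8-10
    fi
}

# can_create_subdir ID_LINE LS_LINE -> prints "yes" or "no".
# Creating an entry requires write and search (x/s/t) permission on the
# parent; uid 0 bypasses discretionary access checks entirely.
can_create_subdir() {
    idline=$1; lsline=$2
    uid=$(printf '%s' "$idline" | sed 's/^uid=\([0-9]*\).*/\1/')
    uname=$(printf '%s' "$idline" | sed 's/^uid=[0-9]*(\([^)]*\)).*/\1/')
    ugroups=$(id_group_names "$idline")
    set -- $lsline                # split the ls -ld line into fields
    mode=$1; owner=$3; group=$4
    if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
    bits=$(applicable_bits "$mode" "$owner" "$group" "$uname" "$ugroups")
    w=$(printf '%s' "$bits" | cut -c2)
    x=$(printf '%s' "$bits" | cut -c3)
    if [ "$w" = w ] && { [ "$x" = x ] || [ "$x" = s ] || [ "$x" = t ]; }; then
        echo yes
    else
        echo no
    fi
}

# Count service-level `user:` keys in Compose YAML text (the directive the
# article says to remove). Heuristic line match; prints the count.
count_user_directives() {
    printf '%s\n' "$1" | grep -cE '^[[:space:]]*user:[[:space:]]*' || true
}

# Constructed samples matching the output quoted in the article.
NGINX_ID='uid=999(nginx) gid=999(nginx) groups=999(nginx),0(root)'
RUN_DIR_AS_ROOT='drwxr-xr-x 23 root root 480 Feb 25 15:41 /var/run/terraform-enterprise/'
# Assumed mode once the skipped startup step has granted group write (constructed).
RUN_DIR_FIXED='drwxrwxr-x 23 root root 480 Feb 25 15:41 /var/run/terraform-enterprise/'
# Constructed Compose fragment; image names are placeholders.
COMPOSE_WITH_USER='services:
  terraform-enterprise:
    image: <TFE_IMAGE>
    user: root
  other-service:
    image: <OTHER_IMAGE>
    user: "1000:1000"'

printf 'nginx may mkdir under root:root 755 parent: %s\n' \
    "$(can_create_subdir "$NGINX_ID" "$RUN_DIR_AS_ROOT")"
printf 'nginx may mkdir once group write is granted: %s\n' \
    "$(can_create_subdir "$NGINX_ID" "$RUN_DIR_FIXED")"
printf 'user: directives found in sample Compose file: %s\n' \
    "$(count_user_directives "$COMPOSE_WITH_USER")"
```

Run it with `sh` after pasting your own `id` and `ls -ld` output from `docker exec` into the two variables; a "no" for the nginx user on the parent directory is the condition that produces the `[emerg] mkdir()` error, and a non-zero directive count points at the Compose line to delete.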