Fixing Penpot Access Denied Errors in Docker

This guide provides steps to resolve the AccessDeniedException: /opt/data/assets/2c error that occurs when Penpot cannot write to its asset directories.

In this guide, we will use /srv/dockerdata/cloud-services/penpot/assets as the directory for the /opt/data/assets for penpot-penpot-backend-1 (based on the default naming scheme from the compose files provided here. That said, you should refrain from using the same name and directory in the example above.)

Problem

If you see an error like this in your Penpot logs:

java.nio.file.AccessDeniedException: /opt/data/assets/2c

It means the Penpot application does not have permission to write to the assets directory.

Quick Fix

1. Check Current Permissions

First, examine the current ownership of your assets directory:

ls -la /srv/dockerdata/cloud-services/penpot/assets

If the directory is owned by a user other than the one running Penpot, you need to change the ownership.

2. Find Penpot's User ID

Determine which user ID Penpot runs as inside the container:

docker exec -it $(docker ps | grep penpot | awk '{print $1}') id

Note the UID and GID returned (typically 1000 or 1001 for Penpot).

3. Change Ownership

Update the directory ownership to match Penpot's user ID:

sudo chown -R 1001:1001 /srv/dockerdata/cloud-services/penpot/assets

Replace 1001:1001 with the actual UID:GID from step 2.

4. Set Correct Permissions

Ensure the directory has the right permissions:

sudo chmod -R 755 /srv/dockerdata/cloud-services/penpot/assets

5. Create Required Subdirectories

If needed, explicitly create the problematic subdirectory:

sudo mkdir -p /srv/dockerdata/cloud-services/penpot/assets/2c
sudo chown -R 1001:1001 /srv/dockerdata/cloud-services/penpot/assets/2c

6. Restart Penpot

Restart the container to apply changes:

docker restart $(docker ps | grep penpot | awk '{print $1}')

Or if using Docker Compose:

docker-compose restart penpot

Preventing Future Issues

To prevent this issue in the future, consider updating your Docker Compose configuration to ensure volume permissions are correctly maintained:

services:
  penpot-frontend:
    # ... other config ...
    volumes:
      - /srv/dockerdata/cloud-services/penpot/assets:/opt/data/assets:rw
    user: "1001:1001"  # Use the correct UID:GID

This should resolve the permission issues and allow Penpot to function properly.