Can’t write to existing log directories after upgrading to v1.19 (default UID changed) #448

@aoirint

Describe the bug

Users relying on the default tag (e.g. fluent/fluentd:latest) or OS-agnostic version tags (e.g. fluent/fluentd:v1.18-1) from v1.18 and earlier may fail to write to existing log directories after upgrading to v1.19.

This seems to be caused by a change in the default UID (maybe unintended).

To Reproduce

1. Create a log directory (as it works in v1.18)

# docker run --rm fluent/fluentd:v1.18-1 id -u
100
mkdir 'logs'
chown -R '100:100' 'logs'

2. (Optional) Run v1.18

# docker image inspect --format '{{.Id}}' fluent/fluentd:v1.18-1
sha256:857a0fbd95b2eb610761fbcd2989e10e08c09d9b7de117ec796f8b1872a1a8ac
docker run \
  -d \
  --name fluentd-118 \
  -p '127.0.0.1:9880:9880/tcp' \
  -v './fluent.conf:/fluentd/etc/fluent.conf:ro' \
  -v './logs:/logs' \
  fluent/fluentd:v1.18-1

curl -X POST -d '{"msg":"hello from v1.18"}' -H 'Content-Type: application/json' http://127.0.0.1:9880/myapp.access

docker kill --signal SIGUSR1 fluentd-118

docker stop fluentd-118
docker rm fluentd-118

As expected, v1.18 successfully writes to the log directory.

# cat logs/access.20251003_0.log
{"msg":"hello from v1.18"}

3. Run v1.19

# docker image inspect --format '{{.Id}}' fluent/fluentd:v1.19-2
sha256:25e8eec7490783f7c26fe1454e55591d367e374ae93712c4a1be883aaebf3ba0
docker run \
  -d \
  --name fluentd-119 \
  -p '127.0.0.1:9880:9880/tcp' \
  -v './fluent.conf:/fluentd/etc/fluent.conf:ro' \
  -v './logs:/logs' \
  fluent/fluentd:v1.19-2

In contrast, v1.19 fails to start and does not write to the same log directory.

# curl -X POST -d '{"msg":"hello from v1.19"}' -H 'Content-Type: application/json' http://127.0.0.1:9880/myapp.access
curl: (7) Failed to connect to 127.0.0.1 port 9880 after 0 ms: Couldn't connect to server

# docker kill --signal SIGUSR1 fluentd-119
Error response from daemon: cannot kill container: fluentd-119: container 5e409fb16a44fb39485e46a0e3789db0cec3f482ef7730c3b07f25a0a83591ac is not running

docker stop fluentd-119
docker rm fluentd-119

# cat logs/access.20251003_1.log
cat: logs/access.20251003_1.log: No such file or directory

Expected behavior

v1.19 should have started successfully and written to the same log directory.

# cat logs/access.20251003_1.log
{"msg":"hello from v1.19"}

Your Environment

  • Tag of using fluentd-docker-image: fluent/fluentd:v1.18-1, fluent/fluentd:v1.19-2
  • Ubuntu 24.04 (WSL2, Windows 11 24H2)
  • Docker Desktop for Windows v4.47.0
    • Docker Engine v28.4.0

Your Configuration

<source>
  @type http
  port 9880
  <parse>
    @type json
  </parse>
</source>

<match myapp.access>
  @type file
  path /logs/access
  <format>
    @type json
  </format>
</match>

Your Error Log

# docker logs fluentd-119
2025-10-03 12:33:52 +0000 [info]: init supervisor logger path=nil rotate_age=nil rotate_size=nil
2025-10-03 12:33:52 +0000 [info]: parsing config file is succeeded path="/fluentd/etc/fluent.conf"
2025-10-03 12:33:52 +0000 [info]: inaccessible include directory was specified path="/etc/fluent/conf.d"
2025-10-03 12:33:52 +0000 [info]: gem 'fluentd' version '1.19.0'
2025-10-03 12:33:52 +0000 [error]: config error file="/fluentd/etc/fluent.conf" error_class=Fluent::ConfigError error="out_file: `/logs/access.20251003_**.log` is not writable"

Additional context

This issue is a follow-up to a post thread on X.

This issue is intended as a reference. It’s already resolved on my side, so I’ll leave it to the maintainers to decide whether to address it further, simply close it, or make some form of announcement.

Investigation

It looks like the default UID of the default tags has changed since v1.19.

# docker run --rm fluent/fluentd:v1.19-2 id -u
999

This seems to be because the base OS for the default tags was switched from Alpine Linux to Debian ( #424 ), causing adduser/useradd to assign a different initial UID.

# docker image inspect --format '{{.Id}}' alpine:3.19
sha256:3be987e6cde1d07e873c012bf6cfe941e6e85d16ca5fc5b8bedc675451d2de67

# docker run --rm alpine:3.19 ash -c 'addgroup -S fluent && adduser -S -G fluent fluent && id -u fluent'
100

# docker image inspect --format '{{.Id}}' debian:13
sha256:fd8f5a1df07b5195613e4b9a0b6a947d3772a151b81975db27d47f093f60c6e6

# docker run --rm debian:13 bash -c 'groupadd -r fluent && useradd -r -g fluent fluent && id -u fluent'
999

Personally, I assume that users of the prior Debian-based images expect the UID to be 999. Since the Alpine-based images have been deprecated, changing the default tag’s UID to 100 might not be a good approach.

# docker image inspect --format '{{.Id}}' fluent/fluentd:v1.18-debian
sha256:f8d26db76ba06ce96e8d402119675071624dab724af49be40fd34641c347c440

# docker run --rm fluent/fluentd:v1.18-debian id -u
999

As a user-side practice, explicitly specifying the Docker user (e.g. using docker run --user) may help avoid this kind of issue.

# docker run --rm --user '999:999' fluent/fluentd:v1.18-1 id -u
999

# docker run --rm --user '100:100' fluent/fluentd:v1.19-2 id -u
100

Or adjust ownership of existing log directories (and files) to match the new default UID in v1.19.

chown -R '999:999' logs
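
The ownership mismatch described in this issue can be caught before an upgrade. The following is an added example, not part of the original issue or of the fluentd-docker-image project: a POSIX shell check of whether a given UID:GID can create files in a bind-mounted directory. The function names `can_write` and `report` are hypothetical, and only the classic owner/group/other mode bits are evaluated.

```shell
#!/bin/sh
# Added example, not from the issue: check whether a container UID:GID can
# create files in a bind-mounted directory, using owner/group/other mode bits
# only (ACLs, supplementary groups and userns remapping are not considered).

# can_write UID GID DIR -> status 0 if UID:GID may create files in DIR
can_write() {
    uid=$1 gid=$2 dir=$3
    [ -d "$dir" ] || return 2
    # ls -ldn prints numeric ids, e.g. "drwxr-xr-x 2 100 100 4096 ... logs"
    read -r mode owner group <<EOF
$(ls -ldn "$dir" | awk '{print $1, $3, $4}')
EOF
    [ "$uid" -eq 0 ] && return 0    # root bypasses the mode bits
    if [ "$uid" -eq "$owner" ]; then cols=2-4
    elif [ "$gid" -eq "$group" ]; then cols=5-7
    else cols=8-10
    fi
    bits=$(printf '%s' "$mode" | cut -c"$cols")
    # Creating a file needs write plus search (x, s or t) on the directory.
    case $bits in
        ?w[xst]) return 0 ;;
        *) return 1 ;;
    esac
}

# report UID GID DIR: one-line verdict for an upgrade checklist
report() {
    if can_write "$1" "$2" "$3"; then
        echo "OK   $1:$2 can write to $3"
    else
        echo "FAIL $1:$2 cannot write to $3 (chown it or pin --user)"
    fi
}

# Constructed demo: a 0755 directory owned by the current user stands in for
# ./logs; the second identity stands in for an image whose default UID moved.
demo=$(mktemp -d)
chmod 755 "$demo"
report "$(id -u)" "$(id -g)" "$demo"
report "$(( $(id -u) + 1 ))" "$(( $(id -g) + 1 ))" "$demo"
rmdir "$demo"
# With Docker available, feed it the image's real identity:
#   can_write "$(docker run --rm IMAGE id -u)" "$(docker run --rm IMAGE id -g)" ./logs
```

Running the check in CI against both the current and the candidate image tag turns a startup failure like the one above into a failed pipeline step.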
