Run as non-root user

[CaptainScully]

I would like to run docker-drawio as a non-root user for security, same as #36, which was marked as completed. In my compose file, I set the user option to a non-root UID and GID, but get several permission errors in the docker-compose log. The container runs, but its webpage is not accessible. Removing the user option so it runs as root makes it work fine.

Is there anything else I need to do to run as a non-root user? Many thanks!

Running jgraph/drawio:27.0.5

drawio  | /docker-entrypoint.sh: line 16: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | Init PreConfig.js
drawio  | /docker-entrypoint.sh: line 17: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 18: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 20: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 24: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 25: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 26: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 27: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 28: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 31: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 32: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 46: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 47: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | Updating Tomcat context path to ''
drawio  | Permission denied: conf/server.xml
drawio  | Permission denied: conf/server.xml
drawio  | /docker-entrypoint.sh: line 62: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 64: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 65: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 67: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 69: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 72: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 73: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 74: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 78: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 96: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 110: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /**
drawio  |  * Copyright (c) 2006-2024, JGraph Ltd
drawio  |  * Copyright (c) 2006-2024, draw.io AG
drawio  |  */
drawio  | // Overrides of global vars need to be pre-loaded
drawio  | window.DRAWIO_PUBLIC_BUILD = true;
drawio  | window.EXPORT_URL = 'REPLACE_WITH_YOUR_IMAGE_SERVER';
drawio  | window.PLANT_URL = 'REPLACE_WITH_YOUR_PLANTUML_SERVER';
drawio  | window.DRAWIO_BASE_URL = null; // Replace with path to base of deployment, e.g. https://www.example.com/folder
drawio  | window.DRAWIO_VIEWER_URL = null; // Replace your path to the viewer js, e.g. https://www.example.com/js/viewer.min.js
drawio  | window.DRAWIO_LIGHTBOX_URL = null; // Replace with your lightbox URL, eg. https://www.example.com
drawio  | window.DRAW_MATH_URL = 'math/es5';
drawio  | window.DRAWIO_CONFIG = null; // Replace with your custom draw.io configurations. For more details, https://www.drawio.com/doc/faq/configure-diagram-editor
drawio  | urlParams['sync'] = 'manual';
drawio  | Init PostConfig.js
drawio  | /docker-entrypoint.sh: line 127: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 128: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 129: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 133: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 140: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 144: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied

[davidjgraph]

Please attach your compose file.

[CaptainScully]

Thanks for taking a look!

Removing the user: ${PUID}:${PGID} line from the drawio service makes it run normally. I run Docker Compose from OpenMediaVault, so it automatically loads the variables from an environment file. The user is just an unpriviliged user called dockeruser.

The containers are run behind SWAG reverse proxy and I'm trying What's Up Docker (WUD) to check for updates.

# https://hub.docker.com/r/jgraph/drawio
# https://github.com/jgraph/docker-drawio
services:
  drawio:
    image: jgraph/drawio:27.0.5
    container_name: drawio
    user: ${PUID}:${PGID}
    restart: unless-stopped
    links:
      - plantuml-server:plantuml-server
      - image-export:image-export
    depends_on:
      - plantuml-server
      - image-export
    networks:
      - drawionet
      - swag_reverse_proxy
    environment:
      - DRAWIO_SELF_CONTAINED=1
      - PLANTUML_URL=http://plantuml-server:8080/
      - EXPORT_URL=http://image-export:8000/
      - DRAWIO_BASE_URL=${DRAWIO_BASE_URL}
      - DRAWIO_SERVER_URL=${DRAWIO_SERVER_URL}
    labels:
      - wud.watch=true                     # Allow What's Up Docker to watch for updates
      - wud.display.name=Draw.io           # Set display name in WUD
      - wud.display.icon=hl:draw-io        # Set icon in WUD
      - wud.tag.include=^\d+\.\d+\.\d+$$   # Extract version numbers from release label
      - wud.link.template=https://github.com/jgraph/docker-drawio/tags

  plantuml-server:
    image: plantuml/plantuml-server:latest
    container_name: drawio-plantum-server
    user: ${PUID}:${PGID}
    restart: unless-stopped
    expose:
      - "8080"
    networks:
      - drawionet
      - swag_reverse_proxy
    environment:
      - TZ=${TZ}
    volumes:
      - ./fonts_volume:/usr/share/fonts/drawio # BACKUP
    labels:
      - wud.watch=false   # No need for WUD to watch for updates, will update along with main draw.io image

  image-export:
    image: jgraph/export-server
    container_name: drawio-export-server
    user: ${PUID}:${PGID}
    restart: unless-stopped
    expose:
      - "8000"
    networks:
      - drawionet
      - swag_reverse_proxy
    volumes:
      - ./fonts_volume:/usr/share/fonts/drawio # BACKUP
    environment:
      - DRAWIO_BASE_URL=${DRAWIO_BASE_URL}
    labels:
      - wud.watch=false   # No need for WUD to watch for updates, will update along with main draw.io image
    
networks:
  drawionet:
    name: drawionet
  swag_reverse_proxy:
    external: true

Docker Log

drawio  | Init PreConfig.js
drawio  | /docker-entrypoint.sh: line 16: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 17: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 18: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 20: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 24: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 25: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 26: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 27: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 28: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 31: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 32: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 46: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 47: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | Updating Tomcat context path to ''
drawio  | Permission denied: conf/server.xml
drawio  | Permission denied: conf/server.xml
drawio  | /docker-entrypoint.sh: line 62: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 64: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 65: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 67: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 69: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 72: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 73: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 74: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 78: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 96: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 110: /usr/local/tomcat/webapps/draw/js/PreConfig.js: Permission denied
drawio  | /**
drawio  |  * Copyright (c) 2006-2024, JGraph Ltd
drawio  |  * Copyright (c) 2006-2024, draw.io AG
drawio  |  */
drawio  | // Overrides of global vars need to be pre-loaded
drawio  | window.DRAWIO_PUBLIC_BUILD = true;
drawio  | window.EXPORT_URL = 'REPLACE_WITH_YOUR_IMAGE_SERVER';
drawio  | window.PLANT_URL = 'REPLACE_WITH_YOUR_PLANTUML_SERVER';
drawio  | window.DRAWIO_BASE_URL = null; // Replace with path to base of deployment, e.g. https://www.example.com/folder
drawio  | window.DRAWIO_VIEWER_URL = null; // Replace your path to the viewer js, e.g. https://www.example.com/js/viewer.min.js
drawio  | window.DRAWIO_LIGHTBOX_URL = null; // Replace with your lightbox URL, eg. https://www.example.com
drawio  | window.DRAW_MATH_URL = 'math/es5';
drawio  | window.DRAWIO_CONFIG = null; // Replace with your custom draw.io configurations. For more details, https://www.drawio.com/doc/faq/configure-diagram-editor
drawio  | urlParams['sync'] = 'manual';
drawio  | Init PostConfig.js
drawio  | /docker-entrypoint.sh: line 127: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 128: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 129: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 133: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 140: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /docker-entrypoint.sh: line 144: /usr/local/tomcat/webapps/draw/js/PostConfig.js: Permission denied
drawio  | /**
drawio  |  * Copyright (c) 2006-2024, JGraph Ltd
drawio  |  * Copyright (c) 2006-2024, draw.io AG
drawio  |  */
drawio  | // null'ing of global vars need to be after init.js
drawio  | window.VSD_CONVERT_URL = null;
drawio  | window.EMF_CONVERT_URL = null;
drawio  | window.ICONSEARCH_PATH = null;Generating Self-Signed certificate
drawio  | keytool error: java.io.FileNotFoundException: /usr/local/tomcat/.keystore (Permission denied)
drawio  | keytool error: java.lang.Exception: Keystore file does not exist: /usr/local/tomcat/.keystore
drawio  | java.lang.Exception: Keystore file does not exist: /usr/local/tomcat/.keystore
drawio  | 	at java.base/sun.security.tools.keytool.Main.doCommands(Unknown Source)
drawio  | 	at java.base/sun.security.tools.keytool.Main.run(Unknown Source)
drawio  | 	at java.base/sun.security.tools.keytool.Main.main(Unknown Source)
drawio  | NOTE: Picked up JDK_JAVA_OPTIONS:  --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.invoke=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.util.concurrent=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.434 WARNING [main] org.apache.catalina.core.StandardContext.setPath A context path must either be an empty string or start with a '/' and do not end with a '/'. The path [/] does not meet these criteria and has been changed to []
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name:   Apache Tomcat/9.0.104
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server built:          Apr 4 2025 12:32:55 UTC
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version number: 9.0.104.0
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Name:               Linux
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log OS Version:            6.1.0-0.deb11.21-amd64
drawio  | 15-May-2025 17:27:30.478 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Architecture:          amd64
drawio  | 15-May-2025 17:27:30.479 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Java Home:             /opt/java/openjdk
drawio  | 15-May-2025 17:27:30.479 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Version:           11.0.27+6
drawio  | 15-May-2025 17:27:30.479 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log JVM Vendor:            Eclipse Adoptium
drawio  | 15-May-2025 17:27:30.479 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_BASE:         /usr/local/tomcat
drawio  | 15-May-2025 17:27:30.479 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log CATALINA_HOME:         /usr/local/tomcat
drawio  | 15-May-2025 17:27:30.494 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang.invoke=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.497 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.lang.reflect=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.498 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.io=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.499 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.499 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.base/java.util.concurrent=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.499 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
drawio  | 15-May-2025 17:27:30.500 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties
drawio  | 15-May-2025 17:27:30.500 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
drawio  | 15-May-2025 17:27:30.505 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djdk.tls.ephemeralDHKeySize=2048
drawio  | 15-May-2025 17:27:30.505 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.protocol.handler.pkgs=org.apache.catalina.webresources
drawio  | 15-May-2025 17:27:30.505 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dsun.io.useCanonCaches=false
drawio  | 15-May-2025 17:27:30.505 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dorg.apache.catalina.security.SecurityListener.UMASK=0027
drawio  | 15-May-2025 17:27:30.505 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dignore.endorsed.dirs=
drawio  | 15-May-2025 17:27:30.506 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.base=/usr/local/tomcat
drawio  | 15-May-2025 17:27:30.506 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Dcatalina.home=/usr/local/tomcat
drawio  | 15-May-2025 17:27:30.506 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command line argument: -Djava.io.tmpdir=/usr/local/tomcat/temp
drawio  | 15-May-2025 17:27:30.515 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded Apache Tomcat Native library [1.3.1] using APR version [1.7.2].
drawio  | 15-May-2025 17:27:30.521 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true], UDS [true].
drawio  | 15-May-2025 17:27:30.521 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
drawio  | 15-May-2025 17:27:30.532 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 3.0.13 30 Jan 2024]
drawio  | 15-May-2025 17:27:31.230 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8080"]
drawio  | 15-May-2025 17:27:31.286 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1312] milliseconds
drawio  | 15-May-2025 17:27:31.349 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
drawio  | 15-May-2025 17:27:31.349 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet engine: [Apache Tomcat/9.0.104]
drawio  | 15-May-2025 17:27:31.352 SEVERE [main] org.apache.catalina.startup.HostConfig.beforeStart Unable to create directory for deployment: [/usr/local/tomcat/conf/Catalina/localhost]
drawio  | 15-May-2025 17:27:32.061 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
drawio  | 15-May-2025 17:27:32.092 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/usr/local/tomcat/webapps/draw]
drawio  | 15-May-2025 17:27:32.315 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was scanned for TLDs yet contained no TLDs. Enable debug logging for this logger for a complete list of JARs that were scanned but no TLDs were found in them. Skipping unneeded JARs during scanning can improve startup time and JSP compilation time.
drawio  | 15-May-2025 17:27:32.318 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/usr/local/tomcat/webapps/draw] has finished in [225] ms
drawio  | 15-May-2025 17:27:32.321 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
drawio  | 15-May-2025 17:27:32.330 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1042] milliseconds

[davidjgraph]

What if you hard code it with:

user: "1000:1000"

[CaptainScully]

Thanks for the suggestion, but still the same result. Tried with 1000:1000 and the hard coded UID:GID of my desired user.

[darkhonor]

+1 on this request. I'm trying to run this within a Kubernetes environment where I have to apply the following securityContext:

securityContext:
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  runAsUser: 1000
  runAsGroup: 1000
  allowPrivilegeEscalation: false
  seccompProfile:
    type: RuntimeDefault

I can add writable volumes for the logs, but I don't think I can map volumes to everything here without breaking things. Same errors as @CaptainScully has shared for my result.