v3.13.x breaks non-root docker container
I'm migrating from 3.12.7 so I'm not sure exactly which 3.13 release introduced this change, but it looks like with the switch to gosu, using a non-root user in the docker container is no longer supported.
Previously, when fixuid was being used, I could easily run the container as a non-root user.
Before I start working on a fix, @datawhores do you have any thoughts or preferences on how the non-root case should be handled?
After a bit of testing, it seems like if the permissions are correct for the mounted volumes, the script runs just fine as a non-root user. ~It hasn't completed a full run yet so I'll report back when it does, but it has already downloaded files so it seems promising.~ script completed just fine
All I did was overwrite the entrypoint in my docker compose to directly call ofscraper rather than the entrypoint shell script. I propose adding an ALLOW_NON_ROOT env var and then simply modifying the main function in entrypoint.sh as follows:
```bash
elif [ "${ALLOW_NON_ROOT:-false}" = "true" ]; then
    echo "WARNING: Running as a non-root user. It is up to you to ensure that permissions are correct on all mounted volumes!"
    exec "$@"
# <existing `else` case>
```
Then, anybody that wants to run as non-root can simply use the user directive in their docker-compose file or docker command and set the command directive to the ofscraper command they want to use. In my case, I'm actually just calling a shell script that looks like:
```bash
#!/bin/bash
ofscraper \
    --daemon 180 \
    --config /home/ofscraper/config/config.json \
    --username ALL \
    --posts all \
    --black-list blacklisted \
    --action download \
    --output low \
    --log debug \
    --no-live \
    --auth-fail \
    --sort expired
```
(i.e. I didn't do anything special to handle the non-root case)
I think this only works because /home/ofscraper has perms o+x, so my non-root user can still read and execute everything I've mounted in /home/ofscraper
Thoughts?
BTW, super nice cleanup switching from poetry to uv! I was actually going to propose this in the discord and maybe start working on it. The dockerfile is way cleaner now too
Yeah, I think the only options are really to execute or to quit and warn the user. But if you and others are able to get it to work, then I'm fine with the way you've done it.
Cool, I'll put up a PR soon, ty
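As an added example (not part of the thread and not ofscraper's own entrypoint.sh), the sketch below pairs the ALLOW_NON_ROOT decision proposed above with a preflight for the permission caveat raised in the thread: every ancestor of a mounted directory must be traversable, and the directory itself writable, by the uid the container runs as. The function names `entrypoint_mode` and `check_mounts` are hypothetical, and the `drop-privileges` label assumes the root path is the existing gosu one.

```shell
#!/bin/bash
# Added example; function names are hypothetical, not taken from ofscraper.

# Print the action for a uid ($1) and an ALLOW_NON_ROOT value ($2):
#   drop-privileges | direct | refuse
entrypoint_mode() {
    if [ "$1" -eq 0 ]; then
        echo "drop-privileges"   # root: assumed to be the existing gosu path
    elif [ "${2:-false}" = "true" ]; then
        echo "direct"            # non-root and opted in: exec the command as-is
    else
        echo "refuse"            # non-root without opt-in: warn and quit
    fi
}

# Return 0 only if the current user can reach and write every directory given.
# Each failure is reported on stderr with the path component that blocks access.
check_mounts() {
    rc=0
    for dir in "$@"; do
        case "$dir" in
            /*) ;;
            *) echo "NOT ABSOLUTE: $dir" >&2; rc=1; continue ;;
        esac
        blocked=""
        p="$dir"
        while :; do
            # A missing search (x) bit on any ancestor blocks the whole path;
            # walking upward leaves the topmost failing component in $blocked.
            { [ -d "$p" ] && [ -x "$p" ]; } || blocked="$p"
            [ "$p" = "/" ] && break
            p=$(dirname "$p")
        done
        if [ -n "$blocked" ]; then
            echo "NO ACCESS: $dir (missing or not traversable at $blocked)" >&2; rc=1
        elif [ ! -w "$dir" ]; then
            echo "NOT WRITABLE: $dir (uid $(id -u))" >&2; rc=1
        fi
    done
    return "$rc"
}

# Sketch of use in a non-root branch (path taken from the script in the thread):
#   [ "$(entrypoint_mode "$(id -u)" "$ALLOW_NON_ROOT")" = "direct" ] \
#       && check_mounts /home/ofscraper/config && exec "$@"
```

Failing before `exec` turns a permission error that would otherwise surface mid-run into a clear message at container start, without needing root to repair ownership.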