
feat(deployment): Geocoding volume

Open bt90 opened this issue 3 years ago • 8 comments

This defines an anonymous volume to store the reverse geocoding files. Additionally, mount points are created as part of the Dockerfile. As a side effect, we could now run the containers with a read-only file system.

Without these changes, Docker will detect the changes to the container's file system:

docker diff immich_microservices
C /usr
C /usr/src
C /usr/src/app
A /usr/src/app/.reverse-geocoding-dump
A /usr/src/app/upload

bt90 avatar Dec 30 '22 17:12 bt90


Fixes #1135

bt90 avatar Dec 30 '22 17:12 bt90

We use this image for both microservices and server, but microservices is the only one that uses the reverse geocoding directory. Does that change anything? What impact do the mountpoints in the image have on the running server container? Or is it just metadata?

jrasm91 avatar Dec 30 '22 17:12 jrasm91

> We use this image for both microservices and server, but microservices is the only one that uses the reverse geocoding directory. Does that change anything?

For the server container we end up with an empty directory which shouldn't hurt.

> What impact do the mountpoints in the image have on the running server container? Or is it just metadata?

Docker needs to create any missing folder structures for bind/volume mounts in the filesystem of the container.

Basically following best practices:
https://github.com/docker-library/postgres/blob/41bd7bf3f487e6dc0036fd73efaff6ccb6fbbacd/15/bullseye/Dockerfile#L184-L186
https://github.com/docker-library/redis/blob/fba559d5d2ac21c7c07e0bfeba6c29cceb346689/7.0/Dockerfile#L112-L113

This avoids such operations and allows us to keep the root filesystem read-only if we want to do that in the future: https://benlobaugh.medium.com/how-to-secure-docker-containers-with-a-read-only-filesystem-b27230f6efb

bt90 avatar Dec 30 '22 17:12 bt90
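
The `docker diff` check from the pull request description, turned into a filter that shows which writes would still hit the container layer under a read-only root filesystem. This is an added example, not code from the thread or the immich project; the mount list passed on the last line and the two `/tmp` lines in the sample are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the pull request): list paths in `docker diff` output
# that no mount point accounts for. Those are written to the container's own
# writable layer and fail once the root filesystem is read-only.

# uncovered_writes MOUNT...   reads `docker diff` output on stdin.
uncovered_writes() {
    while read -r kind path; do
        [ -n "$path" ] || continue
        covered=no
        for m in "$@"; do
            case "$path" in
                "$m"|"$m"/*) covered=yes ;;   # the mount point or inside it
            esac
            case "$m" in
                "$path"/*)                    # parent directory of a mount point:
                    # "C" only because the mount point was created beneath it
                    if [ "$kind" = C ]; then covered=yes; fi ;;
            esac
        done
        if [ "$covered" = no ]; then printf '%s\n' "$path"; fi
    done
}

# The first five lines are the output quoted in the pull request description;
# the two /tmp lines are constructed for this example.
sample_diff() {
    cat <<'EOF'
C /usr
C /usr/src
C /usr/src/app
A /usr/src/app/.reverse-geocoding-dump
A /usr/src/app/upload
C /tmp
A /tmp/example.lock
EOF
}

# Assumed mount list, taken from the paths in that output.
# Against a live container: docker diff immich_microservices | uncovered_writes ...
sample_diff | uncovered_writes /usr/src/app/upload /usr/src/app/.reverse-geocoding-dump
```

An empty result means every recorded change is explained by a mount point; anything printed needs its own volume or tmpfs before the root filesystem can be made read-only.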

Cool, thanks for the information. This makes sense to me and seems like a good change.

jrasm91 avatar Dec 30 '22 17:12 jrasm91

It's still marked as a draft because I haven't tested it yet. You are welcome to try it if you want 😉 .

bt90 avatar Dec 30 '22 17:12 bt90

This should also solve this permission problem: https://documentation.immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user

bt90 avatar Dec 30 '22 17:12 bt90

Yeah I saw that, which would be nice.

jrasm91 avatar Dec 30 '22 17:12 jrasm91