immich
[BUG] Containers should run as non-root
The bug
Containers currently run as root, which is bad container security practice and causes problems like the ones mentioned here.
❯ docker run -it ghcr.io/immich-app/immich-server:v1.60.0
/usr/src/app # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Immich is perfectly capable of running as non-root, as I do so with security contexts in my Kubernetes cluster. I believe the nginx container is already unprivileged, so it should just be a case of following the official non-root guide for node images.
The OS that Immich Server is running on
N/A
Version of Immich Server
v1.60.0
Version of Immich Mobile App
N/A
Platform with the issue
- [X] Server
- [ ] Web
- [ ] Mobile
Your docker-compose.yml content
N/A
Your .env content
N/A
Reproduction steps
N/A
Additional information
No response
Until this is implemented, is there a recommended way to run immich as non-root with docker compose?
I just added the following to every container:
environment:
  - PUID=1000
  - GUID=1000
Is there a more elegant way?
Thanks in advance!
Have you tested it before posting it here? This does not work (I did test it myself). The PUID and GUID feature is a Linuxserver.io feature, not a Docker feature. So unless Immich implements such a feature in their startup scripts, this will be simply ignored.
I changed user and group by simply declaring the user property in the docker compose file and it seemed to work.
Here is an example for docker newbies:
...
services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: "1000:1000"
...
Even if you set user to non-root with the user option in docker-compose.yml, all the files in the volumes are still owned by the root user, e.g. the cache files in the volume created by the immich_redis container. See #4903
If you set "mount a volume" in the docker-compose and this folder does not exist, docker will create it as a root. That's normal docker behaviour.
Solution:
- Create the volume folder with the correct user before starting docker compose for the first time
- If you already started docker compose, stop it and change the folder owner with
sudo chown -R 1000:1000 /data
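A pre-flight script for the two steps above (create the bind-mounted directories before the first start, or fix their owner afterwards) and a check that the owner matches the compose user line, added here as an example and not taken from this thread or the immich project. The directory paths and the 1000:1000 default are assumptions.

```sh
#!/bin/sh
# Added example (not immich project code): make sure every bind-mounted
# directory is owned by the same uid:gid that the compose `user:` line gives
# the container, so a non-root container can write to it. Paths are assumed.
set -eu

# Owner of a path as "uid:gid"; tries GNU stat first, then BSD stat.
volume_owner() {
  stat -c '%u:%g' "$1" 2>/dev/null || stat -f '%u:%g' "$1"
}

# Exit 0 when the path is owned by the given "uid:gid" spec.
volume_matches_user() {
  [ "$(volume_owner "$1")" = "$2" ]
}

# Create the directory if missing and chown it only when the owner differs,
# so re-running on an existing, correctly owned volume changes nothing.
prepare_volume() {
  dir="$1"; spec="$2"
  mkdir -p "$dir"
  if ! volume_matches_user "$dir" "$spec"; then
    chown -R "$spec" "$dir"    # needs root when spec is not the caller
  fi
}

# Prepare every path read from stdin (one per line) and report each one;
# non-zero exit means at least one directory still has the wrong owner.
prepare_all() {
  spec="$1"; bad=0
  while IFS= read -r dir; do
    [ -n "$dir" ] || continue
    prepare_volume "$dir" "$spec"
    if volume_matches_user "$dir" "$spec"; then
      echo "ok   $dir ($(volume_owner "$dir"))"
    else
      echo "FAIL $dir owned by $(volume_owner "$dir"), want $spec"; bad=1
    fi
  done
  return "$bad"
}

# Run before `docker compose up`; the paths are hypothetical examples.
if [ "${1:-}" = "--run" ]; then
  printf '%s\n' /data/upload /data/postgres /data/redis /data/model-cache |
    prepare_all "${2:-1000:1000}"
fi
```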
I was running with user and then migrated to a rootless docker installation (docs). It was working before with user but not anymore with the rootless docker installation. Exceptions related to permissions in the microservice:
ERROR [ExceptionHandler] could not open file "global/pg_filenode.map": Permission denied
I checked the directories and the user owns the directories, so I am not exactly sure what I did wrong.
Using non-anonymous and explicit (bound?) volumes instead of anonymous together with pre-creating or chowning the folders worked for me. Thanks @BenRoe for the tip.