Problem with cont-init.d/10-openbox.sh
Not sure if I missed anything, but it seems it's close to impossible to get derivative containers like jdownloader to run as nonroot due to the file ownership behavior in this particular script. I also haven't researched every other base script you have to screen for this same issue occurring elsewhere. My local change enabled me to run jdownloader as nonroot, so I stopped digging in further, but I figured this may impact everyone at-large who probably just then resort to using some of your popular derivative containers like jdownloader as nonroot.
The flawed logic (I think) in 10-openbox.sh is how and when you use "cp -a". You create the XDG_DATA_HOME folder with the correct permissions, but then you end up copying files to this folder using "cp -a", preserving the root ownership of the files in the source folder. What this results in is that the [jdownloader] container FAILS hard with permission denied errors when restarted - even AFTER the user has modified their local folder hierarchy via "chown -R". This happens because when a container is brought up as nonroot, the logic fails in a loop trying to modify root-owned files inside 10-openbox.sh.
My "simple fix" was to override the original logic in this script to ensure files are copied without "cp -a" and that I take proper ownership of the files AFTER they have been copied. I then volume mount and override the script in Docker Compose using something like '/local/jdownloader/10-openbox.sh:/etc/cont-init.d/10-openbox.sh:ro'.
```sh
set -e # Exit immediately if a command exits with a non-zero status.
set -u # Treat unset variables as an error.

[ -d /var/run/openbox ] || mkdir --mode=755 /var/run/openbox
chown "${USER_ID}:${GROUP_ID}" /var/run/openbox

#
# Setup the Openbox theme.
#
mkdir -p "${XDG_DATA_HOME}"/themes
rm -rf "${XDG_DATA_HOME}"/themes/OpenboxTheme
if is-bool-val-true "${DARK_MODE:-0}"; then
    # ORIGINAL COMMAND
    #cp -a /opt/base/share/themes/Dark "${XDG_DATA_HOME}"/themes/OpenboxTheme
    # NEW LOCAL CHANGE (just copy the files as is without the "-a" flag and fix permissions later)
    cp -rf /opt/base/share/themes/Dark "${XDG_DATA_HOME}"/themes/OpenboxTheme
else
    # ORIGINAL COMMAND
    #cp -a /opt/base/share/themes/Light "${XDG_DATA_HOME}"/themes/OpenboxTheme
    # NEW LOCAL CHANGE (just copy the files as is without the "-a" flag and fix permissions later)
    cp -rf /opt/base/share/themes/Light "${XDG_DATA_HOME}"/themes/OpenboxTheme
fi
# NEW LOCAL CHANGE (files copied, fix permissions to nonroot user)
chown -R "${USER_ID}:${GROUP_ID}" "${XDG_DATA_HOME}/themes/OpenboxTheme"

# ... Rest of the script continues
```
As I said, this "fixed" jdownloader for me and allows me to run as nonroot, but you probably need to fix this elsewhere since it may impact all your other derivative images. So figured it was probably best to report it here.
Thanks for all your work!
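An ownership audit and ownership-neutral copy along the lines the post above describes, as an added example that is not part of the original issue or the project's own script. The function names `list_foreign_owned` and `install_theme` are hypothetical; the paths in the usage comment are the ones quoted in the post.

```shell
#!/bin/sh
# Added example (not the project's code): detect files whose ownership would
# block a later "rm -rf" by the container user, and copy a theme directory
# without carrying the source ownership over.

# Print every path under DIR that is not owned by UID:GID (numeric IDs).
list_foreign_owned() {
    find "$1" \( ! -user "$2" -o ! -group "$3" \) -print
}

# Replace DST with a copy of SRC owned by UID:GID, then verify the result.
# Returns non-zero if the old DST cannot be removed or foreign-owned files remain.
install_theme() {
    src=$1 dst=$2 uid=$3 gid=$4
    rm -rf "$dst" || return 1
    # Plain recursive copy: unlike "cp -a", new files belong to the caller.
    cp -r "$src" "$dst" || return 1
    # Only root can hand files to another user; a non-root caller already
    # owns everything it just created.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$uid:$gid" "$dst" || return 1
    fi
    [ -z "$(list_foreign_owned "$dst" "$uid" "$gid")" ]
}

# Usage inside the container, with the paths from the post above:
#   list_foreign_owned "${XDG_DATA_HOME}/themes" "${USER_ID}" "${GROUP_ID}"
#   install_theme /opt/base/share/themes/Dark \
#       "${XDG_DATA_HOME}/themes/OpenboxTheme" "${USER_ID}" "${GROUP_ID}"
```

Running `list_foreign_owned` against the host side of the `/config` mount before a restart shows which leftover files the init script will be unable to remove.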
What do you mean exactly by "running as non root"? Are you talking about the rootless mode? Running the container with something like podman? Using the --user parameter of docker run?
Note that a change done a few weeks ago (similar to yours) would fix the specific problem you encountered. See https://github.com/jlesage/docker-baseimage-gui/commit/9fdfa35076aeab88763c8c788a34e9ff79f1e520.
You are correct, I meant running as nonroot. Does this change trickle down to your other containers like jdownloader? Only asking since your latest update to jdownloader was back in July.
From: Jocelyn Le Sage @.> Sent: Friday, November 21, 2025 4:44:52 PM To: jlesage/docker-baseimage-gui @.> Cc: codingoyster @.>; Author @.> Subject: Re: [jlesage/docker-baseimage-gui] Problem with cont-init.d/10-openbox.sh (Issue #181)
> I meant running as nonroot

Sorry, still not clear, you said the same thing :))

> Does this change trickle down to your other containers like jdownloader? Only asking since your latest update to jdownloader was back in July.

Yes it will.
Sorry, I meant rootless which is the same as nonroot for me 😀. Feel free to mark this resolved or merge with the original issue you already fixed. I haven't tested with a fresh copy of jdownloader, but will do so soon (or just wait for the next version bump from you).
From: Art Vandelay @.> Sent: Friday, November 21, 2025 5:28:07 PM To: jlesage/docker-baseimage-gui @.>; jlesage/docker-baseimage-gui @.> Cc: Author @.> Subject: Re: [jlesage/docker-baseimage-gui] Problem with cont-init.d/10-openbox.sh (Issue #181)
> Sorry, I meant rootless which is the same as nonroot for me
Rootless mode should work fine right now (at least it does with podman). So your issue might be that the root user inside the container is not mapped to a user ID on the host.
It doesn't work in Docker (see compose below if I missed anything) - I have other containers with same setup and mapped to non-root user 1000 on the host:
```yaml
jdownloader:
  image: 'jlesage/jdownloader-2:v25.07.2'
  container_name: 'jdownloader'
  environment:
    - USER_ID=1000
    - GROUP_ID=1000
    - DARK_MODE=1
    - ENABLE_CJK_FONT=1 # INSTALLS WIDE RANGE OF ASIAN FONTS
    - DISPLAY_WIDTH=1280
    - DISPLAY_HEIGHT=720
  restart: 'unless-stopped'
  ports:
    - 5800:5800 # Web UI
  volumes:
    - '/etc/localtime:/etc/localtime:ro'
    - '/data/output:/output'
    - '/data/jdownloader:/config'
    - '/data/10-openbox.sh:/etc/cont-init.d/10-openbox.sh:ro'
```
That last volume mount line overrides the script with the changes I shared earlier. If I remove that mount, the container keeps crashing at startup with permission denied errors upon restart. I have a user/group 1000 on the host too, which I use in other containers.
By the way, in compose, I have also tried to use the "user" tag along with the "USER_ID" and "GROUP_ID" environment variables, but it results in the same permission denied error message on container restart/recreate (assuming mount volumes don't change).

```yaml
user: '1000:1000'
```
I was also able to recreate the behavior on a fresh VM with a fresh pull of the image. So looks like until it's committed to the jdownloader image downstream, you should be able to reproduce. Here's the log:
```
...
[cont-init ] 10-init-users.sh: executing... 11:36:37 [19/1448]
[cont-init ] 10-init-users.sh: terminated successfully.
[cont-init ] 10-nginx.sh: executing...
[cont-init ] 10-nginx.sh: terminated successfully.
[cont-init ] 10-openbox.sh: executing...
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/max.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/close_hover.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/max_toggled.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/shade.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/desk_toggled.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/iconify_hover.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/iconify.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/themerc': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/desk.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/shade_hover.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/desk_hover.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/close.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/openbox-3/max_hover.xbm': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/bevel_out_hollow.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/slider_vert.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/progressbar_trough_vert.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/button_normal_prelight.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/progressbar_bar.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/arrow_right_insensitive_normal.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/arrow_down_light_normal.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/shadow_angled_in_sides_top.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/inset_shadow_circle_tiny_ins.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/arrow_down_insensitive_normal.png': Operation not permitted
[cont-init ] 10-openbox.sh: rm: can't remove '/config/xdg/data/themes/OpenboxTheme/gtk-2.0/assets/inset_shadow_tiny.png': Operation not permitted
...
```
> I have also tried to use the "user" tag

This should not be used.

> I was also able to recreate the behavior on a fresh VM with a fresh pull of the image. So looks like until it's committed to the jdownloader image downstream, you should be able to reproduce.

For sure I don't reproduce. Your problem seems related to your /data/jdownloader folder.

Few questions:
- What is the filesystem of this folder? Is it a network share?
- Do you see the issue if you just run `docker run --rm -ti jlesage/jdownloader-2`?
- Do you see the problem if you don't add any mapping to `/config`? I.e. when removing:

```yaml
- '/data/jdownloader:/config'
- '/data/10-openbox.sh:/etc/cont-init.d/10-openbox.sh:ro'
```
The config folder is just host mapped for testing, nothing fancy.
From: Jocelyn Le Sage @.> Sent: Tuesday, November 25, 2025 4:25:38 PM To: jlesage/docker-baseimage-gui @.> Cc: codingoyster @.>; Author @.> Subject: Re: [jlesage/docker-baseimage-gui] Problem with cont-init.d/10-openbox.sh (Issue #181)