Running Docker images with non-root UID
Very excited to get started with Immich, it seems perfect for my use-case.
I however try to avoid running any Docker containers as root for security purposes and external backup workflows.
I am having very little luck getting immich-machine-learning, immich-server and immich-microservices running with UID 1000.
I have tried setting
user: 1000:1000
in the Docker-Compose but as soon as the container attempts to write/read any data on the shared volume it encounters permission issues.
I have also tried the typical:
- PUID=1000
- PGID=1000
as env variables, but with no luck. These are typically supported or at least added by a community image by groups such as linuxserver.io. I have not found any evidence they are supported by Immich.
Are there any recommended ways to achieve non-root Docker images? Is this even something other users have trouble with?
I'm running Immich with non-root UID/GID: set PUID & PGID in the .env file and, in docker-compose.yml, add user: 123:123 to both immich-server and immich-microservices. Further, you need to add an additional volume to microservices for geocoding (see https://github.com/immich-app/immich/issues/776#issuecomment-1271459885 for details).
Hey, thank you for your assistance.
I tried it out, but the microservice is now complaining it can't access the /usr/src/app/geocoding/ directory. I noticed the mounted directory was created as root on the host machine. So I think the directory still gets created as root and is then inaccessible because the container is running as 1000?
I just noticed the error from microservices was not complaining about writing to /usr/src/app/geocoding but rather /usr/src/app/.reverse-geocoding-dump/. I mounted that directory as well, then used chown on it afterwards. After a restart the container is running and everything is functional! Thank you!
Great! 🙂 You're welcome!
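The fix worked out in the two replies above (a `user:` entry in the compose file plus host directories for the geocoding paths, owned by the same UID so Docker does not auto-create them as root) can be prepared and verified with the script below. It is an added example, not part of the thread or of Immich: the host base directory and the `upload` mount are assumptions, while the two container paths come from the thread.

```shell
#!/bin/sh
# Added example: pre-create the host directories that immich-server and
# immich-microservices bind-mount, owned by the non-root UID:GID given in
# the compose `user:` entry, so Docker never creates them as root.
# Host layout under BASE is an assumption; the container paths
# /usr/src/app/geocoding and /usr/src/app/.reverse-geocoding-dump come
# from the thread.

MOUNT_DIRS="upload geocoding reverse-geocoding-dump"

# prepare_immich_dirs BASE UID GID -> create and chown each bind-mount source
prepare_immich_dirs() {
  base="$1"; uid="$2"; gid="$3"
  for d in $MOUNT_DIRS; do
    mkdir -p "$base/$d" || return 1
    chown "$uid:$gid" "$base/$d" || return 1
  done
}

# owned_by DIR UID -> 0 if DIR exists and its owner is UID (GNU stat)
owned_by() {
  [ -d "$1" ] && [ "$(stat -c %u "$1")" = "$2" ]
}

# check_all BASE UID -> 0 only if every bind-mount source is owned by UID;
# a directory Docker created as root would fail this check.
check_all() {
  for d in $MOUNT_DIRS; do
    owned_by "$1/$d" "$2" || { echo "not owned by $2: $1/$d" >&2; return 1; }
  done
}

# Usage on the host, before `docker compose up` (paths assumed):
#   prepare_immich_dirs /srv/immich 1000 1000 && check_all /srv/immich 1000
# The matching compose entries for immich-microservices would then be:
#   user: "1000:1000"
#   volumes:
#     - /srv/immich/upload:/usr/src/app/upload
#     - /srv/immich/geocoding:/usr/src/app/geocoding
#     - /srv/immich/reverse-geocoding-dump:/usr/src/app/.reverse-geocoding-dump
```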
One more point of clarification. The UID / GID env variable is only actually used by the WEB container, right?
I believe that's true, I don't know much about that aspect of configuring docker, but I'm sure it wouldn't be too hard to add support for in the other images.
Also, FWIW - https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user
That is correct, the web container currently needs root at startup, but delegates to UID/GID if configured. The other containers can use the default docker mechanism to set user/group.
@zody is this to actually bind a socket to a port? I noticed other containers do this and never understood why
To bind to a privileged port (<1024) you need root. But this is not the case here. It's because the web container is writing files on start-up. Maybe we've already fixed that and can change the UID setting... I'll take a look.