Root access, do so many apps need it?

Jellyfin runs as any non-root user. It has access to many things. Why do so many other apps require root? Steam-headless, Immich, Syncthing all require root but use similar resources to Jellyfin. I realize root isn’t admin and so on, but why use a common account?

Immich doesn’t require root

The only reason for root is I guess access to devices, but this can be achieved without

You should ask the creator of the Docker image. If he determined that it runs as root, it runs as root and only root. If you try to run it as a different user it will probably not start properly.

It’s worth noting that IIRC a lot of docker image authors take the lazy way out of permissions issues by just running a recursive chown of all files to be owned by what they want, and of course this requires being root or having root-equivalent privileges.

In a way I understand. Running as root is a way of avoiding having to deal with problem reports because users can’t (or don’t want to) figure out how to configure permissions. Of course, it’s insecure and flies in the face of best practices.

I have to say that I fall into this category. Permissions are a real pain if you do not deal with them in your daily life. However, I do think I need to get on board and figure it out. I’m about to redo my TrueNAS and I would like to understand how to set it up for a Normal Home User where the NAS is NOT exposed to the WAN. root works for me day in and day out. That is the only user I log on as.

Maybe a Permissions For Idiots, or Permissions For Home Users book would be helpful.

Just thought I’d admit that I am part of the problem too.

Permissions have been a recurring user pain point with Free/TrueNAS for as long as I can remember, so something on this would be very helpful. I know a wiki where it’d be right at home if someone wanted to write it…

If it doesn’t require root, how do I install it so that it runs in a different account?

I’ve seen an app say it runs as root for initial permission setting, then the installation processes using root close. I’m more OK with that.

How do I contact the author? An issue ticket on the github page? (Are the apps just pulled from that space?)

Do you mean for apps or for the FS generally? I’d assumed I couldn’t override the default container user assignments.

ACLs in TrueNAS are a type of Eldritch knowledge. The interface is hostile in hidden ways. You gaze at the text for hours until your eyes glaze over; suddenly the symbols have meaning, and your consciousness expands as the universe makes sense. That feeling is suddenly pulled from you as the madness sets in. Did I just create a new rule? Or have I accidentally edited an old rule and broken something? Only The Old Ones know. [See also: regex]

The Immich author has nothing to do with TrueNAS or how TrueNAS installs apps.

You can see the docker-compose in the release version on his GitHub: Release v1.127.0 · immich-app/immich · GitHub

It’s not running as root, nor does it use a privileged container.

That contradicts the web interface.

Exactly

Maybe… What is that link?

I just pulled one of my NVMe drives out of my NAS and will be reformatting everything. This is because I have never used more than 4.6 TB of storage: 4.4 TB right now, with 3.35 TB in backup images of my computers. Soon most of those older images will be offloaded to a 5 TB USB drive, which means I can drop 4 TB out of the system. And it gives me one NVMe on the side as a spare or for whatever I desire. So with that said, I will be exploring permissions setups for the Home User, not exposed to the WAN. I will take notes and write something up, if for nothing more than my own notes. If it can become a useful resource, that is great. If it becomes a Wiki so others can update it, even better.

You should be able to register and create stuff as desired; PM me if you have any issues with it.

Uncle Fester’s Guide. My golly, that brings back some memories from when Uncle Fester was active on the forums, the old forums.

Thanks for the link.

Use your own compose yml file based on theirs and follow the doc.

One possible path around apps needing to be root is to stop using the TrueNAS app catalog and either use Docker directly through the command line or install something like Portainer. On my TrueNAS instance, I changed the web interface port to 8080 and the HTTPS web interface port to 8443, and I installed Portainer. Now I can use Docker containers from sources like linuxserver.io, which don’t use root by default and are built to let you specify the UID and GID for each container. I can also put Nginx Proxy Manager in front of all of my containers using the default 80/443 ports, and get certificates through NPM. Works like a charm. I can even still bind mount to generic TrueNAS datasets without any issue. The downside is there is a learning curve, and it’s not going to be everyone’s cup of tea. The trade-off is that it is way more flexible, but you have to dive deeper on using Docker.

I can confirm that running a container as root is usually not a runtime requirement but is often to initially create files (e.g. a PID under /run) and change ownership or mode/permissions of files/folders (especially in a volume mount) before running the primary app as a non-root user (which can only modify certain files). Last year I made a Dockerfile stage to mod recent images for NGINX and PostgreSQL to run correctly as an initial non-root user (well, with minimal errors in logs), to work in a hardened Kubernetes cluster that doesn’t allow running a container as root outside certain blessed namespaces. You have to make sure that the container user and group IDs have appropriate permissions in any mounted volumes - as well as in the files/folders provided in the image. This is all on the user to understand and ensure it all lines up - and if not, either the app refuses to run or you get the occasional odd error you can’t explain. And I’m not talking specifically about TrueNAS here but about container images in general.

So you see why most apps avoid the headache and “require” initially running as root.

And this stage is usually a POLA violation for end-users when an app does it unexpectedly and may be a major security issue if data is external to the app. I really wish devs didn’t do this. File ownership is like a historical fingerprint that’s actually important to sysadmins.
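
The “fix ownership once as root, then run the app unprivileged” pattern described in the last two posts, written out explicitly in a compose file so the privileged step is visible, one-shot and auditable rather than buried in an image’s entrypoint. This is an added example, not from the thread, TrueNAS or any of the projects named; the host paths under /mnt/tank/apps/myapp, the UID/GID 3000 and the image name example/app are placeholders.

```yaml
# Added example: one-shot root chown, then the real app as a fixed non-root UID.
# Assumed placeholders: /mnt/tank/apps/myapp/* host paths, UID/GID 3000, example/app image.
services:
  fix-perms:
    image: busybox:1.36
    user: "0:0"                       # the only service that runs as root
    volumes:
      - /mnt/tank/apps/myapp/config:/config
      - /mnt/tank/apps/myapp/data:/data
    # Only touch entries not already owned by the app UID, so re-runs are cheap
    # and ownership that is already correct is left alone.
    command: >
      sh -c 'find /config /data ! -user 3000 -exec chown 3000:3000 {} +'
    restart: "no"

  app:
    image: example/app:latest         # placeholder image
    user: "3000:3000"                 # the app itself never runs as root
    cap_drop: [ALL]                   # no capabilities needed once files are owned
    security_opt:
      - no-new-privileges:true
    tmpfs:
      - /run                          # writable scratch for PID files etc.
    volumes:
      - /mnt/tank/apps/myapp/config:/config
      - /mnt/tank/apps/myapp/data:/data
    depends_on:
      fix-perms:
        condition: service_completed_successfully
```

linuxserver.io images take the same UID/GID through their PUID/PGID environment variables and perform the drop themselves, so for those you pass PUID/PGID instead of a `user:` line. To check the result from the host, `ls -ln /mnt/tank/apps/myapp` should show 3000 as owner and group throughout.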

When you say you realize root isn’t admin, can you elaborate? Does the admin account have access that root doesn’t?

It depends on which version you started with. Generally root doesn’t have an associated ‘log on’.

I second this advice, though I used Dockge instead as it’s a lot simpler than Portainer for this kind of use. The community apps are mostly terrible IMO, and this root access issue is another reason: many of the community app maintainers are simply too lazy to write their docker-compose files to use a non-root user. Just bypass them, and go to a better source like linuxserver.io or the actual app maintainer if they publish Docker images.