[Issue]: Docker defaults running jellyfin process as root #28
Comments
This issue still affects me. I looked at the Dockerfile on master and I don't see any trace of a solution.
Feel free to post a PR fixing the issue in a way you see fit.
Can we please mark this issue with a tag that will exclude it from being closed automatically? This is not a problem that will go away without someone closing it with reason.
Can we please mark this issue with a tag that will exclude it from being closed automatically? The 'confirmed' and 'future' tags also seem appropriate.
I agree with the idea here, but am not sure about the actual implementation or how it will affect e.g. existing containers. I know at some point in the past this was tried and didn't work, but I don't know the details of what was done or why it failed. Probably HWA related and additional setup. I'd definitely welcome PRs to address this.
I'm not entirely convinced we should add any custom handling for this... running containers as root is the default in the docker ecosystem (for better or worse) but it can be provided a user or user id to run as a different user.
An option could be to have this as a new container "flavor", like
If we can't solve that, maybe we can still have a rootless container, but with very visible signs (e.g. in the dockerhub readme, maybe also with a log line when the container is starting up) that you won't be able to use hardware acceleration (for now) with that image.
We might be able to get inspiration from photoprism. Can't users add permission for the user running jellyfin to the hwa device?
Theoretically, yes. But HWA is already a bit of a troubleshooting nightmare and adding yet another variable into the equation is not something we're really keen on. There is documentation on how to run the existing container image as a non-root user for both Docker Compose and Podman, but the default container using default docker is still root.
I solved this problem in Vue this way a few weeks ago, but only for opening ports, there might be a need for extra capabilities in the server's case: https://github.com/jellyfin/jellyfin-vue/blob/master/packaging/docker/contents/postunpack.sh#L18 In case it's useful for someone to open a PR in the meantime, if not I will open it at some point since it's something I'd like to improve in the current packaging process regardless (but it can take a lot of time until I tackle it, hence why a PR is good regardless).
Please describe your bug
The jellyfin process runs as root in the docker container.
I don't have much experience but I suspect it to be bad practice. For example, the official mysql image for Docker checks if the container is running as root; if so, it runs the process as the mysql user created at image creation. (link to entry point script)
I believe this increases security.
Jellyfin Version
10.7.7
if other:
No response
Environment
Jellyfin logs
No response
FFmpeg logs
No response
Please attach any browser or client logs here
No response
Please attach any screenshots here
No response
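The pattern the issue describes for the mysql image (start as root, then run the process as an unprivileged user), combined with the hardware acceleration concern raised in the comments, can be sketched as an entrypoint script. This is an added example, not code from the Jellyfin or mysql images; the `jellyfin` account and group name, the use of `setpriv` from util-linux, and the `/dev/dri/renderD128` device path are assumptions.

```shell
#!/bin/sh
# Entrypoint sketch: stay root only long enough to drop privileges.
# Assumptions (not taken from the Jellyfin image): an unprivileged account
# and group both named "jellyfin" exist, setpriv (util-linux) is installed,
# and the HWA device is a DRM render node such as /dev/dri/renderD128.

RUN_AS="${RUN_AS:-jellyfin}"                       # hypothetical account
RENDER_NODE="${RENDER_NODE:-/dev/dri/renderD128}"  # assumed device path

# Print the numeric group owning the render node, or nothing if it is absent.
render_gid() {
    if [ -e "$1" ]; then stat -c '%g' "$1"; fi
}

# Print the command prefix needed to launch the server.
#   $1 = current uid, $2 = target user, $3 = render-node gid (may be empty)
launch_prefix() {
    if [ "$1" -ne 0 ]; then
        # Started with --user (or "user:" in Compose): already unprivileged.
        return 0
    fi
    if [ -n "$3" ]; then
        # Keep HWA usable: carry the device's group as a supplementary group.
        echo "setpriv --reuid=$2 --regid=$2 --groups=$3"
    else
        # No device present: drop every supplementary group.
        echo "setpriv --reuid=$2 --regid=$2 --clear-groups"
    fi
}

main() {
    uid="$(id -u)"
    prefix="$(launch_prefix "$uid" "$RUN_AS" "$(render_gid "$RENDER_NODE")")"
    if [ "$uid" -eq 0 ]; then
        echo "entrypoint: started as root, dropping to $RUN_AS" >&2
    fi
    # $prefix is left unquoted on purpose so it splits into separate words.
    exec $prefix "$@"
}

# Only act when given a command to run (ENTRYPOINT plus CMD in a Dockerfile).
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Passing the device's numeric group avoids depending on group names matching between host and container, which is one of the variables that makes HWA permissions hard to troubleshoot.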