Non-root configuration

[CiNcH83]

Hi everybody

I want to run Immich as a non-root user. I have learned that this is possible but I can't do anything with the respective FAQ. Guess I am lacking some Docker knowledge...

Adding user and group to the yml was the easy part. But what about the volume part? Are those 3 additional volumes needed or not? Do I have to remove the top-level volume and point all volumes to host directories to which the respective user has read/write permissions? The FAQ is also a bit misleading IMHO in that those 3 additional volumes look to be named volumes which I suppose do not work in a non-root environment!?

Can somebody post a proper non-root sample yml?

Thanks.

[CiNcH83]

Hi everbody

So let me make a proposal for a non-root yml from the things I have learned…

I have created a user Immich (1003/1003) which obviously has read/write permissions to /home/Immich.

name: immich

services:
  immich-server:
    container_name: immich
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: 1003:1003
    volumes:
      - /home/Immich/upload:/usr/src/app/upload
      - /home/Dan/assets:/assets/Dan
      - /home/Sab/assets:/assets/Sab
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: unless-stopped
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    user: 1003:1003
    volumes:
      - /home/Immich/var/cache:/cache
      - /home/Immich/var/.cache:/.cache
      - /home/Immich/var/.config:/.config
    env_file:
      - .env
    restart: unless-stopped
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:2d1463258f2764328496376f5d965f20c6a67f66ea2b06dc42af351f75248792
    user: 1003:1003
    volumes:
      - /home/Immich/var/data:/data
    healthcheck:
      test: redis-cli ping || exit 1
    restart: unless-stopped

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    user: 1003:1003
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      - /home/Immich/var/database:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command: ["postgres", "-c", "shared_preload_libraries=vectors.so", "-c", 'search_path="$$user", public, vectors', "-c", "logging_collector=on", "-c", "max_wal_size=2GB", "-c", "shared_buffers=512MB", "-c", "wal_compression=on"]
    restart: unless-stopped

Here are the things I have changed:

• Added user 1003:1003
• Removed top-level volume model-cache
• Added 3 additional volumes, see FAQ (/.config, /.cache, /data)
• Turned named volumes (/cache) into host volumes

I haven’t tried it yet. Will this work? Any suggestions for improvement? Do we really need cache and .cache in immich-machine-learning? How about those 3 additional volumes mentioned in the FAQ? Are they really needed? Since FAQ says that they "may be needed".

Thanks.

[R-Rudolf]

I have a non-root docker setup, however I have a K3D (kubernetes in docker) as well, so I can not directly share my config, but I will try to help.

I use the Helm chart instead of the docker-compose, but with host-path-volumes for the persistent data and docker volumes for cache it works perfectly and did not even need user change.

If you share what error messsge you got, I can help more directly. As I will have time, I will check out a setup with direct docker-compose.

To be sure, you use rootless docker, right?

[CiNcH83]

Hi Rudolf

Thanks for your response!

So far I only experimented with root priviliges on my brandnew Raspberry Pi 5 with 8 GB but want to run docker containers with a non-root user. I will do a complete reset of the device and am currently planning services and users+permissions I want to run on the Pi.

I created the above docker-compose.yml (yet untested) from the FAQ which in my opinion is a bit misleasing. That is why I was asking for a proper non-root docker-compose.yml template. The things that in my opinion don't make sense in the FAQ:

• Do we really need /cache AND /.cache volumes for immich-machine-learning?
• Are those 3 additional volumes really needed? Since the FAQ says "may be needed"...
• Are those 3 volumes meant to be named volumes as the chosen syntax suggests? Can two volumes even have the same name? Are named volumes accessible by non-root users? Guess those names in fact indicate the container service rather than the name of the volume!?

I plan to create an Immich user. So the Immich app will have full access to /home/Immich where I will point the "application" volumes to. I will add two more user groups for me and my wife's users to which I will add the Immich user so that Immich can read/write the user's assets folders which we will use to upload photos&videos to.

[R-Rudolf]

Hi,

So you wish to add external libraries to Immich to auto-import images in the two distinct user-home? Or do you wish to make uploaded images readable by other applications on Linux by using storage templates? Both-way sync in a single directory won't work out-of-the-box, only with some complicated scripting.

Another clarification would be needed to help you. Do you wish to use docker itself with a non-root user (aka rootless docker), or just the Immich services? The latter is easier, and as I understand that is your use case, but I want to double-check.

Here is a PR I drafted to have more concrete guide and compose file, please review it, if it is easier to follow, and verify if it works for you:
#13257

I tested it locally, checked the logs, uploaded an image, etc.. looks but I do not plan to use it as my main setup, so maybe there could be some edge case problems with it, who knows.

Regarding your concrete questions, yes, you really need these volumes, as the original docker images were not created with non-root user in mind, without those volumes the non-root user process is not able to save any data, thus will fail.
We can not use normal docker volumes, as those do not support non-root setup currently, only with workarounds, see relevant thread.

For Postgres I could not make it work with any USERID, it worked only with 999. I checked this thread on the topic, maybe further research have a better solution about it. If you really need to change the userid using my example, you need to learn about usernamespace-remapping.

[CiNcH83]

So you wish to add external libraries to Immich to auto-import images in the two distinct user-home? Or do you wish to make uploaded images readable by other applications on Linux by using storage templates? Both-way sync in a single directory won't work out-of-the-box, only with some complicated scripting.

I want to create two Samba shares for me and my wife. We will upload the photos from our mobile phones to those shares. Immich is supposed to take the photos from those shared folders via external libraries. Those folders and photos are owned by me and my wife's respective user and group. The Immich user, who is supposed to run the Immich server, will be part of both user groups and should therefore be able to access the photos.

Another clarification would be needed to help you. Do you wish to use docker itself with a non-root user (aka rootless docker), or just the Immich services?

Just the Immich service. I am thinking about going full rootless but I am quite new to the whole thing...

Here is a PR I drafted to have more concrete guide and compose file, please review it, if it is easier to follow, and verify if it works for you:
#13257

Much appreciated. Thanks a lot.

Since you did not add a mount for /.cache, I guess this is a mistake in the respective FAQ?

For Postgres I could not make it work with any USERID, it worked only with 999. I checked this thread on the topic, maybe further research have a better solution about it. If you really need to change the userid using my example, you need to learn about usernamespace-remapping.

I think I can live with user 999!? Thanks for the hint!

[R-Rudolf]

Thank you for detailing your scenario, we are on the same page.

Regarding /.cache, I changed that too, see link.

[CiNcH83]

For Postgres I could not make it work with any USERID, it worked only with 999. I checked this thread on the topic, maybe further research have a better solution about it.

It should also work by creating the volume directory beforehand with the appropriate user, no? In my above docker-compose.yml it would be /home/Immich/var/database (with user 1003).

Another big thanks to @R-Rudolf for your valuable help!

[CiNcH83]

I want to create two Samba shares for me and my wife. We will upload the photos from our mobile phones to those shares. Immich is supposed to take the photos from those shared folders via external libraries. Those folders and photos are owned by me and my wife's respective user and group. The Immich user, who is supposed to run the Immich server, will be part of both user groups and should therefore be able to access the photos.

I just figured that this might not work at all since Immich is part of the users' groups outside the container but not inside the container...

Think I will make one share for the Immich user then...

[CiNcH83]

I just figured that this might not work at all since Immich is part of the users' groups outside the container but not inside the container...

Guess I can get this fixed via group_add tag in the docker-compose.yml.

[CiNcH83]

Here is the final result...

I created a non-root Immich user which the Immich service is run under. I have also created two conenventional users and corresponding groups with respective SAMBA shares. Immich is part of the conventional users' groups in order to be able to access their assets.

.env

IMMICH_HOME=/home/Immich
USER1_LIB=/home/User1/assets
USER2_LIB=/home/User2/assets

IMMICH_UID=2000
IMMICH_GID=2000
USER1_GID=3000
USER2_GID=3001

docker-compose.yml

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: $IMMICH_UID:$IMMICH_GID
    group_add:
      - $USER1_GID
      - $USER2_GID
    volumes:
      - ${IMMICH_HOME}/upload:/usr/src/app/upload
      - ${USER1_LIB}:/assets/User1
      - ${USER2_LIB}:/assets/User2
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - .env
    ports:
      - 2283:2283
    depends_on:
      - redis
      - database
    restart: unless-stopped
    healthcheck:
      disable: false

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    user: $IMMICH_UID:$IMMICH_GID
    group_add:
      - $USER1_GID
      - $USER2_GID
    volumes:
      - ${IMMICH_HOME}/.var/cache:/cache
      - ${IMMICH_HOME}/.var/.config:/.config
    env_file:
      - .env
    restart: unless-stopped
    healthcheck:
      disable: false

  redis:
    container_name: immich_redis
    image: docker.io/redis:6.2-alpine@sha256:2ba50e1ac3a0ea17b736ce9db2b0a9f6f8b85d4c27d5f5accc6a416d8f42c6d5
    user: $IMMICH_UID:$IMMICH_GID
    group_add:
      - $USER1_GID
      - $USER2_GID
    volumes:
      - ${IMMICH_HOME}/.var/data:/data
    healthcheck:
      test: redis-cli ping || exit 1
    restart: unless-stopped

  database:
    container_name: immich_postgres
    image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      POSTGRES_INITDB_ARGS: '--data-checksums'
    volumes:
      - ${IMMICH_HOME}/.var/database:/var/lib/postgresql/data
    healthcheck:
      test: pg_isready --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' || exit 1; Chksum="$$(psql --dbname='${DB_DATABASE_NAME}' --username='${DB_USERNAME}' --tuples-only --no-align --command='SELECT COALESCE(SUM(checksum_failures), 0) FROM pg_stat_database')"; echo "checksum failure count is $$Chksum"; [ "$$Chksum" = '0' ] || exit 1
      interval: 5m
      start_interval: 30s
      start_period: 5m
    command:
      [
        'postgres',
        '-c',
        'shared_preload_libraries=vectors.so',
        '-c',
        'search_path="$$user", public, vectors',
        '-c',
        'logging_collector=on',
        '-c',
        'max_wal_size=2GB',
        '-c',
        'shared_buffers=512MB',
        '-c',
        'wal_compression=on',
      ]
    restart: unless-stopped

Everything seems to be working beautifully.

[janusn]

${IMMICH_HOME}/.var/database:
How about the service database? Is there a chance to change it to non-root as well?
Is chwon $IMMICH_UID:$IMMICH_GID "${IMMICH_HOME}/.var/database" good enough?

[pierrecnalb]

In case you're interested, here is the equivalent of the given configuration, except using postman and in a more secure environment (using dedicated user namespaces, no new privileges etc...)
https://github.com/pierrecnalb/quadlets/tree/main/immich

[szilardx]

Installed docker on a fresh Ubuntu 24.04 server.
Set up rootless docker as per docker docs.

Tried to migrate an Immich setup previously ran as root. I did the users, etc, changed the docker-compose.yml config as the docs recommended, with the new 'immich' user's uid:gid, etc.

Then immich_server container failed to start - with access denied to profiles folder.

I removed the user uid settings from docker-compose.yml, and everything seems to work fine. I confirmed that that the user inside the container is root, but it is mapped to 'immich' user outside the container. (docker.com rootless setup)

[JakobTewes]

Hmmz....needing a solution for library being owned by non-root user. Ideas?