jellyfin/jellyfin-packaging

[Issue]: Docker defaults running jellyfin process as root

Opened this issue · 17 comments

Please describe your bug

The jellyfin process runs as root in the Docker container.
I don't have much experience, but I suspect this is bad practice; for example, the official MySQL image for Docker checks whether the container is running as root and, if so, runs the process as the mysql user created when the image is built (link to entry point script).
I believe this increases security.

Jellyfin Version

10.7.7

if other:

No response

Environment

- OS: Arch
- Virtualization: Docker
- Clients: Browser

Jellyfin logs

No response

FFmpeg logs

No response

Please attach any browser or client logs here

No response

Please attach any screenshots here

No response

Code of Conduct

  • I agree to follow this project's Code of Conduct
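The pattern the report points at in the MySQL image (start as root only to prepare the filesystem, then re-execute the server as an unprivileged account) written out as a container entrypoint. This is an added example, not Jellyfin's packaging or the MySQL script: the PUID/PGID variables, the `/config` and `/cache` paths and the `jellyfin` binary name are assumptions, and `setpriv` from util-linux is used for the drop because it needs no setuid helper.

```shell
#!/bin/sh
# Added example entrypoint (not Jellyfin's own): run as root only long enough to
# create the service account and fix ownership of the state directories, then
# re-exec the server under an unprivileged uid/gid.  PUID/PGID are an assumed
# convention; /config, /cache and the "jellyfin" binary name are assumptions.
set -eu

APP_USER="jellyfin"
DEFAULT_UID=1000
DEFAULT_GID=1000

# Accept only a non-zero decimal id.  Refusing 0 guarantees that a stray
# PUID=0 can never turn the privilege drop into a no-op that keeps root.
valid_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
        0)           return 1 ;;   # root is never a valid drop target
        *)           return 0 ;;
    esac
}

# Resolve and validate the target ids from the environment, printing "uid:gid".
# Returns non-zero when either id is missing, non-numeric or zero.
drop_target() {
    uid="${PUID:-$DEFAULT_UID}"
    gid="${PGID:-$DEFAULT_GID}"
    valid_id "$uid" && valid_id "$gid" || return 1
    echo "$uid:$gid"
}

# Classify the caller's uid: "root" means the drop still has to happen,
# "unprivileged" means the container was already started with --user.
privilege_state() {
    if [ "$1" -eq 0 ]; then echo root; else echo unprivileged; fi
}

main() {
    target="$(drop_target)" || {
        echo "refusing to start: PUID/PGID must be non-zero numbers" >&2
        exit 1
    }
    uid="${target%%:*}"
    gid="${target##*:}"

    if [ "$(privilege_state "$(id -u)")" = root ]; then
        # First start: create group and user so bind-mounted volumes can be
        # owned by them (Debian adduser/addgroup syntax).
        getent group "$gid" >/dev/null || addgroup --system --gid "$gid" "$APP_USER"
        getent passwd "$APP_USER" >/dev/null || \
            adduser --system --uid "$uid" --gid "$gid" --no-create-home "$APP_USER"
        # Only the writable state directories are chowned.  The media library is
        # left alone: read access is enough and a recursive chown over a large
        # library would be slow and surprising.
        chown -R "$uid:$gid" /config /cache
        # --clear-groups discards root's supplementary groups so that only the
        # target gid remains; gosu or su-exec would be drop-in equivalents here.
        exec setpriv --reuid="$uid" --regid="$gid" --clear-groups -- jellyfin "$@"
    fi
    # Already unprivileged (e.g. docker run --user): nothing to drop.
    exec jellyfin "$@"
}

# Act as an entrypoint only when invoked under that name; sourcing the file
# (e.g. in tests) just defines the functions.
case "$0" in
    */entrypoint.sh|entrypoint.sh) main "$@" ;;
esac
```

Installed as `/entrypoint.sh` and set as the image `ENTRYPOINT`, this keeps the image usable both ways: a plain `docker run` starts as root and drops to 1000:1000, while `docker run --user` skips the drop entirely because the process is already unprivileged.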

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

The issue still affects me; I looked at the Dockerfile on master and I don't see any trace of a solution.

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

jNullj commented

The issue still affects me; I looked at the Dockerfile on master and I don't see any trace of a solution.

This issue has gone 120 days without comment. To avoid abandoned issues, it will be closed in 21 days if there are no new comments.

If you're the original submitter of this issue, please comment confirming if this issue still affects you in the latest release or master branch, or close the issue if it has been fixed. If you're another user also affected by this bug, please comment confirming so. Either action will remove the stale label.

This bot exists to prevent issues from becoming stale and forgotten. Jellyfin is always moving forward, and bugs are often fixed as side effects of other changes. We therefore ask that bug report authors remain vigilant about their issues to ensure they are closed if fixed, or re-confirmed - perhaps with fresh logs or reproduction examples - regularly. If you have any questions you can reach us on Matrix or Social Media.

jNullj commented

The issue still affects me; I looked at the Dockerfile on master and I don't see any trace of a solution.

Feel free to post a PR fixing the issue in a way you seem fit.

This issue has gone 120 days without an update and will be closed within 21 days if there is no new activity. To prevent this issue from being closed, please confirm the issue has not already been fixed by providing updated examples or logs.

If you have any questions you can use one of several ways to contact us.

Can we please mark this issue with a tag that will exclude it from being closed automatically? This is not a problem that will go away without someone closing it with a reason.
The 'confirmed' and 'future' tags also seem appropriate.

This issue has gone 120 days without an update and will be closed within 21 days if there is no new activity. To prevent this issue from being closed, please confirm the issue has not already been fixed by providing updated examples or logs.

If you have any questions you can use one of several ways to contact us.

Can we please mark this issue with a tag that will exclude it from being closed automatically?
The problem is still relevant; it will not go away without someone closing it with a solution.

The 'confirmed' and 'future' tags also seem appropriate.

I agree with the idea here, but am not sure about the actual implementation or how it will affect e.g. existing containers.

I know at some point in the past this was tried and didn't work, but I don't know the details of what was done or why it failed. Probably HWA related and additional setup.

I'd definitely welcome PRs to address this.

I'm not entirely convinced we should add any custom handling for this... running containers as root is the default in the docker ecosystem (for better or worse) but it can be provided a user or user id to run as a different user.

https://stackoverflow.com/questions/35734474/connect-to-docker-container-as-user-other-than-root#35736699

> but am not sure about the actual implementation or how it will affect e.g. existing containers

An option could be to have this as a new container "flavor", like 10.9-rootless or something like that.
If it works right, it could become the default one over time, but maybe that is not a good idea depending on the changes needed.

> Probably HWA related

If we can't solve that, maybe we can still have a rootless container, but with very visible signs (e.g. in the Docker Hub readme, maybe also with a log line when the container is starting up) that you won't be able to use hardware acceleration (for now) with that image.

We might be able to get inspiration from photoprism
link to doc about rootless container and hwa

Can't users add permission for the user running jellyfin to the hwa device?

> Can't users add permission for the user running jellyfin to the hwa device?

Theoretically, yes. But HWA is already a bit of a troubleshooting nightmare and adding yet another variable into the equation is not something we're really keen on.

There is documentation on how to run the existing container image as a non-root user for both Docker Compose and Podman, but the default container using default docker is still root.
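The other route discussed in the thread, running the unchanged image as a non-root user with docker's `--user` flag while still granting access to the hardware-acceleration device, as an added host-side launcher. This is example code, not the Jellyfin documentation's compose/podman snippets: the image name, the `/config`, `/cache` and `/media` paths, the host directories and the `/dev/dri/renderD128` device path are assumptions. The device's owning group is added with `--group-add` because `--user` replaces the group set the process would otherwise inherit from root, which is exactly why HWA breaks when only the uid is changed.

```shell
#!/bin/sh
# Added example launcher (not from the Jellyfin docs): start the stock image as
# an unprivileged uid/gid with docker run --user, and add the group owning the
# render node so hardware acceleration still works.  Image name, paths and the
# device path are assumptions.  stat -c is GNU coreutils syntax.
set -eu

IMAGE="${IMAGE:-jellyfin/jellyfin}"
RUN_UID="${RUN_UID:-1000}"
RUN_GID="${RUN_GID:-1000}"
RENDER_DEV="${RENDER_DEV:-/dev/dri/renderD128}"
CONFIG_DIR="${CONFIG_DIR:-/srv/jellyfin/config}"
CACHE_DIR="${CACHE_DIR:-/srv/jellyfin/cache}"
MEDIA_DIR="${MEDIA_DIR:-/srv/media}"

# Numeric gid owning a path (normally the device node).  With --user the
# process no longer carries root's groups, so this gid has to be added back
# explicitly for the device to be accessible inside the container.
device_gid() {
    stat -c %g "$1"
}

# True when the path is already owned by "uid:gid".  Needed because a process
# started with --user cannot chown its own volumes on first start.
owned_by() {
    [ "$(stat -c %u:%g "$1")" = "$2" ]
}

# Build the docker run arguments for the non-root setup.  The device and its
# group are only passed when the node exists on the host, so the same script
# works on machines without a GPU (HWA simply stays unavailable there).
run_args() {
    uid="$1"; gid="$2"; dev="$3"
    printf '%s ' --user "$uid:$gid"
    if [ -e "$dev" ]; then
        printf '%s ' --group-add "$(device_gid "$dev")" --device "$dev"
    fi
    # Block setuid binaries inside the container from regaining privileges.
    printf '%s ' --security-opt no-new-privileges
}

main() {
    for d in "$CONFIG_DIR" "$CACHE_DIR"; do
        mkdir -p "$d"
        owned_by "$d" "$RUN_UID:$RUN_GID" || chown "$RUN_UID:$RUN_GID" "$d"
    done
    # shellcheck disable=SC2046  # run_args emits space-separated flags on purpose
    exec docker run -d --name jellyfin \
        $(run_args "$RUN_UID" "$RUN_GID" "$RENDER_DEV") \
        -v "$CONFIG_DIR:/config" -v "$CACHE_DIR:/cache" \
        -v "$MEDIA_DIR:/media:ro" \
        -p 8096:8096 "$IMAGE"
}

# Launch only when invoked under the script's own name; sourcing it just
# defines the helper functions.
case "$0" in
    */run-jellyfin.sh|run-jellyfin.sh) main ;;
esac
```

The media volume is mounted read-only because the server only needs to read it; with `--user` the process could not have changed ownership of it anyway, which is why the ownership fix is done on the host before the container starts. After launch, `docker exec jellyfin id` should report the chosen uid, the chosen gid and the render group, and nothing else.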

I solved this problem in Vue this way a few weeks ago, but only for opening ports, there might be a need for extra capabilities in the server's case: https://github.com/jellyfin/jellyfin-vue/blob/master/packaging/docker/contents/postunpack.sh#L18

In case it's useful for someone to open a PR in the meantime, if not I will open it at some point since it's something I'd like to improve in the current packaging process regardless (but it can take a lot of time until I tackle it, hence why a PR is good regardless).