Add an option to run the service with the container's root user

This is tagged as calibre-web and code-server issue, but it’s actually a generic one, and these are just examples.
PUID and PGID don’t help with rootless containers, as mapping is done automatically based on /etc/sub{u,g}id.
While I think it’s better to run the rootless containers with a dedicated host user and just chown-ing whatever it needs access to, some containers are more fitted to run under the personal user host account, like short-lived code-server containers, or calibre-web that accesses a library that is only available when the user is logged in (e.g. library in user’s home systemd-homed luks encrypted image).

If the rootless contained service needs access to filesystem resources owned by the host user, then there are two options:

  1. Make the resource world-accessible. I can’t see how this can be an acceptable solution.
  2. Run the service with the root user in the container. It will have the same UID/GID as the host user that started the container, which will solve the filesystem permission issue.

My suggestion is to add to all of linuxserver’s container images the option to start the contained services with the root user.
Of course, this shouldn’t be the default behavior for rootless containers.
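To make the PUID/PGID point concrete, here is an added example (not from this thread or from linuxserver) that reproduces the default rootless user-namespace mapping: container UID 0 maps to the host user, and container UIDs 1..N map onto the user’s /etc/subuid range. The subuid entry and host UID are constructed for the demonstration; the mapping rule assumes the podman/rootless default of one subuid range starting at container UID 1.

```shell
#!/bin/sh
# Constructed /etc/subuid entry in the format user:start:count, and the
# constructed host UID of that user. Neither is read from the real system.
SUBUID_LINE="alice:100000:65536"
HOST_UID=1000

# map_uid CONTAINER_UID HOST_UID SUBUID_LINE
# Prints the host UID that CONTAINER_UID resolves to inside a rootless
# container started by HOST_UID, or "unmapped" if the UID has no mapping.
map_uid() {
    cuid=$1; huid=$2; line=$3
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    if [ "$cuid" -eq 0 ]; then
        # Container root is the host user that launched the container,
        # so it can read files owned by that user.
        echo "$huid"
    elif [ "$cuid" -ge 1 ] && [ "$cuid" -le "$count" ]; then
        # Container UID n (n >= 1) lands at subuid start + (n - 1):
        # an unprivileged host UID that owns nothing in the user's home.
        echo $((start + cuid - 1))
    else
        echo unmapped
    fi
}

# Show the /proc/<pid>/uid_map the kernel would present for this setup.
uid_map_for() {
    huid=$1; line=$2
    start=$(printf '%s' "$line" | cut -d: -f2)
    count=$(printf '%s' "$line" | cut -d: -f3)
    printf '0 %s 1\n1 %s %s\n' "$huid" "$start" "$count"
}

# Compare: PUID=1000 in the container is not the host user 1000.
echo "container root  -> host $(map_uid 0    "$HOST_UID" "$SUBUID_LINE")"
echo "container 1000  -> host $(map_uid 1000 "$HOST_UID" "$SUBUID_LINE")"
uid_map_for "$HOST_UID" "$SUBUID_LINE"
```

Running it shows why only container root shares the host user’s UID, which is the crux of the request above.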

This is not simple, or even fully possible for us to implement. We use S6-overlay, which has rudimentary support for this. Because of this restriction we also don't claim to support either rootless or --user.

Using this overlay gives us more advantages than downsides when it comes to our userbase.


@Roxedus thanks for replying. I hope this could be reconsidered in the future if s6-overlay will support this better.
