Immich container fails to mount read-only volume
I am trying to deploy Immich rootless on Podman containers. I use the docker-compose.yml from the Immich GitHub. It works fine. I can bring up the application and start using it. So far so good.
I mount my photo collection using a local override yml:
However, I have my photo collection owned by the group photo. This group has rwx access to the photo collection.
I want to let immich read files on there but not write files in the collection. So I cannot just make the container user member of photo group because that would give too much permission.
So instead, I use ACL to give rx permission to the user running the immich containers.
Now, this works when I test it on the filesystem. However, when I actually start immich containers, it fails to stat this folder.
This is likely due to something about the rootless/subgids...
20 Replies
:wave: Hey @EbenezerIbiza,
Thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich :immich:.
References
- Container Logs: docker compose logs (docs)
- Container Status: docker ps -a (docs)
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA
Checklist
I have...
1. :blue_square: verified I'm on the latest release (note that mobile app releases may take some time).
2. :blue_square: read applicable release notes.
3. :blue_square: reviewed the FAQs for known issues.
4. :blue_square: reviewed Github for known issues.
5. :blue_square: tried accessing Immich via local ip (without a custom reverse proxy).
6. :blue_square: uploaded the relevant information (see below).
7. :blue_square: tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable
(an item can be marked as "complete" by reacting with the appropriate number)
Information
In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.
Please paste files and logs with proper code formatting, and especially avoid blurry screenshots.
Without the right information we can't work out what the problem is. Help us help you ;)
If this ticket can be closed you can use the /close command, and re-open it later if needed.
Full error from starting immich:
This is a docker error, not an immich one
So it’s something specific to your system/perms
Indeed.
What OS is this
Debian 12
I am considering adding
mm does 12 have SELinux?
However, this would require that immich supports this... And I am not sure if it does?
Well, I believe you can install SELinux in Debian 12. This is not SELinux, however. This is pure ACLs on the file system
Yep thought so, no ideas then
Does immich support userns=keep-id?
I have never heard of that option so ... maybe?
This would mean that root inside the container would be the container user id instead.
Some apps are not prepared for that and will typically break hard.
So I am a bit afraid to try.
While others do not require root and will work just fine
Immich doesn’t require root at all
That’s covered in our docs
We don't require root but we also use docker, not podman
And try as it might, it's not a drop-in replacement
Yeah, I know. However, using docker is not an option for me.
Can the Immich containers run correctly if the main process does not run as root inside the container, but instead as a non-root user?
Example: without this option, the following would happen:
With the keep-id option, the following would happen:
Wouldn't it be simpler to just try and see? I have no answers here
Yeah, I guess...
I guess my biggest concern is if immich would start in some weird state and break some state, e.g. in the db such that just removing the option would not fix it. Anyhoo - here goes me trying
Worst case you just rm -rf the database, no? 👀 This is a fresh install is it not?
Almost.... I started setting some things up...
Then you should have backups lol
No one here will be able to guess what will happen with a non standard setup