Question regarding Docker container compatibility with read_only: true

I am in the process of deploying the Immich container and am looking to enhance security by running the container with a read-only root filesystem, using the read_only: true Docker option. Before implementing this, I wanted to ask if this configuration is officially supported or tested. Specifically, I'm curious about:

1. Whether the core application can run correctly in this mode.
2. If there are specific paths that require write access (e.g., for temporary files, cache, or logs) that would need to be mounted as volumes or tmpfs when using read_only: true.

Any guidance or insights you could provide would be greatly appreciated! This is a security feature and should be supported and documented. Thank you.
Immich, 3w ago

Hey @L0rdRaiden, thanks for reaching out to us. Please carefully read this message and follow the recommended actions. This will help us be more effective in our support effort and leave more time for building Immich.

References
- Container Logs: docker compose logs docs
- Container Status: docker ps -a docs
- Reverse Proxy: https://immich.app/docs/administration/reverse-proxy
- Code Formatting: https://support.discord.com/hc/en-us/articles/210298617-Markdown-Text-101-Chat-Formatting-Bold-Italic-Underline#h_01GY0DAKGXDEHE263BCAYEGFJA

Checklist. I have...
1. verified I'm on the latest release (note that mobile app releases may take some time).
2. read applicable release notes.
3. reviewed the FAQs for known issues.
4. reviewed Github for known issues.
5. tried accessing Immich via local ip (without a custom reverse proxy).
6. uploaded the relevant information (see below).
7. tried an incognito window, disabled extensions, cleared mobile app cache, logged out and back in, different browsers, etc. as applicable.
(An item can be marked as "complete" by reacting with the appropriate number.)

Information. In order to be able to effectively help you, we need you to provide clear information to show what the problem is. The exact details needed vary per case, but here is a list of things to consider:
- Your docker-compose.yml and .env files.
- Logs from all the containers and their status (see above).
- All the troubleshooting steps you've tried so far.
- Any recent changes you've made to Immich or your system.
- Details about your system (both software/OS and hardware).
- Details about your storage (filesystems, type of disks, output of commands like fdisk -l and df -h).
- The version of the Immich server, mobile app, and other relevant pieces.
- Any other information that you think might be relevant.

Please paste files and logs with proper code formatting, and especially avoid blurry screenshots. Without the right information we can't work out what the problem is. Help us help you ;) If this ticket can be closed you can use the /close command, and re-open it later if needed. Successfully submitted, a tag has been added to inform contributors.
Sergey Katsubo
Are you talking about the main immich_server container? From my experience it runs fine with a readonly rootfs, though I did not test it thoroughly. Also I'm not aware of any features that explicitly require rw access (apart from mounted media/library directories, of course). Related: https://github.com/immich-app/immich/discussions/4533 AFAIK there is no official documentation or testing of read_only mode.
Immich, 3w ago

[Discussion] [Feature] [Security] Ensure immich containers work with readOnlyRootFilesystem enabled (immich-app/immich#4533)
Zeus, 3w ago

Our Postgres container doesn't support RO FS due to the custom bootstrap. Otherwise it should work fine.
Immich, 3w ago

[Pull Request] Fix: store Postgres config templates in a different folder than /etc/postgresql (immich-app/base-images#220)
L0rdRaiden (OP), 3w ago

So the server image can probably run in read-only mode, right? On the other hand, do you plan to release rootless and distroless images? Something like https://github.com/11notes/docker-homeassistant, at least for the server container, which is the one usually published to the internet.
Zeus, 3w ago

You can already run them rootless. I doubt we will do distroless.
L0rdRaiden (OP), 3w ago

Why?
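A small audit over `docker inspect` output, added here as an example and not part of the thread or of Immich's own tooling: it flags which containers still have a writable root filesystem, a read-only rootfs with no tmpfs scratch space (the case where temp-file writes fail with EROFS), and the related rootless and capability settings Zeus and the OP discuss. The container names, the `/tmp` tmpfs and the uid are constructed sample values, not Immich's actual paths.

```python
import json
import sys

# Constructed `docker inspect` output for two services (sample data, not real Immich
# output): a server container with read_only: true plus a tmpfs for scratch files, and
# a Postgres container left writable, as the thread says its custom bootstrap requires.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/immich_server",
        "Config": {"User": "1000:1000"},
        "HostConfig": {
            "ReadonlyRootfs": True,
            "Tmpfs": {"/tmp": "rw,noexec,nosuid,size=64m"},  # assumed scratch path
            "CapDrop": ["ALL"],
            "SecurityOpt": ["no-new-privileges:true"],
        },
    },
    {
        "Name": "/immich_postgres",
        "Config": {"User": ""},
        "HostConfig": {"ReadonlyRootfs": False, "Tmpfs": None,
                       "CapDrop": None, "SecurityOpt": None},
    },
])


def audit_container(entry):
    """Return a list of hardening findings for one `docker inspect` entry."""
    host = entry.get("HostConfig", {})
    findings = []
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable (no read_only: true)")
    elif not host.get("Tmpfs"):
        # read-only rootfs but nowhere for temp files: expect EROFS errors in the logs
        findings.append("read-only rootfs without tmpfs: temp-file writes will fail with EROFS")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities not dropped (cap_drop: [ALL])")
    if not any(o.startswith("no-new-privileges") for o in host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    if not entry.get("Config", {}).get("User"):
        findings.append("runs as root (no user: set)")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for the JSON printed by `docker inspect <names...>`."""
    return {e["Name"].lstrip("/"): audit_container(e) for e in json.loads(text)}


if __name__ == "__main__":
    # pipe real output in with: docker inspect <container names> | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(text).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```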
