[Support]: check s6-overlay-suexec permissions

[rasulovk]

Checklist

• I have updated to the latest available Frigate version.
• I have cleared the cache of my browser.
• I have tried a different browser to see if it is related to my browser.
• I have tried reproducing the issue in incognito mode to rule out problems with any third party extensions or plugins I have installed.

Describe the problem you are having

My setup:
image : ghcr.io/blakeblackshear/frigate:stable-rk
SOC : RK3588
Kernel: 6.1.0-1025-rockchi
Docker version 28.3.3 - with user namespace remap enabled

After upgrade to altest 0.16 version I got follwoing error:

frigate | s6-overlay-suexec: warning: real uid is 0 while effective uid is 100000; setting everything to 0; check s6-overlay-suexec permissions
frigate | /package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 100000 instead of 0, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it.
frigate | s6-overlay-suexec: fatal: child failed with exit code 100
frigate exited with code 100

Steps to reproduce

1.Docker version
2.
3.
...

Version

0.16

In which browser(s) are you experiencing the issue with?

No response

Frigate config file

mqtt:
  host: IP_address
  user: user
  password: 'Pass'
cameras:
  mammy_door:
    ffmpeg:
      hwaccel_args: preset-jetson-h264
      inputs:
        - path: rtsp://1.1.1.1:8554/unicast
          roles:
            - detect
            - rtmp
    snapshots:
      enabled: true
      timestamp: true
      bounding_box: true
      retain: 
        default: 2
    record:
        enabled: true
        retain:
          days: 0
          mode: motion
        events:
          retain:
            default: 5
            mode: active_objects
          pre_capture: 5
          post_capture: 8
          objects:
            - car
            - person
            - cat
record:
  enabled: True
  retain:
    days: 7
    mode: motion
  events:
    retain:
      default: 30
      mode: motion

snapshots:
  enabled: True
  retain:
    default: 30

detectors:
  tensorrt:
    type: tensorrt
    model:
      path: /config/model_cache/tensorrt/yolov7-320.trt

model:
  input_tensor: nchw                              # yolo models are nchw
  width: 320                                      # must match model size
  height: 320                                     # must match model size

docker-compose file or Docker CLI command

services:
  frigate:
    container_name: frigate
    privileged: true # this may not be necessary for all setups
    restart: unless-stopped
    userns_mode: host
    shm_size: "128mb" # update for your cameras based on calculation above
    image: ghcr.io/blakeblackshear/frigate:stable-rk
    security_opt:
      - apparmor=unconfined
      - systempaths=unconfined
    devices:
      - /dev/dri
      - /dev/dma_heap
      - /dev/rga
      - /dev/mpp_service
      # - /dev/shm
    volumes:
      - /proc/device-tree/compatible:/proc/device-tree/compatible
      - /etc/localtime:/etc/localtime:ro
      - ./config/config.yml:/config/config.yml
      - ./config/model_cache:/config/model_cache
      - ./storage:/media/frigate
      - type: tmpfs # Optional: 1GB of memory, reduces SSD/SD Card wear
        target: /tmp/cache
        tmpfs:
          size: 1000000000
     ports:
       - "5000:5000"
       - "8554:8554" # RTSP feeds
       - "8555:8555/tcp" # WebRTC over tcp
       - "8555:8555/udp" # WebRTC over udp
    environment:
      FRIGATE_RTSP_PASSWORD: "${FRIGATE_RTSP_PASSWORD}"
      FRIGATE_MQTT_USER: "${MQTT_USER}"
      FRIGATE_MQTT_PASSWORD: "${MQTT_PASSWORD}"

    networks:
      frigate_default:



networks:
  frigate_default:
    driver: bridge
    # external: true

Relevant Frigate log output

frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate  | s6-overlay-suexec: warning: real uid is 0 while effective uid is 100000; setting everything to 0; check s6-overlay-suexec permissions
frigate  | /package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 100000 instead of 0, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it.
frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate  | s6-overlay-suexec: warning: real uid is 0 while effective uid is 100000; setting everything to 0; check s6-overlay-suexec permissions
frigate  | /package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 100000 instead of 0, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it.
frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate exited with code 100

Relevant go2rtc log output

frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate  | s6-overlay-suexec: warning: real uid is 0 while effective uid is 100000; setting everything to 0; check s6-overlay-suexec permissions
frigate  | /package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 100000 instead of 0, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it.
frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate  | s6-overlay-suexec: warning: real uid is 0 while effective uid is 100000; setting everything to 0; check s6-overlay-suexec permissions
frigate  | /package/admin/s6-overlay/libexec/preinit: fatal: /run belongs to uid 100000 instead of 0, has insecure and/or unworkable permissions, and we're lacking the privileges to fix it.
frigate  | s6-overlay-suexec: fatal: child failed with exit code 100
frigate exited with code 100

Operating system

Other Linux

Install method

Docker Compose

Network connection

Wired

Camera make and model

PiCamera

Screenshots of the Frigate UI's System metrics pages

Container not running

Any other information that may be helpful

No response

[inkeep-ai-assistant[bot]]

The issue you're experiencing is related to Docker user namespace remapping conflicting with the s6-overlay init system used in Frigate. Based on the Rockchip platform setup documentation, there are specific configuration requirements that may help resolve this issue.

For Rockchip platforms, the documentation recommends starting with privileged mode during configuration to avoid permission errors(1). Your current setup already includes privileged: true, but the user namespace remapping (userns_mode: host) might be causing the conflict.

The recommended security configuration for Rockchip platforms includes(1):

security_opt:
  - apparmor=unconfined
  - systempaths=unconfined
devices:
  - /dev/dri

You already have these configured correctly. However, the documentation suggests that after everything works, you should disable privileged mode and rely only on the necessary permissions(1).

Try removing the userns_mode: host line from your docker-compose configuration, as this appears to be causing the UID mismatch between the container's expected root user (0) and the remapped user (100000). The s6-overlay system expects to run as root and is having permission issues with the remapped user namespace.

If you need user namespace remapping for security reasons, you may need to either:

1. Configure Docker's user namespace remapping to exclude the Frigate container
2. Use a different approach that doesn't conflict with s6-overlay's requirements

The Rockchip-specific image (stable-rk) should work properly with the standard privileged mode configuration shown in the documentation(1).

📚 Sources:

1. Installation

---

Have another question? Just tag @inkeep.

[rasulovk]

“Even though the response was late, I decided to update the Frigate container to use the new feature. To avoid issues with s6-overlay permissions, I created a new folder using mkdir run and set its owner to 10000 as the remapped user. It is now working. Thanks a lot.”
Example:
mkdir run
chown 10000 run

In Docker compose under volume:
...
./run:/run
...