Linuxserver container not working with --user flag anymore. cap-add is not doing anything. #15313

Closed
freestuff002 opened this issue Aug 15, 2022 · 21 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments.

freestuff002 commented Aug 15, 2022

Is this a BUG REPORT or FEATURE REQUEST? (leave only one on its own line)

/kind bug

Description

As of recently, linuxserver containers have stopped working with the --user flag. I believe the proper capabilities are not being added with the cap-add flag. Testing with capeff shows that no capabilities are being added. This wasn't always the case; I used to be able to run pods with the '--user' flag with no issues. This is happening with at least the qbittorrent, radarr, sonarr, bazarr and jellyfin images. All images were working fine a few months ago.

I am not really sure how to properly diagnose the issue. However, I was able to find the first image released that stopped working with the --user flag for the qbittorrent image. It is image 4.4.3.1-r2-ls202, which makes image 4.4.3.1-r1-ls201 the last working image.

I have no issue running the latest container images without the --user flag. Running --cap-drop and --cap-add actually do work when not using the --user flag.

Steps to reproduce the issue:

  1. Pull recent linuxserver container image, for example qbittorrent image

  2. Run podman with --user flag adding necessary capabilities with cap-add

podman run -d \
  --name=qbittorrent \
  --user 1000:1000 \
  -p 8080:8080 \
  --cap-add=CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=America/New_York \
  -e WEBUI_PORT=8080 \
  --restart unless-stopped \
  linuxserver/qbittorrent:latest

Describe the results you received:
Unable to access webui. Container does not work.

Output of podman logs -f qbittorrent

s6-rc: info: service s6rc-oneshot-runner: starting
s6-rc: info: service s6rc-oneshot-runner successfully started
s6-rc: info: service fix-attrs: starting
s6-rc: info: service 00-legacy: starting
s6-rc: info: service 00-legacy successfully started
s6-rc: info: service fix-attrs successfully started
s6-rc: info: service legacy-cont-init: starting
cont-init: info: running /etc/cont-init.d/01-envfile
cont-init: info: /etc/cont-init.d/01-envfile exited 0
cont-init: info: running /etc/cont-init.d/01-migrations
[migrations] started
[migrations] no migrations found
cont-init: info: /etc/cont-init.d/01-migrations exited 0
cont-init: info: running /etc/cont-init.d/02-tamper-check
cont-init: info: /etc/cont-init.d/02-tamper-check exited 0
cont-init: info: running /etc/cont-init.d/10-adduser
groupmod: /etc/group.69: Permission denied
groupmod: cannot lock /etc/group; try again later.
usermod: /etc/passwd.70: Permission denied
usermod: cannot lock /etc/passwd; try again later.

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    911
User gid:    1001
-------------------------------------

chown: changing ownership of '/app': Operation not permitted
chown: changing ownership of '/config': Operation not permitted
chown: changing ownership of '/defaults': Operation not permitted
cont-init: info: /etc/cont-init.d/10-adduser exited 1
cont-init: info: running /etc/cont-init.d/30-config
/package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: line 14: /etc/cont-init.d/30-config: Permission denied
cont-init: info: /etc/cont-init.d/30-config exited 126
cont-init: info: running /etc/cont-init.d/90-custom-folders
mkdir: cannot create directory ‘/config/custom-cont-init.d’: Permission denied
mkdir: cannot create directory ‘/config/custom-services.d’: Permission denied
chown: cannot access '/config/custom-cont-init.d': No such file or directory
chown: cannot access '/config/custom-services.d': No such file or directory
cont-init: info: /etc/cont-init.d/90-custom-folders exited 1
cont-init: info: running /etc/cont-init.d/99-custom-files
[custom-init] no custom files found exiting...
cont-init: info: /etc/cont-init.d/99-custom-files exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-mods: starting
s6-rc: info: service init-mods successfully started
s6-rc: info: service init-mods-package-install: starting
s6-rc: info: service init-mods-package-install successfully started
s6-rc: info: service init-mods-end: starting
s6-rc: info: service init-mods-end successfully started
s6-rc: info: service init-services: starting
s6-rc: info: service init-services successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun qbittorrent (no readiness notification)
s6-supervise qbittorrent (child): fatal: unable to exec run: Permission denied
s6-supervise qbittorrent: warning: unable to spawn ./run - waiting 10 seconds
s6-rc: info: service legacy-services successfully started
s6-rc: info: service 99-ci-service-check: starting
[ls.io-init] done.
s6-rc: info: service 99-ci-service-check successfully started
s6-supervise qbittorrent (child): fatal: unable to exec run: Permission denied
s6-supervise qbittorrent: warning: unable to spawn ./run - waiting 10 seconds

output of podman top -l capeff

EFFECTIVE CAPS
none
none
none
none
none
none
none

Describe the results you expected:

For the container to work properly, access webui. Example running container with most recent working image linuxserver/qbittorrent:4.4.3.1-r1-ls201

output of podman logs -f qbittorrent

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing... 
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 01-migrations: executing... 
[migrations] started
[migrations] no migrations found
[cont-init.d] 01-migrations: exited 0.
[cont-init.d] 02-tamper-check: executing... 
[cont-init.d] 02-tamper-check: exited 0.
[cont-init.d] 10-adduser: executing... 

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 30-config: executing... 
[cont-init.d] 30-config: exited 0.
[cont-init.d] 90-custom-folders: executing... 
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing... 
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

******** Information ********
To control qBittorrent, access the WebUI at: http://localhost:8080

output of podman top -l capeff

EFFECTIVE CAPS
CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID
CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID
CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID
CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID

Additional information you deem important (e.g. issue happens only occasionally):

Output of podman version:

podman version 4.1.1

Output of podman info:

host:
  arch: amd64
  buildahVersion: 1.26.1
  cgroupControllers:
  - memory
  - pids
  cgroupManager: systemd
  cgroupVersion: v2
  conmon:
    package: conmon-2.1.2-1.1.x86_64
    path: /usr/bin/conmon
    version: 'conmon version 2.1.2, commit: unknown'
  cpuUtilization:
    idlePercent: 63.57
    systemPercent: 9.53
    userPercent: 26.9
  cpus: 12
  distribution:
    distribution: '"opensuse-tumbleweed"'
    version: "20220812"
  eventLogger: journald
  hostname: localhost.localdomain
  idMappings:
    gidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
    uidmap:
    - container_id: 0
      host_id: 1000
      size: 1
    - container_id: 1
      host_id: 100000
      size: 65536
  kernel: 5.19.0-1-default
  linkmode: dynamic
  logDriver: journald
  memFree: 175075328
  memTotal: 4086444032
  networkBackend: cni
  ociRuntime:
    name: runc
    package: runc-1.1.3-2.1.x86_64
    path: /usr/bin/runc
    version: |-
      runc version 1.1.3
      commit: v1.1.3-0-ga916309fff0f
      spec: 1.0.2-dev
      go: go1.18.3
      libseccomp: 2.5.4
  os: linux
  remoteSocket:
    path: /run/user/1000/podman/podman.sock
  security:
    apparmorEnabled: false
    capabilities: CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_NET_BIND_SERVICE,CAP_SETFCAP,CAP_SETGID,CAP_SETPCAP,CAP_SETUID,CAP_SYS_CHROOT
    rootless: true
    seccompEnabled: true
    seccompProfilePath: /etc/containers/seccomp.json
    selinuxEnabled: false
  serviceIsRemote: false
  slirp4netns:
    executable: /usr/bin/slirp4netns
    package: slirp4netns-1.1.11-1.6.x86_64
    version: |-
      slirp4netns version 1.1.11
      commit: unknown
      libslirp: 4.7.0
      SLIRP_CONFIG_VERSION_MAX: 3
      libseccomp: 2.5.4
  swapFree: 871059456
  swapTotal: 1339006976
  uptime: 31m 58.73s
plugins:
  log:
  - k8s-file
  - none
  - passthrough
  - journald
  network:
  - bridge
  - macvlan
  - ipvlan
  volume:
  - local
registries:
  search:
  - registry.opensuse.org
  - registry.suse.com
  - docker.io
store:
  configFile: /home/test/.config/containers/storage.conf
  containerStore:
    number: 1
    paused: 0
    running: 1
    stopped: 0
  graphDriverName: btrfs
  graphOptions: {}
  graphRoot: /home/test/.local/share/containers/storage
  graphRootAllocated: 19593691136
  graphRootUsed: 6826401792
  graphStatus:
    Build Version: Btrfs v5.18.1
    Library Version: "102"
  imageCopyTmpDir: /var/tmp
  imageStore:
    number: 15
  runRoot: /run/user/1000/containers
  volumePath: /home/test/.local/share/containers/storage/volumes
version:
  APIVersion: 4.1.1
  Built: 1656633600
  BuiltTime: Thu Jun 30 20:00:00 2022
  GitCommit: ""
  GoVersion: go1.16.15
  Os: linux
  OsArch: linux/amd64
  Version: 4.1.1

Package info (e.g. output of rpm -q podman or apt list podman):

podman-4.1.1-2.1.x86_64

Have you tested with the latest version of Podman and have you checked the Podman Troubleshooting Guide? (https://github.com/containers/podman/blob/main/troubleshooting.md)

Checked troubleshooting. Have tried most recent github version.

Additional environment details (AWS, VirtualBox, physical, etc.):

@openshift-ci openshift-ci bot added the kind/bug Categorizes issue or PR as related to a bug. label Aug 15, 2022
@mheon
Member

mheon commented Aug 15, 2022

I looked into this around a month ago for a different issue, and the change to capabilities (--cap-add not granting actual caps when --user is given - I think it might only set bounding caps?) was deliberately done to match Docker - I think it may have been a CVE at one point, even, that we assigned more caps than Docker did when --user was given, but that might just be my memory acting up. This was a long time ago, though, at least two years from my memory - so if this only broke recently for you, it might be another change that has crept in.

All that said, I am not opposed to changing the behavior of --cap-add with --user. The way it works now (IMO) makes very little sense. We would need consensus from the team, and agreement as to whether this is a major-version bump (I would vote no, but it is arguably a security-related change).
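The distinction raised above between effective and bounding capabilities can be checked directly from the `Cap*` masks in `/proc/<pid>/status`. The following is an added example, not part of the original thread or of Podman; the function names and the two status excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify each capability requested with --cap-add by the
# capability set it actually landed in, using the Cap* hex masks from
# /proc/<pid>/status. Function names and sample data are constructed.

# Bit number of a capability (linux/capability.h); covers the names that
# appear in this issue.
cap_bit() {
  case "$1" in
    CHOWN) echo 0 ;; DAC_OVERRIDE) echo 1 ;; FOWNER) echo 3 ;;
    FSETID) echo 4 ;; KILL) echo 5 ;; SETGID) echo 6 ;; SETUID) echo 7 ;;
    SETPCAP) echo 8 ;; NET_BIND_SERVICE) echo 10 ;; NET_ADMIN) echo 12 ;;
    SYS_CHROOT) echo 18 ;; SETFCAP) echo 31 ;;
    *) return 1 ;;
  esac
}

# Read status text on stdin, print the hex mask of field $1 (e.g. CapEff).
status_mask() {
  awk -v f="$1:" '$1 == f { print $2 }'
}

# True if hex mask $1 has bit number $2 set.
mask_has() {
  [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# $1 = text of /proc/<pid>/status, $2 = comma-separated capability names
# as passed to --cap-add (case-insensitive, optional CAP_ prefix).
# Prints one "<NAME> <state>" line per requested capability.
classify_caps() {
  eff=$(printf '%s\n' "$1" | status_mask CapEff); eff=${eff:-0}
  prm=$(printf '%s\n' "$1" | status_mask CapPrm); prm=${prm:-0}
  bnd=$(printf '%s\n' "$1" | status_mask CapBnd); bnd=${bnd:-0}
  for raw in $(printf '%s' "$2" | tr ',' ' ' | tr '[:lower:]' '[:upper:]'); do
    name=${raw#CAP_}
    if ! bit=$(cap_bit "$name"); then echo "$name unknown"
    elif mask_has "$eff" "$bit"; then echo "$name effective"
    elif mask_has "$prm" "$bit"; then echo "$name permitted-only"
    elif mask_has "$bnd" "$bit"; then echo "$name bounding-only"
    else echo "$name absent"
    fi
  done
}

# Constructed status excerpts (not taken from the issue).
# 0xeb = CHOWN|DAC_OVERRIDE|FOWNER|KILL|SETGID|SETUID.
STATUS_BOUNDING_ONLY='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000000000eb
CapAmb: 0000000000000000'

STATUS_GRANTED='CapInh: 00000000000000eb
CapPrm: 00000000000000eb
CapEff: 00000000000000eb
CapBnd: 00000000000000eb
CapAmb: 00000000000000eb'

REQUESTED=CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID

# Against a running container, feed it the status of the container's PID 1:
#   classify_caps "$(podman exec qbittorrent cat /proc/1/status)" "$REQUESTED"
classify_caps "$STATUS_BOUNDING_ONLY" "$REQUESTED"
```

A capability reported as `bounding-only` is a ceiling on what a later exec may gain; the process cannot use it, which is consistent with `podman top -l capeff` printing `none`.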

@freestuff002
Author

Like you mentioned, this only started happening recently so I think it might be a different issue. It also only happens with linuxserver containers specifically. I ran the jellyfin container image provided by the actual jellyfin team and --cap-add works fine with --user.

I am not exactly sure what changed in the linuxserver containers that started causing this issue.

@rhatdan
Member

rhatdan commented Aug 15, 2022

$ podman run --rm --user bin --cap-add=net_admin fedora capsh --print | grep Current:
Current: cap_net_admin=eip

With what container image are you seeing something different?

@freestuff002
Author

freestuff002 commented Aug 15, 2022

I am having issues with recent images of all the linuxserver containers that I use which are radarr, sonarr, bazarr, jellyfin and qbittorrent. The only non linuxserver container that I use is the official jellyfin one which works fine with --user and --cap-add. This only started happening recently. In the op I posted the most recent working qbittorrent image and the first broken one. I was also able to track the same images for radarr.

Release 4.1.0.6175-ls145 is the most recent working one.

  podman run -d \
  --name=radarr \
  --user 1001:1001 \
  --cap-add=CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID \
  -p 7878:7878 \
  linuxserver/radarr:4.1.0.6175-ls145
EFFECTIVE CAPS
CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID

While release 4.1.0.6175-ls146 is the first broken one.

  podman run -d \
  --name=radarr \
  --user 1001:1001 \
  --cap-add=CHOWN,DAC_OVERRIDE,FOWNER,KILL,SETGID,SETUID \
  -p 7878:7878 \
  linuxserver/radarr:4.1.0.6175-ls146
EFFECTIVE CAPS
none

So I am not too experienced with this, but I did try to pinpoint what exactly might be the issue. The only difference between the two above releases will be with the linuxserver base image for radarr. As far as I can tell, this is the only major commit that happened between the two above releases: linuxserver/docker-baseimage-alpine#93. In this commit s6-overlay was upgraded to v3; s6-overlay was also upgraded in between the two qbittorrent releases mentioned in the op. Not sure if that is very helpful or even accurate, but those are the only major changes I can see between the releases. I suppose it will also make sense since all of the linuxserver images, as of late, do not work anymore with the --user and --cap-add flags. They do work completely fine if I omit --user.

@eriksjolund
Contributor

A GitHub comment talks about a problematic line

 chmod +x \ 

I noticed that there is a difference between the working and the broken container image for that line

$ cat /tmp/test.sh 
#!/bin/bash
# Print the docker-mods script shipped in the image given as $1.
ctr=$(podman create "$1")
mnt=$(podman mount "$ctr")
cat "$mnt/docker-mods"
podman unmount "$ctr" > /dev/null
podman rm "$ctr" > /dev/null

$ podman unshare /tmp/test.sh docker.io/linuxserver/radarr:4.1.0.6175-ls145 | grep chmod
$ podman unshare /tmp/test.sh docker.io/linuxserver/radarr:4.1.0.6175-ls146 | grep chmod
  chmod +x \
$ 

(I haven't spent any more time investigating)

@EQUALIT-CG

Hi guys

I'm having issues with linuxserver/jellyfin

I cannot get it to start. When I run docker-compose up, the output comes as follows:

jellyfin    | -------------------------------------
jellyfin    |           _         ()
jellyfin    |          | |  ___   _    __
jellyfin    |          | | / __| | |  /  \
jellyfin    |          | | \__ \ | | | () |
jellyfin    |          |_| |___/ |_|  \__/
jellyfin    |
jellyfin    |
jellyfin    | Brought to you by linuxserver.io
jellyfin    | -------------------------------------
jellyfin    |
jellyfin    | To support the app dev(s) visit:
jellyfin    | Jellyfin: https://opencollective.com/jellyfin
jellyfin    |
jellyfin    | To support LSIO projects visit:
jellyfin    | https://www.linuxserver.io/donate/
jellyfin    | -------------------------------------
jellyfin    | GID/UID
jellyfin    | -------------------------------------
jellyfin    |
jellyfin    | User uid:    911
jellyfin    | User gid:    1000
jellyfin    | -------------------------------------
jellyfin    |
jellyfin    | chown: changing ownership of '/app': Operation not permitted
jellyfin    | chown: changing ownership of '/config': Operation not permitted
jellyfin    | chown: changing ownership of '/defaults': Operation not permitted
jellyfin    | cont-init: info: /etc/cont-init.d/10-adduser exited 1
jellyfin    | cont-init: info: running /etc/cont-init.d/30-config
jellyfin    | /package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: 14: /etc/cont-init.d/30-config: Permission denied
jellyfin    | cont-init: info: /etc/cont-init.d/30-config exited 126
jellyfin    | cont-init: info: running /etc/cont-init.d/40-gid-video
jellyfin    | /package/admin/s6-overlay-3.1.0.1/etc/s6-rc/scripts/cont-init: 14: /etc/cont-init.d/40-gid-video: Permission denied
jellyfin    | cont-init: info: /etc/cont-init.d/40-gid-video exited 126
jellyfin    | cont-init: info: running /etc/cont-init.d/90-custom-folders
jellyfin    | mkdir: cannot create directory ‘/config/custom-cont-init.d’: Permission denied
jellyfin    | mkdir: cannot create directory ‘/config/custom-services.d’: Permission denied
jellyfin    | chown: cannot access '/config/custom-cont-init.d': No such file or directory
jellyfin    | chown: cannot access '/config/custom-services.d': No such file or directory
jellyfin    | cont-init: info: /etc/cont-init.d/90-custom-folders exited 1
jellyfin    | cont-init: info: running /etc/cont-init.d/99-custom-scripts
jellyfin    | [custom-init] no custom files found, skipping...
jellyfin    | cont-init: info: /etc/cont-init.d/99-custom-scripts exited 0
jellyfin    | s6-rc: info: service legacy-cont-init successfully started
jellyfin    | s6-rc: info: service init-mods: starting
jellyfin    | s6-rc: info: service init-mods successfully started
jellyfin    | s6-rc: info: service init-mods-package-install: starting
jellyfin    | s6-rc: info: service init-mods-package-install successfully started
jellyfin    | s6-rc: info: service init-mods-end: starting
jellyfin    | s6-rc: info: service init-mods-end successfully started
jellyfin    | s6-rc: info: service init-services: starting
jellyfin    | s6-rc: info: service init-services successfully started
jellyfin    | s6-rc: info: service legacy-services: starting
jellyfin    | services-up: info: copying legacy longrun jellyfin (no readiness notification)
jellyfin    | s6-supervise jellyfin (child): fatal: unable to exec run: Permission denied
jellyfin    | s6-supervise jellyfin: warning: unable to spawn ./run - waiting 10 seconds
jellyfin    | s6-rc: info: service legacy-services successfully started
jellyfin    | s6-rc: info: service 99-ci-service-check: starting
jellyfin    | [ls.io-init] done.

I cannot get this to run when I go with UID & GID.
I can log in with no issues but am still not able to mount my media. I've asked and looked around for support with no luck. Is anyone able to explain to me how to fix this, please?

@rhatdan
Member

rhatdan commented Sep 12, 2022

Could you try it in rootful mode and see if it works.

Also could you see if this is an SELinux issue.

@EQUALIT-CG

Hi @rhatdan

Thanks so much for the support.
I will add my OS info below.

I'm somewhat new, somewhat not; the reason I say this is I don't understand what you mean. Can you try and put it in simple terms for me, please?

NAME="Fedora Linux"
VERSION="36.20220820.3.0 (CoreOS)"
ID=fedora
VERSION_ID=36
VERSION_CODENAME=""
PLATFORM_ID="platform:f36"
PRETTY_NAME="Fedora CoreOS 36.20220820.3.0"
ANSI_COLOR="0;38;2;60;110;180"
LOGO=fedora-logo-icon
CPE_NAME="cpe:/o:fedoraproject:fedora:36"
HOME_URL="https://getfedora.org/coreos/"
DOCUMENTATION_URL="https://docs.fedoraproject.org/en-US/fedora-coreos/"
SUPPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
BUG_REPORT_URL="https://github.com/coreos/fedora-coreos-tracker/"
REDHAT_BUGZILLA_PRODUCT="Fedora"
REDHAT_BUGZILLA_PRODUCT_VERSION=36
REDHAT_SUPPORT_PRODUCT="Fedora"
REDHAT_SUPPORT_PRODUCT_VERSION=36
PRIVACY_POLICY_URL="https://fedoraproject.org/wiki/Legal:PrivacyPolicy"
VARIANT="CoreOS"
VARIANT_ID=coreos
OSTREE_VERSION='36.20220820.3.0'
DEFAULT_HOSTNAME=localhost

@EQUALIT-CG

Hi guys

So I can start the docker-compose "Jellyfin",
but no media shows up inside the container.

I have tried as the CoreOS user "core" as well as root;
I haven't been able to find any media.

I will now post my docker-compose so maybe someone can test it.
The remote storage works fine with the default image of jellyfin, so I don't have any issues with it from Synology set up as NFS as root.

version: "3.6"

services:
  jellyfin:                             # Jellyfin is a suite of multimedia applications
    container_name: jellyfin
#    image: lscr.io/linuxserver/jellyfin:latest
    image: jellyfin/jellyfin
    restart: unless-stopped
    ports:
      - 8096:8096                       # Http webUI interface
      - 8920:8920                       # Https webUI interface
      - 7359:7359/udp                   # server auto discover
      - 1900:1900/udp                   # DLNA interface
      - 1901:1901                       # DLNA interface
    volumes:
      - /opt/jellyfinn/cache:/cache:z
#      - /opt/jellyfinn/config/config:/config:z
      - /opt/jellyfin/config/config:/config:z
      - type: volume
        source: jellyfin-media
        target: /media
        volume:
         nocopy: true
      - type: volume
        source: new-release
        target: /new_release
        volume:
         nocopy: true
#    user: ${PUID}:${PGID}
    environment:
      - PUID=1000
      - PGID=1000

volumes:
  jellyfin-config:

# Jellyfin
  jellyfin-media:
    driver_opts:
      type: "nfs"
      o: "addr=${NASIP},nolock,soft,rw"
      device: ":/volume4/Jellyfin"

# new-release
  new-release:
    driver_opts:
      type: "nfs"
      o: "addr=${NASIP},nolock,soft,rw"
      device: ":/volume4/new_release"

networks:
  default:
    driver: bridge



snipp

@rhatdan
Member

rhatdan commented Sep 13, 2022

Put SELinux into permissive mode
$ sudo setenforce 0

Test docker-compose. If it works, then you have an SELinux issue.
If not, try to run docker-compose as root

$ sudo docker-compose up

If this works then it is a user namespace issue.

@EQUALIT-CG

EQUALIT-CG commented Sep 14, 2022

Hi @rhatdan

Thanks for trying to help me, but sadly none of it helped with being able to see my media. I will add a log below as well as switching back to my default image.

Also thanks for posting the command; that was very easy to read.

Edited:
added the logs to Pastebin

https://pastebin.com/LrCBCgxv

@EQUALIT-CG

I'm sure you can see for yourself that it works fine with the default image.
I'm happy that it works, but I really want the linuxserver image to work. Why?
It's just a little bit better with the UI and page refresh as well as driver, etc.

So it would be nice, but idk what to do. Nothing on the NAS has changed, nothing in the docker has changed,
only the image and path for the config, that's it.

snipp

@rishubn

rishubn commented Oct 8, 2022

I am also experiencing this issue; only running with sudo changes the PID and UID of the container user

@EQUALIT-CG

@rishubn was that meant for me...?
I've given up. I would love to get it running, but it never worked out.

@rishubn

rishubn commented Oct 8, 2022

@EQUALIT-CG Can you try appending the flag: --userns="" to your podman run command?

After trying a few things, adding that flag worked for me:
podman run -d --rm --userns="" -e PUID=1000 -e PGID=1000 --name=qbittorrent -e TZ=Europe/London -e WEBUI_PORT=5080 -v $PWD/qbittorrent:/config:Z -v $PWD/data/downloads:/downloads:Z lscr.io/linuxserver/qbittorrent:latest

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    1000
User gid:    1000
-------------------------------------

@EQUALIT-CG

@rishubn
I wasn't running Podman, which is why I DM'd the admin to close this. I was trying to get help with Jellyfin.
I asked the Discord and no one was able to help. When googling, it sent me here, and I wasn't reading what it said and posted here anyway.
I later worked out this was the wrong place and asked the admin to close this ticket, etc.

@gzqx

gzqx commented Nov 10, 2022

Meeting same problem on podman 4.2.1 on Fedora 36.

@eriksjolund
Contributor

eriksjolund commented Nov 13, 2022

It seems that LinuxServer.io does not support running their containers with rootless Podman or rootless Docker.

It's not mentioned in their official documentation, but it's mentioned in their support forums.

I searched for "rootless" in their documentation but didn't find anything:
https://docs.linuxserver.io/?q=rootless

Their web page Where to get support lists two support forums:

  • Discord
  • Discourse

quotes from Discourse

I searched for "rootless" and found 8 search results.

Some quotes:

  • We also do not support rootless for the reasons you’ve already seen. this is not going to change any time soon.
    quote from 8 May 2022.

  • We do not offer any support for rootless at all and we have no intention of doing so in the near future.
    quote from 19 June 2022.

quotes from Discord

I signed up for an account in the Discord and searched for "rootless" and found 228 search results.

Some quotes:

  • "But broadly it should work on podman as long as you're not running rootless"
  • "Most of our images will work if you run them as root, you'll run into problems with a lot of them running rootless"
  • "Our images don't support rootless docker as various init steps require root"

@UnconventionalMindset
Copy link

UnconventionalMindset commented Dec 11, 2022

Same issue with Podman 4.3.0 on Fedora CoreOS 37.20221106.3.0

$ podman run --security-opt label=disable --name jellyfin --publish 8096:8096/tcp --rm --userns="" -e PGID=1000 -e PUID=1000 lscr.io/linuxserver/jellyfin:latest
[custom-init] No custom services found, skipping...
[migrations] started
[migrations] no migrations found


      _         ()
     | |  ___   _    __
     | | / __| | |  /  \
     | | \__ \ | | | () |
     |_| |___/ |_|  \__/

Brought to you by linuxserver.io

To support the app dev(s) visit:
Jellyfin: https://opencollective.com/jellyfin

To support LSIO projects visit:
https://www.linuxserver.io/donate/

GID/UID

User uid: 1000
User gid: 1000

[custom-init] No custom files found, skipping...
s6-applyuidgid: fatal: unable to exec /usr/bin/jellyfin: Permission denied

@eriksjolund
Contributor

The issue

was closed with the motivation

We don't test, support or go out of our way to ensure our 
images (and mods) works in a rootless environment.

In other words using lscr.io/linuxserver/jellyfin:latest with rootless Podman (or rootless Docker) is not supported by the upstream project.

@rhatdan
Member

rhatdan commented Jan 22, 2023

I think I can close this issue, then.

@rhatdan rhatdan closed this as completed Jan 22, 2023
@github-actions github-actions bot added the locked - please file new issue/PR Assist humans wanting to comment on an old issue or PR with locked comments. label Sep 3, 2023
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 3, 2023