Run Open Webui container as non ROOT user #18541

mirco-bozzolini · 2025-10-23T14:44:49Z

mirco-bozzolini
Oct 23, 2025

I'm trying to run this service in a EKS cluster, right now the container is built to be run as ROOT user which isn't a best practice for security reason.

If I try to start the container with a different UID and GUID I get an error on startup because it cannot generate a random WEBUI_SECRET_KEY to the file in the container path .webui_secret_key since it has not the permission to write in a path owned by the root user.

I could re-build the image passing the args UID and GUID but I think is not the correct approach since the container itself should follow common best practices.

What do you suggest?

Answered by Elettrotecnica

Feb 18, 2026

A better approach to what I have wrote earlier is to use the "native" OpenWebUI Docker file arguments UID and GID to build a custom image:

open-webui/Dockerfile

Lines 23 to 24 in b8112d7

     ARG UID=0  
   ARG GID=0

This ensures the user and group are actually created, permissions are set and so on...

According to the Dockerfile, this approach is not officially supported, but it seems to be working in practices, at least on my installation.

View full answer

Elettrotecnica · 2026-02-13T15:49:30Z

Elettrotecnica
Feb 13, 2026

OpenWebUI does not seem to offer a rootless image right now, see #17583 (comment)

What is working for me at the moment is something like this:

FROM ghcr.io/open-webui/open-webui:latest

RUN groupadd -r app --gid=1001 && \
    useradd -r -g app --uid=1001 --shell=/bin/bash --create-home app

RUN chown -R 1001:1001 .

USER 1001:1001

Before 0.8.0 the following was enough:

FROM ghcr.io/open-webui/open-webui:latest

RUN chown -R 1001:1001 .

USER 1001:1001

I really believe the project should start offering a rootless image out of the box. Adapting existing images is easy enough for now, but already inconsistent from version to version.

3 replies

Elettrotecnica Feb 18, 2026

A better approach to what I have wrote earlier is to use the "native" OpenWebUI Docker file arguments UID and GID to build a custom image:

open-webui/Dockerfile

Lines 23 to 24 in b8112d7

    
           ARG UID=0 
        
           ARG GID=0

This ensures the user and group are actually created, permissions are set and so on...

According to the Dockerfile, this approach is not officially supported, but it seems to be working in practices, at least on my installation.

Answer selected by mirco-bozzolini

mirco-bozzolini Feb 19, 2026
Author

Thank you, that is the way I chose to follow.

I used a pipeline which builds me a rootless image. It is a bit cumbersome to keep up with the updates but for now it works.

Elettrotecnica Feb 20, 2026

In fact, you had mentioned this option at the very beginning :-)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Run Open Webui container as non ROOT user #18541

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

Run Open Webui container as non ROOT user #18541

Uh oh!

mirco-bozzolini Oct 23, 2025

Replies: 1 comment · 3 replies

Uh oh!

Elettrotecnica Feb 13, 2026

Uh oh!

Elettrotecnica Feb 18, 2026

Uh oh!

Uh oh!

mirco-bozzolini Feb 19, 2026 Author

Uh oh!

Elettrotecnica Feb 20, 2026

mirco-bozzolini
Oct 23, 2025

Replies: 1 comment 3 replies

Elettrotecnica
Feb 13, 2026

mirco-bozzolini Feb 19, 2026
Author