Docker: Don't update permissions of originals on startup #2371
Conversation
You can mount any folder in read-only mode to restrict the access to files:

```yaml
volumes:
  - "/mnt/photos/nature:/photoprism/originals/nature:ro"
```
Very true. You can do many different things. I only opened the PR because the current default behavior goes against the "we do not ever touch originals" wording. I do understand from a non-paying-user support standpoint things are kept as simplistic as possible, but there should still be options. We don't always know the tech stack that others are using, and they may not have the ability to mark something read-only. Regardless, being explicit is almost always a better thing than being implicit. I have an OKD cluster w/ CephFS backing my So my manifest looks like such:

```yaml
spec:
  volumes:
    - name: originals
      cephfs:
        path: "/path/to/originals"
        readOnly: true
        monitors:
          - 10.1.2.30:6789
          - 10.1.2.31:6789
          - 10.1.2.32:6789
        user: okd-photos-user
        secretRef:
          name: password
```

My problem is solved, though I do not entirely like the implementation. You may close this PR if you deem it harmful.
This problem has really bothered me a hundred times, either adding different user management permissions, or restricting the permission modification of my originals files by photoprism (sorry, my English is poor; this is from translation software).
Signed-off-by: Michael Mayer <michael@photoprism.app>
Started a new preview build for testing! 👍
@lastzero thanks for the updates! There is 1 issue that has surfaced later than your commits regarding switching to uid 1000620000:1000620000

```
/opt/photoprism/bin/photoprism start
setpriv: uid 1000620000 not found, --init-groups requires an user that can be found on the system
```

but I can open a separate issue for that and my issue and PR can be closed
UID 1000620000 is not supported, see list of valid ranges in the config examples.
Unfortunately this requires me to bypass certain security contexts in OpenShift/OKD, but I'll deal with it.
Is this configurable? For example, can I turn this behaviour back on if I want to? EDIT: Oh I see... I can set
OOff..... so.... it's not configurable then?
The originals folder itself is not touched anymore, but the behavior for the storage folder can be enabled / disabled as before.
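As an added example (not part of this PR or of PhotoPrism's own code), here is a defender-side check for the claim above: snapshot the owner, group and mode of every entry under the originals tree before starting the container, then compare afterwards to confirm nothing was chowned or chmodded. The script name, the `save`/`compare` modes and the snapshot file path are assumptions for illustration.

```python
import json
import os
import sys
from pathlib import Path


def snapshot_tree(root):
    """Return {relative_path: (uid, gid, mode)} for root and every entry below it.

    lstat() is used so symlinks are recorded as themselves and never followed,
    which keeps the check inside the originals tree.
    """
    root = Path(root)
    snap = {}

    def record(p):
        st = p.lstat()
        snap[os.path.relpath(p, root)] = (st.st_uid, st.st_gid, st.st_mode & 0o7777)

    record(root)  # the root directory itself is recorded as "."
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            record(Path(dirpath) / name)
    return snap


def diff_snapshots(before, after):
    """Return {path: (before, after)} for entries whose owner or mode changed.

    Entries that appeared or disappeared are reported with None on the missing side.
    """
    changes = {}
    for path in set(before) | set(after):
        b, a = before.get(path), after.get(path)
        if b != a:
            changes[path] = (b, a)
    return changes


if __name__ == "__main__":
    # Assumed usage (constructed for this example):
    #   before starting the container:  check_originals.py save    /mnt/photos snap.json
    #   after it has been running:      check_originals.py compare /mnt/photos snap.json
    mode, root, state = sys.argv[1:4]
    if mode == "save":
        Path(state).write_text(json.dumps(snapshot_tree(root)))
    else:
        saved = {k: tuple(v) for k, v in json.loads(Path(state).read_text()).items()}
        changes = diff_snapshots(saved, snapshot_tree(root))
        for path, (b, a) in sorted(changes.items()):
            print(f"{path}: {b} -> {a}")
        sys.exit(1 if changes else 0)  # non-zero exit means originals were touched
```

A non-zero exit from `compare` is the signal that something in the container (or anything else with write access) changed ownership or permissions under originals.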
Separating Originals path from Storage and Imports path for CHOWN purposes. This will allow users with specific ownership on Originals to retain those owners while allowing the rest of the pathing to be owned by the UID/GID in the container.
Photoprism states that it does NOT modify the Originals directory. This is untrue. A power user who controls the permissions of the Originals directory should be able to exclude it from being owned by container UID/GID.
Acceptance Criteria: