Docker: Switch from gosu to setpriv in entrypoint.sh #2730
Conversation
Preserves supplementary groups if `PHOTOPRISM_GID` is set. Removes gosu installation as it is no longer needed.
Excellent, I didn't know about Since you seem to have a lot of experience with Unix privileges, feel free to check out the photoprism/scripts/dist/entrypoint.sh Lines 48 to 53 in 455028a

Awesome! In the meantime, I can just manually edit the entrypoint script and fallback to unaccelerated transcoding if it gets overwritten, no big deal. I admit the sudo setenv nopasswd entry caught my eye when looking at the Docker container. I haven't found any issues Side note: while trying to get acceleration to work, I found that the Bookworm image doesn't have

Yes, it seems so - but we are switching to Ubuntu Jammy anyway, since Debian Testing does not receive security updates. The main reason for using Bookworm was the newer versions of FFmpeg, RawTherapee and Darktable which fixed bugs. These are now also available on Ubuntu. I'll see if I can merge your PR today, since my authentication enhancements have been pushed. They'll take some time to get released anyway - more than 10,000 lines of code.
Description
This PR switches the su binary in entrypoint.sh from gosu to setpriv (included in Debian). This enables the following improvements:

- Preserves supplementary groups if `PHOTOPRISM_UID` and `PHOTOPRISM_GID` are set. Supplementary groups are required for hardware transcoding on many devices. (Videos: Improve hardware transcoding on Synology NAS devices #2228)
- … `photoprism` if `PHOTOPRISM_UID` is set. (This has no effect in typical use, as CapPrm and CapEff are cleared when changing to unprivileged user in Docker.)

`setpriv` has been available in the `util-linux` package since Debian 10.0 Buster and Ubuntu 20.04 Focal, so it is present in all supported Docker images. It is also listed as an alternative on the gosu README.

Examples

Before (gosu):

After (setpriv):

Acceptance Criteria
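The before/after commands the description refers to, as an added example that is not the PR's own entrypoint.sh. It contrasts the gosu invocation, which with an explicit `uid:gid` spec resets the supplementary group list to that single gid, with a setpriv invocation that rebuilds the target user's groups. The function names (`gosu_cmd`, `setpriv_cmd`, `drop_privs_and_exec`, `verify_privs`) and the default of `PHOTOPRISM_GID` to `PHOTOPRISM_UID` are this example's own assumptions. One caveat worth knowing: `--init-groups` calls initgroups(3), which takes a user name, so the uid must resolve to a passwd entry; the example falls back to `--clear-groups` otherwise, so the child never keeps root's groups.

```shell
#!/bin/sh
# Added example, not PhotoPrism's entrypoint.sh: build the privilege-drop
# command an entrypoint would exec, contrasting gosu with setpriv.
# Assumes numeric PHOTOPRISM_UID / PHOTOPRISM_GID values, as in the PR.

# Before: gosu. With an explicit "uid:gid" spec, gosu sets the supplementary
# group list to just that gid, so device groups such as video/render that the
# user has in /etc/group are lost (the hardware-transcoding problem).
gosu_cmd() {
  uid="$1"; gid="$2"
  echo "gosu ${uid}:${gid}"
}

# After: setpriv. --init-groups calls initgroups(3), which takes a user name,
# so it only works when the uid maps to a passwd entry. Otherwise fall back to
# --clear-groups so the child does not inherit root's supplementary groups.
setpriv_cmd() {
  uid="$1"; gid="$2"
  if id -un "$uid" >/dev/null 2>&1; then
    groups="--init-groups"
  else
    groups="--clear-groups"
  fi
  echo "setpriv --reuid=${uid} --regid=${gid} ${groups}"
}

# Entrypoint fragment: switch identity only when running as root and
# PHOTOPRISM_UID is set; otherwise exec the command unchanged.
# Defaulting the gid to the uid is an assumption of this example.
drop_privs_and_exec() {
  if [ "$(id -u)" = "0" ] && [ -n "${PHOTOPRISM_UID:-}" ]; then
    gid="${PHOTOPRISM_GID:-$PHOTOPRISM_UID}"
    # shellcheck disable=SC2046  # command string is built from numeric ids only
    exec $(setpriv_cmd "$PHOTOPRISM_UID" "$gid") "$@"
  fi
  exec "$@"
}

# Run inside the container after the switch to confirm what changed:
# the supplementary group list and the CapPrm/CapEff sets (expected empty).
verify_privs() {
  echo "identity: $(id)"
  grep -E '^Cap(Prm|Eff):' /proc/self/status
}
```

`verify_privs` is the check a reviewer would run after the switch: `id` should list the device groups from /etc/group, and CapPrm/CapEff should read all zeros, matching the note in the description that they are cleared on the change to an unprivileged user.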