Selfhosted docker unable to run as non-root user #302

@retrodaredevil

I am unable to run sourcebot as a non-root user. This is the error message I get when attempting to use a different user:

```
[Warning] AUTH_SECRET is not set.
[Info] Loading environment variables from /data/sourcebot/.authjs-secret
[Warning] AUTH_URL is not set.
[Info] Running database migration...
[Info] Running database migration...
Internal Error: EACCES: permission denied, open '/app/.yarn/install-state.gz'
Error: EACCES: permission denied, open '/app/.yarn/install-state.gz'
Internal Error: EACCES: permission denied, open '/app/.yarn/install-state.gz'
Error: EACCES: permission denied, open '/app/.yarn/install-state.gz'
sourcebot exited with code 0
```

It seems that everything in /app has root:root ownership, but it looks like non-root users should still be able to read the files in /app, so I'm not really sure what the problem is.

For reference:

```
/app # ls -la /app/.yarn/install-state.gz
-rw-r--r--    1 root     root       1331645 May 10 13:36 /app/.yarn/install-state.gz
```

Here's my overly complex docker compose file if anyone was curious:

```yaml
# Sourcebot
# config.json docs: https://docs.sourcebot.dev/self-hosting/more/declarative-config
services:
  sourcebot:
    container_name: sourcebot
    image: ghcr.io/sourcebot-dev/sourcebot:latest
    restart: unless-stopped
    # TODO raise an issue to allow running as non-root - some permission error occurs
    #user: 2414:2414
    user: 0:0
    networks:
      - caddy_net-sourcebot
      - default
#    ports:
#      - "3000:3000"
    env_file:
      - ../timezone.env
    environment:
      - CONFIG_PATH=/config/config.json
      - DATA_DIR=/data
      - DATA_CACHE_DIR=/data/sourcebot
      - SOURCEBOT_TELEMETRY_DISABLED=true
      - DATABASE_URL=postgresql://postgres@postgres/sourcebot
      - REDIS_URL=redis://redis:6379
    volumes:
      - "/opt/containers/sourcebot/data:/data"
      - "./config:/config:ro"
    healthcheck:
      test: ["CMD-SHELL", "curl -f http://localhost:3000/api/health || exit 1"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 10s
    depends_on:
      - postgres
      - redis
  postgres:
    image: postgres:17-alpine
    restart: unless-stopped
    user: 2414:2414
    env_file:
      - ../timezone.env
    environment:
      - POSTGRES_DB=sourcebot
      - POSTGRES_HOST_AUTH_METHOD=trust
    volumes:
      - "/opt/containers/sourcebot/db:/var/lib/postgresql/data"
  redis:
    image: redis:8.0-alpine
    restart: unless-stopped
    user: 2414:2414
    env_file:
      - ../timezone.env
    volumes:
      - "/opt/containers/sourcebot/redis:/data"
networks:
  caddy_net-sourcebot:
    name: caddy_net-sourcebot
    external: true
```
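
The listing in the issue shows `install-state.gz` as `-rw-r--r-- root:root`, so as far as mode bits go a uid such as 2414 gets EACCES from `open()` only if write access is requested or a parent directory lacks search permission. The sketch below is an added example, not part of the original issue or Sourcebot's code: it walks a path and reports the first component whose mode bits deny a given uid/gid. The function names `allowed` and `first_denied` are hypothetical, and supplementary groups, ACLs, read-only mounts and LSMs are ignored.

```shell
#!/bin/sh
# Added example (not Sourcebot code): explain an EACCES from mode bits alone.
# Assumptions: supplementary groups, ACLs, read-only mounts and LSMs are ignored.
# Usage inside the container, with the uid/gid from the compose file:
#   first_denied 2414 2414 /app/.yarn/install-state.gz w

# allowed UID GID PATH BIT: does the class that applies to UID/GID have BIT (r=4 w=2 x=1)?
allowed() {
    [ "$1" -eq 0 ] && return 0                   # root bypasses mode bits
    st=$(stat -c '%a %u %g' "$3") || return 1    # e.g. "644 0 0"
    mode=${st%% *}; rest=${st#* }; owner=${rest% *}; group=${rest#* }
    if   [ "$1" -eq "$owner" ]; then shift_by=6  # owner class
    elif [ "$2" -eq "$group" ]; then shift_by=3  # group class
    else shift_by=0; fi                          # other class
    [ $(( (0$mode >> $shift_by) & $4 )) -ne 0 ]
}

# first_denied UID GID PATH r|w [BASE]
# Walks BASE -> PATH (PATH must lie under BASE, default /). Prints the first
# component that denies access and returns 1, or returns 0 when the mode bits
# would allow the open.
first_denied() {
    uid=$1 gid=$2 target=$3 how=$4 base=${5:-/}
    case $how in r) want=4 ;; w) want=2 ;; *) return 2 ;; esac
    cur=${base%/}                                # "/" becomes ""
    allowed "$uid" "$gid" "${cur:-/}" 1 || { echo "search denied: ${cur:-/}"; return 1; }
    rel=${target#"$cur"/}
    old_ifs=$IFS; IFS=/; set -f; set -- $rel; set +f; IFS=$old_ifs
    while [ $# -gt 1 ]; do                       # every parent directory needs x (search)
        cur=$cur/$1; shift
        allowed "$uid" "$gid" "$cur" 1 || { echo "search denied: $cur"; return 1; }
    done
    allowed "$uid" "$gid" "$cur/$1" "$want" || { echo "$how denied: $cur/$1"; return 1; }
}
```

Running it once with `r` and once with `w` separates a read that the mode bits allow from a write they refuse, and a `search denied` line points at a parent directory rather than the file itself.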
