How do I run ryot rootless and as a read-only container? #1656

UtkarshVerma · 2026-01-02T09:16:14Z

UtkarshVerma
Jan 2, 2026

I tried giving ryot a shot today but couldn't get it to run for me as a normal user and read-only container. Here is my compose.yaml:

include:
  - ../compose.common.yaml
  - ../traefik/compose.yaml
  - ../vectorchord/compose.yaml

services:
  ryot:
    container_name: ryot
    image: ghcr.io/ignisda/ryot:v10.0.2

    user: $PUID:$PGID
    read_only: true
    security_opt:
      - no-new-privileges
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # Needed for Caddy.

    networks:
      - traefik
      - vectorchord
      # - internet

    environment:
      DISABLE_TELEMETRY: true
      FRONTEND_URL: https://ryot.$DOMAIN
      DATABASE_URL: postgres://$RYOT_DB_USER:$RYOT_DB_PASSWORD@vectorchord:5432/$RYOT_DB
      SERVER_ADMIN_ACCESS_TOKEN: $RYOT_ADMIN_ACCESS_TOKEN
      SERVER_OIDC_ISSUER_URL: https://pocket-id.$DOMAIN
      RUST_LOG: ryot=debug
      TZ: $TZ

    expose:
      - &port 8000

    labels:
      traefik.enable: true
      traefik.http.routers.ryot.rule: Host(`ryot.$DOMAIN`)
      traefik.http.services.ryot.loadbalancer.server.port: *port 

    # tmpfs:
    #  - /tmp:noexec

    # volumes:
    # - ./cache:/app/cache:rw
    # - ./state:/app/config:rw

    restart: unless-stopped

When I run this, I get the following:

ryot  | [backend] Error: Read-only file system (os error 30)
ryot  | [backend] BACKEND_PORT=5000 /usr/local/bin/backend exited with code 1
ryot  | --> Sending SIGTERM to other processes..
ryot  | [frontend] PORT=3000 npx react-router-serve ./build/server/index.js exited with code SIGTERM
ryot  | --> Sending SIGTERM to other processes..
ryot  | [proxy] caddy run --config /etc/caddy/Caddyfile exited with code SIGTERM
ryot exited with code 1 (restarting)

This was expected to some extent and it would be nice to know which directories ryot expects to write to so that I can mount externally backed-up directories inside.

I disabled the read-only flag, and even then I get permission denied:

ryot  | [backend] Error: Permission denied (os error 13)
ryot  | [backend] BACKEND_PORT=5000 /usr/local/bin/backend exited with code 1
ryot  | --> Sending SIGTERM to other processes..
ryot  | [proxy] caddy run --config /etc/caddy/Caddyfile exited with code SIGTERM
ryot  | --> Sending SIGTERM to other processes..
ryot  | [frontend] PORT=3000 npx react-router-serve ./build/server/index.js exited with code SIGTERM

Answered by UtkarshVerma

Jan 2, 2026

Thanks, I was able to modify my compose.yaml and now it works. All I had to do was add a tmpfs mount for /home/ryot/tmp and volume mounts for /.local and .config.

View full answer

IgnisDa · 2026-01-02T13:09:41Z

IgnisDa
Jan 2, 2026
Maintainer

Ryot also writes the finalized configuration to /home/ryot/tmp. So you should whitelist that directory.

3 replies

UtkarshVerma Jan 2, 2026
Author

Thanks, I was able to modify my compose.yaml and now it works. All I had to do was add a tmpfs mount for /home/ryot/tmp and volume mounts for /.local and .config.

Answer selected by UtkarshVerma

IgnisDa Jan 2, 2026
Maintainer

Thanks for the confirmation! Could you also post the final compose so that people can refer to it in the future?

UtkarshVerma Jan 2, 2026
Author

Sure, here it is:

include:
  - ../compose.common.yaml
  - ../traefik/compose.yaml
  - ../vectorchord/compose.yaml

services:
  ryot:
    container_name: ryot
    image: ghcr.io/ignisda/ryot:v10.0.2

    user: $PUID:$PGID
    read_only: true
    security_opt:
      - no-new-privileges
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # Needed for Caddy.

    networks:
      - traefik
      - vectorchord
      - internet  # For metadata.

    environment:
      DISABLE_TELEMETRY: true
      FRONTEND_URL: https://ryot.$DOMAIN
      DATABASE_URL: postgres://$RYOT_DB_USER:$RYOT_DB_PASSWORD@vectorchord:5432/$RYOT_DB
      SERVER_ADMIN_ACCESS_TOKEN: $RYOT_ADMIN_ACCESS_TOKEN
      USERS_DISABLE_LOCAL_AUTH: true

      SERVER_OIDC_ISSUER_URL: https://pocket-id.$DOMAIN
      SERVER_OIDC_CLIENT_ID: $RYOT_OIDC_CLIENT_ID
      SERVER_OIDC_CLIENT_SECRET: $RYOT_OIDC_CLIENT_SECRET
      FRONTEND_OIDC_BUTTON_LABEL: Login with Pocket ID

      TZ: $TZ

    expose:
      - &port 8000

    labels:
      traefik.enable: true
      traefik.http.routers.ryot.rule: Host(`ryot.$DOMAIN`)
      traefik.http.services.ryot.loadbalancer.server.port: *port 

      glance.name: &name Ryot
      glance.icon: auto-invert di:ryot
      glance.url: https://ryot.$DOMAIN
      glance.category: frontend/users
      glance.description: Media tracker

      wud.watch: true
      wud.display.name: *name 
      wud.display.icon: di:ryot
      wud.tag.include: ^\d+\.\d+\.\d+$$
      wud.link.template: https://github.com/ignisda/ryot/releases/tag/v$${major}.$${minor}.$${patch}

    tmpfs:
      - /home/ryot/tmp:noexec,uid=$PUID,gid=$PGID

    volumes:
      - ./state/config:/.config:rw
      - ./state/local:/.local:rw

    restart: unless-stopped

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How do I run ryot rootless and as a read-only container? #1656

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 3 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

How do I run ryot rootless and as a read-only container? #1656

Uh oh!

UtkarshVerma Jan 2, 2026

Replies: 1 comment · 3 replies

Uh oh!

Uh oh!

IgnisDa Jan 2, 2026 Maintainer

Uh oh!

UtkarshVerma Jan 2, 2026 Author

Uh oh!

IgnisDa Jan 2, 2026 Maintainer

Uh oh!

UtkarshVerma Jan 2, 2026 Author

UtkarshVerma
Jan 2, 2026

Replies: 1 comment 3 replies

IgnisDa
Jan 2, 2026
Maintainer

UtkarshVerma Jan 2, 2026
Author

IgnisDa Jan 2, 2026
Maintainer

UtkarshVerma Jan 2, 2026
Author