Synology/ACL Non-root-user support for external (read-only) libraries

[VegetableElk]

Hi!

(wow, just found and spun up Immich, what an amazing project moving at breakneck speed!)

TLDR; propose adding “VOLUME /usr/src/app/external” to server/Dockerfile

I found I was unable to run the Immich containers as not-root with an external read only library. This is because the path /usr/src/app/external is not specified as a VOLUME in the server DockerFile. When docker mounts an (unspecified) volume it binds it as owned by root with permissions 000, this makes it unreadable by not-root and because it is read-only it is not possible to even change this with a docker exec -u 0 command.

thanks in advance for any thoughts on this.

[aisbergde]

https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user

[aisbergde]

and grant explicit access to the user

[VegetableElk]

aisbergde, thanks!

I found and followed the faq initially to get set up, the non-root section was written over two years ago and before external library support was added (blame FAQ.md) There is a valid use case of mounting external libraries as read-only, this was not considered in the faq then.

When a volume is ro mounted with an undeclared bind it is impossible even as root to change the 000 permissions of the mount-point so the mount is inaccessible to a non-root user. Also, even with a rw mount-point, there isn’t any way to in a docker-compose.yml file of opening up the permissions. If a VOLUME is specified in the DockerFile then the mountpoint will carry the DockerFile’s permissions — the existing VOLUME /usr/src/app/upload has permissions 755 as opposed to the DockerFile unspecified mount /usr/arc/app/external which Docker creates with permissions 0.

[aisbergde]

I just can say, that my immich runs in docker on a Synology NAS as non root user, but as a dedicated user, and (only) my external libraries are mounted read only and it works. But I needed to grant explicit access for this user to used folders.

[VegetableElk]

aisbergde — Thanks!

My question was about mounting a Synology /volumeX/photo to /usr/src/app/external with a user I created and gave read-only permissions to through the DSM user management.

Even though I had given permissions — and made the user the owner of /volumeX/photo — when mounted ls -l /usr/src/app/ | grep external showed as d root root (and so was unreadable — this was the initial issue I was trying to solve with the incorrect suggestion above).

I ‘fixed’ it by mounting rw, chmod ugo+rwx external, and then restarting ro. This allowed a non-root user to access the read only mount of /volume/photo — but the host Synology /volume/photo has lost its ACL ‘+’ tag which is not really a solution…

[VegetableElk]

Ok! this thread now has a solution, thanks aisbergde for the encouragement. It was a permissions issue, so long as the mount is readable on the host by the non-root user it will work.

Below notes for anyone else following up on this:

The issue was that Synology NAS use enhanced permissions with access control lists (ACL). For reasons unknown the link between the web DSM controls to set permissions and the actual permissions were broken (possibly to do with a migration of a disk between systems) — this mean the non-root user (immich) was set to deny for /volumeX/photo and so could not access the mount even if given permissions in the DSM control panel (or with chmod unix permissions).

Removing Synology Photos, deleting /volumeX/photo in DSM and recreating with a clean install of Synology Photos fixed the unlinked ACL permissions issue (removing ACL and re-adding didn’t). Permissions can be checked using the synology console command: synoacltool (note the + in the ‘unix permissions’ which indicates that ACL are being used)

e.g.

$ ls -l /volumeX | grep photo
drwxrwxrwx+ 22 root     root    4096 Jan  4 00:00 photo
$
$ synoacltool -get /volumeX/photo/
ACL version: 1
Archive: has_ACL,is_support_ACL
Owner: [root(user)]
---------------------
         [0] group:administrators:allow:rwxpdDaARWc--:fd-- (level:0)
         [1] user:immich:allow:r-x---a-R-c--:fd-- (level:0)