[FEAT] Obsidian CLI Support

[daichi-629]

Is this a new feature request?

• I have searched the existing issues

Wanted change

• I want to use Obsidian CLI to connect to the running instance inside the container (e.g., docker exec <container name> obsidian help)

Reason for change

Environment

Started with this compose.yml:

services:
  obsidian:
    image: lscr.io/linuxserver/obsidian:latest
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Tokyo
      - LC_ALL=ja_JP.UTF-8
    volumes:
      - ./config:/config
    ports:
      - 127.0.0.1:3030:3000
      - 127.0.0.1:3032:3031
    shm_size: "2gb"
    restart: unless-stopped

What I tried

1. Run CLI via docker exec -> it crashed with SUID sandbox error:

[1492:0302/224047.796385:FATAL:sandbox/linux/suid/client/setuid_sandbox_host.cc:166] The SUID sandbox helper binary was found, but is not configured correctly. Rather than run without sandboxing I'm aborting now. You need to make sure that /opt/obsidian/chrome-sandbox is owned by root and has mode 4755.
Trace/breakpoint trap (core dumped)

2. Attempted fixes:

• entrypoint in compose.yml to run chown/chmod -> no effect (permissions reverted during init)
• Mounting /etc/cont-init.d script -> no effect (permissions reverted during init)

3. Added an s6-overlay oneshot that runs after init-obsidian-config and restores permissions:

Mounted paths:

./s6-overlay/s6-rc.d/fix-chrome-sandbox:/etc/s6-overlay/s6-rc.d/fix-chrome-sandbox:ro
./s6-overlay/s6-rc.d/user/contents.d/fix-chrome-sandbox:/etc/s6-overlay/s6-rc.d/user/contents.d/fix-chrome-sandbox:ro

Files and contents:

s6-overlay/s6-rc.d/fix-chrome-sandbox/type
oneshot

s6-overlay/s6-rc.d/fix-chrome-sandbox/up
/etc/s6-overlay/s6-rc.d/fix-chrome-sandbox/run

s6-overlay/s6-rc.d/fix-chrome-sandbox/dependencies.d/init-obsidian-config

s6-overlay/s6-rc.d/user/contents.d/fix-chrome-sandbox

s6-overlay/s6-rc.d/fix-chrome-sandbox/run
#!/usr/bin/with-contenv bash
set -euo pipefail

# Ensure Electron SUID sandbox has correct ownership/permissions.
if [ -e /opt/obsidian/chrome-sandbox ]; then
  chown root:root /opt/obsidian/chrome-sandbox
  chmod 4755 /opt/obsidian/chrome-sandbox
fi

This removed the first error, but I then got another crash:

Failed to move to new namespace: PID namespaces supported, Network namespace supported, but failed: errno = Operation not permitted
[4749:0303/191307.985248:FATAL:content/browser/zygote_host/zygote_host_impl_linux.cc:207] Check failed: . : Invalid argument (22)
Trace/breakpoint trap (core dumped)

4. Adding the following to compose.yml fixed it:

    security_opt:
      - seccomp=unconfined

Proposed code change

• The current behavior resets /opt/obsidian ownership to abc:abc during init, which also resets chrome-sandbox and breaks the CLI.
• Please change the image so that chrome-sandbox remains root:root 4755 after startup.
  • Option A: exclude chrome-sandbox from the recursive lsiown -R abc:abc /opt/obsidian.
  • Option B: add a built-in s6 oneshot (after init-obsidian-config) that restores root:root 4755 on /opt/obsidian/chrome-sandbox.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[prrtzt]

Running into the same issue. Would be great to be able to use the CLI that way.