Docker container won't start if the daemon doesn't have root permissions on /app/data

[kaysond]

⚠️ Please verify that this bug has NOT been raised before.

• I checked and didn't find similar issue

🛡️ Security Policy

• I agree to have read this project Security Policy

Description

uptime-kuma/extra/entrypoint.sh

Lines 8 to 13 in cf10e26

	files_ownership () {
	# -h Changes the ownership of an encountered symbolic link and not that of the file or directory pointed to by the symbolic link.
	# -R Recursively descends the specified directories
	# -c Like verbose but report only when a change is made
	chown -hRc "$PUID":"$PGID" /app/data
	}

The entrypoint assumes you have root access to the filesystem before dropping privileges, which may not be the case if you're running rootless docker or using nfs. This command fails, and since the entrypoint has set -e, the container exits.

This is an easy one-liner fix. You could do something like (LL16) files_ownership || echo "Warning: could not set permissions on /app/data" >&2

👟 Reproduction steps

Start uptime-kuma container with /app/data pointing to something where root does not have access (two easy ways as mentioned above are nfs since it squashes root by default, or rootless docker daemon)

👀 Expected behavior

Container starts

😓 Actual Behavior

Container doesn't start

🐻 Uptime-Kuma Version

1.17.1

💻 Operating System and Arch

Debian

🌐 Browser

N/A

🐋 Docker Version

No response

🟩 NodeJS Version

No response

📝 Relevant log output

No response

[louislam]

Is it related pr?
#1286

[louislam]

Btw NFS is not supported anyway due to SQLite.

For your information, back in the day while I created the Uptime Kuma's dockerfile and the first docker image, I followed a bad dockerize tutorial for Node.js which do not follow best practice. One day, someone taught me that the dockerfile should run in USER node instead of root. However, it is too late to add, as it would affect existing users. So they created entrypoint.sh to partially solve the issue.

In the future non-backward compatibility version (probably 2.0), I will try to make the image true rootless without entrypoint.sh.

[kaysond]

Is it related pr? #1286

Yeah looks like this is a dupe of #694 so I'll close this

Btw NFS is not supported anyway due to SQLite.

That's not exactly true... You can theoretically use SQLite over NFS. The issue is with file locking which is implementation-dependent. If you have a single process accessing a single server, it shouldn't be a huge issue. Even with more complex cases, nfs4 supports locking and from what I can tell (there's not a lot of great info online), it is compatible with sqlite. I've been running sqlite over nfs for a long time now without any issues!

In the future non-backward compatibility version (probably 2.0), I will try to make the image true rootless without entrypoint.sh.

Awesome! Let me know if you want any help with that