diff --git a/CHANGELOG.md b/CHANGELOG.md
index fab04b7d..c447c96b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -18,6 +18,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- JSON Schema added to the config template YAML file.
- `names` list under `custom_formats` in config YAML is now deprecated. Use `trash_ids` to list your
custom formats instead.
+- Docker: The image is now rootless. The `PUID` and `PGID` environment variables are no longer used.
+ See the [Docker] wiki page for more details.
### Fixed
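Review bot: The new entry says `PUID` and `PGID` are "no longer used", but entrypoint.sh in this same patch exits with status 1 when either variable is set, so existing deployments that still pass them will stop starting after the upgrade. State that in the entry and flag it as a breaking change. Also confirm that the `[Docker]` reference-style link has a definition elsewhere in the file, since this hunk does not add one.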
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 3fc0812b..31ff121d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -22,18 +22,16 @@ ENV RECYCLARR_APP_DATA=/config \
# as needed.
CRON_SCHEDULE="@daily" \
# The GLOBALIZATION variable is so that we do not need libicu installed (saves us ~40MB).
- DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true \
- # User can specify their own UID/GID for the 'recyclarr' user if they want
- PUID=1000 \
- PGID=1000
-
-VOLUME /config
+ DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=true
RUN set -e; \
- apk add --no-cache busybox-suid su-exec libstdc++ tzdata; \
+ apk add --no-cache libstdc++ tzdata; \
mkdir -p "$DOTNET_BUNDLE_EXTRACT_BASE_DIR" && chmod 777 "$DOTNET_BUNDLE_EXTRACT_BASE_DIR"
-COPY --chmod=755 --from=build /build/recyclarr /usr/local/bin
-COPY --chmod=755 ./scripts/prod/*.sh /
+COPY --chmod=555 --from=build /build/recyclarr /usr/local/bin
+COPY --chmod=555 ./scripts/prod/*.sh /
+
+USER 1000:1000
+VOLUME /config
ENTRYPOINT ["/entrypoint.sh"]
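Review bot: Nothing in this hunk creates `/config` with 1000:1000 ownership before `USER 1000:1000` and `VOLUME /config`, and the `chown "$userspec" "$RECYCLARR_APP_DATA"` that used to run at startup is removed from entrypoint.sh. A volume directory that Docker creates for a path missing from the image is root-owned, so the unprivileged process may be unable to write to it. Consider adding `mkdir -p /config && chown 1000:1000 /config` to the `RUN` step, which still executes as root because it precedes `USER`. Separately, `chmod 777` on `$DOTNET_BUNDLE_EXTRACT_BASE_DIR` could be narrowed to ownership by 1000:1000 now that the runtime user is fixed at build time, unless arbitrary `--user` values must keep working.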
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 70d01bd8..730d2c64 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -8,6 +8,7 @@ networks:
services:
recyclarr:
image: ghcr.io/recyclarr/recyclarr
+ user: 1000:1000
build:
context: .
args:
diff --git a/docker/scripts/prod/entrypoint.sh b/docker/scripts/prod/entrypoint.sh
index 88f38a1b..e65bb11b 100644
--- a/docker/scripts/prod/entrypoint.sh
+++ b/docker/scripts/prod/entrypoint.sh
@@ -1,12 +1,14 @@
#!/bin/sh
set -e
-userspec="$PUID:$PGID"
-
-chown "$userspec" "$RECYCLARR_APP_DATA"
+if [[ ! -z ${PUID+x} ]]; then
+ echo 'PUID is no longer supported. Use `--user` instead.'
+ exit 1
+fi
-if [ ! -f "$RECYCLARR_APP_DATA/recyclarr.yml" ]; then
- su-exec "$userspec" recyclarr create-config
+if [[ ! -z ${PGID+x} ]]; then
+ echo 'PGID is no longer supported. Use `--user` instead.'
+ exit 1
fi
# If the script has any arguments, invoke the CLI instead. This allows the image to be used as a CLI
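Review bot: The two new checks use `[[ ... ]]` under a `#!/bin/sh` shebang; `[[` is not POSIX, and the rest of the script uses `[ ... ]`. `[ -n "${PUID+x}" ]` performs the same "is set" test portably. The two error messages should go to stderr (`>&2`) so they are not mixed with normal output before `exit 1`. With the automatic `create-config` call removed, a first run in cron mode proceeds without `recyclarr.yml`; a short check that prints the same guidance as the new wiki NOTE would make that failure easier to diagnose.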
@@ -17,10 +19,10 @@ fi
# ```
#
if [ "$#" -gt 0 ]; then
- su-exec "$userspec" recyclarr "$@"
+ recyclarr "$@"
else
echo "Creating crontab file..."
- echo "$CRON_SCHEDULE su-exec \"$userspec\" /cron.sh" | crontab -
+ echo "$CRON_SCHEDULE /cron.sh" | crontab -
crontab -l
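Review bot: `crontab -` and `crontab -l` at the end of this hunk now run as the unprivileged container user, while the Dockerfile change in this patch drops `busybox-suid` from the `apk add` line. Verify that installing the crontab and running the cron daemon still succeed as UID 1000, and also with a `--user` value that has no passwd entry in the image, since the wiki now tells users they can pick any UID:GID. If either case fails, the cron mode needs a scheduler that works without root or setuid.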
diff --git a/wiki/Docker.md b/wiki/Docker.md
index e848b66a..05584a28 100644
--- a/wiki/Docker.md
+++ b/wiki/Docker.md
@@ -25,13 +25,12 @@ services:
image: ghcr.io/recyclarr/recyclarr
container_name: recyclarr
init: true
+ user: 1000:1000
networks: [recyclarr]
volumes:
- ./config:/config
environment:
- TZ=America/Santiago
- - PUID=$DOCKER_UID
- - PGID=$DOCKER_GID
```
Here is a breakdown of the above YAML:
@@ -52,7 +51,10 @@ Here is a breakdown of the above YAML:
run `docker compose down` or `docker compose stop`. Internally, this runs Recyclarr using
[tini](https://github.com/krallin/tini). Please visit that repo to understand the benefits in
detail, if you're interested.
-- Stuff under `environment` is documented in the Environment section below.
+- `user`
+ Optional User and Group ID you want to run the container as. Recyclarr will run using this UID:GID
+ and any files it creates in your `/config` volume will also be owned by this user and group. The
+ default for this, if not specified, is `1000:1000`.
## Tags
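Review bot: The new `user` bullet says files created in `/config` will be owned by the chosen UID:GID, but it does not say that the mounted directory must already be writable by that user. The entrypoint no longer runs `chown` on the app data directory, and the example above bind-mounts `./config:/config`, so a host directory owned by a different user will produce write errors. Add a sentence telling users to create the host directory with matching ownership before the first run.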
@@ -92,21 +94,12 @@ value *stability* the most, you want the bottom row. If you value being on *the
- `TZ` (Default: `UTC`)
The time zone you want to use for Recyclarr's local time in the container.
-- `PUID` (Default: `1000`)
- The UID for the internal non-root user in the container. Match this to a UID on your host system
- if you're using a directory-mounted volume for `/config`.
-
-- `PGID` (Default: `1000`)
- The GID for the internal non-root user's group in the container. Match this to a GID on your host
- system if you're using a directory-mounted volume for `/config`.
-
## Modes
The docker container can operate in one of two different ways, which are documented below.
-**TIP:** The first time you run Recyclarr in docker, it will automatically run the `create-config`
-subcommand to create your `recyclarr.yml` file in the `/config` directory (in the container) if that
-file does not exist yet.
+**NOTE:** `recyclarr.yml` does not exist the first time you run the container. You will get an error
+until you either copy it manually into the volume or run `recyclarr create-config` manually.
### Manual Mode
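Review bot: This hunk deletes the `PUID` and `PGID` documentation without leaving a migration note, although entrypoint.sh now refuses to start when either is set. Keep a short line here that says to remove both variables and set `user` (or `--user`) to the same values instead. The new NOTE would also be more useful if it showed how to run `create-config` through `docker run --rm` with the same user, since the page discourages `docker exec`.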
@@ -144,9 +137,10 @@ I will not support any usage of `docker exec`, for now. It's far too error prone
mixed file permissions in Recyclarr's app data directory (the `/config` volume). Please use `docker
run --rm` instead (documented in the previous section).
-When you run `docker exec` without the `--user` option, commands are executed as the internal root
-user. If you absolutely insist on using this command, ensure you specify a user & group that matches
-the `PUID` & `PGID` environment variables.
+When you run `docker exec` without the `--user` option, commands are executed as the default
+internal user, which is `1000:1000`. If you absolutely insist on using this command, ensure you
+specify the `--user` option using the same UID:GID that you use in `docker run` and that matches
+your volume's file ownership.
### Cron Mode
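Review bot: The reworded paragraph states that `docker exec` without `--user` runs as "the default internal user, which is `1000:1000`". That holds only when the container was started without a user override; `docker exec` defaults to the user the container is running as, so a container started with `user: 1500:1500` executes commands as 1500:1500. Reword to "the user the container was started with (`1000:1000` unless overridden)" so the advice stays consistent with the new `user` option.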
@@ -169,3 +163,13 @@ docker compose up -d
```
This runs it without any subcommand or options, which will result in this mode being used.
+
+## Permission Issues
+
+The `/config` volume is very sensitive to user changes in the container. For example, if you first
+run the container using `user: 1000:1000` and then run a second time using `user: 1500:1500`, you
+are likely to get errors. This is because files that Recyclarr creates are owned by the user & group
+you specify. Not all files can be used by multiple users.
+
+If you change your user and/or group IDs, it is your responsibility to update the permissions of
+files in the `/config` volume so that they match.
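Review bot: The new section speaks of updating "permissions", but the problem it describes in the first paragraph is file ownership; say "ownership" so readers reach for `chown` rather than `chmod`. It should also cover the upgrade case this patch creates: volumes populated under the old image are owned by whatever `PUID`:`PGID` was configured, so users who had non-default values must either set `user` to those same IDs or change ownership of the existing files.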