Docker image user

ahknight · November 27, 2017, 9:01pm

It looks like everything runs as root in the docker image by default. As a result, all of my recordings are owned by root. The linuxserver folks have docker images that let you specify PUID and PGID to have the containers create and use a user with those attributes internally so that files created/used by them in shared volumes will have the right ownership. Could something like that be adapted to channels-dvr?

Sadly, it’s not as simple as using the “–user” argument to Docker as that prevents the hardware transcoding feature from working as the device link is now inaccessible. It would need to create the user in the container, add that user to video, then start the app after switching to that user (via “USER username” in the Dockerfile).

tmm1 · November 27, 2017, 9:10pm

Ugh what a pain. Honestly, I regret making a docker container. You’d be much better off just using the Linux installer.

Anyway, one thing I could do is to fix the umask in the container. So even though everything is owned by root, atleast it will set permissions to allow other users to read/write the files.

Ideally we could support --user. Maybe there’s some way to convince docker to add that user to the dri device automatically?

ahknight · November 27, 2017, 9:16pm

The umask idea could work (umask 0?) as a temporary fix, but the files would still technically be owned by root and require cleanup eventually.

The problem with “–user” is that the user given will generally not have permission to run adduser/addgroup to make that change, or to chown the video devices to something usable. Only root can, so the container has to start as root and manage the users afterwards. Again, linuxserver.io has a base image that does all this for you, too. It’s also using Alpine.

Well, one thing you could do is post the Dockerfile and that part of the project to Github (since it downloads all the binaries it needs, the core of it should be open, no?). I can muck around with it and send you a PR that fixes it.

tmm1 · November 27, 2017, 9:26pm

The Dockerfile is very simple, and I would like to keep it that way. But I guess if we can export the current user’s id/gid into the container when it’s created, and use those to setup the same user inside automatically, then that’s not a bad solution.

gist.github.com

https://gist.github.com/tmm1/4aabe84ce8ee576d4c17a757f111394b

Dockerfile

FROM alpine:latest
RUN apk add --update curl && rm -rf /var/cache/apk/*
RUN mkdir -p /channels-dvr/data /data
COPY run.sh run.sh
VOLUME ["/channels-dvr", "/shares"]
CMD ./run.sh

run.sh

#!/bin/sh
set -e
if [ ! -x /channels-dvr/latest/channels-dvr ]; then
  echo Installing Channels DVR..
  curl -f -s https://getchannels.com/dvr/setup.sh | DOWNLOAD_ONLY=1 sh
fi
cd /channels-dvr/data
echo Running Channels DVR..
exec ../latest/channels-dvr >> channels-dvr.log 2>&1

tmm1 · November 28, 2017, 5:15pm

Can you link the Dockerfile you were referring to?

ahknight · November 28, 2017, 5:58pm

github.com

linuxserver/docker-baseimage-alpine/blob/master/Dockerfile

FROM scratch
ADD rootfs.tar.xz /

MAINTAINER sparklyballs

# set version for s6 overlay
ARG OVERLAY_VERSION="v1.21.7.0"
ARG OVERLAY_ARCH="amd64"

# environment variables
ENV PS1="$(whoami)@$(hostname):$(pwd)$ " \
HOME="/root" \
TERM="xterm"

RUN \
 echo "**** install build packages ****" && \
  apk add --no-cache --virtual=build-dependencies \
	curl \
	tar && \
 echo "**** install runtime packages ****" && \

This file has been truncated. show original

I was planning on poking around with it tonight. They have some other useful base images as well.

cardoe · December 4, 2017, 2:12am

So the simplest solution would probably be to modify your run.sh with some extra steps. I’ll link a script that the Yocto Project has used to drop root permissions to the same uid/gid combo as volume ownership of what’s passed in and then explain it.

github.com

cardoe/docker-yocto/blob/master/create-user.sh

#!/bin/bash

homedir=/var/build

# figure out the uid/gid we need to use by integrating the path that has
# been bind mounted in. this is then used for the builduser.
# the fallback is 580/580 which happily mapped properly under Docker
# for Mac back to my real uid/gid.
BUILD_UID=$(stat --printf=%u ${homedir} 2> /dev/null)
BUILD_GID=$(stat --printf=%g ${homedir} 2> /dev/null)
BUILD_UID=${BUILD_UID:-580}
BUILD_GID=${BUILD_GID:-580}
BUILD_UID=${BUILD_UID/#0/580}
BUILD_GID=${BUILD_GID/#0/580}

# create a group
groupadd --gid ${BUILD_GID} --non-unique buildgroup

# create a non-root user
useradd --no-create-home --home-dir ${homedir} -s /bin/bash \

This file has been truncated. show original

The trick is to take your VOLUME and run stat on it to get the UID (%u) and GID (%g) and then create a user and switch to that user. Given how your container works I’d probably wire this up to the /shares directory.

cardoe · December 4, 2017, 2:14am

You can ignore the 4 BUILD_UID and BUILD_GID lines after the stat call. Those are just there to massage things due to the way that Docker for Mac, Docker for Windows and docker-machine operate on non-Linux platforms. Since this container requires --net host neither of those 3 will work.

tmm1 · December 4, 2017, 5:00am

Clever.

jonfinley · February 14, 2020, 11:51pm

Not to open this topic again, is it possible that this could be fixed?

timstephens24 · June 27, 2020, 12:33pm

I just made a docker for this, you can try it out if you want. It’s located at https://hub.docker.com/repository/docker/timstephens24/channels-dvr or if you want the code it’s on github at https://github.com/timstephens24/channels-dvr_docker.

JMcGuire · June 28, 2020, 7:09am

Thank you, I'm moving to Truenas Scale once it is stable and this something I hadn't considered but I'm glad to see someone has made an easy fix.