Docker: Specify explicitly supported user and group ID ranges #2336

Michael Mayer 2022-05-20 12:29:03 +02:00
parent 01df82e933
commit a96c1958f4
7 changed files with 10 additions and 14 deletions


@ -31,6 +31,7 @@ services:
- "traefik.http.routers.photoprism.tls.domains[0].sans=*.localssl.dev"
- "traefik.http.routers.photoprism.tls=true"
environment:
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
PHOTOPRISM_UID: ${UID:-1000} # user id, should match your host user id
PHOTOPRISM_GID: ${GID:-1000} # group id
PHOTOPRISM_ADMIN_PASSWORD: "photoprism" # initial "admin" password (minimum 8 characters)
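Review bot: The comment added above `PHOTOPRISM_UID: ${UID:-1000}` lists the supported IDs but does not say what happens when the substituted value falls outside them. This file takes the ID from the host environment, so a host account outside 33, 50-99, 500-600 or 900-1200 reaches that case without anyone typing a number. If the entrypoint then keeps the process running as root (not visible in this hunk), the comment should say so, for example `## ... (other IDs are not applied and the container keeps running as root)`; otherwise it should state the actual fallback. The `environment:` block continues outside the hunk.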


@ -94,12 +94,10 @@ services:
## Hardware Video Transcoding (for sponsors only due to high maintenance and support costs):
# PHOTOPRISM_FFMPEG_ENCODER: "raspberry" # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry")
# PHOTOPRISM_FFMPEG_BITRATE: "32" # FFmpeg encoding bitrate limit in Mbit/s (default: 50)
## Run as a specific user, group, or with a custom umask (does not work together with "user:")
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# PHOTOPRISM_UID: 1000
# PHOTOPRISM_GID: 1000
# PHOTOPRISM_UMASK: 0000
## Start as a non-root user (see https://docs.docker.com/engine/reference/run/#user)
# user: "1000:1000"
## Share hardware devices with FFmpeg and TensorFlow (optional):
# devices:
# - "/dev/video11:/dev/video11" # Raspberry V4L2
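Review bot: The `# PHOTOPRISM_UMASK: 0000` example now sits under a heading that only talks about switching users, because the replaced comment was the one that mentioned the custom umask. A umask of 0000 also leaves every file the container creates world-writable, which deserves a word next to a sample that people uncomment as-is. I would give the line its own comment, e.g. `## Custom umask for created files (0000 is world-writable, use "0002" or "0022" to restrict):`, and quote the value so a YAML 1.1 parser does not read it as octal. The same applies to the identical replacement in the four compose sections that follow; the `environment:` block starts outside this hunk.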


@ -86,12 +86,10 @@ services:
PHOTOPRISM_SITE_AUTHOR: "" # meta site author
## Run/install on first startup (options: update, gpu, tensorflow, davfs, clean):
# PHOTOPRISM_INIT: "update clean"
## Run as a specific user, group, or with a custom umask (does not work together with "user:")
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# PHOTOPRISM_UID: 1000
# PHOTOPRISM_GID: 1000
# PHOTOPRISM_UMASK: 0000
## Start as a non-root user (see https://docs.docker.com/engine/reference/run/#user)
# user: "1000:1000"
## Share hardware devices with FFmpeg and TensorFlow (optional):
# devices:
# - "/dev/video11:/dev/video11" # Video4Linux (h264_v4l2m2m)


@ -85,11 +85,11 @@ services:
## Hardware Video Transcoding (for sponsors only due to high maintenance and support costs):
# PHOTOPRISM_FFMPEG_ENCODER: "software" # FFmpeg encoder ("software", "intel", "nvidia", "apple", "raspberry")
# PHOTOPRISM_FFMPEG_BITRATE: "32" # FFmpeg encoding bitrate limit in Mbit/s (default: 50)
## Run as a specific user, group, or with a custom umask (does not work together with "user:")
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# PHOTOPRISM_UID: 1000
# PHOTOPRISM_GID: 1000
# PHOTOPRISM_UMASK: 0000
## Start as a non-root user (see https://docs.docker.com/engine/reference/run/#user)
## Start as a non-root user before initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# user: "1000:1000"
## Share hardware devices with FFmpeg and TensorFlow (optional):
# devices:
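Review bot: The warning that `PHOTOPRISM_UID`/`PHOTOPRISM_GID` do not work together with `user:` has disappeared from the comments, while this file still offers both options a few lines apart. Someone who uncomments both gets a container that already starts without root and then cannot perform a switch that needs it, if the old restriction still holds (the entrypoint is not visible here). I would keep the caveat in the new wording, e.g. `## Switch to a non-root user after initialization, do not combine with "user:" (supported IDs are 33, 50-99, 500-600, and 900-1200):`. The service definition continues outside this hunk.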


@ -84,12 +84,10 @@ services:
PHOTOPRISM_SITE_AUTHOR: "" # meta site author
## Run/install on first startup (options: update, gpu, tensorflow, davfs, clitools, clean):
# PHOTOPRISM_INIT: "gpu tensorflow"
## Run as a specific user, group, or with a custom umask (does not work together with "user:")
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# PHOTOPRISM_UID: 1000
# PHOTOPRISM_GID: 1000
# PHOTOPRISM_UMASK: 0000
## Start as a non-root user (see https://docs.docker.com/engine/reference/run/#user)
# user: "1000:1000"
working_dir: "/photoprism" # do not change or remove
## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory
volumes:


@ -77,12 +77,10 @@ services:
PHOTOPRISM_SITE_AUTHOR: "" # meta site author
## Run/install on first startup (options: update, gpu, tensorflow, davfs, clitools, clean):
# PHOTOPRISM_INIT: "gpu tensorflow"
## Run as a specific user, group, or with a custom umask (does not work together with "user:")
## Switch to a non-root user after initialization (supported IDs are 33, 50-99, 500-600, and 900-1200):
# PHOTOPRISM_UID: 1000
# PHOTOPRISM_GID: 1000
# PHOTOPRISM_UMASK: 0000
## Start as a non-root user (see https://docs.docker.com/engine/reference/run/#user)
# user: "1000:1000"
working_dir: "/photoprism" # do not change or remove
## Storage Folders: "~" is a shortcut for your home directory, "." for the current directory
volumes:


@ -32,6 +32,9 @@ groupdel -f 1000 >/dev/null 2>&1
groupadd -f -g 1000 photoprism 1>&2
echo "✅ added group photoprism (1000)"
# add existing www-data user to groups
usermod -a -G photoprism,video,davfs2,renderd,render,videodriver www-data
# create user 'videodriver'
userdel -r -f videodriver >/dev/null 2>&1
useradd -u 937 -r -N -g 937 -G photoprism,www-data,video,davfs2,renderd,render -s /bin/bash -m -d "/home/videodriver" videodriver