immich-app/immich
1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2026-02-05 00:30:57 +03:00
Code Issues 11 Packages Projects Releases 10 Wiki Activity

[BUG] Running as non-root issue #1167

New Issue
Closed
opened 2026-02-05 00:42:22 +03:00 by OVERLORD · 8 comments
OVERLORD commented 2026-02-05 00:42:22 +03:00
Owner
Copy Link

Originally created by @gauth-fr on GitHub (Jul 29, 2023).

The bug

I'm tring to test the new panoramic feature.
I took a panoramic picture and back it up.

In the web UI, it displays as a "broken image" and will display, when click, the same "broken image"

image
image

The OS that Immich Server is running on

Docker on Synology

Version of Immich Server

v1.71.0

Version of Immich Mobile App

v1.70.0 build 93

Platform with the issue

  • Server
  • Web
  • Mobile

Your docker-compose.yml content

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: ${IMMICH_PUID}:${IMMICH_PGID}
    command: [ "start.sh", "immich" ]
    ports:
      - 3001:3001
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /volume1/photo:/photo:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: ${IMMICH_PUID}:${IMMICH_PGID}
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /volume1/photo:/photo:ro
    env_file:
      - .env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    volumes:
      - $CONFIGFOLDER/immich/data/model-cache:/cache
    env_file:
      - .env
    restart: always

  immich-web:
    container_name: immich_web
    image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release}
    ports:
      - 3000:3000
    env_file:
      - .env
    restart: always

  typesense:
    container_name: immich_typesense
    image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd
    environment:
      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
      - TYPESENSE_DATA_DIR=/data
    logging:
      driver: none
    volumes:
      - $CONFIGFOLDER/immich/data/typesense:/data
    restart: always

  redis:
    container_name: immich_redis
    image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
    restart: always

  database:
    container_name: immich_postgres
    image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441
    env_file:
      - .env
    ports:
      - 55432:5432
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PG_DATA: /var/lib/postgresql/data
    volumes:
      - $CONFIGFOLDER/immich/data/pgdata:/var/lib/postgresql/data
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release}
    environment:
      # Make sure these values get passed through from the env file
      - IMMICH_SERVER_URL
      - IMMICH_WEB_URL
    ports:
      - 2283:8080
    depends_on:
      - immich-server
      - immich-web
    restart: always

Your .env content

##
## IMMICH
##
IMMICH_PUID=1042
IMMICH_PGID=100

DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_PASSWORD=password
DB_DATABASE_NAME=immich

LOG_LEVEL=debug

REDIS_HOSTNAME=immich_redis

REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJyZWRpcy1zZW50aW5lbDEiLCJwb3J0IjoyNjM3OX0seyJob3N0IjoicmVkaXMtc2VudGluZWwyIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6Im15bWFzdGVyIn0=

UPLOAD_LOCATION=/volume1/immich

TYPESENSE_API_KEY=key

TYPESENSE_URL=ha://WwogIHsgImhvc3QiOiAidHlwZXNlbnNlLTEuZXhhbXBsZS5uZXQiLCAicG9ydCI6ICI0NDMiLCAicHJvdG9jb2wiOiAiaHR0cHMiIH0sCiAgeyAiaG9zdCI6ICJ0eXBlc2Vuc2UtMi5leGFtcGxlLm5ldCIsICJwb3J0IjogIjQ0MyIsICJwcm90b2NvbCI6ICJodHRwcyIgfSwKICB7ICJob3N0IjogInR5cGVzZW5zZS0zLmV4YW1wbGUubmV0IiwgInBvcnQiOiAiNDQzIiwgInByb3RvY29sIjogImh0dHBzIiB9Cl0=

PUBLIC_LOGIN_PAGE_MESSAGE=

IMMICH_WEB_URL=http://immich-web:3000
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003

Reproduction steps

1. Upload from 1.70 to  1.71 to test the panoramic feature 
2. take panoramic with the phone / upload one thru the WebUI
3. The thumbnail appear like a broken file
4. Clicking the image will show the same "broken file"

Additional information

No response

Originally created by @gauth-fr on GitHub (Jul 29, 2023). ### The bug I'm tring to test the new panoramic feature. I took a panoramic picture and back it up. In the web UI, it displays as a "broken image" and will display, when click, the same "broken image" ![image](https://github.com/immich-app/immich/assets/39403109/838cd6c8-4634-42ba-821e-cef6adeea824) ![image](https://github.com/immich-app/immich/assets/39403109/242c9272-4818-424c-b9a4-cc5673adc743) ### The OS that Immich Server is running on Docker on Synology ### Version of Immich Server v1.71.0 ### Version of Immich Mobile App v1.70.0 build 93 ### Platform with the issue - [X] Server - [ ] Web - [ ] Mobile ### Your docker-compose.yml content ```YAML version: "3.8" services: immich-server: container_name: immich_server image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} user: ${IMMICH_PUID}:${IMMICH_PGID} command: [ "start.sh", "immich" ] ports: - 3001:3001 volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - /volume1/photo:/photo:ro env_file: - .env depends_on: - redis - database - typesense restart: always immich-microservices: container_name: immich_microservices image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release} user: ${IMMICH_PUID}:${IMMICH_PGID} command: [ "start.sh", "microservices" ] volumes: - ${UPLOAD_LOCATION}:/usr/src/app/upload - /volume1/photo:/photo:ro env_file: - .env depends_on: - redis - database - typesense restart: always immich-machine-learning: container_name: immich_machine_learning image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release} volumes: - $CONFIGFOLDER/immich/data/model-cache:/cache env_file: - .env restart: always immich-web: container_name: immich_web image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release} ports: - 3000:3000 env_file: - .env restart: always typesense: container_name: immich_typesense image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd environment: - TYPESENSE_API_KEY=${TYPESENSE_API_KEY} - TYPESENSE_DATA_DIR=/data logging: driver: none volumes: - $CONFIGFOLDER/immich/data/typesense:/data restart: always redis: container_name: immich_redis image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3 restart: always database: container_name: immich_postgres image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441 env_file: - .env ports: - 55432:5432 environment: POSTGRES_PASSWORD: ${DB_PASSWORD} POSTGRES_USER: ${DB_USERNAME} POSTGRES_DB: ${DB_DATABASE_NAME} PG_DATA: /var/lib/postgresql/data volumes: - $CONFIGFOLDER/immich/data/pgdata:/var/lib/postgresql/data restart: always immich-proxy: container_name: immich_proxy image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release} environment: # Make sure these values get passed through from the env file - IMMICH_SERVER_URL - IMMICH_WEB_URL ports: - 2283:8080 depends_on: - immich-server - immich-web restart: always ``` ### Your .env content ```Shell ## ## IMMICH ## IMMICH_PUID=1042 IMMICH_PGID=100 DB_HOSTNAME=immich_postgres DB_USERNAME=postgres DB_PASSWORD=password DB_DATABASE_NAME=immich LOG_LEVEL=debug REDIS_HOSTNAME=immich_redis REDIS_URL=ioredis://eyJzZW50aW5lbHMiOlt7Imhvc3QiOiJyZWRpcy1zZW50aW5lbDEiLCJwb3J0IjoyNjM3OX0seyJob3N0IjoicmVkaXMtc2VudGluZWwyIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6Im15bWFzdGVyIn0= UPLOAD_LOCATION=/volume1/immich TYPESENSE_API_KEY=key TYPESENSE_URL=ha://WwogIHsgImhvc3QiOiAidHlwZXNlbnNlLTEuZXhhbXBsZS5uZXQiLCAicG9ydCI6ICI0NDMiLCAicHJvdG9jb2wiOiAiaHR0cHMiIH0sCiAgeyAiaG9zdCI6ICJ0eXBlc2Vuc2UtMi5leGFtcGxlLm5ldCIsICJwb3J0IjogIjQ0MyIsICJwcm90b2NvbCI6ICJodHRwcyIgfSwKICB7ICJob3N0IjogInR5cGVzZW5zZS0zLmV4YW1wbGUubmV0IiwgInBvcnQiOiAiNDQzIiwgInByb3RvY29sIjogImh0dHBzIiB9Cl0= PUBLIC_LOGIN_PAGE_MESSAGE= IMMICH_WEB_URL=http://immich-web:3000 IMMICH_SERVER_URL=http://immich-server:3001 IMMICH_MACHINE_LEARNING_URL=http://immich-machine-learning:3003 ``` ### Reproduction steps ```bash 1. Upload from 1.70 to 1.71 to test the panoramic feature 2. take panoramic with the phone / upload one thru the WebUI 3. The thumbnail appear like a broken file 4. Clicking the image will show the same "broken file" ``` ### Additional information _No response_
OVERLORD commented 2026-02-05 00:42:26 +03:00
Author
Owner
Copy Link

@alextran1502 commented on GitHub (Jul 29, 2023):

Hello, can you share the example broken photo so we can troubleshoot? You can get the original by hitting the download button

@alextran1502 commented on GitHub (Jul 29, 2023): Hello, can you share the example broken photo so we can troubleshoot? You can get the original by hitting the download button
OVERLORD commented 2026-02-05 00:42:38 +03:00
Author
Owner
Copy Link

@gauth-fr commented on GitHub (Jul 29, 2023):

Sure!
Didn't know what's the bet way to share while retaining all metadata so... gdrive :)
https://drive.google.com/drive/folders/1g8hgg7U6jUT1VpMbi55RcbPH5-k_g6Ie?usp=sharing

Note that before the update, the photo PXL_20230715_154735326.PANO (1).jpg was uploaded to immich without problem, just not display as panorama :)

@gauth-fr commented on GitHub (Jul 29, 2023): Sure! Didn't know what's the bet way to share while retaining all metadata so... gdrive :) [https://drive.google.com/drive/folders/1g8hgg7U6jUT1VpMbi55RcbPH5-k_g6Ie?usp=sharing ](https://drive.google.com/drive/folders/1g8hgg7U6jUT1VpMbi55RcbPH5-k_g6Ie?usp=sharing ) Note that before the update, the photo PXL_20230715_154735326.PANO (1).jpg was uploaded to immich without problem, just not display as panorama :)
OVERLORD commented 2026-02-05 00:42:40 +03:00
Author
Owner
Copy Link

@gauth-fr commented on GitHub (Jul 30, 2023):

Hi again,
So, a few things while testing.. :)

  1. this morning when i checked immich, the 2 pictures where showing correctly. But, since they are panoramic, i was expecting the new viewer, but no ^^
  2. the 2 initial picture, even if there are showing, have no exif metadata. At least, shown by immich, I checked the picture (by downloading it from immich) with exiftool and it shows some metadata.
  3. The problem is not with panoramic only. I tried to take and upload a "normal" photo, but it displays in immich the "broken" stub. Maybe i will display later, but without exif data..?

I tried to check the different logs, but there are not very verbose.
The only exception i could see was in the microservices container, but i don't know if it's linked:

[Nest] 7  - 07/30/2023, 12:11:47 PM   ERROR [MetadataExtractionProcessor] Unable to initialize reverse geocoding: Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/'
Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/'
    at Object.mkdirSync (node:fs:1396:3)
@gauth-fr commented on GitHub (Jul 30, 2023): Hi again, So, a few things while testing.. :) 1. this morning when i checked immich, the 2 pictures where showing correctly. But, since they are panoramic, i was expecting the new viewer, but no ^^ 2. the 2 initial picture, even if there are showing, have no exif metadata. At least, shown by immich, I checked the picture (by downloading it from immich) with exiftool and it shows some metadata. 3. The problem is not with panoramic only. I tried to take and upload a "normal" photo, but it displays in immich the "broken" stub. Maybe i will display later, but without exif data..? I tried to check the different logs, but there are not very verbose. The only exception i could see was in the microservices container, but i don't know if it's linked: ``` [Nest] 7 - 07/30/2023, 12:11:47 PM ERROR [MetadataExtractionProcessor] Unable to initialize reverse geocoding: Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/' Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/' at Object.mkdirSync (node:fs:1396:3) ```
OVERLORD commented 2026-02-05 00:42:47 +03:00
Author
Owner
Copy Link

@jrasm91 commented on GitHub (Jul 30, 2023):

That problem should be addressed first, and it explains why you don't see any thumbnails.

https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user

@jrasm91 commented on GitHub (Jul 30, 2023): That problem should be addressed first, and it explains why you don't see any thumbnails. https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user
OVERLORD commented 2026-02-05 00:42:50 +03:00
Author
Owner
Copy Link

@gauth-fr commented on GitHub (Jul 30, 2023):

Ok so I did quite some testing this afternoon...
tl;dr:
I was running the servers as non-root user, which the microservices doesn't like.
So it's completely NOT because of the new features, and ENTIRELY my fault :)

So im made some more testing, spinning some other immich instance, 1 running as root, 1 as noon-root.
Running as root definitely works.
But running as non-root, i get the error:

[Nest] 7  - 07/30/2023, 12:11:47 PM   ERROR [MetadataExtractionProcessor] Unable to initialize reverse geocoding: Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/'
Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/'
    at Object.mkdirSync (node:fs:1396:3)

and the MetadataExtractionProcessor was not starting.

And due to my poor comprehension of how Immich is working, nothing was happening when i was uploading a picture.
If going to the Administration > Job and starting manual the Extract metadata job, it starts ingesting my uploads, then the flow continue with the other jobs. I still get the error but it seems to do the job as the metadata job stays running..

But... I want to run as non root and i don't want to start the service manually each time the container is restarted so...
I created another volume mount for the "faulty" directory, and so far, it seems to do the trick.

      - ${CONFIGFOLDER}/immich-nonroot/data/microservices/.reverse-geocoding-dump:/usr/src/app/.reverse-geocoding-dump

Note that i gave the ownership of the ${CONFIGFOLDER}/immich-nonroot/data/microservices/.reverse-geocoding-dump to the user running the container to avoid, again, permission issue.

Now that the issue is solved, i'm torned between running as root (it's bad but for sure won't have issue) and as non-root (it's less bad but if one day you had another directory like this, i may encounter similar problem :p)

Maybe a solution would be to let the app work in a specific workdir, which would be mounted and given privileges, and where everything that needs to be created would go..?

Well, at least it works :)
Sorry for the disturbance!

@gauth-fr commented on GitHub (Jul 30, 2023): Ok so I did quite some testing this afternoon... tl;dr: I was running the servers as non-root user, which the microservices doesn't like. So it's completely NOT because of the new features, and ENTIRELY my fault :) So im made some more testing, spinning some other immich instance, 1 running as root, 1 as noon-root. Running as root definitely works. But running as non-root, i get the error: ``` [Nest] 7 - 07/30/2023, 12:11:47 PM ERROR [MetadataExtractionProcessor] Unable to initialize reverse geocoding: Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/' Error: EACCES: permission denied, mkdir '/usr/src/app/.reverse-geocoding-dump/' at Object.mkdirSync (node:fs:1396:3) ``` and the MetadataExtractionProcessor was not starting. And due to my poor comprehension of how Immich is working, nothing was happening when i was uploading a picture. If going to the Administration > Job and starting manual the Extract metadata job, it starts ingesting my uploads, then the flow continue with the other jobs. I still get the error but it seems to do the job as the metadata job stays running.. But... I want to run as non root and i don't want to start the service manually each time the container is restarted so... I created another volume mount for the "faulty" directory, and so far, it seems to do the trick. ``` - ${CONFIGFOLDER}/immich-nonroot/data/microservices/.reverse-geocoding-dump:/usr/src/app/.reverse-geocoding-dump ``` Note that i gave the ownership of the `${CONFIGFOLDER}/immich-nonroot/data/microservices/.reverse-geocoding-dump` to the user running the container to avoid, again, permission issue. Now that the issue is solved, i'm torned between running as root (it's bad but for sure won't have issue) and as non-root (it's less bad but if one day you had another directory like this, i may encounter similar problem :p) Maybe a solution would be to let the app work in a specific workdir, which would be mounted and given privileges, and where everything that needs to be created would go..? Well, at least it works :) Sorry for the disturbance!
OVERLORD commented 2026-02-05 00:42:53 +03:00
Author
Owner
Copy Link

@gauth-fr commented on GitHub (Jul 30, 2023):

That problem should be addressed first, and it explains why you don't see any thumbnails.

https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user

And instead of spending 2hours debugging, i coud have read the f****g manual 🤣
Anyway thanks to point to the solution, it may help others :)

@gauth-fr commented on GitHub (Jul 30, 2023): > That problem should be addressed first, and it explains why you don't see any thumbnails. > > https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user And instead of spending 2hours debugging, i coud have read the f****g manual 🤣 Anyway thanks to point to the solution, it may help others :)
OVERLORD commented 2026-02-05 00:42:56 +03:00
Author
Owner
Copy Link

@jrasm91 commented on GitHub (Jul 30, 2023):

No worries, we want to support running as non-root as well.

@jrasm91 commented on GitHub (Jul 30, 2023): No worries, we want to support running as non-root as well.
OVERLORD commented 2026-02-05 00:43:01 +03:00
Author
Owner
Copy Link

@gauth-fr commented on GitHub (Jul 30, 2023):

I changed the title as it was completely misleading, and i close the issue since it's now solved!
Thanks again for the help and for Immich!

@gauth-fr commented on GitHub (Jul 30, 2023): I changed the title as it was completely misleading, and i close the issue since it's now solved! Thanks again for the help and for Immich!
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
accessibility
changelog:enhancement
changelog:security
changelog:translation
cli
date-time
documentation
external-library
format
good first issue
needs-answer
nice to have
sharing
tech-debt
📱mobile
🖥️web
🗄️server
🧠machine-learning
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: immich-app/immich#1167
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?