[BUG] docker - immich_proxy has rights issues running as non-root user #1298

Closed
opened 2026-02-05 01:11:45 +03:00 by OVERLORD · 5 comments

Originally created by @ndewijer on GitHub (Sep 1, 2023).

The bug

Setting up Immich via docker-compose to run as non-root user breaks nginx inside immich_proxy as it can no longer write to its config.

Workaround is copying /etc/nginx out of the container, into a directory with correct rights and mounting the folder as a volume.

The OS that Immich Server is running on

Ubuntu 22.04.3 LTS

Version of Immich Server

v1.76.1

Version of Immich Mobile App

n/a

Platform with the issue

  [x] Server
  [ ] Web
  [ ] Mobile

Your docker-compose.yml content

version: "3.8"

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: [ "start.sh", "immich" ]
    user: ${PUID}:${PGID}
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
    env_file:
      - stack.env
    depends_on:
      - redis
      - database
      - typesense
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends:
    #   file: hwaccel.yml
    #   service: hwaccel
    command: [ "start.sh", "microservices" ]
    user: ${PUID}:${PGID}
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - ${DOCKERPATH}/immich/geocoding:/usr/src/app/.reverse-geocoding-dump
    env_file:
      - stack.env
    depends_on:
      - redis
      - database
      - typesense
    restart: always
    mem_limit: "4g"

  immich-machine-learning:
    container_name: immich_machine_learning
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    user: ${PUID}:${PGID}
    volumes:
      - model-cache:/cache
    env_file:
      - stack.env
    restart: always

  immich-web:
    container_name: immich_web
    image: ghcr.io/immich-app/immich-web:${IMMICH_VERSION:-release}
    user: ${PUID}:${PGID}
    env_file:
      - stack.env
    restart: always

  typesense:
    container_name: immich_typesense
    image: typesense/typesense:0.24.1@sha256:9bcff2b829f12074426ca044b56160ca9d777a0c488303469143dd9f8259d4dd
    user: ${PUID}:${PGID}
    environment:
      - TYPESENSE_API_KEY=${TYPESENSE_API_KEY}
      - TYPESENSE_DATA_DIR=/data
      # remove this to get debug messages
      - GLOG_minloglevel=1
    volumes:
      - tsdata:/data
    restart: always

  redis:
    container_name: immich_redis
    user: ${PUID}:${PGID}
    image: redis:6.2-alpine@sha256:70a7a5b641117670beae0d80658430853896b5ef269ccf00d1827427e3263fa3
    restart: always

  database:
    container_name: immich_postgres
    user: ${PUID}:${PGID}
    image: postgres:14-alpine@sha256:28407a9961e76f2d285dc6991e8e48893503cc3836a4755bbc2d40bcc272a441
    env_file:
      - stack.env
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

  immich-proxy:
    container_name: immich_proxy
    image: ghcr.io/immich-app/immich-proxy:${IMMICH_VERSION:-release}
    user: ${PUID}:${PGID}
    environment:
      - ${IMMICH_SERVER_URL}
      - ${IMMICH_WEB_URL}
    ports:
      - 2283:8080
    depends_on:
      - immich-server
      - immich-web
    restart: always

volumes:
  pgdata:
  model-cache:
  tsdata:

Your .env content

DOCKERPATH=/docker
TZ=Europe/Amsterdam
PUID=1013
PGID=1016
UPLOAD_LOCATION=/data/immich/
IMMICH_VERSION=release
TYPESENSE_API_KEY=xxx
DB_PASSWORD=xxx
DB_HOSTNAME=immich_postgres
DB_USERNAME=xx
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
IMMICH_SERVER_URL=http://immich-server:3001
IMMICH_WEB_URL=http://immich-web:3000
PUBLIC_IMMICH_SERVER_URL=https://immich.local.xx.xx

Reproduction steps

1. follow steps from https://immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user
2. check docker logs of immich-proxy

Additional information

No response
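
A pre-flight check for the workaround described in the issue above, as an added example that is not part of the original issue or the Immich project: after copying /etc/nginx out of the container, it reports which entries the compose `user:` identity still cannot write. The function names and the `./nginx` host directory are hypothetical; it assumes `stat -c` (GNU or BusyBox) and looks only at owner, group and mode bits, not ACLs, supplementary groups or read-only mounts.

```shell
#!/bin/sh
# Added example: decide from classic permission bits whether UID:GID may write a path.

# can_write UID GID PATH -> 0 if writable, 1 if not, 2 if PATH cannot be stat'ed
can_write() {
  cw_uid=$1; cw_gid=$2
  cw_info=$(stat -c '%u %g %a' "$3") || return 2
  set -- $cw_info                 # $1 = owner uid, $2 = owner gid, $3 = octal mode
  cw_mode=$((0$3))
  [ "$cw_uid" -eq 0 ] && return 0 # root is not limited by mode bits
  if [ "$cw_uid" -eq "$1" ]; then
    cw_bit=$((cw_mode & 0200))    # owner write bit
  elif [ "$cw_gid" -eq "$2" ]; then
    cw_bit=$((cw_mode & 0020))    # group write bit
  else
    cw_bit=$((cw_mode & 0002))    # other write bit
  fi
  [ "$cw_bit" -ne 0 ]
}

# list_unwritable UID GID DIR -> prints every entry under DIR the identity cannot write
list_unwritable() {
  find "$3" -print | while IFS= read -r lu_path; do
    can_write "$1" "$2" "$lu_path" || printf '%s\n' "$lu_path"
  done
}

# Typical use with the values from the .env above (run by hand, not executed here):
#   docker cp immich_proxy:/etc/nginx ./nginx
#   list_unwritable 1013 1016 ./nginx     # empty output means the copy is ready to mount
```

Any path it prints needs its ownership or mode adjusted on the host before the directory is mounted over /etc/nginx.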


@yodatak commented on GitHub (Sep 6, 2023):

Same with Kubernetes k8s ^


@kjkent commented on GitHub (Oct 3, 2023):

Just reporting that this issue doesn't occur for me using the current releases.


@yodatak commented on GitHub (Oct 15, 2023):

Same for me, it no longer occurs.


@bestrocker221 commented on GitHub (Oct 29, 2023):

I tried to run immich as non-root. The proxy gets fixed, as @ndewijer is saying, by mounting the nginx volume, but the microservices container does not work.
It will try to modify the folder /usr/src/app, which is owned by root, with the non-root user.


@jrasm91 commented on GitHub (Nov 23, 2023):

This container no longer exists


Reference: immich-app/immich#1298