[BUG] Can't run microservices container as non-root user #2 #1458

Closed
opened 2026-02-20 00:09:16 -05:00 by deekerman · 3 comments

Originally created by @Jurrer on GitHub (Oct 14, 2023).

The bug

I know this issue has been addressed already, but I am experiencing problems running immich-microservices.

I followed [the FAQ](https://documentation.immich.app/docs/FAQ#how-can-i-run-immich-as-a-non-root-user) version on how to run immich in non-root mode, but it didn't work. Logs were saying that access to the geocoding directory was denied.

Then I followed [a nice comment](https://github.com/immich-app/immich/issues/776#issuecomment-1271459885) about it, to declare a directory via the REVERSE_GEOCODING_DUMP_DIRECTORY variable, and mount my volume there. It didn't work either, I got the same error. It was basically the first option with extra steps.

I considered not mounting anything, and letting immich-microservices handle their own volumes, as [this pull request](https://github.com/immich-app/immich/pull/1234) says to do, but to no avail; I ended up with the error once again.

The error causes the container to go into a restart loop, and basically the microservices don't work.

```log
[Nest] 7  - 10/15/2023, 12:25:21 AM   ERROR [MetadataService] Unable to initialize reverse geocoding: Error: EACCES: permission denied, mkdir '/usr/src/app/geocoding/cities500'
Error: EACCES: permission denied, mkdir '/usr/src/app/geocoding/cities500'
    at Object.mkdirSync (node:fs:1379:3)
    at Object._getData (/usr/src/app/node_modules/local-reverse-geocoder/index.js:163:10)
    at Object._getGeoNamesCitiesData (/usr/src/app/node_modules/local-reverse-geocoder/index.js:468:10)
    at nextTask (/usr/src/app/node_modules/async/dist/async.js:5789:13)
    at Object.waterfall (/usr/src/app/node_modules/async/dist/async.js:5800:9)
    at Object.awaitable [as waterfall] (/usr/src/app/node_modules/async/dist/async.js:211:32)
    at /usr/src/app/node_modules/local-reverse-geocoder/index.js:682:19
    at /usr/src/app/node_modules/async/dist/async.js:3674:28
    at eachOfArrayLike (/usr/src/app/node_modules/async/dist/async.js:506:13)
    at eachOf (/usr/src/app/node_modules/async/dist/async.js:626:16)
```

My fix was mounting a local path to serve as the geocoding directory.

I do not consider this solved, because it adds some complexity when running through portainer, and is not in a 'stateless' mindset.

Please point out if I did something wrong; I wish to run this service using volumes, as everyone else does.

The OS that Immich Server is running on

Ubuntu Server 22.04 LTS; Docker Engine 24.0.6, Storage Driver: overlay2

Version of Immich Server

v1.81.1

Version of Immich Mobile App

v1.80.0

Platform with the issue

- [X] Server
- [ ] Web
- [ ] Mobile

Your docker-compose.yml content

```yaml
version: "3.9"

services:

...

  immich-microservices:
    container_name: immich-microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: ${PUID}:${PGID}
    command: [ "start.sh", "microservices" ]
    volumes:
      - ${DATAPATH}/pictures:/usr/src/app/upload
      # - /etc/localtime:/etc/localtime:ro
      - immich_geocoding_dump:${REVERSE_GEOCODING_DUMP_DIRECTORY}
    environment:
      TZ: ${TZ}
      PUID: ${PUID}
      PGID: ${PGID}
      DB_HOSTNAME: ${IMMICH_DB_HOST}
      DB_DATABASE_NAME: ${IMMICH_DB}
      DB_USERNAME: ${IMMICH_DB_USERNAME}
      DB_PASSWORD: ${IMMICH_DB_PASSWORD}
      REDIS_PASSWORD: ${IMMICH_REDIS_PASSWORD}
      REDIS_HOSTNAME: ${IMMICH_REDIS_HOST}
      TYPESENSE_API_KEY: ${TYPESENSE_API_KEY}
      REVERSE_GEOCODING_DUMP_DIRECTORY: ${REVERSE_GEOCODING_DUMP_DIRECTORY}
    depends_on:
      - redis-immich
      - typesense
    restart: unless-stopped

...

volumes:
  immich_geocoding_dump:
```

Your .env content

```shell
REVERSE_GEOCODING_DUMP_DIRECTORY=/usr/src/app/geocoding
PUID=1000
PGID=1000
```

Reproduction steps

1. Deploy a working immich app with immich-microservices set up as shown in above docker-compose.yaml
2. Read logs of immich-microservices container

Additional information

No response


@chk86 commented on GitHub (Oct 30, 2023):

I was reviewing how to set up non-root for myself and saw your post. I noted in your .env that you're missing both lines that were mentioned in the comment you referenced:

```shell
GEOCODING_DATA=/path/to/an/empty/folder/with/full/permissions/to/immich/user
REVERSE_GEOCODING_DUMP_DIRECTORY=/usr/src/app/geocoding
```

I wasn't sure if that might be your issue, but I wanted to mention it. Adding both those lines and the other steps seems to be working for me.


@Jurrer commented on GitHub (Oct 30, 2023):

@chk86 Yes, it's on purpose. You're suggesting bind mounting geocoding directory locally, which works.

My issue is about mounting it to a docker volume, which does not.

Thanks tho!


@jrasm91 commented on GitHub (Oct 30, 2023):

I don't think this is even an immich-specific issue. The user you are running the service with does not have permission to create a directory with the way you are mounting the volume. This has very little to do with immich and is a general permission issue. I'd try searching for that instead of waiting for an answer from the development team here.
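
The general permission issue described in the comment above, as an added example that is not part of the thread or the Immich project's own configuration: a fresh named volume's mount point is owned by root unless the image already contains that path with different ownership, so a service started with `user: ${PUID}:${PGID}` cannot `mkdir` inside it. The helper service name `geocoding-volume-init`, the `busybox` image and Compose v2 support for `condition: service_completed_successfully` are assumptions.

```yaml
# Added example, not from the Immich project. Assumes Docker Compose v2
# (Compose Specification) for the long-form depends_on "condition", and
# PUID/PGID/REVERSE_GEOCODING_DUMP_DIRECTORY set in .env as in the issue.
services:
  # Hypothetical one-shot helper: runs as root only long enough to hand
  # the named volume to the unprivileged user, then exits.
  geocoding-volume-init:
    image: busybox:stable
    user: "0:0"
    command: ["chown", "-R", "${PUID}:${PGID}", "/geocoding"]
    volumes:
      - immich_geocoding_dump:/geocoding
    network_mode: none      # the helper needs no network access
    restart: "no"           # must not be restarted once it has exited

  immich-microservices:
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    user: "${PUID}:${PGID}" # long-running service stays non-root
    command: [ "start.sh", "microservices" ]
    volumes:
      - immich_geocoding_dump:${REVERSE_GEOCODING_DUMP_DIRECTORY}
    environment:
      REVERSE_GEOCODING_DUMP_DIRECTORY: ${REVERSE_GEOCODING_DUMP_DIRECTORY}
    depends_on:
      # Start only after the volume has been chowned successfully.
      geocoding-volume-init:
        condition: service_completed_successfully
    restart: unless-stopped

volumes:
  immich_geocoding_dump:
```

Only the short-lived helper holds root, and only over the one volume; the other mounts, environment variables and dependencies from the original service definition are omitted here for brevity.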
