Running motioneye docker as non-root user, can't access /var/run #2247

Open
opened 2026-02-28 01:08:12 -05:00 by deekerman · 5 comments
Originally created by @towerofpower256 on GitHub (Jun 21, 2022).

If I installed the motioneye docker and ran as root, no issues there.

However I run into an issue when I use the motioneye docker image as another user that is not root (e.g. --user 1003:1003). I started getting errors that are visible in the log saying that motioneye was unable to create the .pid file in the /var/run directory. Motioneye isn't able to start either, and I can't get to the web interface.

The log:

```
CRITICAL: pid directory "/etc/motioneye/run" does not exist or is not writable
    INFO: hello! this is motionEye server 0.42
CRITICAL: pid directory "/etc/motioneye/run" does not exist or is not writable
    INFO: hello! this is motionEye server 0.42
CRITICAL: pid directory "/etc/motioneye/run" does not exist or is not writable
    INFO: hello! this is motionEye server 0.42
```

Here's my docker run command, including --user and RUN_UID and RUN_GID arguments:

```sh
docker run --name="motioneye" \
    -p 8765:8765 \
    --hostname="motioneye" \
    -v /etc/localtime:/etc/localtime:ro \
    -v /srv/motioneye/etc:/etc/motioneye \
    -v /srv/motioneye/lib:/var/lib/motioneye \
    --restart="always" \
    --detach=true \
    --user 1003:1006 \
    -e "RUN_UID=1003" \
    -e "RUN_GID=1006" \
    ccrisan/motioneye:master-amd64
```

I was able to get around this by updating motioneye.conf to store the pid file in another directory that motioneye should have access to. This fix appears to be working so far.

```sh
# path to the directory where pid files go (must be writable by motionEye)
#run_path /var/run
run_path /etc/motioneye/run # Fix for no access to /var/run within container if non-root
```

I suspect this is due to the Docker image that the motioneye docker image is utilizing, debian:buster-slim.
https://github.com/debuerreotype/docker-debian-artifacts/blob/337f494fae12a1db13a003cea38e74f43d312ee6/buster/slim/rootfs.tar.xz

Doing some poking around:

  • /run exists, with permissions of 755 (writable by root, read-only to everything else).
  • /var/run exists and appears to be a link to /run.

Console output:

```
I have no name!@motioneye:/run$ ls -l /var/ | grep run
lrwxrwxrwx 1 root root     9 Jul 19  2019 lock -> /run/lock
lrwxrwxrwx 1 root root     4 Jul 19  2019 run -> /run

I have no name!@motioneye:/run$ ls -l / | grep run
drwxr-xr-x   1 root root 4096 Jun 22 10:35 run

I have no name!@motioneye:/run$ ls -l /run
total 16
drwxrwxrwt 2 root root 4096 Jul 19  2019 lock
drwxr-xr-x 2 root root 4096 Jun 22 10:35 motion
drwxr-xr-x 2 root root 4096 Jul 19  2019 mount
drwxr-xr-x 2 root root 4096 Jul 24  2019 systemd
-rw-rw-r-- 1 root utmp    0 Jul 19  2019 utmp
```

In the motioneye docker file, I can see that it's trying to own the /var/run folder, but I believe it's only chowning the link to the /run directory, not the /run directory itself, which is causing the issue.

Does that mean the fix is just to update the docker file to include /run in the directories that it's chowning?

```sh
chown motion:motion /var/run /var/log /run ....
```
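A fail-fast check for the situation described in this issue, written here as an added example and not part of the motioneye project: before starting the server under `--user`, resolve the configured pid directory through any symlink (`/var/run` -> `/run`) and verify that the real directory exists and is writable by the current UID, so a wrong `--user`/`run_path` combination produces one clear diagnostic instead of the CRITICAL loop in the log above. The function names and the `/etc/motioneye/run` usage path are assumptions mirroring the workaround in the issue; note that GNU `chown` follows a symlink named on the command line unless `-h` is given, so the check below always looks at the resolved target.

```shell
#!/bin/sh
# Added example (not motioneye project code): verify the pid directory
# motionEye will write into is a real, writable directory for the UID the
# container runs as (e.g. --user 1003:1006).

# resolve_dir PATH: print the symlink-resolved path (/var/run -> /run).
# Falls back to PATH itself where readlink -f is unavailable.
resolve_dir() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# check_pid_dir DIR: 0 if the resolved DIR is a directory writable by the
# current user, 1 otherwise (diagnostic on stderr, like motionEye's message).
check_pid_dir() {
    real=$(resolve_dir "$1")
    if [ ! -d "$real" ]; then
        echo "CRITICAL: pid directory \"$1\" ($real) does not exist (uid=$(id -u))" >&2
        return 1
    fi
    if [ ! -w "$real" ]; then
        owner=$(ls -ld "$real" | awk '{print $3 ":" $4}')
        echo "CRITICAL: pid directory \"$1\" ($real) is not writable by uid=$(id -u) (owned by $owner)" >&2
        return 1
    fi
    return 0
}

# ensure_pid_dir DIR: create DIR when missing (only possible if the parent is
# writable, e.g. /etc/motioneye mounted from the host), then verify it.
ensure_pid_dir() {
    real=$(resolve_dir "$1")
    if [ ! -d "$real" ]; then
        mkdir -p "$real" 2>/dev/null || true
    fi
    check_pid_dir "$1"
}

# Usage matching the run_path workaround from the issue (assumed path):
#   ensure_pid_dir /etc/motioneye/run || exit 1
```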
@towerofpower256 commented on GitHub (Jun 21, 2022):

Possibly related to:
#2407
#2388

@towerofpower256 commented on GitHub (Jun 21, 2022):

This article here suggests that it may be better to create a directory within run to hold app-specific pid files.
https://serverfault.com/questions/159334/what-permissions-are-needed-to-write-a-pid-file-in-var-run

E.g. a new directory /var/run/motioneye, grant full access for the motion user to that directory, and update the motioneye.conf to store the pid files in there, instead of just /var/run.

@tobschndr commented on GitHub (Nov 8, 2022):

I am facing the same issues.
Via Portainer the log is showing the following after reboot (as assumed with regard to the article):

```
INFO: hello! this is motionEye server 0.42.1
CRITICAL: pid directory "/var/run/motioneye" does not exist or is not writable
```

So I wrote a startup script as linked in the article:
(thanks @towerofpower256 )

```sh
mkdir /var/run/motioneye
chown motioneye:motioneye /var/run/motioneye
```

My questions:

  • Will/can this task (adding the folders and permissions after reboots) be part of the docker container in future?
  • How "dangerous" is it to run the container as root? (without adding the UID and GID to docker run and modifying the /var/run)
@PhatHub commented on GitHub (Feb 20, 2023):

For those who haven't figured out the systemd-onic (sorry didn't know how to say "systemd" in the same way of "pythonic") way of doing it, I just found out... utilize `tmpfiles.d` (https://www.freedesktop.org/software/systemd/man/tmpfiles.d.html)

It took me a while because the first time I tried to google for the answer, it took me weeks, and I couldn't find anything besides "it'll be complex."

A few weeks later I found this answer within minutes (https://askubuntu.com/questions/303120/how-folders-created-in-var-run-on-each-reboot), and it all clicked.

I did this on Ubuntu Server, so YMMV if you're on something else, like RedHat. tmpfiles.d is an installable package, so if it doesn't work, make sure it's installed but I doubt it'll be missing since basically everyone is running systemd.

  1. Create a motioneye file: `sudo touch /usr/lib/tmpfiles.d/motioneye.conf`
  2. Edit the file to create a temp file: `sudo vim /usr/lib/tmpfiles.d/motioneye.conf` (or use your preferred editor instead of `vim`)
  3. ...and add a single line, `d /var/run/motioneye 0744 motion motion` (I put tabs instead of spaces to kind of line up columns in the future)
  4. Exit your editor, stop motioneye with `systemctl stop motioneye` to force it to delete the previous pid directory.
  5. Restart it and see if it works: `systemctl start motioneye`

Hopefully this helps.

@MichaIng commented on GitHub (Mar 30, 2023):

@PhatHub
It's about the Docker image here, which has no systemd or native tmpfiles support.

Best solution is to allow not having any PID file at all. It is nonsense in this Docker image but currently not possible. I'll see if I find time to implement this during the weekend. But otherwise using /etc/motioneye indeed is a good idea and shouldn't cause any issues.
