Merge pull request #416 from linuxserver/nonroot

This commit is contained in:
Adam 2025-01-01 22:45:59 +00:00 committed by GitHub
commit aa406f1496
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 84 additions and 57 deletions


@ -86,6 +86,15 @@ This image can be run with a read-only container filesystem. For details please
* Runtime update of Plex (and thus Plexpass builds) is not supported. * Runtime update of Plex (and thus Plexpass builds) is not supported.
* Transcode directory must be mounted to a host path or tmpfs. * Transcode directory must be mounted to a host path or tmpfs.
## Non-Root Operation
This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
### Caveats
* Runtime update of Plex (and thus Plexpass builds) is not supported.
* Transcode directory must be mounted to a host path or tmpfs.
### Hardware Acceleration ### Hardware Acceleration
Many desktop applications need access to a GPU to function properly and even some Desktop Environments have compositor effects that will not function without a GPU. However this is not a hard requirement and all base images will function without a video device mounted into the container. Many desktop applications need access to a GPU to function properly and even some Desktop Environments have compositor effects that will not function without a GPU. However this is not a hard requirement and all base images will function without a video device mounted into the container.
@ -174,6 +183,7 @@ Containers are configured using parameters passed at runtime (such as those abov
| `-v /tv` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. | | `-v /tv` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. |
| `-v /movies` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. | | `-v /movies` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. |
| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). | | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |
## Environment variables from files (Docker secrets) ## Environment variables from files (Docker secrets)


@ -75,6 +75,10 @@ readonly_supported: true
readonly_message: | readonly_message: |
* Runtime update of Plex (and thus Plexpass builds) is not supported. * Runtime update of Plex (and thus Plexpass builds) is not supported.
* Transcode directory must be mounted to a host path or tmpfs. * Transcode directory must be mounted to a host path or tmpfs.
nonroot_supported: true
nonroot_message: |
* Runtime update of Plex (and thus Plexpass builds) is not supported.
* Transcode directory must be mounted to a host path or tmpfs.
# init diagram # init diagram
init_diagram: | init_diagram: |
"plex:latest": { "plex:latest": {


@ -6,16 +6,9 @@ mkdir -p /run/plex-temp
# create folders # create folders
if [[ ! -d "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" ]]; then if [[ ! -d "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" ]]; then
mkdir -p "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" mkdir -p "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}"
if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
lsiown -R abc:abc /config lsiown -R abc:abc /config
fi fi
# check Library permissions
PUID=${PUID:-911}
if [[ ! "$(stat -c %u /config/Library)" == "${PUID}" ]]; then
echo "Change in ownership detected, please be patient while we chown existing files"
echo "This could take some time"
lsiown -R abc:abc \
/config/Library
fi fi
# remove plex pid after unclean stop # remove plex pid after unclean stop
@ -23,9 +16,19 @@ if [[ -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.
rm -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid" rm -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid"
fi fi
# set permissions on Plex Transcoder Temp Directory if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
PLEX_MEDIA_SERVER_PREFERENCES="${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}/Plex Media Server/Preferences.xml" # check Library permissions
if [[ -f "${PLEX_MEDIA_SERVER_PREFERENCES}" ]]; then PUID=${PUID:-911}
if [[ ! "$(stat -c %u /config/Library)" == "${PUID}" ]]; then
echo "Change in ownership detected, please be patient while we chown existing files"
echo "This could take some time"
lsiown -R abc:abc \
/config/Library
fi
# set permissions on Plex Transcoder Temp Directory
PLEX_MEDIA_SERVER_PREFERENCES="${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}/Plex Media Server/Preferences.xml"
if [[ -f "${PLEX_MEDIA_SERVER_PREFERENCES}" ]]; then
TranscoderTempDirectory='\bTranscoderTempDirectory="([^"]+)"' TranscoderTempDirectory='\bTranscoderTempDirectory="([^"]+)"'
while IFS= read -r line; do while IFS= read -r line; do
if [[ ${line} =~ ${TranscoderTempDirectory} ]] && [[ -d "${BASH_REMATCH[1]}" ]]; then if [[ ${line} =~ ${TranscoderTempDirectory} ]] && [[ -d "${BASH_REMATCH[1]}" ]]; then
@ -33,10 +36,11 @@ if [[ -f "${PLEX_MEDIA_SERVER_PREFERENCES}" ]]; then
lsiown -R abc:abc "${BASH_REMATCH[1]}" lsiown -R abc:abc "${BASH_REMATCH[1]}"
fi fi
done <"${PLEX_MEDIA_SERVER_PREFERENCES}" done <"${PLEX_MEDIA_SERVER_PREFERENCES}"
fi fi
# permissions (non-recursive) on config root and folders # permissions (non-recursive) on config root and folders
lsiown abc:abc \ lsiown abc:abc \
/run/plex-temp \ /run/plex-temp \
/config \ /config \
/config/* /config/*
fi
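Review bot: The new non-root gate at `if [[ -z ${LSIO_NON_ROOT_USER} ]]; then` skips every ownership repair but adds no check that the running uid can actually write `/config`, so a host-permission mismatch now surfaces only as an opaque Plex failure later instead of the existing `lsiown` diagnostics, which are root-only from this commit on. A cheap guard on the closing `fi` would make that actionable: `elif [[ ! -w /config ]]; then echo "**** /config is not writable by uid $(id -u); fix host ownership before using --user ****"`. The `TranscoderTempDirectory` parsing loop is also inside the root gate, so a transcode directory mounted with the wrong ownership goes unreported in non-root mode as well; the same `-w` test could be applied to `${BASH_REMATCH[1]}` if the loop is moved outside the gate and only the `lsiown` call kept inside it. The script's opening lines before `mkdir -p /run/plex-temp` are outside the hunk.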


@ -1,9 +1,10 @@
#!/usr/bin/with-contenv bash #!/usr/bin/with-contenv bash
# shellcheck shell=bash # shellcheck shell=bash
FILES=$(find /dev/dri /dev/dvb -type c -print 2>/dev/null) if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
FILES=$(find /dev/dri /dev/dvb -type c -print 2>/dev/null)
for i in ${FILES}; do for i in ${FILES}; do
VIDEO_GID=$(stat -c '%g' "${i}") VIDEO_GID=$(stat -c '%g' "${i}")
VIDEO_UID=$(stat -c '%u' "${i}") VIDEO_UID=$(stat -c '%u' "${i}")
# check if user matches device # check if user matches device
@ -32,4 +33,5 @@ for i in ${FILES}; do
chmod g+rw "${i}" chmod g+rw "${i}"
fi fi
fi fi
done done
fi
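Review bot: When `LSIO_NON_ROOT_USER` is set the entire `/dev/dri` and `/dev/dvb` group fixup is skipped silently, so hardware transcoding stops working unless the container was started with the matching `--group-add`, and the gate at `if [[ -z ${LSIO_NON_ROOT_USER} ]]; then` has no `else` to say so. A one-line diagnostic in an `else` branch would make that discoverable: `for i in $(find /dev/dri /dev/dvb -type c 2>/dev/null); do [[ -r "${i}" && -w "${i}" ]] || echo "**** ${i} is not accessible by uid $(id -u); pass its group with --group-add ****"; done`. The body of the `for i in ${FILES}` loop between the two hunks is outside the hunk, so this assumes nothing in it already handles the non-root case.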


@ -6,6 +6,13 @@ PLEX_MEDIA_SERVER_INFO_MODEL=$(uname -m)
export PLEX_MEDIA_SERVER_INFO_MODEL export PLEX_MEDIA_SERVER_INFO_MODEL
PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION=$(uname -r) PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION=$(uname -r)
export PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION export PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION
exec \
if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
exec \
s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400" \ s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400" \
s6-setuidgid abc "/usr/lib/plexmediaserver/Plex Media Server" s6-setuidgid abc "/usr/lib/plexmediaserver/Plex Media Server"
else
exec \
s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400" \
"/usr/lib/plexmediaserver/Plex Media Server"
fi
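Review bot: The privilege drop is gated solely on `LSIO_NON_ROOT_USER` being non-empty rather than on the actual uid, so if that variable is ever present in a container still running as uid 0 the `else` branch execs Plex as root with no `s6-setuidgid abc`; presumably the base image only exports it when the process uid is non-zero, but this script cannot verify that. Gating on the effective uid is more robust and preserves behaviour in the intended cases: `if [[ $(id -u) -eq 0 ]]; then`. The two branches also duplicate the whole `s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400"` invocation when only the wrapper differs; `wrapper=(); [[ -z ${LSIO_NON_ROOT_USER} ]] && wrapper=(s6-setuidgid abc)` followed by a single `exec s6-notifyoncheck ... "${wrapper[@]}" "/usr/lib/plexmediaserver/Plex Media Server"` would make the one real difference visible. The script lines before `PLEX_MEDIA_SERVER_INFO_MODEL` are outside the hunk.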