Support nonroot operation

2024-12-20 20:31:10 +00:00 · 2024-12-20 20:31:10 +00:00 · b29a1b8320
commit b29a1b8320
parent 5521df85df
5 changed files with 84 additions and 57 deletions
--- a/README.md
+++ b/README.md
@ -86,6 +86,15 @@ This image can be run with a read-only container filesystem. For details please
 * Runtime update of Plex (and thus Plexpass builds) is not supported.
 * Transcode directory must be mounted to a host path or tmpfs.

+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* Runtime update of Plex (and thus Plexpass builds) is not supported.
+* Transcode directory must be mounted to a host path or tmpfs.
+
 ### Hardware Acceleration

 Many desktop applications need access to a GPU to function properly and even some Desktop Environments have compositor effects that will not function without a GPU. However this is not a hard requirement and all base images will function without a video device mounted into the container.
@ -174,6 +183,7 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-v /tv` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. |
 | `-v /movies` | Media goes here. Add as many as needed e.g. `/movies`, `/tv`, etc. |
 | `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |

 ## Environment variables from files (Docker secrets)

--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -75,6 +75,10 @@ readonly_supported: true
 readonly_message: |
  * Runtime update of Plex (and thus Plexpass builds) is not supported.
  * Transcode directory must be mounted to a host path or tmpfs.
+nonroot_supported: true
+nonroot_message: |
+  * Runtime update of Plex (and thus Plexpass builds) is not supported.
+  * Transcode directory must be mounted to a host path or tmpfs.
 # init diagram
 init_diagram: |
  "plex:latest": {
--- a/root/etc/s6-overlay/s6-rc.d/init-plex-chown/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-plex-chown/run
@ -6,9 +6,17 @@ mkdir -p /run/plex-temp
 # create folders
 if [[ ! -d "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" ]]; then
    mkdir -p "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}"
+    if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
        lsiown -R abc:abc /config
    fi
+fi

+# remove plex pid after unclean stop
+if [[ -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid" ]]; then
+    rm -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid"
+fi
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
    # check Library permissions
    PUID=${PUID:-911}
    if [[ ! "$(stat -c %u /config/Library)" == "${PUID}" ]]; then
@ -18,11 +26,6 @@ if [[ ! "$(stat -c %u /config/Library)" == "${PUID}" ]]; then
            /config/Library
    fi

-# remove plex pid after unclean stop
-if [[ -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid" ]]; then
-    rm -f "/config/Library/Application Support/Plex Media Server/plexmediaserver.pid"
-fi
-
    # set permissions on Plex Transcoder Temp Directory
    PLEX_MEDIA_SERVER_PREFERENCES="${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}/Plex Media Server/Preferences.xml"
    if [[ -f "${PLEX_MEDIA_SERVER_PREFERENCES}" ]]; then
@ -40,3 +43,4 @@ lsiown abc:abc \
        /run/plex-temp \
        /config \
        /config/*
+fi
--- a/root/etc/s6-overlay/s6-rc.d/init-plex-gid-video/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-plex-gid-video/run
@ -1,6 +1,7 @@
 #!/usr/bin/with-contenv bash
 # shellcheck shell=bash

+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
    FILES=$(find /dev/dri /dev/dvb -type c -print 2>/dev/null)

    for i in ${FILES}; do
@ -33,3 +34,4 @@ for i in ${FILES}; do
            fi
        fi
    done
+fi
--- a/root/etc/s6-overlay/s6-rc.d/svc-plex/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-plex/run
@ -6,6 +6,13 @@ PLEX_MEDIA_SERVER_INFO_MODEL=$(uname -m)
 export PLEX_MEDIA_SERVER_INFO_MODEL
 PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION=$(uname -r)
 export PLEX_MEDIA_SERVER_INFO_PLATFORM_VERSION
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
    exec \
        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400" \
            s6-setuidgid abc "/usr/lib/plexmediaserver/Plex Media Server"
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z localhost 32400" \
+            "/usr/lib/plexmediaserver/Plex Media Server"
+fi