Add PUID/PGID support for NAS volume permissions#95
Merged
Conversation
Unraid and TrueNAS pass PUID/PGID env vars instead of --user. The hardcoded USER tracefinity (UID 1000) caused permission denied errors when host volumes are owned by a different user. - Remove USER directive; entrypoint starts as root and drops privileges via gosu after remapping - Add PUID/PGID handling: groupmod/usermod to remap the tracefinity user, chown /app/storage when ownership differs - Preserve --user flag path: non-root entrypoint skips remapping and runs directly (existing behaviour) - Default (no env vars) is identical to previous releases Fixes #94 Signed-off-by: Jason Madigan <[email protected]>
The root cause: supervisord re-opens /dev/stdout and /dev/stderr as
filesystem paths for child log capture. These resolve through
/proc/self/fd/{1,2} which are owned by root with mode 0200. After gosu
drops to UID 1000, supervisor's open() calls fail with EACCES.
Fix: let supervisord run as root (it can open the log paths) and use
supervisor's own user= directive on each [program:] section to drop
privileges per-child. The entrypoint still handles PUID/PGID remapping
and storage ownership, but no longer uses gosu for the final exec.
The --user flag path is unaffected (supervisor runs as the given UID,
user=tracefinity is a no-op when already that UID).
Signed-off-by: Jason Madigan <[email protected]>
The supervisor config shipped with user=tracefinity baked into each [program:xxx] section. This works when supervisord runs as root (it can setuid to the target user), but breaks with --user flag because a non-root supervisor cannot call setuid at all, causing "Can't drop privilege as nonroot user" and immediate exit. Fix: ship the config WITHOUT any user= directives (compatible with --user mode), and have the entrypoint inject user=root in [supervisord] plus user=tracefinity in each [program:xxx] only when running as root. The injection is idempotent (skipped if user= already present). All three deployment modes now work: - Default (root, no PUID/PGID): children run as tracefinity (1000:1000) - PUID/PGID (root, remapped): children run as remapped tracefinity - --user flag (non-root): all processes run as the specified UID Signed-off-by: Jason Madigan <[email protected]>
shanetinklenberg
pushed a commit
to shanetinklenberg/tracefinity
that referenced
this pull request
Jun 28, 2026
* Add PUID/PGID support for NAS volume permissions (tracefinity#94) Unraid and TrueNAS pass PUID/PGID env vars instead of --user. The hardcoded USER tracefinity (UID 1000) caused permission denied errors when host volumes are owned by a different user. - Remove USER directive; entrypoint starts as root and drops privileges via gosu after remapping - Add PUID/PGID handling: groupmod/usermod to remap the tracefinity user, chown /app/storage when ownership differs - Preserve --user flag path: non-root entrypoint skips remapping and runs directly (existing behaviour) - Default (no env vars) is identical to previous releases Fixes tracefinity#94 Signed-off-by: Jason Madigan <[email protected]> * Fix supervisor EACCES when entrypoint drops privileges via gosu The root cause: supervisord re-opens /dev/stdout and /dev/stderr as filesystem paths for child log capture. These resolve through /proc/self/fd/{1,2} which are owned by root with mode 0200. After gosu drops to UID 1000, supervisor's open() calls fail with EACCES. Fix: let supervisord run as root (it can open the log paths) and use supervisor's own user= directive on each [program:] section to drop privileges per-child. The entrypoint still handles PUID/PGID remapping and storage ownership, but no longer uses gosu for the final exec. The --user flag path is unaffected (supervisor runs as the given UID, user=tracefinity is a no-op when already that UID). Signed-off-by: Jason Madigan <[email protected]> * Fix supervisor child processes running as root instead of tracefinity The supervisor config shipped with user=tracefinity baked into each [program:xxx] section. This works when supervisord runs as root (it can setuid to the target user), but breaks with --user flag because a non-root supervisor cannot call setuid at all, causing "Can't drop privilege as nonroot user" and immediate exit. Fix: ship the config WITHOUT any user= directives (compatible with --user mode), and have the entrypoint inject user=root in [supervisord] plus user=tracefinity in each [program:xxx] only when running as root. The injection is idempotent (skipped if user= already present). All three deployment modes now work: - Default (root, no PUID/PGID): children run as tracefinity (1000:1000) - PUID/PGID (root, remapped): children run as remapped tracefinity - --user flag (non-root): all processes run as the specified UID Signed-off-by: Jason Madigan <[email protected]> --------- Signed-off-by: Jason Madigan <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes #94
Adds PUID/PGID env var support to the entrypoint for Unraid/TrueNAS deployments where host volumes are owned by non-1000 UIDs.
Three code paths:
Default behaviour is unchanged -- existing users unaffected.