augunrik, Posted February 28, 2021

Hi! I'm trying to run emby server as non-root inside Kubernetes with the configuration:

    volumes:
      - name: emby-config-storage
        persistentVolumeClaim:
          claimName: emby-config-storage
      - name: emby-media-storage
        persistentVolumeClaim:
          claimName: emby-media-storage
      - name: s6-cache
        emptyDir: {}
    containers:
      - name: emby
        image: "{{ emby_image }}"
        imagePullPolicy: Always
        securityContext:
          allowPrivilegeEscalation: false
          runAsUser: 1000
          runAsGroup: 1000
          runAsNonRoot: true
          fsGroup: 1000
        resources:
          requests:
            cpu: 10m
            memory: "512Mi"
          limits:
            cpu: 2
            memory: "1Gi"
        volumeMounts:
          - name: emby-config-storage
            mountPath: "/config/"
          - name: emby-media-storage
            mountPath: "/mnt/media/"
          - name: s6-cache
            mountPath: "/var"
        env:
          - name: "UID"
            value: "1000"
          - name: "GID"
            value: "1000"
          - name: "S6_READ_ONLY_ROOT"
            value: "1"
        ports:
          - name: http
            protocol: TCP
            containerPort: 8096

Unfortunately I'm only receiving:

    s6-mkfifo: fatal: unable to mkfifo /var/run/s6/services/s6-fdholderd/supervise/control: No such file or directory

But /var is mounted as a temp directory, so it should be accessible to the user. What to do?

Also there seems to be a lot of documentation/old settings that are out of date (the env UID and GID actually do nothing anymore).

Thanks!
augunrik (Author), Posted March 7, 2021

You mean the yaml file? You change the security context to "runAsNonRoot: false" or remove the securityContext altogether. That's how it's running now. But emby is then running as root:

    $ ps aux | grep emby
    root 17029 0.0 0.0 204 4 ? S Feb28 0:00 s6-supervise emby-server

According to https://github.com/just-containers/s6-overlay#read-only-root-filesystem setting S6_READ_ONLY_ROOT=1 and mounting something writable under "/var" should be good enough, but it doesn't work for me.
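Added example, not part of the original posts: a small Python lint for securityContext field placement, run over the container settings from the first post (re-typed here as a constructed dict). In the Kubernetes core/v1 API, fsGroup belongs to the pod-level securityContext while allowPrivilegeEscalation is container-level; the function names and the field sets (a subset of the API) are assumptions of this example.

```python
# Added example: lint securityContext field placement in a pod spec.
# Field sets are a subset of Kubernetes core/v1 PodSecurityContext / SecurityContext.
POD_ONLY = {"fsGroup", "fsGroupChangePolicy", "supplementalGroups", "sysctls"}
CONTAINER_ONLY = {"allowPrivilegeEscalation", "capabilities", "privileged",
                  "procMount", "readOnlyRootFilesystem"}
SHARED = {"runAsUser", "runAsGroup", "runAsNonRoot", "seLinuxOptions",
          "seccompProfile", "windowsOptions"}


def lint_security_context(pod_spec):
    """Return (path, field, problem) tuples for fields set at the wrong level."""
    findings = []
    for field in pod_spec.get("securityContext") or {}:
        if field in CONTAINER_ONLY:
            findings.append(("spec.securityContext", field, "container-level only"))
    for kind in ("initContainers", "containers"):
        for c in pod_spec.get(kind) or []:
            path = f"spec.{kind}[{c.get('name')}].securityContext"
            for field in c.get("securityContext") or {}:
                if field in POD_ONLY:
                    findings.append((path, field, "pod-level only"))
    return findings


def effective_context(pod_spec, container):
    """Settings in force for one container: container-level values override
    pod-level ones for shared fields; misplaced fields are left out."""
    pod_sc = pod_spec.get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    merged = {k: v for k, v in pod_sc.items() if k in SHARED}
    merged.update({k: v for k, v in ctr_sc.items()
                   if k in SHARED | CONTAINER_ONLY})
    return merged


# Constructed input: the container securityContext from the first post.
POSTED_SPEC = {"containers": [{"name": "emby", "securityContext": {
    "allowPrivilegeEscalation": False, "runAsUser": 1000, "runAsGroup": 1000,
    "runAsNonRoot": True, "fsGroup": 1000}}]}

if __name__ == "__main__":
    for finding in lint_security_context(POSTED_SPEC):
        print(finding)
    print(effective_context(POSTED_SPEC, POSTED_SPEC["containers"][0]))
```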