From d5994a9037e388d16815d2736fbfd09242f43482 Mon Sep 17 00:00:00 2001
From: Maximilian Dorninger <97409287+maxdorninger@users.noreply.github.com>
Date: Tue, 3 Feb 2026 13:06:18 +0100
Subject: [PATCH] Fix docker permission issues (#395)

This PR fixes docker permission issues by first starting as root and then chown-ing all the volumes. This should fix #388 #389
---
 Dockerfile | 4 ++--
 mediamanager-startup.sh | 19 ++++++++++++++++---
 metadata_relay/Dockerfile | 20 +++++++++++---------
 3 files changed, 29 insertions(+), 14 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 196df35..a6fa56a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -13,7 +13,7 @@ RUN env PUBLIC_VERSION=${VERSION} PUBLIC_API_URL=${BASE_PATH} BASE_PATH=${BASE_P
 FROM ghcr.io/astral-sh/uv:python3.13-trixie-slim AS base
 RUN apt-get update && \
- apt-get install -y ca-certificates bash libtorrent21 gcc bc locales postgresql media-types mailcap curl gzip unzip tar 7zip bzip2 unar && \
+ apt-get install -y ca-certificates bash libtorrent21 gcc bc locales postgresql media-types mailcap curl gzip unzip tar 7zip bzip2 unar gosu && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
@@ -33,7 +33,6 @@ RUN chown -R mediamanager:mediamanager /app
 USER mediamanager
-# Set uv cache to a writable home directory and use copy mode for volume compatibility
 ENV UV_CACHE_DIR=/home/mediamanager/.cache/uv \
 UV_LINK_MODE=copy
@@ -47,6 +46,7 @@ ARG BASE_PATH=""
 LABEL author="github.com/maxdorninger"
 LABEL version=${VERSION}
 LABEL description="Docker image for MediaManager"
+USER root
 ENV PUBLIC_VERSION=${VERSION} \
 CONFIG_DIR="/app/config" \
diff --git a/mediamanager-startup.sh b/mediamanager-startup.sh
index 06360cc..1880930 100644
--- a/mediamanager-startup.sh
+++ b/mediamanager-startup.sh
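Review bot: `USER root` in the third Dockerfile hunk (`@@ -47,6 +46,7 @@`) makes root the image's default user with no comment saying why, while the same commit deletes the existing explanatory comments. Anything that does not go through mediamanager-startup.sh, such as an overridden entrypoint or command or a `docker exec` session, now runs as root, and the privilege drop depends entirely on the script's `gosu` calls. I would add `# Start as root only so mediamanager-startup.sh can chown mounted volumes; it drops to mediamanager via gosu before running the app` above the line. The stage's ENTRYPOINT/CMD is outside the hunk, so whether the startup script is the only entry path cannot be confirmed from here.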
@@ -145,8 +145,21 @@ else
 echo "Config file found at: $CONFIG_FILE"
 fi
+# permission fix
+echo "Ensuring file permissions for mediamanager user..."
+
+chown -R mediamanager:mediamanager "$CONFIG_DIR"
+
+if [ -d "/data" ]; then
+ if [ "$(stat -c '%U' /data)" != "mediamanager" ]; then
+ echo "Fixing ownership of /data (this may take a while for large libraries)..."
+ chown -R mediamanager:mediamanager /data
+ fi
+fi
+
+
 echo "Running DB migrations..."
-uv run alembic upgrade head
+gosu mediamanager uv run alembic upgrade head
 echo "Starting MediaManager backend service..."
 echo ""
@@ -161,7 +174,7 @@ DEVELOPMENT_MODE=${MEDIAMANAGER_MISC__DEVELOPMENT:-FALSE}
 PORT=${PORT:-8000}
 if [ "$DEVELOPMENT_MODE" == "TRUE" ]; then
 echo "Development mode is enabled, enabling auto-reload..."
- uv run fastapi run /app/media_manager/main.py --port "$PORT" --proxy-headers --reload
+ exec gosu mediamanager uv run fastapi run /app/media_manager/main.py --port "$PORT" --proxy-headers --reload
 else
- uv run fastapi run /app/media_manager/main.py --port "$PORT" --proxy-headers
+ exec gosu mediamanager uv run fastapi run /app/media_manager/main.py --port "$PORT" --proxy-headers
 fi
diff --git a/metadata_relay/Dockerfile b/metadata_relay/Dockerfile
index 019d61f..6d38f3f 100644
--- a/metadata_relay/Dockerfile
+++ b/metadata_relay/Dockerfile
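Review bot: The permission block in the first mediamanager-startup.sh hunk assumes the script runs as root with chown and setuid/setgid capabilities: under a `--user`/`user:` override, a non-root pod policy or `--cap-drop=ALL`, the `chown` calls and every `gosu mediamanager …` (including the two `exec gosu` lines in the second hunk) fail, so deployments already hardened to non-root stop working. The recursive chown also re-owns bind-mounted host directories (the config directory on every start, and the whole /data tree when its top-level owner differs), which changes file ownership on the host. Guarding the block on the effective UID, and prefixing `gosu mediamanager` only when it is 0, keeps the fix for root starts and leaves non-root starts untouched. The script's shebang and any `set -e` are outside the hunk, so how a failed chown is handled cannot be seen from here.

```shell
# Only root can chown or drop privileges; with a non-root user, run as-is.
if [ "$(id -u)" = "0" ]; then
    echo "Ensuring file permissions for mediamanager user..."
    chown -R mediamanager:mediamanager "$CONFIG_DIR"
    # … unchanged: /data ownership check and chown …
    run_as_app() { gosu mediamanager "$@"; }
else
    run_as_app() { "$@"; }
fi

echo "Running DB migrations..."
run_as_app uv run alembic upgrade head
# … second hunk: "exec gosu mediamanager uv run …" only in the root case, plain "exec uv run …" otherwise …
```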
@@ -8,23 +8,25 @@ RUN apt-get update && apt-get install -y ca-certificates && \
 apt-get clean && \
 rm -rf /var/lib/apt/lists/*
-# Create a non-root user and group
 RUN groupadd -g 1000 mediamanager && \
 useradd -m -u 1000 -g mediamanager mediamanager
 WORKDIR /app
-# Ensure mediamanager owns the app directory
 RUN chown -R mediamanager:mediamanager /app
-USER mediamanager
-
-# Set uv cache to a writable home directory and use copy mode for volume compatibility
 ENV UV_CACHE_DIR=/home/mediamanager/.cache/uv \
- UV_LINK_MODE=copy
+ UV_LINK_MODE=copy \
+ UV_COMPILE_BYTECODE=1
+
+COPY --chown=mediamanager:mediamanager pyproject.toml uv.lock ./
+
+USER mediamanager
+RUN --mount=type=cache,target=/home/mediamanager/.cache/uv,uid=1000,gid=1000 \
+ uv sync --frozen --no-install-project --no-dev
 COPY --chown=mediamanager:mediamanager . .
-RUN --mount=type=cache,target=/home/mediamanager/.cache/uv,uid=1000,gid=1000 \
- uv sync --locked
+
+RUN uv sync --frozen --no-dev
 EXPOSE 8000
-CMD ["uv", "run", "fastapi", "run", "/app/main.py"]
\ No newline at end of file
+CMD ["uv", "run", "fastapi", "run", "/app/main.py", "--port", "8000", "--proxy-headers"]
\ No newline at end of file
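Review bot: Both `uv sync` steps in this hunk switch from `--locked` to `--frozen`, which drops the check that uv.lock still matches pyproject.toml, so the image is built from whatever the lockfile says even when it is stale. Keeping `--locked` on the first step (`uv sync --locked --no-install-project --no-dev`) makes lockfile drift fail the build instead of passing silently. Separately, the new CMD adds `--proxy-headers`; forwarded headers should only be trusted from the reverse proxy's address, so a comment stating that the relay is expected to sit behind one would help operators who publish port 8000 directly. The build stage begins outside the hunk, so the base image and earlier steps are not visible here.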