From 4359aca5bf26f32cd88ed487cd6b2565830e1baa Mon Sep 17 00:00:00 2001
From: Jonathan Gilbert <jpg@Jonathans-MBP.home>
Date: Sat, 2 May 2026 09:14:18 +1000
Subject: [PATCH] feat: native support for rootless container execution

---
 docker/main/Dockerfile                          |  5 +++++
 .../etc/s6-overlay/s6-rc.d/certsync-log/run     |  2 +-
 .../etc/s6-overlay/s6-rc.d/frigate-log/run      |  2 +-
 .../etc/s6-overlay/s6-rc.d/go2rtc-log/run       |  2 +-
 .../etc/s6-overlay/s6-rc.d/log-prepare/run      |  4 +++-
 .../rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run |  2 +-
 .../rootfs/etc/s6-overlay/s6-rc.d/nginx/run     |  5 +++++
 docker/main/rootfs/usr/local/bin/logutil        | 17 +++++++++++++++++
 8 files changed, 34 insertions(+), 5 deletions(-)
 create mode 100755 docker/main/rootfs/usr/local/bin/logutil

diff --git a/docker/main/Dockerfile b/docker/main/Dockerfile
index c512ceb84..5d880cf55 100644
--- a/docker/main/Dockerfile
+++ b/docker/main/Dockerfile
@@ -287,6 +287,9 @@ RUN --mount=type=bind,source=docker/main/install_memryx.sh,target=/deps/install_
 
 COPY --from=deps-rootfs / /
 
+RUN mkdir -p /etc/letsencrypt/www /etc/letsencrypt/live/frigate /usr/local/nginx/logs /config /run /tmp/cache /media/frigate \
+    && chmod -R a+rwX /etc/letsencrypt /usr/local/nginx /config /run /tmp/cache /media/frigate
+
 RUN ldconfig
 
 EXPOSE 5000
@@ -297,6 +300,8 @@ EXPOSE 8555/tcp 8555/udp
 ENV S6_LOGGING_SCRIPT="T 1 n0 s10000000 T"
 # Do not fail on long-running download scripts
 ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
+# Set HOME to cache directory so rootless users can cache downloaded models
+ENV HOME=/tmp/cache
 
 ENTRYPOINT ["/init"]
 CMD []
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync-log/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync-log/run
index 7d66e2c81..d5dff6e53 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync-log/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync-log/run
@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/certsync
+exec /usr/local/bin/logutil /dev/shm/logs/certsync/
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run
index c10284862..ea5e2de6e 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run
@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/frigate
+exec /usr/local/bin/logutil /dev/shm/logs/frigate/
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run
index 96a204b9d..7e40a9baa 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run
@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/go2rtc
+exec /usr/local/bin/logutil /dev/shm/logs/go2rtc/
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run
index c493e320e..c1cb90026 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run
@@ -7,5 +7,7 @@ set -o errexit -o nounset -o pipefail
 dirs=(/dev/shm/logs/frigate /dev/shm/logs/go2rtc /dev/shm/logs/nginx /dev/shm/logs/certsync)
 
 mkdir -p "${dirs[@]}"
-chown nobody:nogroup "${dirs[@]}"
+if [ "$(id -u)" = "0" ]; then
+    chown nobody:nogroup "${dirs[@]}"
+fi
 chmod 02755 "${dirs[@]}"
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run
index 50057d1d7..037e4ccb3 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run
@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/nginx
+exec /usr/local/bin/logutil /dev/shm/logs/nginx/
diff --git a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
index a3c7b3248..2647df0fe 100755
--- a/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
+++ b/docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run
@@ -65,6 +65,11 @@ function set_worker_processes() {
 
 set_worker_processes
 
+# NGINX cannot switch users if running rootless; strip the directive
+if [ "$(id -u)" != "0" ]; then
+    sed -i '/^user root;/d' /usr/local/nginx/conf/nginx.conf || true
+fi
+
 # ensure the directory for ACME challenges exists
 mkdir -p /etc/letsencrypt/www
 
diff --git a/docker/main/rootfs/usr/local/bin/logutil b/docker/main/rootfs/usr/local/bin/logutil
new file mode 100755
index 000000000..93dc6fa4f
--- /dev/null
+++ b/docker/main/rootfs/usr/local/bin/logutil
@@ -0,0 +1,17 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+LOG_DIR=$1
+
+if [ -z "$LOG_DIR" ]; then
+    echo "Usage: $0 <log-dir>"
+    exit 1
+fi
+
+CMD=(s6-log -b -- ${S6_LOGGING_SCRIPT:-n20 s1000000 T} "$LOG_DIR")
+
+if [ "$(id -u)" = "0" ]; then
+    exec /command/s6-envuidgid nobody /command/s6-applyuidgid -U -- "${CMD[@]}"
+else
+    exec "${CMD[@]}"
+fi