Merge 4359aca5bf into 814c497bef

docker/main/Dockerfile

@@ -287,6 +287,9 @@ RUN --mount=type=bind,source=docker/main/install_memryx.sh,target=/deps/install_
 
 COPY --from=deps-rootfs / /
 
+RUN mkdir -p /etc/letsencrypt/www /etc/letsencrypt/live/frigate /usr/local/nginx/logs /config /run /tmp/cache /media/frigate \
+    && chmod -R a+rwX /etc/letsencrypt /usr/local/nginx /config /run /tmp/cache /media/frigate
+
 RUN ldconfig
 
 EXPOSE 5000
@@ -297,6 +300,8 @@ EXPOSE 8555/tcp 8555/udp
 ENV S6_LOGGING_SCRIPT="T 1 n0 s10000000 T"
 # Do not fail on long-running download scripts
 ENV S6_CMD_WAIT_FOR_SERVICES_MAXTIME=0
+# Set HOME to cache directory so rootless users can cache downloaded models
+ENV HOME=/tmp/cache
 
 ENTRYPOINT ["/init"]
 CMD []

docker/main/rootfs/etc/s6-overlay/s6-rc.d/certsync-log/run

@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/certsync
+exec /usr/local/bin/logutil /dev/shm/logs/certsync/

docker/main/rootfs/etc/s6-overlay/s6-rc.d/frigate-log/run

@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/frigate
+exec /usr/local/bin/logutil /dev/shm/logs/frigate/

docker/main/rootfs/etc/s6-overlay/s6-rc.d/go2rtc-log/run

@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/go2rtc
+exec /usr/local/bin/logutil /dev/shm/logs/go2rtc/

docker/main/rootfs/etc/s6-overlay/s6-rc.d/log-prepare/run

@@ -7,5 +7,7 @@ set -o errexit -o nounset -o pipefail
 dirs=(/dev/shm/logs/frigate /dev/shm/logs/go2rtc /dev/shm/logs/nginx /dev/shm/logs/certsync)
 
 mkdir -p "${dirs[@]}"
-chown nobody:nogroup "${dirs[@]}"
+if [ "$(id -u)" = "0" ]; then
+    chown nobody:nogroup "${dirs[@]}"
+fi
 chmod 02755 "${dirs[@]}"

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx-log/run

@@ -1,4 +1,4 @@
 #!/command/with-contenv bash
 # shellcheck shell=bash
 
-exec logutil-service /dev/shm/logs/nginx
+exec /usr/local/bin/logutil /dev/shm/logs/nginx/

docker/main/rootfs/etc/s6-overlay/s6-rc.d/nginx/run

@@ -65,6 +65,11 @@ function set_worker_processes() {
 
 set_worker_processes
 
+# NGINX cannot switch users if running rootless; strip the directive
+if [ "$(id -u)" != "0" ]; then
+    sed -i '/^user root;/d' /usr/local/nginx/conf/nginx.conf || true
+fi
+
 # ensure the directory for ACME challenges exists
 mkdir -p /etc/letsencrypt/www
 

docker/main/rootfs/usr/local/bin/logutil

@@ -0,0 +1,17 @@
+#!/command/with-contenv bash
+# shellcheck shell=bash
+
+LOG_DIR=$1
+
+if [ -z "$LOG_DIR" ]; then
+    echo "Usage: $0 <log-dir>"
+    exit 1
+fi
+
+CMD=(s6-log -b -- ${S6_LOGGING_SCRIPT:-n20 s1000000 T} "$LOG_DIR")
+
+if [ "$(id -u)" = "0" ]; then
+    exec /command/s6-envuidgid nobody /command/s6-applyuidgid -U -- "${CMD[@]}"
+else
+    exec "${CMD[@]}"
+fi