ppaslan a49152d08d feat: add non-root fast path for K8s and hardened Docker deployments (#415) ...

The container previously required starting as root to handle PUID/PGID/UMASK
and chown the config volume. This made it incompatible with Kubernetes Pod
Security Standards (runAsNonRoot, capability dropping) and hardened Docker
setups.

The entrypoint now detects if it is already running as a non-root user and
skips all privilege operations, execing the app directly. Volume ownership
is expected to be handled externally (K8s fsGroup, pre-provisioned storage).

A build-time profilarr user (UID/GID 1000) is added to the image so tooling
that requires a named passwd entry is satisfied. Existing root/PUID/PGID
behaviour is unchanged.

Co-authored-by: ppaslan <pal@aslan.cx>

2026-04-10 06:43:16 +09:30

3.9 KiB

Executable File

Raw Permalink Blame History

View Raw