Rootless docker with stashapp/stash
"Rootless" comes in two main forms:
- Running with user: x:y in docker-compose
- Other container engines like Podman / Docker Rootless mode / Incus
Unless you're paranoid about security or are running with user restrictions, you don't need to worry about it
Warning
stashapp/stash does NOT support PUID/PGID environment variables. Containers that use that syntax are also rootful by default and, unless otherwise specified, usually break in rootless environments.
```yaml
services:
  stash:
    image: stashapp/stash:latest
    ...
    user: 1000:10000
    environment:
      - USER=stash
      - STASH_CONFIG_FILE=/config/config.yml
    volumes:
      ...
      - /mnt/host/stash:/config
```

We add the USER environment variable to avoid the following error:

```
panic: user: Current requires cgo or $USER set in environment
```

This is necessary since stash looks at $HOME/.config for the default config path.
We also have to override STASH_CONFIG_FILE to point outside of /root/.stash: since we are not running as root, we don't have access to the /root folder, even if we can map a path underneath it.
Set user to whatever UID/GID combo you use for your apps, and make sure that user also has access to the host path you're mapping as a volume (chown it).
If you have every path mapped and would like additional security assurances, you can prevent changes to the container filesystem with read_only: true. This ensures that nothing outside of the mounted paths can be written inside the stash container. This notably includes adding new python dependencies and updating existing ones.
Migration is tricky but can be broken down into a few complicated steps:
- Adjust your config.yml to point to the new paths. Since we cannot use /root/.stash, you need to remap them to other paths; /config is my personal preference, so /root/.stash/scrapers would turn into /config/scrapers
- Adjust the permissions on your new/old folder to match
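The two migration steps above, carried out as an added shell example (not code from the stash project or this page): it rewrites every /root/.stash prefix in a copied config.yml to the new /config prefix, chowns the new host directory to the UID/GID used in the compose file, and counts anything left behind so you can verify the result before starting the container. The config keys in the sample file, the function names, and the default /config prefix are assumptions made for the example.

```shell
#!/bin/sh
# Added example: migrate a rootful stash config directory to a rootless layout.
# Assumptions (not from the page): the old /root/.stash contents have already been
# copied to the host directory that will be bind-mounted at /config, and the
# prefix /config is used unless a third argument overrides it.
set -eu

# Rewrite every /root/.stash path in a config.yml to the new prefix.
# Usage: remap_stash_paths <old config.yml> <new config.yml> [prefix]
remap_stash_paths() {
    in="$1"; out="$2"; prefix="${3:-/config}"
    # '|' is used as the sed delimiter so a prefix containing '/' needs no escaping
    # (assumption: the prefix itself contains no '|').
    sed "s|/root/\.stash|${prefix}|g" "$in" > "$out"
}

# Number of lines still referencing the old rootful location (0 means done).
count_old_paths() {
    grep -c '/root/\.stash' "$1" || true
}

# Give the new host directory to the UID:GID from the compose 'user:' line and
# make sure that user can traverse directories and read/write files.
# Usage: fix_ownership <dir> <uid> <gid>
fix_ownership() {
    dir="$1"; uid="$2"; gid="$3"
    chown -R "$uid:$gid" "$dir"
    chmod -R u+rwX "$dir"
}

# Number of files under <dir> NOT owned by <uid>; anything non-zero would be
# unreadable or unwritable for the rootless container.
count_foreign_files() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# One-shot migration: remap paths in place and fix ownership.
# Usage: migrate_stash_config <dir mounted at /config> <uid> <gid> [prefix]
migrate_stash_config() {
    dir="$1"; uid="$2"; gid="$3"; prefix="${4:-/config}"
    remap_stash_paths "$dir/config.yml" "$dir/config.yml.new" "$prefix"
    mv "$dir/config.yml.new" "$dir/config.yml"
    fix_ownership "$dir" "$uid" "$gid"
    echo "remaining /root/.stash references: $(count_old_paths "$dir/config.yml")"
    echo "files not owned by uid $uid: $(count_foreign_files "$dir" "$uid")"
}

# Example invocation (constructed values; 1000:10000 matches the compose snippet):
#   migrate_stash_config /mnt/host/stash 1000 10000
```

Run it as root (or as the owner of the copied files) once, then check that both reported counts are 0 before bringing the container up with user: 1000:10000.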