Docker Container - non root user dev/shm access

[BlackShadow171]

Hi all

I was searching around and it doesn’t appear that many have setup frigate in a docker container to run as non root. I found one other that seemed to have done it but I was unclear on their pathway.

I seem to be having the issue where it gets stuck on:

chown: changing ownership of '/dev/shm/logs/frigate': Operation not permitted
chown: changing ownership of '/dev/shm/logs/go2rtc': Operation not permitted
chown: changing ownership of '/dev/shm/logs/nginx': Operation not permitted
chown: changing ownership of '/dev/shm/logs/certsync': Operation not permitted

I gather that these are the temp files that frigate creates on start with RAM.

I’ve setup the user in ACL to RW- to /dev/shm thinking that would solve it. I might have to go back to reviewing ACL controls to see how it applies to created folders.

Just wondered if anyone else had come across this or have any thoughts.

[inkeep-ai-assistant[bot]]

Running Frigate in Docker as a non-root user is possible but requires several adjustments, especially for handling /dev/shm and directory ownership issues. Based on user findings:

• You need to ensure the non-root user inside the container has the correct UID/GID and is in the groups that own /dev/shm and related device files.
• Use the user and group_add options in your docker-compose (or Docker run) to specify the UID/GID and relevant groups for device access.
• Mount /dev/shm as tmpfs with the correct permissions, for example:

  tmpfs:
    - /dev/shm:mode=770,uid=YOUR_UID,gid=YOUR_GID,size=268435456
  

  Replace YOUR_UID and YOUR_GID with the actual values used for your container user.
• Make sure all necessary override directories and files (for logs, nginx, etc.) exist and are writable by your non-root user.
• You might also need to adjust S6 overlay and related init scripts as described in community discussions for full non-root compatibility.

For more implementation details and example configurations, see the discussion at Running Frigate as a non-root user in Docker(1).

📚 Sources:

1. Running Frigate as a non-root user in Docker

---

Have another question? Just tag @inkeep.

[ZhaiSoul]

Are you mapping /dev/shm in the volume? Please don't do this.

/dev/shm: Internal cache for raw decoded frames in shared memory. It is not recommended to modify this directory or map it with docker. The minimum size is impacted by the shm-size calculations below.

https://docs.frigate.video/frigate/installation#storage

[BlackShadow171]

No im not mapping dev/shm.

if I’ve understood what the code is trying to do, its creating folders in internal cache for temporary use then trying via chown command to make them owned by the user that is set to run docker container. The problem is that only the root user being the current owner has the power to change owner to things created in dev/shm.

I’m not sure if I should be worried about frigate running as root user or not. I thought it would be a good way to learn more about what it does.

I’ll have a think maybe there is a better logic for how I manage the dev/shm.