
Setting the ownership of your container's files and non-root considerations

Introduction

From v9.2 onwards, containers no longer run as the root user. They run with the following details:

  • user: 5001

  • group: 5001 (this can be changed - see below)

Running as non-root

In line with best practices, this increases the security of your container - as the container runs as a standard user, it adds an extra level of protection in the event a malicious actor attempts to break out of the container.

Using a custom group (5001)

This allows users on your host PC (outside of the container) who are members of the 5001 group to access the files. You can override the 5001 group with a value of your choosing using a configuration file (see "Using a different group ID" below).

Overriding the user ID using Docker


Docker contains other mechanisms to override the user ID and group ID. We do not recommend using these as certain features (e.g. GPU acceleration and recordings) have requirements around using the default user ID.

Upgrading from v9.1

v9.1 supported using a custom GID (default 5001), so that recordings saved by the container are easily accessible outside of the container. That means all your existing container files were saved using the root/5001 user and group.

To operate correctly using a non-root user, there will be a conversion process where, as part of the upgrade, the container will:

  1. Start up as root temporarily and perform a permissions check for the upgrade conversion. If this check fails, the container will stop, and you should check the container's logs for an error. You may have to contact support for advice - please supply the logs containing the error.

  2. Convert all the recording files from user root/5001 to 5001/5001 - this is necessary as the container requires the correct permissions to manage recordings.

  3. If successful, start up normally, using user 5001/5001.

Does your v9.1 compose file already override EV_GID?

If your existing container config file has a custom EV_GID, then the same setting must also be in your updated v9.2 config file for the conversion to work!

Do you use external storage (like a NAS)?

There are situations (like using a mounted NAS for storage) that also have their own permissions. As the container is now no longer running as root, you may have to adjust the permissions granted so that the container can continue to access the recordings location.
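The following is an added example, not part of the product or its documentation: a host-side audit that walks a recordings directory and lists every entry that user 5001 with the configured group could not manage, based on POSIX owner/group/other mode bits. The script name and directory path are placeholders; ACLs and NAS export settings (such as ID mapping or root squash) are not evaluated and must be checked separately.

```python
import os
import stat
import sys

CONTAINER_UID = 5001  # user ID stated on this page
DEFAULT_GID = 5001    # default group; pass your EV_GID value if you override it


def class_bits(st, uid, gid):
    """rwx bits (0-7) that apply to uid/gid: owner class, else group, else other."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid == gid:
        return (mode >> 3) & 7
    return mode & 7


def audit(root, uid=CONTAINER_UID, gid=DEFAULT_GID):
    """Return sorted (path, detail) pairs the given user/group could not manage."""
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths += [os.path.join(dirpath, n) for n in dirnames + filenames]
    problems = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits are not used for access checks
        # Directories need rwx (list, create, traverse); files need rw.
        need = 7 if stat.S_ISDIR(st.st_mode) else 6
        if (class_bits(st, uid, gid) & need) != need:
            mode = stat.S_IMODE(st.st_mode)
            problems.append((path, f"owner {st.st_uid}:{st.st_gid} mode {mode:04o}"))
    return sorted(problems)


if __name__ == "__main__":
    # Usage (hypothetical script name): python3 audit_perms.py /path/to/recordings [EV_GID]
    gid = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_GID
    for path, detail in audit(sys.argv[1], gid=gid):
        print(f"{path}: {detail}")
```

An empty result means the mode bits alone would let the container user read and write everything under the directory; any listed path needs its owner, group or mode adjusted on the host or NAS.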

Using a different group ID

You have multiple options for configuring your container using a config file, including 'burning in' these settings using environment variables, or using a seed config file to provide initial settings for your users.

To change the group the container uses, you can add the following setting to your config file:

| Setting | Description |
|---------|-------------|
| EV_GID | Set the group you want all configuration and recording files to use. The default is 5001. |

On restarting the container, it will change the group of all existing files to the new GID.
