I notice that in the plex container, only the s6 supervisor software runs as root while the Plex application itself runs as the supplied PLEX_UID.
As of version 3.2.0.0 (released 3 months ago), the s6-overlay software supports running as a non-root user. From their readme:
As of version 3.2.0.0, s6-overlay has limited support for running as a user other than root:
- Tools like fix-attrs and logutil-service are unlikely to work (they rely on being able to change UIDs).
- The syslogd emulation will not work.
Generally speaking, if you’re running a simple container with a main application and one or two support services, you may benefit from the USER directive if that is your preferred way of running containers.
The plex container seems to fit the bill. Could you please consider supporting running the plexinc/pms-docker image with “docker run --user myusername”? In general, it’s more secure for containers to never have root. If you fully commit to having your users always supply “--user” and trust docker users to not mess up directory permissions, you can get rid of PLEX_UID, PLEX_GID, CHANGE_CONFIG_DIR_OWNERSHIP variables and simplify your code as well.