fix(immich): declare the caps its root process needs over the subuid-owned data tree

capabilities:[] was latent — the long-lived legacy container predated
strict manifest enforcement, so nothing noticed that a recreate against
this manifest produces a root process without DAC_OVERRIDE that
EACCESes on upload/encoded-video and crash-loops (49 systemd restarts
on .228 when the 2026-07-05 secret-env migration finally recreated
it). Any reinstall or reboot-repair would have tripped the same wire.

Cap set mirrors immich-postgres minus SETUID/SETGID.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
archipelago 2026-07-05 16:33:30 -04:00
parent 4665e497d7
commit 11a4f2910a

@ -30,7 +30,13 @@ app:
disk_limit: 200Gi
security:
capabilities: []
# Runs as container root over a data tree the legacy installer chowned
# to the subuid range (host 100000 = container uid 1). Without
# DAC_OVERRIDE the server EACCESes writing upload/encoded-video the
# moment the container is recreated against this manifest (latent until
# the 2026-07-05 secret-env migration recreated it). Same cap set as
# immich-postgres minus the setuid pair it doesn't use.
capabilities: [CHOWN, DAC_OVERRIDE, FOWNER]
readonly_root: false
network_policy: isolated
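Review bot: the comment block above `capabilities: [CHOWN, DAC_OVERRIDE, FOWNER]` justifies only DAC_OVERRIDE (the EACCES on upload/encoded-video); CHOWN and FOWNER are carried over purely by parity with immich-postgres ("Same cap set as immich-postgres minus the setuid pair"), so either name the immich-server operation that needs each of them or drop them, since an unneeded cap on a container-root process over a bind-mounted data tree is pure attack surface. The comment also states the root cause plainly (the legacy installer chowned the tree to the subuid range, host 100000 = container uid 1, while the process runs as container root), and DAC_OVERRIDE papers over that mismatch rather than fixing it: it lets the process bypass mode bits on every file the container can see, not just upload/encoded-video. Suggest recording, in the comment or a follow-up, that the intended end state is a one-time re-own of the data tree to the host uid that container root maps to (or running the server as the uid the files already belong to), after which this can return to `capabilities: []` and the manifest enforcement the commit message mentions would catch any regression.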