Fix navidrome custom container image v1.0.2 #194

Merged
eblume merged 2 commits from fix/navidrome-container-v1.0.2 into main 2026-02-16 08:24:34 -08:00
Owner

Summary

  • Switch navidrome deployment from upstream deluan/navidrome:0.60.3 back to custom image registry.ops.eblu.me/blumeops/navidrome:v1.0.2
  • The v1.0.1 image was tagged before the USER 65534 removal commit, so it still ran as a non-root user that couldn't write to the SQLite data directory
  • v1.0.2 is built from current main which includes both the zlib-dev build fix and the non-root user removal

Deployment and Testing

  • Wait for CI to build navidrome:v1.0.2 image
  • Sync via ArgoCD and verify pod starts without CrashLoopBackOff
  • Verify navidrome UI accessible at https://navidrome.ops.eblu.me
The v1.0.1 image was built before the USER 65534 removal,
causing SQLite write failures at runtime. v1.0.2 includes
both the zlib-dev build fix and the non-root user removal.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Run navidrome as non-root user with fsGroup for volume access
All checks were successful
Build Container / build (push) Successful in 28s
de476bab45
Instead of running as root, create a dedicated navidrome user (UID 1000)
in the container and use Kubernetes fsGroup to ensure PVC volumes are
writable. This provides defense-in-depth against container escape attacks.

- Dockerfile: add navidrome user/group (1000), set USER 1000
- Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup)
- Deployment: add container securityContext (runAsNonRoot, no privilege escalation)
- Bump image to v1.0.3 (v1.0.2 was built without these changes)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
eblume merged commit 74294094e3 into main 2026-02-16 08:24:34 -08:00
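
The settings listed in the second commit message, written out as an added example manifest fragment (not the repository's actual Deployment). UID/GID 1000, the image path and the v1.0.3 tag come from this page; the resource names, the `/data` mount path, the claim name and `fsGroupChangePolicy` are assumptions.

```yaml
# Added example, not the repository's manifest.
# From the page: UID/GID 1000, image registry path, tag v1.0.3.
# Assumed: resource names, /data mount path, claim name, fsGroupChangePolicy.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: navidrome
spec:
  replicas: 1
  selector:
    matchLabels:
      app: navidrome
  template:
    metadata:
      labels:
        app: navidrome
    spec:
      # Pod-level context: applies to every container in the pod.
      securityContext:
        runAsUser: 1000    # matches USER 1000 in the Dockerfile
        runAsGroup: 1000
        # For volume types that support ownership management, the kubelet
        # makes the volume group-owned by this GID and adds it to the
        # process's supplemental groups, so the non-root process can write
        # the SQLite data directory.
        fsGroup: 1000
        # Skip the recursive ownership change when the volume root
        # already has the expected owner and permissions.
        fsGroupChangePolicy: OnRootMismatch
      containers:
        - name: navidrome
          image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3
          # Container-level context.
          securityContext:
            runAsNonRoot: true               # kubelet refuses to start the container as UID 0
            allowPrivilegeEscalation: false  # sets no_new_privs; setuid binaries cannot gain privileges
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: navidrome-data
```

With `runAsNonRoot: true` set, an image that still resolves to UID 0 fails at container start with a config error rather than at the first SQLite write.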
Reference
eblume/blumeops!194