Instead of running as root, create a dedicated navidrome user (UID 1000)
in the container and use Kubernetes fsGroup to ensure PVC volumes are
writable. This provides defense-in-depth against container escape attacks.

- Dockerfile: add navidrome user/group (1000), set USER 1000
- Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup)
- Deployment: add container securityContext (runAsNonRoot, no privilege escalation)
- Bump image to v1.0.3 (v1.0.2 was built without these changes)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

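The Deployment settings the commit message lists, written out as an added example (this is not the repository's own manifest; the Deployment name, labels, image reference `navidrome:v1.0.3`, mount path `/data` and PVC name `navidrome-data` are assumed for illustration):

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: navidrome            # assumed name
spec:
  replicas: 1
  selector:
    matchLabels:
      app: navidrome
  template:
    metadata:
      labels:
        app: navidrome
    spec:
      # Pod-level securityContext (the "fsGroup, runAsUser, runAsGroup" bullet).
      # fsGroup makes the kubelet set group 1000 on the PVC's files and set the
      # setgid bit on directories, so a process running as 1000:1000 can write
      # the SQLite database without the container ever running as root.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: navidrome
          image: navidrome:v1.0.3   # assumed registry/name; tag from the commit
          # Container-level securityContext (the "runAsNonRoot, no privilege
          # escalation" bullet). runAsNonRoot makes the kubelet refuse to start
          # the container if the image's USER resolves to UID 0, which catches
          # an image that was rebuilt without the Dockerfile change.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
          volumeMounts:
            - name: data
              mountPath: /data       # assumed; where the SQLite DB lives
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: navidrome-data   # assumed PVC name
```

The Dockerfile side, for an Alpine-based image (an assumption; the commit mentions zlib-dev, which suggests Alpine), would be `RUN addgroup -g 1000 navidrome && adduser -u 1000 -G navidrome -D navidrome` followed by `USER 1000`. A quick check after rollout: `kubectl exec deploy/navidrome -- id` should report `uid=1000 gid=1000`, and `kubectl exec deploy/navidrome -- touch /data/.write-test` should succeed; if it fails with a permission error, the volume's group ownership was not applied, which is the SQLite write failure the v1.0.1 note below describes.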
The v1.0.1 image was built before the USER 65534 removal,
causing SQLite write failures at runtime. v1.0.2 includes
both the zlib-dev build fix and the non-root user removal.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>