Fix navidrome custom container image v1.0.2 #194

Merged
eblume merged 2 commits from fix/navidrome-container-v1.0.2 into main 2026-02-16 08:24:34 -08:00
3 changed files with 13 additions and 3 deletions
Showing only changes of commit de476bab45

Run navidrome as non-root user with fsGroup for volume access
All checks were successful
Build Container / build (push) Successful in 28s

Instead of running as root, create a dedicated navidrome user (UID 1000)
in the container and use Kubernetes fsGroup to ensure PVC volumes are
writable. This provides defense-in-depth against container escape attacks.

- Dockerfile: add navidrome user/group (1000), set USER 1000
- Deployment: add pod securityContext (fsGroup, runAsUser, runAsGroup)
- Deployment: add container securityContext (runAsNonRoot, no privilege escalation)
- Bump image to v1.0.3 (v1.0.2 was built without these changes)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-02-16 08:07:36 -08:00
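The commit message above names the pod-level settings (`runAsUser`, `runAsGroup`, `fsGroup`) and the container-level ones (`runAsNonRoot`, `allowPrivilegeEscalation`) but gives no way to verify them before a deploy. As an added example (mine, not code from the blumeops repo or from navidrome), the Python check below takes a parsed Deployment and lists which of those settings are missing or wrong, including the v1.0.2 shape the message describes (root, no securityContext). The function names, and the `data` volume and `navidrome-data` claim names in the sample manifests, are assumptions; the hunks in this commit do not show the volumes section.

```python
"""Static policy check for the pod hardening described in the commit above.

Added example, not code from the blumeops repo or from navidrome. It takes an
already-parsed Deployment (a dict, the shape yaml.safe_load returns) and lists
which non-root / fsGroup settings are missing, so the v1.0.2 -> v1.0.3 change
can be gated in CI rather than spotted by eye.
"""
from typing import Any, Optional

Findings = list[str]


def effective_container_context(pod_sc: dict, ctr_sc: dict) -> dict:
    """Merge pod- and container-level securityContext the way the kubelet does:
    container keys override pod keys; fsGroup is pod-only and is never inherited
    into a container."""
    merged = {k: v for k, v in pod_sc.items() if k != "fsGroup"}
    merged.update(ctr_sc)
    return merged


def check_deployment(manifest: dict[str, Any]) -> Findings:
    """Return one finding per problem; an empty list means the pod passes."""
    findings: Findings = []
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    pod_sc = pod.get("securityContext") or {}
    volumes = pod.get("volumes") or []

    # A PVC keeps whatever ownership the first writer gave it (often root from an
    # earlier image); without fsGroup a UID-1000 process gets EACCES on its files.
    if any("persistentVolumeClaim" in v for v in volumes) and "fsGroup" not in pod_sc:
        findings.append("pod: persistentVolumeClaim mounted but no fsGroup set")

    for ctr in pod.get("containers") or []:
        name = ctr.get("name", "<unnamed>")
        sc = effective_container_context(pod_sc, ctr.get("securityContext") or {})
        uid = sc.get("runAsUser")
        if uid == 0:
            findings.append(f"{name}: runAsUser is 0 (root)")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        elif uid is None:
            # Allowed, but then the kubelet must read USER from the image at
            # start; a non-numeric USER fails with CreateContainerConfigError.
            findings.append(f"{name}: runAsNonRoot set without a numeric runAsUser; "
                            "relies on the image USER being numeric")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation not explicitly false")
        if sc.get("privileged") is True:
            findings.append(f"{name}: privileged container")
    return findings


def build_deployment(image: str, pod_sc: Optional[dict], ctr_sc: Optional[dict]) -> dict:
    """Build a minimal Deployment. The volume and claim names are constructed
    assumptions; the hunk in this commit does not show the volumes section."""
    ctr: dict[str, Any] = {"name": "navidrome", "image": image}
    if ctr_sc is not None:
        ctr["securityContext"] = ctr_sc
    spec: dict[str, Any] = {
        "containers": [ctr],
        "volumes": [{"name": "data",
                     "persistentVolumeClaim": {"claimName": "navidrome-data"}}],
    }
    if pod_sc is not None:
        spec["securityContext"] = pod_sc
    return {"apiVersion": "apps/v1", "kind": "Deployment",
            "spec": {"template": {"spec": spec}}}


# Before: the v1.0.2 deployment as the commit describes it (root, no securityContext).
BEFORE = build_deployment("registry.ops.eblu.me/blumeops/navidrome:v1.0.2", None, None)

# After: the two securityContext blocks exactly as added in this commit.
AFTER = build_deployment(
    "registry.ops.eblu.me/blumeops/navidrome:v1.0.3",
    {"runAsUser": 1000, "runAsGroup": 1000, "fsGroup": 1000},
    {"runAsNonRoot": True, "allowPrivilegeEscalation": False},
)

if __name__ == "__main__":
    for label, manifest in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: {check_deployment(manifest) or ['OK']}")
```

Against a real file, call `check_deployment(yaml.safe_load(open("deployment.yaml")))`. The merge in `effective_container_context` is the part that matters: in this commit `runAsUser` lives at pod level while `runAsNonRoot` lives on the container, and a checker that reads only one level reports the pod as either fully hardened or not hardened at all.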

@ -14,9 +14,16 @@ spec:
labels:
app: navidrome
spec:
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: navidrome
image: registry.ops.eblu.me/blumeops/navidrome:v1.0.2
image: registry.ops.eblu.me/blumeops/navidrome:v1.0.3
securityContext:
runAsNonRoot: true
allowPrivilegeEscalation: false
ports:
- containerPort: 4533
name: http
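Review bot: `fsGroup: 1000` on the pod securityContext makes the kubelet recursively chown and chmod the whole PVC on every mount, because `fsGroupChangePolicy` defaults to `Always`; on a large music library that delays pod start, and adding `fsGroupChangePolicy: OnRootMismatch` next to `fsGroup` skips the walk once the volume root is already owned by group 1000. The container securityContext is also the place to add `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}`; a music server has no obvious need for either, and those are the remaining fields the restricted Pod Security Standard expects alongside `runAsNonRoot: true` and `allowPrivilegeEscalation: false`.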

@ -42,10 +42,13 @@ LABEL org.opencontainers.image.description="Navidrome is a self-hosted music ser
# Points to upstream canonical source, not the forge mirror used for builds
LABEL org.opencontainers.image.source=https://github.com/navidrome/navidrome
RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg
RUN apk add --no-cache ca-certificates tzdata taglib ffmpeg \
&& addgroup -g 1000 navidrome \
&& adduser -u 1000 -G navidrome -D navidrome
COPY --from=build /navidrome /usr/bin/navidrome
EXPOSE 4533
USER 1000
CMD ["/usr/bin/navidrome"]
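Review bot: the `adduser` line gives the new account a home directory and a login shell it does not need; `adduser -u 1000 -G navidrome -D -H -s /sbin/nologin navidrome` keeps the same UID/GID 1000 mapping but leaves no shell for an attacker who compromises the process. Also worth a one-line comment above `USER 1000` stating that the image deliberately creates no writable data directory and that writes go to the fsGroup-owned PVC: the previous description line records that this non-root user was removed once already because SQLite could not write, and a comment in the Dockerfile is the cheapest way to stop that regression being reintroduced.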

@ -1 +1 @@
Fix navidrome custom container image (removed non-root user that prevented SQLite writes)
Switch navidrome to custom container image with dedicated non-root user and fsGroup security context
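Review bot: the new description drops the reason the old line recorded (the non-root user was removed because SQLite writes failed). Keep that rationale, for example "... with dedicated non-root user and fsGroup security context (fsGroup is what makes the PVC writable for the SQLite database)", so the next reader sees that fsGroup is load-bearing and not a cosmetic hardening flag.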