Can Komodo run as non-root on Unraid? #611

Closed
opened 2025-10-31 15:16:23 -05:00 by GiteaMirror · 2 comments

Originally created by @RikudouGoku on GitHub (Sep 30, 2025).

Hi, just a quick question: is it possible to run Komodo on an Unraid server with the PUID:99 and GUID:100 user (nobody and group "user") instead of root, as I believe that is best practice on Unraid?


@serfriz commented on GitHub (Oct 26, 2025):

I've given up trying to run everything in Unraid as user:nobody; it's not best practice to run Docker containers as root, but as long as everything is accessed through VPN or exposed to the internet in a secure way (behind Cloudflare + Caddy + Crowdsec + Authentik in my case) it should be fine.

In Komodo's case I'd never expose it to the internet anyway (only VPN), since it would be a door (secured, but still a door) to pretty much all my servers and services.


@RikudouGoku commented on GitHub (Oct 26, 2025):

> I've given up trying to run everything in Unraid as user:nobody; it's not best practice to run Docker containers as root, but as long as everything is accessed through VPN or exposed to the internet in a secure way (behind Cloudflare + Caddy + Crowdsec + Authentik in my case) it should be fine.
>
> In Komodo's case I'd never expose it to the internet anyway (only VPN), since it would be a door (secured, but still a door) to pretty much all my servers and services.

Oh, totally forgot I asked this, but I managed to make it work. Here is the mongo.compose.yaml content:

```yaml
################################
# 🦎 KOMODO COMPOSE - MONGO 🦎 #
################################

## This compose file will deploy:
##   1. MongoDB
##   2. Komodo Core
##   3. Komodo Periphery

services:
  mongo:
    image: mongo
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
    command: --quiet --wiredTigerCacheSizeGB 0.25
    restart: unless-stopped
    networks:
      - komodo-internal-network
    # ports:
    #   - 27017:27017
    volumes:
      - mongo-data:/data/db
      - mongo-config:/data/configdb
    environment:
      MONGO_INITDB_ROOT_USERNAME: ${KOMODO_DB_USERNAME}
      MONGO_INITDB_ROOT_PASSWORD: ${KOMODO_DB_PASSWORD}
      PUID: 99
      PGID: 100

  core:
    image: ghcr.io/moghtech/komodo-core:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
    restart: unless-stopped
    networks:
      - komodo-network
      - komodo-internal-network
    depends_on:
      - mongo
    ports:
      - 9120:9120
    env_file: ./compose.env
    environment:
      KOMODO_DATABASE_ADDRESS: mongo:27017
      KOMODO_DATABASE_USERNAME: ${KOMODO_DB_USERNAME}
      KOMODO_DATABASE_PASSWORD: ${KOMODO_DB_PASSWORD}
      PUID: 99
      PGID: 100
    volumes:
      ## Store dated backups of the database - https://komo.do/docs/setup/backup
      - ${COMPOSE_KOMODO_BACKUPS_PATH}:/backups
      ## Store sync files on server
      # - /path/to/syncs:/syncs
      ## Optionally mount a custom core.config.toml
      # - /path/to/core.config.toml:/config/config.toml
    ## Allows for systemd Periphery connection at
    ## "https://host.docker.internal:8120"
    # extra_hosts:
    #   - host.docker.internal:host-gateway

  ## Deploy Periphery container using this block,
  ## or deploy the Periphery binary with systemd using
  ## https://github.com/moghtech/komodo/tree/main/scripts

  socket-proxy:
    image: lscr.io/linuxserver/socket-proxy:latest
    environment:
      - ALLOW_START=1
      - ALLOW_STOP=1
      - ALLOW_RESTARTS=1
      - AUTH=1 #optional, enable for pushing builds to registry and increasing pull rate limits
      - BUILD=1 #required to build images
      - COMMIT=0 #optional
      - CONFIGS=0
      - CONTAINERS=1 #required to manage containers
      - DISABLE_IPV6=0
      - DISTRIBUTION=1 #required for image digest and registry info
      - EVENTS=1 #required for core communication
      - EXEC=1 #required for 'exec' into container, future use
      - IMAGES=1 #required to manage images
      - INFO=1
      - NETWORKS=1 #required to manage networks
      - NODES=0
      - PING=1 #required for core communication
      - POST=1 #required for WRITE operations to all other permissions
      - PLUGINS=0 #optional
      - SECRETS=0
      - SERVICES=0
      - SESSION=1
      - SWARM=0
      - SYSTEM=1 #optional, enable for system stats in dashboard
      - TASKS=0
      - VERSION=1 #required for core communication
      - VOLUMES=1 #required to manage volumes
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    restart: unless-stopped
    read_only: true
    tmpfs:
      - /run
    networks:
      - komodo-internal-network

  periphery:
    labels:
      komodo.skip: # Prevent Komodo from stopping with StopAllContainers
    restart: unless-stopped
    networks:
      - komodo-internal-network
    build:
      context: .
      dockerfile_inline: |
        FROM ghcr.io/moghtech/komodo-periphery:${COMPOSE_KOMODO_IMAGE_TAG:-latest}
        # Create the home directory and set the correct permissions
        RUN mkdir -p /home/nobody && \
            chown -R 99:100 /home/nobody

        # Switch to the nobody user
        USER 99:100

        # Set the working directory and home environment variable
        WORKDIR /home/nobody
        ENV HOME=/home/nobody
    env_file: ./compose.env
    environment:
      # THE KEY to making periphery access docker without docker.sock
      DOCKER_HOST: tcp://socket-proxy:2375
    volumes:
      ## Allow Periphery to see processes outside of container
      - /proc:/proc
      ## Specify the Periphery agent root directory.
      ## Must be the same inside and outside the container,
      ## or docker will get confused. See https://github.com/moghtech/komodo/discussions/180.
      ## Default: /etc/komodo.
      - ${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}:${PERIPHERY_ROOT_DIRECTORY:-/etc/komodo}
    depends_on:
      - socket-proxy

networks:
  komodo-network:
    name: komodo-network
    driver: bridge
    ipam:
      config:
        - subnet: 172.45.0.0/28
          gateway: 172.45.0.1

  komodo-internal-network:
    name: komodo-internal-network
    driver: bridge
    internal: true
    ipam:
      config:
        - subnet: 172.45.0.16/29
          gateway: 172.45.0.17

volumes:
  # Mongo
  mongo-data:
  mongo-config:
```

I referenced this.
https://blog.foxxmd.dev/posts/migrating-to-komodo/#create-komodo-periphery-agents

Note that I do not use the git function in it, so I do not know if it works, but according to the blog I linked it should work.

But yeah, I totally get that this is extreme paranoia, as I do not have anything exposed to the public and I access my LAN via WireGuard VPN... but since I am setting up a new server I like to do it once and do it properly. Which also includes using specific subnets for the custom networks.
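Added check, not Komodo's or the poster's code: a small Python audit of the pattern in the compose file above. It flags any service other than socket-proxy that bind-mounts docker.sock, a Periphery without a non-root USER (or user: key) or without DOCKER_HOST pointing at socket-proxy, and a socket-proxy whose POST=1 plus CONTAINERS=1 permissions are reachable from a network that is not internal. COMPOSE is a constructed, trimmed copy of the posted file, and the names env_map and audit are mine.

```python
from typing import Any, Dict, List

SOCK, PROXY = "/var/run/docker.sock", "socket-proxy"

def env_map(env: Any) -> Dict[str, str]:
    # compose 'environment' may be a mapping or a list of "KEY=VALUE" items (# comments dropped)
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    pairs = (str(i).split("#", 1)[0].partition("=") for i in env or [])
    return {k.strip(): v.strip() for k, _, v in pairs}

def audit(compose: Dict[str, Any]) -> List[str]:
    # returns hardening findings; an empty list means the posted pattern is intact
    out: List[str] = []
    nets = compose.get("networks", {})
    for name, svc in compose.get("services", {}).items():
        env = env_map(svc.get("environment"))
        if name != PROXY and any(str(v).startswith(SOCK) for v in svc.get("volumes") or []):
            out.append(f"{name}: bind-mounts docker.sock (root-equivalent on the host)")
        if name == "periphery":
            dockerfile = (svc.get("build") or {}).get("dockerfile_inline", "")
            if not svc.get("user") and "\nUSER " not in dockerfile:
                out.append("periphery: no USER/user: set, container runs as root")
            if not env.get("DOCKER_HOST", "").startswith(f"tcp://{PROXY}:"):
                out.append("periphery: DOCKER_HOST does not point at socket-proxy")
        elif name == PROXY:
            if not svc.get("read_only"):
                out.append("socket-proxy: read_only not set")
            # ':ro' on the socket mount does not limit API calls: POST=1 with CONTAINERS=1 lets
            # any client on the proxy's networks create containers, so keep those networks internal
            if env.get("POST") == "1" and env.get("CONTAINERS") == "1":
                for n in svc.get("networks") or []:
                    if not nets.get(n, {}).get("internal"):
                        out.append(f"socket-proxy: writable Docker API on non-internal network {n}")
    return out

# Constructed, trimmed copy of the posted compose file (for a real file, pass yaml.safe_load's dict)
COMPOSE: Dict[str, Any] = {
    "services": {
        PROXY: {"environment": ["CONTAINERS=1 #required", "POST=1 #required", "BUILD=1"],
                "volumes": [f"{SOCK}:{SOCK}:ro"], "read_only": True,
                "networks": ["komodo-internal-network"]},
        "periphery": {"build": {"dockerfile_inline": "FROM ghcr.io/moghtech/komodo-periphery:latest\nUSER 99:100\n"},
                      "environment": {"DOCKER_HOST": f"tcp://{PROXY}:2375"},
                      "volumes": ["/proc:/proc"], "networks": ["komodo-internal-network"]},
    },
    "networks": {"komodo-internal-network": {"internal": True}},
}
```

Running `audit(COMPOSE)` on the posted layout returns no findings; dropping the inline Dockerfile and mounting docker.sock into periphery directly (the usual starting point) produces three.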

Reference: github-starred/komodo#611