github-starred/open-webui
2
0
Fork 0
mirror of https://github.com/open-webui/open-webui.git synced 2026-05-08 12:58:11 -05:00
Code Issues 1.3k Packages Projects Releases 126 Wiki Activity

[GH-ISSUE #959] Unable to run open-webui docker container as non-root user #12269

New Issue
Closed
opened 2026-04-19 19:09:49 -05:00 by GiteaMirror · 1 comment
GiteaMirror commented 2026-04-19 19:09:49 -05:00
Owner
Copy Link

Originally created by @Zyzzx on GitHub (Feb 28, 2024).
Original GitHub issue: https://github.com/open-webui/open-webui/issues/959

Bug Report

After upgrading I am no longer able to run the open-webui docker container as a non-root user.

Description

I have been building the docker container and run it with: -user=$(id ollama -u):$(id ollama -g)
This has been the case for a while now. I don't like anything running as root even in docker containers.
I have a directory which I mount for the app data which is also owned by the ollama user, and it has been working
fine.

Bug Summary:
From what I can see, getting into both the built and downloaded container, all the files and
directories in the container are owned by root and within the startup process within the container files are copied from
one location in the container to another. When it is running as a different user then it fails with a "permission denied" error trying to copy the favicon.ico file to a new location.

Steps to Reproduce:
Run the docker container as specified in the documentation (without restart), but have it run as a different user (choose your own):

docker run -d -p 3000:8080 -user=$(id ollama -u):$(id ollama -g) --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --rm ghcr.io/open-webui/open-webui:main

Expected Behavior:
I expected it to run exactly as before (3 or 4 days prior), which it has been. I build it and run it. Not had any problems.

Actual Behavior:
Startup fails with a permission denied error. See container console log.

Environment

  • Ubuntu Linux 22.04/amd64:

Reproduction Details

I entered the container with bash and did verify that everything was owned by root and the scripts were trying to copy file within the running container.

Confirmation:

  • [ X] I have read and followed all the instructions provided in the README.md.
  • [ X] I have reviewed the troubleshooting.md document.
  • I have included the browser console logs.
  • [ X] I have included the Docker container logs.

Logs and Screenshots

Docker Container Logs:

Status: Downloaded newer image for ghcr.io/open-webui/open-webui:main
No WEBUI_SECRET_KEY provided
Generating WEBUI_SECRET_KEY
start.sh: line 15: .webui_secret_key: Permission denied
Loading WEBUI_SECRET_KEY from .webui_secret_key
cat: .webui_secret_key: No such file or directory
Traceback (most recent call last):
  File "/usr/local/bin/uvicorn", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 418, in main
    run(
  File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 587, in run
    server.run()
  File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 62, in run
    return asyncio.run(self.serve(sockets=sockets))
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run
    return runner.run(main)
           ^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run
    return self._loop.run_until_complete(task)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "uvloop/loop.pyx", line 1517, in uvloop.loop.Loop.run_until_complete
  File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 69, in serve
    config.load()
  File "/usr/local/lib/python3.11/site-packages/uvicorn/config.py", line 458, in load
    self.loaded_app = import_from_string(self.app)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 21, in import_from_string
    module = importlib.import_module(module_str)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1204, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1176, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 690, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 940, in exec_module
  File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed
  File "/app/backend/main.py", line 21, in <module>
    from apps.ollama.main import app as ollama_app
  File "/app/backend/apps/ollama/main.py", line 11, in <module>
    from apps.web.models.users import Users
  File "/app/backend/apps/web/models/users.py", line 8, in <module>
    from apps.web.internal.db import DB
  File "/app/backend/apps/web/internal/db.py", line 2, in <module>
    from config import DATA_DIR
  File "/app/backend/config.py", line 27, in <module>
    shutil.copyfile("../build/favicon.png", "./static/favicon.png")
  File "/usr/local/lib/python3.11/shutil.py", line 258, in copyfile
    with open(dst, 'wb') as fdst:
         ^^^^^^^^^^^^^^^

PermissionError: [Errno 13] Permission denied: './static/favicon.png'

And in case the markdown butchers the output...

docker_console.log

Installation Method

docker build . -t open-webui:latest

Additional Information

It seems strange to me that the copying of these files for the webserver is not done at build time.

Originally created by @Zyzzx on GitHub (Feb 28, 2024). Original GitHub issue: https://github.com/open-webui/open-webui/issues/959 # Bug Report After upgrading I am no longer able to run the open-webui docker container as a non-root user. ## Description I have been building the docker container and run it with: -user=$(id ollama -u):$(id ollama -g) This has been the case for a while now. I don't like anything running as root even in docker containers. I have a directory which I mount for the app data which is also owned by the ollama user, and it has been working fine. **Bug Summary:** From what I can see, getting into both the built and downloaded container, all the files and directories in the container are owned by root and within the startup process within the container files are copied from one location in the container to another. When it is running as a different user then it fails with a "permission denied" error trying to copy the favicon.ico file to a new location. **Steps to Reproduce:** Run the docker container as specified in the documentation (without restart), but have it run as a different user (choose your own): docker run -d -p 3000:8080 -user=$(id ollama -u):$(id ollama -g) --add-host=host.docker.internal:host-gateway -v open-webui:/app/backend/data --name open-webui --rm ghcr.io/open-webui/open-webui:main **Expected Behavior:** I expected it to run exactly as before (3 or 4 days prior), which it has been. I build it and run it. Not had any problems. **Actual Behavior:** Startup fails with a permission denied error. See container console log. ## Environment - **Ubuntu Linux 22.04/amd64:** ## Reproduction Details I entered the container with bash and did verify that everything was owned by root and the scripts were trying to copy file within the running container. **Confirmation:** - [ X] I have read and followed all the instructions provided in the README.md. - [ X] I have reviewed the troubleshooting.md document. - [ ] I have included the browser console logs. - [ X] I have included the Docker container logs. ## Logs and Screenshots **Docker Container Logs:** ```console Status: Downloaded newer image for ghcr.io/open-webui/open-webui:main No WEBUI_SECRET_KEY provided Generating WEBUI_SECRET_KEY start.sh: line 15: .webui_secret_key: Permission denied Loading WEBUI_SECRET_KEY from .webui_secret_key cat: .webui_secret_key: No such file or directory Traceback (most recent call last): File "/usr/local/bin/uvicorn", line 8, in <module> sys.exit(main()) ^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1157, in __call__ return self.main(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1078, in main rv = self.invoke(ctx) ^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 1434, in invoke return ctx.invoke(self.callback, **ctx.params) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/click/core.py", line 783, in invoke return __callback(*args, **kwargs) ^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 418, in main run( File "/usr/local/lib/python3.11/site-packages/uvicorn/main.py", line 587, in run server.run() File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 62, in run return asyncio.run(self.serve(sockets=sockets)) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/asyncio/runners.py", line 190, in run return runner.run(main) ^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/asyncio/runners.py", line 118, in run return self._loop.run_until_complete(task) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "uvloop/loop.pyx", line 1517, in uvloop.loop.Loop.run_until_complete File "/usr/local/lib/python3.11/site-packages/uvicorn/server.py", line 69, in serve config.load() File "/usr/local/lib/python3.11/site-packages/uvicorn/config.py", line 458, in load self.loaded_app = import_from_string(self.app) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/site-packages/uvicorn/importer.py", line 21, in import_from_string module = importlib.import_module(module_str) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/local/lib/python3.11/importlib/__init__.py", line 126, in import_module return _bootstrap._gcd_import(name[level:], package, level) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "<frozen importlib._bootstrap>", line 1204, in _gcd_import File "<frozen importlib._bootstrap>", line 1176, in _find_and_load File "<frozen importlib._bootstrap>", line 1147, in _find_and_load_unlocked File "<frozen importlib._bootstrap>", line 690, in _load_unlocked File "<frozen importlib._bootstrap_external>", line 940, in exec_module File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed File "/app/backend/main.py", line 21, in <module> from apps.ollama.main import app as ollama_app File "/app/backend/apps/ollama/main.py", line 11, in <module> from apps.web.models.users import Users File "/app/backend/apps/web/models/users.py", line 8, in <module> from apps.web.internal.db import DB File "/app/backend/apps/web/internal/db.py", line 2, in <module> from config import DATA_DIR File "/app/backend/config.py", line 27, in <module> shutil.copyfile("../build/favicon.png", "./static/favicon.png") File "/usr/local/lib/python3.11/shutil.py", line 258, in copyfile with open(dst, 'wb') as fdst: ^^^^^^^^^^^^^^^ PermissionError: [Errno 13] Permission denied: './static/favicon.png' ``` And in case the markdown butchers the output... [docker_console.log](https://github.com/open-webui/open-webui/files/14439142/docker_console.log) ## Installation Method docker build . -t open-webui:latest ## Additional Information It seems strange to me that the copying of these files for the webserver is not done at build time.
GiteaMirror commented 2026-04-19 19:09:51 -05:00
Author
Owner
Copy Link

@tjbck commented on GitHub (Mar 3, 2024):

Unofficial method of installation, but I'd like to know any possible solutions for this. Moving to discussion.

<!-- gh-comment-id:1975278084 --> @tjbck commented on GitHub (Mar 3, 2024): Unofficial method of installation, but I'd like to know any possible solutions for this. Moving to discussion.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
bug
confirmed
confirmed issue
core
documentation
enhancement
good first issue
help wanted
non-core
pull-request
Mirrored from GitHub Pull Request
 python
question
testing wanted
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#12269
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?