
Docker image cannot run as non-root user - documentation examples don't work #309

@mydogsburneraccount

Docker Image Cannot Run as Non-Root User - Documentation Examples Don't Work

Summary

The official documentation shows running Listenarr with --user 1001:1001, but this configuration causes immediate crash loops due to filesystem permission issues in the Docker image. The image cannot run as a non-root user despite what the docs claim.

Environment

  • Image: ghcr.io/therobbiedavis/listenarr:canary
  • Tag: canary (tested 2026-01-15, latest as of issue date)
  • Docker Version: 24.0.7
  • Host OS: Linux (Ubuntu 22.04)

Expected Behavior (Per Official Docs)

From the official README:

## Replace with your desired UID and GID
docker run -d \
  --user 1001:1001 \
  --name listenarr \
  -p 4545:4545 \
  -v listenarr_data:/app/config \
  ghcr.io/therobbiedavis/listenarr:canary

Expected: Container starts successfully, runs as UID 1001

Actual Behavior

Actual: Container enters crash loop with permission denied errors:

System.UnauthorizedAccessException: Access to the path '/app/config/dataprotection-keys' is denied.
 ---> System.IO.IOException: Permission denied
   at System.IO.FileSystem.CreateDirectory(String fullPath, UnixFileMode unixCreateMode)
   at System.IO.Directory.CreateDirectory(String path)
   at Program.<Main>$(String[] args) in /home/runner/work/Listenarr/Listenarr/listenarr.api/Program.cs:line 654

Root Cause

Inspection of the Docker image reveals that /app/config is baked into the image with restrictive permissions:

$ docker run --rm --entrypoint ls ghcr.io/therobbiedavis/listenarr:canary -la /app/ | grep config
drwxr-xr-x  3 root root    4096 Jan 14 23:30 config

The issue:

  1. /app directory is owned by root:root with 755 permissions
  2. /app/config subdirectory exists in the image as root:root
  3. When running as non-root user (e.g., 1001), the application cannot create subdirectories in /app/config/
  4. Application tries to create:
    • /app/config/appsettings/
    • /app/config/dataprotection-keys/
  5. Permission denied → crash loop

Steps to Reproduce

  1. Create docker-compose.yml:
version: '3.8'
services:
  listenarr:
    image: ghcr.io/therobbiedavis/listenarr:canary
    user: "1001:1001"
    ports:
      - "4545:4545"
    volumes:
      - listenarr_data:/app/config

volumes:
  listenarr_data:
  2. Run: docker-compose up
  3. Observe crash loop in logs

Tested Workarounds (None Work)

| Workaround | Result |
| --- | --- |
| Pre-create volume with correct ownership | ❌ Still fails - parent /app restricts subdirectory creation |
| Use different mount point (/config) | ❌ App hardcoded to use /app/config |
| Fix permissions in entrypoint script | ❌ Would require root (defeats purpose of non-root) |

Current Working Configuration (Insecure)

The only working configuration is to run as root:

listenarr:
  image: ghcr.io/therobbiedavis/listenarr:canary
  # NO user: directive - runs as root
  ports:
    - "4545:4545"
  volumes:
    - listenarr_data:/app/config

This violates Docker security best practices and contradicts the official documentation.
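
The permission check behind the root-cause listing above, as an added example that is not part of the original issue or the Listenarr project: a shell function that decides from a directory's mode string and numeric owner whether a given UID:GID can create subdirectories in it. The function name and the sample values are constructed for illustration; ACLs, supplementary groups and read-only mounts are ignored.

```shell
#!/bin/sh
# can_create_in MODE OWNER_UID OWNER_GID RUN_UID RUN_GID   (hypothetical helper)
# Returns 0 if a process running as RUN_UID:RUN_GID may create entries in a
# directory with the given symbolic mode and numeric owner, otherwise 1.
# Creating an entry needs both write (w) and search (x) on the directory.
#
# Input can be taken from an image the same way the issue runs ls, e.g.
#   docker run --rm --entrypoint stat <image> -c '%A %u %g' /app/config
# (assumption: the image ships a stat binary that supports -c).
can_create_in() {
    mode=$1 owner_uid=$2 owner_gid=$3 run_uid=$4 run_gid=$5

    case $mode in
        d?????????*) ;;          # only directories can hold new entries
        *) return 1 ;;
    esac

    # UID 0 bypasses the permission bits (with default capabilities),
    # which is why the root configuration starts while 1001:1001 does not.
    [ "$run_uid" -eq 0 ] && return 0

    # Exactly one permission class applies: owner, else group, else other.
    if [ "$run_uid" -eq "$owner_uid" ]; then
        bits=$(printf '%s' "$mode" | cut -c2-4)
    elif [ "$run_gid" -eq "$owner_gid" ]; then
        bits=$(printf '%s' "$mode" | cut -c5-7)
    else
        bits=$(printf '%s' "$mode" | cut -c8-10)
    fi

    case $bits in
        ?w[xst]) return 0 ;;     # write plus search (s/t imply x is set)
        *) return 1 ;;
    esac
}

# Constructed sample: numeric form of the listing in the issue (root is 0:0).
for run in 1001:1001 0:0; do
    if can_create_in drwxr-xr-x 0 0 "${run%:*}" "${run#*:}"; then
        echo "$run: can create subdirectories in /app/config"
    else
        echo "$run: permission denied creating subdirectories in /app/config"
    fi
done
```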
