From 146bf65d02cf5e344ff0b81a0c23c84a0cd2485b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Robert=20Sch=C3=A4fer?=
Date: Fri, 5 Dec 2025 15:26:20 +0100
Subject: [PATCH] refactor(dev): remove ulimits for rootless docker (#24393)

Description
-----------

When I follow the [developer setup](https://docs.immich.app/developer/setup) I run into a permission error using rootless docker. A while ago I asked on Discord in [#contributing](https://discord.com/channels/979116623879368755/1071165397228855327/1442974448776122592) about these ulimits.

I suggest removing the `ulimits` altogether. It seems that @ItalyPaleAle has left the setting just hoping that it could help somebody in the future. See the [PR description](https://github.com/immich-app/immich/pull/4556).

How Has This Been Tested?
-------------------------

Using rootless docker:

```
$ docker context ls
NAME         DESCRIPTION   DOCKER ENDPOINT                     ERROR
default                    unix:///var/run/docker.sock
rootless *                 unix:///run/user/1000/docker.sock
```

Running `make` will fail because of permission errors:

```
$ docker compose -f ./docker/docker-compose.dev.yml up --remove-orphans
...
Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: error setting rlimits for ready process: error setting rlimit type 7: operation not permitted
```

On my machine I have the following hard limit for "Maximum number of open file descriptors":

```
$ ulimit -nH
524288
```

I can confirm that the permission error is caused by the security restrictions of the operating system mentioned above:

Changing `docker/docker-compose.dev.yml` like ..

```
ulimits:
  nofile:
    soft: 524289
    hard: 524289
```

.. will lead to a permission error whereas this ..

```
ulimits:
  nofile:
    soft: 524288
    hard: 524288
```

.. starts fine.

Apparently the defaults for these limits are coming from [systemd](https://github.com/systemd/systemd/blob/26b2085d54ebbfca8637362eafcb4a8e3faf832f/man/systemd.exec.xml#L1122) which is used on nearly every Linux distribution. So my assumption is that almost any Linux user who uses rootless docker will run into a permission error when starting the development setup.

Checklist:
----------

- [x] I have performed a self-review of my own code
- [x] I have made corresponding changes to the documentation if applicable
- [x] I have no unrelated changes in the PR.
- [ ] I have confirmed that any new dependencies are strictly necessary.
- [ ] I have written tests for new code (if applicable)
- [ ] I have followed naming conventions/patterns in the surrounding code
- [ ] All code in `src/services/` uses repositories implementations for database calls, filesystem operations, etc.
- [ ] All code in `src/repositories/` is pretty basic/simple and does not have any immich specific logic (that belongs in `src/services/`)

--- docker/docker-compose.dev.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml index 6fa1c51bdd..4b1a69d133 100644 --- a/docker/docker-compose.dev.yml +++ b/docker/docker-compose.dev.yml @@ -58,10 +58,6 @@ services: IMMICH_THIRD_PARTY_BUG_FEATURE_URL: https://github.com/immich-app/immich/issues IMMICH_THIRD_PARTY_DOCUMENTATION_URL: https://docs.immich.app IMMICH_THIRD_PARTY_SUPPORT_URL: https://docs.immich.app/community-guides - ulimits: - nofile: - soft: 1048576 - hard: 1048576 ports: - 9230:9230 - 9231:9231 @@ -100,10 +96,6 @@ services: - app-node_modules:/usr/src/app/node_modules - sveltekit:/usr/src/app/web/.svelte-kit - coverage:/usr/src/app/web/coverage - ulimits: - nofile: - soft: 1048576 - hard: 1048576 restart: unless-stopped depends_on: immich-server:
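
Review bot: Documentation is missing for the removal in the first hunk (`@@ -58,10 +58,6 @@`). With the `ulimits` block gone from the service that publishes 9230 and 9231, the container's open-file limit becomes whatever the Docker daemon applies by default, and that differs between hosts. The checklist ticks the documentation item, but the diffstat lists only docker/docker-compose.dev.yml. Please add a short paragraph to the developer setup page saying that the dev compose file no longer sets `nofile`, and that anyone who hits "too many open files" can set `ulimits.nofile` in a local override file to a value at or below their own `ulimit -nH`.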
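
Review bot: Test evidence does not cover the state after the second hunk (`@@ -100,10 +96,6 @@`). The commit message shows that a limit of 524288 starts and 524289 fails, but not a run with the block removed entirely. The service in this hunk mounts the `app-node_modules`, `sveltekit` and `coverage` volumes, which suggests a file-heavy dev workload. Please state in the PR that `make` was run with this patch applied on both rootless and rootful Docker, and that this service stays up under the inherited limit. If it does not on some host, a value interpolated from an environment variable with a conservative default would keep the setting tunable without hard-coding 1048576.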