When downloading multiple photos as zip, extracted photos files have no read or write permissions

[Qhilm]

The bug

When I download a single photo, no issue.

When selecting multiple photos and downloading, Immich will make a zip file out of it and download it. When unpacking/extracting the zip files, all files in the zip have no read or write permissions somehow.

I tested this with Firefox 124.0.2 and Chrome 123 on macOS 14.4.1, as well as Firefox 124 on Ubuntu 22.04.

The OS that Immich Server is running on

macOS 14.4.1, Ubuntu 22.04

Version of Immich Server

v1.101.0

Version of Immich Mobile App

v1.101

Platform with the issue

• Server
• Web
• Mobile

Your docker-compose.yml content

version: '3.8'

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ['start.sh', 'immich']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - stack.env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: always

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    command: ['start.sh', 'microservices']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - stack.env
    depends_on:
      - redis
      - database
    restart: always

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - stack.env
    restart: always

  redis:
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:51d6c56749a4243096327e3fb964a48ed92254357108449cb6e23999c37773c5
    restart: always

  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - pgdata:/var/lib/postgresql/data
    restart: always

volumes:
  pgdata:
  model-cache:

Your .env content

UPLOAD_LOCATION=/volume1/Photos/
IMMICH_VERSION=release
DB_PASSWORD=postgres
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis

Reproduction steps

1. Select multiple photos in web interface
2. Click the three dots and click "download"
3. Extract the downloaded zip file
4. permissions of extracted files are "----------" / 000 (no permissions)

Relevant log output

No response

Additional information

No response

[mmomjian]

I am unable to replicate this on Debian. Can you please post the exact commands you used and the permissions of the user as well as the directory you are extracting into? I was under the impression that ZIP files did not store permissions.

Can you also try with a different ZIP file that didn't come from Immich?

[Qhilm]

I will recheck on Ubuntu, I might have mixed up something there, the issue might only exist on macOS.

On macOS, I simply double click the .zip file and it creates a folder with the same name (minus the extension). The folder itself has correct permissions (read and write for my user) but the files inside the folder do not.

I also tried unziping from the cli using unzip immich-20240414_195237.zip and it does not create a folder, puts both files directly in the same path, but it's exactly the same issue, both files have zero permissions.

Finally, I installed another decompression utility, Keka. And low and behold, the issue does not happen.

Hence, it seems it specific to the macOS uncompression utility (or unzip on macOS) and the immich archive. macOS is bundling unzip 6.0, in case that helps.

I do not have this issue with other zip files as far as I know.

[mmomjian]

This seems like a Mac OS problem then? I just opened an Immich ZIP using 7-zip and I see this:

[Qhilm]

I retested on Ubuntu 22.04, I confirm it's exactly the same issue. After extracting the files, they have zero permissions. No read permissions, no write permissions.

I also tested using unzip on the CLI, same results, files are extracted, owner is my user, but there are no permissions, neither for user, group or everyone: ls output shows "----------" for permissions.

[alextran1502]

Perhaps something is off with your storage permission at UPLOAD_LOCATION

This is the permission after I download the file from a local immich instance hosted on MacOS and has the UPLOAD_LOCATION point to the local storage on the mac

[Qhilm]

Thanks for testing this. This is strange, as stated above, if I download a single image, no issue. If something was wrong with my storage location, then here would also be an issue when downloading a single image, wouldn't it?

What wold you recommend me to do to check if something is off with my UPLOAD_LOCATION? (I use storage template {{y}}/{{y}}-{{MM}}-{{dd}}/{{filename}})

[Qhilm]

so, all files are root:root with ---------- permissions on my Synology, that could be the reason.

But I'm not entirely clear on my config error here. Docker runs as root as far as I know, hence the ownership is expected, but the permissions seem strange...

[Qhilm]

I am getting to the conclusion that on Synology, because Docker runs as root, one should configure PUID & GUID to avoid the aforementioned issue.

I'm thinking about following this guide (I'm using portainer):

1. Shutdown all containers
2. create new user (I don't think I need a new user group in my case, their aren't than many users to manage on the NAS)
3. chown and chmod on the postgres and upload directories as described here.
4. edit Docker Compose file and add the following for each container (replace "1000" with the correct PUID and PGID of the new user):

environment:
  - PUID=1000
  - PGID=1000

5. deploy stack.

Can someone spot any error in my thinking? Are their any containers where I should rather not change the PUID/GUID?

[Qhilm]

In general, it appears it's good practice not to run an internet facing container as root, hence I wanted to configure PUID and GUID, but it doesn't work it seems, immich-server can't connect to redis anymore, while the DB container itself doesn't show any error.

I followed these instructions.

1. created an immich-docker user on synology with write access to the folder where I store both the library and the DB.
2. sudo chown -R immich-docker:users /volume1/Photos
3. sudo chmod -R a=,a+rX,u+w,g+w /volume1/Photos
4. added PUID=1037 and GUID=100 to each container in the stack (I'm using Portainer).
5. redeploy stack

Current docker compose:

version: '3.8'

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ['start.sh', 'immich']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - stack.env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: always
    environment:
      - PUID=1037
      - PGID=100

  immich-microservices:
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    command: ['start.sh', 'microservices']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
      - stack.env
    depends_on:
      - redis
      - database
    restart: always
    environment:
      - PUID=1037
      - PGID=100

  immich-machine-learning:
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
      - model-cache:/cache
    env_file:
      - stack.env
    restart: always
    environment:
      - PUID=1037
      - PGID=100

  redis:
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:84882e87b54734154586e5f8abd4dce69fe7311315e2fc6d67c29614c8de2672
    restart: always
    environment:
      - PUID=1037
      - PGID=100

  database:
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
      PUID: 1037
      PGID: 100
    volumes:
      #- pgdata:/var/lib/postgresql/data
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

volumes:
  # pgdata:
  model-cache:

Environment variables:

UPLOAD_LOCATION=/volume1/Photos/
IMMICH_VERSION=release
DB_PASSWORD=postgres
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
DB_DATA_LOCATION=/volume1/Photos/postgres/

errors in immich-server and immich:

[Nest] 7  - 05/11/2024, 8:33:11 AM   ERROR [ExceptionHandler] Connection terminated due to connection timeout
Error: Connection terminated due to connection timeout
    at Connection.<anonymous> (/usr/src/app/node_modules/pg/lib/client.js:132:73)
    at Object.onceWrapper (node:events:632:28)
    at Connection.emit (node:events:518:28)
    at Socket.<anonymous> (/usr/src/app/node_modules/pg/lib/connection.js:63:12)
    at Socket.emit (node:events:518:28)
    at TCP.<anonymous> (node:net:337:12)

Error: connect ETIMEDOUT
    at Socket.<anonymous> (/usr/src/app/node_modules/ioredis/built/Redis.js:170:41)
    at Object.onceWrapper (node:events:632:28)
    at Socket.emit (node:events:518:28)
    at Socket._onTimeout (node:net:589:8)
    at listOnTimeout (node:internal/timers:573:17)
    at process.processTimers (node:internal/timers:514:7) {
  errorno: 'ETIMEDOUT',
  code: 'ETIMEDOUT',
  syscall: 'connect'
}

but the redis container itself seems happy:

1:C 11 May 2024 08:28:26.222 # oO0OoO0OoO0Oo Redis is starting oO0OoO0OoO0Oo
1:C 11 May 2024 08:28:26.222 # Redis version=6.2.14, bits=64, commit=00000000, modified=0, pid=1, just started
1:C 11 May 2024 08:28:26.222 # Warning: no config file specified, using the default config. In order to specify a config file use redis-server /path/to/redis.conf
1:M 11 May 2024 08:28:26.224 * monotonic clock: POSIX clock_gettime
1:M 11 May 2024 08:28:26.225 * Running mode=standalone, port=6379.
1:M 11 May 2024 08:28:26.225 # WARNING: The TCP backlog setting of 511 cannot be enforced because /proc/sys/net/core/somaxconn is set to the lower value of 128.
1:M 11 May 2024 08:28:26.225 # Server initialized
1:M 11 May 2024 08:28:26.225 # WARNING Memory overcommit must be enabled! Without it, a background save or replication may fail under low memory condition. Being disabled, it can can also cause failures without low memory condition, see https://github.com/jemalloc/jemalloc/issues/1328. To fix this issue add 'vm.overcommit_memory = 1' to /etc/sysctl.conf and then reboot or run the command 'sysctl vm.overcommit_memory=1' for this to take effect.
1:M 11 May 2024 08:28:26.225 * Loading RDB produced by version 6.2.14
1:M 11 May 2024 08:28:26.225 * RDB age 28 seconds
1:M 11 May 2024 08:28:26.225 * RDB memory usage when created 0.77 Mb
1:M 11 May 2024 08:28:26.225 # Done loading RDB, keys loaded: 0, keys expired: 0.
1:M 11 May 2024 08:28:26.225 * DB loaded from disk: 0.000 seconds
1:M 11 May 2024 08:28:26.225 * Ready to accept connections

so is the postgresql container:

PostgreSQL Database directory appears to contain a database; Skipping initialization
2024-05-11 08:03:06.902 UTC [1] LOG:  starting PostgreSQL 14.10 (Debian 14.10-1.pgdg120+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 12.2.0-14) 12.2.0, 64-bit
2024-05-11 08:03:06.924 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2024-05-11 08:03:06.924 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2024-05-11 08:03:07.213 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
[2024-05-11T08:03:07Z INFO  service::utils::clean] Find directory "pg_vectors/indexes/17336".
[2024-05-11T08:03:07Z INFO  service::utils::clean] Find directory "pg_vectors/indexes/17337".
[2024-05-11T08:03:07Z INFO  service::utils::clean] Find directory "pg_vectors/indexes/17337/segments/1242f013-62a7-4580-ba68-d171c2e35ac0".
2024-05-11 08:03:07.636 UTC [28] LOG:  database system was shut down at 2024-05-11 08:02:31 UTC
[2024-05-11T08:03:07Z INFO  service::utils::clean] Find directory "pg_vectors/indexes/17336/segments/a6b64904-d1fe-470a-9a08-02b515e6f054".
2024-05-11 08:03:07.924 UTC [1] LOG:  database system is ready to accept connections

I reverted docker compose, but it does not solve the issue, hence I think the owner/permission changes broke something. I thought that reversing to previous situation and having the container run as root again would be a safe fallback, since root should be able to read/access anything, but it does not seems like it.

If anyone has an idea how to properly do this with PUID and GUID, I'm all ears.

[bo0tzz]

The part after the : is the path inside of the container. Those should be /cache and /config, without a dot.

[Qhilm]

I'm confused a bit I think. These are the lines I added:

volumes:
-  - model-cache:/cache
+  - ${MACHINE_LEARNING_CACHE_LOCATION}:/cache
+  - ${MACHINE_LEARNING_CONFIG_LOCATION}:/config

You are saying I need to add two mores lines, for the similar folder names but with a dot in front? (/.cache and /.config)

To be clear: FAQ says /.cache but the original docker-compose.yml mentions /cache without a dot.

Hence I thought the choice would be either as above, or (note the dots in front of "cache" and "config"):

volumes:
- - model-cache:/cache
+  - ${MACHINE_LEARNING_CACHE_LOCATION}:/.cache
+  - ${MACHINE_LEARNING_CONFIG_LOCATION}:/.config

or am I completely missing something?

[bo0tzz]

My bad, I got mixed up - /.cache and /.config are not used by Immich itself, but by dependencies. You need all three.

[mmomjian]

To run rootless, you need /cache AND /.cache AND /.config mounted in the container, at least when I tested 2-3 months ago. The user running the container needs to be able to write to those folders, and by default only root can. That is the volumes I have mounted in my install. I think /config is old and no longer used.

[mmomjian]

You probably also need to make those folders on your host and chown them to the user running the container - by default docker bind mounts are owned by root, I think.

[Qhilm]

Whoohoo, it seems to work now, thanks a lot @mmomjian.

And it does fix the original issue I had, which was that downloading multiple photos at once would result in zero permissions when unzipping the files (tested on Linux and macOS), so my hunch was correct.

I think we should modify the doc to mention that on systems where docker runs as root (Synology DSM for example), this is a problem users may encounter and that the recommendation is to configure a user. What's your view @mmomjian and @bo0tzz?

My setup:

• The user for immich containers is immich-docker, I did not create a dedicated group for it and it's in the normal users group. PUID is 1037, which I got using id immich-docker on the CLI. It also shows the GUID for the group users is 100.
• I put all data (redis, postgresql, machine-learning, etc.) in the same /volume1/Photos folder.

I shut down all containers and ran the following commands:
sudo chown -R immich-docker:users /volume1/Photos
sudo chmod -R a=,a+rX,u+w,g+w /volume1/Photos

I then added user and volume binds to my stack in Portainer so it looks like this, in comparison to the latest docker-compose.yml:

#
# WARNING: Make sure to use the docker-compose.yml of the current release:
#
# https://github.com/immich-app/immich/releases/latest/download/docker-compose.yml
#
# The compose file on main may not be compatible with the latest release.
#

name: immich

services:
  immich-server:
+    user: '1037:100'
    container_name: immich_server
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    command: ['start.sh', 'immich']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
-      - .env
+      - stack.env
    ports:
      - 2283:3001
    depends_on:
      - redis
      - database
    restart: always


  immich-microservices:
+    user: '1037:100'
    container_name: immich_microservices
    image: ghcr.io/immich-app/immich-server:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/hardware-transcoding
    #   file: hwaccel.transcoding.yml
    #   service: cpu # set to one of [nvenc, quicksync, rkmpp, vaapi, vaapi-wsl] for accelerated transcoding
    command: ['start.sh', 'microservices']
    volumes:
      - ${UPLOAD_LOCATION}:/usr/src/app/upload
      - /etc/localtime:/etc/localtime:ro
    env_file:
-      - .env
+      - stack.env
    depends_on:
      - redis
      - database
    restart: always

  immich-machine-learning:
+    user: '1037:100'
    container_name: immich_machine_learning
    # For hardware acceleration, add one of -[armnn, cuda, openvino] to the image tag.
    # Example tag: ${IMMICH_VERSION:-release}-cuda
    image: ghcr.io/immich-app/immich-machine-learning:${IMMICH_VERSION:-release}
    # extends: # uncomment this section for hardware acceleration - see https://immich.app/docs/features/ml-hardware-acceleration
    #   file: hwaccel.ml.yml
    #   service: cpu # set to one of [armnn, cuda, openvino, openvino-wsl] for accelerated inference - use the `-wsl` version for WSL2 where applicable
    volumes:
-      - model-cache:/cache
+      - ${MACHINE_LEARNING_CACHE_LOCATION}:/cache
+      - ${MACHINE_LEARNING_DOTCACHE_LOCATION}:/.cache
+      - ${MACHINE_LEARNING_DOTCONFIG_LOCATION}:/.config
    env_file:
-      - .env
+      - stack.env
    restart: always

  redis:
+    user: '1037:100'
    container_name: immich_redis
    image: registry.hub.docker.com/library/redis:6.2-alpine@sha256:84882e87b54734154586e5f8abd4dce69fe7311315e2fc6d67c29614c8de2672
    restart: always
    volumes:
+      - ${REDIS_DATA_LOCATION}:/data

  database:
    user: '1037:100'
    container_name: immich_postgres
    image: registry.hub.docker.com/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
    environment:
      POSTGRES_PASSWORD: ${DB_PASSWORD}
      POSTGRES_USER: ${DB_USERNAME}
      POSTGRES_DB: ${DB_DATABASE_NAME}
    volumes:
      - ${DB_DATA_LOCATION}:/var/lib/postgresql/data
    restart: always

-volumes:
-  model-cache:

environment variables look like this:

UPLOAD_LOCATION=/volume1/Photos/
IMMICH_VERSION=release
DB_PASSWORD=postgres
DB_HOSTNAME=immich_postgres
DB_USERNAME=postgres
DB_DATABASE_NAME=immich
REDIS_HOSTNAME=immich_redis
DB_DATA_LOCATION=/volume1/Photos/postgres/
MACHINE_LEARNING_CACHE_LOCATION=/volume1/Photos/machine-learning/cache/
MACHINE_LEARNING_DOTCACHE_LOCATION=/volume1/Photos/machine-learning/.cache/
MACHINE_LEARNING_DOTCONFIG_LOCATION=/volume1/Photos/machine-learning/.config/
REDIS_DATA_LOCATION=/volume1/Photos/redis/

[mmomjian]

Glad it worked!

By default Docker runs as root in almost all installations, so that is not a unique factor to your installation. This is a very rare issue as far as I know, so I don't think we need to recommend for everyone on Synology to do this. However if we see it coming up a lot more often we can potentially add a note. We currently do not recommend setting up a user as it takes more work to prepare the bind mounts, and for 99.9% of users this does not cause a problem.

In fact as you mentioned the files were all -------- permissions, so this is likely what fixed it: sudo chmod -R a=,a+rX,u+w,g+w

[Qhilm]

In fact as you mentioned the files were all -------- permissions, so this is likely what fixed it: sudo chmod -R a=,a+rX,u+w,g+w

True but I did not set permissions to ---------- on all files, Immich container did, while running as root. Hence I am surprised I'm the only one with this issue. Anyway, if anyone has the issue as well, they should be able to find this thread.