[Bug] Long delay when starting docker image due to recursive `chown`

[pR0Ps]

Describe the bug

When running the current freshrss/freshrss:latest container, startup takes an extremely long time due to the following line:

FreshRSS/cli/access-permissions.sh

Line 15 in 697f8f5

chown -R :www-data .

Logs (via docker logs --follow --timestamps <container id>):

2025-07-31T03:13:27.908365000Z Enabling module auth_openidc.
2025-07-31T03:25:33.676488000Z [Thu Jul 31 03:25:33.676143 2025] [mpm_prefork:notice] [pid 1:tid 1] AH00163: Apache/2.4.62 (Debian) configured -- resuming normal operations

Notice the roughly 12 minute gap in the logs between when the entry point runs and when Apache is started. Basically all of that time is spent running the above chown command. This is on a fresh instance with only a single user and a single feed.

To Reproduce

I can reproduce it by running the following docker compose file:

services:
  freshrss:
    image: freshrss/freshrss:latest
    container_name: freshrss
    restart: unless-stopped
    volumes:
      - /data/freshrss/data:/var/www/FreshRSS/data
      - /data/freshrss/extensions:/var/www/FreshRSS/extensions
    ports:
      - 8080:80
    environment:
      CRON_MIN: 2,32
      OIDC_ENABLED: 1
      OIDC_PROVIDER_METADATA_URL: https://<REDACTED>/.well-known/openid-configuration
      OIDC_CLIENT_ID: <REDACTED>
      OIDC_CLIENT_SECRET: <REDACTED>
      OIDC_CLIENT_CRYPTO_KEY: <REDACTED>
      OIDC_REMOTE_USER_CLAIM: preferred_username
      OIDC_SCOPES: openid email profile
      OIDC_X_FORWARDED_HEADERS: X-Forwarded-Host X-Forwarded-Port X-Forwarded-Proto

I also tested the alpine, edge, and edge-alpine tags with the same result (unsurprising since they all run the same startup script).

Expected behavior

I expect the container to start without a long delay.

FreshRSS version

1.26.3

System information

• Database version: SQLite
• PHP version: <managed by docker image>
• Installation type: Docker (latest, alpine, edge, and edge-alpine)
• Web server type: <managed by docker image>
• Device: N/A
• Host OS: Debian 12.10 container running under Proxmox (kernel 6.8.12-1-pve) with nesting enabled so it can run containers within it.
• Host filesystem: ZFS backed by a pool of hard drives
• Browser: N/A

Relevant lines from docker info:

Server:
 Server Version: 28.0.1
 Storage Driver: overlay2
  Backing Filesystem: zfs
  Supports d_type: true
  Using metacopy: false
  Native Overlay Diff: true
  userxattr: true
 Kernel Version: 6.8.12-1-pve
 Operating System: Debian GNU/Linux 12 (bookworm)
 OSType: linux
 Architecture: x86_64

Additional context

chown being slow is a known issue with the overlay2 storage driver when paired with some filesystems/kernels/other. See:

• Recursive chown is really slow docker/for-linux#388
• CHOWN command incredibly slow  linuxserver/docker-bookstack#60

I don't think this issue can be avoided entirely, but there are some potential ways to improve it. The most common recommendation seems to be to use the --chown flag when COPY-ing files into the image wherever possible so only a few directories have the be chown'd at runtime. Here's a random example of doing this that I found linked from the above issue: wizarrrr/wizarr@f68faee

[Frenzie]

The most common recommendation seems to be to use the --chown flag when COPY-ing files into the image wherever possible so only a few directories have the be chown'd at runtime.

Unfortunately that doesn't sound relevant because that's build time, not run time. This is user data that neither can nor should be copied into the image.

[Alkarex]

• Is there any difference when running our Alpine version?
• How many files do you have in your /data/freshrss/ folder?
• Is the chmod command also slow?
• Is it also slow when you start the container without any Docker volume?

PR welcome to add an environment variable to disable the chown steps, which should remain enabled by default.

[pR0Ps]

This is user data that neither can nor should be copied into the image.

The chown runs on the /var/www/FreshRSS directory which is almost entirely contents that have been COPY'd into the container:

FreshRSS/Docker/Dockerfile

Line 19 in c952256

COPY . /var/www/FreshRSS

I agree that running chown on user-mapped directories (/var/www/FreshRSS/data and /var/www/FreshRSS/extensions) probably still makes sense, but that should take much less time than having to chown the entire app.

EDIT: after doing some testing, this next paragraph turns out to be wrong

Also, I haven't had the chance to test this yet, but my understanding of the underlying issue is that it's just the actual changing of the owner/group that's slow. Due to this, I would expect that if the vast majority of /var/www/FreshRSS already had the correct www-data group due to it being set by COPY --chown in the Dockerfile, running the chown on it should take much less time. If this is the case, I can definitely make a PR.

@Alkarex To answer your questions:

Is there any difference when running our Alpine version?

No, it seems to be roughly the same.

How many files do you have in your /data/freshrss/ folder?

None. This issue occurred on the first run of the container where all I had done was create the folders to set up the mounts.

Is the chmod command also slow?

I don't think so. While the container was booting I was checking in on it periodically. Each time I either saw it running the chown command or being fully started up.
EDIT: did some more testing and the chmod command is slow as well.

Is it also slow when you start the container without any Docker volume?

I haven't tested this specifically, but given that the only mounted volumes had nothing in them, I would expect it to be about the same.

[pR0Ps]

I've been able to test a few things and have some corrections (edited inline above as well)

• Even with the directory already having the correct group due to using COPY --chown, running the chown -R . command in the access-permissions.sh script is still very slow.
• The chmod command is slow as well, it's not just the chown command.

I will submit a PR with a workaround (similar to @Alkarex 's suggestion to add an environment variable) soon.

[Alkarex]

Our freshrss/freshrss:edge image has been updated to Debian 13. By curiosity, it would be interesting to see whether it makes any difference in your case

[pR0Ps]

Unfortunately it does not resolve the issue for me:

2025-08-05T21:55:48.769273000Z Enabling module auth_openidc.
2025-08-05T22:11:00.245467000Z [Tue Aug 05 22:11:00.245133 2025] [mpm_prefork:notice] [pid 1:tid 1] AH00163: Apache/2.4.65 (Debian) configured -- resuming normal operations