From 3bfa7f7904c088e6a6880e15491fc43670e1d5fd Mon Sep 17 00:00:00 2001 From: Beth Legesse Date: Thu, 2 Apr 2026 12:18:46 -0500 Subject: [PATCH 01/10] chore: upgrade guidance for non-root container change --- content/influxdb3/explorer/release-notes/_index.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/content/influxdb3/explorer/release-notes/_index.md b/content/influxdb3/explorer/release-notes/_index.md index 50b0e98d17..66a39ff85f 100644 --- a/content/influxdb3/explorer/release-notes/_index.md +++ b/content/influxdb3/explorer/release-notes/_index.md @@ -18,6 +18,19 @@ docker pull influxdata/influxdb3-ui ## v1.7.0 {date="2026-04-14"} +#### Breaking changes + +- **Container user change**: The Docker container now runs as non-root user `influxui` (uid 1500) instead of root for improved security. + + **Action required for upgrades:** If you're upgrading from v1.6.x or earlier with mounted volumes (e.g., `/db`, `/app-root/config`), you must update file ownership before the container will start: + + ```bash + sudo chown -R 1500:1500 /path/to/your/db + sudo chown -R 1500:1500 /path/to/your/config + ``` + + The container will exit with a clear error message and instructions if it detects root-owned files. Fresh installations are unaffected. + #### Features - **Transform Data**: Rename tables (measurements), rename columns, transform values (such as unit conversions), and filter rows from a dedicated Transform Data page with dry-run testing. @@ -28,6 +41,7 @@ docker pull influxdata/influxdb3-ui - **Line protocol validation**: Get clearer, inline validation when writing data with line protocol. - **TLS certificate management**: Generate and renew short-lived TLS certificates for IP-based deployments. - **Storage type display**: View the configured storage type for your InfluxDB instance in the metrics UI. +- **Security**: Container now runs as non-root user (uid 1500) for improved security posture. #### Bug fixes From b0cdfd046fe1d9bbfbde4aa359e82155ebeea089 Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Thu, 2 Apr 2026 12:57:50 -0500 Subject: [PATCH 02/10] style(explorer): improve upgrade warning clarity and formatting Use semantic line feeds, replace bold text with heading in callouts, explain the root cause (root-owned volumes), and use standard callout syntax for the release notes upgrade notice. --- content/influxdb3/explorer/install.md | 26 +++++++++++++++++++ .../explorer/release-notes/_index.md | 24 ++++++++++------- 2 files changed, 41 insertions(+), 9 deletions(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index ac18e5ac98..088e3a2e96 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -213,6 +213,32 @@ docker-compose up -d > [!Important] > Without a mounted `./db` directory, application data is lost when the container is deleted. +> [!Warning] +> #### Upgrade from Explorer v1.6.x or earlier +> +> Starting with v1.7.0, the Explorer container runs as a non-root user +> (`influxui`, uid 1500) for improved security. Because earlier versions +> ran as root, existing mounted volumes are owned by root — and the new +> non-root process can't access them. +> +> If you start the upgraded container without updating file ownership, +> it exits with the following error: +> +> ``` +> ERROR: Directory '/db' is owned by root and not accessible to the 'influxui' user. +> ``` +> +> To prevent or resolve this error, change ownership of your mounted +> directories to uid 1500 before you start the container: +> +> ```bash +> sudo chown -R 1500:1500 /path/to/your/db +> sudo chown -R 1500:1500 /path/to/your/config +> ``` +> +> After you update ownership, restart the container. +> Fresh installations are unaffected. + ### Pre-configure InfluxDB connections Instead of configuring connections through the UI, you can pre-define connection settings using a `config.json` file. This is useful for: diff --git a/content/influxdb3/explorer/release-notes/_index.md b/content/influxdb3/explorer/release-notes/_index.md index 66a39ff85f..b038883b6a 100644 --- a/content/influxdb3/explorer/release-notes/_index.md +++ b/content/influxdb3/explorer/release-notes/_index.md @@ -22,14 +22,20 @@ docker pull influxdata/influxdb3-ui - **Container user change**: The Docker container now runs as non-root user `influxui` (uid 1500) instead of root for improved security. - **Action required for upgrades:** If you're upgrading from v1.6.x or earlier with mounted volumes (e.g., `/db`, `/app-root/config`), you must update file ownership before the container will start: - - ```bash - sudo chown -R 1500:1500 /path/to/your/db - sudo chown -R 1500:1500 /path/to/your/config - ``` - - The container will exit with a clear error message and instructions if it detects root-owned files. Fresh installations are unaffected. +> [!Important] +> #### Action required for upgrades +> +> If you're upgrading from v1.6.x or earlier with mounted volumes +> (for example, `/db` or `/app-root/config`), update file ownership +> before you start the container: +> +> ```bash +> sudo chown -R 1500:1500 /path/to/your/db +> sudo chown -R 1500:1500 /path/to/your/config +> ``` +> +> The container exits with an error message if it detects root-owned +> files. Fresh installations are unaffected. #### Features @@ -41,7 +47,7 @@ docker pull influxdata/influxdb3-ui - **Line protocol validation**: Get clearer, inline validation when writing data with line protocol. - **TLS certificate management**: Generate and renew short-lived TLS certificates for IP-based deployments. - **Storage type display**: View the configured storage type for your InfluxDB instance in the metrics UI. -- **Security**: Container now runs as non-root user (uid 1500) for improved security posture. +- **Non-root container**: The container now runs as a non-root user (uid 1500) for improved security. #### Bug fixes From a4a14ea6563302d17ba090e6ec72b6f33ff15117 Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Thu, 2 Apr 2026 13:09:35 -0500 Subject: [PATCH 03/10] Update content/influxdb3/explorer/install.md --- content/influxdb3/explorer/install.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 088e3a2e96..4f8c722637 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -216,7 +216,7 @@ docker-compose up -d > [!Warning] > #### Upgrade from Explorer v1.6.x or earlier > -> Starting with v1.7.0, the Explorer container runs as a non-root user +> In v1.7.0+, the Explorer container runs as a non-root user > (`influxui`, uid 1500) for improved security. Because earlier versions > ran as root, existing mounted volumes are owned by root — and the new > non-root process can't access them. From 2131fe739019135aa60bcdf5f09fb4a1859ad50d Mon Sep 17 00:00:00 2001 From: Beth Legesse Date: Mon, 13 Apr 2026 21:30:34 -0700 Subject: [PATCH 04/10] =?UTF-8?q?chore:=20update=20port=20mappings=20for?= =?UTF-8?q?=20non-root=20container=20(80=E2=86=928080,=20443=E2=86=928443)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- content/influxdb3/explorer/install.md | 44 +++++++++++++-------------- 1 file changed, 22 insertions(+), 22 deletions(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 4f8c722637..434ce5fb43 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -36,7 +36,7 @@ Get {{% product-name %}} running in minutes: ```bash docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` @@ -71,7 +71,7 @@ Install [Docker](https://docs.docker.com/engine/) or [Docker Desktop](https://do ```bash docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` {{% /code-tab-content %}} @@ -86,7 +86,7 @@ services: image: influxdata/influxdb3-ui:{{% latest-patch %}} container_name: influxdb3-explorer ports: - - "8888:80" + - "8888:8080" volumes: - ./config:/app-root/config:ro restart: unless-stopped @@ -115,7 +115,7 @@ For production deployments with persistence, admin mode, and automatic image upd docker run --detach \ --name influxdb3-explorer \ --pull always \ - --publish 8888:80 \ + --publish 8888:8080 \ --volume $(pwd)/db:/db:rw \ --volume $(pwd)/config:/app-root/config:ro \ --env SESSION_SECRET_KEY=$(openssl rand -hex 32) \ @@ -137,7 +137,7 @@ services: pull_policy: always command: ["--mode=admin"] ports: - - "8888:80" + - "8888:8080" volumes: - ./db:/db:rw - ./config:/app-root/config:ro @@ -187,7 +187,7 @@ docker-compose up -d ```bash docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ --volume $(pwd)/db:/db:rw \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` @@ -202,7 +202,7 @@ docker-compose up -d image: influxdata/influxdb3-ui:{{% latest-patch %}} container_name: influxdb3-explorer ports: - - "8888:80" + - "8888:8080" volumes: - ./db:/db:rw restart: unless-stopped @@ -295,7 +295,7 @@ Instead of configuring connections through the UI, you can pre-define connection ```bash docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ --volume $(pwd)/config:/app-root/config:ro \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` @@ -310,7 +310,7 @@ Instead of configuring connections through the UI, you can pre-define connection image: influxdata/influxdb3-ui:{{% latest-patch %}} container_name: influxdb3-explorer ports: - - "8888:80" + - "8888:8080" volumes: - ./config:/app-root/config:ro restart: unless-stopped @@ -347,7 +347,7 @@ To enable TLS/SSL for secure connections: ```bash docker run --detach \ --name influxdb3-explorer \ - --publish 8888:443 \ + --publish 8888:8443 \ --volume $(pwd)/ssl:/etc/nginx/ssl:ro \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` @@ -362,7 +362,7 @@ To enable TLS/SSL for secure connections: image: influxdata/influxdb3-ui:{{% latest-patch %}} container_name: influxdb3-explorer ports: - - "8888:443" + - "8888:8443" volumes: - ./ssl:/etc/nginx/ssl:ro restart: unless-stopped @@ -428,7 +428,7 @@ To configure Explorer to trust self-signed or custom CA certificates when connec docker run --detach \ --name influxdb3-explorer \ --restart unless-stopped \ - --publish 8888:443 \ + --publish 8888:8443 \ --volume $(pwd)/db:/db:rw \ --volume $(pwd)/config:/app-root/config:ro \ --volume $(pwd)/ssl:/etc/nginx/ssl:ro \ @@ -453,7 +453,7 @@ services: pull_policy: always command: ["--mode=admin"] ports: - - "8888:443" + - "8888:8443" volumes: - ./db:/db:rw - ./config:/app-root/config:ro @@ -491,14 +491,14 @@ Set the mode using the `--mode` parameter: # Query mode (default) docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ influxdata/influxdb3-ui:{{% latest-patch %}} \ --mode=query # Admin mode docker run --detach \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ influxdata/influxdb3-ui:{{% latest-patch %}} \ --mode=admin ``` @@ -516,7 +516,7 @@ services: # For admin mode, add: command: ["--mode=admin"] ports: - - "8888:80" + - "8888:8080" restart: unless-stopped ``` {{% /code-tab-content %}} @@ -558,8 +558,8 @@ services: | Container Port | Protocol | Purpose | Common Host Mapping | |----------------|----------|---------|---------------------| -| 80 | HTTP | Web UI (unencrypted) | 8888 | -| 443 | HTTPS | Web UI (encrypted) | 8888 | +| 8080 | HTTP | Web UI (unencrypted) | 8888 | +| 8443 | HTTPS | Web UI (encrypted) | 8888 | --- @@ -596,7 +596,7 @@ EOF docker run --detach \ --name influxdb3-explorer \ --pull always \ - --publish 8888:443 \ + --publish 8888:8443 \ --volume $(pwd)/db:/db:rw \ --volume $(pwd)/config:/app-root/config:ro \ --volume $(pwd)/ssl:/etc/nginx/ssl:ro \ @@ -619,7 +619,7 @@ services: pull_policy: always command: ["--mode=admin"] ports: - - "8888:443" + - "8888:8443" volumes: - ./db:/db:rw - ./config:/app-root/config:ro @@ -655,7 +655,7 @@ docker-compose up -d ```bash docker run --rm \ --name influxdb3-explorer \ - --publish 8888:80 \ + --publish 8888:8080 \ influxdata/influxdb3-ui:{{% latest-patch %}} ``` {{% /code-tab-content %}} @@ -670,7 +670,7 @@ services: image: influxdata/influxdb3-ui:{{% latest-patch %}} container_name: influxdb3-explorer ports: - - "8888:80" + - "8888:8080" ``` {{% /code-tab-content %}} {{< /code-tabs-wrapper >}} From 4db05728009e310212782e67d6c3a1f088b569a5 Mon Sep 17 00:00:00 2001 From: Beth Legesse Date: Wed, 15 Apr 2026 12:58:51 -0700 Subject: [PATCH 05/10] fix: specific linux in heading --- content/influxdb3/explorer/release-notes/_index.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/content/influxdb3/explorer/release-notes/_index.md b/content/influxdb3/explorer/release-notes/_index.md index b038883b6a..b71774dbaf 100644 --- a/content/influxdb3/explorer/release-notes/_index.md +++ b/content/influxdb3/explorer/release-notes/_index.md @@ -23,19 +23,18 @@ docker pull influxdata/influxdb3-ui - **Container user change**: The Docker container now runs as non-root user `influxui` (uid 1500) instead of root for improved security. > [!Important] -> #### Action required for upgrades +> #### Action required for upgrades on Linux and WSL2 > > If you're upgrading from v1.6.x or earlier with mounted volumes -> (for example, `/db` or `/app-root/config`), update file ownership -> before you start the container: +> (for example, `/db` or `/app-root/config`) on **Linux or Windows WSL2**, +> update file ownership before you start the container: > > ```bash > sudo chown -R 1500:1500 /path/to/your/db > sudo chown -R 1500:1500 /path/to/your/config > ``` > -> The container exits with an error message if it detects root-owned -> files. Fresh installations are unaffected. +> The container exits with an error message if it detects root-owned files. #### Features From 7236c96abbb96f672938630337cdd30d3a2ecbfb Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 20:11:29 +0000 Subject: [PATCH 06/10] docs(explorer): simplify upgrade warning and link release notes Agent-Logs-Url: https://github.com/influxdata/docs-v2/sessions/7a4994d9-9c33-4957-9a95-7a7ce72459ab --- content/influxdb3/explorer/install.md | 52 ++++++++++--------- .../explorer/release-notes/_index.md | 16 +----- 2 files changed, 30 insertions(+), 38 deletions(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 434ce5fb43..a694e3945c 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -100,6 +100,7 @@ docker-compose up -d {{% /code-tab-content %}} {{< /code-tabs-wrapper >}} + ### Production setup For production deployments with persistence, admin mode, and automatic image updates: @@ -214,30 +215,34 @@ docker-compose up -d > Without a mounted `./db` directory, application data is lost when the container is deleted. > [!Warning] -> #### Upgrade from Explorer v1.6.x or earlier -> -> In v1.7.0+, the Explorer container runs as a non-root user -> (`influxui`, uid 1500) for improved security. Because earlier versions -> ran as root, existing mounted volumes are owned by root — and the new -> non-root process can't access them. -> -> If you start the upgraded container without updating file ownership, -> it exits with the following error: -> -> ``` -> ERROR: Directory '/db' is owned by root and not accessible to the 'influxui' user. -> ``` -> -> To prevent or resolve this error, change ownership of your mounted -> directories to uid 1500 before you start the container: -> -> ```bash -> sudo chown -R 1500:1500 /path/to/your/db -> sudo chown -R 1500:1500 /path/to/your/config -> ``` +> With v1.7.0+, the Explorer container runs as a non-root user. +> If you're upgrading from v1.6.x or earlier with mounted volumes, update file +> ownership before you start the container. > -> After you update ownership, restart the container. -> Fresh installations are unaffected. +### Set file permissions for upgrades + +In v1.7.0+, the Explorer container runs as a non-root user (`influxui`, uid +1500) for improved security. +Because earlier versions ran as root, existing mounted volumes are owned by +root and the new non-root process can't access them. + +If you start the upgraded container without updating file ownership, it exits +with the following error: + +```txt +ERROR: Directory '/db' is owned by root and not accessible to the 'influxui' user. +``` + +To prevent or resolve this error, change ownership of your mounted directories +to uid 1500 before you start the container--for example: + +```bash +sudo chown -R 1500:1500 /path/to/your/db +sudo chown -R 1500:1500 /path/to/your/config +``` + +After you update ownership, restart the container. +Fresh installations are unaffected. ### Pre-configure InfluxDB connections @@ -674,4 +679,3 @@ services: ``` {{% /code-tab-content %}} {{< /code-tabs-wrapper >}} - diff --git a/content/influxdb3/explorer/release-notes/_index.md b/content/influxdb3/explorer/release-notes/_index.md index b71774dbaf..ae0aea3a1c 100644 --- a/content/influxdb3/explorer/release-notes/_index.md +++ b/content/influxdb3/explorer/release-notes/_index.md @@ -21,20 +21,8 @@ docker pull influxdata/influxdb3-ui #### Breaking changes - **Container user change**: The Docker container now runs as non-root user `influxui` (uid 1500) instead of root for improved security. - -> [!Important] -> #### Action required for upgrades on Linux and WSL2 -> -> If you're upgrading from v1.6.x or earlier with mounted volumes -> (for example, `/db` or `/app-root/config`) on **Linux or Windows WSL2**, -> update file ownership before you start the container: -> -> ```bash -> sudo chown -R 1500:1500 /path/to/your/db -> sudo chown -R 1500:1500 /path/to/your/config -> ``` -> -> The container exits with an error message if it detects root-owned files. +- **Upgrade action**: See [Install InfluxDB 3 Explorer](/influxdb3/explorer/install/) + for upgrade file permission steps. #### Features From 97b749e7c1244a406cd84e687bf8b2565df1a2b6 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 20:13:32 +0000 Subject: [PATCH 07/10] docs(explorer): adjust upgrade permission wording Agent-Logs-Url: https://github.com/influxdata/docs-v2/sessions/7a4994d9-9c33-4957-9a95-7a7ce72459ab --- content/influxdb3/explorer/install.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index a694e3945c..3b5d2c8f1e 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -234,7 +234,8 @@ ERROR: Directory '/db' is owned by root and not accessible to the 'influxui' use ``` To prevent or resolve this error, change ownership of your mounted directories -to uid 1500 before you start the container--for example: +to uid 1500 before you start the container. +For example: ```bash sudo chown -R 1500:1500 /path/to/your/db From 7224fd4acf602423570954187da67e1f001c06f1 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 15 Apr 2026 20:15:36 +0000 Subject: [PATCH 08/10] docs(explorer): clarify warning impact and deep link install steps Agent-Logs-Url: https://github.com/influxdata/docs-v2/sessions/7a4994d9-9c33-4957-9a95-7a7ce72459ab --- content/influxdb3/explorer/install.md | 1 + content/influxdb3/explorer/release-notes/_index.md | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 3b5d2c8f1e..7d2ec0413b 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -218,6 +218,7 @@ docker-compose up -d > With v1.7.0+, the Explorer container runs as a non-root user. > If you're upgrading from v1.6.x or earlier with mounted volumes, update file > ownership before you start the container. +> The container exits with an error if mounted volumes have incorrect ownership. > ### Set file permissions for upgrades diff --git a/content/influxdb3/explorer/release-notes/_index.md b/content/influxdb3/explorer/release-notes/_index.md index ae0aea3a1c..61ebff4b81 100644 --- a/content/influxdb3/explorer/release-notes/_index.md +++ b/content/influxdb3/explorer/release-notes/_index.md @@ -21,7 +21,7 @@ docker pull influxdata/influxdb3-ui #### Breaking changes - **Container user change**: The Docker container now runs as non-root user `influxui` (uid 1500) instead of root for improved security. -- **Upgrade action**: See [Install InfluxDB 3 Explorer](/influxdb3/explorer/install/) +- **Upgrade action**: See [Install InfluxDB 3 Explorer](/influxdb3/explorer/install/#set-file-permissions-for-upgrades) for upgrade file permission steps. #### Features From 2f1817d050831d618a337f3dcd5ddae91d087cfb Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Wed, 15 Apr 2026 15:24:25 -0500 Subject: [PATCH 09/10] Update content/influxdb3/explorer/install.md --- content/influxdb3/explorer/install.md | 1 + 1 file changed, 1 insertion(+) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index 7d2ec0413b..fcb6177687 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -220,6 +220,7 @@ docker-compose up -d > ownership before you start the container. > The container exits with an error if mounted volumes have incorrect ownership. > + ### Set file permissions for upgrades In v1.7.0+, the Explorer container runs as a non-root user (`influxui`, uid From 6b376765c762fe263808cbe1e975b483220cb294 Mon Sep 17 00:00:00 2001 From: Jason Stirnaman Date: Wed, 15 Apr 2026 15:24:51 -0500 Subject: [PATCH 10/10] Update content/influxdb3/explorer/install.md --- content/influxdb3/explorer/install.md | 1 - 1 file changed, 1 deletion(-) diff --git a/content/influxdb3/explorer/install.md b/content/influxdb3/explorer/install.md index fcb6177687..bbd5549363 100644 --- a/content/influxdb3/explorer/install.md +++ b/content/influxdb3/explorer/install.md @@ -219,7 +219,6 @@ docker-compose up -d > If you're upgrading from v1.6.x or earlier with mounted volumes, update file > ownership before you start the container. > The container exits with an error if mounted volumes have incorrect ownership. -> ### Set file permissions for upgrades