Summary
Running the published Docker image fails immediately because uv cannot resolve the virtualenv Python interpreter when the container runs as pwuser. The error is:
error: Failed to query Python interpreter
Caused by: failed to canonicalize path `/app/.venv/bin/python3`: Permission denied (os error 13)
Root cause
Inside the image, python3 and python under /app/.venv/bin/ are symlinks that ultimately resolve to a path under /root/.local/share/uv/python/.... The Dockerfile sets USER pwuser, so pwuser cannot traverse /root, and std::fs::canonicalize (used by uv) returns EACCES.
Example (reproduced locally):
docker run --rm --entrypoint "" stickerdaniel/linkedin-mcp-server:latest \
sh -c 'readlink -f /app/.venv/bin/python; ls -la /app/.venv/bin/python'
The symlink target is under /root/.local/share/uv/....
This likely comes from RUN uv sync --frozen (and related uv steps) executing as root before USER pwuser. The managed Python install ends up owned by root under /root/.local, while the venv in /app still references it.
Reproduction
docker run --rm -i \
-v "$HOME/.linkedin-mcp:/home/pwuser/.linkedin-mcp" \
stickerdaniel/linkedin-mcp-server:latest
Observed: process exits with the canonicalize error above (MCP clients show the same when they start the container).
Workaround used in the wild: run as root and set HOME=/home/pwuser so the volume mount still matches app defaults (not ideal for security).
Suggested fix
Ensure the entire uv sync / uv run build chain runs as pwuser (or chown the uv-managed Python cache to pwuser and avoid any /root/.local references in the venv), so production ENTRYPOINT ["uv", "run", ...] works as the non-root user.
Thanks for maintaining this project.
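An added diagnostic sketch (not code from the project or from uv) for the failure mode described in this report: it walks a path the way canonicalization does, following symlinks, and lists every directory on the chain that a given uid cannot traverse. The function names `can_search`, `blocked_dirs` and `build_demo` are hypothetical, the demo tree is constructed, and the check uses mode bits only (ACLs and capabilities are ignored).

```python
import os
import stat
import tempfile

def can_search(st, uid, gids):
    """Mode-bit check for directory search (x) permission; ignores ACLs and capabilities."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)

def blocked_dirs(path, uid, gids=(), max_links=40):
    """Follow path and its symlinks; return each directory on the chain uid cannot traverse."""
    pending = [p for p in os.path.join(os.getcwd(), path).split(os.sep) if p]
    current, blocked, links = os.sep, [], 0
    while pending:
        name = pending.pop(0)
        # Looking up `name` requires search permission on `current`.
        if current not in blocked and not can_search(os.stat(current), uid, gids):
            blocked.append(current)
        candidate = os.path.join(current, name)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if os.path.isabs(target):
                current = os.sep  # absolute target restarts resolution at /
            pending = [p for p in target.split(os.sep) if p] + pending
        else:
            current = os.path.normpath(candidate)  # also collapses "." and ".."
    return blocked

def build_demo(home_mode):
    """Constructed layout mirroring the report: venv symlink -> interpreter under a home dir."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    home = os.path.join(base, "root")
    real_bin = os.path.join(home, ".local", "share", "uv", "python", "bin")
    os.makedirs(real_bin)
    open(os.path.join(real_bin, "python3"), "w").close()
    link = os.path.join(base, "app", ".venv", "bin", "python3")
    os.makedirs(os.path.dirname(link))
    os.symlink(os.path.join(real_bin, "python3"), link)
    os.chmod(home, home_mode)
    return link, home
```

To inspect a real image, run `blocked_dirs` as a user that can read the whole chain and pass the uid and group ids of the non-root runtime user.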