[Electric Eel][Jellyfin][ffmpeg] Playback error due to permissions denied

Hi all! First post and first experience with TrueNAS :slight_smile:

I’m tinkering with Electric Eel RC2 before committing to a reliable home server once 24.10 is out!

I’m encountering some problems I can’t quite fully understand with some apps, particularly Jellyfin

I’ll narrate the whole process so that anyone who wants to help can have the most amount of information, so I thank in advance the poor souls who will bear with this topic!

TL;DR
The Jellyfin app in the “community” train has some problem with permissions, ffmpeg specifically, what can I do to solve it?

Useful context info:

  • Current Train: TrueNAS-ElectricEel-RC - TrueNAS ElectricEel 24.10 RC
  • Encrypted Pool: no
  • Jellyfin App version: 10.9.11

This is my main dataset:

As you can see, I have a /data/media folder (that I want Jellyfin to access in order to retrieve the media) and I set the permissions to share some test media through SMB (Mask + custom group called “smb_users”)

I have also created the folder structure app_configs/jellyfin/cache and app_configs/jellyfin/config to use instead of ixVolumes

Below is the Jellyfin configuration through the standard Apps:

application name: jellyfin (default)
version: 1.0.25 (default)
Timezone: Europe/Rome
UID:568 (default)
GID:568 (default)
port: 30013 (default)
config storage: host path @ /mnt/pippin/app_configs/jellyfin/config
cache storage: host path @ /mnt/pippin/app_configs/jellyfin/cache
transcode storage: temporary
additional storage: host path @ /mnt/pippin/data/media : /media

With the configuration above, the app is stuck in a deploying cycle where the containers start and exit.
The log I found from the jellyfin container is the following: Unhandled exception. System.UnauthorizedAccessException: Access to the path '/config/log' is denied.

First batch of questions: if 568:568 is the built-in uid:gid apps, why is it throwing an error about permissions?
From what I understood, the apps uid:gid should fulfill the necessary permissions to run the apps without using the root user. Am I supposed to run Jellyfin as a root user? (it didn’t require it for other apps, e.g. Dockge, NPM or Tailscale)

One thing I noticed is in the “Application Metadata” pane in the “Apps” dashboard


From what I can understand, the container is expecting to run as a uid:gid jellyfin even though that uid:gid is reserved for “apps”, maybe that’s the issue? Some conflict with permissions?

So I manually set an ACL for the /mnt/pippin/app_configs/jellyfin dataset to explicitly allow the apps group to r, w & x. Here’s a screenshot of the ACL (started from a restricted preset).


I noticed that the child datasets have the ACL preset without my additions (maybe a bug?), but that’s just a side problem, I manually set the ACL to be as above for the child datasets AND the /mnt/pippin/data/media folder, just to be absolutely sure that jellyfin can access all the necessary folders.

Now the jellyfin container works! Odd, but it works!

I set up the initial configuration of Jellyfin using default parameters: I only created a movie library from the /media folder I enabled from “additional storage”.

Jellyfin scans the folder correctly, I have Big Buck Bunny ready and…


Fatal player error! Come on!!

So I check the logs and I find this error:

Now what? :sob:
I tried to find some solution here, the old TrueNas forum and the Jellyfin forum, but most certainly I’m missing something
It’s the second try I do in the last few days, I erased the pool and started from a fresh install just to get stuck at the same point.

How can I edit permissions inside a container for a specific program (in this case, ffmpeg)? If I cat /etc/passwd I don’t see a user that can lead to ffmpeg.

I could deploy a custom app or a new stack using Dockge, but I would like to use the “official” way if I can.

If you need more information, please let me know! I’m happy to share (and learn from my mistakes!)

I found a solution!

By re-reading my topic, one detail emerged:

I was trying to figure out something to work with, so I simply decided to use a new preset for the ACL in /mnt/pippin/data/media/movies: instead of using the POSIX_RESTRICTED preset and then giving access specifically to the apps group, I went with the POSIX_OPEN preset.

While I’m not fully aware of the privacy/security implication of this choice, it seems that now the playback is working correctly, so yay!! :tada:

I’m planning to host some services and to expose them through NPM/Tailscale, so no service is exposed to the internet directly.

BUT, if anyone wants to give any advice about how to configure this ACL that doesn’t require giving access to everybody and everyone (since that folder is also part of an SMB share), I’m always eager to learn!
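Added example, not part of any post in this thread: a small evaluator for the POSIX ACL access check, run over `getfacl -n` style text, comparing an ACL that denies "other" but carries a named entry for GID 568 (apps) with one that grants "other" read and traverse. Both ACL texts are constructed for illustration (owner 0 and owning group 3000 are assumptions) and are not the literal contents of the TrueNAS presets.

```python
# Added example: POSIX.1e ACL evaluation over `getfacl -n` style text.
# Both ACL samples are constructed; owner 0 and group 3000 are assumptions.
BITS = {"r": 4, "w": 2, "x": 1}

RESTRICTED_PLUS_APPS = """\
# file: mnt/pippin/data/media
# owner: 0
# group: 3000
user::rwx
group::rwx
group:568:r-x
mask::rwx
other::---
"""
OPEN_TO_OTHER = """\
# file: mnt/pippin/data/media
# owner: 0
# group: 3000
user::rwx
group::rwx
other::r-x
"""

def parse_acl(text):
    """Return (owner_uid, owning_gid, [(tag, qualifier, mode), ...])."""
    ids, entries = {}, []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            key, value = line[2:].split(":", 1)
            ids[key] = int(value)
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, sum(BITS.get(c, 0) for c in perms[:3])))
    return ids["owner"], ids["group"], entries

def allowed(text, uid, gids, want):
    """True if uid with group list gids gets every permission in want ('rx')."""
    need = sum(BITS[c] for c in want)
    owner, group, entries = parse_acl(text)
    get = lambda tag, qual="": [m for t, q, m in entries if t == tag and q == qual]
    mask = (get("mask") or [7])[0]           # no mask entry: nothing is masked
    if uid == owner:                          # owner entry is never masked
        return (get("user")[0] & need) == need
    if get("user", str(uid)):                 # named user entry
        return (get("user", str(uid))[0] & mask & need) == need
    modes = get("group") if group in gids else []
    for g in gids:                            # named group entries
        modes = modes + get("group", str(g))
    if modes:                                 # a group matched: "other" is not consulted
        return any((m & mask & need) == need for m in modes)
    return (get("other")[0] & need) == need
```

The same check has to pass with `x` on every directory between the dataset root and the media file, so the ACL of each parent directory needs evaluating, not only the leaf.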

I am green with TrueNas and have solved the issue for myself though, I am throwing this in here as this may help you or anybody that comes across

In my Host Path, I enabled ACL>repoint my Host path>added the ACL Entries>ID Type is for USER>Set my User ID (My Apps User)>Provide Full_control Access> Forced Flag.

My Player is working now :slight_smile:

I will definitely try this approach, thank you! :slight_smile:

Hi, I’m getting the same playback error, and in the ffmpeg log I see this at the bottom.

[in#0 @ 0x55ba7869cf80] Error opening input: No such file or directory
Error opening input file file:/mnt/Pool1/Media/TV/Secret Invasion/Secret.Invasion.S01E01.1080p.WEB.h264-EDITH.mkv.
Error opening input files: No such file or directory

I’m assuming that this is a permission issue, but I can’t figure out why. I’m new to truenas and had a tough time getting Jellyfin to catalog the folders but when it did that I thought I had the permissions sorted.

Any help would be greatly appreciated.

Thanks!

Be sure to enable the ACL selection and set it to recursive for the directories with your media files (that way the jellyfin user can actually access the media).

This begs the question, should there be a jellyfin user in my Truenas? I see in the application metadata section that it mentions a jellyfin user and group, but I don’t have those under credentials in Truenas.

I did set the acl to recursive when I set the permissions for the SMB share.

Thanks.

The UID and GID 568 should exist on your TrueNAS as apps. The jellyfin user and group names are container-side and don’t matter for the host, as long as the right ID has permissions for all the datasets.

Ok, so the user and group apps did not have permissions to the SMB share, so I added them. I still get the same player error and the ffmpeg log shows the same error.

This is a hunch and not something I’ve tested, but apps does not have Samba authentication turned on by default. What happens if you edit the apps user and turn on SMB User?

Edit: actually it would require you to change the user password to update that field, which might not work.

You could try changing the UID and GID in User and Group Configuration on the Jellyfin install to a user that does have SMB authentication enabled, and then give that user permissions to the share.

Error opening input file file:/mnt/Pool1/Media/TV/Secret Invasion/Secret.Invasion.S01E01.1080p.WEB.h264-EDITH.mkv

This is the log from inside the Jellyfin application I assume - but it’s referencing the pool path as /mnt/Pool1 rather than the container path.

Can you show a screenshot of your “Additional Storage” setting in the Apps screen, such as shown below?

Jellyfin would not start when I changed these.

For some reason I can’t include a screenshot in a post.

Type
SMB/CIFS

Mount Path
/MEDIA

SMB Configuration

Server
LFTrueNAS.local

Path
Media

Are you doing a loopback SMB mount such that LFTrueNAS.local is the system that the SMB share is running on as well as Jellyfin?

Yes, this is all on the same server.

Is there a particular reason you aren’t using host paths? Adding SMB introduces many more potential failure points, including my favorite one of “DNS does something silly and won’t resolve the SMB servername you’re trying to mount”

If you open the Volume Mounts or container shell (from the Apps page) do you see the contents of your folder if you ls /MEDIA?

I had initially set it up using host paths, but jellyfin did not see any media.

I just reconfigured jellyfin to use host path instead and get the same error.

I finally figured out what you meant by running ls /MEDIA from container shell.

When I ran it I got this:
OCI runtime exec failed: exec failed: unable to start container process: exec: "ls /MEDIA": stat ls /MEDIA: no such file or directory: unknown