[Electric Eel][Jellyfin][ffmpeg] Playback error due to permissions denied

Hi all! First post and first experience with TrueNAS :slight_smile:

I’m tinkering with Electric Eel RC2 before committing to a reliable home server once 24.10 is out!

I’m encountering some problems I can’t quite fully understand with some apps, particularly Jellyfin

I’ll narrate the whole process so that anyone who wants to help can have the most amount of information, so I thank in advance the poor souls who will bear with this topic!

TL;DR
The Jellyfin app in the “community” train has some problem with permissions, ffmpeg specifically, what can I do to solve it?

Useful context info:

  • Current Train: TrueNAS-ElectricEel-RC - TrueNAS ElectricEel 24.10 RC
  • Encrypted Pool: no
  • Jellyfin App version: 10.9.11

This is my main dataset:

As you can see, I have a /data/media folder (that I want Jellyfin to access in order to retrieve the media) and I set the permissions to share some test media through SMB (Mask + custom group called “smb_users”)

I have also created the folder structure app_configs/jellyfin/cache and app_configs/jellyfin/config to use instead of ixVolumes

Below is the Jellyfin configuration through the standard Apps:

application name: jellyfin (default)
version: 1.0.25 (default)
Timezone: Europe/Rome
UID:568 (default)
GID:568 (default)
port: 30013 (default)
config storage: host path @ /mnt/pippin/app_configs/jellyfin/config
cache storage: host path @ /mnt/pippin/app_configs/jellyfin/cache
transcode storage: temporary
additional storage: host path @ /mnt/pippin/data/media : /media

With the configuration above, the app is stuck in a deploying cycle where the containers start and exit.
The log I found from the jellyfin container is the following: Unhandled exception. System.UnauthorizedAccessException: Access to the path '/config/log' is denied.

First batch of questions: if 568:568 is the built-in uid:gid apps, why is it throwing an error about permissions?
From what I understood, the apps uid:gid should fulfill the necessary permissions to run the apps without using the root user. Am I supposed to run Jellyfin as a root user? (it didn’t require it for other apps, e.g. Dockge, NPM or Tailscale)

One thing I noticed is in the “Application Metadata” pane in the “Apps” dashboard


From what I can understand, the container is expecting to run as a uid:gid jellyfin even though that uid:gid is reserved for “apps”, maybe that’s the issue? Some conflict with permissions?

So I manually set an ACL for the /mnt/pippin/app_configs/jellyfin dataset to explicitly allow the apps group to r, w & x. Here’s a screenshot of the ACL (started from a restricted preset).


I noticed that the child datasets have the ACL preset without my additions (maybe a bug?), but that’s just a side problem, I manually set the ACL to be as above for the child datasets AND the /mnt/pippin/data/media folder, just to be absolutely sure that jellyfin can access all the necessary folders.

Now the jellyfin container works! Odd, but it works!

I set up the initial configuration of Jellyfin using default parameters: I only created a movie library from the /media folder I enabled from “additional storage”.

Jellyfin scans the folder correctly, I have Big Buck Bunny ready and…


Fatal player error! Come on!!

So I check the logs and I find this error:

Now what? :sob:
I tried to find some solution here, the old TrueNAS forum and the Jellyfin forum, but most certainly I’m missing something.
It’s the second try I do in the last few days, I erased the pool and started from a fresh install just to get stuck at the same point.

How can I edit permissions inside a container for a specific program (in this case, ffmpeg)? If I cat /etc/passwd I don’t see a user that can lead to ffmpeg.

I could deploy a custom app or a new stack using Dockge, but I would like to use the “official” way if I can.

If you need more information, please let me know! I’m happy to share (and learn from my mistakes!)

I found a solution!

By re-reading my topic, one detail emerged:

I was trying to figure out something to work with, so I simply decided to use a new preset for the ACL in /mnt/pippin/data/media/movies: instead of using the POSIX_RESTRICTED preset and then giving access specifically to the apps group, I went with the POSIX_OPEN preset.

While I’m not fully aware of the privacy/security implication of this choice, it seems that now the playback is working correctly, so yay!! :tada:

I’m planning to host some services and to expose them through NPM/Tailscale, so no service is exposed to the internet directly.

BUT, if anyone wants to give any advice about how to configure this ACL that doesn’t require giving access to everybody and everyone (since that folder is also part of an SMB share), I’m always eager to learn!
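
An added example (not part of the original posts): a checker for the situation described in this thread, where the apps identity (568:568) is granted on a parent path but a child dataset's ACL lacks the entry. It applies the POSIX.1e access rules to `getfacl -n` text; the sample ACLs, owner uid 3000 and group gid 3001 are constructed assumptions, not values from the poster's system.

```python
import re

def parse_acl(text):
    """Parse `getfacl -n` output into (owner_uid, owner_gid, entries)."""
    owner = int(re.search(r"^# owner: (\d+)", text, re.M).group(1))
    group = int(re.search(r"^# group: (\d+)", text, re.M).group(1))
    entries = []
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if not line or line.startswith("default:"):
            continue  # default: entries only seed newly created children
        tag, qual, perms = line.split(":")
        entries.append((tag, int(qual) if qual else None, set(perms) - {"-"}))
    return owner, group, entries

def allows(text, uid, gids, want):
    """POSIX.1e access check: owner, named user, group class (masked), other."""
    owner, group, entries = parse_acl(text)
    want = set(want)
    get = lambda tag, q=None: next((p for t, e, p in entries if (t, e) == (tag, q)), None)
    mask = get("mask")
    masked = lambda p: p if mask is None else p & mask
    if uid == owner:
        return want <= get("user")
    if get("user", uid) is not None:
        return want <= masked(get("user", uid))
    hits = [masked(p) for t, q, p in entries
            if t == "group" and (q in gids or (q is None and group in gids))]
    if hits:  # a matching group entry means "other" is never consulted
        return any(want <= p for p in hits)
    return want <= get("other")

def first_block(chain, uid, gids):
    """Return the first directory in chain the identity cannot list/traverse."""
    for path, text in chain:
        if not allows(text, uid, gids, "rx"):
            return path
    return None

# Constructed sample ACLs (owner 3000 and group gid 3001 are assumptions).
BASE = "# owner: 3000\n# group: 3001\nuser::rwx\ngroup::rwx\n{extra}mask::rwx\nother::---\n"
MEDIA = BASE.format(extra="group:568:r-x\n")   # parent: apps group added
MOVIES = BASE.format(extra="")                 # child dataset: entry missing
CHAIN = [("/mnt/pippin/data/media", MEDIA), ("/mnt/pippin/data/media/movies", MOVIES)]

if __name__ == "__main__":
    print("blocked at:", first_block(CHAIN, 568, {568}))
    fixed = CHAIN[:1] + [(CHAIN[1][0], MEDIA)]
    print("after adding group:568:r-x:", first_block(fixed, 568, {568}))
```

With `group:568:r-x` on every directory in the chain, gid 568 can read and traverse but not write, and identities outside the listed users and groups still fall through to `other::---`.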

I am green with TrueNAS and have solved the issue for myself though, I am throwing this in here as this may help you or anybody that comes across.

In my Host Path, I enabled ACL > repoint my Host path > added the ACL Entries > ID Type is for USER > Set my User ID (My Apps User) > Provide Full_control Access > Forced Flag.

My Player is working now :slight_smile:


I will definitely try this approach, thank you! :slight_smile: