Immich permissions to access external library?

What uid/gid does Immich use to read external libraries, so that I can set appropriate minimal permissions on the external library?

I tried running Immich as a specific uid/gid, with the gid matching the external library filesystem permissions, and folder/file permissions set to 770/660. Immich could not read the external library. It worked when I set to 775/664. Maybe it runs the web service as a less privileged user?

Thank you!

1 Like

What version of TrueNAS are you running? Also, did you try the app’s Uid and Gid?

I am on 25.04.1 and using the latest Immich and Immich app definition, with the new directory structure.

I made the folders/files 770/660 with the gid on the folders/files matching the Immich container gid. I didn’t try changing the uid on the folders/files to match the Immich container uid because even if that helped it wouldn’t be a viable long-term solution (it’s a share that my uid writes to, so the files will all be owned by me).

I don’t think you have to change ownership, but you do have to give read and maybe write access to the datasets. That way immich can actually see the files.

The Immich container is running as user id immich, group id photos. I can see this by entering the container:

root@fileserver[~]# docker exec -it ix-immich-server-1 /bin/sh
$ id
uid=3008 gid=4001 groups=4001,568

where uid=3008 is the immich user, and gid=4001 is the photos group.

Sample Directory permissions: /media/Photos 770 evan:photos
Sample File permissions: /media/Photos/Photo1.jpg 660 evan:photos

Immich container should be able to read because it is running as gid photos, but can’t unless I make the directories 775 and files 664. It must not be reading as gid photos then?
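The question in this post is exactly the standard UNIX permission check, so here is a small model of it as an added example (not code from the thread or from Immich). It applies the owner/group/other rule to each directory on the path (which needs the search bit, x) and then to the file (which needs r), using the uid/gid/groups printed by `id` above. The owner uid for "evan" and the "nobody" identity are constructed, since the thread does not give them.

```python
"""Model of the POSIX mode-bit check a process hits when it opens a file.
Added example; uids other than the container's `id` output are constructed."""
import os
import stat


def can_access(mode, owner_uid, owner_gid, uid, gid, groups, want="r"):
    """True if a process (uid, gid, groups) has `want` ('r', 'w' or 'x') on an
    object with permission bits `mode` owned by owner_uid:owner_gid.
    Exactly one class applies: owner, else group, else other; no fallthrough."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        # root bypasses read/write checks; execute still needs some x bit set
        return want != "x" or bool(mode & 0o111)
    if uid == owner_uid:
        cls = (mode >> 6) & 7          # owner triplet
    elif owner_gid == gid or owner_gid in groups:
        cls = (mode >> 3) & 7          # group triplet (primary or supplementary)
    else:
        cls = mode & 7                 # other triplet
    return bool(cls & bit)


def can_read_path(entries, uid, gid, groups):
    """entries: (name, mode, owner_uid, owner_gid) for each directory on the
    path, parent first, with the file last. Directories need x, the file r."""
    *dirs, (fname, fmode, fuid, fgid) = entries
    for name, mode, o_uid, o_gid in dirs:
        if not can_access(mode, o_uid, o_gid, uid, gid, groups, "x"):
            return False, f"no search (x) permission on {name}"
    if not can_access(fmode, fuid, fgid, uid, gid, groups, "r"):
        return False, f"no read permission on {fname}"
    return True, "ok"


EVAN_UID = 3000                      # constructed: the thread names the owner but not its uid
PHOTOS_GID = 4001                    # the container's gid from the `id` output above
IMMICH = (3008, 4001, {4001, 568})   # uid, gid, groups exactly as `id` printed them
NOBODY = (65534, 65534, {65534})     # constructed: an unprivileged "nobody" identity

# The sample permissions quoted in the post, as 770/660 and as 775/664.
LIBRARY_770_660 = [
    ("/media", 0o755, 0, 0),
    ("/media/Photos", 0o770, EVAN_UID, PHOTOS_GID),
    ("/media/Photos/Photo1.jpg", 0o660, EVAN_UID, PHOTOS_GID),
]
LIBRARY_775_664 = [
    ("/media", 0o755, 0, 0),
    ("/media/Photos", 0o775, EVAN_UID, PHOTOS_GID),
    ("/media/Photos/Photo1.jpg", 0o664, EVAN_UID, PHOTOS_GID),
]


def entries_from_disk(path):
    """Build the entry list for a real path from os.stat, so the same check can
    be run against a live filesystem (for example from inside the container)."""
    path = os.path.abspath(path)
    entries, cur = [], ""
    for part in path.strip(os.sep).split(os.sep):
        cur = cur + os.sep + part
        st = os.stat(cur)
        entries.append((cur, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid))
    return entries


def check_current_process(path):
    """Evaluate the rule for the identity this script itself runs as."""
    return can_read_path(entries_from_disk(path), os.geteuid(), os.getegid(),
                         set(os.getgroups()))


if __name__ == "__main__":
    for label, lib in (("770/660", LIBRARY_770_660), ("775/664", LIBRARY_775_664)):
        for who, ident in (("immich 3008:4001", IMMICH), ("nobody", NOBODY)):
            print(label, who, can_read_path(lib, *ident))
```

With 770/660 the 3008:4001 identity reads the file, because 4001 is its primary group, while an identity outside group 4001 is stopped at the directory's missing search bit; with 775/664 both succeed. That is why "works only at 775/664" points at the process not carrying gid 4001 at the moment it opens the file, rather than at the bits themselves.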

Under the immich app → application context → run as context what does it say the Uid and Gid are for immich?

This is what is shown in Application Metadata. It is not correct vs. what is actually configured in the container. I wonder if it is showing the template defaults and not the actual config?

App Configuration:
User ID: 3008 (immich)
Group ID: 4001 (photos)

Application Metadata

Run As Context

UID: 568
GID: 568
Username: immich
Groupname: immich
Description: Immich runs as any non-root user.

UID: 999
GID: 999
Username: postgres
Groupname: postgres
Postgres runs as non-root user.

UID: 1001
GID: 0
Username: redis
Groupname: root
Redis runs as a non-root user and root group.

Yeah I think I am a bit confused. Did you change the uid or gid of the app when you installed it?

What happens when you give Uid 568 and Gid 568 access to the dataset?

These are users on your TrueNAS, correct? Not within the Immich app?

Can you just add read/write access to these datasets in the ACL page so that immich can see it?

When you deploy the TrueNAS App from the catalog you can choose the uid and gid to run the immich container. I set to uid 3008, gid 4001, with gid 4001 matching the group on the external library. The external library is to-date not using POSIX/NFSv4 ACL but I will look at that as the next option if I can’t work out which gid is used to read the external library.

Hi there,

Just in case it helps:

I was facing issues when trying to load external libraries within Immich via a TrueNAS install, although I was aligned with the doc.

PERMISSIONS
The pgData dataset must be owned by the user netdata (UID 999) for postgres to start. The other datasets must be owned by the user root (UID 0) or a group that includes the user root (UID 0) for immich to have the necessary permissions.
The library dataset must have ACL mode set to Passthrough if you plan on using a storage template and the dataset is configured for network sharing (its ACL type is set to SMB/NFSv4). When the template is applied and files need to be moved from uploads to library, immich performs chmod internally and needs to be allowed to execute the command.

Symptom was in the output logs of Immich - server :

# Error: EACCES: permission denied, scandir ...

So basically the things to check to make it work are:

  • pgData dataset with user netdata (which is done automatically by checking the corresponding checkbox at Immich install in the TrueNAS GUI)
  • set the external libraries dataset to ACL mode Passthrough (Edit dataset > advanced options > ACL mode)
  • Put the user apps in the dataset of the external libraries (I gave full control; I assume that modify is enough), owner root
  • what I forgot, and it drove me mad, is in the dataset ACL: don’t forget to check ‘Apply permissions recursively’

Doing that, there is no need to change ownership and permissions via the CLI (forget about chown and chmod), which I think is not the philosophy of TrueNAS.

Hope that will help

1 Like

Thank you! I think this documentation is out of date – it is for the older TrueNAS template with many datasets and which did not allow the Immich user to be set, so Immich ran as root.

I still have the pgData dataset, with this user ‘netdata’, on a fresh install of Immich from yesterday!

Immich runs as user Immich internally, but there is still no need to change anything (user ‘Immich’ doesn’t even exist in my TrueNAS ACL).

What solved everything for me is that I had forgotten to enable recursive permissions in the ACL of the external library dataset.

Sorry, I had meant that the documentation overall was out of date – you are completely correct on the postgres_data permissions. I have been able to avoid ACLs so far (using standard UNIX permissions only) but I might need to try ACLs next. Thank you for the ideas!

1 Like

I’m having an access permission issue with Immich trying to access an external library that is mounted within Immich’s container.

Something I found is that the permissions from the dataset persist into the Immich container, and most likely the owner/group IDs that are persisted into the container do not exist in the container.

For example, on my system, the directories in the mounted dataset are owned by UID 3000, but UID 3000 does not exist in the Immich container’s /etc/passwd. Instead, that UID is a valid user in TrueNAS’s credential list.

I suspect this is causing the access permission issue.

I had an external library working with no NFSv4 ACL and everyone-read permissions. Now with an ACL set with everyone@-read the process cannot read the images. When I run docker exec -it /bin/sh and go to the images I can read them. From the Immich GUI I can also navigate to the images and see the files are there, and even download them, but cannot display the image within Immich. It says: “Error loading image”.

This is the current ACL set on the directory. Group 4001 is the container’s group.

# group: 4001
# mode: 0o100664
# trivial_acl: false
# ACL flags: none
group:builtin_administrators:rwxpDdaARWcCos:------I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow

For those who have external libraries working, what ACL did you apply?

Thank you!

Adding “nobody” to the group 4001 which has group@ privilege enabled Immich to access. I can’t find where in Immich it drops privileges but it must do so somewhere in the web server.

“everyone@” is meant to include every user, even the anonymous user / nobody, but it obviously doesn’t include nobody on TrueNAS. It also did not match nobody in a discrete ACL, although I may have done that incorrectly, because TrueNAS would not let me do it from the UI. Adding nobody to a group that already had access is very poor from a security perspective but gets the service up and running while I try to work out if there is a better way.

I’d appreciate it if anyone else having this issue could confirm whether this resolves it.
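To make the ACL quoted two posts up easier to reason about, here is an added example (not code from the thread, Immich or TrueNAS) that parses that exact nfs4 getfacl text and walks the ACEs the way the generic NFSv4 model does: the first ACE that both applies to the identity and mentions the requested bit decides, and with no match the answer is an implicit deny. It reports which ACE made the decision, so you can see the difference between an identity that reaches group@ through membership in 4001 and one that only reaches everyone@. Note that this is the textbook model only; it does not reproduce the TrueNAS behaviour described above, where everyone@ did not cover the process. The owner uid, the numeric id for builtin_administrators, the "guests" group and the "nobody" identities are constructed assumptions.

```python
"""Minimal evaluator for the NFSv4 ACL text that TrueNAS prints.
Added example; ids and names marked constructed are assumptions."""
from dataclasses import dataclass

# The ACL quoted in the thread, verbatim (TrueNAS nfs4 getfacl output).
ACL_TEXT = """\
# group: 4001
# mode: 0o100664
# trivial_acl: false
# ACL flags: none
group:builtin_administrators:rwxpDdaARWcCos:------I:allow
            owner@:rw-p--aARWcCos:-------:allow
            group@:rw-p--a-R-c--s:-------:allow
         everyone@:r-----a-R-c--s:-------:allow
"""


@dataclass(frozen=True)
class Ace:
    who: str     # owner@ / group@ / everyone@ / user:NAME / group:NAME
    perms: str   # rwxpDdaARWcCos positions, '-' where the bit is not granted
    flags: str   # fdinSFI positions; an 'i' (inherit-only) ACE is not evaluated
    kind: str    # "allow" or "deny"


@dataclass(frozen=True)
class Principal:
    uid: int
    gid: int
    groups: frozenset   # supplementary gids


def parse_acl(text):
    """Parse getfacl-style lines; '#' header lines are skipped."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        who, perms, flags, kind = line.rsplit(":", 3)
        aces.append(Ace(who, perms, flags, kind))
    return aces


def ace_applies(ace, p, owner_uid, owner_gid, names):
    """Does this ACE's principal match identity p? `names` maps
    'user:NAME' / 'group:NAME' to numeric ids (constructed here)."""
    if "i" in ace.flags:
        return False
    if ace.who == "everyone@":
        return True
    if ace.who == "owner@":
        return p.uid == owner_uid
    if ace.who == "group@":
        return owner_gid == p.gid or owner_gid in p.groups
    ident = names.get(ace.who)
    if ident is None:
        return False            # unknown name can never match
    if ace.who.startswith("user:"):
        return p.uid == ident
    return ident == p.gid or ident in p.groups


def permitted(aces, p, owner_uid, owner_gid, names, bit="r"):
    """Walk ACEs in order; the first applicable ACE naming `bit` decides.
    Returns (allowed, deciding principal)."""
    for ace in aces:
        if bit in ace.perms and ace_applies(ace, p, owner_uid, owner_gid, names):
            return ace.kind == "allow", ace.who
    return False, "no matching ACE (implicit deny)"


OWNER_UID = 3000            # constructed: owner uid of the directory
OWNER_GID = 4001            # "# group: 4001" in the ACL header
NAMES = {                   # constructed numeric ids for named principals
    "group:builtin_administrators": 545,
    "group:guests": 4002,
}
IMMICH = Principal(3008, 4001, frozenset({4001, 568}))      # from `id` in the container
NOBODY = Principal(65534, 65534, frozenset({65534}))         # constructed
NOBODY_IN_4001 = Principal(65534, 65534, frozenset({65534, 4001}))  # after the workaround
GUEST = Principal(4500, 4002, frozenset({4002}))             # constructed

# Constructed variant: an explicit deny placed first, to show ordering matters.
DENY_FIRST = "group:guests:r-----a-R-c--s:-------:deny\n" + ACL_TEXT


def read_verdict(acl_text, principal, names=NAMES):
    return permitted(parse_acl(acl_text), principal, OWNER_UID, OWNER_GID, names)


if __name__ == "__main__":
    for label, p in (("immich", IMMICH), ("nobody", NOBODY), ("nobody+4001", NOBODY_IN_4001)):
        print(label, read_verdict(ACL_TEXT, p))
    print("guest, deny first", read_verdict(DENY_FIRST, GUEST))
```

Two things the output makes concrete: a member of 4001 is decided by group@ before everyone@ is ever consulted, which is why adding nobody to 4001 made the read succeed, and a deny ACE only blocks the identities it names, so an earlier `group:guests ... deny` leaves the 3008:4001 identity untouched. Anything not granted by any ACE, such as write for nobody, falls through to the implicit deny.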