Problem running Jellyfin app with non-app user and direct media mount

On TrueNAS Scale v25.04.2.4 I am trying to set up Jellyfin to run under a dedicated jellyfin user and directly mount my media files that are stored in an existing dataset that is configured as an SMB share. My reasoning is that I don’t want to incur the extra protocol overhead of SMB compared to a direct mount of the dataset to the container.

I have created a jellyfin user and jellyfin group (UID: 2500, GID: 2500). All of my media is owned by group media. The jellyfin user has been added to both the media group and the apps group.

I have created an apps dataset that contains a jellyfin dataset. Within the jellyfin dataset there are two folders cache and config that are both owned by jellyfin:jellyfin. For example, this results in the config folder having the absolute path /mnt/pool0/apps/jellyfin/config.

When I launch the Jellyfin app I set the User and Group configuration to UID:2500 and GID:2500. For storage I set:

  • config storage: Host path set to the path /mnt/pool0/apps/jellyfin/config
  • cache storage: Host path set to the path /mnt/pool0/apps/jellyfin/cache
  • additional storage: Host path set to the path /mnt/pool0/smb/video, with the read-only checkbox selected.

With this setup, the Jellyfin app launches and I can see the config and cache folders are being populated by jellyfin. In the Jellyfin web UI, when I add the video path as a library in Jellyfin I use the in-container mount point /media/truenas/pool0/video.

No media is found by Jellyfin from the additional storage mount. When I launch a shell in the Jellyfin container and try to ls /media/truenas/pool0 I can see the contents of the directory. When I try ls /media/truenas/pool0/video/ I get a permission denied error. The UID of the user running the shell is 2500.

I have set the ACL on the smb dataset to allow Traverse for @everyone and allow Modify for the media group.

Does anyone have suggestions on how to resolve this issue?
I am not sure if this is simply a permission that I haven’t set correctly, or something else.

I have read some forum comments suggesting that accessing an SMB share as a host mount leads to problems. Is this accurate information?

Thanks in advance.

It seems that if I launch the Jellyfin app with the UID=jellyfin and GID=media then the user in the docker container has a primary group of media. This matches the correct permissions to allow access to the media files mounted as a host mount.

I would prefer to launch the Jellyfin app with UID=jellyfin GID=jellyfin with additional groups set to media so that the docker container is launched with the user as a member of the media group.

Is the TrueNAS community responsible for changing the app template, or is this handled by the Jellyfin community?

File a bug report or enhancement request on the truenas GitHub.

Now that I understand what is happening, this use-case looks like a small enhancement to the app template for Jellyfin.

Issue filed: [Enhancement]: Support supplemental groups for Jellyfin app · Issue #3478 · truenas/apps · GitHub

I deleted my Jellyfin app instance, deleted the config and cache files, then re-launched using UID=2500 (jellyfin) and GID=3000 (media). This has resolved the permissions issues.

The jellyfin config and cache files are being created with jellyfin:jellyfin ownership. This seems weird but is working with the host mounted dataset.

I’m leaving the GitHub issue open because explicitly setting the primary group and supplemental groups in the container would make this a lot more intuitive to set up.

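Added example, not part of the original posts: a small shell check to run from a shell inside the container, comparing the group IDs the running process actually holds with the owning group of the mounted media directory. The function names are hypothetical, it assumes a `stat` that supports `-c` (GNU coreutils or BusyBox), and it only looks at the owning group, not at individual ACL entries.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# has_gid GID "LIST": succeed if GID appears in the space-separated LIST.
has_gid() {
    want=$1
    for g in $2; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# proc_groups: primary GID plus supplementary GIDs of the running process.
# `id -G` with no user argument reports the process credentials. It does
# not look up group membership by user name, so memberships that exist
# only in the host's group database do not appear here.
proc_groups() {
    id -G
}

# diagnose PATH [GIDS]: compare the owning group of PATH with GIDS
# (defaults to the current process's groups).
# Returns 0 if held, 1 if missing, 2 if PATH cannot be stat'ed.
diagnose() {
    path=$1
    groups=${2:-$(proc_groups)}
    owner_gid=$(stat -c '%g' "$path") || return 2
    if has_gid "$owner_gid" "$groups"; then
        echo "ok: process holds gid $owner_gid (owning group of $path)"
        return 0
    fi
    echo "missing: process groups [$groups] do not include gid $owner_gid"
    return 1
}

# Usage inside the container, with the mount point from the thread:
#   sh check.sh /media/truenas/pool0/video
if [ $# -gt 0 ]; then
    diagnose "$1"
fi
```

With the values from the thread, a process started as 2500:2500 would report only gid 2500, while one started as 2500:3000 would report gid 3000.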