[Solved] Permissions/ACL sonarr & radarr "Couldn't import" because "Access to the path is denied"

TrueNAS General
1

My sonarr and radarr logs are full of messages like this:

Couldn’t import episode /media/downloads/sabnzbd/complete/The.Show.2024.06.17/The.Show.2024.06.17.mkv: Access to the path ‘/media/downloads/sabnzbd/complete/The.Show.2024.06.17/The.Show.2024.06.17.mkv’ is denied.

I’m running TrueNAS-13.0-U6.1 with a jail named dvr5 that has sabnzbd, sonarr, and radarr installed.
Another jail is running my plex media server.
dvr5 has a mount point defined source = /mnt/Deepend/Videos-dataset and Destination = /mnt/Deepend/iocage/jails/dvr5/root/media

Sabnzbd is able to create files & directories using
Temporary Download Folder = /media/downloads/sabnzbd/incomplete
Completed Download Folder = /media/downloads/sabnzbd/complete
but radarr and sonarr aren’t able to import them

I followed [HOW TO] Install and configure sonarr, radarr, transmission and sabnzbd (11.3-U3.2) | TrueNAS Community
More or less.

In particular I created a ‘media’ user and group in Truenas with GID=UID=8675309.
In the Jail I’ve also created a media user with the same GID
pw useradd media -n media -u 8675309 -d /home/media -s /usr/local/bin/zsh

dvr5# ls -alhd /media/TV-Shows
dr-xrwxr-x+ 238 972 media 238B Jun 15 16:38 /media/TV-Shows

dvr5# ls -alh /media/downloads/sabnzbd/
total 226
dr-xrwxr-x+ 4 media media 4B Dec 31 2020 .
dr-xrwxr-x+ 3 media media 3B Jun 15 10:25 …
dr-xrwxr-x+ 204 media media 205B Jun 21 09:27 complete
dr-xrwxr-x+ 2 media media 2B Jun 21 09:27 incomplete

I changed sabnzbd, sonarr and radarr to run as this media username
chown -R media:media /usr/local/sabnzbd /usr/local/share/sabnzbd
sysrc ‘sabnzbd_user=media’
sysrc ‘sabnzbd_group=media’
chown -R media:media /usr/local/sonarr /usr/local/share/sonarr
sysrc ‘sonarr_user=media’
chown -R media:media /usr/local/radarr /usr/local/share/radarr
sysrc ‘radarr_user=media’

What works:

  • I can connect from my laptop and have read & write permissions to the folders.
  • If I ‘iocage exec dvr5’ I can su to media and read & write the local /media/ folders
  • sabnzbd can queue up new shows and write them to /media/downloads/sabnzbd/complete/…

What doesn’t work:

  • sonarr (&radarr) can’t Import the files or rename them.
  • because this they don’t get moved to the /media/TV-Shows and so plex doesn’t see them.

Random observation:

  • Within the jail if I su to sonarr I’m able to change the ownership of a downloaded file and then sonarr happily sees it and moves it to the /media/TV-Shows directory where plex can find it.
  • Trying the same as the media user it says “Operation not permitted”

It seems like I may have found the problem… From the shell (but not in the jail)

Myserver# getfacl /mnt/Deepend/Videos-dataset/downloads/sabnzbd/complete/test

file: /mnt/Deepend/Videos-dataset/downloads/sabnzbd/complete/test

owner: media

group: media

     user:972:rwxpDdaARWcCos:fd----I:allow
       group@:rwxpDdaARWcCos:fd----I:allow
    everyone@:r-x---a-R-c---:fd----I:allow
    everyone@:--------------:fd----I:allow

There isn’t a UID=972 in the system though. Once I changed the ACL to be owned by media (UID=8675309) it seems like that fixed my problem.