How to give Jellyfin read-only access?

HerrRay

Dabbler
Joined
Oct 4, 2022
Messages
15
Just a short question about how to install Jellyfin the right way, using a vanilla install of TrueNAS-SCALE-22.12.3.3 (for now as a virtual machine in VMware) and the current Jellyfin app. In the settings for Jellyfin, I can add "Additional Storage" enabling Jellyfin to see my media dataset, but I can't seem to find how to make that read-only... What am I missing?
 
Joined
Oct 22, 2019
Messages
3,641
You can use ACL to limit the jellyfin user to read-only permissions for that dataset. (Or whatever user runs the Jellyfin process.)
 

HerrRay

Dabbler
Joined
Oct 4, 2022
Messages
15
> You can use ACL to limit the jellyfin user to read-only permissions for that dataset. (Or whatever user runs the Jellyfin process.)

Thanks for your reply... I tried that (I think the app user runs the Jellyfin process) but still a Jellyfin-admin user (within Jellyfin itself I mean) can delete files... but perhaps I did something wrong with using ACL...
 

HerrRay

Dabbler
Joined
Oct 4, 2022
Messages
15
OK, here's a longer post to describe what I mean in more detail. I'm just starting out with TrueNAS related things, so chances are I'm doing things wrong... I did the following, all in a test environment:

- create a vanilla install of TrueNAS-SCALE-22.12.3.3

- create a pool for my media called "mediapool" (two mirrored disks)

- create a pool for app data called "appdatapool" (two mirrored disks)

- create an SMB share type dataset on "mediapool" called "movies"

- create an Apps share type dataset on "appdatapool" called "appdata_jellyfin"

- create a user in Credential -> Local Users with the standard settings

- create an SMB share with the path "/mnt/mediapool/movies" and subsequent name "movies", having it turn on automatically

(at this point I could log in with this user from another machine and copy files to the "movies" dataset)

- go to Apps, choose the "appdatapool" for Apps

- go to Apps -> Settings -> Advanced Settings and disable "Host Path Safety Checks"

- go to Apps and install Jellyfin from the existing catalog with the following settings: use the "/mnt/appdatapool/appdata_jellyfin" path for config and cache storage, use "emptyDir" in memory for transcode storage, and add additional storage with my existing "/mnt/mediapool/movies" as host path, and "/movies" as mount path. After a while, Jellyfin is active.

- set up Jellyfin with an admin user (within Jellyfin I mean), and a movie library pointing to "/movies" in such a way that Jellyfin does not get movie data from the internet or write any data (like nfo files) to the movies dataset

- in the TrueNAS interface, go to the movies dataset and edit permissions

- then in the Edit ACL screen, add an item, choose the "apps" user, set permissions to read, save ACL

- now connect using the local user to the SMB share, and copy a directory with therein another directory with therein a movie (in this case just a random mkv file for testing purposes)

- have Jellyfin do a library scan, and the movie indeed shows up

- in the Jellyfin interface, go to that movie (as the Jellyfin admin user) and try to delete the movie using the submenu...


And there you have it, to my surprise it deletes the movie with its enclosing directory, whereas I saved the ACL for the "apps" user within TrueNAS as "read".

I totally assume I'm doing something wrong, but I don't know what...
 
Joined
Oct 22, 2019
Messages
3,641
Can you post the command-line output of the ACL for /mnt/mediapool/movies and as well for a subfolder?

Someone who runs SCALE might better know the inner-workings of "Apps" and the user that runs such processes.

For comparison in Core, I can add the "mountpoint" /mnt/mediapool/movies as read-only for my Jellyfin jail. No need to even bother with ACLs or permissions. Is there such an option for the App's media "Path"?
 

voodoo5_6k

Dabbler
Joined
Jan 20, 2017
Messages
17
I was wondering the same thing a few days ago. From what I saw, this app just changes(!) the dataset ACL. It changes the owner of the mounted dataset from root:root to apps:apps. There's not even a notification.

I wanted to test Jellyfin, and had added the apps user to a read-only group. Disabled the SMB share and mounted the dataset as host path. Everything worked, and then I wanted to remove an item from the library. Jellyfin said it would also delete it. I didn't think much of it (as I only gave read-only permissions to the apps user). But when a rescan wouldn't find the item, I looked at the actual dataset, and the folder was gone. Then I looked at permissions, and to my surprise the owner was apps:apps. I changed it back to root:root. But when stopping and re-deploying Jellyfin, it is changed back to apps:apps. Again, no notification or anything. At that point, I stopped the application and removed it.

This is on TrueNAS SCALE 22.12.3.3. Looks reproducible. And seems not right.

Maybe that's what happened to the OP too?
 
Joined
Oct 22, 2019
Messages
3,641
This just makes me so glad to be on Core...

Nice and simple, and sure you need to have a little know-how about the command-line, but it's worth it.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> I was wondering the same thing a few days ago. From what I saw, this app just changes(!) the dataset ACL. It changes the owner of the mounted dataset from root:root to apps:apps. There's not even a notification.
>
> I wanted to test Jellyfin, and had added the apps user to a read-only group. Disabled the SMB share and mounted the dataset as host path. Everything worked, and then I wanted to remove an item from the library. Jellyfin said it would also delete it. I didn't think much of it (as I only gave read-only permissions to the apps user). But when a rescan wouldn't find the item, I looked at the actual dataset, and the folder was gone. Then I looked at permissions, and to my surprise the owner was apps:apps. I changed it back to root:root. But when stopping and re-deploying Jellyfin, it is changed back to apps:apps. Again, no notification or anything. At that point, I stopped the application and removed it.
>
> This is on TrueNAS SCALE 22.12.3.3. Looks reproducible. And seems not right.
>
> Maybe that's what happened to the OP too?

Is JellyFin from the official (iX) charts repo or TrueCharts? I don't see it with the official iX app. Do note that we do not vet third-party charts repos for whether they do sane / safe things (which is why there should be a large disclaimer popup in the TrueNAS webui when enabling one).
 

dreamweb

Cadet
Joined
Oct 3, 2023
Messages
2
> I was wondering the same thing a few days ago. From what I saw, this app just changes(!) the dataset ACL. It changes the owner of the mounted dataset from root:root to apps:apps. There's not even a notification.
>
> I wanted to test Jellyfin, and had added the apps user to a read-only group. Disabled the SMB share and mounted the dataset as host path. Everything worked, and then I wanted to remove an item from the library. Jellyfin said it would also delete it. I didn't think much of it (as I only gave read-only permissions to the apps user). But when a rescan wouldn't find the item, I looked at the actual dataset, and the folder was gone. Then I looked at permissions, and to my surprise the owner was apps:apps. I changed it back to root:root. But when stopping and re-deploying Jellyfin, it is changed back to apps:apps. Again, no notification or anything. At that point, I stopped the application and removed it.
>
> This is on TrueNAS SCALE 22.12.3.3. Looks reproducible. And seems not right.
>
> Maybe that's what happened to the OP too?

confirming this behavior for the original iX provided jellyfin on Scale 22.12.3.3

issue reproduction steps:
  1. install scale 22.12.3.3, no additional config or repo
  2. create dataset with root:root ownership, 755 rights
  3. install Jellyfin from default Application catalog
  4. add additional storage as Host path to Jellyfin, aiming to mentioned dataset
  5. save, jellyfin redeploys
  6. boom, ownership of dataset is app:app

when Jellyfin init container does its preparation, it apparently chowns Host path folder. it is also seen in log of the pod.

is that expected behavior?
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
From the Jellyfin chart description:

> When application is installed, a container will be launched with root privileges. This is required in order to apply the correct permissions to the Jellyfin directories. Afterward, the Jellyfin container will run as a non-root user (Default: 568). All mounted storage(s) will be chowned only if the parent directory does not match the configured user.
 

dreamweb

Cadet
Joined
Oct 3, 2023
Messages
2
> From the Jellyfin chart description:

also from chart description:

> All mounted storage(s) will be chowned only if the parent directory does not match the configured user.

which parent directory are we talking about? even if I make the mentioned dataset apps:apps owned and have root owned sub folders below, init container chowns again recursively all. or do I need to keep proper ownership all the way up to the mount root?
maybe it is desired behaviour, but feels a little bit dangerous to the media files of unsuspecting users.
 
Joined
Oct 22, 2019
Messages
3,641

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Huh. Interesting. It reminds me of this from earlier.
>
> I'll see myself out...

No need to see yourself out, there are areas of the product where I am not an SME. If I see something that I think is incorrect behavior I ask for more details and then throw it at the dev in charge of that area. Most of my interactions on the forums are scouting for bugs to fix.
 
Joined
Oct 22, 2019
Messages
3,641
I'll see myself back in...

I realize it doesn't address the issue of "automatically changing the ownership", but will this not work?

(I don't use SCALE, so I cannot provide a more up-to-date screenshot.)

[Attached screenshot: read-only.png]
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
> which parent directory are we talking about? even if I make the mentioned dataset apps:apps owned and have root owned sub folders below, init container chowns again recursively all.

That sounds a little bit unexpected. As @anodos mentioned we're gathering information here to engage with the correct members of dev team on the back-end.

> I realize it doesn't address the issue of "automatically changing the ownership", but will this not work?

Jellyfin doesn't have the read-only mount option at present for additional storage.

[Attached screenshot: 1696364504634.png]
 

HerrRay

Dabbler
Joined
Oct 4, 2022
Messages
15
> Can you post the command-line output of the ACL for /mnt/mediapool/movies and as well for a subfolder?
>
> Someone who runs SCALE might better know the inner-workings of "Apps" and the user that runs such processes.
>
> For comparison in Core, I can add the "mountpoint" /mnt/mediapool/movies as read-only for my Jellyfin jail. No need to even bother with ACLs or permissions. Is there such an option for the App's media "Path"?

Sorry for the delay (time difference, I'm in Japan). Command-line output (I hope I used the correct command):

```
admin@truenas[/mnt/mediapool]$ nfs4xdr_getfacl /mnt/mediapool/movies
# File: /mnt/mediapool/movies
# owner: 568
# group: 568
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
user:apps:r-x---a-R-c---:fd-----:allow
admin@truenas[/mnt/mediapool]$ nfs4xdr_getfacl /mnt/mediapool/movies/TestDirector
# File: /mnt/mediapool/movies/TestDirector
# owner: 3000
# group: 568
# mode: 0o40770
# trivial_acl: false
# ACL flags: none
owner@:rwxpDdaARWcCos:fd----I:allow
group@:rwxpDdaARWc--s:fd----I:allow
group:builtin_users:rwxpDdaARWc--s:fd----I:allow
group:builtin_administrators:rwxpDdaARWcCos:fd----I:allow
user:apps:r-x---a-R-c---:fd----I:allow
```

It is Jellyfin from the official (iX) charts repo. And in the current version there's no read-only checkbox in the app's config settings, as someone mentioned before...
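
Added example, not part of the thread and not TrueNAS or Jellyfin code: the ACL output posted above, parsed and evaluated in NFSv4 ACE order to show which entries apply to the identity the container runs as. It assumes uid 568 is the apps user with primary group 568 and no other group memberships; `parse`, `effective` and `apps_rights` are hypothetical helper names.

```python
import re
# ACLs as posted in the thread (unused header lines omitted). Assumed: apps = uid 568, gid 568.
ACL_OUTPUT = """\
# File: /mnt/mediapool/movies
# owner: 568
# group: 568
owner@:rwxpDdaARWcCos:fd-----:allow
group@:rwxpDdaARWc--s:fd-----:allow
group:builtin_users:rwxpDdaARWc--s:fd-----:allow
group:builtin_administrators:rwxpDdaARWcCos:fd-----:allow
user:apps:r-x---a-R-c---:fd-----:allow
# File: /mnt/mediapool/movies/TestDirector
# owner: 3000
# group: 568
owner@:rwxpDdaARWcCos:fd----I:allow
group@:rwxpDdaARWc--s:fd----I:allow
group:builtin_users:rwxpDdaARWc--s:fd----I:allow
group:builtin_administrators:rwxpDdaARWcCos:fd----I:allow
user:apps:r-x---a-R-c---:fd----I:allow
"""

def parse(text):  # -> {path: {"owner": uid, "group": gid, "aces": [(who, perms, type)]}}
    files, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"# File: (.+)", line):
            cur = files.setdefault(m.group(1), {"aces": []})
        elif m := re.match(r"# (owner|group): (\d+)", line):
            cur[m.group(1)] = int(m.group(2))
        elif line and not line.startswith("#"):
            who, perms, _flags, kind = line.rsplit(":", 3)
            cur["aces"].append((who, set(perms) - {"-"}, kind))
    return files

def effective(entry, uid, gids, names):
    """NFSv4 order: the first matching ACE that mentions a bit decides it."""
    granted, denied = set(), set()
    for who, perms, kind in entry["aces"]:
        hit = (who in names or who == "everyone@"
               or (who == "owner@" and uid == entry["owner"])
               or (who == "group@" and entry["group"] in gids))
        if hit and kind == "allow":
            granted |= perms - denied
        elif hit:  # deny ACE
            denied |= perms - granted
    return granted

def apps_rights(uid=568, gids=(568,), names=("user:apps",)):
    return {p: effective(e, uid, gids, names) for p, e in parse(ACL_OUTPUT).items()}
```

With the posted ownership, uid 568 matches `owner@` on the dataset root and `group@` on the subfolder, so the result includes `w`, `D` and `d` on both paths; the `user:apps` entry on its own would yield only `r`, `x`, `a`, `R` and `c`.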
 

voodoo5_6k

Dabbler
Joined
Jan 20, 2017
Messages
17
> Is JellyFin from the official (iX) charts repo or TrueCharts? I don't see it with the official iX app. Do note that we do not vet third-party charts repos for whether they do sane / safe things (which is why there should be a large disclaimer popup in the TrueNAS webui when enabling one).

From the default/official repository.

> From the Jellyfin chart description:

Thanks. Hadn't seen that. Although I still find this behaviour slightly odd. Why would it need to be owner of mounted data/media storage, without any possibility for read-only permissions?

> Jellyfin doesn't have the read-only mount option at present for additional storage.

Yeah, that I had seen ;) But e.g. emby does, from what I recall. Would it be possible to allow that here too? Just asking for the general public, as what I wanted Jellyfin to do it isn't capable of, and currently, I have no luck of even getting any response at all from their dev team regarding that feature and its possible implementation. So, Jellyfin is dead to me anyhow, for the time being.

Thank you all.
 
Joined
Oct 22, 2019
Messages
3,641
(Also, excellent choice of pseudonym - I still have my original Voodoo 4MB.)
Nostalgic! :grin:

To show you how far I've come, I used to think the "size" moniker was the size used up on your hard drive when you installed the driver. So a 4MB graphics card takes up 4MB of space. Then I later believed that you could "upgrade" your card's capability by finding a larger driver to download.

"That Voodoo card you just bought is only 4MB? Can't we upgrade it to 8MB with a third-party driver?"
 

voodoo5_6k

Dabbler
Joined
Jan 20, 2017
Messages
17
> (Also, excellent choice of pseudonym - I still have my original Voodoo 4MB.)

Hey, great :) Always cool to meet some fellow old-school-gamer ;) I too still have my old Voodoo Graphics (Diamond Monster 3D), and also the Voodoo2 12MB SLI combo, Voodoo3, Voodoo5 5500, and also one 6000 Rev 3700A prototype (with PCI rework, and therefore, fully functional, at least on the right motherboard). Couldn't let go of this stuff...

Also thanks for looking into the Jellyfin "issue".
 