2025-01-22, 12:40 AM
Seems straightforward enough. A rule of thumb is to avoid giving additional permissions to containers if they're not needed. I call it the tenet of least access. If these are working without providing access to the host network, there's no need to do so. I have one container with host networking enabled: Pi-hole. All of the others use bridge network (not an amazing practice, but not super harmful). Not sure we have any professional Docker folks here, but most of us who use Docker have similar setups.
Code:
-p 7359/udp Optional - Allows clients to discover Jellyfin on the local network.
-p 1900/udp Optional - Service discovery used by DLNA and clients.
You could add your server's IP to the beginning of these if you want to clamp down a little more, but it's not really a huge deal. Another thing you could do is utilize non-standard ports for things so that nobody can scan through and find a Jellyfin instance. You're a relatively low-end target, so again it's not really a big deal.
Jellyfin 10.10.7 LSIO Docker | Ubuntu 24.04 LTS | i7-13700K | Arc A380 6 GB | 64 GB RAM | 79 TB Storage
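Added example, not part of the post above: a small checker for the "add your server's IP to the beginning" advice, which reads `docker run -p` values, reports which ones publish on every host interface, and prints the IP-pinned form. The address 192.0.2.10, the 8096 and 8920 mappings, and all function names are constructed for illustration; only the 7359/udp and 1900/udp specs come from the post.

```python
import ipaddress

def parse_publish(spec):
    """Parse a docker -p value: [host_ip:][host_port:]container_port[/proto]."""
    body, _, proto = spec.partition("/")
    host_ip = ""
    if body.startswith("["):                      # bracketed IPv6 host address
        host_ip, _, body = body[1:].partition("]")
        body = body[1:]                           # drop the ':' after ']'
    parts = body.split(":")
    if len(parts) == 3 and not host_ip:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1 and not host_ip:
        host_port, container_port = "", parts[0]  # container port only
    else:
        raise ValueError(f"unrecognised publish spec: {spec!r}")
    if host_ip:
        ipaddress.ip_address(host_ip)             # raises ValueError if malformed
    return host_ip, host_port, container_port, proto or "tcp"

def scope(spec):
    """Classify where the published port listens on the host."""
    host_ip = parse_publish(spec)[0]
    if not host_ip or ipaddress.ip_address(host_ip).is_unspecified:
        return "all-interfaces"                   # no IP, 0.0.0.0 or ::
    return "loopback" if ipaddress.ip_address(host_ip).is_loopback else "pinned"

def pin(spec, server_ip):
    """Rewrite a spec so it binds only to server_ip (ip::port keeps a random host port)."""
    _, host_port, container_port, proto = parse_publish(spec)
    ip = ipaddress.ip_address(server_ip)
    host = f"[{ip}]" if ip.version == 6 else str(ip)
    return f"{host}:{host_port}:{container_port}/{proto}"

def audit(specs, server_ip):
    """Return (spec, scope, suggested_spec_or_None) for each -p value."""
    return [(s, scope(s), pin(s, server_ip) if scope(s) == "all-interfaces" else None)
            for s in specs]

SERVER_IP = "192.0.2.10"  # constructed LAN address (documentation range)
SPECS = ["7359/udp", "1900/udp", "8096:8096", "192.0.2.10:8920:8920"]  # last two constructed

if __name__ == "__main__":
    for spec, where, fix in audit(SPECS, SERVER_IP):
        print(f"-p {spec:<22} {where:<15} {'-> -p ' + fix if fix else 'ok'}")
```

A spec with only a container port, such as `7359/udp`, is published on a random host port on all interfaces, which is why it is reported alongside the unpinned `8096:8096`.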