
    Jellyfin Docker Permissions

    Jellyfin Permission problems while setting up GPU acceleration
    erik15
    Offline

    Junior Member

    Posts: 6
    Threads: 1
    Joined: 2023 Aug
    Reputation: 0
    #1
    2023-08-28, 12:03 PM
    I run Jellyfin in a Docker container on a Linux server with the --user option as 1000:1000 (my non-root user).

    I followed the guide for GPU acceleration with NVIDIA, but ran into a problem on the last steps.
    When I try to run docker exec -it jellyfin ldconfig I get an error that I don't have permission.
    I kinda solved the problem by removing the --user option and running as root, but this isn't so secure. Everything worked fine after that.

    Is there a way to run that command without running as root, with my previous --user setting?
    bitmap
    Offline

    Community Moderator

    Posts: 776
    Threads: 9
    Joined: 2023 Jul
    Reputation: 24
    #2
    2023-08-28, 03:51 PM
    Does ldconfig need sudo/root access to run or just access to render/video whatever groups your card is part of in your system?
    Jellyfin 10.10.7 LSIO Docker | Ubuntu 24.04 LTS | i7-13700K | Arc A380 6 GB | 64 GB RAM | 79 TB Storage

    erik15
    #3
    2023-08-28, 04:44 PM
    Not sure, but when I use the CLI command "sudo docker run ... --user 1000:1000" it has the problem. When I remove the user option it works fine. I haven't added my server user to the docker group; I use sudo. I also have added him to the video group. I think it's with privileges inside the container, but I don't know how to fix it.
    erik15
    #4
    2023-08-28, 05:34 PM
    (2023-08-28, 03:51 PM)bitmap Wrote: Does ldconfig need sudo/root access to run or just access to render/video whatever groups your card is part of in your system?

    When I run "sudo docker exec -it jellyfin ldconfig" I get this error:

    "ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied"

    Also get an error for running "sudo docker exec -it jellyfin nvidia-smi" too:

    "Failed to initialize NVML: Insufficient Permissions"
    bitmap
    #5
    2023-08-28, 11:05 PM
    So you're running sudo docker exec, which isn't what you want. Because inside the container is a completely different file system layer, it has different permissions. You could technically run:

    Code:
    docker exec -it jellyfin /bin/bash

    And then go in and try to run ldconfig or nvidia-smi. It seems like a permissions issue. Looking at the hardware acceleration documentation, I'm wondering if there was a step missed or something like that. So taking a step back, I have a few troubleshooting requests... 

    1. Could you post (using the code block tool and not a quick post, preferably) your redacted docker run command or compose file? 
    2. Also confirm that you installed the NVIDIA driver and container toolkit (steps 1 and 2 in the virtualized hardware acceleration guide). 
    3. Maybe confirm your user and group IDs by running ID and ensuring that your user and group ID numbers match 1000:1000 and not something else (I've never had them be 1000:1000).

    Hopefully that'll put us on the right path...
    erik15
    #6
    2023-08-30, 05:45 PM
    (2023-08-28, 11:05 PM)bitmap Wrote: So you're running sudo docker exec, which isn't what you want. Because inside the container is a completely different file system layer, it has different permissions. You could technically run:

    Code:
    docker exec -it jellyfin /bin/bash

    And then go in and try to run ldconfig or nvidia-smi. It seems like a permissions issue. Looking at the hardware acceleration documentation, I'm wondering if there was a step missed or something like that. So taking a step back, I have a few troubleshooting requests... 

    1. Could you post (using the code block tool and not a quick post, preferably) your redacted docker run command or compose file? 
    2. Also confirm that you installed the NVIDIA driver and container toolkit (steps 1 and 2 in the virtualized hardware acceleration guide). 
    3. Maybe confirm your user and group IDs by running ID and ensuring that your user and group ID numbers match 1000:1000 and not something else (I've never had them be 1000:1000).

    Hopefully that'll put us on the right path...

    I can only run 
    Code:
    docker exec -it jellyfin /bin/bash
    with sudo.

    After that, that's what I tried:

    Code:
    I have no name!@myhomeserver:/$ groups
    groups: cannot find name for group ID 1000
    1000
    I have no name!@myhomeserver:/$ id
    uid=1000 gid=1000 groups=1000
    I have no name!@myhomeserver:/$ who

    Code:
    I have no name!@myhomeserver:/$ ldconfig
    ldconfig: Can't create temporary cache file /etc/ld.so.cache~: Permission denied
    I have no name!@myhomeserver:/$ su
    Password:
    su: Authentication failure

    Also my user on the server has 1000:1000 but he's not in the docker group, and I don't know the password for su inside the Jellyfin container.

    My yml file:

    Code:
    version: '3.5'
    services:
      jellyfin:
        image: jellyfin/jellyfin
        container_name: jellyfin
        user: 1000:1000
        network_mode: 'host'
        volumes:
          - /home/erik/srv/jellyfin/config:/config
          - /home/erik/srv/jellyfin/cache:/cache
          - /home/erik/Media:/media
        restart: 'unless-stopped'
        runtime: nvidia
        deploy:
          resources:
            reservations:
              devices:
                - capabilities: [gpu]

    I comment out the user for GPU acceleration to work.
    bitmap
    #7
    2023-08-30, 06:19 PM
    Okay, so you don't have a docker group that you added to avoid sudo, which is fine. Not a big deal, more of an annoyance for you.

    Your last line might lead you to the answer here -- you generally shouldn't (most times can't) swap between users running the docker container. If you don't specify a user, generally containers don't run as root, they have a user set up inside the container to run as a preset UID/GID that works with the services inside the container. Setting a user/group changes those IDs to match so that file/group permissions work properly with your existing infrastructure. So by giving your user access to the card, then commenting out that information to try and get the card to work, you're muddling things pretty hard.

    Looking at your id command output, you don't seem to have access to the video/render group, which means you don't have access to your video card, which could explain why you can't access it in the docker container. Step 4 of the docker guide explicitly states that you should add your user (on the host) to the correct group.

    Skipping steps is the primary reason HWA didn't work for me, even if I swore I hit every step previously. Even if you think you don't need something. Note that this last step you're trying to do is just updating dynamic links, per the guide. Follow the guide, step-by-painstaking-step. You need to start, run, and keep the container run by the same user in perpetuity unless you plan to have a full changeover for the foreseeable future. A momentary change can destroy access to your files, databases, etc. So I'd recommend making the correct steps to ensure your user has the right access. The guide walks you through this.
    erik15
    #8
    2023-08-30, 11:37 PM (This post was last modified: 2023-08-30, 11:38 PM by erik15. Edited 1 time in total.)
    (2023-08-30, 06:19 PM)bitmap Wrote: Okay, so you don't have a docker group that you added to avoid sudo, which is fine. Not a big deal, more of an annoyance for you.

    Your last line might lead you to the answer here -- you generally shouldn't (most times can't) swap between users running the docker container. If you don't specify a user, generally containers don't run as root, they have a user set up inside the container to run as a preset UID/GID that works with the services inside the container. Setting a user/group changes those IDs to match so that file/group permissions work properly with your existing infrastructure. So by giving your user access to the card, then commenting out that information to try and get the card to work, you're muddling things pretty hard.

    Looking at your id command output, you don't seem to have access to the video/render group, which means you don't have access to your video card, which could explain why you can't access it in the docker container. Step 4 of the docker guide explicitly states that you should add your user (on the host) to the correct group.

    Skipping steps is the primary reason HWA didn't work for me, even if I swore I hit every step previously. Even if you think you don't need something. Note that this last step you're trying to do is just updating dynamic links, per the guide. Follow the guide, step-by-painstaking-step. You need to start, run, and keep the container run by the same user in perpetuity unless you plan to have a full changeover for the foreseeable future. A momentary change can destroy access to your files, databases, etc.. So I'd recommend making the correct steps to ensure your user has the right access. The guide walks you through this.

    The id command was run while I was inside the container when I ran "docker exec jellyfin /bin/bash/"

    This is my actual id command on my server user:
    Code:
    uid=1000(erik) gid=1000(erik) groups=1000(erik),10(wheel),27(video),28(render),100(users)

    And groups command:
    Code:
    wheel video render users erik

    and nvidia-smi works fine on my server user.

    I already had my server user in the video group and just added him to the render group, but it didn't work.
    Also thanks for helping me work this out.
    1
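
The `id` output in post #6 (inside the container, `groups=1000`) and in post #8 (on the host, including `video` and `render`) differ because a process started with a numeric `user: 1000:1000` gets only the GID it was given, not the host account's supplementary groups. The following is an added example, not part of any post in this thread, that parses those two `id` lines and lists the host GIDs the container process lacks; the function names are hypothetical, and whether those groups actually own the GPU device nodes on a given host is an assumption to check with `ls -l` on the devices.

```sh
#!/bin/sh
# Added example (not from the thread). The two sample lines are the `id`
# outputs quoted in post #8 (host) and post #6 (inside the container).
HOST_ID='uid=1000(erik) gid=1000(erik) groups=1000(erik),10(wheel),27(video),28(render),100(users)'
CONTAINER_ID='uid=1000 gid=1000 groups=1000'

# Print "gid name" per line for the groups= field of one `id` line.
# Entries without a name (as inside the container) get "-" as the name.
id_groups() {
    printf '%s\n' "$1" | sed -n 's/.*groups=\([^ ]*\).*/\1/p' | tr ',' '\n' |
    while IFS= read -r entry; do
        gid=${entry%%"("*}
        case $entry in
            *"("*")") name=${entry#*"("}; name=${name%")"} ;;
            *)        name=- ;;
        esac
        printf '%s %s\n' "$gid" "$name"
    done
}

# missing_gids HOST_ID_LINE CONTAINER_ID_LINE GROUP_NAME...
# Print the GIDs of the named host groups that the container process lacks.
missing_gids() {
    host=$1 container=$2; shift 2
    have=" $(id_groups "$container" | cut -d' ' -f1 | tr '\n' ' ')"
    id_groups "$host" | while read -r gid name; do
        for want in "$@"; do
            [ "$name" = "$want" ] || continue
            case $have in
                *" $gid "*) ;;                    # already held in the container
                *) printf '%s\n' "$gid" ;;        # held on the host only
            esac
        done
    done
}

missing_gids "$HOST_ID" "$CONTAINER_ID" video render
```

Each GID printed is a candidate for a `group_add:` entry in the compose file (or `--group-add` on `docker run`), which grants the group while keeping `user: 1000:1000` instead of falling back to root.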
    bitmap
    #9
    2023-08-31, 06:04 AM (This post was last modified: 2023-08-31, 06:04 AM by bitmap. Edited 1 time in total.)
    Weird question...who owns the files in your persistent volumes for Jellyfin? Your 1000 user? Or a different user? You can try running the container as privileged and see if that works. It's a bit of a security risk, but as a troubleshooting step, it will provide you with an indication of what's going on.

    You may also be able to run the container as privileged, update the dynamic links, remove the privileged line, and everything is peachy. Added the line between container_name and network_mode.

    Code:
    version: '3.5'
    services:
      jellyfin:
        image: jellyfin/jellyfin
        container_name: jellyfin
        privileged: true
        network_mode: 'host'
        volumes:
          - /home/erik/srv/jellyfin/config:/config
          - /home/erik/srv/jellyfin/cache:/cache
          - /home/erik/Media:/media
        restart: 'unless-stopped'
        runtime: nvidia
        deploy:
          resources:
            reservations:
              devices:
                - capabilities: [gpu]
    erik15
    #10
    2023-09-02, 11:31 AM
    (2023-08-31, 06:04 AM)bitmap Wrote: Weird question...who owns the files in your persistent volumes for Jellyfin? Your 1000 user? Or a different user? You can try running the container as privileged and see if that works. It's a bit of a security risk, but as a troubleshooting step, it will provide you with an indication of what's going on.

    You may also be able to run the container as privileged, update the dynamic links, remove the privileged line, and everything is peachy. Added the line between container_name and network_mode.

    Code:
    version: '3.5'
    services:
      jellyfin:
        image: jellyfin/jellyfin
        container_name: jellyfin
        privileged: true
        network_mode: 'host'
        volumes:
          - /home/erik/srv/jellyfin/config:/config
          - /home/erik/srv/jellyfin/cache:/cache
          - /home/erik/Media:/media
        restart: 'unless-stopped'
        runtime: nvidia
        deploy:
          resources:
            reservations:
              devices:
                - capabilities: [gpu]

    I don't have any other user on the server just the erik one and the root.

    Also I think by not using a uid:guid option I am using a privileged user(root) as the jellyfin documentation says.
    https://jellyfin.org/docs/general/instal...container/

    Code:
    Using Docker Compose

    Create a docker-compose.yml file with the following contents. Add in the UID and GID that you would like to run jellyfin as in the user line below, or remove the user line to use the default (root).

    Is this different to "privileged:true"?
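
On the question above: running as root inside the container and `privileged: true` are separate settings, and one visible difference is the effective capability mask (`CapEff`) that the kernel reports in `/proc/<pid>/status`. The following is an added example, not part of any post in this thread, that decodes such a mask; the function names are hypothetical and the three sample masks are typical constructed values, not output from the poster's server.

```sh
#!/bin/sh
# Added example (not from the thread): decode the CapEff hex mask of a process.
# Get a real mask with: docker exec jellyfin grep CapEff /proc/1/status
# Capability names in kernel bit order (bit 0 = CHOWN ... bit 40).
CAPS="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW
IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT
SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE
AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM
BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"

# Print the names of the capabilities set in hex mask $1, space separated.
cap_names() {
    bit=0 out=
    for name in $CAPS; do
        [ $(( (0x$1 >> $bit) & 1 )) -eq 1 ] && out="$out${out:+ }$name"
        bit=$((bit + 1))
    done
    printf '%s\n' "$out"
}

# none       -> no effective capabilities (non-root, e.g. user: 1000:1000)
# restricted -> root with a reduced set (no user: line, no privileged:)
# admin      -> CAP_SYS_ADMIN present, as happens under privileged: true
classify() {
    case " $(cap_names "$1") " in
        "  ")            echo none ;;
        *" SYS_ADMIN "*) echo admin ;;
        *)               echo restricted ;;
    esac
}

# Constructed sample masks: non-root user, Docker's default root set, and a
# full set (the exact width of a full set depends on the kernel version).
for m in 0000000000000000 00000000a80425fb 000001ffffffffff; do
    printf '%s  %-10s  %s\n' "$m" "$(classify "$m")" "$(cap_names "$m")"
done
```

`CapEff` does not show the other things `privileged: true` changes, such as access to all host devices and the relaxed seccomp and AppArmor confinement, so a full mask indicates a privileged container without describing everything it can do.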