The way I have my server structured is an SSD for the boot drive, two NVMe drives in a mirror pool for the services, and five HDDs in a ZFS pool for bulk storage (images, media files, etc.).
I'm trying to set up Immich in an unprivileged LXC. I used the community script to install it, added the storage folder on the host as a mount point, and followed these instructions to change the storage folder to the mounted directory from the host.
The first thing I tried to do to allow Immich to write to the mounted folder was re-mapping the UID and GID for the immich user, using the instructions from the wiki.
This allowed me to write to the mounted folder from the terminal, but crashed the Immich app. I also was unable to edit the Immich configuration file. I believe that re-mapping the IDs must have somehow fundamentally changed the user and denied it the permissions it needed within the container for the app to function.
I also tried adding the immich user to the group on the host that owns the mounted directory.
The mounted directory is a sub-directory of a directory that's set up as a samba share, to allow me to access various files on my Windows laptop, so the group that owns it is called samba_share, with GID 10000.
The immich user in the LXC has UID 999, so I created a user called immich on the host with UID 100999 and added it to the group samba_group.
I checked this with the id function and got this output, suggesting that it worked.
Code:
root@server:~# id -a immich
uid=100999(immich) gid=10000(samba_group) groups=10000(samba_group)
I also checked the access control of the mounted folder (/storage/samba/immich) on the host, which suggests that the group should have write access:
Code:
root@server:~# getfacl /storage/samba/immich/
getfacl: Removing leading '/' from absolute path names
# file: storage/samba/immich/
# owner: samba_user
# group: samba_group
user::rwx
group::rwx
other::r-x
I also checked with the touch command; my understanding is that no output means that it worked:
Code:
root@server:~# sudo -u immich touch /storage/samba/immich/
However, in the LXC I get this result when I try the touch command on the mounted directory:
Code:
root@immich:~# sudo -u immich touch /mnt/immich
touch: setting times of '/mnt/immich': Permission denied
Trying to create a test file in the mounted folder from the terminal also fails, as does trying to upload a photo to the Immich app.
This is the error that shows up in the Immich logs after trying to upload a photo:
Code:
[Nest] 364 - 06/07/2026, 8:26:24 PM ERROR [Api:ErrorInterceptor~iaz98w7o] Unknown error: Error: EACCES: permission denied, mkdir '/mnt/immich/upload/cb44c7c5-7744-4e3b-90bf-bdce30bde524/ca/3a'
Error: EACCES: permission denied, mkdir '/mnt/immich/upload/cb44c7c5-7744-4e3b-90bf-bdce30bde524/ca/3a'
at mkdirSync (node:fs:1350:26)
at StorageRepository.mkdirSync (/opt/immich/app/dist/repositories/storage.repository.js:150:37)
at AssetMediaService.getUploadFolder (/opt/immich/app/dist/services/asset-media.service.js:80:32)
at FileUploadInterceptor.handleFile (/opt/immich/app/dist/middleware/file-upload.interceptor.js:102:66)
at /opt/immich/app/node_modules/.pnpm/multer@2.1.1/node_modules/multer/lib/make-middleware.js:214:17
at FileUploadInterceptor.fileFilter (/opt/immich/app/dist/middleware/file-upload.interceptor.js:88:13)
at wrappedFileFilter (/opt/immich/app/node_modules/.pnpm/multer@2.1.1/node_modules/multer/index.js:45:7)
at Multipart.<anonymous> (/opt/immich/app/node_modules/.pnpm/multer@2.1.1/node_modules/multer/lib/make-middleware.js:183:7)
at Multipart.emit (node:events:509:28)
at HeaderParser.cb (/opt/immich/app/node_modules/.pnpm/busboy@1.6.0/node_modules/busboy/lib/types/multipart.js:358:14)
I'm not sure how important most of that is, but it seems to suggest permissions are still not configured correctly.
Can anyone suggest what I'm doing wrong, or how I can fix it?
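Added example, not part of the original post: a small Python model of how an unprivileged container's ID map and the directory's owner, group and mode combine into the access decision for the bind mount, using the IDs and getfacl output quoted above. The default 100000-offset map, samba_user's UID, the immich user's in-container GID of 999 and the pass-through map are assumptions; the model covers only the base user/group/other bits, not extended ACL entries or root's capabilities.

```python
# Model of how an unprivileged LXC's ID map decides access to a bind mount.
# Entries follow lxc.idmap order: (kind, first container id, first host id, count).
DEFAULT_MAP = [("u", 0, 100000, 65536), ("g", 0, 100000, 65536)]  # assumed default
# Constructed alternative: pass only GID 10000 straight through to the host.
PASSTHROUGH_MAP = [
    ("u", 0, 100000, 65536),
    ("g", 0, 100000, 10000),
    ("g", 10000, 10000, 1),
    ("g", 10001, 110001, 55535),
]

DIR_OWNER_UID = 1000   # samba_user's UID is not given in the post; assumed
DIR_GROUP_GID = 10000  # owning group's GID, from the post
DIR_MODE = 0o775       # user::rwx, group::rwx, other::r-x from getfacl


def to_host(kind, cid, idmap):
    """Translate a container uid/gid to the host id the kernel checks."""
    for k, c_start, h_start, count in idmap:
        if k == kind and c_start <= cid < c_start + count:
            return h_start + (cid - c_start)
    return None  # unmapped: the container cannot hold this id at all


def access_class(uid, gids, owner_uid=DIR_OWNER_UID, group_gid=DIR_GROUP_GID):
    """Pick the permission class that applies: owner, then group, then other."""
    if uid == owner_uid:
        return "user"
    if group_gid in gids:
        return "group"
    return "other"


def can_write(cls, mode=DIR_MODE):
    """True if the write bit is set for the given permission class."""
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    return bool((mode >> shift) & 0o2)


def container_write(c_uid, c_gids, idmap):
    """Host uid, permission class and write result for in-container ids."""
    uid = to_host("u", c_uid, idmap)
    gids = {to_host("g", g, idmap) for g in c_gids}
    cls = access_class(uid, gids)
    return uid, cls, can_write(cls)


if __name__ == "__main__":
    print("host, sudo -u immich:", access_class(100999, {10000}))
    print("container, default map:", container_write(999, {999}, DEFAULT_MAP))
    print("container, GID 10000 passed through:",
          container_write(999, {999, 10000}, PASSTHROUGH_MAP))
```

Group membership recorded in the host's /etc/group is applied when a process is started on the host (as with `sudo -u immich` there); a process started inside the container carries only the container's own group IDs, translated through the map.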