I have a proxmox server and want to map some local paths with media data into an unprivileged container which runs jellyfin.
For years this container has been running more or less fine, but without any id mapping, and therefore jellyfin cannot change the mounted directories.
My aim is to make the mounted files writable by jellyfin.
I introduced idmap, which sets the ownership of the container's mounted directories correctly; the container starts without error.
The ownership of `jellyfin`'s own directories in the `rootfs` is set to nobody:nogroup, so that the jellyfin service itself does not start.
In the following I document the status before and after the change to the best of my knowledge.
The question is: what can be done to ensure that **all** ownerships, both of the mounted directories and of those in the rootfs, are correct?
I would be very thankful for any hints and pointers.
Norbert
Data on the host
Code:
root@grossglockner:/etc/pve/lxc# ls -al /srv/
total 8
drwxr-xr-x 10 root root 4096 Oct 7 2022 .
drwxr-xr-x 21 root root 4096 Mar 26 2024 ..
drwsrwsr-x 1 sharemedia sharemedia 58 Jan 21 2022 assets
drwsrwsr-x 1 sharemedia sharemedia 256 Mar 17 2022 audio
drwsrwsr-x 1 sharemedia sharemedia 100 Jul 21 2022 music_export
drwsrwsr-x 1 sharemedia sharemedia 36 Jan 13 2022 photo
drwsrwsr-x 1 sharemedia sharemedia 26 Nov 8 2021 recordings
drwxrwxr-x 1 10001 10001 50 Mar 27 17:39 technical
drwsrwsr-x 1 sharemedia sharemedia 278 Nov 24 2023 text
drwsrwsr-x 1 sharemedia sharemedia 92 Mar 17 2022 video
id sharemedia
uid=10000(sharemedia) gid=10000(sharemedia) groups=10000(sharemedia)
Container without idmap (runs, but cannot write in /mnt)
Code:
arch: amd64
cores: 4
features: nesting=1
hostname: media-server
memory: 12000
mp0: /srv/recordings/,mp=/mnt/recordings
mp1: /srv/audio/,mp=/mnt/audio
mp2: /srv/video/,mp=/mnt/video
mp3: /srv/music_export,mp=/mnt/music_export
net0: xxxx
onboot: 1
ostype: debian
rootfs: local-lvm:vm-233-disk-0,size=12G
swap: 512
unprivileged: 1
The container starts without problems. See log.
Inside the container the jellyfin service starts up:
Code:
Apr 06 11:23:48 media-server systemd[1]: Started jellyfin.service - Jellyfin Media Server.
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Jellyfin version: 10.10.6
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Environment Variables: ["[JELLYFIN_CONFIG_DIR, /etc/jellyfin]", "[JELLYFIN_WEB_OPT, --webdir=/usr/share/jellyfin/web]", "[JELLYFIN_LOG_DIR, /var/log/jellyfin]", "[JELLYFIN_DATA_DIR, /var/lib/jellyfin]", "[JELLYFIN_USER, >
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Arguments: ["/usr/lib/jellyfin/bin/jellyfin.dll", "--webdir=/usr/share/jellyfin/web", "--ffmpeg=/usr/lib/jellyfin-ffmpeg/ffmpeg"]
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Operating system: Debian GNU/Linux 12 (bookworm)
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Architecture: X64
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] 64-Bit Process: True
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] User Interactive: True
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Processor count: 4
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Program data path: /var/lib/jellyfin
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Log directory path: /var/log/jellyfin
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Config directory path: /etc/jellyfin
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Cache path: /var/cache/jellyfin
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Temp directory path: /tmp/jellyfin
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Web resources path: /usr/share/jellyfin/web
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Application directory: /usr/lib/jellyfin/bin/
Apr 06 11:23:48 media-server jellyfin[71]: [11:23:48] [INF] Setting cache path: /var/cache/jellyfin
etc. etc.
The file privileges are not surprising:
Code:
clear
echo /usr/share/jellyfin
ls -al /usr/share/jellyfin | head -n 4
echo /var/lib/jellyfin
ls -al /var/lib/jellyfin | head -n 4
echo /var/log/jellyfin
ls -al /var/log/jellyfin | head -n 4
echo /var/cache/jellyfin
ls -al /var/cache/jellyfin | head -n 4
echo /var/lib/jellyfin/data
ls -al /var/lib/jellyfin/data | head -n 4
echo /var/lib/jellyfin/metadata
ls -al /var/lib/jellyfin/metadata | head -n 4
echo ###
echo /mnt/video
ls -al /mnt/video | head -n 4
gives:
Code:
/usr/share/jellyfin
total 488
drwxr-xr-x 3 root root 4096 Dec 27 2021 .
drwxr-xr-x 98 root root 4096 Mar 14 15:15 ..
drwxr-xr-x 5 root root 487424 Mar 14 11:05 web
/var/lib/jellyfin
total 128
drwxr-x--- 10 jellyfin jellyfin 4096 May 24 2024 .
drwxr-xr-x 25 root root 4096 Mar 14 11:05 ..
drwxr-xr-x 3 jellyfin jellyfin 4096 Dec 27 2021 .aspnet
/var/log/jellyfin
total 15460
drwxr-x--- 2 jellyfin jellyfin 12288 Apr 6 11:23 .
drwxr-xr-x 10 root root 4096 Apr 6 00:00 ..
-rw-r--r-- 1 jellyfin jellyfin 24020 Mar 14 10:47 FFmpeg.DirectStream-2025-03-14_10-47-42_c970d877c1adb0ffa04fcecc72d25d53_f5a196a5.log
/var/cache/jellyfin
total 28
drwxr-x--- 7 jellyfin jellyfin 4096 Mar 24 19:36 .
drwxr-xr-x 13 root root 4096 May 13 2024 ..
drwxr-xr-x 3 jellyfin jellyfin 4096 Mar 24 19:36 channels
/var/lib/jellyfin/data
total 38732
drwxr-xr-x 5 jellyfin jellyfin 4096 Apr 6 11:28 .
drwxr-x--- 10 jellyfin jellyfin 4096 May 24 2024 ..
drwxr-xr-x 2 jellyfin jellyfin 4096 Mar 15 07:37 ScheduledTasks
/var/lib/jellyfin/metadata
total 96
drwxr-xr-x 8 jellyfin jellyfin 4096 Jan 5 2022 .
drwxr-x--- 10 jellyfin jellyfin 4096 May 24 2024 ..
drwxr-xr-x 31 jellyfin jellyfin 4096 Dec 28 2022 People
/mnt/video
total 4
drwsrwsr-x 1 nobody nogroup 92 Mar 17 2022 .
drwxr-xr-x 8 root root 4096 Apr 4 17:46 ..
drwsrwsr-x 1 nobody nogroup 24 Jan 15 2022 Doku-Serien
The id of jellyfin is:
Code:
id jellyfin
uid=107(jellyfin) gid=115(jellyfin) groups=115(jellyfin),44(video),105(render)
Of course data on `/mnt/video` and friends is not writable.
View from the host
With the container stopped and its rootfs mounted, this script on the host:
Code:
clear
echo /var/lib/lxc/233/rootfs/usr/share/jellyfin
ls -al /var/lib/lxc/233/rootfs/usr/share/jellyfin | head -n 4
echo /var/lib/lxc/233/rootfs/var/lib/jellyfin
ls -al /var/lib/lxc/233/rootfs/var/lib/jellyfin | head -n 4
echo /var/lib/lxc/233/rootfs/var/log/jellyfin
ls -al /var/lib/lxc/233/rootfs/var/log/jellyfin | head -n 4
echo /var/lib/lxc/233/rootfs/var/cache/jellyfin
ls -al /var/lib/lxc/233/rootfs/var/cache/jellyfin | head -n 4
echo /var/lib/lxc/233/rootfs/var/lib/jellyfin/data
ls -al /var/lib/lxc/233/rootfs/var/lib/jellyfin/data | head -n 4
echo /var/lib/lxc/233/rootfs/var/lib/jellyfin/metadata
ls -al /var/lib/lxc/233/rootfs/var/lib/jellyfin/metadata | head -n 4
gives:
Code:
/var/lib/lxc/233/rootfs/usr/share/jellyfin
total 488
drwxr-xr-x 3 100000 100000 4096 Dec 27 2021 .
drwxr-xr-x 98 100000 100000 4096 Mar 14 16:15 ..
drwxr-xr-x 5 100000 100000 487424 Mar 14 12:05 web
/var/lib/lxc/233/rootfs/var/lib/jellyfin
total 128
drwxr-x--- 10 100107 100115 4096 May 24 2024 .
drwxr-xr-x 25 100000 100000 4096 Mar 14 12:05 ..
drwxr-xr-x 3 100107 100115 4096 Dec 27 2021 .aspnet
/var/lib/lxc/233/rootfs/var/log/jellyfin
total 15460
drwxr-x--- 2 100107 100115 12288 Apr 6 13:23 .
drwxr-xr-x 10 100000 100000 4096 Apr 6 02:00 ..
-rw-r--r-- 1 100107 100115 24020 Mar 14 11:47 FFmpeg.DirectStream-2025-03-14_10-47-42_c970d877c1adb0ffa04fcecc72d25d53_f5a196a5.log
/var/lib/lxc/233/rootfs/var/cache/jellyfin
total 28
drwxr-x--- 7 100107 100115 4096 Mar 24 20:36 .
drwxr-xr-x 13 100000 100000 4096 May 13 2024 ..
drwxr-xr-x 3 100107 100115 4096 Mar 24 20:36 channels
/var/lib/lxc/233/rootfs/var/lib/jellyfin/data
total 38732
drwxr-xr-x 5 100107 100115 4096 Apr 6 13:28 .
drwxr-x--- 10 100107 100115 4096 May 24 2024 ..
-rw-r--r-- 1 100107 100115 28672 Sep 5 2022 authentication.db.old
/var/lib/lxc/233/rootfs/var/lib/jellyfin/metadata
total 96
drwxr-xr-x 8 100107 100115 4096 Jan 5 2022 .
drwxr-x--- 10 100107 100115 4096 May 24 2024 ..
drwxr-xr-x 1701 100107 100115 65536 Sep 10 2022 artists
Configuration of idmap to make /mnt writable in container
My aim is to do the following user mappings between host and container:
Code:
        Host                  Container
-------------------------------------------------------
user:   sharemedia(10000)  -  jellyfin(107)
grp:    sharemedia(10000)  -  jellyfin(115)
Preparation on the host:
Code:
cat /etc/subuid
root:100000:65536
root:10000:1
cat /etc/subgid
root:100000:65536
root:10000:1
So it should be possible to map uid and gid 10000.
The changed configuration of the container
Code:
arch: amd64
cores: 4
features: nesting=1
hostname: media-server
memory: 12000
mp0: /srv/recordings/,mp=/mnt/recordings
mp1: /srv/audio/,mp=/mnt/audio
mp2: /srv/video/,mp=/mnt/video
mp3: /srv/music_export,mp=/mnt/music_export
net0: xxxx
onboot: 1
ostype: debian
rootfs: local-lvm:vm-233-disk-0,size=12G
swap: 512
unprivileged: 1
lxc.idmap: u 0 100000 107
lxc.idmap: u 107 10000 1
lxc.idmap: u 108 100108 65427
lxc.idmap: g 0 100000 115
lxc.idmap: g 115 10000 1
lxc.idmap: g 116 100116 65419
Results: The container starts, but jellyfin balks
And indeed the container itself starts without a problem. See attached log.
But jellyfin.service fails because some directory ownerships in the rootfs are wrong:
Code:
erver systemd[1]: Started jellyfin.service - Jellyfin Media Server.
Apr 06 12:09:48 media-server (jellyfin)[71]: jellyfin.service: Changing to the requested working directory failed: Permission denied
Apr 06 12:09:48 media-server (jellyfin)[71]: jellyfin.service: Failed at step CHDIR spawning /usr/bin/jellyfin: Permission denied
Apr 06 12:09:48 media-server systemd[1]: jellyfin.service: Main process exited, code=exited, status=200/CHDIR
Apr 06 12:09:48 media-server systemd[1]: jellyfin.service: Failed with result 'exit-code'.
Apr 06 12:09:49 media-server systemd[1]: jellyfin.service: Scheduled restart job, restart counter is at 1.
Apr 06 12:09:49 media-server systemd[1]: Stopped jellyfin.service - Jellyfin Media Server.
Apr 06 12:09:49 media-server systemd[1]: Started jellyfin.service - Jellyfin Media Server.
etc. etc.
Apr 06 12:09:50 media-server systemd[1]: jellyfin.service: Scheduled restart job, restart counter is at 5.
Apr 06 12:09:50 media-server systemd[1]: Stopped jellyfin.service - Jellyfin Media Server.
Apr 06 12:09:50 media-server systemd[1]: jellyfin.service: Start request repeated too quickly.
Apr 06 12:09:50 media-server systemd[1]: jellyfin.service: Failed with result 'exit-code'.
Apr 06 12:09:50 media-server systemd[1]: Failed to start jellyfin.service - Jellyfin Media Server.
The ownership of `jellyfin`'s directories in the rootfs of the container is indeed wrong.
The script from above (with some amendments):
Code:
clear
echo /usr/share/jellyfin
ls -al /usr/share/jellyfin | head -n 4
echo /var/lib/jellyfin
ls -al /var/lib/jellyfin | head -n 4
ls -al /var/lib | grep jellyfin$
echo /var/log/jellyfin
ls -al /var/log/jellyfin | head -n 4
ls -al /var/log | grep jellyfin$
echo /var/cache/jellyfin
ls -al /var/cache/jellyfin | head -n 4
ls -al /var/cache | grep jellyfin$
echo /var/lib/jellyfin/data
ls -al /var/lib/jellyfin/data | head -n 4
echo /var/lib/jellyfin/metadata
ls -al /var/lib/jellyfin/metadata | head -n 4
echo ###
echo /mnt/video
ls -al /mnt/video | head -n 4
gives:
Code:
/usr/share/jellyfin
total 488
drwxr-xr-x 3 root root 4096 Dec 27 2021 .
drwxr-xr-x 98 root root 4096 Mar 14 15:15 ..
drwxr-xr-x 5 root root 487424 Mar 14 11:05 web
/var/lib/jellyfin
ls: cannot open directory '/var/lib/jellyfin': Permission denied
drwxr-x--- 10 nobody nogroup 4096 May 24 2024 jellyfin
/var/log/jellyfin
ls: cannot open directory '/var/log/jellyfin': Permission denied
drwxr-x--- 2 nobody nogroup 12288 Apr 6 11:23 jellyfin
/var/cache/jellyfin
ls: cannot open directory '/var/cache/jellyfin': Permission denied
drwxr-x--- 7 nobody nogroup 4096 Mar 24 19:36 jellyfin
/var/lib/jellyfin/data
ls: cannot access '/var/lib/jellyfin/data': Permission denied
/var/lib/jellyfin/metadata
ls: cannot access '/var/lib/jellyfin/metadata': Permission denied
/mnt/video
total 4
drwsrwsr-x 1 jellyfin jellyfin 92 Mar 17 2022 .
drwxr-xr-x 8 root root 4096 Apr 4 17:46 ..
drwsrwsr-x 1 jellyfin jellyfin 24 Jan 15 2022 Doku-Serien
So the `jellyfin` directories in `/var/lib`, `/var/log` and `/var/cache` belong to `nobody:nogroup` now.
And the question is: why is this so and what can I do about it?
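An added example (my own, not part of Norbert's post): a small calculator for the `lxc.idmap` lines quoted above. It translates ids in both directions, shows which host ids have no mapping at all under the new map (the kernel presents those as 65534, i.e. nobody:nogroup), and checks every host range in the map against the `/etc/subuid` / `/etc/subgid` grants; the old map is the Proxmox default of 0 -> 100000 for 65536 ids, and the subid text is a constructed copy of the post's output.

```python
# Added example: id translation for the lxc.idmap entries from the post.
# The idmap text is the post's own; the subid text is a constructed copy.
OLD_IDMAP = "u 0 100000 65536\ng 0 100000 65536\n"   # Proxmox default map
NEW_IDMAP = """
u 0 100000 107
u 107 10000 1
u 108 100108 65427
g 0 100000 115
g 115 10000 1
g 116 100116 65419
"""
SUBID = "root:100000:65536\nroot:10000:1\n"   # constructed, same as the post

def parse_idmap(text):
    """Return (kind, ct_start, host_start, count) tuples, one per lxc.idmap line."""
    out = []
    for line in text.strip().splitlines():
        kind, ct, host, n = line.split()
        out.append((kind, int(ct), int(host), int(n)))
    return out

def ct_to_host(idmap, kind, ct_id):
    """Host id that a container uid ('u') or gid ('g') is written to disk as."""
    for k, ct, host, n in idmap:
        if k == kind and ct <= ct_id < ct + n:
            return host + (ct_id - ct)
    return None

def host_to_ct(idmap, kind, host_id):
    """Container id for a host id; None means unmapped (shown as nobody/nogroup)."""
    for k, ct, host, n in idmap:
        if k == kind and host <= host_id < host + n:
            return ct + (host_id - host)
    return None

def remap_host_id(old, new, kind, host_id):
    """Host id a rootfs file must carry under `new` so the same container id still owns it."""
    ct = host_to_ct(old, kind, host_id)
    return None if ct is None else ct_to_host(new, kind, ct)

def uncovered_ranges(idmap, subid_text, user="root"):
    """Host ranges in idmap that the subuid/subgid file does not grant to `user`."""
    grants = [(int(s), int(n)) for u, s, n in
              (l.split(":") for l in subid_text.strip().splitlines()) if u == user]
    return [(k, host, n) for k, ct, host, n in idmap
            if not any(s <= host and host + n <= s + c for s, c in grants)]
```

Run against the post's maps, `host_to_ct(new, 'u', 100107)` returns `None`, which is why `/var/lib/jellyfin` (owned by 100107:100115 on the host) shows up as nobody:nogroup once the new map is in place, while `remap_host_id(old, new, 'u', 100107)` returns 10000, the host id container uid 107 now maps to.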