UID/GID mapping, again...

79corvette

Jun 20, 2023
I know this has been covered before, but I've spent hours reading the documentation and old threads here and on Reddit and I just can't seem to figure it out.

I am trying to get a bind mount directory to work in my Jellyfin LXC. I had it working, but changed something and can't figure out what. Restoring yesterday's backup (when I installed Jellyfin) did not fix the issue, so I am trying to figure out how I had the UID/GID mapping when this worked before.

Before performing any custom mapping in the LXC .conf, Jellyfin starts and allows me to login to the server, but does not display any media. This is the troubleshooting I have managed to do so far:

In LXC shell:
Code:
root@Jellyfin:~# ls -l /mnt/ 
total 42
drwxrwxrw- 32 nobody nogroup 40 Nov 16  2020 Music
drwxrwxrw-  4 nobody nogroup  4 Jul  3 00:07 Stash
drwxrwxrw-  5 nobody nogroup  7 Jul  2 01:52 Videos

In LXC shell:
Code:
root@Jellyfin:~# id jellyfin
uid=110(jellyfin) gid=118(jellyfin) groups=118(jellyfin),44(video),107(render)

It appears the Jellyfin service runs as UID 110 and GID 118, so I assume that is what I need to map so it can read the directory. I append the following to the respective files, attempting to map the Jellyfin UID and GID to User 1005 on the PVE host (this is the owning user/group of the bind mount directory):

/etc/pve/lxc/101.conf
lxc.idmap: u 0 100000 110
lxc.idmap: g 0 100000 118
lxc.idmap: u 110 1005 1
lxc.idmap: g 118 1005 1
lxc.idmap: u 111 100111 65425
lxc.idmap: g 119 100119 65417

/etc/subuid
root:110:1

/etc/subgid
root:118:1

Once this is done, I restart the LXC and log in and see the following:
Code:
root@Jellyfin:~# ls -l /mnt/
total 42
drwxrwxrw- 32 jellyfin jellyfin 40 Nov 16  2020 Music
drwxrwxrw-  4 jellyfin jellyfin  4 Jul  3 00:07 Stash
drwxrwxrw-  5 jellyfin jellyfin  7 Jul  2 01:52 Videos

But now the Jellyfin service will not start, and when I access the web interface it is down with the error "This site can’t be reached 192.168.1.112 refused to connect". This shows up in the logs:
Code:
root@Jellyfin:~# journalctl -u jellyfin -f
Jul 05 03:21:24 Jellyfin systemd[1]: Started Jellyfin Media Server.
Jul 05 03:21:24 Jellyfin systemd[347]: jellyfin.service: Changing to the requested working directory failed: Permission denied
Jul 05 03:21:24 Jellyfin systemd[347]: jellyfin.service: Failed at step CHDIR spawning /usr/bin/jellyfin: Permission denied
Jul 05 03:21:24 Jellyfin systemd[1]: jellyfin.service: Main process exited, code=exited, status=200/CHDIR
Jul 05 03:21:24 Jellyfin systemd[1]: jellyfin.service: Failed with result 'exit-code'.
Jul 05 03:21:24 Jellyfin systemd[1]: jellyfin.service: Scheduled restart job, restart counter is at 5.
Jul 05 03:21:24 Jellyfin systemd[1]: Stopped Jellyfin Media Server.
Jul 05 03:21:24 Jellyfin systemd[1]: jellyfin.service: Start request repeated too quickly.
Jul 05 03:21:24 Jellyfin systemd[1]: jellyfin.service: Failed with result 'exit-code'.
Jul 05 03:21:24 Jellyfin systemd[1]: Failed to start Jellyfin Media Server.

Somehow the LXC has lost access to its own /usr/bin folder:
Code:
root@Jellyfin:~# ls -l /usr/bin/jellyfin
lrwxrwxrwx 1 nobody nogroup 30 Jul  1 09:44 /usr/bin/jellyfin -> /usr/lib/jellyfin/bin/jellyfin

Removing the custom mapping resolves the issue and the server starts properly, but obviously loses access to the bind mount directory. Can anyone see something I am doing wrong?
Also with permissions set to 'drwxrwxrw' for all my media folders, why can't every user in the LXC access them regardless of id mapping?



EDIT: I was able to resolve this, but I don't understand what about my prior approach was incorrect. This was my solution. Recall 1005:1005 is the UID/GID which owns the bind mount directory on the host.

Update /etc/pve/lxc/101.conf to map 1005:1005 instead of what I had before:
Code:
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530


In the LXC:
Create GID 1005:

Code:
root@Jellyfin:~# addgroup --gid 1005 share-data
Adding group `share-data' (GID 1005) ...
Done.

Add user jellyfin to that group:
Code:
root@Jellyfin:~# usermod -a -G share-data jellyfin

Now the Jellyfin server is able to work again and it has r/w permission to all the media files.
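
An added example (not part of the original post) that translates host IDs through the two `lxc.idmap` sets quoted above, showing how files the container's jellyfin user already owned and the 1005:1005 bind mount each appear from inside the container. It assumes the container's existing files were written under the default unprivileged mapping `0 100000 65536`; `parse_idmap`, `host_to_container` and `report` are names chosen for this example.

```python
# Added example: lxc.idmap translation for the two mappings quoted in the post.
FIRST = """\
lxc.idmap: u 0 100000 110
lxc.idmap: g 0 100000 118
lxc.idmap: u 110 1005 1
lxc.idmap: g 118 1005 1
lxc.idmap: u 111 100111 65425
lxc.idmap: g 119 100119 65417
"""
SECOND = """\
lxc.idmap: u 0 100000 1005
lxc.idmap: g 0 100000 1005
lxc.idmap: u 1005 1005 1
lxc.idmap: g 1005 1005 1
lxc.idmap: u 1006 101006 64530
lxc.idmap: g 1006 101006 64530
"""
DEFAULT_BASE = 100000  # assumption: default unprivileged mapping "0 100000 65536"

def parse_idmap(conf, kind):
    """Return [(container_start, host_start, count)] for kind 'u' or 'g'."""
    ranges = []
    for line in conf.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "lxc.idmap":
            k, cstart, hstart, count = value.split()
            if k == kind:
                ranges.append((int(cstart), int(hstart), int(count)))
    return ranges

def host_to_container(ranges, host_id):
    """ID a host-owned file shows inside the container; None means nobody/nogroup."""
    for cstart, hstart, count in ranges:
        if hstart <= host_id < hstart + count:
            return cstart + host_id - hstart
    return None

def report(conf):
    """How pre-existing jellyfin files (110:118) and the 1005:1005 bind mount appear."""
    u, g = parse_idmap(conf, "u"), parse_idmap(conf, "g")
    return {
        "rootfs_uid_110": host_to_container(u, DEFAULT_BASE + 110),
        "rootfs_gid_118": host_to_container(g, DEFAULT_BASE + 118),
        "bind_uid_1005": host_to_container(u, 1005),
        "bind_gid_1005": host_to_container(g, 1005),
    }

if __name__ == "__main__":
    for name, conf in (("first", FIRST), ("second", SECOND)):
        print(name, report(conf))
```

A result of `None` means the host ID has no container-side ID under that mapping, which `ls` displays as `nobody`/`nogroup`.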
 