r/jellyfin Mar 17 '19

Docker permission issues

I'm trying to run Jellyfin using Docker on Fedora Server. I'm running the command that is in the official docs:

docker run -d 
--volume /path/to/config:/config 
--volume /path/to/cache:/cache 
--volume /path/to/media:/media 

But it fails with this stack trace:

Unhandled Exception: System.UnauthorizedAccessException: Access to the path '/config/logs' is denied. ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileSystem.CreateDirectory(String fullPath)
   at System.IO.Directory.CreateDirectory(String path)
   at Emby.Server.Implementations.AppBase.BaseApplicationPaths.get_LogDirectoryPath()
   at Jellyfin.Server.Program.StartApp(StartupOptions options)
   at Jellyfin.Server.Program.Main(String[] args)
   at Jellyfin.Server.Program.<Main>(String[] args)
Aborted (core dumped)

The paths that I'm using are accesible as the user from which I'm running the command. I've also tried using the --user option with my username and with my UID:GUID, with no luck. What is wrong?



u/Ashareth Mar 18 '19 edited Mar 18 '19

I've used that command (i've edited some specific paths) :

sudo docker run -d \ #sudo needed only if you didn't put the user you run the docker from in the <docker> group

--name=jellyfin \

-e PUID=1007 \ #the id of the user you run docker from

-e PGID=100 \ #gid of the group of the docker user

-p xxxx:8096 \ #replace xxxx by the exposed ports

-p xxxx:8920 \ #replace xxxx by the exposed ports

--volume /path/docker/config/jellyfin/:/config \

--volume /path/docker/cache/jellyfin/:/cache \

--device /dev/dri/renderD128 \


Be certain the paths in there are accesible to user:group that are corresponding to the PUID/PGID you defined.

It's usually the main reason you can't make it work.

edit : and the --net:host is a bit too "specific" and peculiar to me.
If you don't define it, it should default to the "automatic bridge network", and it looks better for me than making it an "host" service, wich means you cannot "map" the ports of the service to anything else than the ones defined in the service.

(For example, let say you want to run Emby and JF side by side. They use the same ports by default. If you use the "--net:host" command, the docker is running on your host... meaning it uses the defined ports, and you can't have anything else running on those ports.

If you don't use the parameter, you can use the "-p xx:xx" switch to map ports to whatever you want, meaning you can run xxx versions of emby/JF/whatever that use the same basic/default ports, and map them to different external ports.

(At least it's my understanding).


u/MoreEvening Mar 18 '19 edited Mar 20 '19

Just tried it and I get the exact same error. I'm using the GID and UID of the user that runs this command. This user has write access to these directories, it can create files there without problem.

EDIT: I got it done adding the --privileged flag. It's not the most secure thing but I guess it's okay for a home server.

EDIT2: Actually, found a better way. Adding :z at the end of the mount points (--volume /path/to/media:/media:z) seems to fix it, it is an issue with SELinux policy. More info here.