Debian 10 > Docker > Emby + OMV permission help

[rbhenderson 0]

I've been stubbornly struggling with this for the last 2 days and I'm totally stumped... Linux isn't my strong suit but I'm not totally inept either (pfff, at this point who knows)

Host is running Debian 10 with kernel 5.10.0-0.bpo.7-amd64 to get NIC working. Creatively named "fast-000". On Docker 20.10.7

OMV on a separate box with a share via CIFS/SMB, permissions set to guest only. Mounted into main host via fstab using: (is samba the problem? Saw another post that there might be a .net issue?)

//OMV.local/shared_media /OMVshared_media cifs username=emby,password=Password,uid=1002,gid=998,file_mode=0777,dir_mode=0777,_netdev 0 0

Docker compose (inside portainer if that matters) has been through many alterations but comes down to this:

---
version: "2"
services:
  emby:
    image: emby/embyserver
    container_name: emby
    environment:
      - UID=1002
      - GID=998
      - GIDLIST=1001,1000,44,107
      - TZ=America/Chicago
      - UMASK=022 #optional
    volumes:
      - /OMVshared_media/configs/Emby:/config:z
      - /OMVshared_media/TV Shows:/data/tvshows:z
      - /OMVshared_media/Movies:/data/movies:z
    ports:
      - 8096:8096
      - 8920:8920 #optional for secure connections
    devices:
      - /dev/dri:/dev/dri
    restart: unless-stopped

I've verified on the host that the uid (dockeruser) can read/write to the mounted share using the "runuser" command successfully... Though it did give me an error that there is no home directory for that user

So, when I try to run it I get the following in the portainer log viewer:

[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Info Main: Application path: /system/EmbyServer.dll
Info Main: Shutdown complete
Unhandled exception. System.UnauthorizedAccessException: Access to the path '/config/logs/embyserver.txt' is denied.
 ---> System.IO.IOException: Permission denied
   --- End of inner exception stack trace ---
   at System.IO.FileStream.WriteNative(ReadOnlySpan`1 source)
   at System.IO.FileStream.FlushWriteBuffer()
   at System.IO.FileStream.FlushInternalBuffer()
   at System.IO.FileStream.Flush(Boolean flushToDisk)
   at Emby.Server.Implementations.Logging.FileLogger.Dispose()
   at Emby.Server.Implementations.Logging.SimpleLogManager.Dispose()
   at EmbyServer.Program.Main(String[] args)
Aborted

I've also tried running it using a docker volume for configs - works/runs but can't store stuff to the media share, I'm assuming at least, based off this error and the fact that all metadata is in the docker volume not the movie folder like I selected:

2021-08-01 04:34:28.265 Error ProviderManager: UnauthorizedAccessException: Emby Server is being write access to /data/movies/Green Book (2018)/poster.jpg. Please check your file permissions.

Permissions for the folder are wide open:

drwxrwxrwx 2 dockeruser docker 0 Jul 31 23:34 .

 

I'm totally stumped and would appreciate some additional eyes and any help I can get!

Edited August 1, 2021 by rbhenderson
pride

[Q-Droid 634]

You have a few things to unwrap here so let's start with the easier ones.

Using CIFS - yes, .NET Core has been throwing access errors for some on CIFS/SMB shares and recently found that the mount option "nobrl" has helped in some cases.

    volumes:
      - /OMVshared_media/configs/Emby:/config:z

Don't put your Emby config path on the CIFS share. Find/create a local path on the OMV host for the config. 

This part isn't required though life is usually easier if a local user and group emby:emby are created to run the service. A local user with a home directory which can in turn be used for the /config location mimics the package installation of Emby on Linux. You would have to modify the UID/GID for the container and fstab then everything else should fall into place.

If you have plans for other containers to access the same media with read/write permissions then consider using a common group (GID) and changing the UMASK to 002.

 

[rbhenderson 0]

Adding "nobrl" to the fstab fixed the access issues I was having! Thank you!

I'm not sure how to make a local path on my OMV host accessible to Emby running on Fast-000. Can you walk me through that? Or did you just mean keep "config" on whatever the local host is (I would assume either for responsiveness or to avoid issues with network connectivity?)

Changed UMASK to 002, thanks for that. As you probably predicted, this is running with most of the 'arr's and a few other things.

[Q-Droid 634]

41 minutes ago, rbhenderson said:

I'm not sure how to make a local path on my OMV host accessible to Emby running on Fast-000. Can you walk me through that? Or did you just mean keep "config" on whatever the local host is (I would assume either for responsiveness or to avoid issues with network connectivity?)

Basically yes, keep config on local host storage and if SSD then even better. #1 reason is reliability with performance and responsiveness a close #2. The DBs, metadata, metadata cache, generated images and other latency sensitive stuff are kept in /config.

 

[rbhenderson 0]

Makes sense, thanks again for the help!