Docker UMASK Environment Variable


sparkplug188


I would like to specify permissions on the metadata files Emby generates.  It looks like this feature was implemented in November 2016, but is currently not working or has been removed.

 

Docker, Emby Server Version 3.4.1.0

 

____________________________________________

 

https://github.com/MediaBrowser/Emby.Build/issues/53

 

https://emby.media/community/index.php?/topic/9754-docker/?p=574817

In the older docker we had a UMASK parameter that could control the file permissions of metadata files, etc that Emby would create. It looks like that's now gone and all files are being created with 644 permission making it impossible for other users to delete the files.

 

Could we bring back UMASK or have another way to control file permissions?

 

Edited by sparkplug188

mastrmind11

Why can't you set the mask yourself on the parent folder of your media and let it cascade?  Unless you don't want your media files to be touched too, I suppose.

Edited by mastrmind11

sparkplug188

That sounds exactly like what I want to do!  However, I don't know how to do that.  I did some digging, but every source says you cannot set umask per directory.


sparkplug188

Follow up: I did a ton of research and was able to effectively set a mask on a directory by using ACLs.

All in all, it really wasn't too difficult.  However, it did take about 10 hours longer than simply setting UMASK=002 in docker-compose.

 

These are the basic steps I took:

  • Get NFSv4 working.  ACLs do not work well (or at all really) on NFSv3. In FreeNAS there is a checkbox to enable NFSv4 in the services section. Verify you are connected via NFSv4:
    nfsstat -m
  • Most of the folders were showing up as unknown username and an extremely high group ID number.  This will fix that, assuming your NAS's domain is set to local:
    Edit /etc/idmapd.conf and set Domain on server and client to "local":
    [General]
    Domain = local
    [Translation]
    Method = nsswitch
    Change the /etc/default/nfs-common file (on both your server and client): set NEED_IDMAPD=yes
  • Install nfs4-acl-tools 
    sudo apt install nfs4-acl-tools
  • Watch this video and try to pay attention to the examples:
  • Use this reference chart: https://www.osc.edu/book/export/html/4523
  • Edit the ACLs one at a time in a text editor: 
    nfs4_setfacl -e /media/folder
  • Or edit many ACLs once you're confident you know what you're doing: 
    find /media/folder/ -type d -exec nfs4_setfacl -s A:d:OWNER@:RWXdo,A:dg:GROUP@:RWXdo,A:d:EVERYONE@:RX,A:fi:OWNER@:RWdo,A:fig:GROUP@:RWdo,A:fi:EVERYONE@:R {} \;
    
    find /media/folder/ -type f -exec nfs4_setfacl -s A::OWNER@:RWdo,A:g:GROUP@:RWdo,A::EVERYONE@:R {} \;
Edited by sparkplug188
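
An added example (not from the thread or from the Emby image) showing how the process umask yields the 644 files described in the first post, and what 002, the value from the old UMASK=002 setting, gives for new files and directories. The file and directory names are constructed, and GNU `stat` is assumed.

```sh
#!/bin/sh
# Added example: modes of newly created entries under a given umask.
# Names below are constructed for the demo; requires GNU stat (stat -c).

# Print "<file_mode> <dir_mode>" for entries created under umask $1.
# The body runs in a subshell, so the caller's umask is left untouched.
modes_under_umask() (
    tmp=$(mktemp -d) || exit 1
    umask "$1"
    : > "$tmp/metadata.nfo"      # redirection requests mode 0666
    mkdir "$tmp/season01"        # mkdir requests mode 0777
    file_mode=$(stat -c '%a' "$tmp/metadata.nfo")
    dir_mode=$(stat -c '%a' "$tmp/season01")
    rm -rf "$tmp"
    printf '%s %s\n' "$file_mode" "$dir_mode"
)

# Return 0 if the octal mode $1 has the group-write bit (020) set.
group_writable() {
    [ $(( 0$1 & 020 )) -ne 0 ]
}

# Compare the common default (022) with the value from the thread (002).
report() {
    for mask in 022 002; do
        set -- $(modes_under_umask "$mask")
        printf 'umask %s -> file %s, dir %s' "$mask" "$1" "$2"
        # Creating or deleting an entry needs write permission on the
        # directory that contains it, so the directory mode matters too.
        if group_writable "$2"; then
            printf ' (group can add/remove entries in new dirs)\n'
        else
            printf ' (only the owner can add/remove entries in new dirs)\n'
        fi
    done
}

report
```

The umask only clears bits from the mode the creating process requests; it cannot add group write to a file that the process itself creates with a narrower mode.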