Jellyfin container in podman on Fedora: empty libraries

Hi,

I am trying to run Jellyfin as a media server in my local network. The idea is to run jellyfin in a root-less container using podman.

Here is how I start the container:

podman run \
 --detach \
 --log-level=error \
 --label "io.containers.autoupdate=registry" \
 --name jellyfin \
 --publish 8096:8096/tcp \
 --rm \
 --user $(id -u):$(id -g) \
 --userns keep-id \
 --volume /home/florian/jellyfin/cache:/cache:Z \
 --volume /home/florian/jellyfin/config:/config:Z \
 --mount type=bind,source=/home/florian/Videos,destination=/media/movies,ro=true,relabel=private \
 --mount type=bind,source=/home/florian/Musik,destination=/media/music,ro=true,relabel=private \
 docker.io/jellyfin/jellyfin:latest

The web interface comes up and I can configure stuff but the libraries I create remain empty. When I open a shell in the container I can ls /media and I see the content from the host.

So far, the only error I have noted in the logs is:

[11:45:36] [ERR] [8] Emby.Server.Implementations.IO.LibraryMonitor: Error in Directory watcher for: /
System.UnauthorizedAccessException: Access to the path '/var/cache/ldconfig' is denied.
 ---> System.IO.IOException: Permission denied

Re SELinux: from what I understand, the libraries have the correct context: system_u:object_r:container_file_t:s0:c331,c645

Can someone help me understand the issue and provide ideas for mitigation?

Check if the issue persists in permissive SELinux mode:

sudo setenforce 0

Hi,
I forgot to mention, I have tried permissive already as well as adding a local policy module (see 2177273 – SELinux is preventing .NET ThreadPool from 'watch' accesses on the Verzeichnis /sys.) - didn’t change anything.

Jellyfin seems to have read access to my library, since I can do ls /media/music and ls /media/movies in the container's terminal and I get to see my host library mounted there.

So, here is the fix:

1.) Stopped the container
2.) Deleted cache and config folders on the host
3.) Created new cache and config folders in the same directory
4.) Started container (same flags), need to do the whole setup again … but it works…

This path is owned by a package and is not accessible to an unprivileged user:

> rpm -q -f /var/cache/ldconfig
glibc-2.36-9.fc37.x86_64

> ls -l -d /var/cache/ldconfig
drwx------.  2 root root 4096 Mar 14 15:14 /var/cache/ldconfig

Consider running a privileged container, or somehow elevate the jellyfin privileges.

Here's the command I use to start jellyfin with podman. I hope this works for you.

podman run \
 --detach \
 --label "io.containers.autoupdate=registry" \
 --name myjellyfin \
 --publish 8096:8096/tcp \
 --rm \
 --user $(id -u):$(id -g) \
 --userns keep-id \
 --volume /var/home/umaa/.config/umaa/jellyfin/cache:/cache:Z \
 --volume /var/home/umaa/.config/umaa/jellyfin/config:/config:Z \
 --mount type=bind,source='/run/media/umaa/My Passport/movies',destination=/passport,ro=true \
 --mount type=bind,source='/var/home/umaa/files/torrents',destination=/torrents,ro=true \
 --mount type=bind,source='/var/home/umaa/files/movies',destination=/movies,ro=true \
 docker.io/jellyfin/jellyfin:latest

It turns out that when you set up jellyfin for the first time and accidentally select / as the library folder instead of /media/, it messes up the config. Deleting and recreating the library didn't solve it. I think this is a bug in jellyfin.
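
Added example, not part of any post in this thread: the error quoted in the first post names the directory being watched ("Error in Directory watcher for: /"), so the misconfigured library found at the end of the thread can be spotted from the log without giving the container more privileges. The function name and the sample log are constructed for illustration; only the first sample line comes from the thread.

```shell
#!/bin/sh
# Report directory-watcher roots in a Jellyfin log that lie outside the
# container's media mount destinations. A root such as "/" means a library
# points at the wrong folder, not that the container lacks privileges.
#
# usage: <log on stdin> | watcher_roots_outside_mounts MOUNT_DEST...
# e.g.   podman logs jellyfin 2>&1 | watcher_roots_outside_mounts /media/movies /media/music
watcher_roots_outside_mounts() {
    # Keep only the path that follows the marker text from the thread's log line.
    sed -n 's/^.*Error in Directory watcher for: //p' | sort -u |
    while IFS= read -r root; do
        inside=no
        for dest in "$@"; do
            case "$root" in
                # The mount destination itself, or anything below it.
                "$dest"|"$dest"/*) inside=yes ;;
            esac
        done
        [ "$inside" = yes ] || printf '%s\n' "$root"
    done
}

# Constructed sample log: the first two lines are the error from the thread,
# the remaining lines are made up for this example.
sample_log() {
cat <<'EOF'
[11:45:36] [ERR] [8] Emby.Server.Implementations.IO.LibraryMonitor: Error in Directory watcher for: /
System.UnauthorizedAccessException: Access to the path '/var/cache/ldconfig' is denied.
[11:45:40] [ERR] [8] Emby.Server.Implementations.IO.LibraryMonitor: Error in Directory watcher for: /media/music/incoming
[11:46:02] [INF] [12] constructed informational line without a watcher error
EOF
}

# With the mounts from the first post, only "/" is reported.
sample_log | watcher_roots_outside_mounts /media/movies /media/music
```

Any path it prints is a library root to correct in the Jellyfin library settings (or, as in the thread, by recreating the config folder).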