omv7:docker_in_omv [2024/10/31 13:05] – [2. Plugin Settings] chente | omv7:docker_in_omv [2025/04/20 08:58] (current) – [2. Plugin Settings] chente |
Done. We now have a user //jellyfin// with a primary group //jellyfin// that we can assign to the jellyfin container and we can guarantee that it will only have access to the folders we give it permission to. The //jellyfin// user will not be able to access any other folder on the system since it does not belong to the //users// group. Additionally, the persistent data in the jellyfin container will belong to the //jellyfin// user and the //jellyfin// group, so no other container will be able to access those files either. If we want another user to have access to that persistent data we just have to include it in the //jellyfin// group. Now we have that container perfectly isolated. | Done. We now have a user //jellyfin// with a primary group //jellyfin// that we can assign to the jellyfin container and we can guarantee that it will only have access to the folders we give it permission to. The //jellyfin// user will not be able to access any other folder on the system since it does not belong to the //users// group. Additionally, the persistent data in the jellyfin container will belong to the //jellyfin// user and the //jellyfin// group, so no other container will be able to access those files either. If we want another user to have access to that persistent data we just have to include it in the //jellyfin// group. Now we have that container perfectly isolated. |
| |
**In this document we will use a single user called //appuser// and created in the GUI for simplicity, this is enough for many users. Consider your use case and whether or not you need to go further.** | **In this document we will use a single user called //appuser// and created in the GUI, this is more than enough for 99% of users. Consider your use case and whether or not you need to go further. If you do, act accordingly throughout the entire process.** |
| |
---- | ---- |
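Review bot: the rewritten appuser note now says a single GUI user is "more than enough for 99% of users", a figure the page cannot back up; the previous wording "this is enough for many users" was accurate, so consider "enough for most users" and keep the useful new sentence "If you do, act accordingly throughout the entire process." While here, the unchanged closing sentence of the paragraph above, "Now we have that container perfectly isolated", overstates what a dedicated user and primary group achieve: they restrict the container's filesystem access to the folders that user owns or is granted and nothing else (network, devices and the kernel are untouched), so "its filesystem access is now isolated" would be the precise claim.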
The first step is to define some folders where the different data is stored. To do this, we go to the SERVICES > COMPOSE > SETTINGS tab. | The first step is to define some folders where the different data is stored. To do this, we go to the SERVICES > COMPOSE > SETTINGS tab. |
There are many possible configurations on a NAS. First we will see a simple configuration and then we will see a somewhat more advanced configuration. | There are many possible configurations on a NAS. First we will see a simple configuration and then we will see a somewhat more advanced configuration. |
| |
| ---- |
| |
== 2.1 SIMPLE OMV NAS SYSTEM == | == 2.1 SIMPLE OMV NAS SYSTEM == |
| |
Create those shared folders in the OMV GUI and follow the explanations in point 2.3. Just keep in mind that all paths in this case will be in the same mount folder of type ''/srv/disk-by-uuid-.../docker'' or ''/srv/disk-by-uuid-.../backup_compose'' since there is only one unit. | Create those shared folders in the OMV GUI and follow the explanations in point 2.3. Just keep in mind that all paths in this case will be in the same mount folder of type ''/srv/disk-by-uuid-.../docker'' or ''/srv/disk-by-uuid-.../backup_compose'' since there is only one unit. |
| |
| ---- |
| |
== 2.2 ADVANCED OMV NAS SYSTEM == | == 2.2 ADVANCED OMV NAS SYSTEM == |
On the right you can see how the plugin's SETTINGS tab could be configured following this diagram. If your system is simpler or more complicated, adapt it accordingly. A simpler system could be one drive for OMV and another drive for data, in which case just create all the necessary folders on the data drive. | On the right you can see how the plugin's SETTINGS tab could be configured following this diagram. If your system is simpler or more complicated, adapt it accordingly. A simpler system could be one drive for OMV and another drive for data, in which case just create all the necessary folders on the data drive. |
{{ :omv7:dockeromv7-6.png?direct&1400 |Expand image -> Docker folders - Typical NAS}} | {{ :omv7:dockeromv7-6.png?direct&1400 |Expand image -> Docker folders - Typical NAS}} |
| |
| ---- |
| |
== 2.3 CONFIGURATION == | == 2.3 CONFIGURATION == |
Where <b>/srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata</b> is the absolute path to the <i>appdata</i> folder. You can copy it from the OMV GUI in the STORAGE > SHARED FOLDERS tab in the ABSOLUTE PATH column. When you start the container, Docker will create the <i>jellyfin</i> and <i>config</i> subfolders if they do not exist.<br> | Where <b>/srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata</b> is the absolute path to the <i>appdata</i> folder. You can copy it from the OMV GUI in the STORAGE > SHARED FOLDERS tab in the ABSOLUTE PATH column. When you start the container, Docker will create the <i>jellyfin</i> and <i>config</i> subfolders if they do not exist.<br> |
Later you can see this with examples. | Later you can see this with examples. |
| </tr></table></body></html> |
| *...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#FFB663;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  |
| Warning |
| </span></strong></td></tr><tr><td style="background-color:#FFE4A6;height:25px;width:380px;"> |
| Make sure to create subfolders within each appdata folder for each container folder.<br> |
| Don't do this: <b>- /srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata/jellyfin:/config</b><br> |
| If you do this, the persistent data in the config folder will be mixed with the plugin's Docker files, and permissions could change without warning.<br> |
| Do this: <b>- /srv/dev-disk-by-uuid-9d43cda9-20e5-474f-b38b-6b2b6c03211a/appdata/jellyfin/config:/config</b><br> |
| This way, the permissions will remain as created by the container. |
</tr></table></body></html> | </tr></table></body></html> |
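Review bot: the new Warning box and the context line just above it disagree about who creates the mounted folder, and the warning hinges on that: the context says "Docker will create the jellyfin and config subfolders if they do not exist", while the box closes with "the permissions will remain as created by the container". State which one creates the folder and with what owner, because a reader who relies on auto-creation and then runs the container as appuser needs to know whether the resulting folder will be writable by that user or has to be created and chowned first. The sentence "the persistent data in the config folder will be mixed with the plugin's Docker files, and permissions could change without warning" should also name which plugin files live in appdata/jellyfin and what operation changes their permissions; as written the reader has to take the reason on faith. The two example volume lines ("Don't do this" / "Do this") make the point well; consider the page's own '' code markup instead of <b> so the long UUID paths are not reflowed.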
*...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#2C6700;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  Advanced configuration. | *...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#2C6700;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  Advanced configuration. |
</span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;"> | </span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;"> |
If you don't have a fast drive for Docker, you can configure the <i>data</i> and <i>appdata</i> folders in the same shared folder. This will make the CHANGE_TO_COMPOSE_DATA_PATH variable serve to define the path of both. This is how the plugin example files are preconfigured. | If you don't have a fast drive for Docker, you can configure the <i>data</i> and <i>appdata</i> folders in the same shared folder. This will make the CHANGE_TO_COMPOSE_DATA_PATH variable serve to define the path of both. This is how the plugin example files are preconfigured. |
| </tr></table></body></html> |
| * ...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  Beginners Info |
| </span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;"> |
| The internal structure described in the "data" folder is unimportant. In this document, a "standard" structure has simply been described for illustrative purposes, so that the reader has a general idea about what the content of that folder may be. You can distribute within that folder any directory tree that you feel comfortable with. |
</tr></table></body></html> | </tr></table></body></html> |
* CONFIGURE THE DATA FOLDER: | * CONFIGURE THE DATA FOLDER: |
Don't add <i>appuser</i> to the <i>docker</i> group. This is a security hole. | Don't add <i>appuser</i> to the <i>docker</i> group. This is a security hole. |
</tr></table></body></html> | </tr></table></body></html> |
* Edit //appuser// permissions and grant the appropriate permissions on each shared folder. At a minimum //appuser// must have write permissions to the //appdata// folder. Choose the permissions for the rest and make sure to deny anything that the containers do not need to function. | * Edit //appuser//'s permissions and grant the appropriate permissions to each shared folder that the containers should be able to access. Persistent configuration data will generally be stored in //appdata//, so we'll give appuser write permissions to the //appdata// folder. It must also have access to the shared folders defined as volumes in the containers. For example, for Jellyfin, this could be the /media folder where movies are stored. Make sure this user only has access to the necessary folders. |
* ...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  Beginners Info | * ...<html><body><table width="100%" border="0"><tr><td colspan="2" style="background-color:#69A5FF;height:30px;"><strong><span style="color:#FFFFFF;font-size:110%;">  Beginners Info |
</span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;"> | </span></strong></td></tr><tr><td style="background-color:#E6FEFF;height:25px;width:380px;"> |
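Review bot: in the rewritten permissions bullet, "the /media folder where movies are stored" reads as a container path, but the permissions being set are on an OMV shared folder; say which you mean, for example "a shared folder such as media, mounted in the container as /media", so the reader grants access on the host-side folder and not on the mount point. The rewrite also dropped the earlier explicit instruction "make sure to deny anything that the containers do not need to function"; "Make sure this user only has access to the necessary folders" keeps the intent, but an explicit "deny" on every other shared folder is the instruction a beginner will actually follow. Finally, the unchanged line "Don't add appuser to the docker group. This is a security hole." gives no reason; one sentence would make it stick: membership in the docker group grants access to the Docker socket, and anyone who can talk to the socket can start a container that runs as root with the host filesystem mounted, which is root on the NAS and undoes every folder permission set above.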