Server Version#: 1.21.0.3616
Player Version#: Not applicable for this question
So, I want to run pms in docker, great.
I mount my current library in /data, no problem there.
However, my existing media library has different permissions for each subdirectory (intentional).
drwxr----- 62 mediamovies mediamoviesro 4096 Nov 28 18:58 Movies
drwxr----- 14 mediamusic mediamusicro 4096 Oct 27 2019 Music
drwxr-x--- 64 mediatv mediatvro 4096 Oct 21 20:21 Series
This gives me a bit of a headache.
If I set PLEX_UID/PLEX_GID to the values for mediamovies/mediamovies RO I can of course create a library from that path. But not the others. They show as empty with a permission denied in the logs.
So, I thought I would be clever and add a new system user on the host system, which is a member of the groups, and use that as my plex_uid / gid. But then I am back to not being able to read any data.
Can I make docker/PMS play nice with this setup?
I could of course run PMS as non-docker… but that feels clumsy.
So to summarize, you have media with distinct users/groups and wish to keep them that way. Furthermore you want Plex, running in Docker (though this part isn’t the real issue here) to be able to have read-only access (or maybe read/write) to these different media directories.
It sounds like you are hitting the limits of what can be done with users/groups. Since the media is owned by different users/groups, you must have the user under which plex runs be a member of each group. You can do this by initiating a shell into the plex container, and adding the plex user there to each distinct group. You will likely have to do this by the group ID as the group names do not cross the docker boundary (only the IDs cross that boundary so names can be different inside a docker container and outside for the same ID). While this is possible, it is complicated by the fact that the docker containers are somewhat ephemeral which would mean that if the container is recreated, you’ll likely have to do the group additions all over again. This is simpler outside of docker in the fact that you don’t have to redo this operation since group membership outside of docker will persist.
As a side note, you do have an issue in that your groups on those directories do not have execute permission. You must have execute permission to enter a directory and read permission to see the contents of the directory. Furthermore you will have the fun in that you will want the group membership and permissions to be automatically created on any contents of these directories. This adds another level of complication.
Personally, I used to deal with this mess in a much simpler scenario (I had only one user/group) and I got sick of it. So instead I switched to using ACLs on the file system (since I used ZFS, ACLs were trivial to enable but most filesystems support them via a mount option). I’ve outlined how I did this in my setup here: https://www.cod3r.com/2018/12/using-acls-to-solve-permissions-issues/ Note: ACL setup can be tricky and not for the faint of heart but if you get it set up right, it can require no maintenance.
Hopefully this helps you to find a solution that works for you.
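An added example, not part of either poster's messages: it evaluates the mode bits from the listing in the question for a given UID and group set, showing why one owner's UID/GID unlocks only one directory and why group read without execute is still not enough. The numeric IDs are constructed, and it assumes a non-root process and no ACLs on the filesystem.

```python
# Added illustration: classic POSIX permission check on directories.
# Only one class applies: owner, else group, else other (first match wins).

# Mode strings are from the listing in the question. The numeric IDs are
# constructed, because only IDs (not names) cross the container boundary.
LISTING = {
    "Movies": ("drwxr-----", 2001, 3001),
    "Music":  ("drwxr-----", 2002, 3002),
    "Series": ("drwxr-x---", 2003, 3003),
}

def parse_mode(text):
    """Turn an `ls -l` permission string such as 'drwxr-x---' into mode bits."""
    bits = 0
    for i, ch in enumerate(text[1:10]):
        # lowercase s/t mean "x plus a special bit"; uppercase S/T mean no x
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits

def dir_access(mode_text, owner_uid, owner_gid, uid, gids):
    """Return (can_list, can_enter) for a non-root process."""
    bits = parse_mode(mode_text)
    if uid == owner_uid:
        shift = 6          # owner class
    elif owner_gid in gids:
        shift = 3          # group class (primary or supplementary group)
    else:
        shift = 0          # other class
    cls = (bits >> shift) & 0o7
    return bool(cls & 4), bool(cls & 1)   # r = list names, x = enter/open

def report(uid, gids):
    """Classify every directory in LISTING for the given identity."""
    out = {}
    for name, (mode, o_uid, o_gid) in LISTING.items():
        can_list, can_enter = dir_access(mode, o_uid, o_gid, uid, gids)
        if can_list and can_enter:
            out[name] = "usable"
        elif can_list:
            out[name] = "names-only"   # entries visible, files not openable
        else:
            out[name] = "denied"
    return out

if __name__ == "__main__":
    print("as Movies owner: ", report(2001, {3001}))
    print("member of all 3: ", report(1500, {3001, 3002, 3003}))
```
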
Thank you ever so much for an extremely detailed answer.
I have however realized that I may (ok ok, “will”) be able to clean this all up a bit.
The main reason for the mess is actually Sonos. As I am sure you know, Sonos “legacy” only handles SMB1, and even that it does badly.
So, I had a libvirt instance more or less just acting as a SMB3->SMB1 gateway. Now, call me daft, but I did not realize initially that PMS makes for an excellent storage aggregator for Sonos.
So, that instance is now shut down. And I think I will try to transition to a state where “plex” owns the media tree, and that other processes that may need to access them do so by using the group(s).
So, now in hindsight I feel like I have indirectly wasted your time because yours was a beaooootiful answer.
Reducing it down to a single user does simplify this case significantly. You no longer need to deal with group membership nor have to worry about umask values. I had two users, my own and the plex user, and I ran into a mess that I wanted to solve once and not see again. So I implemented the solution in my blog post above and in the 2 years since, never once had another permissions issue.
Glad you found a better solution in the end as mine is not trivial.