Jellyfin in FreeBSD jail

[tthenrie]

Hey, this is the only place I could figure to appropriately ask my questions.

I am trying to install a jellyfin server on my FreeBSD NAS in a jail to stream personally owned content on my home network. I have created a practice installation on my laptop, to check things out before I install to my NAS. The recent pkg installed in the jail and I have jellyfin running in the jail, but cannot seem to log into it to start configuration. I have been searching the Internet for hours and find very little useful information, because it's all way outdated. Could anybody point me in the right direction? I am familiar with FreeBSD, running 13.2-RELEASE on my NAS and laptop (been a casual user since 2007), but I am just knowledgeable enough to be dangerous (thank goodness for good documentation).

 

[SirDice]

I have jellyfin running in the jail, but cannot seem to log into it to start configuration.

How is the jail configured? Specifically, its network configuration.

(Moved it to "Web and Network Services" as Jellyfin seems to be a network service. But I might move it to "Emulation and virtualization" as it appears to be a jail configuration issue)

 

[subnetspider]

I just created a FreeBSD 13.1 VNET Jail and installed the Jellyfin package inside of it.
The only thing I had to do to get it working was add the following to my jail.conf:

  allow.mlock=1;

I took this from the package message ( pkg info --pkg-message jellyfin):

...

If you are running this in a jail please set "allow_mlock=1" or similar
for this jail otherwise the program will fail to start.

dotNET does not work well inside jails that are missing either a) VNET or
b) ip6=inherit. The service file will try workaround any user misconfiguration
but is not perfect.

Before I edited my jail.conf, sockstat would not show any ports used by the jellyfin deamon and accessing IP-of-my-jail:8096 would not work, this may be the problem in your case as well.

 

[tthenrie]

Jail was set up via bsdinstall and pkg. I had also found an old thread on a docker-related github page and got the "allow.mlock=1" in the jellyfin.conf file. As for the network setup, it's just "inherit". I added the raw_sockets so I could ping to ensure I had connectivity. Jail starts just fine and I have connectivity. Just can't get figure out how to start Jellyfin. I was expecting to be able to connect via a browser, so I could configure it.

Another question: I will be installing Jellyfin on my homebuilt NAS running FreeBSD 12.2-RELEASE (zfs). I want the media server in a jail to keep it separate from my computer backups and personal file storage. Should I put my media libraries (photos, videos, movies, music) in the jail? What would be a good trouble-free kind of organization for the server and libraries that would not pose any risk to my personal files and backups?

Here's my /etc/jail.conf.d/jellyfin.conf:

## jellyfin jail config

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.clean;
mount.devfs;
path = /usr/jails/jellyfin;

## jail
jellyfin {
      host.hostname = "jellyfin.media.server";
      interface = "wlan0";
      ip4 = "inherit";
      ip6 = "inherit";
      allow.raw_sockets=1;
      allow.mlock=1;
}

 

[SirDice]

As for the network setup, it's just "inherit".

Skip IPv6 for now, get it working on IPv4 first. Instead of 'inherit' set ip4 to a free IP address in the same range as your wlan0 interface. That will give you a 'fixed' IP address for your browser to connect to.

I was expecting to be able to connect via a browser, so I could configure it.

You often have to connect the browser to a specific port i.e. http://1.2.3.4:9600 Or start something locally, i.e. http://127.0.0.1. Check the documentation, it will be explained there. Connecting to http://127.0.0.1 remotely won't work of course (you'll be connecting to localhost where the browser is running). So you may need to configure Jellyfin to run on a specific address, or 0.0.0.0.

Should I put my media libraries (photos, videos, movies, music) in the jail?

Use nullfs(5) to mount the directory in the jail. You could do this read-only for some added security. Unless Jellyfin wants to write metadata or similar in those media directories.

 

[subnetspider]

Just can't get figure out how to start Jellyfin.

I suppose you've already ran sudo service jellyfin enable and sudo service jellyfin start?

 

[tthenrie]

Skip IPv6 for now, get it working on IPv4 first. Instead of 'inherit' set ip4 to a free IP address in the same range as your wlan0 interface. That will give you a 'fixed' IP address for your browser to connect to.


You often have to connect the browser to a specific port i.e. http://1.2.3.4:9600 Or start something locally, i.e. http://127.0.0.1. Check the documentation, it will be explained there. Connecting to http://127.0.0.1 remotely won't work of course (you'll be connecting to localhost where the browser is running). So you may need to configure Jellyfin to run on a specific address, or 0.0.0.0.


Use nullfs(5) to mount the directory in the jail. You could do this read-only for some added security. Unless Jellyfin wants to write metadata or similar in those media directories.

I reset jellyfin.conf to quote out ipv6...for now.

Already tried setting a static ip for the jellyfin server as well as the local address and loopback, using port 8096. I'm on a laptop with no ethernet, so it's a wlan and that doesn't seem to play well with FreeBSD jails networking (I've done the research), which is why I had it set to "inherit", which accesses the network stack in host system and gives me Internet connection. I tried setting up a NAT, but haven't been able to get it to work....yet. Going to try again, then maybe I can get a static ip for the server.

The way I read your response re the media libraries, tells me you would keep the media libraries on the main box and just mount the directories in the jail via nullfs, correct? That should work for me. Thanks.

subnetspider : Yes. Already done that. The service starts and runs (apparently) as it should, as per my original post. I just can't seem to open the server in a browser, so I can configure it.

 

[tthenrie]

OK. Thanks for the responses. I gave up on the laptop, which was a testbed before installation on the NAS. I installed it on the NAS and was able to open Jellyfin in a browser with no trouble. Must be something to do with the wlan networking that I'll figure out some other time.

Just for info of anybody else who might be searching:

Here is the jellyfin.conf that worked on my FreeBSD 13.2-RELEASE nas:

## /etc/jail.conf.d/jellyfin.config:
## jellyfin jail config

exec.start = "/bin/sh /etc/rc";
exec.stop = "/bin/sh /etc/rc.shutdown jail";
exec.clean;
mount.devfs;
path = "/usr/jails/jellyfin";

## jail
jellyfin {
host.hostname = "jellyfin.media.server";
interface = "em1";
ip4.addr = 192.168.50.201;
allow.raw_sockets = 1;
allow.mlock = 1;
}

I'm sure there will be modifications later, but this got me started.

I installed the jail using the instructions provided in the FreeBSD Handbook:

# bsd-install jail /usr/jails/jellyfin

Options were lib32 and nothing else.

After installing the jail, I started the jail:

# sysrc jail_enable=YES
# sysrc jail_list="jellyfin"

and

# service jail start

(it's the only jail right now)

Then,

# pkg -j jellyfin install jellyfin

which installed the jellyfin package. I also installed the other packages suggested for first-time users in the messages after the install completed.

Then enter the jail:

# jexec jellyfin sh

and start the jellyfin service:

# sysrc jellyfin_enable=YES
# service jellyfin start

Then I was able to point my browser (Firefox) to http://192.168.50.201:8096 and up it came. I should note that I disabled pf before I tried, just to make sure it would work. So, now to go back and make sure my pf rules will allow traffic both ways on it.

Thanks again for the responses. I think we can call this one SOLVED.
P.S. I know there's a way to mark all that as code, but I couldn't get it to work. Like I said above, I am just good enough to be dangerous.

 

[tthenrie]

I know this is resurrecting an old thread, but I have been out of action for awhile and I'm back in the saddle. I started this thread and I need to continue it.
SirDice, I cannot seem to get my jellyfin server to play music. I get the

"Playback Error​

This client isn't compatible with the media and the server isn't sending a compatible media format." error message.

I suspect the server can't find the media data, although it shows the metadata. You mentioned above mounting the media directories as nullfs file systems, but I cannot figure out how to do that. I have done a ton of research, but can't seem to come across what I need.

As shown above, I am running a Jellyfin instance as a Docker container on my FreeBSD NAS (13.2-RELEASE), ZFS. The jail seems to be functioning. With the above configuration, do I mount the media directories (movies and music) to the jail via fstab on the host or in the jail? My jail doesn't even have an /etc/fstab file. I suspect it may be an issue in the way zfs handles things, because I get an error when I make a line in my /etc/fstab on the host like this:

/home/media /usr/jails/jellyfin/media nullfs

 

[jdmcellin]

I’m still quite new to FreeBSD myself but have a setup similar to what you are looking for.

First, have you gotten any media to play? From the error you posted, it’s possible that your browser doesn’t support the codec your audio is encoded in. You can get more information about the error in Jellyfin by going to Administration->Dashboard->Advanced->Logs. You can also check what codecs each browser supports here: https://jellyfin.org/docs/general/clients/codec-support/. You can use transcoding to fix this issue later on but it’s a lot simpler if the media is already in the correct format for starting off.

Once you’re happy that the media format is correct, mounting the dataset to the jail is the next step. If you followed the handbook, then this explained at the end of 17.5.2, although it is easy enough to miss.

For this example, I will use a jail called “jellyfin” and the zfs dataset I want to mount is called “/tank/music”. The jails are installed at the location given in the handbook “/usr/local/jails”.

First, create the file “/usr/local/jails/jellyfin.fstab”. In this file, we will mount the zfs dataset “/tank/music” to “/mymusic” in the jail. This entry will look like:

/tank/music /usr/local/jails/containers/jellyfin/mymusic nullfs ro 0 0

This mount is read only which should be enough for Jellyfin to be able to read the audio files.

After this file is created, edit “/etc/jail.conf” or where you specify your jail configuration and add the following option:

mount.fstab = “/usr/local/jails/jellyfin.fstab”

Restart your jail, use jexec to enter it and hopefully when you run “ls /mymedia”, you should be able to see your files.

You may have permission issues when trying to access the files but I think the steps above are a good starting point before worrying about that whole side of things.

Hope this helps!

 

[tOsYZYny]

tthenrie - I think jdmcellin should have resolved your nullfs issue.

I haven't had any luck with jellyfin in a jail, but my jail.conf is slightly different:

vnet;
allow.mlock=1;
allow.raw_sockets;

My jail has an epair interface assigned to it so it can talk to the base system. When I start jellyfin and run sockstat -ss | grep -i listen, I don't see jellyfin listed there. Additionally, sysctl shows:

sysctl -a | grep mlock

vm.old_mlock: 0
p1003_1b.memlock: 0
p1003_1b.memlock_range: 0
security.bsd.unprivileged_mlock: 1
security.jail.param.allow.mlock: 0

sysctl -a | grep raw_sockets

security.jail.param.allow.raw_sockets: 0
security.jail.allow_raw_sockets: 1

Is this correct?

 

[nxjoseph]

I know this is resurrecting an old thread, but I have been out of action for awhile and I'm back in the saddle. I started this thread and I need to continue it.
SirDice, I cannot seem to get my jellyfin server to play music. I get the

"Playback Error​

This client isn't compatible with the media and the server isn't sending a compatible media format." error message.

I suspect the server can't find the media data, although it shows the metadata. You mentioned above mounting the media directories as nullfs file systems, but I cannot figure out how to do that. I have done a ton of research, but can't seem to come across what I need.

As shown above, I am running a Jellyfin instance as a Docker container on my FreeBSD NAS (13.2-RELEASE), ZFS. The jail seems to be functioning. With the above configuration, do I mount the media directories (movies and music) to the jail via fstab on the host or in the jail? My jail doesn't even have an /etc/fstab file. I suspect it may be an issue in the way zfs handles things, because I get an error when I make a line in my /etc/fstab on the host like this:

/home/media /usr/jails/jellyfin/media nullfs

I couldn't view images and play videos on jellyfin and that was because of folder permissions. I added jellyfin user to the wheel group and they started to work. Make sure users of wheel group has access to folders that you mount.

I also solved the issue about upnp/dlna inside jail does not work. See this comment.

EDIT: Afterwards, playback error happened again and the solution was specifying ffmpeg binary's path. I couldn't set it from jellyfin UI, so I added some lines to the configuration file.

 

[tOsYZYny]

It seems you're asking a bunch of questions and it can be confusing which one is your problem. The best thing is to start with the error, then say what you tried to do ...

That said, after reading your whole post.

If your jellyfin is running in a jail:

/usr/jails/jellyfin

And inside your jail, you would then expect the media to be mounted at /media.

Then, you can simply try mounting nullfs as follows:

mount -t nullfs /home/media /usr/jails/jellyfin/media

Then, from there, you can see if that works or not and then proceed to worry about making the configuration permanent through the jail fstab.