Jellyfin container's bind mount copying folders but not contents of folders

My docker compose:

services:
  jellyfin:
    container_name: jellyfin
    image: lscr.io/linuxserver/jellyfin:latest
#    user: 1000:1000
    networks:
      - caddy-net # provides access for the reverse proxy
    ports:
      - 8096:8096 #HTTP webUI
      - 8920:8920 #HTTPS webUI
    environment:
      - TZ=America/Los_Angeles
      - JELLYFIN_PublishedServerURL=jfin.jlr.lol #optional. The Server URL to publish in udp Auto Discovery response.
      - PUID=1000
      - PGID=1000
      - UMASK=002
    volumes:
      - ~/server/config/jellyfin:/config
      - ~/server/cache/jellyfin:/cache
      - ~/server/data/jellyfin:/data
      - ~/server/logs/jellyfin:/logs
      - ~/data/media/:/media:ro #naming, etc all handled by *arr apps-
    restart: unless-stopped

  jellyseerr:
    image: fallenbagel/jellyseerr:latest
    container_name: jellyseerr
    networks:
      - caddy-net
    environment:
      - LOG_LEVEL=debug
      - TZ=America/Los_Angeles
      - PUID=1000
      - PGID=1000
      - UMASK=002
    ports:
      - 5055:5055
    volumes:
      - ~/server/config/jellyseerr:/app/config
    restart: unless-stopped

networks:
  caddy-net:
    name: caddy-net
    external: true

This bind mount is copying the folder inside media but not the mkv file inside of the folder inside media. I own the file, and the result of ls -l is “-rw-rw-r-- 1 jr jr”, where jr is my user name. Running id gives me “uid=1000(jr) gid=1000(jr) groups=1000(jr),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),999(docker)”. Can someone help me figure this out?

It is not, it is literally mounting the host folder into a container folder. It is not a copy, it is the very same inode (think of it as the pointer to where the physical information is stored).

If something like ACL, AppArmor or SELinux is running on the host and performs access control for each file access, it is not sufficient to just align the uid and/or the gid of the folder owner with the uid/gid of the jellyfin process.

Synology, for instance, uses a non-standard ACL implementation, which containers are not able to satisfy - it will need anonymous/everyone access for the share/folders in order for a container to access the files. If no ACLs are set, aligning the UID/GID is enough.
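
A host-side check for the two cases the answer above distinguishes, as an added example that is not part of the original thread: it walks the bind-mount source and reports which entries the plain mode bits deny to the container's UID/GID, and which entries carry a POSIX ACL or SELinux label that the mode bits do not account for. The function names are hypothetical; the path and the 1000/1000 IDs are taken from the compose file in the question, and only the two Linux xattrs listed in the code are looked at.

```python
import os

# Linux xattrs that signal access control beyond the mode bits.
EXTRA_XATTRS = ("system.posix_acl_access", "security.selinux")

def mode_allows(st, uid, gids, need):
    """Check `need` (4=r, 2=w, 1=x) the way the kernel picks a class:
    owner first, then group, then other. Root override is not modelled."""
    if st.st_uid == uid:
        bits = (st.st_mode >> 6) & 7
    elif st.st_gid in gids:
        bits = (st.st_mode >> 3) & 7
    else:
        bits = st.st_mode & 7
    return bits & need == need

def extra_controls(path):
    """Return the ACL/SELinux xattrs present on path (empty if unsupported)."""
    try:
        return [n for n in os.listxattr(path) if n in EXTRA_XATTRS]
    except (OSError, AttributeError):
        return []

def audit(root, uid, gids):
    """Walk the host side of a bind mount and report, for the container's
    uid/gids, entries denied by mode bits and entries with extra controls."""
    denied, extra = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        entries = [(dirpath, 5)]  # directories need r+x to list and traverse
        entries += [(os.path.join(dirpath, f), 4) for f in filenames]  # files need r
        for path, need in entries:
            try:
                st = os.stat(path)
            except OSError:
                continue  # e.g. a dangling symlink
            if not mode_allows(st, uid, gids, need):
                denied.append(path)
            if extra_controls(path):
                extra.append(path)
    return {"denied": sorted(denied), "extra": sorted(extra)}

if __name__ == "__main__":
    # PUID/PGID and the host side of /media, as in the compose file above.
    report = audit(os.path.expanduser("~/data/media"), uid=1000, gids={1000})
    for key, paths in report.items():
        print(key, *paths, sep="\n  ")
```

An empty "denied" list together with a non-empty "extra" list is the situation the answer describes: UID/GID are aligned, so the ACL or SELinux policy is the next thing to inspect.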