Unable to get ffmpeg to run with reduced privileges (firejail ffmpeg) #2296

New issue

Open

opened 2026-02-22 06:37:08 -05:00 by deekerman · 0 comments

deekerman commented

2026-02-22 06:37:08 -05:00

Owner

Originally created by @fluxie38 on GitHub (Apr 17, 2020).

What happened?
I tried to sandbox ffmpeg with firejail as described in https://docs.joinpeertube.org/#/maintain-configuration, security
Result when connecting to my server : 502 Bad Gateway

Any help will be much appreciated.

What do you expect to happen instead?
No change. I should see my Peertube instance home page.

Steps to reproduce:
I followed the Peertube documentation referred to above. Here are the results/commands :

Create local files & chmod +x :
::::::::::::::
/usr/local/bin/jail_ffmpeg
::::::::::::::
#!/bin/bash
/usr/bin/firejail --writable-var /usr/bin/ffmpeg "$@"
::::::::::::::
/usr/local/bin/jail_ffprobe
::::::::::::::
#!/bin/bash
/usr/bin/firejail --writable-var /usr/bin/ffprobe "$@"
::::::::::::::
$ ll /usr/local/bin/
total 8
-rwxr-xr-x 1 root root 66 Apr 16 16:26 jail_ffmpeg
-rwxr-xr-x 1 root root 67 Apr 16 16:28 jail_ffprobe
Add to environment path :
$ sudo vim /etc/systemd/system/peertube.service
Added the following two lines :
Environment=FFMPEG_PATH=/usr/local/bin/jail_ffmpeg
Environment=FFPROBE_PATH=/usr/local/bin/jail_ffprobe
Reload/restart daemon/peertube
$ systemctl daemon-reload
$ sudo systemctl restart peertube
Note that I did not implement the ln -s to /home/ since I understood from https://github.com/netblue30/firejail/issues/2259#issuecomment-438355805 that it was no longer necessary. In any case when I did I ran into another problem (npm access rights of the _log directory which I couldn't solve even with npm suggested fix - chown ...)

Additional information

PeerTube version : v2.1.1
Browser name/version: Firefox Quantum 61.0.1 32 bit
NodeJS version: v10.20.0
Link to server log if useful (journalctl or /var/www/peertube/storage/logs/):
$ sudo journalctl -feu peertube

Apr 17 15:39:12 pud systemd[1]: peertube.service: Service RestartSec=100ms expired, scheduling restart.
Apr 17 15:39:12 pud systemd[1]: peertube.service: Scheduled restart job, restart counter is at 3.
Apr 17 15:39:12 pud systemd[1]: Stopped PeerTube daemon.
Apr 17 15:39:12 pud systemd[1]: Started PeerTube daemon.
Apr 17 15:39:12 pud peertube[18782]: > peertube@2.1.1 start /var/www/peertube/versions/peertube-v2.1.1
Apr 17 15:39:12 pud peertube[18782]: > node dist/server
Apr 17 15:39:18 pud peertube[18782]: [swigif.biz.st:443] 2020-04-17 15:39:18.703 error: Error in ffmpeg check. {
Apr 17 15:39:18 pud peertube[18782]: "err": {
Apr 17 15:39:18 pud peertube[18782]: "stack": "Error: ffmpeg exited with code 1\n at ChildProcess. (/var/www/peertube/versions/peertube-v2.1.1/node_modules/fluent-ffmpeg/lib/processor.js:182:22)\n at ChildProcess.emit (events.js:198:13)\n at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)",
Apr 17 15:39:18 pud peertube[18782]: "message": "ffmpeg exited with code 1"
Apr 17 15:39:18 pud peertube[18782]: }
Apr 17 15:39:18 pud peertube[18782]: }
Apr 17 15:39:18 pud peertube[18782]: npm ERR! code ELIFECYCLE
Apr 17 15:39:18 pud peertube[18782]: npm ERR! errno 255
Apr 17 15:39:18 pud peertube[18782]: npm ERR! peertube@2.1.1 start: node dist/server
Apr 17 15:39:18 pud peertube[18782]: npm ERR! Exit status 255
Apr 17 15:39:18 pud peertube[18782]: npm ERR!
Apr 17 15:39:18 pud peertube[18782]: npm ERR! Failed at the peertube@2.1.1 start script.
Apr 17 15:39:18 pud peertube[18782]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above.
Apr 17 15:39:18 pud peertube[18782]: npm ERR! A complete log of this run can be found in:
Apr 17 15:39:18 pud peertube[18782]: npm ERR! /var/www/peertube/.npm/_logs/2020-04-17T13_39_18_735Z-debug.log

Originally created by @fluxie38 on GitHub (Apr 17, 2020). **What happened?** I tried to sandbox ffmpeg with firejail as described in https://docs.joinpeertube.org/#/maintain-configuration, security Result when connecting to my server : 502 Bad Gateway Any help will be much appreciated. **What do you expect to happen instead?** No change. I should see my Peertube instance home page. **Steps to reproduce:** I followed the Peertube documentation referred to above. Here are the results/commands : 1) Create local files & chmod +x : :::::::::::::: /usr/local/bin/jail_ffmpeg :::::::::::::: #!/bin/bash /usr/bin/firejail --writable-var /usr/bin/ffmpeg "$@" :::::::::::::: /usr/local/bin/jail_ffprobe :::::::::::::: #!/bin/bash /usr/bin/firejail --writable-var /usr/bin/ffprobe "$@" :::::::::::::: $ ll /usr/local/bin/ total 8 -rwxr-xr-x 1 root root 66 Apr 16 16:26 jail_ffmpeg -rwxr-xr-x 1 root root 67 Apr 16 16:28 jail_ffprobe 2) Add to environment path : $ sudo vim /etc/systemd/system/peertube.service Added the following two lines : Environment=FFMPEG_PATH=/usr/local/bin/jail_ffmpeg Environment=FFPROBE_PATH=/usr/local/bin/jail_ffprobe 3) Reload/restart daemon/peertube $ systemctl daemon-reload $ sudo systemctl restart peertube 4) Note that I did not implement the ln -s to /home/ since I understood from https://github.com/netblue30/firejail/issues/2259#issuecomment-438355805 that it was no longer necessary. In any case when I did I ran into another problem (npm access rights of the _log directory which I couldn't solve even with npm suggested fix - chown ...) **Additional information** * PeerTube version : v2.1.1 * Browser name/version: Firefox Quantum 61.0.1 32 bit * NodeJS version: v10.20.0 * Link to server log if useful (journalctl or /var/www/peertube/storage/logs/): $ sudo journalctl -feu peertube Apr 17 15:39:12 pud systemd[1]: peertube.service: Service RestartSec=100ms expired, scheduling restart. Apr 17 15:39:12 pud systemd[1]: peertube.service: Scheduled restart job, restart counter is at 3. Apr 17 15:39:12 pud systemd[1]: Stopped PeerTube daemon. Apr 17 15:39:12 pud systemd[1]: Started PeerTube daemon. Apr 17 15:39:12 pud peertube[18782]: > peertube@2.1.1 start /var/www/peertube/versions/peertube-v2.1.1 Apr 17 15:39:12 pud peertube[18782]: > node dist/server Apr 17 15:39:18 pud peertube[18782]: [swigif.biz.st:443] 2020-04-17 15:39:18.703 error: Error in ffmpeg check. { Apr 17 15:39:18 pud peertube[18782]: "err": { Apr 17 15:39:18 pud peertube[18782]: "stack": "Error: ffmpeg exited with code 1\n at ChildProcess.<anonymous> (/var/www/peertube/versions/peertube-v2.1.1/node_modules/fluent-ffmpeg/lib/processor.js:182:22)\n at ChildProcess.emit (events.js:198:13)\n at Process.ChildProcess._handle.onexit (internal/child_process.js:248:12)", Apr 17 15:39:18 pud peertube[18782]: "message": "ffmpeg exited with code 1" Apr 17 15:39:18 pud peertube[18782]: } Apr 17 15:39:18 pud peertube[18782]: } Apr 17 15:39:18 pud peertube[18782]: npm ERR! code ELIFECYCLE Apr 17 15:39:18 pud peertube[18782]: npm ERR! errno 255 Apr 17 15:39:18 pud peertube[18782]: npm ERR! peertube@2.1.1 start: `node dist/server` Apr 17 15:39:18 pud peertube[18782]: npm ERR! Exit status 255 Apr 17 15:39:18 pud peertube[18782]: npm ERR! Apr 17 15:39:18 pud peertube[18782]: npm ERR! Failed at the peertube@2.1.1 start script. Apr 17 15:39:18 pud peertube[18782]: npm ERR! This is probably not a problem with npm. There is likely additional logging output above. Apr 17 15:39:18 pud peertube[18782]: npm ERR! A complete log of this run can be found in: Apr 17 15:39:18 pud peertube[18782]: npm ERR! /var/www/peertube/.npm/_logs/2020-04-17T13_39_18_735Z-debug.log