1
0
Fork 0
mirror of https://github.com/immich-app/immich.git synced 2024-12-29 15:11:58 +00:00

docs: admin-only library settings (#7716)

* document admin-only library settings

* renew library guide
This commit is contained in:
Jonathan Jogenfors 2024-03-07 22:27:02 +01:00 committed by GitHub
parent 661409bac7
commit a5a27594b8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
10 changed files with 14 additions and 75 deletions

View file

@ -38,7 +38,7 @@ Note: Either a manual or scheduled library scan must have been performed to iden
In all above scan methods, Immich will check if any files are missing. This can happen if files are deleted, or if they are on a storage location that is currently unavailable, like a network drive that is not mounted, or a USB drive that has been unplugged. In order to prevent accidental deletion of assets, Immich will not immediately delete an asset from the library if the file is missing. Instead, the asset will be internally marked as offline and will still be visible in the main timeline. If the file is moved back to its original location and the library is scanned again, the asset will be restored. In all above scan methods, Immich will check if any files are missing. This can happen if files are deleted, or if they are on a storage location that is currently unavailable, like a network drive that is not mounted, or a USB drive that has been unplugged. In order to prevent accidental deletion of assets, Immich will not immediately delete an asset from the library if the file is missing. Instead, the asset will be internally marked as offline and will still be visible in the main timeline. If the file is moved back to its original location and the library is scanned again, the asset will be restored.
Finally, files can be deleted from Immich via the `Remove Offline Files` job. This job can be found by the three dots menu for the associated external storage that was configured under user account settings > libraries (the same location described at [create external libraries](#create-external-libraries)). When this job is run, any assets marked as offline will then be removed from Immich. Run this job whenever files have been deleted from the file system and you want to remove them from Immich. Finally, files can be deleted from Immich via the `Remove Offline Files` job. This job can be found by the three dots menu for the associated external storage that was configured under Administration > Libraries (the same location described at [create external libraries](#create-external-libraries)). When this job is run, any assets marked as offline will then be removed from Immich. Run this job whenever files have been deleted from the file system and you want to remove them from Immich.
### Import Paths ### Import Paths
@ -50,8 +50,6 @@ If the import paths are edited in a way that an external file is no longer in an
Sometimes, an external library will not scan correctly. This can happen if immich_server or immich_microservices can't access the files. Here are some things to check: Sometimes, an external library will not scan correctly. This can happen if immich_server or immich_microservices can't access the files. Here are some things to check:
- Is the external path set correctly? Each import path must be contained in the external path.
- Make sure the external path does not contain spaces
- In the docker-compose file, are the volumes mounted correctly? - In the docker-compose file, are the volumes mounted correctly?
- Are the volumes identical between the `server` and `microservices` container? - Are the volumes identical between the `server` and `microservices` container?
- Are the import paths set correctly, and do they match the path set in docker-compose file? - Are the import paths set correctly, and do they match the path set in docker-compose file?
@ -61,18 +59,6 @@ Sometimes, an external library will not scan correctly. This can happen if immic
To validate that Immich can reach your external library, start a shell inside the container. Run `docker exec -it immich_microservices /bin/bash` to a bash shell. If your import path is `/data/import/photos`, check it with `ls /data/import/photos`. Do the same check for the `immich_server` container. If you cannot access this directory in both the `microservices` and `server` containers, Immich won't be able to import files. To validate that Immich can reach your external library, start a shell inside the container. Run `docker exec -it immich_microservices /bin/bash` to a bash shell. If your import path is `/data/import/photos`, check it with `ls /data/import/photos`. Do the same check for the `immich_server` container. If you cannot access this directory in both the `microservices` and `server` containers, Immich won't be able to import files.
### Security Considerations
:::caution
Please read and understand this section before setting external paths, as there are important security considerations.
:::
For security purposes, each Immich user is disallowed to add external files by default. This is to prevent devastating [path traversal attacks](https://owasp.org/www-community/attacks/Path_Traversal). An admin can allow individual users to use external path feature via the `external path` setting found in the admin panel. Without the external path restriction, a user can add any image or video file on the Immich host filesystem to be imported into Immich, potentially allowing sensitive data to be accessed. If you are running Immich as root in your Docker setup (which is the default), all external file reads are done with root privileges. This is particularly dangerous if the Immich host is a shared server.
With the `external path` set, a user is restricted to accessing external files to files or directories within that path. The Immich admin should still be careful not set the external path too generously. For example, `user1` wants to read their photos in to `/home/user1`. A lazy admin sets that user's external path to `/home/` since it "gets the job done". However, that user will then be able to read all photos in `/home/user2/private-photos`, too! Please set the external path as specific as possible. If multiple folders must be added, do this using the docker volume mount feature described below.
### Exclusion Patterns ### Exclusion Patterns
By default, all files in the import paths will be added to the library. If there are files that should not be added, exclusion patterns can be used to exclude them. Exclusion patterns are glob patterns are matched against the full file path. If a file matches an exclusion pattern, it will not be added to the library. Exclusion patterns can be added in the Scan Settings page for each library. Under the hood, Immich uses the [glob](https://www.npmjs.com/package/glob) package to match patterns, so please refer to [their documentation](https://github.com/isaacs/node-glob#glob-primer) to see what patterns are supported. By default, all files in the import paths will be added to the library. If there are files that should not be added, exclusion patterns can be used to exclude them. Exclusion patterns are glob patterns are matched against the full file path. If a file matches an exclusion pattern, it will not be added to the library. Exclusion patterns can be added in the Scan Settings page for each library. Under the hood, Immich uses the [glob](https://www.npmjs.com/package/glob) package to match patterns, so please refer to [their documentation](https://github.com/isaacs/node-glob#glob-primer) to see what patterns are supported.
@ -145,27 +131,13 @@ The `ro` flag at the end only gives read-only access to the volumes. While Immic
_Remember to bring the container `docker compose down/up` to register the changes. Make sure you can see the mounted path in the container._ _Remember to bring the container `docker compose down/up` to register the changes. Make sure you can see the mounted path in the container._
::: :::
### Set External Path
Only an admin can do this.
- Navigate to `Administration > Users` page on the web.
- Click on the user edit button.
- Set `/mnt/media` to be the external path. This folder will only contain the three folders that we want to import, so nothing else can be accessed.
:::note
Spaces in the internal path aren't currently supported.
You must import it as:
`..:/mnt/media/my-media:ro`
instead of
`..:/mnt/media/my media:ro`
:::
### Create External Libraries ### Create External Libraries
- Click on your user name in the top right corner -> Account Settings These actions must be performed by the Immich administrator.
- Click on Libraries
- Click on Administration -> Libraries
- Click on Create External Library - Click on Create External Library
- Select which user owns the library, this can not be changed later
- Click the drop-down menu on the newly created library - Click the drop-down menu on the newly created library
- Click on Rename Library and rename it to "Christmas Trip" - Click on Rename Library and rename it to "Christmas Trip"
- Click Edit Import Paths - Click Edit Import Paths
@ -176,7 +148,7 @@ NOTE: We have to use the `/mnt/media/christmas-trip` path and not the `/mnt/nas/
Next, we'll add an exclusion pattern to filter out raw files. Next, we'll add an exclusion pattern to filter out raw files.
- Click the drop-down menu on the newly christmas library - Click the drop-down menu on the newly-created Christmas library
- Click on Manage - Click on Manage
- Click on Scan Settings - Click on Scan Settings
- Click on Add Exclusion Pattern - Click on Add Exclusion Pattern

View file

@ -11,23 +11,11 @@ Edit `docker-compose.yml` to add two new mount points under `volumes:`
``` ```
immich-server: immich-server:
volumes: volumes:
- ${EXTERNAL_PATH}:/usr/src/app/external - /path/to/photos/on/host:/usr/src/app/external
``` ```
Be sure to add exactly the same line to both `immich-server:` and `immich-microservices:`. Be sure to add exactly the same line to both `immich-server:` and `immich-microservices:`.
Edit `.env` to define `EXTERNAL_PATH`, substituting in the correct path for your computer:
```
EXTERNAL_PATH=<your-path-here>
```
On my computer, for example, I use this path:
```
EXTERNAL_PATH=/home/tenino/photos
```
Restart Immich. Restart Immich.
``` ```
@ -35,42 +23,21 @@ docker compose down
docker compose up -d docker compose up -d
``` ```
# Set the External Path # Create the library
In the Immich web UI: In the Immich web UI:
- click the **Administration** link in the upper right corner. - click the **Administration** link in the upper right corner.
<img src={require('./img/administration-link.png').default} width="50%" title="Administration link" /> <img src={require('./img/administration-link.png').default} width="50%" title="Administration link" />
- Select the **Users** tab - Select the **External Libraries** tab
<img src={require('./img/users-tab.png').default} width="50%" title="Users tab" /> <img src={require('./img/external-libraries.png').default} width="50%" title="External Libraries tab" />
- Select the **pencil** next to your user ID - Click the **Create Library** button
<img src={require('./img/pencil.png').default} width="50%" title="Pencil" /> <img src={require('./img/create-external-library.png').default} width="50%" title="Create Library button" />
- Fill in the **External Path** field with `/usr/src/app/external` - In the dialog, select which user should own the new library
<img src={require('./img/external-path.png').default} width="50%" title="External Path field" /> <img src={require('./img/library-owner.png').default} width="50%" title="Library owner diaglog" />
Notice this matches the path _inside the container_ where we mounted your photos.
The purpose of the external path field is for administrators who have multiple users
on their Immich instance. It lets you prevent other authorized users from
navigating to your external library.
# Import the library
In the Immich web UI:
- Click your user avatar in the upper-right corner (circle with your initials)
<img src={require('./img/user-avatar.png').default} width="50%" title="User avatar" />
- Click **Account Settings**
<img src={require('./img/account-settings.png').default} width="50%" title="Account Settings button" />
- Click to expand **Libraries**
<img src={require('./img/libraries-dropdown.png').default} width="50%" title="Libraries dropdown" />
- Click the **Create External Library** button
<img src={require('./img/create-external-library-button.png').default} width="50%" title="Create External Library button" />
- Click the three-dots menu and select **Edit Import Paths** - Click the three-dots menu and select **Edit Import Paths**
<img src={require('./img/edit-import-paths.png').default} width="50%" title="Edit Import Paths menu option" /> <img src={require('./img/edit-import-paths.png').default} width="50%" title="Edit Import Paths menu option" />

Binary file not shown.

Before

Width:  |  Height:  |  Size: 26 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 5.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 3.7 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 5.7 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 12 KiB

Binary file not shown.

After

Width:  |  Height:  |  Size: 14 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 3 KiB

Binary file not shown.

Before

Width:  |  Height:  |  Size: 15 KiB