13.1-RELEASE no longer available, jail creation problem

Joined
Nov 19, 2023
Messages
6
Hello,

On a new TrueNAS install (13.0-U5.3) I can't install any plugins (TrueNAS returns the error "Error: 13.1-RELEASE was not found!").

Digging around in the logs, I believe this is because iocage can't fetch 13.1-RELEASE, as it's no longer posted at https://download.freebsd.org/ftp/releases/amd64/.

Also, `iocage fetch` doesn't work either:
```
# iocage fetch
[0] 12.4-RELEASE
[1] 13.2-RELEASE
[2] 14.0-RELEASE

Type the number of the desired RELEASE
Press [Enter] to fetch the default selection: (13.1-RELEASE)
Type EXIT to quit:
```

If I manually fetch 13.2-RELEASE, that doesn't solve the issue.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Plugins are deprecated and poorly maintained. Create a standard 13.2 jail and install the application you wish to use with pkg install. For more complex things like Nextcloud, Plex, MineOS there are scripts provided by users of this forum.
 
Joined
Nov 19, 2023
Messages
6
>Plugins are deprecated and poorly maintained. Create a standard 13.2 jail and install the application you wish to use with pkg install. For more complex things like Nextcloud, Plex, MineOS there are scripts provided by users of this forum.

Wow.

So my first experience with TrueNAS is that one of the tentpole features is broken without a fix forthcoming from the developers, and the community tells me to stay away from it and DIY the feature instead.

If I'm gonna DIY, then why run TrueNAS at all? Honest question.
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Because of rock solid ZFS operation with a (debatably) nice UI? File sharing, VMs and jails? Plugins are just "canned" jails. While they looked like a good idea in the beginning iX never really took responsibility for them, especially about what happens after initial installation. E.g. Nextcloud needs regular updates in a timely fashion, approximately once per month, to stay secure. And a major upgrade including new PHP and database versions at least every two years. These include manual steps and configuration adjustments. Plugins never had any mechanism to take care of that.

Look at the resources in @victort's lists. Jails are great, low overhead, solid. Updates can be done with pkg upgrade unless a major release switch is called for (see Nextcloud above).
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
>So my first experience with TrueNAS is that one of the tentpole features is broken without a fix forthcoming from the developers, and the community tells me to stay away from it and DIY the feature instead.

@Kris Moore, this is why I started this thread:
https://www.truenas.com/community/t...etending-that-core-has-usable-plugins.104355/

Take "plugins" out of your marketing copy. Completely. Everywhere. Now. It's dishonest to pretend that they're a viable feature in CORE.
 
Joined
Oct 22, 2019
Messages
3,641
>I would also add to learn. I've learned a ton that I wouldn't have if it would have been click and go.

This is true, and I agree with it in spirit.

But even as much as I'm able to get my fingers dirty in the command-line, I do prefer (and appreciate) a nice GUI that reduces the number of steps and simplifies things.

I like it both ways. Give me a nice, sleek GUI, but also don't remove the means for me to do it myself. (Even if we did have working "Plugins" in Core, I would still likely resort to creating my own jails. :tongue: Though, this is a deal-breaker for users who prefer a more "NAS-sy" solution.)

Case in point: Look at the OP. I 100% sympathize with this grievance. The Plugins were (and still are?) a selling point on the iX and TrueNAS web pages. I would expect the same level of quality if I was new to TrueNAS. But it's not just the marketing. It's also a full-fledged menu in the GUI. It's not like they "hid" the menu and you have to unlock it with a special button.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
@no-more-usernames-left if you want plugins/no DIY you have to go SCALE (with everything that entails).

On CORE as others wrote there are community-created scripts that simplify the jail creation (basically, working plugins) and allow you to not require a lot of knowledge about FreeBSD and Jails: one of those is for Plex (can't remember if it's made by @victort or @danb35 ).

I believe the community's general consensus to be that with TN you have to get a bit dirty, sooner or later, even with SCALE: the good thing is that there is a ton of resources and expertise about CORE and SCALE, albeit considerably less (given its much shorter life) for the latter, here.

Edited for spelling corrections.
 
Joined
Nov 19, 2023
Messages
6
>Case in point: Look at the OP. I 100% sympathize with this grievance. The Plugins were (and still are?) a selling point on the iX and TrueNAS web pages. I would expect the same level of quality if I was new to TrueNAS.

They sure are:

In fact, the documentation says:
>This feature is generally available in TrueNAS CORE and supported by the TrueNAS Community. iXsystems customers with TrueNAS Enterprise hardware and an iXsystems Support contract can contact Support about accessing these features.

So are they magically making this feature work for those with a support contract but not releasing the fix for the community edition? That's not a good look... but nor is the alternative if they can't make it work for customers with a contract either!

The simplicity of the plugin system was one of the biggest selling points for me, because frankly I wanted to spend the limited number of hours I have in a day doing other things. If I'm going to have to DIY that aspect, then since I don't mind getting my hands dirty I might as well DIY the whole thing (likely FreeBSD or Proxmox). As you correctly point out, I'll also learn more about the fundamentals in the process, which is never a bad thing.

A year ago almost to the day the TrueNAS update server fell over. According to the CT logs, they acquired a Let's Encrypt certificate five full days before that but never bothered switching out the certificate which was being served until almost a full day after it fell over, and even then for a day or so they were serving a valid certificate on the IPv4 address but still serving the expired certificate on the IPv6 address. It was a really bad look for a company wanting people to entrust their precious data to iXsystems' software and appliances, and I have never forgotten it.

Frankly, the myriad warnings to never expose the TrueNAS web interface to the internet didn't help either.

To those who were kind enough to take the time to reply, so long, and thanks for all the fish.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
>So are they magically making this feature work for those with a support contract

It's not magic, it's neural networks. Squishy ones inside people's heads. Some support tech has to set things up.
>Frankly, the myriad warnings to never expose the TrueNAS web interface to the internet didn't help either.

Don't tell me you're exposing pretty much anything to the internet, that's insane. The TrueNAS WebGUI is no different from the vast majority of things not explicitly designed to be hardened.
 
Joined
Nov 19, 2023
Messages
6
>It's not magic, it's neural networks. Squishy ones inside people's heads. Some support tech has to set things up.

So a tentpole feature doesn't work at all, for anyone, and perhaps hasn't for a year now. But I'm supposed to entrust my data to this?

>Don't tell me you're exposing pretty much anything to the internet, that's insane.

Security is my day job, so no. But that warning made me wonder just how shitty the security actually was. Then I found this (source), which was another nail in the coffin, because there goes accountability:
>Only the root user account can log in to the TrueNAS web interface.

>The TrueNAS WebGUI is no different from the vast majority of things not explicitly designed to be hardened.

Sorry, but "only root can log in" is a much lower bar than the average internet-facing software. Apparently this is "fixed" in SCALE, but if I can't trust CORE today then I'm not sure I can trust SCALE tomorrow.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
>Sorry, but "only root can log in" is a much lower bar than the average internet-facing software. Apparently this is "fixed" in SCALE, but if I can't trust CORE today then I'm not sure I can trust SCALE tomorrow.

It's a mild annoyance, hardly a security issue. You could argue that it makes investigating what happened after the fact more difficult, but I prefer to focus on keeping things from happening in the first place.
>But that warning made me wonder just how shitty the security actually was.

I'm sure it's about typical, but the average clueless user is one to get bright ideas like forwarding port 80 on their firewall right to their NAS. That's the primary reason the warning is so vocal.
 
Joined
Nov 19, 2023
Messages
6
>I prefer to focus on keeping things from happening in the first place.

I'm surprised to be the one to inform you that's literally the whole point of creating lower-privilege user accounts.

>I'm sure it's about typical, but the average clueless user is one to get bright ideas like forwarding port 80 on their firewall right to their NAS. That's the primary reason the warning is so vocal.

TrueNAS shouldn't even be listening on port 80, tbh. But if the password is strong and 2FA is enabled, that should be sufficient; if not, one wonders about the security hygiene of the product -- which, other than the broken functionality, was exactly the point I was trying to raise.

Telling people "don't expose the web UI of your Nextcloud instance to the internet" will get you funny looks, but that's what's required for TrueNAS? Sus software is sus.

The horse is dead. I'm going to stop beating it now. Thanks again for your time.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
>I'm surprised to be the one to inform you that's literally the whole point of creating lower-privilege user accounts.

Lower privilege is an entirely different matter that I don't recall being really proposed for the GUI. I can see the interest in the abstract, but it's not very appliance-y. How would you see the separation of permissions? In other words, is there a part of the GUI that you feel could be cordoned off and delegated to a "lesser" admin?
>TrueNAS shouldn't even be listening on port 80, tbh

That's not a practical suggestion. By that reasoning, no WebGUIs at all could exist, not for a server, not for a firewall, not for a switch, ... Having a port open inside a LAN is not the same as exposing it to the internet.
>Telling people "don't expose the web UI of your Nextcloud instance to the internet" will get you funny looks, but that's what's required for TrueNAS? Sus software is sus.

Now you're conflating very different things. Nextcloud is one thing, the TrueNAS WebGUI an entirely separate thing. Nextcloud is explicitly designed to be exposed to the internet (wouldn't be super useful otherwise), but it's an app running in its own environment inside an ideally-secure little container (either Linux cgroup spaghetti or a FreeBSD jail).
 
Joined
Nov 19, 2023
Messages
6
>Lower privilege is an entirely different matter that I don't recall being really proposed for the GUI. I can see the interest in the abstract, but it's not very appliance-y. How would you see the separation of permissions? In other words, is there a part of the GUI that you feel could be cordoned off and delegated to a "lesser" admin?

As just one example, junior admins or interns could manage the alerting, backups, updates, plugins (lol), etc while not being able to destroy pools, datasets, or snapshots.

>That's not a practical suggestion. By that reasoning, no WebGUIs at all could exist, not for a server, not for a firewall, not for a switch, ... Having a port open inside a LAN is not the same as exposing it to the internet.

Earlier you said:
>the average clueless user is one to get bright ideas like forwarding port 80 on their firewall right to their NAS

Using HTTPS would secure the connection, ensuring credentials and data are not passed in the clear. Further, all modern browsers attempt an HTTPS connection first by default. Combined with Let's Encrypt, it's set-and-forget.

But, as you've made clear, this is a moot point because the web UI is apparently not fit for purpose: not only must multiple admins share the same god-mode credentials (thus eliminating accountability), you've made quite clear that the web UI cannot be trusted to be secure at all.

>Now you're conflating very different things. Nextcloud is one thing, the TrueNAS WebGUI an entirely separate thing. Nextcloud is explicitly designed to be exposed to the internet (wouldn't be super useful otherwise), but it's an app running in its own environment inside an ideally-secure little container (either Linux cgroup spaghetti or a FreeBSD jail).

You seem to think that an intruder should be kept within the bounds of the container. Rather, users' data is what is to be kept secure from unauthorised disclosure or alteration while yet still being within that container. In other words, Nextcloud is also secure on bare metal or in a VM as the container is not the primary security boundary. In fact, containerised installs are considered less secure than being in a VM as kernel compromise results in loss of containment in a containerisation scenario.
 

Davvo

MVP
Joined
Jul 12, 2022
Messages
3,222
If you want non-root admin users, go with SCALE instead of complaining: CORE won't receive any major updates since iX's focus is to maintain the current experience for their paying customers while polishing SCALE.

If you want to remain on CORE, just cope with it (not that hard). Don't use plug-ins, they are dead (and those who aren't will by the end of 2024): build your own jail instead.

If you don't want to use TrueNAS it's equally fine, it's not for everyone.
 

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
>As just one example, junior admins or interns could manage the alerting, backups, updates, plugins (lol), etc while not being able to destroy pools, datasets, or snapshots.

It's an interesting idea, but I don't know how practical it is. I guess it could be done without too much hassle on the middleware, though that would raise important questions about SSH or other direct console access...
>Using HTTPS would secure the connection, ensuring credentials and data are not passed in the clear.

True, but that's yet another matter. HTTP must remain available so that HTTPS can be configured, at least.
>You seem to think that an intruder should be kept within the bounds of the container. Rather, users' data is what is to be kept secure from unauthorised disclosure or alteration while yet still being within that container. In other words, Nextcloud is also secure on bare metal or in a VM as the container is not the primary security boundary. In fact, containerised installs are considered less secure than being in a VM as kernel compromise results in loss of containment in a containerisation scenario

TrueNAS is not a Nextcloud distro, so dedicating a whole machine is not going to happen. As for intruders, they should obviously be kept out, but additional barriers are good. Container vs. VM is a minor point, relatively speaking, in either case Nextcloud's web server has nothing to do with the TrueNAS GUI web server.
 