
FN11.3 iocage jails - Plex, Tautulli, Sonarr, Radarr, Lidarr, Jackett, Transmission, Organizr

ChaosBlades

Contributor
Joined
Jul 4, 2015
Messages
137
I have been looking at this for the external config setup but I noticed two things that I have not been doing when setting these up in the past and want to know the reasoning behind.

Is allow raw sockets really necessary? I don't have raw sockets enabled on any of my jails running these applications. It is off by default for security reasons and should not be enabled unless required. Risk is minimal but still. So what is the reasoning behind it being enabled?

Also, why is a symbolic link being created between /usr/local/bin/mono and /usr/bin/mono? I never did this when installing my jails and don't have any issues.
 

1ccs-todd

Dabbler
Joined
Aug 7, 2013
Messages
28
> I have been looking at this for the external config setup but I noticed two things that I have not been doing when setting these up in the past and want to know the reasoning behind.
>
> Is allow raw sockets really necessary? I don't have raw sockets enabled on any of my jails running these applications. It is off by default for security reasons and should not be enabled unless required. Risk is minimal but still. So what is the reasoning behind it being enabled?
>
> Also, why is a symbolic link being created between /usr/local/bin/mono and /usr/bin/mono? I never did this when installing my jails and don't have any issues.

For the most part you are correct that allow_raw_sockets is not required. Some extra features rely on it. Ping, traceroute, and OpenVPN (for transmission) require it. There is nothing wrong with leaving this disabled if you don't want the features it brings to your jail(s).

The symlink for mono is just in case the app that uses mono is not updated to look under /usr/local/bin. I did some testing and this is no longer needed by Lidarr, Sonarr, Radarr, or Jackett. So, that is safe to skip/remove also.
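
An added example, not part of the thread or of the guide's scripts: a shell audit that lists jails with allow_raw_sockets enabled, so each can be checked against the features named above (ping, traceroute, OpenVPN). It assumes `iocage list -h` prints tab-separated rows with the jail name in the second column; the KEEP_RAW allow-list and the function name are hypothetical.

```shell
#!/bin/sh
# Added example: report jails that have allow_raw_sockets=1 but are not on
# an allow-list of jails that need ping, traceroute or OpenVPN.

# Hypothetical allow-list: space-separated jail names that may keep raw sockets.
KEEP_RAW="${KEEP_RAW:-transmission}"

TAB=$(printf '\t')

# Print one jail name per line for every jail that has raw sockets enabled
# and is not listed in KEEP_RAW.
# Assumption: `iocage list -h` emits tab-separated rows, name in column 2.
raw_socket_offenders() {
    iocage list -h | while IFS="$TAB" read -r _jid name _rest; do
        [ -n "$name" ] || continue
        # </dev/null keeps iocage from consuming the jail list on stdin.
        val=$(iocage get allow_raw_sockets "$name" </dev/null) || continue
        [ "$val" = "1" ] || continue
        case " $KEEP_RAW " in
            *" $name "*) ;;                 # explicitly allowed, skip
            *) printf '%s\n' "$name" ;;
        esac
    done
}

# Dry run: print the command that would turn the property back off.
# Nothing is changed until the printed lines are run by hand.
if command -v iocage >/dev/null 2>&1; then
    raw_socket_offenders | while read -r jail; do
        printf 'iocage set allow_raw_sockets=0 %s\n' "$jail"
    done
fi
```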
 

ChaosBlades

> For the most part you are correct that allow_raw_sockets is not required. Some extra features rely on it. Ping, traceroute, and OpenVPN (for transmission) require it. There is nothing wrong with leaving this disabled if you don't want the features it brings to your jail(s).
>
> The symlink for mono is just in case the app that uses mono is not updated to look under /usr/local/bin. I did some testing and this is no longer needed by Lidarr, Sonarr, Radarr, or Jackett. So, that is safe to skip/remove also.

Thanks for the info. I don't need it for Transmission because I use OpenVPN on pfSense. That way I can just route whatever local IP I want through the VPN.
 

Sean Cunningham

Dabbler
Joined
Jul 14, 2015
Messages
30
I'm getting the following error when attempting to create a plex jail:
Code:
root@Alexandria[~]# iocage create -n "plex" -p /tmp/pkg.json -r 11.2-RELEASE ip4_addr="vnet0|192.168.0.101/24" defaultrouter="192.168.0.3" vnet="on" allow_raw_sockets="1" boot="on"
plex successfully created!

Testing SRV response to FreeBSD
pkg.freebsd.org's SRV record could not be verified.

Testing DNSSEC response to FreeBSD
pkg.freebsd.org could not be reached via DNSSEC.

Testing DNS response to FreeBSD
pkg.freebsd.org could not be reached via DNS, check your network


I initially tried creating the jail through the GUI and in both cases, the jail cannot access the internet. It can't be pinged from the host (and the host can ping/browse no problem.) If I create the jail using the active NIC (igb1 in my case) it works just fine - except that as I understand things, Plex doesn't like running in that configuration and needs vnet.
 

1ccs-todd

> I'm getting the following error when attempting to create a plex jail:
> Code:
> root@Alexandria[~]# iocage create -n "plex" -p /tmp/pkg.json -r 11.2-RELEASE ip4_addr="vnet0|192.168.0.101/24" defaultrouter="192.168.0.3" vnet="on" allow_raw_sockets="1" boot="on"
> plex successfully created!
>
> Testing SRV response to FreeBSD
> pkg.freebsd.org's SRV record could not be verified.
>
> Testing DNSSEC response to FreeBSD
> pkg.freebsd.org could not be reached via DNSSEC.
>
> Testing DNS response to FreeBSD
> pkg.freebsd.org could not be reached via DNS, check your network
>
> I initially tried creating the jail through the GUI and in both cases, the jail cannot access the internet. It can't be pinged from the host (and the host can ping/browse no problem.) If I create the jail using the active NIC (igb1 in my case) it works just fine - except that as I understand things, Plex doesn't like running in that configuration and needs vnet.

It appears to be DNS or Route related. Is your router at 192.168.0.3? Typical configurations are x.x.x.1 or x.x.x.254. Nothing wrong with using .3, just need to make sure it is correct for you.
Is /etc/resolv.conf configured correctly in your new plex jail?
What responses does your plex jail get from nslookup; ping to your router; and ping to public ip?
 

Sean Cunningham

Yes, 192.168.0.3 is our firewall/router/gateway. /etc/resolv.conf is:
Code:
# Generated by resolvconf
search local
nameserver 8.8.8.8
nameserver 75.75.75.75

nslookup reports command not found in the jail, but in the host it performs lookups properly.
I can't ping anything from inside the jail - not the router, the host, or anything on the internet. From the host I can ping everything fine (except the jail.)
 

1ccs-todd

My bad, nslookup is part of bind. The built-in tools are 'drill' and 'host'.
Did you try restarting the jail and/or the host?
Do you have other vnet enabled jails on your host? If so, do they operate correctly?
If not, I am thinking you are having a bridge device related issue. I had these myself and had to create some custom settings to get them resolved.
 

Sean Cunningham

Yes, multiple reboots, no luck. If I switch from vnet to either bridge0 or igb1 (the active NIC on that server) things work just fine. What custom settings did you have to do?
 

1ccs-todd

The customized settings were specific to the nic. Your igb device does not need those tweaks.
Do you have other vnet enabled jails on your host? If so, do they operate correctly?
I have seen what you are describing. I just destroyed the jail and recreated it. The new jail worked perfectly. I had to assume some hidden error occurred in the initial jail's creation. I have 7 active vnet based jails... So I knew my vnet/bridge/pNIC interfaces were not the issue.
 

Sean Cunningham

No, this is the only jail I've created on this box - and I've deleted it and recreated it probably 20 times at this point, attempting to do so both from the GUI and from command line, always with the same result.
 

1ccs-todd

> No, this is the only jail I've created on this box - and I've deleted it and recreated it probably 20 times at this point, attempting to do so both from the GUI and from command line, always with the same result.

VNET not functioning is outside the scope of this thread and will not get the attention you need here. Start a new thread, submit a bug report, or ask on IRC. We need much more information to properly assist in diagnosing. I will not continue in hijacking this thread to that end.
 

ChaosBlades

If anyone is trying to move the plex data from a plex plugin to a fresh plex jail from this guide you will want to use the below rsync command to move the files so everything is an exact copy. I tried a few different methods and this was the only one that worked.

rsync -apAX --info=progress2 /mnt/Jail_Storage/iocage/jails/plex-bak/root/Plex\ Media\ Server /mnt/Jail_Storage/configs/plex
and
rsync -apAX --info=progress2 /mnt/Jail_Storage/iocage/jails/plex-bak/root/Plex /mnt/Jail_Storage/configs/plex

Just change the file paths to where yours are. Make sure the old plugin and new jail are both stopped before copying.
 
Joined
Jan 27, 2020
Messages
577
Can somebody point me to a working guide on how to set up openvpn + transmission (or qbittorrent) in FN 11.3?
 

ChaosBlades

> Can somebody point me to a working guide on how to set up openvpn + transmission (or qbittorrent) in FN 11.3?

The guide you just replied to should be working and details exactly what you want. If it isn't working you should post your error and maybe someone can help. I use pfSense for that stuff.
 

1ccs-todd

> Can somebody point me to a working guide on how to set up openvpn + transmission (or qbittorrent) in FN 11.3?

Click "Overview" at the top of this page. Then scroll down to "Transmission with OpenVPN + IPFW Killswitch" and click on the "Show" button.
That is THE guide. If you want an alternative, try my customizable install scripts. HERE
 
Joined
Jan 27, 2020
Messages
577
> Click "Overview" at the top of this page. Then scroll down to "Transmission with OpenVPN + IPFW Killswitch" and click on the "Show" button.
> That is THE guide. If you want an alternative, try my customizable install scripts. HERE

Thanks @1ccs-todd, this looks very promising. I'll look into it after work.
Is this reported to be working on 11.3?
 

1ccs-todd

> Thanks @1ccs-todd, this looks very promising. I'll look into it after work.
> Is this reported to be working on 11.3?

I started the scripts on 11.3 beta. They are fully compatible with 11.2-U7 and 11.3. Earlier versions (11.2-U6, etc.) just need an edit to the variables file for the correct iocage-release version.
 

1ccs-todd

I just received a PM from another member with VNET jail connectivity issues.
There is a VNET bug in 11.3-Release. A fix is implemented in 11.3-U1.

If anyone is having issues with internet connectivity (ping/DNS/etc.) from a jail... That must be resolved before attempting to set up one of these application jails. Internet connectivity is required during the application's installation.
If anyone has issues creating jails from this thread, I suggest you create a simple base-jail without any application setup first. Verify internet ping/dig commands work. Once underlying issues are resolved, then we can attempt application jails, and the guides in this thread should work perfectly.
Hopefully the update to 11.3-U1 resolves this for anyone affected.
 
Joined
Jan 27, 2020
Messages
577
Hey @1ccs-todd, your scripts ran smoothly for me. 1 question though: when installing plex I get

Code:
install: chmod 755 /config/Plex Media Server: Operation not permitted
install: chmod 755 /config/Plex: Operation not permitted


Transmission won't install either via the script or manually

Code:
http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/All/libxml2-2.9.10.txz: Operation timed out
    - transmission failed to install, retry #1
 

1ccs-todd

> Hey @1ccs-todd, your scripts ran smoothly for me. 1 question though: when installing plex I get
>
> Code:
> install: chmod 755 /config/Plex Media Server: Operation not permitted
> install: chmod 755 /config/Plex: Operation not permitted
>
> Transmission won't install either via the script or manually
>
> Code:
> http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly/All/libxml2-2.9.10.txz: Operation timed out
>     - transmission failed to install, retry #1

There are no chmod commands in my plex install script. How/where did you get this error?? I think I know the cause though. Your jail name is "Plex Media Server" but the command does not have quotes to account for spaces in the name. If desired, I can edit the scripts to allow for spaces in jail names. Alternatively you can use a jail name like "Plex", "PlexMS", or "PlexMediaServer".

I successfully grabbed that file from pkg.freebsd.org. Perhaps a temporary issue at the server end? Retry it. If the issue persists, please copy more of the log, so I know if this is occurring during jail creation or during pkg update process.
 