
Install Heimdall Dashboard in a jail

danb35

FreeNAS Wizard
Joined
Aug 16, 2011
Messages
10,488
danb35 submitted a new resource:

Install Heimdall Dashboard in a jail - Pretty one-page index to your jails and other web apps

Heimdall Dashboard is a nice-looking web application to give an index page for your jails and other web applications. Selected applications support integration with the application's API to show relevant information. It will give you an index page like this:
[Attachment 32302: screenshot of the index page]
Scripted installation instructions are at https://forum.freenas-community.org/t/install-heimdall-dashboard-in-a-jail-script-freenas-11-2/35
 

KrisBee

FreeNAS Guru
Joined
Mar 20, 2017
Messages
897
Many thanks for the script, I wondered if you'd take the heimdall bait... I know nothing about web server config, but I'm always wary of using world writable perms, so is the "chmod -R 777" really necessary?
 

danb35

is the "chmod -R 777" really necessary?
It probably isn't, and a change in ownership would likely be more appropriate. It works in its current state, but could definitely use refinement.
 

KrisBee

I read that caddy added telemetry to versions >= 0.11, is it off in the FreeBSD pkg by default? Not dealt that much with perms, user & ownership in jails. So does refinement start with adding a "www" system user, etc.?
 

danb35

Yes, telemetry is off in the FreeBSD package; it's also off in the version you'd download for the TLS support. A www user is created during installation (I believe it's installation of php that does it), so chown -R www:www /usr/local/www/html would probably be a better way to go than what's currently there.
 

KrisBee

I have a Heimdall jail running using your script, thanks. Only problem seems to be the upload of user images for app icons, e.g. a suitable png for Logitech Media Server. This fails with what looks like a permission problem which I haven't diagnosed.
 

danb35

This fails with what looks like a permission problem which I haven't diagnosed.
It looks like the issue is that permissions are getting set improperly on the icons directory (/usr/local/www/html/storage/app/public/icons). More fundamentally than that, Caddy is running as root (which seems to be necessary in order to bind to ports 80/443), but php-fpm is running as www. I could change that and run php-fpm as root, but that doesn't sound like the greatest idea. Perhaps with a combination of the setgid bit and directory permissions at 775 this could be fixed.

Edit: My last commit seems to have this fixed--I can add apps, upload custom icons, and upload a custom background image.
 
Last edited:
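
The ownership-plus-setgid idea from the post above, as an added example (not the install script's actual commit): it counts what `chmod -R 777` leaves world-writable, then resets a tree to 2775 directories and 664 files. The function names and the temporary demo tree are assumptions made for illustration; on a real jail the target would be the icons directory named above, with `www:www` passed as the owner.

```shell
#!/bin/sh
# Added example; function names and the demo tree are hypothetical.

# Count files and directories under $1 that any local user can write to
# (the state "chmod -R 777" leaves behind).
count_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 | wc -l | tr -d ' '
}

# Count directories under $1 that carry the setgid bit.
count_setgid_dirs() {
    find "$1" -type d -perm -2000 | wc -l | tr -d ' '
}

# Replace world-writable modes with owner/group access only.
#   $1 = directory tree (an upload directory; exec bits on files are dropped)
#   $2 = optional owner:group such as www:www, applied only when run as root
restrict_tree() {
    dir=$1
    owner=${2:-}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$dir" || return 1
    fi
    # Directories become rwxrwsr-x, regular files rw-rw-r--.
    find "$dir" -type d -exec chmod 2775 {} + || return 1
    find "$dir" -type f -exec chmod 664 {} + || return 1
}

# Constructed demo tree standing in for the Heimdall storage directory.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app/public/icons"
    : > "$root/app/public/icons/lms.png"
    chmod -R 777 "$root"
    before=$(count_world_writable "$root")
    restrict_tree "$root"
    after=$(count_world_writable "$root")
    echo "world-writable entries: before=$before after=$after"
    rm -rf "$root"
}
demo
```

With group write in place, both a web server and php-fpm can write uploads only if they share the group that owns the tree; `count_world_writable` can be rerun after any upgrade to confirm nothing has been reset to 777.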

KrisBee

I only got as far as caddy running as "root" and php-fpm running as "www" with the problem, so thanks for the update. Looking at Linux installs, caddy can run as a non-root user and bind to ports 80/443 using setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy. I don't know if that's set by the FreeBSD pkg. If I've understood the FreeBSD init script correctly it looks as if caddy can run as non-root user by simply adding a caddy user:group to /etc/rc.conf. But simply changing html tree owner/group to www:www and adding to rc.conf doesn't appear to work, as caddy running as www can't bind to port 80:

Code:
root@heimdall:/var/log # cat caddy.log
Activating privacy features... done.
2019/08/14 08:52:37 [INFO][FileStorage:/.caddy] Started certificate maintenance routine
2019/08/14 08:52:37 Listen: listen tcp :80: bind: permission denied
root@heimdall:/var/log 


Are we stuck with caddy only running as root in FreeBSD?
 

danb35

Is that a viable solution on FreeNAS?
Not sure, but looks like it could be, though it would involve adding a tunable through the web GUI. The only other issue I know of is writing to the Caddy log file, but that could go somewhere other than in /var/log.

Edit: Well, adding the specified values to sysctl.conf in the jail (after adding the loader tunable and rebooting the host system) doesn't seem to be working. It also isn't working when I set those values as sysctl tunables at the host level in the web GUI--still getting "permission denied" on binding to port 80.

garm

FreeNAS Expert
Joined
Aug 19, 2017
Messages
1,178
I set up my existing reverse proxy to serve up Heimdall, if caddy doesn’t switch user from root to another like nginx then maybe use it instead?
 

danb35

Both Apache and nginx start as root to bind to the ports and load the certificate(s), and then drop privileges and run as a non-privileged user; Caddy doesn't have this capability. It isn't so much an issue with respect to certs (as Caddy manages those itself), but the ports can be an issue. Easy enough if it just runs as root (which is the default), not so much otherwise.

Certainly a different webserver could be used--but Caddy's configuration is so much simpler that I'd like to make it work this way.
 