Understanding iocage Jail Installation

Status
Not open for further replies.

jmcguire525

Explorer
Joined
Oct 10, 2017
Messages
94
I've been reading FreeNAS and iocage documentation along with a few guides and resources in an attempt to create my jails through the CLI. I have a few questions and just want to make sure I'm understanding the process rather than just blindly following a guide... I'll use Plex as an example here.

I have 2 volumes, a RaidZ2 named "storage" and an SSD named "jails". I created a new user and group that I'll refer to as "user" and "admin". The main storage dataset and jails dataset retain the default permissions, as do the datasets within "jails" (iocage and the jails within are still set to "root" and "wheel"). I have 3 datasets within the main storage dataset named "media", "dvr", and "apps"... all of these have permissions changed to user=user group=admin. The "apps" dataset has datasets within it corresponding to each jail name (plex, sonarr, radarr, etc.) with their permissions changed as well.

I fetched iocage into the main "jails" dataset and let it do its thing and left permissions alone. I set a few tunables to make vnet function properly with bridge0 addm em0, and then began installing plex. Here are my steps with comments of what I understand to be taking place, please correct me if I'm misunderstanding anything as that should help me understand more going forward and creating the rest of my jails.

Code:
echo '{"pkgs":["plexmediaserver-plexpass","ca_root_nss"]}' > /tmp/pkg.json

I assume this just fetches the resources needed for Plex installation

Code:
iocage create -n "plex" -p /tmp/pkg.json -r 11.1-RELEASE ip4_addr="vnet0|<IP>/<MASK>" defaultrouter="<GATEWAY>" vnet="on" allow_raw_sockets="1" boot="on"

Creates a jail named "plex" with a virtual interface at the given ip address and enables the jail to start on boot

Code:
rm /tmp/pkg.json

Removes temporary install files

Code:
iocage fstab -a plex /mnt/storage/apps/plex /config nullfs rw 0 0

Stores the jail configuration in the specified "plex" dataset. Is this the best practice to have it in a dataset within the main RaidZ2 volume or should I have it placed in a new dataset in the SSD "jails" volume?

Code:
iocage fstab -a plex /mnt/storage/media /mnt/media nullfs ro 0 0

Gives the plex jail permission to access my files stored in the "media" dataset by mounting it within the jail. If I want to add Movies to a plex library that are stored in /mnt/storage/media/movies I would do so by going into plex and adding /mnt/media/movies.

Code:
iocage exec plex chown -R plex:plex /config

Lost on this one, I'm changing ownership of the plex jail from user=plex to user=plex??

Code:
iocage exec plex sysrc "plexmediaserver_enable=YES"

Telling iocage to start the plex media server on boot

Code:
iocage exec plex sysrc plexmediaserver_support_path="/config"

Telling iocage to load the Plex configuration that is located at "/mnt/storage/apps/plex" and was previously mounted to the jail at "/config"

Code:
iocage exec plex service plexmediaserver start

Starting plex media server for the first time with the given configuration
 

jmcguire525

Explorer
Joined
Oct 10, 2017
Messages
94
Well I thought everything worked... after install I went to the <ip>:32400/web and named the server and added a test library which worked and was able to play the movie I had in the test folder, but when I try to go back to the web UI using the same IP it pulls up Plex but can't find the server itself. Obviously it's running on the given IP or the web UI wouldn't come up but I have no idea why the server isn't found, doesn't show up as offline or anything, it just isn't listed.

Edit: looks like it may be an issue with Plex security, Chrome reports the connection "is not secure" on the web UI and I had to allow insecure connections on my app to be able to connect to the server and it still shows as indirect. Any tips?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
> Lost on this one, I'm changing ownership of the plex jail from user=plex to user=plex??

Close. The syntax is chmod user:group path. So it's changing ownership of the /config directory (and all its contents--that's what the -R does) to the plex user and plex group.
 

jmcguire525

Explorer
Joined
Oct 10, 2017
Messages
94
> Close. The syntax is chmod user:group path. So it's changing ownership of the /config directory (and all its contents--that's what the -R does) to the plex user and plex group.

So if I wanted Plex to have the ability to delete media files from the /mnt/storage/media dataset I would then...
Code:
iocage exec plex chown -R <user>:<group> /media

where user:group corresponds to the ownership of the original /mnt/storage/media dataset?
 

jmcguire525

Explorer
Joined
Oct 10, 2017
Messages
94
Following along with this resource it mentions creating an "apps dataset that has a dataset under it for each application's configuration files owned by the user that it will run as". The way each jail is set up, the guide sets up a user:group with the name of the app it is running.

Does this mean that I should create a separate user and group for each app before installing the jails? Example: create user:plex group:plex, create apps/plex dataset and change permission to plex:plex, install plex jail.

I'm confused by what user:group the jail setup creates and how they are allowed write access to the main storage/media dataset. For example when I need Sabnzbd to have write access to my media dataset that is owned by "admin:user" how would I go about that?
 

Drew Heath

Explorer
Joined
Mar 7, 2016
Messages
80
chown changes ownership, chmod changes permission. Depending on if you plan to rely on group permissions, at a minimum you have to assign user permissions.

chown -R plex:plex /config

This assigns the plex user and group to the /config directory recursively (-R is for recursive). This means all files, folders, subfolders etc. receive the same change.

chmod -R 770 /config

This changes permissions to read, write and execute rights for the user plex and the group plex recursively. If you only want to provide access to the user, change 770 with 700.
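
An added example, not part of the original posts: this sh script contrasts the `chmod -R 770` shown above with the symbolic mode `u=rwX,g=rwX,o=`, which gives the same owner and group access without marking every data file executable. It runs on a constructed temp tree standing in for /config; the file names in it are made up.

```shell
#!/bin/sh
# Added example: compare two ways of granting owner+group access to a tree.
# Everything happens in constructed temp directories, not in a real jail.

# Build a small constructed tree standing in for /config.
make_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/Library/Logs"
    printf 'prefs\n' > "$root/Library/Preferences.xml"
    printf 'log\n'   > "$root/Library/Logs/server.log"
    chmod 644 "$root/Library/Preferences.xml" "$root/Library/Logs/server.log"
    printf '%s\n' "$root"
}

# Count regular files that carry any execute bit.
count_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        | wc -l | tr -d ' '
}

# Count entries (files or directories) that "other" can access in any way.
count_world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) \
        | wc -l | tr -d ' '
}

# The command from the post: every file and directory becomes rwxrwx---.
apply_numeric() { chmod -R 770 "$1"; }

# Symbolic form: X adds execute only to directories (and to files that
# were already executable), so data files end up 660 and directories 770.
apply_symbolic() { chmod -R u=rwX,g=rwX,o= "$1"; }

demo() {
    a=$(make_tree); b=$(make_tree)
    apply_numeric "$a"; apply_symbolic "$b"
    echo "770:         exec files=$(count_exec_files "$a") world=$(count_world_accessible "$a")"
    echo "u=rwX,g=rwX: exec files=$(count_exec_files "$b") world=$(count_world_accessible "$b")"
    rm -rf "$a" "$b"
}

demo
```

Both forms leave nothing accessible to "other"; only the numeric form turns the two data files into executables.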
 

jmcguire525

Explorer
Joined
Oct 10, 2017
Messages
94
When creating jails, the resource I'm following is using a user:group for each jail with that name (Example: "plex:plex"). Is there any reason I shouldn't use the same uid/gid for every app run in a jail, the same user:admin that has ownership of the "media" dataset?

I also noticed a plex user/group created when manually installing the iocage jail, but they don't show up in the gui under users or groups.

I mostly understand ownership uid/gid and permissions, I'm just confused on how to give each app permission to read/write to my "media" database. If each app is creating its own uid/gid should I go back and change ownership or just add each new uid to the "admin" group?
 

Ty8

Cadet
Joined
Mar 3, 2017
Messages
9
@jmcguire525 I stumbled upon this thread and I'm in the exact same boat as you. Did you happen to get your plex jail up and running? If so, can I ask how you configured your user/group? I am using defaults (root:wheel) on my "media" dataset and I'm a little confused on the user/group permissions within the jail. I read through the permission guide below which was referenced in the IOCage jail setup linked below as well. I'm probably overthinking this but I'm actually more confused after reading the permission guide. Thanks in advance!

Permissions: https://forums.freenas.org/index.ph...plugins-write-permissions-to-your-data.27273/
IOCage Jail Setup: https://forums.freenas.org/index.ph...phones-jackett-ombi-transmission-organizr.58/
 