Understanding the TrueNAS SCALE "hostPathValidation" setting

Tazlord

I consider myself to be pretty well versed in many things tech and in TrueNAS/FreeNAS. However, I am having a hard time grasping this concept. I'm trying to understand what it's "protecting".

For instance, let's say I install the Plex app. It will end up installing itself into the 'ix-applications' dataset in the chosen pool.
Let's say I have another dataset on the root of the pool named 'media'. That dataset contains child datasets that will contain all of the media (movies, music, pictures, etc). Content is added to those datasets via SMB. The 'media' dataset and all of its children all have their own SMB shares (not all media devices need access to the entire 'media' folder).

1. Will Plex have access to the 'media' dataset from where it lives?
2. The 'media' dataset will have permissions in place to only allow read (and traverse) access to Plex or any other streaming app.
3. Does the 'host path validation' configuration setting have anything to do with a setup like this?
I figured it out.
 

LiX47

Perhaps beating a dead horse a bit but I definitely want to chime in on this as it's been a pain point for me as well.

For one, thank you for at least making this a setting, I have promptly turned this check off on my own machine. Like others in this thread, I'm struggling to understand what use case this actually addresses, as there are ample cases where one would want such a configuration, such as having a plex docker image accessing the same folder as a share. In fact, I would argue the whole point of being able to share folders to docker images IS because that folder is going to be shared with something that lives outside of the docker image, and in any such case, there is always a risk of one or more applications performing bad actions, as has always been the case. We as users expect this when we are setting up a share, that's the whole point of a share, to be shared, and I can't help but wonder who was even asking for this.
 

elorimer

I regularly upload media files from a Windows computer to Plex, so I just created a new dataset called transfer, set it as a Samba share, and then created a cron job to move files from that dataset into the media dataset Plex accesses.
 

Aipoc76

For PLEX, all I do is disable my SMB share for Plex via the toggle.

Start PLEX app, once it's deployed, I re-enable the share, and I can upload while the server is running all day :) It even updates metadata for movies on the fly as I upload. It works perfectly.

I do not have any issues with hostPathValidation, UNLESS I try to start PLEX while the SMB share is active. Then PLEX will not start.
 

nemesis1782

> I consider myself to be pretty well versed in many things tech and in TrueNAS/FreeNAS. However, I am having a hard time grasping this concept. I'm trying to understand what it's "protecting".
>
> For instance, let's say I install the Plex app. It will end up installing itself into the 'ix-applications' dataset in the chosen pool.
> Let's say I have another dataset on the root of the pool named 'media'. That dataset contains child datasets that will contain all of the media (movies, music, pictures, etc). Content is added to those datasets via SMB. The 'media' dataset and all of its children all have their own SMB shares (not all media devices need access to the entire 'media' folder).
>
> 1. Will Plex have access to the 'media' dataset from where it lives?
> 2. The 'media' dataset will have permissions in place to only allow read (and traverse) access to Plex or any other streaming app.
> 3. Does the 'host path validation' configuration setting have anything to do with a setup like this?

That is because it adds little. I like that they make you aware of what you're doing, although they should explain the risk.

They're basically trying to solve a problem that is inherent to many systems that would run on Kubernetes, some of which are available as apps by default. Which is multiple systems having read/write access to the same thing.

For a PLEX setup with automated downloads all but required. Of course the video sources would also be made available through the horrid SMB protocol for easy access. At that point someone could delete your data. Either one of the Apps or through SMB.

I like the security feature, actually. I wish it was:
- Implemented better
-> Per dataset
-> It should notify on ANY duplicate access not just SMB/NFS and hostpath
- The information given in the UI needs to be improved
 

nemesis1782

> For PLEX, all I do is disable my SMB share for Plex via the toggle.
>
> Start PLEX app, once it's deployed, I re-enable the share, and I can upload while the server is running all day :) It even updates metadata for movies on the fly as I upload. It works perfectly.
>
> I do not have any issues with hostPathValidation, UNLESS I try to start PLEX while the SMB share is active. Then PLEX will not start.

Wait. But how is that any different from disabling the host check in the first place? This does not remove the issue; it's just a workaround.
 

12f23eddde

Looks like host path validation has been forced on 23.10: the option box has been removed (GitHub PR) and there's no warning dialog or any options in the installation menu (Reddit Post). It sounds like a weird choice to me. Yes, I understand that the path validation feature can be a foolproofing measure for many users, but please note the need of advanced users who are willing to map a single directory rather than dozens into the container (I have 3 arrays under /mnt and dozens of datasets; it's a pain in the a$$ to add all of them to the qBitTorrent container). Please consider introducing options / workarounds or explain the rationales of forcing the validation.

As a temporary workaround, you may use softlinks to bypass the validation:
```
cd /path/to/dataset/subdir
ln -s /path/to/dataset _dataset
```
Map /path/to/dataset/subdir/_dataset -> /dir/in/container
 

HoneyBadger

Administrator
Moderator
iXsystems
> Looks like host path validation has been forced on 23.10

Host path has been "forced off" in that it will only warn you when you first configure the app pool. If you have existing apps, you will be able to configure any folders you like.
 

12f23eddde

Have to note that the current behavior actually STOPS the creation of new apps rather than kindly warning you.
Steps to replicate:
1. Create a new pool (in my case, burner).
2. Click custom app in the Apps top bar.
3. Create a new nginx container, map /mnt/burner -> /burner, keep everything else as default.
4. Modal pops up.

Thanks for your reminder that it is possible to attach the mapping later, but the current behavior is misleading at least.
Hope there could be an 'I accept the risks and continue' toggle or something.
 

danb35

So that's a completely different problem than what's being discussed in this thread. Your problem is exactly what the error message says--you can't mount an entire pool to an app.
 

nemesis1782

> Have to note that the current behavior actually STOPS the creation of new apps rather than kindly warning you.
> Steps to replicate:
> 1. Create a new pool (in my case, burner).
> 2. Click custom app in the Apps top bar.
> 3. Create a new nginx container, map /mnt/burner -> /burner, keep everything else as default.
> 4. Modal pops up.
>
> Thanks for your reminder that it is possible to attach the mapping later, but the current behavior is misleading at least.
> Hope there could be an 'I accept the risks and continue' toggle or something.

In this case the error is clear. You've mounted a root dataset or rather the root of a pool, which TrueNAS does not like. Do not know why this limitation exists, but I'd recommend honouring it nonetheless.

If you create a dataset in the root dataset you'll be golden!
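
Added example (not part of any post in this thread, and not TrueNAS code): a sketch of the kind of overlap check the thread is discussing, which flags app host paths that coincide with a share path or that mount a pool root, and resolves symlinks before comparing. The function names, the sample layout, and the assumption that pools sit directly under the pool root (`/mnt` in the thread) are all constructed for illustration.

```python
import os
import tempfile
from pathlib import Path


def overlaps(a: Path, b: Path) -> bool:
    """True when one path equals or contains the other."""
    return a == b or a in b.parents or b in a.parents


def audit_host_paths(mounts, shares, pool_root=Path("/mnt")):
    """Return (app, host_path, reason) findings for risky host-path mounts.

    mounts: {app_name: [host_path, ...]}, shares: {share_name: path}.
    Paths are resolved first, so a symlink pointing into a shared
    dataset is judged by its real target.
    """
    pool_root = pool_root.resolve()
    real_shares = {name: Path(p).resolve() for name, p in shares.items()}
    findings = []
    for app, paths in mounts.items():
        for raw in paths:
            real = Path(raw).resolve()
            # Assumption: a direct child of pool_root is a pool's root dataset.
            if real.parent == pool_root:
                findings.append((app, str(raw), "pool root mounted"))
            for name, share in real_shares.items():
                if overlaps(real, share):
                    findings.append((app, str(raw), f"overlaps share {name}"))
    return findings


def demo():
    """Build a constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        mnt = Path(tmp) / "mnt"
        media = mnt / "tank" / "media"
        (media / "movies").mkdir(parents=True)
        (mnt / "tank" / "transfer").mkdir()
        (mnt / "burner").mkdir()
        link = media / "movies" / "_dataset"
        os.symlink(media, link)  # symlink back to the shared dataset
        mounts = {"plex": [media / "movies"], "qbit": [link],
                  "nginx": [mnt / "burner"], "mover": [mnt / "tank" / "apps"]}
        shares = {"media": media, "transfer": mnt / "tank" / "transfer"}
        found = audit_host_paths(mounts, shares, pool_root=mnt)
        return [(app, reason) for app, _, reason in found]


if __name__ == "__main__":
    for app, reason in demo():
        print(f"{app}: {reason}")
```

In the constructed layout, the app mounted through the symlink is reported against the `media` share because comparison happens on resolved paths, and the app with an unshared dataset produces no finding.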
 