App Permissions?

mrmorg

Dabbler
Joined
Jun 25, 2022
Messages
14
Hi all,

My dataset is one big SMB share that has the ACL list permissions. Windows clients connect with no problems to the share. But when I want an app (Docker app) to also have access to this data, the mount point is empty when I browse to it in the app... any ideas?

I'm using the hostpath (simple) method
host path of: /mnt/Data/DATASMB
mount point on: /enterprisedata

Then in the app, enterprisedata shows in the paths but no data is visible.

Running TrueNAS SCALE 22.02.01
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
What are permissions on /mnt/Data and /mnt/Data/DATASMB? The relevant process in the app needs execute on /mnt/Data and /mnt/Data/DATASMB and read-related permissions on /mnt/Data/DATASMB. You can run the `id` command for the relevant user in the app to figure out what groups you may need to add to the ACL on DATASMB.
 

mrmorg

Sorry, I'm a bit of a noob when it comes to the Linux command line. What would I need to do in the shell?
 

mrmorg

Also, I only have 1 user on the ACL list, but in the permissions section of the app setup there is nothing about using an account to allow access to the share/data.
 

mrmorg

So what is happening now is the download is sometimes putting the correct permissions on the downloaded files, but other times they are blank. To sort this I have to come into here and reapply the permissions, then the files are accessible by the Plex container and the Windows user.


1657403082287.png
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
I'd also like to hear how others recommend addressing this. Because my solution doesn't feel like necessarily the best or most elegant.

But, in case it helps, this is what I do:
  1. Create a new group called something like "mediaUsers" in TrueNAS > Credentials > Local Groups
  2. Within most (all?) apps, you will find a setting called "fsGroup". Change that to the GID number of the local group you created above.
  3. Update the permissions of all files you want reachable to be part of that group (easiest within shell imo).
  4. Update the ACL to give higher permissions to that group (and apply recursively to intended files). You can do this in Storage > View Permissions > Edit Permissions
  5. And make sure that your user is added to that group (you can do this in settings for that user in TrueNAS gui).
Now, moving forward, you should be able to access those files from all directions.

Side note: It gets a little tricky if you are applying these permissions into a nested folder. At least in my experience. Sometimes, you have to mess with permissions of the folders/shares that are parents of the target folder for things to work.
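
An added example, not part of the original posts: it applies the checks described above (execute on every parent, read on the target, group membership) to ACL text, and shows why a parent folder can block a nested share. It assumes the dataset uses POSIX ACLs and that the text was collected with `getfacl -n`; the function names, the sample ACLs and the use of IDs 568 and 3000 are constructed for illustration.

```python
R, W, X = 4, 2, 1

def parse_getfacl(text):
    """Parse one `getfacl -n` record: numeric owner, group and access entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in (l.strip() for l in text.strip().splitlines()):
        if line.startswith("# owner:"):
            acl["owner"] = int(line.split(":", 1)[1])
        elif line.startswith("# group:"):
            acl["group"] = int(line.split(":", 1)[1])
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split(":")[:3]
            bits = sum(b for c, b in zip(perms[:3], (R, W, X)) if c != "-")
            acl["entries"].append((tag, int(qual) if qual else None, bits))
    return acl

def allowed(acl, uid, gids, want):
    """POSIX ACL check order: owner, named user, matching groups, other."""
    def get(tag, qual=None):
        return next((b for t, q, b in acl["entries"] if t == tag and q == qual), None)
    mask = get("mask")
    mask = 7 if mask is None else mask           # no mask entry: nothing is filtered
    if uid == acl["owner"]:
        return (get("user") & want) == want      # owner entry ignores the mask
    if get("user", uid) is not None:
        return (get("user", uid) & mask & want) == want
    groups = [b for t, q, b in acl["entries"] if t == "group"
              and (q in gids or (q is None and acl["group"] in gids))]
    if groups:                                   # a group matched: "other" is not consulted
        return any((b & mask & want) == want for b in groups)
    return ((get("other") or 0) & want) == want

def first_blocker(chain, uid, gids):
    """chain: [(path, getfacl text)] from parent to target; blocking path or None."""
    for i, (path, text) in enumerate(chain):
        want = (R | X) if i == len(chain) - 1 else X   # traverse parents, read target
        if not allowed(parse_getfacl(text), uid, gids, want):
            return path
    return None

# Constructed `getfacl -n` output; IDs 568 and 3000 are sample values.
PARENT = "# file: mnt/Data\n# owner: 0\n# group: 0\nuser::rwx\ngroup::r-x\nother::---"
PARENT_FIXED = PARENT.replace("other::---", "other::--x")
TARGET = ("# file: mnt/Data/DATASMB\n# owner: 0\n# group: 0\nuser::rwx\n"
          "group::rwx\ngroup:3000:r-x\nmask::r-x\nother::---")

if __name__ == "__main__":
    for parent, gids in ((PARENT, {568}), (PARENT_FIXED, {568}), (PARENT_FIXED, {568, 3000})):
        chain = [("/mnt/Data", parent), ("/mnt/Data/DATASMB", TARGET)]
        print(sorted(gids), "->", first_blocker(chain, 568, gids))
```

The first case stops at the parent even though the share's own ACL is fine, and the last case passes only because the process carries the group named in the ACL and the mask still allows read and execute.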
 

mrmorg

When adding "MediaUsers" to the ACL I get this error: [EINVAL] filesystem_acl.dacl: Named (user or group) POSIX ACL entries require a mask entry to be present in the ACL. [EINVAL] filesystem_acl.dacl: Presence of default [OTHER] entry is required.
 

indivision

Hm. I'm not sure what is going on with that. Is there a reason you need to control the perms with ACL?

When I go to Storage > View Permissions > Edit Permissions it goes to the Unix Permissions Editor. And I change the Group there instead of going further into the ACL section.
 

mrmorg

I have changed the fsGroup to 1000, which is what Plex uses, as that seems to have no issue with permissions. Will run that overnight and see what happens.
 

mrmorg

1000 didn't work, had to put it back to 568. It's weird, some downloads work, some don't. Here is the view from my Windows machine on the file permissions, one on the left downloaded 1st...
1657414746039.png


Not sure why this happens, it's rather annoying.
 

satreddy

Cadet
Joined
May 15, 2023
Messages
1
I'd also like to hear how others recommend addressing this. Because my solution doesn't feel like necessarily the best or most elegant.

But, in case it helps, this is what I do:
  1. Create a new group called something like "mediaUsers" in TrueNAS > Credentials > Local Groups
  2. Within most (all?) apps, you will find a setting called "fsGroup". Change that to the GID number of the local group you created above.
  3. Update the permissions of all files you want reachable to be part of that group (easiest within shell imo).
  4. Update the ACL to give higher permissions to that group (and apply recursively to intended files). You can do this in Storage > View Permissions > Edit Permissions
  5. And make sure that your user is added to that group (you can do this in settings for that user in TrueNAS gui).
Now, moving forward, you should be able to access those files from all directions.

Side note: It gets a little tricky if you are applying these permissions into a nested folder. At least in my experience. Sometimes, you have to mess with permissions of the folders/shares that are parents of the target folder for things to work.
Thanks! Your suggestion worked for me.
I have just replaced the apps group ID 568 with my group ID 3000 and deployed the app.
 