Docker images can't launch/upgrade with valid host paths

ChickenSalad

Cadet
Joined
Jul 10, 2022
Messages
8
Running TrueNAS-SCALE-22.02.2.1

Somewhere around the July charts update, host path validation was added. This blocks a lot of valid host path mounts, not just for chart apps, but for docker containers created through "Launch Docker Image".

If you have containers with paths created before this, they can no longer be upgraded. If you try to create a new container with Launch Docker Image, you just can't.

I've searched the forum and seen a post with people running into this for the plex app, but there doesn't seem to be any resolution. I've also created a Jira ticket about this and asked for help on the discord, but haven't gotten anything.

Is there a way to bypass this restriction? I feel that as long as the path actually exists, TrueNAS shouldn't be restricting what paths I mount to my docker images.
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
It seems like there must be a missing factor involved.

I have several apps with various mounted paths that have worked through those updates without issue.

Is it possible that something changed in your permissions that caused those paths to not be accessible?
 

ChickenSalad

Cadet
Joined
Jul 10, 2022
Messages
8
It's not all paths. Sorry, I should've been more clear.

I can't mount various other system paths as read-only that have worked before, such as: /etc/timezone, /etc/localtime, /var/log/sysstat, /proc.

I've seen other people report that you also can't mount the root of a dataset anymore (/mnt/x), only subfolders below it (/mnt/x/*), but I don't use that particular setup myself.
 

indivision

Guru
Joined
Jan 4, 2013
Messages
806
I see. So, basically, you are looking to over-ride system paths. I haven't tried that one. I imagine that creates security issues or broken apps if/when users accidentally use a conflicting name for a mount.
 

ChickenSalad

Cadet
Joined
Jul 10, 2022
Messages
8
/etc/timezone and /etc/localtime I pass through read-only just so I can easily keep the container timezones in sync with the host.

The rest are actually passed through to different folders so they won't conflict, i.e. /proc => /host/proc.

Either way, security issue or not, I feel that should be up to me when it comes to docker containers (via Launch Docker Image). I can understand that this restriction may make sense when it comes to enforcing best practices for chart apps though.
 

ChickenSalad

Cadet
Joined
Jul 10, 2022
Messages
8
I didn't find a way to disable the host path validation. Seems like it's something here to stay.

Dirty workaround I used was to use symlinks. For example, I symlinked /etc => /mnt/pool/folder/etc, and then have host paths of /mnt/pool/folder/etc/localtime => /etc/localtime.
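
The symlink workaround above, reproduced as an added example that is not code from the thread or from TrueNAS. It builds the same layout (a directory under a "pool" path that symlinks to /etc) in a scratch directory, then contrasts two ways a host-path validator might decide whether a path lies under an allowed root: a plain string-prefix test, which the symlink passes, and a canonicalising test (resolve symlinks first, then compare), which it does not. The validator functions, the ALLOWED_ROOT and POOL locations and the `mount_cmd` helper are assumptions for illustration; they are not TrueNAS's actual validation code.

```shell
#!/bin/sh
# Added example, not from the thread or from TrueNAS. Reproduces the
# "symlink /etc under the pool, then mount through the symlink" trick in a
# scratch directory and shows why a prefix-only validator lets it through.

# Assumed locations: a scratch root standing in for /mnt, and a pool folder
# under it, mirroring "/mnt/pool/folder" from the post.
ALLOWED_ROOT="${ALLOWED_ROOT:-$(mktemp -d)}"
POOL="$ALLOWED_ROOT/pool/folder"

# Create $POOL/etc -> /etc (the post's "/etc => /mnt/pool/folder/etc").
setup_symlink_bridge() {
    mkdir -p "$POOL"
    ln -sfn /etc "$POOL/etc"
}

# Host path you would type into the UI to reach /etc/<file> via the bridge.
bridge_path() {
    printf '%s/etc/%s\n' "$POOL" "$1"
}

# Hypothetical validator 1: accept any path that starts with the allowed root.
# This is a string comparison only; symlinks are never followed.
naive_allowed() {
    case "$1" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Hypothetical validator 2: canonicalise first (readlink -f follows every
# symlink component), then apply the same prefix test to the real path.
canonical_allowed() {
    real_path=$(readlink -f "$1") || return 1
    naive_allowed "$real_path" "$2"
}

# The docker invocation the bridge enables; printed rather than executed so
# the script is safe to run anywhere. Read-only mount, as in the post.
mount_cmd() {
    printf 'docker run --rm -v %s:/etc/localtime:ro alpine date\n' "$(bridge_path localtime)"
}

# Demo: the bridged path looks like it lives under the pool, but the kernel
# will bind-mount whatever the symlink resolves to.
setup_symlink_bridge
p=$(bridge_path localtime)
printf 'host path given to validator : %s\n' "$p"
printf 'path actually bind-mounted   : %s\n' "$(readlink -f "$p")"
if naive_allowed "$p" "$ALLOWED_ROOT"; then
    echo "prefix-only validator       : allowed"
fi
if ! canonical_allowed "$p" "$ALLOWED_ROOT"; then
    echo "canonicalising validator    : rejected"
fi
mount_cmd
```

The point for anyone using this: the bridge works only because the check is applied to the path string rather than to what it resolves to, so it also sidesteps whatever the validation was meant to enforce (for example keeping apps away from paths outside /mnt). That is an explicit decision to opt out, so limit the bridge to the specific files you need (localtime, timezone) rather than exposing all of /etc, and keep the mounts read-only.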
 

brahmy

Dabbler
Joined
Mar 24, 2022
Messages
13
Awesome. Thanks for the quick reply (amazing!). I'll give that a shot.

Edit: Success!! Thank you so much
 

ChickenSalad

Cadet
Joined
Jul 10, 2022
Messages
8
On the APPS screen there is a "settings" button
What's the setting you see called? I don't have one to disable host path validation.

Ah, from reading a bit sounds like this is a new setting in Bluefin? I'm still on Angelfish but was going to upgrade sometime this weekend. Something to look forward to then!
 

brahmy

Dabbler
Joined
Mar 24, 2022
Messages
13
What's the setting you see called? I don't have one to disable host path validation.

Ah, from reading a bit sounds like this is a new setting in Bluefin? I'm still on Angelfish but was going to upgrade sometime this weekend. Something to look forward to then!
I think the host path validation checks are related to ensuring apps and SMB shares don't share the same datasets. I am on the latest Bluefin release and I can't mount (most) system folders to Docker containers (except for /sys, which seems... inconsistent).
 