Error: [EPERM] Changing permissions on jail dataset paths is not permitted

Ralphshep

Dabbler
Joined
Apr 28, 2020
Messages
45
I just updated from FreeNAS to TrueNAS and I've run into some problems. (Possibly due to personal configuration errors)

Right now I'm having problems with SMB and ACL permissions on 3 of my SMB shares. My main data drive (FreeNAS-Data) cannot be connected to at all. I also have an Apache web and Plex servers running in a jail and I share their main content folders. I can connect to both of those shares but can't make any changes. As far as I know I have not made any changes to the ACL permissions since I transitioned to the new system and upgraded to TrueNAS Core.

Looking at the ACLs for each of these drives, it doesn't appear that anything has changed, and it appears my personal user still has access to the folder and the root user controls all of the datasets. However, when I click Save or STRIP ACLs I get the following error message:

Updating Dataset ACL

Error: [EPERM] Changing permissions on jail dataset paths is not permitted: /mnt/MAINpool/iocage/FreeNAS-Data

Updating Dataset ACL

Error: [EPERM] Changing permissions on jail dataset paths is not permitted: /mnt/MAINpool/iocage/jails/Plex/root/Plex/Media

Updating Dataset ACL

Error: [EPERM] Changing permissions on jail dataset paths is not permitted: /mnt/MAINpool/iocage/jails/WebServer/root/usr/local/www/apache24/data

I'm also trying to make these changes using the root user on the online interface.

One post I saw suggested disconnecting and reimporting the pool (but I'm a little scared to do that, especially since I haven't set up my backup yet).

Any suggestions?
 


artlessknave

Wizard
Joined
Oct 29, 2016
Messages
1,506
why are you sharing jail paths at all? that's a massive no-no, run away screaming, AAHHH!.
do NOT do that. do not change your jail permissions, you will break your jail.

I don't see enough here to fully figure out what you are doing, but it looks to me like you are using jails incorrectly.

you create a dataset, OUTSIDE iocage, and mount that in any jail you want to have access to that data. then you share that data with smb, giving you access to the data.
e.g.,
MAINpool/iocage/jails/plex/root
MAINpool/media
MAINpool/media > MAINpool/iocage/jails/plex/root/mnt/media
SMB: \\servername\media
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
You should think of paths within the jail's filesystem as basically owned by that jail. Permissions management can happen from within the jail (chmod, chown, setfacl, etc), but we do not permit it from the host OS because there is too much chance of users breaking their jails. The host and guest may not have the same users and groups, and the admin may accidentally change permissions on paths that should never be touched. This is not to say that there is something inherently wrong with doing this from the host, it's just one avenue for foot-shooting for those not familiar with the details of how these features are implemented.

We had to add this validation because of cases where users have accidentally broken all the plugins / jails on their server through a recursive change on the ACL of the iocage dataset.

The solution to managing permissions on jail data is above. The same general principle applies to permissions on the ix-applications dataset and kubernetes in SCALE.
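
A pre-flight check in the spirit of the validation described above, as an added example that is not TrueNAS middleware code and not part of any post in this thread. It sorts candidate paths into those safe to re-permission from the host and those that belong to a jail; the function names, the `/mnt/MAINpool/media` mountpoint and the last two sample paths are assumptions made for illustration.

```python
import posixpath

# iocage root mountpoint, taken from the error messages quoted in this thread.
IOCAGE_ROOT = "/mnt/MAINpool/iocage"


def normalize(path):
    """Collapse '.', '..' and duplicate or trailing slashes without touching disk.

    This is purely lexical. On the real host, resolve symlinks first
    (os.path.realpath) so a link pointing into a jail is also caught.
    """
    if not path.startswith("/"):
        raise ValueError("expected an absolute path: %r" % path)
    return posixpath.normpath("/" + path.lstrip("/"))


def is_jail_path(path, iocage_root=IOCAGE_ROOT):
    """True if path is the iocage mountpoint itself or anything beneath it."""
    root = normalize(iocage_root)
    target = normalize(path)
    # Compare on a component boundary so /mnt/MAINpool/iocage-old does not match.
    return target == root or target.startswith(root + "/")


def split_acl_targets(paths, iocage_root=IOCAGE_ROOT):
    """Return (safe_from_host, manage_inside_jail) as normalized path lists."""
    safe, refused = [], []
    for p in paths:
        (refused if is_jail_path(p, iocage_root) else safe).append(normalize(p))
    return safe, refused


# Constructed input: the three paths from the error messages, the dataset layout
# suggested in the reply, and two edge cases (similar prefix, '..' traversal).
SAMPLE = [
    "/mnt/MAINpool/iocage/FreeNAS-Data",
    "/mnt/MAINpool/iocage/jails/Plex/root/Plex/Media",
    "/mnt/MAINpool/iocage/jails/WebServer/root/usr/local/www/apache24/data",
    "/mnt/MAINpool/media",
    "/mnt/MAINpool/iocage-old/data",
    "/mnt/MAINpool/media/../iocage/jails/Plex/root",
]

if __name__ == "__main__":
    safe, refused = split_acl_targets(SAMPLE)
    print("change from host:  ", safe)
    print("manage inside jail:", refused)
```

Running a list of targets through a check like this before any recursive `chmod`, `chown` or `setfacl` from the host avoids the accidental breakage of every jail that the validation was added to prevent.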
 

Ralphshep

Dabbler
Joined
Apr 28, 2020
Messages
45
So, just to make sure I’m understanding.

TrueNAS does not allow you to create an SMB share or manage ACL permissions on Datasets within the iocage or Jails? If so I completely understand the reasoning behind that decision.

If this is the case, what would be the best way for me to move my main data drive out of the iocage and into the root of the pool?
 

artlessknave

Wizard
Joined
Oct 29, 2016
Messages
1,506
you CAN do it, if you really want to, and know what you are doing. but there is no reason to really.
i *think*:
Code:
zfs rename MAINpool/iocage/jails/Plex/root/Plex/Media MAINpool/Media

would work, but I'm not 100% sure.
alternatively if you have enough space, you should be able to replicate:
MAINpool/iocage/jails/Plex/root/Plex/Media > MAINpool/Media
or mount (through the UI, not commandline)
MAINpool/Media into your jail, and copy the data
 