SOLVED First Jail: best practices and questions

[Davvo]

Show : Hardware

Motherboard: Supermicro X11SSL-F
CPU: Intel Pentium G4560
RAM: 1x16GB Hynix DDR4 2666MHz Unbuffered ECC
PSU: LC-Power 560W GOLD
Boot: 1x 32GB MLC USB (TS32GJF780)
VMs/Jails: 1x Seagate IronWolf 250GB SATA SSD (ZA250NM1A002)
Storage: 2x Seagate IronWolf 3TB CMR HDD (ST3000VN007)

I'm trying a MLC USB as boot drive, I know it's not reccommended but I want to test its endurance; I have weekly config backups, don't worry.
I know stripes are dangerous, but I want to experiment; all my important data is in the HDD mirror and backups.

I decided to experiment more with my system and to try running a Jail; my first objective is to set up one for qBittorrent (and if everything goes well I will condsider Plex/Emby): my plan was to download torrents in the jail and then move the files directly on the SMB share of my storage pool, I don't know if there is a better or easier way to do so than SMB protocol.

Anyway, google bringed me to this guide. I set up the jail following its instructions with the exception of using DHCP for the network interface; I succesfully created the Jail (as Clone Jail btw, I don't know if there are benfits using Basejail), used putty to ssh into TrueNAS then used iocage console jailname (why the heck can't I directly ssh into the jail as root is beyond my understanding) to get to my jail terminal (thanks to the official documentation I dodged the WebUI Shell).

I install pkg, nano, qbittorrent-nox; I am able to reach qbittorrent-nox GUI from my_jail_ip:8080, I add the qbitscript_enable=”YES” line to the /etc/rc.conf file using nano file using nano, I create the /etc/rc.d/qbitscript file using nano, copy the script by stealing it from this thread (why did the author of that guide think that a screenshot was a good idea?! thanks @joeschmuck , you saved me 5 minutes of pain!) and modifying it to match the guide formatting (see below), and finally I run chmod 775 /etc/rc.d/qbitscript.

Code:

#!/bin/sh
# File name 'qbitscript'
# Place this file into /etc/rc.d
# Edit /etc/rc.conf to include qbitscript_enable="YES"

. /etc/rc.subr

name="qbitscript"
rcvar=qbitscript_enable

PATH="$PATH:/usr/local/bin"

start_cmd="${name}_start"
stop_cmd=":"

load_rc_config $name
eval "${rcvar}=\${${rcvar}:-'NO'}"

qbitscript_start()
{
    qbittorrent-nox -d
}

run_rc_command "$1"

I reboot the jail (from the WebUI this time, in my true first attempt I just sent reboot thinking it would be fine since I was into the jail, silly me) and qbittorrent isn't active in the background (checked with top). I then tried a chmod +x /etc/rc.d/qbitscript since the 775 looked hella suspicious to me, but still nothing.

Now, my questions are the following:​

• Where the hell can I look for some basic understanding of Jails? The FreeBSD documentation wasn't really helpful (being in the middle of the night might be the reason though, but it's likely that I'm trying to chew something too big for me).​
• Is what I envisioned possible, or do I need to continue following that guide and mounting things who knows where, going around with groups and permissions (they are so easier in the truenas interface)?​
• Are there any good practices about jails that I really should know and follow? I recall a post of @sretalla about properly setting up bridges for the IP addresses; also, should I stick with the Clone Jail or go for the BaseJail? Google bringed me different opinions, I don't think I will update it much (if it works, don't break it) but I will certanly upgrade TrueNAS versions to later 13-Us and maybe 14 in the future.​
• Finally, the mother of all questions: why the heck didn't qbittorrent-nex run at startup? Not finding any answer to this question I tried to look into how to setup a cronjob since I love them in TrueNAS, but at that point I was (am) really tired and decided to seek help.​

Please point me to any useful resource or documentation, I am willing to put the effort to learn but I did find myself a bit stuck. I deleted the jail for now with the intention to muster my attack after a good sleep.
Also, please forgive me since this isn't strictly a TrueNAS issue but more a collection of FreeBSD and networking ignorance.

EDIT: used lastest release for the jail and my system runs 13-U3.1​

 

[winnielinnie]

as Clone Jail btw, I don't know if there are benfits using Basejail

I would redo it as a Basejail. Easier to maintain and upgrade. Clone jails are forever tethered to and dependent on the original FreeBSD release from which it was installed. Basejails can be "upgraded" to later FreeBSD releases, without being tied to the original release. (This means you can also delete the old releases safely. You cannot do this with Clone jails.)

For example, a Basejail installed today will be based on FreeBSD 13.1. When the time comes, it can be upgraded to FreeBSD 14.0. Now you can safely delete the old release(s) under poolname/iocage/releases dataset.

my plan was to download torrents in the jail and then move the files directly on the SMB share of my storage pool, I don't know if there is a better or easier way to do so than SMB protocol.

qBittorrent has a built-in feature to "move" completed torrents. You specify a location where the folder/files will be moved to upon download completion. Whereas you enable and specify where "incompleted" torrents should first be downloaded.

qBittorrent will download to the "Incomplete" folder, and the move the files to the "Save Location" folder upon completion.

In order to leverage this, you have to add all real dataset(s)/path(s) as "mount point(s)" in the Jail's Mount Points settings.

An example, like so.
Save Path: /media/share/
Incomplete Path: /media/downloads/

In reality, the Jail's /media/share/ points to TrueNAS's /mnt/poolname/smbshare/, while the Jail's /media/downloads/ points to TrueNAS's /mnt/poolname/torrentdownloads/

why the heck can't I directly ssh into the jail as root is beyond my understanding

Because it's a different "server" on your network. Think of each jail as its own distinct FreeBSD server. You can setup SSH on a specific jail if desired.

Finally, the mother of all questions: why the heck didn't qbittorrent-nex run at startup? Not finding any answer to this question I tried to look into how to setup a cronjob since I love them in TrueNAS, but at that point I was (am) really tired and decided to seek help.

It might be because of a permissions issue inside the jail. It depends on which user is starting qbittorrent-nox, and if this same user has access to the qBittorrent settings folder. (The default user is qbittorrent with a UID of 850.)

I didn't use any of the extra steps you did (such as "qbitscript"). I'm using what comes installed from upstream. (When you install via pkg install qbittorrent-nox.)

This is the contents of my /etc/rc.conf:

Show

Code:

cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="NO"
ifconfig_epair0b="SYNCDHCP"

# Enable custom services
wireguard_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="NO"
qbittorrent_enable="YES"

The important part is qbittorrent_enable="YES", which refers to the following file, installed by upstream:
/usr/local/etc/rc.d/qbittorrent

The default qBittorrent-nox configuration folder is:
/var/db/qbittorrent/

 

[Davvo]

I would redo it as a Basejail. Easier to maintain and upgrade. Clone jails are forever tethered to and dependent on the original FreeBSD release from which it was installed. Basejails can be "upgraded" to later FreeBSD releases, without being tied to the original release. (This means you can also delete the old releases safely. You cannot do this with Clone jails.)

For example, a Basejail installed today will be based on FreeBSD 13.1. When the time comes, it can be upgraded to FreeBSD 14.0. Now you can safely delete the old release(s) under poolname/iocage/releases dataset.

Basejail it is then.

qBittorrent has a built-in feature to "move" completed torrents. You specify a location where the folder/files will be moved to upon download completion. Whereas you enable and specify where "incompleted" torrents should first be downloaded.

qBittorrent will download to the "Incomplete" folder, and the move the files to the "Save Location" folder upon completion.

Yup, I knew this and planned to use SMB to do the moving outside the jail like it were a VM.

In order to leverage this, you have to add all real dataset(s)/path(s) as "mount point(s)" in the Jail's Mount Points settings.

An example, like so.
Save Path: /media/share/
Incomplete Path: /media/downloads/

In reality, the Jail's /media/share/ points to TrueNAS's /mnt/poolname/smbshare/, while the Jail's /media/downloads/ points to TrueNAS's /mnt/poolname/torrentdownloads/

This was something I didn't know and it's smooth!

Because it's a different "server" on your network. Think of each jail as its own distinct FreeBSD server. You can setup SSH on a specific jail if desired.

Looking at the documentation it doesn't seem so though and it looks like you need to setup another user. Does anyone know the default password of the jail root user? Using root@myjail_ip asks me one.

It might be because of a permissions issue inside the jail. It depends on which user is starting qbittorrent-nox, and if this same user has access to the qBittorrent settings folder. (The default user is qbittorrent with a UID of 850.)

I didn't use any of the extra steps you did (such as "qbitscript"). I'm using what comes installed from upstream. (When you install via pkg install qbittorrent-nox.)

This is the contents of my /etc/rc.conf:

Show

Code:

cron_flags="$cron_flags -J 15"

# Disable Sendmail by default
sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# Run secure syslog
syslogd_flags="-c -ss"

# Enable IPv6
ipv6_activate_all_interfaces="NO"
ifconfig_epair0b="SYNCDHCP"

# Enable custom services
wireguard_enable="YES"
firewall_enable="YES"
firewall_script="/etc/ipfw.rules"
firewall_logging="NO"
qbittorrent_enable="YES"

The important part is qbittorrent_enable="YES", which refers to the following file, installed by upstream:
/usr/local/etc/rc.d/qbittorrent

The default qBittorrent-nox configuration folder is:
/var/db/qbittorrent/

This solved my issue, thank you very much. I didn't think the file already existed.

Now it works like a charm and I can download my Linux ISOs. I owe you a coffee, thanks!

 

[winnielinnie]

Don't forget that the jail uses UID 850 ("qbittorrent") to run qbittorrent-nox and subsequently download new torrents. You'll need to create this user in TrueNAS itself, then apply permissions (or ACLs) to grant this "user" permission in the relevant directories.

You can also specify a different user to run qbittorrent-nox, to match the UID in TrueNAS proper. (Create a new user in the jail, use the same UID as the one in TrueNAS, set this as the user forqbittorrent-nox, then check/set folder permissions accordingly.)

Looking at the documentation it doesn't seem so though and it looks like you need to setup another user. Does anyone know the default password of the jail root user? Using root@myjail_ip asks me one.

Honestly, since we usually don't do stuff in the jail's shell often (occasional pkg update maybe), it's simpler to SSH into TrueNAS and then execute iocage console jailname.

You can create a new user in the jail and setup SSH for this user. Or figure out how to enable root login with SSH in this jail (must edit /etc/ssh/sshd_config and create a new password for the root user.

But it's just simpler to use iocage console

Now it works like a charm and I can download my Linux ISOs.

GLORY TO THE TOTALLY LEGAL LINUX ISOS! MAY THEY LIVE FOREVER!

Never will there be a day where someone cannot download their favorite Linux distro released ten years ago!

 

[Whattteva]

Looking at the documentation it doesn't seem so though and it looks like you need to setup another user. Does anyone know the default password of the jail root user? Using root@myjail_ip asks me one.

I think, by default, there is no password, which would disallow remote logins. You can still login to it from the host system using either:

Code:

# iocage console <jail_name>

or

Code:

# jls

Note the JID of the jail you're trying to access.

Code:

# jexec <JID> /bin/csh

Now that you are logged in as root, you can create new users with

Code:

# adduser