FN11.2 Help me understand how users and ownership work when creating jails and apps

Digitaldreams

I originally set up my server over 2 years ago and with the new update, I'm trying to relearn how to set up jails and work with the OS. My main goal now is to rebuild my jails so they are under iocage. That brings me to why I'm here...there's a lot I don't remember.

1. So this is what I'm trying to wrap my head around. When I create a new jail using the basic wizard, it automatically chooses root as the exec_jail_user and exec.system_jail_user. When I later looked, these options appear in the advanced settings which I don't modify. This creates a path such as "tank/iocage/jails/plex/root". What bothers me about this is the "root" part. Is this what I should expect and is this preferred and why? In previous FreeNAS version using Warden I think, the jail path showed up as "tank/jails/plex". Why is this the case and does it matter?

2. When I previously installed plex and transmission using the guides, it said to make sure you don't run them as root, which I know to be standard practice. The previous plex jail was a standalone jail and transmission was using the plugin. What I'm confused about is when I go to install the plex pkg for example, should I be doing it as root or should I be creating a new user in the jail first, then installing plex as the new user? To take it one step further, with whichever user I do the install from, is this where I need to change the permissions in order to write data to the necessary datasets/folders (i.e. tank/media/)?


3. As I understand it, you can only log into FreeNAS using root; however, I'd like to avoid poking around as root. If I run "su <username>" and choose the user that I created when I first configured the server, it doesn't have a home directory as configured per the guide I followed. So should I create another user to use when making changes via the CLI? Most importantly, how does this relate to ownership when installing apps within a jail?
 

tprelog

This creates a path such as "tank/iocage/jails/plex/root". What bothers me about this is the "root" part. Is this what I should expect and is this preferred and why?
Here it means / or the root of the file system for the jail. This is normal and cannot be changed. In this case it has nothing to do with the user.

What I'm confused about is when I go to install the plex pkg for example, should I be doing it as root or should I be creating a new user in the jail first, then installing plex as the new user?
You install the app as root (a normal user needs elevated (sudo) privileges anyways), and you run the application as a different user.


As I understand it, you can only log into FreeNAS using root however I'd like to avoid poking around as root. If I run "su <username>" and choose the user that I created when I first configured the server, it doesn't have a home directory as configured per the guide I followed. So should I create another user to use when making changes via the CLI? Most importantly, how does this relate to ownership when installing apps within a jail?

If you enable ssh, you can ssh into FreeNAS as the user you created and use sudo (if enabled) when you need `root permission`. I never log into FreeNAS as root. You can still add a home directory for your user, but first you should create a dataset somewhere for this purpose. Typically I name this dataset to match the user's name (but it can be anything) and change permissions so owner/group matches the user's name/group.

Now you can go to user settings and set this dataset as the user's home directory. Here you'll also find a check box to `Permit Sudo`. Checking this will allow that user to run commands that need root. At this point there is nothing to do with a user or permissions inside a jail. A user inside only needs to exist inside the jail. Not on FreeNAS.


I don't use Plex or Transmission, so I can't speak to exactly how they work, but to provide some general clues overall, I can give you an example using Emby Server.

Emby runs as a non-root user with the name emby and user/group ID 989. I have the same need to provide emby with rw access to a dataset that's outside the jail. This dataset contains my movies and tv-show folders and emby needs permission to save information files and artwork there.

Just in some quick steps, here's how I set this up.
Before I start, I'll say I already have my user set up on FreeNAS, and have a dataset /mnt/tank/media containing movies and TV shows.

I would first create the group emby and set the group ID to 989. I would also add myself as a user to this group.

Next I set the group of /mnt/tank/media to emby and check the box allowing rw permissions for the group.



This dataset will be added as storage inside the jail. This is the only configuration on FreeNAS I do for the user that will exist inside the jail.

When I install Emby, the plugin script creates the jail and the emby user and group inside. I add /mnt/tank/media as storage inside the jail. Now since the group emby exists both on FreeNAS + inside the jail and the group has rw permissions we have our common point. Kinda general but hopefully gets you started.

If Plex or Transmission already create non-root users inside the jail, usually the group name = user name and same with user and group id. You could possibly just substitute from the emby example accordingly. Again, this is generally a starting point. Permissions can get complicated quickly depending on how everything interacts. Meaning you must still ensure the actual files are being created or added with the group rw permission as well. For example, another application I use creates files by default with group set to r; in this case I might also need to set a different umask for that user running the application inside the jail.

I'd like to get this converted to a FreeNAS resource; unfortunately I haven't had time yet, but I've quickly covered some of these steps (using pictures) in the Getting Started section of this (outside link) guide for another jail, which also requires a similar setup of jail user and permissions.
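
A way to check the shared-group setup described in the reply above, as an added example that is not part of the thread or of FreeNAS itself: it lists paths the shared group cannot read and write, and shows what mode a new file gets under a given umask. The defaults `/mnt/tank/media` and gid `989` are taken from the Emby example; the function names and the `MEDIA_DIR` / `SHARED_GID` variables are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults mirror the post's Emby setup;
# override MEDIA_DIR / SHARED_GID for Plex, Transmission, etc.
MEDIA_DIR="${MEDIA_DIR:-/mnt/tank/media}"
SHARED_GID="${SHARED_GID:-989}"

# List every path under $1 that the shared group (numeric gid $2) cannot use:
# wrong group owner, missing group r/w bits, or a directory without group x
# (search), which would stop the group from entering it.
audit_group_rw() {
    dir=$1
    gid=$2
    find "$dir" \( ! -group "$gid" -o ! -perm -060 \
        -o \( -type d ! -perm -010 \) \) -print | sort
}

# Print the permission string a newly created file gets under umask $1.
# Runs in a subshell so the caller's umask is left untouched.
mode_under_umask() {
    (
        tmp=$(mktemp -d) || exit 1
        umask "$1"
        : > "$tmp/probe"
        ls -ld "$tmp/probe" | cut -c1-10
        rm -rf "$tmp"
    )
}

# Report only when the dataset is actually mounted here (host or jail).
if [ -d "$MEDIA_DIR" ]; then
    bad=$(audit_group_rw "$MEDIA_DIR" "$SHARED_GID")
    if [ -n "$bad" ]; then
        echo "Not usable by gid $SHARED_GID:"
        echo "$bad"
    else
        echo "All paths under $MEDIA_DIR are group rw for gid $SHARED_GID"
    fi
fi
echo "umask 022 creates files as $(mode_under_umask 022)"
echo "umask 002 creates files as $(mode_under_umask 002)"
```

Run it on the host and again inside the jail with `MEDIA_DIR` set to the jail's mount point; files that appear in the listing after the application has written to the dataset point to the umask issue mentioned above.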
 

Digitaldreams

Thanks for the info! This does clear some stuff up.
 