How to do jail permissions "the right way"?

Sokonomi (Contributor, joined Jul 15, 2018, 115 messages)
Hi all,

I've been trying to get my TrueNAS-12.0-U4 build up and running, and I've only been semi-successful so far. I've managed to set up a pool with some datasets, and even installed some plugins that seem to be running. The main issue I seem to keep running into, though, is the permission/ownership system.

I have 2 downloaders (sabnzbd and transmission), 3 content trackers (a pair of sonarrs and radarr), and one content server (plex). One would think sticking them in three groups (download, track, serve) would make sense, but I can't for the life of me figure out how to actually do it. Each time I try changing the UID:GID of a plugin in its jail, it just jams up and ceases to function.

The only way I found to be working, somewhat, is by just cloning the UID:GID that the plugins just happen to use in their respective jails. But tacking all the individual users onto datasets seems to be causing some chaos. They all just write files in their own name, and it makes interaction between plugins rather problematic; SMB shares seem to only show half the files due to this as well. And just making a user in the host for each plugin and then assigning them to the same group doesn't seem to work either.

Google keeps drumming up an ocean of irrelevance, and thumbing through the wiki doesn't seem to get me anywhere either. So could I perhaps ask one of you to pretend I'm 12 and explain what one should normally do to handle this permission mess? o_O

(Joined Jan 7, 2015, 1,155 messages)
I will advise that you have as few jails as possible, and a common user/group that all your software runs as. In a perfect world this user and group should exist in, and be identical across:
1. Your main client (Windows, Mac, Linux -- Identical UID/GID, email, name)
2. The TrueNAS Host (Identical UID/GID, email, name, etc..)
3. Each jail (Identical UID/GID, email, name, etc.)

Once this is configured you can give ownership of all pertinent files to this user (or group).

Then, using the /etc/rc.conf file in the jail(s), set your software to run as this user (before first run, or you'll have to change ownership of its working directories), i.e. chown -R MYNEWUSER:MYNEWGROUP /usr/local/sonarr /usr/local/share/sonarr

The main issue here being that sonarr wants to run as sonarr, plex as plex, sab as sab, transmission as transmission... all different names and UID/GID. It quickly creates a mess. Often new users are tricked into having a separate jail for each of these programs too. THIS ISN'T NECESSARY, and it is only beneficial if you hose something up beyond repair (or if you can only use plugins, boooo). Otherwise, having one jail is perfect for this process, as you only have to tinker with one set of data mounts, rc.conf file, pkg updates, user creation, etc., etc. Far superior and easier IMO. The real issue is that to use plugins they all create their own jail, so you'll have to learn to install this software manually if you want to go this route, but here again it is a far superior way to do it IMO.

If you insist on using 10 different jails then you'll have to go through and do all of this for each jail, again, booo.

sretalla (Moderator, "Powered by Neutrality", joined Jan 1, 2016, 9,703 messages)
sonarr wants to run as sonarr, plex as plex, sab as sab, transmission as transmission
That's the default... the software will do what you tell it to do, so actually it has no preference.

Making sure to execute the same user creation command in each jail to result in the same user name and ID isn't hard...
pw user add mediauser -c mediauser -u 1111 -d /nonexistent -s /usr/sbin/nologin

And then using the variables in the rc.d scripts with sysrc isn't hard either:
sysrc sonarr_user="mediauser"
sysrc sonarr_group="wheel"
sysrc radarr_user="mediauser"
etc...

And as you said, changing permissions is not hard:
chown -R mediauser:wheel /usr/local/sonarr /usr/local/share/sonarr

having one jail is perfect for this
IMHO, there's something to be said for having jails that can start and stop independently of the others in addition to potentially having different versions of mono (as radarr goes dotnet and sonarr doesn't yet), python or whatever is needed. (yes I know you can theoretically mix versions in a single jail, but, blergh... not for me)
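Both answers above hinge on one precondition: the shared user must carry the same UID/GID on the host and in every jail before any chown is done, otherwise files land under mismatched numeric owners (which is what the SMB half-visible-files symptom points at). The following is an added check script, not code from the thread: it compares the passwd(5) entry of a user across several passwd files. The four files it reads are constructed sample data; on a real TrueNAS box you would pass /etc/passwd and each jail root's etc/passwd instead.

```sh
#!/bin/sh
# Added example: verify that a media user has identical UID:GID on the
# host and in each jail. Paths used below are constructed samples.

# uid_of USER PASSWD_FILE -> prints "uid:gid", or nothing if USER is absent
uid_of() {
    awk -F: -v u="$1" '$1 == u { print $3 ":" $4; exit }' "$2"
}

# check_user USER FILE... -> one status line per file;
# returns 0 only when every file has USER with the same uid:gid as the first
check_user() {
    user=$1; shift
    ref=""; status=0
    for f in "$@"; do
        ids=$(uid_of "$user" "$f")
        if [ -z "$ids" ]; then
            echo "MISSING  $f: no user '$user'"; status=1; continue
        fi
        [ -z "$ref" ] && ref=$ids
        if [ "$ids" = "$ref" ]; then
            echo "OK       $f: $user=$ids"
        else
            echo "MISMATCH $f: $user=$ids (expected $ref)"; status=1
        fi
    done
    return $status
}

# Constructed sample passwd files: host and sonarr jail agree (1111:1111),
# the plex jail drifted to uid 1112, the transmission jail lacks the user.
tmp=$(mktemp -d)
root_line='root:*:0:0:Charlie &:/root:/bin/sh'
ok_line='mediauser:*:1111:1111:mediauser:/nonexistent:/usr/sbin/nologin'
bad_line='mediauser:*:1112:1111:mediauser:/nonexistent:/usr/sbin/nologin'
printf '%s\n%s\n' "$root_line" "$ok_line"  > "$tmp/host.passwd"
printf '%s\n%s\n' "$root_line" "$ok_line"  > "$tmp/sonarr.passwd"
printf '%s\n%s\n' "$root_line" "$bad_line" > "$tmp/plex.passwd"
printf '%s\n'     "$root_line"             > "$tmp/transmission.passwd"

if check_user mediauser "$tmp/host.passwd" "$tmp/sonarr.passwd" \
        "$tmp/plex.passwd" "$tmp/transmission.passwd"; then
    echo "consistent: safe to chown datasets to mediauser"
else
    echo "fix the jails flagged above before running chown -R"
fi
```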