[How-To] Giving Plugins Write Permissions to Your Data

Status
Not open for further replies.

Scharbag

Guru
Joined
Feb 1, 2012
Messages
620
In order for your plugin to be able to write to your data datasets/folders, it must have:
  1. access to your data dataset/folders
  2. permissions to write to your data folders.

1) MAKING DATA ACCESSIBLE TO YOUR PLUGIN'S JAIL

  • It is preferred that your data reside on a dataset(s) outside of your jail that you regularly snapshot and backup.
  • FreeNAS plugins, by default, have no access to files residing outside of their jail.
2) PERMISSIONS
Choose one of the 4 solutions to give your plugin write permission to your data folders.

FACTS

  • Every folder/file has a UNIX permission level, UID ownership, and GID ownership, which determines which user/group members can read/write to that folder/file. Basic UNIX permissions are described in the opening part of Chapter 4, Part 4, of the FreeBSD handbook.
  • Jails and the FreeNAS host do not share user/group databases. They only associate UIDs/GIDs to users/groups if that mapping exists in its particular user/group database.
  • Processes running inside a jail's userland (plugins) are permitted to read/write files/folders according to the jail's user/group database.
  • By default, most plugins run as a specific user, with a specific UID, and keep their configuration/databases/logs in what I will refer to as a data-directory.
    • SERVICE - USER (UID) - DATA-DIRECTORY
    • transmission - transmission (921) - /var/db/transmission
    • sabnzbd - media (816) - /var/db/sabnzbd
    • sickbeard - media (816) - /var/db/sickbeard
    • sickrage - media (816) - /var/db/sickrage
    • sonarr - media (816) - /var/db/sonarr
    • couchpotato - media (816) - /var/db/couchpotato
    • headphones - media (816) - /var/db/headphones
    • mylar - media (816) - /var/db/mylar
    • xdm - media (816) - /var/db/xdm
    • maraschino - media (816) - /var/db/maraschino
    • htpc-manager - media (816) - /var/db/htpc-manager
    • plexmediaserver - plex (972) - /var/db/plexdata
    • emby-server - emby (983) - /var/db/emby-server
    • subsonic - media (816) - /var/db/subsonic
    • btsync - btsync (817) - /var/db/btsync
    • syncthing - syncthing (983) - /var/db/syncthing
SOLUTION 1 - USER WRITEABLE
  • Add a user in the FreeNAS WebUI with a matching UID as the plugin's default user.
  • Change ownership of the data dataset/folders to the newly added user.
SOLUTION 2 - USER WRITEABLE
  • In the jail, add a user with a matching UID as the owner of the data dataset/folders.
    • Code:
      pw useradd -n USER -u UID -d /nonexistent -s /usr/sbin/nologin
  • In the jail, change the user the plugin runs as, and change ownership of the data-directory.
    • Code:
      service PLUGIN onestop
      chown -R USER:GROUP /var/db/PLUGIN
      sysrc 'PLUGIN_user=USER'
      service PLUGIN start
SOLUTION 3 - GROUP WRITEABLE
  • Change permission of the data dataset/folders to allow group writing.
  • In the jail, add a group with a matching GID as the group owner of the data dataset/folders.
    • Code:
      pw groupadd -n GROUP -g GID
  • In the jail, add the user the plugin runs as to the newly added group.
    • Code:
      pw groupmod GROUP -m USER
SOLUTION 4 - OTHER WRITEABLE
  • Change permission of the data dataset/folder to allow other writing.

Option 5 - Change the UID of the user that is running the service? That worked for me :)
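
Added example, not part of any post in this thread: a small shell model of the facts and the four solutions above, showing how the same numeric UID resolves to different names on the host and in a jail, and which permission class (owner, group, other) decides whether the plugin's user may write. UIDs 816 and 1001 and the names media and Spencer are taken from the thread; the passwd lines are constructed, and the model assumes plain UNIX mode bits with no ACLs.

```shell
#!/bin/sh
# Added example (not from the thread). The two user databases below are
# constructed /etc/passwd-style samples for a host and a jail.
HOST_DB='root:*:0:0:root:/root:/bin/sh
Spencer:*:1001:1001:Spencer:/mnt/HTPC:/bin/sh'
JAIL_DB='root:*:0:0:root:/root:/bin/sh
media:*:816:816:media:/nonexistent:/usr/sbin/nologin'

# name_for_uid DB UID: the name this user database shows for UID, or the bare
# number when it has no entry (which is what "ls -l" then prints).
name_for_uid() {
    printf '%s\n' "$1" | awk -F: -v uid="$2" \
        '$3 == uid { print $1; found = 1; exit } END { if (!found) print uid }'
}

# write_class MODE OWNER_UID OWNER_GID PROC_UID "PROC_GIDS"
# Prints CLASS:yes|no. Exactly one class applies (owner, else group, else
# other), chosen from the numeric IDs; only that class's write bit is consulted.
write_class() {
    mode=$((0$1)); class=other; mask=$((0002))
    if [ "$4" -eq 0 ]; then echo "root:yes"; return 0; fi
    if [ "$4" -eq "$2" ]; then
        class=owner; mask=$((0200))
    else
        for gid in $5; do
            if [ "$gid" -eq "$3" ]; then class=group; mask=$((0020)); fi
        done
    fi
    if [ $((mode & mask)) -ne 0 ]; then echo "$class:yes"; else echo "$class:no"; fi
}

# A data folder with mode 775 owned by 1001:1001, accessed by the plugin user 816.
echo "host shows owner as:          $(name_for_uid "$HOST_DB" 1001)"
echo "jail shows owner as:          $(name_for_uid "$JAIL_DB" 1001)"
echo "816 with only its own group:  $(write_class 775 1001 1001 816 '816')"
echo "816 added to GID 1001 (S3):   $(write_class 775 1001 1001 816 '816 1001')"
echo "same, but item is mode 755:   $(write_class 755 1001 1001 816 '816 1001')"
echo "data owned by 816 (S1/S2):    $(write_class 775 816 816 816 '816')"
echo "mode 777, unrelated UID (S4): $(write_class 777 1001 1001 816 '816')"
```

With Solution 4 the result is other:yes for every non-matching UID, so any process in any jail that has the dataset mounted can write to it; Solutions 1 to 3 keep write access tied to one UID or GID.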
 

Fredde

Explorer
Joined
Dec 7, 2015
Messages
58
Thank you for this!

Solution 2 worked for me, I had to do this in all my jails!
 

gilligan5000

Cadet
Joined
Dec 21, 2015
Messages
6
I'm losing my mind on this...I've screwed around with this so many times from so many different threads that I think I've officially screwed the pooch on this one...so I just deleted all my jails and am starting over.

In my mind this is an easy thing, I just can not get cooperation for one reason or another.

For the life of me I can NOT get Sonarr to handle SABnzbd hand-back and re-naming of files. They just sit at 100% done and don't move. At some point in my dickering around it worked for a hot second and imported a pile I had downloaded, but it's now broken again (to do more dickering I imagine). Problem is I apparently only know enough to be dangerous...at some point I have tried all four of the methods in the original post...I guess I'm just having a rough week at setting this all up. Any help would be GREATLY appreciated.

Group GID
-Spencer 1001

User UID
-Spencer 1001

Volume User:Group
-HTPC (Spencer:Spencer)
Datasets (User:Group)
--Media (Spencer:Spencer)
--jails (root:wheel)

Jails in the root Jail dataset (User:Group)
-Sonarr (Spencer:Spencer)
-SABnzbd (Spencer:Spencer)

Storage is shared from source: /mnt/HTPC/Media
to destination: /media
for both jails. I even set up a storage between the two jails thinking that was the issue...

ls -l in each lists drwxrwxr-x 1001 Spencer for the media folder


With a newborn I'm only getting to work on this between 8pm-11pm to add even more frustration...thanks in advance.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
  • Did you change the owner of your sabnzbd/sonarr jail datasets?
  • Are you currently trying to run sabnzbd or sonarr as a different user than their default 'media'?
Your "ls -l" output shows you are close to having group permissions set up correctly (Solution 3). If this was what you were trying to do, just make sure the media user is added to the Spencer group in each jail, and that sabnzbd is writing files that allow group writing (775). See Sabnzbd Web UI > Config > Folders > Permissions for completed downloads.
Just because you set your dataset to be 775, doesn't mean sabnzbd or transmission respect these permission levels. They each have application settings to adjust what permission level files are written with.

####

Personally, I wouldn't even use the 'Spencer' user (I do most of my file operations as root on the command line, and read-only access is fine for Kodi-NFS/Emby).
I would just install sonarr and sabnzbd to the same jail, and "chown -R 816:816 /mnt/HTPC/Media".
 

gilligan5000

Cadet
Joined
Dec 21, 2015
Messages
6
Ok, I'll give that a try once the little one is to bed tonight.

So I'll:
1. change permissions recursively on EVERYTHING (HTPC volume, both media and jail datasets, both sonarr and sabnzbd jails) to root:wheel?
2. upload the sabnzbd .pbi into the sonarr jail or vice versa
3. in the shell of that single jail run "chown -R 816:816 /mnt/HTPC/Media" (which is weird to me, because I thought that's what these two jails defaults were (media:media 816:816)?...unless I'm super thick and running this in the jail shell will actually change the user:group of the Media dataset? In which case, how is this different from doing it in the GUI?) I really have no doubts in you after reading the 100's of problems you've solved, I think I'm just mad because I really want this to "click" in my mind so I can do this forever, not just this one time.

p.s. - if it's really this easy I think it's because I was doing chown with group/user names, not uid/gid numbers...d'oh.
Thanks again for the fast reply. You seem like you know your $h!t ...you should seriously consider a video for the dumb-dumbs like me out there :) who need to be spoon fed.

p.p.s. - reboots also seemed to be my worst enemy...I'd seem to get it working one way, then reboot only to find it completely broken to the point where I would have to refresh from a snapshot...it seems like no amount of coffee adderall and beer was going to make my brain comprehend what is going on here.
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
1) DON'T change the permissions of your jail datasets, this is probably why your plugins aren't starting after a reboot.
2) good plan, will make things a bit simpler.
3) that command was meant to be run on the freenas host. doing the same thing in the freenas webui would work as well. but, if you don't have a user assigned to that UID on the host you couldn't use the webui, which is why I suggested it.

chown with user/group or UID/GID does the same thing, just depends what that user/group maps to in your current context (host/jail).
 

gilligan5000

Cadet
Joined
Dec 21, 2015
Messages
6
well that was easy...let me know if I can PayPal you a beer or something. Thanks again
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949

gilligan5000

Cadet
Joined
Dec 21, 2015
Messages
6
I sent you two beers and a healthy tip in podunk PA...but it's probably only half a beer in Sacramento now that I'm giving it some thought...
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
No prob, thanks for the tip. Don't drink beer but it's enough to buy some fruit for a smoothie =D
 

gilligan5000

Cadet
Joined
Dec 21, 2015
Messages
6
Josh, thanks again, everything is working so well now!
I did just realize that I'll need Plex to also be able to write (because of the subtitles plugin I like). So reading everything one last time I would do the following in my separate Plex jail shell (root:wheel)?:
  1. pw useradd -n 816 -u 816 -d /nonexistent -s /usr/sbin/nologin
  2. service plexmediaserver onestop
  3. chown -R 816:816 /var/db/plexmediaserver
  4. sysrc 'plexmediaserver_user=816'
  5. service plexmediaserver start
And Plex will run just fine being changed from 972 to 816...and then be able to add my .srt subtitle files to my Media dataset (owned by 816)?

After this, the last on my wish-list is to figure out Handbrake CLI and monitoring script...then I'm DONE and can let this thing just hum along and do work for me. I attempted to install from freshports but there were 50 dependencies that weren't installed with the package keeping it from running...if anyone has any experience with that I would love some help there too. I spent way too long installing all these different missing dependencies only to be stopped by one that I couldn't find...Isn't a PKG supposed to install all of these for me?
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
that's the idea. though plex's data-directory is slightly different, it's at /var/db/plexdata so adjust the chown command.
it should all work, if it doesn't start plex may have a stale pidfile/pidfolder somewhere that needs to be deleted.

i don't know anything about handbrake on freebsd, but yeah pkg should grab dependencies for you, unless it doesn't work =\
 

DJ9

Contributor
Joined
Sep 20, 2013
Messages
183
Handbrake works just fine on FreeBSD 10.2 installed via pkg, although I didn't use the CLI version.
 

witalit

Cadet
Joined
Feb 12, 2013
Messages
8
Trying my best to get this running but I seem to fall at the 2nd hurdle. Sabnzbd and Sickbeard do not appear as a service. The onestop command finds nothing and I don't see a sabnzbd/sickbeard dir in /var/db/

Can anyone help?

Thanks appreciate your work on these awesome plugins!
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
Are you sure you are working inside your jail and not on the host FreeNAS system?
 

witalit

Cadet
Joined
Feb 12, 2013
Messages
8
How do I work inside the Jail? Thing is I have configured this before on FreeNAS Pre 9.3 so have some experience in setting permissions etc. Here is a screen of my /var/db/

yH8eLVt.png
 

Joshua Parker Ruehlig

Hall of Famer
Joined
Dec 5, 2011
Messages
5,949
You open shells for the jail. Either through the Jails tab, or by entering the jail from the FreeNAS commandline using 'jexec'
 

Fredde

Explorer
Joined
Dec 7, 2015
Messages
58
Or you can go to /mnt/"yourpool"/jails/

But the recommended way is doing from SSH.

SSH to your freenas IP

Type:

"jls" (without "")
Now you see your jails listed

Type:
"jexec NUMBER of jail /bin/tcsh" (without "")

You are now connected to your jail with SSH


 