Install Heimdall Dashboard in a jail

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
danb35 submitted a new resource:

Install Heimdall Dashboard in a jail - Pretty one-page index to your jails and other web apps

Heimdall Dashboard is a nice-looking web application to give an index page for your jails and other web applications. Selected applications support integration with the application's API to show relevant information. It will give you an index page like this:
View attachment 32302
Scripted installation instructions are at https://forum.freenas-community.org/t/install-heimdall-dashboard-in-a-jail-script-freenas-11-2/35

 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
Many thanks for the script, I wondered if you'd take the heimdall bait... I know nothing about web server config, but I'm always wary of using world writable perms, so is the "chmod -R 777" really necessary?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
is the "chmod -R 777" really necessary?
It probably isn't, and a change in ownership would likely be more appropriate. It works in its current state, but could definitely use refinement.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I read that caddy added telemetry to versions >= 0.11, is it off in the freebsd pkg by default? Not dealt that much with perms, user & ownership in jails. So does refinement start with adding a "www" system user, etc.?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
Yes, telemetry is off in the FreeBSD package; it's also off in the version you'd download for the TLS support. A www user is created during installation (I believe it's installation of php that does it), so chown -R www:www /usr/local/www/html would probably be a better way to go than what's currently there.
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I have a Heimdall jail running using your script, thanks. Only problem seems to be the upload of user images for app icons, e.g. a suitable png for logitech media server. This fails with what looks like a permission problem which I haven't diagnosed.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
This fails with what looks like a permission problem which I haven't diagnosed.
It looks like the issue is that permissions are getting set improperly on the icons directory (/usr/local/www/html/storage/app/public/icons). More fundamentally than that, Caddy is running as root (which seems to be necessary in order to bind to ports 80/443), but php-fpm is running as www. I could change that and run php-fpm as root, but that doesn't sound like the greatest idea. Perhaps with a combination of the setgid bit and directory permissions at 775 this could be fixed.

Edit: My last commit seems to have this fixed--I can add apps, upload custom icons, and upload a custom background image.
 
Last edited:
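
Added example, not part of the original posts or of danb35's script: one way to apply the ownership-plus-setgid approach discussed above in place of a recursive 777, using the web root and www account named in the thread. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit and tighten a web root without world-writable modes.
# Assumption: the tree is shared between services through one group, and
# that group is the one php-fpm runs under (www in the thread).

# List every entry that any local account can write to, which is what a
# recursive 777 leaves behind. Symlinks are skipped: their mode is not
# what access checks use.
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Replace world-write with group sharing.
#   $1 = web root, $2 = optional owner:group (changing it needs root)
# Directories get u/g rwx plus setgid, so files created later inherit the
# directory's group; "other" loses write everywhere (775 plus setgid).
# Regular files get u/g rw with existing execute bits left alone.
tighten_webroot() {
    root=$1
    owner=${2:-}
    if [ -n "$owner" ]; then
        chown -R "$owner" "$root" || return 1
    fi
    find "$root" -type d -exec chmod u+rwx,g+rwxs,o-w {} + || return 1
    find "$root" -type f -exec chmod ug+rw,o-w {} +
}

# Usage inside the jail, as root, with the path and account from the thread:
#   world_writable /usr/local/www/html      # audit first
#   tighten_webroot /usr/local/www/html www:www
#   world_writable /usr/local/www/html      # should now print nothing
```
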

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288
I only got as far as caddy running as "root" and php-fpm running as "www" with the problem, so thanks for the update. Looking at Linux installs, caddy can run as a non-root user and bind to ports 80/443 using setcap 'cap_net_bind_service=+ep' /usr/local/bin/caddy. I don't know if that's set by the FreeBSD pkg. If I've understood the FreeBSD init script correctly it looks as if caddy can run as non-root user by simply adding a caddy user:group to /etc/rc.conf. But simply changing html tree owner/group to www:www and adding to rc.conf doesn't appear to work, as caddy running as www can't bind to port 80:

Code:
root@heimdall:/var/log # cat caddy.log
Activating privacy features... done.
2019/08/14 08:52:37 [INFO][FileStorage:/.caddy] Started certificate maintenance routine
2019/08/14 08:52:37 Listen: listen tcp :80: bind: permission denied
root@heimdall:/var/log 


Are we stuck with caddy only running as root in FreeBSD?
 

KrisBee

Wizard
Joined
Mar 20, 2017
Messages
1,288

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
Is that a viable solution on FreeNAS?
Not sure, but looks like it could be, though it would involve adding a tunable through the web GUI. The only other issue I know of is writing to the Caddy log file, but that could go somewhere other than in /var/log.

Edit: Well, adding the specified values to sysctl.conf in the jail (after adding the loader tunable and rebooting the host system) doesn't seem to be working. It also isn't working when I set those values as sysctl tunables at the host level in the web GUI--still getting "permission denied" on binding to port 80.
 

garm

Wizard
Joined
Aug 19, 2017
Messages
1,555
I set up my existing reverse proxy to serve up Heimdall, if caddy doesn’t switch user from root to another like nginx then maybe use it instead?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
Both Apache and nginx start as root to bind to the ports and load the certificate(s), and then drop privileges and run as a non-privileged user; Caddy doesn't have this capability. It isn't so much an issue with respect to certs (as Caddy manages those itself), but the ports can be an issue. Easy enough if it just runs as root (which is the default), not so much otherwise.

Certainly a different webserver could be used--but Caddy's configuration is so much simpler that I'd like to make it work this way.
 

saviodesign

Dabbler
Joined
Apr 7, 2017
Messages
21
Excellent script. I only have one issue, its beginning instructions are a bit misleading.

The instructions state "Install Heimdall Dashboard in a jail (script)", this leads one to assume that they will either install this inside a current jail or create a new jail, then install Heimdall manually.

Instead, the script is to be executed externally (on FreeNAS OS Host not within a jail), the script will then create a jail with all the necessary parameters (again, great job), and install Heimdall.

It should probably read something like Script to create a Freenas IOCAGE Jail and Heimdall Dashboard.
Then start with a note like "This script is to be run from the FreeNAS HOST OS, not from within a jail"

This will create less confusion for the less technically inclined.
Regardless, 2 Thumbs up from me!
 

markymark832

Dabbler
Joined
Feb 28, 2017
Messages
36
I have a very weird msg
root@freenas[/tmp/freenas-iocage-heimdall]# ./heimdall-jail.sh
11.3-RELEASE-P5 was not found!
Failed to create jail


If I do freebsd-version, it states that I am on 11.3 release p5

Any ideas?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
11.3-RELEASE-P5 was not found!
11.3 reports its release differently than prior versions, and I'd forgotten to update the script for that--it's fixed now. You can update the script by changing into the directory where you downloaded the script and running git pull.
 
Joined
Jan 4, 2014
Messages
1,644

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,462
Integrates very nicely with the Reverse Proxy using Caddy resource.
Definitely; there's no reason the same Caddy instance that's serving Heimdall can't also reverse proxy for your other services. My system isn't set up that way--Heimdall is in its own jail--but that's mostly because I'd gotten the reverse proxy running nicely before I started playing with Heimdall.
 
Joined
Jan 4, 2014
Messages
1,644
there's no reason the same Caddy instance that's serving Heimdall can't also reverse proxy for your other services
That's exactly how I've set mine up. It works brilliantly!
 