Is it possible to install additional Debian packages / programs on TrueNas Scale?

Status
Not open for further replies.

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
Hello,

I wonder if it is (in a simple way) possible to add missing programs / packages to a TrueNAS SCALE machine itself.
(I am not talking about VMs or Docker instances)

The command ^apt^ is only looking for files in the "ix-repository", which of course only contains the packages directly needed by TrueNAS SCALE itself.

Louis
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
Sure, if you want to blow up your installation and force a reinstall.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
> Hello,
>
> I wonder if it is (in a simple way) possible to add missing programs / packages to a TrueNAS SCALE machine itself.
> (I am not talking about VMs or Docker instances)
>
> The command ^apt^ is only looking for files in the "ix-repository", which of course only contains the packages directly needed by TrueNAS SCALE itself.
>
> Louis

What programs are missing?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Mostly what Samuel said. However, some software is distributed as a standalone script (e.g., acme.sh) or binary (e.g., rclone, step-cli), and you may be able to install and use those without issues--but if you put them in the "normal" location (like /usr/local/bin/), it will go away with the next update.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> Hello,
>
> I wonder if it is (in a simple way) possible to add missing programs / packages to a TrueNAS SCALE machine itself.
> (I am not talking about VMs or Docker instances)
>
> The command ^apt^ is only looking for files in the "ix-repository", which of course only contains the packages directly needed by TrueNAS SCALE itself.
>
> Louis

Yes, it is absolutely possible, just do the "usual stuff" like write files and make changes.

The answers above, however, mine included, fail to make clear this point:

TrueNAS is not intended to be a general purpose system for you to manipulate as you see fit. It is an appliance, and is carefully designed to accomplish a particular function. You are not supposed to be running "apt", or adding packages, or making changes to the system, unless you are able to do this through the GUI's configuration options or the API.

Once you start tinkering under the hood, you are doing things that the developers may not be expecting you to do, and you can cause a variety of issues that could potentially result in your NAS not working correctly. Likewise, the NAS is not designed to be aware of your changes, so it is going to feel free to run roughshod all over anything you do, potentially causing problems for your added programs in the future as you do updates.

It is best to forget that there is a FreeBSD or Linux system down there, and to view the system as a black box, or, perhaps, a read-only blob of some sort. There are some things that can sometimes be changed safely, if you fully understand what's going on and do all the homework, but there is no way to safely add random things using common package manager commands.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
If you do decide to tinker with the guts, please try to reproduce any issues you encounter on a "vanilla" install before filing Jira tickets. There have been a few cases where users have submitted bug tickets without disclosing that the base install had been tinkered with.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> If you do decide to tinker with the guts, please try to reproduce any issues you encounter on a "vanilla" install before filing Jira tickets. There have been a few cases where users have submitted bug tickets without disclosing that the base install had been tinkered with.

And that's also a great point, because not only the system, but also the developers, will expect that the environment you have is the one you were given, not one you monkey-wrenched into some Franken-system. If you truly have some useful stuff that ought to be in the base system and isn't, the developers do consider requests posted via Jira.
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
> What programs are missing?

I intend to use TrueNAS as a storage device connected to multiple VLANs (blue zone (mngt), green zone (secure storage) and PC SMB disks) and as a host system for e.g. a media server and multiple webservers. My actual problem is that IMHO the VLAN separation within the "TrueNAS storage domain" is not absolutely present!! So I need to improve that.

I try to do that with policy-based routing using ipfw. I tried to do that on TrueNAS CORE 12.6. That ^nearly^ works, however ^nearly^ is not good enough. Given that version 13 is not yet in beta, I did decide to try TrueNAS SCALE, hoping that I can get it working there.

Trying that I met a couple of issues:
- the advanced sysctl screen is vague. However, if I cannot get that one working, I can manipulate the config files as a workaround
- the default shell changed from csh to zsh. I can manage that one. However, it is strange since the TrueNAS docs say that the default is zsh, which does not match my observations (this is also the case with a fresh 12.6 install)
- and then the reason for this question .... ipfw is not present in the SCALE version where it is in the CORE version

Trying to get the VLANs working as separate VLANs having their own routing and strictly separated ..... I need ipfw.

It would be even better if iXsystems would take care of the issue!! :)

Louis
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
1. SCALE is based on Linux. Linux does not have ipfw.
2. Neither CORE nor SCALE are firewall appliances. You are messing with your system in completely unsupported ways and this will hurt you, eventually.
3. Use a real firewall like OPNsense on a separate device for that task.
 

Samuel Tai

Never underestimate your own stupidity
Moderator
Joined
Apr 24, 2020
Messages
5,399
On Linux, you need to use namespaces or VRFs to achieve this separation. See https://www.dasblinkenlichten.com/working-with-linux-vrfs/. However, SCALE isn't built to share over multiple namespaces or VRFs. You would need one SCALE per namespace/VRF. Alternatively, you could run a hypervisor on your bare metal, and have different VMs running SCALE for each namespace/VRF.
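
An added example, not part of the post above or of the linked article: a dry-run sketch of the per-VLAN VRF approach on a general-purpose Linux host (not SCALE, which the post says is not built for this). The VRF names, table IDs, VLAN interface names and gateway addresses are constructed assumptions; the script only prints the `ip` commands and changes nothing.

```shell
#!/bin/sh
# Added illustration: print (not run) the iproute2 commands that give each
# VLAN interface its own VRF and routing table. All names, table IDs and
# gateway addresses are constructed sample values.

# vrf_plan VRF_NAME TABLE_ID VLAN_IFACE GATEWAY
vrf_plan() {
    vrf=$1 table=$2 iface=$3 gw=$4
    # Linux interface names hold at most 15 characters.
    if [ "${#vrf}" -gt 15 ] || [ "${#iface}" -gt 15 ]; then
        echo "error: interface name longer than 15 characters" >&2; return 1
    fi
    case $table in
        ''|*[!0-9]*) echo "error: table id must be numeric" >&2; return 1 ;;
    esac
    # 0 is unspec; 253, 254 and 255 are the default, main and local tables.
    if [ "$table" -eq 0 ] || { [ "$table" -ge 253 ] && [ "$table" -le 255 ]; }; then
        echo "error: table $table is reserved" >&2; return 1
    fi
    # The last route stops lookups in this table falling through to main.
    cat <<EOF
ip link add $vrf type vrf table $table
ip link set dev $vrf up
ip link set dev $iface master $vrf
ip route add table $table default via $gw dev $iface
ip route add table $table unreachable default metric 4278198272
EOF
}

# plan_all reads "vrf table iface gateway" lines from stdin and refuses a
# table ID that appears twice, which would merge two VLANs' routes again.
plan_all() {
    seen=" "
    while read -r vrf table iface gw; do
        [ -n "$vrf" ] || continue
        case $seen in
            *" $table "*) echo "error: table $table used twice" >&2; return 1 ;;
        esac
        seen="$seen$table "
        vrf_plan "$vrf" "$table" "$iface" "$gw" || return 1
    done
}

# Constructed sample: a management VLAN and a storage VLAN.
SAMPLE_VLANS='vrf-mgmt 10 vlan10 192.0.2.1
vrf-storage 20 vlan20 198.51.100.1'

# Print the plan only when asked to: sh vrf-plan.sh --demo
if [ "${1:-}" = "--demo" ]; then printf '%s\n' "$SAMPLE_VLANS" | plan_all; fi
```
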
 

Louis2

Contributor
Joined
Sep 7, 2019
Messages
177
> 1. SCALE is based on Linux. Linux does not have ipfw.
> 2. Neither CORE nor SCALE are firewall appliances. You are messing with your system in completely unsupported ways and this will hurt you, eventually.
> 3. Use a real firewall like OPNsense on a separate device for that task.

As you know, I completely disagree:
- TrueNAS is leading all VLANs to one big traffic transit node with one routing table where all VLANs are tied together and one default route, which is IMHO completely wrong and insecure!!
- no problem if I should use another program to ensure that TrueNAS behaves as VLAN endpoints as opposed to a traffic gateway
- and of course I use a separate firewall (pfSense). That firewall is / SHOULD BE the ONLY controlled connection point. TrueNAS is tying all VLANs together, which is completely opposite to the reason / function of the VLANs

Louis
 

Patrick M. Hausen

Hall of Famer
Joined
Nov 25, 2013
Messages
7,776
Show me one storage appliance that can terminate N VLAN endpoints and isolate them. TrueNAS is a storage system. If you need isolated storage, use N systems. You can virtualize, you know.
 

jgreco

Resident Grinch
Joined
May 29, 2011
Messages
18,680
> As you know, I completely disagree:
> - TrueNAS is leading all VLANs to one big traffic transit node with one routing table where all VLANs are tied together and one default route, which is IMHO completely wrong and insecure!!

As has previously been explained to you, you are welcome to disagree, but this is inherent in the design of Linux, FreeBSD, and every other modern operating system. Your disagreement is irrelevant and is not going to cause the change you desire to be implemented in these operating systems. Modern networking does not operate the way you imagine or the way you wish. Further, it is not going to operate in this manner, because it would break so many OTHER things. Your only recourse is to properly design your network as previously explained to you.

It is not that I am unsympathetic to your plight, because there are certainly downsides to modern network stacks. I've spent the entire commercial Internet era working with them, and they are tricky in many ways. On the other hand, it is these same tricks that have allowed so much flexibility and incredible design to flourish.

If you wish the sort of control you desire, you really do need to place a layer 3 firewall between your clients and your NAS, and route the traffic. It probably also requires some changes in the ways in which you manage and design your IP networking, but that's merely a professional's opinion.

In any case, because the original topic has been brought to its normal "don't do that" conclusion, and you appear to be attempting to relitigate a different topic in this thread that has also reached its inevitable and inescapable conclusion in that previous thread, I've closed this thread to further replies.
 