Nicholas Flamy (Dabbler, joined Feb 25, 2023, 28 messages)
I'm using this to run a postgresql server as well as a ffmpeg build script that executes every other month. It's great.
root@jellyfin:~# id jellyfin
uid=102(jellyfin) gid=108(jellyfin) groups=108(jellyfin),44(video),105(render)
Built-In User "Consul" already has UID 108 :/
> You can either create a user in TrueNAS called jellyfin with UID 108 and then assign that user as owner
> It should be enough if the corresponding user is given read permissions (possibly also write permissions) and does not become the owner straight away.
> and then assign that user as owner
/usr/local/libexec/disable-rootfs-protection as root if attempts to make changes fail with EROFS.
Any news on this one?
I think this is possible, but I have no experience with it: https://manpages.debian.org/bullsey...emd-nspawn.1.en.html#User_Namespacing_Options.
You can either create a user in TrueNAS called jellyfin with UID 108 and then assign that user as owner, or just assign UID 108 with chown (but then you would not be able to access the files from TrueNAS).
Seems to work with Docker. I created the user jellyfin with UID 3050 in TrueNAS Scale and then gave him read access to the dataset 'Test' via ACL.
It should be enough if the corresponding user is given read permissions (possibly also write permissions) and does not become the owner straight away.
docker run -d \
  --name jellyfin \
  --user 3050:3050 \
  --net=host \
  --volume /srv/jellyfin/config:/config \
  --volume /srv/jellyfin/cache:/cache \
  --mount type=bind,source=/mnt/default/Test,target=/media \
  --restart=unless-stopped \
  jellyfin/jellyfin
Despite having little knowledge of Linux, I experimented a little: --private-users=pick --private-users-chown
Jailmaker doesn't set this up for you but I suppose you could add those flags to the systemd_nspawn_additional_args in the config file. Just try it out if you're interested :)
# cat /proc/self/uid_map
0 0 4294967295
startup=1
docker_compatible=1
gpu_passthrough_intel=1
gpu_passthrough_nvidia=0
systemd_nspawn_user_args=--bind-ro=/mnt/default/media/center --private-users=pick --private-users-chown
# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --co>
systemd_nspawn_default_args=--keep-unit --quiet --boot
# cat /proc/self/uid_map
0 1357119488 65536
# cd /mnt/default/media/center
bash: cd: /mnt/default/media/center: Operation not permitted
# jlmkr shell myjail
Connected to machine myjail. Press ^] three times within 1s to exit session.
bash: /root/.bash_profile: Permission denied
What are the permissions and owner/group of the /root/.bash_profile file? And which UID is the user inside the jail?
# cat /proc/self/uid_map
0 10000000 65536
# id
uid=0(root) gid=0(root) groups=0(root)
# ls -l
total 88
lrwxrwxrwx 1 nobody nogroup 7 Dec 27 06:25 bin -> usr/bin
drwxr-xr-x 2 nobody nogroup 2 Dec 9 22:08 boot
drwxr-xr-x 7 root root 440 Jan 5 00:50 dev
drwxr-xr-x 45 nobody nogroup 99 Jan 4 21:31 etc
drwxr-xr-x 2 nobody nogroup 2 Dec 9 22:08 home
lrwxrwxrwx 1 nobody nogroup 7 Dec 27 06:25 lib -> usr/lib
lrwxrwxrwx 1 nobody nogroup 9 Dec 27 06:25 lib32 -> usr/lib32
lrwxrwxrwx 1 nobody nogroup 9 Dec 27 06:25 lib64 -> usr/lib64
lrwxrwxrwx 1 nobody nogroup 10 Dec 27 06:25 libx32 -> usr/libx32
drwxr-xr-x 2 nobody nogroup 2 Dec 27 06:25 media
drwxr-xr-x 3 nobody nogroup 3 Jan 4 22:39 mnt
drwxr-xr-x 2 nobody nogroup 2 Dec 27 06:25 opt
dr-xr-xr-x 474 nobody nogroup 0 Jan 5 00:50 proc
drwx------ 3 nobody nogroup 6 Jan 4 21:31 root
drwxr-xr-x 9 root root 220 Jan 5 00:50 run
lrwxrwxrwx 1 nobody nogroup 8 Dec 27 06:25 sbin -> usr/sbin
drwxr-xr-x 2 nobody nogroup 2 Dec 27 06:25 srv
dr-xr-xr-x 13 nobody nogroup 0 Dec 31 16:59 sys
drwxrwxrwt 3 root root 60 Jan 5 11:14 tmp
drwxr-xr-x 14 nobody nogroup 14 Dec 27 06:25 usr
drwxr-xr-x 11 nobody nogroup 13 Dec 27 06:25 var
# ls -a -l /root
ls: cannot open directory '/root': Permission denied
# ls -l
total 131
lrwxrwxrwx 1 329580544 329580544 7 Dec 27 06:25 bin -> usr/bin
drwxr-xr-x 2 329580544 329580544 2 Dec 9 22:08 boot
drwxr-xr-x 3 329580544 329580544 3 Jan 4 21:16 dev
drwxr-xr-x 45 329580544 329580544 99 Jan 4 21:31 etc
drwxr-xr-x 2 329580544 329580544 2 Dec 9 22:08 home
lrwxrwxrwx 1 329580544 329580544 7 Dec 27 06:25 lib -> usr/lib
lrwxrwxrwx 1 329580544 329580544 9 Dec 27 06:25 lib32 -> usr/lib32
lrwxrwxrwx 1 329580544 329580544 9 Dec 27 06:25 lib64 -> usr/lib64
lrwxrwxrwx 1 329580544 329580544 10 Dec 27 06:25 libx32 -> usr/libx32
drwxr-xr-x 2 329580544 329580544 2 Dec 27 06:25 media
drwxr-xr-x 3 329580544 329580544 3 Jan 4 22:39 mnt
drwxr-xr-x 2 329580544 329580544 2 Dec 27 06:25 opt
drwxr-xr-x 2 329580544 329580544 2 Dec 9 22:08 proc
drwx------ 3 root 329580544 6 Jan 4 21:31 root
drwxr-xr-x 2 329580544 329580544 2 Dec 27 06:25 run
lrwxrwxrwx 1 329580544 329580544 8 Dec 27 06:25 sbin -> usr/sbin
drwxr-xr-x 2 329580544 329580544 2 Dec 27 06:25 srv
drwxr-xr-x 2 329580544 329580544 2 Dec 9 22:08 sys
drwxrwxrwt 2 329580544 329580544 2 Dec 27 06:25 tmp
drwxr-xr-x 14 329580544 329580544 14 Dec 27 06:25 usr
drwxr-xr-x 11 329580544 329580544 13 Dec 27 06:25 var
startup=1
docker_compatible=1
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
systemd_nspawn_user_args=--bind=/mnt/default/media/center --private-users=10000000
# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --co>
systemd_nspawn_default_args=--keep-unit --quiet --boot
root@truenas[...ware/jailmaker/jails/paperless/rootfs]# jlmkr shell test
Connected to machine test. Press ^] three times within 1s to exit session.
root@test:~#
root@test:/# cat /proc/self/uid_map
0 1492320256 65536
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)
root@test:/# ls -l
total 88
lrwxrwxrwx 1 root root 7 Dec 27 06:25 bin -> usr/bin
drwxr-xr-x 2 root root 2 Dec 9 22:08 boot
drwxr-xr-x 8 root root 460 Jan 5 11:25 dev
drwxr-xr-x 45 root root 99 Jan 5 11:20 etc
drwxr-xr-x 2 root root 2 Dec 9 22:08 home
lrwxrwxrwx 1 root root 7 Dec 27 06:25 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Dec 27 06:25 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Dec 27 06:25 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Dec 27 06:25 libx32 -> usr/libx32
drwxr-xr-x 2 root root 2 Dec 27 06:25 media
drwxr-xr-x 3 root root 3 Jan 5 11:25 mnt
drwxr-xr-x 2 root root 2 Dec 27 06:25 opt
dr-xr-xr-x 477 nobody nogroup 0 Jan 5 11:25 proc
drwx------ 3 root root 6 Jan 5 11:22 root
drwxr-xr-x 12 root root 320 Jan 5 11:25 run
lrwxrwxrwx 1 root root 8 Dec 27 06:25 sbin -> usr/sbin
drwxr-xr-x 2 root root 2 Dec 27 06:25 srv
dr-xr-xr-x 13 nobody nogroup 0 Dec 31 16:59 sys
drwxrwxrwt 8 root root 160 Jan 5 11:25 tmp
drwxr-xr-x 14 root root 14 Dec 27 06:25 usr
drwxr-xr-x 11 root root 13 Dec 27 06:25 var
root@test:~# ls -a -l /root
total 39
drwx------ 3 root root 6 Jan 5 11:22 .
drwxr-xr-x 17 root root 23 Dec 27 06:27 ..
-rw------- 1 root root 248 Jan 5 11:32 .bash_history
-rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
-rw-r--r-- 1 root root 161 Jul 9 2019 .profile
drwx------ 2 root root 2 Dec 27 06:25 .ssh
root@truenas[.../software/jailmaker/jails/test/rootfs]# ls -l
total 131
lrwxrwxrwx 1 1492320256 1492320256 7 Dec 27 06:25 bin -> usr/bin
drwxr-xr-x 2 1492320256 1492320256 2 Dec 9 22:08 boot
drwxr-xr-x 3 1492320256 1492320256 3 Jan 5 11:20 dev
drwxr-xr-x 45 1492320256 1492320256 99 Jan 5 11:20 etc
drwxr-xr-x 2 1492320256 1492320256 2 Dec 9 22:08 home
lrwxrwxrwx 1 1492320256 1492320256 7 Dec 27 06:25 lib -> usr/lib
lrwxrwxrwx 1 1492320256 1492320256 9 Dec 27 06:25 lib32 -> usr/lib32
lrwxrwxrwx 1 1492320256 1492320256 9 Dec 27 06:25 lib64 -> usr/lib64
lrwxrwxrwx 1 1492320256 1492320256 10 Dec 27 06:25 libx32 -> usr/libx32
drwxr-xr-x 2 1492320256 1492320256 2 Dec 27 06:25 media
drwxr-xr-x 3 1492320256 1492320256 3 Jan 5 11:25 mnt
drwxr-xr-x 2 1492320256 1492320256 2 Dec 27 06:25 opt
drwxr-xr-x 2 1492320256 1492320256 2 Dec 9 22:08 proc
drwx------ 3 1492320256 1492320256 6 Jan 5 11:22 root
drwxr-xr-x 2 1492320256 1492320256 2 Dec 27 06:25 run
lrwxrwxrwx 1 1492320256 1492320256 8 Dec 27 06:25 sbin -> usr/sbin
drwxr-xr-x 2 1492320256 1492320256 2 Dec 27 06:25 srv
drwxr-xr-x 2 1492320256 1492320256 2 Dec 9 22:08 sys
drwxrwxrwt 2 1492320256 1492320256 2 Dec 27 06:25 tmp
drwxr-xr-x 14 1492320256 1492320256 14 Dec 27 06:25 usr
drwxr-xr-x 11 1492320256 1492320256 13 Dec 27 06:25 var
startup=1
docker_compatible=1
gpu_passthrough_intel=1
gpu_passthrough_nvidia=0
systemd_nspawn_user_args=--private-users=pick --private-users-chown --bind-ro=/mnt/default/media/center
# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --co>
systemd_nspawn_default_args=--keep-unit --quiet --boot
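As an added example (not code from this thread, from jailmaker or from systemd), a small Python script that applies /proc/self/uid_map lines the way the kernel does, so you can check before booting a jail whether a rootfs or bind-mounted dataset owned by a given host UID will be visible inside it. The UID values are the ones posted above; the 65534 overflow UID ("nobody") is the kernel default and is assumed.

```python
"""Translate UIDs across a systemd-nspawn user namespace from /proc/<pid>/uid_map.

Each uid_map line is "<inside_start> <outside_start> <length>": the jail sees
IDs inside_start.. as host IDs outside_start.. . Host IDs covered by no line
have no representation in the jail and are displayed as the overflow UID,
which is 65534 ("nobody") on a default kernel (assumed here).
"""
from typing import List, Optional, Tuple

OVERFLOW_UID = 65534  # kernel.overflowuid default; the "nobody nogroup" in the jail listings


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text; pasted prompt lines such as '# cat ...' are skipped."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and all(f.isdigit() for f in fields):
            ranges.append((int(fields[0]), int(fields[1]), int(fields[2])))
    return ranges


def host_to_jail(ranges, host_uid: int) -> Optional[int]:
    """Return the UID a host-owned file shows inside the jail, or None if unmapped."""
    for inside, outside, length in ranges:
        if outside <= host_uid < outside + length:
            return inside + (host_uid - outside)
    return None


def jail_to_host(ranges, jail_uid: int) -> Optional[int]:
    """Return the host UID that backs a jail UID, or None if unmapped."""
    for inside, outside, length in ranges:
        if inside <= jail_uid < inside + length:
            return outside + (jail_uid - inside)
    return None


def explain(ranges, host_owner_uid: int) -> str:
    """One-line diagnosis of how a host-owned file appears to jail root."""
    inside = host_to_jail(ranges, host_owner_uid)
    if inside is None:
        return (f"host uid {host_owner_uid} is outside the map: listed as "
                f"{OVERFLOW_UID} (nobody) and inaccessible even to jail root")
    return f"host uid {host_owner_uid} appears as uid {inside} inside the jail"


if __name__ == "__main__":
    # Thread values: fixed --private-users=10000000 map vs. rootfs chowned to 329580544.
    fixed = parse_uid_map("# cat /proc/self/uid_map\n0 10000000 65536\n")
    print(explain(fixed, 329580544))   # unmapped -> nobody, matches the 'Permission denied'
    picked = parse_uid_map("0 1492320256 65536\n")  # pick + chown: offsets agree
    print(explain(picked, 1492320256))  # maps to uid 0 -> files show as root
```

The same check applied to the host UID that owns a bind-mounted dataset (for example a TrueNAS user such as 3050) tells you whether the jail will see it as that user or as nobody.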
Thanks. I just suspected that:
> User namespace mapping for internal ZFS ACLs has not been fully implemented yet and so I would not be surprised if it does not work 100%. We reserve higher numbers of IDs for directory services (AD / LDAP) and so you won't be able to use those for local users via our APIs.