PHP 8.0.x in TrueNas 13.0-U6

[fanifeey]

Hello,
I am using TrueNAS-13.0-U6 and the latest version of NEXTCLOUD is running as a plugin.
Nextcloud makes me aware that PHP 8.0.30 is used in the jail and this is no longer up to date.
I just updated the jail yesterday (not the plugin).
PHP 8.0.x will no longer be provided with security updates from the end of the year.
When will TrueNAS provide an up-to-date PHP?
Thanks a lot

 

[Patrick M. Hausen]

It does. You can pkg install php82 and pkg install nextcloud-php82 just fine. Just don't expect the plugin to be updated but install a standard jail with the necessary components inside. There's a great script provided by @danb35 to do that for you.

 

[danb35]

When will TrueNAS provide an up-to-date PHP?

Probably never. Plugins are a dead feature walking, and you shouldn't use them. One of these days maybe iX will stop lying to prospective users.

 

[fanifeey]

But the PHP problem is not a problem of the plugins, but of the jails and that comes from TrueNAS.

Shouldn't TrueNAS also ensure that the jails are up to date?

It is the OS of the jail, no matter what is running in it.

 

[Patrick M. Hausen]

No, no, no ... the jails inside are plain FreeBSD and have all the latest packages that FreeBSD offers.

That's why all the regulars here have come to recommend plain jails over plugins. They are not a TrueNAS feature. I run two data centres full of them - about 1000 instances.

To check availability and versions of any open source product as a FreeBSD package, use Freshports.

See my post above, just pkg install, pkg upgrade, ... inside a jail just like any dedicated FreeBSD installation or apt on Linux.

 

[danb35]

But the PHP problem is not a problem of the plugins, but of the jails

This is incorrect.

that comes from TrueNAS.

So is this.

What made you believe either of these to be true?

 

[Juan Manuel Palacios]

I'm slowly moving away from plugins and moving everything to vanilla jails, including my PHP dev environments, for which I have php-81 & php-82 jails (both with Apache HTTPD, running PHP under the mod_php sAPI), and will soon be building a php-83 jail. To support those, I run a mysql-80 jail (and will soon be building mysql-81 & mysql-82 counterparts), a redis jail, and various others (and might even migrate to php-fpm in the future, away from mod_php, which would translate into even more jails).

So, all in all, I think the point is clear, all jails all the way! They're incredibly easy to build & manage, while plugins are very clearly on their way out. So I'd say the recommendation to learn a bit about FreeBSD jails migrate to them is more than clear.

 

[fanifeey]

Hello, you have to understand that I am a layman in this field and I have to teach myself everything from scratch. I have nothing to do with IT professionally.

This is my hobby in my limited free time. That's why I certainly have difficulties understanding the origin of the problem. I'm sure it's all trivial for you.

I set up TrueNAS a long time ago and when I installed NEXTcloud, a jail was set up first. NEXTcloud was then installed in this jail.

As far as I know, the OS in this jail is a mini BSD, which creates the prerequisite that an application like NEXTcloud can run in the jail. This means that the application in the jail is independent of the NAS system. For NEXTcloud to work, the mini OS must also provide php. Otherwise NEXTcloud would provide this and keep it up to date itself. If TrueNAS does not provide and maintain this mini-BSD, where does it come from?

Please do not be offended. Thanks for your help.

 

[Patrick M. Hausen]

It's not a mini BSD, it's a full installation of FreeBSD that TrueNAS installed for you. The problem is that if you use the plugin mechanism to do that, this version is what is defined in the "plugin" - which is really just a small file saying "install this version of FreeBSD, this version of PHP, this version of Nextcloud, etc."

For an update of any of these components you depend on the maintainer of that plugin. And support and updates for plugins have been irregular and unreliable to say the least.

Now in the TrueNAS UI there is also a section labelled "Jails". Go there, click on "Add" and install what is frequently called a standard jail. You get to pick the FreeBSD version. Pick a supported one, i.e. 13.2.

Then you will have a jail that does not run the possibly outdated FreeBSD version specified in some unmaintained "plugin" but a current one. Invoke a shell in that jail and install current maintained and supported packages provided by the FreeBSD project with the commands I outlined above.

Jails are an integral part of FreeBSD and have been for more than 20 years. The only TrueNAS specific thing is the "plugin" mechanism that is supposed to provide a one-click installation of FreeBSD plus some applications. Which it does. But when plugins were created and promoted nobody considered that they need continuing maintenance and updates.

That's why I am opposing the view that jails are anything coming from TrueNAS. They are tried and true rock solid FreeBSD technology and if you don't use the badly maintained plugins but just install the standard jails, you get exactly that. Current, reliable, maintainable software - running on your TrueNAS.

 

[danb35]

I have nothing to do with IT professionally.

Neither do I; I'm a lawyer.

If TrueNAS does not provide and maintain this mini-BSD, where does it come from?

It comes from the FreeBSD project--it's a standard installation of FreeBSD.

the mini OS must also provide php.

The basic FreeBSD installation doesn't include (i.e., as something that's automatically installed) any version of PHP. PHP (in several versions) is available through the FreeBSD package repositories (and thus can be installed using pkg install ...), and those are the source of the packages that are installed by plugins as well. The problem, as you've already been told, is that the Nextcloud plugin installs an old version of PHP.

The problem is compounded by the fact that plugins have never been well-maintained, and iX has finally agreed that this is the case, deprecating them. See this link for some discussion, ending with a link to iX' statement:

iXsystems, when are you going to stop pretending that CORE has (usable) plugins?

Plugins are broken. We all know it, and you have no intention of fixing them. Most notably, @Kris Moore has said not to use them, and that they're "more or less deprecated": using plugins on CORE is a path to sadness. The plugin system is more or less deprecated and as you can tell, somewhat...

www.truenas.com

The solution, as many of us have been telling users for a very long time, is to not use plugins. Either move to SCALE and use its Apps ecosystem, or install your software of choice in a jail without a plugin. In the latter case, you can install it manually (here's a good guide on that for Nextcloud), or use a script like mine.

 

[fanifeey]

Thank you very much for the factual and comprehensive explanation.

Now I have understood an important point.

If such an outdated jail (which was created by the plugin) is not maintained by users like me out of ignorance, then this is a very big security risk.

That's scary.

 

[fanifeey]

The update went through (pkg install php82, pkg install nextcloud-php82), I restarted the jail, then restarted the plugin and now what I was afraid of has happened. The server is not reachable, although the config.php is completely ok. Where do I start?

 

[fanifeey]

Internal Server Error

The server encountered an internal error and was unable to complete your request.

 

[Patrick M. Hausen]

What do you mean by restarted the jail, then restarted the plugin? You need to create a completely new jail using e.g. @danb35's script, then move your data, then abandon the plugin. You cannot update the plugin that way.

 

[fanifeey]

Actually, I don't want to have to build a car first, I want to understand how to maintain the car, start it and then drive it.

I've been struggling with this topic for hours. I installed a new jail (as suggested above), installed php82, nextcloud-php82, nginx and now I'm at the end of my rope.

It doesn't respond at all to the IP address created when setting up the jail.

I don't think I can use the script from danb35 because I don't have a qualified web address for the home server.

You see, I don't want to have to screw an engine together first. That's why the idea with the plugin is very good for so many people like me.

I just don't know what to do and after investing so much time I don't want to give up. Even the little bit of software installation didn't work as described on docs.freebsd.org.

Is there nowhere that has a very simple guide for dummies like me?

 

[Patrick M. Hausen]

Why don't you use the script provided by @danb35 that creates a standard jail with a turnkey Nextcloud installation? I am quite sure I have already hinted at that.

Scripted installation of Nextcloud 28 in iocage jail

Status: This script will run with TrueNAS CORE 13. It's possible, but untested, that it will work with FreeNAS 12. Earlier versions are not supported. There are a number of guides on the forum to install Nextcloud, but they all rely on a lot of...

www.truenas.com

 

[ddaenen1]

I have had all the same comments about plugins in the past but i finally got over the fact that plugins are never coming back and have moved my Plex from a plugin to a manual install in a jail over the weekend. Eventually, that went quite ok and is up and running now. No more worries on plugin updates and so on. I actually have the impression the manual install runs better than the plugin did but this could be just an impression.

Next up is to do the same for Nextcloud. I do realize it will not be as simple as it was with Plex and more mission critical as i use Nextcloud for business purposes but i will keep the plugin instance running until i have the manual install completely up and running the way i want it. The issue i have is that the script from @danb35 has too many features included that i don't actually want. I want a plain install without any other bells and whistles such as Letsencrypt and Caddy since i have all that configured in pfSense and am very happy with that setup. Also, i want to know what happens under the hood so i can troubleshoot if needed. I think i will have some more reading to do before i can start...

 

[danb35]

I want a plain install without any other bells and whistles such as Letsencrypt and Caddy

You're obviously free to install in whatever way works for you, but you misunderstand what Caddy is doing in my script--it's the web server. You do need one to run Nextcloud, whether it be Nginx, Apache, Caddy, or something else; nothing on your pfSense box will substitute for it. I'm using Caddy because it's vastly simpler to configure than any other web server I've encountered. And you certainly don't have to enable SSL with my script.

 

[victort]

Neither do I; I'm a lawyer.

lol. And I’m a cowboy…

 

[ddaenen1]

You're obviously free to install in whatever way works for you, but you misunderstand what Caddy is doing in my script--it's the web server. You do need one to run Nextcloud, whether it be Nginx, Apache, Caddy, or something else; nothing on your pfSense box will substitute for it. I'm using Caddy because it's vastly simpler to configure than any other web server I've encountered. And you certainly don't have to enable SSL with my script.

Thanks for the clarification @danb35 . So i have been reading up on your script and i am considering having a go with it but i do have a couple of questions:

1. i like my jails to be DHCP autoconfigure IPv4 and manage the static IP through pfSense. Is that possible? I am asking because the config file requires me to define the IP address or alternatively can i change that afterwards in the jail settings (and subsequentially in the "trusted domains"?
2. do i need to define the FQDN if i just want an internal IP to access Nextcloud since, as mentioned before, i access my cloud through an FQDN with letsencrypt and HAProxy in pfSense?
3. Is it sufficient to replace STANDALONE_CERT to NOCERT=1 to bypass the whole cert process?
4. assuming point 3, is it required to set CERT_EMAIL?
5. would there be an issue if i already have a jail named "nextcloud" in which the plugin is running

Last but not least, would there be any chance at all i could import my existing users, settings and content from the NC plugin instance that i have running now or would i need to set it all up from scratch again (it is not a job stopper but it would safe me a bunch of work)?

Many thanks