Readarr inside a jail

[ByteNick]

Did somebody managed to install Readarr inside of a jail?

 

[Rinku_Nezert]

Same Question ?
I refresh the thread

 

[sretalla]

Yes, I have done that... (since you asked for it... I don't actually use it myself)

iocage create -n "readarr" -r 12.3-RELEASE vnet="on" allow_raw_sockets="1" allow_mlock="1" dhcp="on" bpf="yes" boot="on"

then with that jail console (iocage console readarr)

Thanks to @FrankNAS: (see his experimental thread here: https://www.truenas.com/community/threads/experimental-radarr-v3-2-dotnet5-binary.91489/)
fetch https://github.com/Thefrank/freebsd-port-sooners/releases/download/20210613/radarrv3-3.2.2.5080.txz

I understand that Radarr isn't the app we want, we're just using that package to get the dotnet binaries.

pkg install ./radarrv3-3.2.2.5080.txz

fetch "https://readarr.servarr.com/v1/update/healthchecks/updatefile?os=bsd&arch=x64&runtime=netcore" -o ./readarr.tar.gz

mkdir /usr/local/share/readarr

tar -xf ./readarr.tar.gz -C /usr/local/share/readarr

rm /usr/local/etc/rc.d/radarr

ee /usr/local/etc/rc.d/readarr

Paste this content in that file, ESC to exit and elect to save:

Code:

#!/bin/sh

# PROVIDE: readarr
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service. Using sysrc will also work
#
# readarr_enable:    Set to YES to enable readarr
#            Default: NO
# readarr_user:    The user account used to run the readarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run as root.
#            Default: readarr
# readarr_group:    The group account used to run the readarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run with group wheel.
#            Default: radarr
# readarr_data_dir:    Directory where readarr configuration
#            data is stored.
#            Default: "/usr/local/readarr"

. /etc/rc.subr
name=readarr
rcvar=${name}_enable
load_rc_config $name

: ${readarr_enable:="NO"}
: ${readarr_user:="readarr"}
: ${readarr_group:="readarr"}
: ${readarr_data_dir:="/usr/local/readarr"}

pidfile="${readarr_data_dir}/${name}_daemon.pid"
pidfile_child="${readarr_data_dir}/${name}_child.pid"
command="/usr/sbin/daemon"

start_precmd=${name}_precmd
readarr_precmd() {
    if [ ! -d ${readarr_data_dir} ]; then
    install -d -o ${readarr_user} -g ${readarr_group} ${readarr_data_dir}
    fi

    chown -R ${readarr_user}:${readarr_group} /usr/local/share/readarr

    rc_flags="-r -f -p ${pidfile_child} -P ${pidfile} /usr/local/share/readarr/Readarr/Readarr --data=${readarr_data_dir} --nobrowser >> /dev/null 2>&1 ${rc_flags}"

}

run_rc_command "$1"

chmod +x /usr/local/etc/rc.d/readarr

pw user add readarr -c readarr -u 787 -d /nonexistent -s /usr/bin/nologin

mkdir /usr/local/readarr

chown -R readarr:readarr /usr/local/share/readarr/ /usr/local/readarr

sysrc readarr_enable=YES

service readarr start

pkg install chromaprint

Visit http://your.jail.IP.address:8787/

------------------------------------------------
Some proposed "best practices" to go with the information above...

Aside from the program itself, you would normally have (at least) 2 locations for "data"... one for config (which can be modified with sysrc readarr_data_dir="/config"), and one additional one to be used for your "library".

Personally, I would recommend keeping all config information outside the jail, so mounting something into the jail and then setting the readarr_data_dir appropriately to use it.

So it would go something like this...

create either a directory or dataset like tank/apps/readarr to store the config (which would mount to /mnt/tank/apps/readarr) then

On the host:
iocage fstab readarr -a /mnt/tank/apps/readarr /config nullfs rw 0 0

and if your Library were somewhere like /mnt/tank/data/library:
iocage exec readarr mkdir /mnt/library
iocage fstab readarr -a /mnt/tank/data/library /mnt/library nullfs rw 0 0

Then set that (/mnt/library) in the app as your root folder.

You may want to consider setting the user to a different one (making sure to match both the name and the user ID for the one you create in the jail to the one on the host and/or in your other jails... like the downloader... to avoid permissions issues).

You could re-use/replace the line from the setup above pw user add username -c username -u 787 -d /nonexistent -s /usr/bin/nologin , replacing the username (twice) and the ID accordingly, then:
sysrc readarr_user="user"
sysrc readarr_group="group"
(make sure to do all these additional bits before your start the service).

In any case, you will need to set permissions on your library folder so that the nominated user (readarr or whatever you named it) will have rw permissions:

inside the jail:
chown -R readarr:readarr /mnt/library
or
chown -R user:group /mnt/library

 

[zamana]

(...)

I understand that Radarr isn't the app we want, we're just using that package to get the dotnet binaries.

(...)

Very clever idea get the "infrastructure" of Radarr in order to run Readarr...

And just for completion:

1) You need to "chmod +x" the start script for it to work;

2) allow_raw_sockets="1" is absolutely necessary. If you got the error message "Failed to create CoreCLR, HRESULT: 0x8007FF02", you forgot it;

3) If you want to get rid of the "fpcalc" warning in the status page, install chromaprint.

Thank you!

 

[sretalla]

allow_raw_sockets="1" is absolutely necessary.

It's right there in the iocage create.

3) If you want to get rid of the "fpcalc" warning in the status page, install chromaprint.

Thanks, looked but didn't easily find that.

1) You need to "chmod +x" the start script for it to work;

OK, you caught me... I originally just renamed the radarr one and edited it, so didn't need to.


I added your points to the post.

 

[zamana]

It's right there in the iocage create.

Yes. It was just to *stress* that this is really necessary.

I my case, I created the jail through the WEB UI, and that option is not available anymore. So I needed to set it after.

Thanks!

 

[Rinku_Nezert]

Yes, I have done that... (since you asked for it... I don't actually use it myself)

iocage create -n "readarr" -r 12.3-RELEASE vnet="on" allow_raw_sockets="1" allow_mlock="1" dhcp="on" bpf="yes" boot="on"

then with that jail console (iocage console readarr)

Thanks to @FrankNAS: (see his experimental thread here: https://www.truenas.com/community/threads/experimental-radarr-v3-2-dotnet5-binary.91489/)
fetch https://github.com/Thefrank/freebsd-port-sooners/releases/download/20210613/radarrv3-3.2.2.5080.txz

I understand that Radarr isn't the app we want, we're just using that package to get the dotnet binaries.

pkg install ./radarrv3-3.2.2.5080.txz

fetch "https://readarr.servarr.com/v1/update/healthchecks/updatefile?os=bsd&arch=x64&runtime=netcore" -o ./readarr.tar.gz

mkdir /usr/local/share/readarr

tar -xf ./readarr.tar.gz -C /usr/local/share/readarr

rm /usr/local/etc/rc.d/radarr

ee /usr/local/etc/rc.d/readarr

Paste this content in that file, ESC to exit and elect to save:

Code:

#!/bin/sh

# PROVIDE: readarr
# REQUIRE: LOGIN
# KEYWORD: shutdown
#
# Add the following lines to /etc/rc.conf.local or /etc/rc.conf
# to enable this service. Using sysrc will also work
#
# readarr_enable:    Set to YES to enable readarr
#            Default: NO
# readarr_user:    The user account used to run the readarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run as root.
#            Default: readarr
# readarr_group:    The group account used to run the readarr daemon.
#            This is optional, however do not specifically set this to an
#            empty string as this will cause the daemon to run with group wheel.
#            Default: radarr
# readarr_data_dir:    Directory where readarr configuration
#            data is stored.
#            Default: "/usr/local/readarr"

. /etc/rc.subr
name=readarr
rcvar=${name}_enable
load_rc_config $name

: ${readarr_enable:="NO"}
: ${readarr_user:="readarr"}
: ${readarr_group:="readarr"}
: ${readarr_data_dir:="/usr/local/readarr"}

pidfile="${readarr_data_dir}/${name}_daemon.pid"
pidfile_child="${readarr_data_dir}/${name}_child.pid"
command="/usr/sbin/daemon"

start_precmd=${name}_precmd
readarr_precmd() {
    if [ ! -d ${readarr_data_dir} ]; then
    install -d -o ${readarr_user} -g ${readarr_group} ${readarr_data_dir}
    fi

    chown -R ${readarr_user}:${readarr_group} /usr/local/share/readarr

    rc_flags="-r -f -p ${pidfile_child} -P ${pidfile} /usr/local/share/readarr/Readarr/Readarr --data=${readarr_data_dir} --nobrowser >> /dev/null 2>&1 ${rc_flags}"

}

run_rc_command "$1"

chmod +x /usr/local/etc/rc.d/readarr

pw user add readarr -c readarr -u 787 -d /nonexistent -s /usr/bin/nologin

mkdir /usr/local/readarr

chown -R readarr:readarr /usr/local/share/readarr/ /usr/local/readarr

sysrc readarr_enable=YES

service readarr start

pkg install chromaprint

Visit http://your.jail.IP.address:7878/


Some proposed "best practices" to go with the information above...

Aside from the program itself, you would normally have (at least) 2 locations for "data"... one for config (which can be modified with sysrc readarr_data_dir="/config"), and one additional one to be used for your "library".

Personally, I would recommend keeping all config information outside the jail, so mounting something into the jail and then setting the readarr_data_dir appropriately to use it.

So it would go something like this...

create either a directory or dataset like tank/apps/readarr to store the config (which would mount to /mnt/tank/apps/readarr) then

On the host:
iocage fstab readarr -a /mnt/tank/apps/readarr /config nullfs rw 0 0

and if your Library were somewhere like /mnt/tank/data/library:
iocage exec readarr mkdir /mnt/library
iocage fstab readarr -a /mnt/tank/data/library /mnt/library nullfs rw 0 0

Then set that (/mnt/library) in the app as your root folder.

You may want to consider setting the user to a different one (making sure to match both the name and the user ID for the one you create in the jail to the one on the host and/or in your other jails... like the downloader... to avoid permissions issues).

You could re-use/replace the line from the setup above pw user add username -c username -u 787 -d /nonexistent -s /usr/bin/nologin , replacing the username (twice) and the ID accordingly, then:
sysrc readarr_user="user"
sysrc readarr_group="group"
(make sure to do all these additional bits before your start the service).

In any case, you will need to set permissions on your library folder so that the nominated user (readarr or whatever you named it) will have rw permissions:

inside the jail:
chown -R readarr:readarr /mnt/library
or
chown -R user:group /mnt/library

It works perfectly thank you

 

[zamana]

I installed Readarr and the first Calibre library (yes, I linked Readarr with Calibre) was successfully imported.

Now I'm trying to import 4 more libraries, but I started to receive weird error messages:

I said "weird" because I'm able to ping/resolve all these URLs inside the jail, through command line. It can be through my DNS or even through /etc/hosts, my network is working fine. But for some reason, Readarr app does not.

I tried to get help through Readarr Discord, but they said, essentially, that as I'm using a "niche OS", I'm on my own... I need to support myself. Something like this...

Does anybody knows what is the cause of these errors?

Thanks.
Regards.

 

[FrankNAS]

first of all: Nice work getting a rough outline of getting Readarr working! :)
I don't have a guide for it yet as its still in the "nightly" phase and would be a rather fast moving target for a guide as things might change quicker than I can react on updating a guide.

Cert errors:
make sure `openssl` is installed along with `ca_root_nss`
make sure it is not using the now-expired Let's Encrypt root cert as you may have to delete it. If you need to connect to a site that uses VeriSign's old root cert you will need to remove it from the blacklist.

Here is where things get odd:
Do you have ipv6 enabled for the jail? If no, you need to either a) be running the jail with `VNET=on` AND/OR `ip6=inherit`. If yes, make sure the ipv6 stack is working correctly and double check firewall rules.

 

[zamana]

Hi!

Thanks for reply.

1) openssl and ca_root_nss are installed. How do I check if they are using Let's encrypt root cert?

2) IPv6 is not enabled. Actually none of my jails has IPv6 enabled.

3) VNET is enable. Actually all my jails uses VNET.

Is there anything else?

Thanks.
Regards.

 

[FrankNAS]

does openssl make the connection OK? e.g.,:

`openssl s_client -showcerts -connect api.bookinfo.club:443`

it should return a `Verification: OK` for each certchain. it also might seem like it hangs. just wait :)

 

[zamana]

I guess that both addresses returns ok, but I don't know to evaluate them properly.

Would you mind to check them, please?

Thanks.
Regards.

 

[FrankNAS]

both of those look fine. can you make and attach trace logs? you can remove things like API keys

 

[zamana]

both of those look fine. can you make and attach trace logs? you can remove things like API keys

Here is the one of the log files with trace enabled.

Thanks.

 

[NasKar]

I think the port for Readarr is 8787 not 7878

 

[zamana]

I think the port for Readarr is 8787 not 7878

Are you talking about the post #3? Maybe it was just a typo...

 

[sretalla]

I think the port for Readarr is 8787 not 7878

Fair enough, updated it.

 

[FrankNAS]

well, im confused. it looks like it can connect out to other services (like nzbhydra in another jail?) but its having issues with public addresses that require resolution.
Readarr is still in nightlies and this might be a known issue that will get resolved in a future release. The last few things that you might want to try is setting `DOTNET_SYSTEM_NET_DISABLEIPV6=1` when launching Readarr and/or if possible, using an IP address for any address you want it to connect to.