Recommended Plex workflow with sharing when accounting for HostPath validation?

zer0th_

Cadet
Joined
Feb 13, 2023
Messages
1
First post here, so excuse the probably-obvious question, but are all these workarounds in these various threads just intended to keep things within the Applications UI? Because it does seem - as another poster commented on another of these similar threads - that the plane is being built while in the sky with regard to the Kubernetes ecosystem in SCALE.

As someone standing up their first TrueNAS instance this past weekend, my quick hot take on the state of apps on SCALE was "not worth the hassle" and I set up a VM through the UI instead, installed barebones Ubuntu, mounted my SMB shares into it, and fired up some containers. This required the other "why do I have to do this" workaround of setting up a bridge interface, but that seemed simpler to me.

What's slightly bugging me, though, is given the amount of thought/effort being put forth to work around the various "access a share from an app" issues, what am I missing out on? In other words, my approach seems too simple to not have downsides, so I guess I'm wondering what downsides I haven't considered? Am I, for example, giving up a ton of performance with this approach?
 

Paddy0293

Dabbler
Joined
Sep 28, 2022
Messages
35
Mhm, I don't know. I upgraded today and see no real solution to use Plex and an SMB share?
The only solution, I think, is to use Plex in a VM.

@oblivioncth did you find a solution?
@morganL maybe you can tell me the recommended way.
 

LarsR

Guru
Joined
Oct 23, 2020
Messages
719
You can always switch from hostpath to NFS, like the folks from TrueCharts recommend.
I did it yesterday after the update and have no problems. The same paths are used for the SMB shares on Windows and the NFS share for the app.
 

oblivioncth

Explorer
Joined
Jul 13, 2022
Messages
71
Unfortunately it's one of those situations where there is no perfect solution and everything is a trade-off, but in practice in a homelab situation it's not that bad.

Options:
1) Use NFS share on your TrueNAS machine for the media files of the chart (you almost always should leave the config files as PVC)
2) Disable hostpath validation

Details:
1) If you're already using NFS for sharing the media out to your local clients then this is the obvious solution; however, you're more likely using SMB for that, in which case the downside is that NFS has a bit more overhead (especially for large files) compared to SMB, but for the purposes of a media sharing container (i.e. Plex) it's really not a big deal. There is also the slightly complex topic of having issues with ignored file locking when mixing SMB/NFS shares of the same dataset, but that's also mostly a non-issue in the homelab setting as long as you don't have tons of users that are likely to be modifying the same file using different protocols. For the Plex case, the worst that can happen is you delete a file from the web interface while someone was accessing it via the SMB share and suddenly their playback stops. Again, not a big deal.

This is probably what you should do, though it of course isn't an option if you're using the official containers.

2) This one at the moment is a fairly bad solution, as the setting for toggling it on and off actually affects two separate features, one of which is good for security and should essentially never be disabled. This is discussed in the WIP change for Cobia (23.10) where iXSystems is looking to add a per-application host path validation toggle.

Assuming the above gets implemented, where only the service portion gets disabled and it's of course on an app-by-app basis, I think in Cobia this will be a reasonable alternative for people that wish to avoid NFS for whatever reason. As long as you know ahead of time that a given container won't have issues with ACLs and shared SMB access, and only disable it for that container (i.e. don't just blindly disable it on all containers without doing testing/research), IMO this is a decent option. It's especially safe if you mount the SMB share to the app as read-only.

Plex, for example, doesn't really struggle with having an SMB shared host path, so you could leave host path validation on for everything else, only opting out of it for Plex specifically. You just have to be aware that it may be an issue with some apps in some circumstances, and be conservative in its use.

But like I said, I wouldn't consider doing this at all until it's implemented on a per-app basis given the above caveats.

Mhm, I don't know. I upgraded today and see no real solution to use Plex and an SMB share?
The only solution, I think, is to use Plex in a VM.

@oblivioncth did you find a solution?
@morganL maybe you can tell me the recommended way.

VMs are ultimately fine, especially if you have resources to spare, but they're overkill and add unnecessary overhead if all you're going to do is host one or two apps in them. I'm really happy with the apps implementation in SCALE after having gotten over the learning curve, and this host path issue is the only real "sticking point" of any kind I ran into (again in the end, not that bad), while everything else was just getting used to some workflows and things I was unfamiliar with.

Using the charts for your services is much more efficient and hands-free once you get it set up, especially in terms of updates and ease of migration.

VMs certainly have their purpose though. I use one for Home Assistant, for example, as I use many of its add-ons and preferred supervised Home Assistant. Being able to have HA supervised, with all of its add-ons installed directly within it instead of flooding my chart collection with apps I don't use for anything but HA, and a unique LAN IP without having to install the third-party MetalLB load balancer makes the VM make sense in this case. It encapsulates everything into one nice, easy to use and manage "box" that I know won't interfere with the rest of my TrueNAS setup. But Plex in a VM really saves you nothing and just adds complexity.
 
Last edited:

Belperite

Dabbler
Joined
Feb 21, 2023
Messages
26
There may be another roundabout, inconvenient, duplicative but technically valid solution (I've not tested this).

1) Install a SAMBA docker image, e.g. https://hub.docker.com/r/servercontainers/samba.
a) Configure it to share mounts you need (see 3)
b) Configure it with appropriate users
(yes, this is very inconvenient and bypasses the TrueNAS UI, but may be enough for those who just want one "media" SMB share)
c) Give it its own IP on the host network your clients will connect to
3) Pass through the host paths that your container will know about (see 1)

*For those who just use Plex and the *arr apps, don't bother and use the TrueCharts NFS solution. For those of us who use Docker images from other sources but still want them SMB shared, maybe worth a try?
 

oblivioncth

Explorer
Joined
Jul 13, 2022
Messages
71
There may be another roundabout, inconvenient, duplicative but technically valid solution (I've not tested this).
This is quite a hacky solution, but I can at least empathize with the allure of trying this hard to just have a single SMB share if it really bothers you from an organizational OCD standpoint.

Just be aware that the service check portion of host path validation exists to ensure that a dataset can't be accessed by an SMB share and app simultaneously period. While in all of the previous examples the SMB shares and app were both created by TrueNAS, this doesn't actually affect the fundamental reasoning for the check. A chart from another machine accessing an SMB share would also theoretically be a problem even if the machine hosting the share isn't aware of it.

The point is that this doesn't actually change anything and is just another way to dodge TrueNAS' detection of the scenario, but not actually avoid the underlying concern. So if someone really does end up resorting to this crazy workaround, know that once Cobia is released you should just disable host path validation for your specific container of interest instead, as it will functionally be the same safety-wise and avoid all these shenanigans.
 
Last edited:
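To make the overlap concern in the post above concrete, here is an added example (not part of the thread and not TrueNAS's own validation code) that flags app host paths which are the same directory as, inside, or a parent of an SMB-shared path. All share names, app names and dataset paths are constructed for illustration, and the comparison is lexical only.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed sample data: names and dataset paths are hypothetical.
SMB_SHARES = {"media": "/mnt/tank/media", "docs": "/mnt/tank/docs"}
APP_MOUNTS = [
    {"app": "plex", "host_path": "/mnt/tank/media/movies", "read_only": True},
    {"app": "sonarr", "host_path": "/mnt/tank/media", "read_only": False},
    {"app": "backup", "host_path": "/mnt/tank", "read_only": False},
    {"app": "photos", "host_path": "/mnt/tank/media2", "read_only": False},
]


def _normalize(path):
    """Collapse '.', '..' and duplicate slashes so a path such as
    '/mnt/tank/apps/../media' cannot hide an overlap.
    Symlinks are not resolved: this is a lexical comparison."""
    if not path.startswith("/"):
        raise ValueError(f"expected an absolute path, got {path!r}")
    return PurePosixPath(posixpath.normpath(path))


def overlaps(a, b):
    """True when a and b are the same directory or one contains the other.
    Compares whole path components, so '/mnt/tank/media2' does not
    match '/mnt/tank/media' the way a string-prefix test would."""
    a, b = _normalize(a), _normalize(b)
    return a == b or a in b.parents or b in a.parents


def find_conflicts(shares, mounts):
    """Return (app, share, read_only) for every app mount that overlaps
    an SMB-shared path. read_only is reported so that read-only mounts
    can be triaged separately from read-write ones."""
    conflicts = []
    for mount in mounts:
        for name, share_path in shares.items():
            if overlaps(mount["host_path"], share_path):
                conflicts.append((mount["app"], name, mount["read_only"]))
    return conflicts


if __name__ == "__main__":
    for app, share, ro in find_conflicts(SMB_SHARES, APP_MOUNTS):
        mode = "read-only" if ro else "read-write"
        print(f"{app}: {mode} host path overlaps SMB share '{share}'")
```
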

indivision

Guru
Joined
Jan 4, 2013
Messages
806
You're missing an option:

Increase guru powers and do all of your file manipulations via CLI.

:wink:
 

Paddy0293

Dabbler
Joined
Sep 28, 2022
Messages
35
VMs are ultimately fine, especially if you have resources to spare,
I'm already using a VM for Vaultwarden and nginx, because the TrueCharts Vaultwarden doesn't support the SQLite system and I want to integrate my old database with some users.

What annoys me about TrueCharts is that it creates so many snapshots, it's frustrating.

So Plex runs now on my VM and works perfectly. Maybe I switch back to TrueNAS Apps with Cobia or I stay with the VM, I do not know yet.
 
Joined
Jan 27, 2020
Messages
577

Paddy0293

Dabbler
Joined
Sep 28, 2022
Messages
35
Disabling host path validation.
It's not recommended :)
I have no idea why the developers are doing this, because it is not possible to use Plex without TrueCharts or disabling host path validation.
I would like to suggest everyone who likes the idea of having a fast deployment of apps but doesn't want to go through the known hoops with k3s, to try this: https://github.com/Jip-Hop/jailmaker from @Jip-Hop
What is the difference to a VM?
I think a VM is the better way.
 
Joined
Jan 27, 2020
Messages
577
It's not recommended :)
I have no idea why the developers are doing this, because it is not possible to use Plex without TrueCharts or disabling host path validation.

What is the difference to a VM?
I think a VM is the better way.
The main difference would be, that you can mount storage directly via "bind". With a VM you have to use NFS.
 

oblivioncth

Explorer
Joined
Jul 13, 2022
Messages
71
NFS shares will be the best way to handle this for most I imagine, though it does beg the question as to what people are expected to do with the official apps, unless they really envision people just periodically SFTPing their files over or something and then turning that off and restarting the container. Of course you'd also have to remount the PVC. Not horrible, but certainly annoying.

From what I understand, Kubernetes natively supports NFS mounts as a client and TrueCharts just did the extra leg work to expose this to users, so it's conceivable that the official apps may eventually get the same treatment.

I also just wanted to clarify that somehow I linked to the wrong issue in my previous post (which I updated) and that this is the actual issue:


The note there by Kjeld Schouten-lebbing gives a pretty good summary on how things currently stand with host path validation and where they should likely go in Cobia, hopefully leading to an implementation where disabling just the service portion of it for one app is much less of a broad stroke and is a reasonable consideration if used with caution.

In a way, what's ironic about all of this is that the official Kubernetes guidance for Host Paths is that they ideally should be used for testing and development only, not in production. So in a different universe it's possible that iXsystems may have never exposed the feature in the first place to really tighten things up for the enterprise environment :grin:.
 
Last edited:
