trouble with apps accessing folder permissions

[mervincm]

Nope... That was about your changes to permissions on our apps, like we said "the customisations", you script is generally fine.

The permissions issue should be fixed (as well as remove the need for any permissions script) by the changes soon to be pushed, see our recent announcement for that...

I took your advice to heart and re-examined what I did and why I did it. I gave it a couple of weeks, but I don't see where I pulled away from best practices.

A unique ID per app is a recommended good practice.
A common group, with your App IDs as members, used for shared access is a recommended good practice.
Setting RunasUser to that user, and RunasGroup to that shared group are required for files created by that app to have the correct owner id/group.
Setting fsGroup to that shared group seems to be required for the enhanced permissions most apps require when you use the recommended 775/644 permissions.

While I agree that simpler designs can be easier to understand and implement, this is a better approach. And it doesn't use any id's by number that you don't actually have created yet. I have come across use of group ids and user ids in TrueChart apps that do not come by default with TrueNAS. I don't see how that can be defended as a superior approach.

 

[truecharts]

I took your advice to heart and re-examined what I did and why I did it. I gave it a couple of weeks, but I don't see where I pulled away from best practices.

The best practice is not changing our defaults. We stand by that quite fiercely.
Lets be realistic here: you do not deal with issues related to permissions multiple times on a daily basis, we do.

It's really important for users to start off from the defaults and only change the user (not the group) on a per-app basis when viable and possible.

A unique ID per app is a recommended good practice.

A good practice for sure, but definately not a best practice.
From a security perspective things get only slightly more secure, with the added isolation a different user offers when all the Apps already have access to the same group(s).

A common group (...) used for shared access is a recommended good practice.

Here we agree and that is why we setup all Apps to use the Apps group (568), and user (568), by default.

Setting RunasUser to that user, and RunasGroup to that shared group are required for files created by that app to have the correct owner id/group.
Setting fsGroup to that shared group seems to be required for the enhanced permissions most apps require when you use the recommended 775/644 permissions.

It's rather silly to explain something to us we build ourselves, isn't it? ;-)

And it doesn't use any id's by number that you don't actually have created yet

Neither do we, when possible.
All our Apps use the apps user (568) and apps group (568), which is natively included as a named user in TrueNAS SCALE.

I have come across use of group ids and user ids in TrueChart apps that do not come by default with TrueNAS. I don't see how that can be defended as a superior approach.

All our Apps run as user and group 568 aka "Apps" by default, unless we verified it's not very-well possible to change the defaults set by their upstream developers. An example of which is Nextcloud, which has an inherent dependency on group 33 and root access.

We never defended that, neither do we agree with those set groups and users
Actually: neither do we agree with the practice of running as root with PUID and PGID. As kubernetes permission tooling is far superior.


The problem here is:
We, as a developement group, have certain standards and offer pro-active support on what we build.
Giving advice to new users to do things that inherently voids our support (such as using hostPath instead of PVC).

When you yourself are quite clear about not understanding everything perfectly yet yourself, this means those users will still need our support if things go awry. Which they either, in some cases, won't get due to customisations or puts the burden of supporting your advice on our support staff, which already has a daily job of walking people through permission issues with just the default(!) 568 user/group settings.

 

[mervincm]

The problem here is:
We, as a developement group, have certain standards and offer pro-active support on what we build.
Giving advice to new users to do things that inherently voids our support (such as using hostPath instead of PVC).
When you yourself are quite clear about not understanding everything perfectly yet yourself, this means those users will still need our support if things go awry. Which they either, in some cases, won't get due to customisations or puts the burden of supporting your advice on our support staff, which already has a daily job of walking people through permission issues with just the default(!) 568 user/group settings.

Thank you for your prompt response. I back you 100% that as the team that creates these charts, you get to pick what and how they work, and what you will support. I have decades in operations and fully understand your need to limit variables or it wouldn't be possible to provide support. I also agree that giving a response that moves people out of support is not a good idea, especially without warning them. I will keep that in mind.

That said, what makes good practice for you (to control your support effort) and what makes good practice for a user will not always align 100%. Being willing to move out of official support can yield a superior experience as well as make it much easier to self-support.

I change users also from a visibility perspective. Having an owner set to "radarr" instead of "apps" told me to look at "radarr" instead of "one of the 24 applications" running as apps. I can use tools like netdata to show activity by user context in a predefined historical graph. This showed me that "tdarr-node" consumed tons of CPU while the NAS was struggling elsewhere. Seeing "Apps" was busy wouldn't have communicated the details required.

Visibility is also an advantage of host paths over creating a claim for a persistent volume. A host path is by default visible to the wide array of existing tools in ways that a PV is not. Easy remote access via TrueNAS built-in functionality SMB/NFS shares, SSH. Easy local access via shell using built-in tools like MC, and nano. We can use all the built-in data protection tools (snaps / replication / rsync / cloud backup) We just have a ton of options that each have a ton of easily researched information out there. Access to data in a Kubernetes-managed PV is an extra layer of complication with comparatively fewer tools and far more limited understanding available. Admittedly, with your documentation (quick start guide) this is less of a barrier than it used to be. The app shutdown requirement can be hard to live with.
I am not familiar with the advantages of sticking with PVC. The restricted access is a win from the avoiding unintentional change perspective and it would improve ease of support. Losing access to truetool for backups is significant, especially as it backs up both the app config, PV claims and the associated volume. This all-in-one package, combined with straightforward rollbacks is compelling.

I don't find it silly at all to indicate why I used your feature to achieve my preferred practice. we are not having a private conversation, Folks that read this thread may learn, I know I did. Secondly, it's an effective communication technique.

I appreciate your additional details on what ids/groups you use by default, and why you alter from them. I now see you document your id group use by app in the Apps section.
(btw Netdata is available in stable, but your apps section, stable is missing it, and the Manual app list has as incubator broken list for it)

Lastly, thank you again, for your product, for your support, and for your willingness to dig in with the community, actively engage, and express what you do and why you do it. I definitely appreciate it. I suggested a few missing charts, and one of them was quickly added. Exceptional.