Bos55/Hugo
2
Fork 0
Code Issues 15 Pull requests Projects 1 Wiki Activity

Share storage between apps and SMB share #30

New issue
Closed
opened 2023-09-30 13:34:28 +02:00 by tdpeuter · 5 comments
tdpeuter commented 2023-09-30 13:34:28 +02:00
Owner
Copy link

Since Bluefin, there are some new hostPathValidation checks that prevent a dataset from being shared over SMB and be mounted in an app at the same time.

This is, however, what we want to achieve for datasets such as all media datasets. For example:

SMALL/MEDIA/AUDIO should be available for Jellyfin, Plex and Lidarr. It should also be accessible from SMB, so we can add our own music manually.

Since Bluefin, there are some new hostPathValidation checks that prevent a dataset from being shared over SMB and be mounted in an app at the same time. This is, however, what we want to achieve for datasets such as all media datasets. For example: `SMALL/MEDIA/AUDIO` should be available for Jellyfin, Plex and Lidarr. It should also be accessible from SMB, so we can add our own music manually.
tdpeuter added the
bug
chore
 labels 2023-09-30 13:34:28 +02:00
tdpeuter self-assigned this 2023-09-30 13:34:28 +02:00
tdpeuter added this to the Server setup project 2023-09-30 13:34:28 +02:00
tdpeuter added a new dependency 2023-09-30 13:34:51 +02:00
#23 Migration
tdpeuter commented 2023-09-30 13:48:12 +02:00
Author
Owner
Copy link

At the moment, I believe it is possible to:

  • In the dataset options, change ACL Type from POSIX to SMB/NFSv4
  • Use the ACL Editor to change to the NFS4_RESTRICTED preset. Apply user and group to the already used media user and group.
  • Create the SMB share for the dataset. No special configuration required.
  • Also create a NFS share for the dataset. No special configuration required.
  • Modify your application to use NFS Share storage type instead of Host Path. Make sure that your application is running as a user that has access to the dataset.

I tried this out with a torrents dataset, and it seems to work fine so far.

At the moment, I believe it is possible to: - In the dataset options, change `ACL Type` from `POSIX` to `SMB/NFSv4` - Use the ACL Editor to change to the `NFS4_RESTRICTED` preset. Apply user and group to the already used `media` user and group. - Create the SMB share for the dataset. No special configuration required. - Also create a NFS share for the dataset. No special configuration required. - Modify your application to use `NFS Share` storage type instead of `Host Path`. Make sure that your application is running as a user that has access to the dataset. I tried this out with a torrents dataset, and it seems to work fine so far.
tdpeuter commented 2023-09-30 14:01:18 +02:00
Author
Owner
Copy link

I believe this is all of a sudden a huge gap in security though.

I think it's possible to access the shares just by knowing the IP's. Not sure how the ACL's come into play here.

I believe this is all of a sudden a huge gap in security though. I think it's possible to access the shares just by knowing the IP's. Not sure how the ACL's come into play here.
tdpeuter commented 2023-09-30 14:42:45 +02:00
Author
Owner
Copy link

I think it's possible to access the shares just by knowing the IP's. Not sure how the ACL's come into play here.

You can whitelist IPs. Currently, I have set it up to only allow the IP of the server.

> I think it's possible to access the shares just by knowing the IP's. Not sure how the ACL's come into play here. You can whitelist IPs. Currently, I have set it up to only allow the IP of the server.
tdpeuter commented 2023-09-30 16:42:29 +02:00
Author
Owner
Copy link

Some resources:

Some resources: - [Setting Up Permissions on TrueNAS SCALE](https://www.truenas.com/docs/scale/scaletutorials/storage/datasets/permissionsscale/) - [Using NFS Shares with TrueCharts apps](https://truecharts.org/manual/SCALE/guides/nfs-share/) - [Using an SMB Share with apps](https://www.truenas.com/community/threads/using-a-smb-share-with-an-app.110794/)
tdpeuter commented 2023-10-01 23:08:27 +02:00
Author
Owner
Copy link

This seems fine so far

This seems fine so far
tdpeuter removed this from the Server setup project 2023-10-01 23:09:44 +02:00
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
lost+found
No results found.
Labels
Clear labels   
bug

Something is not working

  
chore

Necessary, but invisible to the end-user

  
duplicate

This issue or pull request already exists

  
enhancement

New feature

  
help wanted

Need some help

  
invalid

Something is wrong

  
question

More information is needed

  
urgent

Needs fixing ASAP

  
wontfix

This won't be fixed

No labels
bug
chore
duplicate
enhancement
help wanted
invalid
question
urgent
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
tdpeuter
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Blocks
#23 Migration
Bos55/Hugo
Reference: Bos55/Hugo#30
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?