Recommendation about media server?

nkkfs

New Member
Nov 12, 2023
Hello everyone,
I need your help with choosing the best option to host containers with access (write/read) between them. I need to run Jellyfin with some disk management software like OMV.
I’ve lost around a whole day trying to configure it.
#1 unprivileged container and tried OMV + NFS share, but I got stuck on setting permissions like guid/uuid etc. I’ve followed many tutorials, step by step, and every time I got stuck with permission denied when I wanted to create a file on the shared directory.
#2 unprivileged and with a drive mounted locally, which never works for me (wrong FS type etc.)
#3 privileged containers and a local drive, which even works, but I’m not satisfied because it’s not secure.
Can you share some complete tutorial how to make it from scratch? Or write step by step. Really I don’t know what to do now… feeling so bad.
 
> #1 unprivileged container and tried OMV + NFS share, but I got stuck on setting permissions like guid/uuid etc. I’ve followed many tutorials, step by step, and every time I got stuck with permission denied when I wanted to create a file on the shared directory.
Use a VM or run something like zamba or an LXC with Webmin or Cockpit as web UI for managing users/shares. Without the "sharerootfs" OMV plugin, which to my latest knowledge isn't working anymore, you won't be able to share bind-mounted filesystems via SMB/NFS.

> #2 unprivileged and with a drive mounted locally, which never works for me (wrong FS type etc.)
You can't mount NFS/SMB shares inside an unprivileged LXC. You will have to rely totally on bind-mounts.

> #3 privileged containers and a local drive, which even works, but I’m not satisfied because it’s not secure.
LXCs in general are not as secure as VMs. If you really care about security I would run everything in a VM and work with SMB/NFS shares, where all those permission problems with user/group remapping also don't exist.
 
> Use a VM or run something like zamba or an LXC with Webmin or Cockpit as web UI for managing users/shares. Without the "sharerootfs" OMV plugin, which to my latest knowledge isn't working anymore, you won't be able to share bind-mounted filesystems via SMB/NFS.

I would rather stick with LXC because I'm using the tteck scripts for my comfort in setting up containers.
If I use one of those you recommended, could you help me set up users/shares to get the containers cooperating? I'm kinda "green" with Linux permissions and most of my tries start with tutorials on the internet. :rolleyes:

> You can't mount NFS/SMB shares inside an unprivileged LXC. You will have to rely totally on bind-mounts.
I've tried this tutorial: https://www.closingtags.com/writing-to-bind-mounts-from-unprivileged-lxc-containers/
I thought that it could work. :/ I think my general problem is with properly sharing NFS into Proxmox (users, permissions etc).

> LXCs in general are not as secure as VMs. If you really care about security I would run everything in a VM and work with SMB/NFS shares, where all those permission problems with user/group remapping also don't exist.
As I said, I would rather stick with LXC.
But if you use VMs and add an NFS/SMB shared folder into Proxmox, can you use this folder on many VMs without any permission problems?


Generally, I'm using one 3TB HDD for data and an internal 500GB M.2 disk for Proxmox data like containers, ISOs etc.
My goal is to run Jellyfin + Jellyseerr + Radarr + Prowlarr and a P2P client, where every container can see, edit and write the same files.
 
> But if you use VMs and add an NFS/SMB shared folder into Proxmox, can you use this folder on many VMs without any permission problems?
You don't need to mount the SMB/NFS share on the host. That's only required as a workaround for unprivileged LXCs. You directly mount the NFS/SMB share inside all those VMs. And yes, then all VMs can access the same folder with very easy to set up permissions (especially when using SMB).
 
@nkkfs did you ever figure this out? I have an almost identical setup to yours running TrueNAS for storage, and have had a hell of a time with mounting the NFS shares to unprivileged containers. I followed the guide here, and all the folders have the proper UID:GID, but the mapping from root to my 3000:3000 just fails and I still get permission denied. Did you end up switching back to just plain VMs? I have the overhead but I too like those LXC scripts a bit too much
 

Hey, I just gave up and set all needed containers as privileged and set chmod 777 on the shared folder. G(U)ID are nobody/nogroup but permissions are rwx. Seems to work nicely.
I used Cockpit to manage the shared disk and permissions.
 
Hey, I actually managed to figure out how to fix the permissions issue with uid:gid last night. Are you using something like TrueNAS Scale? I had gone through all the UID:GID process but was still getting permission denied on the folders, but found a video with a comment mentioning that the share needs to have the Mapall or Maproot user set as the user/group of the UID you're using. So, for example, in my case the user and group that owns my share in TrueNAS would be mon0, which has a UID of 1005, with my own group created for the user as well at 1005. When you go into the share settings, click advanced options at the bottom and under Access -> Mapall User and Mapall Group (or Maproot, not really sure of the difference), I would set the user and group as mon0. As long as that user's group and user UID in Credentials -> Users match what you've set up for the <lxcid>.conf and chown perms, you should be able to access the NFS shares in your LXC container. Make sure you restart and re-bind mount the shares after doing this, otherwise it won't get the new perms. Let me know if this helps! I am now running all unprivileged LXC containers and NFS shares with no issues using this setup.
 

Unfortunately, I'm not using TrueNAS because I've only 8GB RAM :/ But there is so much information in what you wrote. :D
I can't understand how Cockpit (my shares manager like TrueNAS) configures UID and GUID and how Proxmox knows which user and what permissions it has to use. :(
 
I'm assuming Cockpit is on a VM/LXC container itself? In the accounts menu, if you click on a user, does it tell you any kind of ID? You might also be able to type
Code:
id
in the terminal of your Cockpit container, or potentially run ls -al wherever your shares are located.
 

Sorry @mon0. I really appreciate your willingness to help. I couldn't stand it and had to clean install everything again.
From the beginning, what do you recommend to get everything working perfectly?
 
https://forum.proxmox.com/threads/u...ccess-in-unprivileged-lxc.138502/#post-618122
This post details everything that I did; specifically the trick for me was to make sure I had the same user on the Maproot/Mapall selection in my NFS share settings, as well as making sure I was using the UID:GID of the user:group that owned the shares (if root has UID of 1005, you'd use that. If you made a user in a system like TrueNAS, it'd have some different non-1000 id, like 3000 in my case). However, I am currently in the process of migrating from TrueNAS back to something like OpenMediaVault or just straight up letting Proxmox handle ZFS configuration, as I'm finding it's just a massive headache to have to bind mount storage to every new LXC container I create, and it seems to me the general recommendation is to not run NAS software that requires ownership over the disks, vs something like OpenMediaVault that is happy to use a virtual disk. My setup might be pretty different from yours though, so it depends a lot on how exactly you are creating your ZFS pools/datasets and shares.
 
Hmm. Okay. So that's how I'm setting mappings. Okay.
But I'm a little confused about these IDs while mapping.
What should I put into it when:
- My Cockpit user nkkfs has (uid=1000,gid=1001)? How should the mappings look?
- My root in Proxmox in every container has (uid=0,gid=0)
- Should I create any other user in Proxmox and give them the above uid/gid?
 
If your cockpit user has uid 1000, gid 1001, I'd put in your /etc/pve/lxc/<LXC_container_id>.conf files
Code:
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1001
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1001 1001 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1002 101002 64534

And then in /etc/subuid:
root:1000:1

I'd recommend making the group ID the same, but you should be able to do the following in /etc/subgid:
root:1001:1

That should map the root user to your nkkfs user and the 1001 group.

Then make sure you run chown -R 1000:1001 <path_to_nfs_share> on your Proxmox host. You may need to reshare the NFS shares you're applying this to, and definitely reboot the container. This should work, lmk if you have any issues. No need to create any other users unless you want permissions to be separate for different containers for security reasons.
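
An added example, not part of the thread and not Proxmox code: a small Python check that a set of lxc.idmap lines is contiguous, covers container IDs 0-65535 and only uses host ranges delegated to root in /etc/subuid and /etc/subgid, plus a lookup of the host ID a container ID resolves to. The sample mapping (uid 1000, gid 1001), the root:100000:65536 delegation and all function names are assumptions made for the example.

```python
import re

# Constructed sample input for a share owner with uid=1000, gid=1001.
CONF = """\
lxc.idmap = u 0 100000 1000
lxc.idmap = g 0 100000 1001
lxc.idmap = u 1000 1000 1
lxc.idmap = g 1001 1001 1
lxc.idmap = u 1001 101001 64535
lxc.idmap = g 1002 101002 64534
"""
SUBUID = "root:100000:65536\nroot:1000:1\n"   # constructed /etc/subuid
SUBGID = "root:100000:65536\nroot:1001:1\n"   # constructed /etc/subgid
IDMAP = re.compile(r"lxc\.idmap\s*[:=]\s*([ug])\s+(\d+)\s+(\d+)\s+(\d+)")

def parse_idmap(conf, kind):
    """Sorted (container_start, host_start, count) tuples for kind 'u' or 'g'."""
    hits = (IDMAP.match(line.strip()) for line in conf.splitlines())
    return sorted(tuple(map(int, m.groups()[1:])) for m in hits if m and m[1] == kind)

def parse_sub(text, user="root"):
    """(start, count) ranges delegated to `user` in subuid/subgid text."""
    rows = (l.split(":") for l in text.splitlines() if l.strip() and l[0] != "#")
    return [(int(s), int(c)) for u, s, c in rows if u == user]

def check(conf, kind, sub_text, span=65536):
    """Problems found: gaps or overlaps in container IDs, undelegated host ranges."""
    problems, expected, allowed = [], 0, parse_sub(sub_text)
    for cstart, hstart, count in parse_idmap(conf, kind):
        if cstart != expected:
            problems.append(f"{kind}: range at {cstart} should start at {expected}")
        # Simplification: require one delegated range to hold the whole host range.
        if not any(s <= hstart and hstart + count <= s + c for s, c in allowed):
            problems.append(f"{kind}: host {hstart}+{count} not delegated to root")
        expected = cstart + count
    if expected != span:
        problems.append(f"{kind}: mapping ends at ID {expected}, expected {span}")
    return problems

def to_host(conf, kind, cid):
    """Host ID that a container ID becomes on the bind mount, or None if unmapped."""
    for cstart, hstart, count in parse_idmap(conf, kind):
        if cstart <= cid < cstart + count:
            return hstart + cid - cstart
    return None

if __name__ == "__main__":
    print(check(CONF, "u", SUBUID), check(CONF, "g", SUBGID))
    print([to_host(CONF, k, i) for k, i in (("u", 0), ("u", 1000), ("g", 1001))])
```

An empty list from check means the ranges are consistent; to_host shows that container root lands on host ID 100000 while only the passed-through IDs (1000 and 1001 here) keep their host values on the share.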
 
