-
I advise not exposing TrueNAS SCALE, or any services running on it, to the internet. Instead I recommend using a VPN, hosted on another device, to join the network where your NAS is located and access your services (Nextcloud in this case) that way.
-
You can expose a single port (or both 80 and 443) into a jail running a reverse proxy, and control access through that reverse proxy. NPM (Nginx Proxy Manager) is the most WebUI-oriented solution out there, but of course you can use whatever suits your fancy.
-
Thank you very much to you both for your help. I realise that my question was maybe not precise enough, as my main preoccupation is more specifically about privileges and trying to get as close as possible to the Core jails security level. I think this is especially needed if I expose a service within the jail. I've had a look at the Security implications section of the Readme but, being unfamiliar with systemd-nspawn, I'm not sure how to properly use user namespacing and limit capabilities in the context of Jailmaker.
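A check for the two things asked about above (user namespacing and a reduced capability set), added here as an example and not code from Jailmaker or from anyone in the thread. With systemd-nspawn the switches that produce such a jail are `--private-users=` (user namespace) and `--drop-capability=` / `--capability=` (capability bounding set); the script does not show how Jailmaker passes them through, it only verifies the result by reading `/proc/<pid>/status` and `/proc/<pid>/uid_map`, which is the same view the kernel enforces. It assumes a Linux `/proc` and a POSIX shell with `awk`, `head`, `sed` and `wc`. The capability name table is bit-indexed from `linux/capability.h` (41 capabilities as of Linux 6.x).

```shell
#!/bin/sh
# Added example (not Jailmaker's code): report whether a process is inside a
# mapped user namespace and which capabilities remain in its effective and
# bounding sets.  Inside a jail:   sh cap_report.sh /proc/self
#                 On the host:     sh cap_report.sh /proc/<pid of jail init>

# Capability names in bit order, from linux/capability.h (bit 0 = chown).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK : print the name of every set bit, one per line.
# HEXMASK is the 16-digit value after CapEff:/CapBnd: in /proc/<pid>/status.
decode_caps() {
  mask=$(( 0x$1 )); i=0
  for name in $CAP_NAMES; do
    if [ $(( (mask >> i) & 1 )) -eq 1 ]; then echo "$name"; fi
    i=$((i + 1))
  done
}

# uid_map_is_identity "LINE" : succeed when LINE is the initial namespace's
# map "0 0 4294967295".  Any other map (e.g. "0 524288 65536") means root in
# the jail is an unprivileged uid on the host, which is what --private-users
# gives you.
uid_map_is_identity() {
  set -- $1
  [ "$1" = 0 ] && [ "$2" = 0 ] && [ "$3" = 4294967295 ]
}

# cap_report PROCDIR : human-readable summary for a /proc/<pid> directory.
cap_report() {
  dir=$1
  eff=$(awk '/^CapEff:/ {print $2}' "$dir/status")
  bnd=$(awk '/^CapBnd:/ {print $2}' "$dir/status")
  map=$(head -n 1 "$dir/uid_map")
  if uid_map_is_identity "$map"; then
    echo "user namespace: NONE (uid 0 here is uid 0 on the host)"
  else
    echo "user namespace: yes (uid_map: $map)"
  fi
  echo "effective capabilities ($(decode_caps "$eff" | wc -l) of 41):"
  decode_caps "$eff" | sed 's/^/  /'
  echo "bounding set size: $(decode_caps "$bnd" | wc -l) of 41"
}

# Run only when a /proc directory is given on the command line.
if [ $# -gt 0 ]; then cap_report "$1"; fi
```

A jail that still reports "user namespace: NONE" and a full 41-capability bounding set for its init process is, from the kernel's point of view, a root process on the host that happens to have a different filesystem view; that is the gap to the Core jail model the question is about.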
-
Edit: please ignore this, I think I finally figured out the issue. I had the impression that traverse had more permissions than modify (since it follows modify in the dropdown); giving it modify permissions fixed it.

@skittle-brau could I check how you did this? I've been trying to figure out how to get permissions to work for the past 3 days to no avail. I thought the best practice was having a user per container so that each container has access to only what it needs to. Hence, I have the following data set structure:

So each container gets its own data set. They use the NFSv4 ACL. I created a podman user on TrueNAS that maps to a non-root user in the jail that I use to run my containers. It owns the podman data set, and everything works as expected there: the rootless user can see the files from the jail. I created a traefik user on TrueNAS (id 526288, maps to 2000 in the jail) and granted access to the traefik data set only. However, when I try accessing the data I get:

```
[traefik@podman traefik]$ ls -al
ls: cannot open directory '.': Permission denied
```

This is what the POSIX permissions look like outside the jail:

```
root@truenas[/mnt/tank/enc/docker/data]# ls -al
total 42
drwxrwx--x 4 rootless podman     4 May  6 15:29 .
drwxrwx--x 4 rootless podman     4 May  5 21:58 ..
drwxrwx--x 4 rootless podman     7 May  6 22:53 traefik
root@truenas[/mnt/tank/enc/docker/data]# cd traefik
root@truenas[/mnt/tank/enc/docker/data/traefik]# ls -al
total 88
drwxrwx--x 4 rootless podman     7 May  6 22:53 .
drwxrwx--x 4 rootless podman     4 May  6 15:29 ..
-rw------- 1 rootless podman 52310 May  6 15:38 acme.json
-rwxrwx--- 1 rootless podman   599 May  6 15:38 default.toml
drwxrwx--- 2 rootless podman     5 May  6 15:38 dynamic
drwxrwx--- 2 rootless podman     3 May  6 15:38 shared
-rwxrwx--- 1 rootless podman  1329 May  6 15:38 traefik.toml
```

My guess is that the ACL entries are completely ignored and only the permission bits are checked.
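The listing in the post above is enough to reproduce the "Permission denied" from the mode bits alone, so here is a small checker, added as an example and not code from the post or from Jailmaker. It applies the rule the kernel uses for the mode bits: a process is tested as owner if its uid matches, otherwise as group if any of its groups matches, otherwise as other, and only that one class is consulted (a user who is not the owner and not in the group gets `--x` on `drwxrwx--x` even though owner and group have `rwx`). The user/group names are the ones in the listing; the uid offset 524288 is inferred from the post's numbers (526288 on the host for uid 2000 in the jail) and is only an assumption about that particular setup.

```shell
#!/bin/sh
# Added example (not from the post or from Jailmaker): resolve which POSIX
# permission class applies to a user and whether it can list/enter a directory.

# posix_class MODE OWNER GROUP USER [GROUP...]
# MODE is the 10-character string from `ls -l` (e.g. drwxrwx--x).
# Prints "<class> <rwx>": the class chosen for USER (owner, then group, then
# other; there is no fallback to a more permissive class) and its three bits.
posix_class() {
  mode=$1; owner=$2; group=$3; user=$4; shift 4
  class=other; bits=$(printf '%s' "$mode" | cut -c8-10)
  if [ "$user" = "$owner" ]; then
    class=owner; bits=$(printf '%s' "$mode" | cut -c2-4)
  else
    for g in "$@"; do
      if [ "$g" = "$group" ]; then
        class=group; bits=$(printf '%s' "$mode" | cut -c5-7); break
      fi
    done
  fi
  printf '%s %s\n' "$class" "$bits"
}

# can_list_dir  (same arguments): succeeds when the applicable class has 'r',
# which is what `ls` needs to read the directory entries.
can_list_dir() {
  case "$(posix_class "$@")" in *' r'*) return 0 ;; *) return 1 ;; esac
}

# can_enter_dir (same arguments): succeeds when the applicable class has 'x',
# which is all "traverse" gives you: cd into it, open a known name, no listing.
can_enter_dir() {
  case "$(posix_class "$@")" in *x) return 0 ;; *) return 1 ;; esac
}

# jail_to_host_uid JAIL_UID BASE: uid as the host sees it when the jail uses a
# user namespace whose mapping starts at BASE (assumed 524288 for the post).
jail_to_host_uid() {
  echo $(( $2 + $1 ))
}

# Walk-through of the post's case: traefik (2000 in the jail, 526288 on the
# host) against /mnt/tank/enc/docker/data/traefik, drwxrwx--x rootless:podman.
if [ $# -eq 0 ]; then
  echo "host uid of jail uid 2000: $(jail_to_host_uid 2000 524288)"
  echo "class for traefik: $(posix_class drwxrwx--x rootless podman traefik traefik)"
  if can_enter_dir drwxrwx--x rootless podman traefik traefik; then echo "cd: ok"; fi
  if can_list_dir drwxrwx--x rootless podman traefik traefik; then echo "ls: ok"
  else echo "ls: Permission denied (class has no r bit)"; fi
fi
```

Note that on a ZFS dataset with NFSv4 ACLs the mode string `ls -l` prints is a summary derived from the ACL, and the ACL entries are what the kernel evaluates; `nfs4xdr_getfacl /mnt/tank/enc/docker/data/traefik` on TrueNAS SCALE shows the entries actually in force, which is the first thing to compare against this mode-bit view when the two disagree.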
-
Hi there, thank you very much for your awesome tool! :)
I wanted to know what the best practices are and how you get an unprivileged jail.
Coming from Core, I'd like to migrate my TrueNAS Core Nextcloud instance. I'd love to keep my MariaDB while customising curves in nginx; things that TrueCharts typically does not allow and on which I feel like I don't have much control anymore on Scale.
However, not being too familiar yet with Scale, I find instructions quite unclear regarding the best practice to setup a "secure" jail that could be exposed to internet.
Could you please help me and let me know what I should/should not do to secure jails created and managed with your tool? 🙂
Many thanks in advance for your kind help!