Thursday, 25 October 2018

How to Setup phpMyAdmin in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup phpMyAdmin in an iocage Jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Database: MariaDB v10.2.17
  • Web Server: NGINX v1.14.0_12
  • Web Directory: /usr/local/www/html
  • PHP Version: 7.2
  • phpMyAdmin Version: 4.8.3
  • Setup iocage Jail
  • Setup NGINX Web Server
  • Setup MariaDB 



Install phpMyAdmin


Since we are using php72 on the nginx webserver, we will install phpMyAdmin for the php72 version
root@test:~ # pkg install phpMyAdmin-php72




Create a Symbolic Link to the phpMyAdmin directory into the webroot directory
root@test:~ # ln -s /usr/local/www/phpMyAdmin /usr/local/www/html/phpmyadmin

Restart nginx and php-fpm service
root@test:~ # service nginx restart; service php-fpm restart


Configure phpMyAdmin 



Edit the /usr/local/www/phpMyAdmin/config.inc.php file and configure phpMyAdmin settings or delete the /usr/local/www/phpMyAdmin/config.inc.php and then go to http://test/phpmyadmin/setup to configure a database server host. For our example, I am going to use the phpMyAdmin setup wizard.

First delete /usr/local/www/phpMyAdmin/config.inc.php file
root@test:~ # rm -v /usr/local/www/phpMyAdmin/config.inc.php




Go to http://test/phpmyadmin/setup and configure a database server host








Copy the text of the generated configuration file and then paste it into the /usr/local/www/phpMyAdmin/config.inc.php file




Paste the config text into /usr/local/www/phpMyAdmin/config.inc.php and Save File
root@test:~ # ee /usr/local/www/phpMyAdmin/config.inc.php




Login to phpMyAdmin



Go to http://test/phpmyadmin in your browser and login using your root username and password.







Resource Links

Wednesday, 24 October 2018

How to Setup a MariaDB Server v10.2 in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup MariaDB Database Server v10.2.17 in an iocage Jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Database: MariaDB
  • Database Version: 10.2.17
  • Setup iocage Jail


Install MariaDB


root@test:~ # pkg install mariadb102-server



MariaDB Configuration


Choose the configuration file from template for Database server eg: my-small.cnf, my-medium.cnf, my-large.cnf, or my-huge.cnf
root@test:~ # cp /usr/local/share/mysql/my-small.cnf /usr/local/etc/my.cnf 



Enable MariaDB Server to start on boot


root@test:~ # sysrc mysql_enable="yes"


Start MariaDB Server


root@test:~ # service mysql-server start


Configure and Secure MariaDB Server for production


root@test:~ # mysql_secure_installation

   Enter current password for root (enter for none): [Press Enter]
   Set root password? [Y/n]: y
   Remove anonymous users? [Y/n]: y
   Disallow root login remotely? [Y/n]: y
   Remove test database and access to it? [Y/n]: y
   Reload privilege tables now? [Y/n]: y


Test Login of 'root' user


root@test:~ # mysql -u root -p


Test SQL Queries


MariaDB [(none)]> select user,host,password from mysql.user;
MariaDB [(none)]> show databases; 
MariaDB [(none)]> exit;



Helpful Commands


Search for package
root@test:~ # pkg search mariadb


Resource Links


How to Setup NGINX Web Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup NGINX Web Server with PHP72 in an iocage Jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • NGINX Version: 1.14.0_12
  • Web Directory: /usr/local/www/html
  • PHP Version: 7.2
  • Certificate File Name and Location: /usl/local/etc/ssl/test.crt
  • Certificate Key File Name and Location: /usr/local/etc/ssl/test.key
  • Setup iocage Jail

NGINX


Install NGINX
root@test:~ # pkg install nginx

Install Output


Enable NGINX to start on boot
root@test:~ # sysrc nginx_enable="yes"

Start NGINX Server
root@test:~ # service nginx start

Check to see what ports NGINX is listening on
root@test:~ # sockstat -4 -6 | grep nginx


NGINX Running Success


NGINX Loads Default Page


PHP72


Install PHP72
root@test:~ # pkg install php72 php72-extensions

Create Web Directory
root@test:~ # mkdir -p /usr/local/www/html

Edit NGINX main configuration file to set php as server side script
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . . . 
02: user www;
. . . . . . . . . . . . 
42: server_name  test;
. . . . . . . . . . . .
49: root   /usr/local/www/html;
50: index  index.php index.html index.htm;
. . . . . . . . . . . . 
70: location ~ \.php$ { 
71:     root                  /usr/local/www/html;                                                                             
72:     fastcgi_pass    127.0.0.1:9000;                                                                                 
73:     fastcgi_index  index.php;                                                                                      
74:     fastcgi_param SCRIPT_FILENAME $request_filename;
75:     include            fastcgi_params;                                                                                 
76: } 
. . . . . . . . . . . .


Create php.ini file from copying the php production file template
root@test:~ # cp /usr/local/etc/php.ini-production /usr/local/etc/php.ini

Configure php.ini
root@test:~ # ee /usr/local/etc/php.ini

672: post_max_size = 10M
776: cgi.fix_pathinfo=0
825: upload_max_filesize = 10M
939: date.timezone = "Australia/Melbourne"

Enable PHP-FPM to start on boot
root@test:~ # sysrc php_fpm_enable="yes"

Start the PHP-FPM Service
root@test:~ # service php-fpm start

Check to see what ports PHP-FPM is listening on
root@test:~ # sockstat -4 -6| grep php-fpm

PHP-FPM Running Success 


Create a php file to check if php works
root@test:~ # echo "<?php phpinfo(); ?>" | tee /usr/local/www/html/phpinfo.php

Restart NGINX
root@test:~ # service nginx restart

Go to http://test/phpinfo.php to check if php script works. 


PHP Page Load Success


Setup HTTPS / SSL / TLS Service


In order to enable the HTTPS service on NGINX, we would need a SSL Certificate and Key. There are more than one way to acquire these certificate and key.

  1. Self-Signed Certificate and Key
  2. Webhosting Provider
  3. Let's Encrypt / Certbot / Acme

Once you have acquired the certificate files, then copy them in the following directory.

Certificate File Name and Location: '/usl/local/etc/ssl/test.crt'
Key File Name and Location: '/usr/local/etc/ssl/test.key'

Certificate and Key File Location


Edit '/usr/local/etc/nginx/nginx.conf' file to define the location of those certificates.
root@test:~ # ee /usr/local/etc/nginx/nginx.conf

. . . . . . . . . . .
 22:  http {
. . . . . . . . . . .
 40:     server {
. . . . . . . . . . .
 84:     } # End of http server block
. . . . . . . . . . .
123:    # HTTPS Server
124:    server {
125:       listen       443 ssl;
126:       server_name  test;
127:
128:        ssl_certificate      /usr/local/etc/ssl/test.crt;
129:        ssl_certificate_key  /usr/local/etc/ssl/test.key;
130
131:        ssl_session_cache    shared:SSL:1m;
132:        ssl_session_timeout  5m;
133:
134:        ssl_ciphers  HIGH:!aNULL:!MD5;
135:        ssl_prefer_server_ciphers  on;
136:
137:        root   /usr/local/www/html;
138:
139:        location / {
140:            index  index.php index.html index.htm;
141:        }
142:
143:        location ~ \.php$ {
144:            fastcgi_param HTTPS on;
145:            fastcgi_pass   127.0.0.1:9000;
146:            fastcgi_index  index.php;
147:            fastcgi_param  SCRIPT_FILENAME $request_filename;
148:            include        fastcgi_params;
149:        }
150:    } # End of https server block
. . . . . . . . . . .
153:} # End of http block


HTTPS Server Block


Restart NGINX and PHP-FPM Service
root@test:~ # service nginx restart ; service php-fpm restart

Go to https://test/phpinfo.php to check if the certificate work.


Certificate works



Observations


When using Self-Signed Certificates, make sure your Internet browser recognises the Certificate Authority that issued the certificate and key.


Helpful Commands


Check NGINX configuration settings and syntax
root@test:~# nginx -t


Resource Links


How to Setup Emby Media Server in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup Emby Media Server in an iocage Jail on FreeNAS 11.1.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: emby
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/movies
  • Emby Server Version: 3.5.3.0
  • Setup iocage Jail


Create a Dataset on FreeNAS and Set Permissions


Create dataset 'movies' on FreeNAS as windows type




Set dataset 'movies' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.



Mount Dataset in Emby Jail with Read/Write Permissions


root@fn:~ #  iocage fstab -a emby /mnt/tank/movies /mnt/movies nullfs rw 0 0


Installation 


Login/Console into Emby Jail



root@fn:~ # iocage console emby


Go to https://emby.media/freebsd-server.html to look up the instructions and release version on how to install the latest emby package.

Install Dependency packages for Emby Server


root@emby:~ # pkg install mono libass fontconfig freetype2 fribidi gnutls iconv opus samba48 sqlite3 libtheora libva libvorbis webp libx264 libzvbi


Install Emby Server 


root@emby:~ # pkg add -f https://github.com/MediaBrowser/Emby.Releases/releases/download/3.5.3.0/emby-server-freebsd_3.5.3.0_amd64.txz


Create group 'media' with gid:8675309 in the emby jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'emby' user to the 'media' group on the emby jail as a member. This will make sure emby has group read/write permissions to the 'movies' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the emby jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309 
root@emby:~ # pw groupadd -n media -g 8675309

Add user 'emby' to group 'media'
root@emby:~ # pw groupmod media -m emby

Enable Emby to run at boot


root@emby:~ # sysrc emby_server_enable="YES"


Start Emby Service


root@emby:~ # service emby-server start


Run Emby Server Setup Wizard



Open your web browser and visit http://[IP ADDRESS]:8096 to run the Emby Server setup wizard.


Resource Links

Tuesday, 23 October 2018

How to Setup an OpenVPN Client with IPFW in an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup and configure an OpenVPN Client in an Transmission iocage jail on FreeNAS 11.1 with IPFW to implement a VPN Killswitch.


Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: transmission
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • VPN Service Provider: Trust Zone VPN (https://trust.zone)
  • Setup iocage Jail
  • Firewall: IPFW


OpenVPN Pre-Setup Tasks


Allow Jail To Create TUN Network Devices


OpenVPN Client needs to create a TUN interface in order to establish a secure encrypted connection. According to the default iocage jail security settings (rule 4), it doesn't allow the jail to create a tun network interface device. Because of that, the OpenVPN client won't be able to create and establish a VPN Tunnel to your choice of a VPN Service Provider. So, in order for it to be able to do that, you would need to allow the devfs rule 4 to be able to create a tun device network interface for the OpenVPN. And the way to do that is to create a 'preinit' task on the FreeNAS to run the following command on reboot on the FreeNAS server.   
devfs rule -s 4 add path 'tun*' unhide



Reboot FreeNAS.

Download OpenVPN files from your VPN Provider


Download the necessary files from your VPN service provider. I downloaded and copied the *.ovpn and userpass.txt files from my vpn provider (trust.zone) to the (/usr/local/etc/openvpn/) directory, create the directory if it does not exist. Make sure all the certificates, keys and settings are listed in the (trust_zone_vpn.ovpn) file and the 'auth-user-pass' setting in the trust_zone_vpn.ovpn is set to point at 'userpass.txt'.The  'userpass.txt' file has your VPN account's  username and password listed in it. You will need this for OpenVPN to auto login when the jail start/restart.  
root@transmission:~ # mkdir -p /usr/local/etc/openvpn

Setup OpenVPN Client


Install the openvpn package
root@transmission:~ # pkg install openvpn

Set the location of the openvpn config file
root@transmission:~ # sysrc openvpn_configfile="/usr/local/etc/openvpn/openvpn.conf"

Enable OpenVPN to start on boot
root@transmission:~ # sysrc openvpn_enable="YES"

Create a symbolic link 'openvpn.conf' to your trustzone.ovpn settings file 
root@transmission:~ # ln -s /usr/local/etc/openvpn/trust_zone_vpn.ovpn /usr/local/etc/openvpn/openvpn.conf

Before starting the openvpn service, first check and note down your public IP. 
root@transmission:~ # host myip.opendns.com resolver1.opendns.com

Start the openvpn service
root@transmission:~ # service openvpn start

Wait a minute for the openvpn service to start and establish a connection. Check to see if the TUN device has been assigned a different IP. 
root@transmission:~ # ifconfig

Then check the public IP again. It should be different to the public IP you checked earlier before you started the openvpn service. 
root@transmission:~ # host myip.opendns.com resolver1.opendns.com 

If the vpn tunnel is not created or established or the public IP remains the same as before, then something went wrong. Check the messages log file. Look for the line where it says "openvpn[####]: Initialization Sequence Completed". The line "openvpn[####]: Initialization Sequence Completed" indicates the connection was successful and established.

root@transmission:~ # tail -f -n 30 /var/log/messages

Setup VPN Killswitch with IPFW


Create directory to hold the ipfw startup script(s)
root@transmission:~ # mkdir -p /usr/local/etc/ipfw

Create startup script for ipfw rules
root@transmission:~ # ee /usr/local/etc/ipfw/ipfw_rules

---------File "/usr/local/etc/ipfw/ipfw_rules"---------------
#!/bin/bash
# Flush out the list before we begin
ipfw -q -f flush

# Set rules command prefix
cmd="ipfw -q add"
vpn="tun0"

# allow all local traffic on the loopback interface
$cmd 00001 allow all from any to any via lo0

# allow any connection to/from VPN interface
$cmd 00010 allow all from any to any via $vpn

# allow connection to/from LAN by Transmission
$cmd 00101 allow all from me to 10.0.0.0/24 uid transmission
$cmd 00102 allow all from 10.0.0.0/24 to me uid transmission

# deny any Transmission connection outside LAN that does not use VPN
$cmd 00103 deny all from any to any uid transmission
--------------End of File-------------------------------------------

Enable IPFW to start on boot
root@transmission:~ # sysrc firewall_enable="YES"

Set the startup script for ipfw rules
root@transmission:~ # sysrc firewall_script="/usr/local/etc/ipfw/ipfw_rules"

Start the IPFW service
root@transmission:~ # service ipfw start

Note: Although, the listed IPFW rules above implements a VPN killswitch. But, the major disadvantage of these rules is that it also prevents the access to the web admin GUI interface of Transmission from the LAN for Torrent administration when VPN tunnel is active. If anyone can write better IPFW rules that would implement a VPN killswitch without losing access to the web interface of Transmission, then let me know.

On my personal setup, instead of placing the OpenVPN and the Firewall rules to implement a VPN killswitch within the Jail itself, I have placed the VPN client on my pfSense router and configured the firewall rules on the pfSense router for my Transmission jail accordingly. I will probably write up a tutorial on how to do that on a separate post.       

Helpful Commands


Check your Public IP


root@transmission:~ # host myip.opendns.com resolver1.opendns.com
    .....or.....
root@transmission:~ # curl https://wtfismyip.com/text
    .....or.....
root@transmission:~ # curl ifconfig.me

Create a Symbolic link


root@transmission:~ # ln -s /path/to/source/file /path/to/new/link/file

Watch/Monitor a log file in real-time up to 30 lines


root@transmission:~ # tail -f -n 30 /var/log/messages

Resource Links



Thursday, 11 October 2018

How to Setup BitTorrent Client Transmission iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract



Tutorial on how to setup and configure a Bit Torrent Transmission Client in an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites



  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: transmission
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/torrents
  • Setup iocage Jail


Instructions


1. Create an iocage Jail with VNET configured by DHCP 


iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

root@fn:~ # iocage create -n "transmission" -r 11.1-RELEASE defaultrouter="10.0.0.1" vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" host_hostname="transmission" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

2. Create Dataset and then mount inside the Jail


Create a user (eg:mujahid) as member of the media (gid:8675309) group that will have group access to the 'torrents' dataset on FreeNAS.



Create a dataset 'torrents' on the FreeNAS volume as type 'Windows'.



Create a torrent watch directory(watch_dir) for transmission within the 'torrents' dataset. When any torrent file is copied into this directory, transmission will read the file and add to its queue for downloading. This is optional if you don't need to create a torrent watch directory.  
root@fn:~ # mkdir -p /mnt/tank/torrents/watch_dir

Create a torrent downloads directory(downloads) for transmission within the 'torrents' dataset. This is the directory transmission will use to save the downloaded files. 
root@fn:~ # mkdir -p /mnt/tank/torrents/downloads

Set dataset 'torrents' user owner as 'mujahid(uid:1000)' and group owner as 'media(gid:8675309)'. And set these permissions recursively.



Create a windows share for the 'torrents' dataset on FreeNAS, So the FreeNAS user 'mujahid' can access the 'downloads' directory contents.



Mount the dataset '/mnt/tank/torrents/downloads' on FreeNAS into "Transmission" jail with read/write access.
root@fn:~ #  iocage fstab -a transmission /mnt/tank/torrents/downloads /mnt/downloads nullfs rw 0 0

Mount dataset '/mnt/tank/torrents/watch_dir' on FreeNAS into transmission jail with read/write access.
root@fn:~ #  iocage fstab -a transmission /mnt/tank/torrents/watch_dir /mnt/watch_dir nullfs rw 0 0

3. Install and Configure Transmission client in iocage jail


Login/Console into the transmission jail
root@fn:~ # iocage console transmission

Install the transmission package
root@transmission:~ # pkg install transmission-daemon

Create group 'media' with gid:8675309 in the transmission jail. Make sure the gid is the same as the gid on the FreeNAS host for the 'media' group. Then add the 'transmission' user to the 'media' group on the transmission jail as a member. This will make sure transmission has group read/write permissions to the 'torrents' dataset on the FreeNAS. Note: The group 'media' on the FreeNAS and the transmission jail should have the same gid(8675309), otherwise the permissions won't work properly.

Create group 'media' with gid:8675309 
root@transmission:~ # pw groupadd -n media -g 8675309

Add user 'transmission' to group 'media'
root@transmission:~ # pw groupmod media -m transmission

Enable transmission to start on boot
root@transmission:~ # sysrc transmission_enable="YES"

Set the transmission auto file permissions and ownership check to 'No'. Because, when the transmission service starts, it resets the user and group ownership of the FreeNAS dataset 'torrents' to the default jail user and group "root:wheel", which we don't want because the user won't be able to access the downloads share directory contents.
root@transmission:~ # sysrc transmission_chown="NO"

Set the download directory for transmission
root@transmission:~ # sysrc transmission_download_dir="/mnt/downloads"

Set the torrents watch directory for transmission.
root@transmission:~ # sysrc transmission_download_dir="/mnt/watch_dir"

Start and then stop the transmission service to create a '/usr/local/etc/transmission/home/settings.json' file with default settings.
root@transmission:~ # service transmission start && service transmission stop

Edit the 'settings.json' file to change the transmission configurations with the following settings 
root@transmission:~ # ee /usr/local/etc/transmission/home/settings.json

{   
    "port-forwarding-enabled": false, 
               .......
    "rpc-whitelist": "127.0.0.1, 10.0.0.*",     # Only for internal network clients to access 
               ....... 
    "speed-limit-up-enabled": true,             
               .......
    "trash-original-torrent-files": false,         # Do not save torrent files
    "umask": 2,                                              # Make downloads directory group read writable
               .......
    "watch-dir": "/mnt/watch_dir",               # Watch directory for *.torrent files
    "watch-dir-enabled": true                        # Watch directory enabled
}

Start transmission service
root@transmission:~ # service transmission start

Go to http://[IP]:9091/transmission/web to check if the transmission web-gui is accessible.



Helpful Commands


Remove user from group
root@transmission:~ # pw groupmod media -d transmission

Show Group members
root@transmission:~ # pw groupshow media

watch/monitor a log file in real-time up to 30 lines
root@transmission:~ # tail -f -n 30/var/log/messages

Links and Resources

How to Create and Configure an iocage Jail on FreeNAS 11.1

بسم الله الرحمن الرحيم


Abstract


Tutorial on how to create and configure an iocage jail on FreeNAS 11.1.

Assumptions and Prerequisites


  • OS: FreeNAS 11.1-U6
  • FreeNAS Host: fn
  • FreeNAS Network Interface: igb0
  • FreeNAS IP: 10.0.0.2
  • FreeNAS Subnet Mask: 24
  • Jail Container: iocage
  • iocage Version: 1.0 Alpha
  • Jail Release: 11.1-RELEASE
  • Jail Name: test
  • Jail Network Interface: vnet0
  • Jail Network Config: DHCP | STATIC
  • Jail IP: 10.0.0.3
  • Jail Default Route: 10.0.0.1
  • IP Version: IPv4
  • Bridge Network Interface: bridge0
  • DNS 1: 10.0.0.1 
  • Domain: example.com
  • ZPool Volume: tank
  • Dataset: /mnt/tank/share

Instructions


List iocage Commands


root@fn:~ # iocage

Activate iocage zpool volume


Set iocage to use the default volume, use the following command.
root@fn:~ # iocage activate
    or
Set iocage to use a zpool volume if more than one exist on the FreeNAS
iocage activate [zpool]
root@fn:~ # iocage activate tank

Fetch/Download a Release Image


Fetch a release which will be used to create a jail.

Fetch a release from a list
root@fn:~ # iocage fetch

Fetch a release by name
iocage fetch -r [RELEASE IMAGE NAME]
root@fn:~ # iocage fetch -r 11.1-RELEASE


Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and DHCP


Command Example:  iocage create -n "[Name]" -r [Release] vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]

The following command creates a jail "test" from the "11.1-RELEASE" image with the following jail properties enabled, vnet/vimage network stack, Start on boot, and dhcp.

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" bpf="yes" dhcp="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"


Create a Jail with VNET/VIMAGE (Virtual Network Interface Stack) and Static IP Configuration


Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="vnet[N]|[IP]/[Mask]" defaultrouter="[IP]" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet[N]:bridge[N]" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"


root@fn:~ # iocage create -n "test" -r 11.1-RELEASE vnet="on" ip4_addr="vnet0|10.0.0.3/24" defaultrouter="10.0.0.1" vnet="on" allow_raw_sockets="1" boot="on" interfaces="vnet0:bridge0" resolver="search example.com;domain example.com;nameserver 10.0.0.1"


Create a Jail with a Shared IP


Command Example: iocage create -n "[Name]" -r [Release] ip4_addr="[IF]|[IP]/[MASK]" defaultrouter="[IP]" vnet="off" allow_raw_sockets="1" boot="on" resolver="search [DOMAIN];domain [DOMAIN];nameserver [DNS1 IP]"

root@fn:~ # iocage create -n "test" -r 11.1-RELEASE ip4_addr="igb0|10.0.0.100/24" defaultrouter="10.0.0.1" vnet="off" allow_raw_sockets="1" boot="on" resolver="search example.com;domain example.com;nameserver 10.0.0.1"

List Jails, Releases, and Plugins


List all Jails
root@fn:~ # iocage list

List all downloaded Releases
root@fn:~ # iocage list -r

List all available Templates
root@fn:~ # iocage list -t

List Remote Plugins
iocage list -PR
or
iocage list --plugins --remote

List Installed Plugins
iocage list -P
or
iocage list --plugins

Start, Stop, or Restart a Jail


Start a Jail
iocage start [JAIL NAME]
root@fn:~ # iocage start test

Stop a Jail
iocage stop [JAIL NAME]
root@fn:~ # iocage stop test

Restart a Jail
iocage restart [JAIL NAME]
root@fn:~ # iocage restart test

Configure a Jail


Set Jail Property
iocage set [PROPERTY]="[ARG]" [JAIL NAME]
root@fn:~ # iocage set notes="This is a test jail." test

Get Jail Property
iocage get [PROPERTY] [JAIL NAME]
root@fn:~ # iocage get notes test

Get All Properties of a Jail
iocage get all [JAIL NAME]
root@fn:~ # iocage get all test

Delete/Destroy a Jail


iocage destroy [JAIL NAME]
root@fn:~ # iocage destroy test

Rename a Jail


iocage rename [OLD JAIL NAME] [NEW JAIL NAME]
root@fn:~ # iocage rename test test2

Log in to a Jail


iocage console [JAIL NAME]
root@fn:~ # iocage console test

Run a command inside a Jail


iocage exec [JAIL NAME] "[COMMAND]"
root@fn:~ # iocage exec test "ls -lfa /etc"

Mount Dataset inside a Jail as Read Only


iocage fstab -a [JAIL NAME] /source/folder  /destination/folder/in/jail  nullfs  ro  0  0
root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs ro  0  0

Mount Dataset inside a Jail as Read and Write


iocage fstab -a [JAIL NAME] /source/folder  /destination/folder/in/jail  nullfs  rw  0  0
root@fn:~ # iocage fstab -a test /mnt/tank/share /mnt/share nullfs rw  0  0

List Jail Mount Entries


iocage fstab -l [JAIL NAME]
root@fn:~ # iocage fstab -l test

Edit Jail Mount Entries


iocage fstab -e [JAIL NAME]
root@fn:~ # iocage fstab -e test

Remove a Jail Mount Entry


iocage fstab -r [JAIL NAME] [INDEX]
root@fn:~ # iocage fstab -r test 0

Create Jail Snapshot


iocage snapshot -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapshot -n "Recent Upgrade" test

List Jail Snapshots


iocage snaplist [JAIL]
root@fn:~ # iocage snaplist test

Remove/Delete Jail Snapshot


iocage snapremove -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage snapremove -n "Recent Upgrade" test

Rollback Jail to a Snapshot


iocage rollback -n "[SNAPSHOT NAME]" [JAIL]
root@fn:~ # iocage rollback -n "Recent Upgrade" test


Observations


DNS Resolver


When you create a Jail in iocage and skip to define the 'resolver' property, the iocage uses the host system's (in this case the FreeNAS host) default DNS settings defined in the '/etc/resolv.conf'.

If your FreeNAS has been configured as a Domain Controller, it resets the DNS setting in the '/etc/resolv.conf' to point to itself. Example: "nameserver 127.0.0.1". Incidentally, the iocage jail DNS is also set to 127.0.0.1. As a result, all the DNS queries within the jail fail because the jail points to itself as a nameserver where a name service does not exits. So, in order for the jail's DNS to work, we will need to manually define the resolver property for the jail.

And if you have a complicated network setup, like a switch with multiple VLANs. You will also need to define the 'defaultrouter' and 'interfaces' property so that the vnet interface is linked to the correct bridge interface and the bridge interface is link to the correct VLAN interface.



Helpful Commands


Check iocage version
root@fn:~ # iocage -v

iocage Help command
root@fn:~ # iocage --help

List all zpools on the FreeNAS
root@fn:~ # zpool list

Delete Release
iocage destroy -r [RELEASE NAME]
root@fn:~ # iocage destroy -r 11.0-RELEASE

Links and Resources