Plex Container/Portainer Install

I wonder, how many will come with the same problem in the next days, Something must have changed.

Zitat von fibrou

---

version: "2.1"

services:

plex:

image: lscr.io/linuxserver/plex:arm64v8-latest

network_mode: host

container_name: plex

environment:

- PUID=998

- PGID=100

- VERSION=docker

- PLEX_CLAIM= #optional

volumes:

- /srv/dev-disk-by-uuid-84dd4d45-477b-4c80-8700-85af38f059e0/jpbs1TbDockerData/plex:/config

ports:

- 32400:32400

restart: unless-stopped

Still generates error.

Alles anzeigen

When you define host networking you CAN NOT also define ports.

Running a container privileged when not necessary is a major mistake. It is not required of the linuxserver.io plex image.

Running in privileged mode should not be necessary, but was the only way to make it work in this install.

gderf: Reading the thread, do you have an idea why he gets this error (it is arm64, so not the one mentioned for workarounds in the linuxserver thread)

libc++abi: terminating with uncaught exception of type std::__2::system_error: clock_gettime(CLOCK_MONOTONIC) failed: Operation not permitted

Ports are ignored when in network_mode: host. You can remove them.

Before running privileged I would try the plexinc/pms-docker image instead.

https://hub.docker.com/r/plexinc/pms-docker/

I have no knowledge about a fix for the posted error.

Zitat von fibrou

Will that image run on a Rpi?

No, they only provide amd64

I think it is an underlying problem of the image linuxserver uses, but not too many google hits on that.

Only for 32bit. Wait a few weeks / months and then update and remove the privileged:tru.

When running in privileged mode (or GASP PUID=0 GUID=) solves a problem without explanation it should be a signal to immediately stop doing that and find out why it worked. Continuing otherwise is a dangerous crutch that may also set up a bad habit.

fibrou

If You have a Plexpass then don't use linuxserver/plex last update/image (beta channel) , it's not working. At list on my server. It is a two or three days old. Use plexinc/pms-docker:latest.

Maybe someone can help me understand your concerns or give me a pointer to read on.

• The container is running as a non privileged user
• The container is granted the same privileges it had if it was running on the host itself
• The alternative is to run plex directly on the host

To me you get (some of) the benefits of containerization, but do not suffer form more weaknesses you had when running directly on the host.

Which attack vector you have in that configuration you do not have in the other?

If one had the chance to use a different container or fix the problem you get more security than now.

I still wonder why this problem is not more widly discussed, only in the context of 32bit OSes. Is 64bit on the Pi not the standard by now?

Does anyone have an idea how to analyze this problem deeper?

fibrou

Which architecture are you running on the Pi?

I saw you mentioning arm64 but a post you made, shows the armhf kernel on the OMV GUI.

Print screen of the OMV Gui System Information

uname -a

cat /etc/*version

cat /etc/*release

Zitat von Zoki

Maybe someone can help me understand your concerns or give me a pointer to read on.

• The container is running as a non privileged user
• The container is granted the same privileges it had if it was running on the host itself
• The alternative is to run plex directly on the host

To me you get (some of) the benefits of containerization, but do not suffer form more weaknesses you had when running directly on the host.

Which attack vector you have in that configuration you do not have in the other?

If one had the chance to use a different container or fix the problem you get more security than now.

I still wonder why this problem is not more widly discussed, only in the context of 32bit OSes. Is 64bit on the Pi not the standard by now?

Does anyone have an idea how to analyze this problem deeper?

Alles anzeigen

If your question is about running containers privileged then see here:

https://phoenixnap.com/kb/docker-privileged

After reading this my conclusion is, running the container in privileged mode is not more insecure than running plex on the host:

• Root in a privileged container has the same priviliges as root on the host
• The container drops root privileges in it's entrypoint to PUID:GUID
• The normal user has the same privilegel it has on the host
• The container has a smaller attack vector (less tools installed) than the host
• Containers (hopefully) get updated by watchtower

If a root escalation exploit is found, it is more likely to be hit on it on the host than the container.

Still there seems to be no reason this container needs these privileges. This is somesthing the guys from linuxserver.io should tackle.

@fbrou Do you consider opening a bug / report / issue for that project?