Making progress - WOOHOO!!!
Plex Container/Portainer Install
-
- OMV 5.x
- gelöst
- fibrou
-
-
I wonder, how many will come with the same problem in the next days, Something must have changed.
-
---
version: "2.1"
services:
plex:
image: lscr.io/linuxserver/plex:arm64v8-latest
network_mode: host
container_name: plex
environment:
- PUID=998
- PGID=100
- VERSION=docker
- PLEX_CLAIM= #optional
volumes:
- /srv/dev-disk-by-uuid-84dd4d45-477b-4c80-8700-85af38f059e0/jpbs1TbDockerData/plex:/config
ports:
- 32400:32400
restart: unless-stopped
Still generates error.
When you define host networking you CAN NOT also define ports.
Running a container privileged when not necessary is a major mistake. It is not required of the linuxserver.io plex image.
-
Running in privileged mode should not be necessary, but was the only way to make it work in this install.
gderf: Reading the thread, do you have an idea why he gets this error (it is arm64, so not the one mentioned for workarounds in the linuxserver thread)
Codelibc++abi: terminating with uncaught exception of type std::__2::system_error: clock_gettime(CLOCK_MONOTONIC) failed: Operation not permitted
Ports are ignored when in network_mode: host. You can remove them.
-
Before running privileged I would try the plexinc/pms-docker image instead.
https://hub.docker.com/r/plexinc/pms-docker/
I have no knowledge about a fix for the posted error.
-
Before running privileged I would try the plexinc/pms-docker image instead.
https://hub.docker.com/r/plexinc/pms-docker/
I have no knowledge about a fix for the posted error.
Will that image run on a Rpi?
-
Will that image run on a Rpi?
No, they only provide amd64
-
No, they only provide amd64
There you have it...
-
I think it is an underlying problem of the image linuxserver uses, but not too many google hits on that.
Only for 32bit. Wait a few weeks / months and then update and remove the privileged:tru.
-
When you define host networking you CAN NOT also define ports.
Running a container privileged when not necessary is a major mistake. It is not required of the linuxserver.io plex image.
I completely agree.
Something else is wrong if he's being required to use privileged mode.
Personally, I wouldn't run Plex (or Emby or Jellyfin) in privileged mode given issues both have had in the past w/ file deletion due to code/update issues that were not caught (another reason for setting ro flags on media directories).
-
When running in privileged mode (or GASP PUID=0 GUID=) solves a problem without explanation it should be a signal to immediately stop doing that and find out why it worked. Continuing otherwise is a dangerous crutch that may also set up a bad habit.
-
When running in privileged mode (or GASP PUID=0 GUID=) solves a problem without explanation it should be a signal to immediately stop doing that and find out why it worked. Continuing otherwise is a dangerous crutch that may also set up a bad habit.
This is signature material!
To many don't take permissions as seriously as they should and seem to try and avoid using them altogether.. either via allowing "everyone" access, or doing something ridiculous like you mentioned and essentially running everything as root.
-
-
If You have a Plexpass then don't use linuxserver/plex last update/image (beta channel) , it's not working. At list on my server. It is a two or three days old. Use plexinc/pms-docker:latest.
His plex pass isn't the issue.. Beyond that, Plex Pass and LinuxServer always seems to be a little bit behind on new releases. That's why generally you set your version to "docker", which basically means when the container is updated, you'll get updated.
-
Maybe someone can help me understand your concerns or give me a pointer to read on.
- The container is running as a non privileged user
- The container is granted the same privileges it had if it was running on the host itself
- The alternative is to run plex directly on the host
To me you get (some of) the benefits of containerization, but do not suffer form more weaknesses you had when running directly on the host.
Which attack vector you have in that configuration you do not have in the other?
If one had the chance to use a different container or fix the problem you get more security than now.
I still wonder why this problem is not more widly discussed, only in the context of 32bit OSes. Is 64bit on the Pi not the standard by now?
Does anyone have an idea how to analyze this problem deeper?
-
-
Which architecture are you running on the Pi?
I saw you mentioning arm64 but a post you made, shows the armhf kernel on the OMV GUI.
Print screen of the OMV Gui System Information
uname -a
cat /etc/*version
cat /etc/*release
Here you go:
-
Maybe someone can help me understand your concerns or give me a pointer to read on.
- The container is running as a non privileged user
- The container is granted the same privileges it had if it was running on the host itself
- The alternative is to run plex directly on the host
To me you get (some of) the benefits of containerization, but do not suffer form more weaknesses you had when running directly on the host.
Which attack vector you have in that configuration you do not have in the other?
If one had the chance to use a different container or fix the problem you get more security than now.
I still wonder why this problem is not more widly discussed, only in the context of 32bit OSes. Is 64bit on the Pi not the standard by now?
Does anyone have an idea how to analyze this problem deeper?
I think that could possibly be an issue. Just from searching it seems the 64bit Pi OS is beta.
As for privileges.. It should work w/o elevating yourself to a privileged user... If you have to do this, it would make me question where I went wrong.
-
Maybe someone can help me understand your concerns or give me a pointer to read on.
- The container is running as a non privileged user
- The container is granted the same privileges it had if it was running on the host itself
- The alternative is to run plex directly on the host
To me you get (some of) the benefits of containerization, but do not suffer form more weaknesses you had when running directly on the host.
Which attack vector you have in that configuration you do not have in the other?
If one had the chance to use a different container or fix the problem you get more security than now.
I still wonder why this problem is not more widly discussed, only in the context of 32bit OSes. Is 64bit on the Pi not the standard by now?
Does anyone have an idea how to analyze this problem deeper?
If your question is about running containers privileged then see here:
-
After reading this my conclusion is, running the container in privileged mode is not more insecure than running plex on the host:
- Root in a privileged container has the same priviliges as root on the host
- The container drops root privileges in it's entrypoint to PUID:GUID
- The normal user has the same privilegel it has on the host
- The container has a smaller attack vector (less tools installed) than the host
- Containers (hopefully) get updated by watchtower
If a root escalation exploit is found, it is more likely to be hit on it on the host than the container.
Still there seems to be no reason this container needs these privileges. This is somesthing the guys from linuxserver.io should tackle.
@fbrou Do you consider opening a bug / report / issue for that project?
Jetzt mitmachen!
Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!