This weekend I had an interesting experience: A plugin failed to update and left my jail in an odd state, halting all downloads. I figured, “Let’s do the Jail thing, copy out the /var/db/ directory, rebuild/replace/resolve!”
It wasn’t so simple. I was reminded of the constant errors, related to Python being compiled against OpenSSL 0.9.8, that I had hit the last time I was spinning up new plugins; but now every source hard-blocked me. Sad day.
ssl.SSLError: [SSL: TLSV1_ALERT_PROTOCOL_VERSION] tlsv1 alert protocol version (_ssl.c:645)
So what happened? What could I do?
I tried updating python, but the jail’s python was still using the old pyOpenSSL with 0.9.8 while the rest of the system was on 1.0.2.
I tried copying updated ssl.so compiled libraries, but as you’d expect with this kind of piecemeal approach, a lot of dependencies didn’t make it over.
I tried to softlink versions of Python with a known-good pyOpenSSL, and again ran into directory and dependency problems.
After several hours of trying to duct-tape my way to success, I gave up.
Let’s look into why this really happened.
FreeBSD Jails plugins for FreeNAS were using a compiled version of Python that was wrapped with this outdated OpenSSL library. OpenSSL 0.9.8 speaks at most TLS 1.0, so any source that now requires TLS 1.2 refuses the handshake with exactly the protocol-version alert above. Any Warden based jail I spun up was impacted by this, which also means that soon my Couchbase, sabNZBD, Transmission, and Plex will all be impacted by this as well on the next update.
The solution: IOCage based Jails using an updated FreeBSD kernel! But 11.1 didn’t have the IOCage plugins enabled in the new UI. Sadder day.
I’ve now encountered a laundry list of issues with my build, and a solution was readily available: Get onto 11.2Beta3 with the new UI, IOCage plugins, and updated Python builds.
Time to update!
FreeNAS 11.1 made this stupid simple (after backing up my configuration): Log in to the web UI -> System -> Update -> pick your train and *wait*.
I made the mistake of getting hasty while it was updating and thought it was frozen. I refreshed the browser and ran into some errors about permissions in the /var/db/freenas directory; I fixed them and re-updated. That attempt got stuck at NIC instantiation during boot. I rebooted again, booted into the alternate partition, and tried again. This time I went and made a sandwich or something, and by the time I came back it had finished, rebooted, and entered 11.2 clean and easy.
Now that I had the new version 11.2, updated web UI (which is looking good so far, keep up the good work XI!), and access to the plugins… it didn’t have the plugins I wanted.
Saddest day.
I was resolute in my need to get my TV show manager working, but what to do? I looked at eXtendable Download Manager as an option, and realized the last commit was in 2015; I didn’t want that. I was going to go back to SickRage and realized that I was a bit bored with it. Then I found Medusa. It seemed easy enough to manage, was really similar to SickRage visually, and seemed to be the current hotness. Let’s do this.
I was hoping to find a guide to install this, but instead all I had was a generic Jail install guide.
So here’s what I did:
In FreeNAS, I set up a new Jail using the new UI (the old UI will set up Warden jails, the new UI will set up IOCage jails. You cannot see IOCage made jails in the old UI and you cannot see Warden jails in the new UI).
Copied the jail’s MAC address into my pfSense DHCP service as a static lease, so it always receives the same IP via DHCP (Guides to come)
Set up configurations in Nagios (Guides to come)
Set up some basic quality of life in the jail:
Enable SSH in the jail:
In the FreeNAS UI, browse to the jail, open the shell:
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
passwd   (enter root password)
sed -i '' -e 's/sshd_enable="NO"/sshd_enable="YES"/g' /etc/rc.conf
service sshd restart
pkg update && pkg upgrade
pkg install python27 py27-sqlite3 unrar git openssl
Add service account (Below steps are from this forum post by INCSlayer):
adduser
Username: <service account>
Full name: <service account>
User Uid (Leave empty for default):
Login group [medusa]:
Login group is medusa. Invite medusa into other groups? []:
Login class [default]:
Shell (sh csh tcsh git-shell nologin) [sh]:
Home directory [/home/medusa]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]: no
Install service (I’m pasting what I did for medusa, but this can be done with any service repository):
git clone https://github.com/pymedusa/Medusa.git /usr/local/medusa
cp /usr/local/medusa/runscripts/init.freebsd /usr/local/etc/rc.d/medusa
chmod 755 /usr/local/etc/rc.d/medusa
chown -Rf medusa:medusa /usr/local/medusa
sysrc "medusa_enable=YES"
service medusa start
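The rc.conf and sshd_config edits above are done with sed and echo >>. As an added example (not from the post or the Medusa project), here are idempotent helpers for the same edits: the post’s sed only rewrites an existing sshd_enable="NO" line, and a fresh iocage jail’s /etc/rc.conf may not contain that line at all, so the edit silently does nothing; likewise sshd honours the first occurrence of a keyword, so an appended PermitRootLogin line is ignored if one was already set. File paths are parameters so the helpers can be tried on a scratch copy before touching the live jail.

```shell
#!/bin/sh
# Added example, not from the post: idempotent config helpers for the jail
# bootstrap. Each helper replaces a matching line when present and appends it
# when absent (what sysrc(8) does for rc.conf), so re-running is harmless.
# File paths are parameters; nothing here assumes it is running inside a jail.

# replace_line FILE REGEX TEXT: rewrite every line matching REGEX as TEXT. Goes
# through a temp file and cat so FILE keeps its mode and owner.
replace_line() {
    tmp=$(mktemp) || return 1
    sed "s|$2.*|$3|" "$1" > "$tmp" && cat "$tmp" > "$1"
    st=$?; rm -f "$tmp"; return $st
}

# set_rc_var FILE NAME VALUE: set NAME="VALUE" in an rc.conf-style file.
set_rc_var() {
    [ -f "$1" ] || : > "$1"
    if grep -q "^$2=" "$1"; then
        replace_line "$1" "^$2=" "$2=\"$3\""
    else
        printf '%s="%s"\n' "$2" "$3" >> "$1"
    fi
}

# get_rc_var FILE NAME: print NAME's value with quotes stripped; as in sh,
# the last definition wins.
get_rc_var() {
    sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}.*/\1/p" "$1" | tail -n 1
}

# set_sshd_opt FILE KEYWORD VALUE: same idea for sshd_config ("Keyword value").
# sshd uses the first occurrence of a keyword, so appending with echo >> only
# takes effect if nothing above already set it. This rewrites an existing or
# commented-out line in place (check Match blocks by hand) and appends otherwise.
set_sshd_opt() {
    [ -f "$1" ] || : > "$1"
    pat="^[[:space:]]*#\{0,1\}[[:space:]]*$2[[:space:]]"
    if grep -q "$pat" "$1"; then
        replace_line "$1" "$pat" "$2 $3"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

# get_sshd_opt FILE KEYWORD: print the value sshd would use (first active line).
get_sshd_opt() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\)/\1/p" "$1" | head -n 1
}
```

On the jail itself you would call these as root on /etc/rc.conf and /etc/ssh/sshd_config, then `service sshd restart` as in the post.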
Normally at this point I would enable lower ports so that medusa-owned services can bind to port 80, but this didn’t work as it did with Warden Jails: I’m met with “Operation not permitted” errors. I’m still working through that bit:
sysctl net.inet.ip.portrange.reservedhigh=0
echo "net.inet.ip.portrange.reservedhigh=0" >> /etc/sysctl.conf
Now I have Medusa working and installed, and I’ll be following this same process to migrate off Warden and forever away from outdated SSL errors.
Hi
I’m curious if you’ve managed to find a solution to
sysctl: net.inet.ip.portrange.reservedhigh=0: Operation not permitted
I have just upgraded to FreeNAS 11.2 and am a bit disappointed with this not working.
The older version of jails (Warden) allowed for configuring these properties in the GUI and through /etc/sysctl.conf. I was just trying to do it on my configuration and found you were right: this does not work, just as you described.
What I do for simplifying my ports is using HAProxy, others use NGINX. This setup is pretty simple – I’ll write a post soon about doing HAProxy in various places in my stack; hopefully this will help with your issue.
Did you find a workaround in the meantime? Looks like I missed the comment for a while.
Did you ever figure out how to allow lower priv users to bind to port 80? I’m working through the same thing myself now.
I’m editing my answer as the old version of doing this with sysctl.conf changes doesn’t seem to work on 11.2 with iocage.
What I use to do port translation is a reverse proxy, specifically HAProxy; others use NGINX. These allow for header-based redirection and port forwarding to non-standard ports; this greatly simplifies bigger configurations and allows for more robust systems in the long run, and I highly encourage it.
I have a task to add a how-to on configuration of HAProxy for purposes like this, I’ll re-prioritize and post soon!