That is not normal. I have much the same setup, sabnzbd, Plex, jellyfin, sonar, radar. They all run under a particular user and their /opt and /var/lib folders don’t ‘revert’ to their old ownership and permissions.
Either something is watching those folders and setting permissions, or some kind of immutability is in play, but permissions normally don’t revert like that.
Because NAT acts as a firewall with a “default deny” policy for incoming packets, but no other rules. You cannot prevent a device on the private subnet side of a NAT from attempting to communicate with an “outside” ip with nat alone, nat doesnt understand the concepts of accept/deny/drop.
All nat does is rewrite address headers.
The machines behind a NAT box are not directly addressable because they have private IP addresses. Machines out on the general Internet cannot send IP packets to them directly. Instead, any packets will be sent to the address of the NAT box, and the NAT box looks at its records to see which outgoing packet an incoming packet is in reply to, to decide which internal address the packet should be forwarded to. If the packet is not in reply to an outgoing packet, there’s no matching record, and the NAT box discards the packet.
It’s a confused topic because for a lot of people, nat does essentially everything they want. As soon as you get into more complex networking where a routing table needs to be updated, or bidirectional fw rules, it becomes apparent why routing + fw + nat is the most common combo.
Yes, Lxc, docker, whatever cgroup2 isolation environment, but not VMS, true.
Vms can achieve the same thing through shares
Assuming it’s not a 1-1 NAT it does make for a functional unidirectional firewall.
That’s like saying a router and firewall are the same thing. NAT appears to be a “firewall” because it’s usually deployed with one. NAT itself has no filtering functions the way you’re describing.
Now, a pure router in the sense of simply offering a gateway to another subnet
A “pure” router, as you put it, understands upstream subnets and routing tables. NAT does not, and is usually overlayed on top of an existing routing function.
You can set up NAT between two subnets as an experiment with no iptables and it will do its job.
Each cgroup container mounts a host path. That’s it.
Op means, as they said, a firewall on the server itself.
NAT is, effectively, a firewall.
No it isn’t. Stop giving advice on edge security.
Zfs (and most modern filesystems) are fine with concurrency.
I mount the same data store into several instances, it works well. Just needs some planning for permissions.
Yes, not course. I forgot about the gui, that’s valid.
If it’s a private ZFS pool not on the network you’re fucked.
Sorry, i didn’t word that correctly. I understand why you might need a share, I just think a whole truenas instance just for a few shares is way overkill. If I needed a samba share, NFS export, or an iscsi lun i would just spin up a Debian container and be done with it.
Why bother with truenas? Just put the media in a zfs pool and mount it directly into jellyfin.
Oh yeah, sorry. There is some vendor lock-in with all bookstores, but kobo looks the other way.
I have calibre-web setup with kobo sync, so calibre-web pretends to be part of the kobo store to my reader and I’m able to add non-drm books to my reader while still using the kobo store if I like.
Kobo does not block non-drm. Calibre is used as a server all the time, see calibre-web.
Yes, you’re right, I forgot about the forking.
Your view unfortunately doesn’t show you how shitty the unpaid experience has become. XBMC used to be a good product. Since becoming Plex, now we have:
If this were clear from the outset , no one would be upset. But pulling back features Plex at one time promised “forever” (remote streaming), is complete rug-pull bullshit.
You can enjoy that warm and fuzzy reverse-fomo feeling now, but you should know that they’ll start limiting your paid experience eventually.
No worries. And don’t misunderstand: I think proxmox is great, I’ve simply moved on to a different way of doing thing.
I’ve moved to all containers and I’m gradually automating everything. The metaphor for orchestration and provisioning is much clearer in incus than it was in lxd, and makes way more sense than proxmox.
Proxmox is fine, I’ve used it for going on 8 years now, I’m still using it, in fact. But it’s geared toward a “safe” view of abstraction that makes lxc containers seem like virtual machines, and they absolutely aren’t, they are much, much more flexible and powerful than vms.
There are also really annoying deficiencies in proxmox that I’ve taken for granted for a long time as well:
Ultimately, I have more flexibility with a vanilla bookworm install with incus.
Migrating from proxmox to incus, continued.
Lots of fun, actually!
dd if=/dev/null of=<mount-point>/test.file bs=1G count=10 status=progress
/dev/null tests from dd are not an accurate indicator of performance unless you only have one disk in your pool. fio is a much more accurate tool for zfs pool testing.
I just vi the systems/system/fancy name.service files father than use systemd edit, but I think the result is the same.
There are two configs you can add to the the [service] directive
user=someuserThis should allow you to run the service under the credentials of your choosing.
Remember to systemctl daemon-reload after making changes to unit files.